Re: External DNS & smtp relay security & recommendations
- From: "Anthony" <anthony.spam@xxxxxxxxxxxxxx>
- Date: Sat, 6 Oct 2007 18:03:38 +0100
Hi Riley,
It's a bit of an open question, so here are a few general answers:
- Are you sure you need to run an external DNS server? Maybe you do, but
often this arises through misunderstanding.
- Windows Server is an expensive choice of platform for this. Most people
doing this would do it on Linux.
- If you really do need an external DNS server then you'd like to have a DMZ
and a firewall device, so the external server does not have access to the
internal LAN
- If you need to use the Windows firewall, then it's just a matter of
allowing inbound connections only on known specified ports for the internet
services you are running, and nothing else.
- If you are really looking for a DNS server to service clients inside your
network, then it's all much simpler. Just add a forwarder to the ISP's DNS, or
use the Root Hints, and don't allow any access from outside at all.
If you'd like to explain a little more what you are doing with the DNS you
may get a more specific answer,
Hope that helps,
Anthony, http://www.airdesk.com
"rileymartin" <rileymartin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:47706E40-7BE9-41B1-8797-491E6F906F8A@xxxxxxxxxxxxxxxx
Hi,
I purchased a static IP address and cable modem service and need to install
an external DNS server and an SMTP relay service for an internal email
server. I would like to use Windows 2003 Server and turn on the firewall/ICS
that comes with SP2. I looked up information on TechNet for securing 2003 and
DNS and didn't find any really good documents. What I did find was general
information on Windows firewall/ICS and the general best practices for DNS I
have listed below. Does anyone have any recommendations they can provide?
Thanks.
1) Protect the DNS infrastructure of your organization by utilizing an
internal root and name space.
2) Only the external DNS server is configured with Internet root hints.
3) All internal DNS servers are configured only with the root hints pointing
to the internal DNS servers hosting the root zone for your internal name
space.
4) All DNS servers run on domain controllers with all DNS zones stored in
Active Directory. Active Directory DACLs are utilized to secure
administration of DNS. All DNS servers are configured with NTFS as the file
system.
5) External DNS resolution is only performed by your external DNS server.
The internal DNS servers point to the external DNS server.
6) Internal DNS servers are configured to only permit zone transfers to
specific internal DNS servers.
7) The default setting of cache pollution prevention is enabled.
8) UDP/TCP port 53 is only open between one of your internal DNS servers and
only your external DNS server through a firewall in your DMZ.
9) Only secure dynamic DNS updates are allowed for all zones except for the
top-level and root zones, which do not allow dynamic updates at all.
10) All Internet name resolution is performed using proxy servers and
gateways.
11) Utilize Windows Firewall and create exceptions only for DNS ports TCP
and UDP port 53.
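The firewall and DNS-server settings discussed in this thread (inbound allowed only on the published service ports, cache pollution prevention, restricted zone transfers, no dynamic updates on the public zone), written out as an added example for a Windows Server 2003 SP1/SP2 host in the DMZ. This script is not from either poster; it uses the built-in netsh firewall and dnscmd tools, and the zone name, listen address and secondary address in it are placeholders you would replace. One caveat the list does not spell out: Windows Server 2003 DNS has a single, server-wide recursion switch, so a server that is reachable from the Internet on port 53 and also recurses for the internal servers (item 5) is an open resolver to everyone. The script therefore disables recursion and treats the external server as authoritative-only, which means the internal servers should forward to the ISP's resolver as Anthony suggests rather than to this box.

```batch
@echo off
rem Added example (not from the original thread). Run in an elevated
rem command prompt on the external DMZ server itself.
rem Placeholder values below are assumptions; replace them with your own.
set ZONE=example.com
set LISTEN_IP=203.0.113.10
set SECONDARY_IP=203.0.113.11

rem --- Windows Firewall: turn it on and open only the published ports ---
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL
netsh firewall add portopening protocol=TCP port=53 name="DNS TCP" mode=ENABLE scope=ALL profile=ALL
netsh firewall add portopening protocol=UDP port=53 name="DNS UDP" mode=ENABLE scope=ALL profile=ALL
rem SMTP relay listener; relay restrictions themselves are set in the SMTP
rem service configuration, not in the firewall, and are not shown here.
netsh firewall add portopening protocol=TCP port=25 name="SMTP" mode=ENABLE scope=ALL profile=ALL

rem Close the built-in exception groups a DMZ box has no business exposing
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL
netsh firewall set service type=REMOTEADMIN mode=DISABLE profile=ALL
netsh firewall set service type=REMOTEDESKTOP mode=DISABLE profile=ALL
netsh firewall set service type=UPNP mode=DISABLE profile=ALL
rem Drop inbound ICMP echo requests (type 8)
netsh firewall set icmpsetting type=8 mode=DISABLE profile=ALL

rem --- DNS Server: authoritative for its own zones only ---
rem Listen only on the DMZ-facing address
dnscmd /ResetListenAddresses %LISTEN_IP%
rem Server-wide switch: refuse recursive queries from everyone
dnscmd /Config /NoRecursion 1
rem Cache pollution prevention (item 7 in the list)
dnscmd /Config /SecureResponses 1
rem Zone transfers only to the named secondary (use /NoXfr to refuse all)
dnscmd /ZoneResetSecondaries %ZONE% /SecureList %SECONDARY_IP%
rem No dynamic updates at all on the public zone
dnscmd /Config %ZONE% /AllowUpdate 0

rem --- Verify what was actually applied ---
netsh firewall show state
netsh firewall show portopening
dnscmd /Info /NoRecursion
dnscmd /Info /SecureResponses
dnscmd /ZoneInfo %ZONE%
```

After running it, confirm from a host outside the network that a query for a name you are authoritative for is answered, that a query for an unrelated name is refused, and that an AXFR request for the zone is rejected; the firewall and dnscmd output at the end of the script only shows the configured state, not what the Internet actually sees.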