fireguy1125 asked:
DNS Confusion with DynDNS and Private DNS Server

I'm confused with the DNS setup that we currently have, and have had since my joining this company.  We use DynDNS to host our zones with the Custom DNS service.  Our company.org DNS zone uses the following services:

Host                 TTL      Type     Data
company.org          60       A        123.123.123.123
company.org          43200    MX       5 company.org.
www.company.org      43200    CNAME    company.org.

We have 2 in-house DNS servers with Active Directory implementation and our site reverse lookup zones running on Server 2003.  Our local domain ends in company.net; our public one, used for e-mail and the website, is company.org.

Our Forward Lookup Zones:

_msdcs.company.net
company
company.net
company.org

Reverse Lookup Zones:
192.168.0.x Subnet
10.1.1.x Subnet
10.1.2.x Subnet

I have the Root Forwarders pointing to our ISP DNS servers.  Is this correct?
I want to make sure I have the DNS configured correctly to avoid any conflicts.  The reason is that I'm concerned e-mails sent from our e-mail server could end up on a blacklist because of misconfiguration, and I want to know whether the DNS is configured correctly.

Important: There are NO problems right now, everything is working fine, but I would just like a better understanding of this setup that I have, as well as any recommendations that may optimize it.

Also, on the Advanced Delivery settings of the Default SMTP Virtual Server, I have the FQDN as mail.company.net.  If I check the DNS, it shows the domain as valid.  Is this the correct e-mail name? Shouldn't it be mail.company.org, since that is our public DNS?  Also, performing a reverse DNS lookup on incoming messages: should this be enabled to reduce spam, or kept disabled?  And finally, as to configuring an external DNS server for this virtual server: I currently have nothing in there.  Should I put the DynDNS IPs or our ISP IPs in there?

Thanks, I know this is long, and if I could assign 1000 points i would.

ASKER CERTIFIED SOLUTION
dfxdeimos
fireguy1125 (ASKER):
Thanks, so I don't need the Forwarders pointing to the dyndns servers at all?

As for the external DNS entries, it won't let me add the
www.company.org      60       A        123.123.123.123

because of the CNAME entry for it.  Should I delete the CNAME entry for it and replace it with the above?

We are currently using a combination of Jep Greylisting, GFI mail essentials, and Symantec Mail Security.

Thanks.
Yes, you would delete the CNAME and make it an A record. It has the same effect, but the way I suggested is the cleaner method.
Correct on the forwarder part.
OK, so I ran into a problem with the mail.

When I added the mail.company.org      60       A        123.123.123.123

we also have a mail.company.org      1440     A(WebHop)    https://outlook.company.org/exchange

Now when we type in mail.company.org, it displays our website.
Your internal DNS on your domain controllers should be treated as a separate entity to the external DNS. They can contain different records.

If you have mail.company.org as a DNS record then you should not have a web hop as well. If your SSL certificate is issued to https://outlook.company.org then either point the A record for outlook.company.org to your external IP address or use a CNAME to point it to mail.company.org.

If you have a static external IP address then you do not need to use the advanced features of dyndns.

While having your DNS set up incorrectly can stop email being delivered, it will not get you blacklisted. Blacklists operate on hosts, i.e. IP addresses, not host names/domain names.

-M
Ok...

The "mail.company.org" A record should point towards the external IP address of your Mail Server, or the external IP address of the connection that has your exchange server behind it.

You are saying that now when you visit "mail.company.org" *internally* that you see the company's webpage as opposed to Outlook Web Access?
Mestha is correct in saying that blacklists operate on IP addresses (which are assigned to certain entities by ICANN) not domain names.
No, externally from the outside, when we type in mail.company.org, our webpage appears.  What is supposed to appear is the OWA logon.  We have a webhop configured like this:

mail.company.org      1440     A(WebHop)    https://outlook.company.org/exchange
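An added sanity check, not code from the thread or from DynDNS, for the record conflicts discussed above: a CNAME sharing a name with other records (why the A for www could not be added), an MX target that must be an address record rather than a CNAME, a WebHop redirect sitting on the same name as a real A record, and whether the SMTP server's announced FQDN exists in the public zone. The sample zone text, the WEBHOP pseudo-type and the finding messages are constructed for this example.

```python
from collections import defaultdict
# Constructed sample in the thread's column order (host, TTL, type, data); DynDNS's
# "A(WebHop)" is an HTTP redirect, not a DNS record, so it is written as type WEBHOP.
SAMPLE_ZONE = """\
company.org         60     A       123.123.123.123
company.org         43200  MX      5 company.org.
www.company.org     43200  CNAME   company.org.
mail.company.org    60     A       123.123.123.123
mail.company.org    1440   WEBHOP  https://outlook.company.org/exchange
"""

def parse_zone(text):
    """Return {owner: [(type, data), ...]}; owners lower-cased, trailing dot dropped."""
    zone = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            host, _ttl, rtype, data = line.split(None, 3)
            zone[host.rstrip(".").lower()].append((rtype.upper(), data.strip()))
    return zone

def check_zone(zone, smtp_fqdn):
    """Return a list of findings (empty when the zone passes every check)."""
    findings = []
    for owner, rrs in zone.items():
        types = {t for t, _ in rrs}
        # RFC 1034 3.6.2: a name with a CNAME may hold no other records.
        if "CNAME" in types and len(rrs) > 1:
            findings.append(f"{owner}: CNAME coexists with other records")
        # The thread's symptom: a redirect and a real A record on one name.
        if "WEBHOP" in types and "A" in types:
            findings.append(f"{owner}: WebHop redirect shadows the A record")
        for rtype, data in rrs:
            if rtype != "MX":
                continue
            # RFC 2181 10.3: an MX target needs address records, not a CNAME.
            target = data.split()[1].rstrip(".").lower()
            ttypes = {t for t, _ in zone.get(target, [])}
            if "CNAME" in ttypes:
                findings.append(f"{owner}: MX target {target} is a CNAME")
            elif not ttypes & {"A", "AAAA"}:
                findings.append(f"{owner}: MX target {target} has no address record")
    # The name the SMTP server announces should resolve in the public zone.
    fqdn = smtp_fqdn.rstrip(".").lower()
    if not {t for t, _ in zone.get(fqdn, [])} & {"A", "AAAA"}:
        findings.append(f"SMTP FQDN {fqdn} has no address record in this zone")
    return findings

if __name__ == "__main__":
    for finding in check_zone(parse_zone(SAMPLE_ZONE), "mail.company.net"):
        print(finding)
```

Run against the sample zone with the asker's current FQDN of mail.company.net, it reports the WebHop/A clash and the FQDN that is absent from the public zone; switching the FQDN to mail.company.org leaves only the WebHop finding.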

SOLUTION