  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 662

DNS Confusion with DynDNS and Private DNS Server

I'm confused with the DNS setup that we currently have, and have had since I joined this company.  We use DynDNS to host our zones with the Custom DNS service.  Our company.org DNS zone uses the following records:

Host               TTL     Type    Data
company.org        60      A       123.123.123.123
company.org        43200   MX      5 company.org.
www.company.org    43200   CNAME   company.org.

We have 2 in-house DNS servers with Active Directory implementation and our site reverse lookup zones running on Server 2003.  Our local domain ends in company.net; our public one, used for e-mail and the website, is company.org.

Our Forward Lookup Zones:

_msdcs.company.net
company
company.net
company.org

Reverse Lookup Zones
192.168.0.x Subnet
10.1.1.x Subnet
10.1.2.x Subnet

I have the Root Forwarders pointing to our ISP DNS servers.  Is this correct?
I want to make sure I have the DNS configured correctly to avoid any conflicts.  The reason is I'm concerned that e-mails sent from our e-mail server might end up on a blacklist because of misconfiguration, and I want to confirm that the DNS is configured correctly.

Important: There are NO problems right now, everything is working fine, but I would just like a better understanding of this setup that I have, as well as any recommendations that may optimize it.

Also, on the Advanced Delivery settings of the Default SMTP Virtual Server, I have the FQDN as mail.company.net.  If I check the DNS it shows the domain as valid.  Is this the correct e-mail name, or shouldn't it be mail.company.org, since that is our public DNS?  Also, performing a reverse DNS lookup on incoming messages: should this be enabled to reduce spam, or kept disabled?  And finally, as to configuring the external DNS server for this virtual server: I currently have nothing in there.  Should I put the DynDNS IPs or our ISP IPs in there?

Thanks, I know this is long, and if I could assign 1000 points I would.

Asked by fireguy1125
2 Solutions
 
dfxdeimos commented:
Be careful with the terminology here. You want your Forwarders configured to point towards your ISP's DNS servers. You want to leave your Root Hints alone. There is no such thing as a Root Forwarder.

------------------

The FQDN listed in the Default SMTP connector should match the MX record that is listed as part of your domain. In your case this is company.org.

------------------

You should enable RDNS to reduce SPAM.

------------------

That should be configured to point towards your ISP's DNS server.

------------------

Also, your external DNS should look something more like this:

Host               TTL     Type    Data
company.org        60      A       123.123.123.123
www.company.org    60      A       123.123.123.123
mail.company.org   60      A       123.123.123.123
company.org        43200   MX      5 mail.company.org

I would also consider implementing Postini for improved anti-spam capability and redundancy.
fireguy1125 (Author) commented:
Thanks, so I don't need the Forwarders pointing to the DynDNS servers at all?

As for the external DNS entries, it won't let me add the

www.company.org    60    A    123.123.123.123

because of the CNAME entry for it.  Should I delete the CNAME entry for it and replace it with the above?

We are currently using a combination of Jep Greylisting, GFI mail essentials, and Symantec Mail Security.

Thanks.
dfxdeimos commented:
Yes, you would delete the CNAME and make it an A record. It has the same effect, but the way I suggested is the cleaner method.
 
dfxdeimos commented:
Correct on the forwarder part.
fireguy1125 (Author) commented:
OK, so I ran into a problem with the mail.

When I added the record

mail.company.org     60     A     123.123.123.123

we also had a

mail.company.org     1440     A(WebHop)     https://outlook.company.org/exchange

Now when we type in mail.company.org it displays our website.
Mestha commented:
Your internal DNS on your domain controllers should be treated as a separate entity to the external DNS. They can contain different records.

If you have mail.company.org as a DNS record then you should not have a WebHop as well. If your SSL certificate is issued to https://outlook.company.org then either point the A record for outlook.company.org to your external IP address or use a CNAME to point it to mail.company.org.

If you have a static external IP address then you do not need to use the advanced features of DynDNS.

While having your DNS set up incorrectly can stop email being delivered, it will not get you blacklisted. Blacklists operate on hosts, i.e. IP addresses, not host names/domain names.

-M
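As an added example (not code from any post in this thread), the following Python script checks an offline copy of the public zone against the points raised in dfxdeimos's first answer, the CNAME conflict the author ran into when adding the www A record, and Mestha's note that blacklists key on IP addresses: a CNAME owner carries no other records, every MX target owns an A record, and the SMTP FQDN both resolves and reverse-resolves to itself. The zone records and the PTR entry are constructed sample data modelled on the suggested layout, and the function names are mine.

```python
"""Offline sanity checks for a public mail/web zone (constructed sample data)."""
from collections import defaultdict

# Constructed copy of the external zone layout suggested in the thread.
ZONE = [
    ("company.org",      "A",  "123.123.123.123"),
    ("www.company.org",  "A",  "123.123.123.123"),
    ("mail.company.org", "A",  "123.123.123.123"),
    ("company.org",      "MX", "5 mail.company.org"),
]
# Constructed reverse (PTR) entry as the ISP would publish it for that address.
PTR = {"123.123.123.123": "mail.company.org"}

def index(zone):
    """Group records by owner name, dropping trailing dots for comparison."""
    by_name = defaultdict(list)
    for name, rtype, data in zone:
        by_name[name.rstrip(".")].append((rtype, data.rstrip(".")))
    return by_name

def check_zone(zone, ptr, smtp_fqdn):
    """Return a list of problems; an empty list means the layout is clean."""
    names = index(zone)
    problems = []
    for name, rrs in names.items():
        types = {t for t, _ in rrs}
        # 1. A CNAME owner may hold no other record (why the www A record was refused).
        if "CNAME" in types and len(rrs) > 1:
            problems.append(f"{name}: CNAME coexists with {sorted(types - {'CNAME'})}")
        # 2. Each MX target must be a hostname owning an A record, not a CNAME or IP.
        for rtype, data in rrs:
            if rtype == "MX":
                target = data.split()[-1]
                ttypes = {t for t, _ in names.get(target, [])}
                if "A" not in ttypes:
                    problems.append(f"{name}: MX target {target} has no A record")
    # 3. The SMTP banner name must resolve, and its address must PTR back to it (FCrDNS),
    #    since blacklists key on the IP address and many receivers check this match.
    addrs = [d for t, d in names.get(smtp_fqdn, []) if t == "A"]
    if not addrs:
        problems.append(f"SMTP FQDN {smtp_fqdn} is not in the public zone")
    for ip in addrs:
        if ptr.get(ip) != smtp_fqdn:
            problems.append(f"{ip} reverse-resolves to {ptr.get(ip)!r}, not {smtp_fqdn}")
    return problems

if __name__ == "__main__":
    print(check_zone(ZONE, PTR, "mail.company.org") or "zone looks clean")
```

Running it with the author's original zone (www as a CNAME plus an A record, and the SMTP FQDN set to mail.company.net) reports each of the three problems discussed above.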
dfxdeimos commented:
Ok...

The "mail.company.org" A record should point towards the external IP address of your mail server, or the external IP address of the connection that has your Exchange server behind it.

You are saying that now when you visit "mail.company.org" *internally* that you see the company's webpage as opposed to Outlook Web Access?
dfxdeimos commented:
Mestha is correct in saying that blacklists operate on IP addresses (which are assigned to certain entities by ICANN) not domain names.
fireguy1125 (Author) commented:
No, externally from the outside, when we type in mail.company.org, our webpage appears.  What is supposed to appear is the OWA logon.  We have a WebHop configured like this:

mail.company.org     1440     A(WebHop)     https://outlook.company.org/exchange

dfxdeimos commented:
Ahh, I see.

Well, that is a little bit of an odd configuration, but if you don't want to correct it at this time then I would just switch the MX record back to pointing towards the "company.org" address like you had previously.

The way *I* would resolve this (if all of this is being done in IIS) is to edit the bindings on the company's main website to not include "mail.company.org". I would then modify the bindings on the virtual directory holding the OWA components to include "mail.company.org", and set it to autoforward to the "/exchange" subdirectory.