Exchange 2007 Edge Transport - what DNS suffix?

core3
I am setting up an Exchange 2007 Edge Transport server in its own DMZ (obviously not on the domain). As this is a small installation, DNS resolution of the Hub Transport(s) will be done via 'hosts' file entries.

I want to know what the best practice is for setting the DNS suffix on the Edge Server.

As I see it, there are three options:

Internal domain (e.g. internal.com)
External domain (e.g. external.com)
Arbitrary, unrelated domain (e.g. company-dmz.com)

What I am looking for is an explanation of when you would choose each of the above and why. Of particular interest are any security concerns - for example if the server gets compromised.

I see some people suggesting it be set to the internal domain name and others saying it should be the external one. Logically, it seems that if DNS to the Hub is handled by the 'hosts' file, the DNS suffix should be irrelevant and could be set arbitrarily. Unfortunately, no one provides much justification for their answer and, as usual, MS are painfully uninformative.

It probably isn't worth the stress but I don't like being forced to make decisions where I don't understand the reasoning behind the options. I've put the points up because I am looking for explanations, not just simple answers or links to any of the dozens of pages I've already been to.

Thanks.
Hi there,

Choosing an arbitrary domain name would be useful to hide information about the internal and external structure of your infrastructure and, on the other side, using an internal suffix would expose such information.

I'd choose the external domain for the edge server, since it will accept the mail from the internet. And from the security point of view, the DNS suffix is your least urgent problem when an intruder has taken control of your edge server.


--TheDoctor
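An added example, not code posted by either participant: a PowerShell script for the setup the question describes (a chosen primary DNS suffix on the Edge server, hosts-file entries for the Hub Transport servers, and checks that Hub resolution is indeed independent of the suffix). The suffix external.com, the Hub names hub1.internal.com / hub2.internal.com and the addresses 10.0.1.11 / 10.0.1.12 are hypothetical placeholders. The caveat a practitioner will want alongside the "it doesn't matter" reasoning: the suffix is not cosmetic, because hostname plus suffix is the Edge server's FQDN, which the Hub Transport servers must be able to resolve for the Edge Subscription, which the Edge connectors advertise in SMTP by default, and which should be fixed before the Edge role is installed (Microsoft's advice not to change it afterwards is the "correct suffix" admonition the asker mentions). Whichever of the three suffixes you pick, the script applies it and shows that the hosts-based Hub lookups come out the same.

```powershell
# Added example (not from the thread). Hypothetical values: suffix external.com,
# Hub Transport servers hub1/hub2.internal.com at 10.0.1.11 / 10.0.1.12.
# Run in an elevated shell on the Edge server BEFORE installing the Edge role;
# changing the primary suffix needs a reboot, and the Edge FQDN is set at install.

$Suffix    = 'external.com'
$Hubs      = @{ 'hub1.internal.com' = '10.0.1.11'; 'hub2.internal.com' = '10.0.1.12' }
$HostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$TcpipKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# 1. Primary DNS suffix. 'NV Domain' is the persistent value, 'Domain' the
#    active one; a reboot makes the new suffix effective.
$current = (Get-ItemProperty $TcpipKey).'NV Domain'
if ($current -ne $Suffix) {
    Set-ItemProperty $TcpipKey -Name 'NV Domain' -Value $Suffix
    Set-ItemProperty $TcpipKey -Name 'Domain'    -Value $Suffix
    Write-Host "Primary DNS suffix set to $Suffix (was '$current'); reboot before installing the Edge role."
}

# 2. Hosts entries for each Hub Transport. These are the only way the Edge
#    resolves the Hubs in this design, so the suffix plays no part in that lookup.
$hostsText = Get-Content $HostsFile
foreach ($hub in $Hubs.Keys) {
    $pattern = '^\s*' + [regex]::Escape($Hubs[$hub]) + '\s+' + [regex]::Escape($hub) + '\s*$'
    if (-not ($hostsText -match $pattern)) {
        Add-Content $HostsFile ("{0}`t{1}" -f $Hubs[$hub], $hub)
        Write-Host "Added hosts entry $($Hubs[$hub]) $hub"
    }
}

# 3. Verify: each Hub name resolves to its hosts-file address (the resolver
#    consults hosts before DNS, suffix or no suffix) and SMTP (tcp/25) is
#    reachable, which the Hub <-> Edge connectors need through the DMZ firewall.
foreach ($hub in $Hubs.Keys) {
    $addrs = [System.Net.Dns]::GetHostAddresses($hub) | ForEach-Object { $_.IPAddressToString }
    $state = if ($addrs -contains $Hubs[$hub]) { 'OK' } else { 'MISMATCH' }
    Write-Host ("{0} -> {1} : {2}" -f $hub, ($addrs -join ','), $state)

    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($Hubs[$hub], 25); Write-Host "  tcp/25 reachable" }
    catch   { Write-Host "  tcp/25 NOT reachable: $($_.Exception.Message)" }
    finally { $client.Close() }
}

# 4. The Edge server's own FQDN = hostname + suffix. The Hub servers must resolve
#    this name (DNS or their own hosts file) for EdgeSync, and by default the Edge
#    advertises it in SMTP, which is where an internal suffix would leak.
$fqdn = ("{0}.{1}" -f $env:COMPUTERNAME, $Suffix).ToLower()
Write-Host "Edge FQDN after reboot: $fqdn  (Hubs need a DNS or hosts entry for this name)"
```

The hosts-file lookups in step 3 return the same addresses no matter what is in `$Suffix`, which is the asker's "logically irrelevant" point made visible; step 4 is the part the suffix actually decides, and is where the choice between internal, external or arbitrary shows up to the outside world.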

Author commented:
Hi Doc,

Thanks for the info and sorry for the delay -  anti-spam picked up the notification.

That all seems logical to me but is there really no better justification for one over the other? It seems that you would never use the internal DNS suffix but this is precisely what I have seen some people suggest. Maybe they are just wrong!

Accepting that it is, at best, pointless to use the internal suffix, is there any reason why the external suffix is preferable to an arbitrary suffix?

To me there seems to be no reason to favour one over the other. My concern comes with Microsoft's repeated admonitions to ensure you configure the 'correct' DNS suffix. This implies there is an incorrect way to do it!

Thanks and sorry again for the delay.

Phill.

Author commented:
Unfortunately, I still haven't seen any explanation of why you would choose your external DNS suffix over an arbitrary one, so the question hasn't been fully answered. I suspect no one really knows and just does whatever seems best to them.

In the end it doesn't really matter. Use your external suffix - it will work fine.

Author commented:
Thanks to Doc but I didn't get an answer to part of the question and the reason I put up the full 500 was because it was a multi-part question.
