Solved

isa 2006 - dns publishing rule query

Posted on 2012-04-10
669 Views
Last Modified: 2012-04-14
Hi, I have successfully configured my Win 2003 DC, which gets its internet access via my Win 2003/ISA 2006 Standard 2-NIC member server.

I have successfully configured 'DNS Server' publishing as per my instructions from this URL:

- http://support.microsoft.com/kb/837833

I realise the below instructions would not work from an 'internet cafe', as I would not be allowed to change their IP addressing scheme and their machines would not be recognised on my network!!!!

If I was a VPN user this scenario below would not fit, although I could allocate a static address; but as my network is on a domain & ISA 2006/VPN/Windows group configuration, I would not be able to 'browse' to my laptop as it would not be on my 'master DC/DNS', although yes, 'DHCP' does allocate my VPN an address, either dynamically or a static address!!

Question 1.
So can anyone advise what scenario I'm missing to fit with the below instructions?
1. Click the Firewall Policy tab, right-click the new server publishing rule that you created, and then click Properties.
2. Click the From tab, click Anywhere, click Remove, and then click Add.
3. In the Network entities dialog box, click New, and then click Computer.
4. In the Name box, type a descriptive name for the new computer rule element, type the computer's IP address in the Computer IP Address box, and then click OK.
5. Expand Computers, click the new computer element that you created, click Add, and then click Close.
6. Click OK.
7. Click Apply to save your changes and to update the firewall policy, and then click OK.
Question by: mikey250
9 Comments
 
LVL 3

Expert Comment

by:chris-burns
Can I check.

I am unsure from your question. Are you planning on publishing your internal DNS server to the internet? Assuming this is the case, you know this is a bad idea, don't you?

If it is just for your VPN clients they will use your DNS server as soon as they are logged in.

Again, I may have misunderstood your question...
 

Author Comment

by:mikey250
Hi, apologies for the confusion!!! :)

Test 1: visited a remote friend's house and used their internet by connecting my laptop/VPN successfully and accessing, saving & copying files!

Test 2: as a temporary measure, used my laptop/VPN connected to my 3 mobile phone and accessed, saved and copied files successfully!

Next task below:

Why does ISA 2006 offer the below if it is not recommended, as VPN is maybe the preferred method? uuuummmm

- 'DNS Server' publishing - configured but fails
- 'HTTPS Server' publishing - not configured, as I need a website, I think

I'm sure I read yesterday that DNS zone transfers could take place by a hacker if DNS Server/HTTP Server publishing was used!!!!!

Hence my main thread shows steps 1-7 to allocate a 'static address', but this would not be relevant for an 'internet cafe' as they use their own IP address scheme!!!!!!!!!!!! uuuuummmm
 
LVL 3

Accepted Solution

by: chris-burns (earned 333 total points)
Hi,

Just because ISA allows it does not mean it is a good idea. When I set my ISA up I did not even think about exposing my internal DNS servers.

"I'm sure I read yesterday that DNS zone transfers could take place by a hacker if DNS Server/HTTP Server publishing was used!!!!!" Very true, which is why I would not do this.

I ended up with a split-brain DNS. I kept internal DNS internal and used ZoneEdit or an external server for outside DNS.

I would suggest this is the path you follow, just to be on the safe side.
 

Author Comment

by:mikey250
Hi Chris, yes I had a browse of this URL yesterday but did not read it all:

- http://www.isaserver.org/tutorials/you_need_to_create_a_split_dns.html

I will put it on my to-do list!!!

Question 1.
What companies would even do this then, although you say avoid it altogether?
 
LVL 29

Assisted Solution

by: pwindell (earned 167 total points)
I want to second chris-burns' comment.

Publishing DNS? You... just... don't!

Chris is laying out the correct process.

"Question 1. What companies would even do this then, although you say avoid it altogether?"


In all the years I have dealt with this, which is getting close to a decade and a half, I am still waiting to find a company that really should do it. I haven't met one yet. A lot of companies do things that are not such a great idea, even large companies.

A company might have to have a DNS available to the public if they handle their own DNS hosting for their own public namespace, but, one, that's rare, and two, even then it would be a standalone DNS placed on the "outside" of their network; it would not be their internal DNS.
 

Author Comment

by:mikey250
OK, I can accept what you say!!!!!!!! No problems!! :)

I just wish I knew why, after configuring it in the firewall policy, it isn't until the next day that 'publishing failure' shows, but it has repeat entries where it has automatically 're-sync'd' itself and appears OK!

Every time I learn something I like to know that at least I can configure it rather than just chat about it!! That's all!!

The same with 'HTTPS Server' as well, but I gather I need a website for that!! ?

Then I can close this thread once and for all and get out of my ignorant phase!! :)
 

Author Comment

by:mikey250
Hi Chris & pwindell, I've just been going through my ISA 2006 video course and my notes and found the following information regarding 'DNS zone transfers'.

In ISA 2006, under the Configuration/General option on the left-hand side, I selected under 'Additional Security Policy':

Enable Intrusion Detection & DNS Attack Detection, and 2 tabs show:

- Common Attacks tab: self-explanatory
- DNS Attacks tab: DNS zone transfer - not ticked by default, so 'zone transfers' could happen, but if 'ticked', 'DNS zone transfer' would not be allowed, according to the video's verbal explanation!!!

So I assume from the above that if I wanted public users or an external company that was not part of my network, then other than using a 'VPN' I could then do this!!

Can anyone advise? :)
 
LVL 3

Assisted Solution

by: chris-burns (earned 333 total points)
I think if you had a dedicated DNS server on your network that was not attached to your AD, and its sole purpose was to provide outside resolution, then this would apply.

But I get the impression this is not what you want to do. Based on your question above, you appear to want to expose your AD DNS. Even without a zone transfer you are still exposing some potentially sensitive information. AD DNS holds a lot of information about the make-up of your internal network.

If I was running my own public DNS server on a Microsoft OS, I would certainly place the server behind an ISA box and use the protection mechanisms mentioned above. But I would certainly not allow my AD DNS to be seen by the outside world, regardless of the protections offered.

The other thing is, your AD DNS should be resolving to your internal IP addresses. If you were to try and resolve them from outside, the routing would not work. You would need to expose external IP addresses... then in that case your internal clients would be picking up an external address and would not route properly.

Whilst technically it is possible, I really don't know why you would.

If you don't want to have an external company provide DNS for you, then set up a second, non-AD-connected box in your DMZ with DNS installed, then use the above protection mechanisms.

Chris

EDIT: I did type this quite quickly, so apologies for any grammar or spelling mistakes.
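Taken together, chris-burns' two answers describe a split-brain setup: a standalone, file-backed DNS server in the DMZ that holds only public addresses, with zone transfers locked down on the server itself as well as in ISA's DNS Attacks filter. The script below is an added example, not code from the thread or from Microsoft; the server names, zone names and addresses are constructed placeholders, and it assumes dnscmd.exe from the Windows Server 2003 Support Tools is available.

```powershell
# Added example (not from the thread or from Microsoft): split-brain DNS on Windows Server 2003
# using dnscmd.exe (Windows Server 2003 Support Tools). All names and addresses are constructed:
# public zone "example.com", hosts in the RFC 5737 documentation range 203.0.113.0/24,
# internal AD zone "corp.example.local" on DC "DC1". dnscmd takes the target server as its
# first argument, so this can be run from one admin box against both servers.

$PublicZone   = "example.com"
$DmzDns       = "DMZDNS1"        # standalone (non-AD) DNS box published by ISA, assumed name
$InternalDc   = "DC1"            # AD DC/DNS server, never published, assumed name
$InternalZone = "corp.example.local"
$Secondary    = "203.0.113.5"    # the only host allowed to pull a transfer, constructed

# --- DMZ server: the one copy the outside world is allowed to see ---
# An authoritative public server should answer only for its own zones; turning recursion off
# stops it being used as an open resolver once the port is published.
dnscmd $DmzDns /Config /NoRecursion 1

# Standard file-backed primary zone: no AD integration, so nothing from the
# directory-backed internal zone can surface through it.
dnscmd $DmzDns /ZoneAdd $PublicZone /Primary /file "$PublicZone.dns"

# Records carry PUBLIC addresses only; internal hosts are simply absent from this zone,
# which is what avoids the "internal clients pick up an external address" problem.
dnscmd $DmzDns /RecordAdd $PublicZone "@"    NS "ns1.$PublicZone."
dnscmd $DmzDns /RecordAdd $PublicZone "ns1"  A  203.0.113.2
dnscmd $DmzDns /RecordAdd $PublicZone "www"  A  203.0.113.10
dnscmd $DmzDns /RecordAdd $PublicZone "@"    MX 10 "mail.$PublicZone."
dnscmd $DmzDns /RecordAdd $PublicZone "mail" A  203.0.113.20

# Zone transfers (the thread's concern): forbid them outright, or allow only an explicit
# secondary. Use one or the other; whichever runs last is what the zone keeps.
dnscmd $DmzDns /ZoneResetSecondaries $PublicZone /NoXfr
# dnscmd $DmzDns /ZoneResetSecondaries $PublicZone /SecureList $Secondary /NotifyList $Secondary

# --- Internal DC: stays unpublished, and gets the same transfer lock-down as defence in depth ---
dnscmd $InternalDc /ZoneResetSecondaries $InternalZone /NoXfr

# --- Check what each server actually reports (SecureSecondaries, file-backed, recursion) ---
dnscmd $DmzDns /ZoneInfo $PublicZone
dnscmd $DmzDns /Info NoRecursion
dnscmd $InternalDc /ZoneInfo $InternalZone
# The ISA "DNS Attacks" tick box for zone transfers sits in front of the DMZ box as a second
# layer; it does not replace the server-side setting above.
```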
 

Author Comment

by:mikey250
Thanks for that!!