External DNS & smtp relay

rileymartin Member Posts: 12
Hi,

We purchased a static IP address and cable modem service and need to install
an external DNS server and an SMTP relay service for an internal email
server.

I am using private IPs for my internal network and will utilize a second
router with NAT overload and access lists to better protect my internal
network. My internal DNS servers will use an internal name space and my
external DNS server will use a totally separate DNS name space without active
directory.

I would like to use Windows 2003 Server and turn on the firewall/ICS
that comes with SP2. I looked up information on TechNet for securing 2003
and DNS and didn't find any really good documents. What I did find was
general information on Windows firewall/ICS and the general best practices
for DNS I have listed below. Does anyone have any recommendations they can
provide? Thanks.

1) Protect the DNS infrastructure of your organization by utilizing an
internal root and name space.
2) Only the external DNS server is configured with Internet root hints.
3) All internal DNS servers are configured only with the root hints pointing
to the internal DNS servers hosting the root zone for your internal name
space.
4) All DNS servers run on domain controllers with all DNS zones stored in
Active Directory. Active Directory DACLs are utilized to secure
administration of DNS. All DNS servers are configured with NTFS as the file
system.
5) External DNS resolution is only performed by your external DNS server.
The internal DNS servers point to the external DNS server.
6) Internal DNS servers are configured to only permit zone transfers to
specific internal DNS servers.
7) The default setting of cache pollution prevention is enabled.
8) UDP/TCP port 53 is only open between one of your internal DNS servers and
only your external DNS server through a firewall in your DMZ.
9) Only secure dynamic DNS updates are allowed for all zones except for the
top-level and root zones, which do not allow dynamic updates at all.
10) All Internet name resolution is performed using proxy servers and
gateways.
11) Utilize Windows Firewall and create exceptions only for DNS ports TCP
and UDP port 53.
Riley
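As an added example (not from the original post or from TechNet), here is what the firewall and DNS items in that list come down to on the Internet-facing box, typed into cmd.exe on Windows Server 2003 using the SP1+ `netsh firewall` context and `dnscmd.exe` from the 2003 Support Tools. The zone name, listen address, secondary and internal server addresses are assumed placeholders.

```batch
@echo off
REM Added example (not from the original post): harden the external
REM Windows Server 2003 DNS server with the built-in Windows Firewall and
REM dnscmd.exe. Zone name and addresses are assumed placeholders.

setlocal
set EXT_ZONE=example.net
set EXT_LISTEN_IP=203.0.113.10
set SECONDARY_DNS=198.51.100.20
set INTERNAL_DNS=192.168.10.5

REM ---- Windows Firewall (items 8 and 11) ----
REM "netsh firewall" is the XP SP2 / 2003 SP1+ context; "netsh advfirewall"
REM only exists on Vista / 2008 and later. This firewall filters inbound
REM traffic only, so outbound control stays on the NAT router's access lists.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

REM Drop the built-in service exceptions; a DNS box in the DMZ needs none.
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL
netsh firewall set service type=REMOTEADMIN mode=DISABLE profile=ALL
netsh firewall set service type=REMOTEDESKTOP mode=DISABLE profile=ALL
netsh firewall set service type=UPNP mode=DISABLE profile=ALL

REM The only exceptions: DNS over UDP and TCP 53. Internet resolvers must
REM reach the authoritative zone, and they fall back to TCP 53 for answers
REM that do not fit in a UDP packet, so both stay open to ALL here; the
REM rule that only %INTERNAL_DNS% may talk to this box from inside (item 8)
REM belongs on the DMZ firewall, which sees the internal interface.
netsh firewall add portopening protocol=UDP port=53 name="DNS (UDP)" mode=ENABLE scope=ALL profile=ALL
netsh firewall add portopening protocol=TCP port=53 name="DNS (TCP)" mode=ENABLE scope=ALL profile=ALL

REM Log dropped packets so the DMZ firewall rules can be checked against reality.
netsh firewall set logging filelocation=%SystemRoot%\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE

REM ---- DNS service (items 6, 7 and 9) ----
REM Answer only on the public address, not on every address of the box.
dnscmd /ResetListenAddresses %EXT_LISTEN_IP%

REM Cache pollution protection (item 7). It is the default; setting it
REM explicitly makes the state survive a rebuild from notes.
dnscmd /Config /SecureResponses 1

REM Zone transfers only to the named secondary, and NOTIFY only it (item 6).
dnscmd /ZoneResetSecondaries %EXT_ZONE% /SecureList %SECONDARY_DNS% /NotifyList %SECONDARY_DNS%

REM The external zone is a standard primary without Active Directory, so
REM "secure only" updates are not available; turn dynamic updates off (item 9).
dnscmd /Config %EXT_ZONE% /AllowUpdate 0

REM Optional: an authoritative-only server should refuse recursive queries
REM from the Internet. Leave this commented out if the internal servers are
REM meant to forward to this box (item 5); 2003 DNS cannot limit recursion
REM by source address, so in that case only the DMZ firewall keeps it from
REM being an open resolver.
REM dnscmd /Config /NoRecursion 1

REM ---- Verify ----
dnscmd /Info /SecureResponses
dnscmd /Info /ListenAddresses
dnscmd /ZoneInfo %EXT_ZONE% /SecureSecondaries
dnscmd /ZoneInfo %EXT_ZONE% /AllowUpdate
netsh firewall show config
endlocal
```

Run it as a local administrator on the external server after the zone has been created; the verification commands at the end print the values just set (SecureResponses 1, SecureSecondaries showing the secure list, AllowUpdate 0), and `netsh firewall show config` should list only the two port-53 openings.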