Re: [exim] check_srv anyone?

Author: Edgar Lovecraft
To: Exim users
Subject: Re: [exim] check_srv anyone?
John Horne wrote:
>

..[snip]...
>
> My concern is that a sending site may well want to secure their MS
> servers as much as possible (understatement??), and that includes no
> external access to its DNS zone if the records are only used by their
> own users/servers. As such I suspect this (SRV lookup) would be a common
> problem, and for us to ask them to open up their server for us to
> resolve the DNS records is of course not on. So perhaps
> 'srv_fail_domains' should default to '*'?


And that is where the problem is... not with securing the servers,
but being too lazy, or inexperienced, or underqualified where the DNS
administration comes in...

What they need to do (and MS documents this VERY well) is set up
a split DNS, one for the internal Windows domain structure, and another
for the public internet at large. The private DNS zone(s) should only
give out information relevant to the internal hosts, and the external,
or public DNS zone(s) should only give out information relevant to the
public at large. This can include SRV records, but the SRV data needs
to point to external hostnames, IP addresses, data, etc.

This is no different than any other type of internal/external/dmz style
DNS information, it just happens that most people, unfortunately, do
not understand that Windows Active Directory has to have this in some
form (unless of course the AD is external only or internal only, etc.).

Just by having the DNS structure visible to the public internet does
not make anything inherently less secure, as long as you consider
what information you are giving out, but here again, this is why
it is better to have one DNS server for external resolvers, and another
DNS server for internal resolvers, etc.

The biggest problem I have seen with Windows AD installations is that
the installer/maintainer just does not have enough understanding of
DNS; Windows AD Domains just plain do not work correctly unless the
underlying DNS structure is designed properly and works properly.

Anyway... I guess we are way off topic for the Exim list now :P

--

--EAL--
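To make the split-DNS arrangement described in the post concrete, here is an added example (not from the post, the Exim project, or Microsoft's documentation) of a BIND named.conf with two views plus the two zone files they load. It assumes the placeholder domain example.com, an internal network of 10.0.0.0/8, documentation addresses from 203.0.113.0/24, and constructed host names; only the external view carries the _smtp._tcp SRV record that a remote Exim check_srv lookup would see, and it points at a public name.

```conf
// named.conf fragment (added example; example.com, 10.0.0.0/8 and all
// host names and addresses are placeholders). Clients on the internal
// network get the internal view; everyone else gets the external view.
acl internal-nets { 10.0.0.0/8; 127.0.0.1; };

view "internal" {
    match-clients { internal-nets; };
    recursion yes;                      // internal hosts may recurse here
    zone "example.com" { type master; file "db.example.com.internal"; };
};

view "external" {
    match-clients { any; };
    recursion no;                       // public face: authoritative only
    zone "example.com" { type master; file "db.example.com.external"; };
};

; ---- db.example.com.external: public names and addresses only ----
$TTL 3600
@      IN SOA ns1.example.com. hostmaster.example.com. ( 1 3600 900 1209600 300 )
       IN NS  ns1.example.com.
       IN MX  10 mail.example.com.
; SRV record for SMTP, resolvable from outside; it points at the public
; mail host, never at an internal AD name or a private address.
_smtp._tcp IN SRV 10 0 25 mail.example.com.
ns1    IN A  203.0.113.1
mail   IN A  203.0.113.25

; ---- db.example.com.internal: AD names and private addresses, never published ----
$TTL 3600
@      IN SOA dc1.example.com. hostmaster.example.com. ( 1 3600 900 1209600 300 )
       IN NS  dc1.example.com.
       IN MX  10 mail.example.com.
; AD-style SRV records stay in the internal view only.
_ldap._tcp      IN SRV 0 100 389 dc1.example.com.
_kerberos._tcp  IN SRV 0 100 88  dc1.example.com.
_smtp._tcp      IN SRV 10 0  25  mail.example.com.
dc1    IN A  10.0.0.10
mail   IN A  10.0.0.25
```

With this layout an external resolver querying _smtp._tcp.example.com gets an answer that resolves to a public address, so a remote Exim router using check_srv does not need srv_fail_domains to cover the domain, while the AD records remain invisible from outside.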