How do you manage dns in dmz perimeter?

acesea

Our ISP may offer to provide reverse DNS delegation. Looking for the best solution for our DMZ network with some mail transport and web servers using several different aliasing domain names. Will test in an ESXi lab, then move to ESXi production. I have no experience with domain name servers beyond internal Microsoft Active Directory ecosystems.

What would I need to have prepared for when applying for reverse DNS delegation through the ISP? Any additional configurations recommended for peak synergy between the perimeter DNS coexisting with Edge Transport in the DMZ serving several domain aliases and the internal LAN Windows 2008 R2 DNS?

PowerDNS, BIND9, MyDNS, djbdns, and NSD all appear relatively solid. Wanting to start with some training wheels before going hardcore or CLI, unless there's a good resource that'll quickly equip my mental and XP.

Heard of Simple Management for BIND aka Smbind which is a PHP-based tool for managing DNS zones for BIND via the web. http://sourceforge.net/projects/smbind/. Also found a friendly web interface for PowerDNS https://www.poweradmin.org/trac/.

Open to all comments and OS platforms, as well as who and why I should entertain offsite hosted DNS in the cloud. Thanks.
 
I can answer questions if you want to be a bit more specific; for now it sounds like you should just do some reading up on DNS hosting. Generally, unless you own the IP block, your ISP will maintain control of your PTR records for you; it's not really that much of a hassle.
I personally use pDNS backed by BIND9 on CentOS for my production DNS server, Windows Server DNS internally.
BIND isn't really very complex, easy to manage by itself. I use SVN (Subversion) for my version control with BIND, just do an SVN CO via shell script to update my records and then restart my pDNS service gracefully to load the new records.
I've also done pDNS backed by MySQL, which is nice; current employer just happened to be set up this way so I'm fine with continuing it, only a few hundred domains, so whatever.
 
The ISP owns and controls the IP blocks as well as the PTR record. However, they have offered to provide me reverse delegation, and so I was investigating how to take advantage of this and what this may entail. Specifically, what provoked this interest was that I will be adding a lot more domain aliases for some Exchange mailboxes. I was assuming there to be a more elegant solution instead of purchasing more public static IPs for each domain, establishing each with valid PTR records, etc., and routing everything accordingly.

Am I going about this incorrectly? Does reverse delegation have nothing to do with the ability to validate PTR records? What are the best options for setting up an Exchange Edge Transport with several domain aliases? Any particular Exchange smart hosts or hosted DNS services I should review?

Thanks
 
I think you need multiple IPs for this; if you have multiple PTRs for the same IP, the DNS server treats them as round-robin (load balances with DNS)

...so when someone does an rDNS lookup, and your public IP 1.1.1.1 has PTR records for mx.company.com, mx.company1.com and mx.company2.com, it's going to get one of the three, not all three, and fail 2/3 of the time
 
Hosting the PTR record is no different than hosting a forward zone. When someone asks what the forward record for 1.1.1.1 is, it's delegated to you, then you respond with a hostname. Nothing more, nothing less. Round-robin rDNS records are perfectly legal, but there's no practical application for it.

For what it sounds like you're trying to do, I would route all the mail out a single SMTP relay host (edge server(s) or appliance(s) that can talk AD) and have the forward and reverse records match (somesmtphost.hostingsolution.com/1.1.1.1). Do the same for the MX records or, if you have enough traffic, separate them (separate MX and SMTP hosts).

Set up SPF records for each domain.

Basically, think of yourself as a small-size cudamail or mailstreet. The MX records for all their hosted domains all point to the same addresses (basically). The reverse matches each specific host (load balances probably). It's just as simple as it sounds :)

Also, please don't ever use the term "peak synergy" ever again. Thanks :)

edit: I would have your DNS on at least 2 separate networks, so personally I would host my own and then use someone like OpenDNS to host a secondary that I send notifications to.
 
I think you need multiple IPs for this; if you have multiple PTRs for the same IP, the DNS server treats them as round-robin (load balances with DNS)

...so when someone does an rDNS lookup, and your public IP 1.1.1.1 has PTR records for mx.company.com, mx.company1.com and mx.company2.com, it's going to get one of the three, not all three, and fail 2/3 of the time

I don't see failing 2/3 of the time as a practical solution when that implies lots of outgoing emails being flagged as spam due to invalid reverse lookup.


Hosting the PTR record is no different than hosting a forward zone. When someone asks what the forward record for 1.1.1.1 is, it's delegated to you, then you respond with a hostname. Nothing more, nothing less. Round-robin rDNS records are perfectly legal, but there's no practical application for it.

For what it sounds like you're trying to do, I would route all the mail out a single SMTP relay host (edge server(s) or appliance(s) that can talk AD) and have the forward and reverse records match (somesmtphost.hostingsolution.com/1.1.1.1). Do the same for the MX records or, if you have enough traffic, separate them (separate MX and SMTP hosts).

Set up SPF records for each domain.

Basically, think of yourself as a small-size cudamail or mailstreet. The MX records for all their hosted domains all point to the same addresses (basically). The reverse matches each specific host (load balances probably). It's just as simple as it sounds :)

Also, please don't ever use the term "peak synergy" ever again. Thanks :)

edit: I would have your DNS on at least 2 separate networks, so personally I would host my own and then use someone like OpenDNS to host a secondary that I send notifications to.

I blame using the term on being very tired/sleep deprived and attempting to get thoughts across. At that moment it did have a nice ring to it ;)

The issue is with outgoing mail getting flagged as spam by other mail servers performing filtering. If I only have one SMTP edge with matching forward and reverse (smtp.domain1.com/1.1.1.1), how do I manage SPF for a mailbox set to send email from an alias domain2.com that I also own? With only one SMTP edge, the sent message leaves 1.1.1.1 and the receiving SMTP server will see it from IP 1.1.1.1 and flag it as spam, since the rDNS for this IP is domain1.com and not domain2.com as per the email message.

I know forward resolution is simple in setting the A and MX records for the domain forward zone to point to the Edge Transport server. But what is the elegant solution for dozens of alias TLDs that send email out through one Edge Transport with one forward and reverse lookup zone?

Is there anything I can configure on the Edge Transport mail server or pfSense firewall to send outbound smtp.domain2.com messages out from 1.1.1.2 and then set this IP's reverse lookup to point to domain2.com?
 
The issue is with outgoing mail getting flagged as spam by other mail servers performing filtering. If I only have one SMTP edge with matching forward and reverse (smtp.domain1.com/1.1.1.1), how do I manage SPF for a mailbox set to send email from an alias domain2.com that I also own? With only one SMTP edge, the sent message leaves 1.1.1.1 and the receiving SMTP server will see it from IP 1.1.1.1 and flag it as spam, since the rDNS for this IP is domain1.com and not domain2.com as per the email message.

All you do is create an SPF record in each domain zone for the SMTP server name/address that's allowed to send mail for that domain.

So each domain would have the same SPF record since each domain is using the same IP to send mail.

The hostname / domain name relationship is irrelevant. smtp.foobarblah.com can send mail for microsoft.com if you control the microsoft.com and foobarblah.com zones.
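As an added example (not code from this thread or from anyone in it), here is a small offline model of the two receiver-side checks the thread keeps coming back to: Rosco's point that round-robin PTRs on one IP only match the announced name some of the time, and squishy's answer that one shared SPF record per domain zone lets a single relay send for all of them. The records, hostnames and IPs are constructed placeholders taken from the thread, not real zones.

```python
import ipaddress

# Constructed records (placeholders from the thread, not real zones): one relay
# at 1.1.1.1 sends for domain1.com and domain2.com, has a single PTR, and each
# domain zone carries the same SPF TXT record authorising that IP.
GOOD = {
    ("smtp.domain1.com", "A"): ["1.1.1.1"],
    ("1.1.1.1.in-addr.arpa", "PTR"): ["smtp.domain1.com"],
    ("domain1.com", "TXT"): ["v=spf1 ip4:1.1.1.1 -all"],
    ("domain2.com", "TXT"): ["v=spf1 ip4:1.1.1.1 -all"],
}
# Same IP with three round-robin PTRs, the setup the thread warns against.
ROUND_ROBIN = dict(GOOD)
ROUND_ROBIN[("1.1.1.1.in-addr.arpa", "PTR")] = [
    "mx.company.com", "mx.company1.com", "mx.company2.com"]
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(records, name, rtype):
    return records.get((name.lower(), rtype), [])

def ptr_names(records, ip):
    # reverse_pointer builds the in-addr.arpa name, e.g. 1.1.1.1.in-addr.arpa
    return lookup(records, ipaddress.ip_address(ip).reverse_pointer, "PTR")

def helo_matches_ptr(records, ip, helo, rotation=0):
    """A receiver that trusts the first PTR it gets; rotation models round-robin."""
    names = ptr_names(records, ip)
    return bool(names) and names[rotation % len(names)] == helo.lower()

def ptr_match_rate(records, ip, helo):
    """Fraction of round-robin rotations in which the PTR matches the HELO name."""
    n = len(ptr_names(records, ip))
    if n == 0:
        return 0.0
    return sum(helo_matches_ptr(records, ip, helo, r) for r in range(n)) / n

def spf_check(records, domain, ip):
    """Minimal SPF evaluation: ip4 mechanisms (optional CIDR) and the 'all' term."""
    txt = [t for t in lookup(records, domain, "TXT") if t.startswith("v=spf1")]
    if not txt:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in txt[0].split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech == "all":
            return QUALIFIERS[qual]
        if mech.startswith("ip4:") and addr in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qual]
    return "neutral"
```

With the single PTR, the HELO name matches every time and domain2.com passes SPF from 1.1.1.1 even though the PTR says domain1.com; with three round-robin PTRs the match rate drops to one in three, which is the failure the thread describes.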
 
All you do is create an SPF record in each domain zone for the SMTP server name/address that's allowed to send mail for that domain.

So each domain would have the same SPF record since each domain is using the same IP to send mail.

The hostname / domain name relationship is irrelevant. smtp.foobarblah.com can send mail for microsoft.com if you control the microsoft.com and foobarblah.com zones.

Thanks, squishy. I thought it'd be more complex than adding a TXT entry in each DNS zone.

So just to get closure on my previous ill thoughts: reverse delegation would only afford me the ability to provide reverse lookup for an IP to one unique name. What utility do folks get from being delegated reverse lookup? Disintermediating the ISP?
 
Convenience, really; I'm not sure too many people do it anymore. The last time I delegated PTR records from the ISP was *long* before any front-ends existed, so it was either open a ticket with the provider and wait 3 days or have it delegated to me. Nowadays I'd rather just use the ISP's web interface; I have enough to manage already. In all honesty, I'd just let the ISP keep it as long as you have a reasonable interface to it.

And you're welcome, any time.
 
Honestly, it looks like you'd rather have the control but not the hassle of managing the infrastructure. Ask your ISP if they offer hidden primary setups where you feed their DNS servers with your own zones.

The zone would contain NS records pointing to your ISP's name servers, so when you update it locally your DNS server would automatically notify their servers.

Edit: Reverse lookups are normal lookups. When you ask for www.hardforum.com, you ask for an A record for www.hardforum.com. When you ask for the reverse of 1.2.3.4, what you're really asking for is a PTR record for 4.3.2.1.in-addr.arpa.
 
Wow, did not know you could delegate reverse lookups.

Now requesting my ISP to point my /24 to DNS Made Easy.
 