I found that when I used Google's DNS Servers that my Exchange 2003 IMF
Connection Filtering RBL's (specifically zen.spamhaus.org) were not always
working properly and were allowing spam to pass through. Apparently there
is something in Google's DNS service that prevents a propery query to
zen.spamhaus.org. Switching to another DNS (Open DNS) corrected the problem
for me.
I only mention spamhaus because they have a quick and simple test
capability:
http://www.spamhaus.org/faq/answers.lasso?section=Spamhaus%20SBL#207
It was easy for me to see immediately that the DNS change fixed the problem.
If you are using Google's DNS and using the Exchange 2003 IMF you might want
to test your RBL's to see if they are working properly.
I remember reading about this issue with Google, as well. It has to do with
the type of DNS servers Google uses. Good you found a work around.
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.
Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
From their FAQ:
Your DNSBL blocks nothing at all!
Check what DNS resolvers you are using: If you are using a free "open DNS
resolver" service such as Google Public DNS or Level3's public DNS servers
to resolve your DNSBL requests, in most cases you will receive a "not
listed" (NXDOMAIN) reply from Spamhaus' public DNSBL servers. Please use
your own DNS servers when doing DNSBL queries to Spamhaus.
"Ace Fekay [MCT]" <ace...@mvps.RemoveThisPart.org> wrote in message
news:ul13EUNh...@TK2MSFTNGP02.phx.gbl...
Thank you for posting this info. I hope it helps others when they search for
this issue.
:-)
Acee
--
Russell Grover - SBITS.Biz [SBS-MVP]
Microsoft Gold Certified Partner
Microsoft Certified Small Business Specialist
World Wide 24hr SBS Remote Support - http://www.SBITS.Biz
30% OFF Microsoft Online Services -
http://www.microsoft-online-services.com/
"Ace Fekay [MCT]" <ace...@mvps.RemoveThisPart.org> wrote in message
news:u32Bfnch...@TK2MSFTNGP02.phx.gbl...
I know a few colleagues using it. Works nicely. :-)
Ace
--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
"Russ SBITS.Biz [SBS-MVP]" <ru...@REMOVETHIS.sbits.biz> wrote in message
news:4754ABCD-5178-4E32...@microsoft.com...
I'm more in love with the Blocking of "BAD" Sites
For FREE!
Clients love this... :)
Russ
--
Russell Grover - SBITS.Biz [SBS-MVP]
Microsoft Gold Certified Partner
Microsoft Certified Small Business Specialist
World Wide 24hr SBS Remote Support - http://www.SBITS.Biz
30% OFF Microsoft Online Services -
http://www.microsoft-online-services.com/
"Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
news:O27j4Jrh...@TK2MSFTNGP06.phx.gbl...
Once you turn it off, you'll see NXDOMAIN when appropriate.
"Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
news:O27j4Jrh...@TK2MSFTNGP06.phx.gbl...
"Chucko" <chu...@myrealbox.com> wrote in message
news:utHdD0xh...@TK2MSFTNGP04.phx.gbl...
--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
"Chucko" <chu...@myrealbox.com> wrote in message
news:utHdD0xh...@TK2MSFTNGP04.phx.gbl...
I'm not against using OpenDNS, just pointing out some potential side
effects. OpenDNS is an opt in product. What's really bad is when your ISP
does DNS injection without telling you.
--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
"Russ SBITS.Biz [SBS-MVP]" <ru...@REMOVETHIS.sbits.biz> wrote in message
news:C837762B-A1FA-4205...@microsoft.com...
I have most of them added as networks under a single account so with one
login I can administer and view stats.
Additionally, the Open DNS system will even monitor the networks and provide
me with a warning if a PC on one of those networks appears to be infected
with malware (they can tell by the DNS requests and where those DNS requests
are directed).
Pretty good stuff, and priced reasonably.
"Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
news:%233551By...@TK2MSFTNGP05.phx.gbl...
--
Russell Grover - SBITS.Biz [SBS-MVP]
Microsoft Gold Certified Partner
Microsoft Certified Small Business Specialist
World Wide 24hr SBS Remote Support - http://www.SBITS.Biz
30% OFF Microsoft Online Services -
http://www.microsoft-online-services.com/
"Chucko" <chu...@myrealbox.com> wrote in message
news:Oelmscyh...@TK2MSFTNGP06.phx.gbl...
http://www.circleid.com/posts/nxdomain_substitution_good_or_evil/
Again, OpenDNS does this but it can be turned off and OpenDNS is an opt in
service. It is important to be aware of of the consequences of DNS injection
but in the case of OpenDNS it may be justified.
--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
"Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
news:eHhFiByh...@TK2MSFTNGP05.phx.gbl...
Russ
--
Russell Grover - SBITS.Biz [SBS-MVP]
Microsoft Gold Certified Partner
Microsoft Certified Small Business Specialist
World Wide 24hr SBS Remote Support - http://www.SBITS.Biz
30% OFF Microsoft Online Services -
http://www.microsoft-online-services.com/
"Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
news:OGr2d20h...@TK2MSFTNGP04.phx.gbl...
"Russ SBITS.Biz [SBS-MVP]" <ru...@REMOVETHIS.sbits.biz> wrote in message
news:uaKpf60h...@TK2MSFTNGP05.phx.gbl...
> Is this a big issue with you and your clients?
>
Big issue for me. I'm on the Canadian Internet Registration Authority board
of directors. We manage the DNS for the .ca ccTLD. We answer 400,000 DNS
queries per minute and it's some of those answers that are getting modified.
It's a question of trust in the system. DNSSEC will solve this anyway so
it's annoying but it will go away given time.
For my clients it can be an inconvenience. Usually it's just odd NDRs but I
have seen a case where an Exchange server was brought to it's knees because
of not seeing NXDOMAIN responses. Several workstations were infected and
generating a lot of spam email through the Exchange server. Because the
server wasn't seeing any NXDOMAIN replies it kept trying non-existing email
servers. It was easily fixed but for an hour or so no email was flowing.
--
Russell Grover - SBITS.Biz [SBS-MVP]
Microsoft Gold Certified Partner
Microsoft Certified Small Business Specialist
World Wide 24hr SBS Remote Support - http://www.SBITS.Biz
30% OFF Microsoft Online Services -
http://www.microsoft-online-services.com/
"Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
news:epvXYk1h...@TK2MSFTNGP02.phx.gbl...
As I have mentioned, I have several friends using OpenDNS, and they think it
works fine, however not ever having used it, I can't comment much more on
it. I would rather use my own DNS servers internally, and the registrar's
DNS as forwarders. Therefore, depending on how the Exchange server is setup,
meaning that if the SMTP service is configured to use an external DNS, and
is pointed to OpenDNS, then the lack of NXDOMAIN responses may occur, from
what you are saying. But as I said, I don't use OpenDNS and don't really
know. I usually just leave Exchange to use the internal AD servers, with
forwarders, and it works fine.
Ace
Right, see, those DNSBLs allow free use if you keep *under* a given
query rate,
otherwise you'll have to "buy" an account with them so that your DNS IPs
will be
able to query the blacklists w/o restrictions (or, optionally you may
setup your
own rbldnsd and keep a local copy of the BL zones); now... using
whatever
public resolver means that such resolvers may issue a whole lot of
queries
toward the DNSBLs so the total traffic from those open resolvers IPs as
seen
from the DNSBL servers point of view will be above the rate limit and
this in
turn will trigger the rate limiting mechanism resulting in NXDOMAIN
answer
to any query coming from those resolvers IP addresses
The bottom line is that, as long as you have your own DNS server you
should
NOT rely on 3rd party (external) resolvers using them as forwarders but
instead
set up your DNS to carry on the full resolution process; and this is
*especially*
true when it comes to DNS resolvers serving mailservers
The rule of thumb with forwarders is that you should use them only under
one
of the following conditions
* You have a slow internet connection (i.e. dialup, ISDN)
* The external DNS which you use as forwarders are under your direct
control
* You have some special needs which force you to only use forwarders
as a bottom note; if you still want to use forwarders for your DNS, even
if
you don't need them, you'd better setup some conditional forwarding
rules
on your DNS so that queries directed to the DNSBL you are using will be
directly sent to the DNS servers which are authoritative for such zones
Heh... and they'll "monitor" much more than just that <eg>
Not just that; opendns is fast since they extensively use their cache
and to speed up this, they override the TTL values, now, imagine one
of your customers mailserver ending up into a DNSBL just due to some
worm spitting out spam; after a couple hours the folks at your customer
site manage to fix things and to remove the entry from the DNSBL but,
since you are using OpenDNS, the entry will still be cached and you'll
be rejecting the emails
Cool huh ?
I didn't know OpenDNS works like that. Friends use it, however apparently
they do not exceed the limits. I've never used it, nor do I have any plans
to.
And nice hearing from you, Obi! I hope things are going well.
Ace
Heh... Ace, you know enough about DNS to understand that
whoever "fully sees" your queries has a *great* power; and btw,
getting back to ODNS there's also to say that I saw an answer
to a folk regarding the use of ODNS for mailservers and the mail
stated that "in whatever instant opendns may consider queries
as an abuse and blackhole the querying IP or in any case they
may decide to disrupt the service" and this isn't exactly a good
thing if you're trying to run a reliable email service
> And nice hearing from you, Obi! I hope things are going well.
Heh... thanks to Susan for calling me here, I'm no SBS-er but
when I saw her email and your name I couldn't just stay silent :)
hope things are going well on your side too ... and btw a really
merry Christmas (ok... a late one) and very HAPPY new year
and may the coming year bring some peace and happiness
to this poor world !
whooops overlooked that
it's not opendns... the rate limiter is on DNSBL servers
and those see queries coming from ODNS ... and since
there's a bunch of people using ODNS the query rate
quickly goes over the rate limiter
then, btw, ODNS has its own ratelimiter as well, so one
may eventually hit that one and fail each and every dns
query ... w/o any notice :P ... and btw by the time the admin
will realize that there's a DNS failure a bunch of emails will
be lost
I never used ODNS, so this is new to me. Understanding DNS and its
processes, this kind of tells me why would anyone use it? Same with the
DNSBL service.
Thanks to Susan, I'm glad you jumped in on this thread. It helped understand
what is going on. :-)
A belated Merry Christmas to you and yours, and a Happy New Year!
Ace
Interesting. Another reason why DNS injection is not a good thing. DNS is
the underlying glue (pun intended) that holds the Internet together. Messing
with it is never a good thing. FWIW the first thing I do when taking on a
new client is to make sure their DNS is not using any forwarders.
It's easy, Ace, lemme put it plain; let's use spamhaus as the DNSBL
You run a mailserver and your own DNS (no forwarders)
your mailserver uses "zen.spamhaus.org" as one of the DNSBLs
upon incoming connections, your mailserver (the IMF in this case)
runs a query against the auth DNS for "zen.spamhaus.org" to check
if the connecting IP is blacklisted
the auth DNS servers for the spamhaus zone see your IP and keep
a track of the queries you issue, so, if your query/time ratio goes over
a given limit, they suddenly start answering an NXDOMAIN to further
queries
the above never happens to you since your email volume is under
the limit (which is quite high) so you will never see such a behaviour,
otherwise, in case you'll be facing such an issue, this would mean
that you'll need to purchase an account with spamhaus... anyways...
let's look at the above scenario but let's say you use the opendns
servers as your forwarders; your DNS along with some thousands
other systems is using the ODNS resolvers, so the spamhaus auth
DNS will see the queries coming from the ODNS IPs and not from
your own one, this means that the rate limiter will quickly kick in for
the ODNS IPs and this in turn will render the DNSBL queries useless
> Thanks to Susan, I'm glad you jumped in on this thread. It helped
> understand what is going on. :-)
Hehe... she posted a note elsewhere and at first I didn't realize it
was related to an NG thread but when I realized that and saw your
name I immediately jumped in :D
> A belated Merry Christmas to you and yours, and a Happy New Year!
ditto :D !!!!
As I wrote, the use of forwarders makes sense in SOME cases, but
in general, if you have a DNS server it's better setting it up as a full
resolver w/o using ANY forwarders at all; more, if we're talking about
a LAN, the firewall should be configured to BLOCK *all* DNS queries
coming from the internal network and going toward external DNS
servers, such queries should ONLY be allowed to the DNS server(s)
sitting on the LAN; this means blocking any outbound traffic toward
port 53/udp and 53/tcp and allowing it only from the DNS server(s)
We block all DNS queries from all nodes except the DNS server - that
would be the SBS box itself.
Interesting question - SBS and a separate Terminal Server using Open DNS
for web site filtering.
Since the forwarders have to use ODNS's DNS servers, how would you have
SBS not be seen as originating from ODNS when doing RBL checks while
still using ODNS for web blocking?
--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself.
spam9...@rrohio.com (remove 999 for proper email address)
Oh, duh! I misintrepreted DNSBL for some reason. I used various DNSBLs with
the IMF, but have never used ODNS in this respect. I'm curious as to the
limited the various DNSBLs use, such as Spamhaus, Spamcop, etc. I've never
encountered any limits, but then again, for my smaller clients, using the
IMF would never see such a limit. For larger customers that I've worked
with, such as a pharma, we used a third party gateway, one of note was
IronMail from CA. CA uses Trusted Source, which is essentially a pay for
service that is part of the Ironmail purchase/subscription, which has no
limits only because of that reason.
Interesting use limit scenario. So I had to look it up, and found the
following:
The Spamhaus Project - DNSBL Usage Limits
www.spamhaus.org/organization/dnsblusage.html
In summary, the link indicates the service is free unless (quoted):
1. Your use of the Spamhaus DNSBLs is non-commercial*, and
2. Your email traffic is less than 100,000 SMTP connections per day, and
3. Your DNSBL query volume is less than 300,000 queries per day.
As for DNS injection, Network Solutions was doing that a few years ago, but
they wound up removing it after numerous complaints.
Ace
You can find that configuration tab under default SMTP Virtual Server
Properties, Delivery, Advanced, Configure.
That way you can use DNS servers that provide the proper NXDOMAIN response
for the SMTP mail traffic and something like Open DNS for the Server and
Workstations. That is how I normally set it up. I was trying out and
testing the Google DNS servers for SMTP traffic and that is how I found out
about the initial problem.
"Ace Fekay [MCT]" <ace...@mvps.RemoveThisPart.org> wrote in message
news:OzscoG4h...@TK2MSFTNGP06.phx.gbl...
Thanks,
--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
"Chucko" <chu...@myrealbox.com> wrote in message
news:#Y2RcREi...@TK2MSFTNGP02.phx.gbl...
exactly, now, since the spamhaus DNS servers only see the IP of
the querying box, in case your DNS is using the OpenDNS servers
as forwarders, the spamhaus DNS will see the IPs of the OpenDNS
servers since the query "chain" will be
exchange IMF <-> your DNS <-> OpenDNS <-> spamhaus DNS
now, the above means that anyone using the same config will be
seen by the spamhaus DNS with the SAME IP, so even a bunch
of low traffic email servers may quickly go above the allowed
spamhaus query rate (as seen above) and this in turn would
result in NXDOMAIN answers being returned by the spamhaus
DNS servers and btw the same (rate limit) issue is also true for
most/all other DNSBLs not just for spamhaus
bottom line, if one has a DNS server, better using it and not
some external forwarder (set aside the exceptions I listed
into another post in this same thread) since such a setup
will avoid a lot of troubles ... and since with such a setup
YOU will be back in control of YOUR DNS resolution :)
good setup, ensure to do the same for SMTP too :)
> Interesting question - SBS and a separate Terminal Server using Open
> DNS for web site filtering.
uhm... let me understand, you have two servers, one is running sbs
and has its own DNS server w/o any forwarder, another one is used
as a TS and its network settings are configured so that the DNS IPs
point to OpenDNS ? That's totally crazy imHo :( it would badly screw
the AD
> Since the forwarders have to use ODNS's DNS servers, how would
> you have SBS not be seen as originating from ODNS when doing
> RBL checks while still using ODNS for web blocking?
you have TWO solutions
the first one (which I prefer) is to setup a DNS server on the TS,
ensure the TS DNS has a copy of the local AD zones and then
configure it to use ODNS forwarder, next setup the TS machine
to use its own IP as the DNS; this way the SBS box won't be
using OpenDNS while the TS will
the second one is... pointing both SBS and TS to the SBS DNS
then configuring conditional forwarding on the SBS DNS so that
queries directed to the DNSBL in use will go straight to the auth
servers for those domains while all other queries will be forwarded
to the OpenDNS servers
in spamhaus case, the DNS can be obtained by running
nslookup -type=NS spamhaus.org
the same goes for the DNS for all the other DNSBL zones you
are using in IMF but, again, I'd prefer the first solution since this
one would force you to keep your DNS up-to-date whenever
you'll change the DNSBLs you use
if you'll be using an external "public" resolver like OpenDNS, Google
or whatever else, you may face the same issues I described elsewhere
in this thread, that is, long cache retention causing false positives
*and*
rate limiting causing NXDOMAIN answers
bottom line... do NOT use forwarders; it makes NO sense when you
have your own DNS; it's like having a car, keeping it with the engine
on but then hitchhicking instead of using your own car (which will be
still parked there with the engine working) :P
As I have mentioned in the post above.:-)
Ace
Some of the only reasons I would see using a forwarder, which I configure my
customers for, is to offload the recursion process, or to bypass a firewall
that doesn't support EDNS0 or that an admin is unaware of how to update the
firewall to allow that type of traffic.
Ace
I was thinking on how to respond to this one yesterday. I think your option
#1 is the better solution.
IMHO, I wouldn't use ODNS and simply use the IMF for Exchange, and use a
firewall that supports Websense or use ISA.
Ace
No kidding. I didn't think of this scenario. So the rate limit could be
quickly reached and everyone is blaming ODNS for it. Well, it is ODNS fault,
only because all of the queries are eminating from ODNS.
>
> bottom line, if one has a DNS server, better using it and not
> some external forwarder (set aside the exceptions I listed
> into another post in this same thread) since such a setup
> will avoid a lot of troubles ... and since with such a setup
> YOU will be back in control of YOUR DNS resolution :)
True, eliminating the single point query scenario of ODNS to the DNSBLs.
Ace
Ace... DNS resolution process, under standard conditions isn't
a resource pig at all, and in such a case, the "DNS tree" approach
is the way to go, about EDNS0, I personally found that, disabling it
won't have ANY negative effect and will, in general, solve a whole
lot of resolution issues; just in case...
http://support.microsoft.com/kb/828731
then btw one will need (not referring to you, but more often than not
people forgets about it) to ensure that DNS queries won't be filtered
and this means allowing traffic from "any port" to port 53/upd and to
port 53/tcp of whatever external machine
or even use this one ;-)
http://pgl.yoyo.org/adservers/
Pete is a good friend (and answers to emails ;-D)
and once you get a grip on how the DNS blocking
idea works (notice - that isn't just another "hosts"
file, try looking at the "MS DNS" format or at the
ISA one ;-D) it will be easy to setup your own,
personal filter to fit your needs ;-) !
No, you don't understand this:
1) SBS has forwarders for OpenDNS
2) Terminal server has DNS pointing to SBS DNS
We use this to limit what the terminal server users can browse and
access on the web.
>
> > Since the forwarders have to use ODNS's DNS servers, how would
> > you have SBS not be seen as originating from ODNS when doing
> > RBL checks while still using ODNS for web blocking?
>
> you have TWO solutions
>
> the first one (which I prefer) is to setup a DNS server on the TS,
> ensure the TS DNS has a copy of the local AD zones and then
> configure it to use ODNS forwarder, next setup the TS machine
> to use its own IP as the DNS; this way the SBS box won't be
> using OpenDNS while the TS will
>
> the second one is... pointing both SBS and TS to the SBS DNS
> then configuring conditional forwarding on the SBS DNS so that
> queries directed to the DNSBL in use will go straight to the auth
> servers for those domains while all other queries will be forwarded
> to the OpenDNS servers
>
> in spamhaus case, the DNS can be obtained by running
>
> nslookup -type=NS spamhaus.org
>
> the same goes for the DNS for all the other DNSBL zones you
> are using in IMF but, again, I'd prefer the first solution since this
> one would force you to keep your DNS up-to-date whenever
> you'll change the DNSBLs you use
Thanks - I had not thought about conditional forwarding, I will look
into that.
The issue for this solution, for using OpenDNS, is web-blocking, we use
IMF and Zen for spam filtering on this very small client - they have a
firewall appliance, but they don't have the Web/Spam service on it.
If we let them have unrestricted access to the web, the generic users
would be everywhere instead of working - and all of their team is remote
from the servers (they co-locate)....
I'll look at conditional forwarding and see if I can get that working
tonight.
<<<SIGH>>>
> I'll look at conditional forwarding and see if I can get that working
> tonight.
that's quite straightforward; first of all, you'll need to obtain a list
of all the DNSBLs which are used by the IMF, let's say they are
zen.spamhaus.org
ix.dnsbl.manitu.net
bl.spamcop.net
dul.dnsbl.sorbs.net
bb.barracudacentral.org
combined.njabl.org
bogons.cymru.com
drone.abuse.ch
httpbl.abuse.ch
virbl.dnsbl.bit.nl
next you'll need to retrieve the authoritative DNS servers
for each zone, for example, willing to retrieve the auth DNS
for the zen.spamhaus.org zone you'll need to run
nslookup -type=NS zen.spamhaus.org
the above command will return a list of DNS names like
zen.spamhaus.org nameserver = 1.ns.spamhaus.org
zen.spamhaus.org nameserver = k.ns.spamhaus.org
zen.spamhaus.org nameserver = r.ns.spamhaus.org
zen.spamhaus.org nameserver = d.ns.spamhaus.org
zen.spamhaus.org nameserver = h.ns.spamhaus.org
zen.spamhaus.org nameserver = l.ns.spamhaus.org
... and so on ...
at this point you'll have to retrieve the IPs for *all* those
servers and make a note about them, then you'll have
to setup a conditional forward in your DNS so that all
queries directed to the "zen.spamhaus.org" domain
will be forwarded to the servers IPs you obtained above
repeat the same for all the other DNSBL zones and you'll
have your conditional forward up and running, but remember
that auth DNS IPs may change from time to time and that
you'll have to keep your forwarding setup updated to reflect
the DNSBLs you'll be using in IMF
I'm *still* convinced that installing a DNS instance on the TS
machine would be a better and more straightforward solution
Yep, it may be better, since I don't want to have to mess with the IP
checking (in case they change) from time to time.
I'll install DNS on the TS box this weekend, thanks.
True, it's not a resource hog at all, especially for small infrastructures.
For larger ones, I would rather install a separate DNS server that is not
part of the domain/infrstructure internally to forward to. I normally don't
disable EDNS0, rather update or configure the firewall to allow it (such as
a PIX or ASA). I try to simplify internal configs by not changing too much
from default settings. It's easy for me when I'm trying to juggle multiple
customers in my head and their configs. It's enough I have to remember each
customer's IP range! LOL
I agree about the filtering. Some are not aware of that. Source:
internal-interface any-any destination external-interface any TCP 53
(something like that!).
Ace
I didn;t know this site exists. I lile the DNS method. Each registry entry
is an ad zone. Interesting. This can also be modified to block instant
messaging sub domains, sucha s that AIM, YIM, etc, use. Thanks for the heads
up! I added this to my notes. Thanks!
Ace
:-)
in such a case, ensure the DNS on the TS holds copies of the local
domains, then set it up to forward all external queries to ODNS so that
you'll have your filtering for the TS users and remove the ODNS forward
from the SBS box so that you won't have NXDOMAIN/caching issues :)
> :-)
hehe... well, sounds like he changed his mind
as soon as he realized that it would be a hell
to mantain the forwarders list :D
let me better sum it up
Install DNS on the TS box, ensure that the DNS is AD integrated
Configure DNS to hold a copy of your local zones (AD...)
Configure DNS to forward all queries to the OpenDNS resolvers
Configure the TS box to use its own IP as the ONLY DNS server
Remove the OpenDNS forwarding from the SBS box and
refresh the root hints (just in case)
Ensure the SBS is pointing to its own IP as the ONLY DNS server
this way the SBS will carry on full recursive resolution using the
root hints and avoiding the NXDOMAIN/cache issues with your
email services, on the other hand, the TS box will allow users
to correctly log on to the domain but will forward all external
queries to the OpenDNS resolvers which will filter them as
you desire
> No kidding. I didn't think of this scenario. So the rate limit could
> be quickly reached and everyone is blaming ODNS for it.
Yes... although ODNS still plays a role here, see, their aggressive
use of caching and TTL overriding means that NXDOMAIN answers
returned by the DNSBL due to the rate limiter kicking in, will be kept
in cache for a quite long time causing hosts which should instead
be BLOCKED by the blacklist to get through; worse, such a thing
will affect ALL the systems using ODNS for resolution :P
I've nothing against OpenDNS, they're offering a decent service
and helping to protect against "bad sites" but that's all, I won't
recommend using OpenDNS as a forwarder/resolver when it
comes to a server system or a business network for the reasons
seen in this thread and ... for some others as well :)
Thanks - I'm aware of DNS replication, just never thought about the
OpenDNS issue with RBL's.
Yea, that would cut into your drinking time!! :-D
<snipped>
I just wanted to point out that if the zone is AD integrated, it will
already have a copy of the AD zone(s). :-)
Ace
I'm sure they had a good reason to institute limits. It's probably meant for
the home-owner, since it's a quick and free, whereas many companies
(especially larger ones) have a third party handling this sort of function.
:-)
Ace
I'm sure that OpenDNS is means for SMALL, according to their website,
not just homes, since most homes don't have SMTP servers. We have
clients with 1 to 17 servers and 2 to 350 workstations. Most of the
clients with a small shop will purchase a real firewall, but they won't
spend the extra on web/smtp filtering services. OpenDNS gives them some
control over what the employees can get access to - like being able to
block web-email sites, to force them to use the company email system.
Hmm... I know, we're in SBS-land here so my suggestion won't probably
fit, but in general, when it comes to such scenarios, I prefer having a
DNS
on the mailserver box (or either a DNS dedicated to email service) and
another one (or btw more than one) used by clients
Sorry, I meant to say "for the home user and small business owner." I don't
see why a home user can't put the ODNS addresses in their configs to control
inappropriate sites.
Ace
I didn't mean that home users should not use OpenDNS - we suggest it to
most residential types as well as small offices that don't have a server
- it's great for what it does. We're on the same page.
I like the idea of the TS have it's own DNS for OpenDNS lookups past the
local network - had not thought of that - thanks.
:-)
"Ace Fekay [MCT]" <ace...@mvps.RemoveThisPart.org> wrote in message
news:eArLPPIi...@TK2MSFTNGP05.phx.gbl...
> "Chucko" <chu...@myrealbox.com> wrote in message
> news:%23Y2RcRE...@TK2MSFTNGP02.phx.gbl...
>> One more thing to add to this discussion is that you can configure the
>> Exchange Virtual SMTP Server to use a different DNS than the rest of the
>> system uses.
>>
>> You can find that configuration tab under default SMTP Virtual Server
>> Properties, Delivery, Advanced, Configure.
>>
>> That way you can use DNS servers that provide the proper NXDOMAIN
>> response for the SMTP mail traffic and something like Open DNS for the
>> Server and Workstations. That is how I normally set it up. I was trying
>> out and testing the Google DNS servers for SMTP traffic and that is how I
>> found out about the initial problem.
>>
>
> As I have mentioned in the post above.:-)
>
> Ace
>
No problem. :-)
According to the open DNS folks, they fully support and work with DNSBL's:
http://www.opendns.com/support/article/33
In regards to DNS caching, we all know about TTL's, and once a TTL has past,
then a value is refreshed indirectly from the root servers via the
authoritative DNS for the domain (or DNSBL). Large DNS providers like
OpenDNS adhere to this system, otherwise there would be DNS chaos. I don't
believe that OpenDNS overrides TTL's unless they don't get a response from
the authoritative DNS server for the domain, and even then, that behavior is
configurable.
In summary, I'm not seeing problems at all like you are describing by using
OpenDNS on my test SBS 2003 system. It is a fully patched SBS 2003 system,
using IMF along with DNSBL's. My test SBS 2003 server is of course a DNS
server and it is using forwarders, specifically only OpenDNS. I've been
running it this way for several months, except for a few days recently where
I used Google DNS for the SMTP DNS queries, and that caused a problem,
leading me to make the initial post in this thread.
Now I know that we're all a smart bunch of people here, and I enjoy learning
from the peer exchange that forums like this allow. IMHO I just think that
maybe a few of you are a bit premature or possibly a bit misinformed in your
condemnation of DNS providers like OpenDNS.
"ObiWan [MVP]" <obi...@mvps.org> wrote in message
news:eCSFR5Ti...@TK2MSFTNGP02.phx.gbl...
>