Win2K DC + IIS5 behind NAT - DNS records?


Gordon Fecyk

I'm running a Win2K DC behind a firewall and I have only certain ports
forwarded for Internet clients. I also have Win2K Pro workstations behind
the NAT. The DNS zone is AD-integrated. The server and all stations behind
the NAT are using private IPs.

I want Internet clients to be able to reach the machine by name properly.
My first thought - have a separate A RR for "www" - would work except the
machine is also a Certificate Server and it's already prepared certificates
under its own FQDN (srv1.pan-am.ca). I'd rather not create a new server
certificate for "www.pan-am.ca" if possible, though if I have to I will.
It's just the server creates a cert for itself for other purposes under the
server's true name.

So that leaves me with having to create a second A RR for the public IP, or
create a new non-default website for "www" and have it make up its own
certificate. This might fail with browsers that don't support HTTP 1.1, not
to mention cause havoc with other things I want SSL for like POP3, so I'd
like to avoid making another web site if possible. This is where DNS magic
comes in.

I don't suppose I can specify, depending on where the requesting client is,
which A RR record is returned? IE: for within the private IP space return
the private IP and for all other clients return the public IP.
 

Kevin D. Goodknecht [MVP]

In Gordon Fecyk <[email protected]> posted a question
Then Kevin replied below:
: I don't suppose I can specify, depending on where the requesting
: client is, which A RR record is returned? IE: for within the private
: IP space return the private IP and for all other clients return the
: public IP.
Not with MS DNS; BIND can do this, but BIND is not as secure. If using
MS DNS you'll have to have separate DNS servers to give a public address for
a record of the same name.
 

Gordon Fecyk

Kevin D. Goodknecht said:
Not with MS DNS; BIND can do this, but BIND is not as secure.

I think the ISC would take exception to that. :)
If using MS DNS you'll have to have separate DNS servers
to give a public address for a record of the same name.

I'm using an AD-integrated zone. How about using the ACLs on the DNS
records to determine who receives what records? Couldn't I deny "everyone"
read access to the private IP A RR, and deny local users read access to the
public IP A RR record?

I've also determined that my ISP's Cisco 800 series won't allow LAN side
clients access to WAN-side forwarded ports, so providing a public IP "www" A
RR won't work for LAN side clients. Kinda necessary since I have to test
the website. I'm looking at putting a Snapgear there instead.

In an absolute worst case I can get public IPs from my ISP, but then I'd
have to packet-filter incoming traffic and I could get DoS'd faster by some
jerk attacking a /29 instead of just one IP. I run an anti-spam project so
I'm expecting this kind of garbage.
 

Kevin D. Goodknecht [MVP]

In Gordon Fecyk <[email protected]> posted a question
Then Kevin replied below:
: :: Not with MS DNS; BIND can do this, but BIND is not as secure.
:
: I think the ISC would take exception to that. :)

When compared to Active Directory Integrated DNS zones, BIND cannot compare
in security.

:
:: If using MS DNS you'll have to have separate DNS servers
:: to give a public address for a record of the same name.
:
: I'm using an AD-integrated zone. How about using the ACLs on the DNS
: records to determine who receives what records? Couldn't I deny
: "everyone" read access to the private IP A RR, and deny local users
: read access to the public IP A RR record?

Denying the Everyone group does just that: it denies everyone.
Many people ask the same question you do and they get the same answer: when
using MS DNS you need separate DNS servers for internal and external
records. You can use BIND, but you give up security.

:
: I've also determined that my ISP's Cisco 800 series won't allow LAN
: side clients access to WAN-side forwarded ports, so providing a
: public IP "www" A RR won't work for LAN side clients. Kinda
: necessary since I have to test the website. I'm looking at putting a
: Snapgear there instead.
:
: In an absolute worst case I can get public IPs from my ISP, but then
: I'd have to packet-filter incoming traffic and I could get DoS'd
: faster by some jerk attacking a /29 instead of just one IP. I run an
: anti-spam project so I'm expecting this kind of garbage.

You can try what you want; if you can find a way to do it, there are a lot of
people who would like to know how to do it with one MS DNS server.
You would have to put public IP addresses on all NICs of your DC so that it
would only register public records. Domain controllers were designed for
internal security; to get good internal security you don't give public users
access to your internal resources.
 

Gordon Fecyk

Kevin D. Goodknecht said:
You can try what you want if you can find a way to do it there are a lot of
people that would like to know how with one MS DNS server.

Sounds like a feature request for Longhorn or Windows 2003 Server.

The separate record for "www" would work if not for this Cisco 800 behaving
the way it is. I can reach it from the outside but not from the inside. I
know this works with Snapgear and Linksys NAT boxes so probably a change of
routing hardware is in order.

If the only thing wrong now is "The site does not match the certificate"
when administering from the inside, well, I'll live with that. I can also
specify different server certs for each external service to avoid name
problems.
 

Ace Fekay [MVP]

In
Gordon Fecyk said:
I think the ISC would take exception to that. :)
<snip>

You can go to www.hideaway.net and download their security monitor tool
which keeps track of all OS's and certain apps out there and their
vulnerabilities. MS DNS is actually more secure than BIND. Especially if the
zones are AD Integrated.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 

Kevin D. Goodknecht [MVP]

In Gordon Fecyk <[email protected]> posted a question
Then Kevin replied below:
: ::
:: You can try what you want if you can find a way to do it there are a
:: lot of people that would like to know how with one MS DNS server.
:
: Sounds like a feature request for Longhorn or Windows 2003 Server.
:
: The separate record for "www" would work if not for this Cisco 800
: behaving the way it is. I can reach it from the outside but not from
: the inside. I know this works with Snapgear and Linksys NAT boxes so
: probably a change of routing hardware is in order.
:
: If the only thing wrong now is "The site does not match the
: certificate" when administering from the inside, well, I'll live with
: that. I can also specify different server certs for each external
: service to avoid name problems.

The certificate matches by name, not by IP address; that is why you need two
DNS servers, so you can access by the same name internally as externally.
Some refer to this as shadow DNS, split DNS, or split-horizon DNS; call it
what you want. It means the external clients cannot see the internal DNS and
internal clients cannot see the external DNS, because each is in the other's
shadow.
 
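The split-horizon arrangement Kevin describes, written out as a BIND 9 configuration. This is an added example, not configuration posted by anyone in the thread or shipped by Microsoft or ISC; the private address 192.168.1.10, the LAN range 192.168.1.0/24, and the public address 203.0.113.10 (from the RFC 5737 documentation range) are assumptions standing in for Gordon's real addresses, and only srv1.pan-am.ca / www.pan-am.ca are taken from the thread. BIND selects a view by the querying client's source address, which is exactly the "return the private IP for the private IP space, the public IP for everyone else" behaviour Gordon asked for; Windows 2000 DNS has no equivalent, and Microsoft's DNS only gained client-subnet-based answer selection with DNS Policy in Windows Server 2016. Two practitioner caveats the thread touches on: the ACLs on AD-integrated DNS objects only govern LDAP access and dynamic updates, not who receives answers (the DNS service reads the zone itself and answers any unauthenticated UDP query, so they cannot hide a record from external queriers); and with views the internal answer must be the private address, because the Cisco 800 will not hairpin LAN clients back in through its own forwarded ports.

```conf
// Added example (not from the thread): BIND 9 named.conf fragment giving
// split-horizon answers for pan-am.ca.
//
// Assumed addresses (not the real ones):
//   192.168.1.10     private address of srv1.pan-am.ca (DC, IIS, CA)
//   192.168.1.0/24   the LAN behind the NAT
//   203.0.113.10     the NAT'd public address (RFC 5737 test range)

acl "lan" {
    192.168.1.0/24;
    127.0.0.1;
};

options {
    directory "/var/named";
    // Internet clients get authoritative answers only; only the LAN may
    // use this host as a recursive resolver. Open recursion is what makes
    // a DNS server useful to the "jerk" in a reflection/amplification DoS.
    recursion yes;
    allow-recursion { lan; };
    allow-transfer { none; };
};

// LAN clients: same names, private addresses. The view is chosen by the
// source address of the query, so a workstation asking for www.pan-am.ca
// gets 192.168.1.10 and never has to hairpin through the NAT box.
view "internal" {
    match-clients { lan; };
    recursion yes;
    zone "pan-am.ca" {
        type master;
        file "pan-am.ca.internal";   // srv1 A 192.168.1.10 ; www CNAME srv1
    };
};

// Everyone else: same names, public address only. Internal-only hosts
// (workstations, _ldap/_kerberos SRV records, etc.) are simply absent from
// this zone file, so nothing about the AD domain leaks to the Internet.
view "external" {
    match-clients { any; };
    recursion no;
    zone "pan-am.ca" {
        type master;
        file "pan-am.ca.external";   // srv1 A 203.0.113.10 ; www CNAME srv1
    };
};
```

The two zone files carry the same owner names with different data: `pan-am.ca.internal` has `srv1 IN A 192.168.1.10` plus `www IN CNAME srv1`, and `pan-am.ca.external` has `srv1 IN A 203.0.113.10` plus the same CNAME. Because both views hand out the name srv1.pan-am.ca, the existing certificate issued to that FQDN matches from both sides and the "site does not match the certificate" warning goes away. A DC cannot register its own private address into the external view, which is why the arrangement Kevin recommends (AD-integrated MS DNS inside, a separate authoritative server for the public zone outside) achieves the same result without views. Check the behaviour from each side with `dig @<server> www.pan-am.ca A +short`: a LAN client should see 192.168.1.10, an Internet client 203.0.113.10, and `dig @<server> google.com +short` from outside should be refused.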
