Hello Carsten and Kevin

Thanks for your answers. As a short summary, I will use (and recommend) the following ways:

- consider .local/.loc/.intra/.lan etc. as legacy which should be eliminated (Microsoft officially supports Active Directory domain renaming procedures for that).
- preferred way is to use intra.example.com, dmz.example.com etc. so example.com itself can stay fully public while the sub DNS zones can be set up restricted, but the correct DNS delegation chains must be complete so every DNS resolver in the world on an authorized system (this can also be a friend company or local office over VPN, not only the LAN behind the firewall itself) can resolve the names and IP(v6) addresses successfully in both directions.
- In BIND this list of authorized resolvers can be set up with the allow-query directive, so unauthorized systems don't get a DNS timeout, they just get a refused answer when trying to resolve internal resources.
- a smart relay host with both public IPv4 and IPv6 addresses on the network interfaces eliminates the dual stack MX / EHLO hostname IPv4-NAT problem because I can fully control the way between my internal mail server and the smart relay host (they always can [and should] communicate over IPv6 for example, so there is no need to point the MX record to the firewall instead of the internal mail server itself because of NAT) => this even allows me to put the smart relay host as a friend system for my internal DNS server so the MTA on the smart relay host knows mailserv.intra.example.com as a valid EHLO hostname and can send i...@example.com to infou...@mailserv.intra.example.com for example (forwarding rule).

In my own network I already started to implement several of these measures. My current goal is to implement dual-stack for every component/network segment so I can give some feedback at a later time. When everything works well, another goal is to implement that in my customer's networks (I am working as a freelancer for several regional customers) as part of future IT migration projects.

Corrections and additions are welcome. :-)

            Andreas

----- Original Message ----- From: "Carsten Strotmann" <c...@strotmann.de>
To: "Andreas Meile" <mailingli...@andreas-meile.ch>
Cc: <bind-users@lists.isc.org>
Sent: Monday, May 27, 2013 8:20 AM
Subject: Re: [Architecture discussion] IPv6 and best practices for DNS naming and the MX/SMTP problem


Hello Andreas,
[...]
--
Test your PC security with www.sec-check.net

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
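The split between a fully public example.com and a restricted intra.example.com described in the message above, written out as a BIND 9 configuration. This is an added example for illustration and is not from the thread or from ISC; the ACL name, the 2001:db8:: prefixes, 192.0.2.25, the host names ns1/relay/mailserv and the file paths are all assumptions chosen for the example.

```conf
// ---- named.conf (excerpt) -------------------------------------------------
// Added example, not from the mailing-list thread. All addresses and names
// below are assumptions (documentation prefixes) for illustration only.

// Resolvers that may see the internal zones: the LAN itself, a partner site
// reached over VPN, and the smart relay host (so its MTA can resolve the
// internal EHLO hostname mailserv.intra.example.com).
acl "authorized-resolvers" {
    localhost;
    localnets;
    2001:db8:1::/48;        // internal LAN prefix (assumed)
    2001:db8:2::/48;        // partner office behind the VPN (assumed)
    2001:db8:3::25;         // smart relay host, public IPv6 address (assumed)
};

options {
    directory "/var/cache/bind";
    listen-on-v6 { any; };
    recursion no;           // authoritative-only server, no open resolver
};

// Public parent zone: answered for everybody. It delegates the internal
// sub-zone instead of hiding it, so the delegation chain stays complete.
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};

// Internal sub-zone: only the ACL above may query it. Any other client gets
// an immediate REFUSED instead of a timeout.
zone "intra.example.com" {
    type master;
    file "/etc/bind/db.intra.example.com";
    allow-query    { authorized-resolvers; };
    allow-transfer { none; };
};

// Reverse zone for the internal prefix 2001:db8:1::/48 with the same
// restriction, so authorized systems can resolve in both directions.
zone "1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa" {
    type master;
    file "/etc/bind/db.2001-db8-1";
    allow-query    { authorized-resolvers; };
    allow-transfer { none; };
};

// ---- /etc/bind/db.example.com (excerpt, public zone) ----------------------
// $ORIGIN example.com.
// @        IN  NS    ns1.example.com.
// ns1      IN  AAAA  2001:db8:1::53          ; assumed address
// ; delegation of the internal sub-zone to the same server
// intra    IN  NS    ns1.example.com.
// ; public MX is the dual-stack smart relay host, not the firewall
// @        IN  MX 10 relay.example.com.
// relay    IN  A     192.0.2.25              ; assumed address
// relay    IN  AAAA  2001:db8:3::25          ; assumed address

// ---- /etc/bind/db.intra.example.com (excerpt, restricted zone) ------------
// $ORIGIN intra.example.com.
// @        IN  NS    ns1.example.com.
// mailserv IN  AAAA  2001:db8:1::25          ; internal mail server (assumed)
```

With this layout a query for mailserv.intra.example.com from an address outside the ACL (for example `dig AAAA mailserv.intra.example.com @ns1.example.com`) is answered with status REFUSED, while the same query from the relay host or the partner site returns the AAAA record. Because the parent zone carries a real NS delegation for intra, authorized resolvers anywhere can follow the chain from the root down; the only thing the restriction changes is who is allowed to receive the final answer.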
