Need DNS 'whitelist'

    Question

  • Here's what we've got:

    domain.com zone, hosted externally:

    [a]   @         ->  hosting company's ip address
    [a]   office    ->  our public-facing ip address
    [mx]  @         ->  office.domain.com
    [mx]  exchange  ->  exchange provider's hostname 1
    [mx]  exchange  ->  exchange provider's hostname 2

    All mail sent to *@domain.com is routed to our office; a mail rule then relays certain aliases to their corresponding *@exchange.domain.com mailboxes. Anything that arrives at our office that's not within domain.com is summarily rejected.

    With this setup we're able to achieve (or simulate) so-called "split domain mail routing," whereby some aliases are peeled off and processed externally while the remainder are handled internally.

    It's worked very well for us for nigh on three years now; however we've recently decided to retrofit our network and replace our aging CentOS PDC (it's called SME Server) box with a Windows Server 2012 Essentials instance running in a Hyper-V host.

    My problem is that SME's control panel is a little TOO user-friendly when it comes to managing DNS. It hides the plumbing a bit too well. And I'm certainly a DNS novice in the first place, so I suppose in that regard at least it's been a good match. But now that I'm faced with the task of replicating the environment in Windows DNS, I'm scratching my head a bit.

    Here's a quick shot of the relevant SME control panel section:

    Fair enough. Brain dead simple. Somehow the server is smart enough to know the difference between an internal and an external domain; my goal is not necessarily to figure out exactly how that happens, but rather to accomplish the same thing over here.

    How to configure the new server to do what SME does for us now? It accepts mail to *@domain.com, rejects mail to *@any.other.domain, and yet knows that an outgoing *.any.other.domain request from inside the LAN is for an external destination and should therefore be forwarded on to our ISP for further resolution.

    As a reluctant SysAdmin I'm familiar enough with the basic point-and-click mechanics of Windows DNS, along with how to create and manage a basic zone, but deeper architectural concepts like this are a bit beyond me.

    I appreciate any assistance/advice.

    Thanks,
    Jeff Bowman



    • Edited by InteXX Sunday, January 20, 2013 1:17 AM Formatting
    Sunday, January 20, 2013 1:09 AM

Answers

  • > [a] @ -> hosting company's ip address

    To create an "@" entry, you right-click, New Host (A) Record, keep the hostname field blank, and type in the IP address.

    I assume you are not using Exchange for email, therefore email is hosted externally, such as Office365. In that case, there's nothing internally or on your router that you have to do.

    Also, based on your post, I don't fully understand where you are hosting DNS, but I think you're implying that you're hosting your public domain name on your internal DNS server and not at a public provider, such as your ISP or webhost provider? If that's the case, I don't really recommend that for a number of reasons besides security and uptime. Can you elaborate?


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    • Marked as answer by InteXX Monday, January 21, 2013 1:09 PM
    Monday, January 21, 2013 4:53 AM
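The configuration discussed in the question and in the answer above, expressed with the DnsServer PowerShell module that ships with Windows Server 2012. This is an added example, not code from the original thread, from SME Server or from Microsoft; the ISP resolver addresses (203.0.113.x), the record addresses (198.51.100.x), the internal zone name domain.local and the provider hostnames mx1/mx2.provider.example are placeholders. The thread later concludes that only the internal AD zone plus forwarders are needed and the public domain.com zone stays at the external provider; the domain.com section is included only because the answer describes creating the blank-hostname "@" record, and it carries the caveat a practitioner should weigh first: once this server holds a zone named domain.com it is authoritative for that name and will never forward a domain.com query to the ISP, so every public record LAN clients rely on (www, exchange, ...) has to be copied in by hand or it stops resolving internally.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell
# session on the Windows Server 2012 DNS server. All addresses and names below
# are assumed placeholders, not values from the post.
Import-Module DnsServer

# 1. Upstream resolution for every name this server is not authoritative for.
#    Windows DNS answers from its own zones first; anything else goes to the
#    forwarders. Disabling the root-hint fallback keeps the server from
#    recursing to the Internet on its own if the ISP resolvers are unreachable.
Set-DnsServerForwarder -IPAddress 203.0.113.53, 203.0.113.54 -UseRootHint $false

# 2. The internal (AD) zone is the only zone this server needs. Essentials
#    creates it during setup; this is the equivalent for a fresh server, stored
#    in AD and accepting only secure (authenticated) dynamic updates.
if (-not (Get-DnsServerZone -Name 'domain.local' -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name 'domain.local' -ReplicationScope Domain -DynamicUpdate Secure
}

# 3. Only if you really did decide to host domain.com here: the records from
#    the question, including the apex ("@", blank hostname in the GUI) A record
#    the answer describes. Caveat: with this zone present, LAN clients can no
#    longer see any public domain.com record that is not copied into it.
$zone = 'domain.com'
if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $zone -ZoneFile "$zone.dns"
    Add-DnsServerResourceRecordA  -ZoneName $zone -Name '@'      -IPv4Address 198.51.100.10  # hosting company
    Add-DnsServerResourceRecordA  -ZoneName $zone -Name 'office' -IPv4Address 198.51.100.20  # office public IP
    Add-DnsServerResourceRecordMX -ZoneName $zone -Name '@'        -MailExchange "office.$zone"        -Preference 10
    Add-DnsServerResourceRecordMX -ZoneName $zone -Name 'exchange' -MailExchange 'mx1.provider.example' -Preference 10
    Add-DnsServerResourceRecordMX -ZoneName $zone -Name 'exchange' -MailExchange 'mx2.provider.example' -Preference 20
}

# 4. Checks. Names in a local zone are answered authoritatively by this server;
#    any other name must come back through the forwarders listed in step 1.
Get-DnsServerForwarder
Resolve-DnsName -Name 'dc1.domain.local'    -Server 127.0.0.1 -Type A
Resolve-DnsName -Name 'exchange.domain.com' -Server 127.0.0.1 -Type MX
Resolve-DnsName -Name 'www.example.com'     -Server 127.0.0.1 -Type A
```

If the domain.com section is skipped, the last two Resolve-DnsName calls should return the provider's public answers via the forwarders; if it is applied, the MX lookup returns the locally entered records and a lookup of any public domain.com name not copied into the zone (for example www.domain.com) fails, which is the quickest way to confirm the caveat above on your own server.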

All replies

  • Hi Ace, how's it going today?

    > I assume you are not using Exchange for email, therefore email is hosted externally

    Correct.

    > In that case, there's nothing internally or on your router that you have to do

    I was starting to suspect that. I suppose what led me to believe that I did was SME's behavior when I was first setting it up three years ago. I added an MX record in our public DNS pointing to our office and sent a test email. It bounced. I added the domain to SME as external and resent the test. It didn't bounce.

    Not sure why SME does things this way, but there are a lot of things I'm not sure of. One more doesn't make me nervous.

    Anyway, all this is moot now. I've since decided not to trouble with this 'split mail routing' setup and just move all of our mailboxes to our external Exchange provider. Simple, done. That's why we're paying them anyway--to remove the word hassle from the equation.

    > I think you're implying that you're hosting your public domain name on your internal DNS server

    Not at all. It's hosted externally, along with our website. Same provider.

    Thanks,
    Jeff Bowman

    Monday, January 21, 2013 1:08 PM
  • So Jeff, it seems we were looking at an elephant through a microscope! Essentially, all you have to do is set up your internal private name, and that's it. If you are not using Active Directory, there really is no need internally for a private domain name such as domain.local, and you wouldn't even need DNS internally. If you do have an internal AD, then DNS and the internal domain.local are required for AD to work. Otherwise, there's nothing to do regarding your email or web, and it's much easier than you thought. :-)

    If you are running AD, and this is your first time with AD, let us know if you have any questions.

    Cheers!


    Ace Fekay

    Monday, January 21, 2013 1:50 PM
  • > So Jeff, it seems we were looking at an elephant through a microscope!

    We?  ;-)

    > Essentially, all you have to do is just setup your internal private name, and that's it.

    Beautiful  :-)

    > And if you are not using Active Directory

    Oh, but I am! Essentials did all of that for me by magic.

    > it's much easier than you thought. :-)

    That's always good. Always.

    > and this is your first time with AD, let us know if you have any questions.

    Well... eight years ago I set up a W2K3 SBS server for myself. Just about all I did with AD then was look at it to see that it was there. And it was.

    Fast forward to today... I wouldn't know what questions to ask, quite frankly. I suppose I'll come up with some if I run into any problems. But if I don't do anything with it I shouldn't have any problems.

    I do appreciate your offer  :-)

    Thanks,
    Jeff Bowman

    Monday, January 21, 2013 2:31 PM
  • Cheers!


    p.s. Thank you VERY much for the note on your website about DC snapshots. I was about to try that. I'll just shut the machine down and save off a copy of the .VHDX instead. Whew. Close one.
    Monday, January 21, 2013 2:42 PM
  • What's nice about SBS wizards is they do everything for you. Just keep in mind to administer SBS only through the SBS administrative console and not through the operating system, or more specifically, try the console first, and if that doesn't have provisions, then you can do it through the other tools, such as ADUC, Services, etc.

    And no problem to help with AD questions. Keep this link below handy, since that's the actual AD forum (also called the DS - Directory Services - forum).
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/threads

    But a huge note here, since SBS is a slightly different animal, and essentially Windows 2012 Essentials is SBS, the best place to ping SBS questions is the SBS forum where the SBS gurus hang out. :-)
    http://social.technet.microsoft.com/Forums/en-US/smallbusinessserver/threads

    And I'm glad you found my blog warning to not snapshot virtualized machines. It's good for educational and testing purposes, but will cause havoc with production machines.


    Ace Fekay

    Monday, January 21, 2013 8:27 PM
  • Thanks Ace, you're a good man  :-)

    Monday, January 21, 2013 9:12 PM
  • > Thanks Ace, you're a good man  :-)

    Hey, I'm just trying to help! :-)

    Ace Fekay

    Monday, January 21, 2013 9:24 PM
  • > Hey, I'm just trying to help! :-)

    Keep up the good work!

    Thanks,
    Jeff Bowman

    Tuesday, January 22, 2013 1:15 AM