>
> >     We're running Active Directory on Windows 2003 Servers.  99% of the
> > time, all is well.  Occasionally we seem to be pulling erroneous MX
> > information.  When I do an nslookup type=MX from the Imail server, I get
> > the correct information... most of the time.  The erroneous server is
> > always another server that's located at the provider for the company in
> > question.  I check their DNS server and can find no problems...
>
> The MS DNS cache could be getting poisoned, esp if you have recursion and
> access from Internet enabled, which you very probably have.  You can't
> turn recursion off since IMail needs it. You can't restrict recursion to your
> subnets, only on or off.
>
> I always recommend that mail servers not use MS DNS (AD or not), but BIND
> on *nix or Windows. Especially recommend for high-volume mail systems that
> generate high-volumes of queries. BIND has more security features, e.g.
> anti-poisoning and finer access controls.  BIND is free so you don't have
> to pay another $1000 to Win server version.
>
> Making your AD/DNS box accessible from Internet is really bad practice.
> If you set up BIND on a separate machine, have the AD/DNS box forward to it,
> and block access from Internet to the AD/DNS box.
>
> Len

    Cache pollution was my initial reaction.  I have the cache secured
against pollution and have followed Microsoft's best practices in order to
attenuate that problem... (for what that's worth... <koff!>)

    We do have recursion enabled, but the AD/DNS box is not directly
accessible via the internet.  We're also forwarding to an AT&T DNS server.
Good advice re: running BIND DNS for Imail... I have a few boxes kicking
around that I could set up with LINUX...

    Thanx for the advice...

-Gil
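As an added illustration of the setup Len describes (a dedicated BIND resolver on a separate box, recursion limited to internal subnets, the AD/DNS server forwarding to it), here is a minimal `named.conf` for that resolver. This is example configuration written for this thread, not anything from the original posts or from Ipswitch; the addresses, ACL name and directory are constructed placeholders to be replaced with your own.

```conf
// Added example: named.conf for a dedicated BIND 9 recursive resolver
// that the IMail server queries. All addresses below are placeholders.

acl "internal" {
    127.0.0.1;
    192.0.2.0/24;        // placeholder: subnet holding the mail server and AD/DNS box
};

options {
    directory "/var/named";   // placeholder path

    // Unlike Windows 2003 DNS, which can only switch recursion on or off
    // for everyone, BIND can keep recursion on but limit who may use it.
    recursion yes;
    allow-recursion   { "internal"; };
    allow-query       { "internal"; };
    allow-query-cache { "internal"; };   // nobody outside can read cached answers

    // Optionally hand queries to the provider's resolver first, but fall back
    // to full recursion if it does not answer.
    forwarders { 203.0.113.53; };         // placeholder: upstream (e.g. provider) resolver
    forward first;

    // Weak setting, shown here only so it can be recognised and avoided:
    // pinning the outbound query port defeats source-port randomisation,
    // which is one of BIND's anti-poisoning measures. Leave it commented out.
    // query-source address * port 53;
};

// Local zones the resolver should answer itself, if any, go below; everything
// else is resolved recursively for "internal" clients only.
zone "." {
    type hint;
    file "named.root";   // standard root hints file
};
```

With this in place the Windows AD/DNS server is pointed at the BIND box as its forwarder (DNS console, server properties, Forwarders tab, or `dnscmd <server> /ResetForwarders <bind-ip>`), and the firewall blocks inbound Internet access to the AD/DNS server entirely. The IMail server can then query BIND directly. To check that recursion is actually restricted, run a recursive lookup from an address outside the `internal` ACL; BIND should refuse it, while the same query from the mail server subnet succeeds.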

List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/