[Architecture discussion] IPv6 and best practices for DNS naming and the MX/SMTP problem

Andreas Meile mailingliste at andreas-meile.ch
Thu Jun 6 14:10:43 UTC 2013


Hello Carsten and Kevin

Thanks for your answers. As a short summary, I will use (and recommend) the 
following ways:

- consider .local/.loc/.intra/.lan etc. as legacy which should be eliminated 
(Microsoft officially supports Active Directory domain renaming procedures 
for that).
- the preferred way is to use intra.example.com, dmz.example.com etc., so 
example.com itself can stay fully public while the sub DNS zones can be 
set up restricted; but the correct DNS delegation chains must be complete so 
every DNS resolver in the world on an authorized system (this can also be a 
friend company or local office over VPN, not only the LAN behind the 
firewall itself) can resolve the names and IP(v6) addresses successfully in 
both directions.
- In BIND this list of authorized resolvers can be set up with the 
allow-query directive, so unauthorized systems don't get a DNS timeout; they 
just get a refused answer when trying to resolve internal resources.
- a smart relay host with both public IPv4 and IPv6 addresses on the network 
interfaces eliminates the dual stack MX / EHLO hostname IPv4-NAT problem 
because I can fully control the path between my internal mail server and the 
smart relay host (they always can [and should] communicate over IPv6, for 
example, so there is no need to point the MX record to the firewall instead 
of the internal mail server itself because of NAT) => this even allows me to 
put the smart relay host as a friend system for my internal DNS server so the 
MTA on the smart relay host knows mailserv.intra.example.com as a valid EHLO 
hostname and can send info at example.com to 
infouser at mailserv.intra.example.com, for example (forwarding rule).

In my own network I have already started to implement several of these measures. 
My current goal is to implement dual-stack for every component/network 
segment so I can give some feedback at a later time. When everything works 
well, another goal is to implement that in my customers' networks (I am 
working as a freelancer for several regional customers) as part of future IT 
migration projects.

Corrections and additions are welcome. :-)

             Andreas

----- Original Message ----- 
From: "Carsten Strotmann" <cas at strotmann.de>
To: "Andreas Meile" <mailingliste at andreas-meile.ch>
Cc: <bind-users at lists.isc.org>
Sent: Monday, May 27, 2013 8:20 AM
Subject: Re: [Architecture discussion] IPv6 and best practices for DNS 
naming and the MX/SMTP problem


> Hello Andreas,
[...]
-- 
Test your PC security with www.sec-check.net 
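The allow-query approach for the restricted intra.example.com sub-zone, as an added BIND 9 named.conf example that is not part of the original post. The address ranges, relay host addresses and file paths are constructed placeholders (documentation prefixes), not values from the thread.

```conf
// Added example (not from the original post): BIND 9 named.conf fragment
// implementing the "authorized resolvers" list described above.
// All prefixes, addresses and file paths below are constructed placeholders.

acl "authorized" {
    localhost;
    10.0.0.0/8;                 // LAN behind the firewall (constructed)
    2001:db8:1::/48;            // internal IPv6 prefix (constructed)
    192.0.2.0/24;               // friend company / local office over VPN (constructed)
    2001:db8:2::/48;            // its IPv6 prefix (constructed)
    203.0.113.25;               // smart relay host, public IPv4 (constructed)
    2001:db8:3::25;             // smart relay host, public IPv6 (constructed)
};

// example.com stays fully public: anyone may query it. Its zone file must
// carry the NS delegation for intra.example.com so the chain is complete.
zone "example.com" {
    type master;                // "primary" in newer BIND releases
    file "/etc/bind/zones/db.example.com";
    allow-query { any; };
};

// Restricted sub-zone: only ACL members may query. Anyone else receives
// REFUSED immediately instead of waiting for a timeout.
zone "intra.example.com" {
    type master;
    file "/etc/bind/zones/db.intra.example.com";
    allow-query { authorized; };
    allow-transfer { none; };   // no zone transfers of internal names
};

// Reverse zone for the internal IPv6 prefix (2001:db8:1::/48), so the
// relay host can resolve "both directions" for the EHLO hostname check.
zone "1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa" {
    type master;
    file "/etc/bind/zones/db.2001-db8-1.rev";
    allow-query { authorized; };
    allow-transfer { none; };
};
```

To check the behaviour, run `dig @<internal-ns> mailserv.intra.example.com AAAA` from inside the ACL and from an unauthorized host: the first returns the record, the second returns status REFUSED rather than timing out.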
