Re: conditional forwarding configuration issues




"Marty Peterson" <mpeterson@xxxxxxxxxxx> wrote in message
news:#E6Ss16aFHA.1504@xxxxxxxxxxxxxxxxxxxxxxx
> Hello,
>
> I currently have a Windows 2003 DNS server set up with a "." zone so that
> it is authoritative for everything.

Why? It is usually wrong to do this -- despite the "helpful"
default during Win2000 setup when no Internet connection
is available.

> I use this DNS server to resolve some
> internal DNS name spaces for client computers that I do NOT want to have
> access the internet. This generally works great.

Ok, so you are trying to do outbound firewalling with DNS
which is not real security. (They can still go out by name).

Get a Proxy -- ISA is best for this specific task, especially
if all internal clients are Domain Windows machines.

> Now, I want to continue to resolve these internal namespaces as I have
> always done, but also be able to resolve fedex.com and ups.com. (I need
> the clients that are using this DNS server to be able to get to these web
> sites). I would like to use conditional forwarding to do this, so this is
> what I did:
>
> 1.) Set up conditional forwarding for fedex.com and ups.com to point to a
> DNS server that is configured to forward to my ISP for resolution.
>
> Result: Would not resolve the two domains.

Yes. It would. But nothing else external.

> 2) So, then I removed the "." zone
>
> Result: Resolves everything including other internet sites that I don't
> want to resolve (forwards to the internet using root hints)

Yes. It does.

> 3) So, I removed the root hints entries out. (It warned me about deleting
> the last root hint and I said ok)
>
> Result: Still resolves everything, but I am not sure how it is doing this
> (I cleared the cache on the server).
>
> Something in there is still using root hints to resolve sites.

Maybe it is still in the cache? The cache for root hints is MONTHS or more.

Clear cache and see if it changes.

> 4) So, I then unchecked the box in the advanced properties to allow
> recursion.
>
> Result: Couldn't resolve anything other than the zones that are on the
> server.

That turns off BOTH recursion AND forwarding.

> 5) So, I then decided to post this to the news group as I am almost out of
> ideas...

You might need two different DNS servers to do this but
you really need a Proxy/Firewall like ISA.

Why ISA? It offers connection control based on USER
account so that users cannot cheat by using a different machine
and an Admin (or whoever is authorized) can use any machine
for Internet access.


> I was thinking that I may be able to set up another DNS server that has
> the "." zone in it, then set up a forwarder to it and then my conditional
> forwarding should work and everything else would return nothing, which
> would solve my problem, but I really don't want to set up another DNS
> server...

Could work but you are swimming uphill -- DNS is not a firewall.


> Can anyone tell me how I can resolve only the zones that are on the DNS
> server and my conditional forwarding domains, but yet not resolve anything
> else? This is my goal. (I do NOT want to manually try to keep a fedex.com
> secondary zone up to date and fedex.com doesn't allow zone transfers)

No, those are totally impractical even if you could get ALL
the necessary data to start.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
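As an added illustration that is not part of the thread, the following Python model walks through the four configurations Marty tried and reports which lookup path (authoritative zone, conditional forwarder, root hints, or none) answers a query, following Herb's account: conditional forwarders are matched before the "." zone, a "." zone stops all other external lookups, and disabling recursion disables forwarding as well. The zone names, forwarder address and the precedence order are assumptions of the model, not a description of Windows internals.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

@dataclass
class DnsServerConfig:
    """Constructed model of the settings the thread walks through (assumed fields)."""
    local_zones: set                      # zones hosted on the server, e.g. {"corp.internal"}
    has_root_zone: bool                   # a "." zone: server thinks it is authoritative for everything
    root_hints: bool                      # root hints present on disk OR still sitting in the cache
    recursion_enabled: bool               # advanced-properties checkbox; off kills forwarding too
    conditional_forwarders: dict = field(default_factory=dict)  # domain -> forwarder IP

def in_zone(qname: str, zone: str) -> bool:
    """True if qname is the zone apex or lies below it."""
    return qname == zone or qname.endswith("." + zone)

def resolution_path(cfg: DnsServerConfig, qname: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (path, detail) that answers qname, or None when the name does not resolve."""
    qname = qname.rstrip(".").lower()
    # 1. Data the server hosts itself is always answered, even with recursion off (step 4).
    for zone in cfg.local_zones:
        if in_zone(qname, zone):
            return ("authoritative", zone)
    # 2. Recursion off: no forwarding and no root-hint iteration (Herb's reply to step 4).
    if not cfg.recursion_enabled:
        return None
    # 3. Conditional forwarders are more specific than "." and win (Herb's reply to step 1).
    #    The longest matching domain is chosen so sub.fedex.com beats a broader entry.
    match = max((d for d in cfg.conditional_forwarders if in_zone(qname, d)), key=len, default=None)
    if match is not None:
        return ("conditional-forwarder", cfg.conditional_forwarders[match])
    # 4. A "." zone makes the server answer "no such name" for everything else.
    if cfg.has_root_zone:
        return None
    # 5. No "." zone: the server iterates from root hints (step 2), including cached ones (step 3).
    if cfg.root_hints:
        return ("root-hints", None)
    return None

def resolves_externally(cfg: DnsServerConfig, names) -> dict:
    """Map each name to True/False so a whole configuration can be checked at a glance."""
    return {n: resolution_path(cfg, n) is not None for n in names}
```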

