Re: conditional forwarding configuration issues
- From: "Marty Peterson" <mpeterson@xxxxxxxxxxx>
- Date: Wed, 8 Jun 2005 01:10:39 -0500
"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
> "Marty Peterson" <mpeterson@xxxxxxxxxxx> wrote in message
>> I currently have a Windows 2003 DNS server set up with a "." zone so that
>> is authoritative for everything.
> Why? It is usually wrong to do this -- despite the "helpful"
> default during Win2000 setup when no Internet connection
> is available.
>> I use this DNS server to resolve some
>> internal DNS name spaces for client computers that I do NOT want to have
>> access the internet. This generally works great.
> Ok, so you are trying to do outbound firewalling with DNS
> which is not real security. (They can still go out by name).
not true...they can't go out by name...I think you meant by IP, which these
users will have no clue about...
> Get a Proxy -- ISA is best for this specific task, especially
> if all internal clients are Domain Windows machines.
Not practicle for this environment...too difficult to configure for too
large a variety of machines (PC's, Linux. and Mac's) Overkill for what I am
trying to do. This works fine although it isn't truly "secure"
>> Now, I want to continue to resolve these internal namespaces as I have
>> always done, but also be able to resolve fedex.com and ups.com. (I need
>> clients that are using this DNS server to be able to get to these web
>> sites). I would like to use conditional forwarding to do this, so this is
>> what I did:
>> 1.) Set up conditional forwarding for fedex.com and ups.com to point to
>> DNS server that is configured to forward to my ISP for resolution.
>> Result: Would not resolve the two domains.
> Yes. It would. But nothing else external.
Actually, this didn't work because if you have a root zone, the conditional
forwarding is all grayed out..my bad...
>> 2) So, then I removed the "." zone
>> Result: Resolves everything including other internet sites that I don't
>> to resolve (forwards to the internet using root hints)
> Yes. It does.
>> 3) So, I removed the root hints entries out. (It warned me about deleting
>> the last root hint and I said ok)
>> Result: Still resolves everything, but I am not sure how it is doing this
>> cleared the cache on the server).
>> Something in there is still using root hints to resolve sites.
> Maybe it is still in the cache? The cache for root hints is MONTHS or
> Clear cache and see if it changes.
As stated in the original post, I did clear the cache...actually every time
I made any changes, I cleared this...
>> 4) So, I then unchecked the box in the advanced properties to allow
>> Result: Couldn't resolve anything other than the zones that are on the
> That turns off BOTH recursion AND forwarding.
>> 5) So, I then decided to post this to the news group as I am almost out
> You might need two different DNS servers to do this but
> you really need a Proxy/Firewall like ISA.
> Why ISA? It offers connection control based on USER
> account so that users cannot cheat by using a different machine
> and an Admin (or whoever is authorized) can use any machine
> for Internet access.
All client machines are not on the same domain or even on a domain...many of
these machines are just stand alone boxes, all sorts of OS's and very
>> I was thinking that I may be able to set up another DNS server that has
>> "." zone it it, then set up a forwarder to it and then my conditional
>> forwarding should work and everthing else would return nothing, which
>> solve my problem, but I really don't want to do set up another DNS
> Could work but you are swimming uphill -- DNS is not a firewall.
Preaching to the choir here...but you gotta do what you gotta do with what
you got...if it is found that someone running one of these machines to hit
the internet because the user was smarter than we thought, then the machine
is locked down with the firewall. This has only happened once so far...
>> Can anyone tell me how I can resolve only the zones that are on the DNS
>> server and my conditional forwarding domains, but yet not resolve
>> else? This is my goal. (I do NOT want to manually try to keep a fedex.com
>> secondary zone up to date and fedex.com doesn't allow zone transfers)
> No, those are totally impractical even if you could get ALL
> the necessary data to start.
> Herb Martin, MCSE, MVP
> Accelerated MCSE
> [phone number on web site]
- Prev by Date: Re: conditional forwarding configuration issues
- Next by Date: DNS server problem
- Previous by thread: Re: conditional forwarding configuration issues
- Next by thread: Re: conditional forwarding configuration issues