Re: Can Internet Computers see my private address DNS server?



To answer your questions (in no particular order),

1. No. You said it, internal requests go out and are responded to, external
requests do not come into a NAT. Your internal DNS would not be exposed.
Even if it was, you use private IP addressing, so these addresses are
non-routable.

UNLESS you specifically open a port into your network or have foolishly
placed one of your systems on the DMZ port.

2. To let your DNS server resolve these external names I typically just
remove the root zone (if present) and allow the root hints to do their job.

You could alternately configure the ISP DNS as a forwarder.

3. Sure, add a reverse zone. Why would it make you vulnerable? Again, you are
talking internal traffic only.

Other points of note:
You have only one DC. Granted, with only six client machines, that is no big
deal, but it is still a potential issue if your one DC goes down.

I would recommend using your 2003 server to perform your DHCP. It is a more
feature rich product.

I didn't understand the need for a static IP. Many small companies get sold
static IPs (at greater monthly cost) for no reason. If you have your own mail
server, VoIP server, Web server, etc etc, you might need one. But even then,
dynamic external DNS is a wonderful thing.

--
Manny Borges
MCSE NT4-2003 (+ Security)
MCT, Certified Cheese Master

There are 10 kinds of people in the world. Those who do understand binary
and those who don't.
"WPD" <county(please-delete-this)pyrenees@xxxxxxxxx> wrote in message
news:E8CCE9CA-3F14-4DEB-B0F4-4607EE454CC9@xxxxxxxxxxxxxxxx
I am both new to networks, and I am NOT knowledgeable about DNS. Recently, I
have read much information about DNS, both by Microsoft and by 3rd parties,
however I have not seen my Subject addressed, anywhere. Of course, at this
point, I am in a constant state of confusion, so the answer could have
slapped me upside the head, and I wouldn't have noticed. Oh, well. I have
tried to make the following information complete without being overwhelming.
If it doesn't meet these criteria, please accept my apology.

We have a small Client/Server network with private addressing.
(192.168.5.xxx/255.255.255.0). There is 1 Domain Controller [Win Server 2003
/ SP-1] which is also the Domain Name System server for this internal and
private network, and there are 6 clients. 3 of the clients have Win XP Pro /
SP-2; 2 of the clients have Win 2000 Pro / SP-??; 1 of the clients has Win
Server 2003 / SP-1.

In Network Connections\Local Area Connection\Properties\General tab\Internet
Protocol(TCP/IP)\Properties\General tab\Preferred DNS server: box, all of
these computers have the Domain Controller / DNS server's address entered. No
address is entered in the Alternate DNS server: box.

All of the 192.168.5.xxx computers are behind a Linksys NAT router which
also acts, on the LAN side, as the DHCP server. The Domain Controller has a
fixed address as do the Win 2000 Pro and Win Server 2003 clients. The Win XP
Pro clients are all served by DHCP. The WAN side of the router has a fixed
address.

In the DNS server dialog box, I have entered my Internet Service Provider's
DNS server addresses in the Forward box. At this point, I only have a Forward
Lookup zone.

Finally, the questions: I want my client computers to be able to go to
internet sites such as www.google.com, but I don't want any uninvited guests
coming back the other way. I sort of understand how the NAT router is a
one-way check valve which only lets in outsiders who are responding to a
request from an internal client. However, will they be able to access,
somehow, my private address DNS server? And, should I add a Reverse Lookup
zone or will that make us vulnerable in some way?

Thank you for your assistance.
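
A simplified model of the NAT behaviour discussed in point 1 of the reply, added here as an illustration and not part of either poster's message. All addresses are constructed, the class and field names are hypothetical, and the strict reply matching is an assumption; real routers vary in how tightly they match return traffic.

```python
from dataclasses import dataclass, field
from typing import Optional

DNS_SERVER = "192.168.5.10"        # constructed LAN address for the DC/DNS server
ISP_DNS = ("203.0.113.53", 53)     # constructed forwarder (documentation range)
STRANGER = ("198.51.100.7", 31337) # constructed unsolicited Internet host

@dataclass
class Nat:
    forwards: dict = field(default_factory=dict)  # (proto, wan_port) -> (lan_ip, lan_port)
    dmz_host: Optional[str] = None                # LAN host that receives all unmatched traffic
    table: dict = field(default_factory=dict)     # (proto, wan_port) -> (lan_ip, lan_port, remote)
    next_port: int = 40000

    def outbound(self, proto, lan_ip, lan_port, remote):
        """A LAN host sends a packet out; the NAT records a mapping and returns the WAN port."""
        wan_port = self.next_port
        self.next_port += 1
        self.table[(proto, wan_port)] = (lan_ip, lan_port, remote)
        return wan_port

    def inbound(self, proto, remote, wan_port):
        """A packet arrives on the WAN side; returns (lan_ip, lan_port) or None if dropped."""
        entry = self.table.get((proto, wan_port))
        if entry and entry[2] == remote:          # reply to a request that went out
            return entry[:2]
        if (proto, wan_port) in self.forwards:    # an explicitly opened port
            return self.forwards[(proto, wan_port)]
        if self.dmz_host:                         # DMZ host takes everything else
            return (self.dmz_host, wan_port)
        return None                               # no mapping: dropped at the router

def demo():
    results = {}
    nat = Nat()
    port = nat.outbound("udp", DNS_SERVER, 1025, ISP_DNS)        # DNS server queries the forwarder
    results["reply"] = nat.inbound("udp", ISP_DNS, port)         # the answer is let back in
    results["unsolicited"] = nat.inbound("udp", STRANGER, 53)    # nobody asked: dropped
    results["wrong_sender"] = nat.inbound("udp", STRANGER, port) # mapped port, wrong peer: dropped
    nat.forwards[("udp", 53)] = (DNS_SERVER, 53)                 # the "UNLESS you open a port" case
    results["forwarded"] = nat.inbound("udp", STRANGER, 53)
    results["dmz"] = Nat(dmz_host=DNS_SERVER).inbound("udp", STRANGER, 53)
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:13} -> {outcome}")
```

The two cases that reach the DNS server from outside are exactly the exceptions named in the reply, so those are the router settings to check.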

