Re: Only Forward DNS Requests for Specific IPs
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Sat, 28 Oct 2006 04:17:21 -0500
"opc3" <opc3@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C2F5F7BB-D877-450C-A149-410E720A9188@xxxxxxxxxxxxxxxx
Thanks again for the response, but I think you are making some assumptions about my environment which is only muddying the waters. Thanks for the input, I appreciate you trying to work through this with me, hopefully others are benefiting from our exchange as well...
Let me try explaining again:
I only want to make my already public (and only public) DNS server that currently only responds for the zones for which it is authoritative (i.e. forwarding is currently off) to forward DNS requests only if the request is originating from an IP that I trust.
No.
The answer remains "no."
With the sole exception that you can resolve on one/some NIC/IPs,
while refusing to resolve requests on other IPs/NICs of the
same DNS server.
Whatever you will resolve for anyone is going to be resolved
for everyone you allow to contact the server at all.
(That is, you can use filtering and such to prevent DNS
requests but if you resolve anything for them then the
DNS server will help them with anything/everything that
it knows how to do.)
There are NO VIEWs (as exist in a BIND server).
And yes, I understood your question the first time -- answered
it and answered the associated questions, in case those were
what you really meant.
MS DNS won't do what you ask.
(It remains a bad idea but MS DNS won't do it anyway.)
This will effectively create a server where unknown computers can continue to use my DNS server for name resolution of zones for which I am authoritative (same functionality as is set up right now) but in addition to that IPs that I trust can query my DNS server for all zones regardless of whether I am authoritative for that zone or not, effectively allowing them to make use of my server as their primary DNS server to resolve all internet domains. Make sense?
Yes, the question makes perfect sense as it generally did the first
time but the answer remains "No, MS DNS won't do that."
BIND will. (To at least some useful and interesting extent
with "Views", but even the BIND experts generally consider
this a very poor design.)
And such designs are practically always unnecessary -- you
have hit on one of the main reasons (besides security) why
most companies should not run their own public DNS servers
but put it back at the REGISTRAR.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
"Herb Martin" wrote:
"opc3" <opc3@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:29E7D7B1-3CE6-41B1-BFC1-5F5ACB199959@xxxxxxxxxxxxxxxx
Thanks for the input. It is not readily apparent to me how this setup could be insecure, however I agree it could be done better.
In several ways but the simplest to understand is that
since this DNS is publicly accessible it is much more
likely to be compromised. IF it serves both roles then
it will not only compromise your external publishing but
also could lead to compromising the internal network.
Security as a layered design is almost always the way to
think about it.
While this design may be lacking in certain areas, I will look to clean those up later. I am just trying to see if it is possible using Microsoft DNS for now.
No, (as I said originally) and it is a bad idea even if it were possible.
Could you elaborate on "....Forwarding is only done by ZONE. On the other hand you can pick off a zone of "one name" and thus NOT forward for a small number of specific names...."?
Sure. If you wish a DNS server to hold a zone (i.e., be
authoritative for that zone) then it will answer ONLY
from what it knows (about THAT zone) with one exception:
If you delegate, then the child zone will be resolved
by the child zone DNS servers (they become authoritative)
But, if you don't want to hold an entire zone but resolve ONE
specific machine (from that zone) then you can create a "zone"
(just like any other zone) with the specific machine name* and
give it an A record with a blank name -- this will override for
that machine while still allowing this DNS server to NOT take
control/responsibility for the entire 'real' zone.
*Looks like this:
Assume the real zone is: zone.com
Assume the machine you wish to override is: server.zone.com
Build a zone with the name "server.zone.com" and give it a "blank"
("same as parent") A record.
"Herb Martin" wrote:
"opc3" <opc3@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3B8773A4-83B6-491B-A9D1-C15CDD376FA2@xxxxxxxxxxxxxxxx
Is there a way to set up Microsoft DNS to only forward DNS requests for a specific set of IPs?
Not conveniently. Forwarding is only done by ZONE.
(Even prior to Win2003 which can conditionally forward
by zone as well.)
On the other hand you can pick off a zone of "one name" and
thus NOT forward for a small number of specific names.
I would like to turn forwarding on in my internet DNS server so that machines in my DMZ can use it for name resolution of zones where I am not the authority (like microsoft.com). However, I do not want to forward DNS requests originating from the internet, i.e. I only want internet users to be able to use my DNS server to resolve zones for which I am authoritative.
The real problem here is that you are trying to use the same
server for PUBLIC DNS and for private, internal DNS.
These two jobs should NOT be mixed. It is a bad and insecure
design (even with BIND servers which can accomplish this using
"views").
You really should move your PUBLIC DNS back to the REGISTRAR
if possible.
Most small companies have no business running their public DNS
at all.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
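The single-name override zone Herb describes, written out as an added dnscmd walkthrough that is not part of the original thread. The zone name server.zone.com is the thread's own example; the target address 192.0.2.10 (documentation range) and the zone file name are assumptions.

```batch
@echo off
REM Added example (not from the thread): build the "one-name zone" override
REM Herb describes, on a Windows DNS server, from an elevated command prompt.
REM Assumed values: the override address 192.0.2.10 and the zone file name.
REM "server.zone.com" is the thread's own example host name.

SET ZONE=server.zone.com
SET TARGET=192.0.2.10

REM 1. Create a standard primary zone whose name is the single host name.
REM    The server is now authoritative for exactly this name (and anything
REM    beneath it), but NOT for the parent zone zone.com.
dnscmd /ZoneAdd %ZONE% /Primary /file %ZONE%.dns

REM 2. Add an A record at the zone root. "@" is the blank / "same as parent
REM    folder" name, so queries for server.zone.com are answered from here.
dnscmd /RecordAdd %ZONE% @ A %TARGET%

REM 3. Confirm the record sits at the zone root.
dnscmd /EnumRecords %ZONE% @

REM 4. Check from the server itself: the override name answers with TARGET,
REM    while any other name under zone.com still follows the normal path
REM    (forwarding, recursion, or refusal, depending on server configuration).
REM    Caveat: names below the override (www.server.zone.com) now resolve from
REM    this zone too, so they return "name does not exist" unless added here.
nslookup %ZONE% 127.0.0.1
nslookup other.zone.com 127.0.0.1
```

The override applies to every client the server answers at all, which is the thread's point: MS DNS scopes this behaviour by zone, not by source address, so any per-client trust decision still has to be made by listener address or by running a separate internal server.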