Re: clients dns settings
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Wed, 3 Jan 2007 11:31:21 -0500
"Ace Fekay [MVP]" <PleaseAskMe@xxxxxxxxxxxxxx> wrote in message
news:%23EHgWCvLHHA.4244@xxxxxxxxxxxxxxxxxxxxxxx
Security implications forwarding to an ISP? Some say yes, some say no. I had
bookmarked an article that argues this, but I can't seem to find it.
I can understand the case where someone would find the ISP
less reliable due to the ISP's security practices than their own.
But for the average small domain admin who doesn't yet fully
understand DNS AND who has a reputable ISP the ISP is likely
to have stronger security than the admin can provide his own
DNS server.
IF the ISP is compromised then your machines could be directed
to "dangerous" partners, e.g., a request for WindowsUpdate.microsoft.com
could return the address of a machine at "evilHackersRUs.com".
If you are worried about it, as Herb said, you can forward to your router,
provided it will handle DNS proxy queries that it will forward on to an
outside DNS.
This is MORE secure if the admin has the skills to keep the
machine properly maintained and secured. Lapses here are
still dangerous but not as dangerous as letting a DC or other
critical internal DNS server visit the entire Internet.
Otherwise you can set up an outside DNS server, (which we'll call our "DNS
Resolver") which will use the root hints, and it doesn't have to be a
Windows DNS server, solely for the purpose of forwarding from your internal
DNS.
Here is an NSA Unclassed doc with info on Windows DNS security.
http://www.akomolafe.com/Portals/1/Docs/guide_to_securing_microsoft_windows_2000_dns.pdf
Ace