Re: Forwarders or Root Hints?



I respect you and your posts. In my company I never have the opportunity to
bounce ideas off others, so I look to users like you in various Windows and
Linux forums, and like I said I have always agreed with your point regarding
DNS security.

--
Johan Strange
_______________________________
MCSE, MCSA + Messaging, CompA+

Logic42 Computer Solutions - The answer to everything

www.logic42.co.uk



"MS News" wrote:

Inline

At some stage your DNS needs to use an external source regardless of the
topology, root hints and forwarders are methods of doing this.
As long as it isn't my internal DNS I'm fine with that; that's what I've been
saying since the beginning.

Anyway, I'm sorry if I hurt your feelings, that's not my intention. I was only
trying to have a (healthy) discussion; it's not about being an MVP, winning or
losing, etc. As I told you before, to me it's all about discussing
different points of view; no need to get mad at me.

"Johan Strange" <JohanStrange@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:91CFDBEA-5330-4F19-BD40-6857ED890260@xxxxxxxxxxxxxxxx
At some stage your DNS needs to use an external source regardless of the
topology; root hints and forwarders are methods of doing this. I know what
you're saying and you seem to be very aggressively forcing your point
across.
I know that forwarders cause issues, I have seen it, and yes, you're right it
is down to others, which is reason enough not to use them. Heaven forbid
anyone else has an opinion, Jorge. I have said that you have a point, and if
you are an MVP you will, even silently, admit that what I say is also correct
even if it goes against what you say.

For the sake of the argument let's just say you are right and I am wrong;
well done Jorge.

--
Johan Strange
_______________________________
MCSE, MCSA + Messaging, CompA+

Logic42 Computer Solutions - The answer to everything

www.logic42.co.uk



"Jorge Silva" wrote:

Doesn't sound to me that the stated reasons have anything to do with
forwarding configuration but rather with changes that were done by other
people in other DNS servers. If you don't trust them, DON'T use them. "That's
what I'm saying since the beginning (in other words, especially true for
internal networks)." You can have your own cache-only DNS server without being
messed up by others; if that server suffers an attack from public or internal,
bad luck, in less than 5 minutes I have another one in place and it didn't
mess up my internal DNS server. You talk and talk about external providers;
if you pay attention to my previous posts I said to AVOID using external DNS
servers for direct queries from your internal DNS servers. If I'm using
external providers, root hints, ISPs, etc., my servers go to public, and
that was my point: don't do it (or try not to)...
--

I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"Johan Strange" <JohanStrange@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8B3E209E-1D8F-463B-A872-6E591DB07424@xxxxxxxxxxxxxxxx
When using Forwarders the query is passed to a DNS Server or Servers that we
know and trust; these are configured as forwarders, they use their resolver
to resolve the query and pass the result back to our Windows box. Possibly we
have our own BIND Server in a DMZ, maybe we use another Windows DNS, but
nevertheless we are reliant on these systems to be available to resolve the
query on behalf of our Windows box. In return our own DNS remains secure and
gets another system doing its work with external host resolution. The last
time I saw an issue with forwarders was with a client that had their DNS
Server querying two BT (British Telecom) DNS Servers. BT had changed the
security on their network and were not responding to my client's DNS
requests; I will not bore you with BT logic because I do not understand it
myself. On another instance a consultant had configured a Server to query an
ISP Name Server from an IP Address assigned to Demon. The ISP who held the
DNS saw the requests from outside their network and decided to add the IP of
my client's DSL Router to the hosts deny file on their BIND. If these users
had been using cache hints then this issue would not have occurred.

It takes around 5 seconds to emulate this in a lab. I have never seen a root
hint failure.

Can you see this as a point, Jorge?
--
Johan Strange
_______________________________
MCSE, MCSA + Messaging, CompA+

Logic42 Computer Solutions - The answer to everything

www.logic42.co.uk



"Jorge Silva" wrote:

Ok, I can live with that, but can you explain why forwarders are easier to
break?

--

I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"Johan Strange" <JohanStrange@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:4698336F-9FA1-4AEC-AACF-5E016C4446AD@xxxxxxxxxxxxxxxx
Then it's all opinions. I personally see forwarders as easier to break. I
don't disagree with what you say but I have seen from experience that root
hints are more solid. But that's my opinion ... :)
--
Johan Strange
_______________________________
MCSE, MCSA + Messaging, CompA+

Logic42 Computer Solutions - The answer to everything

www.logic42.co.uk



"Jorge Silva" wrote:

Please don't be sorry, that's your opinion and I respect that.

However, it doesn't make sense to me; the reason is simple: the poster wants a
solution to resolve names outside its domain, so, assuming that he is talking
about public names, he can use root hints (very insecure -> and if he loses
connectivity to the root hints servers they won't be able to resolve public
names as well, so I don't see this option as an advantage), Stub Zones
(doesn't make sense to create one stub zone for each public domain, and it's
not doable because you have thousands of public domains (you also rely on
connectivity to the NS to achieve the query results)), Secondary Zones won't
work (for obvious reasons), at last you have Conditional Forwarding (not
doable for the same reasons as the stub zones) and Forwarding.

To me Forwarding is the right way to go; the reasons are simple: you can
control where to send the queries, not using root hints is better from a
security perspective, and it's easy to implement.
--

I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"Johan Strange" <JohanStrange@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:2EF254A3-7C35-4F49-AA35-B5ED46BEF083@xxxxxxxxxxxxxxxx
Thank you for that Jorge. I am sorry that what I said goes against your
explanation. I understand forwarders and conditional forwarders. Can you
confirm that what I said is never a possibility?
--
Johan Strange
_______________________________
MCSE, MCSA + Messaging, CompA+

Logic42 Computer Solutions - The answer to everything



"Jorge Silva" wrote:

You must be joking... That's your reason not to use forwarders?

Remember forwarders don't necessarily have to be external/public DNS
servers.


--

I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"Johan Strange" <JohanStrange@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote
in
message
news:B62E3D40-1647-43D6-A946-57B2A1D68474@xxxxxxxxxxxxxxxx
With forwarders you are relying on set name servers to resolve requests that
are not in the resolver cache. Then if these devices cannot be contacted for
various reasons you cannot resolve hostnames for external resources.
--
Johan Strange
_______________________________
MCSE, MCSA + Messaging, CompA+

Logic42 Computer Solutions - The answer to everything



"Jorge Silva" wrote:

Hi
I vote for Forwarders; the reason is security: with forwarders your server
won't go to public ("you must select the option disable recursion for this
domain").
Now, if all your clients do ONLY external resolution, why not have a
cache-only DNS server to do that job?

--

I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"Nutzer" <helo@xxxxxxxxxxx> wrote in message
news:b4SdnUosG-yHr5janZ2dnUVZ_r2nnZ2d@xxxxxxxxxxxxxxx
Hello,

I'm trying to configure my DC servers as a DNS server. Should I set it
for Forwarders or Root hints? This is AD integrated DNS. But all my users
will resolve to outside with this DNS server.
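An added audit script for the two positions argued in this thread: Jorge's forwarder-only posture (forwarders set and the server never walking root hints to the Internet itself) and Johan's availability caveat (with that fallback off, resolution stops when every forwarder is unreachable). This is example code written for this page, not any poster's; it assumes the DnsServer PowerShell module (Windows Server 2012 or later), an elevated session, and that `$ServerName` is a placeholder for the DNS server being audited.

```powershell
# Audit a Windows DNS server's external-resolution posture (added example).
# Assumes the DnsServer module and an elevated session; $ServerName is a placeholder.
Import-Module DnsServer
$ServerName = 'localhost'

$fwd = Get-DnsServerForwarder -ComputerName $ServerName
$rec = Get-DnsServerRecursion -ComputerName $ServerName
$findings = @()

# Recursion disabled server-wide also disables forwarding: the server then
# answers only for the zones it hosts, so neither option discussed applies.
if (-not $rec.Enable) {
    $findings += 'Recursion is disabled; forwarders are ignored and external names cannot be resolved.'
}

if (-not $fwd.IPAddress) {
    # No forwarders: the DC itself walks root hints and talks to arbitrary
    # authoritative servers on the Internet (the exposure Jorge objects to).
    $findings += 'No forwarders configured; the server resolves external names itself via root hints.'
} elseif ($fwd.UseRootHint) {
    # UseRootHint = $true means the server still falls back to the Internet
    # when forwarders do not answer, i.e. recursion was NOT turned off for forwarding.
    $findings += 'Forwarders set but root-hint fallback enabled; the server can still query public DNS directly.'
    # Remediation keeps the same forwarders and turns the fallback off:
    # Set-DnsServerForwarder -ComputerName $ServerName -IPAddress $fwd.IPAddress -UseRootHint $false
}

# Johan's caveat: once fallback is off, external resolution depends entirely on
# the forwarders answering, so probe each one the way the DNS service uses it.
$alive = @()
foreach ($ip in $fwd.IPAddress) {
    $probe = Test-DnsServer -IPAddress $ip -Context Forwarder
    if ($probe.Result -eq 'Success') { $alive += $ip }
    else { $findings += "Forwarder $ip not usable: $($probe.Result)" }
}
if ($fwd.IPAddress -and -not $alive -and -not $fwd.UseRootHint) {
    $findings += 'All forwarders failed and root-hint fallback is off; external resolution is down.'
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "OK: $ServerName forwards to $($fwd.IPAddress -join ', ') and never contacts public DNS itself."
}
```

Run it on a schedule from the DNS servers themselves; a single "all forwarders failed" warning is the condition Johan describes, while a "root-hint fallback enabled" warning is the configuration Jorge warns against.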




