Re: Restrict Dynamic Updates



Ace:

Currently I have a firewalled AD test lab setup, so I'm not experiencing
updates from unexpected external hosts, but our production environment is
quite different.

Our current production network doesn't have a perimeter firewall, nor do we
have dedicated separate external/internal DNS servers.

Our current [BIND] DNS servers provide both external/internal name
resolution and have public IP addresses.

The current plan is to continue to point our clients to the BIND DNS servers
for external / non-AD internal name resolution, but delegate the AD zones to
provide internal AD-specific name resolution.

The other alternative option is to point our clients to the AD/DNS servers
for internal AD-specific name resolution, but use forwarders to point clients
to our BIND/DNS servers for internal non-AD and external name resolution.

At this point, I'm not sure which scenario is preferable, but have decided
to start with the option that requires the least amount of rework, with the
assumption that I can change this if required.

As the AD/DNS server(s) will in all likelihood have public IP addresses too,
I'm trying to maximize their security configuration in an effort to minimize
their exposure to external networks and the Internet.

I've tried re-enabling the Windows firewall with the DNS ports outlined in
the article "HOW TO Configure DNS for Internet Access in Windows Server
2003", realizing that that was not the initial intent of this article, but in
doing so may have "broken" some other [NTDS] functionality.

Any further recommendations are greatly appreciated.

Thanks,

Bob
--
Robert Lindholm
University of Rochester


"Ace Fekay [MVP]" wrote:

In news:6B5375B7-802E-41FD-8C70-CDA3F647C312@xxxxxxxxxxxxx,
Robert Lindholm <RobertLindholm@xxxxxxxxxxxxxxxxxxxxxxxxx> typed:
Hello:

I'm looking for a way to restrict DDNS updates to just "local"
subnets using a native AD/DNS facility [if available].

We currently don't have the ability to block this traffic with a
perimeter firewall and the Windows firewall seems inadequately suited
for this purpose.

Essentially what I'm trying to do is specify which subnets can "talk"
to our DNS servers to minimize exposure to external threats and
prevent our local AD traffic from "leaking out" into other
internal/non-participating AD domains.

Any suggestions are greatly appreciated.

Bob

Are you experiencing updates being sent from machines you do not want to
update? I assume all of your internal DNS servers are only used for internal
resolution for AD, correct? Or am I missing something? If so, please
elaborate.

In all cases, if the internal machines are ONLY using the internal DNS, and
there are no port-remap rules to allow inbound DNS queries from the
internet, there is really no problem. If not, simply point your clients to
the preferred DNS servers you want them to use. Then there will be no
question as to which DNS servers they are using. Windows clients by default
will attempt to register their interfaces to the DNS server configured in
their IP properties.

As for controlling what subnets to listen on, that is difficult without
firewalling. But like I said, a client will use whatever DNS it is
configured to use, no others.

I cannot see how your internal DNS would be exposed to external threats if
no outside query traffic is using them. I would also configure a Forwarder
to your ISP from your DNS server. This will eliminate the DNS server from
directly querying an outside DNS server when a client sends a query for an
external name/resource.

I do assume all of your clients are ONLY using your internal DNS servers and
not your ISP's in their IP properties. Otherwise you'll have a host of
errors.

291382 - Frequently asked questions about Windows 2000 DNS and Windows
Server 2003 DNS
http://support.microsoft.com/?id=291382

323380 - HOW TO Configure DNS for Internet Access in Windows Server 2003
(forwarding) :
http://support.microsoft.com/?id=323380

825036 - Best practices for DNS client settings in Windows 2000 Server and
in Windows Server 2003
http://support.microsoft.com/?id=825036

Cheers!

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Infinite Diversities in Infinite Combinations
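The configuration the two posters are circling (accept DNS only from local subnets, keep dynamic updates to domain members, forward external lookups to the ISP) can be expressed on a current Windows Server DNS/DC. The following is an added example, not code from either poster; it uses the DnsServer and NetSecurity PowerShell modules, which exist on Windows Server 2012 and later rather than the Server 2003 the thread is about. Every address, subnet and zone name below is an assumption. It scopes only the DNS rules, since the original poster found that restricting the firewall to the DNS ports alone broke NTDS: the domain controller's other rules (Kerberos, LDAP, RPC, SMB) are left untouched and must stay reachable from the same internal subnets. The BIND servers that hold the delegation for the AD zones are included in the allowed sources, because they will query this server on behalf of clients.

```powershell
# Added example, not from the thread. Scopes DNS on an AD-integrated DNS
# server to internal subnets. Requires the DnsServer and NetSecurity modules
# (Windows Server 2012 or later). All addresses and names below are assumed.

$InternalSubnets = @('10.10.0.0/16', '192.168.50.0/24')   # assumed client subnets
$BindServers     = @('198.51.100.10', '198.51.100.11')   # assumed BIND servers that delegate the AD zones here
$IspForwarders   = @('198.51.100.1', '198.51.100.2')     # assumed upstream resolvers
$AdZone          = 'ad.example.edu'                      # assumed AD zone name
$InternalAddress = '10.10.0.5'                           # assumed internal address of this DC

# 1. Inbound DNS (UDP/TCP 53) only from the internal subnets and the BIND
#    servers. The built-in DNS role rules allow any source, so disable them
#    and replace them with scoped rules. -Profile Any is used because a DC
#    with a public address may not always land in the Domain profile.
Get-NetFirewallRule -DisplayName 'DNS (UDP, Incoming)', 'DNS (TCP, Incoming)' -ErrorAction SilentlyContinue |
    Set-NetFirewallRule -Enabled False

foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule -DisplayName "DNS $proto - internal only" `
        -Direction Inbound -Protocol $proto -LocalPort 53 `
        -RemoteAddress ($InternalSubnets + $BindServers) `
        -Action Allow -Profile Any -Enabled True | Out-Null
}

# 2. Only authenticated domain members may register or update records in
#    the AD zone (secure dynamic update; requires an AD-integrated zone).
Set-DnsServerPrimaryZone -Name $AdZone -DynamicUpdate Secure

# 3. Forward lookups for non-authoritative names to the ISP resolvers
#    instead of recursing from the root hints. Recursion must stay on for
#    forwarding to serve client queries.
Add-DnsServerForwarder -IPAddress $IspForwarders
Set-DnsServerRecursion -Enable $true

# 4. Listen only on the internal address, so a second, externally facing
#    address on the same host does not serve DNS at all.
$settings = Get-DnsServerSetting -All
$settings.ListeningIPAddress = @($InternalAddress)
Set-DnsServerSetting -InputObject $settings

# Check: which sources the firewall admits on 53, the zone's update policy,
# and where the server forwards.
Get-NetFirewallRule -DisplayName 'DNS * - internal only' | Get-NetFirewallAddressFilter
Get-DnsServerZone -Name $AdZone | Select-Object ZoneName, DynamicUpdate
Get-DnsServerForwarder
```

Run it in an elevated session on the DNS server itself. After the change, a query from an address outside the listed subnets should time out rather than be answered, and an nsupdate from a non-domain host against the AD zone should be refused, while a domain-joined client still registers its A record at the next ipconfig /registerdns.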





