"opc3" <opc3@discussions.microsoft.com> wrote in message
news:C2F5F7BB-D877-450C-A149-410E720A9188@microsoft.com...
> Thanks again for the response, but I think you are making some assumptions
> about my environment which is only muddying the waters. Thanks for the input,
> I appreciate you trying to work through this with me, hopefully others are
> benefiting from our exchange as well...
>
> Let me try explaining again:
>
> I only want to make my already public (and only public) DNS server that
> currently only responds for the zones for which it is authoritative (i.e.
> forwarding is currently off) to forward DNS requests only if the request is
> originating from an IP that I trust.
No.
The answer remains "no."
With the sole exception that you can resolve on one/some NIC/IPs,
while refusing to resolve requests on other IPs/NICs of the
same DNS server.
Whatever you will resolve for anyone is going to be resolved
for everyone you allow to contact the server at all.
(That is, you can use filtering and such to prevent DNS
requests but if you resolve anything for them then the
DNS server will serve them with anything/everything that
it knows how to do.)
There are NO VIEWs (as exist in a BIND server).
And yes, I understood your question the first time -- answered
it and answered the associated questions, in case those were
what you really meant.
MS DNS won't do what you ask.
(It remains a bad idea but MS DNS won't do it anyway.)
> This will effectively create a server
> where unknown computers can continue to use my DNS server for name resolution
> of zones for which I am authoritative (same functionality as is setup right
> now) but in addition to that IPs that I trust can query my DNS server for
> all zones regardless of whether I am authoritative for that zone or not
> effectively allowing them to make use of my server as their primary DNS
> server to resolve all internet domains. Make sense?
Yes, the question makes perfect sense as it generally did the first
time but the answer remains "No, MS DNS won't do that."
BIND will. (To at least some useful and interesting extent
with "Views", but even the BIND experts generally consider
this a very poor design.)
And such designs are practically always unnecessary -- you
have hit on one of the main reasons (besides security) why
most companies should not run their own public DNS servers
but put it back at the REGISTRAR.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
>
> "Herb Martin" wrote:
>
>> "opc3" <opc3@discussions.microsoft.com> wrote in message
>> news:29E7D7B1-3CE6-41B1-BFC1-5F5ACB199959@microsoft.com...
>> > Thanks for the input. It is not readily apparent to me how this setup could
>> > be insecure, however I agree it could be done better.
>>
>> In several ways but the simplest to understand is that
>> since this DNS is publicly accessible it is much more
>> likely to be compromised. IF it serves both roles then
>> it will not only compromise your external publishing but
>> also could lead to compromising the internal network.
>>
>> Security as a layered design is almost always the way to
>> think about it.
>>
>> > While this design may be lacking in certain areas, I will look to clean
>> > those up later. I am just trying to see if it is possible using Microsoft DNS
>> > for now.
>>
>> No, (as I said originally) and it is a bad idea even if it were possible.
>>
>> > Could you elaborate on "....Forwarding is only done by ZONE. On the other
>> > hand you can pick off a zone of "one name" and thus NOT forward for a small
>> > number of specific names...."?
>>
>> Sure. If you wish a DNS server to hold a zone (i.e., be
>> authoritative for that zone) then it will answer ONLY
>> from what it knows (about THAT zone) with one exception:
>>
>> If you delegate, then the child zone will be resolved
>> by the child zone DNS servers (they become authoritative).
>>
>> But, if you don't want to hold an entire zone but resolve ONE
>> specific machine (from that zone) then you can create a "zone"
>> (just like any other zone) with the specific machine name* and
>> give it an A record with a blank name -- this will override for
>> that machine while still allowing this DNS server to NOT take
>> control/responsibility for the entire 'real' zone.
>>
>> *Looks like this:
>>
>> Assume the real zone is: zone.com
>> Assume the machine you wish to override is: server.zone.com
>>
>> Build a zone with the name "server.zone.com" and give it a "blank"
>> ("same as parent") A record.
>>
>>
>> > "Herb Martin" wrote:
>> >
>> >> "opc3" <opc3@discussions.microsoft.com> wrote in message
>> >> news:3B8773A4-83B6-491B-A9D1-C15CDD376FA2@microsoft.com...
>> >> > Is there a way to setup Microsoft DNS to only forward DNS requests for a
>> >> > specific set of IPs?
>> >>
>> >> Not conveniently. Forwarding is only done by ZONE.
>> >> (Even prior to Win2003 which can conditionally forward
>> >> by zone as well.)
>> >>
>> >> On the other hand you can pick off a zone of "one name" and
>> >> thus NOT forward for a small number of specific names.
>> >>
>> >> > I would like to turn forwarding on in my internet DNS server so that
>> >> > machines in my DMZ can use it for name resolution of zones where I am not
>> >> > the authority (like microsoft.com). However, I do not want to forward DNS
>> >> > requests originating from the internet, i.e. I only want internet users to
>> >> > be able to use my DNS server to resolve zones for which I am
>> >> > authoritative.
>> >>
>> >> The real problem here is that you are trying to use the same
>> >> server for PUBLIC DNS and for private, internal DNS.
>> >>
>> >> These two jobs should NOT be mixed. It is a bad and insecure
>> >> design (even with BIND servers which can accomplish this using
>> >> "views").
>> >>
>> >> You really should move your PUBLIC DNS back to the REGISTRAR
>> >> if possible.
>> >>
>> >> Most small companies have no business running their public DNS
>> >> at all.
>> >>
>>
>>
>> --
>> Herb Martin, MCSE, MVP
>> Accelerated MCSE
>> http://www.LearnQuick.Com
>> [phone number on web site]
>>
>>
>>
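The "single-name zone" override Herb describes above, written out as an added example (not commands from the thread) using dnscmd on the local Windows DNS server. Assumed/constructed values: the real zone is zone.com, the host being overridden is server.zone.com, and 192.0.2.10 is a documentation address standing in for the real IP.

```powershell
# Added example, not from the original post. Run in an elevated prompt on the
# DNS server itself ("." = local server). All names/addresses are constructed.

# 1. Create a primary zone whose NAME is the single host you want to override.
#    This server does NOT become authoritative for zone.com, only for this name.
dnscmd . /ZoneAdd server.zone.com /Primary /file server.zone.com.dns

# 2. Add an A record with a blank name ("@" = "same as parent folder"), so the
#    zone apex itself answers for server.zone.com.
dnscmd . /RecordAdd server.zone.com @ A 192.0.2.10

# 3. Check the result against this server only:
#    - server.zone.com answers from the override zone (192.0.2.10)
#    - any other name under zone.com is still resolved or forwarded as before,
#      because zone.com itself is not held here.
nslookup server.zone.com 127.0.0.1
nslookup www.zone.com 127.0.0.1

# 4. Undo, if the override is no longer wanted (/f skips the confirmation).
# dnscmd . /ZoneDelete server.zone.com /f
```

Note that this controls what the server answers for one name, not who is allowed to recurse; as the thread says, anyone who can reach the server gets the same answers.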