28/10/2006, 17h59
#7
Re: Only Forward DNS Requests for Specific IPs
Got it, in current MS DNS, the answer is 'no'. While BIND may support it you
are saying it is not a good idea. Thanks for hanging in there with me, I
appreciate the input.
"Herb Martin" wrote:
> "opc3" <opc3@discussions.microsoft.com> wrote in message
> news:C2F5F7BB-D877-450C-A149-410E720A9188@microsoft.com...
> > Thanks again for the response, but I think you are making some assumptions
> > about my environment which is only muddying the waters. Thanks for the
> > input, I appreciate you trying to work through this with me, hopefully others
> > are benefiting from our exchange as well...
> >
> > Let me try explaining again:
> >
> > I only want to make my already public (and only public) DNS server that
> > currently only responds for the zones for which it is authoritative (i.e.
> > forwarding is currently off) to forward DNS requests only if the request
> > is originating from an IP that I trust.
>
> No.
>
> The answer remains "no."
>
> With the sole exception that you can resolve on one/some NIC/IPs,
> while refusing to resolve requests on other IPs/NICs of the
> same DNS server.
>
> Whatever you will resolve for anyone is going to be resolved
> for everyone you allow to contact the server at all.
>
> (That is, you can use filtering and such to prevent DNS
> requests but if you resolve anything for them then the
> DNS server will answer them with anything/everything that
> it knows how to do.)
>
> There are NO VIEWs (as exist in a BIND server).
>
> And yes, I understood your question the first time -- answered
> it and answered the associated questions, in case those were
> what you really meant.
>
> MS DNS won't do what you ask.
>
> (It remains a bad idea but MS DNS won't do it anyway.)
>
>
> > This will effectively create a server
> > where unknown computers can continue to use my DNS server for name
> > resolution of zones for which I am authoritative (same functionality as is
> > setup right now) but in addition to that IPs that I trust can query my DNS
> > server for all zones regardless of whether I am authoritative for that zone
> > or not, effectively allowing them to make use of my server as their primary
> > DNS server to resolve all internet domains. Make sense?
>
> Yes, the question makes perfect sense as it generally did the first
> time but the answer remains "No, MS DNS won't do that."
>
> BIND will. (To at least some useful and interesting extent
> with "Views", but even the BIND experts generally consider
> this a very poor design.)
>
> And such designs are practically always unnecessary -- you
> have hit on one of the main reasons (besides security) why
> most companies should not run their own public DNS servers
> but put it back at the REGISTRAR.
>
>
> --
> Herb Martin, MCSE, MVP
> Accelerated MCSE
> http://www.LearnQuick.Com
> [phone number on web site]
>
> >
> > "Herb Martin" wrote:
> >
> >> "opc3" <opc3@discussions.microsoft.com> wrote in message
> >> news:29E7D7B1-3CE6-41B1-BFC1-5F5ACB199959@microsoft.com...
> >> > Thanks for the input. It is not readily apparent to me how this setup
> >> > could be insecure, however I agree it could be done better.
> >>
> >> In several ways but the simplest to understand is that
> >> since this DNS is publicly accessible it is much more
> >> likely to be compromised. IF it serves both roles then
> >> it will not only compromise your external publishing but
> >> also could lead to compromising the internal network.
> >>
> >> Security as a layered design is almost always the way to
> >> think about it.
> >>
> >> > While this design may be lacking in certain areas, I will look to clean
> >> > those up later. I am just trying to see if it is possible using Microsoft
> >> > DNS for now.
> >>
> >> No, (as I said originally) and it is a bad idea even if it were possible.
> >>
> >> > Could you elaborate on "....Forwarding is only done by ZONE. On the
> >> > other hand you can pick off a zone of "one name" and thus NOT forward for
> >> > a small number of specific names...."?
> >>
> >> Sure. If you wish a DNS server to hold a zone (i.e., be
> >> authoritative for that zone) then it will answer ONLY
> >> from what it knows (about THAT zone) with one exception:
> >>
> >> If you delegate, then the child zone will be resolved
> >> by the child zone DNS servers (they become authoritative)
> >>
> >> But, if you don't want to hold an entire zone but resolve ONE
> >> specific machine (from that zone) then you can create a "zone"
> >> (just like any other zone) with the specific machine name* and
> >> give it an A record with a blank name -- this will override for
> >> that machine while still allowing this DNS server to NOT take
> >> control/responsibility for the entire 'real' zone.
> >>
> >> *Looks like this:
> >>
> >> Assume the real zone is: zone.com
> >> Assume the machine you wish to override is: server.zone.com
> >>
> >> Build a zone with the name "server.zone.com" and give it a "blank"
> >> ("same as parent") A record.
> >>
> >>
> >> > "Herb Martin" wrote:
> >> >
> >> >> "opc3" <opc3@discussions.microsoft.com> wrote in message
> >> >> news:3B8773A4-83B6-491B-A9D1-C15CDD376FA2@microsoft.com...
> >> >> > Is there a way to setup Microsoft DNS to only forward DNS requests
> >> >> > for a specific set of IPs?
> >> >>
> >> >> Not conveniently. Forwarding is only done by ZONE.
> >> >> (Even prior to Win2003 which can conditionally forward
> >> >> by zone as well.)
> >> >>
> >> >> On the other hand you can pick off a zone of "one name" and
> >> >> thus NOT forward for a small number of specific names.
> >> >>
> >> >> > I would like to turn forwarding on in my internet DNS server so that
> >> >> > machines in my DMZ can use it for name resolution of zones where I
> >> >> > am not the authority (like microsoft.com). However, I do not want to
> >> >> > forward DNS requests originating from the internet, i.e. I only want
> >> >> > internet users to be able to use my DNS server to resolve zones for
> >> >> > which I am authoritative.
> >> >>
> >> >> The real problem here is that you are trying to use the same
> >> >> server for PUBLIC DNS and for private, internal DNS.
> >> >>
> >> >> These two jobs should NOT be mixed. It is a bad and insecure
> >> >> design (even with BIND servers which can accomplish this using
> >> >> "views").
> >> >>
> >> >> You really should move your PUBLIC DNS back to the REGISTRAR
> >> >> if possible.
> >> >>
> >> >> Most small companies have no business running their public DNS
> >> >> at all.
> >> >>
> >>
> >>
> >> --
> >> Herb Martin, MCSE, MVP
> >> Accelerated MCSE
> >> http://www.LearnQuick.Com
> >> [phone number on web site]
> >>
> >>
> >>
>
>
>
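A small model of the two mechanisms Herb relies on above: the "one name" override zone (a zone called server.zone.com holding a blank/apex A record) and the fact that forwarding is a server-wide setting rather than something switched on per client. This is an added example written for this page, not code from the thread, from MS DNS or from BIND. The zone names example.net and zone.com, the forwarder address and all IP addresses are constructed. It implements the longest-suffix zone match both servers use to decide which zone owns a query name, and it also shows the caveat a practitioner should expect from the override trick: once the server holds a zone named server.zone.com it is authoritative for every name under that label too, so www.server.zone.com gets NXDOMAIN unless you add it.

```python
"""Model of how a DNS server chooses which zone answers a query.

Added example for this thread, not MS DNS or BIND code. It reproduces the
longest-suffix zone match that both servers use and the one-name override
zone described in the thread (zone "server.zone.com" holding an apex A record).
All zone names and addresses below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Zone:
    name: str                                   # zone apex, e.g. "server.zone.com"
    records: Dict[str, List[str]] = field(default_factory=dict)  # FQDN -> A addresses

    def apex_a(self, addresses: List[str]) -> "Zone":
        """The "blank name" / "(same as parent folder)" A record: owner == zone apex."""
        self.records[self.name] = addresses
        return self


class DnsServer:
    def __init__(self, zones: List[Zone], forwarder: Optional[str] = None):
        self.zones = {z.name: z for z in zones}
        # Forwarding is a server-wide setting; there is no per-client switch,
        # which is why "forward only for trusted source IPs" cannot be expressed.
        self.forwarder = forwarder

    def owning_zone(self, qname: str) -> Optional[Zone]:
        """Most specific zone whose apex equals qname or is a suffix of it."""
        labels = qname.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            apex = ".".join(labels[i:])
            if apex in self.zones:
                return self.zones[apex]
        return None

    def resolve(self, qname: str) -> Tuple[str, Optional[List[str]]]:
        qname = qname.lower().rstrip(".")
        zone = self.owning_zone(qname)
        if zone is not None:
            # Authoritative: answered from zone data only, never forwarded.
            rrs = zone.records.get(qname)
            return ("AUTH", rrs) if rrs else ("NXDOMAIN", None)
        if self.forwarder is None:
            # Not authoritative and not forwarding. Assumption: this models a
            # server with recursion disabled, which simply refuses such queries.
            return ("REFUSED", None)
        return ("FORWARDED to " + self.forwarder, None)


def build_public_server(forwarder: Optional[str]) -> DnsServer:
    """Constructed: a public server authoritative for example.net plus one override."""
    own = Zone("example.net", {"www.example.net": ["192.0.2.10"]})
    override = Zone("server.zone.com").apex_a(["198.51.100.5"])
    return DnsServer([own, override], forwarder)


def resolve_examples(forwarder: Optional[str] = None) -> Dict[str, Tuple[str, Optional[List[str]]]]:
    """Resolve four constructed queries against the server, with or without a forwarder."""
    srv = build_public_server(forwarder)
    queries = [
        "www.example.net",        # own zone: answered authoritatively
        "server.zone.com",        # one-name zone: the override answers
        "www.zone.com",           # rest of zone.com: not ours, refused or forwarded
        "www.server.zone.com",    # caveat: now inside our one-name zone -> NXDOMAIN
    ]
    return {q: srv.resolve(q) for q in queries}


if __name__ == "__main__":
    for fwd in (None, "203.0.113.53"):
        print("forwarder:", fwd)
        for q, answer in resolve_examples(fwd).items():
            print(f"  {q:24} -> {answer}")
```

Running it with and without a forwarder shows the point of the thread: the override answer for server.zone.com and the NXDOMAIN for names beneath it are identical in both cases, and the only thing the forwarder changes is the fate of names the server does not own, for every client alike. The REFUSED result for the no-forwarder case is this model's assumption about a server with recursion turned off; the exact response code a real MS DNS or BIND server returns depends on its recursion settings.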