#1
Is there a way to set up Microsoft DNS to only forward DNS requests for a specific set of IPs? I would like to turn forwarding on in my internet DNS server so that machines in my DMZ can use it for name resolution of zones where I am not the authority (like microsoft.com). However, I do not want to forward DNS requests originating from the internet, i.e. I only want internet users to be able to use my DNS server to resolve zones for which I am authoritative.
#2
"opc3" <opc3@discussions.microsoft.com> wrote in message
news:3B8773A4-83B6-491B-A9D1-C15CDD376FA2@microsoft.com...
> Is there a way to set up Microsoft DNS to only forward DNS requests for a
> specific set of IPs?

Not conveniently. Forwarding is only done by ZONE.
(Even prior to Win2003, which can conditionally forward
by zone as well.)

On the other hand you can pick off a zone of "one name" and
thus NOT forward for a small number of specific names.

> I would like to turn forwarding on in my internet DNS server so that
> machines in my DMZ can use it for name resolution of zones where I am not
> the authority (like microsoft.com). However, I do not want to forward DNS
> requests originating from the internet, i.e. I only want internet users to
> be able to use my DNS server to resolve zones for which I am authoritative.

The real problem here is that you are trying to use the same
server for PUBLIC DNS and for private, internal DNS.

These two jobs should NOT be mixed. It is a bad and insecure
design (even with BIND servers which can accomplish this using
"views").

You really should move your PUBLIC DNS back to the REGISTRAR
if possible.

Most small companies have no business running their public DNS
at all.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
#3
Thanks for the input. It is not readily apparent to me how this setup could be insecure; however, I agree it could be done better. While this design may be lacking in certain areas, I will look to clean those up later. I am just trying to see if it is possible using Microsoft DNS for now.

Could you elaborate on "....Forwarding is only done by ZONE. On the other hand you can pick off a zone of "one name" and thus NOT forward for a small number of specific names...."?
#4
"opc3" <opc3@discussions.microsoft.com> wrote in message
news:29E7D7B1-3CE6-41B1-BFC1-5F5ACB199959@microsoft.com...
> Thanks for the input. It is not readily apparent to me how this setup
> could be insecure, however I agree it could be done better.

In several ways, but the simplest to understand is that
since this DNS is publicly accessible it is much more
likely to be compromised. IF it serves both roles then
it will not only compromise your external publishing but
also could lead to compromising the internal network.

Security as a layered design is almost always the way to
think about it.

> While this design may be lacking in certain areas, I will look to clean
> those up later. I am just trying to see if it is possible using Microsoft
> DNS for now.

No (as I said originally), and it is a bad idea even if it were possible.

> Could you elaborate on "....Forwarding is only done by ZONE. On the other
> hand you can pick off a zone of "one name" and thus NOT forward for a
> small number of specific names...."?

Sure. If you wish a DNS server to hold a zone (i.e., be
authoritative for that zone) then it will answer ONLY
from what it knows (about THAT zone) with one exception:

If you delegate, then the child zone will be resolved
by the child zone DNS servers (they become authoritative).

But, if you don't want to hold an entire zone but resolve ONE
specific machine (from that zone) then you can create a "zone"
(just like any other zone) with the specific machine name* and
give it an A record with a blank name -- this will override for
that machine while still allowing this DNS server to NOT take
control/responsibility for the entire 'real' zone.

*Looks like this:

Assume the real zone is: zone.com
Assume the machine you wish to override is: server.zone.com

Build a zone with the name "server.zone.com" and give it a "blank"
("same as parent") A record.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
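The single-name override zone Herb describes, written out with the DnsServer PowerShell module (Windows Server 2012 and later). This is an added example, not code from the thread or from Microsoft's documentation: zone.com and server.zone.com are the placeholder names used in the thread, 192.0.2.10 is a constructed documentation address, and the DnsServer and DnsClient modules are assumed to be present on the server where this runs.

```powershell
# Added example (not from the thread): Herb Martin's "one-name zone" override
# done with the DnsServer module. Assumed names: zone.com is the real zone
# (owned by someone else), server.zone.com is the single host to override,
# 192.0.2.10 is a constructed documentation address.

$OverrideName = 'server.zone.com'
$OverrideIP   = '192.0.2.10'

# 1. Create a primary zone whose NAME is the host name. The server becomes
#    authoritative for exactly this one name; it takes no responsibility
#    for the rest of zone.com, which still resolves via forwarding/recursion.
Add-DnsServerPrimaryZone -Name $OverrideName -ZoneFile "$OverrideName.dns"

# 2. Add the "blank" / "(same as parent folder)" A record, i.e. the zone apex
#    (@). This is the record that answers for server.zone.com itself.
Add-DnsServerResourceRecordA -ZoneName $OverrideName -Name '@' `
    -IPv4Address $OverrideIP -TimeToLive (New-TimeSpan -Hours 1)

# 3. Check the split: the overridden name must come back with $OverrideIP and
#    the "Authority" flag set, while a sibling name under the same real zone
#    is still answered from the outside (not from a local zone).
Resolve-DnsName -Name $OverrideName   -Server 127.0.0.1 -Type A
Resolve-DnsName -Name 'other.zone.com' -Server 127.0.0.1 -Type A

# 4. Inventory: a one-name zone silently replaces the real owner's answer for
#    that host, so list every non-reverse forward zone this server hosts and
#    make sure each override is still wanted.
Get-DnsServerZone |
    Where-Object { -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated
```

Because such a zone overrides the record of a name somebody else owns, step 4 is the part to keep running: a forgotten override for a host that has since moved is indistinguishable, from the client's point of view, from a deliberate redirection, so every one-name zone on a server should be accounted for by a change record.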
#5
Thanks again for the response, but I think you are making some assumptions about my environment which are only muddying the waters. Thanks for the input; I appreciate you trying to work through this with me, hopefully others are benefiting from our exchange as well...

Let me try explaining again:

I only want to make my already public (and only public) DNS server, which currently only responds for the zones for which it is authoritative (i.e. forwarding is currently off), forward DNS requests only if the request is originating from an IP that I trust. This will effectively create a server where unknown computers can continue to use my DNS server for name resolution of zones for which I am authoritative (same functionality as is set up right now), but in addition to that, IPs that I trust can query my DNS server for all zones regardless of whether I am authoritative for that zone or not, effectively allowing them to make use of my server as their primary DNS server to resolve all internet domains. Make sense?
#6
"opc3" <opc3@discussions.microsoft.com> wrote in message
news:C2F5F7BB-D877-450C-A149-410E720A9188@microsoft.com...
> Thanks again for the response, but I think you are making some assumptions
> about my environment which is only muddying the waters. Thanks for the
> input, I appreciate you trying to work through this with me, hopefully
> others are benefiting from our exchange as well...
>
> Let me try explaining again:
>
> I only want to make my already public (and only public) DNS server that
> currently only responds for the zones for which it is authoritative (i.e.
> forwarding is currently off) to forward DNS requests only if the request
> is originating from an IP that I trust.

No.

The answer remains "no."

With the sole exception that you can resolve on one/some NIC/IPs,
while refusing to resolve requests on other IPs/NICs of the
same DNS server.

Whatever you will resolve for anyone is going to be resolved
for everyone you allow to contact the server at all.

(That is, you can use filtering and such to prevent DNS
requests, but if you resolve anything for them then the
DNS server will them with anything/everything that
it knows how to do.)

There are NO VIEWs (as exist in a BIND server).

And yes, I understood your question the first time -- answered
it and answered the associated questions, in case those were
what you really meant.

MS DNS won't do what you ask.

(It remains a bad idea but MS DNS won't do it anyway.)

> This will effectively create a server
> where unknown computers can continue to use my DNS server for name
> resolution of zones for which I am authoritative (same functionality as is
> set up right now) but in addition to that IPs that I trust can query my
> DNS server for all zones regardless of whether I am authoritative for that
> zone or not, effectively allowing them to make use of my server as their
> primary DNS server to resolve all internet domains. Make sense?

Yes, the question makes perfect sense as it generally did the first
time, but the answer remains "No, MS DNS won't do that."

BIND will. (To at least some useful and interesting extent
with "Views", but even the BIND experts generally consider
this a very poor design.)

And such designs are practically always unnecessary -- you
have hit on one of the main reasons (besides security) why
most companies should not run their own public DNS servers
but put it back at the REGISTRAR.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
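Herb's "no" describes the Windows DNS server of the time, which had no per-client views. The DNS Policy feature that arrived with Windows Server 2016 does let recursion be granted per client subnet, which is what opc3 asked for. The added example below is not from the thread and not Microsoft's own sample; it shows the defensive way to express that split: recursion off for everyone by default (so the public server is not an open resolver), on only for a named trusted subnet, with the forwarder attached to that scope alone. 203.0.113.0/24 and 192.0.2.53 are constructed placeholder addresses, the scope and policy names are chosen here, and the cmdlets assume the DnsServer module on Windows Server 2016 or later. Herb's point about mixing the public and internal roles on one box still applies to the result.

```powershell
# Added example (not from the thread). Windows Server 2016+ DNS policies:
# keep the server authoritative-only for unknown clients, and grant
# recursion (resolving zones this server does not own) to one trusted subnet.
# Assumed values: 203.0.113.0/24 stands in for the DMZ range, 192.0.2.53 for
# the upstream forwarder; 'DMZClients', 'DMZRecursion' and 'RecurseForDMZ'
# are names chosen for this example.

$TrustedSubnet = '203.0.113.0/24'
$Upstream      = '192.0.2.53'

# 1. Give the trusted client range a name that policies can refer to.
Add-DnsServerClientSubnet -Name 'DMZClients' -IPv4Subnet $TrustedSubnet

# 2. The default recursion scope "." applies to every query that matches no
#    policy. Turn recursion OFF there: Internet clients then only get answers
#    for zones this server hosts (the behaviour opc3 wants to keep).
Set-DnsServerRecursionScope -Name '.' -EnableRecursion $false

# 3. A second scope with recursion ON and its own forwarder. It is never used
#    unless a policy selects it.
Add-DnsServerRecursionScope -Name 'DMZRecursion' -EnableRecursion $true `
    -Forwarder $Upstream

# 4. Policy: when the query's source address is inside DMZClients, evaluate it
#    in the recursive scope. Source-address checks are only as strong as the
#    anti-spoofing filters in front of the server, so keep those in place.
Add-DnsServerQueryResolutionPolicy -Name 'RecurseForDMZ' -Action ALLOW `
    -ApplyOnRecursion -RecursionScope 'DMZRecursion' `
    -ClientSubnet 'EQ,DMZClients'

# 5. Verify the configuration on the server itself.
Get-DnsServerRecursionScope
Get-DnsServerQueryResolutionPolicy | Format-List Name, Action, Criteria, IsEnabled

# 6. Behavioural check from both sides: from a DMZ host, a name the server is
#    not authoritative for must resolve; from any other address the same
#    query must fail (no recursion), while names in hosted zones still answer.
#    Run these from the respective clients against the server's public IP:
#   Resolve-DnsName -Name 'www.microsoft.com' -Server <server-public-ip> -Type A
```

The order of steps 2 and 3 matters in production: disabling the default scope before the trusted scope and policy exist cuts off the DMZ until step 4 completes, so on a live server create the scope and policy first and flip the default scope last. Step 6 is the check that actually proves the split; the cmdlet output in step 5 only shows that the objects exist.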
#7
Got it: in current MS DNS, the answer is 'no'. While BIND may support it, you are saying it is not a good idea. Thanks for hanging in there with me, I appreciate the input.
#8
"opc3" <opc3@discussions.microsoft.com> wrote in message
news:97DB8995-3766-4F9F-99A7-301176E48EEB@microsoft.com...
> Got it, in current MS DNS, the answer is 'no'. While BIND may support it
> you are saying it is not a good idea.

Right and right.

> Thanks for hanging in there with me, I
> appreciate the input.

No problem.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]