#1 Moondoggy
We just took over responsibility for our external DNS here at my company. Previously we were only responsible for the internal DNS.

To make a long story short, we migrated external DNS zones from one server running Incognito DNS to two special Windows 2003 domain controllers sitting on the corporate LAN that are providing Active Directory authentication for a special in-house domain. We then created two member servers in the DMZ that hold secondary copies of the zones; these are the actual DNS servers that the rest of the world sees. Our internal DNS servers are protected by the firewall and cannot be reached from the outside world.

When we migrated the zones off of the Incognito DNS server we first set the zones up on the DCs as secondaries and then changed them from Secondary to Active Directory Integrated zones. When we did this, Active Directory immediately created an NS record in the zone for each of the DCs. I went into properties and deleted the NS records for the two DCs, leaving the two original public NS records "as is", but later on when we refreshed the zones we noted that the NS records for the two DCs were automatically re-created.

Bottom line is that we do not want to advertise the existence of our internal name servers to the public through sites like WWW.DNSREPORTS.COM, despite the fact that these two DCs cannot be reached. Short of converting the zones from AD Integrated to Primary (file) on one DC and creating them as secondaries on the second DC, is there any way that we can leave them AD integrated and not publicly advertise their existence to the world?

#2
I think this link may help:
http://technet2.microsoft.com/Window....mspx?mfr=true

This is a registry key that will disable DNS dynamic update registration for all interfaces on the system.

"Moondoggy" <Moondoggy@discussions.microsoft.com> wrote in message news:781C2C5A-31EC-4AA6-B8A9-44B4C3E9F0D4@microsoft.com...
> [...] Short of converting the zones from AD Integrated to Primary (file) on one DC and creating them as secondaries on the second DC, is there any way that we can leave them AD integrated and not publicly advertise their existence to the world?

#3
Moondoggy wrote:
> [...] Short of converting the zones from AD Integrated to Primary (file) on one DC and creating them as secondaries on the second DC, is there any way that we can leave them AD integrated and not publicly advertise their existence to the world?

This KB article tells you two ways to stop the NS record autocreation. You should carefully read the entire section to understand the effects of doing this.

267855 - Problems with Many Domain Controllers with Active Directory Integrated DNS Zones
http://support.microsoft.com/kb/267855

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
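The following is an added worked example, not something posted in this thread and not Microsoft's own text from KB 267855. It strings together the steps a practitioner would actually run on a Windows Server 2003 DC to stop the DC NS records from being written into an AD-integrated public zone, remove the ones already there, and then confirm from the DMZ secondary's point of view that no internal name is still advertised. Every name in it is an assumption for illustration: the public zone `example.com`, the two DCs `dc1`/`dc2.corp.example.test`, and the DMZ secondary `ns1.example.com`.

```batch
@echo off
REM Added example (not from the thread): stop DC-generated NS records from leaking
REM into an AD-integrated public zone, then verify what the DMZ secondary serves.
REM All names below are assumed placeholders; replace them with your own.
setlocal
set ZONE=example.com
set DC1=dc1.corp.example.test
set DC2=dc2.corp.example.test
set PUBNS=ns1.example.com
set INTERNAL_SUFFIX=corp.example.test

REM 1. Server-wide switch: this DC no longer writes an NS record for itself into
REM    any zone it hosts (equivalent to DWORD DisableNSRecordsAutoCreation=1 under
REM    HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters). Run on BOTH DCs.
dnscmd /Config /DisableNSRecordsAutoCreation 1 || goto :fail

REM    Narrower alternative, if the same DCs also host the internal AD zone and you
REM    still want their NS records there: restrict auto-creation per zone to a list
REM    of allowed server IPs instead of disabling it server-wide.
REM    dnscmd /Config %ZONE% /AllowNSRecordsAutoCreation 203.0.113.53

REM 2. Restart the DNS Server service so the new setting is picked up.
net stop dns
net start dns

REM 3. Remove the NS records AD already wrote. The two public NS records are untouched.
dnscmd /RecordDelete %ZONE% @ NS %DC1%. /f
dnscmd /RecordDelete %ZONE% @ NS %DC2%. /f

REM 4. Make the DMZ secondary pull the updated zone now rather than at the next
REM    SOA refresh interval. If RPC is blocked by the firewall, run this on the
REM    secondary itself as:  dnscmd /ZoneRefresh %ZONE%
dnscmd %PUBNS% /ZoneRefresh %ZONE%

REM 5. Check what the world sees. Query the public secondary directly for the NS set
REM    and for the SOA, and fail if any internal host name appears in either.
nslookup -type=NS  %ZONE% %PUBNS% >  "%TEMP%\%ZONE%-public.txt"
nslookup -type=SOA %ZONE% %PUBNS% >> "%TEMP%\%ZONE%-public.txt"
findstr /i "%INTERNAL_SUFFIX%" "%TEMP%\%ZONE%-public.txt" >nul && (
  echo FAIL: an internal name server is still advertised in %ZONE%
  type "%TEMP%\%ZONE%-public.txt"
  exit /b 1
)
echo OK: only public name servers are advertised for %ZONE%
type "%TEMP%\%ZONE%-public.txt"
exit /b 0

:fail
echo dnscmd failed; check that you are running as a DNS administrator on the DC.
exit /b 1
```

Two caveats the check in step 5 is there to catch. First, the server-wide switch affects every zone on that DC, including the internal AD domain zone where you normally do want the DCs listed, which is why the per-zone `AllowNSRecordsAutoCreation` form is shown as the alternative. Second, the NS records are not the only place an AD-integrated zone names its DC: the SOA's primary-server field is set to the DC that serves the zone and is carried over to the secondaries by zone transfer, so a report that queries the SOA will show the internal host name even after the NS records are gone. Edit that field on the zone's Start of Authority tab (or with `dnscmd /RecordAdd ... SOA`) to point at a public name, then re-run the check.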