#1
PLEASE READ ENTIRE MESSAGE BEFORE REPLYING!
I need to deliberately poison DNS queries for a "walled garden" type setup. I need to return a fixed A record for ALL queries, so that means I need to be "quasi-authoritative" for all the .TLD, but only for clients that are re-directed to this DNS server. I understand all the pros and cons, and don't need advice as to the logic.

If I add a "." in the forwarder, this will simply stop all recursion to root servers, which is half the battle. Where I am having the issue is how to respond to queries that are TLD destined and have a single fixed A record be returned. So I guess the question I'm asking is how to privately be authoritative for all .TLD on a private, selective basis...?

Example:

Client --- DNS Server ---> google.com
DNS Server has a .com record that returns 192.168.1.1

Client --- DNS Server ---> microsoft.com
DNS Server has a .com record that returns 192.168.1.1

Client --- DNS Server ---> ANY QUERY ending in .com, .net, .org
DNS Server has a .com record that returns 192.168.1.1

Anything else gets no response.
#2
Read inline please.
In news:C8D4897A-55F1-4B6A-8180-B325B710BE4B@microsoft.com, T.M. Carter <TMCarter@discussions.microsoft.com> typed:

> PLEASE READ ENTIRE MESSAGE BEFORE REPLYING!
>
> I need to deliberately poison DNS queries for a "walled garden" type
> setup.
>
> I need to return a fixed A record for ALL queries, so that means I
> need to be "quasi-authoritative" for all the .TLD, but only for
> clients that are re-directed to this DNS server.

You cannot "redirect" clients to a certain DNS server; the client will use the DNS configured in its TCP/IP settings.

> I understand all the pros and cons, and don't need advice as to the
> logic.
>
> If I add a "." in the forwarder, this will simply stop all recursion
> to root servers, which is half the battle. Where I am having the
> issue is how to respond to queries that are TLD destined and
> have a single fixed A record be returned. So I guess the question
> I'm asking is how to privately be authoritative for all .TLD on a
> private, selective basis...?
>
> Example:
>
> Client --- DNS Server ---> google.com
> DNS Server has a .com record that returns 192.168.1.1
>
> Client --- DNS Server ---> microsoft.com
> DNS Server has a .com record that returns 192.168.1.1
>
> Client --- DNS Server ---> ANY QUERY ending in .com, .net, .org
> DNS Server has a .com record that returns 192.168.1.1
>
> Anything else gets no response.

Start with creating a . (Root) forward lookup zone; from there you just have to add records or delegations for the names you do want to resolve. For other domains that you don't want to resolve at all, don't add them. For domains where you want all hosts to resolve to the same IP address, add the domain, then add a wildcard "*" (asterisk) record to that domain. For example, if you want all names in a certain TLD, create the TLD as a subdomain of the root, then add a wildcard A record to that domain.

Do not add a wildcard record to any name that is in your DNS suffix search list. Those domains are searched first; if the exact match doesn't exist, the wildcard will be returned instead.

If the whole point of this is to prevent all non-local names from being resolved, just add the root zone.

Be aware of the fact that many sites use CNAMEs to FQDNs that are outside the original domain; those FQDNs must be delegated too, if the original domain is delegated. For example, there are A records for the root of microsoft.com, but many if not most of the other hosts in microsoft.com are CNAMEs, so you can really create A records for these hosts, because I've seen many cases where these IPs change at any time.

Examples of how CNAMEs are used, and of other domains that must be resolvable, in order to use a root zone to resolve only the names you choose:

    microsoft.com. IN A
    ANSWER SECTION:
    microsoft.com. 3030 IN A 207.46.197.32
    microsoft.com. 3030 IN A 207.46.232.182

    download.windowsupdate.com. IN A
    ANSWER SECTION:
    download.windowsupdate.com. 3555 IN CNAME download.windowsupdate.nsatc.net.
    download.windowsupdate.nsatc.net. 555 IN CNAME download.windowsupdate.com.fp.nsatc.net.
    download.windowsupdate.com.fp.nsatc.net. 3555 IN CNAME download.windowsupdate.com.c.footprint.net.
    download.windowsupdate.com.c.footprint.net. 185 IN A 199.93.46.124
    download.windowsupdate.com.c.footprint.net. 185 IN A 199.93.62.124

    update.microsoft.com. IN A
    ANSWER SECTION:
    update.microsoft.com. 3600 IN CNAME update.microsoft.com.nsatc.net.
    update.microsoft.com.nsatc.net. 300 IN CNAME www.update.microsoft.com.
    www.update.microsoft.com. 804 IN CNAME www.update.microsoft.com.nsatc.net.
    www.update.microsoft.com.nsatc.net. 55 IN A 65.55.200.157

    www.microsoft.com. IN A
    ANSWER SECTION:
    www.microsoft.com. 3578 IN CNAME toggle.www.ms.akadns.net.
    toggle.www.ms.akadns.net. 292 IN CNAME g.www.ms.akadns.net.
    g.www.ms.akadns.net. 292 IN CNAME lb1.www.ms.akadns.net.
    lb1.www.ms.akadns.net. 292 IN A 207.46.19.190
    lb1.www.ms.akadns.net. 292 IN A 207.46.193.254
    lb1.www.ms.akadns.net. 292 IN A 207.46.19.254
    lb1.www.ms.akadns.net. 292 IN A 207.46.192.254

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue; to respond directly to me, remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix: It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders with OEBackup:
http://www.oe.com/OEBackup/Default.aspx
===================================
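The procedure in the answer above (root zone, a wildcard A record per TLD, delegations for the names and CNAME targets that must still resolve, and the suffix-search-list caveat), written out as an added PowerShell example. This is not code from either post; it assumes a Windows Server 2012 or later DNS server with the DnsServer module, that `Add-DnsServerZoneDelegation -ChildZoneName` takes a name relative to the "." zone, and it uses 192.168.1.1 and the .com/.net/.org list from the question. Every name-server host and address in the delegation table is a placeholder (`.invalid` names and RFC 5737 192.0.2.0/24 addresses) that must be replaced with the real authoritative servers before it is applied.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the Windows DNS server that the walled-garden clients point at.

$Sinkhole = '192.168.1.1'               # fixed answer for every walled-garden name (from the question)
$SinkTlds = 'com', 'net', 'org'         # TLDs whose names should all resolve to the sinkhole
$Ttl      = New-TimeSpan -Minutes 5     # short TTL so clients recover quickly once they leave the garden

# 1. Root zone. Owning "." stops recursion and forwarding for everything
#    that is not explicitly created or delegated underneath it.
if (-not (Get-DnsServerZone -Name '.' -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name '.' -ZoneFile 'root.dns'
}

# 2. The suffix-search-list trap from the answer: a wildcard under a TLD that
#    also appears in the client search list would make short names such as
#    "fileserver" resolve to the sinkhole. Refuse to continue if they overlap.
$SearchList = (Get-DnsClientGlobalSetting).SuffixSearchList
foreach ($tld in $SinkTlds) {
    $clash = $SearchList | Where-Object { $_ -eq $tld -or $_ -like "*.$tld" }
    if ($clash) {
        throw "TLD '$tld' overlaps the DNS suffix search list ($($clash -join ', ')); fix the search list first."
    }
}

# 3. One wildcard A record per TLD, created directly in the "." zone (the
#    "com" node is created implicitly). Because no "google.com" node exists,
#    "*.com" matches google.com, www.google.com and any deeper name, which
#    covers all three cases in the question.
foreach ($tld in $SinkTlds) {
    Add-DnsServerResourceRecordA -ZoneName '.' -Name "*.$tld" -IPv4Address $Sinkhole -TimeToLive $Ttl
}

# 4. Names that must really resolve are delegated back to their authoritative
#    servers. As the answer shows, the CNAME targets (nsatc.net, footprint.net,
#    akadns.net) need delegations too, or the chain dies at the first CNAME.
#    Creating the "microsoft.com" node also stops "*.com" from matching it.
#    Placeholder NS data: look the real values up from an upstream resolver
#    first, e.g.  Resolve-DnsName -Name akadns.net -Type NS -Server 8.8.8.8
$Delegations = @{
    'microsoft.com'     = @{ NameServer = 'ns1.placeholder.invalid'; IPAddress = '192.0.2.10' }  # placeholder
    'windowsupdate.com' = @{ NameServer = 'ns2.placeholder.invalid'; IPAddress = '192.0.2.20' }  # placeholder
    'nsatc.net'         = @{ NameServer = 'ns3.placeholder.invalid'; IPAddress = '192.0.2.30' }  # placeholder
    'footprint.net'     = @{ NameServer = 'ns4.placeholder.invalid'; IPAddress = '192.0.2.40' }  # placeholder
    'akadns.net'        = @{ NameServer = 'ns5.placeholder.invalid'; IPAddress = '192.0.2.50' }  # placeholder
}
foreach ($zone in $Delegations.Keys) {
    $d = $Delegations[$zone]
    Add-DnsServerZoneDelegation -Name '.' -ChildZoneName $zone -NameServer $d.NameServer -IPAddress $d.IPAddress
}

# 5. Verify against the server itself: sinkholed names answer 192.168.1.1,
#    delegated names follow their real chain, everything else gets NXDOMAIN
#    from the root zone (an authoritative "no such name", not a dropped packet).
function Test-WalledGarden {
    param([string[]]$Names, [string]$Server = '127.0.0.1')
    foreach ($n in $Names) {
        $answer = Resolve-DnsName -Name $n -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue
        $ips = ($answer | Where-Object Type -eq 'A' | ForEach-Object IPAddress) -join ','
        [pscustomobject]@{ Name = $n; Answer = if ($ips) { $ips } else { 'NO ANSWER' } }
    }
}
Test-WalledGarden -Names 'google.com', 'www.google.com', 'example.org', 'update.microsoft.com', 'www.example.info'
```

The verification step is worth keeping around after deployment: it is the quickest way to notice that a delegated site has moved its CNAME chain to a CDN domain that has no delegation yet, which shows up as NO ANSWER for a name that is supposed to pass through. The short TTL matters for the same reason the answer gives for not hard-coding CNAME targets: cached sinkhole answers outlive the client's stay in the walled garden unless they expire quickly.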