#1
Hello,

I have a few servers up at a CO-LO running a Windows 2000 domain. I have 2 Domain Controllers (PDC and SDC) and I'm all of a sudden getting a red flag error on dnsreport.com for all of my domains that I host on my name servers. Here's one example:

http://www.dnsreport.com/tools/dnsre...osstheroom.com

http://forums.dnsstuff.com/tool/post...78&trail=15#14

The problem is, if I follow the recommendation and check the Disable Recursion checkbox, I can no longer see the Internet from my name servers. I don't even know if this is a problem or why this happened, but I did it remotely (through Remote Desktop) and I didn't get disconnected, so I seemed to be connected still. Anyway, what is the correct way to configure this?

Thanks,
Dave

#2
p.s. I've seen some suggestions saying you have to make the allow recursion only to the internal network. Is this correct? And if so, how do I do this on a Windows 2000 DNS server?

#3
Dave wrote:
> Hello,
>
> I have a few servers up at a CO-LO running a windows 2000 domain. I
> have 2 Domain Controllers (PDC and SDC) and i'm all of a sudden
> getting a red flag error on dnsreport.com for all of my domains that
> I host on my name servers. Here's one example:
>
> http://www.dnsreport.com/tools/dnsre...osstheroom.com
>
> http://forums.dnsstuff.com/tool/post...78&trail=15#14
>
> The problem is, if i follow the recommendation and check the Disable
> Recursion checkbox, I can no longer see the Internet from my name
> servers. I don't even know if this is a problem or why this happened,
> but i did it remotely (through Remote Desktop) and i didn't get
> disconnected, so i seemed to be connected still. Anyway, what is the
> correct way to configure this?

You are going to have to ignore the DNS report or MOVE the public zone to a non-recursive DNS server. If the Windows DNS is used for DNS resolution for clients, you cannot disable recursion. MS DNS recurses for all or recurses for none.

This question has been asked what seems like 50 times in this group since DNSreport.com added this test.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This s
===================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue, to respond directly to me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
https://secure.lsaol.com/
===================================
Use Outlook Express?... Get OE_Quotefix: It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders with OEBackup:
http://www.oe.com/OEBackup/Default.aspx
===================================

#4
"Dave" <chakachimp@yahoo.com> wrote in message
news:1142562509.243628.171380@v46g2000cwv.googlegroups.com...
> p.s. i've seem some suggestions saying you have to make the allow
> recursion only to the internal network. Is this correct? And if so, how
> do i do this on a windows 2000 dns server?
>

Kevin has told you, and I have told you, this is not going to work as long as you use the same Microsoft DNS server for this purpose.

We have also told you it is a bad design to use the same server for both internal and external resolution anyway.

And we have mentioned that this is NOT a "giant issue" in most cases -- odds of someone seriously abusing your server are fairly low (and you can block their address if you find this happening.)

We have also mentioned that you can solve this problem by moving your EXTERNAL resolution back to the REGISTRAR (so that you will have two DNS server sets without spending more money.)

Beyond that you must run two DNS servers -- one configured to operate ONLY on the internal and the other (non-MS) DNS server strictly on the external NIC-address (or at least a NON-MS DNS which can do what you wish but I would discourage that even more strongly at this time.)

There just isn't any way to get your MICROSOFT DNS server to handle recursive requests for YOUR users, but only handle requests (non-recursive) for external users TOO.

And again, it would be a poor design even if you could, so doing this is likely a worse security hole than just leaving the recursive request service enabled.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
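
An added example, not part of the original thread: one way to check from an outside host whether a name server you administer recurses for external clients, which is the condition the posts above discuss. It queries a name the server is not authoritative for and reads the RA flag and answer count in the reply; the function names and sample replies are constructed here, and how dnsreport.com runs its own test is not stated in the thread.

```python
import socket
import struct

RD = 0x0100  # Recursion Desired (set by the client)
RA = 0x0080  # Recursion Available (set by the server)
AA = 0x0400  # Authoritative Answer

def build_query(name, qid=0x1234):
    """Encode a standard A-record query with the RD bit set."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(response, qid=0x1234):
    """Classify a reply to a query for a name the server is NOT authoritative for."""
    if len(response) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != qid or not flags & 0x8000:      # wrong ID or QR bit not set
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 5:                            # REFUSED
        return "refused"
    if flags & RA and rcode == 0 and ancount > 0 and not flags & AA:
        return "open-recursion"               # resolved a foreign name for us
    if flags & RA:
        return "recursion-advertised"         # RA set, but no answer obtained
    return "no-recursion"                     # referral or empty answer, RA clear

def probe(server, name, timeout=3.0):
    """Send the query over UDP from an outside host and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout"
    return classify(data)

# Constructed sample replies for offline use (192.0.2.1 is a documentation address).
_Q = build_query("example.com")[12:]
_A = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _Q + _A
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + _Q
SAMPLE_REFERRAL = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 0, 0) + _Q
```

A result of "open-recursion" from an outside address corresponds to the combined internal/external server the replies describe; "no-recursion" or "refused" is what an authoritative-only external server returns.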