DNS on w2k - Internal Only

Thread starter: Randy Henson

Randy Henson

I'm testing the upgrade process going from a WinNT domain to W2K. The
upgrade went fine, as did the DNS install; however, there are a couple
of issues that I'd like to have answered.

DNS is working fine; however, I have some clients that are not to have
Internet access, but I haven't been able to track down how to make the
DNS server internal only.

My plan is to set up the internal server as the primary DNS server, and for
the clients that get Internet access, use the ISP DNS as secondary -
unless someone has a better idea.

I appreciate any help you can give me on this.

Randy
 
For AD DNS clients you must point them to the AD DNS server ONLY. To get
Internet access set up your AD DNS server to forward requests and list your
ISP's DNS server as the forwarder. This is the ONLY place your ISP's DNS
servers should be listed on your network.

To restrict some clients from Internet access and not others, check to see
if this function is available in the software/hardware you are using to
share the internet connection with. Don't try to do this with DNS.

hth
DDS W 2k MVP MCSE
 
In
Randy Henson said:
I'm testing the upgrade process going from a WinNT domain
to W2K. The upgrade went fine, as did the DNS install;
however, there are a couple of issues that I'd like to
have answered.

DNS is working fine; however, I have some clients that
are not to have Internet access, but I haven't been able
to track down how to make the DNS server internal only.

My plan is to set up the internal server as the primary DNS
server, and for the clients that get Internet access, use
the ISP DNS as secondary - unless someone has a better
idea.

Do NOT use your ISP's DNS in any position on any interface of any AD domain
member, no exceptions.

Your internal DNS probably has a "." Forward Lookup Zone; delete it. Then
on the DNS server properties in the DNS management console, Forwarders tab,
configure the ISP DNS there and only there.
 
In
Randy Henson said:
I'm testing the upgrade process going from a WinNT domain to W2K. The
upgrade went fine, as did the DNS install; however, there are a couple
of issues that I'd like to have answered.

DNS is working fine; however, I have some clients that are not to have
Internet access, but I haven't been able to track down how to make the
DNS server internal only.

My plan is to set up the internal server as the primary DNS server, and for
the clients that get Internet access, use the ISP DNS as secondary -
unless someone has a better idea.

I appreciate any help you can give me on this.

Randy

Using the ISP's DNS in the IP properties of any AD member (DC, client or
member server) is not advised; you can expect a multitude of errors and
problems. With AD, you MUST only use the internal DNS server, since AD
requires that. Having an additional DNS entry does not give the DNS
client-side resolver the ability to 'toggle' back and forth between the
entries; rather, it will use the first one, and if it gets a timeout it goes
to the second one and removes the first one from the 'eligible resolvers
list'. The only way to reset it is to either restart the machine, restart the
DNS Client service or make a registry entry to alter the default behavior.

If you want to control Internet access selectively, I can suggest either
placing the users that you do not want to have Internet access into their
own OU and creating a GPO with a setting that gives them a fake proxy
address, or actually installing ISA Server, or any other proxy of your
choosing that works with AD, and allowing access based on the user logon.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
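The rule stated above (an AD member lists the AD DNS servers and nothing else) is easy to state and easy to violate quietly, because an ISP address left over from the NT4 days still "works" most of the time. The PowerShell below is an added example, not code from this thread or from Microsoft: it audits every interface on a member against an allow-list of internal DNS servers, rewrites the offenders, and then checks the one lookup AD cannot live without, the _ldap._tcp.dc._msdcs SRV record. The server addresses are assumptions; the DnsClient cmdlets need Windows 8 / Server 2012 or later (Windows 2000 has no PowerShell; the equivalents there are ipconfig /all and netsh, noted in the comments).

```powershell
# Added example: audit and repair the DNS client settings of an AD member so that
# ONLY the AD DNS servers are listed. Addresses are assumed for illustration.
# Windows 2000/2003 equivalents:
#   ipconfig /all
#   netsh interface ip set dns name="Local Area Connection" source=static addr=10.0.0.10
#   netsh interface ip add dns name="Local Area Connection" addr=10.0.0.11 index=2

$InternalDns = @('10.0.0.10', '10.0.0.11')   # the domain's AD DNS servers (assumed)

function Get-DnsResolverFindings {
    param([string[]]$Allowed = $InternalDns)
    $findings = @()
    foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
        if (-not $cfg.ServerAddresses) { continue }          # nothing configured on this interface
        $bad = @($cfg.ServerAddresses | Where-Object { $Allowed -notcontains $_ })
        if ($bad.Count -gt 0) {
            $findings += [pscustomobject]@{
                InterfaceAlias = $cfg.InterfaceAlias
                InterfaceIndex = $cfg.InterfaceIndex
                Configured     = ($cfg.ServerAddresses -join ', ')
                Unexpected     = ($bad -join ', ')           # e.g. an ISP resolver listed as "secondary"
            }
        }
    }
    return $findings
}

function Repair-DnsResolver {
    param([string[]]$Allowed = $InternalDns, [switch]$WhatIf)
    foreach ($f in Get-DnsResolverFindings -Allowed $Allowed) {
        # Replace the whole list rather than appending: order matters, and the ISP
        # server must not remain in any position.
        Set-DnsClientServerAddress -InterfaceIndex $f.InterfaceIndex -ServerAddresses $Allowed -WhatIf:$WhatIf
    }
    if (-not $WhatIf) { Clear-DnsClientCache }   # drop answers cached from the wrong server
}

function Test-AdDnsLocator {
    # The record every AD client needs: the SRV record that locates a domain controller.
    # If this fails, the client cannot log on or apply Group Policy, whatever else resolves.
    $name = "_ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN"
    $rr = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Query   = $name
        Found   = [bool]$rr
        Targets = (($rr | Where-Object Type -eq 'SRV' | ForEach-Object NameTarget) -join ', ')
    }
}

# Usage (run elevated on the member being audited):
Get-DnsResolverFindings | Format-Table -AutoSize
Repair-DnsResolver -WhatIf      # drop -WhatIf to actually rewrite the interfaces
Test-AdDnsLocator
```

Run the audit before and after the repair; if Test-AdDnsLocator reports Found = False after the change, the allow-list itself is wrong (the addresses are not the DCs hosting the zone), not the procedure.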
 
In Ace Fekay [MVP] wrote their comments, then Kevin replied below:
In Danny Sanders made a post, then I commented below:

Sorry Danny, didn't see your post prior to my posting. I
should have refreshed first.

Ace

I still don't see Danny's post.
 
In
Kevin D. Goodknecht Sr. said:
In Ace Fekay [MVP]
their comments
Then Kevin replied below:

I still don't see Danny's post.

--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
============================

I think his time zone is off:
From: "Danny Sanders" <[email protected]>
References: <[email protected]>
Subject: Re: DNS on w2k - Internal Only
Date: Wed, 4 Aug 2004 13:04:14 -0600

My properties show:
From: "Ace Fekay [MVP]"
<PleaseSubstituteMyActualFirstName&[email protected]>
References: <[email protected]>
<[email protected]>
Subject: Re: DNS on w2k - Internal Only
Date: Wed, 4 Aug 2004 17:52:57 -0400

Your date/time shows the same except -0500 and I know you are one time zone
west of me. So I think Danny's zone's off. But strange that I would see it
before you.

--
Regards,
Ace
 
In
Danny Sanders said:
Not to worry, we're all telling him the same thing.

DDS

From: "Danny Sanders" <[email protected]>
References: <[email protected]>
<[email protected]>
<[email protected]>
<#[email protected]>
Subject: Re: DNS on w2k - Internal Only
Date: Wed, 4 Aug 2004 16:19:08 -0600

Now it looks like your zone is correct, unless your other one was correct
and I'm misreading it, or was it off before, or was it just posted that much
earlier and the news servers hadn't caught up?


--
Regards,
Ace
 
Danny, I appreciate the help.

I have already deleted the root. I have a single machine set up as a
client on the test domain, have the internal DNS server as the dns
server on the client, and it is still able to get out to the net,
forwarders are not enabled.

I use all private IPs on my network, and NAT at the router to get out.

How do I keep it from going outside without forwarders?

Randy
 
In
Randy Henson said:
dns is working fine, however, I have some clients that
are not to have internet access, but I haven't been able
to track down how to make the dns server internal only.

You need DNS to do all resolution for all clients even if the client
does not have Internet access.
Probably the easiest way to prevent those clients from accessing the
Internet is to set up a dummy proxy address on those clients. You can do
this through Group Policy by creating a new OU (call it NoNet if you want)
for the users/clients you don't want accessing the net and moving those
users/clients to that OU; then right-click the OU, select Properties,
Group Policy tab, New, name the policy, then select Edit. Expand User
Configuration, Windows Settings, Internet Explorer Maintenance. Select
Connection, then double-click Proxy Settings. Then, if it is the machine,
expand Computer Configuration, Administrative Templates, Windows Components
and select Internet Explorer. Double-click "Make proxy settings per-machine
(rather than per-user)" and enable the policy.

Once the policy is set up, any account you put in the OU will get the dummy
proxy address, which will only get them a socket error. OE does not use the
proxy setting, so they _can_ still get e-mail, just not if the content
requires HTTP, FTP, SSL, etc.
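Kevin's "dummy proxy" procedure, as an added example rather than anything posted in the thread: the script below writes the same registry values the Internet Explorer Maintenance and "Make proxy settings per-machine" policies push, and then verifies them. The loopback address, the port and the bypass list are assumptions (the bypass list reuses the *.hotmail.com;*.msn.com example Kevin gives later in the thread). Read the caveat in the comments before relying on it: a proxy setting keeps honest users off the web, but a user who can change the setting, or any tool that ignores the WinINet proxy, is not affected, so for real enforcement the ISA / authenticated-proxy route Ace mentions is the one to take.

```powershell
# Added example: apply and verify the "bogus proxy" block directly in the registry.
# These are the values the GPO described above ends up writing; values are assumptions.
# CAVEAT: this is a nuisance control, not an access control. Anyone who can edit proxy
# settings, or who uses a program that bypasses WinINet, is not blocked.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$MachineKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'

function Set-DummyProxy {
    param(
        # Loopback on TCP/9 (discard): nothing listens there, so every connect fails at
        # once with a socket error instead of hanging until a timeout.
        [string]$Proxy = '127.0.0.1:9',
        # Names that bypass the proxy, as in the *.hotmail.com;*.msn.com example;
        # <local> keeps single-label intranet names working.
        [string[]]$Bypass = @('*.hotmail.com', '*.msn.com', '<local>')
    )
    # "Make proxy settings per-machine (rather than per-user)" is ProxySettingsPerUser = 0.
    New-Item -Path $PolicyKey -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name ProxySettingsPerUser -Value 0 -PropertyType DWord -Force | Out-Null
    # With per-machine proxy in effect WinINet reads the HKLM copy of Internet Settings.
    New-Item -Path $MachineKey -Force | Out-Null
    New-ItemProperty -Path $MachineKey -Name ProxyEnable   -Value 1                   -PropertyType DWord  -Force | Out-Null
    New-ItemProperty -Path $MachineKey -Name ProxyServer   -Value $Proxy              -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $MachineKey -Name ProxyOverride -Value ($Bypass -join ';') -PropertyType String -Force | Out-Null
}

function Test-DummyProxy {
    $policy  = Get-ItemProperty -Path $PolicyKey  -ErrorAction SilentlyContinue
    $machine = Get-ItemProperty -Path $MachineKey -ErrorAction SilentlyContinue
    # The dummy proxy must stay unreachable: a service that later listens on that
    # address:port would silently restore web access for the whole OU.
    $reachable = $false
    if ($machine.ProxyServer) {
        $proxyHost, $proxyPort = $machine.ProxyServer -split ':', 2
        $reachable = (Test-NetConnection -ComputerName $proxyHost -Port ([int]$proxyPort) `
                        -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    [pscustomobject]@{
        PerMachine     = ($policy.ProxySettingsPerUser -eq 0)
        ProxyEnabled   = ($machine.ProxyEnable -eq 1)
        ProxyServer    = $machine.ProxyServer
        Bypass         = $machine.ProxyOverride
        ProxyReachable = [bool]$reachable          # must be False for the block to hold
    }
}

# Usage (elevated, on a machine in the NoNet OU or as a test before building the GPO):
Set-DummyProxy
Test-DummyProxy
```

Test-DummyProxy is the part worth keeping around: the setting only bites while 127.0.0.1:9 refuses connections, so a periodic check that ProxyReachable is still False is what tells you the "block" has not been hollowed out by a later local proxy install.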
 
Randy said:
Danny, I appreciate the help.

I have already deleted the root. I have a single machine set up as a
client on the test domain, have the internal DNS server as the dns
server on the client, and it is still able to get out to the net,
forwarders are not enabled.

I use all private IPs on my network, and NAT at the router to get out.

How do I keep it from going outside without forwarders?

Because of Root Hints. What about giving these clients static IPs with no
default gateway specified? Cheap & cheerful... or, if you have ISA or
another proxy server, there are other methods.
 
Forgive me if I seem confused, but with the date/time stamp problem
mentioned earlier, it looks like you guys have responded to my
questions before I even see my own post.

Setting them up with no gateway I can do. It seems that I did that
before and there was a problem getting to the mail server, but that
will be another post!

So is it OK that my clients can get out to the net from my internal
dns server? I was under the impression that there was a way to keep
them from going out via the internal, and would need to enable
forwarders to go out. If they can get out via the internal, doesn't
that negate the need for forwarders???

Once again sorry for the confusion.

randy
 
In
Randy Henson said:
Forgive me if I seem confused, but with the date/time stamp problem
mentioned earlier, it looks like you guys have responded to my
questions before I even see my own post.

It's a time warp! There was a tachyon fluctuation in the space continuum.
:-)

Setting them up with no gateway I can do. seems that I did that
before and there was a problem getting to the mail server, but that
will be another post!

That's a tough one when trying to selectively control web access. ISA or the
fake Proxy that Kevin and I mentioned should do the trick. Or even a real
Proxy, either way it should work.
So is it OK that my clients can get out to the net from my internal
dns server? I was under the impression that there was a way to keep
them from going out via the internal, and would need to enable
forwarders to go out. If they can get out via the internal, doesn't
that negate the need for forwarders???

Well, you can create a Root zone, but that would kill everyone, which I do
not think is what you want, since you want to selectively block. With
ISA Server, you can create the Root and then let ISA control access. But in
your case without ISA, it seems like the fake proxy address on those
specific clients will do it.
Once again sorry for the confusion.

randy

:-)



--
Regards,
Ace
 
In
Randy Henson said:
Forgive me if I seem confused, but with the date/time
stamp problem mentioned earlier, it looks like you guys
have responded to my questions before I even see my own
post.

Setting them up with no gateway I can do. seems that I
did that before and there was a problem getting to the
mail server, but that will be another post!

That is why I recommended using a bogus proxy; it still allows OE or Outlook
to access mail servers. If you use web-based email you can even set the web
mail name in the bypass proxy list, e.g. *.hotmail.com;*.msn.com in the
bypass proxy list will allow users to get to their Hotmail account.

So is it OK that my clients can get out to the net from
my internal dns server?
That is your decision, there is no technical reason to not allow your DNS to
resolve external names unless it is already over burdened with internal
queries.

I was under the impression that
there was a way to keep them from going out via the
internal, and would need to enable forwarders to go out.
If they can get out via the internal, doesn't that negate
the need for forwarders???


You enable a forwarder to offload some of the queries to the external DNS
server so it can improve DNS performance. Not enabling the forwarder will
not prevent DNS from resolving names if it can still use its root hints. One
sure-fire way to prevent your internal DNS from resolving external names is
to disable recursion on the Advanced tab. That won't prevent determined
users from getting Internet access if they want to, by just putting another
DNS server in TCP/IP properties.
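Putting together the two server-side points made in this thread (delete the "." zone and list the ISP servers under Forwarders and nowhere else; recursion is what lets the server reach the Internet via root hints, and switching it off stops that), here is an added PowerShell example for the DNS server itself. It is not from the thread or from Microsoft. The ISP addresses are assumptions, the DnsServer cmdlets need Server 2012 or later, and the dnscmd equivalents from the Windows 2000 Support Tools are in the comments. Two caveats a practitioner would want: in the DNS console "Disable recursion" is the same switch as "also disables forwarders", so with it set the DC itself can no longer resolve Internet names either; and, as Kevin says, none of this stops a client that simply points at another resolver, which is a job for the NAT router (allow outbound port 53 only from the DNS server).

```powershell
# Added example: server-side configuration for the AD DNS server. Run on the DC.
# ISP resolver addresses are assumptions; dnscmd equivalents are given for 2000/2003.

$IspDns = @('203.0.113.53', '203.0.113.54')   # assumed ISP resolvers; the ONLY place they belong

function Remove-RootZone {
    # A "." forward lookup zone makes this server believe it IS the Internet root:
    # while it exists the server will neither forward nor use root hints.
    if (Get-DnsServerZone -Name '.' -ErrorAction SilentlyContinue) {
        Remove-DnsServerZone -Name '.' -Force             # dnscmd /ZoneDelete . /f
    }
}

function Set-ExternalResolution {
    # Forwarders : recurse for clients, but send everything non-local to the ISP
    # RootHints  : recurse on our own via root hints (what Randy saw with no forwarders)
    # None       : recursion off; the server answers only for the zones it hosts
    param([Parameter(Mandatory)][ValidateSet('Forwarders', 'RootHints', 'None')][string]$Mode)
    Remove-RootZone
    $current = @((Get-DnsServerForwarder).IPAddress)
    if ($current.Count -gt 0) { Remove-DnsServerForwarder -IPAddress $current -Force }
    switch ($Mode) {
        'Forwarders' {
            Set-DnsServerRecursion -Enable $true          # dnscmd /Config /NoRecursion 0
            # -UseRootHint $false = forward-only: if the ISP servers are down, external
            # resolution fails instead of quietly falling back to root hints.
            Set-DnsServerForwarder -IPAddress $IspDns -UseRootHint $false
            # dnscmd /ResetForwarders 203.0.113.53 203.0.113.54 /Slave
        }
        'RootHints' { Set-DnsServerRecursion -Enable $true }
        'None'      { Set-DnsServerRecursion -Enable $false }   # dnscmd /Config /NoRecursion 1
    }
}

function Test-ServerResolution {
    param([string]$External = 'www.example.com')
    # The DC locator record must resolve in every mode; the external name only when
    # recursion is on (via forwarders or root hints).
    $internal = "_ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN"
    [pscustomobject]@{
        RootZonePresent = [bool](Get-DnsServerZone -Name '.' -ErrorAction SilentlyContinue)
        Recursion       = (Get-DnsServerRecursion).Enable
        Forwarders      = ((Get-DnsServerForwarder).IPAddress -join ', ')
        InternalOk      = [bool](Resolve-DnsName -Name $internal -Type SRV -Server 127.0.0.1 -ErrorAction SilentlyContinue)
        ExternalOk      = [bool](Resolve-DnsName -Name $External -Type A   -Server 127.0.0.1 -ErrorAction SilentlyContinue)
    }
}

# Usage:
Set-ExternalResolution -Mode Forwarders ; Test-ServerResolution   # expect InternalOk and ExternalOk
Set-ExternalResolution -Mode None       ; Test-ServerResolution   # expect InternalOk only
```

The reason the example removes any existing forwarders before changing mode is the confusion in this thread: a server with forwarders set but root hints still enabled behaves exactly like one with no forwarders the moment the ISP servers stop answering, so "it resolved without forwarders" and "it resolved through forwarders" look identical from the client side.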
 