How NOT to provide external name resolution on win2k3?

Joel

We have a domain with 2 windows 2003 servers as domain controllers that are
also providing DNS services. Workstations within the domain are a
combination of windows xp and also legacy systems running windows nt. The
workstations point to these 2 servers as their preferred dns servers.

We recently discovered that the workstations can resolve internet addresses
with no problem. While we don't actually mind that the workstations have
internet access, we'd like to make it difficult for them to resolve internet
addresses.

At first I thought it was strange that the workstations were able to resolve
internet addresses in Internet Explorer because the servers don't have any
forwarders configured. The servers did however point to 2 "external
capable" dns servers as their numbers 3 and 4 dns servers. (The first 2
being themselves.)

I removed the entries of the external dns servers that were bound to the nic
card, and deleted the entries in the root hints list in the dns
properties. Well this seemed to have stunned it momentarily, but after a
few minutes the servers were again able to browse the internet. Is there
any easy way to change this so that the servers and the workstations cannot
resolve names enough to browse the internet?

Thanks, Joel
 
There are a number of ways to do this - but I'm not sure that's *really*
what you want to do ...

The best way to "control" internet access is via Proxies. Configure your
client's browsers to point to a proxy address and any "non-local" queries
will be forwarded by the client directly to the proxy. The proxy can be
configured to control Internet access as the administrator sees fit.

If you want to ensure your internal DNS servers don't forward, either
disable forwarding or configure them as "Root Servers".

-ds
 
Joel said:
We have a domain with 2 windows 2003 servers as domain controllers
that are also providing DNS services. Workstations within the domain
are a combination of windows xp and also legacy systems running
windows nt. The workstations point to these 2 servers as their
preferred dns servers.

We recently discovered that the workstations can resolve internet
addresses with no problem. While we don't actually mind that the
workstations have internet access, we'd like to make it difficult for
them to resolve internet addresses.

At first I thought it was strange that the workstations were able to
resolve internet addresses in Internet Explorer because the servers
don't have any forwarders configured. The servers did however point
to 2 "external capable" dns servers as their numbers 3 and 4 dns
servers. (The first 2 being themselves.)

You should not use your ISP's DNS in any position on any DC or member
client. If you don't want the DNS servers resolving internet names, disable
recursion on the Advanced tab of the DNS server property sheet. This
disables forwarders and root hints.

I removed the entries of the external dns servers that were bound to
the nic card, and deleted the entries in the root hints list in the
dns properties. Well this seemed to have stunned it momentarily, but
after a few minutes the servers were again able to browse the
internet. Is there any easy way to change this so that the servers
and the workstations cannot resolve names enough to browse the
internet?

Make sure the clients can only use the DCs for DNS, and disable recursion on
the DNS server.
 
Thank you Kevin! This is most helpful.

To clarify, I was not using DNS servers from an ISP but rather our
customer's dns servers on whose network our servers reside.

One more question: By disabling recursion on our dns servers, will that
prevent workstations from browsing the internet even if our servers point to
the dns servers that have knowledge about external sites?
 
Joel said:
Thank you Kevin! This is most helpful.

To clarify, I was not using DNS servers from an ISP but rather our
customer's dns servers on whose network our servers reside.

One more question: By disabling recursion on our dns servers, will
that prevent workstations from browsing the internet even if our
servers point to the dns servers that have knowledge about external
sites?

Disabling recursion stops DNS from using any recursion, either its own or a
forwarder's.
Your servers must point to the DNS servers that have knowledge about the AD
domain, period. No external DNS servers allowed.
 
This is interesting. For learning's sake, please explain further 1) the
reason why I should not use DNS servers that do not belong to the AD domain,
and 2) how will my servers be able to resolve external addresses if they
don't point to DNS servers in the know? (Ah! Or is that what forwarders
are used for?!) I want to be certain that my servers can at least get
windows updates when required. Appreciatively, Joel
 
Joel said:
This is interesting. For learning's sake, please explain further 1)
the reason why I should not use DNS servers that do not belong to the
AD domain, and 2) how will my servers be able to resolve external
addresses if they don't point to DNS servers in the know? (Ah! Or
is that what forwarders are used for?!) I want to be certain that my
servers can at least get windows updates when required.

Because a domain controller in an AD domain registers its Service Location
records in DNS. Using DNS servers in TCP/IP properties on a DC in any
position on any interface will cause the DC to attempt to register its
records in its domain using these DNS servers. There is a 99.9% chance
that any external DNS will not even know the real location of the DNS
servers for the AD domain and will log 5774 events.
All AD domain members must use only the DNS servers that know the location
of the AD DNS servers. For DCs it is to register the records and enable
replication to all DCs, and for members it is to locate the DCs and
authenticate with the AD domain.
If internet access is required your local DNS server will provide internet
resolution through forwarders or root hints.
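The two recommendations in this thread (disable recursion on the DC-hosted DNS servers; make every domain member point only at those servers) can be applied and checked from a Windows Server 2003 command prompt with dnscmd, nslookup and netsh. This is an added example, not something posted in the thread; the server names SERVERA/SERVERB and the domain corp.example.local are placeholders.

```batch
@echo off
rem Added example: lock down DC-hosted DNS on Windows Server 2003 so it only
rem answers for the zones it hosts, then verify AD still resolves internally.
rem SERVERA, SERVERB and corp.example.local are placeholders (assumptions).
set DNS1=SERVERA
set DNS2=SERVERB
set ADDOMAIN=corp.example.local

for %%S in (%DNS1% %DNS2%) do (
    rem 1. Disable recursion: the server stops chasing names it is not
    rem    authoritative for, which also makes forwarders and root hints inert.
    dnscmd %%S /Config /NoRecursion 1
    rem 2. Clear any forwarders that were configured, for good measure.
    dnscmd %%S /ResetForwarders
    rem 3. Display the effective setting (expect NoRecursion = 1).
    dnscmd %%S /Info NoRecursion
)

rem 4. The DC locator SRV records must still resolve from the internal servers;
rem    if this fails, clients cannot find a DC to authenticate against.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%ADDOMAIN% %DNS1%
nslookup -type=SRV _ldap._tcp.dc._msdcs.%ADDOMAIN% %DNS2%

rem 5. An internet name should now fail when asked of the internal servers.
nslookup www.example.com %DNS1%

rem 6. Run on each DC and member: the listed DNS servers should be only the
rem    internal ones; any external address here causes the 5774 registration
rem    failures described above.
netsh interface ip show dns
```

The forwarders you later add for Windows Update or other internet access should point at a resolver that can reach the internet but is still reached only through the internal DNS servers, never by listing it in a DC's own TCP/IP properties.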
 
Excellent! Thank you Kevin.
I have one more question since this is so helpful:

2 Servers in a domain. Server A and Server B--they are also both DNS
servers for the domain. What is the optimal arrangement for preferred and
alternate dns configs?

Server A points to 1: server A and 2: server B.
Server B points to 1: server A and 2: server B.

OR:

Server A points to 1: server A and 2: server B.
Server B points to 1: server B and 2: server A.

And does it make a difference if Server A and B are on the same subnet or
not?

Appreciate your help--next question I'll start a new post! /Joel
 