How to stop root DNS connection attempts

Bentley

How can I stop w2k pro & server from trying to connect to
outside DNS servers? They both have entries for the local
DNS servers.
Thanks
 
not a lot of detail to work with here ...

Have you ensured the server's resolver settings are pointing to the internal
DNS servers?

-ds
 
Bentley said:
How can I stop w2k pro & server from trying to connect to
outside DNS servers? They both have entries for the local
DNS servers.
Thanks

Can you clarify what you are actually trying to achieve?
If using AD, only the DNS server itself (not the machine) should access
external DNS servers.
 
My security guy reports that currently he sees on the
firewall where clients are trying to hit outside DNS
servers. He does not want this.

Recursion is enabled on the DNS server, so to me that
seems as though the clients should never know about
outside DNS servers.

All clients point to 2 internal DNS servers.
Thanks
 
Bentley said:
My security guy reports that currently he sees on the
firewall where clients are trying to hit outside DNS
servers. He does not want this.

Have your firewall guy give you the IP of those clients and check that
client personally.
Recursion is enabled on the DNS server, so to me that
seems as though the clients should never know about
outside DNS servers.

Even if recursion is disabled, the clients won't query external DNS servers
if they are not configured to query them.
All clients point to 2 internal DNS servers.
Thanks

You should verify that the clients are not getting the addresses for
external DNS servers or that users are not putting in the external DNS
servers.
You may need to set a GPO that makes sure clients can't use external DNS
servers.
 
Thanks for the info.
Users are prohibited from changing their DNS settings.
The ones I spot checked are set correctly.
Some of the clients trying to query outside are servers
and only I have access to control their settings. We are
stumped as to how the clients know about the outside IPs
they are trying to query.
 
I've got the same problem but the machine attempting to go outside is a DNS
server. I read a TechNet article that said the server has to go out once at
startup to update the root server list but this seems to happen every 5
minutes or so. It's on a DoD line so I need an answer too. I set the server
to do not use recursion and have a forwarder set which belongs to our ISP.
As far as I can tell the DNS configuration is set per best practices. I
think this may be a default gateway issue or something.

Lee
 
Leon E. Webster said:
I've got the same problem but the machine attempting to
go outside is a DNS server. I read a TechNet article
that said the server has to go out once at startup to
update the root server list but this seems to happen
every 5 minutes or so. It's on a DoD line so I need an
answer too. I set the server to do not use recursion and
have a forwarder set which belongs to our ISP. As far as
I can tell the DNS configuration is set per best
practices. I think this may be a default gateway issue
or something.

The DNS server has to get out any time it needs to answer a query for a name
it does not hold. Make sure that only local domain names are in the DNS
suffix search list. If you run ipconfig /all, what names are in your DNS
suffix search list?
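One way to run the check the replies above suggest on each client the firewall flagged, as an added example that is not from this thread or from any of its posters: a Python script that parses saved `ipconfig /all` output (a constructed sample is embedded) and reports any DNS server address that is not on the allowed internal list, plus any entry in the DNS suffix search list that is not a local domain. The address 198.51.100.53 and the `.example` names are placeholders, not values from the thread.

```python
import re

# Constructed sample `ipconfig /all` output; 198.51.100.53 stands in for an external server.
SAMPLE_IPCONFIG = """\
   DNS Suffix Search List. . . . . . : corp.example
                                       isp.example

Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . : corp.example
   DNS Servers . . . . . . . . . . . : 10.0.0.53
                                       10.0.0.54
                                       198.51.100.53
"""
# A field line: indented key padded with spaces/dots, then ': value'.
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z0-9 -]*?)[ .]+:\s*(?P<val>.*)$")

def parse_ipconfig(text):
    """Return (dns_suffix_search_list, {adapter_name: [dns_server, ...]})."""
    suffixes, servers, adapter, current = [], {}, None, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            adapter, current = line.rstrip()[:-1], None   # adapter header line
            servers[adapter] = []
            continue
        m = FIELD_RE.match(line)
        if m:
            key, val = m.group("key").strip().lower(), m.group("val").strip()
            if key == "dns suffix search list":
                current = suffixes
            elif key == "dns servers" and adapter is not None:
                current = servers[adapter]
            else:
                current = None                  # some other field, ignored
            if current is not None and val:
                current.append(val)
        elif current is not None and line.strip():
            current.append(line.strip())        # continuation line of a multi-value field
    return suffixes, servers

def audit(text, allowed_dns, local_suffixes):
    """Flag resolver settings that would send queries anywhere but the internal DNS."""
    suffixes, servers = parse_ipconfig(text)
    allowed, local = set(allowed_dns), {s.lower() for s in local_suffixes}
    findings = [f"{adapter}: unexpected DNS server {addr}"
                for adapter, addrs in servers.items()
                for addr in addrs if addr not in allowed]
    findings += [f"suffix search list contains non-local domain {s}"
                 for s in suffixes if s.lower() not in local]
    return findings
```

Run `ipconfig /all > host.txt` on the flagged machine and pass the file contents to `audit` with your two internal DNS addresses and your AD domain; an empty result means the resolver settings themselves are not the source of the outbound queries.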
 