internal DNS question

[brian]

Hello all. Hoping someone can assist me.

For our domain, we have the root and our domain name zone
setup. Certain users need to have internet access but
cannot gain it via the main dns server due to . zone. I
installed another win2k server, setup dns on it and
configured it as a secondary. I am transferring the
internal zone over to the secondary and setup forwarding
to my ISP's dns server. This solution works, only
partially. When users have the secondary dns server and
the primary in their ipconfig, no internet. When only the
secondary is included, internet works fine but local
resolution does not. When internal is only setup, no
internet.

Any suggestions?

 

[Scott Harding - MS MVP]

You need to delete the "." zone. Then add forwarders to your ISP's DNS
server. All your clients need to point to your internal DNS server for DNS.

 

[brian]

Yes, I could do that but only 'select' people are to have
internet access. Deleting the . zone would give everyone
access.

 

[Scott Harding - MS MVP]

How are you setting up forwarders with "." there??? You should not DNS to
restrict Interenet access. You should be using your firewall. An easy way is
just to not give those computers a default gateway and then they won't get
to the internet.

 

[Ace Fekay [MVP]]

In

How are you setting up forwarders with "." there??? You should not
DNS to restrict Interenet access. You should be using your firewall.
An easy way is just to not give those computers a default gateway and
then they won't get to the internet.

Or just to add, some sort of Proxy (ISA, Wingate, Sygate, SurfControl, etc).

Or even by using a fake proxy address for IE in a GPO just for those user
accounts.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.

 

[Kevin D. Goodknecht Sr. [MVP]]

In

Yes, I could do that but only 'select' people are to have
internet access. Deleting the . zone would give everyone
access.

Set up a Group Policy Object for users you want to restrict from having
internet access in the user configuration, Windows Settings, in Internet
Explorer Maintenance, Connection settings put in a fake proxy address, you
can even allow the users to use Windows updates by adding
*.windowsupdate.microsoft.com and *.windowsupdate.com to the bypass proxy
list.