Query ACL


nonbindguy

Can I set up a query ACL based on an IP range, or
subnets, instead of OU or workstation groups?

Does the ACL have to be set up on AD integrated zones, and is
Read for query?

Thanks!
 
nonbindguy said:
Can I set up a query ACL based on an IP range, or
subnets, instead of OU or workstation groups?

Does the ACL have to be set up on AD integrated zones, and is
Read for query?

Thanks!

I guess you're thinking of the 'views' feature in BIND? Unfortunately that's
not available in MS DNS. ACLs only are available when the zone is AD
Integrated.

Read allows someone to view the zone, I don't believe it's query based, but
rather for administrative purposes.


--
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
It doesn't have to be the view feature, the "allow
query" statement available since BIND 8...

the question may boil down to whether you can create a
security group based on IP segment, but not necessarily
site based, as some networks may not belong to an AD
domain but still need to query the zone.

can machines outside an AD domain query the AD integrated
DNS? is the everybody group for that? by the way I think
Read is for both admin and query.
 
nonbindguy said:
It doesn't have to be the view feature, the "allow
query" statement available since BIND 8...

the question may boil down to whether you can create a
security group based on IP segment, but not necessarily
site based, as some networks may not belong to an AD
domain but still need to query the zone.

can machines outside an AD domain query the AD integrated
DNS? is the everybody group for that? by the way I think
Read is for both admin and query.

There's no way I'm aware of creating a security group based on IP subnet in
MS DNS. However there's a netmask feature ... but this more applies to an
alternative to Round Robin than what you're trying to do. Here's a snippet
below from the help files (check the DNS help files for examples to see what
I mean):

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Enable netmask ordering:
Determines whether the DNS server reorders A resource records within the
same resource record set in its response to a query based on the IP address
of the source of the query.
By default, the DNS Server service uses local subnet priority.

Prioritizing local subnets:
This feature requires that the client application attempt to connect to the
host using its closest (and typically fastest) IP address available for
connection.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



As for the security tab, it's only available with AD Integrated zones and is
just for administration... here's another snippet:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Manage the discretionary access control list (DACL) on DNS servers running
on domain controllers. In addition to the default DNS Server service
settings that affect security described above, DNS servers configured as
domain controllers use a DACL. The DACL allows you to control the
permissions for the Active Directory users and groups that control the DNS
Server service.
The following table lists the default group or user names and permissions
for the DNS Server service when it is running on a domain controller... etc

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


--
Ace

 
can machines outside an AD domain query the AD integrated
DNS? is the everybody group for that?

Forgot to answer this one... anyone can query it since it's just a DNS
server. AD Integration just states how the actual zone file is stored,
nothing else, other than the AD integration features, such as the
Multimaster feature and using AD replication so it's available on any DC
that has DNS installed on it. It also acts as a Primary zone to allow zone
transfers to any machine that you will allow zone transfers to.

--
Ace

 
round robin is more for server's benefit while netmask
ordering is for the client's.

I also believe the Read applies to query, but need to
verify.

When MS talks about security, they pay too much
attention to DDNS, while there are other concerns to be
addressed...

Ace, you are the >4000 favorites strong guy, and will
find one way or another, to shed some light on this. I
have confidence in you.
 
Actually the security group is in general, doesn't have
to have DNS in mind when you create it...you are probably
right, there is no such thing in the MS world... site is
something close to it, but it has to be in the MS world,
part of your domain, tree, or forest, right?
 
the confused said:
round robin is more for server's benefit while netmask
ordering is for the client's.

I also believe the Read applies to query, but need to
verify.

When MS talks about security, they pay too much
attention to DDNS, while there are other concerns to be
addressed...

Ace, you are the >4000 favorites strong guy, and will
find one way or another, to shed some light on this. I
have confidence in you.

I'm still sticking to my guns saying that the permissions under the security
tab on an AD Integrated zones are permissions for who can administer it and
not about who can query it. Maybe a personal firewall will do the trick.

Unfortunately between BIND and MS DNS, there are pros and cons for both,
depending on what you're trying to do.

--
Regards,
Ace

 
the confused said:
I also believe the Read applies to query, but need to
verify.

If you look at what's under the security tab, you'll see by default they are
the inherited AD permissions. Everyone has Read and Auth Users have Create
All Child Objects. They are only dealing with DDNS and who can administer
it.

Keep in mind "everyone" does not mean the "world" but rather means any
object in that default domain and any domains that are trusted to it and
includes the Guest account (disabled anyway) and the IUSR account where Auth
User does not contain those two accounts as members.

So therefore, it doesn't have anything to do with who can query DNS. DNS
running as a service will respond to anyone who queries it.

--
Regards,
Ace

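The permissions Ace describes on the Security tab are ordinary Active Directory object ACEs on the zone's dnsZone object, which is why they govern who may edit or create records rather than who may query. The script below is an added example (not from the thread) that reads that DACL with the ActiveDirectory module's AD: drive, so you can see the inherited "Everyone: Read" and "Authenticated Users: Create All Child Objects" entries for yourself. The zone name is a placeholder, and it assumes the zone is stored in the DomainDnsZones application partition (the default for zones created on Windows Server 2003 and later); zones kept in the domain partition live under CN=MicrosoftDNS,CN=System instead.

```powershell
# Added example, not the thread's own code. Lists the AD object DACL that the
# DNS console's Security tab edits for an AD-integrated zone.
# Run on a domain controller with the ActiveDirectory module installed.
Import-Module ActiveDirectory

$zone     = 'example.com'                            # placeholder zone name
$domainDn = (Get-ADDomain).DistinguishedName

# Assumption: the zone is replicated to the DomainDnsZones partition.
# For a zone stored in the domain partition use:
#   "DC=$zone,CN=MicrosoftDNS,CN=System,$domainDn"
$zoneDn = "DC=$zone,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"

$acl = Get-Acl -Path "AD:\$zoneDn"

# Each entry is an ActiveDirectoryAccessRule: these are LDAP object rights
# (GenericRead, CreateChild, WriteProperty ...), not DNS query rights.
$acl.Access |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited |
    Sort-Object IdentityReference |
    Format-Table -AutoSize

# Queries are answered regardless of this DACL: a resolver that is not even a
# domain member still gets an answer (placeholder server address).
Resolve-DnsName -Name "www.$zone" -Server 10.0.0.5 -Type A
```

Removing Everyone's Read entry would break nothing for resolvers and could only affect tools that read the zone object over LDAP, which is the practical confirmation of the point made in this reply.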
 
partial answer:

w2k dns seems not to have query restriction by IPs.
however, it can be done in a special case.

For a multihomed DNS server, you can restrict the NICs
and let the server only listen to the desired segments.
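Between this reply and Ace's earlier remark that a personal firewall might do the trick, the thread has named the two controls that actually limit who can reach a Windows DNS server: the server's listening addresses and the host firewall. The script below is an added example, not code from the thread, showing both with the DnsServer and NetSecurity modules shipped with Windows Server 2012 and later. All addresses and subnets are placeholders.

```powershell
# Added example, not the thread's own code. Restricts who can query a Windows
# DNS server, since the zone DACL cannot. Run elevated on the DNS server.
Import-Module DnsServer

# 1. Multihomed server: listen only on the interface facing the permitted
#    segment. Keep the address that domain members and the DC itself use.
$settings = Get-DnsServerSetting -All
"Currently listening on: $($settings.ListeningIPAddress -join ', ')"
$settings.ListeningIPAddress = @('10.0.0.5')        # placeholder internal NIC
Set-DnsServerSetting -InputObject $settings
# Legacy equivalent:  dnscmd . /ResetListenAddresses 10.0.0.5

# 2. Host firewall: replace the role's "any source" port-53 allow rules with
#    rules scoped to the subnets that should be able to query.
$allowedSubnets = @('10.0.0.0/8', '192.168.1.0/24')  # placeholder query sources

# Disable every enabled inbound rule that opens port 53. Selecting by port
# filter avoids depending on the predefined rules' display names.
Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq '53' -and $_.Protocol -in @('UDP', 'TCP') } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    Disable-NetFirewallRule

# Re-open port 53 for the permitted subnets only, for both transports.
foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule -DisplayName "DNS $proto from permitted subnets" `
        -Direction Inbound -Protocol $proto -LocalPort 53 `
        -RemoteAddress $allowedSubnets -Action Allow -Profile Any | Out-Null
}

# Check from a client inside the permitted subnets (placeholder server address);
# a client outside them should now time out instead of receiving an answer.
Resolve-DnsName -Name 'host.example.com' -Server 10.0.0.5 -Type A
```

The firewall scope applies to the whole server rather than per zone, so if the same server must also answer public queries for one zone, that zone needs its own server or a separate listening address with its own firewall rules; this is the gap that BIND's per-zone allow-query closes and Windows DNS does not.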
 
the confused said:
Actually the security group is in general, doesn't have
to have DNS in mind when you create it...you are probably
right, there is no such thing in the MS world... site is
something close to it, but it has to be in the MS world,
part of your domain, tree, or forest, right?

You mean AD Sites? AD Sites are just for logon/authentication and
replication optimization. Unfortunately we can't even use them in
controlling what users use this server for queries.

--
Ace

 