Question about Windows 2000 DNS


Carlos Henrique

Hi Friends,

Is there any way to restrict which machines my DNS server will respond to
DNS queries from?
For example: machines coming from the Internet can only query for my
domain (for which I have the authoritative SOA) and my DNS server WON'T do
recursive queries, while for machines coming from my company (INTRANET) my
DNS server will do recursive queries to outside DNS servers.

I know that BIND 9 does something like that with the VIEW feature (where
you can say for which IPs my DNS server does recursive queries).

Help me!!

Thank you a lot

Carlos Henrique
Rio de Janeiro - Brasil
 
Carlos Henrique said:
Hi Friends,

Is there any way to restrict which machines my DNS server will respond to
DNS queries from?

Yes, there are two basic approaches.

One is to restrict which NICs/IP it responds on
which prevents a multihomed machine from responding,
for instance, on the "outside".

Or filters using some NIC filtering scheme such
as IPSec* policies.

* Many people incorrectly believe that IPSec policies
are ONLY for invoking IPSec security of the data, but
they can be used for simple BLOCK, PASS, or Negotiate
IPSec -- only the latter actually invokes the IPSec
security features on the data.

For example: machines coming from the Internet can only query for my
domain (for which I have the authoritative SOA) and my DNS server WON'T do
recursive queries, while for machines coming from my company (INTRANET) my
DNS server will do recursive queries to outside DNS servers.

If you allow the machine to answer queries however,
you must either enable recursion for ALL such, or
disable them for all such.

Generally, there is no reason that the SAME DNS
server should be handling both internal (recursive)
queries and external (non-recursive) queries.

In general, public zones should be at the REGISTRAR
anyway. (Not on your DNS servers nor those of the
ISP in most cases.)

I know that BIND 9 does something like that with the VIEW feature (where
you can say for which IPs my DNS server does recursive queries).

Yes, a VIEW can do that.

Windows doesn't do views.
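As an added example (not part of the thread or of any Microsoft documentation), here is how the reply's advice maps to commands: two Windows DNS servers instead of one BIND server with views, the outside-facing one listening only on its public NIC with recursion disabled, the inside-facing one recursive but reachable on port 53 only from the intranet via an IPsec block/permit policy. The commands are dnscmd.exe and the netsh ipsec static context, which ship with Windows Server 2003 and later; Windows 2000 exposes the same settings in the DNS MMC snap-in and, for IPsec filters, in the IP Security Policy snap-in or ipsecpol.exe from the Resource Kit. All addresses, the intranet range and the upstream resolver are assumptions.

```powershell
# Added example, not from the original thread. Split-horizon DNS on Windows
# without views: an authoritative-only external server plus a recursive
# internal server, with IPsec used purely as a packet filter.
# Assumed addresses (RFC 5737 / RFC 1918 example ranges).
$ExternalIP   = '203.0.113.10'   # NIC facing the Internet
$InternalIP   = '10.0.0.10'      # NIC facing the intranet
$IntranetNet  = '10.0.0.0'
$IntranetMask = '255.0.0.0'
$Upstream     = '203.0.113.53'   # assumed upstream resolver for forwarding

# --- External server: answers only its own zones, never recurses -----------
# Approach 1 from the reply: bind the service to the outside NIC only, so a
# multihomed box cannot be reached as a DNS server over any other interface.
dnscmd $ExternalIP /ResetListenAddresses $ExternalIP
# Recursion is a server-wide switch: this is the "disable it for all" choice.
# Off-zone queries get a referral at most, never a resolved answer.
dnscmd $ExternalIP /Config /NoRecursion 1
# No forwarders: with recursion off there is nowhere to send off-zone queries.
dnscmd $ExternalIP /ResetForwarders

# --- Internal server: recursive, but only the intranet may reach it --------
dnscmd $InternalIP /ResetListenAddresses $InternalIP
dnscmd $InternalIP /Config /NoRecursion 0
dnscmd $InternalIP /ResetForwarders $Upstream

# Approach 2 from the reply: an IPsec policy whose actions are block/permit
# (not "negotiate"), so no IPsec protection is applied to the packets; it is
# a plain filter. Run on the internal server.
netsh ipsec static add policy name=DnsFilter description="DNS from intranet only"

# Filter list 1: any source -> this host, UDP and TCP port 53.
netsh ipsec static add filterlist name=DnsAny
netsh ipsec static add filter filterlist=DnsAny srcaddr=any dstaddr=me protocol=UDP srcport=0 dstport=53
netsh ipsec static add filter filterlist=DnsAny srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=53

# Filter list 2: intranet sources -> this host, same ports. Being more
# specific, these filters take precedence over the any-source filters.
netsh ipsec static add filterlist name=DnsIntranet
netsh ipsec static add filter filterlist=DnsIntranet srcaddr=$IntranetNet srcmask=$IntranetMask dstaddr=me protocol=UDP srcport=0 dstport=53
netsh ipsec static add filter filterlist=DnsIntranet srcaddr=$IntranetNet srcmask=$IntranetMask dstaddr=me protocol=TCP srcport=0 dstport=53

netsh ipsec static add filteraction name=Block  action=block
netsh ipsec static add filteraction name=Permit action=permit

netsh ipsec static add rule name=BlockDnsAll      policy=DnsFilter filterlist=DnsAny      filteraction=Block
netsh ipsec static add rule name=PermitDnsIntranet policy=DnsFilter filterlist=DnsIntranet filteraction=Permit

# Nothing is enforced until the policy is assigned.
netsh ipsec static set policy name=DnsFilter assign=y

# Check from both sides (assumed zone name from the question).
# From the Internet: the first query is answered authoritatively, the second
# gets no resolved address because the external server will not recurse.
nslookup www.mydomain.com.br $ExternalIP
nslookup www.microsoft.com   $ExternalIP
# From an intranet host: both resolve through the internal server.
nslookup www.microsoft.com   $InternalIP
```

The internal server's zone data must still be authoritative for mydomain.com.br (or the internal server must forward or delegate to the external one); otherwise intranet clients resolving the public name will be sent upstream. The IPsec filters are stateless, so blocking inbound 53 from outside does not interfere with the internal server's own outbound recursive queries, whose source port is not 53.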
 
I want my DNS server to answer any kind of query (any domains) for my
INTRANET machines, and when a query comes from the INTERNET (public) my
server should only answer if the query is about MY DOMAIN (for which I am
authoritative) ... and not answer queries like "who is
www.microsoft.com?" for INTERNET machines, but "who is
www.mydomain.com.br?" my server HAS to answer, understand?
How can I do that?


Sorry for the poor english...
 
Carlos Henrique said:
I want my DNS server to answer any kind of query (any domains) for my
INTRANET machines, and when a query comes from the INTERNET (public) my
server should only answer if the query is about MY DOMAIN (for which I am
authoritative) ... and not answer queries like "who is
www.microsoft.com?" for INTERNET machines, but "who is
www.mydomain.com.br?" my server HAS to answer, understand?
How can I do that?

It doesn't work that way.

And it is a bad idea, even if you could get it to work.

Sorry for the poor english...

No problem.

I probably don't speak your language that well either. <grin>

(Actually, if it is Spanish, I am trying to learn it but you still
have better English.)
 