DNS on w2k - Internal Only

Guest
Archived from groups: microsoft.public.win2000.dns

I'm testing the upgrade process going from a winnt domain to w2k. The
upgrade went fine, as did the dns install; however, there are a couple
of issues that I'd like to have answered.

DNS is working fine; however, I have some clients that are not to have
internet access, but I haven't been able to track down how to make the
dns server internal only.

My plan is to set up the internal as the primary dns server, and for
the clients that get internet access, use the isp dns as secondary -
unless someone has a better idea.

I appreciate any help you can give me on this.

Randy
 
Guest

For AD DNS clients you must point them to the AD DNS server ONLY. To get
Internet access set up your AD DNS server to forward requests and list your
ISP's DNS server as the forwarder. This is the ONLY place your ISP's DNS
servers should be listed on your network.

To restrict some clients from Internet access and not others, check to see
if this function is available in the software/hardware you are using to
share the internet connection with. Don't try to do this with DNS.

hth
DDS W 2k MVP MCSE

"Randy Henson" <rhenson@cellxion.com> wrote in message
news:5dde95d2.0408041055.4eff2f41@posting.google.com...
 
Guest

In news:5dde95d2.0408041055.4eff2f41@posting.google.com,
Randy Henson <rhenson@cellxion.com> wrote their comments
Then Kevin replied below:
> I'm testing the upgrade process going from a winnt domain
> to w2k. the upgrade went fine, as did the dns install,
> however there are a couple of issues that I'd like to
> have answered.
>
> dns is working fine, however, I have some clients that
> are not to have internet access, but I haven't been able
> to track down how to make the dns server internal only.
>
> My plan is to set up the internal as the primary dns
> server, and for the clients that get internet access, use
> the isp dns as secondary - unless someone has a better
> idea.

Do NOT use your ISP's DNS in any position on any interface of any AD domain
member, no exceptions.

Your internal DNS probably has a "." Forward Lookup Zone, delete it. Then
on the DNS server properties in the DNS management console, forwarder tab,
configure the ISP DNS there and only there.




--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
============================
--
When responding to posts, please "Reply to Group" via your
newsreader so that others may learn and benefit from your
issue. To respond directly to me remove the nospam. from my
email. ==========================================
http://www.lonestaramerica.com/
==========================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
==========================================
Keep a back up of your OE settings and folders with
OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
==========================================
 
Guest

In news:5dde95d2.0408041055.4eff2f41@posting.google.com,
Randy Henson <rhenson@cellxion.com> made a post then I commented below
> I'm testing the upgrade process going from a winnt domain to w2k. the
> upgrade went fine, as did the dns install, however there are a couple
> of issues that I'd like to have answered.
>
> dns is working fine, however, I have some clients that are not to have
> internet access, but I haven't been able to track down how to make the
> dns server internal only.
>
> My plan is to set up the internal as the primary dns server, and for
> the clients that get internet access, use the isp dns as secondary -
> unless someone has a better idea.
>
> I appreciate any help you can give me on this.
>
> Randy

To use the ISP's DNS in the IP properties of any AD member (DC, client or member
server) is not advised, or you can expect a multitude of errors and problems.
With AD, you MUST only use the internal DNS server, since AD requires that.
Having an additional DNS entry does not give the DNS client-side resolver
the ability to 'toggle' back and forth between the entries; rather, it will
use the first one, and if it gets a timeout, then it goes to the second one,
which then removes the first one from the 'eligible resolvers list'. The only
way to reset it is to either restart the machine, restart the DNS Client
service or make a registry entry to alter the default behavior.

If you want to control Internet access selectively, I can suggest either
placing the users that you do not want to have Internet access into
their own OU, then creating a GPO with a setting that gives them a fake Proxy
address, or actually installing ISA Server, or any other Proxy of your choosing
that works with AD, and allowing access based on the user logon.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
--
=================================
 
Guest

In news:eZfacXleEHA.384@TK2MSFTNGP10.phx.gbl,
Danny Sanders <Danny.Sanders@cpcNOmedSPAM.org> made a post then I commented
below

Sorry Danny, didn't see your post prior to my posting. I should have
refreshed first.

Ace
 
Guest

In news:OkPft1meEHA.4068@TK2MSFTNGP11.phx.gbl,
Ace Fekay [MVP] <PleaseSubstituteMyActualFirstName&LastNameHere@hotmail.com>
wrote their comments
Then Kevin replied below:
> In news:eZfacXleEHA.384@TK2MSFTNGP10.phx.gbl,
> Danny Sanders <Danny.Sanders@cpcNOmedSPAM.org> made a
> post then I commented below
>
> Sorry Danny, didn't see your post prior to my posting. I
> should have refreshed first.
>
> Ace

I still don't see Danny's post.

--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
 
Guest

Not to worry, we're all telling him the same thing.

DDS
"Kevin D. Goodknecht Sr. [MVP]" <admin@nospam.WFTX.US> wrote in message
news:%23Q6CuAneEHA.384@TK2MSFTNGP10.phx.gbl...
 
Guest

In news:%239QlWEneEHA.1424@tk2msftngp13.phx.gbl,
Danny Sanders <Danny.Sanders@cpcNOmedSPAM.org> wrote their comments
Then Kevin replied below:
> Not to worry, we're all telling him the same thing.

I just don't like stepping on toes :)



--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
 
Guest

In news:%23Q6CuAneEHA.384@TK2MSFTNGP10.phx.gbl,
Kevin D. Goodknecht Sr. [MVP] <admin@nospam.WFTX.US> made a post then I
commented below
> In news:OkPft1meEHA.4068@TK2MSFTNGP11.phx.gbl,
> Ace Fekay [MVP]
> <PleaseSubstituteMyActualFirstName&LastNameHere@hotmail.com> wrote
> their comments
> Then Kevin replied below:
>> In news:eZfacXleEHA.384@TK2MSFTNGP10.phx.gbl,
>> Danny Sanders <Danny.Sanders@cpcNOmedSPAM.org> made a
>> post then I commented below
>>
>> Sorry Danny, didn't see your post prior to my posting. I
>> should have refreshed first.
>>
>> Ace
>
> I still don't see Danny's post.
>

I think his time zone is off:
From: "Danny Sanders" <Danny.Sanders@cpcNOmedSPAM.org>
References: <5dde95d2.0408041055.4eff2f41@posting.google.com>
Subject: Re: DNS on w2k - Internal Only
Date: Wed, 4 Aug 2004 13:04:14 -0600

My properties show:
From: "Ace Fekay [MVP]"
<PleaseSubstituteMyActualFirstName&LastNameHere@hotmail.com>
References: <5dde95d2.0408041055.4eff2f41@posting.google.com>
<eZfacXleEHA.384@TK2MSFTNGP10.phx.gbl>
Subject: Re: DNS on w2k - Internal Only
Date: Wed, 4 Aug 2004 17:52:57 -0400

Your date/time shows the same except -0500 and I know you are one time zone
west of me. So I think Danny's zone's off. But strange that I would see it
before you.

--
Regards,
Ace
 
Guest

In news:%239QlWEneEHA.1424@tk2msftngp13.phx.gbl,
Danny Sanders <Danny.Sanders@cpcNOmedSPAM.org> made a post then I commented
below
> Not to worry, we're all telling him the same thing.
>
> DDS

From: "Danny Sanders" <Danny.Sanders@cpcNOmedSPAM.org>
References: <5dde95d2.0408041055.4eff2f41@posting.google.com>
<eZfacXleEHA.384@TK2MSFTNGP10.phx.gbl>
<OkPft1meEHA.4068@TK2MSFTNGP11.phx.gbl>
<#Q6CuAneEHA.384@TK2MSFTNGP10.phx.gbl>
Subject: Re: DNS on w2k - Internal Only
Date: Wed, 4 Aug 2004 16:19:08 -0600

Now it looks like your zone is correct, unless your other one was correct
and I'm misreading it, or was it off before, or was it just posted that much
earlier and the news servers weren't up?


--
Regards,
Ace
 
Guest

Danny, I appreciate the help.

I have already deleted the root. I have a single machine set up as a
client on the test domain, have the internal DNS server as the dns
server on the client, and it is still able to get out to the net,
forwarders are not enabled.

I use all private IPs on my network, and NAT at the router to get out.

How do I keep it from going outside without forwarders?

Randy


"Danny Sanders" <Danny.Sanders@cpcNOmedSPAM.org> wrote in message news:<eZfacXleEHA.384@TK2MSFTNGP10.phx.gbl>...
 
Guest

In news:5dde95d2.0408041055.4eff2f41@posting.google.com,
Randy Henson <rhenson@cellxion.com> wrote their comments
Then Kevin replied below:
> dns is working fine, however, I have some clients that
> are not to have internet access, but I haven't been able
> to track down how to make the dns server internal only.

You need for DNS to do all resolution for all clients even if the client
does not have internet access.
Probably the easiest way to prevent those clients from accessing the
internet is to set up a dummy Proxy address on those clients. You can do
this through group policy by creating a new OU (call it NoNet if you want)
for the users/clients you don't want accessing the net and moving those
users/clients to that OU, then right-click on the OU, select Properties,
Group Policy tab, New, name the Policy, then select Edit. Expand User
Configuration, Windows Settings, Internet Explorer Maintenance. Select
Connection, then double-click Proxy Settings. Then if it is the Machine,
expand Computer Configuration, Administrative Templates, Windows Components
and select Internet Explorer. Double-click "Make proxy settings per-machine
(rather than per-user)" and enable the policy.

Once the Policy is set up any account you put in the OU will get the dummy
proxy address which will only get them a Socket Error. OE does not use the
Proxy setting so, they _can_ still get e-mail, just not if the content
requires http, ftp, SSL, etc.


--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
 
Guest

I'm in the mountain time zone.


DDS
"Ace Fekay [MVP]"
<PleaseSubstituteMyActualFirstName&LastNameHere@hotmail.com> wrote in
message news:OJzd4FneEHA.1604@TK2MSFTNGP11.phx.gbl...
 
Guest

Randy Henson wrote:
> Danny, I appreciate the help.
>
> I have already deleted the root. I have a single machine set up as a
> client on the test domain, have the internal DNS server as the dns
> server on the client, and it is still able to get out to the net,
> forwarders are not enabled.
>
> I use all private IPs on my network, and NAT at the router to get out.
>
> How do I keep it from going outside without forwarders?

Because of Root Hints. What about giving these clients static IPs with no
default gateway specified? Cheap & cheerful....or, if you have ISA or
another proxy server, there are other methods.
 
Guest

Forgive me if I seem confused, but with the date/time stamp problem
mentioned earlier, it looks like you guys have responded to my
questions before I even see my own post.

Setting them up with no gateway I can do. Seems that I did that
before and there was a problem getting to the mail server, but that
will be another post!

So is it OK that my clients can get out to the net from my internal
dns server? I was under the impression that there was a way to keep
them from going out via the internal, and would need to enable
forwarders to go out. If they can get out via the internal, doesn't
that negate the need for forwarders???

Once again sorry for the confusion.

randy
 
Guest

In news:5dde95d2.0408051610.47d67ca8@posting.google.com,
Randy Henson <rhenson@cellxion.com> wrote their comments
Then Kevin replied below:
> forgive me if I seem confused, but with the date/time
> stamp problem mentioned earlier, it looks like you guys
> have responded do my questions before I even see my own
> post.
>
> Setting them up with no gateway I can do. seems that I
> did that before and there was a problem getting to the
> mail server, but that will be another post!

That is why I recommended using a bogus proxy; it still allows OE or Outlook
to access mail servers. If you use web-based email you can even set the web
mail name in the bypass proxy list, e.g. *.hotmail.com;*.msn.com in the
bypass proxy list will allow users to get to their hotmail account.


>
> So is it OK that my clients can get out to the net from
> my internal dns server?
That is your decision; there is no technical reason not to allow your DNS to
resolve external names unless it is already overburdened with internal
queries.

> I was under the impression that
> there was a way to keep them from going out via the
> internal, and would need to enable forwarders to go out.
> If they can get out via the internal, doesn't that negate
> the need for forwarders???


You enable a forwarder to offload some of the queries to the external DNS
server so it can improve DNS performance. Not enabling the forwarder will
not prevent DNS from resolving names if it can still use its root hints. One
sure-fire way to prevent your internal DNS from resolving external names is
to disable recursion on the Advanced tab. That won't prevent determined
users from getting internet access if they want, by just putting another DNS
server in TCP/IP properties.


--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
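As an added check written for this thread (not code any of the posters supplied), here is a small Python stub-resolver probe that shows, from the client's side, what Kevin's "disable recursion on the Advanced tab" setting changes: with recursion on, a query for an outside name comes back with the RA flag set and an answer (the "it still gets out via root hints" case); with recursion off, the server returns no answer or REFUSED for anything outside its own zones, while names in its own zones still answer authoritatively. The sample replies are constructed inline; probe() only sends a real query when you call it with a server address, and www.example.com and dc1.corp.test are assumed names, not from the thread.

```python
import socket
import struct

# Assumption: a name the internal server is NOT authoritative for.
EXTERNAL_NAME = "www.example.com"
QUERY_ID = 0x1234


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode() for p in labels) + b"\x00"


def build_query(name, qid=QUERY_ID):
    """Build an A/IN query with RD=1, which is what a Windows stub resolver sends."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_header(msg):
    """Decode the 12-byte DNS header into the flags and counts we care about."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),   # response bit
        "aa": bool(flags & 0x0400),   # answered from the server's own zone
        "ra": bool(flags & 0x0080),   # server is willing to recurse
        "rcode": flags & 0x000F,
        "ancount": an,
        "nscount": ns,
    }


def classify(hdr):
    """Map a response header to the behaviours discussed in the thread."""
    if hdr["rcode"] == 5:
        return "refused"                 # server declined the query outright
    if hdr["aa"] and hdr["ancount"] > 0:
        return "authoritative"           # internal zone answered; recursion irrelevant
    if hdr["ra"] and hdr["ancount"] > 0:
        return "resolved-recursively"    # went out via root hints or a forwarder
    if not hdr["ra"] and hdr["ancount"] == 0:
        return "not-resolved"            # recursion disabled: referral or empty reply
    return "no-answer"                   # e.g. NXDOMAIN from a recursive server


def probe(server, name=EXTERNAL_NAME, timeout=3.0):
    """Send one live query over UDP/53 and classify the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(512)
    hdr = parse_header(data)
    if hdr["id"] != QUERY_ID or not hdr["qr"]:
        raise ValueError("reply does not match our query")
    return classify(hdr)


def sample_response(flags, answer_ip=None, name=EXTERNAL_NAME):
    """Constructed sample reply (not captured traffic) for offline demonstration."""
    ancount = 1 if answer_ip else 0
    msg = struct.pack("!HHHHHH", QUERY_ID, flags, 1, ancount, 0, 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    if answer_ip:
        # name pointer to offset 12, type A, class IN, TTL 60, rdlength 4, address
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(answer_ip)
    return msg


# Recursion enabled: QR, RD, RA set and an answer present (the "it still gets out" case).
RECURSION_ON = sample_response(0x8180, "192.0.2.10")
# Recursion disabled on the Advanced tab: QR, RD set, RA clear, nothing answered.
RECURSION_OFF = sample_response(0x8100)
# Some servers refuse instead of returning an empty reply.
REFUSED = sample_response(0x8105)
# A name in the server's own zone (assumed: dc1.corp.test) still answers with AA set.
INTERNAL_ZONE = sample_response(0x8500, "10.0.0.5", name="dc1.corp.test")


if __name__ == "__main__":
    for label, raw in [("recursion on", RECURSION_ON), ("recursion off", RECURSION_OFF),
                       ("refused", REFUSED), ("internal zone", INTERNAL_ZONE)]:
        print(f"{label:14s} -> {classify(parse_header(raw))}")
```

Run probe("<internal DNS IP>") before and after changing the recursion setting; a result of "resolved-recursively" for an outside name means the server is still walking root hints or forwarding.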
 
Guest

In news:ea7onNweEHA.3964@TK2MSFTNGP12.phx.gbl,
Danny Sanders <Danny.Sanders@cpcNOmedSPAM.org> made a post then I commented
below
> I'm in the mountain time zone.
>

So that makes sense why it's -0600. I guess it was due to the servers!

Ace
 
Guest

In news:5dde95d2.0408051610.47d67ca8@posting.google.com,
Randy Henson <rhenson@cellxion.com> made a post then I commented below
> forgive me if I seem confused, but with the date/time stamp problem
> mentioned earlier, it looks like you guys have responded do my
> questions before I even see my own post.

It's a time warp! There was a tachyon fluctuation in the space continuum.
:)


>
> Setting them up with no gateway I can do. seems that I did that
> before and there was a problem getting to the mail server, but that
> will be another post!

That's a tough one when trying to selectively control web access. ISA or the
fake Proxy that Kevin and I mentioned should do the trick. Or even a real
Proxy, either way it should work.

>
> So is it OK that my clients can get out to the net from my internal
> dns server? I was under the impression that there was a way to keep
> them from going out via the internal, and would need to enable
> forwarders to go out. If they can get out via the internal, doesn't
> that negate the need for forwarders???

Well, you can create a Root zone, but that would kill everyone, which I do
not think is what you want, since you want to selectively block. With
ISA server, you can create the Root and then let ISA control access. But in
your case without ISA, it seems like the fake Proxy address on those
specific clients will do it.

>
> Once again sorry for the confusion.
>
> randy

:)



--
Regards,
Ace