Archived from groups: microsoft.public.win2000.dns
Hi all,
Should I permit (on my firewall) outbound/public DNS
requests from my domain controllers?
I am employing split-brain DNS, whereby 2 domain
controllers resolve domain lookups, but forward public
lookups to our two public DNS servers.
Now, if all non-domain DNS requests are forwarding through
our public DNS servers, then why would my domain
controllers show outbound DNS (port 53) connection attempts
in my firewall's logs?
Do I enable the port or suspect a trojan? Or, have I
perhaps misconfigured DNS in my domain controllers?
"Dave" <anonymous@discussions.microsoft.com> wrote in message
news:25a701c512d3$d8f0db30$a401280a@phx.gbl...
> Hi all,
>
> Should I permit (on my firewall) outbound/public DNS
> requests from my domain controllers?
I advise against it.
> I am employing split-brain DNS, whereby 2 domain
> controllers resolve domain lookups, but forward public
> lookups to our two public DNS servers.
Then you already have half of the solution -- forwarding
to another server for Internet resolution.
> Now, if all non-domain DNS requests are forwarding through
> our public DNS servers, then why would my domain
> controllers show outbound DNS (port 53) connection attempts
> in my firewall's logs?
Because on the Forwarders tab (assuming the DCs
are also DNS servers) of the DNS server there is an
optional check box: "Do not use recursion."
Check it to disable physical recursion by the DNS server.
Disadvantage is that Internet resolution is now dependent
on the reliability of the Forwarder.
> Do I enable the port or suspect a trojan? Or, have I
> perhaps misconfigured DNS in my domain controllers?
Probably not a trojan. Probably you just didn't check the
box.
> Any advice is greatly appreciated.
Do NOT check the (other) box in "Advanced" which
says "Disable Recursion" -- it disables physical recursion
AND forwarding.
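The reply's diagnosis (the DCs are still recursing on their own, rather than only forwarding) can be checked against the firewall logs before anyone reaches for the trojan hypothesis. What follows is an added example, not code from the thread or from Microsoft: a small Python script that reads firewall log lines in a simplified, constructed space-separated format (real firewall logs differ in layout but carry the same fields), keeps only outbound port-53 traffic from the DCs, and separates traffic to the configured forwarders from traffic to any other host. The DC addresses, forwarder addresses and log lines are all placeholders constructed for the example.

```python
"""Triage outbound port-53 connections from domain controllers.

Added example, not part of the original newsgroup thread. A DC that only
forwards should send DNS traffic to its forwarders and nowhere else; DNS
traffic to other hosts is what recursion looks like from the firewall.
"""

# Constructed inventory (placeholder addresses): DCs that run the DNS
# service, and the two public DNS servers configured as forwarders.
DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}
FORWARDERS = {"198.51.100.53", "198.51.100.54"}

# Constructed log lines in a simplified format: action src dst proto dport
SAMPLE_LOG = """\
ALLOW 10.0.0.10 198.51.100.53 udp 53
ALLOW 10.0.0.11 198.51.100.54 udp 53
DENY 10.0.0.10 203.0.113.4 udp 53
DENY 10.0.0.10 203.0.113.5 udp 53
DENY 10.0.0.10 203.0.113.4 udp 53
DENY 10.0.0.11 198.51.100.53 tcp 53
ALLOW 10.0.0.50 198.51.100.53 udp 53
ALLOW 10.0.0.10 203.0.113.80 tcp 443
"""


def parse_line(line):
    """Split one constructed-format log line into its fields."""
    action, src, dst, proto, dport = line.split()
    return {"action": action, "src": src, "dst": dst,
            "proto": proto, "dport": int(dport)}


def triage(log_text, dcs=DOMAIN_CONTROLLERS, forwarders=FORWARDERS):
    """Per DC, count DNS connections to the forwarders and collect the
    distinct non-forwarder destinations. Non-DC sources and non-DNS
    ports are ignored; TCP 53 to a forwarder is counted as normal
    (truncated answers are retried over TCP)."""
    counts = {dc: 0 for dc in dcs}
    others = {dc: set() for dc in dcs}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["src"] not in dcs or rec["dport"] != 53:
            continue
        if rec["dst"] in forwarders:
            counts[rec["src"]] += 1
        else:
            others[rec["src"]].add(rec["dst"])
    return {dc: {"to_forwarders": counts[dc],
                 "unexpected": sorted(others[dc])} for dc in dcs}


def verdict(report):
    """Map each DC to a short reading of the evidence, following the
    reply's reasoning: forwarder-only traffic is the desired state;
    forwarder traffic plus other DNS destinations means the server is
    still recursing on its own."""
    out = {}
    for dc, r in report.items():
        if not r["unexpected"]:
            out[dc] = "forwarding only"
        elif r["to_forwarders"] > 0:
            out[dc] = ("forwarding, but also sending DNS to non-forwarders: "
                       "recursion is probably still enabled on this server")
        else:
            out[dc] = ("no forwarder traffic at all: "
                       "check the forwarder configuration on this server")
    return out


if __name__ == "__main__":
    for dc, reading in verdict(triage(SAMPLE_LOG)).items():
        print(f"{dc}: {reading}")
```

If every DC comes back as "forwarding only", the firewall rule can stay closed and the remaining port-53 entries are noise from before the change; if a DC shows non-forwarder destinations, that matches the missing "Do not use recursion" setting from the reply rather than anything malicious, and the log can be re-checked once the box is ticked.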