Question about Windows 2000 DNS

Guest
Archived from groups: microsoft.public.win2000.dns

Hi Friends,

Is there any way to restrict which machines my DNS Server will respond to
for DNS queries?
For example: machines coming from the Internet can only query for my
domain (for which I have authority, SOA) and for them my DNS Server WON'T do
recursive queries, while for machines coming from my company (INTRANET) my
DNS Server will do recursive queries to outside DNS servers.

I know that BIND 9 does something like that, with the VIEW feature (where
you can say for which IPs my DNS Server does recursive queries).

Help me!!

Thank you a lot

Carlos Henrique
Rio de Janeiro - Brasil
 
Guest

"Carlos Henrique" <carloshenrique@urbi.com.br> wrote in message
news:OKBRAKKMFHA.656@TK2MSFTNGP14.phx.gbl...
>
> Hi Friends,
>
> Is there any way to restrict which machines my DNS Server will respond to
> for DNS queries?

Yes, there are two basic approaches.

One is to restrict which NICs/IP it responds on
which prevents a multihomed machine from responding,
for instance, on the "outside".

Or filters using some NIC filtering scheme such
as IPSec* policies.

* Many people incorrectly believe that IPSec policies
are ONLY for invoking IPSec security of the data, but
they can be used for simple BLOCK, PASS, or Negotiate
IPSec -- only the latter may actually invoke the IPSec
security features on the data.

> For example: machines coming from the Internet can only query for my
> domain (for which I have authority, SOA) and for them my DNS Server WON'T do
> recursive queries, while for machines coming from my company (INTRANET) my
> DNS Server will do recursive queries to outside DNS servers.

If you allow the machine to answer queries however,
you must either enable recursion for ALL such, or
disable them for all such.

Generally, there is no reason that the SAME DNS
server should be handling both internal (recursive)
queries and external (non-recursive) queries.

In general, public zones should be at the REGISTRAR
anyway. (Not on your DNS servers nor those of the
ISP in most cases.)


> I know that BIND 9 does something like that, with the VIEW feature (where
> you can say for which IPs my DNS Server does recursive queries).

Yes, a VIEW can do that.

Windows doesn't do views.
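
Whether a server offers recursion to outside clients, the point discussed above, can be verified from an Internet-side host: send a query with RD set for a name the server does not host and read the RA bit and RCODE of the reply. This is an added example, not part of the original thread; the function names and the sample replies are constructed for illustration.

```python
import socket
import struct

RD, RA, QR = 0x0100, 0x0080, 0x8000   # DNS header flag bits (RFC 1035)
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234, qtype=1):
    """Build an A query for `name` with RD (recursion desired) set."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def classify_response(packet, qid=0x1234):
    """Classify the reply to a recursive query for a name the server does not host."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != qid or not flags & QR:
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    if flags & RA:
        return "recursion-available"          # server offers recursion to this client
    if rcode == 5:
        return "refused"                      # recursion (or the query) denied
    if rcode == 0 and an == 0:
        return "referral-or-empty"            # non-recursive server pointing elsewhere
    return "other:" + RCODES.get(rcode, str(rcode))

def probe(server_ip, foreign_name, timeout=3.0):
    """Send the query over UDP/53 to your own server and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(foreign_name), (server_ip, 53))
        return classify_response(s.recvfrom(512)[0])

def constructed_reply(query, flags, answer=b""):
    """Constructed sample reply (not captured traffic): same question, new header."""
    counts = struct.pack("!HHHH", 1, 1 if answer else 0, 0, 0)
    return query[:2] + struct.pack("!H", flags) + counts + query[12:] + answer

if __name__ == "__main__":
    q = build_query("www.example.com")
    a_rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    print("recursion disabled:", classify_response(constructed_reply(q, QR | RD | 5)))
    print("recursion enabled: ", classify_response(constructed_reply(q, QR | RD | RA, a_rr)))
```

An external-facing authoritative server should produce `refused` or `referral-or-empty` for foreign names; `recursion-available` seen from the Internet side means the server is acting as an open resolver.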
 
Guest

I want my DNS Server to answer any kind of query (any domain) for my
INTRANET machines, and when a query comes from the INTERNET (public) my
server should answer only if the query is about MY DOMAIN (for which I am
authoritative) ... and not answer queries like "who is
www.microsft.com?" for INTERNET machines, but "who is
www.mydomain.com.br?" my server HAS to answer, understand?
How can I do that?


Sorry for the poor English...



Herb Martin wrote:
> "Carlos Henrique" <carloshenrique@urbi.com.br> wrote in message
> news:OKBRAKKMFHA.656@TK2MSFTNGP14.phx.gbl...
>
>>Hi Friends,
>>
>>Is there any way to restrict which machines my DNS Server will respond to
>>for DNS queries?
>
>
> Yes, there are two basic approaches.
>
> One is to restrict which NICs/IP it responds on
> which prevents a multihomed machine from responding,
> for instance, on the "outside".
>
> Or filters using some NIC filtering scheme such
> as IPSec* policies.
>
> * Many people incorrectly believe that IPSec policies
> are ONLY for invoking IPSec security of the data, but
> they can be used for simple BLOCK, PASS, or Negotiate
> IPSec -- only the latter may actually invoke the IPSec
> security features on the data.
>
>
>>For example: machines coming from the Internet can only query for my
>>domain (for which I have authority, SOA) and for them my DNS Server WON'T do
>>recursive queries, while for machines coming from my company (INTRANET) my
>>DNS Server will do recursive queries to outside DNS servers.
>
>
> If you allow the machine to answer queries however,
> you must either enable recursion for ALL such, or
> disable them for all such.
>
> Generally, there is no reason that the SAME DNS
> server should be handling both internal (recursive)
> queries and external (non-recursive) queries.
>
> In general, public zones should be at the REGISTRAR
> anyway. (Not on your DNS servers nor those of the
> ISP in most cases.)
>
>
>
>>I know that BIND 9 does something like that, with the VIEW feature (where
>>you can say for which IPs my DNS Server does recursive queries).
>
>
> Yes, a VIEW can do that.
>
> Windows doesn't do views.
>
>
>
 
Guest

"Carlos Henrique" <carloshenrique@urbi.com.br> wrote in message
news:uj0tEeVMFHA.1948@TK2MSFTNGP14.phx.gbl...
> I want my DNS Server to answer any kind of query (any domain) for my
> INTRANET machines, and when a query comes from the INTERNET (public) my
> server should answer only if the query is about MY DOMAIN (for which I am
> authoritative) ... and not answer queries like "who is
> www.microsft.com?" for INTERNET machines, but "who is
> www.mydomain.com.br?" my server HAS to answer, understand?
> How can I do that?

It doesn't work that way.

And it is a bad idea, even if you could get it to work.


> Sorry for the poor English...

No problem.

I probably don't speak your language that well either. <grin>

(Actually, if it is Spanish, I am trying to learn it but you still
have better English.)