Hi!

I want to set up my win2k-Server as a dns-server which resolves the
ip's from the lan (Active Directory) and forwards all other questions
to another dns-server (linux).
For security reason, I want to disable all other dns-traffic from
win2k despite from the linux-pc, so I tried to delete all root-servers
(cause win2k seems to connect several times to them - but this traffic
is completly firewalled).

But: After I delete all root-server, it takes some hour/days
(reboot?), and suddenly all root-servers appears in the dns-settings
and I one again have the dns-traffic from win2k to the root servers.

Is there a way to completely delete the root-servers, so that they
never appears again? Or is there a reason, why I MUSt have
root-servers, which I don't recognized?!?

Best regards

Steff

On 31 Jan 2004 07:00:55 -0800, Stefan Kirch wrote:

> Hi!
>
> I want to set up my win2k-Server as a dns-server which resolves the
> ip's from the lan (Active Directory) and forwards all other questions
> to another dns-server (linux).
> For security reason, I want to disable all other dns-traffic from
> win2k despite from the linux-pc, so I tried to delete all root-servers
> (cause win2k seems to connect several times to them - but this traffic
> is completly firewalled).
>
> But: After I delete all root-server, it takes some hour/days
> (reboot?), and suddenly all root-servers appears in the dns-settings
> and I one again have the dns-traffic from win2k to the root servers.
>
> Is there a way to completely delete the root-servers, so that they
> never appears again? Or is there a reason, why I MUSt have
> root-servers, which I don't recognized?!?
>
> Best regards
>
> Steff

Hi

You don't delete the root servers themselves you just delete the "." (no
quotes) domain and set the forwarders tab to the IP address of your Linux
DNS box.

Regards

Bill

See 298148 HOWTO: Remove the Root Zone (Dot Zone)
http://support.microsoft.com/?id=298148

--

Thanks,
Marc Reynolds
Microsoft Technical Support

This posting is provided "AS IS" with no warranties, and confers no rights.


"Stefan Kirch" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi!
>
> I want to set up my win2k-Server as a dns-server which resolves the
> ip's from the lan (Active Directory) and forwards all other questions
> to another dns-server (linux).
> For security reason, I want to disable all other dns-traffic from
> win2k despite from the linux-pc, so I tried to delete all root-servers
> (cause win2k seems to connect several times to them - but this traffic
> is completly firewalled).
>
> But: After I delete all root-server, it takes some hour/days
> (reboot?), and suddenly all root-servers appears in the dns-settings
> and I one again have the dns-traffic from win2k to the root servers.
>
> Is there a way to completely delete the root-servers, so that they
> never appears again? Or is there a reason, why I MUSt have
> root-servers, which I don't recognized?!?
>
> Best regards
>
> Steff

In news:(E-Mail Removed),
Stefan Kirch <(E-Mail Removed)> posted a question
Then Kevin replied below:
: Hi!
:
: I want to set up my win2k-Server as a dns-server which resolves the
: ip's from the lan (Active Directory) and forwards all other questions
: to another dns-server (linux).
: For security reason, I want to disable all other dns-traffic from
: win2k despite from the linux-pc, so I tried to delete all root-servers
: (cause win2k seems to connect several times to them - but this traffic
: is completly firewalled).
:
: But: After I delete all root-server, it takes some hour/days
: (reboot?), and suddenly all root-servers appears in the dns-settings
: and I one again have the dns-traffic from win2k to the root servers.
:
: Is there a way to completely delete the root-servers, so that they
: never appears again? Or is there a reason, why I MUSt have
: root-servers, which I don't recognized?!?
:
: Best regards
:
: Steff

You don't need to delete anything, on the Forwarders tab, check the box "Do
not use recursion" that will force your DNS to use the Linux as a forwarder
and basically disables the root hints, although they will still be there,
they will not be used.

--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
============================
--
When responding to posts, please "Reply to Group" via your
newsreader so that others may learn and benefit from your issue.
To respond directly to me remove the nospam. from my email.
==========================================
http://www.lonestaramerica.com/
==========================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
==========================================
Keep a back up of your OE settings and folders with
OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
==========================================

"Kevin D. Goodknecht [MVP]" <(E-Mail Removed)> wrote in message news:<(E-Mail Removed)>...

> You don't need to delete anything, on the Forwarders tab, check the box "Do
> not use recursion" that will force your DNS to use the Linux as a forwarder
> and basically disables the root hints, although they will still be there,
> they will not be used.

But this leads to the situation, that NO hostnames are resolved.

What I want is, that for ANY resolving, the forwarder is used (despite
for the ActiveDirectory-Domain). I just tried to delete the
default-root-servers and add my forwarder-ip in the hint for
root-servers area - let's hope, this will help.

Or is there any other way to solve the problem?
Is my idea really so strange, to only use a forwarder for any
dns-traffic?

Steff

"Marc Reynolds [MSFT]" <(E-Mail Removed)> wrote in message news:<(E-Mail Removed)>...
> See 298148 HOWTO: Remove the Root Zone (Dot Zone)
> http://support.microsoft.com/?id=298148

I already deleted the dot-zone some month ago.

What I want is:
* use the Win2K-DNS ONLY for the local ActiveDirectory-Domain
* for any other dns-traffic, use the forwarder, i.e. the linux-bind-server
* DON'T use any root-server

Any other idea?

Steff

In news:(E-Mail Removed),
Stefan Kirch <(E-Mail Removed)> posted a question
Then Kevin replied below:
: "Kevin D. Goodknecht [MVP]" <(E-Mail Removed)> wrote in message
: news:<(E-Mail Removed)>...
:
:: You don't need to delete anything, on the Forwarders tab, check the
:: box "Do not use recursion" that will force your DNS to use the Linux
:: as a forwarder and basically disables the root hints, although they
:: will still be there, they will not be used.
:
: But this leads to the situation, that NO hostnames are resolved.
:
: What I want is, that for ANY resolving, the forwarder is used (despite
: for the ActiveDirectory-Domain). I just tried to delete the
: default-root-servers and add my forwarder-ip in the hint for
: root-servers area - let's hope, this will help.
:
: Or is there any other way to solve the problem?
: Is my idea really so strange, to only use a forwarder for any
: dns-traffic?
:
: Steff

If you did what I said and it caused you to loose DNS resolution then the
DNS on the Linux is not doing recursive lookups. DO NOT confuse "Do not use
recursion" on the Forwarders tab with "Disable recursion" on the Advanced
tab. They are not the same.
"Do not use recursion" on the Forwarder tab prevents your DNS server from
using its Root Hints.
"Disable recursion" on the Advanced tab prevents your DNS server from
resolving any name not in its zones.

If you check "Do not use recursion" on the Forwarders tab and it stopped
resolution, then the forwarder has Recursion disabled. In this case it is
the DNS on the Linux. If you run dig against the Linux you can see if the ra
bit is disabled. In the Dig query you will see a Flags section If you see an
RD followed by an RA then it has recusion available, if you have only a RD
not followed by an RA then recursion is disabled.



--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
============================
--
When responding to posts, please "Reply to Group" via your
newsreader so that others may learn and benefit from your issue.
To respond directly to me remove the nospam. from my email.
==========================================
http://www.lonestaramerica.com/
==========================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
==========================================
Keep a back up of your OE settings and folders with
OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
==========================================