Public DNS Requests from Domain Controller?

Dave

Hi all,

Should I permit (on my firewall) outbound/public DNS
requests from my domain controllers?

I am employing split-brain DNS, whereby 2 domain
controllers resolve domain lookups, but forward public
lookups to our two public DNS servers.

Now, if all non-domain DNS requests are forwarding through
our public DNS servers, then why would my domain
controllers show outbound DNS (port 53) connection attempts
in my firewall's logs?

Do I enable the port or suspect a trojan? Or, have I
perhaps misconfigured DNS in my domain controllers?

Any advice is greatly appreciated.
 
Herb Martin

Dave said:
> Hi all,
>
> Should I permit (on my firewall) outbound/public DNS
> requests from my domain controllers?

I advise against it.

> I am employing split-brain DNS, whereby 2 domain
> controllers resolve domain lookups, but forward public
> lookups to our two public DNS servers.

Then you already have half of the solution -- forwarding
to another server for Internet resolution.

> Now, if all non-domain DNS requests are forwarding through
> our public DNS servers, then why would my domain
> controllers show outbound DNS (port 53) connection attempts
> in my firewall's logs?

Because on the Forwarders tab (assuming the DCs
are also DNS servers) of the DNS server there is an
optional check box: "Do not use recursion."

Check it to disable physical recursion by the DNS server.

Disadvantage is that Internet resolution is now dependent
on the reliability of the Forwarder.

> Do I enable the port or suspect a trojan? Or, have I
> perhaps misconfigured DNS in my domain controllers?

Probably not a trojan. Probably you just didn't check the
box.

> Any advice is greatly appreciated.

Do NOT check the (other) box in "Advanced" which
says "Disable Recursion" -- it disables physical recursion
AND forwarding.
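The two settings Herb distinguishes (the per-forwarder "do not use recursion" box, which newer Windows DNS Server versions present inverted as "Use root hints if no forwarders are available", versus the server-wide "Disable recursion" box that also kills forwarding) can be checked from PowerShell. The script below is an added example and is not part of the thread or of any Microsoft documentation. It assumes the DC runs a DNS Server version that ships the DnsServer module (Windows Server 2012 or later), an elevated session, and placeholder forwarder addresses in the 192.0.2.0/24 documentation range that you would replace with your own public resolvers.

```powershell
# Added example: audit and correct a DC's DNS forwarding posture so that all
# Internet lookups leave via the configured forwarders only.
#Requires -Modules DnsServer

# Placeholder addresses (constructed); substitute your two public DNS servers.
$ExpectedForwarders = @('192.0.2.53', '192.0.2.54')

function Get-DnsForwardingReport {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $fwd = Get-DnsServerForwarder -ComputerName $ComputerName
    $rec = Get-DnsServerRecursion  -ComputerName $ComputerName

    # UseRootHint = $true means the server iterates from the root servers itself
    # when the forwarders do not answer. That fallback is what produces outbound
    # port-53 attempts from the DC to addresses other than the forwarders.
    [pscustomobject]@{
        Server               = $ComputerName
        Forwarders           = @($fwd.IPAddress | ForEach-Object { $_.ToString() })
        FallsBackToRootHints = [bool]$fwd.UseRootHint
        RecursionEnabled     = [bool]$rec.Enable
    }
}

function Test-DnsForwardingPosture {
    param([pscustomobject]$Report, [string[]]$Expected)

    $findings = @()
    if ($Report.Forwarders.Count -eq 0) {
        $findings += 'No forwarders configured: every Internet lookup is resolved by root-hint recursion from the DC.'
    }
    $unexpected = @($Report.Forwarders | Where-Object { $_ -notin $Expected })
    if ($unexpected.Count -gt 0) {
        $findings += "Forwarders not in the expected list: $($unexpected -join ', ')"
    }
    if ($Report.FallsBackToRootHints) {
        $findings += 'Root-hint fallback is on: when the forwarders time out, the DC talks to the Internet directly.'
    }
    if (-not $Report.RecursionEnabled) {
        $findings += 'Recursion is disabled server-wide: this also disables forwarding, so clients get SERVFAIL for external names.'
    }
    return $findings
}

# Remediation that matches the thread's advice: keep recursion enabled (so
# forwarding works) but stop the fallback to root hints. This is the PowerShell
# equivalent of the Forwarders-tab box, NOT the Advanced-tab "Disable recursion".
function Set-ForwardOnlyResolution {
    param([string]$ComputerName = $env:COMPUTERNAME, [string[]]$Forwarders)

    Set-DnsServerForwarder -ComputerName $ComputerName -IPAddress $Forwarders -UseRootHint $false
    Set-DnsServerRecursion -ComputerName $ComputerName -Enable $true
}

$report   = Get-DnsForwardingReport
$report | Format-List
$findings = Test-DnsForwardingPosture -Report $report -Expected $ExpectedForwarders
if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'Forwarding posture matches the split-brain design.' }

# Apply the fix after reviewing the report:
# Set-ForwardOnlyResolution -Forwarders $ExpectedForwarders
```

Once root-hint fallback is off, the firewall rule for the DCs can be narrowed to outbound 53 to the two forwarders only; any further port-53 attempts from a DC to other destinations in the logs are then a real anomaly worth investigating rather than expected resolver behaviour.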
 
Guest

> Because on the Forwarders tab (assuming the DCs
> are also DNS servers) of the DNS server there is an
> optional check box: "Do not use recursion."
>
> Check it to disable physical recursion by the DNS server.

Thank you, Herb!!!