DNS selective allow-recursion

Ivan Slovic

I want to disable allow-recursion on my DNS servers for anyone except my
internal set of IP addresses.
Is it possible to do this?

Thanks,

Ivan
 
Ivan Slovic

Just plain and simple 'No'? :(
I'm having some kind of attacks on my DNS server.. when I run Network Monitor
I get this:

Std Qry for . of type Auth NS on class INET addr.

And my DNS server replies with 13 answers of root DNS servers... I have about
2 IP addresses asking my DNS this kind of 'question' and my DNS is making
constant 25Kbps outgoing traffic for nothing. When I block these 2 IPs, the next
day I get another 2.. I can't disable recursion completely... any
suggestions?
 
Kevin D. Goodknecht [MVP]

You either allow recursion or you disable recursion. You don't have a choice
as to who gets to use it.
This is one reason why you shouldn't allow access to your internal DNS
server by external users. If you had your public zones on a separate DNS
server you could disable recursion on it.
 
Ivan Slovic

Kevin D. Goodknecht said:
You either allow recursion or you disable recursion. You don't have a choice
as to who gets to use it.
This is one reason why you shouldn't allow access to your internal DNS
server by external users. If you had your public zones on a separate DNS
server you could disable recursion on it.

I think this allow-recursion should be a more scalable thing, and I don't
think it's a bad idea if you can choose who gets to use it. Maybe in the
next version of Windows DNS Server we'll get this opportunity. Now.. my
problem.. I can't have separate DNS servers for internal and public use. I
only have one DNS server and that's it! So... any ideas how I can fix this
problem? I need recursion for my internal clients...

Thanks,
Ivan
 
Kevin D. Goodknecht [MVP]

This is a case when you should let your registrar host the public zone for
you. It is risky business to have the internal DNS server you need for
internal DNS resolution, also resolving names for public users.
One big negative, unless your internal Network is using all public IP
addresses, you are going to have big problems resolving names for the
correct IP for both internal and public users.
 
Ivan Slovic

Kevin D. Goodknecht said:
This is a case when you should let your registrar host the public zone for
you. It is risky business to have the internal DNS server you need for
internal DNS resolution, also resolving names for public users.
One big negative, unless your internal Network is using all public IP
addresses, you are going to have big problems resolving names for the
correct IP for both internal and public users.

--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
============================

My network is a little bit complicated to explain here, but this segment I'm
talking about here is all public IPs and my DNS needs to be like it is right
now.
Thanks anyway... you helped me save my time and quit looking for selective
recursion, because I thought it could be done, it seemed to me as a normal
dns option. :)

Ivan
 
Ace Fekay [MVP]

Ivan Slovic said:
My network is a little bit complicated to explain here, but this
segment I'm talking about here is all public IPs and my DNS needs to
be like it is right now.
Thanks anyway... you helped me save my time and quit looking for
selective recursion, because I thought it could be done, it seemed to
me as a normal dns option. :)

Ivan

This feature exists under BIND...It's called 'views'.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
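As an added illustration of the BIND 'views' feature Ace mentions (this is not configuration from the thread or from any of its posters): a BIND 9 named.conf fragment that gives recursion only to assumed internal prefixes and serves the assumed zone example.com authoritatively to everyone else, with the open-resolver setting the thread is suffering from shown for contrast.

```conf
// Added example, not from this thread. Prefixes, zone name and file
// paths are assumptions; adjust them to the real network.

// Clients that are allowed to use this server as a recursive resolver.
acl "internal" {
    127.0.0.1;
    10.0.0.0/8;         // assumed internal prefix
    192.168.0.0/16;     // assumed internal prefix
};

options {
    directory "/var/named";
    // Deliberately no global "recursion"/"allow-recursion" here:
    // each view below decides for its own clients.
};

// The weak setting that makes a server an open resolver, which is what
// the "Std Qry for . of type Auth NS" traffic in the thread exploits:
//   options { recursion yes; allow-recursion { any; }; };

// Views are matched in order; the first view whose match-clients
// matches the source address answers the query.
view "internal" {
    match-clients { internal; };
    recursion yes;
    allow-recursion { internal; };
    zone "example.com" {              // assumed zone name
        type master;
        file "internal/example.com.zone";
    };
};

// Everyone else: authoritative answers only, no recursion, no cache.
view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
    allow-query-cache { none; };
    zone "example.com" {              // same zone, public data only
        type master;
        file "external/example.com.zone";
    };
};
```

Once views are in use, every zone must live inside a view; out-of-zone queries from addresses outside the "internal" acl are refused rather than recursed, but the server still has to receive and answer each one, so this limits the work an outside client can cause rather than removing its reach to the server.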
 
Ivan Slovic

"Ace Fekay [MVP]"
This feature exists under BIND...It's called 'views'.

I know... but we don't use Linux or some kind of *ix OS. We're Microsoft
Certified Partner. :( :)))))

Ivan
 
Ace Fekay [MVP]

Ivan Slovic said:
"Ace Fekay [MVP]"

I know... but we don't use Linux or some kind of *ix OS. We're
Microsoft Certified Partner. :( :)))))

Ivan

I understand that...just wanted to point out the feature does exist in BIND.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Jonathan de Boyne Pollard

IS> I have about 2 IP addresses asking my DNS this kind of
IS> 'question' and my DNS is making constant 25Kbps outgoing
IS> traffic for nothing.

This is one of the reasons why you should not provide promiscuous proxy DNS
service, which is what you currently are doing. Providing promiscuous
proxy DNS service is just as bad an idea as providing promiscuous proxy
HTTP service or "open" SMTP Relay service. Your proxy DNS server's front
end should be listening on an IP address that is simply not reachable by
the rest of Internet. (For best results, it should be a non-routable IP
address in one of the RFC 1918 address ranges.) Only its back-end should
be capable of reaching the rest of Internet.

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-server-roles.html#ProxyIP>

If you wish to publish DNS data to the rest of Internet, that should be done
with a _separate_ content DNS server.

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-monolithic-server-as-content.html>
 
Jonathan de Boyne Pollard

IS> I think this allow-recursion should be a more scalable thing, [...]

That's BIND Think, and it's wrong. You haven't thought things through.
Access control lists on the DNS server (which is what that of course is)
don't stop attackers from being able to make your server do work and use
your resources, and they don't stop several forms of attack.

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-server-roles.html#ProxyIP>

IS> I can't have separate DNS servers for internal and public use.

You can (with Microsoft's DNS server) if you can have more than one bastion
host. (With other DNS server software, where one can far more easily run
multiple DNS servers on a single machine than one can with Microsoft's DNS
server, one can have separate content DNS servers and proxy DNS servers
even when one has only the one bastion host.)
 