Public DNS Requests from Domain Controller?

Dave

Hi all,

Should I permit (on my firewall) outbound/public DNS
requests from my domain controllers?

I am employing split-brain DNS, whereby 2 domain
controllers resolve domain lookups, but forward public
lookups to our two public DNS servers.

Now, if all non-domain DNS requests are forwarding through
our public DNS servers, then why would my domain
controllers show outbound DNS (port 53) connection attempts
in my firewall's logs?

Do I enable the port or suspect a trojan? Or, have I
perhaps misconfigured DNS in my domain controllers?

Any advice is greatly appreciated.
 
Dave said:
Hi all,

Should I permit (on my firewall) outbound/public DNS
requests from my domain controllers?

I advise against it.
I am employing split-brain DNS, whereby 2 domain
controllers resolve domain lookups, but forward public
lookups to our two public DNS servers.

Then you already have half of the solution -- forwarding
to another server for Internet resolution.
Now, if all non-domain DNS requests are forwarding through
our public DNS servers, then why would my domain
controllers show outbound DNS (port 53) connection attempts
in my firewall's logs?

Because on the Forwarders tab (assuming the DCs
are also DNS servers) of the DNS server there is an
optional check box: "Do not use recursion."

Check it to disable physical recursion by the DNS server.

Disadvantage is that Internet resolution is now dependent
on the reliability of the Forwarder.
Do I enable the port or suspect a trojan? Or, have I
perhaps misconfigured DNS in my domain controllers?

Probably not a trojan. Probably you just didn't check the
box.
Any advice is greatly appreciated.

Do NOT check the (other) box in "Advanced" which
says "Disable Recursion" -- it disables physical recursion
AND forwarding.
 
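The two settings Herb distinguishes above can be audited and corrected from PowerShell instead of the DNS Manager GUI. The script below is an added example, not code from the original thread or from either poster; it assumes the DnsServer module (Windows Server 2012 or later, with the DNS Server role or RSAT installed) and uses the documentation addresses 192.0.2.10 and 192.0.2.11 as placeholders for the two public forwarders. On current Windows versions the Forwarders-tab box is labelled "Use root hints if no forwarders are available" (the same thing as the older "Do not use recursion" box, with the sense inverted), and the Advanced-tab box is "Disable recursion (also disables forwarders)".

```powershell
# Added example (not from the original thread): audit and fix the forwarder and
# recursion settings on a domain controller that also runs the DNS Server role.
# Run elevated on the DC itself. Requires the DnsServer module.
# Assumed values: the forwarder addresses below are placeholders for your own
# two public DNS servers.
$Forwarders = @('192.0.2.10', '192.0.2.11')   # assumed: replace with your real forwarders

Import-Module DnsServer

# 1. Show the current state.
$fwd = Get-DnsServerForwarder
$rec = Get-DnsServerRecursion
"Forwarders : $($fwd.IPAddress -join ', ')"
"UseRootHint: $($fwd.UseRootHint)"   # $true = the DC walks the root servers itself when
                                     #         forwarders fail (the outbound port 53 you saw)
"Recursion  : $($rec.Enable)"        # $false = no recursion AND no forwarding
                                     #          (the 'Advanced' box Herb warns against)

# 2. The server-wide 'Disable recursion' box must stay unchecked, or forwarding
#    stops working as well and every non-local lookup fails.
if (-not $rec.Enable) {
    Write-Warning 'Recursion is disabled server-wide, so forwarders are ignored. Re-enabling.'
    Set-DnsServerRecursion -Enable $true
}

# 3. Point at the forwarders and turn off root-hint fallback. This is the
#    PowerShell equivalent of checking 'Do not use recursion' on the Forwarders
#    tab: every query the DC is not authoritative for goes to the forwarders, and
#    the DC never contacts the root servers on its own. The only outbound port 53
#    traffic from the DC is then to the two forwarder addresses, which is all the
#    perimeter firewall needs to permit.
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false

# 4. To confirm the firewall-log entries were root-hint recursion rather than
#    something else, list the root-server addresses this DC knows and compare them
#    with the destination IPs in the firewall log.
"Root hint addresses (compare with firewall log destinations):"
Get-DnsServerRootHint |
    Select-Object -ExpandProperty IPAddress |
    Select-Object -ExpandProperty RecordData |
    Select-Object IPv4Address, IPv6Address

# 5. Verify resolution still works after the change: an Internet name must now
#    resolve through the forwarders, and an internal AD name must still resolve
#    from the local zone. Both queries are sent to this DC only (-Server localhost).
Resolve-DnsName -Name 'www.microsoft.com' -Server 'localhost' -DnsOnly |
    Select-Object Name, Type, IPAddress
Resolve-DnsName -Name $env:USERDNSDOMAIN -Type SRV -Server 'localhost' -DnsOnly |
    Select-Object Name, Type, NameTarget
```

Run the audit part (steps 1 and 4) before changing anything: if the firewall-log destinations match the root-hint addresses, the traffic is explained by the missing check box and not by malware. If the Internet lookup in step 5 fails after `-UseRootHint $false`, the forwarders themselves are unreachable, which is exactly the dependency Herb describes as the disadvantage of this configuration.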
Because on the Forwarders tab (assuming the DCs
are also DNS servers) of the DNS server there is an
optional check box: "Do not use recursion."

Check it to disable physical recursion by the DNS server.

Thank you, Herb!!!
 