Re: MS DNS and AD question

From: Laura A. Robinson (larobins@bellatlantic.net)
Date: 10/26/01


Message-ID: <072101c15e5a$534c9540$0b00010a@lauradominion.com>
From: "Laura A. Robinson" <larobins@bellatlantic.net>
To: "James Fullerton" <James@RS25.com>, <focus-ms@securityfocus.com>
Subject: Re: MS DNS and AD question
Date: Fri, 26 Oct 2001 16:10:50 -0400

While I would recommend setting up separate internal and external servers
(your ISP could provide the external resolution if you do not wish to
maintain your own external DNS server), the solution that Microsoft
recommends could work but would be rather tedious to implement (although I'm
not sure why they are mentioning maintaining *two* zones; that doesn't seem
to make sense to me). Are there *some* addresses in the zone that *do* need
to be externally resolvable? Is it also from internal clients that you want
to hide the addresses? Are the addresses that you wish to hide those of
servers?

Laura A. Robinson
----- Original Message -----
From: "James Fullerton" <James@RS25.com>
To: <focus-ms@securityfocus.com>
Sent: Friday, October 26, 2001 11:39 AM
Subject: MS DNS and AD question

> I'm using MS DNS and AD, and AD publishes my internal IP addresses to anyone
> who wants to see them (using nslookup for example). I would like to prevent
> that from happening, and keep my internal IP addresses hidden (i.e.,
> 10.0.0.2 should not be visible). Short of setting up separate internal and
> external DNS servers, can this be done? If so, can someone please direct me
> to directions or provide details?
>
> Microsoft's weak answer:
> It is possible to keep the two zones on one server and to integrate the zone
> with the Active Directory security features. With proper access control to
> the DNS files in Active Directory, one might be able to restrict internal
> DNS queries to authenticated users only. However, we have not verified this
> solution. The complexity of this solution would require extensive testing to
> ensure proper settings are being made and no internal information is being
> erroneously exported to the Internet.
>
> Thanks,
>
>
> James F
> James@RS25.com
> (303) 913 - 6998
>
>
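
A defender-side check that follows from the question above, added here as an example and not part of the original thread: it scans a zone file export for A/AAAA records whose addresses fall in the RFC 1918, loopback, link-local or IPv6 ULA ranges, which is exactly what to review before a zone is served from an Internet-facing server. The sample zone, its names and its addresses are constructed placeholders (10.0.0.2 mirrors the thread's example).

```python
"""Flag DNS records that expose internal addresses if the zone is published
externally.  Added example; SAMPLE_ZONE is constructed, not from the thread."""
import ipaddress
import re

# Constructed BIND-style zone fragment.  A Windows DNS export looks similar
# enough for this check to apply; owner-less lines inherit the previous owner.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@       IN  SOA ns1.example.com. hostmaster.example.com. (2001102601 3600 900 604800 300)
@       IN  NS  ns1.example.com.
ns1     IN  A   203.0.113.10
www     IN  A   203.0.113.20
        IN  AAAA 2001:db8::20     ; same owner as the line above
dc1     IN  A   10.0.0.2          ; domain controller, internal only
        IN  AAAA fd12:3456::2
_ldap._tcp.dc._msdcs IN SRV 0 100 389 dc1.example.com.
fileserver  3600 IN  A  192.168.5.7
"""

# Address ranges that have no business in an externally served zone.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                 # IPv6 ULA, link-local, loopback
)]

# owner (may be empty) [TTL] [IN] A|AAAA address
RECORD = re.compile(r"^(\S*)\s+(?:\d+\s+)?(?:IN\s+)?(A|AAAA)\s+(\S+)$")

def find_internal_records(zone_text):
    """Return [(owner, address)] for A/AAAA records pointing at internal ranges."""
    leaks, owner = [], None
    for raw in zone_text.splitlines():
        m = RECORD.match(raw.split(";")[0].rstrip())   # drop comments
        if not m:
            continue
        name, _rtype, addr = m.groups()
        owner = name or owner                           # blank owner = previous owner
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                                    # malformed; not this check's job
        if any(ip in net for net in INTERNAL_NETS):
            leaks.append((owner, addr))
    return leaks

if __name__ == "__main__":
    for owner, addr in find_internal_records(SAMPLE_ZONE):
        print(f"internal address published: {owner} -> {addr}")
```

Run it against the zone you intend to serve externally; an empty result is the condition to verify before the zone goes live, and a hit is the record to move into the internal-only zone.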
