RE: DNS recursive



This is a late response to this thread but there's an important point I
wanted to add:

Since DNS servers listen and respond to UDP packets, they are highly
vulnerable to spoofing attacks. Using the IP address to limit access to
certain features certainly would not be effective. Since people often use
recursive DNS queries in DDoS attacks, it would be best to make a DNS server
that allows recursive queries only accessible to your trusted networks.

Of course, ingress filtering on your router or firewall will limit your
exposure and IP address restrictions certainly are better than placing an
open recursive DNS server on the internet but the point here is that DNS
servers cannot effectively rely on IP address restrictions on their own.

To answer your original question, although the built-in Windows DNS server
cannot do that, there is a product, Simple DNS Plus
(http://www.simpledns.com) that allows you to restrict recursive queries by
IP address. Just be careful how you use it.


Mark Burnett




-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Laura A. Robinson
Sent: Thursday, November 16, 2006 12:09 PM
To: 'SHON, DAN'; 'Mailinglists Address'; 'dubaisans dubai'
Cc: focus-ms@xxxxxxxxxxxxxxxxx
Subject: RE: DNS recursive

This could also be done with IPsec, but I'm curious as to what it is that
the OP wants to accomplish...

Laura

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of SHON, DAN
Sent: Wednesday, November 15, 2006 12:34 PM
To: Mailinglists Address; dubaisans dubai
Cc: focus-ms@xxxxxxxxxxxxxxxxx
Subject: RE: DNS recursive

You can always set up ACLs to block or allow UDP 53 on the router.


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Mailinglists Address
Sent: Wednesday, November 15, 2006 8:18 AM
To: 'dubaisans dubai'
Cc: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Re: DNS recursive


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of dubaisans dubai
Sent: Monday, November 13, 2006 4:16 AM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: DNS recursive


On Windows 2000/2003 is it possible to restrict DNS recursive queries to only a specific subnet of IP addresses?


Coming in late on this thread, but according to everything I
have read there is no way to restrict recursive lookups from
a specific network using Microsoft DNS. You will need to use
another DNS server software in order to accomplish this.

I would recommend the win32 version of Bind9 as it has the
functionality you are looking for.

Tom Walsh
Express Web Systems, Inc.
http://www.expresswebsystems.com/
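For the BIND9 route Tom suggests, and the recursion restriction Mark discusses above, the following named.conf fragment is an added example (not from this thread or from the BIND project) showing the open-resolver setting beside a restricted one. The network prefixes in the "trusted" ACL are assumptions; substitute your own.

```conf
// Weak setting: recursion is on and nothing limits who may use it,
// so the server answers recursive queries from the whole internet.
//
// options {
//     recursion yes;
// };

// Restricted setting: only the listed source networks get recursion.
acl "trusted" {
    127.0.0.1;          // the server itself
    192.168.1.0/24;     // assumed internal LAN, replace with yours
    10.0.0.0/8;         // assumed internal networks, replace with yours
};

options {
    recursion yes;
    allow-recursion   { trusted; };   // recursive lookups for trusted sources only
    allow-query-cache { trusted; };   // BIND 9.4+: cached answers for them only
    allow-query       { any; };       // your own authoritative zones stay public
};
```

Because these ACLs match the source address of a UDP packet, which can be forged, pair them with ingress filtering at the border so that packets arriving from outside cannot claim an address inside the "trusted" ranges.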
