Stopping DNS recursion kills internet access

  • Stopping DNS recursion kills internet access

    When I disable Recursion (also disable forwarders) on this DNS server it cannot connect to the Internet (Primary DNS is pointed to itself). Therefore I cannot get Windows updates, patches, virus defs., etc.

    I need this server to also go out on the Internet, but not offer recursion. Simple DNS Plus offers the choice to:
    -----------------------------------------------------------------------------
    Perform DNS recursion
    - For everyone
    - Only for the following client IP addresses.
    -----------------------------------------------------------------------------

    So in Simple DNS Plus I add this server's network (and my secondary DNS server's network) to "Only for the following client IP addresses." and everything works great.

    Can I do this in Windows 2003 DNS? I want to have a closed DNS server but still have the DNS server access the Internet by using itself as Primary DNS provider.

    Thanks.

  • #2
    Re: Stopping DNS recursion kills internet access

    Pretty sure MS DNS doesn't give that functionality. You would be better off blocking internet access on your router for hosts you don't want to go out. A host could always just use IP or their own DNS servers to work around that, I would think.
    cheers
    Andy

    Quis custodiet ipsos custodes?



    • #3
      Re: Stopping DNS recursion kills internet access

      When I disable Recursion (also disable forwarders) on this DNS server it cannot connect to the Internet (Primary DNS is pointed to itself). Therefore I cannot get Windows updates, patches, virus defs., etc.
      Yes, that's right. You've basically told it not to go hunting for IP addresses and just use the ones it knows already. So, if it doesn't know the IP address then it won't be able to find it. No idea why you'd do this voluntarily to be honest lol

      From what I understand, you need that server to get on the internet but not offer any DNS services internally? If so, removing the DNS service and giving it access to an external DNS server would work pretty well, or at least stopping the DNS Server service.

      I notice you said you need "a closed DNS server" why is this? What are you trying to achieve as an end result?
      This message represents the official view of the voices in my head



      • #4
        Re: Stopping DNS recursion kills internet access

        The other solution in your case would be to implement another DNS server and configure it with the root hints. This can be used for resolving external domain names only.
        You can configure the forwarder to accept recursive queries only from your internal DNS.
        In your internal DNS (MS DNS can do that pretty well) enable recursive queries for all DNS clients and configure the server to forward all requests it can't resolve to the DNS configured as the Forwarder.
        I am not quite sure how Simple DNS Plus's interaction with MS DNS is, but an all-MS DNS solution would do that pretty well.

        Cheers
        Caesar's cipher - 3

        ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

        SFX JNRS FC U6 MNGR



        • #5
          Re: Stopping DNS recursion kills internet access

          AFAIK, the root hint servers will not perform recursion so if you disable recursion and you don't use forwarders you will get no "external" DNS name resolution. Personally, I don't use forwarders, I use recursion and root hints. My DNS server looks up the SOA and NS records for external domains by querying the root hint servers and then performs recursion on behalf of my clients. The reason I don't use forwarders is that I don't like to rely on my ISP DNS servers, which I don't manage or control and if they have a problem then I will have a problem.



          • #6
            Re: Stopping DNS recursion kills internet access

            Originally posted by joeqwerty:
            Personally, I don't use forwarders, I use recursion and root hints. My DNS server looks up the SOA and NS records for external domains by querying the root hint servers and then performs recursion on behalf of my clients. The reason I don't use forwarders is that I don't like to rely on my ISP DNS servers, which I don't manage or control and if they have a problem then I will have a problem.
            I know where you are coming from with that! It could be months before any problem is being looked at by the ISP.
            The forwarder doesn't have to be your ISP DNS server though, it could be another DNS server in the organisation.
            From what I can gather from the original question, he wants to use the internal DNS server just for internal DNS queries (which makes sense from a security perspective).
            That's why I suggested a forwarder can be used for this purpose that can sit behind a firewall configured to allow only outgoing DNS traffic for added security.

            Ta



            • #7
              Re: Stopping DNS recursion kills internet access

              Originally posted by joeqwerty:
              ...The reason I don't use forwarders is that I don't like to rely on my ISP DNS servers, which I don't manage or control and if they have a problem then I will have a problem.
              That's what I want to do - use my own DNS. SBC delegated reverse DNS to me. I have two servers: NS1 and NS2 on two separate networks. NS1 handles mail and web services and NS2 handles backup mail and web.

              So if I forward to SBC am I not where I was before? I just want everything to be in-house, so to speak. I also use these two machines to get out on the web. I can kill recursion and forwarders and I can point the preferred DNS on the servers to SBC's DNS servers, but I kinda' don't want to do that. I want them to point to themselves.

              Am I doing something wrong or just silly?

              Thanks.



              • #8
                Re: Stopping DNS recursion kills internet access

                OK, I "fixed" it.

                Since I have two networks (16x.x.x.x and 20x.x.x.x) I had to figure a way for the machines on both networks to use a common DNS server that is not exposed to the Internet.

                So I installed XP inside VMware on my primary DNS server and I used VMnet1 to tie into one network (16x.x.x.x) and VMnet6 to tie into the other network (20x.x.x.x). Then I attached XP to both networks and my LAN (VMnet4). Inside XP I now use Simple DNS for ns.local.dns. Simple DNS offers DNS recursion only for 192.168.x.x. So my primary & secondary DNS servers (one on each network) just answer queries and use ns.local.dns (at 192.168.x.x) to get to the Net.

                As per DNSSTUFF.COM report:
                "PASS - Open DNS servers - OK. Your DNS servers do not announce that they are open DNS servers."

                My other 3 Win2K3 servers, my 3 XP boxes, and the 2 Linux boxes now all use the XP VMware at 192.168.x.x as their primary DNS. I added SBC's DNS as secondary for redundancy, just in case. But I don't care much about that, since if my primary server goes down (the one running VMware) then I have bigger problems than just not having DNS. But if that does happen, the other machines will still have SBC.

                So now all my servers and workstations are able to get on the net by using my own (reverse/)DNS at 192.168.x.x, nobody can relay off my DNS servers since they can't get to 192.168.x.x, everything is very fast because it's on the LAN, and my 2 main DNS servers are closed.

                And most importantly, Active Directory has not complained about this AT ALL!!!

                Thanks.

                Late.

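The DNSSTUFF "open DNS servers" result quoted in the post above, and the closed-server design discussed in #4, both come down to how a server answers a recursive query (RD bit set) for a name it is not authoritative for: an open resolver sets RA (recursion available) and returns an answer, a closed one returns REFUSED or clears RA. The following Python script is an added example, not code from this thread, from Simple DNS Plus or from Microsoft DNS; it builds such a query, parses the response header and classifies the server. The three sample responses and the address 192.0.2.10 are constructed so the script runs offline, and `probe()` is a hypothetical helper that sends the same query over UDP to a server you administer.

```python
import secrets
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1
RCODE_NOERROR = 0
RCODE_REFUSED = 5


def build_query(name, qtype=QTYPE_A, txid=0x1234, rd=True):
    """Build a minimal DNS query packet; RD set asks the server to recurse."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(packet):
    """Decode the 12-byte DNS header into the flags a resolver check cares about."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),     # response (1) or query (0)
        "aa": bool(flags & 0x0400),     # authoritative answer
        "rd": bool(flags & 0x0100),     # recursion desired (copied from query)
        "ra": bool(flags & 0x0080),     # recursion available: the open-resolver tell
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def classify(response, expected_txid):
    """Classify a server from its reply to a recursive query for a foreign name."""
    h = parse_header(response)
    if h["id"] != expected_txid or not h["qr"]:
        return "invalid"
    if h["rcode"] == RCODE_REFUSED:
        return "closed (REFUSED)"
    if h["ra"] and h["rcode"] == RCODE_NOERROR and h["ancount"] > 0:
        return "open recursive"
    if not h["ra"]:
        return "closed (recursion not available)"
    return "inconclusive"


def build_response(query, flags, answer_ip=None):
    """Constructed reply to `query` with the given flags and an optional A record."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    ancount = 1 if answer_ip else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    answer = b""
    if answer_ip:
        # name = compression pointer to the question at offset 12, TTL 300, 4-byte rdata
        answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
        answer += socket.inet_aton(answer_ip)
    return header + question + answer


# Constructed samples: the same query answered by three differently configured servers.
QUERY = build_query("example.com", txid=0x1234)
OPEN_RESPONSE = build_response(QUERY, 0x8180, "192.0.2.10")   # QR RD RA, NOERROR, 1 answer
REFUSED_RESPONSE = build_response(QUERY, 0x8105)              # QR RD, RCODE=REFUSED
NO_RA_RESPONSE = build_response(QUERY, 0x8100)                # QR RD, RA clear, no answer


def probe(server, name="example.com", timeout=3.0):
    """Hypothetical helper: send one recursive query over UDP to a server you manage."""
    txid = secrets.randbelow(0x10000)
    query = build_query(name, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
    return classify(data, txid)


if __name__ == "__main__":
    for label, resp in [("open", OPEN_RESPONSE), ("refused", REFUSED_RESPONSE),
                        ("no-ra", NO_RA_RESPONSE)]:
        print(f"{label:8s} -> {classify(resp, 0x1234)}")
```

Run `probe("<your-dns-ip>")` from a host outside the networks you allow recursion for: the two "closed" results are what the DNSSTUFF check calls PASS, and "open recursive" is the condition the thread is trying to get rid of on the public NS1/NS2 servers.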
