Public DNS Requests from Domain Controller?

Dave
Jun 25, 2003
Archived from groups: microsoft.public.win2000.dns

Hi all,

Should I permit (on my firewall) outbound/public DNS
requests from my domain controllers?

I am employing split-brain DNS, whereby 2 domain
controllers resolve domain lookups, but forward public
lookups to our two public DNS servers.

Now, if all non-domain DNS requests are forwarding through
our public DNS servers, then why would my domain
controllers show outbound DNS (port 53) connection attempts
in my firewall's logs?

Do I enable the port or suspect a trojan? Or, have I
perhaps misconfigured DNS in my domain controllers?

Any advice is greatly appreciated.

"Dave" <anonymous@discussions.microsoft.com> wrote in message
news:25a701c512d3$d8f0db30$a401280a@phx.gbl...
> Hi all,
>
> Should I permit (on my firewall) outbound/public DNS
> requests from my domain controllers?

I advise against it.

> I am employing split-brain DNS, whereby 2 domain
> controllers resolve domain lookups, but forward public
> lookups to our two public DNS servers.

Then you already have half of the solution -- forwarding
to another server for Internet resolution.

> Now, if all non-domain DNS requests are forwarding through
> our public DNS servers, then why would my domain
> controllers show outbound DNS (port 53) connection attempts
> in my firewall's logs?

Because on the Forwarders tab (assuming the DCs
are also DNS servers) of the DNS server there is an
optional check box: "Do not use recursion."

Check it to disable physical recursion by the DNS server.

Disadvantage is that Internet resolution is now dependent
on the reliability of the Forwarder.

> Do I enable the port or suspect a trojan? Or, have I
> perhaps misconfigured DNS in my domain controllers?

Probably not a trojan. Probably you just didn't check the
box.

> Any advice is greatly appreciated.

Do NOT check the (other) box in "Advanced" which
says "Disable Recursion" -- it disables physical recursion
AND forwarding.

--
Herb Martin
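As an added example (not part of the thread, and not Herb's or Dave's code), the following PowerShell script audits the two settings Herb distinguishes on every domain controller and optionally corrects them. It assumes Windows Server 2012 or later DCs with the DnsServer and ActiveDirectory modules, an account with DNS admin rights, and WinRM/RPC reachability. The checkbox wording changed after Windows 2000/2003: the Forwarders tab's "Do not use recursion" became "Use root hints if no forwarders are available" (the inverse sense), and the Advanced tab's box is now labelled "Disable recursion (also disables forwarders)"; the Windows 2000 dnscmd equivalents are given in comments.

```powershell
<#
  Added example: audit the forwarder/recursion settings on each DC that
  runs the DNS Server role, and optionally set them the way Herb advises
  (forward-only, recursion left enabled so forwarding still works).
  Assumptions: DnsServer + ActiveDirectory modules, DNS admin rights,
  DCs reachable over WinRM/RPC. Run without arguments to report only;
  add -Fix to apply the settings.
#>
param(
    [switch]$Fix
)

Import-Module DnsServer
Import-Module ActiveDirectory

function Test-DcForwarding {
    param([string]$Dc)

    $fwd = Get-DnsServerForwarder -ComputerName $Dc -ErrorAction Stop
    $rec = Get-DnsServerRecursion -ComputerName $Dc -ErrorAction Stop

    $issues = @()

    if (-not $fwd.IPAddress) {
        # No forwarders at all: every Internet lookup recurses from the
        # root hints, so the DC talks directly to external port 53.
        $issues += 'NoForwarders'
    }
    if ($fwd.UseRootHint) {
        # "Use root hints if no forwarders are available" is ticked
        # (Windows 2000/2003 wording: "Do not use recursion" is NOT ticked).
        # A slow or unreachable forwarder makes the DC fall back to full
        # recursion, which is what appears as outbound 53 in the firewall log.
        $issues += 'RootHintFallback'
    }
    if (-not $rec.Enable) {
        # Advanced tab "Disable recursion (also disables forwarders)".
        # This is the box NOT to tick: the server then answers only from
        # its own zones and cache and Internet names fail.
        $issues += 'RecursionDisabled'
    }

    [pscustomobject]@{
        DC               = $Dc
        Forwarders       = ($fwd.IPAddress -join ', ')
        UseRootHint      = $fwd.UseRootHint
        RecursionEnabled = $rec.Enable
        Issues           = ($issues -join ', ')
    }
}

function Repair-DcForwarding {
    param([string]$Dc)
    # Forward-only (no root-hint fallback) with recursion enabled.
    # Windows 2000 dnscmd equivalents:
    #   dnscmd $Dc /Config /IsSlave 1
    #   dnscmd $Dc /Config /NoRecursion 0
    Set-DnsServerForwarder -ComputerName $Dc -UseRootHint $false
    Set-DnsServerRecursion  -ComputerName $Dc -Enable $true
}

$results = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        $r = Test-DcForwarding -Dc $dc
        # Never switch a DC to forward-only when it has no forwarders:
        # that would cut off Internet resolution entirely. Add the two
        # public DNS servers first (Add-DnsServerForwarder), then re-run.
        if ($Fix -and $r.Issues -and $r.Issues -notmatch 'NoForwarders') {
            Repair-DcForwarding -Dc $dc
            $r = Test-DcForwarding -Dc $dc   # re-read after the change
        }
        $r
    } catch {
        Write-Warning "${dc}: could not read DNS server settings: $_"
    }
}

$results | Format-Table -AutoSize
```

Once every DC reports no issues, the only legitimate outbound port 53 traffic from the DCs is to the two forwarder addresses, so the firewall rule can be narrowed to exactly those destinations (UDP and TCP 53) with everything else from the DCs on port 53 logged and denied. Any hits that remain after that are no longer explained by root-hint fallback and deserve the closer look Dave was asking about.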