You should never have an AD domain controller doing your outside DNS. Let them have the DNS for the world and you keep it for the inside on the domain controllers. Name your domain differently than your actual web presence (that may be too late). This way, if it doesn't find it in your DNS, then it will look at the forwarders, which will be your world DNS, or you could not use the forwarders at all. The security guy will be none the wiser.

I just got back from an MS security sponsored class. They recommend that AD controllers not even be accessible to the world, along with the AD DNS. There is too much info an AD DNS could give up about your organization. Hack that and the bad guy is halfway home. You know the machine names and IPs. All you need then is a few free hack tools to start banging away at the administrator accounts on the PDCs.

HTH
Joe Sargent

-----Original Message-----
From: DeGrands, Charles [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 12, 2002 3:42 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] DNS control

Hello all,

I need some advice on DNS, please. Who controls DNS in your organization? We currently use Y2K DNS for our internal and external zones. The security team has brought up the possibility of taking over the DNS structure. We, on the AD team, feel it would be a bad deal for internal resolution, but we'll give up external zones. We are concerned that the new security officer came from old school DNS and doesn't understand the tight integration that Y2K involves. This is just short and sweet to see if I can generate any comments for you.

Thanks in advance.
Charles
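As an added illustration of the split arrangement Joe describes (the AD zone served only inside on the domain controllers, forwarders pointing at the outside resolvers, and the DCs' DNS not reachable from the world), the following PowerShell is not from the thread or from Microsoft. It assumes the DnsServer and DnsClient modules that ship with Windows Server 2012 and later, which postdate this 2002 exchange; the zone name, interface address and resolver addresses are constructed placeholders. The closing check models the leakage concern in the reply: the domain controller locator SRV record must resolve from inside but must not be answerable through the world resolver.

```powershell
# Added example (not from the thread): split DNS on a Windows domain controller.
# Assumes the DnsServer and DnsClient modules (Windows Server 2012 or later).
# All names and addresses below are constructed placeholders.
#Requires -Modules DnsServer, DnsClient

$InternalZone   = 'corp.example.internal'            # AD domain name, deliberately not example.com
$InternalNic    = '192.0.2.10'                       # the DC's inside interface (constructed)
$WorldResolvers = '203.0.113.53', '203.0.113.54'     # the "world DNS" run by the security team (constructed)

# 1. Listen only on the inside interface so the DC's DNS is never reachable from outside.
$settings = Get-DnsServerSetting -All
$settings.ListeningIPAddress = [System.Net.IPAddress[]]@($InternalNic)
Set-DnsServerSetting -InputObject $settings

# 2. Anything not found in the internal zones goes to the forwarders; no direct root-hint lookups.
Set-DnsServerForwarder -IPAddress $WorldResolvers -UseRootHint $false

# 3. Keep the AD zone itself locked down: secure dynamic updates only, no zone transfers.
Set-DnsServerPrimaryZone -Name $InternalZone -DynamicUpdate Secure -SecureSecondaries NoTransfer

# 4. Defender-side verification of the split.
function Test-SplitDns {
    param(
        [Parameter(Mandatory)] [string]$Zone,
        [Parameter(Mandatory)] [string]$InsideServer,
        [Parameter(Mandatory)] [string]$WorldResolver
    )
    $locator = "_ldap._tcp.dc._msdcs.$Zone"   # record every domain member uses to find a DC
    $result  = [ordered]@{}

    # Inside: the locator record must resolve through the DC itself.
    $inside = Resolve-DnsName -Name $locator -Type SRV -Server $InsideServer -ErrorAction SilentlyContinue
    $result.InternalSrvResolves = [bool]$inside

    # Outside: the same record must NOT be answerable by the world resolver.
    $outside = Resolve-DnsName -Name $locator -Type SRV -Server $WorldResolver -ErrorAction SilentlyContinue
    $result.InternalSrvLeaksToWorld = [bool]$outside

    # Forwarders and listening addresses as configured above.
    $result.Forwarders = (Get-DnsServerForwarder).IPAddress.IPAddressToString
    $result.Listening  = (Get-DnsServerSetting -All).ListeningIPAddress.IPAddressToString

    [pscustomobject]$result
}

Test-SplitDns -Zone $InternalZone -InsideServer $InternalNic -WorldResolver $WorldResolvers[0] | Format-List
```

Run it on the domain controller with an account that holds DNS administrator rights; a healthy split shows `InternalSrvResolves` true and `InternalSrvLeaksToWorld` false. If the second value is true, the internal zone is being served or replicated somewhere the outside can reach, which is exactly the exposure the reply warns about.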
List info: http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
