I use root hints here and at home just fine as my DNS resolution scheme
and have removed DNS forwarding for external requests.
Removing DNS forwarders just means that it takes a smidge longer to
resolve external requests.
I look inward to the DC for my DNS; it then uses root hints. There are
two stages going on in my network.
Edwin wrote:
Let's say that a DNS packet is sent across the network to a DNS server and is
"x" in size. Everything works as it should, and all is great.
But someone wants to have fun and then sends out a DNS request that is "xxx"
or greater in packet size to a DNS server. The packets are small enough
not to come across to the DNS servers as a valid request.
DNS does not know how to resolve it so it bounces the request to a Root
Server or other configured DNS servers. The request never gets resolved
because the packet is not correct.
The end result is a DDOS on the network.
Removing forwarding is not an option in MSFT DNS (as far as I can tell).
The *nix servers do not have this problem.
I think the confusion is because I mentioned "DNS Smurfing" which is of
concern without putting emphasis on DDOS.
The internal network would still need to resolve external non authoritative
requests.
Thanks,
Edwin
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, October 27, 2005 10:35 AM
To: [email protected]
Subject: Re: [ActiveDir] DNS Forwarding
Why not use root hints instead?
<cough> in our little SBS wizard... at the screen where you are prompted
to enter dns forwarders, you hit 'cancel' and it sets up root hints
http://www.sbslinks.com/images/time.h71.gif
If you are concerned about dns forwarding... which you should be ....
you don't even want to forward from internal requests.
We little SBS boxes are wizard-recommended to use DNS forwarders... BUT... if
we forward to an upstream BIND 5 or 7, even though we look inward for
our DNS and do not expose our port 53, we are reliant on the kindness
and patching of those BIND servers.
Microsoft DNS servers since Windows 2003 sp3 [if I remember right] have
been prevented from poisoning 'to' other folks. But if we rely [forward]
on a poisoned BIND DNS server, we can get nailed.
I don't know if I ever got back to this but one of the Networking guys
walked me through setting up this
DNS:
http://www.sbslinks.com/DNS.htm
Edwin wrote:
Is it possible within MSFT DNS to only accept DNS forwards from
internal requests?
Please consider the fact that a domain may not always be configured to
look at internal DNS servers only. Also, it is not required for a
domain to be used when DNS services are required. DNS may be
configured on a machine that is for either internal or external use or
both.
If this is possible, this will help with "DNS Smurfing" attacks that
could affect a network.
If you haven't read it already, you may find the information in the
URL http://www.measurement-factory.com/press/20051024.html useful.
This article brings me to my question about preventing external DNS
forwards.
Thanks,
Edwin
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
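The two things argued over in this thread (drop the upstream forwarders in favour of root hints, and answer recursive queries only for internal clients) can both be done on a current Microsoft DNS server from PowerShell. The script below is an added example, not something any poster in the thread wrote. It uses the DnsServer module that ships with Windows Server 2012 and later, and the recursion-scope and DNS-policy cmdlets that only appeared in Windows Server 2016; on the Windows Server 2003 / SBS boxes being discussed, the only server-wide knob was "Disable recursion (also disables forwarders)", which would have stopped internal clients resolving external names too. The subnet 10.0.0.0/8 and the scope and policy names are assumptions chosen for illustration; substitute your own.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session
# on the DNS server itself. Requires Windows Server 2016 or later for the
# recursion-scope / query-resolution-policy cmdlets in step 2.
# Assumptions: internal clients live in 10.0.0.0/8; the names "Internal",
# "InternalClients" and "RecurseForInternalOnly" are arbitrary.

Import-Module DnsServer

# 1. Remove server-level forwarders and resolve via root hints instead.
#    Check that root hints are actually loaded first: with no forwarders and
#    no root hints, external names simply stop resolving.
$hints = Get-DnsServerRootHint
if (-not $hints) {
    throw "No root hints loaded; restore cache.dns before removing forwarders."
}
$fwd = Get-DnsServerForwarder
if ($fwd.IPAddress) {
    Remove-DnsServerForwarder -IPAddress $fwd.IPAddress -Force
}
Set-DnsServerForwarder -UseRootHint $true

# 2. Recursion only for internal source addresses.
#    The default recursion scope "." has recursion switched off, a named scope
#    switches it on, and a query-resolution policy routes queries from the
#    internal subnet to that scope. Anything else gets authoritative data or a
#    refusal, never a recursive lookup on the caller's behalf.
Add-DnsServerClientSubnet -Name "Internal" -IPv4Subnet "10.0.0.0/8"
Add-DnsServerRecursionScope -Name "InternalClients" -EnableRecursion $true
Set-DnsServerRecursionScope -Name "." -EnableRecursion $false
Add-DnsServerQueryResolutionPolicy -Name "RecurseForInternalOnly" `
    -Action ALLOW -ApplyOnRecursion `
    -RecursionScope "InternalClients" `
    -ClientSubnet "EQ,Internal"

# 3. Show the resulting state so the change can be eyeballed and logged.
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint
Get-DnsServerRecursionScope | Format-Table Name, EnableRecursion
Get-DnsServerQueryResolutionPolicy | Format-Table Name, Action, IsEnabled
```

To check the policy from the outside, send a recursive query for a name the server is not authoritative for from an address outside 10.0.0.0/8 (for example `nslookup www.example.com <server-ip>` from a host on the public side): it should not come back with an answer, while the same query from an internal client should. Note that the policy matches on source address, so it does not by itself stop spoofed queries from inside the permitted subnet; the firewall rule that keeps port 53 closed to the Internet, which Susan mentions, is still the primary control.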