On Thu, 20 Jun 2002, Roger Cornelius wrote:

> "Michael O'Quinn" ([EMAIL PROTECTED]) wrote:
>
>> On Thu, 20 Jun 2002, Roger Cornelius wrote:
>>
>>> Sorry for not responding sooner. This message was stuck in the mail queue
>>> for some reason and only got delivered to my mailbox last night.
>>>
>>> "Michael O'Quinn" ([EMAIL PROTECTED]) wrote:
>>>
>>>> On Tue, 18 Jun 2002, Roger Cornelius wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Apologies because this is only partially related to gnatbox.
>>>>>
>>>>> We have two win2kserver machines on our network which insist on making
>>>>> DNS queries to DNS servers not assigned to us. The other machines on
>>>>> our net are win98, win2kpro, and one unix box. This problem occurs only
>>>>> with the 2 win2kserver machines.
>>>>>
>>>>> One machine was previously configured as a domain controller with a name
>>>>> of abc. abc is not our registered domain name, but abc.com does exist.
>>>>> abc is configured to use xyz (another internal machine) for DNS service.
>>>>> abc is not generally used for interactive use. Somehow, abc discovered
>>>>> the DNS server IP addresses (the ones listed by whois) for abc.com and
>>>>> is using them for queries.
>>>>
>>>> Is that for all or the majority of queries? If so, that is a
>>>> mis-configuration of the Windows box.
>>>
>>> I just disabled the block and set the GB to log accepted. I'll analyse
>>> the results after a day or so and see. Can I assume that a lot of the
>>> blocked DNS requests I was seeing were due to the win2kserver box
>>> retrying when the initial request was blocked?
>>
>> I would think that the majority of those queries, if they are going all
>> over or to the root name servers, are simply DNS trying to do its job as it
>> should. If they are all going to one site, like the abc.com you
>> mentioned, then you probably have a WinDoze mis-configuration. I'm afraid
>> someone else will have to help you if that's the case. I've always been
>> afraid of WinDoze server products (mostly because of inherent security
>> problems, many of which are coming to light these days) and have avoided
>> them religiously.
>>
>> Also, abc.com's DNS servers should NOT be resolving your queries for you.
>> It is considered a security risk to resolve recursive queries for domains
>> you do not own or at least trust. Maybe your server is querying abc.com
>> but THEY are rejecting them. The list of the root name servers can be
>> found at <ftp://ftp.rs.internic.net/domain/named.root>. Just another
>> thought as you start staring at the logs.
>
> I just checked the active filter statistics on the GB and the number of
> DNS queries which have been accepted since I made the change earlier
> today is very low (~500) compared to the number of queries which were
> being blocked when I had it in effect (several thousand a day). This
> leads me to believe the win boxes were continuously retrying the blocked
> queries. I'll look at this further tomorrow, but I'm beginning to think
> the problem I perceived was due to my lack of understanding of the way
> DNS works.
> Thanks again.

I've been watching the logs of dns queries for the last week after turning off my block, and the daily average number of requests is about what I typed above (<500). I have to assume that the high number of blocked requests I was seeing were due to the two win boxes retrying when the requests failed. Apologies for wasting time on this, but thank you to those who responded, and especially to Michael O'Quinn for the lesson on dns.

-- 
Roger Cornelius [EMAIL PROTECTED]
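The thread's conclusion is that raw "blocked" counters overstate the problem, because a resolver whose query is dropped retries it and every retry is logged again. The script below is an added example, not code from the thread or from the GNAT Box product: it parses a small set of constructed firewall log lines (the line format, hosts and addresses are invented for the example and are not the GB log format), counts accepted and blocked DNS packets per internal host, collapses repeated blocked packets from the same source port to the same server within a short window into one underlying lookup, and flags hosts that are talking to resolvers outside the set the administrator has authorized. The "same source port within 30 seconds means a retry" rule is a heuristic assumption of the example, not a documented resolver behaviour.

```python
"""Added example: separate DNS retry storms from distinct lookups in firewall logs.

Log format, hosts and addresses below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <ACCEPT|BLOCK> udp <src>:<sport> -> <dst>:53".
# 192.168.1.10 stands in for the misbehaving Windows box, 192.168.1.2 for the
# internal resolver, 198.51.100.5 and 203.0.113.1 for outside servers.
SAMPLE_LOG = """\
2002-06-20 10:00:00 BLOCK udp 192.168.1.10:1030 -> 198.51.100.5:53
2002-06-20 10:00:01 BLOCK udp 192.168.1.10:1030 -> 198.51.100.5:53
2002-06-20 10:00:02 BLOCK udp 192.168.1.10:1030 -> 198.51.100.5:53
2002-06-20 10:00:04 BLOCK udp 192.168.1.10:1030 -> 198.51.100.5:53
2002-06-20 10:00:08 BLOCK udp 192.168.1.10:1030 -> 198.51.100.5:53
2002-06-20 10:00:20 BLOCK udp 192.168.1.10:1031 -> 198.51.100.5:53
2002-06-20 10:00:21 BLOCK udp 192.168.1.10:1031 -> 198.51.100.5:53
2002-06-20 10:00:22 BLOCK udp 192.168.1.10:1031 -> 198.51.100.5:53
2002-06-20 10:00:30 ACCEPT udp 192.168.1.20:1040 -> 192.168.1.2:53
2002-06-20 10:05:00 ACCEPT udp 192.168.1.20:1041 -> 192.168.1.2:53
2002-06-20 11:00:00 ACCEPT udp 192.168.1.30:1050 -> 203.0.113.1:53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>ACCEPT|BLOCK) udp "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):53$"
)


def parse_line(line):
    """Parse one constructed-format log line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["sport"] = int(rec["sport"])
    return rec


def summarize(log_text, authorized_resolvers, retry_window=timedelta(seconds=30)):
    """Per-source stats: packets accepted/blocked, estimated distinct blocked
    lookups, and the set of unauthorized resolvers the host tried to reach."""
    stats = defaultdict(lambda: {
        "accepted": 0, "blocked": 0, "blocked_lookups": 0, "unauthorized_dst": set(),
    })
    last_blocked = {}  # (src, sport, dst) -> timestamp of the last blocked packet
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["src"]]
        if rec["dst"] not in authorized_resolvers:
            s["unauthorized_dst"].add(rec["dst"])
        if rec["action"] == "ACCEPT":
            s["accepted"] += 1
            continue
        s["blocked"] += 1
        key = (rec["src"], rec["sport"], rec["dst"])
        prev = last_blocked.get(key)
        # Heuristic (assumption of this example): a blocked packet from the same
        # source port to the same server within the window is a retry of the
        # same lookup rather than a new one.
        if prev is None or rec["ts"] - prev > retry_window:
            s["blocked_lookups"] += 1
        last_blocked[key] = rec["ts"]
    return dict(stats)


def report(stats):
    """Render one line per host showing how much the block counter is inflated."""
    lines = []
    for src, s in sorted(stats.items()):
        inflation = (s["blocked"] / s["blocked_lookups"]) if s["blocked_lookups"] else 0.0
        stray = ",".join(sorted(s["unauthorized_dst"])) or "-"
        lines.append(f"{src}: accepted={s['accepted']} blocked={s['blocked']} "
                     f"lookups~{s['blocked_lookups']} (x{inflation:.1f}) stray_resolvers={stray}")
    return lines


if __name__ == "__main__":
    for line in report(summarize(SAMPLE_LOG, {"192.168.1.2"})):
        print(line)
```

On the sample, the Windows stand-in shows eight blocked packets but only two distinct lookups (a 4x inflation), which is the effect the thread describes; the third host is accepted but is flagged because it is using a resolver outside the authorized set, which is the original complaint about servers "not assigned to us". Feeding a real log through this only requires replacing `LINE_RE` with the actual log format.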
