> Unix has nothing to do with it.
>
> BIND runs on Windows, too. It configures with a text
> file but it uses the same zone RFC files as Win DNS.
>
> ACL is access control list. BIND controls access to the
> recursion function by various params, such as a (list of) subnet.
>
> But if you're GUI only, then use the firewall to block
> access from internet to port 53 and turn recursion back on.
>
> Len
We just went through this at our company not too long ago, determining how
we can better secure our DNS. These were the conclusions I believe we have
reached:
1. If you have zones for which you are authoritative, you must allow
traffic on UDP and TCP port 53 from public DNS Clients, to allow lookups for
your zones.
2. If you have DNS Clients that need to do public DNS lookups (lookups of
zones for which your MSDNS servers are non-authoritative), AND you want to
use the same MSDNS servers that are serving your authoritative zones, you
must enable recursion on your MSDNS servers.
3. Allowing recursion on authoritative servers for the public Internet is
not recommended.
4. MSDNS does not allow you to be discriminatory with regards to which DNS
Clients are permitted to use recursion. It's all or nothing with recursion
on MSDNS.
5. Given the rules, the best solutions are (1) Have public, non-recursive
MSDNS servers for your authoritative zones, and set up private recursive
MSDNS servers for your internal use, or (2) Use DNS server software OTHER
than MSDNS to do the job(s).
We're opting to get away from Microsoft DNS altogether.
Not a DNS "expert" (do have substantial experience), so I welcome comments
here.
Marc
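As an added illustration of what the two messages above describe (not a config posted by Len or Marc, and not specific to any real deployment), here is a BIND 9 named.conf fragment showing the weak setting, open recursion on an authoritative server, next to the restricted form that uses an ACL of internal subnets. The address ranges and the zone name are placeholders; the option names (`recursion`, `allow-recursion`, `allow-query`, `acl`) are standard BIND 9 directives.

```conf
// Added example, not from the thread: BIND 9 named.conf fragments.

// --- Weak: recursion open to everyone (what point 3 above warns against) ---
// Any host on the internet can use this authoritative server as its resolver.
options {
    recursion yes;
};

// --- Better: authoritative answers for everyone, recursion only for internal clients ---
// "internal" is the "(list of) subnet" ACL Len refers to; ranges are placeholders.
acl "internal" {
    10.0.0.0/8;          // hypothetical internal range, substitute your own
    192.168.0.0/16;      // hypothetical internal range, substitute your own
    localhost;
};

options {
    recursion yes;
    allow-recursion { internal; };   // recursive lookups only from the ACL
    allow-query { any; };            // point 1: public clients may still query our zones
};

// Placeholder authoritative zone; public clients get answers for it without recursion.
zone "example.com" {
    type master;
    file "example.com.zone";
};
```

With this in place a query from an address outside the ACL for a name in a hosted zone is answered, while a query for some other domain from the same address gets a refusal instead of being resolved on its behalf. Marc's option (1) for MSDNS, separate public servers with recursion off and private servers with recursion on, is the same split expressed as two machines: the public server would carry `recursion no;` in its options block and no ACL at all.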
To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/