Internal DNS - External DNS Config Question

Discussion in 'DNS Server' started by Guest, Nov 17, 2006.

  1. Guest

    Guest Guest

    Ok..I have a 2003 AD domain using AD integrated DNS for the network. I have
    the DNS server pointing to an external DNS server in order for Exchange to
    be able to deliver mail to external addresses. Because the DHCP server gives
    out the internal DNS IP address, users are able to connect to the internet
    without any additional configuration. I also have a proxy server (non-
    Microsoft) on the network and users' IE configured to use it accordingly. My
    problem is that if they figure out how to uncheck the use proxy checkbox,
    they can get out to the internet. How do I configure internal DNS to block
    all external requests except for Exchange?
    Guest, Nov 17, 2006

  2. Guest

    Herb Martin Guest

    "Pointing to" is an imprecise term -- we must presume
    you mean "forwarding to" which has a technical meaning.
    That is a very normal setup (for those allowing Internet connection.)
    This is not really a DNS function (e.g., since they could
    also figure out how to use IP addresses instead of DNS
    names in the browser).

    This is a firewall job. Configure the proxy to block
    all traffic not permitted by your policy; and to block
    all traffic not using the Proxy ports so that they cannot
    avoid it.
    You cannot do this if the Exchange server and the
    regular clients use the same MS DNS server. All
    clients get the same service.
    Herb Martin, Nov 17, 2006

  3. Guest

    Guest Guest

    The proxy server is not configured between the network and the internet so
    your solution is not viable. Thanks for the info though.

    Guest, Nov 17, 2006
  4. Guest

    Herb Martin Guest

    Then filter on your Internet firewall/route to the

    Your proxy server would do a lot more good if it
    were there as well.

    This is not a DNS function -- trying to do such things
    in DNS is a pretty poor hack at best and is never going
    to be truly secure.

    Herb Martin, MCSE, MVP
    Accelerated MCSE
    [phone number on web site]
    Herb Martin, Nov 17, 2006
  5. In
    I agree with Herb as this is not a DNS function. Also the correct
    terminology would eliminate questions about what one is trying to convey.

    As far as the little checkbox, use a GPO to configure a proxy server for all
    AD users. This way it is grayed out in IE's Internet Options. However this
    will not work with other types of browsers.

    How to set advanced settings in Internet Explorer by using Group Policy

    You can also use the IEAK but the GPO method is easier:

    Innovative IT Concepts, Inc (IITCI)
    Willow Grove, PA

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft MVP - Directory Services
    Microsoft Certified Trainer

    Having difficulty reading or finding responses to your post?
    Instead of the website you're using, I suggest to use OEx (Outlook Express
    or any other newsreader), and configure a news account, pointing to This is a direct link to the Microsoft Public
    Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
    to easily find, track threads, cross-post, sort by date, poster's name,
    watched threads or subject.
    It's easy:

    How to Configure OEx for Internet News

    Infinite Diversities in Infinite Combinations
    Assimilation Imminent. Resistance is Futile
    "Very funny Scotty. Now, beam down my clothes."

    The only constant in life is change...
    Ace Fekay [MVP], Nov 18, 2006
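
The thread's conclusion, that restricting outbound access is a firewall job rather than a DNS function, modelled as an added example (not code from any poster in this thread): a first-match egress rule set that lets the whole LAN out, beside one that permits only the proxy, Exchange and the DNS forwarder. All addresses, rule sets and flows are constructed assumptions.

```python
import ipaddress

# Constructed addresses for illustration; none of these come from the thread.
PROXY, EXCHANGE, DNS_SERVER, CLIENT = "10.0.0.20", "10.0.0.10", "10.0.0.5", "10.0.0.101"
AUTHORISED = {PROXY, EXCHANGE, DNS_SERVER}

# Rule: (source network, protocol or "any", destination port or None, action)
WEAK = [("10.0.0.0/24", "any", None, "allow")]  # whole LAN may go out
STRICT = [
    (PROXY + "/32", "tcp", 80, "allow"),        # web only via the proxy
    (PROXY + "/32", "tcp", 443, "allow"),
    (EXCHANGE + "/32", "tcp", 25, "allow"),     # outbound SMTP from Exchange
    (DNS_SERVER + "/32", "udp", 53, "allow"),   # forwarder queries
    (DNS_SERVER + "/32", "tcp", 53, "allow"),
    ("0.0.0.0/0", "any", None, "deny"),         # everything else, explicit
]

# Constructed outbound flows: (label, source, protocol, destination port)
FLOWS = [
    ("client, proxy unchecked", CLIENT, "tcp", 80),
    ("client, raw IP over HTTPS", CLIENT, "tcp", 443),
    ("client, external resolver", CLIENT, "udp", 53),
    ("proxy fetch", PROXY, "tcp", 80),
    ("Exchange SMTP", EXCHANGE, "tcp", 25),
    ("DNS forwarder", DNS_SERVER, "udp", 53),
]

def evaluate(rules, src, proto, dport):
    """First matching rule wins; no match means deny."""
    addr = ipaddress.ip_address(src)
    for net, rproto, rport, action in rules:
        if (addr in ipaddress.ip_network(net)
                and rproto in ("any", proto) and rport in (None, dport)):
            return action
    return "deny"

def bypasses(rules, flows=FLOWS):
    """Labels of flows that leave the network from a non-authorised host."""
    return [label for label, src, proto, dport in flows
            if src not in AUTHORISED and evaluate(rules, src, proto, dport) == "allow"]

def broken(rules, flows=FLOWS):
    """Labels of authorised flows the rule set would wrongly block."""
    return [label for label, src, proto, dport in flows
            if src in AUTHORISED and evaluate(rules, src, proto, dport) == "deny"]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("strict", STRICT)):
        print(name, "bypasses:", bypasses(rules), "broken:", broken(rules))
```

The client flows are blocked regardless of which browser is used or whether a name is resolved at all, which is why the filtering belongs at the network edge.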