Internal DNS - External DNS Config Question

Ok..I have a 2003 AD domain using AD integrated DNS for the network. I have
the DNS server pointing to an external DNS server in order for Exchange to
be able to deliver mail to external addresses. Because the DHCP server gives
out the internal DNS ip address , users are able to connect to the internet
without any additional configuration. I also have an proxy server(non
microsoft) on the network and users IE configured to use accordingly. My
problem is that if they figure out how to uncheck the use proxy checkbox,
they can get out to the internet. How do i configure internal dns to block
all external requests except for exchange?

 

"Pointing to" is an imprecise term -- we must presume
you mean "forwarding to" which has a technical meaning.

That is a very normal setup (for those allowing Internet connection.)

This is not really a DNS function (e.g., since they could
also figure out how to use IP addresses instead of DNS
names in the browser).

This is a firewall job. Configure the proxy to block
all traffic not permitted by your policy; and to block
all traffic not using the Proxy ports so that they cannot
avoid it.

You cannot do this if the Exchange server and the
regular clients use the same MS DNS server. All
clients get the same service.

 

The Proxy server is not configured between the network and the internet so
your solution is not viable. Thanks for the info though

 

Then filter on your Internet firewall/route to the
Internet

Your proxy server would do a lot more good if it
were there as well.

This is not a DNS function -- trying to do such things
in DNS is a pretty poor hack at best and is never going
to be truly secure.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

 

In

I agree with Herb as this is not a DNS function. Also the correct
terminology would eliminate questions about what one is trying to convey.

As far as the little checkbox, use a GPO to configure a proxy server for all
AD users. This way it is grayed out in IE's Intertnet Options. However this
will not work with other type of browsers.

How to set advanced settings in Internet Explorer by using Group Policy
Objects:
http://support.microsoft.com/kb/274846/en-us

You can also use the IEAK but the GPO method is easier:
http://www.microsoft.com/technet/prodtechnol/ie/ieak/default.mspx

--
Ace
Innovative IT Concepts, Inc (IITCI)
Willow Grove, PA

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.
It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only constant in life is change...