to forward or not to forward??

Discussion in 'DNS Server' started by Andy123, Sep 14, 2005.

  1. Andy123

    Andy123 Guest

    Hi All
    We are just implementing AD and i have a question about DNS forwarding.
    All client PC'S use a proxy server for internet access. (This proxy does the
    DNS lookup so the client doent need to) However we have some sites that we
    MUST have access to that the proxy server cant proxy for one reason or
    another.

    All client PC'S have DNS entries for our AD dns servers. These dns servers
    do NOT forward requests to the net as this is not usually needed because we
    are using a proxy server.
    However i am now being asked to enable forwarding on our dns server so that
    clients can resolve internet names directly.
    I feel this is a risk as it would basilcally allow all internal machines
    full unrestricted access to the net and any internet apps like Kazzaa
    etc.....(the firewall only blocks limited outbound ports.)

    What would be the best option? Am i worrying needlessly?--
    BTW we have around 5000 workstations if this makes a difference.

    Thanks
    Andy
     
    Andy123, Sep 14, 2005
    #1
    1. Advertisements

  2. do NOT forward requests to the net as this is not usually needed because
    Is your proxy server blocking resolution to these sites now? What is keeping
    them from accessing these sites now?


    DDS W 2k MVP MCSE
     
    Danny Sanders, Sep 14, 2005
    #2
    1. Advertisements

  3. Andy123

    Sharad Naik Guest

    Allowing your DNS servers, to resolve external queries is not a real
    security threat,
    ( and I don't consider, restricting DNS configuration not to resolve
    certain domains a good practice, for, anyone having just little knowledge
    about IP addresses and Domain Names can, coolly
    use IP addresses to access whatever he/she wants to).

    Basically even with your present configuration if you really want to block
    certain internet application, you should be using other methods,
    life a firewall blocking those certian outging ports or IPSEC etc.

    So if you want only novices to block access to such sites / programs /
    ports, and won't mind experimentive characters accessing those restriceted,
    programs, you should continue with your DNS servers having the root zone,
    otherwise you can delete the root zone, configure the forwarders, and use
    firewall / IPSEC to properly block the programs / ports you want to.

    Sharad
     
    Sharad Naik, Sep 14, 2005
    #3
  4. Andy123

    Andy123 Guest

    Ok,
    Currently without dns and a proxy no internet access
    With proxy entered into IE internet access. But users cant use things like
    edonky etc as they cant resolve names.
    If however we configure the DNS server that that users is using to forward
    they get internet access even without a proxy.
    I know we could block port 80 and that would stop it but users could still
    get to other things that are not on port 80
     
    Andy123, Sep 15, 2005
    #4
  5. Andy123

    Sharad Naik Guest

    If the "other sites" which you say you want to give access to are a few,
    then you can use conditional forwarding for each of such sites.
    So your DNS server will forward queries on for those sites for which you
    configure conditional forwading.

    Sharad
     
    Sharad Naik, Sep 15, 2005
    #5
  6. With proxy entered into IE internet access. But users cant use things like
    This must be configured *somewhere* on the proxy.

    Like another poster stated DNS is not supposed to be used as a permission
    tool. In your current setup your proxy is the "permission" tool.

    Try forwarding to your proxy server or get an application that is designed
    to do what you want.

    hth
    DDS W 2k MVP MCSE
     
    Danny Sanders, Sep 15, 2005
    #6
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.