Posted by Miha Pihler [MVP] on September 21, 2005, 10:01 pm
Hi,
You have a few options.
Could you allow external DNS resolution just for the IP addresses used by the
SIP phones and block it for all other clients and servers?
You could block UDP port 53 on the firewall just for your Active Directory DNS
server. This will prevent this server from resolving external hosts.
Another option would be to remove the Root Hints. Personally, I would go with the
first or second option. If you don't, users could still do e.g.
nslookup www.cnn.com 193.2.1.66
where 193.2.1.66 is the IP address of an external DNS server...
--
Mike
Microsoft MVP - Windows Security
> Hi,
>
> Thanks for the reply. I would like to resolve internal hosts, but would
> like to disallow all internal hosts from resolving any name outside my
> internal domain, especially public IPs. I have a few SIP phone users who
> need port 53 to resolve from the ISP. There are no forwarders configured
> on the server. If I remove the Root Hints, will there be any effect on name
> resolution for internal hosts?
>
>
> Miha Pihler [MVP] wrote:
>>Hi,
>>
>>If I understand your question, you would like to disallow any name
>>resolution outside your internal domain.
>>
>>If this is so, you have a few options:
>>a) close UDP port 53 -- this will prevent any queries
>>b) make sure you don't have any forwarders set on your DNS servers (right
>>click on the DNS server and click on the Forwarders tab)
>>c) remove the Root Hints from the DNS servers (right click on the DNS server
>>and click on the Root Hints tab)
>>
>>Most useful would be option a. Even if you do b. and c., users could still
>>do e.g.:
>>
>>nslookup www.microsoft.com 193.2.1.66
>>
>>where 193.2.1.66 is an external DNS server.
>>
>>I hope this helps,
>>
>>> Hi,
>>>
>>[quoted text clipped - 8 lines]
>>>
>>> Thanks.
>
>
> --
> Message posted via http://www.winserverkb.com
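The options traded back and forth in this thread, as a small Python model. This is an added example, not code from the original posts. The addresses are constructed (10.0.0.0/24 as the LAN, 10.0.0.10 as the Active Directory DNS server, 10.0.0.50 and 10.0.0.51 as the SIP phones, 198.51.100.1 standing in for a root server), the internal domain corp.example is assumed, and the perimeter firewall is modelled as a first-match egress rule list; 193.2.1.66 is the external DNS server named in the posts. `resolve` reports what a client running `nslookup <name> <server>` would get under each rule set, with root hints present or removed, so the "users could still do nslookup www.cnn.com 193.2.1.66" point can be checked for each option rather than argued.

```python
"""Model of the DNS egress policy discussed in the thread (added example,
not from the original posts). All addresses are constructed: 10.0.0.0/24 is
the internal LAN, 10.0.0.10 the Active Directory DNS server, 10.0.0.50 and
10.0.0.51 the SIP phones, 193.2.1.66 the external DNS server from the posts
and 198.51.100.1 stands in for a root server."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

INTERNAL_DOMAIN = "corp.example"   # assumed internal AD domain
LAN = ip_network("10.0.0.0/24")
ANY = ip_network("0.0.0.0/0")
AD_DNS = "10.0.0.10"
SIP_PHONES = ("10.0.0.50", "10.0.0.51")
ROOT_SERVER = "198.51.100.1"       # stand-in for any root server address


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None matches any destination port


# Perimeter egress rules; first match wins, unmatched traffic is dropped.
# Option 1 from the post: only the SIP phones may reach outside DNS.
SIP_ONLY_DNS = [
    *[Rule("allow", ip_network(f"{p}/32"), ANY, 53) for p in SIP_PHONES],
    Rule("deny", LAN, ANY, 53),
    Rule("allow", LAN, ANY, None),   # non-DNS traffic is out of scope here
]

# Option 2 from the post: block port 53 just for the AD DNS server.
AD_SERVER_ONLY = [
    Rule("deny", ip_network(f"{AD_DNS}/32"), ANY, 53),
    Rule("allow", LAN, ANY, None),
]

# No DNS filtering at all, to see what options b and c achieve on their own.
OPEN = [Rule("allow", LAN, ANY, None)]


def egress_allowed(src: str, dst: str, dport: int, rules) -> bool:
    """First-match evaluation of one outbound packet at the perimeter."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and r.dport in (None, dport):
            return r.action == "allow"
    return False


def resolve(name: str, client: str, server: str, rules,
            root_hints: bool = True, forwarders=()) -> str:
    """Outcome of running `nslookup <name> <server>` on `client`.

    Returns "answered" when the name would resolve, otherwise the reason it
    fails. Traffic between LAN hosts never crosses the firewall, so the rule
    set only matters once a packet has to leave the LAN.
    """
    if ip_address(server) not in LAN:
        # The client went straight to an outside resolver, bypassing AD DNS.
        if egress_allowed(client, server, 53, rules):
            return "answered"
        return "blocked-by-firewall"
    if name.endswith("." + INTERNAL_DOMAIN):
        return "answered"            # authoritative zone, nothing leaves the LAN
    # External name: the AD server has to recurse via a forwarder or the roots.
    for fwd in forwarders:
        if egress_allowed(server, fwd, 53, rules):
            return "answered"
    if root_hints and egress_allowed(server, ROOT_SERVER, 53, rules):
        return "answered"
    return "no-recursion-path"


def scenarios() -> dict:
    """Lookups from a workstation (10.0.0.20) and a SIP phone under each rule set."""
    ws, phone, ext = "10.0.0.20", SIP_PHONES[0], "193.2.1.66"
    return {
        "internal name via AD DNS, root hints removed":
            resolve("fs1.corp.example", ws, AD_DNS, SIP_ONLY_DNS, root_hints=False),
        "www.cnn.com via AD DNS, option 1":
            resolve("www.cnn.com", ws, AD_DNS, SIP_ONLY_DNS),
        "workstation nslookup www.cnn.com 193.2.1.66, option 1":
            resolve("www.cnn.com", ws, ext, SIP_ONLY_DNS),
        "SIP phone nslookup www.cnn.com 193.2.1.66, option 1":
            resolve("www.cnn.com", phone, ext, SIP_ONLY_DNS),
        "www.cnn.com via AD DNS, option 2":
            resolve("www.cnn.com", ws, AD_DNS, AD_SERVER_ONLY),
        "workstation nslookup www.cnn.com 193.2.1.66, option 2":
            resolve("www.cnn.com", ws, ext, AD_SERVER_ONLY),
        "www.cnn.com via AD DNS, no firewall, root hints removed":
            resolve("www.cnn.com", ws, AD_DNS, OPEN, root_hints=False),
        "workstation nslookup www.cnn.com 193.2.1.66, no firewall":
            resolve("www.cnn.com", ws, ext, OPEN),
    }


if __name__ == "__main__":
    for label, outcome in scenarios().items():
        print(f"{outcome:22} {label}")
```

Running it shows the difference between the options: with the SIP-only rule set both the AD server's recursion and a workstation's direct query to 193.2.1.66 fail while the phones still resolve; blocking port 53 only for the AD server stops the server but not a workstation pointing nslookup at an outside server; and removing root hints with no forwarders and no firewall rule stops recursion on the AD server only, leaving the direct-query path open. Internal names keep resolving in every case because the server is authoritative for them and never needs to leave the LAN.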