In doing a check of our DNS servers recently, I was surprised to find that they would resolve requests that weren't coming from our network. We have been experiencing some bandwidth congestion issues lately, and this might be part of the problem. We're using BIND on a Linux box for secondary DNS and Windows 2000 DNS for our primary external DNS servers. Our internal network points to our external servers for outside resolution. How can we still allow our internal network to resolve outside systems but control what can be done from the outside world?
Via the Internet
This is where the choice of DNS implementation matters for how much protection you get. The first concern is something called recursive lookups. If the answer to a resolution request isn't found on the DNS server in question, that server goes to one of the root DNS servers to find the information. The root server responds with the name and IP address of one of the DNS servers for the domain in question. If recursive lookups are disabled on your server, this type of request will not be processed; the requesting system instead gets back a referral indicating which root DNS servers may have the information.
What you want to do is allow recursive lookups for your internal network while disallowing that type of lookup for requests coming from outside your network. The latest version of BIND (9.3.1) handles this type of configuration easily. Earlier versions can probably handle it to varying degrees; I only had BIND 9.3.1 set up in the lab. You will set up an Access Control List (ACL) for the range of IP addresses your network is using. This will probably be the public IP addresses assigned by your ISP, assuming you have a firewall between your network and the Internet, and your external DNS servers are sitting between the firewall and the router connecting you to the Internet. In going over the options in Windows 2000 DNS, I could only find the option to disable recursion in total, not a way to selectively allow it.
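As an added illustration (not configuration from the column or from the reader's servers), here is what that ACL looks like in a BIND 9.3 named.conf. The address block 192.0.2.0/24 and the master address 192.0.2.1 are placeholders standing in for the ISP-assigned public range and the Windows 2000 primary; substitute your own.

```conf
// Constructed example: clients allowed to use this server as a recursive resolver.
// 192.0.2.0/24 is a placeholder for the public range your ISP assigned you.
acl "trusted" {
    127.0.0.1;
    192.0.2.0/24;
};

options {
    directory "/var/named";

    // Recursion stays on, but only clients matching the ACL may use it.
    // Everyone else gets a referral to the root servers instead of an answer.
    recursion yes;
    allow-recursion { "trusted"; };

    // Anyone may still query the zones this server is authoritative for,
    // which is what a public secondary needs.
    allow-query { any; };
};

// The secondary zone pulled from the Windows 2000 primary (placeholder address).
zone "example.com" {
    type slave;
    file "slave/example.com";
    masters { 192.0.2.1; };
};
```

To confirm the change from the outside, query the server from a host that is not in the ACL for a name it is not authoritative for, for example `dig @ns1.example.com www.example.org A`. With recursion restricted you should see no `ra` (recursion available) flag in the response header and a referral rather than an answer section; from inside the ACL the same query returns the full answer.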