how to restrict our dns server to reply to only some dns servers ?

    Question

  • hi all

    As you know, for example, when someone creates a stub zone for our DNS zone without zone transfer being allowed, he still receives (transfers) our zone's SOA, NS and A glue records, and so he comes and queries our DNS server for our internal private network resource records.

    How can we restrict our DNS server to reply only to queries that come from some specific DNS servers (some specific IP addresses)?

    thanks in advance

    Saturday, October 22, 2011 12:22 AM

Answers

  • Where is or are the DNS server(s) where the user created the stub zone? Is it within your network subnet, or outside the company? Is it a rogue DNS server?

    Stub zones won't work unless zone transfers were specifically allowed on the master zone to either the IP of the DNS server hosting the stub that is requesting SOA records of the zone, or if zone transfers were set to "to any server."

    So you are saying that zone transfers are disabled, yet someone is able to create a stub zone? I don't see this as possible; however, the other person could have created a Conditional Forwarder, which does not require zone transfers.

    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Proposed as answer by Tiger Li Monday, October 24, 2011 9:40 AM
    • Marked as answer by Tiger Li Thursday, October 27, 2011 12:49 PM
    Saturday, October 22, 2011 4:11 PM
  • In addition to Ace's response, DNS itself doesn't really have "built-in" security for replying to queries (sort of depending on whether you have recursion enabled or not, but this is not what you are referring to).

    To prevent a specific list of DNS servers from reaching your server, you can easily configure your firewall to block all TCP/UDP port 53 traffic from ALL nodes except the list of DNS servers that you allow.

    Guides and tutorials, visit ITGeared.com.

    • Proposed as answer by Tiger Li Monday, October 24, 2011 9:40 AM
    • Marked as answer by Tiger Li Thursday, October 27, 2011 12:49 PM
    Saturday, October 22, 2011 4:40 PM
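One way to apply the firewall restriction that answer describes on a Windows DNS server, as an added PowerShell example that is not from the thread or from either poster; the peer addresses, the rule names and the built-in "DNS Service" rule group are assumptions:

```powershell
# Added example (not from the thread): restrict inbound DNS (port 53) on a
# Windows DNS server to a fixed list of peer DNS servers with Windows Firewall.
# Run in an elevated PowerShell on the DNS server. Addresses are placeholders.

$AllowedDnsPeers = @('192.0.2.10', '192.0.2.11', '198.51.100.0/24')   # constructed sample

# Windows Firewall evaluates explicit Block rules before Allow rules, so a
# "block port 53 from Any" rule would also block the allowed peers. Instead,
# rely on the profile's default inbound action (Block) and make sure the only
# Allow rules for port 53 are scoped to the peer list.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# The DNS Server role installs Allow rules for port 53 from any address.
# Assumed display group; confirm with:  Get-NetFirewallRule -DisplayGroup 'DNS Service'
Get-NetFirewallRule -DisplayGroup 'DNS Service' -Direction Inbound -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

foreach ($proto in 'UDP', 'TCP') {
    $name = "DNS $proto inbound - allowed peers only"
    # Re-create the rule so the script can be re-run after editing the peer list
    Remove-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol $proto `
        -LocalPort 53 -RemoteAddress $AllowedDnsPeers -Action Allow -Profile Any | Out-Null
}

# Verify: list every enabled inbound rule that opens port 53 with its remote scope
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 53 } |
    Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        '{0,-45} {1}' -f $_.DisplayName, $scope
    }
```

If clients on the internal network query this server directly rather than through the allowed DNS servers, their subnets must be added to the list as well, or their name resolution will stop working.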
