Win95 machine not looking at 2nd and 3rd DNS

nobody nobody at nowhere.com
Mon Mar 13 11:41:38 UTC 2000


Kevin (and everyone else)

I've given up.  I've set the internal nameserver to forward to the
external ISP nameservers.

I've then given the Internet router a list of static IP addresses to
not allow through (ie. the unauthorised users).  Much better results
over all.  There are reasons for me not doing this straight away (mainly
company politics).  But now I've just put it in, and I'll see if anyone
complains.

I've toyed with the idea of a firewall on linux, but we are moving to a
new ISP in the coming months who is providing Firewall-1 to us, so I've
not spent the time looking.

Thanks for the help

Mark Taylor

> 
> Sounds like you need multiple DNS servers then, some (perhaps only 1) of which
> only knowing internal names, and some (perhaps only 1) which can also forward to
> resolve Internet names. To take this a step further, you could use the
> "allow-query" mechanism on the "Internet-aware" server(s) to prevent
> "unauthorized" clients from resolving Internet names, assuming they all have
> static addresses. If on the other hand you're using DHCP to assign addresses
> dynamically, then you should be able to selectively provide the
> "Internet-aware" DNS server address parameters to only the "authorized" clients.
> 
> But, you're right, it's a dumb, security-by-obscurity way to control Internet
> access, since any savvy user who has an alternate way of resolving Internet
> names can bypass the controls. I think there are even some web sites that
> provide public resolver service, aren't there? And if you aren't preventing the
> users from tinkering with their resolver settings, then this "security" is even
> less effective, to the point of being almost non-existent. Real control of
> Internet access requires authenticated paths through a firewall or packet
> filter.
> 
> - Kevin
> 
> nobody wrote:
> 
> > Delmer
> >
> > I specifically don't want the internal to work as a forwarder.  We are
> > only allowing those users with "Internet Access" to have the ISP DNS's
> > in their setup; everyone else should not be able to see them.
> >
> > This is a rather dumb way of stopping unauthorised users accessing the
> > internet, I know, but at present it's the only method we have.
> >
> > Mark
> >
> > Delmer Harris wrote:
> > >
> > > I think this has come up before and was determined to be a misunderstanding
> > > about the multiple resolvers in the local equivalent of resolv.conf.  The
> > > correct behavior is as you described - if the resolver on W95 receives any
> > > response from DNS#1 it will _not_ go to DNS#2 or DNS#3.  It is only when
> > > there is no response from DNS#1 that it will go to DNS#2.
> > >
> > > You could achieve what you appear to desire by configuring your internal
> > > DNS to use the ISP's DNS as 'forwarder' DNS machines.  Then your internal
> > > DNS will check itself first, then ask the ISP's DNS to resolve what it
> > > can't resolve and return the answer to the W98 machines.
> > >
> > > YMMV
> > >
> > > nobody <nobody at nowhere.com> on 03/09/2000 11:36:19 AM
> > >
> > >  To:      comp-protocols-dns-bind at moderators.isc.org
> > >  cc:
> > >  Subject: Win95 machine not looking at 2nd and 3rd DNS
> > >
> > > Hi All
> > >
> > > I have a Win 95 machine which is set up to look at 3 DNS servers.  The
> > > first is our internal, and the second and third are the ISP's.  If I
> > > look for a web address, the machine will query only the internal then
> > > give up (checked this with a packet sniffer).
> > >
> > > The internal DNS is sat on a linux box and serves subdomains beneath our
> > > internet registered domain (ie. registered domain foo.com, this box does
> > > london.foo.com and paris.foo.com).  The machine has no zone for root
> > > ".".
> > >
> > > However, other machines I have seem to work fine (a linux box (not the
> > > name server), and an NT box).  I've done a quick test and it seems I have
> > > the same problem with another win95 machine as well.
> > >
> > > Any ideas? (I'm sure it was working before)
> > >
> > > Mark Taylor
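Kevin's forwarders-plus-allow-query suggestion as a BIND named.conf fragment; this is an added illustration, not configuration posted by anyone in the thread. It folds both roles into the one internal server: every host can still resolve the london and paris zones, but only the listed static addresses get forwarded Internet answers. The `authorised` ACL name, the file paths and all IP addresses are placeholders.

```conf
// Added example, not from the thread. All addresses are placeholders
// (RFC 5737 documentation ranges); substitute your own.

acl "authorised" {
    192.0.2.10;      // placeholder: workstation allowed Internet access
    192.0.2.11;      // placeholder
    127.0.0.1;
};

options {
    directory "/var/named";     // placeholder path

    // Names this server is not authoritative for go to the ISP's servers
    // instead of the root hints, so Win95 clients need only one DNS entry
    // and never hit the "first answer wins" behaviour Delmer describes.
    forwarders { 198.51.100.53; 198.51.100.54; };   // placeholders for the ISP
    forward only;

    // Kevin's allow-query idea: queries for anything outside our own zones
    // are refused unless they come from an authorised address.
    allow-query { "authorised"; };
    // Refinement beyond the thread: also refuse recursion to everyone else,
    // so a cached Internet answer is not handed to unauthorised hosts.
    allow-recursion { "authorised"; };
};

// The local zones stay visible to every internal host; the zone-level
// allow-query overrides the restrictive default in options.
zone "london.foo.com" {
    type master;
    file "london.foo.com.zone";   // placeholder
    allow-query { any; };
};

zone "paris.foo.com" {
    type master;
    file "paris.foo.com.zone";    // placeholder
    allow-query { any; };
};
```

As Kevin notes, this only restricts who can ask this server; a host whose resolver points elsewhere is unaffected, so it complements rather than replaces the router filter Mark put in.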


