Win2k forgets Nameserver?

Marc.Thach at radianz.com Marc.Thach at radianz.com
Fri Sep 28 12:08:16 UTC 2001



Ray,
Your site's security policy is not correctly implemented.  If your security
policy states that you will not accept DNS responses where they have a
different IP than expected, then you should accept that those sites are
"insecure" and not expect to use them.  If this is not your security
policy, then you should use a firewall configuration that allows the
correct traffic.
rgds
Marc TXK
________________________________________________________________________
The views expressed are personal and do not necessarily reflect those of
the organisation providing the mail address from which this message was
sent



From: "None" <reply at here.only>
Sent by: bind-users-bounce at isc.org
To: comp-protocols-dns-bind at moderators.isc.org
Subject: Re: Win2k forgets Nameserver?
Date: 28/09/2001 03:29
Please respond to "None"

That's a problem. We've run into an issue where some DNS systems send
the response back using a different IP address than the query was sent
to. When this happens, we can't resolve the site because the firewall
drops it. Microsoft has a KB article on this.

So, our solution was to use a DNS server outside the firewall provided
by our ISP. It works, but we don't want to put our internal-only IP
addresses on it, of course. I'll try the /flushdns switch when it
happens again. I don't know about it.

Guess we'll just have to dump Win2K for Linux. <g>

Ray

> > Primary DNS is Windows NT 4. Secondary DNS is Windows NT 4. Thirdary DNS is
> > an external ISP server. Primary and secondary are slaves off our BIND 8.2.3
> > masters. Thirdary DNS does not have our internal sites.
>
> As described elsewhere in thread, all DNS servers should give
> the same answers, so this is just a configuration error - just
> lose the third DNS server from the list.
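Ray's description above (a reply arriving from a different address than the query went to, which a stateful firewall then drops) can be confirmed from logs before deciding which way the site policy goes. The following is an added example, not code from the thread; it assumes a constructed firewall log format with one line per UDP/53 packet and matches replies to outbound queries by client port and DNS transaction id.

```python
import re

# Constructed sample firewall log lines (not from the thread). Each line records an
# outbound DNS query (OUT) or an inbound UDP/53 packet (IN) with its peer address.
SAMPLE_LOG = """\
2001-09-28 03:29:01 OUT udp 192.0.2.10:40123 -> 198.51.100.5:53 id=0x1a2b
2001-09-28 03:29:01 IN  udp 198.51.100.5:53 -> 192.0.2.10:40123 id=0x1a2b
2001-09-28 03:29:02 OUT udp 192.0.2.10:40124 -> 203.0.113.7:53 id=0x3c4d
2001-09-28 03:29:02 IN  udp 203.0.113.9:53 -> 192.0.2.10:40124 id=0x3c4d
2001-09-28 03:29:03 OUT udp 192.0.2.10:40125 -> 198.51.100.5:53 id=0x5e6f
"""

# Assumed log layout: "<date> <time> <OUT|IN> udp <src>:<sport> -> <dst>:<dport> id=<txid>"
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<dir>OUT|IN)\s+udp (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) id=(?P<id>0x[0-9a-f]+)$"
)


def find_mismatched_responses(log_text):
    """Return (mismatched, unanswered).

    mismatched: list of (queried_server, responding_address, txid) for replies
                that came back from an address other than the one queried;
                a stateful firewall matching on the query's destination drops these.
    unanswered: txids of queries that never got any reply within the log.
    """
    pending = {}  # (client_port, txid) -> server address the query was sent to
    mismatched = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not DNS packets
        if m["dir"] == "OUT":
            pending[(m["sport"], m["id"])] = m["dst"]
        else:
            key = (m["dport"], m["id"])
            expected = pending.pop(key, None)
            if expected is None:
                continue  # reply with no matching query seen (stateful filter drops it too)
            if m["src"] != expected:
                mismatched.append((expected, m["src"], m["id"]))
    unanswered = sorted(txid for (_, txid) in pending)
    return mismatched, unanswered


if __name__ == "__main__":
    bad, lost = find_mismatched_responses(SAMPLE_LOG)
    for queried, answered_from, txid in bad:
        print(f"txid {txid}: queried {queried}, reply came from {answered_from}")
    print("queries with no reply:", lost)
```

The servers reported here are the ones to take up with the operator of the offending resolver, or to exclude from the resolver list, depending on which reading of the security policy the site adopts.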