Restricting what a DNS server returns to a client

Chris Buxton cbuxton at menandmice.com
Thu Nov 29 20:26:38 UTC 2007


This is normally not a great idea, but in your situation it may be appropriate. I've never done this myself, but I'm pretty sure it will work.

On the DNS server (or view) that is seen on the unprivileged LAN, create a master root zone with a wildcard A record pointing to your default web server. Then create a forward zone named windowsupdate.com pointing to another name server that you control, that doesn't have the bogus master root zone. I *believe* the presence of this forward zone will override the wildcard A record in the root zone.

You may need to create other exceptions in similar fashion, for other domains, such as windowsupdate.microsoft.com.

Chris Buxton
Professional Services
Men & Mice
Address: Noatun 17, IS-105, Reykjavik, Iceland
Phone:   +354 412 1500
Email:   cbuxton at menandmice.com
www.menandmice.com

Men & Mice
We bring control and flexibility to network management




On Nov 29, 2007, at 2:52 AM, Alex Sharaz wrote:

> Chaps,
>
> Looking for a bit of advice / pointers to appropriate web pages.
>
> We are currently running a pilot 802.1x authenticated wired network in
> one of our halls of residence. Basically if authentication works the
> client system is placed in a VLAN that has a "less restrictive" set of
> firewall rules associated with it. If authentication fails, the client
> machine is placed in a seriously restricted VLAN that blocks all access
> to the outside world and only allows access to certain http hosts on our
> network.
>
> One of the problems we've got is that there are a lot of systems out
> there that have never seen a Windows update and we'd like to configure
> things so that even if a user is on our restricted VLAN they can access
> the Windows update site. I can use our DHCP server to hand out a
> different DNS server IP address to any system on the restricted network.
>
> What I'd like to do then is either restrict or alter what the DNS server
> returns to the client. E.g.
>
> 1). Running Windows update on the client machine will correctly return
> IP addresses for the Microsoft update service and "just work"
>
> 2). Resolution of a number of local machines will "just work"
>
> 3). All other attempts to resolve a FQDN into an IP address return a
> single local IP address associated with a particular web server on our
> network.
>
> Any suggestions as to how I might do this using BIND 9.4.1-P1, which is
> what I'm currently running, would be appreciated.
>
> Alex
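The setup Chris Buxton describes above (a bogus master root zone with a wildcard A record, plus forward zones that override it for the Windows Update names), written out as a BIND named.conf fragment and root zone file. This is an added illustration, not configuration from the original thread or from Men & Mice; the addresses 10.0.0.10 (the local "you are quarantined" web server), 10.0.0.53 (the normal recursive resolver, which must not carry the fake root zone), the zone name example.lan and the file names are assumptions.

```bind
// named.conf fragment for the resolver that DHCP hands out on the restricted VLAN.
// Assumed addresses: 10.0.0.10 = local default web server that every unknown
// name should resolve to; 10.0.0.53 = the unmodified recursive resolver.

options {
    directory "/var/named";
    recursion yes;
    // Only the restricted VLAN should be able to query this server; an open
    // resolver that lies about the root is a liability for everyone else.
    allow-query { 10.0.0.0/8; };
};

// Catch-all: every name not covered by a more specific zone below gets the
// wildcard answer from this fake root.
zone "." {
    type master;
    file "root.wildcard";
};

// Exceptions. BIND answers from the closest enclosing zone it is configured
// with, so these forward zones take precedence over "." and the query is sent
// to the real resolver instead of being answered from the wildcard.
zone "windowsupdate.com" {
    type forward;
    forward only;
    forwarders { 10.0.0.53; };
};

zone "windowsupdate.microsoft.com" {
    type forward;
    forward only;
    forwarders { 10.0.0.53; };
};

// Local names that must keep working on the restricted VLAN (assumed zone).
zone "example.lan" {
    type master;
    file "example.lan";
};

// ---- /var/named/root.wildcard ----
// $TTL 300
// @          IN SOA  localhost. hostmaster.example.lan. (
// ;                   serial  refresh retry   expire  minimum
//                     2007112901 3600  900     604800  300 )
// @          IN NS   localhost.
// localhost  IN A    127.0.0.1
// ; Any name with no closer match in this zone, however many labels, gets
// ; the address of the local web server.
// *          IN A    10.0.0.10
```

Two checks worth running from a host on the restricted VLAN once this is loaded: `dig @<restricted-resolver> www.example.com A +short` should return 10.0.0.10, while `dig @<restricted-resolver> windowsupdate.com A +short` should return whatever 10.0.0.53 returns. The short TTL on the wildcard record matters: the Windows resolver caches negative and positive answers, so a client that later authenticates and moves to the unrestricted VLAN would otherwise keep resolving everything to 10.0.0.10 until its cache expires. Note also that the forward zones only cover the two domains named in the thread; any other host that the update process contacts needs its own forward zone in the same fashion, as the reply points out.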



More information about the bind-users mailing list