Why not use root hints instead?

<cough> in our little SBS wizard... at the screen where you are prompted to enter dns forwarders, you hit 'cancel' and it sets up root hints
http://www.sbslinks.com/images/time.h71.gif

If you are concerned about dns forwarding... which you should be .... you don't even want to forward from internal requests.

We little SBS boxes are wizard-recommended to use DNS forwarders... BUT... if we forward to an upstream BIND 5 or 7... even though we look inward for our DNS and do not expose our port 53, we are reliant on the kindness and patching of those BIND servers.

Microsoft DNS servers since Windows 2003 sp3 [if I remember right] have been prevented from poisoning 'to' other folks. But if we rely [forward] on a poisoned BIND DNS server, we can get nailed.


I don't know if I ever got back to this, but one of the Networking guys walked me through setting up this DNS:
http://www.sbslinks.com/DNS.htm
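An added audit script (not from this thread) that shows where a Windows DNS server stands on the two points raised here and in Edwin's question below: forwarders versus root hints, and whether recursion is reachable from anywhere but the inside. It assumes the DnsServer PowerShell module (Windows Server 2012 R2 or later, which the SBS boxes discussed predate); the internal address prefixes are constructed sample values.

```powershell
# Added audit script, not from this thread. Assumes the DnsServer PowerShell module
# (Windows Server 2012 R2 or later). The "internal" prefixes are constructed sample
# values; replace them with your own address plan.
Import-Module DnsServer

$internalPrefixes = @('10.', '192.168.', '172.16.')   # constructed sample ranges

$forwarders = Get-DnsServerForwarder
$recursion  = Get-DnsServerRecursion
$settings   = Get-DnsServerSetting -All

# 1. Forwarders or root hints? With forwarders, every upstream resolver's patch state
#    becomes part of your own cache-poisoning exposure; with root hints the server
#    walks the delegation chain from the roots itself.
if ($forwarders.IPAddress) {
    Write-Output ("Forwarding to: " + ($forwarders.IPAddress -join ', ') +
                  " (UseRootHint on failure: $($forwarders.UseRootHint))")
} else {
    $hintCount = (Get-DnsServerRootHint | Measure-Object).Count
    Write-Output "No forwarders; resolving from $hintCount root hints."
}

# 2. Who gets recursion? Outside DNS policy recursion scopes (Server 2016+), the
#    practical controls are recursion on/off and which addresses the service listens on.
Write-Output "Recursion enabled: $($recursion.Enable)"
Write-Output "Secure cache against pollution: $($recursion.SecureResponse)"

$listen = $settings.ListeningIPAddress
if (-not $listen) { $listen = @('<all interfaces>') }
foreach ($ip in $listen) {
    $isInternal = $internalPrefixes | Where-Object { $ip.ToString().StartsWith($_) }
    $tag = if ($isInternal) { 'internal' } else { 'NOT internal' }
    Write-Output "Listening on $ip ($tag)"
    if ($recursion.Enable -and -not $isInternal) {
        Write-Warning "Recursive service reachable on $ip - open-resolver exposure."
    }
}

# Remediation options, left commented so a read-only audit changes nothing:
# Remove-DnsServerForwarder -IPAddress $forwarders.IPAddress -Force   # fall back to root hints
# Set-DnsServerRecursion -Enable $false        # authoritative only; internal clients then
#                                              # need a separate recursive server
# $settings.ListeningIPAddress = @('10.0.0.2') # bind to the internal NIC only (constructed address)
# Set-DnsServerSetting -InputObject $settings
```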


Edwin wrote:

Is it possible within MSFT DNS to only accept DNS forwards from internal requests?

Please consider the fact that a domain may not always be configured to look at internal DNS servers only. Also, it is not required for a domain to be used when DNS services are required. DNS may be configured on a machine that is for either internal or external use or both.

If this is possible, this will help with “DNS Smurfing” attacks that could affect a network.

If you haven’t read it already, you may find the information in the URL http://www.measurement-factory.com/press/20051024.html useful. This article brings me to my question about preventing external DNS forwards.

Thanks,

Edwin

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
