The simple way to test this would be to set your workstation with some other
ISP's DNS address, and see how things go. In one of my posts I provided the
real IP of an active DNS server. Does someone want to give it a try? Or post one
that you know about. I'll be happy to test.

I wish the guy who posted the original question would get back to us with
his results.

Chuck

"Priscilla Oppenheimer" wrote in message news:[EMAIL PROTECTED]...
> At 12:28 PM 2/18/02, Marc Thach Xuan Ky wrote:
> >Any decent ISP will refuse DNS recursion from any IP address that is not
> >within its own address space.
>
> He wasn't asking about recursion. He was asking about the initial query
> from the end host. Although I could believe you that a service provider
> should make sure these queries only come from customers, my experience is
> that service providers don't do this. I can set my PC to use a variety of
> DNS servers around the Internet and it works.
>
> I think it's because it's tricky to do, especially for small ISPs. Some
> ISPs might have only one DNS server. The same server that provides DNS
> services to Internet-access customers may also be the authority for various
> names managed by the ISP. The ISP may be doing Web hosting and be the
> authority for a bunch of names. In that case, it can't filter out DNS
> queries coming from the Internet.
>
> For example, say your PC asks your local DNS server to resolve
> www.priscilla.com. Your server can't do it. It asks its upstream server,
> probably one of the root servers. The root server figures out that
> petiteisp.com owns www.priscilla.com and tells your server the IP address
> of the authoritative name server at petiteisp.com. Your server queries
> petiteisp.com which gives your server the IP address for www.priscilla.com.
> Your server finally responds to your PC.
>
> Notice that the query to petiteisp.com came from some unexpected IP address
> that can't be anticipated in a filter. If petiteisp.com had a filter to
> allow queries only from its customers, the query from your server would
> have failed.
>
> Did that make sense? ;-) How do bigger ISPs handle this? I suppose bigger
> ISPs have more than one DNS server, one for Internet access customers, and
> one that is the authority for names owned by the ISP.
>
> Priscilla
>
> >  This is fundamental to DNS security.
> >You need to rewrite the destination IP address.  Note that Cisco's NAT
> >is not suitable for this because of the DNS ALG.  The easiest thing to
> >do may be to provide an on-site caching DNS using the old ISP's DNS
> >addresses.  If you've got a lot of workstations and a decent bandwidth
> >to the Internet, you will probably find that running your own DNS cache
> >will be more satisfactory anyway.
> >rgds
> >Marc TXK
> >
> >
> >Godswill HO wrote:
> > >
> > > You can still use your former ISP's DNS records while using the new ISP's
> > > bandwidth. It does not matter who owns the DNS server. Everybody has
> > > access to it once they are in the internet, except when they are
> > > specifically filtered.
> > >
> > > The only drawback is that your new ISP has to forward the packet in a
> > > round trip to the old ISP's network through the internet before they are
> > > resolved and sent back to your machine; had you been using the DNS of
> > > your new ISP, these requests would stop there. Do not lose your sleep,
> > > because at the worst these delays are in milliseconds and not easily
> > > noticeable by the eye; moreover, each machine has a cache so it does not
> > > forward every request. Great if you have a Cache Engine to complement the
> > > machine's cache.
> > >
> > > Whatever, you are cool and everything will be fine, switch to your new
> > > ISP and enjoy.
> > >
> > > Regards.
> > > Oletu
> > > ----- Original Message -----
> > > From: Michael Hair
> > > To:
> > > Sent: Sunday, February 17, 2002 8:07 PM
> > > Subject: DNS Request Redirection [7:35703]
> > >
> > > > I was wondering what is the best way to take care of the following:
> > > >
> > > > I have been using a private address space behind a Cisco 4500 router
> > > > connected up to our current ISP using NAT, now we want to move our
> > > > connection from our current ISP to a new ISP with better bandwidth. My
> > > > problem is that we don't want to change all our client machines' TCP/IP
> > > > settings, which are all static; for some reason or another they were all
> > > > set up to use our ISP's DNS. Not my idea, but that's another problem. So
> > > > how can I set up our router to forward requests looking from our current
> > > > ISP's DNS to our new ISP's DNS without touching all the client machines?
> > > >
> > > > Would the best way be to use policy-based routing?
> > > >
> > > > Would a static route work?
> > > >
> > > > Could I use a static route under NAT?
> > > >
> > > > If someone could provide me a sample of how you could do this I would
> > > > be grateful...
> > > >
> > > > Thanks
> > > > Michael
> ________________________
>
> Priscilla Oppenheimer
> http://www.priscilla.com
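The test Chuck proposes (point a host at a resolver outside your own ISP and see whether it answers) comes down to reading two things in the reply: the RCODE (REFUSED means the server filters sources outside its address space, as Marc says a decent ISP should) and the RA flag (set when the server recursed on your behalf, which is the behaviour Priscilla observes at most providers). The script below is an added example, not code from the thread or from any of its posters: it builds the query a workstation would send, classifies the reply, and pulls out the answered address. The replies it checks are constructed inline, the name www.priscilla.com is taken from the thread, and 192.0.2.10 is a documentation address; `probe_resolver` sends the same query live, for checking a resolver you operate.

```python
"""Added example (not from the thread): build a recursive DNS query and classify
what a resolver's reply says about its policy. Sample replies are constructed."""
import socket
import struct
from typing import Optional

QID = 0x1234  # constructed query id shared by the samples below


def build_query(name: str, qid: int = QID) -> bytes:
    """Standard A-record query with the RD (recursion desired) bit set,
    i.e. what a workstation sends to the resolver it is configured with."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, then done
            return offset + 2
        if length == 0:
            return offset + 1
        offset += 1 + length


def classify_response(qid: int, data: bytes) -> str:
    """Say what the reply tells us about the resolver's policy towards our source."""
    if len(data) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid:
        return "id-mismatch"            # not the reply to our query
    if not flags & 0x8000:
        return "not-a-response"         # QR bit clear
    rcode = flags & 0x000F
    recursion_available = bool(flags & 0x0080)
    if rcode == 5:
        return "refused"                # server filters sources outside its own space
    if rcode != 0:
        return f"rcode-{rcode}"
    if recursion_available and ancount > 0:
        return "recursive-open"         # it recursed on our behalf
    return "authoritative-only"         # answered from its own zones only (RA clear)


def first_a_record(data: bytes) -> Optional[str]:
    """Extract the first A record from the answer section, if there is one."""
    _qid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4      # skip QTYPE + QCLASS
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlength == 4:
            return socket.inet_ntoa(data[offset:offset + 4])
        offset += rdlength
    return None


def build_response(qid: int, flags: int, name: str, answer_ip: Optional[str]) -> bytes:
    """Construct a reply the way a server would send it (used for the samples)."""
    question = build_query(name, qid)[12:]         # reuse the question section
    header = struct.pack("!HHHHHH", qid, flags, 1, 1 if answer_ip else 0, 0, 0)
    answer = b""
    if answer_ip:
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(answer_ip)
    return header + question + answer


# Constructed sample replies (not captured traffic), one per behaviour the thread describes.
NAME = "www.priscilla.com"
OPEN_RESOLVER_REPLY = build_response(QID, 0x8180, NAME, "192.0.2.10")  # QR, RD, RA, NOERROR
REFUSED_REPLY = build_response(QID, 0x8105, NAME, None)                # QR, RD, REFUSED
AUTH_ONLY_REPLY = build_response(QID, 0x8500, NAME, "192.0.2.10")     # QR, AA, RD, RA clear


def probe_resolver(server: str, name: str = NAME, timeout: float = 3.0) -> str:
    """Live form of the test: send the query over UDP/53 and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, QID), (server, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "timeout"            # silently dropped, typically by a packet filter
    return classify_response(QID, data)


if __name__ == "__main__":
    for label, reply in (("open", OPEN_RESOLVER_REPLY), ("refused", REFUSED_REPLY),
                         ("auth-only", AUTH_ONLY_REPLY)):
        print(label, classify_response(QID, reply), first_a_record(reply))
```

The three constructed replies map onto the thread's cases: "recursive-open" is the ISP that answers anyone (the behaviour Godswill relies on), "refused" is the filtering ISP Marc describes, and "authoritative-only" is Priscilla's single server that must stay reachable from the Internet for the zones it hosts but does not recurse for outsiders. A "timeout" from `probe_resolver` usually means a packet filter rather than a DNS-level refusal.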
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35769&t=35703
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]