thanks, Cil.

I guess we can lay this one to rest.  the network in question probably needs
to make no changes and life will be dandy.

Chuck

"Priscilla Oppenheimer" wrote in message
news:[EMAIL PROTECTED]...
> Yes, I can use that DNS server that you mentioned without any problem. I
> have my PC set to use it right now. And I know of others that anyone can
> use too, but I'm not going to give details in case they would not like this
> info to get out. ;-)
>
> Priscilla
>
> At 03:24 PM 2/18/02, Chuck wrote:
> >the simple way to test this would be to set your workstation with some other
> >ISP's DNS address, and see how things go. In one of my posts I provided the
> >real IP of an active DNS server. Someone want to give it a try? or post one
> >that you know about. I'll be happy to test.
> >
> >I wish the guy who posted the original question would get back to us with
> >his results.
> >
> >Chuck
> >
> >"Priscilla Oppenheimer" wrote in message
> >news:[EMAIL PROTECTED]...
> > > At 12:28 PM 2/18/02, Marc Thach Xuan Ky wrote:
> > > >Any decent ISP will refuse DNS recursion from any IP address that is not
> > > >within its own address space.
> > >
> > > He wasn't asking about recursion. He was asking about the initial query
> > > from the end host. Although I could believe you that a service provider
> > > should make sure these queries only come from customers, my experience is
> > > that service providers don't do this. I can set my PC to use a variety of
> > > DNS servers around the Internet and it works.
> > >
> > > I think it's because it's tricky to do, especially for small ISPs. Some
> > > ISPs might have only one DNS server. The same server that provides DNS
> > > services to Internet-access customers may also be the authority for various
> > > names managed by the ISP. The ISP may be doing Web hosting and be the
> > > authority for a bunch of names. In that case, it can't filter out DNS
> > > queries coming from the Internet.
> > >
> > > For example, say your PC asks your local DNS server to resolve
> > > www.priscilla.com. Your server can't do it. It asks its upstream server,
> > > probably one of the root servers. The root server figures out that
> > > petiteisp.com owns www.priscilla.com and tells your server the IP address
> > > of the authoritative name server at petiteisp.com. Your server queries
> > > petiteisp.com which gives your server the IP address for www.priscilla.com.
> > > Your server finally responds to your PC.
> > >
> > > Notice that the query to petiteisp.com came from some unexpected IP address
> > > that can't be anticipated in a filter. If petiteisp.com had a filter to
> > > allow queries only from its customers, the query from your server would
> > > have failed.
> > >
> > > Did that make sense? ;-) How do bigger ISPs handle this? I suppose bigger
> > > ISPs have more than one DNS server, one for Internet access customers, and
> > > one that is the authority for names owned by the ISP.
> > >
> > > Priscilla
> > >
> > > >  This is fundamental to DNS security.
> > > >You need to rewrite the destination IP address.  Note that Cisco's NAT
> > > >is not suitable for this because of the DNS ALG.  The easiest thing to
> > > >do may be to provide an on-site caching DNS using the old ISP's DNS
> > > >addresses.  If you've got a lot of workstations and a decent bandwidth
> > > >to the Internet, you will probably find that running your own DNS cache
> > > >will be more satisfactory anyway.
> > > >rgds
> > > >Marc TXK
> > > >
> > > >
> > > >Godswill HO wrote:
> > > > >
> > > > > You can still use your former ISP's DNS records while using the new
> > > > > ISP's bandwidth. It does not matter who owns the DNS server. Everybody
> > > > > has access to it once they are in the internet. Except when they are
> > > > > specifically filtered.
> > > > >
> > > > > The only drawback is that your new ISP has to forward the packet in a
> > > > > round trip to the old ISP's network through the internet before they are
> > > > > resolved and sent back to your machine; had you been using the DNS of
> > > > > your new ISP, these requests would stop there. Do not lose your sleep,
> > > > > because at the worst these delays are in milliseconds and not easily
> > > > > noticeable by the eye; moreover, each machine has a cache so it does not
> > > > > forward every request. Great if you have a Cache Engine to complement
> > > > > the machine's cache.
> > > > >
> > > > > Whatever, you are kool and everything will be fine, switch to your new
> > > > > ISP and enjoy.
> > > > >
> > > > > Regards.
> > > > > Oletu
> > > > > ----- Original Message -----
> > > > > From: Michael Hair
> > > > > To:
> > > > > Sent: Sunday, February 17, 2002 8:07 PM
> > > > > Subject: DNS Request Redirection [7:35703]
> > > > >
> > > > > > I was wondering what is the best way to take care of the following:
> > > > > >
> > > > > > I have been using a private address space behind a Cisco 4500 router
> > > > > > connected up to our current ISP using NAT, now we want to move our
> > > > > > connection from our current ISP to a new ISP with better bandwidth. My
> > > > > > problem is that we don't want to change all our client machines' TCP/IP
> > > > > > settings, which are all static, for some reason or another they were
> > > > > > all set up to use our ISP's DNS. Not my idea but that's another problem.
> > > > > > So how can I set up our router to forward requests looking from our
> > > > > > current ISP's DNS to our new ISP's DNS without touching all the client
> > > > > > machines.
> > > > > >
> > > > > > Would the best way be to use policy-base routing?
> > > > > >
> > > > > > Would a static route work?
> > > > > >
> > > > > > Could I use a static route under NAT?
> > > > > >
> > > > > > If someone could provide me a sample of how you could do this I would
> > > > > > be grateful...
> > > > > >
> > > > > > Thanks
> > > > > > Michael
> > > ________________________
> > >
> > > Priscilla Oppenheimer
> > > http://www.priscilla.com
> ________________________
>
> Priscilla Oppenheimer
> http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35778&t=35703
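
An added example, not part of the original thread and not any ISP's actual configuration: a Python model of the single-server case discussed above, where one DNS server answers for the zones it hosts from any source address but offers recursion only to customer prefixes. The zone names petiteisp.com and priscilla.com come from the thread's example; the prefix 198.51.100.0/24, the sample source addresses and all function names are constructed for illustration.

```python
import ipaddress

# Constructed policy for a hypothetical single-server ISP (assumptions, not real data).
CUSTOMER_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # assumed customer prefix
AUTH_ZONES = {"petiteisp.com", "priscilla.com"}            # zones hosted on this server


def in_auth_zone(qname):
    """True if qname is one of the hosted zones or a name beneath one."""
    labels = qname.lower().rstrip(".").split(".")
    # Compare every suffix on label boundaries, so "notpriscilla.com" does not match.
    return any(".".join(labels[i:]) in AUTH_ZONES for i in range(len(labels)))


def is_customer(src_ip):
    """True if the query source falls inside a customer prefix."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in CUSTOMER_NETS)


def decide(src_ip, qname):
    """Decide by queried name first, then by source address."""
    if in_auth_zone(qname):
        # Other resolvers arrive from unpredictable addresses, so hosted
        # zones are answered for everyone.
        return "ANSWER_AUTHORITATIVE"
    if is_customer(src_ip):
        return "RECURSE"   # resolve names on behalf of a customer
    return "REFUSED"       # no recursion for sources outside customer space


# Constructed sample queries: (source address, queried name).
SAMPLE_QUERIES = [
    ("203.0.113.53", "www.priscilla.com"),   # remote resolver, hosted zone
    ("198.51.100.20", "www.example.org"),    # customer, external name
    ("203.0.113.9", "www.example.org"),      # outsider asking for recursion
]


def run_samples():
    return [decide(src, name) for src, name in SAMPLE_QUERIES]


if __name__ == "__main__":
    for (src, name), verdict in zip(SAMPLE_QUERIES, run_samples()):
        print(f"{src:15} {name:20} -> {verdict}")
```
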