And to add one more point.... Filtering for queries just from root servers 
wouldn't work either. It's not the root server that sends the query. The 
root server responds to the requesting server with the address of the 
authoritative server for a name. Then the requesting server asks the 
authoritative server. So the queries come from all over the place, not just 
from root servers.

It sounds like the filter would work to avoid just anyone using a caching 
server, to avoid overuse of the server, for example. But it would be 
impractical to filter queries to a server that is acting as the authority 
for names.

There are probably entire Web sites devoted to the issues of DNS and 
security. Someday I will have to look at them! ;-)

Priscilla

At 04:09 PM 2/18/02, Patrick Ramsey wrote:
>not to add any heat underneath anyone behind, but I routinely use 
>UUNET/Mindspring/Earthlink/Qwest... (their caching of course)
>
>to be honest with you, I have never run into an isp that wouldn't allow 
>lookups from external hosts...  I mean...for authoritative servers,  how 
>would you propagate your zones without allowing lookups from other caching 
>servers?  Unless you restricted lookups from root servers only...But 
>wouldn't that be kinda inefficient?
>
>-Patrick
>
> >>> "Priscilla Oppenheimer"  02/18/02 03:50PM >>>
>Yes, I can use that DNS server that you mentioned without any problem. I
>have my PC set to use it right now. And I know of others that anyone can
>use too, but I'm not going to give details in case they would not like this
>info to get out. ;-)
>
>Priscilla
>
>At 03:24 PM 2/18/02, Chuck wrote:
> >the simple way to test this would be to set your workstation with some other
> >ISP's DNS address, and see how things go. In one of my posts I provided the
> >real IP of an active DNS server. Someone want to give it a try? or post one
> >that you know about. I'll be happy to test.
> >
> >I wish the guy who posted the original question would get back to us with
> >his results.
> >
> >Chuck
> >
> >""Priscilla Oppenheimer""  wrote in message
> >[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > > At 12:28 PM 2/18/02, Marc Thach Xuan Ky wrote:
> > > >Any decent ISP will refuse DNS recursion from any IP address that is not
> > > >within its own address space.
> > >
> > > He wasn't asking about recursion. He was asking about the initial query
> > > from the end host. Although I could believe you that a service provider
> > > should make sure these queries only come from customers, my experience is
> > > that service providers don't do this. I can set my PC to use a variety of
> > > DNS servers around the Internet and it works.
> > >
> > > I think it's because it's tricky to do, especially for small ISPs. Some
> > > ISPs might have only one DNS server. The same server that provides DNS
> > > services to Internet-access customers may also be the authority for various
> > > names managed by the ISP. The ISP may be doing Web hosting and be the
> > > authority for a bunch of names. In that case, it can't filter out DNS
> > > queries coming from the Internet.
> > >
> > > For example, say your PC asks your local DNS server to resolve
> > > www.priscilla.com. Your server can't do it. It asks its upstream server,
> > > probably one of the root servers. The root server figures out that
> > > petiteisp.com owns www.priscilla.com and tells your server the IP address
> > > of the authoritative name server at petiteisp.com. Your server queries
> > > petiteisp.com which gives your server the IP address for www.priscilla.com.
> > > Your server finally responds to your PC.
> > >
> > > Notice that the query to petiteisp.com came from some unexpected IP address
> > > that can't be anticipated in a filter. If petiteisp.com had a filter to
> > > allow queries only from its customers, the query from your server would
> > > have failed.
> > >
> > > Did that make sense? ;-) How do bigger ISPs handle this? I suppose bigger
> > > ISPs have more than one DNS server, one for Internet access customers, and
> > > one that is the authority for names owned by the ISP.
> > >
> > > Priscilla
> > >
> > > >  This is fundamental to DNS security.
> > > >You need to rewrite the destination IP address.  Note that Cisco's NAT
> > > >is not suitable for this because of the DNS ALG.  The easiest thing to
> > > >do may be to provide an on-site caching DNS using the old ISP's DNS
> > > >addresses.  If you've got a lot of workstations and a decent bandwidth
> > > >to the Internet, you will probably find that running your own DNS cache
> > > >will be more satisfactory anyway.
> > > >rgds
> > > >Marc TXK
> > > >
> > > >
> > > >Godswill HO wrote:
> > > > >
> > > > > You can still use your former ISP's DNS records while using the new ISP's
> > > > > bandwidth. It does not matter who owns the DNS server. Everybody has access
> > > > > to it once they are on the internet, except when they are specifically
> > > > > filtered.
> > > > >
> > > > > The only drawback is that your new ISP has to forward the packet in a
> > > > > round trip to the old ISP's network through the internet before they are
> > > > > resolved and sent back to your machine; had you been using the DNS of
> > > > > your new ISP, these requests would stop there. Do not lose your sleep,
> > > > > because at the worst these delays are in milliseconds and not easily
> > > > > noticeable by the eye; moreover each machine has a cache so it does not
> > > > > forward every request. Great if you have a Cache Engine to complement the
> > > > > machine's cache.
> > > > >
> > > > > Whatever, you are kool and everything will be fine, switch to your new ISP
> > > > > and enjoy.
> > > > >
> > > > > Regards.
> > > > > Oletu
> > > > > ----- Original Message -----
> > > > > From: Michael Hair
> > > > > To:
> > > > > Sent: Sunday, February 17, 2002 8:07 PM
> > > > > Subject: DNS Request Redirection [7:35703]
> > > > >
> > > > > > I was wondering what is the best way to take care of the following:
> > > > > >
> > > > > > I have been using a private address space behind a Cisco 4500 router
> > > > > > connected up to our current ISP using NAT, now we want to move our
> > > > > > connection from our current ISP to a new ISP with better bandwidth. My
> > > > > > problem is that we don't want to change all our client machines' TCP/IP
> > > > > > settings, which are all static, for some reason or another they were
> > > > > > all set up to use our ISP's DNS. Not my idea but that's another problem.
> > > > > > So how can I set up our router to forward requests looking for our
> > > > > > current ISP's DNS to our new ISP's DNS without touching all the client
> > > > > > machines.
> > > > > >
> > > > > > Would the best way be to use policy-based routing?
> > > > > >
> > > > > > Would a static route work?
> > > > > >
> > > > > > Could I use a static route under NAT?
> > > > > >
> > > > > > If someone could provide me a sample of how you could do this I would be
> > > > > > grateful...
> > > > > >
> > > > > > Thanks
> > > > > > Michael


________________________

Priscilla Oppenheimer
http://www.priscilla.com
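The resolution chain Priscilla walks through above (PC, local caching server, root referral, authoritative server at petiteisp.com) and Marc's point about refusing recursion from outside the ISP's own address space can be checked against each other in a small model. The following is an added example, not code from anyone in the thread; every name and address in it is constructed (petiteisp.com's customer block, its single name server, the resolver at "your" ISP, and the zone data are all made up). It models one server that is both the authority for www.priscilla.com and the caching server for petiteisp.com's customers, and compares two filter policies: a blanket source-address filter, which breaks the lookup exactly as Priscilla describes because the query arrives from an arbitrary resolver, and a recursion-only filter, which keeps authoritative answers reachable from anywhere while stopping outsiders from using the server as a cache.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# All names and addresses below are constructed for this example.
CUSTOMER_NET = ipaddress.ip_network("198.51.100.0/24")  # petiteisp.com's own address space
PETITE_NS = "203.0.113.53"     # petiteisp.com's single name server (authority + customer cache)
YOUR_RESOLVER = "192.0.2.10"   # the caching server your PC uses, at a different ISP
ROOT_NS = "192.0.2.1"          # stand-in for the root/TLD servers that hand out referrals

PETITE_ZONE = {"www.priscilla.com": "203.0.113.80"}   # data petiteisp.com is authoritative for
INTERNET = {"www.example.net": "192.0.2.80"}          # what a full recursive lookup would find


@dataclass
class Query:
    src: str      # source address the query arrives from
    name: str
    rd: bool      # "recursion desired" bit, set by stub resolvers and forwarders


class PetiteNameServer:
    """One server doing both jobs, as in the small-ISP case described in the thread."""

    def __init__(self, policy: str):
        assert policy in ("drop_non_customers", "recursion_customers_only")
        self.policy = policy

    def handle(self, q: Query) -> Optional[str]:
        is_customer = ipaddress.ip_address(q.src) in CUSTOMER_NET
        if self.policy == "drop_non_customers" and not is_customer:
            return None                      # blanket source filter: refuses everyone outside
        if q.name in PETITE_ZONE:
            return PETITE_ZONE[q.name]       # authoritative answer, served to any source
        if q.rd and is_customer:
            return INTERNET.get(q.name)      # recurse (look it up elsewhere) only for customers
        return None                          # recursion refused for outsiders


def referral(name: str) -> str:
    """Root/TLD stand-in: every name in this model is delegated to petiteisp.com's server."""
    return PETITE_NS


def resolve_from_your_isp(name: str, petite: PetiteNameServer) -> Optional[str]:
    """Your PC -> your ISP's caching server -> root referral -> authoritative server.

    The query that reaches petiteisp.com is sent by YOUR_RESOLVER, an address
    petiteisp.com could never have listed in a customer-only filter."""
    ns = referral(name)                      # root says petiteisp.com is the authority
    assert ns == PETITE_NS
    # Iterative query from your caching server; RD is clear because it does the work itself.
    answer = petite.handle(Query(src=YOUR_RESOLVER, name=name, rd=False))
    return answer                            # your caching server hands this to your PC


def can_recurse(petite: PetiteNameServer, src: str) -> bool:
    """Open-resolver check: can this source use petiteisp.com's server as a cache?"""
    return petite.handle(Query(src=src, name="www.example.net", rd=True)) is not None


if __name__ == "__main__":
    blanket = PetiteNameServer("drop_non_customers")
    hardened = PetiteNameServer("recursion_customers_only")
    for label, srv in (("blanket filter", blanket), ("recursion-only filter", hardened)):
        print(f"{label}: www.priscilla.com from your ISP -> "
              f"{resolve_from_your_isp('www.priscilla.com', srv)}")
        print(f"{label}: outsider can recurse -> {can_recurse(srv, YOUR_RESOLVER)}, "
              f"customer can recurse -> {can_recurse(srv, '198.51.100.7')}")
```

With the blanket filter the lookup from your ISP's resolver fails, which is the situation Priscilla describes; with the recursion-only policy the authoritative answer still comes back from anywhere on the Internet, and only the "recursion desired" queries from outside the customer block are refused, which is the behaviour Marc expects from a decent ISP.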




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35784&t=35703