> OK you got me, I wrote the original one, and I run an NT network with
> Service Pack 4.
>
> I have NO internal DNS - is that so strange for a small company with 50
> machines?
In my world, yes.
> So my DNS is not leaking. I believe quite a few commercial packages -
> WinGate for one recommend you use 192.168.x.x. on 2 to 8+ machines with
> [obviously] no internal DNS.
Yes, Microsoft likes to scoff at any standards that don't originate
with them, and most that do.
> Shouldn't NT query WINS first for a reverse lookup? That would solve a lot
> of problems wouldn't it? For us and IANA!
MS has its own way of doing things, which others are not allowed to
question. But that makes sense to me.
> From RFC 1918:
> [Indirect references to such addresses should be contained within
> the enterprise. Prominent examples of such references are DNS Resource
> Records and other information referring to internal private addresses. In
> particular, Internet service providers should take measures to prevent such
> leakage. ]
>
> HOW? By stopping all reverse DNS lookups? Not practical is it?
Perfectly practical. Many do it. No need to stop all - just those
which you're using.
> So rfc1918 should require you to have a DNS server? This makes it a lot more
> difficult for small companies to implement 1918 addresses, couldn't DNS
> servers just 'ignore' these. If I set up a machine with no DNS entries in
> TCP/IP and a fixed [1918] address ping -a resolves names just fine, from
> WINS I presume.
I don't w a n t DNS servers to ignore those addresses; I use them.
What's so impractical? Get BIND for MSW-NT from www.isc.org, install
it, configure it, easy as pie.
You don't need a DNS server if you're not attached to the Internet -
I've run tiny detached networks with a /etc/hosts file [that I kept
updating, more fool me, but it preceded BIND]. You do if you are, it
would indeed seem.
> TCP/IP (in MS NT Environment at least) should be patched to
> query WINS first, if available, then,
> IF no response is received from WINS
> IF and only if the address is NOT rfc1918
> query DNS,
> (could it query the responder of a ping? I.e. the addressee?, the host?)
> ELSE trash the query
I don't know how MS-DNS works, but I have heard many people say that
BIND-NT works a lot better. I would still disagree with the IFF ~1918
part.
--
Joe Yao [EMAIL PROTECTED] - Joseph S. D. Yao
COSPO/OSIS Computer Support EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
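An added example, not part of this thread or of any of the products named in it: a Python sketch of the lookup order proposed above (WINS first, DNS only when the address is not RFC 1918, otherwise drop), together with a check over constructed query-log lines that flags PTR queries about RFC 1918 addresses, the ones a forwarder must answer locally rather than send upstream. The log line format and host names are constructed for the example.

```python
import ipaddress
import re

# The three RFC 1918 blocks. ipaddress's is_private matches more than these
# (loopback, link-local, documentation ranges), so list them explicitly.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True if ip is an IPv4 address inside one of the RFC 1918 blocks."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def ptr_qname_to_ip(qname):
    """Map a reverse-lookup name such as '20.1.168.192.in-addr.arpa.' back
    to the dotted IPv4 address it asks about; None if it is not one."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return str(ipaddress.ip_address(".".join(reversed(labels[:4]))))
    except ValueError:
        return None


def reverse_lookup_policy(ip, wins_names):
    """Lookup order from the thread: WINS first (wins_names stands in for a
    WINS answer), then DNS only for non-1918 addresses, else drop."""
    if ip in wins_names:
        return ("wins", wins_names[ip])
    if is_rfc1918(ip):
        return ("drop", None)
    return ("dns", None)


# Constructed sample lines in the style of a resolver query log on the
# enterprise forwarder; a PTR query for a 1918 address must not go upstream.
QUERY_LOG = """\
client 192.168.1.20#1042: query: 20.1.168.192.in-addr.arpa IN PTR
client 192.168.1.20#1043: query: 4.4.8.8.in-addr.arpa IN PTR
client 192.168.1.21#1050: query: 7.0.0.10.in-addr.arpa IN PTR
client 192.168.1.21#1051: query: www.isc.org IN A
"""
LOG_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN PTR")


def leaked_private_ptr_queries(log_text):
    """Return (client, ip) for each PTR query about an RFC 1918 address."""
    leaks = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        ip = ptr_qname_to_ip(m.group(2)) if m else None
        if ip and is_rfc1918(ip):
            leaks.append((m.group(1), ip))
    return leaks
```

Serving the 10.in-addr.arpa, 16-31.172.in-addr.arpa and 168.192.in-addr.arpa zones from an internal name server is the standard way to make such queries never leave the enterprise.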