On Fri, February 22, 2008 9:48 am, Michael J McCafferty wrote:
>
> ...and that is precisely how it gets around the "security". See, your
> request to the company internal DNS servers cannot be answered without
> the internal name servers going out to get the answer. They consult the
> root servers to see who is SOA, then go ask them... you make your house
> the SOA.
> While your company computer is not querying your SOA directly, the
> company internal DNS servers are acting as a proxy... in that they are
> going out and getting the info from the SOA for the domain you just
> asked to resolve... and that SOA is in on your plot to take over the
> world.
> In one direction you are querying, by way of the internal company
> DNSes, and in the other the replies come back to you, by way of the
> internal DNSes.
>
Right, but my internal DNS does not forward requests. It resolves for
mycorp.com and that's it. Everything else is dropped. The only servers
allowed to make outside lookups are the proxy servers, and they only
make lookups for http requests.

Interesting all the same though, I wonder what it would do
performance-wise. I'm going to have to play with it.

-ajb

--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
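The exchange above, as an added example that is not part of either message: a small in-process Python model of the tunnel Michael describes (data hidden in the query name of a zone whose authoritative server the attacker runs, relayed both ways by a recursing corporate resolver) beside the non-forwarding resolver ajb describes, which answers only its own zone and so never consults the attacker's server. The zone names (tunnel.example, mycorp.com), the address handed back for the corporate zone, the base32/TXT encoding and the log-heuristic thresholds are all assumptions chosen for illustration; nothing is sent on the wire.

```python
"""Toy model of the DNS tunnel discussed in the thread.  Every zone,
address and record here is made up for the example; no packets are sent."""
import base64
import math
from collections import Counter

TUNNEL_ZONE = "tunnel.example"  # hypothetical attacker-controlled zone
CORP_ZONE = "mycorp.com"        # the only zone the internal DNS answers for
MAX_LABEL = 63                  # RFC 1035 label limit
MAX_NAME = 253                  # RFC 1035 limit on a name in text form


def encode_query(payload: bytes, seq: int) -> str:
    """Pack outbound bytes into labels under TUNNEL_ZONE.

    base32 keeps the name inside the case-insensitive [a-z0-9] set that
    resolvers pass through unchanged; '=' padding is dropped here and
    restored by decode_query."""
    text = base64.b32encode(payload).decode("ascii").rstrip("=").lower()
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    qname = ".".join([f"s{seq}", *labels, TUNNEL_ZONE])
    if len(qname) > MAX_NAME:
        raise ValueError("payload does not fit in one query name")
    return qname


def decode_query(qname: str) -> tuple[int, bytes]:
    """Inverse of encode_query, run by the attacker's authoritative server."""
    labels = qname.lower().removesuffix("." + TUNNEL_ZONE).split(".")
    seq = int(labels[0][1:])
    text = "".join(labels[1:]).upper()
    text += "=" * (-len(text) % 8)
    return seq, base64.b32decode(text)


def attacker_authoritative(qname: str) -> list[str]:
    """The SOA that is 'in on the plot': reads the upstream data out of the
    name and hands downstream data back inside a TXT record."""
    seq, data = decode_query(qname)
    downstream = b"ack:%d:%d" % (seq, len(data))   # constructed reply
    return [base64.b64encode(downstream).decode("ascii")]


def internal_resolver(qname: str, recursion: bool) -> dict:
    """Model of the corporate DNS.  recursion=True is the server Michael
    describes (finds whoever is authoritative and relays both directions);
    recursion=False is ajb's (answers CORP_ZONE, refuses everything else)."""
    if qname.endswith("." + CORP_ZONE):
        return {"rcode": "NOERROR", "answer": ["10.0.0.5"]}  # constructed
    if not recursion:
        return {"rcode": "REFUSED", "answer": []}
    # A real recursor walks from the roots to the zone's servers; the
    # suffix check stands in for that delegation chase.
    if qname.endswith("." + TUNNEL_ZONE):
        return {"rcode": "NOERROR", "answer": attacker_authoritative(qname)}
    return {"rcode": "NXDOMAIN", "answer": []}


def tunnel_roundtrip(payload: bytes, recursion: bool, seq: int = 1):
    """Client side: one upstream query; returns the downstream bytes, or
    None when the resolver will not relay."""
    resp = internal_resolver(encode_query(payload, seq), recursion)
    if resp["rcode"] != "NOERROR":
        return None
    return base64.b64decode(resp["answer"][0])


def shannon_entropy(text: str) -> float:
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_like_tunnel(qname: str, zone_labels: int = 2) -> bool:
    """Cheap query-log heuristic: strip the registrable zone (assumed to be
    the last zone_labels labels) and flag long, high-entropy remainders.
    The thresholds are illustrative, not tuned."""
    data = "".join(qname.lower().split(".")[:-zone_labels])
    return len(data) >= 40 and shannon_entropy(data) > 3.5


if __name__ == "__main__":
    secret = b"fileserver01 shares: finance, hr"   # constructed payload
    q = encode_query(secret, 7)
    print("upstream query   :", q)
    print("relaying resolver:", tunnel_roundtrip(secret, True, 7))
    print("ajb's resolver   :", tunnel_roundtrip(secret, False, 7))
    print("flagged          :", looks_like_tunnel(q), looks_like_tunnel("www.mycorp.com"))
```

Run it and the relaying resolver returns the attacker's acknowledgement while the non-recursing one returns None; the entropy check at the end is the kind of thing worth running over a recursing resolver's query log, since a tunnel needs many long, random-looking names to move any real volume.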
