
List:       focus-ms
Subject:    RE: MS DNS and AD question
From:       "Jim Harrison (SPG)" <jmharr () microsoft ! com>
Date:       2001-10-26 20:47:13

Hi James,

My first question would be "why is your AD anywhere near the
Internet?" ...but ignoring that for the moment, you can separate your
internal and external zones without special security settings in two
ways:
1. Create your internal zone as a logical subzone of your external
(int.domain.tld)
2. Create (and register) an entirely separate zone for the AD and its
children

Do you need to provide zone transfers to external folks at all?

* Jim Harrison 
MCP(NT4, 2K), A+, Network+



-----Original Message-----
From: James Fullerton [mailto:James@RS25.com] 
Sent: Friday, October 26, 2001 08:40
To: focus-ms@securityfocus.com
Subject: MS DNS and AD question


I'm using MS DNS and AD, and AD publishes my internal IP addresses to
anyone who wants to see them (using nslookup for example).  I would like
to prevent that from happening, and keep my internal IP addresses hidden
(i.e., 10.0.0.2 should not be visible).  Short of setting up separate
internal and external DNS servers, can this be done?  If so, can someone
please direct me to directions or provide details?

Microsoft's weak answer:
It is possible to keep the two zones on one server and to integrate the
zone with the Active Directory security features. With proper access
control to the DNS files in Active Directory, one might be able to
restrict internal DNS queries to authenticated users only.  However, we
have not verified this solution. The complexity of this solution would
require extensive testing to ensure proper settings are being made and
no internal information is being erroneously exported to the Internet.

Thanks,


James F
James@RS25.com
(303) 913 - 6998
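An added check, not part of the original thread: the script below scans dig-style answer lines obtained from an external resolver and flags records whose address falls in the RFC 1918 (or IPv6 ULA) ranges James wants to keep hidden, such as 10.0.0.2. The hostnames and addresses in the sample are constructed for this example.

```python
import ipaddress
import re

# Constructed sample of answer lines in the format produced by
# "dig @<external-ns> domain.tld ANY +noall +answer"; every name and
# address here is made up for the example.
SAMPLE_ANSWERS = """\
www.domain.tld.            3600  IN  A     203.0.113.10
mail.domain.tld.           3600  IN  A     203.0.113.25
dc01.int.domain.tld.        600  IN  A     10.0.0.2
_ldap._tcp.int.domain.tld.  600  IN  SRV   0 100 389 dc01.int.domain.tld.
fileserver.domain.tld.     3600  IN  A     192.168.5.20
"""

# Address blocks that should never appear in answers served to the Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "fc00::/7",                                       # IPv6 unique local
)]

# owner  ttl  IN  A|AAAA  address   (other record types carry no address)
RECORD_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|AAAA)\s+(\S+)$")


def is_internal_address(addr):
    """True if addr parses as an IP inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def find_private_leaks(answer_text):
    """Return (owner, address) pairs for A/AAAA records exposing internal IPs."""
    leaks = []
    for line in answer_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        owner, _rtype, addr = m.groups()
        if is_internal_address(addr):
            leaks.append((owner, addr))
    return leaks


if __name__ == "__main__":
    for owner, addr in find_private_leaks(SAMPLE_ANSWERS):
        print(f"LEAK: {owner} -> {addr}")
```

Run it against answers captured from a resolver outside the network; an empty result after the zones are split is the confirmation James is after.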
