appropriate. I've never done this myself, but I'm pretty sure it will work.

On the DNS server (or view) that is seen on the unprivileged LAN, create a master root zone with a wildcard A record pointing to your default web server. Then create a forward zone named windowsupdate.com pointing to another name server that you control, that doesn't have the bogus master root zone. I *believe* the presence of this forward zone will override the wildcard A record in the root zone. You may need to create other exceptions in similar fashion, for other domains, such as windowsupdate.microsoft.com.

Chris Buxton
Professional Services
Men & Mice
Address: Noatun 17, IS-105, Reykjavik, Iceland
Phone: +354 412 1500
Email: cbuxton
www.menandmice.com

Men & Mice
We bring control and flexibility to network management

This e-mail and its attachments may contain confidential and privileged information only intended for the person or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any retention, dissemination, distribution or copying of this e-mail is strictly prohibited. If you have received this e-mail in error, please notify us immediately by reply e-mail and immediately delete this message and all its attachments.

On Nov 29, 2007, at 2:52 AM, Alex Sharaz wrote:

> Chaps,
>
> Looking for a bit of advice / pointers to appropriate web pages.
>
> We are currently running a pilot 802.1x authenticated wired network in one of our halls of residence. Basically, if authentication works, the client system is placed in a VLAN that has a "less restrictive" set of firewall rules associated with it. If authentication fails, the client machine is placed in a seriously restricted VLAN that blocks all access to the outside world and only allows access to certain HTTP hosts on our network.
>
> One of the problems we've got is that there are a lot of systems out there that have never seen a Windows update, and we'd like to configure things so that even if a user is on our restricted VLAN they can access the Windows Update site. I can use our DHCP server to hand out a different DNS server IP address to any system on the restricted network.
>
> What I'd like to do then is either restrict or alter what the DNS server returns to the client. E.g.:
>
> 1). Running Windows Update on the client machine will correctly return IP addresses for the Microsoft update service and "just work".
>
> 2). Resolution of a number of local machines will "just work".
>
> 3). All other attempts to resolve a FQDN into an IP address return a single local IP address associated with a particular web server on our network.
>
> Any suggestions as to how I might do this using BIND 9.4.1-P1, which is what I'm currently running, would be appreciated.
>
> Alex
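The recipe Chris describes, written out as a BIND configuration for the server address the restricted DHCP scope hands out, is given below as an added example; it is not from the thread and was not posted by either participant. It covers all three of Alex's requirements: a master root zone whose wildcard catches everything (3), forward zones for the two Windows Update domains named in the thread (1), and a forward zone for the local campus domain (2). BIND resolves a name from the most specific zone configured for it, so a forward zone sitting below the bogus root zone is consulted instead of the root wildcard for any name at or under it. Every address, network, file name, the domain `campus.example` and the SOA values are assumptions chosen for the example.

```conf
// ---- named.conf fragment (assumed values, not from the thread) ----
//   198.51.100.0/24  restricted (captive) VLAN
//   192.0.2.2        address of this BIND instance, handed out by the
//                    restricted DHCP scope
//   192.0.2.10       default web server that every other name resolves to
//   192.0.2.3        second resolver you control, with no bogus root zone,
//                    that resolves the real Internet normally
acl restricted { 198.51.100.0/24; };

view "captive" {
    match-clients      { restricted; };
    match-destinations { 192.0.2.2; };

    // Forward zones are serviced by the recursive code path, so recursion
    // must be enabled and allowed for these clients or the exceptions
    // below fail instead of returning the real answers.
    recursion yes;
    allow-recursion { restricted; };

    // Catch-all: an authoritative root zone whose wildcard answers every
    // name that is not covered by a more specific zone in this view.
    zone "." {
        type master;
        file "captive-root.db";
    };

    // Exceptions: names at or below these zones are forwarded to the clean
    // resolver rather than synthesised from the wildcard. "forward only"
    // stops BIND from falling back to its own recursion (which, with a
    // local root zone, could only land back on the wildcard) if 192.0.2.3
    // does not answer.
    zone "windowsupdate.com" {
        type forward;
        forward only;
        forwarders { 192.0.2.3; };
    };
    zone "windowsupdate.microsoft.com" {
        type forward;
        forward only;
        forwarders { 192.0.2.3; };
    };

    // Local machines that must "just work": forward the (assumed) campus
    // domain to the same clean resolver. A slave copy of the zone held in
    // this view would do equally well.
    zone "campus.example" {
        type forward;
        forward only;
        forwarders { 192.0.2.3; };
    };
};

; ---- captive-root.db: bogus root zone for the captive view ----
; Short TTL so a client keeps the wildcard answer only briefly once it
; authenticates and moves to the normal VLAN.
$TTL 60
$ORIGIN .
@           IN SOA   localhost. hostmaster.localhost. (
                        2007112901  ; serial (assumed)
                        3600        ; refresh
                        900         ; retry
                        604800      ; expire
                        60 )        ; negative-cache TTL
@           IN NS    localhost.
localhost.  IN A     127.0.0.1
; Wildcard: synthesised for any name whose closest existing ancestor in this
; zone is the root itself. The only other node in the zone is localhost., so
; names under localhost. are the one thing the wildcard does not cover
; (RFC 4592 wildcard rules); keep the zone this small for that reason.
*           IN A     192.0.2.10
```

Check the files with `named-checkconf` and `named-checkzone . captive-root.db`, then test from the restricted VLAN: `dig @192.0.2.2 www.example.net A` should return 192.0.2.10, while `dig @192.0.2.2 windowsupdate.com A` should return the real records obtained through 192.0.2.3 (which must itself allow recursion from 192.0.2.2). Two caveats: the answer for the forwarded names is only useful if the restricted VLAN's firewall also permits HTTP to those real addresses, since the VLAN as described blocks all outside access; and the catch-all web server has to answer for whatever Host header the client sends, because every hijacked name lands on it.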
© 2004-2008 readlist.com