DNS Question

Mmartin_47 Member Posts: 430
Currently have a Windows Server 2003 machine running as a DNS server and a Windows Vista machine.

Set up a stub zone on my server, for example yahoo.com.
Ran nslookup set type=ns and pulled all the name server IP addresses.
Created a stub zone named yahoo.com and entered the name server IPs for the master servers.

Set my Vista machine's DNS address to my Windows Server 2003's IP.

Question is, why am I still able to browse to other sites? I flushed the DNS cache locally. Shouldn't I not be able to access other sites besides yahoo.com?

Just saw that in CBT Nuggets and wanted to give it a shot.

Comments

    Essendon Member Posts: 4,546
    Just clearing the DNS cache doesn't stop you from accessing websites. When you clear the cache, it takes just a little bit longer for the host name to be resolved into an IP address, and the cache gets built again.

    Perhaps, I misunderstood your question? Are you referring to using ipconfig /flushdns or just deleting the cache.dns file?
    NSX, NSX, more NSX..

    Blog >> http://virtual10.com
    Mmartin_47 Member Posts: 430
    MobilOne wrote:
    Just clearing the DNS cache doesn't stop you from accessing websites. When you clear the cache, it takes just a little bit longer for the host name to be resolved into an IP address, and the cache gets built again.

    Perhaps, I misunderstood your question? Are you referring to using ipconfig /flushdns or just deleting the cache.dns file?

    ipconfig /flushdns

    Let me restate my question, here's what I got.
    1) DNS server running 2003 with 192.168.1.1 gateway.
    2) Vista Home Premium with DNS server set to my 2003 server, also with 192.168.1.1 gateway.

    Ran nslookup set type=ns
    Created a stub zone on my DNS server for example yahoo.com by using their name servers' IPs.
    Now I try to access other websites on my Vista machine besides yahoo.com and it works. Why is that? Is it because I have my gateway configured? I thought only yahoo.com is supposed to be resolved, no other sites.
    Essendon Member Posts: 4,546
    Of course you can access other websites other than yahoo.com (with or without stub zones). Consider this, why would you create a stub zone? You create these to conserve bandwidth because you don't have to query a root server all the way to the host that you want.

    So if you didn't configure a stub for let's say ibm.com, you would query the root servers to get to www.ibm.com. So you're still able to access sites that you don't have a stub for.

    From what I have learned so far, a local secondary server would be better than a stub zone,
    because you wouldn't have to query the remote server across the WAN link (thus conserving bandwidth). The local secondary server would already have the dns information you need to access a site.

    Hope this makes things better.
    dynamik Banned Posts: 12,312
    If it doesn't have a record for it, it's just going to go out to the root servers and look for it that way. You can disable recursion, make your server a root server, or delete all the root servers if you don't want that behavior.

    This article provides a good look at how dns works: http://technet2.microsoft.com/windowsserver/en/library/e1fe9dff-e87b-44ae-ac82-8e76d19d9c371033.mspx?mfr=true
    Mmartin_47 Member Posts: 430
    MobilOne wrote:
    Of course you can access other websites other than yahoo.com (with or without stub zones). Consider this, why would you create a stub zone? You create these to conserve bandwidth because you don't have to query a root server all the way to the host that you want.

    So if you didn't configure a stub for let's say ibm.com, you would query the root servers to get to www.ibm.com. So you're still able to access sites that you don't have a stub for.

    From what I have learned so far, a local secondary server would be better than a stub zone,
    because you wouldn't have to query the remote server across the WAN link (thus conserving bandwidth). The local secondary server would already have the dns information you need to access a site.

    Hope this makes things better.

    I see, to prevent clients from querying root, I just delete the root hints file?
    Essendon Member Posts: 4,546
    Mmartin_47 wrote:
    I see, to prevent clients from querying root, I just delete the root hints file?

    Only if you are configuring a root "." DNS server.
    Mmartin_47 Member Posts: 430
    MobilOne wrote:
    Mmartin_47 wrote:
    I see, to prevent clients from querying root, I just delete the root hints file?

    Only if you are configuring a root "." DNS server.

    Can stub zones be used to prevent internal clients from accessing sites?
    Essendon Member Posts: 4,546
    Nope, I don't think you can use them as a firewall. Maybe some DNS God has been able to do so!

    Stub zones:

    1. Make name resolution more efficient, by reducing the number of hops between name servers.
    2. Keep zone delegation information up-to-date.

    Have a read of this, top article.

    http://www.windowsnetworking.com/articles_tutorials/DNS_Stub_Zones.html
    Essendon Member Posts: 4,546
    In addition, if you deleted the root hints file, the clients just don't have a starting point to access something they want to (if it's not in the cache).
    undomiel Member Posts: 2,818
    If you wanted to use DNS to block a certain domain then you could set up a conditional forwarder for that domain and point it to nowhere. Then whenever they attempt to look up that domain it will dead end.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
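The lookup order the replies above describe (stub zone first, conditional forwarder next, root hints last, and nothing at all when recursion is off or the root hints are gone) is easier to see in code than in prose. The following is an added example for this thread, not code from any poster: a toy model of a caching DNS server such as the Windows Server 2003 DNS service. Every zone, address and the simulated "Internet" are constructed (RFC 5737 documentation ranges), the real root -> TLD -> authoritative referral chain is collapsed into one hop, and the conditional forwarder is modelled as one with "do not use recursion for this domain" set, which is what makes it a dead end rather than falling back to the root hints.

```python
"""Toy model of the lookup order a caching DNS server follows.

Added example for this thread, not code from any poster. All names,
addresses and the NETWORK table are constructed; the root/TLD referral
chain is collapsed into a single stand-in server.
"""
from dataclasses import dataclass, field

# Constructed "Internet": server IP -> the names it can answer for.
NETWORK = {
    "198.51.100.10": {"www.yahoo.com": "198.51.100.80"},   # yahoo.com master (stub target)
    "203.0.113.53":  {"www.yahoo.com": "198.51.100.80",    # stand-in for root -> TLD -> auth chain
                      "www.ibm.com": "203.0.113.80"},
    # 192.0.2.1 is deliberately absent: a forwarder that points "nowhere".
}


def upstream(ip, name):
    """Simulate asking another server; None means no usable answer came back."""
    return NETWORK.get(ip, {}).get(name)


def longest_match(mapping, name):
    """Most specific configured domain that `name` falls under, or None."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in mapping:
            return candidate
    return None


@dataclass
class DnsServer:
    primary: dict = field(default_factory=dict)     # zone -> {name: address}
    stub: dict = field(default_factory=dict)        # zone -> [master IPs]
    forwarders: dict = field(default_factory=dict)  # domain -> [IPs] (conditional forwarder)
    root_hints: list = field(default_factory=list)
    recursion: bool = True
    cache: dict = field(default_factory=dict)

    def resolve(self, name):
        """Return (how the answer was found, address or None)."""
        name = name.rstrip(".").lower()
        if name in self.cache:
            return "cache", self.cache[name]
        zone = longest_match(self.primary, name)
        if zone is not None:                       # authoritative: answer or NXDOMAIN
            addr = self.primary[zone].get(name)
            return ("authoritative", addr) if addr else ("nxdomain", None)
        stub = longest_match(self.stub, name)
        if not self.recursion:
            # Recursion off: hand back what we already hold (a referral to the
            # stub zone's name servers) or refuse; never chase the answer.
            return ("referral", self.stub[stub]) if stub else ("refused", None)
        if stub is not None:                       # stub zone: go straight to the masters
            for master in self.stub[stub]:
                addr = upstream(master, name)
                if addr:
                    self.cache[name] = addr
                    return "stub", addr
            return "servfail", None
        fwd = longest_match(self.forwarders, name)
        if fwd is not None:
            # Modelled with "do not use recursion for this domain" set:
            # if no forwarder answers there is no fallback to the root hints.
            for ip in self.forwarders[fwd]:
                addr = upstream(ip, name)
                if addr:
                    self.cache[name] = addr
                    return "forwarder", addr
            return "servfail", None                # dead end
        if not self.root_hints:                    # no root hints: no starting point at all
            return "servfail", None
        for root in self.root_hints:
            addr = upstream(root, name)
            if addr:
                self.cache[name] = addr
                return "root-hints", addr
        return "servfail", None


def lab_server(**overrides):
    """The thread's setup: a stub zone for yahoo.com plus normal root hints."""
    cfg = dict(stub={"yahoo.com": ["198.51.100.10"]}, root_hints=["203.0.113.53"])
    cfg.update(overrides)
    return DnsServer(**cfg)


if __name__ == "__main__":
    s = lab_server()
    print(s.resolve("www.yahoo.com"))  # ('stub', '198.51.100.80')
    print(s.resolve("www.ibm.com"))    # ('root-hints', '203.0.113.80'): the stub zone blocks nothing
    print(lab_server(recursion=False).resolve("www.ibm.com"))  # ('refused', None)
    print(lab_server(root_hints=[]).resolve("www.ibm.com"))    # ('servfail', None)
    print(lab_server(forwarders={"ibm.com": ["192.0.2.1"]}).resolve("www.ibm.com"))  # ('servfail', None)
```

Running it reproduces the thread's points in order: with only the yahoo.com stub zone, www.ibm.com still resolves through the root hints; turning recursion off or emptying the root hints stops that for every name the server is not authoritative for; and a conditional forwarder for ibm.com pointed at an unreachable address dead-ends that one domain while leaving everything else alone.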
    dynamik Banned Posts: 12,312
    Better yet, set up a zone for it and forward it to a site that pays for referrals, so you can make some $$$