So far the solutions proposed are ineffective in the given situation.

Disabling UDP53 at the router level will stop recursion completely from the
server if emplaced at or above the network that the server resides on.

Configuring the forwarders is executed at the server level and at the zone
level for individual domains. Thus, it does not provide the granular
selectivity that you are looking for.

At this point in time, the Microsoft implementation of DNS does not include
specific settings for how to configure one set of client request sources in
a different manner than any other request made to the server by the
infrastructure. Thus, in order to setup this kind of partitioning, your
solution is ultimately going to involve either using a different DNS
implementation such as Bind (which I am not fully aware of all the
capabilities that Bind offers along these lines) or in deploying a second,
parallel instance of DNS in the environment. There are two levels that you
can do this at depending on your network infrastructure implementation.

The first is to deploy a DNS server with forwarders enabled on the given
subnet that needs to be able to make the resolution. The general DNS server
to which everyone else sends resolution requests is not forwarder enabled.

The second (and the preferred for enterprise environments) is to deploy both
DNS servers in the infrastructure space and then using routing rules to
specify access to the DNS server of your choice, modifying DHCP and static
DNS assignments as necessary to refer to the correct host.

Wayne S. Anderson
------------------------------------
"Any sufficiently developed bug is indistinguishable
from a feature."

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On
Behalf Of Dave L
Sent: Wednesday, November 15, 2006 8:55 AM
To: 'dubaisans dubai'; focus-ms (at) securityfocus (dot) com [email concealed]
Subject: RE: DNS recursive

If you are talking about limiting the DNS server's
ability to perform recursive queries, this might help:

In the Windows 2000 DNS server, right click on the
server and select properties. Once there select the
"Forwarders" tab. Enable forwarders and key in the
hosts you would like to use, and then put a check in
the "Do not use recursion" box.

> > -----Original Message-----
> > From: listbounce (at) securityfocus (dot) com [email concealed]
> > [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of
> dubaisans dubai
> > Sent: Monday, November 13, 2006 4:16 AM
> > To: focus-ms (at) securityfocus (dot) com [email concealed]
> > Subject: DNS recursive
> >
> > > On Windows 200/2003 is it possible to restrict
> DNS
> > recursive queries
> > > to only a specific subnet of IP addresses
> > >
> >
> >
>
--------------------------------------------------------------
> > -------------
> >
>
--------------------------------------------------------------
> > -------------
> >
>
>
>
------------------------------------------------------------------------
---
>
------------------------------------------------------------------------
---
>
>

________________________________________________________________________
____
________
Sponsored Link

$200,000 mortgage for $660/ mo -
30/15 yr fixed, reduce debt -
http://yahoo.ratemarketplace.com

------------------------------------------------------------------------
---
------------------------------------------------------------------------
---

------------------------------------------------------------------------
---
------------------------------------------------------------------------
---

[ reply ]