Focus on Microsoft
DNS recursive Nov 13 2006 09:15AM dubaisans dubai (dubaisans gmail com) (1 replies)
RE: DNS recursive Nov 15 2006 04:12AM Laura A. Robinson (larobins bellatlantic net) (2 replies)
Re: DNS recursive Nov 15 2006 04:17PM Mailinglists Address (mailinglist expresshosting net) (1 replies)
wanted to add:
Since DNS servers listen and respond to UDP packets, they are highly
vulnerable to spoofing attacks. Using the IP address to limit access to
certain features certainly would not be effective. Since people often use
recursive DNS queries in DDoS attacks, it would be best to make a DNS server
that allows recursive queries only accessible to your trusted networks.
Of course, ingress filtering on your router or firewall will limit your
exposure and IP address restrictions certainly are better than placing an
open recursive DNS server on the internet but the point here is that DNS
servers cannot effectively rely on IP address restrictions on their own.
To answer your original question, although the built-in Windows DNS server
cannot do that, there is a product, Simple DNS Plus
(http://www.simpledns.com) that allows you to restrict recursive queries by
IP address. Just be careful how you use it.
Mark Burnett
-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On
Behalf Of Laura A. Robinson
Sent: Thursday, November 16, 2006 12:09 PM
To: 'SHON, DAN'; 'Mailinglists Address'; 'dubaisans dubai'
Cc: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: RE: DNS recursive
This could also be done with IPsec, but I'm curious as to what it is that
the OP wants to accomplish...
Laura
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed]
> [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of SHON, DAN
> Sent: Wednesday, November 15, 2006 12:34 PM
> To: Mailinglists Address; dubaisans dubai
> Cc: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: RE: DNS recursive
>
> You can always set up ACLs to block or allow UDP 53 on the router.
>
>
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed]
> [mailto:listbounce (at) securityfocus (dot) com [email concealed]]
> On Behalf Of Mailinglists Address
> Sent: Wednesday, November 15, 2006 8:18 AM
> To: 'dubaisans dubai'
> Cc: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: Re: DNS recursive
>
>
> >> -----Original Message-----
> >> From: listbounce (at) securityfocus (dot) com [email concealed]
> >> [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of dubaisans dubai
> >> Sent: Monday, November 13, 2006 4:16 AM
> >> To: focus-ms (at) securityfocus (dot) com [email concealed]
> >> Subject: DNS recursive
> >>
> >>
> >>> On Windows 200/2003 is it possible to restrict DNS recursive queries
> >>> to only a specific subnet of IP addresses
> >>>
> Coming in late on this thread, but according to everything I
> have read there is no way to restrict recursive lookups from
> a specific network using Microsoft DNS. You will need to use
> another DNS server software in order to accomplish this.
>
> I would recommend the win32 version of Bind9 as it has the
> functionality you are looking for.
>
> Tom Walsh
> Express Web Systems, Inc.
> http://www.expresswebsystems.com/
>
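Added example, not part of the original thread: a small check an administrator can run against their own DNS server, from an address outside the trusted networks, to confirm that recursion is actually refused there. The function names and return labels are hypothetical; the header layout and flag bits are those of RFC 1035.

```python
import os
import socket
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080  # DNS header flag bits (RFC 1035)
REFUSED = 5                           # RCODE sent when policy denies the query

def build_query(name, txid):
    """Build an A-record query for `name` with the recursion-desired bit set."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(resp, txid):
    """Classify the reply to a query for a name the server is NOT authoritative for."""
    if len(resp) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", resp[:4])
    if rid != txid or not (flags & QR):      # wrong transaction ID or not a response
        return "malformed"
    if (flags & 0x000F) == REFUSED:          # server rejected the query by policy
        return "refused"
    # RA set means the server offers recursion to this client address.
    return "recursion-available" if flags & RA else "no-recursion"

def probe(server, name, timeout=3.0):
    """Send one UDP query to a server you administer and classify the reply."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        try:
            resp, _ = s.recvfrom(512)
        except socket.timeout:
            return "no-reply"
    return classify_response(resp, txid)

if __name__ == "__main__":
    # Constructed 12-byte reply headers (not captured traffic), transaction ID 7.
    samples = {"resolver that recurses": QR | RD | RA,
               "resolver that refuses": QR | RD | REFUSED,
               "authoritative-only server": QR | RD}
    for label, flags in samples.items():
        reply = struct.pack("!HHHHHH", 7, flags, 1, 0, 0, 0)
        print(f"{label}: {classify_response(reply, 7)}")
```

A result of "recursion-available" from outside the trusted networks means the server is still acting as an open recursive resolver there; from inside, it is the expected result.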