DNS

[Aaron]

Hi everyone

Just want to check something which is on our server but to be honest i am not fully sure if it should even be there. On my DNS server under forward lookup zone i have two zones one is my Domain and the other is _msdcs.domain.com i am not even sure were this came from the _msdcs one? Can anyone tell me should it even be there or should it not just be my Domain under the forward lookup zone.

I have attached a print screen which what i have hopefully someone can tell me if i even need this.

Thank you

[srochford]

It's put there by active directory and it's needed for machines to log on, find domain controllers, global catalogs etc.

It's also why you must never, ever give out your external (ISP) DNS to a workstation - if the workstation uses that rather than the internal DNS it won't be able to find the servers and all sorts of things go wrong :-)

[powdarrmonkey]

do you realise how wrong it is to use a valid second-level domain that you don't own as an internal name?

[SC-UK]

do you realise how wrong it is to use a valid second-level domain that you don't own as an internal name?

Just what I was thinking!

Quite surprised it hasn't caused any issues - even massive log on times as everything will surely be trying to qualify over the net?

Tom

[powdarrmonkey]

Just what I was thinking!
Quite surprised it hasn't caused any issues - even massive log on times as everything will surely be trying to qualify over the net?

No, you're thinking the problem backwards. Any resolution of school.com inside will only ever return local records, not the ones published by the legitimate registrant of the domain.

It reminds me of the problem faced by an organisation I shall not name who just picked a range of public IPs for their internal scope, instead of requesting a proper range from IANA or using a private range. Then they leased a handful of dedicated servers in a datacentre, and by complete chance they were allocated the same range as they had picked for internal machines. Result: had to totally redesign their internal range because they couldn't route to their shiny new (and very expensive) dedicated rack.

[Aaron]

i dont understand guys explain it to me again have i this all wrong? our logon times are very quick down to around less than 10seconds with local profiles and the only issue would be startup times.

But have i done something wrong in setting the DNS up the way i have it?

[Aaron]

All the workstations at the moment from what i can see are getting their DNS settings from the main DNS server which is fine i logged onto a group of workstations and run the ipconfig /all to make sure they were getting the DNS off the main server and also DHCP off the server and everything has come back correct

[Aaron]

I didnt think there was an issue with the Domain name as this was the name originally set up with the old severs years ago i have just taken the settings from them (these go back YEARS) and added them to ours settings like Domain name and DNS server addresses? i didnt think there was an issue using this as this is how it was set up for us originally?

[powdarrmonkey]

Forget the slow logon times, it was a red herring. The problem is that your DNS domain is school.com which, unless your name is "Office Depot, Inc." is not registered to you on the global Internet, nor do you control it. Within your network, that's only really a problem if you want to visit School Supplies: Teachers & Classroom Supplies at Office Depot (or any other related address), since it'll resolve (or not) to an internal address, which will probably tell you to go away.

However, it's a significant vulnerability because according to the rest of the world, you don't control it. One example: imagine a laptop taken outside and connected to the internet at home:

1. Internet Exploder tries to do automatic proxy detection and requests wpad.school.com (WPAD)
2. a rogue administrator at Office Depot, Inc notices your DNS requests and decides to make it resolve to a server, so your browser requests /wpad.dat from it
3. rogue configures the browser with /wpad.dat to use his proxy server, and IE happily fetches it and acts on the contents
4. now all your traffic belongs to him, including passwords, credit card details, etc. User doesn't notice because, let's face it, they don't

Seems innocuous enough until you look at it like that.

[Aaron]

I am going to take you advice and change the Domain over the summer thank you for getting back to me about this