Windows Server 2008 Thread: DNS (Technical)
#1 Aaron

    DNS

    Hi everyone

    Just want to check something which is on our server, but to be honest I am not fully sure if it should even be there. On my DNS server, under forward lookup zones, I have two zones: one is my domain and the other is _msdcs.domain.com. I am not even sure where the _msdcs one came from. Can anyone tell me whether it should even be there, or whether it should not just be my domain under the forward lookup zone?

    I have attached a print screen of what I have; hopefully someone can tell me if I even need this.

    Thank you
    Last edited by Aaron; 23rd February 2010 at 06:54 PM.

#2 srochford
    It's put there by active directory and it's needed for machines to log on, find domain controllers, global catalogs etc.

    It's also why you must never, ever give out your external (ISP) DNS to a workstation - if the workstation uses that rather than the internal DNS it won't be able to find the servers and all sorts of things go wrong :-)

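As an added example, not posted by anyone in this thread: the records Active Directory registers under _msdcs.<domain> are the DC-locator SRV records, which is why the zone has to exist. The PowerShell below resolves the ones a logon depends on (any DC, a KDC, a global catalog, the PDC emulator) and then lists each adapter's configured DNS servers, flagging any that is not an RFC 1918 or loopback address, which is the "ISP DNS handed to a workstation" mistake described above. It assumes the DnsClient cmdlets (Windows 8 / Server 2012 or later; on Server 2008 itself the equivalent checks are `nslookup -type=SRV` and `ipconfig /all`) and takes the domain from $env:USERDNSDOMAIN, so it should be run as a domain user on a domain-joined machine.

```powershell
# Added example: verify the AD DC-locator SRV records under _msdcs.<domain> resolve,
# and confirm each NIC points only at internal DNS servers.
# Assumes the DnsClient module (Windows 8 / Server 2012+); domain from the logon session.
param(
    [string]$Domain = $env:USERDNSDOMAIN
)

# These are the records Active Directory registers under _msdcs; clients query them
# to find domain controllers, KDCs and global catalogs during logon.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",      # any domain controller (LDAP)
    "_kerberos._tcp.dc._msdcs.$Domain",  # KDC on a domain controller
    "_ldap._tcp.gc._msdcs.$Domain",      # global catalog server
    "_ldap._tcp.pdc._msdcs.$Domain"      # PDC emulator
)

function Test-MsdcsRecords {
    param([string[]]$Names)
    foreach ($name in $Names) {
        try {
            # -ErrorAction Stop turns NXDOMAIN into an exception we can report as "not found"
            $rr = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                  Where-Object { $_.Type -eq 'SRV' }   # drop the additional A records
            foreach ($r in $rr) {
                [pscustomobject]@{ Record = $name; Target = $r.NameTarget; Port = $r.Port; Found = $true }
            }
        } catch {
            [pscustomobject]@{ Record = $name; Target = $null; Port = $null; Found = $false }
        }
    }
}

function Test-IsInternalIPv4 {
    param([string]$Address)
    # RFC 1918 (10/8, 172.16/12, 192.168/16) or loopback (a DC pointing at itself)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne 'InterNetwork') { return $false }
    $b = $ip.GetAddressBytes()
    return (
        ($b[0] -eq 10) -or
        ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
        ($b[0] -eq 192 -and $b[1] -eq 168) -or
        ($b[0] -eq 127)
    )
}

function Test-ClientDnsServers {
    # Any server flagged Internal = False is a resolver that cannot answer for _msdcs,
    # so a client using it will fail to locate a domain controller.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object {
            foreach ($srv in $_.ServerAddresses) {
                [pscustomobject]@{
                    Interface = $_.InterfaceAlias
                    DnsServer = $srv
                    Internal  = Test-IsInternalIPv4 $srv
                }
            }
        }
}

Test-MsdcsRecords -Names $srvNames | Format-Table -AutoSize
Test-ClientDnsServers | Format-Table -AutoSize
```

A missing SRV record here usually means a domain controller has not registered (restart the Netlogon service on that DC, or run `nltest /dsregdns`); a DNS server flagged Internal = False on a workstation is the misconfiguration srochford warns about and should be corrected in DHCP rather than per machine.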

#3 powdarrmonkey
    Do you realise how wrong it is to use a valid second-level domain that you don't own as an internal name?

#4 SC-UK
    Quote, originally posted by powdarrmonkey:
        Do you realise how wrong it is to use a valid second-level domain that you don't own as an internal name?
    Just what I was thinking!

    Quite surprised it hasn't caused any issues - even massive log on times as everything will surely be trying to qualify over the net?

    Tom

#5 powdarrmonkey
    Quote, originally posted by SC-UK:
        Just what I was thinking!
        Quite surprised it hasn't caused any issues - even massive log on times as everything will surely be trying to qualify over the net?
    No, you're thinking the problem backwards. Any resolution of school.com inside will only ever return local records, not the ones published by the legitimate registrant of the domain.

    It reminds me of the problem faced by an organisation I shall not name who just picked a range of public IPs for their internal scope, instead of requesting a proper range from IANA or using a private range. Then they leased a handful of dedicated servers in a datacentre, and by complete chance they were allocated the same range as they had picked for internal machines. Result: had to totally redesign their internal range because they couldn't route to their shiny new (and very expensive) dedicated rack.
    Last edited by powdarrmonkey; 23rd February 2010 at 03:40 PM.

#6 Aaron
    I don't understand, guys. Explain it to me again: have I got this all wrong? Our logon times are very quick, down to around less than 10 seconds with local profiles, and the only issue would be startup times.

    But have I done something wrong in setting the DNS up the way I have it?

#7 Aaron
    All the workstations at the moment, from what I can see, are getting their DNS settings from the main DNS server, which is fine. I logged onto a group of workstations and ran ipconfig /all to make sure they were getting DNS off the main server and also DHCP off the server, and everything has come back correct.

#8 Aaron
    I didn't think there was an issue with the domain name, as this was the name originally set up with the old servers years ago. I have just taken the settings from them (these go back YEARS) and added them to our settings, like domain name and DNS server addresses. I didn't think there was an issue using this, as this is how it was set up for us originally.

#9 powdarrmonkey
    Forget the slow logon times; it was a red herring. The problem is that your DNS domain is school.com which, unless your name is "Office Depot, Inc.", is not registered to you on the global Internet, nor do you control it. Within your network, that's only really a problem if you want to visit School Supplies: Teachers & Classroom Supplies at Office Depot (or any other related address), since it'll resolve (or not) to an internal address, which will probably tell you to go away.

    However, it's a significant vulnerability because according to the rest of the world, you don't control it. One example: imagine a laptop taken outside and connected to the internet at home:

    1. Internet Exploder tries to do automatic proxy detection and requests wpad.school.com (WPAD).
    2. A rogue administrator at Office Depot, Inc. notices your DNS requests and decides to make it resolve to a server, so your browser requests /wpad.dat from it.
    3. The rogue configures the browser with /wpad.dat to use his proxy server, and IE happily fetches it and acts on the contents.
    4. Now all your traffic belongs to him, including passwords, credit card details, etc. The user doesn't notice because, let's face it, they don't.

    Seems innocuous enough until you look at it like that.

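The scenario above turns on what the public Internet, not the internal DNS server, returns for names a Windows client synthesises from its DNS suffix. As powdarrmonkey notes in #5, querying from inside the network only ever returns local records, so the check has to be made against an outside resolver. The PowerShell below is an added example, not code from the thread: it asks a public resolver who is authoritative for the AD DNS name, then queries the WPAD host name and the DC-locator SRV records exactly as an off-network laptop would. 'school.com' (the thread's example) and 8.8.8.8 are illustrative assumptions; substitute your own AD DNS name and preferred resolver. It requires Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 or later).

```powershell
# Added example: ask a public resolver what an off-network client will be told
# for the names it looks up automatically under its DNS suffix.
# 'school.com' and 8.8.8.8 are assumptions for illustration.
function Get-PublicExposure {
    param(
        [Parameter(Mandatory)][string]$AdDnsDomain,
        [string]$PublicResolver = '8.8.8.8'
    )

    # Who is authoritative for the apex on the public Internet? If it is not you,
    # that party (or anyone who compromises them) answers every query below.
    $soa = Resolve-DnsName -Name $AdDnsDomain -Type SOA -Server $PublicResolver -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
    $authority = if ($soa) { $soa.PrimaryServer } else { '(no public SOA)' }

    # Names a client issues with no user action:
    #  - wpad.<suffix>: IE/WinHTTP proxy auto-detection then fetches http://wpad.<suffix>/wpad.dat
    #  - _msdcs SRV records: the DC locator asks for these on every logon attempt
    $autoNames = @(
        @{ Name = "wpad.$AdDnsDomain";                     Type = 'A'   },
        @{ Name = "_ldap._tcp.dc._msdcs.$AdDnsDomain";     Type = 'SRV' },
        @{ Name = "_kerberos._tcp.dc._msdcs.$AdDnsDomain"; Type = 'SRV' }
    )

    foreach ($q in $autoNames) {
        $answers = Resolve-DnsName -Name $q.Name -Type $q.Type -Server $PublicResolver -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq $q.Type }
        $targets = foreach ($a in $answers) {
            if ($a.Type -eq 'SRV') { "$($a.NameTarget):$($a.Port)" } else { $a.IPAddress }
        }
        $answerText = if ($targets) { $targets -join ', ' } else { '(none)' }

        [pscustomobject]@{
            Name            = $q.Name
            Type            = $q.Type
            PublicAuthority = $authority
            PublicAnswer    = $answerText
            Exposed         = [bool]$answers   # a third party controls what this client receives
        }
    }
}

Get-PublicExposure -AdDnsDomain 'school.com' | Format-Table -AutoSize
```

Any row with Exposed = True for a name you do not control is exactly the situation described in the post: a laptop off the internal network will send that query, and whoever runs the public zone decides what comes back. Renaming the domain, as Aaron decides to do below, is the real fix; until then, turning off "Automatically detect settings" in Internet Explorer through Group Policy removes the WPAD leg of the attack but does nothing about the DC-locator queries, which are still answered by the outside party.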

#10 Aaron
    I am going to take your advice and change the domain over the summer. Thank you for getting back to me about this.
