Best way to handle DNS

Nutter's Help Desk By Ron Nutter, NetworkWorld.com
May 02, 2005 12:05 AM ET

In doing a check of our DNS servers recently, I was surprised to find that they would resolve requests that weren't coming from our network. We have been experiencing some bandwidth congestion issues lately, and this might be part of the problem. We're using BIND on a Linux box for secondary DNS and Windows 2000 DNS for our primary external DNS servers. Our internal network points to our external servers for outside resolution. How can we still allow for our internal network to resolve outside systems but control what can be done from the outside world?
Via the Internet

This is where the choice of DNS implementation decides how much protection you can get. The first concern is recursion. When a server receives a query it cannot answer from its own zones or its cache, a recursive server chases the answer itself: it asks one of the root servers, which refers it to the servers for the top-level domain, which in turn refer it to the authoritative servers for the domain in question; the answer is cached and returned to the client. With recursion disabled, the server chases nothing. It answers only for zones it is authoritative for and, for anything else, sends back either a referral (the root servers it would have started from) or, in BIND 9, a REFUSED response. A server that recurses for anyone on the Internet is an open resolver: outsiders can consume its bandwidth and CPU, read back what is in its cache, and use it to reflect traffic at third parties, and every answer it fetches on their behalf is an opportunity to poison its cache. Traffic of that kind is a plausible contributor to the congestion you describe.
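The check the question opens with, written out as an added example (this is not code from the column): a small probe that asks a server a recursive question and reads back whether the server was willing to recurse. It speaks raw DNS over UDP using only the Python standard library, sets the RD (recursion desired) bit, and inspects the RA (recursion available) bit, the RCODE and the section counts of the reply. Run it from an address outside your network against each server; a correctly locked-down server answers REFUSED or clears RA and returns no answer records. The default server address and the probe name are assumptions, and the probe name must be outside the zones your server is authoritative for, since those are answered regardless of recursion.

```python
"""Probe a DNS server to see whether it recurses for the host you run this from.

Added example for the check described in the column, not the column's own code.
Sends an A query with RD set and classifies the reply from its RA bit, RCODE
and section counts. Server address and probe name are assumptions to replace.
"""
import random
import socket
import struct
import sys

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid, rd=True):
    """Encode a single A/IN question for `name`; flags 0x0100 is the RD bit."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # 1 question, no RRs
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(data, expected_txid):
    """Decode the 12-byte header of a reply into the fields the check needs."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    return {
        "qr": bool(flags & 0x8000),     # this is a response
        "rd": bool(flags & 0x0100),     # our RD bit echoed back
        "ra": bool(flags & 0x0080),     # server offers recursion to this client
        "rcode": RCODE_NAMES.get(rcode, str(rcode)),
        "answers": an,                  # records in the ANSWER section
        "authority": ns,                # records in the AUTHORITY section (a referral)
    }


def classify(resp):
    """Turn a parsed reply to an RD=1 query into a verdict."""
    if resp["rcode"] == "REFUSED":
        return "closed: server refused the query"
    if not resp["ra"]:
        return "closed: recursion not available to this client (referral at best)"
    if resp["answers"] > 0:
        return "OPEN: server recursed for this client"
    return "inconclusive: RA set but no answer records; try another name"


def probe(server, name="www.example.com", timeout=3.0):
    """Send one recursive query to `server` on UDP/53 and classify the reply."""
    txid = random.randrange(0, 0x10000)
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    resp = parse_response(data, txid)
    resp["verdict"] = classify(resp)
    return resp


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumption: local server
    result = probe(target)
    print(target, "->", result["verdict"], result)
```

Run it twice: once from an inside host, where the verdict should be OPEN, and once from an outside address, where it should be closed. A timeout on the outside run is not a pass; it usually means a firewall dropped the packet rather than that the server refused to recurse, so repeat the test against the address your external servers actually answer on.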

What you want is to allow recursive lookups for your internal network while refusing them for requests that come from outside it. The current version of BIND (9.3.1 at the time of writing) handles this directly with the allow-recursion option. Earlier versions can probably handle it to varying degrees; I only had BIND 9.3.1 set up in the lab. You define an Access Control List (acl) covering the address ranges your network uses and reference it from allow-recursion in the options block. That range will most likely be the public addresses assigned by your ISP, assuming you have a firewall between your network and the Internet and that your external DNS servers sit between the firewall and the router connecting you to the Internet, because the servers then see your internal clients with their translated public source addresses. Keep the list as tight as you can: any address that can reach the server with recursion allowed is inside your trust boundary. In going over the options in Windows 2000 DNS, I could only find the option to disable recursion in total but not a way to selectively allow it. One way around that limitation is to disable recursion entirely on the Windows 2000 server, so that it answers only for your own zones, and point the internal network at the BIND server for outside resolution.
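The BIND configuration the paragraph describes, as an added example rather than a fragment from the column. The addresses are placeholders from the documentation ranges: replace 203.0.113.0/24 with the public range your ISP assigned, 192.0.2.0/24 with any inside range that reaches the server without translation, and 198.51.100.10 with the address of the Windows 2000 primary. The zone name is an assumption as well.

```conf
// named.conf for an external secondary that recurses only for your own hosts.
// Added example; addresses and the zone name are assumptions to replace.

acl "trusted" {
    127.0.0.1;           // the server itself
    192.0.2.0/24;        // internal range seen untranslated (assumption)
    203.0.113.0/24;      // public range assigned by your ISP (assumption)
};

options {
    directory "/var/named";

    // Recurse only for hosts on the ACL. Everyone else gets REFUSED unless
    // the name is in a zone this server is authoritative for.
    allow-recursion { "trusted"; };

    // BIND 9.4 and later only: also keep outsiders out of the cache, so they
    // cannot read back what your own hosts have been looking up. Omit on 9.3.
    allow-query-cache { "trusted"; };

    // Authoritative data stays reachable from anywhere, which is the whole
    // point of an external server.
    allow-query { any; };
};

zone "example.com" {
    type slave;
    file "slave/example.com";
    masters { 198.51.100.10; };      // the Windows 2000 primary (assumption)
    allow-transfer { none; };        // nobody needs a full copy from the secondary
};
```

Check the file with named-checkconf before reloading with rndc reload, then verify from both sides with dig: from an inside host, `dig @<server> www.example.net` should return an ANSWER section with "ra" among the flags; from an outside address the same query should come back with status REFUSED and no "ra" flag, while a query for a name in example.com is still answered.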

I would strongly recommend getting a copy of DNS and BIND by Paul Albitz and Cricket Liu, published by O'Reilly. It is the best guide I have found for working with BIND and can answer a lot of your questions. Through www.isc.org you can also reach the ISC mailing lists, where you should be able to get any question you have about implementing BIND answered. Don't be surprised if the answer comes from one of the authors of DNS and BIND.
