BIND 8.2.2P5, Windows 2000, and security

Tim Maestas tmaestas at idc.dhs.org
Tue May 2 08:13:42 UTC 2000



We are (beginning) to support a W2k environment using BIND dns servers.
There is no reason that I can think of, or that we have run across, that
should require you to allow updates from workstations.  In fact, part of
the requirements that we (the infrastructure group) are passing to the
workstation build team, is the disabling on all workstations of automatic
forward and reverse zone updates.  Domain controllers we will allow to
update, as they need to update all their SRV records.  But that's it.
Period.  Our DHCP servers will be the only servers to dynamically update
DNS, and those only under tightly controlled prerequisites.

-Tim
 

On Mon, 1 May 2000, Delmer Harris wrote:

> I am running 8.2.2P5 on Solaris 2.7 in a test setup, trying to support Windows
> 2000 for our server development group.  I have allowed updates from the domain
> controllers and thought all was well.  Now the Windows 2000 server group tells
> me I must allow updates from all workstations as well.  This goes against my
> security instincts, as I don't trust all the workstations on our network.
> 
> My questions are to anyone who has tried to support Windows 2000 from a Un*x
> DNS.
> 
> Do I really need to allow every workstation to update DNS?
> 
> If I do, what would I gain by creating a subdomain for Windows 2000 and letting
> the server group maintain the DNS for that subdomain.  I think I would still
> have all those entries propagated to my DNS servers.
> 
> Thanks.
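The policy Tim describes (updates accepted only from the domain controllers and the DHCP servers, nothing from workstations) maps directly onto BIND's per-zone allow-update list. The following named.conf fragment is an added example, not configuration from either poster; the zone names, addresses and ACL names are made up, and it uses only the address-match-list syntax that BIND 8.2 already had (no BIND 9 update-policy).

```conf
// Added example (not from the original post). Hypothetical network:
// two Windows 2000 domain controllers and one DHCP server on 10.1.1.0/24.
acl dcs  { 10.1.1.10; 10.1.1.11; };
acl dhcp { 10.1.1.20; };

// WEAK: what the Windows group is asking for. Any host on the network can
// add or overwrite A, PTR and SRV records, including records it does not own.
//
// zone "corp.example" {
//     type master;
//     file "db.corp.example";
//     allow-update { any; };
// };

// RESTRICTED: the forward zone takes updates only from the domain
// controllers (they need to maintain their SRV records) and from the DHCP
// server (host A records). Everything else, workstations included, is
// refused with a REFUSED response.
zone "corp.example" {
    type master;
    file "db.corp.example";
    allow-update { dcs; dhcp; };
};

// Reverse zone: only DHCP ever writes PTR records, so the DCs are not
// listed here either. Least privilege, zone by zone.
zone "1.1.10.in-addr.arpa" {
    type master;
    file "db.10.1.1";
    allow-update { dhcp; };
};
```

Two caveats for anyone copying this: a source-address ACL is only as strong as the network's protection against spoofed UDP, so the DC and DHCP addresses should be on a segment where workstations cannot forge them, and TSIG-signed updates (a BIND 8.2 feature, via a `key` entry in the allow-update list) are preferable wherever the updating client can actually sign; Windows 2000 machines do not send plain TSIG, so they end up on the address list. To verify the policy, run an `nsupdate` add from an ordinary workstation against the zone and confirm the server answers REFUSED and logs the attempt, then repeat from a DC. On the workstation side, the automatic registration itself is turned off either by unchecking "Register this connection's addresses in DNS" in the advanced TCP/IP settings or with the `DisableDynamicUpdate` DWORD (value 1) under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`, so the clients stop trying rather than filling the server log with refusals.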




More information about the bind-users mailing list