dns updates from a windows client

Sten Carlsen ccc2716 at vip.cybercity.dk
Tue Jan 8 22:25:43 UTC 2008



Kevin Darcy wrote:
> The search path is only used when a shortname lookup is issued. If you 
> use fully-qualified names (FQDNs), then the search path is irrelevant 
> and you have a lot more flexibility and scalability. Note that shortname 
> resolution can also present a security risk, inasmuch as it introduces 
> uncertainty/ambiguity into client/server interactions, e.g. if I connect 
> to a "zeus" website, using a shortname, is that 
> zeus.good-and-trusted.domain.com or zeus.evil-nasty-hacked.com? It all 
> depends on the contents of my search path, which is administered 
> typically by Windoze whizkids who don't necessarily have a good sense of 
> proper security practices.
>   
I have seen a number of cases where even a FQDN is appended by the
search path(s).

The lookup could then look like: www.example.com.mydomain.com. What I
have observed is that if the first lookup of the asked for name fails,
then every search path is appended to see if that works. I was a bit
surprised by this.

The only way to avoid it seems to be to specify the FQDN including a
period at the end. This was with an older Windows version and the
behaviour is from the Windows resolver, not BIND or other DNS servers.
>                                                                          
>                               - Kevin
>
> Haim [Howard] Roman wrote:
>   
>> I don't know whether this suits your case, but...
>>
>>
>> In our case, our main DNS servers are UNIX-based.  We also have MS
>> domains.  We defined DNS subdomains that the MS domain controllers are
>> masters for, and our main DNS servers are slave for them.  Of course,
>> for this to work well, the DNS search path must be set correctly on the
>> clients.  Alternatively, in your main domain, you could define aliases
>> for hosts in the subdomain, e.g.,
>>
>>
>>     alef.my.org would be an alias to alef.ms.my.org
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> Haim (Howard) Roman
>> Computer Center, Jerusalem College of Technology
>> roman at jct.ac.il
>> Phone: 052-8-592-599 (6022 from within Machon Lev)
>>
>>
>>
>> -------- Original Message  --------
>> Subject: dns updates from a windows client
>> From: Paul A <razor at meganet.net>
>> To: bind-users at isc.org
>> Date: Tue Jan 08 2008 00:14:57 GMT+0200 (IST)
>>   
>>     
>>> Hi, we are using BIND 9 and have a couple of customers who frequently want
>>> their DNS info updated. We don't want to give them access to the DNS server
>>> nor do we want to install something like webmin on the DNS server.
>>>
>>> We have implemented and tested dynamic updates with TSIG and it works fine
>>> from another Linux machine. I was wondering if there is any free DNS
>>> software for Windows that is easy to use and allows updates to a DNS server
>>> using TSIG updates.
>>>
>>> I also would like to hear what people on this list use in a situation like
>>> this.
>>>
>>> Thanks very much, Paul

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

       "MALE BOVINE MANURE!!!" 
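
The lookup order discussed in this message, as an added example that is not part of the original post and not taken from any resolver's source: a simplified Python model of search-list fallback, with a check that lists which configured names can fall back to a search-domain name. The model itself, the function names, the sample search list and the 192.0.2.10 record are assumptions constructed for illustration.

```python
# Added illustration, not code from the thread. Simplified model of the
# lookup order described above; real resolvers differ in detail.

def candidate_queries(name, search_list):
    """Ordered absolute names a stub resolver would try for `name`.

    Assumed model: a trailing dot means exactly one query; a dotted name is
    tried as-is first, then with each search suffix; a shortname is tried
    with each suffix (a final bare-name query is not modelled).
    """
    name = name.strip().lower()
    if name.endswith("."):
        return [name]
    suffixes = [s.strip(".").lower() for s in search_list if s.strip(".")]
    appended = [f"{name}.{s}." for s in suffixes]
    return [name + "."] + appended if "." in name else appended


def first_answer(name, search_list, records):
    """Return (queried_name, address) for the first candidate that exists."""
    for query in candidate_queries(name, search_list):
        if query in records:
            return query, records[query]
    return None


def audit(names, search_list):
    """Map each configured name to the extra names its lookup may fall back to."""
    report = {}
    for n in names:
        literal = n.strip().lower().rstrip(".") + "."
        extra = [q for q in candidate_queries(n, search_list) if q != literal]
        if extra:
            report[n] = extra
    return report


# Constructed sample data: the literal name does not resolve, but a record
# (for instance a wildcard) exists under the local search domain.
SEARCH = ["mydomain.com"]
RECORDS = {"www.example.com.mydomain.com.": "192.0.2.10"}

if __name__ == "__main__":
    print(first_answer("www.example.com", SEARCH, RECORDS))   # answered locally
    print(first_answer("www.example.com.", SEARCH, RECORDS))  # no fallback
    print(audit(["www.example.com", "www.example.com.", "zeus"], SEARCH))
```

Running audit() over the hostnames found in client or service configuration shows which entries depend on the search list; only the dot-terminated form yields a single candidate.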


