Win95 machine not looking at 2nd and 3rd DNS

Kevin Darcy kcd at daimlerchrysler.com
Fri Mar 10 22:01:24 UTC 2000


Sounds like you need multiple DNS servers then, some (perhaps only 1) of which
know only internal names, and some (perhaps only 1) which can also forward to
resolve Internet names. To take this a step further, you could use the
"allow-query" mechanism on the "Internet-aware" server(s) to prevent
"unauthorized" clients from resolving Internet names, assuming they all have
static addresses. If on the other hand you're using DHCP to assign addresses
dynamically, then you should be able to selectively provide the
"Internet-aware" DNS server address parameters to only the "authorized" clients.

But, you're right, it's a dumb, security-by-obscurity way to control Internet
access, since any savvy user who has an alternate way of resolving Internet
names can bypass the controls. I think there are even some web sites that
provide public resolver service, aren't there? And if you aren't preventing the
users from tinkering with their resolver settings, then this "security" is even
less effective, to the point of being almost non-existent. Real control of
Internet access requires authenticated paths through a firewall or packet
filter.


- Kevin

nobody wrote:

> Delmer
>
> I specifically don't want the internal to work as a forwarder.  We are
> only allowing those users with "Internet Access" to have the ISP DNSs
> in their setup; everyone else should not be able to see them.
>
> This is a rather dumb way of stopping unauthorised users accessing the
> internet, I know, but at present it's the only method we have
>
> Mark
>
> Delmer Harris wrote:
> >
> > I think this has come up before and was determined to be a misunderstanding
> > about the multiple resolvers in the local equivalent of resolv.conf.  The
> > correct behavior is as you described - if the resolver on W95 receives any
> > response from DNS#1 it will _not_ go to DNS#2 or DNS#3.  It is only when
> > there is no response from DNS#1 that it will go to DNS#2.
> >
> > You could achieve what you appear to desire by configuring your internal
> > DNS to use the ISP's DNS as 'forwarder' DNS machines.  Then your internal
> > DNS will check itself first, then ask the ISP's DNS to resolve what it
> > can't resolve and return the answer to the W98 machines.
> >
> > YMMV
> >
> > nobody <nobody at nowhere.com> on 03/09/2000 11:36:19 AM
> >
> >  To:      comp-protocols-dns-bind at moderators.isc.org
> >  cc:
> >  Subject: Win95 machine not looking at 2nd and 3rd DNS
> >
> > Hi All
> >
> > I have a Win 95 machine which is set up to look at 3 DNS servers.  The
> > first is our internal, and the second and third are the ISP's.  If I
> > look for a web address, the machine will query only the internal then
> > give up (checked this with a packet sniffer).
> >
> > The internal DNS is sat on a linux box and serves subdomains beneath our
> > internet registered domain (i.e. registered domain foo.com, this box does
> > london.foo.com and paris.foo.com).  The machine has no zone for root
> > ".".
> >
> > However, other machines I have seem to work fine (a linux box (not the
> > name server) and an NT box).  I've done a quick test and it seems I have
> > the same problem with another win95 machine as well.
> >
> > Any ideas? (I'm sure it was working before)
> >
> > Mark Taylor
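The two-server split Kevin suggests, written out as BIND named.conf fragments. This is an added example, not configuration from anyone in the thread; the addresses, file names and the acl name are assumptions, and the two `options` blocks belong to two separate servers.

```conf
// ---- Server A (assumed: internal-only named.conf) ----
// Authoritative for the subdomains only. No forwarders and no root hints,
// so it cannot resolve Internet names for any client, authorized or not.
options {
    directory "/var/named";
    recursion no;      // nothing to recurse to; answer only from local zones
};

zone "london.foo.com" {
    type master;
    file "london.foo.com.zone";
};

zone "paris.foo.com" {
    type master;
    file "paris.foo.com.zone";
};

// ---- Server B (assumed: "Internet-aware" named.conf) ----
// Forwards what it cannot answer to the ISP, and answers only the
// statically addressed clients listed in the acl; all others are refused.
acl "internet-users" {
    192.0.2.10;        // assumed static addresses of authorized clients
    192.0.2.11;
    192.0.2.16/29;
};

options {
    directory "/var/named";
    forward only;
    forwarders {
        198.51.100.53; // assumed ISP resolver addresses
        198.51.100.54;
    };
    allow-query { "internet-users"; };
};
```

As the reply itself notes, allow-query only limits which clients this one server will answer; a client pointed at any other resolver is untouched, so the firewall or packet filter remains the real control.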
