Security and DNS

Hi all:

We're running DNS on Netware 6.5 SP2 as a clustered resource. It is working very well (thanks for asking!)
We have been running through our year end security self audit and I have been tweaking our DNS setup up.
What I have done is this:

Each client on LAN:  gets 2 DNS entries. One local DNS server and one at a remote office (both Netware). Offices are interconnected by private lines so this process is all behind the firewall.

Each Netware DNS server - is configured to query 3 remote DNS servers (on internet).  (eg: 3 nameserver entries in their resolve.cfg)
This is locked down with firewall rules. No inbound DNS queries are allowed (since we are not authoritative for our zone) and no queries to other DNS servers are allowed.

This is working well, but I see on the firewall logs that my DNS server is periodically trying to get out to various root servers - k.root-servers.net, etc.
What is it doing, and should I allow it to do this?

Thanks for any insight you would care to share on this.

- Joe

--____FIVYRACBLJROFPKWMWQS____
Content-Type: multipart/related; boundary="____RPEKMCNHAOEQAAQWJZLU____"


--____RPEKMCNHAOEQAAQWJZLU____
Content-Type: text/html; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Diso-8859-1"=
>
<META content=3D"MSHTML 6.00.2800.1458" name=3DGENERATOR></HEAD>
<BODY style=3D"MARGIN: 4px 4px 1px; FONT: 10pt Tahoma">
<DIV>Hi all:</DIV>
<DIV>&nbsp;</DIV>
<DIV>We're running DNS on Netware 6.5 SP2 as a clustered resource. It is =
working very well (thanks for asking!)</DIV>
<DIV>We have been running through our year end security self audit and I =
have been tweaking our DNS setup up. </DIV>
<DIV>What I have done is this:</DIV>
<DIV>&nbsp;</DIV>
<DIV>Each client on LAN:&nbsp; gets 2 DNS entries. One local DNS server =
and one at a remote office (both Netware). Offices are interconnected by =
private lines so this process is all behind the firewall.</DIV>
<DIV>&nbsp;</DIV>
<DIV>Each Netware DNS server - is configured to query 3 remote DNS servers =
(on internet).&nbsp; (eg: 3 nameserver entries in their resolve.cfg) =
</DIV>
<DIV>This is locked down with firewall rules. No inbound DNS queries are =
allowed (since we are not authoritative for our zone) and no queries to =
other DNS servers are allowed. </DIV>
<DIV>&nbsp;</DIV>
<DIV>This is working well, but I see on the firewall logs that my DNS =
server is periodically trying to get out to various root servers - =
k.root-servers.net, etc. </DIV>
<DIV>What is it doing, and should I allow it to do this? </DIV>
<DIV>&nbsp;</DIV>
<DIV>Thanks for any insight you would care to share on this.</DIV>
<DIV>&nbsp;</DIV>
<DIV>- Joe</DIV></BODY></HTML>

--____RPEKMCNHAOEQAAQWJZLU____--

--____FIVYRACBLJROFPKWMWQS____--
0
Joe
12/28/2004 4:04:49 PM
novell.netware.dns-dhcp 3183 articles. 0 followers. Follow

19 Replies
718 Views

Similar Articles

[PageSpeed] 22
Get it on Google Play
Get it on Apple App Store

In article <BufAd.11067$Ei5.3765@prv-forum2.provo.novell.com>, Joe 
wrote:
> Each Netware DNS server - is configured to query 3 remote DNS
> servers (on internet).  (eg: 3 nameserver entries in their
> resolve.cfg)
>
Mmmm... nope, they're not.  resolv.cfg tells the server what DNS 
servers to use when it is a DNS *client*, e.g. running 'ping' or 
'nslookup' from the server console.  Each DNS server should list itself 
in resolv.cfg.  Other servers in the list will only be queried if DNS 
is not running at the time of the query.

For forwarding, you need to add DNS servers to the server's Forwarding 
List.  It will try these, and if they fail to respond, it will try the 
root servers.  If you do not allow access to the root servers, you run 
the risk of some queries not resolving, but as long as your forwarders 
are reliable, that should not happen.

bd
NSC Volunteer SysOp


Brad
12/29/2004 5:00:08 AM
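A defender's way to read the firewall denies Joe describes against Brad's explanation (forwarders first, root servers only as fallback): sort each denied port-53 egress into "forwarder" (a firewall rule is missing), "root" (the fallback Brad describes) or "unexpected". This is an added example, not code from the thread or from Novell; the log format, the server and forwarder addresses are constructed, and the two root-server addresses are an illustrative subset to be checked against the current root hints.

```python
import re
from collections import Counter

# Added example, not code from the thread or from Novell. Every address
# and log line below is constructed; the root-server entries are an
# illustrative subset and should be checked against current root hints.

# Constructed: the two NetWare DNS servers and their configured forwarders.
DNS_SERVERS = {"10.1.1.5", "10.2.1.5"}
FORWARDERS = {"10.3.46.78", "172.34.56.78", "198.51.100.53"}
# Illustrative subset of root-server addresses (verify against root hints).
ROOT_SERVERS = {"198.41.0.4": "a.root-servers.net",
                "193.0.14.129": "k.root-servers.net"}

# Constructed firewall deny lines in a simple "src -> dst" format.
LOG_LINES = """\
2004-12-28 14:03:11 DENY udp 10.1.1.5:1032 -> 193.0.14.129:53
2004-12-28 14:03:12 DENY udp 10.1.1.5:1033 -> 198.41.0.4:53
2004-12-28 14:05:40 DENY udp 10.2.1.5:1040 -> 172.34.56.78:53
2004-12-28 14:07:02 DENY udp 10.2.1.5:1041 -> 203.0.113.9:53
2004-12-28 14:07:05 DENY tcp 10.9.9.9:2222 -> 198.41.0.4:53
""".splitlines()

LINE_RE = re.compile(
    r"DENY (?P<proto>\w+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")


def classify(dst):
    """Label a denied destination relative to the intended DNS design."""
    if dst in FORWARDERS:
        return "forwarder"    # the firewall rule for a forwarder is missing
    if dst in ROOT_SERVERS:
        return "root"         # fallback taken when forwarders fail to answer
    return "unexpected"       # neither forwarder nor root: investigate


def triage(lines):
    """Count denied port-53 egress as {(src, category, dst): n}.

    Sources that are not the DNS servers are reported as 'rogue_source',
    since only the resolvers should need outbound DNS at all.
    """
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group("dport") != "53":
            continue
        src, dst = m.group("src"), m.group("dst")
        cat = classify(dst) if src in DNS_SERVERS else "rogue_source"
        counts[(src, cat, dst)] += 1
    return counts


if __name__ == "__main__":
    for (src, cat, dst), n in sorted(triage(LOG_LINES).items()):
        print(f"{src:10} -> {dst:14} {ROOT_SERVERS.get(dst, ''):19} {cat:13} x{n}")
```

A "forwarder" hit means the rule set does not match the Forwarding List; repeated "root" hits while the forwarders are reachable suggest the forwarders are timing out rather than the server misbehaving.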
Thanks!  That makes sense. So my choices are:

1 - add the 3 (or however many) servers I want to use in the "Forwarding List" and match that to the firewall config
or
2 - make a group of the 13 root DNS servers and allow our DNS servers to query them.

Only 'gripe' is that the DNS request appears to not be coming from the DNS cluster resource IP, but from the primary IP of the server which is hosting DNS at that time - which means I have to open the firewall on all primary server IP's since any cluster member can host DNS. It would be more secure IMHO if the 'from' address was the IP of the cluster resource.  JM2C..

Thanks for the help!


Joe
12/29/2004 4:58:18 PM
Yep, that sounds like a good plan.  And don't forget to change the 
resolv.cfg files -- note that the changes there are not active until 
SERVER.EXE is run again (DOWN, SERVER or RESET SERVER, but not RESTART 
SERVER).

In article <KmBAd.11768$Ei5.5094@prv-forum2.provo.novell.com>, Joe 
wrote:
> It would be more secure IMHO if the 'from' address was the IP of the
> cluster resource.  JM2C..
>
I agree.  You may want to post that at 
http://support.novell.com/enhancement.

bd
NSC Volunteer SysOp


Brad
12/30/2004 4:06:46 AM
Hi - and thanks again.  Quick? question on that -

I thought you could use the feature in the winsock to reload stuff on the fly?

I got the following from the most recent winsock patch readme:

WS2_32 RELOAD HOSTS       -Reload the SYS:\ETC\HOSTS
WS2_32 RELOAD PROTOCOL    -Reload the SYS:\ETC\PROTOCOL
WS2_32 RELOAD SERVICES    -Reload the SYS:\ETC\SERVICES
WS2_32 RELOAD RESOLVE     -Reload the SYS:\ETC\RESOLV.CFG
WS2_32 RELOAD NWSWITCH    -Reload the SYS:\ETC\NWSWITCH.CONF

I have tested it with hosts - eg: I edited hosts, added a new hostname (not in dns), saved the change and then was immediately able to ping the host from the console. That seemed like a good sign.  Have not tested with resolve.. will post back on that.

also - when I make sure each server is in the resolve.conf, what I have already is: (all ip's are dummies but you get the idea..)

domain   mydomain.com

nameserver 192.168.100.76                 (IP of cluster resource)
nameserver 10.3.46.78                        a public dns server
nameserver 172.34.56.78                     another public dns server

should I be adding a new line at the beginning of the nameserver section which is

nameserver   <primary ip of this server>?

and then the others..  I had thought that using the IP of the cluster resource would be ok, but now I am not so sure..

Thanks again for your time and assistance with this.

- Joe


Joe
12/30/2004 3:13:20 PM
In article <kWUAd.12395$Ei5.3849@prv-forum2.provo.novell.com>, Joe 
wrote:
> I got the following from the most recent winsock patch readme:
>
Hey, that's cool stuff!  I hadn't seen it before.  And I just tested 
resolv.cfg, and it seems some changes have been made in NW65 (SP2) -- 
if I change the name server list, then run nslookup, the change is 
recognized immediately, even without the winsock reload.

> I had thought that using the IP of the cluster resource would be ok,
> but now I am not so sure..
>
Hmmm... good question.  The cluster resource address does make the most 
sense since the server itself may not be running the application.

bd
NSC Volunteer SysOp


Brad
12/30/2004 4:25:53 PM
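A small audit of a resolv.cfg against the two points raised above: Brad's "each DNS server should list itself" and the fact that the remaining entries are only consulted when DNS is not running locally. This is an added example, not code from the thread or from Novell; the file content and all addresses are constructed from Joe's dummy sample, and treating the cluster resource address as "itself" is an assumption drawn from Brad's last remark.

```python
# Added example, not code from the thread or from Novell. The file content
# and all addresses are constructed, modelled on Joe's dummy-IP sample.

# Constructed: addresses this node answers on (its primary IP and the DNS
# cluster resource IP) and the upstream servers the firewall permits.
SELF_ADDRS = {"192.168.100.10", "192.168.100.76"}
PERMITTED_UPSTREAM = {"10.3.46.78", "172.34.56.78"}

# Constructed resolv.cfg; Joe's inline remarks are dropped since a real
# file carries only the keyword and the address.
RESOLV_CFG = """\
domain   mydomain.com

nameserver 192.168.100.76
nameserver 10.3.46.78
nameserver 172.34.56.78
"""


def parse_resolv(text):
    """Return (domain, [nameserver, ...]) from resolv.cfg-style text."""
    domain, servers = None, []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        key, *vals = parts
        if key.lower() == "domain" and vals:
            domain = vals[0]
        elif key.lower() == "nameserver" and vals:
            servers.append(vals[0])
    return domain, servers


def audit(text, self_addrs=SELF_ADDRS, permitted=PERMITTED_UPSTREAM):
    """Return findings as strings; an empty list means the file matches."""
    findings = []
    domain, servers = parse_resolv(text)
    if domain is None:
        findings.append("no 'domain' line")
    if not servers:
        return findings + ["no nameserver entries"]
    # Brad: each DNS server should list itself first. For a clustered DNS
    # service the cluster resource address is treated as 'itself' too.
    if servers[0] not in self_addrs:
        findings.append(f"first nameserver {servers[0]} is not this server")
    # The remaining entries are only consulted when DNS is not running
    # locally, so each must be reachable through the firewall to be useful.
    for s in servers[1:]:
        if s not in permitted and s not in self_addrs:
            findings.append(f"fallback nameserver {s} is not firewall-permitted")
    return findings
```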
The reload hosts bit works on a 6.5SP2 server without any other
updates,

OPAL:m ws2_32
WS2_32.NLM
  Loaded from [C:\NWSERVER\]
  (Address Space = OS)
  NetWare Winsock 2.0 NLM
  Version 6.21.06 15 June 2004
  Copyright 1984-2004 Novell, Inc.  All rights reserved.

which neatly solves a problem with this server, all the other hosts
refreshed of their own accord eventually, but this one wouldn't. So
thanks for the tip Joe <g>

Cheers Dave


-- 

Dave Parkes [NSCS]
Occasionally resident at http://support-forums.novell.com/
Dave
12/30/2004 5:32:51 PM
I'm not Joe, but I'm glad we could help! :-)

bd
NSC Volunteer SysOp


Brad
12/31/2004 5:55:19 AM
Well, seeing as it is you - when I tried it on the *correct* server
<g>, it didn't seem to refresh although all the right messages came up
on the screen. So it either does need the new files, or it won't change
an entry that is already cached, but has the wrong IP address, ho hum

Cheers Dave


-- 

Dave Parkes [NSCS]
Occasionally resident at http://support-forums.novell.com/
Dave
12/31/2004 12:02:21 PM
Hey - thanks to both of you!  And have a great New Years! :)

Joe
12/31/2004 4:22:05 PM
In article <xn0drnz2i3f91o008@support-forums.novell.com>, Dave Parkes 
wrote:
> So it either does need the new files, or it won't change
> an entry that is already cached, but has the wrong IP address, ho hum
>
Well, if you recall (I know that gets more difficult, especially on 
days like *today*), please let us know what you find when you try the 
updates. :-)

bd
NSC Volunteer SysOp


Brad
12/31/2004 7:51:33 PM
Glad to help.

bd
NSC Volunteer SysOp


Brad
12/31/2004 7:51:34 PM
That means taking the server over, and I'd like to get at least a couple 
of them in green on the MRTG stats :-)

Cheers Dave


-- 

Dave Parkes [NSCS]
Occasionally resident at http://support-forums.novell.com/
Dave
1/1/2005 10:22:26 AM
Also 'ws2_32 help' helps :-)

Cheers Dave


-- 

Dave Parkes [NSCS]
Occasionally resident at http://support-forums.novell.com/
Dave
1/1/2005 2:00:45 PM
oh, details, details... :)

bd
NSC Volunteer SysOp


Brad
1/2/2005 6:42:38 PM
imagine that! :-)

bd
NSC Volunteer SysOp


Brad
1/2/2005 6:42:38 PM
Also, now that the host file is fixed, rebooting will work anyway <g>

Cheers Dave


-- 

Dave Parkes [NSCS]
Occasionally resident at http://support-forums.novell.com/
Dave
1/3/2005 10:09:22 AM
Damn cunning, these foreigners

Cheers Dave


-- 

Dave Parkes [NSCS]
Occasionally resident at http://support-forums.novell.com/
Dave
1/3/2005 10:09:39 AM
:-)

bd
NSC Volunteer SysOp


Brad
1/3/2005 2:14:02 PM
uh-huh

bd
NSC Volunteer SysOp


Brad
1/3/2005 2:14:03 PM