From: Robert Lowe (Robert.H.Lowe@lawrence.edu)
Date: Wed Jul 07 2004 - 14:16:54 CDT
Azze, Jason wrote:
Jason,
This is the simplest approach (stub zones might be another), but since
it would be expected that most folks also drop packets from unregistered
clients at a border router or firewall, it's only half of the solution.
The other half is not as easily solved. I haven't given this any serious
thought, but a carefully configured proxy, e.g. squid, along with a few
wildcard DNS RRs pointed at it, might provide a more complete solution
and a secure means of allowing in-/outbound Internet traffic to unregistered
clients. Just a thought... if someone tries it, let us know!
-Robert
> I posted this over on resnet-l, but I thought it might be of interest
> here, too. Executive summary: If you want to let your bogus DNS allow
> access to Windows Update (or other "self-help" sites), you can use this
> method.
>
> =========================
>
> With the help of Jim Mayne from TCU and Phil Rodrigues from NYU, we were
> able to implement the selective forwarding/split DNS system using BIND
> as a selective forwarder. I'll post the contents of the two files needed
> below. The first is our named.conf (unsanitized), the second is a file
> called fake-root, which is a substitute root hints file. We're using
> BIND 9.2.1. Our BIND lives in /etc/bind/. If yours isn't there, you will
> have to adjust the path for the hint file at the end of named.conf.
>
> 10.98.1.100 is the IP of our forwarding DNS server (where the named.conf
> and fake-root files live). All quarantined clients are assigned this as
> their DNS server.
>
> 10.98.1.1 is a "good/normal" DNS server that can resolve all addresses.
> We forward our self-help DNS requests to this box.
>
> 10.98.1.9 is a fake root server named romulus. It's configured to think
> that everything in the "." zone--which is everything--resolves to our
> quarantine network web server. The fake-root root hints file points to
> romulus.
>
> You may notice that we have fairfield.edu in our list of domains whose
> requests get forwarded to the real DNS. We did this for two reasons: 1)
> Windows clients like to append their "home" zone onto the end of all DNS
> queries. So when we tried to resolve microsoft.com, Windows clients
> actually asked for microsoft.com.fairfield.edu, which broke the system.
> 2) We want to allow our quarantined students to get to some of our
> in-house resources that live in the fairfield.edu zone. Nslookup is your
> friend while testing this. Also remember ipconfig /flushdns when testing
> your Windows clients.
>
> End of lecture!
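The split-DNS layout described in the quoted post, written out as an added example; these are not the named.conf and fake-root files the poster refers to (they are not in this archive). The addresses 10.98.1.100, 10.98.1.1 and 10.98.1.9 and the microsoft.com and fairfield.edu forward zones come from the post; the quarantine web server address 10.98.1.200, the SOA values and the file name fake-root.zone are placeholders.

```conf
// ---- /etc/bind/named.conf on the selective forwarder (10.98.1.100) ----
options {
    directory "/etc/bind";
    // Deliberately no global "forwarders": any name without its own
    // forward zone below falls through to the fake root hints.
};

// Self-help zones quarantined clients may reach: hand them to the real
// resolver. "forward only" keeps BIND from recursing via the root hints
// (which point at the fake root) if 10.98.1.1 fails to answer.
zone "microsoft.com" {
    type forward;
    forward only;
    forwarders { 10.98.1.1; };
};

// Also forwarded: Windows appends the home suffix to queries
// (microsoft.com.fairfield.edu), and in-house resources live here.
zone "fairfield.edu" {
    type forward;
    forward only;
    forwarders { 10.98.1.1; };
};

// Everything else resolves through the substitute hints file, so the
// only "root server" this forwarder knows is romulus.
zone "." {
    type hint;
    file "/etc/bind/fake-root";
};

// ---- /etc/bind/fake-root (substitute root hints, same host) ----
// .           3600000  IN  NS  romulus.
// romulus.    3600000  IN  A   10.98.1.9

// ---- named.conf on romulus (10.98.1.9): authoritative for "." ----
// zone "." { type master; file "/etc/bind/fake-root.zone"; };

// ---- /etc/bind/fake-root.zone on romulus ----
// Short TTL so released clients stop seeing the quarantine answer quickly
// (clients may still need ipconfig /flushdns, as the post notes).
// $TTL 60
// @         IN  SOA  romulus. hostmaster.romulus. ( 1 3600 900 604800 60 )
// @         IN  NS   romulus.
// romulus.  IN  A    10.98.1.9
// *         IN  A    10.98.1.200   ; PLACEHOLDER: quarantine web server
```

Verify from a quarantined client with nslookup: a self-help name should return its real address, while an arbitrary name should return the quarantine web server.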