1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Root Hints

Discussion in 'Network Infrastructure' started by zimbo, Jan 25, 2007.

  1. zimbo
    Honorary Member

    zimbo Petabyte Poster

    5,215
    98
    181
    I was under the assumption that if you removed the Root Hints from DNS you are in effect removing internet access?



    [​IMG]



    As you can see i removed them, i can open some websites and some i cant? Am i missing something here? :blink
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  2. zimbo
    Honorary Member

    zimbo Petabyte Poster

    5,215
    98
    181
    anyone? :(
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  3. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    6,199
    125
    199
  4. zimbo
    Honorary Member

    zimbo Petabyte Poster

    5,215
    98
    181
    well it was a brand new installed Vm... it was the first pages i have installed.. also if you delete them you not supposed to get connection to any pages right?
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  5. zimbo
    Honorary Member

    zimbo Petabyte Poster

    5,215
    98
    181
    bump! :(
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  6. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,189
    296
    319
    Zim, do you have any forwarders configured? Also have you flushed the DNS cache? 8)
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  7. zimbo
    Honorary Member

    zimbo Petabyte Poster

    5,215
    98
    181
    looks like flush dns did the trick... is this a best practice btw? to remove the root hints to prevent internet access?
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  8. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,189
    296
    319
    Never done that before. The best way would be to lock down port 80 outbound on the firewall if you want to block web traffic. This can scupper Windows updates and AV updates so you could deploy a WSUS server and trust that I.P outbound on the firewall and the clients would pull updates from the WSUS server.

    Depending on the firewall you can usually trust the URLs for Windows update but block all other web traffic.

    Hope this helps! :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  9. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,871
    167
    256
    By default Server 2003 and Windows 2000 DNS servers directly query the Internet root DNS servers in order to resolve DNS queries for itself and the clients.

    If you set up Forwarders, your DNS server will query those forwarders first and if it can't contact them it will contact the root servers.

    If you don't want it to contact the root servers you should delete the *.* in the forward look up zones.

    If you have no *.* and no forwarders for external name resolution the DNS server can only return queries from it's cache.

    If you do the above and flush the cache, that should stop external DNS queries working.
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  10. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,871
    167
    256
    Well not really because all you are doing is crippling DNS, you do not need DNS to access a web site, you can skip it and enter the IP address instead. So, blocking port 80 and 443 as well as employing a WSUS server for updates would be the way to go.
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  11. zimbo
    Honorary Member

    zimbo Petabyte Poster

    5,215
    98
    181
    Cheers pete! :thumbleft
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics

Share This Page

Loading...