30 Mar 2012

Secure Microsoft DNS?

Trying to set up a Windows domain with a publicly accessible domain name is more difficult than I had expected.

The setup

Set up two servers as domain controllers with DNS installed. Have all the servers in the domain use the domain controllers as their DNS servers, which means recursion has to be enabled on the domain controllers' DNS service so they can resolve external names on behalf of the member servers.

The problem

If the DNS servers are publicly accessible and recursion is enabled, they are open resolvers, which is a security risk: anyone on the Internet can use them for DNS amplification and reflection attacks, and they expose a larger surface for cache poisoning. But if I switch off recursion, the servers within the domain can't find anything outside the domain, including security updates.

First try

Change the DNS setting on the servers in the domain to use a properly configured recursive DNS server (non-Microsoft) and switch off recursion on the domain controllers. This didn't work, since the new DNS servers did not return the SRV records (the _ldap._tcp and _kerberos._tcp records under _msdcs.&lt;domain&gt;) that domain members need to find the domain controllers. This can be set up, but it seemed like a lot of work and a fragile setup.

Second try

The domain controllers have recursion switched on, but only respond to servers within the domain's network and to the two non-Microsoft DNS servers. The non-Microsoft DNS servers act as secondaries for the zone. So when a DNS query is done externally, the secondaries respond, since the primaries block the external queries. This worked reasonably well, but there were failed and slow DNS queries: the parent zone's NS delegation still listed the primaries, so external resolvers kept trying them and timing out before falling back to the secondaries.

Solution

The solution I currently have is this: the domain controllers respond to external queries and have recursion switched off. The servers in the domain use two Microsoft DNS servers, not the domain controllers, which have recursion switched on and are firewalled so they do not respond to queries from outside the domain's network. These new DNS servers also have conditional forwarders set up for the domain's DNS name, pointing at the domain controllers, so the AD SRV records still resolve.
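The configuration above, and the open-resolver check from the problem section, written out as an added example (this is not from the original post). It uses the DnsServer, DnsClient and NetSecurity PowerShell modules that ship with Windows Server 2012 and later; the dnscmd equivalents for older servers are in the comments. The domain name, addresses, interface name and firewall rule group are placeholders chosen for illustration, not values from the post.

```powershell
# Added example; names and addresses below are assumed for illustration.
$AdDomain     = 'corp.example.com'             # AD DNS name (assumed)
$DcAddresses  = @('192.0.2.10', '192.0.2.11')  # domain controllers, reachable from the Internet (assumed)
$ResolverAddr = @('10.0.0.20', '10.0.0.21')    # internal recursive DNS servers, not DCs (assumed)
$InternalNets = @('10.0.0.0/8')                # address ranges allowed to use the resolvers (assumed)

# 1. On each domain controller: stay authoritative for the zone, stop recursing.
#    dnscmd equivalent: dnscmd /Config /NoRecursion 1
function Disable-DcRecursion {
    Set-DnsServerRecursion -Enable $false
    # Return the setting so the change can be checked.
    (Get-DnsServerRecursion).Enable
}

# 2. On each internal resolver: recurse for everything, but hand the AD zone to
#    the DCs so the _ldap._tcp / _kerberos._tcp SRV records still resolve.
#    dnscmd equivalents:
#      dnscmd /Config /NoRecursion 0
#      dnscmd /ZoneAdd corp.example.com /Forwarder 192.0.2.10 192.0.2.11
function Enable-InternalResolver {
    Set-DnsServerRecursion -Enable $true
    if (-not (Get-DnsServerZone -Name $AdDomain -ErrorAction SilentlyContinue)) {
        Add-DnsServerConditionalForwarderZone -Name $AdDomain -MasterServers $DcAddresses
    }
    # Keeping the resolvers invisible from outside is a firewall job, not a DNS one.
    # 'DNS Service' is assumed to be the display group of the inbound rules the
    # DNS role installs; narrow them to the internal ranges instead of "any".
    Get-NetFirewallRule -DisplayGroup 'DNS Service' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $InternalNets
}

# 3. On every member server: point the DNS client at the resolvers, not the DCs.
function Set-MemberDnsClient {
    param([string]$InterfaceAlias = 'Ethernet')   # NIC name (assumed)
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $ResolverAddr
}

# 4. Check from an address OUTSIDE $InternalNets. An open resolver will answer
#    for a name it does not host; a DC with recursion off will not return an
#    A record, and a firewalled resolver will not answer at all. The probe
#    name only has to be outside the zones the server hosts.
function Test-OpenRecursion {
    param([string]$Server, [string]$ProbeName = 'www.example.org')
    $answer = Resolve-DnsName -Name $ProbeName -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    $recursed = [bool]($answer | Where-Object { $_.Type -eq 'A' })
    [pscustomobject]@{ Server = $Server; Recursed = $recursed }
}

# Expected from outside: Recursed is False for every DC and every resolver.
($DcAddresses + $ResolverAddr) | ForEach-Object { Test-OpenRecursion -Server $_ }
```

Step 4 is the check worth repeating after any change to the DCs or the firewall: the only acceptable result from outside the internal ranges is that no A record comes back for a name the server is not authoritative for. On Windows Server 2016 and later the separate resolver pair is no longer strictly necessary, because DNS policies can limit recursion to defined client subnets (Add-DnsServerClientSubnet, Add-DnsServerRecursionScope and Add-DnsServerQueryResolutionPolicy), which is the per-address-range recursion the post wishes for.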

The domain controllers and DNS servers are virtual machines, so the resource usage is not as bad as having four physical servers.

The ideal solution would be that Microsoft fixed their DNS server to allow recursion from defined address ranges.

9 Sep 2011

Gorilla in rollerblades with a steadycam #IBC2011


3 Aug 2011

The Debt Ceiling

Debt_ceiling

9 Jun 2011

I dream of a better world ...


17 May 2011

Live 4K streaming from RED camera

Live 4K streaming from a RED camera using a custom designed board built by the Poznan Supercomputing and Networking Centre in Poland.

11 Mar 2011

Blade Runner Captcha

Bladerunnercaptcha

19 Jan 2011

New Hyper-V servers

P388

Just installed 4 new servers to run a Hyper-V cluster.

PowerEdge 1950
Quad 12 core with 256GB of RAM
8 x 1 Gbit/s and 4 x 10 Gbit/s NICs

18 Jan 2011

Recycling bin design with a suggestive lid

via Core77 on 1/17/11

My biggest pet peeve about cleaning up the photo studio I run is picking other people's trash out of the recycling bin. Yes, it's a waste pail just like the garbage pail, but is it not clear that this one's for bottles and that one is for your half-finished pizza, you freaking Philistine?

So I'm digging Qualy Design's recycling bin, which is not only recyclable itself but also has the recycling logo cleverly worked into its lid.

0qualyrecbin.jpg

But who am I fooling, this probably isn't going to stop careless rubbish-tossers. What I need is for the lid to be modified into a mechanical aperture that closes shut on a recycling offender's arm, pinning it with the arrow's points.

30 Nov 2010

Snowy Dublin Quay

P377

A shot taken near the Samuel Beckett bridge and the Jeanie Johnston ship.

22 Nov 2010

MacBook Pro problems

P372

My 17" MacBook Pro broke 3 days after the warranty expired. If I was suspicious I would think Apple had timed it.

Justin Hourigan's Space

My training is in TV production. I've worked as a graphic designer, animator and editor on a few TV series and documentaries.
However, most of my work in the last 10 years has been in Internet and multimedia development.