Restrict DNS zone transfers to specific hosts?

Is it possible within Server Admin to restrict DNS zone transfers to specific hosts? If not, can the allow-transfer statement be added to /etc/named.conf without breaking the ability to use Server Admin to administer DNS?
Thanks,
Bob
XServe Dual Processor Xeon server   Mac OS X (10.4.8)  

You can add the statement... it should not break Server Admin.
While you are there, you may want to add forwarders for efficiency.
Add the bold code:
options {
    directory "/var/named";
    forwarders {          // the lines to add (bold in the original post) start here
        0.0.0.0;
        0.0.0.0;
    };
    forward first;
    recursion true;       // end of the added lines
};
Replace 0.0.0.0 with your ISP's name servers.
Jeff
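As an added example (not code from the thread or from Server Admin), the following audit script reads a named.conf and reports which zones would still answer an AXFR from any host; the sample configuration, the 192.0.2.x/198.51.100.x addresses and the old BIND 9 default it assumes are constructed. It serves both this question and the "Limiting DNS Zone Transfers Correctly" thread below, since an allow-transfer statement restricts only zone transfers and leaves ordinary TCP/53 queries (large responses) untouched.

```python
"""Audit a BIND named.conf for zones whose transfers are not restricted.
Added example, not code from the original thread. It assumes the BIND 9 of
the Mac OS X 10.4 era: a zone with no allow-transfer of its own and none in
options {} answers AXFR from any host."""
import re

# Constructed sample named.conf (not the poster's real file): one zone is
# wide open, the other is restricted to a single secondary.
SAMPLE_OPEN = """\
options {
    directory "/var/named";
    forwarders { 192.0.2.53; 192.0.2.54; };   // placeholders for the ISP's servers
    forward first;
    recursion yes;
};

// No allow-transfer here and none in options: any host can AXFR this zone.
zone "example.com" IN {
    type master;
    file "example.com.zone";
};

// The fix the thread asks about: only the secondary may transfer.
zone "example.org" IN {
    type master;
    file "example.org.zone";
    allow-transfer { 198.51.100.2; };
};
"""

# Hardened variant: a global default of none closes every zone that does not
# opt in explicitly, and leaves ordinary TCP/53 queries (large answers) alone.
SAMPLE_HARDENED = SAMPLE_OPEN.replace(
    "recursion yes;", "recursion yes;\n    allow-transfer { none; };")

_ACL_RE = re.compile(r"allow-transfer\s*\{([^}]*)\}")

def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def _top_level_blocks(text):
    """Yield (header, body) for each top-level `header { body };` statement."""
    i, n = 0, len(text)
    while True:
        start = text.find("{", i)
        if start < 0:
            return
        header = text[i:start].strip().lstrip(";").strip()
        depth, j = 1, start + 1
        while j < n and depth:      # nested braces (allow-transfer { }) stay in the body
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        yield header, text[start + 1:j - 1]
        i = j

def _acl(body):
    """allow-transfer address list in a block body, or None if not set there."""
    m = _ACL_RE.search(body)
    return [t for t in re.split(r"[;\s]+", m.group(1)) if t] if m else None

def effective_transfer_acls(conf):
    """Map each authoritative zone to the ACL that actually governs its AXFR."""
    blocks = list(_top_level_blocks(_strip_comments(conf)))
    default = ["any"]               # BIND 9 default when nothing is configured
    for header, body in blocks:
        if header == "options":
            default = _acl(body) or default
    result = {}
    for header, body in blocks:
        if header.startswith("zone") and "type hint" not in body:
            name = re.search(r'"([^"]+)"', header).group(1)
            acl = _acl(body)
            result[name] = acl if acl is not None else default
    return result

def open_zones(conf):
    """Zones any host could AXFR: the finding a defender wants flagged."""
    return sorted(z for z, acl in effective_transfer_acls(conf).items() if "any" in acl)
```

Run `open_zones` against your own /etc/named.conf after adding allow-transfer to confirm nothing is still exposed; an AXFR test from a host outside the ACL should then be refused while normal queries keep working.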

Similar Messages

  • DNS zones for Mail virtual host

    Hello,
    We have a split DNS server hosting mail for company.com. So we have a DNS zone called company.com with the appropriate records (A, MX).
    We now need in the same box to host mail for another domain, company.org. Do we have to create a separate DNS zone for company.org with another A record for the server?
    Regards
    Kostas

    If you're going strictly for mail and no other network services are associated, then Camelot is quite correct and you can use an MX, and enable virtual hosting within the mail server.
    If you're doing "other stuff" with that domain, then you'll need the zone.
    Given the usual fondness for, well, "incomplete" questions and for server configurations and networks that, um, "evolve", then the answer I'd use is "yes"; add the zone.  (If for no other reason than somebody's eventually going to want a web server with the domain, or...)
    I'm not a big fan of split-horizon though I can and do use it for specific cases. I prefer to partition "inside" from "outside", and that avoids this quagmire.
    And FWIW, "example.com", "example.org" and "example.net" are RFC-reserved domain names available for posting obfuscated examples and questions, for documentation, and related use.  "company.com" and "company.org" are real and registered domains. 

  • How to change DNS zone, or how to host email outside of BC

    I have BC from Creative Cloud Suite, so I have the cheapest possible plan for BC.  Meaning I don't get any email hosting.  So I was looking to host email outside of BC.  I looked it up on Google to see if it could be done (I'm really new with all this hosting stuff!), and I found that if you change the DNS zone and MX records to certain things you could.  I had to delete the MX record I had set up prior to finding out BC won't host my email, and I went to set up an Advanced DNS Record... But I'm not sure what to do! There's a lot of information I'm not sure about, and I don't know what goes where!
    I'd like to have GoDaddy host my email, and what I found is that I need to change my DNS zone to: mailstore1.secureserver.net and change MX records to 0 smtp.secureserver.net 10 mailstore1.secureserver.net
    I may end up finding somewhere else to host email at a later point, but right now I just want to try to figure out how to do this so I'll be able to in the future.  Any and all help is appreciated! Thank you

    Hi
    All you need to do is go to Admin > Site Settings > Site Domains and activate your new domain. You'll have to enter an MX record for e-mail to be set up, which will be provided by GoDaddy.
    Here’s a similar article on the same topic:
    http://forums.adobe.com/message/4997019#4997019
    Let me know how it goes

  • Limiting DNS Zone Transfers Correctly

    I am setting up the DNS server. I have encountered a limitation when trying to limit zone transfers. Obviously I want to allow only zone transfers to my secondary DNS.
    The advice given in the user manual seems incorrect. The user manual says to limit zone transfers using your firewall to limit TCP connections on port 53. However, my understanding is that regular DNS clients need to be able to use TCP to obtain DNS responses that are greater than 512 octets.
    Does somebody know of a way to correctly limit the zone transfers without breaking the DNS GUI or breaking large responses?

  • DNS: Zone name vs. Host name question

    My little office OSX Server setup has been working fine, but I realized my DNS setup was a little weird. I think the primary zone and first host machine record were setup during the initial install/setup process, and it doesn't seem to match what Hoffman recommends in his excellent DNS Setup guide.
    My primary zone was named "files.example.com", and my server host record was also named "files.example.com". Everything seemed to work, but I realized when I wanted to add some additional hosts and aliases, I was getting something like "mail.files.example.com", when what I wanted was "www.example.com".
    Hoffman, and others, recommend trashing the default zone and records, and making a new zone named "example.com", then making a machine record for the server, "files.example.com".
    That makes perfect sense, except I don't understand one thing: how, with this setup, can I get the dns to cough up an ip address for hostname "example.com"? Can I make a machine record with a blank hostname, thus yielding a hostname that is the same as the zone name?
    Thanks.

    RobertNichols wrote:
    My little office OSX Server setup has been working fine, but I realized my DNS setup was a little weird. I think the primary zone and first host machine record were setup during the initial install/setup process, and it doesn't seem to match what Hoffman recommends in his excellent DNS Setup guide.
    My primary zone was named "files.example.com", and my server host record was also named "files.example.com". Everything seemed to work, but I realized when I wanted to add some additional hosts and aliases, I was getting something like "mail.files.example.com", when what I wanted was "www.example.com".
    Hoffman, and others, recommend trashing the default zone and records, and making a new zone named "example.com", then making a machine record for the server, "files.example.com".
    That makes perfect sense, except I don't understand one thing: how, with this setup, can I get the dns to cough up an ip address for hostname "example.com"? Can I make a machine record with a blank hostname, thus yielding a hostname that is the same as the zone name?
    Thanks.
    Apple setup wizard creates a zonename like files.example.com i.e. the same as the host name. I totally agree with Hoffman this is wrong (and I reported it as a bug to Apple) but that is the way Apple do it until 10.7 at least.
    I therefore do the same as Hoffman and trash Apple's auto-created zone and do it myself.
    Note: The auto-zone format used by Apple will work and might be 'good enough' for a small simple internal-only setup, but if you're doing a more complex multi-server setup and especially if you're going to do split-horizon DNS, it is a terrible setup.

  • Routing DNS requests in a zone to a default host

    Hi,
    What I'd like to do is to direct all DNS requests for non-existent hosts to a single host by default. So even if I haven't defined a hostname in my zone, the request will still resolve (to this default host). Any ideas?
    Ben

    It's possible to do via wildcard DNS, but you cannot do it via Server Admin (it doesn't permit the * for the wildcard name), therefore you have to get under the hood and edit your zone file directly.
    You'll need to find your zone's domain file in /var/named and add a line like:
    *  IN  A  1.2.3.4
    (where 1.2.3.4 is, obviously, the IP address you want all unknown addresses to point to).
    You'll also need to increment the serial number in the SOA record near the top of the file (otherwise your change won't be noticed)
    Restart named (e.g. via killall -HUP named or via Server Admin), and now any lookup for an unknown host will return the specified address.

  • Number of recipients restricted with specific host exceptions

    iMS Version: 6.1
    I have a need to restrict all senders of email to 10 recipients in a single email message. However, one specific host needs to be able to send to an unlimited (or just a large number) number of recipients on a single message.
    From some reading, this isn't all that easy to set up. However, since the exception host is known (by IP/name), we are hoping that simplifies things. Any thoughts?
    (the exception host is a server which houses a learning management system. That system allows the professor to send email to the students in the course)

    Hi,
    Possible to achieve. Requires a few steps though.
    1. Isolate off traffic from your LMS system (in this example represented by 1.2.3.4) to a new source channel:
    Create a new mapping table in the style of the INTERNAL_IP mapping table (add to the mappings file) e.g. FRIENDLY_IP
    FRIENDLY_IP
      $(1.2.3.4/32)  $Y
      *  $N
    Add a rewrite rule (imta.cnf) to direct traffic from the FRIENDLY_IP range to the tcp_friendly source channel (needs to be ABOVE the INTERNAL_IP rewrite rule which looks almost the same):
    ! Do mapping lookup for "friendly", non-internal IP addresses
    [] $E$R${FRIENDLY_IP,$L}$U%[$L]@tcp_friendly-daemon
    Create a new tcp_friendly channel. This should look the same as your existing tcp_intranet channel e.g.
    ! tcp_friendly
    tcp_friendly smtp mx single_sys subdirs 20 dequeue_removeroute maxjobs 7 pool SMTP_POOL maytlsserver allowswitchchannel saslswitchchannel tcp_auth missingrecipientpolicy 4
    tcp_friendly-daemon
    2. Increase the recipient level on the tcp_friendly channel by adding the "recipientlimit <limit>" keyword e.g.
    tcp_friendly smtp mx single_sys subdirs 20 dequeue_removeroute maxjobs 7 pool SMTP_POOL maytlsserver allowswitchchannel saslswitchchannel tcp_auth missingrecipientpolicy 4 recipientlimit 100
    3. Lock down the recipient limit for other traffic.
    Edit the channel definitions for other source channels (such as tcp_local/tcp_intranet/tcp_submit/tcp_auth) and add a smaller recipient limit (recipientlimit 10) e.g.
    tcp_intranet smtp mx single_sys subdirs 20 dequeue_removeroute maxjobs 7 pool SMTP_POOL maytlsserver allowswitchchannel saslswitchchannel tcp_auth missingrecipientpolicy 4 recipientlimit 10
    Then run ./imsimta cnbuild ; ./imsimta restart for it to take effect. You should see emails from your LMS system coming from tcp_friendly rather than tcp_local/tcp_intranet.
    Recommend you run through and test these steps on a development/test system first of course.
    Regards,
    Shane.

  • Hosting Multiple DNS Zones on different servers How To?

    Hello, I have an issue that I would like one of the experts to help out with.
    I am currently facing an issue with DNS. I currently need to be able to ping certain machines on my internal domain by their external IP address.
    Example: machineA.domain.local has IP address 192.168.1.10 but from the inside of my network I would need to be able to ping machineA.domain.local and have it resolve to my EXTERNAL IP ADDRESS.
    Now as far as I know using a split DNS would solve this issue. Herein lies my issue.
    My DNS works half the time. Sometimes I will ping machineA.domain.local and it will resolve the internal address and sometimes it would resolve the public IP address (which I set manually in my split DNS)
    Now, my reasoning for this is because there are multiple entries with the same machine name on the same domain controller that resolve to different IP addresses. So when I ping machineA.domain.local the reply will be a "confused" reply.
    Here is what I tried to do to correct the issue. I created another Windows Server 2008 R2 machine with only the DNS role installed. I then removed the split DNS from my domain controller and added the zone "zone.domain.com" with the A record "machineA.domain.com"
    I did not join the domain with the new machine as I did not believe it to be necessary.
    The machines on the inside still cannot ping "machineA.domain.com", nor can my new server successfully ping "machineA.domain.local". It can resolve "machineA.domain.com" but I am fairly certain this is because I added it in the DNS zone.
    I tried to go a little further and tried to connect to the domain controller DNS via the MMC snap in on my new server. I get an error telling me that the access is denied.
    In order to attempt to fix that I added the computer in the properties of the DNS in the security tab. I also added the newly created server to the DNS admins group.
    Nothing works. I am not sure what I am doing incorrectly, but I would need to know how I can do the following:
    A) Successfully (if possible) have 2 different zones on the same domain
    example: internal.domain.local and external.domain.com
    I would need to know how to be able to successfully ping the machines I need to ping that resolves to  the external IP address from the inside without having the internal A record in the DNS zone interfere.
    I would also need to know how I could connect to the domain controllers DNS via another computer (the new server) without having the access is denied error.
    Once again, I tried to use a split DNS on the same server which yielded mixed results. I cannot have the machines replying randomly or go down because 2 DNS zones are on the same machine.
    Thank you hope to get an answer ASAP!

    Anyone have any ideas on this?

  • Active Directory Integrated DNS Zones, replicate only to specific domain controllers

    I have a customer with a fairly large Active Directory forest with many domains that they are trying to consolidate into a single domain, which will likely take 18 to 24 months according to their timeline.  During this time, they would like all DNS zones to be serviced directly from the new domain controllers, meaning domain A would have replicas of domain B, C, D, E, etc.  Because the environment is complex and some domain controllers in domains other than A are in a very sad state and replication problems abound, they would like to avoid replicating all zones forest wide.
    I've never done this before, or even considered it necessary, is it even possible?  I don't have a ton of time for trial and error, but based on this there seems to be some hope:
    https://technet.microsoft.com/en-us/library/cc753801.aspx?f=255&MSPPError=-2147217396
    Is this telling me how to do what I want to do?
    Thanks
    J
    Joseph M. Durnal MCM: Exchange 2010 MCITP: Enterprise Messaging Administrator, Exchange 2010 MCITP: Enterprise Messaging Administrator, MCITP: Enterprise Administrator

    He actually didn't specify much about dynamic updates requirements for old domains, if they don't need secure dynamic updates then a primary zone would work:
    The DNS Server service allows dynamic update to be enabled or disabled on a per-zone basis at each server that is configured to load either a standard primary or directory-integrated zone.
    REF: Understanding Dynamic updates

  • Is it possible to patch Global Zone and only specific Non-Global Zones?

    Hi Champs,
    Is it possible to patch Global Zone and only specific Non-Global Zones? Idea is to patch DEV-zones only on the system & test applications and then patch only the STG-zones on same server!
    Not sure if it is possible but just throwing a question...
    Cheers,
    Nitin

    M10vir wrote:
    Yes, if you have branded (non-sparse) zone!
    Branded zones and sparse zones don't have the relation that you imply. In Solaris 10, native zones can be sparse or whole-root (non-sparse, as you say). Zones that are not native zones are branded zones. Branded zones on Solaris 10 include Solaris Legacy Containers, previously known as Solaris 8 Containers and Solaris 9 Containers. That add-on product allows you to run Solaris 8 and Solaris 9 application environments under a thin layer of virtualization provided by the brands framework. solaris8 and solaris9 branded zones can be patched independently of each other and of the global zone.
    Solaris 11 has no "native zones" - all zones use the brands framework. The "solaris" brand does no emulation and in that respect is very similar to native zones on Solaris 10. Solaris 11 also provides Solaris 10 Zones via the solaris10 brand. This allows zones or the global zone from a Solaris 10 system to be transferred to a Solaris 11 system and run as solaris10 zones. When running on Solaris 11, solaris10 zones can each be patched independently from each other and the Solaris 11 global zone. Technically, Solaris 11 doesn't have patches - it just has newer versions of packages to which the system is updated.

  • External DNS zone on Internal DNS servers

    We currently have a 2 domain forest with DNS running on all domain controllers. All domain controllers are 2012 or 2012 R2 and our domain and forest functional level is set at 2008 R2 due to the existence of an Exchange 2003 server which won't be retired for several months. We have 2 DNS servers in the root domain and 4 DNS servers in the child domain. This is a centralized DNS setup. Our parent domain is DOMAIN.LOCAL and the child domain is XX.DOMAIN.LOCAL. Externally, our DNS is MYDOMAIN.com. We do not have a public facing DNS server and our DNS records are hosted by a 3rd party.
    We want to add the MYDOMAIN.COM DNS zone internally (AD Integrated) since we have several instances where applications do not really work well with the XX.DOMAIN.LOCAL DNS. We want this zone to host several DNS records for internal resolution only since we do not have any public facing applications or web servers such as SharePoint etc.
    My question(s) is this?
    How is the best way to do this and how will it affect the zones we currently have in place.
    Is it as simple as creating a new forward lookup zone, adding static records?
    How do we (or do we) handle delegation?
    Any information or suggestions to get me started would be greatly appreciated.
    Russ

    Hi,
    I don't quite understand your question; do you want to create a new primary DNS zone on your current DNS server? If so, you just need to create a new primary: you can create the additional primary DNS zone.
    The related KB:
    Configuring a new primary server
    http://technet.microsoft.com/en-us/library/cc776365(v=ws.10).aspx
    Hope this helps.

  • Disable Portable Home Directories on specific hosts for all users?

    Hello All,
    Would it be possible to block any and all Portable Home Directory services for specific hosts? Something like "MobileAccountNeverAsk-<user>" but for the whole workstation? We have a network with both portable and stationary machines. I'd like our users to be able to use all machines, going portable on the MacBook and not bothering with syncing when logged into iMacs or Mac Pros.
    The Open Directory servers are running Snow Leopard (for now) and all clients are running Lion.
    Thanks
    Paul

    Darren,
    Yes. The clients are Solaris 10 as well. And the domain is the same on both server and clients.
    The files should be owned by real users.
    If a user ssh's into the server directly, the permissions display properly. But on the clients it is nobody. Other than the permission displaying wrong, I haven't noticed any permission-related restrictions on the clients.
    -Jim
    Edited by: cr8rface on Sep 22, 2008 10:30 AM

  • Another DNS Zone Question! :)

    I have several geographic sites all with their own leopard servers (ten or so). Each are open directory masters managing public ip subnets. We do have an external dns server and all of our servers have registered names that are part of the same domain....
    My question is this... when setting up DNS on each server, do I need to create zones, or can I just make the DNS forward to our external name server? I am worried that having more than one NS authoritative for the same domain will cause problems with our ISP's DNS server. I have one server running just fine without zones... just forwarders... and all is running smoothly: iCal, wikis, MCX, mobile accounts, etc.
    Looking forward to finding out whether having zones at other locations and authoritative dns servers is a bad thing or not.
    Thanks.

    As long as the external DNS server has all of the info you need, there's no need to set up duplicate zones on your servers; as you note, it could even cause problems if the info got out of sync. In fact, you don't even need to act as a forwarder, you could just turn off DNS service and configure all your computers (servers & clients) to use your ISP's DNS servers.
    In your situation, I see two reasons you might want to run DNS service: in case your internet link goes down (losing access to DNS tends to make it hard to find servers, even if they're on the same LAN), or if the public DNS servers don't have the reverse DNS (IP number -> domain name) entries you need. If you're worried about the first, you could set your servers as secondaries (aka slaves) for the relevant zones, in which case they'll download the zone files from the master and automatically keep in sync. If the second is an issue, you're probably best off bugging your ISP -- since the reverse records are tied to your IP numbers, and those're "owned by" the ISP, they're generally in charge of the reverse DNS no matter who's hosting your forward DNS zones.

  • Child DNS Zone changing PTR record of OD Master

    Greetings,
    I am setting up a new OD master server for our school that will also host our DNS. Home folders will be on another server. I am using the DNS GUI for now. Setup master DNS zone of ourschool.lan. OD master has FQDN of admin.ourschool.lan with an IP address of 172.16.2.254. Forward and reverse lookups of OD master are great.
    #host admin.ourschool.lan returns 172.16.2.254
    #host 172.16.2.254 returns admin.ourschool.lan
    When I go to set up a child zone, highschool.ourschool.lan, on this server I set the nameserver to ns1.highschool.ourschool.lan and IP address of 172.16.2.254, I have had the following happen:
    #host admin.ourschool.lan returns 172.16.2.254
    #host 172.16.2.254 returns ns1.highschool.ourschool.lan (not what I want!)
    I understand forward and reverse lookups to OD master need to be rock solid. The changing of the PTR record is going to ruin this. Has anyone else seen this behavior. Should I just do the DNS through terminal and forget the GUI?
    Thank you for any feedback. I searched this discussion list and didn't find anything similar to this in the postings.
    Best Regards,
    Steve
    OS X Server and Client   Mac OS X (10.4.6)  

    Your problem stems from the fact you're trying to create two separate A records for the same IP address.
    The GUI will automatically create a reverse DNS entry for each a record. Since you have two A records that point to 172.16.2.254 that's where your problem lies.
    Your solution is either to use a CNAME (or alias) for the second hostname (e.g. ns1.highschool.ourschool.lan CNAME admin.ourschool.lan), or manage the DNS by hand and don't use the GUI tools.

  • Adding a new DNS zone to OD master for use as mail server

    hi all,
    I recently migrated from Apple's Postfix to Kerio mail server. I am using an Xserve to run OD master, DNS, Jabber, Windows PDC and Kerio mail.
    The server name is mail.domain1.com and I am hosting it on local IP 192.168.0.4 and using NAT on my firewall.
    I would like to set up another Kerio domain and mail server on the same box but am not sure how to approach DNS.
    I need to add mail.domain2.com.
    I am able to add the second mail server in Kerio but not sure if I need to set up a second DNS zone on the same server in order to be able to have my local clients connect to the new domain. I only have 4 users for domain2.com and plan to use Kerio's built-in authentication so I don't really need another LDAP or user authentication server for now.
    Currently I am using the hosting package of my provider to serve mail.domain2.com as well as www.domain2.com.
    I would like to keep the site with the hosting company but just move the mail server to my Kerio server. That is the setup I have for domain1 - I host the mail server mail.domain1.com on premises and I have my domain registration site host the site for www.domain1.com.
    I assume I can do this with virtual domains?
    any help is appreciated.
    thanks
    martin
