Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

DNS Encryption.

Status
Not open for further replies.

apc1234

Technical User
Jun 19, 2009
17
US
Hi,

Has anyone tried or set up DNS encryption in Windows 2008?

Thanks.
 
For internal or external DNS?

Denny
MVP
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / SQL 2005 BI / SQL 2008 DBA / SQL 2008 DBD / SQL 2008 BI / MWSS 3.0: Configuration / MOSS 2007: Configuration)
MCITP (SQL 2005 DBA / SQL 2008 DBA / SQL 2005 DBD / SQL 2008 DBD / SQL 2005 BI / SQL 2008 BI)

My Blog
 
Hi,

Internal -primarily. The way the environment is set up is:

Domain controller's (no secure/dynamic updates), file server, SQL servers, DNS servers are all inside and on separate subnets. The webserver is outside on the DMZ and can access all the internal servers. Access to the outside world is allowed only for the DNS and webservers.

The requirement is for DNS to be encrypted. I have been testing with IPSec policies.

All help is much appreciated.

Thanks.
 
Hi all,

Just wondering if anyone has any ideas regarding encrypting DNS.

Thanks.
 
IPSec would be your only option. If you encrypt the data within the DNS zone file your clients wouldn't know what to do with it.

Denny
MVP
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / SQL 2005 BI / SQL 2008 DBA / SQL 2008 DBD / SQL 2008 BI / MWSS 3.0: Configuration / MOSS 2007: Configuration)
MCITP (SQL 2005 DBA / SQL 2008 DBA / SQL 2005 DBD / SQL 2008 DBD / SQL 2005 BI / SQL 2008 BI)

My Blog
 
Then the question is: IPSec applied to all machines within the domain or select machines?

Reason is that when I applied an IPSec policy that requires security and uses Kerberos authentication, the following happens:

1. name resolution works
2. ping fails
3. cannot use remote desktop to connect, and
4. authentication through the website fails

Any ideas or suggestions?

Thanks.
 
It is applied to all machines that the policy is applied to. You can make it a policy that is applied to the entire domain or only a few critical systems, or any combination of them.

You might also want to step back from requiring IPSec to requesting IPSec, except for those most "high security" servers. That way if both the client and server support the encryption it will use it, otherwise it will fall back to unencrypted for compatibility.

________________________________________
CompTIA A+, Network+, Server+, Security+
MCTS:Windows 7
MCTS:Hyper-V
MCTS:System Center Virtual Machine Manager
MCSE:Security 2003
MCITP:Enterprise Administrator
 
I wanted to go the 'request' route but the client wants us to require encryption.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top