Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

DNS Encryption.

Status
Not open for further replies.
apc1234

apc1234

Technical User
Jun 19, 2009
17
US
Hi,

Has anyone tried or set up DNS encryption in Windows 2008?

Thanks.
 
Sort by date Sort by votes
For internal or external DNS?

Denny
MVP
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / SQL 2005 BI / SQL 2008 DBA / SQL 2008 DBD / SQL 2008 BI / MWSS 3.0: Configuration / MOSS 2007: Configuration)
MCITP (SQL 2005 DBA / SQL 2008 DBA / SQL 2005 DBD / SQL 2008 DBD / SQL 2005 BI / SQL 2008 BI)

My Blog
 
Upvote 0 Downvote
Hi,

Internal -primarily. The way the environment is set up is:

Domain controller's (no secure/dynamic updates), file server, SQL servers, DNS servers are all inside and on separate subnets. The webserver is outside on the DMZ and can access all the internal servers. Access to the outside world is allowed only for the DNS and webservers.

The requirement is for DNS to be encrypted. I have been testing with IPSec policies.

All help is much appreciated.

Thanks.
 
Upvote 0 Downvote
Hi all,

Just wondering if anyone has any ideas regarding encrypting DNS.

Thanks.
 
Upvote 0 Downvote
IPSec would be your only option. If you encrypt the data within the DNS zone file your clients wouldn't know what to do with it.

Denny
MVP
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / SQL 2005 BI / SQL 2008 DBA / SQL 2008 DBD / SQL 2008 BI / MWSS 3.0: Configuration / MOSS 2007: Configuration)
MCITP (SQL 2005 DBA / SQL 2008 DBA / SQL 2005 DBD / SQL 2008 DBD / SQL 2005 BI / SQL 2008 BI)

My Blog
 
Upvote 0 Downvote
Then the question is: IPSec applied to all machines within the domain or select machines?

Reason is that when I applied an IPSec policy that requires security and uses Kerberos authentication, the following happens:

1. name resolution works
2. ping fails
3. cannot use remote desktop to connect, and
4. authentication through the website fails

Any ideas or suggestions?

Thanks.
 
Upvote 0 Downvote
It is applied to all machines that the policy is applied to. You can make it a policy that is applied to the entire domain or only a few critical systems, or any combination of them.

You might also want to step back from requiring IPSec to requesting IPSec, except for those most "high security" servers. That way if both the client and server support the encryption it will use it, otherwise it will fall back to unencrypted for compatibility.

________________________________________
CompTIA A+, Network+, Server+, Security+
MCTS:Windows 7
MCTS:Hyper-V
MCTS:System Center Virtual Machine Manager
MCSE:Security 2003
MCITP:Enterprise Administrator
 
Upvote 0 Downvote
I wanted to go the 'request' route but the client wants us to require encryption.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

rzammit82
  • Locked
  • Question
Windows Server 2016 - DNS/AD problem
Replies
1
Views
292
suncit
suncit
fredmartinmaine
  • Locked
  • Question
Domain Controller without DNS Server
Replies
4
Views
321
fredmartinmaine
fredmartinmaine
FreeSoldier
  • Locked
  • Question
Server 2012 R2 VPN Encryption
Replies
1
Views
100
tacohunter
tacohunter
telecotek1
  • Locked
  • Question
strange DNS issue
Replies
1
Views
141
telecotek1
telecotek1
evr72
  • Locked
  • Question
Wundows Server 2003 DNS can resolve names but not ip addresses
Replies
0
Views
54
evr72
evr72

Part and Inventory Search

Sponsor

Back
Top