nkeables asked:
Server 2016 and DNS DName entries

We use a DNS DName entry to force YouTube Moderate Search settings for our users. The DName translates "youtube.com" to "restrictmoderate.youtube.com." After upgrading to MS Server 2016 (with AD-integrated DNS) the DName entries do not appear to function. When I attempt to visit "www.youtube.com" the page returns "This site can't be reached," "www.youtube.com's server DNS address could not be found."

The YouTube site suggests that I create a CName entry for the domain, but Microsoft will not support a CName entry in a DNS zone of the same name; that's why we used a DName entry. An "A" record will not work either. Using the IP returned from an NSLookup request (against my 2012 R2 servers) in my browser returns a Google search page, not a YouTube page. So an IP mapping doesn't help.

Using the NSLookup tool, I can successfully resolve my DName entries against my remaining 2012 R2 Domain Controllers, but not against any of my six 2016 DCs.

I found a KB article that addresses this behavior in 2012 R2, but it says nothing about Server 2016. The KB is KB3133954.

Please help. How do I configure a DName alias on a 2016 server running AD-integrated DNS and make it work?

Cliff Galiher:
I don't think you are going to find a fix for this, and the issue described in the KB isn't quite the same issue. Since you don't own youtube.com, you can't delegate it (which is what a DNAME record is supposed to be used for). While you can misuse this record type in some situations, 2016's hardened DNS/DANE support tends to make these types of MitM plays less effective, as you are finding out. DNS manipulation has never been a great way to do content filtering, and is one of my major gripes against OpenDNS, who has popularized the method and misrepresents it for monetary gain.

-Cliff
As Cliff said, if you were able to hack some version of DNS + fool it into returning restrictmoderate.youtube.com for youtube.com some way, this will probably only work if...

1) All DNS traffic is forced through your DNS servers, so TCP/UDP IPv4 + IPv6 traffic to port 53 is blocked + everyone must point to your custom DNS entries.

2) The DNS server you're running is buggy, so you can spoof zone delegation for youtube.com in some way.

Newer versions of DNS servers likely will catch oddities like this, which break correct resolution + just ignore this type of DNS zone file setup.
nkeables (asker):
Only our DCs doing forward lookups are allowed through the firewall, and then only to specific outside DNS servers. The firewall rule restricting this is an app-based rule, so it's doing a much deeper inspection than simple port traversal awareness. We can, and have been, effectively owning the resolution of www.youtube.com.

The solution suggested by Google is linked below. Google suggests using a DNS CName entry. But Microsoft won't allow me to do that in a zone with the same name.

How does one successfully use a 'DNAME' entry in Server 2016? Is it the intent of the standard to only use these entries for zones that we're authoritative for? Why then can't I choose to be authoritative for any zone I choose (within the boundary of my network)? And since when has Microsoft cared about conforming to DNS standards? My only option at this point seems to be to revert my 2016 DC back to 2012.

https://support.google.com/a/answer/6214622?hl=en&ref_topic=6248111
One successfully uses a DNAME record on 2016 for domains they are *ACTUALLY* authoritative for.

Why can't you choose to be authoritative for any zone you choose? Because legitimate real attacks have used MitM and DNS poison attacks, so DNS standards have evolved to mitigate this. Claiming authority and BEING authoritative are two different things, and if you don't own the domain, you shouldn't pretend to be authoritative. Blame the hackers, not Microsoft.

Since when has Microsoft cared about conforming to DNS standards? Since at least 2003. Which is why you can't add a CNAME record at a zone root. That's against RFC and isn't Microsoft's arbitrary rule. Google is recommending a non-spec fix. Blame Google.

You can revert to a less secure solution, sure. If you see that as your only option...go for it. The *right* solution though is to use real content filtering, which any reasonable UTM can do without breaking spec. And when 2012 goes into end-of-life, you'll need to do so anyway, as BIND (and most good Unix DNS servers) have similar "limitations" by following spec.
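As an added illustration of the DNAME semantics discussed above (this is example code, not from the thread or from Microsoft's DNS server), the sketch below implements the RFC 6672 substitution rule: a DNAME at youtube.com rewrites names below it, such as www.youtube.com, but never the owner name itself, and a server answers a hit with a synthesized CNAME. The function names are my own.

```python
"""RFC 6672 DNAME substitution, applied to the thread's example record
   youtube.com. DNAME restrictmoderate.youtube.com.
Added example for illustration; not code from the thread or from any DNS server."""
from typing import List, Optional


def _labels(name: str) -> List[str]:
    # Normalise a domain name to lower-case labels, ignoring a trailing dot
    return [label for label in name.lower().rstrip(".").split(".") if label]


def dname_substitute(qname: str, owner: str, target: str) -> Optional[str]:
    """Apply 'owner DNAME target' to a query name.

    RFC 6672 section 2: the DNAME covers every name strictly below the owner;
    the owner name itself is never rewritten (it keeps its own records, e.g.
    SOA/NS at a zone apex). Returns the rewritten, fully qualified name, or
    None when the record does not apply to qname.
    """
    q, o, t = _labels(qname), _labels(owner), _labels(target)
    # Must be a proper subdomain: longer than the owner and ending in it
    if len(q) <= len(o) or q[len(q) - len(o):] != o:
        return None
    prefix = q[: len(q) - len(o)]          # labels to the left of the owner
    return ".".join(prefix + t) + "."      # same prefix, new suffix


def synthesize_cname(qname: str, owner: str, target: str) -> Optional[str]:
    """A DNAME hit is answered with a synthesized CNAME (RFC 6672 section 3.1)."""
    rewritten = dname_substitute(qname, owner, target)
    if rewritten is None:
        return None
    return f"{qname.rstrip('.')}. CNAME {rewritten}"


if __name__ == "__main__":
    OWNER, TARGET = "youtube.com", "restrictmoderate.youtube.com"
    for q in ("www.youtube.com", "m.youtube.com", "youtube.com", "notyoutube.com"):
        print(f"{q:20} -> {synthesize_cname(q, OWNER, TARGET)}")
```

Note that the bare name youtube.com returns None: the apex is outside the DNAME's scope, which is one reason Google's guidance lists per-host CNAMEs such as www.youtube.com rather than a record at the apex.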
Cliff,

Thank you for your comments. I do not disagree. Instead, I am frustrated by the loss of function, even if it's due to standards adherence.

Microsoft has not always followed standards; I think back to 2000/2003 with Microsoft's acceptance of the non-RFC-standard underscore character in DNS host names. This caused us some naming convention problems then. So while my comment was meant more in jest, it's not entirely wrong.

You are correct, however: the real issue lies with Google. For the time being, I have redirected all my internal DNS traffic to my two remaining Win 2k12 DCs, at least until we decide how we're going to address this situation.

As for real content filtering, we have an HA pair of Palo Alto devices, capable of a wide variety of DPI, SSL decryption, and as complex an ACL as you'd like to build with App-ID or port-based rule sets. What it doesn't do is header rewrites. So, even with real URL filtering, I am still stuck.

Thank you for your comments.
ASKER CERTIFIED SOLUTION
Cliff Galiher
Cliff,

You are correct. I apologize. You did answer the question as asked.

I really should have asked what a valid workaround is for someone in my situation (having lost the ability to use DName entries), needing to force "moderate search" settings in YouTube, who doesn't have a device that modifies header content. I should have re-read my initial question before closing.