nslookup - A hacker's roadmap?
Hi,
I was watching a CBT Nuggets video on DNS, and the guy showed you could see a lot of detailed information about a domain, i.e. all servers and IPs.
eg.
nslookup
>set type=ns
>yahoo.com
and the dnslint command.
So presumably this works only on DMZ nodes. So is there a way to hide this information without affecting services?
November 16th, 2010 9:38am
In the given example this information (the list of authoritative name servers) must be available publicly, because it is used during the iterative name resolution process. Here is a simple example:
A user types http://www.example.com in the Address field of their Internet browser. When the user presses the ENTER key, the browser makes a Windows Sockets function call, either gethostbyname() or getaddrinfo(), to resolve the name www.example.com to an IP address. For the DNS portion of the Windows host name resolution process, the following occurs:
The DNS resolver on the DNS client sends a recursive query to its configured DNS server, requesting the IP address corresponding to the name "www.example.com". The DNS server for that client is responsible for resolving the name and cannot refer the DNS client to another DNS server.
The DNS server that received the initial recursive query checks its zones and finds no zone corresponding to the requested domain name; the DNS server is not authoritative for the example.com domain. Because the DNS server has no information about the IP addresses of DNS servers that are authoritative for example.com. or com., it sends an iterative query for www.example.com. to a root name server.
The root name server is authoritative for the root domain and has information about name servers that are authoritative for top-level domain names. It is not authoritative for the example.com. domain. Therefore, the root name server replies with the IP address of a name server for the com. top-level domain.
The DNS server of the DNS client sends an iterative query for www.example.com. to the name server that is authoritative for the com. top-level domain.
The com. name server is authoritative for the com. domain and has information about the IP addresses of name servers that are authoritative for second-level domain names of the com. domain. It is not authoritative for the example.com. domain. Therefore, the com. name server replies with the IP address of the name server that is authoritative for the example.com. domain.
The DNS server of the DNS client sends an iterative query for www.example.com. to the name server that is authoritative for the example.com. domain.
The example.com. name server replies with the IP address corresponding to the FQDN www.example.com.
The DNS server of the DNS client sends the IP address of www.example.com to the DNS client.
Iterative queries always use NS-type records to resolve the target host name. For additional info please refer to:
About the name resolution process:
http://technet.microsoft.com/en-us/library/bb727005.aspx
http://technet.microsoft.com/en-us/library/bb727007.aspx
DNS server security:
http://technet.microsoft.com/en-us/library/cc756835(WS.10).aspx
http://en-us.sysadmins.lv
November 16th, 2010 10:04am
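The walk from the root down to example.com. described in the reply above, as an added example that is not part of the original thread: a small Python 3 simulation over an in-memory set of constructed "servers" (the server names, zones and addresses are my assumptions, using RFC 2606 reserved domains and RFC 5737 documentation addresses, not real infrastructure). It goes slightly beyond the post by recording what each hop hands out, which is the point of the question: the NS records and glue addresses for a zone are published by its parent, so every resolver on the Internet receives them whether or not your own servers are reachable.

```python
"""Iterative DNS resolution over a constructed delegation tree (Python 3, stdlib only).

Added example, not from the original thread. The "servers" below are
in-memory tables keyed by a constructed address: "zone" is what the server
is authoritative for, "NS" maps a zone to its name servers (its own zone, or
delegations it hands out as referrals), "A" holds addresses including the
glue for NS names. Names use RFC 2606 reserved domains and addresses use
RFC 5737 documentation ranges; none of this is real infrastructure.
"""

ROOT_IP = "203.0.113.1"  # constructed stand-in for a root server

SERVERS = {
    ROOT_IP: {
        "zone": ".",
        "NS": {".": ["root-ns.example."], "com.": ["com-ns.example."]},
        "A": {"root-ns.example.": ROOT_IP, "com-ns.example.": "198.51.100.1"},
    },
    "198.51.100.1": {  # constructed com. TLD server
        "zone": "com.",
        "NS": {"com.": ["com-ns.example."],
               "example.com.": ["ns1.example.com.", "ns2.example.com."]},
        "A": {"com-ns.example.": "198.51.100.1",
              "ns1.example.com.": "192.0.2.10", "ns2.example.com.": "192.0.2.11"},
    },
    "192.0.2.10": {  # constructed example.com. authoritative server (ns1)
        "zone": "example.com.",
        "NS": {"example.com.": ["ns1.example.com.", "ns2.example.com."]},
        "A": {"www.example.com.": "192.0.2.80", "mail.example.com.": "192.0.2.25",
              "ns1.example.com.": "192.0.2.10", "ns2.example.com.": "192.0.2.11"},
    },
}


def in_zone(name, zone):
    """True if name lies at or below zone (all names absolute, with trailing dot)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def query(server_ip, qname, qtype="A"):
    """One non-recursive question to one server.

    Returns (kind, zone, data): kind is "answer" (data = the record),
    "referral" (data = [(ns_name, glue_ip)] for the closest delegation),
    "nxdomain", or "refused" (name outside every zone the server holds).
    """
    srv = SERVERS[server_ip]
    if not in_zone(qname, srv["zone"]):
        return ("refused", srv["zone"], None)
    # Longest delegated zone name first: the closest delegation wins.
    for child in sorted(srv["NS"], key=len, reverse=True):
        if child != srv["zone"] and in_zone(qname, child):
            glue = [(ns, srv["A"].get(ns)) for ns in srv["NS"][child]]
            return ("referral", child, glue)
    table = srv.get(qtype, {})
    if qname in table:
        return ("answer", srv["zone"], table[qname])
    return ("nxdomain", srv["zone"], None)


def resolve(qname, qtype="A", start=ROOT_IP, max_hops=8):
    """Iterative resolution as a recursive DNS server performs it: start at the
    root and follow referrals. Returns (answer, trace); trace holds one
    (server_ip, kind, zone, data) tuple per hop, i.e. everything a resolver
    (or a packet capture) learns along the way."""
    trace, server = [], start
    for _ in range(max_hops):  # hop limit guards against a delegation loop
        kind, zone, data = query(server, qname, qtype)
        trace.append((server, kind, zone, data))
        if kind == "answer":
            return data, trace
        if kind != "referral":
            return None, trace
        # Follow the first name server the referral carried glue for; without
        # glue the resolver would first have to resolve the NS name itself.
        glued = [ip for _ns, ip in data if ip]
        if not glued:
            raise RuntimeError("referral for %s carried no glue" % zone)
        server = glued[0]
    raise RuntimeError("too many referrals resolving %s" % qname)


def exposed_by_parent(zone):
    """What the parent zone publishes about `zone` in its referral: NS names
    and glue addresses. This is the data 'nslookup -type=ns' shows, and it
    reaches every resolver on the Internet by design."""
    _answer, trace = resolve(zone, "NS")
    for _ip, kind, ref_zone, data in trace:
        if kind == "referral" and ref_zone == zone:
            return dict(data)
    return {}


if __name__ == "__main__":
    addr, trace = resolve("www.example.com.")
    for ip, kind, zone, data in trace:
        print("%-13s %-8s %-13s %s" % (ip, kind, zone, data))
    print("www.example.com. ->", addr)
    print("published by the parent for example.com.:", exposed_by_parent("example.com."))
```

Running it prints the three hops (root referral to com., com. referral to example.com. with the ns1/ns2 glue, then the answer from ns1). The last line is the part that cannot be hidden: it is the com. server, not yours, that tells the world which name servers and addresses serve example.com., and any resolver has to obtain it before it can contact you at all. What you can control is everything beyond that referral: which additional records your servers answer, and whether they hand out the whole zone on request.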
Thanks for the information. I guess it's unavoidable. But he did mention that Google has hidden some of the info, possibly from the dnslint command.
I have a test network with a DMZ, hiding behind a router and firewall.
So are my DMZ nodes (DNS/web server/mail) automatically more secure because I have NAT enabled on the router?
November 16th, 2010 10:27am
> So are my DMZ nodes (DNS/web server/mail) automatically more secure because I have NAT enabled on the router?
Not always, because you need to forward the required service ports (53, 80, 443, 25, 110, etc.) and a malicious user can use them to access private data maintained by these servers. For example, a user can download the entire DNS zone by running a simple command and will have information about all names within this zone. To avoid this you must configure zone transfer rules (specify the permitted DNS server addresses that are allowed to download the entire zone) and so on. This is just an example, and it tells you that NAT is not a sufficient security measure and you need to configure each service's security separately.
http://en-us.sysadmins.lv
November 16th, 2010 11:24am
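The "download the entire zone" step and the transfer restriction described in the reply above, as an added example that is not from the original thread or from Microsoft's DNS server: a Python 3 script that builds the AXFR request a client sends, then plays the authoritative server's side both ways, handing the whole zone to a listed secondary and answering REFUSED to anyone else. The zone contents, the addresses and the allow-list are constructed (RFC 2606 names, RFC 5737 addresses), nothing touches the network, and the single-message transfer is a simplification of real AXFR, which runs over TCP and may span several messages.

```python
"""DNS zone transfer (AXFR) on the wire: the request, a leaked zone, and the
REFUSED answer of a server that limits transfers to listed secondaries.
Added example (Python 3, stdlib only), not from the original thread or from
Microsoft's DNS server. Both sides are built from constructed data (RFC 2606
names, RFC 5737 addresses, a made-up allow-list); nothing touches the network.
Simplification: real AXFR runs over TCP and may span several messages."""
import socket
import struct

A, NS, SOA, AXFR = 1, 2, 6, 252          # RR / query type codes (RFC 1035)
RCODE_NOERROR, RCODE_REFUSED = 0, 5

def encode_name(name):
    """'www.example.com.' -> length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def decode_name(msg, off):
    """Read a name at off, following compression pointers; returns (name, next_off)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                          # pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode())
        off += n
    return ".".join(labels) + ".", (off if end is None else end)

def build_query(qid, zone, qtype):
    """12-byte header with RD=0 (a transfer is never recursive) plus one question."""
    return struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", qtype, 1)

def build_response(query, rcode, records):
    """Answer a query: QR=1, AA=1, question echoed, records in the answer section."""
    qid = struct.unpack("!H", query[:2])[0]
    body = b"".join(encode_name(n) + struct.pack("!HHIH", t, 1, 3600, len(rd)) + rd
                    for n, t, rd in records)
    return struct.pack("!HHHHHH", qid, 0x8400 | rcode, 1, len(records), 0, 0) + query[12:] + body

def parse_response(msg):
    """Return (rcode, [(name, type, rdata_bytes)]) from the answer section."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, records = 12, []
    for _ in range(qd):                               # skip the echoed question(s)
        _name, off = decode_name(msg, off)
        off += 4                                      # QTYPE + QCLASS
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return flags & 0x000F, records

# Constructed zone. A transfer starts and ends with the SOA record.
SOA_RDATA = (encode_name("ns1.example.com.") + encode_name("hostmaster.example.com.")
             + struct.pack("!IIIII", 2010111601, 3600, 900, 604800, 300))
ZONE = [
    ("example.com.", SOA, SOA_RDATA),
    ("example.com.", NS, encode_name("ns1.example.com.")),
    ("example.com.", NS, encode_name("ns2.example.com.")),
    ("ns1.example.com.", A, socket.inet_aton("192.0.2.10")),
    ("ns2.example.com.", A, socket.inet_aton("192.0.2.11")),
    ("www.example.com.", A, socket.inet_aton("192.0.2.80")),
    ("mail.example.com.", A, socket.inet_aton("192.0.2.25")),
    ("intranet.example.com.", A, socket.inet_aton("10.20.0.5")),  # the kind of name a transfer leaks
    ("example.com.", SOA, SOA_RDATA),
]
# Transfer policy: only the listed secondary may pull the zone (the "permitted
# DNS server addresses" setting from the reply above, as a constructed list).
ALLOWED_SECONDARIES = frozenset({"192.0.2.11"})

def handle_axfr(request, client_ip, allowed=ALLOWED_SECONDARIES):
    """Authoritative server side: whole zone to a listed secondary, REFUSED otherwise."""
    qname, off = decode_name(request, 12)
    qtype = struct.unpack("!H", request[off:off + 2])[0]
    if qtype != AXFR or qname != "example.com." or client_ip not in allowed:
        return build_response(request, RCODE_REFUSED, [])
    return build_response(request, RCODE_NOERROR, ZONE)

def zone_leaked(response):
    """Client/auditor side: did the server hand over the zone? A complete transfer
    is NOERROR with the SOA first and last. Returns (leaked, sorted names seen)."""
    rcode, records = parse_response(response)
    if rcode != RCODE_NOERROR or len(records) < 2:
        return False, []
    complete = records[0][1] == SOA and records[-1][1] == SOA
    return complete, sorted({name for name, _t, _rd in records})

if __name__ == "__main__":
    request = build_query(0x1234, "example.com.", AXFR)
    for client in ("198.51.100.77", "192.0.2.11"):  # a random Internet host, then the secondary
        leaked, names = zone_leaked(handle_axfr(request, client))
        print("%-14s leaked=%-5s %s" % (client, leaked, " ".join(names)))
```

The first line of output is what you want an Internet host to get (nothing), the second is what your own secondary gets (every name in the zone, including the internal host that has no business being visible from outside). On a Windows DNS server the allow-list corresponds to the zone's Zone Transfers tab in the DNS console, or from the command line to dnscmd /ZoneResetSecondaries example.com /SecureList 192.0.2.11, which permits transfers only to the listed addresses; the address here is the constructed one from the script. To check a server the way the video's "simple command" does, point nslookup at one of its name servers and run ls -d example.com (or dig @ns1.example.com example.com AXFR on a Unix host): a correctly restricted server answers with a refusal rather than the record list.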