I find it to not be of concern. I would never have it happen, because it's a bizarre and problematic way to handle internal DNS. But anyone who can exploit private IP mapping can figure it out without DNS in the first place. So I see no reason to want to hide it.

With Appflow you need to make sure you have authentication enabled for the users so it tracks per user. The Data Collection is for sure nice but it is only the top sites and no much information.
https://www.sonicwall.com/support/knowledge-base/help-with-user-level-authentication-settings-like-local-users-ldap-radius/170503274714653/

https://www.sonicwall.com/support/knowledge-base/configuring-app-flow-monitor-to-view-real-time-incoming-and-outgoing-network-data/170505632951042/

https://www.sonicwall.com/support/knowledge-base/how-can-i-track-which-users-or-ip-addresses-are-accessing-a-certain-website-using-appflow/170505832815323/

https://www.sonicwall.com/support/knowledge-base/how-can-i-collect-traffic-details-by-ip-address-on-the-firewall-through-log-reports-and-appflow/170503950787011/

@Pete-S said in How does name resolution work in AD?:

@Dashrender said in How does name resolution work in AD?:

@scottalanmiller said in How does name resolution work in AD?:

@Pete-S said in How does name resolution work in AD?:

I was wondering how it works because we see a problem where a couple of Win 10 clients can resolve all the internal Windows servers names, but not the statically assigned names of linux servers.

I thought if the name resolution works over different mechanisms and uses different ports it could be an firewall or L3 switch somewhere that has been misconfigured.

This is common in situations where Linux is not given an opportunity to auto-update the DNS entries, no one makes them manually, and they are not joined to AD.

Exactly - have you or anyone else added these servers to AD's DNS?

They have been added manually. The name of the service is also not the name as the server. So if a webserver is abc001.company.com the name in the DNS that will send you to that server might be logistics.company.com.

if you're being sent to logistics, that's the entry that must be in DNS.. you can have as many entries as are needed for a single server.
each name is it's own entry.

Turns out that there was a wildcard A record in DomainA2.com

@Obsolesce said in Why big ISPs aren’t happy about Google’s plans for encrypted DNS:

That all said, even though I don't care, I'd still prefer the ISP is totally out of the loop and am for encrypted DNS.

Glad to see you come back with this.

The old adage, if ya got nothing to hide/done nothing wrong, then what do you have to worry about, Sadly, this is so not true.

@dafyre said in Network routing question:

@dafyre said in Network routing question:

DNS server is at 10.50.235.235

Configure your computer to look to 235.235 for DNS... and configure the DNS server at 235.235 to forward anything it doesn't recognize along to your Meraki?

I added 235.235 as an additional DNS in the 250.254 network.

I tried this yesterday but silly me forgot to "refresh" the NIC so it could grab the new settings.

All is good & working.

@JaredBusch said in DNS Help ...:

@EddieJennings said in DNS Help ...:

@JaredBusch said in DNS Help ...:

@Dashrender said in DNS Help ...:

@JaredBusch said in DNS Help ...:

PTR records are handled by the ISP.

They are not something that should ever result in a domain name like this. but at some point in history, people always tried to contact their ISP to have PTR updated to thier mail server DNS name.

it's part of anti-spamming.

No, it is not.

This kind of thing might be what Dash is thinking of.
https://www.altn.com/Support/KnowledgeBase/KnowledgeBaseResults/?Number=KBA-01904

While not explicitly a tool for anti-spam, I remember an MDaemon installation I inherited have reverse lookups enabled.

NO, old guides used to claim that you needed to setup PTR for on site Exchange to make sure you had not SPAM issues. I know what he is talking about. Jus tthat it has never been fact, no matter what people used to say.

I'm with Jared on this. Yes, historically it was common to do this thing but it was a myth. It's just one of those things that people repeated a lot but had no technical reasoning behind it. People generally don't understand DNS and so DNS becomes one of those magic black boxes and once someone made up that PTR could have something to do with SPAM people ran with it. But it was never part of a spam blocking or reduction mechanism, it was just a random, foolish technical mistake that people made thinking that it might have something to do with something else that they didn't understand.

@pattonb said in DNS PTR Record with 2 FQDN Entries with SPAM Check:

@JaredBusch incorrect, Scott has summarized succinctly

That is what you asked. But going with that is not what you actually wanted, then the answer to your original post is that you don't fix anything.

You whitelist the domain in question and move on.

The sender's ISP is in charge of setting the PTR record and there is not a damned thing you can do about it.

@Dashrender I just checked a couple of clients and Time To Live where set to 3600 at most and counting down.

@Obsolesce If it's default then one hour it is.

dhcp

Like this.

be78d39b-4bf6-4b74-a15e-ec044e88ed03-image.png
04f1585b-838d-46eb-826c-be15fd766645-image.png

@Pete-S said in DNS woes:

If I understand correctly, DNS propagates everywhere anyway so what difference does it make? Or are the DNS records not cached/replicated?

It does, and they do. Propagation, caching, etc. all happens with DNS. But that doesn't mean that you don't still want your master DNS to be screaming fast, globally distributed, highly available, etc. If your DNS goes down, most DNS providers (Google, etc.) will known almost immediately and see your infrastructure as offline as part of their security system.

@dyasny said in KVM/QEMU DNS:

libvirt has dnsmasq built in, to serve DHCP. It can also be configured to serve DNS to the libvirt NAT network, and the host.

This is an example of a working configuration: https://fabianlee.org/2018/10/22/kvm-using-dnsmasq-for-libvirt-dns-resolution/

Pretty cool. Thanks.

@fuznutz04 said in FreePBX and DNS settings:

@scottalanmiller said in FreePBX and DNS settings:

@fuznutz04 said in FreePBX and DNS settings:

@Scott says not to set it. You say to set it to 127.0.0.1 and the Vultr DNS.

No, Scott says he doesn't use it, not that you shouldn't. Not the same thing 😉

But doesn't this just write it to the /etc/resolve file anyway? I could set DNS statically via the file, but I'm still unclear what the best practice is for FreePBX in regards to DNS.

To not fuck with it unless you have a reason to.

FreePBX is an appliance. A software appliance, but an appliance. You don’t fuck with it under the hood unless you have a good reason to do so.

@scottalanmiller said in [Solved] All computers cannot access 1 specific site:

@manxam Well that worked out then 🙂

I did. We're not ones for forcing tech on clients but there's a limit to client risks that we're willing to live with.
This particular client deals with a LOT of sensitive data and it always bothered me that they had a known vulnerable router in place that we had to admin with a 5 year old version of Firefox.