In order for client systems to successfully run Windows Update, the following DNS zones must be accessible: (not confirmed as necessary yet) (Clients will append their configured search domain to some DNS queries. You may need to forward requests for this zone, too.)

In order for client systems to successfully run Symantec LiveUpdate, the following DNS zones must be accessible:

My Crummy BIND Samples

With the help of Jim Mayne from TCU and Phil Rodrigues from NYU, we implemented the selective forwarding/split DNS system using BIND as a selective forwarder. Links to the two files you need are below. The first is our named.conf (unsanitized); the second is a file called fake-root, a substitute root hints file. We are running BIND 9.2.1, and our BIND lives in /etc/bind/. If yours is somewhere else, adjust the path to the hint file at the end of named.conf. I'm told that the server { }; statement can be removed, unless you want to add some parameters to it.

Three hosts appear in the files:

is the IP of our forwarding DNS server (where the named.conf and fake-root files live). All quarantined clients are assigned this as their DNS server.

is a "good/normal" DNS server that can resolve all addresses. We forward our self-help DNS requests to this box.

is a fake root server named romulus. It is authoritative for the "." zone, which covers every name, and answers every query it receives with the address of our quarantine network web server. The fake-root hints file points to romulus.

You may notice that we have in our list of domains whose requests get forwarded to the real DNS. We did this for two reasons: 1) Windows clients like to append their "home" zone to the end of all DNS queries, so when we tried to resolve, Windows clients actually asked for, which broke the system. 2) We want to allow our quarantined students to reach some of our in-house resources that live in the zone. nslookup is your friend while testing this. Also remember ipconfig /flushdns when testing your Windows clients, or they will keep answering from the resolver cache they filled before you changed anything.
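The shape of the forwarder described above, as an added sample named.conf for BIND 9.2.x. This is not the unsanitized file linked below: every address and name in it is a placeholder (192.0.2.x is RFC 5737 documentation space, 10.99.0.0/16 is a hypothetical quarantine subnet, update.example.com stands in for one of the real self-help zones listed above, and campus.example stands in for the clients' configured search domain).

```bind
// named.conf for the quarantine forwarder (BIND 9.2.x).
// Added sample, not the page's own file. All addresses and zone names
// are placeholders: 192.0.2.0/24 is RFC 5737 documentation space,
// 10.99.0.0/16 is a hypothetical quarantine subnet, update.example.com
// stands in for a real self-help zone, and campus.example stands in for
// the clients' configured search domain.

options {
    directory "/etc/bind";
    recursion yes;                      // quarantined clients rely on us to recurse
    allow-query { 10.99.0.0/16; };      // only the (hypothetical) quarantine subnet
    // Deliberately no global "forwarders": anything not matched by a
    // forward zone below is resolved from the hints, i.e. from the fake
    // root, and therefore lands on the quarantine web server.
};

// One forward zone per self-help zone (Windows Update, LiveUpdate, ...).
// "forward only" matters: with the default "forward first", a timeout
// from the real resolver would fall back to iterating from the fake
// root, and the client would silently get the quarantine web server
// instead of a SERVFAIL you can see while testing.
zone "update.example.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };         // the "good/normal" DNS server
};

// The clients' search domain. Without this, a client that appends its
// home zone asks for update.example.com.campus.example, which no forward
// zone matches, so the fake root's wildcard answers with the quarantine
// web server. Forwarding it also lets quarantined clients reach in-house
// resources that live under campus.example.
zone "campus.example" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};

// Everything else: root hints that name our fake root instead of the
// real root servers. The path is relative to "directory".
zone "." {
    type hint;
    file "fake-root";
};
```

Check the syntax with named-checkconf before reloading. Then, from a quarantined client, three lookups tell you whether the split is working: a name under update.example.com should come back with its real address, an arbitrary name such as www.anything.example should come back with the quarantine web server, and update.example.com.campus.example should be answered by the real DNS server (normally NXDOMAIN) rather than by the wildcard.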

fake-root (replaces db.root)

root.dns: the root zone file that lives on romulus. Romulus is a Windows 2000 server.
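Added sample content for the two files above, in standard zone-file syntax; these are not the files linked from this page, and 192.0.2.10 (romulus) and 192.0.2.80 (the quarantine web server) are placeholder addresses. The records in the root.dns half carry over to a Windows DNS primary zone such as the one on romulus, whether you load them from a file or enter them through the management console.

```bind
; fake-root: the substitute root hints file named by the hint zone in
; named.conf (replaces db.root). Added sample, not the page's file;
; 192.0.2.10 is a placeholder for the address of romulus.
.             3600000  IN  NS  romulus.
romulus.      3600000  IN  A   192.0.2.10

; ------------------------------------------------------------------
; root.dns: the "." zone served by romulus. Only names that did not
; match a forward zone on the forwarder ever get here. Keep the TTL
; short: a client released from quarantine keeps cached answers until
; they expire, so a long TTL leaves it pointed at the quarantine web
; server after it has been let out. 192.0.2.80 is a placeholder for
; the quarantine web server.
$TTL 300
.          IN  SOA  romulus. hostmaster.romulus. (
                    2004082601   ; serial
                    3600         ; refresh
                    900          ; retry
                    604800       ; expire
                    300 )        ; negative-cache TTL
.          IN  NS   romulus.
romulus.   IN  A    192.0.2.10   ; glue for the NS record above
*.         IN  A    192.0.2.80   ; every other name: the quarantine web server
```

The wildcard matches any name the zone does not otherwise contain, so www.foo.example and foo.example both resolve to the web server while romulus. keeps its own address. The NS and glue records are what BIND's priming query for "." expects to find when it first contacts the hints server.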

Help Keep This List Up-To-Date

Please send any updates you discover to for inclusion on this list. I'd be happy to include information on how to reach any other common self-help sites, including other AV vendors. I'd also like to include information on how people are using BIND views together with selective forwarding. Others out there are using the Squid web proxy cache with this list of zones. I'd be happy to make this page more complete by posting sample configuration files if anyone would like to share.


July 19, 2004 version 1 posted

July 22, 2004 added

August 26, 2004 added Symantec section. Thanks to Geoff LeBoldus of Queen's University for additional zone information.

August 26, 2004 added request for sample config files.

August 26, 2004 added sample BIND config files.

August 26, 2004 fixed typo in the BIND samples section. should have been Thanks to Ricardo Stella for letting me know.

September 7, 2004 added to Symantec section.