In order for client systems to successfully run Windows Update, the
following DNS zones must be accessible:
microsoft.com
akadns.com
akadns.net
akamai.com
akamai.net
download.windowsupdate.com
msft.com
msft.net
nsatc.net
nsatc.com
ntservicepack.microsoft.com
windows.com
windows.net
windowsupdate.com
windowsupdate.microsoft.com
windowsupdate.net
wustat.windows.com
footprint.net (not confirmed as necessary yet)
edgesuite.net
yoursearchdomainnamehere.edu (Clients will append their configured search domain to some DNS queries. You may need to forward requests for this zone, too.)
In order for client systems to successfully run Symantec LiveUpdate, the
following DNS zones must be accessible:
symantec.com
symantecliveupdate.com
d4p.net
speedera.net
My Crummy BIND Samples
With the help of Jim Mayne from TCU and Phil Rodrigues from NYU, we
were able to implement the selective forwarding/split DNS system using
BIND as a selective forwarder. There are links to the two files needed
below. The first is our named.conf (unsanitized), the second is a file
called fake-root, which is a substitute root hints file. We're using
BIND 9.2.1. Our BIND lives in /etc/bind/. If yours isn't there, you
will have to adjust the path for the hint file at the end of named.conf.
I'm told that the "server 10.98.1.103 { };" line can be removed, unless
you want to add some parameters to that server statement.
10.98.1.103 is the IP of our forwarding DNS server (where the
named.conf and fake-root files live). All quarantined clients are
assigned this as their DNS server.
10.98.1.1 is a "good/normal" DNS server that can resolve all addresses.
We forward our self-help DNS requests to this box.
10.98.1.9 is a fake root server named romulus. It's configured to think
that everything in the "." zone--which is everything--resolves to our
quarantine network web server. The fake-root root hints file points to
romulus.
You may notice that we have fairfield.edu in our list of domains whose
requests get forwarded to the real DNS. We did this for two reasons: 1)
Windows clients like to append their "home" zone onto the end of all
DNS queries. So when we tried to resolve microsoft.com, Windows clients
actually asked for microsoft.com.fairfield.edu, which broke the system.
2) We want to allow our quarantined students to get to some of our
in-house resources that live in the fairfield.edu zone. Nslookup is
your friend while testing this. Also remember ipconfig /flushdns when
testing your Windows clients.
named.conf
fake-root (replaces db.root)
root.dns: the root zone file that lives on romulus. Romulus is a Windows 2000 server.
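As an added illustration (not the named.conf or fake-root files linked above), this is the shape of the selective-forwarding setup just described; the addresses are the ones given on this page, and the /etc/bind/ paths are assumed:

```conf
// Added example, not the named.conf linked from this page. A BIND 9 selective
// forwarder for the quarantine network: the listed self-help zones go to the
// real resolver, everything else is resolved from a fake root. Addresses are
// the page's (10.98.1.1 real DNS, 10.98.1.9 romulus); /etc/bind/ is assumed.
options {
    directory "/etc/bind";
    recursion yes;
    // No global "forwarders" statement: a name without a forward zone below
    // falls through to the root hints, i.e. to romulus.
};

// One stanza per zone from the Windows Update and LiveUpdate lists above.
// "forward only" keeps a failed forward from falling back to the fake root,
// which would silently hand the client the quarantine web server instead.
// A forward zone covers its subdomains, so windowsupdate.com also handles
// download.windowsupdate.com.
zone "microsoft.com"          { type forward; forward only; forwarders { 10.98.1.1; }; };
zone "windowsupdate.com"      { type forward; forward only; forwarders { 10.98.1.1; }; };
zone "akadns.net"             { type forward; forward only; forwarders { 10.98.1.1; }; };
zone "symantecliveupdate.com" { type forward; forward only; forwarders { 10.98.1.1; }; };
// ...one stanza each for the remaining zones in the lists above...

// The campus zone, so suffix-appended queries (microsoft.com.fairfield.edu)
// get a real NXDOMAIN and quarantined clients can reach in-house resources.
zone "fairfield.edu"          { type forward; forward only; forwarders { 10.98.1.1; }; };

// Everything else: the hint file names romulus as the only root server.
zone "." {
    type hint;
    file "/etc/bind/fake-root";
};

// ---- contents of /etc/bind/fake-root (replaces db.root), shown here as
// ---- comments because it is a separate file in zone-file syntax:
//   .          3600000  IN  NS  romulus.
//   romulus.   3600000  IN  A   10.98.1.9
```

After reloading, an nslookup of a listed zone against 10.98.1.103 should return the real address, while any unlisted name should return the quarantine web server.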
Help Keep This List Up-To-Date
Please send any updates you discover to jazze@mail.fairfield.edu
for inclusion on this list. I'd be happy to include information on how
to reach any other common self-help sites, including other AV vendors.
I'd also like to include information on how people are using BIND Views
along with selective forwarding. Others out there are using Squid Web
Proxy Cache with this list of zones. I'd be happy to make this page
more complete by posting sample configuration files if anyone would
like to share.
Changelog
July 19, 2004 version 1 posted
July 22, 2004 added edgesuite.net
August 26, 2004 added Symantec section. Thanks to Geoff LeBoldus of
Queen's University for additional zone information.
August 26, 2004 added request for sample config files.
August 26, 2004 added sample BIND config files.
August 26, 2004 fixed typo in the BIND samples section. 10.98.1.100 should have been 10.98.1.103. Thanks to Ricardo Stella for letting me know.
September 7, 2004 added symantecliveupdate.com to Symantec section.