Re: Root Hints or forwarders?

From: huff-n-puff (huffnpuff_at_discussions.microsoft.com)
Date: 10/15/04


Date: Fri, 15 Oct 2004 11:27:02 -0700

Hi

You say to use forwarders, but on which servers, the internal or DMZ? Which
should have "do not use recursion" set? Internal or DMZ?

Thanks

M

"Herb Martin" wrote:

> Forwarders. <grin>
>
> > I have 2 DNS servers AD integrated authoritative for the internal DNS zone
> > only, I also have 2 external DNS servers on our DMZ as primary/secondary for
> > our internet facing zones.
> >
> > I want to keep the internal DNS servers from querying anything other than
> > the 2 DMZ based DNS servers when looking up external hostnames.
>
> Use Forwarders, and check "do not use recursion" on that SAME
> "Forwarders" dialog page (not in advanced since that disables
> forwarders TOO.)
>
> Without that checkbox your internal servers will both forward AND
> physically recurse the root.
>
> > I also want the 2 DMZ DNS servers to only query our ISP's DNS servers when
> > they do lookups.
>
> Good too -- you can use the ISP for forwarding, or you
> can use your own external servers for that if you don't
> even want your DCs going as far as the ISP.
>
> Generally, your DCs should be firewall/filtered so they
> cannot reach the Internet even if you forgot to stop such.
>
> (You can make exceptions for places like Windows Update
> OR you can just run an Internal SUS server for their updates.)
>
> > What is the best way to do this? Forwarders or replacing the root hints,
> > should I turn off recursion on the servers anywhere?
>
> Forwarders. (and check the do not use recursion, making it unnecessary
> to mess with the root hints.)
>
> > Thanks for any help.
> >
> > M
>
>
>
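
An added example, not part of the original thread: a PowerShell check that a DNS server is forward-only in the sense of the quoted advice, meaning it forwards only to the approved servers and never falls back to the root hints. It assumes the DnsServer module of later Windows Server releases, where `UseRootHint = $false` is the equivalent of the "do not use recursion" checkbox on the Forwarders tab; the function name, server names and addresses are constructed for illustration.

```powershell
# Added example: audit a forwarder configuration object of the shape returned
# by Get-DnsServerForwarder (properties IPAddress and UseRootHint).
function Test-ForwardOnly {
    param(
        [Parameter(Mandatory)] [string]   $Server,
        [Parameter(Mandatory)]            $Config,
        [Parameter(Mandatory)] [string[]] $Allowed   # approved forwarder addresses
    )
    $findings = @()
    # Normalise addresses to strings; a missing list yields an empty array.
    $forwarders = @(foreach ($ip in $Config.IPAddress) { "$ip" })

    if ($forwarders.Count -eq 0) {
        $findings += 'no forwarders configured, lookups go to the root hints'
    }
    foreach ($ip in $forwarders) {
        if ($Allowed -notcontains $ip) { $findings += "unexpected forwarder $ip" }
    }
    if ($Config.UseRootHint) {
        # Without forward-only mode the server both forwards AND recurses.
        $findings += 'falls back to root hints when forwarders do not answer'
    }
    [pscustomobject]@{
        Server      = $Server
        ForwardOnly = ($findings.Count -eq 0)
        Findings    = $findings -join '; '
    }
}

# Constructed sample data (documentation address ranges, hypothetical names).
$dmzDns  = '192.0.2.10', '192.0.2.11'
$samples = [ordered]@{
    'dc1.example.test' = [pscustomobject]@{ IPAddress = $dmzDns; UseRootHint = $false }
    'dc2.example.test' = [pscustomobject]@{
        IPAddress = '192.0.2.10', '198.51.100.53'; UseRootHint = $true }
}
foreach ($name in $samples.Keys) {
    Test-ForwardOnly -Server $name -Config $samples[$name] -Allowed $dmzDns
}

# Against a live server, pass the real configuration instead:
#   Test-ForwardOnly -Server $name -Allowed $dmzDns `
#       -Config (Get-DnsServerForwarder -ComputerName $name)
```

With the sample data, the first server passes and the second is reported for both an unapproved forwarder and root-hint fallback.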


