Re: Using Forwarders
From: Herb Martin (news_at_LearnQuick.com)
Date: 01/05/05
- Previous message: Herb Martin: "Re: Additional AD Integrated DNS servers???"
- In reply to: April: "Re: Using Forwarders"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 5 Jan 2005 15:18:57 -0600
"April" <April@discussions.microsoft.com> wrote in message
news:4ABDE69A-37EE-4EFA-8599-C389D1E8EBD1@microsoft.com...
>
> Excellent stuff!
>
> One thing worth mentioning is that this issue may get its way in a large
> enterprise, with DNS servers at different levels. In that case, forwarding
> may only be set up at the bottom.
Actually, it doesn't work well to use Forwarding
"at the bottom" only -- in fact only the top can
safely forward with only one setting since physical
recursion and forwarding are incompatible except
as a backup method -- i.e., if you don't know WHERE
the address will be resolved it doesn't work for the
internal servers to forward what may be an external
name but could just as easily be an internal name,
and thereby missed if the request goes outside and
comes back NXDomain (that ends the whole recursion.)
I have a way to fix this - I modified the config of the
BIND server to do what amounts to a Negative-Stub,
it returns query denied for the zones I specify so
they get reflected back into the internal DNS server
set (to the Internal root). I use permissions for this.
[Those may not all be the exact technical terms; I
don't do BIND every day but I can hack the source
code when I must -- the above though is straight
bind with no hack.]
The other schemes include cross secondaries (every
DNS holds a secondary for the others in at least its
parent chain) -- this works on Win2000, or cross
stubs and conditional forwarding -- the last two only
working on Win2003.
> BTW, it seems stub zones behave the same way as forwarding, ignoring all the
> non-recursive queries.
Again, I would not say ignoring, but rather "only servicing
them locally".
I am not sure about Stubs, but an argument
can be made (from logic) for either behavior.
--
Herb Martin

> "Herb Martin" wrote:
>
> > "April" <April@discussions.microsoft.com> wrote in message
> > news:7EC539A2-1761-46CE-ACA4-90DDB366ECA7@microsoft.com...
> > >
> > > A comment on this. Only can a forwarding server be set up to serve the
> > > client resolvers directly using it. In another word, the forwarding servers
> > > should only be set up on local name servers, or on the ones normally serve as
> > > "preferred" or "Alternate" name servers for client resolvers. Have not seen
> > > a warning of this limitation on use of forwarding/forwarders, and I believed
> > > this should be mentioned in the training materials.
> >
> > I usually word it the other way around (since that is the
> > way the vast majority of people mess it up):
> >
> > 1) The internal clients must all use ONLY the internal DNS
> > server (set) in their NIC->IP properties -- i.e., they must
> > not use external DNS server or try to mix these.
> >
> > 2) The internal DNS server should (typically) be set to forward
> > to the gateway or ISP DNS server which will perform the
> > actual recursion of the Internet namespace from the root down.
> >
> > 3) Remember that servers, including DNS servers and especially
> > DCs are "DNS clients" too - so rule #1 applies.
> >
> > Here's my standard AD support for DNS message:
> >
> > DNS for AD
> > 1) Dynamic for the zone supporting AD
> > 2) All internal DNS clients NIC\IP properties must specify SOLELY
> > that internal, dynamic DNS server (set.)
> > 3) DCs and even DNS servers are DNS clients too -- see #2
> >
> > Restart NetLogon on any DC if you change any of the above that
> > affects a DC and/or use:
> >
> > nltest /dsregdns /server:DC-ServerNameGoesHere
> >
> > Ensure that DNS zones/domains are fully replicated to all DNS
> > servers for that (internal) zone/domain.
> >
> > --
> > Herb Martin
> >
> > > "Herb Martin" wrote:
> > >
> > > > "April" <April@discussions.microsoft.com> wrote in message
> > > > news:4F535DD3-BB4E-40BA-97CB-D0BFE9C5EAA7@microsoft.com...
> > > > >
> > > > > Just thought that once you set a machine as a forwarding server, its
> > > > > behavior might get changed when receiving an iterative query. So you are
> > > > > saying that's not the case?
> > > >
> > > > No.
> > > >
> > > > I have said it above but the terms are confusing.
> > > >
> > > > An iterative query really means, "Tell me if YOU
> > > > know the answer, otherwise don't bother."
> > > >
> > > > A recursive query says, "Tell me if you know or
> > > > if you can find the answer through physical recursion,
> > > > or forwarding, or by witchcraft but I really need
> > > > you to answer it for me if there is a way that you support."
> > > >
> > > > Now there is a check box on the forwarding server,
> > > > on the Forwarders tab below where you set the forwarders,
> > > > and it allows you to disable (physical) recursion --
> > > > "do not use recursion" is the label I believe -- This
> > > > means the forwarding server either KNOWS the answer
> > > > or is dependent on the Forwarder DNS to find it.
> > > >
> > > > This setting is GOOD for DCs who should forward ONLY
> > > > for names outside the LAN -- forward to the gateway or
> > > > ISP DNS and don't even try to recurse (physically) on
> > > > their own.
> > > >
> > > > There is another setting in the Advanced tab where it
> > > > says "Disable recursion" in Windows 2000, but it really
> > > > means Disable the servicing of recursive queries because
> > > > it also disables forwarding from this server -- it was so
> > > > confusing they changed it in Win2003 to say (something like)
> > > > "Disable Recursion including Forwarding."
> > > >
> > > > This latter setting should seldom be used except by those
> > > > who really know the precise behavior they wish -- e.g.,
> > > > for an INTERNET exposed authoritative server that should
> > > > NOT be servicing recursive queries for which it does not
> > > > know the answer. In other words, it services its own
> > > > zone(s) ONLY.
> > > >
> > > > --
> > > > Herb Martin
> > > >
> > > > > Thanks for the offer.
> > > > >
> > > > > "Herb Martin" wrote:
> > > > >
> > > > > > "April" <April@discussions.microsoft.com> wrote in message
> > > > > > news:B9DAC5CC-9A06-4793-906E-166EAA031D13@microsoft.com...
> > > > > > > Thanks guys for trying to help.
> > > > > > >
> > > > > > > I believe I'm not confused by the terms, ;-)
> > > > > >
> > > > > > Good but be quick to ask for clarification or
> > > > > > do what you are doing here and just state it so
> > > > > > we can check for you....
> > > > > >
> > > > > > > Is this statement true?
> > > > > > >
> > > > > > > "A forwarding server will issue a recursive query to the forwarder, after
> > > > > > > it cannot find an answer locally, regardless the original query type sent
> > > > > > > to the forwarding server".
> > > > > >
> > > > > > Terminology looks fine but that should not happen.
> > > > > >
> > > > > > If you query a server with a non-recursive, i.e., iterative,
> > > > > > request, it should neither forward nor perform physical
> > > > > > recursion.
> > > > > >
> > > > > > This is part of the confusion between packet/request type
> > > > > > and the server's settings.
> > > > > >
> > > > > > A server set to disable serving recursive requests will
> > > > > > (generally) not forward either.
> > > > > >
> > > > > > > I have a design issue at hand and need to clarify this first.
> > > > > >
> > > > > > You might just try the design issue to get faster and more
> > > > > > focused help.
> > > > > >
> > > > > > You can also call me if you wish....phone number is on
> > > > > > my website: http://www.LearnQuick.Com
> > > > > > --
> > > > > > Herb Martin
> > > > > >
> > > > > > > "Herb Martin" wrote:
> > > > > > >
> > > > > > > > "Roger Abell" wrote:
> > > > > > > >
> > > > > > > > > > The config of a DNS server to use forwarders, and the
> > > > > > > > > > config of allowing it to accept iterative only or recursive
> > > > > > > > > > queries are two separate, independent config options.
> > > > > > > > > > The forwarding server just forwards on the accepted
> > > > > > > > > > query and returns the result obtained from its forwarder.
> > > > > > > >
> > > > > > > > "April" <April@discussions.microsoft.com> wrote in message
> > > > > > > > news:7BAD1828-1829-4EF0-BB72-616B93E57D42@microsoft.com...
> > > > > > > > >
> > > > > > > > > The question in this situation actually is, will the forwarding server
> > > > > > > > > answer an iterative request with a recursive response (forwarding)?
> > > > > > > >
> > > > > > > > Roger is correct and you are still conflating
> > > > > > > > a couple of issues: an iterative and a recursive
> > > > > > > > query are not the same (nor the same issue) as
> > > > > > > > recursion, forwarding etc.
> > > > > > > >
> > > > > > > > The former (query type) is how the actual packet
> > > > > > > > is marked -- whether it requests recursion or not.
> > > > > > > >
> > > > > > > > Typically clients make their queries this way and
> > > > > > > > DNS servers which are performing their own
> > > > > > > > RECURSION do not -- they don't request recursion
> > > > > > > > since they are doing it themselves.
> > > > > > > >
> > > > > > > > Whether the queried servers are WILLING to do the
> > > > > > > > recursion (directly) or forward (to another DNS
> > > > > > > > server) or merely refuse such requests is actually
> > > > > > > > a separate issue.
> > > > > > > >
> > > > > > > > Normally a server will NOT recurse when it receives
> > > > > > > > an iterative query (nor forward) as it assumes the
> > > > > > > > requester wants a direct answer or nothing.
> > > > > > > >
> > > > > > > > However, a server set to disable recursion will not
> > > > > > > > recurse just because the packet requests it.
> > > > > > > >
> > > > > > > > BTW, is there some underlying question or problem
> > > > > > > > you are really trying to solve?
> > > > > > > >
> > > > > > > > --
> > > > > > > > Herb Martin
> > > > > > > >
> > > > > > > > > > --
> > > > > > > > > > Roger Abell
> > > > > > > > > > Microsoft MVP (Windows Security)
> > > > > > > > > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > > > > > > > > "April" <April@discussions.microsoft.com> wrote in message
> > > > > > > > > > news:F69342EA-FB22-4EF1-8386-962B44FE059B@microsoft.com...
> > > > > > > > > > > Does a forwarding server answer iterative queries, i.e. letting other
> > > > > > > > > > > name servers use its forwarders, or only it can answer recursive
> > > > > > > > > > > queries, from its client resolvers?
> > > > > > > > > > >
> > > > > > > > > > > Got this question recently.
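Added example, not from the thread or from Microsoft's DNS code: a small Python model of the distinction the thread keeps returning to, the query's own RD ("recursion desired") bit versus the server's forwarder and recursion settings. The header packing follows RFC 1035; server_action and the 192.0.2.53 forwarder address are constructed assumptions that follow the thread's description, not the real server logic.

```python
import struct

# DNS header flag bits (RFC 1035): RD = recursion desired, set by the client;
# RA = recursion available, set by the server in its reply.
RD = 0x0100
RA = 0x0080

def build_query_header(txid, recursive):
    """12-byte DNS header for a one-question query; RD set makes it a recursive query."""
    flags = RD if recursive else 0
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)

def query_is_recursive(packet):
    """Read the RD bit back out of a packet: this is the 'query type' the thread means."""
    (flags,) = struct.unpack("!H", packet[2:4])
    return bool(flags & RD)

def server_action(packet, known_locally, forwarders=(), forward_only=False,
                  recursion_disabled=False):
    """Simplified model (an assumption, not the real server code) of what a
    forwarding server does with one query, following the thread's rules:
    the packet's RD bit and the server's settings are independent inputs."""
    if known_locally:
        return "answer from own zone or cache"
    if not query_is_recursive(packet):
        # Iterative query: the requester wants a direct answer or nothing.
        return "iterative query: neither forward nor recurse, answer or nothing"
    if recursion_disabled:
        # Win2003 label: 'Disable recursion (including forwarding)'.
        return "refused: 'Disable recursion (including forwarding)' is set"
    if forwarders:
        targets = ",".join(forwarders)
        if forward_only:
            # Forwarders tab check box: 'do not use recursion'.
            return "forward to %s only ('do not use recursion')" % targets
        return "forward to %s, recurse from root if forwarders fail" % targets
    return "perform physical recursion from the root"

if __name__ == "__main__":
    # Constructed scenario: a DC that forwards only to the ISP resolver (192.0.2.53).
    isp = ("192.0.2.53",)
    print(server_action(build_query_header(0x1234, True), False, isp, forward_only=True))
    print(server_action(build_query_header(0x1235, False), False, isp))
```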