Re: Forwarders versus root hints
From: Herb Martin (news_at_LearnQuick.com)
Date: 01/24/05
- Next message: trehkopf: "Intra-site DNS problems"
- Previous message: Thelazyadmin.com: "Re: Log Error 4091 LSASRV SPNEGO"
- In reply to: workinghard_at_news.postalias: "Re: Forwarders versus root hints"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 24 Jan 2005 17:03:41 -0600
<workinghard@news.postalias> wrote in message
news:OKKrcrjAFHA.3236@TK2MSFTNGP15.phx.gbl...
> OK thx,
>
> There was some confusion on my part about the benefits forwarding offers,
> but you've cleared things up, and things as you explained them now are
> as I thought. I misunderstood some of your answers and you had me worried
> there for a moment.
>
> In your solution:
>
> 1) Internal Servers all forward to the Firewall/Gateway
> "caching only" DNS server(s).
>
> I was thinking of letting all internal DNS servers forward to the DNS
> root server(s) - and yes I mean Domain root DNS servers - and only have
> that/those internal root server(s) handle all forwarding to the Caching
> Only DNS server
This can work, but if you are using another caching only
DNS server on the firewall/gateway (e.g., to keep this
very important server from visiting the Internet) it just adds
an extra layer of forwarding with no real advantage.
Forwarding is good BUT EVENTUALLY too much forwarding
can cause time out failures when the advantage is less than
the increased delays from doing things like checking empty
caches and re-issuing the request.
And it will not work on a TRUE DNS 'root', only on a domain
root at a lower level of the hierarchy.
> (which need not be a domain member or even a Windows machine)
True.
FYI, FWIW: My gateway/router here is a Windows machine
and even in the domain -- but get this: Its OWN CLIENT
settings (i.e., on the NIC-IP properties) point to the INTERNAL
DNS servers since it is (from this point of view) an internal
client.
It does this even though it is itself a caching only DNS server --
or because of that. If it were to ask 'itself' first, it would never
resolve any internal names because it knows none of them
(as a DNS server) but would always try, and fail, to find them on the
Internet.
> 2) The Firewall/Gateway caching only server(s) forward
> to the ISP
>
> Yup, I'm happy with that.
>
>
> 3) No internal DNS is allowed to perform Internet root
> recursion (Do not use recursion)
>
> And I'm even happier with that.
>
> #2's advantage is the consolidation of the INTERNAL cache
> of resolutions, AND it doesn't require my internal servers
> to EVER pass the firewall. (Faster and protects the WAN
> from redundant use.)
>
> For multiple trees internally, I use (mostly) Conditional
> Forwarders on Win2003, and "cross secondaries" on
> Win2000.
>
> I was under the impression that this was possible and OK but so many texts
> only imply root hints when dealing with the internal DNS configuration ...
> but perhaps that's my misunderstanding of the English language.
You might notice that I don't even really like to use the
term "root hints" to describe this, but think rather in terms
of doing (physical) recursion (using those root hints to find
the top of the hierarchy) or forwarding to another DNS
server and letting THAT ONE deal with the issue.
But I don't think it is a problem with your English as I have
talked with many people who have a slightly skewed view
of the whole thing AFTER reading the books.
The MENTAL keys I follow and teach are this:
1) Separate internal resolution FOR YOUR clients from the
holding of zones for "others" to resolve your resources.
(They can be on the same server, and frequently are, but
don't think about them, or troubleshoot them as one subject.)
2) For your resource zones, never "THINK" about more than
one zone at a time -- again, one server can hold many zones
but don't "think" about the design this way, use that to optimize
and patch together after you understand how it will lay out.
> Thank you very much for having taken the time to discuss this with me at
> such length. I appreciate it.
>
You are welcome.
-- Herb Martin
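The three-rule layout Herb describes (internal servers forward to a caching-only box on the gateway; the gateway forwards to the ISP; no internal server ever recurses to the Internet roots; the gateway's own NIC points at the internal servers) expressed as commands, as an added example that is not part of the original thread. It assumes the DnsServer and DnsClient PowerShell modules of Windows Server 2012 or later (the 2003-era equivalents were dnscmd and the MMC snap-in), and every address, zone name ('corp.example', 'other.example') and interface alias below is a placeholder. The one caveat a practitioner needs: rule 3 is the per-server "do not use root hints when forwarders fail" setting (the 2003 "Do not use recursion for this domain" checkbox), not the global recursion switch, because disabling recursion globally on a Windows DNS server also disables its forwarders and would silently break rule 1.

```powershell
# Added example, not from the thread. Placeholder addresses throughout.
$InternalDns = @('10.0.0.10', '10.0.0.11')       # AD-integrated internal DNS servers
$GatewayDns  = '10.0.0.1'                        # caching-only DNS server on the firewall/gateway
$IspDns      = @('203.0.113.53', '203.0.113.54') # ISP resolvers (documentation range)

# --- Rules 1 and 3: run on EACH internal DNS server ---------------------------
# Forward everything we are not authoritative for to the gateway cache and never
# fall back to root hints. This is the "slave"/forward-only setting; it is NOT
# Set-DnsServerRecursion -Enable $false, which would also disable forwarding.
Set-DnsServerForwarder -IPAddress $GatewayDns -UseRootHint $false -Timeout 3

# A second internal tree gets a conditional forwarder straight to its servers,
# so the query never takes the extra hop through the gateway cache.
Add-DnsServerConditionalForwarderZone -Name 'other.example' `
    -MasterServers '10.1.0.10' -ReplicationScope 'Forest'

# --- Rule 2: the gateway caching-only server ----------------------------------
# Forward to the ISP. Root hints stay enabled as a fallback ONLY here, on the
# single box that is allowed to talk to the Internet on port 53.
Set-DnsServerForwarder -ComputerName $GatewayDns -IPAddress $IspDns -UseRootHint $true

# The gateway is also an internal CLIENT: its NIC resolver list points at the
# internal servers, not at itself, or internal names would never resolve.
Set-DnsClientServerAddress -CimSession $GatewayDns -InterfaceAlias 'Ethernet' `
    -ServerAddresses $InternalDns

# --- Checks --------------------------------------------------------------------
# 1) Each internal server must show the gateway as forwarder with UseRootHint False.
foreach ($srv in $InternalDns) {
    Get-DnsServerForwarder -ComputerName $srv |
        Select-Object @{n='Server';e={$srv}}, IPAddress, UseRootHint, Timeout
}

# 2) An external name resolves through the chain. A capture on the firewall
#    should show port 53 traffic to the Internet only from $GatewayDns.
Resolve-DnsName -Name 'www.example.com' -Server $InternalDns[0] -Type A

# 3) The failure mode from the post: the gateway server itself holds no internal
#    zones, so asking IT for an internal name forwards upstream and fails, while
#    the gateway's configured client resolver (an internal server) answers.
Resolve-DnsName -Name 'dc1.corp.example' -Server $GatewayDns -Type A -ErrorAction SilentlyContinue
Resolve-DnsName -Name 'dc1.corp.example' -Server $InternalDns[0] -Type A
```

Check 3 is the quickest way to see why the gateway's NIC must not list itself: the same query succeeds or fails depending only on which server it is sent to. The short forwarder timeout on the internal servers (3 seconds) is the knob Herb's "too much forwarding causes timeouts" warning refers to; each extra forwarding hop spends part of the client's resolver timeout before the answer comes back.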