Re: DNS Server set to forwarder randomly going out to root servers
- From: "Ace Fekay [MVP]" <PleaseSubstituteMyActualFirstName&LastNameHere@xxxxxxxxxxx>
- Date: Tue, 19 Jul 2005 23:44:47 -0400
In news:B03DCA84-72DD-4C17-8264-0A30157EAFB8@xxxxxxxxxxxxx,
Fred L <FredL@xxxxxxxxxxxxxxxxxxxxxxxxx> stated, which I then commented on
below:
> Hi,
>
> The problem we are having is intermittent DNS lookup failures trying to
> resolve Public Internet based Web Services or Pages.
>
> I have a W2K3 SP1 single forest single domain with integrated AD/DNS
> established.
>
> The clients (XP SP2) are set to resolve from a specific DC enabled
> for DNS in the domain. (Set via DHCP Scope)
>
> The Domain is Fred.Local
>
> The DNS Server is configured with 1 forwarder which points to the
> Internal interface of the Firewall. The DNS Server is not configured
> as a root server "." The Firewall is configured as DNS proxy.
>
> The Firewall also has a rule set that says that no internal machine
> may make DNS requests to external DNS hosts.
>
> Here is where I don't know how to configure the internal DNS server
> correctly. I would like to stop the Internal DNS Server (forwarder)
> from going out to the root servers for lookups. When it does this
> the firewall rule blocks the request (as it should) and the request
> times out which returns to the client as a failed request.
>
> So can you stop the DNS Server from doing this? Do you want to?
> What am I misunderstanding about this?
>
> Thanks in advance!
>
> Fred Lobmeyer
It sounds like your firewall is not properly set up to proxy DNS forwarding
requests, hence why it is reverting to the Roots. Check and ensure your
firewall has UDP and TCP 53 open to allow that sort of traffic. You will
need to double check your settings.
Since you are using Windows 2003, it uses EDNS0, a new industry
implementation that Windows 2003 uses to allow UDP packets greater than 512
bytes. The old method uses UDP up to 512, then reverts to TCP above 512.
EDNS0 is more efficient, however many older firewalls just do not support it
or need to be updated. Check your firewall docs to see if it supports it.
828263 - DNS query responses do not travel through a firewall in Windows
Server 2003:
http://support.microsoft.com/?id=828263
All in all, you can allow DNS traffic to the Win2003 server only, as long as
it supports EDNS0. This will eliminate an extra query hop and increase
efficiency. If the firewall doesn't, you can always disable EDNS0. The above
article shows you that option as well.
--
Regards,
Ace
Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.
This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
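As an added illustration of the EDNS0 point above (example code, not part of Ace's reply or of the KB article), this builds a DNS query with and without the EDNS0 OPT pseudo-record and reads the advertised UDP payload size back out of a message, so you can see on the wire what a firewall that only understands classic 512-byte DNS is being asked to pass. The query name, transaction id and the 4096-byte payload size are assumed sample values.

```python
import struct

OPT_TYPE = 41  # EDNS0 OPT pseudo-RR type (RFC 2671)

def encode_name(name):
    """Encode a DNS name into wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, txid=0x1234, edns=True, udp_payload=4096):
    """Build an A query; with edns=True append an OPT record advertising
    udp_payload as the largest UDP answer we accept (sample values)."""
    # ID, flags (RD set), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # A, IN
    msg = header + question
    if edns:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, 0, 0)
    return msg

def skip_name(msg, offset):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer is 2 bytes long
            return offset + 2
        offset += 1 + length

def advertised_udp_payload(msg):
    """Return the UDP payload size advertised by the OPT record in msg,
    or None when the message carries no EDNS0 OPT record at all."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    offset = 12
    for _ in range(qd):
        offset = skip_name(msg, offset) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        offset = skip_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        if rtype == OPT_TYPE:
            return rclass  # OPT reuses the CLASS field for the payload size
        offset += 10 + rdlen
    return None
```

A message with no OPT record is what a classic resolver sends, and the 512-byte ceiling then applies; a message advertising 4096 is what the Windows 2003 server sends by default, which is the traffic an older firewall may drop.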