Re: DNS Server set to forwarder randomly going out to root servers



In news:46AF4F11-FBCA-4E08-92CF-4C11145E450A@xxxxxxxxxxxxx,
Fred L <FredL@xxxxxxxxxxxxxxxxxxxxxxxxx> posted this:
> We implemented the EDNS0 change to no avail.
>
> The firewall is actually acting as a caching DNS server. It has rules
> specifically to block all port 53 traffic from traversing the firewall
> regardless if it is UDP or TCP. It is meant to service the request
> of the forwarder.
>
> What I am really trying to understand is if the 2003 Server has a
> forwarder set why does it also randomly try and go to the root
> servers. What happens then is the firewall sees this attempt and
> purposely drops the traffic because of the rules we have set.
>
> Again what I don't understand is why the 2003 Server attempts to
> bypass the forwarder that is set and go to the root to traverse down
> the DNS tree. Can you stop this behaviour? I would prefer the DNS
> query just fail and then deal with the problem of why the Firewall as
> a Caching DNS server is not correctly servicing its downstream
> clients.

You can stop the Win2k3 DNS from attempting to use Root Hints by checking
the box, "Do not use recursion" on the forwarders tab. This has the effect
of disabling root hints, so any query the Firewall cannot resolve will fail
the query instead of causing your DNS server to use its root hints.



--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
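On current Windows Server releases the same "Do not use recursion for this domain" checkbox is exposed as the forwarder's UseRootHint flag. The script below is an added example, not from the original thread; it checks the setting, applies the fix and verifies it, with the Windows Server 2003-era dnscmd equivalent in comments. The forwarder address 192.0.2.1 is a placeholder from the documentation range.

```powershell
# Added example: disable root-hint fallback so a query the forwarder cannot
# answer fails instead of being retried against the root servers.
# Assumes the DnsServer PowerShell module (Windows Server 2012 or later).
# The forwarder address is a placeholder from the documentation range.
$Forwarder = '192.0.2.1'

# Windows Server 2003 equivalent (dnscmd.exe), for reference:
#   dnscmd /ResetForwarders 192.0.2.1 /Slave   # set forwarder, no root-hint fallback
#   dnscmd /Config /IsSlave 1                  # same flag, set on its own

# Current state: does the server fall back to root hints when the forwarder fails?
$before = Get-DnsServerForwarder
Write-Host ("Forwarders: {0}  UseRootHint: {1}" -f ($before.IPAddress -join ', '), $before.UseRootHint)

# Apply: the forwarder list plus the equivalent of the "Do not use recursion" checkbox.
# Timeout is the seconds to wait on the forwarder before the query is considered failed.
Set-DnsServerForwarder -IPAddress $Forwarder -UseRootHint $false -Timeout 3

# Verify, and warn if queries can still bypass the forwarder.
$after = Get-DnsServerForwarder
if ($after.UseRootHint) {
    Write-Warning 'Root-hint fallback is still enabled; unresolved queries may go to the root servers.'
} else {
    Write-Host 'Root-hint fallback disabled: queries the forwarder cannot answer now fail.'
}
```

Run in an elevated PowerShell session on the DNS server itself, or add -ComputerName to both cmdlets to manage it remotely.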