Re: DNS Server set to forwarder randomly going out to root servers



In news:46AF4F11-FBCA-4E08-92CF-4C11145E450A@xxxxxxxxxxxxx,
Fred L <FredL@xxxxxxxxxxxxxxxxxxxxxxxxx> stated, which I then commented on
below:
> We implemented the EDNS0 change to no avail.
>
> The firewall is actually acting as a caching DNS server. It has rules
> specifically to block all port 53 traffic from traversing the firewall
> regardless if it is UDP or TCP. It is meant to service the request
> of the forwarder.
>
> What I am really trying to understand is if the 2003 Server has a
> forwarder set why does it also randomly try and go to the root
> servers. What happens then is the firewall sees this attempt and
> purposely drops the traffic because of the rules we have set.
>
> Again what I don't understand is why the 2003 Server attempts to
> bypass the forwarder that is set and go to the root to traverse down
> the DNS tree. Can you stop this behaviour? I would prefer the DNS
> query just fail and then deal with the problem of why the Firewall as
> a Caching DNS server is not correctly servicing its downstream
> clients.
>
> Thanks for your advice.
>
> Fred Lobmeyer

As I previously mentioned, DNS WILL use the forwarder first. If it doesn't
work, THEN IT GOES to the Root Hints. Follow Kevin's suggestions on how to
disable that. If you disable that and it still doesn't work, then maybe the
DNS server you have configured your firewall to forward to is not responding
or working. Have you tested that server out? Or do you have rules blocking
the return traffic from it?

Ace
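The checks Ace is asking for, as an added example that is not part of the thread: it assumes a Windows Server 2003 DNS server with dnscmd.exe installed (Support Tools), and that the firewall's caching resolver, the only forwarder, sits at the placeholder address 192.0.2.1. It records the current forwarding settings, queries the forwarder directly to see whether it answers and whether its reply gets back through the firewall, then marks the forwarder configuration "slave" so that a query which the forwarder does not answer simply fails instead of falling back to the root hints.

```powershell
# Added example, not from the original post. Assumes Windows Server 2003 DNS,
# dnscmd.exe from the Support Tools, and a forwarder at 192.0.2.1 (placeholder).
$Forwarder = '192.0.2.1'
$TestName  = 'www.microsoft.com'

# 1. Record the current forwarding configuration before changing anything.
& dnscmd /Info /Forwarders
& dnscmd /Info /IsSlave        # 1 = "Do not use recursion for this domain" is set
& dnscmd /Info /NoRecursion    # 1 = recursion (and forwarding) disabled entirely

# 2. Does the forwarder actually answer, and does its reply get back through
#    the firewall? Ask it directly, bypassing the local DNS service.
#    A timeout here means the forwarder or the return path is the problem,
#    not the Windows DNS server.
& nslookup -timeout=5 $TestName $Forwarder

# 3. Make the server a pure forwarder ("slave"). Queries go to the forwarder;
#    if it does not answer within ForwardingTimeout seconds the query fails
#    instead of being retried against the root hints. This is the dnscmd form
#    of the "Do not use recursion for this domain" checkbox on the Forwarders
#    tab.
& dnscmd /ResetForwarders $Forwarder /Slave
& dnscmd /Config /ForwardingTimeout 5

# Do NOT use the Advanced-tab setting for this. It disables recursion and
# forwarding together, so clients would only get authoritative and cached
# answers:
#   dnscmd /Config /NoRecursion 1

# 4. Confirm the change took effect.
& dnscmd /Info /IsSlave
& dnscmd /Info /Forwarders
```

Run step 2 first: if the direct nslookup against the forwarder times out, the root-hint attempts the firewall is logging are only the symptom, and the fix belongs on the firewall's caching resolver (or its return-traffic rules), not on the 2003 server.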





