RE: DNS forwarders



Hello Jerry,

Sorry for my delayed response due to the weekend. I hope this has not
caused you too much inconvenience, and I appreciate your patience.

From your post, my understanding of this issue is: You would like to know
which is better regarding the following two DNS configuration scenarios,
and some related questions:
1. Remove forwarders altogether and use root hints.
2. Remove the ISP forwarder entries from all the remote sites and replace
them with the address of the main DNS server at Site A.

If this is not correct, please feel free to let me know.

Based on my experience, I would suggest we use option 2. If we use option
1, all DNS servers can send queries outside of a network using their
root hints. As a result, a lot of internal, and possibly critical, DNS
information can be exposed on the Internet. In addition to this security
and privacy issue, this method of resolution can result in a large volume
of external traffic that is costly and inefficient for a network with a
slow Internet connection or a company with high Internet service costs.

If we use option 2, you make that forwarder responsible for handling
external traffic, thereby limiting DNS server exposure to the Internet. A
forwarder will build up a large cache of external DNS information because
all of the external DNS queries in the network are resolved through it. In
a small amount of time, a forwarder will resolve a good portion of external
DNS queries using this cached data and thereby decrease the Internet
traffic over the network and the response time for DNS clients.

In addition, I would suggest we configure the forwarder entries on all the
DNS servers on remote sites with both the addresses of the main and
redundant DNS server at Site A. Also keep the ISP forwarder entries on the
redundant DNS server at Site A.

Regarding your question, "If I went with option 2, is it even necessary to
specify a forwarder at the remote sites, or will DNS 'figure it out?'", I am
not sure what you mean. Even with your current configuration, there is not
a forwarder at the remote sites. It is unnecessary to specify a forwarder
at the remote sites.

Regarding the "Do not use recursion for this domain" option, I would like
to explain that there are two name querying methods in the DNS name
queries: recursive and iterative queries. With a recursive name query, the
DNS client requires that the DNS server respond to the client with either
the requested resource record or an error message stating that the record
or domain name does not exist. The DNS server cannot just refer the DNS
client to a different DNS server.

An iterative name query is one in which a DNS client allows the DNS server
to return the best answer it can give based on its cache or zone data. If
the queried DNS server does not have an exact match for the queried name,
the best possible information it can return is a referral (that is, a
pointer to a DNS server authoritative for a lower level of the domain
namespace). The DNS client can then query the DNS server for which it
obtained a referral. It continues this process until it locates a DNS
server that is authoritative for the queried name, or until an error or
time-out condition is met.

This option is not checked by default, and usually, we should not check it.

More Information
==============
Deploying Domain Name System (DNS): Using Forwarding:
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/0104be3c-0405-4455-b011-6950875c0446.mspx>

Understanding forwarders:
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/a3cf0184-0594-4e78-8247-609f03843438.mspx>

Managing DNS Servers: Using forwarders:
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/1cd13da9-ed0a-4814-b0bb-e46e8ac1e321.mspx>

Recursive and Iterative Queries
<http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/cnet/cncc_dns_eqhi.asp>

Recursive Name Resolution
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/b9b888e5-895e-4f63-a327-ec9137372787.mspx>

Hope the above information is able to address your concern. If anything is
unclear or you have any concerns, please feel free to post back. I am glad
to be of assistance.

Have a nice day!

Steven Wang (MSFT)
Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
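
The reply above distinguishes recursive from iterative queries in words. On the wire the difference is a single header bit: a recursive query has RD (recursion desired) set and expects a final answer or an error, while an iterative query leaves RD clear and accepts a referral (no answer records, NS records in the authority section, AA clear). The script below is an added example, not code from the newsgroup post or from Microsoft: it builds both kinds of query for a constructed name (`www.example.com`), classifies replies from the header alone, and includes a small UDP sender an administrator can point at their own Site A server to see which kind of reply it gives. The three sample replies are constructed in memory (header plus copied question, no record data), not captured from any real server.

```python
"""Build DNS queries with/without RD and classify replies by header.

Added example (standard library only).  Sample replies are constructed;
they are not captured traffic.  Sending to a real server is optional and
done only by send_query().
"""
import socket
import struct

# Header flag bits, RFC 1035 section 4.1.1.
QR = 1 << 15  # message is a response
AA = 1 << 10  # authoritative answer
RD = 1 << 8   # recursion desired: set by the client on a recursive query
RA = 1 << 7   # recursion available: set by a server willing to recurse
RCODE_MASK = 0xF
RCODE_NXDOMAIN = 3

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, recursion_desired: bool, qid: int = 0x1234,
                qtype: int = QTYPE_A) -> bytes:
    """Wire-format query.  RD set = recursive query (client wants a final
    answer); RD clear = iterative query (a referral is an acceptable reply)."""
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg: bytes) -> dict:
    """Unpack the 12-byte header; reject anything shorter."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "flags": flags, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def classify_response(msg: bytes) -> str:
    """Name the kind of reply using only header fields."""
    h = parse_header(msg)
    flags = h["flags"]
    if not flags & QR:
        return "not-a-response"
    rcode = flags & RCODE_MASK
    if rcode == RCODE_NXDOMAIN:
        return "nxdomain"          # the error a recursive client gets for a missing name
    if rcode != 0:
        return f"error(rcode={rcode})"
    if h["ancount"] > 0:
        return "answer"            # what a forwarder/recursive resolver returns
    if h["nscount"] > 0 and not flags & AA:
        return "referral"          # what root/TLD servers return to iterative queries
    return "nodata"


def send_query(server: str, qname: str, recursion_desired: bool,
               timeout: float = 3.0) -> bytes:
    """Send one query over UDP/53 and return the raw reply (network use only)."""
    query = build_query(qname, recursion_desired)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(4096)
    if parse_header(reply)["id"] != parse_header(query)["id"]:
        raise ValueError("reply id does not match query id")
    return reply


def make_response(query: bytes, flags: int, ancount: int, nscount: int,
                  arcount: int = 0) -> bytes:
    """Constructed sample reply: new header, question copied from the query.
    Only the header is needed for classification, so record data is omitted."""
    qid = parse_header(query)["id"]
    header = struct.pack("!HHHHHH", qid, QR | flags, 1, ancount, nscount, arcount)
    return header + query[12:]


def demo() -> dict:
    q_rec = build_query("www.example.com", recursion_desired=True)
    q_iter = build_query("www.example.com", recursion_desired=False)
    # Recursive resolver (e.g. the Site A forwarder) returning a final answer.
    final = make_response(q_rec, RD | RA, ancount=1, nscount=0)
    # Authoritative server answering an iterative query with a referral:
    # no answers, 13 NS records in authority, their addresses in additional.
    referral = make_response(q_iter, 0, ancount=0, nscount=13, arcount=13)
    # Recursive resolver reporting that the name does not exist.
    missing = make_response(q_rec, RD | RA | RCODE_NXDOMAIN, ancount=0, nscount=1)
    return {
        "rd_set": bool(parse_header(q_rec)["flags"] & RD),
        "rd_clear": not parse_header(q_iter)["flags"] & RD,
        "final": classify_response(final),
        "referral": classify_response(referral),
        "missing": classify_response(missing),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run against your own servers, `send_query(<site-a-server>, "www.example.com", True)` followed by `classify_response()` shows whether that server performs recursion for the asking client; a server that returns "answer" with RA set to a query arriving from the Internet is the exposure the reply above warns about, and under option 2 only the forwarder at Site A should ever do that work.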

--------------------
>X-Tomcat-ID: 200578714
>References: <#UtAJsK4FHA.3636@xxxxxxxxxxxxxxxxxxxx>
>MIME-Version: 1.0
>Content-Type: text/plain
>Content-Transfer-Encoding: 7bit
>From: v-stwang@xxxxxxxxxxxxxxxxxxxx (Steven Wang [MSFT])
>Organization: Microsoft
>Date: Fri, 04 Nov 2005 10:49:05 GMT
>Subject: RE: DNS forwarders
>X-Tomcat-NG: microsoft.public.windows.server.dns
>Message-ID: <39pti1S4FHA.3936@xxxxxxxxxxxxxxxxxxxxx>
>Newsgroups: microsoft.public.windows.server.dns
>Lines: 102
>Path: TK2MSFTNGXA01.phx.gbl
>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.dns:17013
>NNTP-Posting-Host: tomcatimport2.phx.gbl 10.201.218.182
>
>Hello Jerry,
>
>Thank you for posting.
>
>This is a quick note to let you know that I am researching your issue and
>will get back to you as soon as possible. I appreciate your patience.
>
>Have a great weekend!
>
>Steven Wang (MSFT)
>Microsoft CSS Online Newsgroup Support
>
>
>--------------------
>>From: "Jerry" <jerry.giacinto@xxxxxxxxxxxxxxxxxxxxxx>
>>Subject: DNS forwarders
>>Date: Thu, 3 Nov 2005 12:17:07 -0700
>>Lines: 35
>>X-Priority: 3
>>X-MSMail-Priority: Normal
>>X-Newsreader: Microsoft Outlook Express 5.00.3018.1300
>>X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300
>>Message-ID: <#UtAJsK4FHA.3636@xxxxxxxxxxxxxxxxxxxx>
>>Newsgroups: microsoft.public.windows.server.dns
>>NNTP-Posting-Host: 12.9.129.10
>>Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.phx.gbl
>>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.dns:16994
>>X-Tomcat-NG: microsoft.public.windows.server.dns
>>
>>Hi. I'm running Windows Server 2003, SP1. I have 5 sites connected through
>>T1 WAN links. My internet connection is at Site A, and all other sites
>>(I'll call them the "remote sites") use the same internet connection. At
>>each site I have a DC, which is also running DNS, and at Site A I have a
>>second DC with DNS for redundancy. Each one of these DNS servers is
>>configured with forwarders, which are servers at my ISP. Clients at Site A
>>are configured with the main DNS server at Site A as the primary, and the
>>redundant server at Site A as the secondary. Clients at remote sites are
>>configured with the DNS server at their site as the primary, and the main
>>DNS server at Site A as the secondary.
>>
>>Recently, a consultant suggested that I either:
>>1) Remove forwarders altogether and use root hints.
>>2) Remove the ISP forwarder entries from all the remote sites and replace
>>them with the address of the main DNS server at Site A. Then only the main
>>DNS server at Site A would use internet traffic to forward queries to the
>>ISP's resolvers.
>>
>>I'm not sure which of these options is better or how exactly they'll affect
>>DNS resolution. If I went with option 2, is it even necessary to specify a
>>forwarder at the remote sites, or will DNS "figure it out?" Also, I would
>>guess that with this option, I would still want to keep the ISP forwarder
>>entries on my redundant DNS server at Site A in case the main DNS server
>>went down?
>>
>>I'm also not sure if I should check or uncheck the "Do not use recursion for
>>this domain" checkbox on the Forwarders tab in any of the scenarios I've
>>listed, including my current configuration.
>>
>>Looking for a little guidance, please.
>>
>>Thank you,
>> Jerry
>>
>>
>>
>
>
