Re: DNS forwarders



Hi Jerry,

I appreciate your update and response, and I am glad to hear that the
information is able to address your concern. Your prompt and detailed
responses have not only made my job much easier but also more enjoyable.
It has been a pleasure to work with you on this service request.

If you have any other questions or concerns, please do not hesitate to
contact us. It is always our pleasure to be of assistance.

Have a nice day!

Steven Wang
Microsoft CSS Online Newsgroup Support

--------------------
>From: "Jerry" <jerry.giacinto@xxxxxxxxxxxxxxxxxxxxxx>
>References: <#UtAJsK4FHA.3636@xxxxxxxxxxxxxxxxxxxx>
> <39pti1S4FHA.3936@xxxxxxxxxxxxxxxxxxxxx>
> <ip4UtEF5FHA.3936@xxxxxxxxxxxxxxxxxxxxx>
>Subject: Re: DNS forwarders
>Date: Tue, 8 Nov 2005 08:45:22 -0700
>Lines: 290
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 5.00.3018.1300
>X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300
>Message-ID: <ewtWGtH5FHA.1416@xxxxxxxxxxxxxxxxxxxx>
>Newsgroups: microsoft.public.windows.server.dns
>NNTP-Posting-Host: 12.9.129.10
>Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.phx.gbl
>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.dns:17099
>X-Tomcat-NG: microsoft.public.windows.server.dns
>
>Steven,
>
> Thank you for your thorough response - it is very helpful. I have changed
>my configuration as you've suggested and am not having any problems.
>Although DNS resolution has been working fine on my network up to this
>point, I'm sure these changes provide a much cleaner and efficient setup.
>
> In regard to my question about whether or not I would need forwarder
>entries on my remote DNS servers, I thought there might be a chance that
>with DNS in 2003 Server, there would be some cohesion by which the DNS
>servers would "know" to look to another DNS server on the domain.
>Obviously, that's not the case, and using forwarders to the primary DNS
>servers is the way to go.
>
>Thanks again,
> Jerry
>
>"Steven Wang [MSFT]" <v-stwang@xxxxxxxxxxxxxxxxxxxx> wrote in message
>news:ip4UtEF5FHA.3936@xxxxxxxxxxxxxxxxxxxxxxxx
>> Hello Jerry,
>>
>> Sorry for my delayed response due to the weekend. I hope this has not
>> caused you too much inconvenience, and I appreciate your patience.
>>
>> From your post, my understanding of this issue is: You would like to know
>> which is better regarding the following two DNS configuration scenarios,
>> and some related questions:
>> 1. Remove forwarders altogether and use root hints.
>> 2. Remove the ISP forwarder entries from all the remote sites and replace
>> them with the address of the main DNS server at Site A.
>>
>> If this is not correct, please feel free to let me know.
>>
>> Based on my experience, I would suggest we use option 2. If we use
>> option 1, all DNS servers can send queries outside of a network using
>> their root hints. As a result, a lot of internal, and possibly critical, DNS
>> information can be exposed on the Internet. In addition to this security
>> and privacy issue, this method of resolution can result in a large volume
>> of external traffic that is costly and inefficient for a network with a
>> slow Internet connection or a company with high Internet service costs.
>>
>> If we use option 2, you make that forwarder responsible for handling
>> external traffic, thereby limiting DNS server exposure to the Internet. A
>> forwarder will build up a large cache of external DNS information because
>> all of the external DNS queries in the network are resolved through it. In
>> a small amount of time, a forwarder will resolve a good portion of external
>> DNS queries using this cached data and thereby decrease the Internet
>> traffic over the network and the response time for DNS clients.
>>
>> In addition, I would suggest we configure the forwarder entries on all the
>> DNS servers on remote sites with both the addresses of the main and
>> redundant DNS server at Site A. Also keep the ISP forwarder entries on the
>> redundant DNS server at Site A.
>>
>> Regarding your question, "If I went with option 2, is it even necessary to
>> specify a forwarder at the remote sites, or will DNS "figure it out?", I am
>> not sure what you mean. Even with your current configuration, there is not
>> a forwarder at the remote sites. It is unnecessary to specify a forwarder
>> at the remote sites.
>>
>> Regarding the "Do not use recursion for this domain" option, I would like
>> to explain that there are two name querying methods in the DNS name
>> queries: recursive and iterative queries. With a recursive name query, the
>> DNS client requires that the DNS server respond to the client with either
>> the requested resource record or an error message stating that the record
>> or domain name does not exist. The DNS server cannot just refer the DNS
>> client to a different DNS server.
>>
>> An iterative name query is one in which a DNS client allows the DNS server
>> to return the best answer it can give based on its cache or zone data. If
>> the queried DNS server does not have an exact match for the queried name,
>> the best possible information it can return is a referral (that is, a
>> pointer to a DNS server authoritative for a lower level of the domain
>> namespace). The DNS client can then query the DNS server for which it
>> obtained a referral. It continues this process until it locates a DNS
>> server that is authoritative for the queried name, or until an error or
>> time-out condition is met.
>>
>> This option is not checked by default, and usually, we should not check it.
>>
>> More Information
>> ==============
>> Deploying Domain Name System (DNS): Using Forwarding:
>> <http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/0104be3c-0405-4455-b011-6950875c0446.mspx>
>>
>> Understanding forwarders:
>> <http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/a3cf0184-0594-4e78-8247-609f03843438.mspx>
>>
>> Managing DNS Servers: Using forwarders:
>> <http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/1cd13da9-ed0a-4814-b0bb-e46e8ac1e321.mspx>
>>
>> Recursive and Iterative Queries
>> <http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/cnet/cncc_dns_eqhi.asp>
>>
>> Recursive Name Resolution
>> <http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/b9b888e5-895e-4f63-a327-ec9137372787.mspx>
>>
>> Hope the above information is able to address your concern. If anything is
>> unclear or you have any concerns, please feel free to post back. I am glad
>> to be of assistance.
>>
>> Have a nice day!
>>
>> Steven Wang (MSFT)
>> Microsoft CSS Online Newsgroup Support
>>
>> Get Secure! - www.microsoft.com/security
>> =====================================================
>> This newsgroup only focuses on SBS technical issues. If you have issues
>> regarding other Microsoft products, you'd better post in the corresponding
>> newsgroups so that they can be resolved in an efficient and timely manner.
>> You can locate the newsgroup here:
>> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>>
>> When opening a new thread via the web interface, we recommend you check the
>> "Notify me of replies" box to receive e-mail notifications when there are
>> any updates in your thread. When responding to posts via your newsreader,
>> please "Reply to Group" so that others may learn and benefit from your
>> issue.
>>
>> Microsoft engineers can only focus on one issue per thread. Although we
>> provide other information for your reference, we recommend you post
>> different incidents in different threads to keep the thread clean. In doing
>> so, it will ensure your issues are resolved in a timely manner.
>>
>> For urgent issues, you may want to contact Microsoft CSS directly. Please
>> check http://support.microsoft.com for regional support phone numbers.
>>
>> Any input or comments in this thread are highly appreciated.
>> =====================================================
>> This posting is provided "AS IS" with no warranties, and confers no rights.
>>
>> --------------------
>> >X-Tomcat-ID: 200578714
>> >References: <#UtAJsK4FHA.3636@xxxxxxxxxxxxxxxxxxxx>
>> >MIME-Version: 1.0
>> >Content-Type: text/plain
>> >Content-Transfer-Encoding: 7bit
>> >From: v-stwang@xxxxxxxxxxxxxxxxxxxx (Steven Wang [MSFT])
>> >Organization: Microsoft
>> >Date: Fri, 04 Nov 2005 10:49:05 GMT
>> >Subject: RE: DNS forwarders
>> >X-Tomcat-NG: microsoft.public.windows.server.dns
>> >Message-ID: <39pti1S4FHA.3936@xxxxxxxxxxxxxxxxxxxxx>
>> >Newsgroups: microsoft.public.windows.server.dns
>> >Lines: 102
>> >Path: TK2MSFTNGXA01.phx.gbl
>> >Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.dns:17013
>> >NNTP-Posting-Host: tomcatimport2.phx.gbl 10.201.218.182
>> >
>> >Hello Jerry,
>> >
>> >Thank you for posting.
>> >
>> >This is a quick note to let you know that I am researching your issue and
>> >will get back to you as soon as possible. I appreciate your patience.
>> >
>> >Have a great weekend!
>> >
>> >Steven Wang (MSFT)
>> >Microsoft CSS Online Newsgroup Support
>> >
>> >Get Secure! - www.microsoft.com/security
>> >=====================================================
>> >This newsgroup only focuses on SBS technical issues. If you have issues
>> >regarding other Microsoft products, you'd better post in the corresponding
>> >newsgroups so that they can be resolved in an efficient and timely manner.
>> >You can locate the newsgroup here:
>> >http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>> >
>> >When opening a new thread via the web interface, we recommend you check the
>> >"Notify me of replies" box to receive e-mail notifications when there are
>> >any updates in your thread. When responding to posts via your newsreader,
>> >please "Reply to Group" so that others may learn and benefit from your
>> >issue.
>> >
>> >Microsoft engineers can only focus on one issue per thread. Although we
>> >provide other information for your reference, we recommend you post
>> >different incidents in different threads to keep the thread clean. In doing
>> >so, it will ensure your issues are resolved in a timely manner.
>> >
>> >For urgent issues, you may want to contact Microsoft CSS directly. Please
>> >check http://support.microsoft.com for regional support phone numbers.
>> >
>> >Any input or comments in this thread are highly appreciated.
>> >=====================================================
>> >This posting is provided "AS IS" with no warranties, and confers no rights.
>> >
>> >--------------------
>> >>From: "Jerry" <jerry.giacinto@xxxxxxxxxxxxxxxxxxxxxx>
>> >>Subject: DNS forwarders
>> >>Date: Thu, 3 Nov 2005 12:17:07 -0700
>> >>Lines: 35
>> >>X-Priority: 3
>> >>X-MSMail-Priority: Normal
>> >>X-Newsreader: Microsoft Outlook Express 5.00.3018.1300
>> >>X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300
>> >>Message-ID: <#UtAJsK4FHA.3636@xxxxxxxxxxxxxxxxxxxx>
>> >>Newsgroups: microsoft.public.windows.server.dns
>> >>NNTP-Posting-Host: 12.9.129.10
>> >>Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.phx.gbl
>> >>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.dns:16994
>> >>X-Tomcat-NG: microsoft.public.windows.server.dns
>> >>
>> >>Hi. I'm running Windows Server 2003, SP1. I have 5 sites connected through
>> >>T1 WAN links. My internet connection is at Site A, and all other sites
>> >>(I'll call them the "remote sites") use the same internet connection. At
>> >>each site I have a DC, which is also running DNS, and at Site A I have a
>> >>second DC with DNS for redundancy. Each one of these DNS servers is
>> >>configured with forwarders, which are servers at my ISP. Clients at Site A
>> >>are configured with the main DNS server at Site A as the primary, and the
>> >>redundant server at Site A as the secondary. Clients at remote sites are
>> >>configured with the DNS server at their site as the primary, and the main
>> >>DNS server at Site A as the secondary.
>> >>
>> >>Recently, a consultant suggested that I either:
>> >>1) Remove forwarders altogether and use root hints.
>> >>2) Remove the ISP forwarder entries from all the remote sites and replace
>> >>them with the address of the main DNS server at Site A. Then only the main
>> >>DNS server at Site A would use internet traffic to forward queries to the
>> >>ISP's resolvers.
>> >>
>> >>I'm not sure which of these options is better or how exactly they'll affect
>> >>DNS resolution. If I went with option 2, is it even necessary to specify a
>> >>forwarder at the remote sites, or will DNS "figure it out?" Also, I would
>> >>guess that with this option, I would still want to keep the ISP forwarder
>> >>entries on my redundant DNS server at Site A in case the main DNS server
>> >>went down?
>> >>
>> >>I'm also not sure if I should check or uncheck the "Do not use recursion
>> >>for this domain" checkbox on the Forwarders tab in any of the scenarios I've
>> >>listed, including my current configuration.
>> >>
>> >>Looking for a little guidance, please.
>> >>
>> >>Thank you,
>> >> Jerry
>> >>
>> >>
>> >>
>> >
>> >
>>
>
>
>
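
As an added illustration of the option 2 layout Steven recommends (this is not code from the thread; the site names, server addresses and ISP resolver addresses are constructed), here is a small Python audit that flags the settings the thread advises against: a remote-site server that reaches the Internet directly via root hints or ISP forwarders, a remote server that does not list both Site A servers, a Site A server without an ISP forwarder, and a ticked "Do not use recursion" box.

```python
from dataclasses import dataclass, field

HUB_SITE = "A"   # Site A holds the Internet link and the ISP forwarders
# Constructed ISP resolver addresses (TEST-NET-3), not the poster's real ones
ISP_RESOLVERS = frozenset({"203.0.113.53", "203.0.113.54"})


@dataclass
class DnsServer:
    addr: str
    site: str
    forwarders: list = field(default_factory=list)
    forward_only: bool = False   # the "Do not use recursion for this domain" box


def audit(servers):
    """Return (server, problem) pairs for settings the thread advises against."""
    hub = {s.addr for s in servers if s.site == HUB_SITE}
    findings = []
    for s in servers:
        fwd = set(s.forwarders)
        if s.site != HUB_SITE:
            # Option 1 (root hints) or ISP forwarders at a remote site both
            # let that server talk to the Internet directly.
            if not fwd or fwd & ISP_RESOLVERS:
                findings.append((s.addr, "queries the Internet directly; forward to Site A instead"))
            elif not hub <= fwd:
                findings.append((s.addr, "should list both Site A servers as forwarders"))
        elif not fwd & ISP_RESOLVERS:
            findings.append((s.addr, "Site A server has no ISP forwarder; it would use root hints"))
        if s.forward_only:
            # With the box ticked, Windows DNS will not fall back to root hints
            # when every forwarder is unreachable (not stated in the thread).
            findings.append((s.addr, "'Do not use recursion' set: no fallback if forwarders fail"))
    return findings


def current_config():
    """Jerry's starting point: every DC forwards to the ISP (constructed addresses)."""
    isp = sorted(ISP_RESOLVERS)
    return [DnsServer("10.1.0.10", "A", isp), DnsServer("10.1.0.11", "A", isp)] + [
        DnsServer(f"10.{n}.0.10", site, isp) for n, site in enumerate("BCDE", start=2)]


def recommended_config():
    """Option 2: remote sites forward to both Site A servers, which keep the ISP entries."""
    isp = sorted(ISP_RESOLVERS)
    hub = ["10.1.0.10", "10.1.0.11"]
    return [DnsServer(hub[0], "A", isp), DnsServer(hub[1], "A", isp)] + [
        DnsServer(f"10.{n}.0.10", site, hub) for n, site in enumerate("BCDE", start=2)]


if __name__ == "__main__":
    for label, cfg in (("current", current_config()), ("recommended", recommended_config())):
        print(label, audit(cfg) or "no findings")
```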
