Re: Forworders or Root Hints?
- From: Johan Strange <JohanStrange@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 8 Oct 2007 12:21:15 -0700
When using Forwarders the query is passed to a DNS Server or Servers that we know and trust; these are configured as forwarders, they use their resolver to resolve the query and pass the result back to our Windows box. Possibly we have our own BIND Server in a DMZ, maybe we use another Windows DNS, but nevertheless we are reliant on these systems to be available to resolve the query on behalf of our Windows box. In return our own DNS remains Secure and gets another system doing its work with external hosts resolution.

The last time I saw an issue with forwarders was with a client that had their DNS Server querying two BT (British Telecom) DNS Servers. BT had changed the security on their network and were not responding to my client's DNS Requests; I will not bore you with BT Logic because I do not understand it myself. On another instance a consultant had configured a Server to query an ISP Name Server from an IP Address assigned to Demon. The ISP who held the DNS saw the requests from outside their network and decided to add the IP of my client's DSL Router to the Hosts Deny file on their Bind. If these users had been using cache hints then this issue would not have occurred.

It takes around 5 seconds to emulate this in a lab. I have never seen a root hint failure.

Can you see this as a point Jorge?
--
Johan Strange
_______________________________
MCSE, MCSA + Messaging, CompA+
Logic42 Computer Solutions - The answer to everything
www.logic42.co.uk
"Jorge Silva" wrote:
Ok, I can live with that, but can you explain why forwarders are easier to break?
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
"Johan Strange" <JohanStrange@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4698336F-9FA1-4AEC-AACF-5E016C4446AD@xxxxxxxxxxxxxxxx
Then it's all opinions. I personally see forwarders as easier to break. I don't disagree with what you say but I have seen from experience that root hints are more solid. But that's my opinion ... :)
--
Johan Strange
_______________________________
MCSE, MCSA + Messaging, CompA+
Logic42 Computer Solutions - The answer to everything
www.logic42.co.uk
"Jorge Silva" wrote:
Please don't be sorry, that's your opinion and I respect that.

However it doesn't make sense to me. The reason is simple: the poster wants a solution to solve names outside its domain, so, assuming that he is talking about public names, he can use root hints (very insecure -> and if he loses connectivity to the root hints servers they won't be able to solve public names as well - So I don't see this option as an advantage), Stub Zones (doesn't make sense to create one stub zone for each public domain, and it's not doable because you have thousands of public domains (You also rely on connectivity to the NS to achieve the query results)), Secondary Zones won't work (for obvious reasons), and at last you have Conditional Forwarding (not doable for the same reasons as the stub Zones) and Forwarding.

To me Forwarding is the right way to go for. The reasons are simple: you can control where to send the queries, not using root hints is better from a security perspective, and it's easy to implement.
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
"Johan Strange" <JohanStrange@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2EF254A3-7C35-4F49-AA35-B5ED46BEF083@xxxxxxxxxxxxxxxx
Thank you for that Jorge. I am sorry that what I said goes against your explanation. I understand forwarders and conditional forwarders. Can you confirm that what I said is never a possibility?
--
Johan Strange
_______________________________
MCSE, MCSA + Messaging, CompA+
Logic42 Computer Solutions - The answer to everything
"Jorge Silva" wrote:
You must be joking... That's your reason to not use forwarders?
Remember Forwarders don't have to necessarily be external/public DNS servers.
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
"Johan Strange" <JohanStrange@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:B62E3D40-1647-43D6-A946-57B2A1D68474@xxxxxxxxxxxxxxxx
With forwarders you are relying on set name servers to resolve requests that are not in the resolver cache. Then if these devices cannot be contacted for various reasons you cannot resolve hostnames for external resources.
--
Johan Strange
_______________________________
MCSE, MCSA + Messaging, CompA+
Logic42 Computer Solutions - The answer to everything
"Jorge Silva" wrote:
Hi
I vote in Forwarders; the reason is security. With forwarders your server won't go to public ("you must select the option disable recursion for this domain").
Now, if all your clients do ONLY external resolution, why not have a cache-only DNS server to do that job?
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
"Nutzer" <helo@xxxxxxxxxxx> wrote in message
news:b4SdnUosG-yHr5janZ2dnUVZ_r2nnZ2d@xxxxxxxxxxxxxxx
Hello,
I'm trying to configure my DC servers as a DNS server. Should I set it for Forwarders or Root hints? This is AD integrated DNS. But all my users will resolve to outside with this DNS server.
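The configuration Jorge argues for (forwarders only, no fallback to root hints) together with a check for the outage Johan describes (forwarders reachable but no longer answering), as an added PowerShell example that is not part of this thread. It assumes the DnsServer module of a current Windows Server and the placeholder forwarder addresses shown; nothing else is taken from the posts.

```powershell
# Added example, not from the thread. Assumes Windows Server with the DnsServer
# module (Set-DnsServerForwarder, Resolve-DnsName) and placeholder forwarder
# addresses from the TEST-NET ranges; replace them with your trusted resolvers.
$Forwarders = @('192.0.2.53', '198.51.100.53')   # placeholders, not real resolvers
$ProbeName  = 'example.com'                       # public name used as the health probe

# 1. Forward-only: names this server is not authoritative for go to the trusted
#    forwarders, and UseRootHint $false stops it walking the public tree itself
#    when they fail (the "do not use recursion for this domain" option on the
#    forwarders tab). Timeout is seconds to wait per forwarder.
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false -Timeout 3

# 2. Probe each forwarder directly, bypassing the local cache (-DnsOnly), so a
#    forwarder that now drops or refuses our queries shows up as a timeout or
#    SERVFAIL rather than being masked by a cached answer.
function Test-DnsForwarder {
    param([string]$Server, [string]$Name)
    try {
        $answer = Resolve-DnsName -Name $Name -Server $Server -Type A -DnsOnly -ErrorAction Stop
        $ip = ($answer | Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress
        [pscustomobject]@{ Forwarder = $Server; Healthy = $true;  Detail = $ip }
    } catch {
        [pscustomobject]@{ Forwarder = $Server; Healthy = $false; Detail = $_.Exception.Message }
    }
}

$results = foreach ($fw in $Forwarders) { Test-DnsForwarder -Server $fw -Name $ProbeName }
$results | Format-Table -AutoSize

# 3. If no forwarder answers, every client of this DC has lost external
#    resolution even though the DC itself is healthy. Alert on it; restoring the
#    forwarders (or temporarily re-enabling root hints) is the operator's call.
$healthy = @($results | Where-Object Healthy).Count
if ($healthy -eq 0) {
    Write-Warning "No forwarder answered for $ProbeName; external resolution is down."
} elseif ($healthy -lt $Forwarders.Count) {
    Write-Warning "$($Forwarders.Count - $healthy) of $($Forwarders.Count) forwarders failed."
}
```

Run it from a scheduled task on each DNS server; a warning from step 3 is the signal Johan says takes seconds to reproduce in a lab but is only noticed in production when clients complain.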