Re: Forworders or Root Hints?
- From: Johan Strange <JohanStrange@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 9 Oct 2007 09:45:00 -0700
At some stage your DNS needs to use an external source regardless of the topology; root hints and forwarders are methods of doing this. I know what you're saying and you seem to be very aggressively forcing your point across. I know that forwarders cause issues, I have seen it, and yes, you're right it is down to others, which is reason enough not to use them. Heaven forbid anyone else has an opinion, Jorge. I have said that you have a point, and if you are an MVP you will, even silently, admit that what I say is also correct even if it goes against what you say.
For the sake of the argument let's just say you are right and I am wrong, well done Jorge.
--
Johan Strange
_______________________________
MCSE, MCSA + Messaging, CompA+
Logic42 Computer Solutions - The answer to everything
www.logic42.co.uk
"Jorge Silva" wrote:
Doesn't sound to me that the stated reasons have anything to do with forwarding configuration but rather with changes that were done by other people in other DNS servers. If you don't trust them DON'T use them. "That's what I'm saying since the beginning (in other words, especially true for the internal network)." You can have your own cache-only DNS server without being messed up by others; if that server suffers an attack from public or internal, bad luck, in less than 5 minutes I have another one in place and it didn't mess up my internal DNS server. You talk and talk about external providers; if you pay attention to my previous posts I said to AVOID using external DNS servers for direct queries from your internal DNS servers. If I'm using external providers' root hints, ISPs, etc... my servers go to public, and that was my point, don't do it (or try not to)...
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
"Johan Strange" <JohanStrange@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8B3E209E-1D8F-463B-A872-6E591DB07424@xxxxxxxxxxxxxxxx
When using forwarders the query is passed to a DNS server or servers that we know and trust; these are configured as forwarders, they use their resolver to resolve the query and pass the result back to our Windows box. Possibly we have our own BIND server in a DMZ, maybe we use another Windows DNS, but nevertheless we are reliant on these systems to be available to resolve the query on behalf of our Windows box. In return our own DNS remains secure and gets another system doing its work with external host resolution. The last time I saw an issue with forwarders was with a client that had their DNS server querying two BT (British Telecom) DNS servers. BT had changed the security on their network and were not responding to my client's DNS requests; I will not bore you with BT logic because I do not understand it myself. On another instance a consultant had configured a server to query an ISP name server from an IP address assigned to Demon. The ISP who held the DNS saw the requests from outside their network and decided to add the IP of my client's DSL router to the hosts deny file on their BIND. If these users had been using cache hints then this issue would not have occurred.
It takes around 5 seconds to emulate this in a lab. I have never seen a root hint failure.
Can you see this as a point Jorge?
--
Johan Strange
_______________________________
MCSE, MCSA + Messaging, CompA+
Logic42 Computer Solutions - The answer to everything
www.logic42.co.uk
"Jorge Silva" wrote:
Ok, I can live with that, but can you explain why forwarders are easier to break?
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
"Johan Strange" <JohanStrange@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4698336F-9FA1-4AEC-AACF-5E016C4446AD@xxxxxxxxxxxxxxxx
Then it's all opinions. I personally see forwarders as easier to break. I don't disagree with what you say but I have seen from experience that root hints are more solid. But that's my opinion ... :)
--
Johan Strange
_______________________________
MCSE, MCSA + Messaging, CompA+
Logic42 Computer Solutions - The answer to everything
www.logic42.co.uk
"Jorge Silva" wrote:
Please don't be sorry, that's your opinion and I respect that.
However it doesn't make sense to me; the reason is simple: the poster wants a solution to solve names outside its domain, so, assuming that he is talking about public names, he can use root hints (very unsecure -> and if he loses connectivity to the root hints servers they won't be able to solve public names as well, so I don't see this option as an advantage), stub zones (doesn't make sense to create one stub zone for each public domain, and it's not doable because you have thousands of public domains (you also rely on connectivity to the NS to achieve the query results)), secondary zones won't work (for obvious reasons), at last you have conditional forwarding (not doable for the same reasons as the stub zones) and forwarding.
To me forwarding is the right way to go for; the reasons are simple: you can control where to send the queries, not using root hints is better from a security perspective, and it's easy to implement.
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
"Johan Strange" <JohanStrange@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:2EF254A3-7C35-4F49-AA35-B5ED46BEF083@xxxxxxxxxxxxxxxx
Thank you for that Jorge. I am sorry that what I said goes against your explanation. I understand forwarders and conditional forwarders. Can you confirm that what I said is never a possibility?
--
Johan Strange
_______________________________
MCSE, MCSA + Messaging, CompA+
Logic42 Computer Solutions - The answer to everything
"Jorge Silva" wrote:
You must be joking... That's your reason to not use forwarders?
Remember forwarders don't have to necessarily be external/public DNS servers.
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
"Johan Strange" <JohanStrange@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:B62E3D40-1647-43D6-A946-57B2A1D68474@xxxxxxxxxxxxxxxx
With forwarders you are relying on set name servers to resolve requests that are not in the resolver cache. Then if these devices cannot be contacted for various reasons you cannot resolve hostnames for external resources.
--
Johan Strange
_______________________________
MCSE, MCSA + Messaging, CompA+
Logic42 Computer Solutions - The answer to everything
"Jorge Silva" wrote:
Hi
I vote for forwarders; the reason is security: with forwarders your server won't go to public ("you must select the option disable recursion for this domain").
Now, if all your clients do ONLY external resolution why not have a cache-only DNS server to do that job?
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
"Nutzer" <helo@xxxxxxxxxxx> wrote in message
news:b4SdnUosG-yHr5janZ2dnUVZ_r2nnZ2d@xxxxxxxxxxxxxxx
Hello,
I'm trying to configure my DC servers as a DNS server. Should I set it for Forwarders or Root hints? This is AD integrated DNS. But all my users will resolve to outside with this DNS server.
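As an added example that is not part of this thread, here is a small forwarder probe written in Python using only the standard library. It sends one recursive query to a configured forwarder and classifies the reply into the states the thread argues over: a healthy forwarder, a forwarder that refuses recursion for this source address (the BIND deny-list case Johan describes), and a forwarder that does not answer at all (where, if recursion to root hints is disabled as Jorge recommends, external resolution stops). The server address and the query name are placeholders chosen for the example.

```python
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype=1):
    """Build a recursive (RD=1) DNS query for `name`; return (txid, packet)."""
    txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def parse_header(txid, data):
    """Parse the 12-byte header of a reply and pull out what the probe needs."""
    if len(data) < 12:
        raise ValueError("truncated DNS reply")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")  # stray or spoofed packet
    return {
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "recursion_available": bool(flags & 0x0080),  # RA bit
        "answers": an,
    }


def verdict(info):
    """Map a parsed reply onto the operational states discussed in the thread."""
    if info["rcode"] == "REFUSED" or not info["recursion_available"]:
        return "forwarder refuses recursion for this client"
    if info["rcode"] == "NOERROR" and info["answers"] > 0:
        return "forwarder healthy"
    return "forwarder answered but could not resolve: " + info["rcode"]


def probe_forwarder(server, name="www.example.com", timeout=2.0):
    """Send one recursive query to `server` over UDP/53 and report its state."""
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(packet, (server, 53))
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "forwarder not responding (timeout)"  # Johan's failure case
    return verdict(parse_header(txid, data))


if __name__ == "__main__":
    print(probe_forwarder("192.0.2.53"))  # placeholder forwarder address
```

Run it against each address on the server's forwarders list; a "refuses recursion" or "not responding" result for every entry is exactly the situation where a server configured with "do not use recursion for this domain" loses all external resolution.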