g0swell
asked on
DNS configuration question

I will soon be implementing our Active Directory and DNS structure and I have a question concerning the proper way to configure the system.  All of our current DNS services are handled by our ISP; we have no local DNS servers.  When I implement Active Directory I will be using a local Win2k DNS server and the AD will only contain server records for the time being.  We also do not plan on taking control of our public DNS records at this time.  In short, the only records that will be in our local Win2k DNS will be the servers in the Active Directory.  All of our clients use the ISP for DNS resolution.  How should I configure our clients to resolve DNS queries when I add a local Win2k DNS server?  The problem is that clients need to be aware of both our local DNS and the ISP's DNS; what is the best way to do that?  Our local DNS will be located on our corporate LAN and we are connected to our ISP by a T1 (saturated).
Thanks
Jonf
You'll need to setup forwarding on your Win2k DNS server.  If you setup AD and DNS with no other DNS servers accessible your new W2K DNS server will be the root for the zone.  In order to enable forwarding you'll have to delete the root zone (the . zone).
In the DNS console, get the properties for your server, on the forwarders tab enter in the IP addresses of your ISP DNS servers.
This allows your W2K DNS server to answer queries for the zone it is authoritative for (your domain), and it forwards any queries it can't answer to the ISP's DNS server, then returns the response to the client.
It's a good idea to tick the box on the forwarders tab that says "Do not use recursion"; this stops the server from trying other methods to resolve names if the ISP's DNS server fails to resolve a query.
I've done this on my implementation of W2K and it works a treat.
Maybe someone else has got another opinion on this?
Jon
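Jon's three steps (delete the root zone, enter the ISP's resolvers as forwarders, tick "Do not use recursion") typed out rather than clicked, as an added example that is not from the original thread. It uses dnscmd.exe, which Windows 2000 shipped in the Support Tools rather than in the box; the server name, the AD domain and the resolver addresses are assumptions, and the DnsServer cmdlets in the trailing comment are the later equivalents for servers that have them.

```powershell
# Added example; not from the original thread. Assumes dnscmd.exe from the
# Windows 2000 Support Tools on the DC, an AD domain named corp.example.com,
# and ISP resolvers at 198.51.100.10 and 198.51.100.11 (all hypothetical).

$Server     = 'dc1.corp.example.com'
$AdDomain   = 'corp.example.com'
$Forwarders = @('198.51.100.10', '198.51.100.11')

# 1. A DC promoted with no other DNS server reachable creates a root zone (".")
#    and from then on believes it is the Internet root, so the Forwarders tab
#    is greyed out. Delete the root zone before anything else.
dnscmd $Server /ZoneDelete . /f

# 2. Point the server at the ISP resolvers. /Slave is dnscmd's name for the
#    "Do not use recursion" box: when no forwarder answers, the query fails
#    instead of the server walking the root hints itself. /NoSlave keeps the
#    root-hints fallback.
dnscmd $Server /ResetForwarders $Forwarders /Slave

# Caveat: "/Config /NoRecursion 1" is a different knob. It stops the server
# recursing on behalf of its clients altogether, which suits an Internet-facing
# authoritative server, not the AD server the workstations use.

# 3. Checks. The DC locator SRV record must be answered by this server itself;
#    an outside name must come back through the forwarders.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$AdDomain" $Server
nslookup www.example.net $Server

# Dump the server settings and confirm the forwarder list and the slave flag.
dnscmd $Server /Info

# Same configuration on Windows Server 2012 or later (DnsServer module):
#   Remove-DnsServerZone -Name '.' -Force
#   Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false
#   Get-DnsServerForwarder
```

If the SRV lookup in step 3 fails, the zone for the AD domain is not loaded on this server and forwarding is not the problem; fix that before touching the forwarder settings again.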
ASKER CERTIFIED SOLUTION
matt023
This solution is only available to members.
matt023 is correct in saying that all clients need to use the Win2k DNS server as their DNS server, otherwise AD lookups will not work.
If you use forwarders and the "do not use recursion" option, this uses forwarders exclusively for name resolution for queries that the Win2k server does not have zones for.  My reading has led me to believe that the forwarders (ISP DNS servers) would check their cache and local databases first, and if the answer is not there they will perform an iterative query through the root hints process.
Thus the Win2k DNS server will search its own zone database first; if it cannot resolve the query it will forward it on to the ISP DNS server, which will return the answer or fail the query.  With "do not use recursion" enabled the Win2k DNS server will accept this answer and not try to resolve the query itself (after all, it's already been told that the name does not exist).
Jon
g0swell
ASKER
I spent yesterday testing different situations and that is the exact method I decided to use.  One of my concerns was that if our local DNS servers died it would cut people off from the internet (may as well cut their hands off) so I decided to add the ISP's DNS server second in the list given by DHCP.  That should cover all the bases.
With the "do not use recursion" turned on, the Win2k DNS server will not ask the ISP DNS server to do all the work and give it a definite answer.  If the ISP DNS server doesn't have the answer, it will not query other DNS servers.  The Win2k DNS server will then have to do it by itself - through iterative query.  Since all clients previously used the ISP DNS servers to resolve names, it is safe to say that the ISP DNS servers will find the correct name resolutions.  By turning off the "do not use recursion" option (which means "use recursion"), you're using a technique called "DNS Proxy" and allowing the ISP DNS servers to do all the work and return the query back as they did for the clients prior to the implementation of the Win2k DNS server.  This way, the network traffic between the internal Win2k DNS server and the Internet is reduced.  Security can also be heightened by setting a firewall rule to allow the internal Win2k DNS server to communicate only with one (or more) Internet host(s) - the forwarder.
g0swell, that is one solution.  However, you must keep in mind that if the Win2k DNS server is down and the clients are using your ISP DNS server, they won't be able to update their resource records.  In addition, they won't be able to log on to your Win2k domain because your ISP DNS server doesn't have your AD information.  A better solution is to put up an additional DNS server for redundancy.  Good luck.
g0swell, take matt023's advice and definitely setup another DNS server.  If you are using AD integrated zones (recommended) just install DNS on another domain controller and add that DC's IP address to your list configured via DHCP.
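The client-facing half of what matt023 and Jon recommend (two internal DNS servers handed out by DHCP, the ISP's resolver kept out of the client list), as an added example that is not from the original thread. It uses the DhcpServer and DnsClient PowerShell modules of Windows Server 2012 and Windows 8 or later as a stand-in for the Windows 2000 DHCP console; the scope, addresses and domain name are hypothetical.

```powershell
# Added example; not from the original thread. Uses the DhcpServer and
# DnsClient modules (Windows Server 2012 / Windows 8 and later) as a stand-in
# for the Windows 2000 DHCP console; scope, addresses and names are hypothetical.

$Scope       = '10.0.1.0'
$AdDomain    = 'corp.example.com'
$InternalDns = @('10.0.1.10', '10.0.1.11')   # DC1 and DC2, both running DNS

# --- DHCP server side: option 006 lists only the AD DNS servers -------------
# Do not append the ISP resolver as a "fallback". A client that fails over to
# it cannot find the _msdcs SRV records, so logon and dynamic record
# registration break in a way that looks like a random outage.
Set-DhcpServerv4OptionValue -ScopeId $Scope -DnsServer $InternalDns -DnsDomain $AdDomain

# --- Client side: run on a domain member after "ipconfig /renew" -------------
$resolvers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
              Where-Object { $_.ServerAddresses }).ServerAddresses | Select-Object -Unique
$outside   = $resolvers | Where-Object { $_ -notin $InternalDns }
if ($outside) {
    Write-Warning "Resolvers outside AD are configured: $($outside -join ', ')"
}

# Every resolver the client may fall back to must be able to locate a DC,
# otherwise the redundancy is only apparent.
foreach ($dns in $resolvers) {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AdDomain" -Type SRV -Server $dns -ErrorAction SilentlyContinue
    if ($srv) { "$dns : DC locator OK ($($srv.NameTarget -join ', '))" }
    else      { Write-Warning "$dns : no DC locator SRV record; this resolver cannot serve AD clients" }
}

# Independent check through the DC locator itself
nltest "/dsgetdc:$AdDomain"
```

The per-resolver loop is the part worth keeping: it is the test that would have caught the ISP-as-second-server arrangement, because the ISP resolver returns nothing for the `_msdcs` name.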

Still on the "do not use recursion" option.  Sorry Matt, but I do want to get this right purely because this is the option I use and want to make sure that I'm doing the right thing.
Microsoft's help on DNS states: "A server can also be configured to not perform recursion after forwarders fail. In this configuration, the server does not attempt any further recursive queries itself to resolve the name. Instead, it fails the query if it does not get a successful query response from any of the forwarders."
The issue is with what the external DNS servers do (the forwarders).  When you send a standard query to an ISP's DNS server it will try to resolve the query, using root hints if it has to.  Why is a forwarded request any different?  I use the "do not use recursion" option and do not have any root hints set up, and all name queries are being resolved correctly.
Is there something I'm missing?
Jon
Jon, after doing more research, I have to say that you're correct.  I apologize for the misinformation.  I got it reversed.  I thought that when you turn on recursion, the forwarding DNS server will act as a DNS client and issue a recursive query to the forwarder, demand a definite answer, and do an iterative query when the forwarder fails.  Unfortunately, this is not the case.  It's the reverse.  However, turning on recursion can provide fault tolerance - no?  If the forwarder is down, then the forwarding DNS server can still resolve Internet names - assuming you have root hints defined.  Of course, more traffic and security issues will come into play.  Sorry again.  g0swell, maybe you should give Jon some points too.  He deserves it.  Take care.
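The order of operations the two of them settle on (own zones first, then the forwarders, then root hints only if "Do not use recursion" is left unticked), written out as a small PowerShell model so the four cases can be seen side by side. This is an added example, not from the thread and not how the Windows DNS service is implemented; the function name, the zone contents and the forwarder's answers are constructed test data. It also shows why the egress firewall rule matt023 mentions only makes sense together with forward-only: with recursion left on, the root-hints fallback would need outbound DNS to arbitrary Internet hosts, which that rule blocks.

```powershell
# Added example; not from the original thread. A model of the order in which a
# Windows DNS server tries to answer a query, to show what the "Do not use
# recursion" (forward-only, dnscmd /Slave) setting changes. All data below is
# constructed for illustration.

function Resolve-Modelled {
    param(
        [string]    $Name,
        [hashtable] $AuthoritativeZones,   # zone name -> @{ label -> address }
        [hashtable] $ForwarderAnswers,     # what the ISP resolvers would return
        [bool]      $ForwardersReachable,
        [bool]      $ForwardOnly           # "Do not use recursion" ticked
    )
    # 1. Authoritative data first (the AD domain zone). A name inside a zone we
    #    own is answered here, positively or negatively; it never leaves the LAN.
    foreach ($zone in $AuthoritativeZones.Keys) {
        if ($Name -like "*.$zone") {
            $label = $Name.Substring(0, $Name.Length - $zone.Length - 1)
            if ($AuthoritativeZones[$zone].ContainsKey($label)) {
                return "$($AuthoritativeZones[$zone][$label]) (authoritative)"
            }
            return 'NXDOMAIN (authoritative)'
        }
    }
    # 2. Forwarders: a recursive query goes to the ISP resolvers, which do the
    #    iteration. Any response they give, including a negative one, is accepted.
    if ($ForwardersReachable) {
        if ($ForwarderAnswers.ContainsKey($Name)) {
            return "$($ForwarderAnswers[$Name]) (via forwarder)"
        }
        return 'NXDOMAIN (via forwarder)'
    }
    # 3. No forwarder answered. Forward-only fails the query here; otherwise the
    #    server starts iterating from the root hints itself, which needs outbound
    #    DNS to arbitrary hosts and therefore more than a forwarder-only egress rule.
    if ($ForwardOnly) { return 'SERVFAIL (forwarders unreachable, forward-only)' }
    return 'iterating from root hints (needs unrestricted outbound DNS)'
}

# Constructed data: one AD zone, one name the ISP resolvers know.
$zones = @{ 'corp.example.com' = @{ 'dc1' = '10.0.1.10'; 'fileserver' = '10.0.1.20' } }
$isp   = @{ 'www.example.net' = '203.0.113.5' }

foreach ($case in @(
    @{ Name = 'dc1.corp.example.com'; Up = $true;  Slave = $true  },
    @{ Name = 'www.example.net';      Up = $true;  Slave = $true  },
    @{ Name = 'www.example.net';      Up = $false; Slave = $true  },
    @{ Name = 'www.example.net';      Up = $false; Slave = $false }
)) {
    $r = Resolve-Modelled -Name $case.Name -AuthoritativeZones $zones -ForwarderAnswers $isp -ForwardersReachable $case.Up -ForwardOnly $case.Slave
    '{0,-24} forwarders up={1,-5} forward-only={2,-5} -> {3}' -f $case.Name, $case.Up, $case.Slave, $r
}
```

The third and fourth cases are the ones the thread argues about: with forward-only set, a forwarder outage is a hard failure for everything outside the AD zone, which is exactly why the second internal DNS server matters more than any root-hints fallback.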
Thanks Matt, glad it's sorted.  Good luck g0swell.