Best practices for resolving external DNS queries

Posted on 2006-05-16
Medium Priority
Last Modified: 2010-03-18
We are currently running Microsoft DNS on two Windows 2000 servers and we currently have our ISP's DNS servers specified in our forwarder list. I have heard two different stories about forwarders and I'm trying to get a feel for what the best practice regarding forwarders is. In the blue corner are those that insist that it is a best practice to forward your external DNS requests to your ISP's DNS servers, as these servers perhaps have common addresses cached on the server, making for a quick answer to you. In the red corner are those that believe that you should not be specifying your ISP's DNS as a forwarder but get all your answers from the root hints servers. The basis of this is that your ISP's DNS might go down and you can't get any resolutions while they are down. In addition to this, the proponents of using the root hints servers say that you will always get the correct answer from the root hints as they are not allowed to cache answers, and you avoid the possibility of getting a polluted cached response if your ISP's cache is corrupt. Any help would be appreciated.
Question by:wchull

Accepted Solution

Mad_Jasper earned 100 total points
ID: 16693147
I had this discussion with a Microsoft support tech a couple of years ago. The Microsoft tech chastised me for not using forwarders and proclaimed that not using forwarders was the root of all evil in the world. The problem I had with using forwarding is that our ISP apparently played musical IP addresses with its DNS servers and we would find frequent errors in the event log. I discontinued forwarders and the event log errors went away. Now that we have a stable ISP, we use forwarders and have done so for the last 1 1/2 years, and we have experienced no problems that I am aware of.

So in conclusion, I am not sure that it mattered whether we used forwarders or root hints. Even when we received event log errors, there were no noticeable problems. It just looked ugly in the event viewer.

If I can find a list of pros and cons, I will post it for you.

Expert Comment

ID: 16693203
Well, there is the one point. I think that it is probably faster for your ISP's DNS servers to resolve queries (a la "forwarders") since they will have more cached entries on their DNS servers. If you use root hints, then your DNS server resolves the query on its own. Maybe this could become an issue on an older server or a server that runs many services, i.e., DNS, SQL, DHCP, AD.

But I really don't know how much a difference it could be.

Assisted Solution

jar3817 earned 100 total points
ID: 16693311
I'm on the opposite side of the fence. I have 4 nameservers on my network. 2 are for Active Directory and they both forward to the other two, which are authoritative for other domains and reverse DNS. These top-level DNS servers are recursive and use the root hints to find the answers. I COULD forward these servers to my ISP's servers but... then you are at the mercy of your ISP. If they change addresses and don't tell you, if they go down, if their cache gets poisoned or they have any other problems, you feel it.

The whole "it's faster because you're using your isp's cache" idea isn't always valid either. My top level nameservers act as a cache for the rest of my network. They are VERY stable (uptime in years) so the cache is never destroyed. Sure the first time someone asks for a name it'll take a little longer to resolve..but then after that it is cached locally. Who knows how often your isp's nameservers get restarted/crash/dump the cache.  

"The Microsoft tech chastised me for not using forwarders and proclaimed that not using forwaders was the root of all evil in the world."
Now that is a case of the pot calling the kettle black if I've ever heard one. That is ridiculous.

Expert Comment

ID: 16693756
"That is ridiculous."

Doesn't that describe Microsoft tech support?

Expert Comment

ID: 16698553
I checked my DNS properties this morning and discovered that I am using root hints, not forwarders. It shows how much it matters: I could not tell which one I am using.
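The two failure modes raised in this thread (jar3817's "at the mercy of your ISP" point about forwarders that go down, get renumbered or get a poisoned cache, and the comment above about not even knowing which mode the server is in) both come down to a handful of settings on the DNS server. The following script is an added example, not code from anyone in the thread: it reports which path a Windows DNS Server uses, whether it falls back to root hints when every forwarder is down, whether the cache-pollution protection is on, and probes each forwarder directly. It assumes the DnsServer and DnsClient PowerShell modules (Windows Server 2012 or later with the RSAT DNS tools), which the Windows 2000 servers in the question predate; the function name, `$DnsServer` and `$ProbeName` are placeholders chosen for this example.

```powershell
# Added example, not from the original thread. Audits the external-resolution
# path of a Windows DNS Server (forwarders vs. root hints) and probes each
# forwarder, so "I could not tell which one I am using" does not happen.
# Assumes the DnsServer and DnsClient modules (Windows Server 2012 or later
# with RSAT DNS tools). $DnsServer and $ProbeName are example placeholders.
#Requires -Modules DnsServer, DnsClient

function Test-DnsResolutionPath {
    param(
        [string]$DnsServer = 'localhost',
        [string]$ProbeName = 'www.example.com'
    )

    $recursion = Get-DnsServerRecursion -ComputerName $DnsServer
    $forwarder = Get-DnsServerForwarder -ComputerName $DnsServer
    $rootHints = @(Get-DnsServerRootHint -ComputerName $DnsServer)

    # Neither path works if recursion is off: fine for an Internet-facing
    # authoritative server, broken for the resolver your clients point at.
    if (-not $recursion.Enable) {
        Write-Warning "Recursion is disabled on $DnsServer; it will not resolve external names."
    }

    # SecureResponse is the "Secure cache against pollution" option. It drops
    # records in a reply that fall outside the zone the answer came from.
    # It matters on either path: with root hints it is your own cache that a
    # bad reply would pollute, not the ISP's.
    if (-not $recursion.SecureResponse) {
        Write-Warning "Secure cache against pollution is OFF on $DnsServer."
    }

    # Probe every configured forwarder directly. A dead or silently renumbered
    # ISP resolver shows up here rather than as unexplained event log errors.
    $probes = foreach ($ip in $forwarder.IPAddress) {
        try {
            $elapsed = Measure-Command {
                $answer = Resolve-DnsName -Name $ProbeName -Type A -Server "$ip" `
                    -DnsOnly -NoHostsFile -ErrorAction Stop
            }
            [pscustomobject]@{
                Forwarder = "$ip"
                Status    = 'OK'
                Answers   = @($answer).Count
                Ms        = [int]$elapsed.TotalMilliseconds
            }
        } catch {
            [pscustomobject]@{
                Forwarder = "$ip"
                Status    = "FAILED: $($_.Exception.Message)"
                Answers   = 0
                Ms        = $null
            }
        }
    }

    $mode = if ($forwarder.IPAddress) { 'Forwarders' } else { 'RootHints' }

    [pscustomobject]@{
        Server             = $DnsServer
        Mode               = $mode
        Forwarders         = @($forwarder.IPAddress | ForEach-Object { "$_" })
        # UseRootHint is "use root hints if no forwarders are available".
        # With it off, an ISP outage stops all external resolution.
        FallbackToRootHint = [bool]$forwarder.UseRootHint
        ForwarderTimeoutS  = $forwarder.Timeout
        RootHintCount      = $rootHints.Count
        RecursionEnabled   = [bool]$recursion.Enable
        SecureResponse     = [bool]$recursion.SecureResponse
        ForwarderProbes    = @($probes)
    }
}

# Run against the local server; change -DnsServer to audit a remote one.
$result = Test-DnsResolutionPath -DnsServer 'localhost' -ProbeName 'www.example.com'
$result | Format-List
$result.ForwarderProbes | Format-Table -AutoSize
```

Two things worth reading off the output. `FallbackToRootHint` is the setting that decides the availability argument: with forwarders configured and fallback on, an ISP outage costs you a timeout per query rather than all external resolution. And `Mode = RootHints` does not remove the poisoning concern raised in the question; it moves the cache being targeted from the ISP's server to your own, which is why `SecureResponse` is reported on both paths. On the Windows 2000/2003-era servers in the question, `dnscmd <server> /Info` dumps the equivalent server configuration, including the forwarder list.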
