Solved

Where should I point my DNS forwarders if my ISP does not provide an authoritative server?

Posted on 2006-07-18
10
380 Views
Last Modified: 2013-11-30
I am setting up a small AD environment on a non business class dsl and enabled DNS forwarders but need secure DNS servers to point to.
0
Comment
Question by:mantic1
  • 2
  • 2
  • 2
  • +3
10 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 17131623
You can't use anyone's DNS servers.
I normally say to use the ISPs. Otherwise see who the ISPs upstream provider is and use their's.
If you are getting a web site hosted then see if you can use the host's DNS servers.

Simon.
0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17131631
what has your ISP given you for DNS resolution for your hosts?

That is what I would point it at also if you set up your local host to be a caching name server it will use the root name servers on the internet.

http://www.root-servers.org/

check that out if they have not given you anything.

Thanks
Scott
0
 
LVL 57

Expert Comment

by:giltjr
ID: 17131826
O.K.  Lets make sure we understand everything.  

DNS forwarders are not the same thing as authorive DNS servers.  I have never heard of a ISP not providing DNS reslovers.

What do you mean by "secure DNS servers?"  Do you mean that you need to find some, secure meaning acquire the IP address of them?  Or do you mean that they need to be secure in the sense they are protected.

Do you really need to have DNS servers on the Internet that reslove host name for your IP domain?
0
 

Author Comment

by:mantic1
ID: 17131975
I'm use to having an agreement w/ your corporate ISP to use their DNS servers as forwarders.   What do you use instead if your dont have a business class solution?  I understand that you can't simply point to a DNS server your home ISP server provides and selecting a random DNS server could compromise your network.  Hence, i want a secure DNS server that is available as a forwarder.  btw - I'm using this article as reference  http://mcpmag.com/Features/article.asp?editorialsid=413


0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17132000
so are you talking about dynamic DNS?  one that changes if your IP address changes?

If this is the case; I have been using zoneedit.com for awhile now and they work great and they will dynamically update your dns.

Thanks
0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 
LVL 104

Expert Comment

by:Sembee
ID: 17132078
Your ISP isn't going to know whether it is a Windows XP machine or a server doing the DNS requests. All ISPs offer DNS services of some kind or another.

What I meant by my comment above is that you cannot use the DNS servers belonging to another ISP. You must use either your own, or use the root servers.

I don't see anything in that article that relates to your question.
It refers to securing DNS servers - that is very different from secure DNS servers.
Furthermore, you should be running public facing DNS servers from your AD DNS servers anyway.

Simon.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 17132086
I think what you want is:

The DNS service running on your Domain controller to foward to your ISP's DNS servers.  Instead of this you can load the hints file and have it use the root servers as Scotty_cisco  refered to.

All boxes on your network should be setup to point to your domain controller as their DNS server, this includes the domain controller.

Everything in your network sends resolution requests to the DNS service running on your Domain controller.  This will reslove all IP host names as needed.  

For the IP domains that your DNS server is authorive for, it will reslove them itself.  For any IP domains that your DNS server is NOT authoritive for (ibm.com, microsoft.com, experts-exchange.com, etc), it will forward to your ISP's DNS servers or the root servers.  Which will reslove the names.
0
 

Author Comment

by:mantic1
ID: 17132180
Ok, we are more on the same page w the last comment.  I need to fill in the Forwarders tab on my DNS Server.  Like the example below...

http://mcpmag.com/images/0504mcp_DNS5.gif


Here's the type of forwarding I'm ultimately would like to achieve in the link below...

http://www.windowsnetworking.com/articles_tutorials/DNS_Conditional_Forwarding_in_Windows_Server_2003.html

I just need the correct FORWARDER server IP Address that's normally provided by a corporate ISP but in this scenario I am not in a corporate environment.


0
 
LVL 9

Assisted Solution

by:NYtechGuy
NYtechGuy earned 75 total points
ID: 17132243


You can use your ISPs DNS servers, or you can contract with an outside service.  UltraDNS is a world renowned provider- they do authoritative DNS for companies such as Amazon.com, ebay.com etc.  They also provide recursive DNS - which is what you are looking for.

Highly recommended.
0
 
LVL 25

Accepted Solution

by:
mikeleebrla earned 50 total points
ID: 17132247
you CAN point it to any public DNS server on the internet such as
4.2.2.2
66.218.71.63

actually you don't have to enter anything on the forwarders tab since your DNS server will use the "root hints" servers if nothing is listed there.  I always list a few forwarders since the root hints servers are often busy and slow.


the link below straight from MS will answer most of your windows DNS questions:

http://support.microsoft.com/kb/291382
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Suggested Solutions

I wrote this article to explain some important DNS concepts that should be known to avoid some typical configuration errors I often see in forums. I assume that what is described here is the typical behavior of Microsoft DNS client. I don't know …
Let’s list some of the technologies that enable smooth teleworking. 
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now