Need advice when switching from Windows DNS to Linux DNS

I am switching from a Windows DNS server over to a Linux one and want to make sure I understand things before I do the cutover.

On my Windows domain I can ping DOMAIN.COM and it responds with my domain controller's IP address. When I switched over to Linux on a test workstation and pinged DOMAIN.COM I got no response. I am wondering if this will be an issue? Any other things I should be thinking of on this switchover?

Asked by WTarlton
MSE-dwells commented:
Heem14: You really don't need Windows DNS for Active Directory, although it is advisable, but purely for the purpose of secure dynamic update. We do need at least BIND 4.9.6 (that's off the top of my head, but it's around that ballpark) for SRV record support, though BIND 8.1.2 was recommended (again, going from memory here).

WTarlton: There is a known issue with Windows 2003 DNS implementations that causes intermittent name resolution failures. EDNS0 is a mechanism allowing DNS requestors to advertise the size of their UDP packets (based on their MTU) to facilitate the transfer of DNS messages containing more possible responses. When a DNS server receives a request over UDP (which is the default for resolution attempts), it determines the requestor's UDP packet size and attempts to scale its response such that it contains as many records as permitted by that packet size ... something that any number of routers between the two end-points may dislike and subsequently drop. You can disable EDNS0 support using the registry (restart the DNS server once implemented) -

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters

Value [REG_DWORD]: EnableEDNSProbes = 0x0

... to disable EDNS0
0
 
Heem14 commented:
If you have Active Directory you need a Windows DNS server internally. Use Linux externally or for non-domain things, but you need a Windows DNS server for AD.
0
 
Brian Pierce (Photographer) commented:
Any reason for this? Windows DNS integrates better with Active Directory and provides secure updates, very efficient replication via AD replication, and integration with DHCP.

If you must move to another DNS then make sure that the DNS supports SRV records and dynamic updates; this is a requirement for a Windows domain. You will need to set up the DNS zone on the Linux box and make sure that all of your clients and servers are reconfigured to use the new DNS server as the preferred DNS server. This may involve manually changing TCP/IP settings and/or DHCP options.
0
WTarlton (Author) commented:
Well, for some reason lately my DNS server stops forwarding to my external Internet provider's DNS. So basically my whole company's Internet dies because it cannot resolve any names. I can still resolve anything internally, and I can go to google.com by the IP but not by name. Sometimes it comes back by itself after 5 minutes and other times I have to completely reboot the DNS server for it to come back. I have checked event logs and find no reason for such behavior. I figured I would just throw in 2 dual Linux DNS servers to solve the problem, but it's sounding like that may not be such a good idea.

Any ideas?
0
 
Tintin commented:
It very much depends on your internal network and your LAN as to whether you really need a Windows DNS server.

Do you use AD?
0
 
Brian Pierce (Photographer) commented:
You really need to sort this out rather than move to a Linux DNS just for this reason; there is no guarantee that a Linux-based DNS will not do the same, and it has the potential to introduce a lot more problems.

First thing to check is that ALL clients and servers, including the Windows server running DNS, point to the Windows DNS server as their preferred DNS server. If you have multiple Domain Controllers with DNS installed then clients can be configured with the address of another internal DNS server as the alternate DNS server. DNS servers themselves, however, should not have an alternate DNS specified, and on no account should any external DNS servers be set as preferred or alternate DNS servers anywhere.

Your ISP's DNS servers should appear in DNS as (unconditional) forwarders - on the Forwarders tab of the DNS server's properties in the DNS console. You can also provide other public DNS servers in case of issues with your ISP's DNS servers (4.2.2.1 and 4.2.2.2 are used quite commonly as backups to ISPs' DNS servers).
0
 
omarfarid commented:
Hi,

From the initial problem description, it looks like you have a network issue, since pinging from the Windows DNS server works, while it does not work from the Linux workstation.

Why do you need to forward your DNS queries to your ISP's DNS servers? If you have a full-fledged DNS server, then it should work independently of your ISP's DNS servers.

It is always a good idea to have more than one DNS server in your network, and I do not see any problem in getting a Linux-based DNS server to work.
0
 
Brian Pierce (Photographer) commented:
omarfarid:

This could be a network or configuration issue.

Forwarders are required to resolve external names efficiently (much more efficient than root hints).

Yes, multiple servers are better (but let's get the one running first).

Yes, you could use Linux-based DNS - providing it meets the requirements - but if it's a network or configuration problem it's not going to solve the issue and could result in more problems.
0
 
omarfarid commented:
Hi,

KCTS:

Thank you for your comments, and I would like to assure you that my aim is to help resolve the problem, not complicate it.

If you read my comments carefully, you will find that I was commenting on not being able to ping from the other node.

Also, WTarlton showed interest in adding more DNS servers to the network. You yourself agreed that it is a better idea.

In my opinion the problem is in communicating with the external network, and in relying on the ISP's DNS servers, which could have their own problems as well.

A DNS server will always meet the requirements of a DNS server, but it could be other MS stuff that may not work with the Linux DNS server.
0
 
Brian Pierce (Photographer) commented:
I am sure you are trying to assist, but I was trying to simplify the situation in order to determine the root cause of the problem, and putting in additional DNS servers while we are still trying to determine this is not going to help much - in the longer term, yes, additional DNS servers (and DCs) are always a good idea, but I'm not convinced that a Linux-based DNS is the answer.

I'm not suggesting you cannot use a Linux-based DNS, but as all the machines are Windows (apart from the experimental Linux machine), there seems little merit in this approach and it seems to me it only serves to complicate the issue. On that point, any old DNS server will not do: DNS must support SRV and dynamic update, and while MOST do, SOME do not.

Once it is confirmed that the DNS configuration is correct, then we can begin to narrow down the problem if it still exists. The basic DNS recursive query test and NSLOOKUP tests would be the next stage, I would think.
0
 
omarfarid commented:
Hi,

Thank you KCTS :)

The current situation is that the main DNS server (the Windows server) has a problem of not being able to resolve external sites, and hence users are not able to browse the Internet.

Also, a new DNS server (the Linux one) was introduced to the network and it has a problem as well.

Now, we have a situation of users not being able to access the Internet; otherwise everything else seems OK.

I think priority is to make users have the ability to browse the Internet.

This could be by solving the current DNS server problem (which might take time before fixing it).

Or, by adding another DNS server (regardless of whether it is Windows- or Linux-based) that can resolve external sites.

Once this problem is resolved, adding additional DNS servers can be studied.

Now, to see if there is a network problem or not, I recommend the following:

From any node:

- run nslookup to resolve from other DNS servers (e.g. ns1.cisco.com):

    nslookup
    > server 128.107.241.185
    > www.yahoo.com

If the above works, then I would say that there is no network issue related to routing or UDP (DNS) traffic.

If it did not work, then there could be an issue that requires investigation with the network administrator or the ISP.


Thanks
0
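As an added example (my own code, not something posted in this thread), a small Python probe that performs the same kind of check omarfarid describes, against a server you choose explicitly, and additionally sends the query once as plain UDP and once with an EDNS0 OPT record advertising a 4096-byte payload, the feature MSE-dwells's registry change turns off on the Windows side. If the plain query is answered but the EDNS0 one times out, replies larger than the path tolerates are being dropped somewhere between you and that server. The resolver address and the name are placeholders you supply; the parser handles name compression pointers but deliberately ignores record contents.

```python
import socket
import struct

def build_query(name, qtype=1, edns_udp_size=None, txid=0x1234):
    """DNS query for `name` (RD set); with edns_udp_size, append an EDNS0 OPT record."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_udp_size else 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split(".")) + b"\x00"
    pkt = header + qname + struct.pack(">HH", qtype, 1)           # QTYPE, QCLASS=IN
    if edns_udp_size:  # OPT pseudo-RR: root name, TYPE 41, CLASS = advertised UDP payload size
        pkt += b"\x00" + struct.pack(">HHIH", 41, edns_udp_size, 0, 0)
    return pkt

def _skip_name(data, off):
    while True:                      # walk labels; a 0xC0.. pointer is 2 bytes and ends the name
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_response(data, txid=0x1234):
    """Summarise a raw response: rcode, TC bit, answer count and the server's EDNS0 size."""
    rid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4                            # QTYPE + QCLASS
    edns_size = None
    for _ in range(an + ns + ar):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        if rtype == 41:
            edns_size = rclass                                     # OPT: CLASS = UDP size
        off += 10 + rdlen
    return {"rcode": flags & 0xF, "truncated": bool(flags & 0x0200),
            "answers": an, "edns_udp_size": edns_size}

def query(server, name, edns_udp_size=None, timeout=3.0):
    """One UDP query to `server`; None on timeout, the symptom of a reply dropped in transit."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, edns_udp_size=edns_udp_size), (server, 53))
        return parse_response(sock.recvfrom(4096)[0])
    except socket.timeout:
        return None
    finally:
        sock.close()
```

From any node, run query("<resolver-ip>", "www.yahoo.com") and then the same call with edns_udp_size=4096 and compare the two results; build_query and parse_response also work offline on captured packets.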
 
Brian Pierce (Photographer) commented:
True, you don't NEED Windows DNS, but if you are going to use an alternative it must be BIND 8.2.2 or later, since it MUST support both SRV records and dynamic updates.

My personal opinion is still that it is folly to seek to replace Windows DNS with BIND unless there is some compelling reason for doing so, and I don't think that is the case here.
0
 
omarfarid commented:
Hi,

Whether to replace Windows DNS server with some other DNS server or not is not the current problem.

This can be considered later if better options are required.

WTarlton:

Any progress / update on the issue?
0
 
MSE-dwells commented:
Sorry, but I'm afraid I still don't agree with your first point -- you also do not _need_ dynamic update (secure or otherwise), though as I said, it is indeed advisable for sanity's and (in the case of secure dynamic update) security's sake. In addition, my BIND reference was accurate -- per http://support.microsoft.com/kb/237675, BIND 8.1.2 is the stated supportable minimum, though by no means the recommendation.

Regarding your last comment, with that I agree entirely. While there are absolutely compelling reasons to use BIND DNS, I haven't identified any within this thread.
0
 
Brian Pierce (Photographer) commented:
I think we'll call that a draw - OK, it is 8.1.2, not 8.2.2, but dynamic update IS required (see http://technet2.microsoft.com/windowsserver/en/library/73c0ae36-8058-43d1-8809-046eb03b73fb1033.mspx?mfr=true)

Anyway, I think we are drifting off the point here and should draw this to a close. We should be concentrating on WTarlton's problem.

Any update ?
0
 
MSE-dwells commented:
I wasn't trying to win in the first place; I tried only to state a technical fact as I see it. To my mind, this conversation is entirely relevant to the OP's question and, as such, I'm comfortable proceeding. That said -- seriously ... dynamic update is NOT required; I have implemented many an AD in this manner ... not by design but by requirement. The Internet is rife with information to that effect; to quote the article you directed me toward (verbatim, I might add) -

"Support for dynamic updates is recommended but not essential"

Please understand that (most of) my responses aren't meant to be argumentative (but we're all human); they just represent a difference of opinion which I'm comfortable volunteering :0)
0
 
WTarlton (Author) commented:
Sorry all, I just got into work. I find MSE-dwells's comment might be right on with the symptoms I'm seeing:

WTarlton: There is a known issue with Windows 2003 DNS implementations that causes intermittent name resolution failures. EDNS0 is a mechanism allowing DNS requestors to advertise the size of their UDP packets (based on their MTU) to facilitate the transfer of DNS messages containing more possible responses. When a DNS server receives a request over UDP (which is the default for resolution attempts), it determines the requestor's UDP packet size and attempts to scale its response such that it contains as many records as permitted by that packet size ... something that any number of routers between the two end-points may dislike and subsequently drop. You can disable EDNS0 support using the registry (restart the DNS server once implemented) -

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters

Value [REG_DWORD]: EnableEDNSProbes = 0x0

... to disable EDNS0

I do not think this is any kind of network problem, just DNS. Like I said, when the DNS bombs out I just can't resolve names, but I can still get to the Internet via IP addresses and all internal DNS names still function (they may be cached; if it happens again I will flushdns just to verify). I have made the registry change and will see if the symptoms continue. Do you know if I need to reboot the server or restart the DNS service for this change to take place?

0
 
WTarlton (Author) commented:
And just to be clear, I would rather stay with my Windows DNS, but I don't have the luxury to really fix that server because it is the only DC we have and it's running all the home shares and some critical databases. I would like to split that stuff up into multiple servers, but we are a small company and the boss don't wanna spend the $$$ :)
0
 
MSE-dwells commented:
A restart is required for the change to take effect ... bouncing the entire box will achieve that obviously but is a tad extreme :0)
0
 
WTarlton (Author) commented:
So far so good. If the DNS stays up without crashing for 1 more day I will award points to you MSE-dwells :)
0
 
MSE-dwells commented:
... holding my breath ;0)
0
 
WTarlton (Author) commented:
Hasn't crashed yet!!! Thanks
0