Solved

A few easy (for an expert) questions about DNS, load balanced IPs, and IP numbers

Posted on 2008-06-20
Last Modified: 2010-04-21
I am trying to understand the ins and outs of DNS, which is necessary but very hard given my primary role as a developer and the complexity of what I'm trying to set up. My main use for DNS will be to serve redundant website and web application needs rather than clients connecting on an internal network. I have a few questions about DNS as it relates to use with IIS and NLB.

Background:  My server's network card has two IPs assigned to it: if you go to TCP/IP settings for the device, you can see two IPs listed. For the first IP, I have set up my own nameserver at my domain name provider and it points to the IP of my server. For the second IP, our institution is providing institution.edu and my DNS is a subdomain of that: ourdomain.institution.edu. My IIS websites are set up to keep an eye out for both IPs. One of these IPs I eventually intend to set up as the IP for an NLB cluster.

Question #1: In DNS, in my ourdomain.institution.edu.local folder of my forward lookup zones, BOTH of the IPs mentioned in the previous paragraph have Host (A) records. Is this correct or not? Will this be correct once my clustered IP is set up?

Question #2: What does the ourdomain.institution.edu.local section refer to? Perhaps the local (private) network? This is a basic question about DNS.

Question #3: What do the _msdcs.ourdomain.institution.edu records refer to/mediate? This is a basic question about DNS.

Question #4: Again in the forward lookup zones, I have nameserver records that include BOTH IPs described in the paragraph above in the following sections:
_msdcs.ourdomain.institution.edu
ourdomain.institution.edu.local
myCustomDomainNameBeingPointedFromMyDomainNameProvider.com
ourdomain.institution.edu.  

I am wondering if both IPs should be listed in the nameserver records in all of the places listed above, especially myCustomDomainNameBeingPointedFromMyDomainNameProvider.com.

Question #5: for redundancy on the name resolution on my websites, I will want to have multiple nameserver entries on the SOA record, correct? This does NOT mean that I want multiple Host(A) records mapping to each of my servers' IPs, unless I have a site set up on each IP, correct? My understanding is that when I finish getting my NLB clustering set up for my IIS websites, in the forward lookup zone associated with a particular website, I should remove the (A) record that corresponds to an individual server IP and only put the cluster IP in place, as an A record, correct or no?  If not what is the right practice?

Question #6: If I right click on the "interfaces" section of my DNS server, I see "Listen only on the following IP addresses". Two are listed as described in my intro paragraph. Should I be listening on all IP addresses? What is the advantage and tradeoff?

Question #7: I understand there is a limit on the use of host header mapping when you are trying to host https-secure websites. What is that limit, generally?

Question #8: My SOA and nameserver records refer to ourdomain.institution.edu.LOCAL [emphasis mine] as the name servers, for both seemingly internal uses (the ourdomain.institution.edu.local and _msdcs.ourdomain.institution.edu sections), and for external uses (e.g. forward lookup zones corresponding to names corresponding to websites). I am wondering if this is perfectly acceptable or not. Both names will resolve from inside the network, I think (.local and non-.local); why use one or the other for this need?

Many thanks for any insights you can offer. I'm finding the whole DNS thing rather difficult, but am slowly but surely learning some of the things I need to know.
Question by:kennethfine
14 Comments
 
LVL 6

Expert Comment

by:DocCan11
ID: 21836112
so many questions.. so little time.. ahhaha.. Ok

I am not exactly clear about this statement

For the first IP, I have set up my own nameserver at my domain name provider and it points to the IP of my server.

I can easily answer all your questions once I understand your environment
0
 
LVL 6

Expert Comment

by:DocCan11
ID: 21836125
if you mean you are running a DNS domain at your ISP and it has an A record that points to one of your IP addresses this is perfect.. Or do you mean at your ISP they have a NS record that points to DNS that is running on this server.. it makes a big difference to the answer.

1.. In a nutshell this is correct.. since your computer has 2 IPs it will register 2 A (host) records.. this way when someone queries DNS for your servername the DNS server will return BOTH records.. and because of DNS round-robining.. it will load balance them..

eg.. if your IP addresses are 1.1.1.1 and 1.1.1.2.. and you have both A records in your DNS domain for them .. then the first person who queries for your servername will get the following IPs returned to them in this order.. 1.1.1.1, 1.1.1.2.. the next client who queries for your name will get them in this order 1.1.1.2, 1.1.1.1 .. each time it will do this.. reverse the order.. the idea is the client always tries to go to the first IP it gets and only tries the second when the first times out.. so you now have a load balance created

If you give me more info I will answer the rest
0
 
LVL 6

Expert Comment

by:DocCan11
ID: 21836130
question 3.. the _msdcs domain is there because you are running Active Directory.. this is where Microsoft stores the SRV records that Microsoft clients look for when they are trying to find Domain Controllers

0
 
LVL 6

Author Comment

by:kennethfine
ID: 21836376
Thanks. I can give you whatever info you want, including dumps of Ipconfig, DCDIAG, netdiag, etc. I still have a ton to learn but it's beginning to make some sense.  Just let me know what's helpful and I'll get it out to you.

For my domain name provider, I set up the nameservers myself by clicking on the link they provided:
"If you want to create or modify a nameserver which is based on uwnews.org click here.... this link is usually meant for people who are running their own DNS server blah blah blah." That's me.
0
 
LVL 6

Author Comment

by:kennethfine
ID: 21836399
In the short term I especially need to figure out the answer to question #5.

I have a domain name registered, let's call it myCustomDomain.com
I have set up the nameservers "based on myCustomDomain.com" at the domain name provider by filling in references back to (A) records on my site (e.g. www.myCustomDomain.com and admin.myCustomDomain.com)

I have all of my zones replicating properly to a secondary domain controller running AD and DNS. I have verified this is working pretty well because as of a couple of hours ago I have DFS running fine, too.

So getting back to the Domain name I'm providing DNS Services/Name services/however you'd phrase it: -- myCustomDomain.com -- right now my setup is extremely badly configured. "www.myCustomDomain.com" and "admin.myCustomDomain.com" are listed as the primary and the secondary nameservers with my domain name provider and for now BOTH of those are pointed back at the SAME server and IP address. This is stupid given that I now have a fully functional alternate DC/DNS/AD box.

So what I need to know is the step-by-step of what else to add to make this work.

Should I only add my secondary as a nameserver on myCustomDomain's SOA record, and point the domain name provider as follows:

www.myCustomDomain.com     130.95.8.1
admin.myCustomDomain.com      130.95.9.2 (IP of secondary nameserver)

OR, do I also need to be creating an (A) record with the IP of the server? I don't think so, because I don't have a mirror of the content on that second server.

These are somewhat stupid questions in that I could probably find the answers I need with reading. Unfortunately I'm dealing with live sites and the latencies involved with DNS mean that errors are "expensive." I would rather check it with someone else.

If you can answer this and my other more general questions I'd surely appreciate it! THANKS!!!
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21836960

> Question #3:  ... _msdcs.ourdomain.institution.edu

Is that really exactly that and not _msdcs.ourdomain.institution.edu.local?

If is it that, do you have an _msdcs folder under the .local zone as well?

Breaking down question 5 :)

> Question #5: for redundancy on the name resolution on my websites, I will want to
> have multiple nameserver entries on the SOA record, correct?

No, absolutely not.

The SOA, Start Of Authority, is granted to the Primary Name Server in a traditional DNS configuration.

Active Directory Integrated zones break this slightly as each is a Primary version. Therefore, each Domain Controller hosting the zone lists itself as Start of Authority (when you view it from that DNS server).

> This does NOT mean that I want multiple Host(A) records mapping to each of my
> servers' IPs, unless I have a site set up on each IP, correct?

SOA won't have an impact on Host (A) Records for a given resource.

>  I should remove the (A) record that corresponds to an individual server IP and only
> put the cluster IP in place, as an A record, correct or no?  

When you set up NLB you will end up creating a third Cluster IP. That is the IP you need to use for public access to the site. The original two stay as they are, although they aren't necessary in the public zone.

I want to cover some of the other questions as well, then I have some of my own :)

> Question #6: If I right click on the "interfaces" section of my DNS server,
> I see "Listen only on the following IP addresses". Two are listed as described
> in my intro paragraph. Should I be listening on all IP addresses? What is the
> advantage and tradeoff?

The DNS Service needs to listen on every IP you expect it to answer request on. If it doesn't, it simply won't be able to answer the requests.

> Question #7: I understand there is a limit on the use of host header mapping
> when you are trying to host https-secure websites. What is that limit, generally?

You cannot use Host Headers for HTTPS. Host Headers are only valid for HTTP, HTTPS must have distinct IP addresses per site.

> Question #8: My SOA and nameserver records refer to ourdomain.institution.edu.LOCAL
> [emphasis mine] as the name servers, for both seemingly internal uses (the
> ourdomain.institution.edu.local and _msdcs.ourdomain.institution.edu sections),

For a Public Zone it's bad and shouldn't be done. Records in a public zone should be correct for the public.

Before getting into detail we need to drop back a bit otherwise this is going to get very confused. That'll come in the next post though, to keep things moderately clear.

Chris
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21836998

Okay, back to the beginning again.

We need to make a distinction between Public and Private zones in DNS. The terms aren't official, but they will do to describe a server hosting a mixture like this.

A Public Zone should contain Public Records and IP Addresses only. It shouldn't list or refer to anything in a Private Zone because it's so very easy to break things that way.

A Private Zone is typically one used internally only, perhaps most commonly for systems like Active Directory. It contains records that are only of interest to Internal clients and shouldn't be made public.

If we take a look at Question 4 above you have these Zones:

_msdcs.ourdomain.institution.edu
ourdomain.institution.edu.local
myCustomDomainNameBeingPointedFromMyDomainNameProvider.com
ourdomain.institution.edu.  

Private Zones:

_msdcs.ourdomain.institution.edu
ourdomain.institution.edu.local
ourdomain.institution.edu

Each of these zones looks to be something to do with Active Directory. Hopefully none of those zones are Public.

Because of the _msdcs zone the implication is that "ourdomain.institution.edu" is the main Zone for the Active Directory Domain. With _msdcs delegated out into a separate zone.

You're likely to find Dynamic Updates enabled and each set to Active Directory Integrated.

Public Zones:

myCustomDomainNameBeingPointedFromMyDomainNameProvider.com

This one needs to have records that are correct for the public only. Dynamic Updates should be disabled (if not already).

You should create new Host (A) Records for the Name Server listing only the Public IP Address. That should be used for the NS and SOA Records.

So we end up with something like this (shortening to domain.com for convenience):

domain.com.  IN SOA  ns1.domain.com.  ( Values for SOA ...)

domain.com.  IN NS    ns1.domain.com.
domain.com.  IN NS    ns2.domain.com.

ns1.domain.com.  IN A  130.95.8.1
ns2.domain.com.  IN A   130.95.9.2

www.domain.com.  IN A  <IPOfNLBCluster>

It will look slightly different within the MS DNS console, but that is the essence of it.

If you have more than one Name Server you will need to have another NS Record, although the SOA remains the same.

Whatever you enter for the NS Records should match the entries you created with the Registrar, or the entries at the Registrar should be changed to be consistent.

I have to say it somewhere in this post: Hosting Public DNS Services on an Active Directory Domain Controller cannot be considered good practice. The needs of each are quite different and it makes this configuration more complex and less secure.

Chris
0
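As an added example (not code from this thread, nor anything from Microsoft DNS), the checks Chris lists for a public zone, run over a constructed copy of the zone above and over a constructed copy of the misconfigured state the asker described. The 130.95.8.10 cluster address and the 10.0.0.5 leak are placeholders.

```python
"""Consistency checks for a 'Public Zone': NS and SOA targets must be fully
qualified and must not be private (.local) names, every name server needs a
Host (A) record with a public address, the SOA primary must be one of the
name servers, and the NS set must match what the registrar was given."""
import ipaddress

PRIVATE_SUFFIXES = (".local.",)

# Constructed zone, shaped like the one in the post above.
GOOD_ZONE = [
    ("domain.com.",     "SOA", "ns1.domain.com. hostmaster.domain.com. 1 900 600 4147200 86400"),
    ("domain.com.",     "NS",  "ns1.domain.com."),
    ("domain.com.",     "NS",  "ns2.domain.com."),
    ("ns1.domain.com.", "A",   "130.95.8.1"),
    ("ns2.domain.com.", "A",   "130.95.9.2"),
    ("www.domain.com.", "A",   "130.95.8.10"),   # placeholder for <IPOfNLBCluster>
]

# Constructed copy of the state the asker describes: SOA and NS still name the
# DC's .local host, neither NS has glue, and a private address has leaked in.
BAD_ZONE = [
    ("domain.com.",     "SOA", "server1.domain.com.local. hostmaster.domain.com. 1 900 600 86400 3600"),
    ("domain.com.",     "NS",  "server1.domain.com.local."),
    ("domain.com.",     "NS",  "ns1.domain.com."),
    ("www.domain.com.", "A",   "10.0.0.5"),
]

# What the registrar delegation should say (constructed).
REGISTRAR_NS = ["ns1.domain.com.", "ns2.domain.com."]


def is_public_ip(addr):
    """True for an address that may legitimately appear in a public zone."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_public_zone(zone, registrar_ns):
    """Return a list of problems; an empty list means the zone is consistent."""
    problems = []
    a_records = {owner: rdata for owner, rtype, rdata in zone if rtype == "A"}
    ns_names = [rdata for owner, rtype, rdata in zone if rtype == "NS"]
    soa = [rdata for owner, rtype, rdata in zone if rtype == "SOA"]

    # 1. Names must be fully qualified and must not point into a private zone.
    for owner, rtype, rdata in zone:
        if not owner.endswith("."):
            problems.append(f"{rtype} {owner}: owner name is not fully qualified")
        if rtype in ("NS", "SOA"):
            target = rdata.split()[0]
            if not target.endswith("."):
                problems.append(f"{rtype} -> {target}: missing trailing period")
            if target.endswith(PRIVATE_SUFFIXES):
                problems.append(f"{rtype} -> {target}: private name in a public zone")

    # 2. Every name server needs glue (a Host record) with a public address.
    for ns in ns_names:
        if ns not in a_records:
            problems.append(f"NS {ns}: no Host (A) record (no glue) in the zone")
        elif not is_public_ip(a_records[ns]):
            problems.append(f"NS {ns}: glue address {a_records[ns]} is not public")

    # 3. Exactly one SOA, and its primary must be one of the NS records.
    if len(soa) != 1:
        problems.append(f"zone has {len(soa)} SOA records, expected exactly 1")
    elif soa[0].split()[0] not in ns_names:
        problems.append(f"SOA primary {soa[0].split()[0]} is not listed as an NS")

    # 4. The NS set must agree with the registrar delegation.
    if set(ns_names) != set(registrar_ns):
        problems.append(f"NS set {sorted(ns_names)} does not match registrar {sorted(registrar_ns)}")

    # 5. No private addresses anywhere in a public zone.
    for owner, addr in a_records.items():
        if not is_public_ip(addr):
            problems.append(f"A {owner}: {addr} is not a public address")
    return problems


if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(label, check_public_zone(zone, REGISTRAR_NS) or "OK")
```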
 
LVL 6

Author Comment

by:kennethfine
ID: 21838291
Wow, thanks much Chris, that background is so extremely helpful.
I have a bunch of machines at my disposal and in time and when I know enough I will break things up a bit more according to best practices.

Clarifying Question #4, I mis-wrote last night. My forward lookup zones look like this:
_msdcs.domain.com.local
domain.com.local
customdomain1.com
customdomain2.com

Clarifying my question about SOA, this is what I have. If I click on any of the zones, public or private, there is a SOA record that lists the primary server. That primary server is listed as the server machine I'm on, e.g. if I'm looking at records on the DNS console on server1.domain.com the primary server is listed as server1.domain.com.local. Now I am noticing that on my public zones (customdomain.com) that primary server is listed as "server1.domain.com.local" and if I am understanding you correctly that is bad.

Compounding our potential confusion, way back when I set this DNS up and had no idea what I was doing, I appended ".local" as part of a name I should not have, and I have been advised this is functional but "weird."

In the MSFT DNS console, when you double click on Forward Lookup Zones --[zone] --> SOA, it brings up the SOA record that lists the primary server. There is a tab called "nameservers" right next to it. If you click on the nameservers tabs it brings up a list.  

If I am hearing you correctly multiple nameservers should be listed on that tab. They should be described as ns.domain.com, NOT ns.domain.com.local, because that is a confusion of their public and private roles. (right now, I notice my setup lists both: ns.domain.com AND ns.domain.com.local)

If I am hearing you correctly I may also want to revisit what I am calling my A records, at least for the purposes of following a convention.

Right now my A records, which serve to create the nameserver that I've pointed my domain name provider at, look as follows in the MSFT DNS console (numbers are fake):

admin    Host (A)    150.90.9.25    static
www   Host (A)     150.90.9.25   static

At my domain name provider, I have pointed them to "admin.domain.com" and "www.domain.com".

What you seem to be suggesting is that (at least as a convention) I should create A records that correspond to my server machine names, one for each machine. So in the MSFT console for a given public zone -- domain.com -- it would look like

machinename1   Host(A)   150.90.9.25   static
machinename2   Host(A)   150.90.9.38   static

The primary server in the SOA record would be tied to an individual machine, but the multiple nameserver records and the multiple (A) records referenced by my domain name provider would assure redundancy. Is that correct?

Based on my setup this would mean that my server machines would be recognizable on the internet as

machinename1.domain.com
and
machinename.subdomain.institution.edu
 
I will mention one other thing that may or may not matter. I have public zones based off of custom domain names purchased from a provider: domain.com. The names of my systems are based off of my institution: machinename.subdomain.institution.edu. In the nameserver section for the public zones, I am listing machinename1.subdomain.institution.edu and machinename2.subdomain.institution.edu. I don't think this should matter, since the resources are publicly addressable one way or another.

Thanks again for your generous help. I'll learn everything in time.
 
0
 
LVL 6

Author Comment

by:kennethfine
ID: 21838447
Following up on one item: my domain itself is named XXXX.XXXX.XXXX.local. A machine that joins the domain is machinename.xxx.xxx.xxx.local.

This is "wrong", is it not?

Do I need to worry about this?

Do I need to be creating DNS records that reference .local.local?
 
Can this/should this be changed now? I am not connecting many clients to this system: the domain stuff mainly serves web application needs.
0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 21840324

> Clarifying Question #4, I mis-wrote last night. My forward lookup zones look like this:

Ahh good, that's a lot more consistent :)

> Now I am noticing that on my public zones (customdomain.com) that primary
> server is listed as "server1.domain.com.local" and if I am understanding you
> correctly that is bad.

Yep, it is. We want those fully consistent for public use.

We can't do that and have it use AD Integrated zones though. It'll continually "correct" the value for us.

So, pick a server you want to be Primary, then change its zone type from AD Integrated to Standard Primary.

Make sure Dynamic Updates is disabled, then fix all the NS and SOA records so they look good as far as the public are concerned.

These are the steps for that:

1. Create a Host (A) Record called ns1 (note that this can be whatever you like within reason, it's entirely arbitrary). This record should match the Name Server entries you gave to your Registrar.

2. Modify the NS Records. Remove the old one, add ns1 as the new one (again so it's referencing the public IP). It will ask if you want to remove the Host Record for the old server, you do, it's referring to Glue within the current zone, not the record in the proper zone.

3. Modify the SOA Record. Two fields for this one, the important one is Primary Server. Set that to ns1 (browse is probably easiest). Note the period (dot) it adds to the end of the name, it's important to keep that.

Responsible Person is the other field. That one is an e-mail address. Not exactly in common use these days so you could just put whatever you want there. If you want to put something meaningful the @ symbol is replaced with a period. e.g. hostmaster@yourdomain.com becomes hostmaster.yourdomain.com. for the SOA. Again, note the period suffixed onto the record, it is important to keep that.

4. Add Host and NS Records for ns2 (representing the second DC, and again the name can be whatever you wish).

5. Open the Properties for the zone and select Zone Transfers. Tick allow Transfers and select "Only to the following servers". Add the Private IP address of your second Name Server.

6. Head to the second server, make sure the zone doesn't exist at the moment.

7. Add a new Secondary Zone and enter the Private IP of ns1 as the Master.

8. Test it! Make sure you can right click on the Secondary zone and select Transfer from Master.

9. Make sure if you change it on ns1 you can run Transfer from Master and that you see the change.

And just a few notes on all that.

Periods (dots) after Names:

The period on the name indicates that it's "all" of the name, if it's not there the server will add on the zone name.

That is, if you have a record called "bob.domain.com" (without the period) the server reads that and makes it "bob.domain.com.domain.com.". Basically excluding the period allows you to use shorthand for writing records, but if you forget to add it it'll break things.

MS DNS will add the period for you in almost every instance, but it's worth being aware of.

Zone Transfers:

How frequently a Zone Transfers is based on the values in the SOA Record. If you double click on it you'll see a number of intervals:

Refresh Interval - How frequently the Secondary server will check in with the Primary looking for a change. The default value of 15 minutes is good enough for this.

Retry Interval - How long it will wait before retrying a transfer if one fails (say the primary server is down for a few minutes). The default value of 10 minutes is good enough.

Expiry - How long the secondary keeps its copy of the zone before it decides it's too out of date (then it discards the zone data). 1 Day is rubbish. I recommend increasing this to 48 Days. Makes you a lot safer in the event of server failure on the Primary.

The minimum TTL (Time To Live) is treated differently on different servers. Here it defines the default value for the Time To Live on records, I'd set that to 1 Day unless you feel you'll change records around a great deal.

> Compounding our potential confusion, way back when I set this DNS up and had no
> idea what I was doing, I appended ".local" as part of a name I should not have, and
> I have been advised this is functional but "weird."

That's fine and common for a Private domain (such as one for Active Directory). .local may cause problems with Apple Macs but that is the extent of those. It's certainly not weird :)

You will find there are a lot of differing opinions on that naming convention around the Internet. What you have is valid, there are other valid choices too. People like to argue about what the "right" valid choice is, all very silly.

> What you seem to be suggesting is that (at least as a convention) I should
> create A records that correspond to my server machine names, one for each machine.
> So in the MSFT console for a given public zone -- domain.com -- it would look like

That would be fine as well, and would happily replace ns1 / ns2 in the examples above. All we care about is making them publicly accessible.

Chris
0
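An added example, not from the thread: a small zone-text parser that applies the trailing-period rule from the notes above (a name without the period is qualified with the zone origin, so "bob.domain.com" becomes "bob.domain.com.domain.com."), converts the SOA Responsible Person field to an e-mail address, and shows what the SOA refresh/retry/expire values mean for a secondary while the primary is down. The zone text is constructed; hostnames and the 130.95.x addresses follow Chris's example, and 130.95.8.10 is a placeholder.

```python
"""Name qualification against the zone origin, SOA RNAME handling, and the
effect of the SOA timers on a secondary server's copy of the zone."""

ORIGIN = "domain.com."

# Constructed zone text. The CNAME target deliberately lacks the trailing
# period to show the mistake described in the post: it qualifies to
# bob.domain.com.domain.com. instead of bob.domain.com.
ZONE_TEXT = """
domain.com.      IN SOA   ns1.domain.com. hostmaster.domain.com. 2008062001 900 600 86400 3600
domain.com.      IN NS    ns1.domain.com.
domain.com.      IN NS    ns2.domain.com.
ns1.domain.com.  IN A     130.95.8.1
ns2.domain.com.  IN A     130.95.9.2
www              IN A     130.95.8.10
mail             IN CNAME bob.domain.com
"""


def qualify(name, origin=ORIGIN):
    """A name ending in '.' is complete; anything else gets the origin appended."""
    if name.endswith("."):
        return name
    return origin if name == "@" else f"{name}.{origin}"


def rname_to_email(rname):
    """SOA RNAME 'hostmaster.domain.com.' -> 'hostmaster@domain.com'.
    The first unescaped '.' separates the mailbox; a backslash-escaped dot
    inside the mailbox part is a literal dot."""
    local, rest, i = [], "", 0
    while i < len(rname):
        c = rname[i]
        if c == "\\" and i + 1 < len(rname):   # escaped character, keep it literally
            local.append(rname[i + 1])
            i += 2
            continue
        if c == ".":
            rest = rname[i + 1:]
            break
        local.append(c)
        i += 1
    return "".join(local) + "@" + rest.rstrip(".")


def parse_zone(text, origin=ORIGIN):
    """Parse 'owner IN type rdata...' lines into (owner, type, rdata) with
    every owner and every name-valued rdata fully qualified."""
    records = []
    for line in text.strip().splitlines():
        owner, _cls, rtype, *rdata = line.split()
        owner = qualify(owner, origin)
        if rtype in ("NS", "CNAME"):
            rdata = [qualify(rdata[0], origin)]
        elif rtype == "SOA":
            rdata = [qualify(rdata[0], origin), qualify(rdata[1], origin)] + [int(x) for x in rdata[2:]]
        records.append((owner, rtype, rdata))
    return records


def soa_timers(records):
    """Pull the SOA apart into the fields shown in the MS DNS SOA tab."""
    for _owner, rtype, rdata in records:
        if rtype == "SOA":
            mname, rname, _serial, refresh, retry, expire, minimum = rdata
            return {"primary": mname, "contact": rname_to_email(rname),
                    "refresh": refresh, "retry": retry, "expire": expire, "minimum": minimum}
    raise ValueError("zone has no SOA record")


def secondary_survives_outage(timers, primary_down_seconds):
    """A secondary keeps answering until 'expire' seconds have passed since its
    last successful transfer; with the 1-day default that is one day of outage."""
    return primary_down_seconds < timers["expire"]


def contact_attempts_before_expiry(timers):
    """Failed checks the secondary makes before giving up: one at 'refresh',
    then one every 'retry' seconds until 'expire' is reached."""
    if timers["expire"] <= timers["refresh"]:
        return 0
    return 1 + (timers["expire"] - timers["refresh"] - 1) // timers["retry"]
```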
 
LVL 6

Expert Comment

by:DocCan11
ID: 21841205
sorry I lost track of this thread I was flying across the country yesterday..  I will keep an eye on it and jump in when necessary
0
 
LVL 6

Author Comment

by:kennethfine
ID: 21843211
This help is all just exemplary, Chris, thank you so much for your help. I just earned a Premium membership (with one day's effort!) and now that I know how Expert Exchange works I'm going to close this Q, award points, and start asking my questions one at a time.

Thanks again for helping me out, it's really a wonderful thing. You guys rock.

0
 
LVL 6

Author Closing Comment

by:kennethfine
ID: 31469372
amazing help, thank you so much. I am smarter, now. ;)
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21844397

You're welcome :)

Chris
0
