kennethfine asked:

A few easy (for an expert) questions about DNS, load balanced IPs, and IP numbers

I am trying to understand the ins and outs of DNS, which is necessary but very hard given my primary role as a developer and the complexity of what I'm trying to set up. My main use for DNS will be to serve redundant website and web application needs rather than clients connecting on an internal network. I have a few questions about DNS as its relates to use with IIS and NLB.

Background:  My server's network card has two IPs assigned to it: if you go to TCP/IP settings for the device, you can see two IPs listed. For the first IP, I have set up my own nameserver at my domain name provider and it points to the IP of my server. For the second IP, our institution is providing institution.edu and my DNS is a subdomain of that: ourdomain.institution.edu. My IIS websites are set up to keep an eye out for both IPs. One of these IPs I eventually intend to set up as the IP for an NLB cluster.

Question #1: In DNS, in my ourdomain.institution.edu.local folder of my forward lookup zones, BOTH of the IPs mentioned in the previous paragraph have Host (A) records. Is this correct or not? Will this be correct once my clustered IP is set up?

Question #2: What does the ourdomain.institution.edu.local section refer to? Perhaps the local (private) network? This is a basic question about DNS.

Question #3: What does the _msdcs.ourdomain.institution.edu  records refer to/mediate? This is a basic question about DNS.

Question #4: Again in the forward lookup zones, I have nameserver records that include BOTH IPs described in the paragraph above in the following sections:
_msdcs.ourdomain.institution.edu
ourdomain.institution.edu.local
myCustomDomainNameBeingPointedFromMyDomainNameProvider.com
ourdomain.institution.edu.  

I am wondering if both IPs should be listed in the nameserver records in all of the places listed above, especially myCustomDomainNameBeingPointedFromMyDomainNameProvider.com.

Question #5: for redundancy on the name resolution on my websites, I will want to have multiple nameserver entries on the SOA record, correct? This does NOT mean that I want multiple Host(A) records mapping to each of my servers' IPs, unless I have a site set up on each IP, correct? My understanding is that when I finish getting my NLB clustering set up for my IIS websites, in the forward lookup zone associated with a particular website, I should remove the (A) record that corresponds to an individual server IP and only put the cluster IP in place, as an A record, correct or no?  If not what is the right practice?

Question #6: If I right click on the "interfaces" section of my DNS server, I see "Listen only on the following IP addresses". Two are listed as described in my intro paragraph. Should I be listening on all IP addresses? What is the advantage and tradeoff?

Question #7: I understand there is a limit on the use of host header mapping when you are trying to host https-secure websites. What is that limit, generally?

Question #8: My SOA and nameserver records refer to ourdomain.institution.edu.LOCAL [emphasis mine] as the name servers, for both seemingly internal uses (the ourdomain.institution.edu.local and _msdcs.ourdomain.institution.edu sections), and for external uses (e.g. forward lookup zones corresponding to website names). I am wondering if this is perfectly acceptable or not. Both names will resolve from inside the network, I think (.local and non-.local); why use one or the other for this need?

Many thanks for any insights you can offer. I'm finding the whole DNS thing rather difficult, but am slowly but surely learning some of the things I need to know.
DocCan11

so many questions.. so little time.. ahhaha.. Ok

I am not exactly clear about this statement

For the first IP, I have set up my own nameserver at my domain name provider and it points to the IP of my server.

I can easily answer all your questions once I understand your environment
if you mean you are running a DNS domain at your ISP and it has an A record that points to one of your IP addresses this is perfect.. Or do you mean at your ISP they have a NS record that points to DNS that is running on this server.. it makes a big difference to the answer.

1.. In a nutshell this is correct.. since your computer has 2 IP's it will register 2 A (host) records.. this way when someone queries DNS for your servername the DNS server will return BOTH records.. and because of DNS round robinning.. it will load balance them..

eg.. if your IP addresses are 1.1.1.1 and 1.1.1.2.. and you have both A records in your DNS domain for them .. then the first person who queries for your servername will get the following IP's returned to them in this order.. 1.1.1.1, 1.1.1.2.. the next client who queries for your name will get them in this order 1.1.1.2, 1.1.1.1 .. each time it will do this.. reverse the order.. the idea is the client always tries to go to the first IP it gets and only tries the second when the first times out.. so you now have a load balance created

If you give me more info I will answer the rest
question 3.. the _msdcs domain is there because you are running Active Directory.. this is where Microsoft stores the SRV records that Microsoft clients look for when they are trying to find Domain Controllers
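As an added illustration (not part of DocCan11's post, and not code from any DNS server), the following Python simulates the rotation described above together with the client's first-address-wins behaviour, so you can see what this "load balance" does once one of the two addresses stops answering. The addresses are the post's constructed 1.1.1.1 / 1.1.1.2; the timeout model (a client gives up on an unreachable address and tries the next one) is an assumption.

```python
"""Simulate DNS round robin over two A records plus the 'first address wins,
fall back on timeout' client behaviour described above. Constructed example
for this thread; not code from the post or from any DNS server."""


class RoundRobinZone:
    """Answers every query with the whole RRset, rotated one step per query,
    which is what the post describes (1.1.1.1, 1.1.1.2 then 1.1.1.2, 1.1.1.1)."""

    def __init__(self, rrset):
        self._rrset = list(rrset)
        self._offset = 0

    def query(self):
        n = len(self._rrset)
        answer = [self._rrset[(self._offset + i) % n] for i in range(n)]
        self._offset = (self._offset + 1) % n
        return answer


def connect(answer, reachable):
    """Client side: try the addresses in the order received; each unreachable
    address costs one timeout before the next is tried (assumed model)."""
    timeouts = 0
    for addr in answer:
        if addr in reachable:
            return addr, timeouts
        timeouts += 1
    raise ConnectionError(f"no reachable address in {answer}")


def simulate(queries, reachable, rrset=("1.1.1.1", "1.1.1.2")):
    """Return ({address: connections served}, total timeouts clients suffered)."""
    zone = RoundRobinZone(rrset)
    served = {addr: 0 for addr in rrset}
    timeouts = 0
    for _ in range(queries):
        addr, waited = connect(zone.query(), reachable)
        served[addr] += 1
        timeouts += waited
    return served, timeouts


if __name__ == "__main__":
    # Constructed runs: both hosts up, then 1.1.1.1 dead.
    print(simulate(10, {"1.1.1.1", "1.1.1.2"}))
    print(simulate(10, {"1.1.1.2"}))
```

With both hosts up the connections split evenly and nobody waits. With 1.1.1.1 down, every query that received it first still pays a timeout before reaching 1.1.1.2, because the DNS server keeps handing out the dead address: round robin spreads load but knows nothing about health. That is the gap a real cluster IP (or promptly removing the dead record) closes.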

kennethfine (ASKER)

Thanks. I can give you whatever info you want, including dumps of Ipconfig, DCDIAG, netdiag, etc. I still have a ton to learn but it's beginning to make some sense.  Just let me know what's helpful and I'll get it out to you.

For my domain name provider, I set up the nameservers myself by clicking on the link they provided:
"If you want to create or modify a nameserver which is based on uwnews.org click here.... this link is usually meant for people who are running their own DNS server blah blah blah." That's me.
In the short term I especially need to figure out the answer to question #5.

I have a domain name registered, let's call it myCustomDomain.com
I have set up the nameservers "based on myCustomDomain.com" at the domain name provider by filling in references back to (A) records on my site (e.g. www.myCustomDomain.com and admin.myCustomDomain.com)

I have all of my zones replicating properly to a secondary domain controller running AD and DNS. I have verified this is working pretty well because as of a couple of hours ago I have DFS running fine, too.

So getting back to the Domain name I'm providing DNS Services/Name services/however you'd phrase it: -- myCustomDomain.com -- right now my setup is extremely badly configured. "www.myCustomDomain.com" and "admin.myCustomDomain.com" are listed as the primary and the secondary nameservers with my domain name provider and for now BOTH of those are pointed back at the SAME server and IP address. This is stupid given that I now have a fully functional alternate DC/DNS/AD box.

So what I need to know is the step-by-step of what else to add to make this work.

Should I only add my secondary as a nameserver on myCustomDomain's SOA record, and point the domain name provider as follows:

www.myCustomDomain.com     130.95.8.1
admin.myCustomDomain.com      130.95.9.2 (IP of secondary nameserver)

OR, do I also need to be creating an (A) record with the IP of the server? I don't think so, because I don't have a mirror of the content on that second server.

These are somewhat stupid questions in that I could probably find the answers I need with reading. Unfortunately I'm dealing with live sites and the latencies involved with DNS mean that errors are "expensive." I would rather check it with someone else.

If you can answer this and my other more general questions I'd surely appreciate it! THANKS!!!
Chris Dent

> Question #3:  ... _msdcs.ourdomain.institution.edu

Is that really exactly that and not _msdcs.ourdomain.institution.edu.local?

If it is that, do you have an _msdcs folder under the .local zone as well?


Breaking down question 5 :)

> Question #5: for redundancy on the name resolution on my websites, I will want to
> have multiple nameserver entries on the SOA record, correct?

No, absolutely not.

The SOA, Start Of Authority, is granted to the Primary Name Server in a traditional DNS configuration.

Active Directory Integrated zones break this slightly as each is a Primary version. Therefore, each Domain Controller hosting the zone lists itself as Start of Authority (when you view it from that DNS server).

> This does NOT mean that I want multiple Host(A) records mapping to each of my
> servers' IPs, unless I have a site set up on each IP, correct?

SOA won't have an impact on Host (A) Records for a given resource.

>  I should remove the (A) record that corresponds to an individual server IP and only
> put the cluster IP in place, as an A record, correct or no?  

When you set up NLB you will end up creating a third Cluster IP. That is the IP you need to use for public access to the site. The original two stay as they are, although they aren't necessary in the public zone.

I want to cover some of the other questions as well, then I have some of my own :)

> Question #6: If I right click on the "interfaces" section of my DNS server,
> I see "Listen only on the following IP addresses". Two are listed as described
> in my intro paragraph. Should I be listening on all IP addresses? What is the
> advantage and tradeoff?

The DNS Service needs to listen on every IP you expect it to answer request on. If it doesn't, it simply won't be able to answer the requests.

> Question #7: I understand there is a limit on the use of host header mapping
> when you are trying to host https-secure websites. What is that limit, generally?

You cannot use Host Headers for HTTPS. Host Headers are only valid for HTTP, HTTPS must have distinct IP addresses per site.

> Question #8: My SOA and nameserver records refer to ourdomain.institution.edu.LOCAL
> [emphasis mine] as the name servers, for both seemingly internal uses (the
> ourdomain.institution.edu.local and _msdcs.ourdomain.institution.edu sections),

For a Public Zone it's bad and shouldn't be done. Records in a public zone should be correct for the public.

Before getting into detail we need to drop back a bit otherwise this is going to get very confused. That'll come in the next post though, to keep things moderately clear.

Chris

Okay, back to the beginning again.

We need to make a distinction between Public and Private zones in DNS. The terms aren't official, but they will do to describe a server hosting a mixture like this.

A Public Zone should contain Public Records and IP Addresses only. It shouldn't list or refer to anything in a Private Zone because it's so very easy to break things that way.

A Private Zone is typically one used internally only, perhaps most commonly for systems like Active Directory. It contains records that are only of interest to Internal clients and shouldn't be made public.

If we take a look at Question 4 above you have these Zones:

_msdcs.ourdomain.institution.edu
ourdomain.institution.edu.local
myCustomDomainNameBeingPointedFromMyDomainNameProvider.com
ourdomain.institution.edu.  

Private Zones:

_msdcs.ourdomain.institution.edu
ourdomain.institution.edu.local
ourdomain.institution.edu

Each of these zones looks to be something to do with Active Directory. Hopefully none of those zones are Public.

Because of the _msdcs zone the implication is that "ourdomain.institution.edu" is the main Zone for the Active Directory Domain. With _msdcs delegated out into a separate zone.

You're likely to find Dynamic Updates enabled and each set to Active Directory Integrated.

Public Zones:

myCustomDomainNameBeingPointedFromMyDomainNameProvider.com

This one needs to have records that are correct for the public only. Dynamic Updates should be disabled (if not already).

You should create new Host (A) Records for the Name Server listing only the Public IP Address. That should be used for the NS and SOA Records.

So we end up with something like this (shortening to domain.com for convenience):

domain.com.      IN SOA  ns1.domain.com.  ( Values for SOA ... )

domain.com.      IN NS   ns1.domain.com.
domain.com.      IN NS   ns2.domain.com.

ns1.domain.com.  IN A    130.95.8.1
ns2.domain.com.  IN A    130.95.9.2

www.domain.com.  IN A    <IPOfNLBCluster>

It will look slightly different within the MS DNS console, but that is the essence of it.

If you have more than one Name Server you will need to have another NS Record, although the SOA remains the same.

Whatever you enter for the NS Records should match the entries you created with the Registrar, or the entries at the Registrar should be changed to be consistent.

I have to say it somewhere in this post: Hosting Public DNS Services on an Active Directory Domain Controller cannot be considered good practice. The needs of each are quite different and it makes this configuration more complex and less secure.

Chris
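The rules Chris lays out for a public zone (public names only, NS and SOA names backed by A records with public addresses, NS set consistent with what the registrar holds) can be checked mechanically. The script below is an added example for this thread, not code from the post, from Microsoft DNS or from BIND. The first zone text is constructed to match the fragment above (130.95.8.10 stands in for the cluster IP); the second is a constructed zone mirroring the asker's current state, with a .local primary and a name server whose only address is private. Treating the .local suffix as private-only is an assumption taken from this thread.

```python
"""Sanity-check a 'public' zone: constructed example for this thread, not
Microsoft DNS or BIND code. Parses one-record-per-line 'owner IN TYPE rdata'
text such as the fragment in Chris Dent's post."""
import ipaddress

# Assumption: names under these suffixes are private-only and must never be
# referenced from a public zone (the thread only uses .local).
PRIVATE_SUFFIXES = (".local",)


def norm(name):
    """Lower-case a DNS name and drop the trailing root dot for comparisons."""
    return name.lower().rstrip(".")


def parse_zone(text):
    """Return [(owner, TYPE, [rdata tokens])] for each non-empty, non-comment line."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a zone-file comment
        if not line:
            continue
        owner, klass, rtype, *rdata = line.split()
        if klass.upper() != "IN":
            raise ValueError("unsupported class in line: " + line)
        records.append((norm(owner), rtype.upper(), rdata))
    return records


def check_public_zone(text, registrar_ns):
    """Return a list of problem strings; an empty list means the zone passes."""
    records = parse_zone(text)
    glue = {}                                     # name -> [A record addresses]
    for owner, rtype, rdata in records:
        if rtype == "A":
            glue.setdefault(owner, []).append(rdata[0])
    ns_names = {norm(rdata[0]) for _, rtype, rdata in records if rtype == "NS"}
    soas = [rdata for _, rtype, rdata in records if rtype == "SOA"]

    if len(soas) != 1:
        return ["zone must carry exactly one SOA record"]
    problems = []
    primary = norm(soas[0][0])                    # SOA MNAME = primary name server
    if primary not in ns_names:
        problems.append(f"SOA primary {primary} is not listed as an NS")

    for name in sorted(ns_names | {primary}):
        if name.endswith(PRIVATE_SUFFIXES):
            problems.append(f"{name} is a private name and must not appear in a public zone")
        if name not in glue:
            problems.append(f"{name} has no A record (missing glue)")
            continue
        for ip in glue[name]:
            if not ipaddress.ip_address(ip).is_global:
                problems.append(f"{name} -> {ip} is not a public address")

    delegated = {norm(n) for n in registrar_ns}
    if delegated != ns_names:
        problems.append(f"registrar delegation {sorted(delegated)} != zone NS {sorted(ns_names)}")
    return problems


# Constructed zone modelled on the fragment above (addresses are the thread's
# placeholders; 130.95.8.10 stands in for the NLB cluster IP).
GOOD_ZONE = """
domain.com.      IN SOA  ns1.domain.com. hostmaster.domain.com. 2024010101 3600 900 604800 300
domain.com.      IN NS   ns1.domain.com.
domain.com.      IN NS   ns2.domain.com.
ns1.domain.com.  IN A    130.95.8.1
ns2.domain.com.  IN A    130.95.9.2
www.domain.com.  IN A    130.95.8.10   ; cluster IP, not an individual node
"""

# Constructed zone mirroring the asker's current state: a .local primary with
# no glue, and a name server whose only A record is a private address.
BAD_ZONE = """
domain.com.      IN SOA  server1.domain.com.local. hostmaster.domain.com. 1 3600 900 604800 300
domain.com.      IN NS   server1.domain.com.local.
domain.com.      IN NS   ns2.domain.com.
ns2.domain.com.  IN A    192.168.1.5
www.domain.com.  IN A    130.95.8.10
"""

REGISTRAR_NS = ["ns1.domain.com", "ns2.domain.com"]   # what the registrar was given

if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(label, check_public_zone(zone, REGISTRAR_NS) or ["ok"])
```

The broken zone trips every rule at once: the .local name leaks into a public zone, it has no glue so outside resolvers cannot reach it, the one name server that does have an address hands out a private one, and the NS set no longer matches the delegation at the registrar. Run it against an export of your own public zone before changing the registrar entries, since (as noted above) DNS mistakes are slow to back out.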
Wow, thanks much Chris, that background is so extremely helpful.
I have a bunch of machines at my disposal and in time and when I know enough I will break things up a bit more according to best practices.

Clarifying Question #4, I mis-wrote last night. My forward lookup zones look like this:
_msdcs.domain.com.local
domain.com.local
customdomain1.com
customdomain2.com

Clarifying my question about SOA, this is what I have. If I click on any of the zones, public or private, there is a SOA record that lists the primary server. That primary server is listed as the server machine I'm on, e.g. if I'm looking at records on the DNS console on server1.domain.com the primary server is listed as server1.domain.com.local. Now I am noticing that on my public zones (customdomain.com) that primary server is listed as "server1.domain.com.local" and if I am understanding you correctly that is bad.

Compounding our potential confusion, way back when I set this DNS up and had no idea what I was doing, I appended ".local" as part of a name I should not have, and I have been advised this is functional but "weird."

In the MSFT DNS console, when you double click on Forward Lookup Zones --[zone] --> SOA, it brings up the SOA record that lists the primary server. There is a tab called "nameservers" right next to it. If you click on the nameservers tabs it brings up a list.  

If I am hearing you correctly multiple nameservers should be listed on that tab. They should be described as ns.domain.com, NOT ns.domain.com.local, because that is a confusion of their public and private roles. (right now, I notice my setup lists both: ns.domain.com AND ns.domain.com.local)

If am hearing you correctly I may also want to revisit what I am calling my A records, at least for the purposes of following a convention.

Right now my A records, which serve to create the nameserver that I've pointed my domain name provider at, look as follows in the MSFT DNS console (numbers are fake):

admin    Host (A)    150.90.9.25    static
www   Host (A)     150.90.9.25   static

At my domain name provider, I have pointed them to "admin.domain.com" and "www.domain.com".

What you seem to be suggesting is that (at least as a convention) I should create A records that correspond to my server machine names, one for each machine. So in the MSFT console for a given public zone -- domain.com -- it would look like

machinename1   Host(A)   150.90.9.25   static
machinename2   Host(A)   150.90.9.38   static

The primary server in the SOA record would be tied to an individual machine, but the multiple nameserver records and the multiple (A) records referenced by my domain name provider would assure redundancy. Is that correct?

Based on my setup this would mean that my server machines would be recognizable on the internet as

machinename1.domain.com
and
machinename.subdomain.institution.edu
 
I will mention one other thing that may or may not matter. I have public zones based off of custom domain names purchased from a provider: domain.com. The names of my systems are based off of my institution: machinename.subdomain.institution.edu. In the nameserver section for the public zones, I am listing machinename1.subdomain.institution.edu and machinename2.subdomain.institution.edu. I don't think this should matter, since the resources are publicly addressable one way or another.

Thanks again for your generous help. I'll learn everything in time.
 
Following up on one item: my domain itself is named XXXX.XXXX.XXXX.local. A machine that joins the domain is machinename.xxx.xxx.xxx.local.

This is "wrong", is it not?

Do i need to worry about this?

Do I need to be creating DNS records that reference .local.local?
 
Can this/should this be changed now? I am not connecting many clients to this system: the domain stuff mainly serves web application needs.
ASKER CERTIFIED SOLUTION
Chris Dent
(solution text not available on this page)
Sorry, I lost track of this thread; I was flying across the country yesterday.. I will keep an eye on it and jump in when necessary
This help is all just exemplary, Chris, thank you so much for your help. I just earned a Premium membership (with one day's effort!) and now that I know how Experts Exchange works I'm going to close this Q, award points, and start asking my questions one at a time.

Thanks again for helping me out, it's really a wonderful thing. You guys rock.

amazing help, thank you so much. I am smarter, now. ;)

You're welcome :)

Chris