DNS Round Robin Question

Evilstealth
Hello,

I have been playing around with DNS round robin, and just need a few things clarified...

The system I have been playing around with is configured as follows:

Windows 2003/08 Environment
Active Directory
Windows DNS

DNS Settings
Host A Record: blah.company.com 172.16.1.100
Host A Record: blah.company.com 172.16.1.102
Host A Record: blah.company.com 172.16.1.103

I have been trying to understand when the 'round robin' comes into effect. I noticed if I ping 'blah.company.com' it returns 172.16.1.100. Then once I 'ipconfig /flushdns' and try to ping 'blah.company.com' it returns the same 172.16.1.100 IP. Could someone verify whether the 'round robin' does come into effect here or not?

Another thing I noticed is if I set the TTL for the 'blah.company.com' record to something very small, such as 1 second, the 'round robin effect' seems to work when I do an ipconfig /flushdns and then a ping... I understand that this would be creating unnecessary traffic to the DNS servers, but I just thought someone could shed some light on this too.

Another thing I was looking at is load balancing Active Directory using this round robin technique. Could someone please tell me the most efficient way to do this, or is the round robin technique flawed?

Thanks,

Adam Sammut

Commented:
You set up the DNS correctly, A records pointing to different IP addresses. Now I am not a Windows guy, but it just happens that I read about round robin, and as a matter of fact, that's all you need for the DHCPD from ISC.

DHCPD hands out one IP after the other if it finds more IP addresses assigned to one A record.

Basically the Windows server seems to work fine, and the fact that after a flushdns you get another IP indicates that the Windows DNS is fine. You have to understand that you have a local DNS resolver on every computer, and this DNS resolver may cache IPs for DNS names as long as the TTL from the DNS allows it to. So your issue is really a client-side issue. Either you could find out if the Windows cache can be configured not to cache specific FQDNs, or you have to lower the TTL as you mentioned you did.

Another thing is, and take this with a grain of salt as I am not a Windows guy, but you should not do load balancing for Active Directory. It's normally better to position AD replica servers at strategic points of your network so that not all users have to go to the main server (like a replica for each site, each department, each floor; it totally depends on your situation).

best regards
Raimund
Krzysztof Pytko, Senior Active Directory Engineer, Top Expert 2012

Commented:
Should work fine. Go to the DNS server properties, "Advanced" tab, and check whether the "Enable round robin" check box is ticked (it should be enabled by default),

and then check again by flushing and pinging.

Regards,
Krzysztof
President, IT4SOHO, LLC
Commented:
Assuming your configuration above, there are several explanations why you're getting the same result each time. I think a little explanation of round-robin and DNS may be in order here:

1) When a DNS server has multiple A-records for a single name, it is supposed to use ALL of the names in response to a query.
 1a) There are some advanced DNS servers that take into consideration the geographic location of the client, and try to optimize the reply with addresses that are geographically closer (under the assumption that transmission will be faster)

2) When your DNS server gets a request to resolve "blah.company.com", it is supposed to list the 100 address first 33% of the time, the 102 address 33% of the time, and the 103 address 33% of the time.... but it returns all 3 numbers 100% of the time. There really isn't anything in the standard about ordering the 2nd or 3rd entry returned -- as it is generally assumed you'll try and be successful with the first one 99.999% of the time.

3) When a NON-AUTHORITATIVE DNS server resolves a DNS Query, it will usually cache the return (as you no doubt were trying to remove in your example). But this behavior is true of ALL non-authoritative DNS servers, not just the Windows client you cleared. Just because you cleared your local cache doesn't mean you cleared out other cached values that may be coming into play.

Finally, instead of ping, use the nslookup tool, primarily because you can tell nslookup to absolutely do a DNS query (no local cache, without having to clear it) and, more importantly, where to make the query.

Now, here are some examples of DNS Caching and round-robin results in action...
NOTE: Since I'm using an Internet DNS server, I'm substituting Internet IP addresses for your 172.16 addresses above.

Let's query blah.company.com at a "public" DNS server:
  nslookup blah.company.com 4.2.2.4
-> returns 1.2.3.100, 1.2.3.102, and 1.2.3.103 (in that order).

So, I query the same server again (directly)
  nslookup blah.company.com 4.2.2.4
-> returns 1.2.3.100, 1.2.3.102, and 1.2.3.103 (in that order).
WHICH IS THE SAME ANSWER! This is because 4.2.2.4 is NOT an authoritative DNS server for blah.company.com, and so it is returning to you the CACHED value it has stored. (Its job is to give you AN ANSWER as fast as possible -- that's all!)

So, let's try a different server:
  nslookup blah.company.com 4.2.2.3
-> returns 1.2.3.102, 1.2.3.100, and 1.2.3.103 (in that order).

Here I see the effects of the "rotation"...

BUT, what if I query the ACTUAL company.com DNS server?
  nslookup blah.company.com dns.company.com
-> returns 1.2.3.100, 1.2.3.102, and 1.2.3.103 (in that order).

Then immediately re-query:
  nslookup blah.company.com dns.company.com
-> returns 1.2.3.102, 1.2.3.103, and 1.2.3.100 (in that order).

WHOA! I got different answers! This is because dns.company.com is an AUTHORITATIVE DNS server for company.com, and so it is providing "rotating" responses. After all, as opposed to making the fastest response possible, providing rotating responses is part of THIS DNS server's job...

I hope this explanation brings some sanity into your world...

Dan
IT4SOHO
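The mechanism Raimund and Dan describe above (the authoritative server rotating its answer on every query, a non-authoritative cache handing back the same order until the TTL expires, and 'ipconfig /flushdns' emptying only the local resolver cache) as an added simulation. This is example code written for this page, not code from any of the posters. It uses the name and addresses from the question, a fake clock so it runs offline, and two caching layers that stand in for a forwarding DNS server and the client's resolver cache; `run_scenarios()` returns the first address a ping would use in each scenario.

```python
"""Round robin vs. DNS caching, simulated (added example; not the posters' code).
Three layers from the thread: an authoritative server that answers with every A
record and rotates their order per query; a non-authoritative caching server that
keeps the RRset, in that order, until its TTL expires; and the client's resolver
cache, the only thing 'ipconfig /flushdns' empties. Time is a fake clock."""
from collections import deque
from dataclasses import dataclass


@dataclass
class RRset:
    ttl: int
    addrs: list


class AuthoritativeServer:
    """Zone data plus per-query rotation of multi-address RRsets."""
    def __init__(self, zone: dict, round_robin: bool = True):
        self._zone = {n: (rr.ttl, deque(rr.addrs)) for n, rr in zone.items()}
        self.round_robin = round_robin       # the "Enable round robin" check box

    def query(self, name: str) -> RRset:
        ttl, ring = self._zone[name]
        answer = list(ring)                  # every address, every time
        if self.round_robin and len(ring) > 1:
            ring.rotate(-1)                  # next answer starts one address later
        return RRset(ttl, answer)


class CachingResolver:
    """Non-authoritative cache: serves the stored RRset until its TTL expires."""
    def __init__(self, upstream, clock):
        self._upstream, self._clock, self._cache = upstream, clock, {}

    def query(self, name: str) -> RRset:
        now = self._clock()
        hit = self._cache.get(name)          # (expiry, rrset) or None
        if hit is not None and now < hit[0]:
            return hit[1]                    # cached order, unchanged
        rr = self._upstream.query(name)
        self._cache[name] = (now + rr.ttl, rr)
        return rr

    def flush(self) -> None:
        self._cache.clear()                  # 'ipconfig /flushdns', locally


class FakeClock:
    """Injectable time, so TTL expiry is driven by the scenario, not wall time."""
    def __init__(self): self.now = 0.0
    def __call__(self): return self.now
    def advance(self, seconds): self.now += seconds


NAME = "blah.company.com"
ADDRS = ["172.16.1.100", "172.16.1.102", "172.16.1.103"]   # from the question


def build(ttl: int, round_robin: bool = True):
    """Authoritative server, a caching server in front of it (the role a
    forwarding DNS server plays), and the client resolver cache in front of that."""
    clock = FakeClock()
    auth = AuthoritativeServer({NAME: RRset(ttl, ADDRS)}, round_robin)
    server_cache = CachingResolver(auth, clock)
    return clock, auth, server_cache, CachingResolver(server_cache, clock)


def first_address(resolver) -> str:
    return resolver.query(NAME).addrs[0]     # what 'ping' ends up using


def run_scenarios() -> dict:
    out = {}
    # 1) Authoritative server asked directly: the order rotates every query.
    _, auth, _, _ = build(ttl=3600)
    out["direct"] = [first_address(auth) for _ in range(4)]
    # 2) Long TTL, flush only the client: the server-side cache still answers
    #    with the order it stored, so the same first address comes back.
    _, _, _, client = build(ttl=3600)
    out["flush_client_only"] = [first_address(client)]
    client.flush()
    out["flush_client_only"].append(first_address(client))
    # 3) TTL 1 s: a second later both caches have expired and the authoritative
    #    server, which rotated after the first query, is asked again.
    clock, _, _, client = build(ttl=1)
    out["ttl_1s"] = [first_address(client)]
    client.flush()
    clock.advance(1)
    out["ttl_1s"].append(first_address(client))
    # 4) Round robin disabled on the authoritative server: fixed order.
    _, auth, _, _ = build(ttl=3600, round_robin=False)
    out["round_robin_off"] = [first_address(auth) for _ in range(3)]
    return out


if __name__ == "__main__":
    for scenario, seen in run_scenarios().items():
        print(f"{scenario:18} -> {', '.join(seen)}")
```

Run it and compare with what nslookup shows against your own servers: the only scenarios in which the first address changes are the ones where the query actually reaches the authoritative server, which is what a 1-second TTL forces. One caveat when mapping this onto Windows DNS: the same "Advanced" tab also has "Enable netmask ordering", which is on by default and places addresses in the client's own subnet ahead of the others; the model above does not include it, and on a client that shares a subnet with some of the hosts it can hide the rotation even when round robin is enabled.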

Commented:
Hi Dan,

nice explanation!

best
Agreed, nicely done.

Author

Commented:
I have to agree! Dan you provided a very good explanation. Thanks.