How do I resolve my DNS issues?

Network seems to have lots of latency for opening web pages.

Firewall DNS points to OpenDNS and Comcast.
Internal DC01 points to the other internal DNS under forwarders, and internal DC02 points to DC01.

Have I got something goofy?
I also have "listen on all IP addresses" selected under the Interfaces tab in DNS.
I do not have "use root hints" selected.

I am running Server 2008 R2
TheCleaner Commented:
MS has gone back and forth over the years.  I personally like them pointing to themselves for their primary.

See below:

After you have verified that replication has completed successfully, DNS may be configured on each Domain Controller in either of two ways, depending on the requirements of the environment. The configuration options are:

    1. Configure the Preferred DNS server in TCP/IP properties on each Domain Controller to use itself as Primary DNS Server.
        - Ensures that DNS queries originating from the Domain Controller will be resolved locally if possible. Will minimize impact of Domain Controller's DNS queries on the network.
        - Dependent on Active Directory replication to ensure that DNS zone is up to date. Lengthy replication failures may result in an incomplete set of entries in the zone.

    2. Configure all Domain Controllers to use a centralized DNS server as their Preferred DNS Server.
        - Minimizes the reliance on Active Directory replication for DNS zone updates of Domain Controller locator records. This includes faster discovery of new or updated Domain Controller locator records, as replication lag time is not an issue.
        - Provides a single authoritative DNS server, which may be useful when troubleshooting Active Directory replication issues.
        - Will more heavily utilize the network to resolve DNS queries originating from the Domain Controller.
        - DNS name resolution may be dependent on network stability; loss of connectivity to the Preferred DNS server will result in failure to resolve DNS queries from the Domain Controller. This may result in apparent loss of connectivity, even to locations that are not across the lost network segment.

A combination of the two strategies is possible, with the remote DNS server set as Preferred DNS server, and the local Domain Controller set as Alternate (or vice versa). While this strategy has many advantages, there are factors that should be considered before making this configuration change:

    - The DNS client does not utilize each of the DNS servers listed in TCP/IP configuration for each query. By default, on startup the DNS client will attempt to utilize the server in the Preferred DNS server entry. If this server fails to respond for any reason, the DNS client will switch to the server listed in the Alternate DNS server entry. The DNS client will continue to use this alternate DNS server until:
        - It fails to respond to a DNS query, or:
        - The ServerPriorityTimeLimit value is reached (15 minutes by default). For more information, see Microsoft Knowledge Base article 286834, "The DNS Client service does not revert to using the first server in the list".
    - Please note, only a failure to respond will cause the DNS client to switch Preferred DNS servers; receiving an authoritative but incorrect response does not cause the DNS client to try another server. As a result, configuring a Domain Controller with itself and another DNS server as Preferred and Alternate servers helps to ensure that a response is received, but it does not guarantee accuracy of that response. DNS record update failures on either of the servers may result in an inconsistent name resolution experience.
Are both DCs running AD-DNS and replicating fine?  Are they both in the same site?

If so:

DC01 - point to itself
DC02 - point to itself

Both should have forwarders to your ISP's DNS or another valid external DNS server or even using the root hints servers.

Firewall DNS pointing anywhere is pretty pointless unless it is for reverse DNS lookups or something.

Clients set via DHCP scopes to point to DC01 as primary and DC02 as secondary.

That's how I'd set it up...
According to MS BPA for DNS, DCs running DNS should point to another DNS as primary, and themselves as secondary.
I definitely agree that it's not clear cut, and recommendations vary.  I'm including the below just for interesting reading.  The BPA for DNS in 2008 R2 uses these as guidelines (including many others of course).

What is Microsoft's best practice for where and how many DNS servers exist? What about for configuring DNS client settings on DC’s and members?

It depends on who you ask. :-) We in MS have been arguing this amongst ourselves for 11 years now. Here are the general guidelines that the Microsoft AD and Networking Support teams give to customers, based on our not inconsiderable experience with customers and their CritSits:

1. If a DC is hosting DNS, it should point to itself at least somewhere in the client list of DNS servers.
2. If at all possible on a DC, client DNS should point to another DNS server as primary and itself as secondary or tertiary. It should not point to self as primary due to various DNS islanding and performance issues that can occur. (This is where the arguments usually start.)
3. When referencing a DNS server on itself, a DNS client should always use a loopback address and not a real IP address.
4. Unless there is a valid reason not to that you can concretely explain with more pros than cons, all DCs in a domain should be running DNS and hosting at least their own DNS zone; all DCs in the forest should be hosting the _MSDCS zones. This is default when DNS is configured on a new Win2003 or later forest's DCs. (Lots more arguments here.)
5. DCs should have at least two DNS client entries.
6. Clients should have these DNS servers specified via DHCP or by deploying via group policy/group policy preferences, to avoid admin errors; both of those scenarios allow you to align your clients with subnets, and therefore specific DNS servers. Having all the clients and members point to the same one or two DNS servers will eventually lead to an outage and a conversation with us and your manager. If every DC is a DNS server, clients can be fine-tuned to keep their traffic as local as possible and DNS will be highly available with special work or maintenance. It also means that branch offices can survive WAN outages and keep working, if they have local DCs running DNS.
7. We don't care if you use Windows or 3rd party DNS. It's no skin off our nose: you already paid us for the DCs and we certainly don't need you to buy DNS-only Windows servers. But we won't be able to assist you with your BIND server, and their free product's support is not free.
8. (Other things I didn't say that are people's pet peeves, leading to even more arguments.)
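A way to check a DC against the setup recommended above (self plus a second entry in the client list, loopback for the self-reference, forwarders on the server, and the "only a silent server makes the client fail over" behaviour that turns one slow resolver into slow web pages) is the script below. It is an added example, not code from this thread, from the BPA or from Microsoft. It is written for Server 2008 R2 / PowerShell 2.0, where the DnsServer cmdlets do not exist, so it reads the client list from Win32_NetworkAdapterConfiguration and the server settings from the root\MicrosoftDNS WMI provider, then sends one hand-built recursive A query (plain UDP, no EDNS, no TCP fallback) to each configured server and forwarder and times the reply. The test name www.microsoft.com and the 2-second timeout are assumptions; run it elevated on each DC.

```powershell
# Added example: audit a DC's DNS client entries and DNS Server settings, then
# time a recursive lookup against each configured server and forwarder.
# Assumes Server 2008 R2 with the DNS Server role, PowerShell 2.0, run elevated.
param(
    [string]$TestName = "www.microsoft.com",   # assumed public name to resolve
    [int]$TimeoutMs   = 2000                    # assumed per-query timeout
)

function Get-DnsClientServers {
    # The DNS client list as shown in TCP/IP properties, one object per entry.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
        ForEach-Object {
            $adapter = $_
            $ownIps  = @($adapter.IPAddress)
            $order   = 0
            foreach ($srv in @($adapter.DNSServerSearchOrder | Where-Object { $_ })) {
                $order++
                $loopback = ($srv -eq "127.0.0.1" -or $srv -eq "::1")
                New-Object PSObject -Property @{
                    Adapter  = $adapter.Description
                    Order    = $order
                    Server   = $srv
                    Loopback = $loopback
                    IsSelf   = ($loopback -or ($ownIps -contains $srv))
                }
            }
        }
}

function Get-DnsServerSettings {
    # Forwarders, listen addresses and recursion flags from the DNS Server WMI class.
    $s = Get-WmiObject -Namespace root\MicrosoftDNS -Class MicrosoftDNS_Server
    New-Object PSObject -Property @{
        Forwarders         = @($s.Forwarders | Where-Object { $_ })
        ListenAddresses    = @($s.ListenAddresses | Where-Object { $_ })  # empty = all interfaces
        NoRecursion        = $s.NoRecursion
        UseRootHintsOnFail = -not $s.IsSlave   # IsSlave = do not fall back to root hints
    }
}

function Measure-DnsQuery {
    # Send one recursive A query for $Name to $Server over UDP/53 and time the answer.
    param([string]$Server, [string]$Name, [int]$TimeoutMs)
    $id = Get-Random -Minimum 1 -Maximum 65535
    $q  = New-Object System.Collections.Generic.List[byte]
    # Header: ID, flags 0x0100 (RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    $q.AddRange([byte[]]@([int][Math]::Floor($id / 256), ($id % 256), 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0))
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $b = [Text.Encoding]::ASCII.GetBytes($label)
        $q.Add([byte]$b.Length); $q.AddRange($b)
    }
    $q.AddRange([byte[]]@(0, 0, 1, 0, 1))   # root label, QTYPE=A, QCLASS=IN
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    $sw = [Diagnostics.Stopwatch]::StartNew()
    try {
        [void]$udp.Send($q.ToArray(), $q.Count, $Server, 53)
        $ep = New-Object System.Net.IPEndPoint ([Net.IPAddress]::Any, 0)
        $r  = $udp.Receive([ref]$ep)
        $sw.Stop()
        # RCODE is the low nibble of byte 3 (0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN, 5 REFUSED)
        New-Object PSObject -Property @{
            Server = $Server; Ms = $sw.ElapsedMilliseconds; Status = "answered"
            RCode  = ($r[3] -band 0x0F); Answers = ([int]$r[6] * 256 + $r[7])
        }
    } catch {
        $sw.Stop()   # no reply inside the timeout: this is what makes the client fail over
        New-Object PSObject -Property @{
            Server = $Server; Ms = $sw.ElapsedMilliseconds; Status = "no response"; RCode = $null; Answers = 0
        }
    } finally { $udp.Close() }
}

$clients = @(Get-DnsClientServers)
"== DNS client entries on this DC =="
$clients | Format-Table Adapter, Order, Server, IsSelf, Loopback -AutoSize | Out-Host
if (-not ($clients | Where-Object { $_.IsSelf })) { Write-Warning "DC does not list itself anywhere (guideline 1)." }
if ($clients | Where-Object { $_.IsSelf -and -not $_.Loopback }) { Write-Warning "Self-reference uses a real IP; use 127.0.0.1 (guideline 3)." }
if ($clients.Count -lt 2) { Write-Warning "Fewer than two DNS client entries (guideline 5)." }

$settings = Get-DnsServerSettings
"== DNS Server settings =="
$settings | Format-List | Out-Host
if ($settings.Forwarders.Count -eq 0 -and $settings.UseRootHintsOnFail -eq $false) { Write-Warning "No forwarders and no root-hint fallback: external names cannot resolve." }

"== Recursive lookup of $TestName via each configured server and forwarder =="
$targets = @($clients | ForEach-Object { $_.Server }) + $settings.Forwarders | Select-Object -Unique
$targets | ForEach-Object { Measure-DnsQuery -Server $_ -Name $TestName -TimeoutMs $TimeoutMs } |
    Format-Table Server, Ms, Status, RCode, Answers -AutoSize | Out-Host
```

Read the last table together with the KB text quoted earlier in the thread: a server that shows "no response" at the top of the client list costs every lookup the full timeout before the client moves on, while a server that answers quickly with SERVFAIL (RCode 2) never triggers a failover at all, so both show up as slow or failing web pages even though the second entry is healthy.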
manelson05 (Author) Commented:
Very thorough and informative analysis.
Thank you
