Solved

Best practice for choosing a secondary DNS server on a one DNS server network

Posted on 2013-01-24
697 Views
Last Modified: 2013-01-28
We're having a debate about best practice for configuring a secondary DNS server on a one DNS server network.

On a one server (Windows / DC / DNS / DHCP / File) network, DHCP will be configured to give out the Domain Controller's address as the Primary DNS server.

What's the best practice for configuring a secondary DNS server?

One school of thought is that for this small network with no other servers, there would be no viable second DNS server to give out so it shouldn't be configured.
Another school of thought is that an external, public DNS server should be listed.  This has the advantage that clients would still be able to use the Internet if their DNS server is offline.  The disadvantage is that the public DNS server would be worthless at resolving internal resources and could cause problems on a healthy network.

I've been unable to find any best practices to refer to settle this dispute.

Thoughts?
Question by:limeleap
6 Comments
 
LVL 11

Expert Comment

by:BillBondo
ID: 38815091
You really should have a second DNS server even if it's a second-hand computer. Is this an AD site?
 
LVL 25

Accepted Solution

by:DrDave242 (earned 250 total points)
ID: 38816959
Another school of thought is that an external, public DNS server should be listed.
You don't want to use an external DNS server as an alternate.  This will cause more problems than it solves, as any clients that end up using that server for whatever reason (a temporary lack of response from the internal server, for example) won't automatically fail back and will be unable to resolve any names that they don't have cached.  (And BTW, those negative responses get cached too, so even if a client reverts to using the preferred DNS server, it still won't be able to resolve any internal names that it's got a cached negative response for until the cached record expires or the client's resolver cache is flushed.)
 
LVL 10

Expert Comment

by:ddiazp
ID: 38817158
The best practice for configuring a secondary DNS server is to... HAVE a secondary DNS server :)

But I'm sure you've thought of that, and if you really can't, then that means you probably have a very small network, domain, user base, etc., so I would probably grab all the critical internal hostnames (exchange, intranet, servers, etc.), compile them in a hosts file and be ready to deploy those hosts files to all users/servers remotely in case of an emergency, and configure the secondary DNS server to point to my ISP.

Internet > No Internet. Bottom line. I think your boss, CEO, owner of the company would much rather be able to get to the Internet.

Also, if you set your secondary DNS server to the ISP, and you query an internal server such as hostname.domain.local, chances are ISP DNS will simply not return anything because there probably aren't any authoritative ns servers on the internet for your domain and you won't cache anything for your local domain.
LVL 4

Expert Comment

by:mgpremkumar
ID: 38817731
Running with one domain controller is risky as if it goes down there are no other servers to take over the role which means there will be hours or probably days of downtime depending on the scenario.

If the DNS is down then the AD cannot function as well, and hence having an additional DNS server becomes necessary.

You also have DHCP. This service can also be installed and authorized on the second server. You can then back up the DHCP configuration and restore it on the second server when necessary.

You can also move all the roles to the second server as and when required and put the first server in maintenance without impacting business or working after business hours. Also, doing maintenance activities during business hours means you would have people in the office for any help required, as opposed to working after hours when everyone is away.

Of course all this comes with extra cost, but I think the benefits that it provides would justify the cost.
 
LVL 25

Expert Comment

by:DrDave242
ID: 38819320
Looking back at my previous post, I see I forgot to state that bringing up a second DC/DNS server in the domain is the ideal solution here.  Then you've got redundancy for AD as well as DNS, so domain operations and Internet access don't get interrupted if one box goes down.

Also, if you set your secondary DNS server to the ISP, and you query an internal server such as hostname.domain.local, chances are ISP DNS will simply not return anything because there probably aren't any authoritative ns servers on the internet for your domain and you won't cache anything for your local domain.
The ISP server won't return nothing, though; it'll return an NXDOMAIN response (basically, "record not found"), and that response will be cached on the client.  (I believe negative responses get cached for five minutes by default, but this is configurable via the registry.)  Further queries by that client for that same record won't even hit a DNS server until the cached record expires or the cache is flushed.

Internet > No Internet. Bottom line. I think your boss, CEO, owner of the company would much rather be able to get to the Internet.
If it's that important to him to get to Facebook/Reddit/imgur when the server is down, he'll spring for a second server.  :)
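The client behaviour DrDave242 describes (sticking with whichever server answered, and caching the ISP's NXDOMAIN for the internal name) can be seen in a small model. This is an added example, not code from the thread; the server names, hostnames and addresses are constructed, the 300-second negative TTL follows the figure quoted above, and the "never fails back on its own" rule is a simplifying assumption taken from the thread, not a specification of the Windows resolver.

```python
NXDOMAIN = "NXDOMAIN"
NEGATIVE_TTL = 300  # seconds; the thread cites about five minutes as the Windows default

class DnsServer:
    """Toy DNS server with a fixed answer table (constructed data); `down` makes it time out."""
    def __init__(self, name: str, answers: dict[str, str]):
        self.name, self.answers, self.down = name, answers, False

    def query(self, qname: str) -> str:
        if self.down:
            raise TimeoutError(self.name)
        return self.answers.get(qname, NXDOMAIN)  # an unknown name gets NXDOMAIN, not silence

class StubResolver:
    """Client resolver: tries servers in order starting from the one that last answered,
    caches NXDOMAIN for NEGATIVE_TTL and (assumption, as the thread describes) never fails back."""
    def __init__(self, servers: list[DnsServer]):
        self.servers, self.current = servers, 0
        self.cache: dict[str, tuple[str, int]] = {}  # qname -> (answer, expiry time)
        self.log: list[str] = []

    def resolve(self, qname: str, now: int) -> str:
        if qname in self.cache and self.cache[qname][1] > now:
            self.log.append(f"t={now} {qname}: cached {self.cache[qname][0]}")
            return self.cache[qname][0]
        for step in range(len(self.servers)):
            idx = (self.current + step) % len(self.servers)
            try:
                answer = self.servers[idx].query(qname)
            except TimeoutError:
                self.log.append(f"t={now} {qname}: {self.servers[idx].name} timed out")
                continue
            self.current = idx  # stick with whichever server answered
            if answer == NXDOMAIN:
                self.cache[qname] = (NXDOMAIN, now + NEGATIVE_TTL)
            self.log.append(f"t={now} {qname}: {self.servers[idx].name} -> {answer}")
            return answer
        return "SERVFAIL"  # every server timed out: transient failure, nothing cached

def scenario(use_isp_alternate: bool) -> tuple[str, str, StubResolver]:
    # Resolve an internal name before, during and after a brief DC outage (constructed names/addresses).
    dc = DnsServer("DC", {"fileserver.domain.local": "10.0.0.10", "www.example.com": "203.0.113.80"})
    isp = DnsServer("ISP", {"www.example.com": "203.0.113.80"})  # knows nothing about domain.local
    r = StubResolver([dc, isp] if use_isp_alternate else [dc])
    r.resolve("fileserver.domain.local", now=0)
    dc.down = True
    during = r.resolve("fileserver.domain.local", now=10)
    dc.down = False
    after = r.resolve("fileserver.domain.local", now=20)
    return during, after, r
```

With only the DC listed, the outage shows up as one transient SERVFAIL and the next lookup succeeds; with the ISP as alternate, the client keeps answering NXDOMAIN for the internal name even after the DC is back, and clearing the cache does not help because the client is still asking the ISP.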
 

Author Comment

by:limeleap
ID: 38828853
Thanks for the responses.  While I set up multiple DCs on larger networks including my own, a second server is not an option in this scenario.  Small businesses with only a few users won't tolerate the associated costs.