Solved

Best practice for choosing a secondary DNS server on a one DNS server network

Posted on 2013-01-24
6
704 Views
Last Modified: 2013-01-28
We're having a debate about best practice for configuring a secondary DNS server on a one DNS server network.

On a one server (Windows / DC / DNS / DHCP / File) network, DHCP will be configured to give out the Domain Controller's address as the Primary DNS server.

What's the best practice for configuring a secondary DNS server?

One school of thought is that for this small network with no other servers, there would be no viable second DNS server to give out so it shouldn't be configured.
Another school of thought is that an external, public DNS server should be listed.  This has the advantage that clients would still be able to use the Internet if their DNS server is offline.  The disadvantage is that the public DNS server would be worthless at resolving internal resources and could cause problems on a healthy network.

I've been unable to find any best practices to refer to that would settle this dispute.

Thoughts?
0
Comment
Question by:limeleap
6 Comments
 
LVL 11

Expert Comment

by:BillBondo
ID: 38815091
You really should have a second DNS server even if it's a second-hand computer. Is this an AD site?
0
 
LVL 26

Accepted Solution

by:DrDave242 (earned 250 total points)
ID: 38816959
Another school of thought is that an external, public DNS server should be listed.
You don't want to use an external DNS server as an alternate.  This will cause more problems than it solves, as any clients that end up using that server for whatever reason (a temporary lack of response from the internal server, for example) won't automatically fail back and will be unable to resolve any names that they don't have cached.  (And BTW, those negative responses get cached too, so even if a client reverts to using the preferred DNS server, it still won't be able to resolve any internal names that it's got a cached negative response for until the cached record expires or the client's resolver cache is flushed.)
0
 
LVL 10

Expert Comment

by:ddiazp
ID: 38817158
The best practice for configuring a secondary DNS server is to... HAVE a secondary DNS server :)

But I'm sure you've thought of that, and if you really can't, then that means you probably have a very small network, domain, user base, etc., so I would probably grab all the critical internal hostnames (exchange, intranet, servers, etc.), compile them in a hosts file and be ready to deploy those hosts files to all users/servers remotely in case of an emergency, and configure the secondary DNS server to point to my ISP.

Internet > No Internet. Bottom line. I think your boss, CEO, owner of the company would much rather be able to get to the Internet.

Also, if you set your secondary DNS server to the ISP, and you query an internal server such as hostname.domain.local, chances are the ISP DNS will simply not return anything because there probably aren't any authoritative NS servers on the Internet for your domain and you won't cache anything for your local domain.
0
 
LVL 4

Expert Comment

by:mgpremkumar
ID: 38817731
Running with one domain controller is risky, as if it goes down there are no other servers to take over the role, which means there will be hours or probably days of downtime depending on the scenario.

If the DNS is down then the AD cannot function as well, and hence having an additional DNS server becomes necessary.

You also have DHCP. This service can also be installed and authorized on the second server. You can then back up the DHCP configuration and restore it on the second server when necessary.

You can also move all the roles to the second server as and when required and put the first server in maintenance without impacting business, or work after business hours. Also, doing maintenance activities during business hours means you would have people in the office for any help required, as opposed to working after hours when everyone is away.

Of course all this comes with extra cost, but I think the benefits that it provides would justify the cost.
0
 
LVL 26

Expert Comment

by:DrDave242
ID: 38819320
Looking back at my previous post, I see I forgot to state that bringing up a second DC/DNS server in the domain is the ideal solution here.  Then you've got redundancy for AD as well as DNS, so domain operations and Internet access don't get interrupted if one box goes down.

Also, if you set your secondary DNS server to the ISP, and you query an internal server such as hostname.domain.local, chances are the ISP DNS will simply not return anything because there probably aren't any authoritative NS servers on the Internet for your domain and you won't cache anything for your local domain.
The ISP server won't return nothing, though; it'll return an NXDOMAIN response (basically, "record not found"), and that response will be cached on the client.  (I believe negative responses get cached for five minutes by default, but this is configurable via the registry.)  Further queries by that client for that same record won't even hit a DNS server until the cached record expires or the cache is flushed.

Internet > No Internet. Bottom line. I think your boss, CEO, owner of the company would much rather be able to get to the Internet.
If it's that important to him to get to Facebook/Reddit/imgur when the server is down, he'll spring for a second server.  :)
0
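Added example, not from the thread: a small Python model of the client-side behaviour DrDave242 describes in the accepted answer and the follow-up above (fail-over to the alternate server, no automatic fail-back, and NXDOMAIN responses cached for five minutes). Server names, addresses, zone data and the positive TTL are constructed for the model.

```python
from dataclasses import dataclass, field
NEG_CACHE_TTL = 300  # the five-minute negative-cache default the thread cites (model constant)
POS_CACHE_TTL = 60   # constructed short TTL so the outage lands after the positive entry expires

class DnsServer:
    def __init__(self, name, zone, up=True):
        self.name, self.zone, self.up = name, zone, up
    def query(self, qname):
        return None if not self.up else self.zone.get(qname, "NXDOMAIN")  # None = timeout

@dataclass
class StubResolver:
    servers: list                               # preferred first, then alternate
    cache: dict = field(default_factory=dict)   # qname -> (answer, expiry time)
    current: int = 0                            # server in use; never reset on its own
    log: list = field(default_factory=list)

    def resolve(self, qname, now):
        hit = self.cache.get(qname)
        if hit and hit[1] > now:   # negative answers are cached just like positive ones
            self.log.append(f"t={now:>3}: {qname} -> {hit[0]} (cached, no server asked)")
            return hit[0]
        order = self.servers[self.current:] + self.servers[:self.current]
        for srv in order:
            ans = srv.query(qname)
            if ans is not None:
                self.current = self.servers.index(srv)   # sticks with whoever answered
                ttl = NEG_CACHE_TTL if ans == "NXDOMAIN" else POS_CACHE_TTL
                self.cache[qname] = (ans, now + ttl)
                self.log.append(f"t={now:>3}: {qname} -> {ans} from {srv.name}")
                return ans
        self.log.append(f"t={now:>3}: {qname} -> no response")
        return None

def scenario(public_alternate):
    """Resolve an internal name before, during and after a short DC outage."""
    dc = DnsServer("dc01", {"fileserver.corp.local": "10.0.0.5"})
    isp = DnsServer("isp-dns", {"www.example.com": "203.0.113.10"})  # knows nothing internal
    client = StubResolver([dc, isp] if public_alternate else [dc])
    answers = [client.resolve("fileserver.corp.local", 0)]
    dc.up = False                                              # DC briefly unreachable
    answers.append(client.resolve("fileserver.corp.local", 70))
    dc.up = True                                               # DC back; client doesn't notice
    answers.append(client.resolve("fileserver.corp.local", 80))
    answers.append(client.resolve("fileserver.corp.local", 400))  # negative entry has expired
    return client, answers

if __name__ == "__main__":
    for public in (True, False):
        client, _ = scenario(public)
        print(f"alternate = {'ISP' if public else 'none'}:\n  " + "\n  ".join(client.log))
```

With the ISP alternate the client keeps answering NXDOMAIN for the internal name long after the DC is back; with no alternate it only fails while the DC is actually down.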
 

Author Comment

by:limeleap
ID: 38828853
Thanks for the responses.  While I set up multiple DCs on larger networks including my own, a second server is not an option in this scenario.  Small businesses with only a few users won't tolerate the associated costs.
0
