Solved

DNS questions on 2008 R2 server core

Posted on 2014-07-27
503 Views
Last Modified: 2014-07-30
Hi all,
I am in the process of changing the current DNS strategy at work. We currently use AD-integrated DNS. The AD DNS servers all use configured forwarders, which are a couple of Linux virtual servers that, despite having external-facing IP addresses, are VMs sitting inside a production VMware stack, so hopefully it is obvious to you why the change is being recommended.
Clients are issued 2 Active Directory DNS servers via DHCP scopes. All AD DNS servers currently point to the virtual forwarders, which are being discontinued.
A couple of little points I want to engage you experts on.

1. We do not have the budget to pay an external ISP for DNS queries, so I have 2 choices. I am installing 2 Server Core 2008 R2 machines into the DMZ, but I can't decide whether to allow the servers to use root hints (if I do, I don't need to configure any zones, is that right?) or to configure them to use Google 8.8.8.8 and 8.8.4.4. It just doesn't seem right to be using Google. Do lots of companies use Google? I have not come across a company before that does not have its own ISP. Also, I hear that the root hints are subject to change, so I'm wondering whether using them will cause me more issues down the line.

I have one last question. I want to allow TCP 53 from the 2 servers through the firewall to my internal AD DNS servers. I'm doing this because I'm reading more and more that it's required with IPv6 and DNSSEC, and also that if a host can't be resolved using UDP 53 it will then try TCP 53. Here is my question: if I'm not setting up any zones on the external DNS servers, I don't need to worry about limiting zone transfers between hosts? I guess I'm asking the same question as above, in that am I right that I don't need any zones if all the servers are doing is resolving DNS queries to external resources?
If you are still reading this, then many thanks :)
Question by:Jason Thomas
2 Comments
LVL 36

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40222858
You are right.

You don't have to set up any DNS zones on caching-only DNS servers; their duty is to cache any name lookups they did and store them in cache so that it saves time when resolving repeated name-resolution queries.

You can either use forwarders or root hints, but not both at the same time; what I mean is, if you don't have a forwarder set, you don't have any option other than using root hints.
http://technet.microsoft.com/en-us/library/cc302677.aspx

The difference between the two:
If you use forwarders, your caching-only DNS server will make a recursive query to the forwarder DNS, meaning it will ask the forwarder DNS server for a confirmed answer, and it is the duty of the forwarder server to make any iterative queries to root servers / top-level DNS servers out on the internet to get resolution.
If your forwarders are unavailable, the DNS server can use root hints (the setting is available in the DNS Forwarders tab).

If you don't have forwarder servers, you are forced to use root hints, where your caching-only server has to make iterative queries to the root servers / top-level domain DNS servers on the internet through root hints.

Hence using forwarders is the best option, in my understanding.

Also, you don't have to open port 53 from the caching-only servers to the internal servers, because all queries will be initiated by the internal DNS servers and not by the caching-only servers; in short, the caching-only servers will never make any queries to the internal DNS servers, they will just answer queries raised by the internal DNS servers.

You can try the below:
Use a tool (NameBench) to identify fast public DNS servers for your location.
Then configure those server IPs as forwarders on your caching-only DNS server and check how they work.

Mahesh.
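The question raises the UDP-to-TCP fallback on port 53 and the answer contrasts recursive queries (sent to a forwarder) with iterative ones (sent to the root servers). The following added example, which is not code from either poster, shows those two wire-level details directly: it builds a DNS query with or without the RD (recursion desired) flag, parses the response header, and retries over TCP with the 2-byte length prefix only when the UDP reply comes back with the TC (truncated) bit set. The replies used in the offline demo are constructed in the script, not captured from a real server; the `udp_transport`/`tcp_transport` helpers are included for anyone who wants to point it at a real resolver.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
QR = 0x8000  # response (1) vs query (0)
TC = 0x0200  # truncated: the reply did not fit in the UDP datagram
RD = 0x0100  # recursion desired: set for a query to a forwarder, clear for iterative queries
RA = 0x0080  # recursion available: set by a server willing to recurse


def encode_name(name):
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, recursion_desired=True, txid=0x1234):
    """Build a single-question DNS query (qtype 1 = A record)."""
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Return the 12-byte DNS header as a dict of the fields we care about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "response": bool(flags & QR),
        "truncated": bool(flags & TC),
        "recursion_desired": bool(flags & RD),
        "recursion_available": bool(flags & RA),
        "rcode": flags & 0x000F,
        "questions": qd, "answers": an, "authority": ns, "additional": ar,
    }


def frame_for_tcp(msg):
    """DNS over TCP prefixes every message with its length as a 2-byte big-endian integer."""
    return struct.pack("!H", len(msg)) + msg


def query_with_fallback(query, send_udp, send_tcp):
    """Send over UDP first; retry over TCP only if the reply is truncated.

    Returns (transport_used, reply_bytes). Transports are injected so the
    logic can be exercised offline with constructed replies.
    """
    reply = send_udp(query)
    hdr = parse_header(reply)
    if hdr["id"] != parse_header(query)["id"]:
        raise ValueError("transaction id mismatch: possible spoofed or stale reply")
    if not hdr["truncated"]:
        return "udp", reply
    return "tcp", send_tcp(query)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def udp_transport(server, port=53, timeout=3.0):
    """Real UDP/53 transport (unused by the offline demo below)."""
    def send(msg):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(msg, (server, port))
            return s.recv(4096)
    return send


def tcp_transport(server, port=53, timeout=3.0):
    """Real TCP/53 transport: length-prefixed request, length-prefixed reply."""
    def send(msg):
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(frame_for_tcp(msg))
            length = struct.unpack("!H", _recv_exact(s, 2))[0]
            return _recv_exact(s, length)
    return send


# Constructed replies for the offline demo (header-only, not from a real server).
def fake_udp_truncated(query):
    txid = parse_header(query)["id"]
    return struct.pack("!HHHHHH", txid, QR | TC | RD, 1, 0, 0, 0) + query[12:]


def fake_tcp_complete(query):
    txid = parse_header(query)["id"]
    return struct.pack("!HHHHHH", txid, QR | RD | RA, 1, 0, 0, 0) + query[12:]


if __name__ == "__main__":
    q = build_query("example.com", recursion_desired=True)
    used, reply = query_with_fallback(q, fake_udp_truncated, fake_tcp_complete)
    print(used, parse_header(reply))
```

The RD bit is the concrete difference between the two designs discussed in the answer: a caching-only server sends RD=1 to a forwarder and expects a complete answer, whereas with root hints it sends RD=0 and walks the hierarchy itself. The transaction-ID check is the minimum a resolver should do before accepting any UDP reply.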
LVL 1

Author Closing Comment

by:Jason Thomas
ID: 40228625
Thank you.