Solved

DNS questions on 2008 R2 server core

Posted on 2014-07-27
2
506 Views
Last Modified: 2014-07-30
Hi all,
I am in the process of changing the current DNS strategy at work. We currently use AD DNS integrated services. The AD-integrated DNS servers all use configured forwarders, which are a couple of Linux virtual servers that, despite having an external-facing IP address, are currently VMs sitting inside a production VMware stack, so hopefully it will be obvious to you why the change is being recommended.
Clients are issued 2 Active Directory DNS servers via DHCP scopes. All AD DNS servers are currently pointing to the virtual forwarders, which are being discontinued.
Couple of little points I want to engage you experts in.

1. We do not have the budget to pay for an external ISP for DNS queries, so I have 2 choices. I am installing 2 Server Core 2008 R2 boxes into the DMZ but I can't decide whether to allow the servers to use root hints (if I do, I don't need to configure any zones, is that right?) or configure them to use Google 8.8.8.8 and 8.8.4.4. It just doesn't seem right to be using Google. Do lots of companies use Google? I have not come across a company before that does not have their own ISP. Also, I hear that the root hints are subject to change and so I'm wondering whether, if I use them, it will cause me more issues down the line.

I have one last question. I want to allow TCP 53 from the 2 servers through the firewall to my internal AD DNS servers. I'm doing this because I'm reading more and more that it's required with IPv6 and DNSSEC, and also that if a host can't be resolved using UDP 53 it will then try TCP 53. Here is my question: if I'm not setting up any zones on the external DNS servers, I don't need to worry about limiting zone transfers between hosts? I guess I'm asking the same question as above, in that am I right that I don't need any zones if all the servers are doing is resolving DNS queries to external resources?
If you are still reading this then many thanks :)
0
Question by:Jason Thomas
2 Comments
 
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40222858
You are right.

You don't have to set up any DNS zones on caching-only DNS servers; their duty is to cache any name lookups they did and store them in the cache so that it saves time when resolving repeated name resolution queries.

You can either use forwarders or root hints, but not both at the same time. What I mean is, if you don't have a forwarder set, you don't have any option other than using root hints.
http://technet.microsoft.com/en-us/library/cc302677.aspx

The difference between the two:
If you use forwarders, your caching-only DNS server will make a recursive query to the forwarder DNS, meaning it will ask the forwarder DNS server for a confirmed answer, and it is the duty of the forwarder server to make any iterative queries to root servers \ top-level DNS servers out on the internet to get resolution.
If your forwarders are unavailable, the DNS server can use root hints (the setting is available in the DNS forwarders tab).

If you don't have forwarder servers, you are forced to use root hints, where your caching-only server has to make iterative queries to root servers \ top-level domain DNS servers on the internet through root hints.

Hence using forwarders is the best option in my understanding.

Also, you don't have to open port 53 from the caching-only servers to the internal servers, because all queries will be initiated by the internal DNS servers and not by the caching-only servers. In short, the caching-only servers will never make any queries to the internal DNS servers; they will just answer queries raised by the internal DNS servers.

You can try the below:
Use a tool (NameBench) to identify fast public DNS servers for your location.
Then configure those server IPs as forwarders on your caching-only DNS server and check how they work.

Mahesh.
0
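The setup Mahesh describes (a caching-only resolver with forwarders, root hints only as fallback, no zones, and port 53 opened only in the internal-to-DMZ direction) can be scripted on a 2008 R2 Server Core box with dnscmd and netsh, since the DnsServer PowerShell module does not exist until Server 2012. The script below is an added example, not code from the thread or from either participant. The internal AD DNS addresses (10.0.0.10, 10.0.0.11) are placeholders to replace with your own; the forwarders are the 8.8.8.8 / 8.8.4.4 pair the question mentions. The firewall rule group name "DNS Service" is the predefined group as shown on 2008 R2 and should be checked on your build with the `show rule` command in the last step.

```batch
@echo off
rem Added example (not from the original thread): caching-only DNS resolver on
rem Windows Server 2008 R2 Server Core in the DMZ, configured with dnscmd/netsh.
rem Placeholder values, replace with your own:
set INTERNAL_DNS=10.0.0.10,10.0.0.11
set FORWARDERS=8.8.8.8 8.8.4.4

rem 1. Install the DNS Server role (Server Core has no Server Manager GUI).
start /w ocsetup DNS-Server-Core-Role

rem 2. Forwarders first; /NoSlave keeps root-hint recursion as the fallback when the
rem    forwarders do not answer within /Timeout seconds (the "forwarders tab" setting).
dnscmd . /ResetForwarders %FORWARDERS% /Timeout 3 /NoSlave

rem 3. Cache hygiene: only cache records the answering server is authoritative for
rem    (limits cache pollution) and cap how long positive/negative answers are kept.
dnscmd . /Config /SecureResponses 1
dnscmd . /Config /MaxCacheTtl 86400
dnscmd . /Config /MaxNegativeCacheTtl 900

rem 4. No zones are created on a caching-only server, so there is nothing to zone-transfer.
rem    The listing should show none of your own zones, only auto-created reverse zones.
dnscmd . /EnumZones

rem 5. Do not be an open resolver: disable the role's built-in "allow from anywhere" rules
rem    and allow UDP/TCP 53 inbound only from the internal AD DNS servers. TCP is included
rem    because a truncated UDP answer makes the internal server retry over TCP 53.
netsh advfirewall firewall set rule group="DNS Service" new enable=no
netsh advfirewall firewall add rule name="DNS UDP from internal resolvers" dir=in action=allow protocol=UDP localport=53 remoteip=%INTERNAL_DNS%
netsh advfirewall firewall add rule name="DNS TCP from internal resolvers" dir=in action=allow protocol=TCP localport=53 remoteip=%INTERNAL_DNS%

rem 6. Verify: settings, firewall rules, and a resolution through the local service.
dnscmd . /Info
netsh advfirewall firewall show rule name=all | findstr /i "DNS"
nslookup -type=A www.example.com 127.0.0.1
```

Run the script once on each DMZ resolver, then point the forwarders of the internal AD DNS servers at the two DMZ addresses. Outbound from the DMZ box, the firewall needs UDP and TCP 53 to the forwarders (and to the root servers if the fallback is ever exercised); nothing needs to be opened from the DMZ resolver back to the internal DNS servers, since the DMZ box never initiates queries toward them.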
 
LVL 1

Author Closing Comment

by:Jason Thomas
ID: 40228625
Thank you.
0
