Solved

Authoritative DNS Servers at Main and DR Site Advice

Posted on 2015-02-12
4
97 Views
Last Modified: 2015-02-15
We use our own authoritative DNS Servers, 4 of them (the maximum).  Our Main site (3 DNS servers there), and a DR site (1 DNS server there).  The DR site authoritative DNS server is kept disabled (but would be enabled in the event of an unlikely DR situation).

The DR site DNS server is the "last" (highest) host name in the list.  They are NS1, NS2, NS3, and NS4 (NS4 is the DR site DNS server).

We have used this arrangement for many years.

Recently, I had a cranky new customer notify me that some of their DNS queries had went to the DR site DNS server, and it was taking "too long" for their needs, as their DNS query would timeout with no response (well of course, since that DNS server is disabled).  He said that Windows normally uses the last DNS server first (in which I really didn't believe), and then he later said it was round-robin (a more plausible possibility I guess).  

I guess it would be nice to perhaps find a little better approach to this, but without doing a lot of changes in terms of the total general design.  Maybe a nice tweak at the DR site, perhaps.  Having that DR site DNS server timeout is an issue I guess, in general, although for a long time no one else has said anything about it.

We use Barracuda Link Ba lancers for this process.  They have a firewall in them, and the authoritative DNS servers.

Thoughts anyone?
0
Comment
Question by:racone
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 40607560
Presumably NS4 gives out different answers to NS1, 2 and 3 to support your DR mode?

> He said that Windows normally uses the last DNS server first (in which I really didn't believe)

I like it, fantastically unsubstantiated :)

> and then he later said it was round-robin (a more plausible possibility I guess).

This is true, loose NS record load-balancing. However a reasonable DNS server won't die unless all NS records fail to respond, that's the point of being able to publish multiple after all.

Many DNS server implementations (unsubstantiated too) use the first Name Server in the list where the list is returned using Round Robin ordering. Larger services may choose to optimize name server selection based on a response times, but this is generally limited to very large name servers (root, extremely popular domains, etc).

Having a (mostly) permanent lame name server isn't, perhaps, entirely ideal. But it shouldn't cause failure unless all of the other name servers have also failed.

This method is discussed in RFC 1034 5.3.3.

https://www.ietf.org/rfc/rfc1034.txt

2 and 3 are a short loop to attempt to locate an answer and will happily deal with an unresponsive name server (such as your DR server when all is well).

Chris
0
 
LVL 1

Author Comment

by:racone
ID: 40610987
Thanks for the reply!

In our networking equipment, we can disable a domain from replying to name service queries.  This is what we do at the DR site.  I did ask for a feature request to have another option to simply have some empty response rather than no respone.  This would help with clients having to time out on their name service requests to the DR site server.  Your thoughts?  Curious, what would be the best "empty response" a name server could do so it acts like it has no information, and the client would move on to the next name server?  Thanks!
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 40611028
No response is better than an empty response. None will make a requesting iterative resolver ask other name servers. An empty response will be treated as authoritative and will stop resolution there.

Chris
0
 
LVL 1

Author Closing Comment

by:racone
ID: 40611479
Excellent responses!
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I've written instructions for one router type, but this principle may be useful for others of the same brand and even other brands of router. Problem: I had an issue especially with mobile devices that refused to use DNS information supplied via…
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question