Solved

Authoritative DNS Servers at Main and DR Site Advice

Posted on 2015-02-12
93 Views
Last Modified: 2015-02-15
We use our own authoritative DNS Servers, 4 of them (the maximum).  Our Main site (3 DNS servers there), and a DR site (1 DNS server there).  The DR site authoritative DNS server is kept disabled (but would be enabled in the event of an unlikely DR situation).

The DR site DNS server is the "last" (highest) host name in the list.  They are NS1, NS2, NS3, and NS4 (NS4 is the DR site DNS server).

We have used this arrangement for many years.

Recently, I had a cranky new customer notify me that some of their DNS queries had gone to the DR site DNS server, and it was taking "too long" for their needs, as their DNS query would time out with no response (well of course, since that DNS server is disabled).  He said that Windows normally uses the last DNS server first (in which I really didn't believe), and then he later said it was round-robin (a more plausible possibility I guess).

I guess it would be nice to perhaps find a little better approach to this, but without doing a lot of changes in terms of the total general design.  Maybe a nice tweak at the DR site, perhaps.  Having that DR site DNS server timeout is an issue I guess, in general, although for a long time no one else has said anything about it.

We use Barracuda Link Balancers for this process.  They have a firewall in them, and the authoritative DNS servers.

Thoughts anyone?
Question by:racone
4 Comments
LVL 70

Expert Comment

by:Chris Dent
ID: 40607560
Presumably NS4 gives out different answers to NS1, 2 and 3 to support your DR mode?

> He said that Windows normally uses the last DNS server first (in which I really didn't believe)

I like it, fantastically unsubstantiated :)

> and then he later said it was round-robin (a more plausible possibility I guess).

This is true, loose NS record load-balancing. However a reasonable DNS server won't die unless all NS records fail to respond, that's the point of being able to publish multiple after all.

Many DNS server implementations (unsubstantiated too) use the first Name Server in the list where the list is returned using Round Robin ordering. Larger services may choose to optimize name server selection based on response times, but this is generally limited to very large name servers (root, extremely popular domains, etc).

Having a (mostly) permanent lame name server isn't, perhaps, entirely ideal. But it shouldn't cause failure unless all of the other name servers have also failed.

This method is discussed in RFC 1034 5.3.3.

https://www.ietf.org/rfc/rfc1034.txt

2 and 3 are a short loop to attempt to locate an answer and will happily deal with an unresponsive name server (such as your DR server when all is well).

Chris
LVL 1

Author Comment

by:racone
ID: 40610987
Thanks for the reply!

In our networking equipment, we can disable a domain from replying to name service queries.  This is what we do at the DR site.  I did ask for a feature request to have another option to simply have some empty response rather than no response.  This would help with clients having to time out on their name service requests to the DR site server.  Your thoughts?  Curious, what would be the best "empty response" a name server could do so it acts like it has no information, and the client would move on to the next name server?  Thanks!
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 40611028
No response is better than an empty response. None will make a requesting iterative resolver ask other name servers. An empty response will be treated as authoritative and will stop resolution there.

Chris
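To make the two points in this thread concrete (the RFC 1034 section 5.3.3 "try the next server" loop from the first comment, and the accepted answer's "no response beats an empty response"), here is an added example that is not code from the thread, from Experts Exchange, or from Barracuda. It is a toy iterative resolver run against the four-server layout the asker describes: three healthy authoritative servers plus a DR server that either stays silent or hands back an authoritative empty answer. Server names `ns1`..`ns4`, the zone content, the rotation used to model the customer's round-robin observation, and the latency figures are all constructed for the example.

```python
# Added example, not code from the thread: a toy model of the RFC 1034 section 5.3.3
# resolver loop (pick a name server, send, on no response try the next one, stop at an
# authoritative answer) applied to the four-server layout described in the question.
# Server names, zone data, rotation and latencies are constructed for the example.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

NS_LIST = ["ns1", "ns2", "ns3", "ns4"]   # ns4 is the DR-site server
TIMEOUT_SECONDS = 2.0                     # constructed cost of one unanswered query
RTT_SECONDS = 0.02                        # constructed cost of one answered query


@dataclass
class Reply:
    rcode: str            # "NOERROR" or "NXDOMAIN"
    authoritative: bool   # AA bit set
    records: List[str]    # answer section, possibly empty (NODATA)


# A server is a callable returning a Reply, or None when the query goes unanswered.
Server = Callable[[str, str], Optional[Reply]]

ZONE = {("www.example.com", "A"): ["192.0.2.10"]}   # constructed zone content


def authoritative(qname: str, qtype: str) -> Optional[Reply]:
    """A healthy authoritative server (ns1..ns3)."""
    if (qname, qtype) in ZONE:
        return Reply("NOERROR", True, ZONE[(qname, qtype)])
    if any(name == qname for name, _ in ZONE):
        return Reply("NOERROR", True, [])     # name exists, no data of that type
    return Reply("NXDOMAIN", True, [])


def silent(qname: str, qtype: str) -> Optional[Reply]:
    """The disabled DR server: never answers, so the client times out."""
    return None


def empty(qname: str, qtype: str) -> Optional[Reply]:
    """The 'empty response' the asker considered: authoritative but answerless."""
    return Reply("NOERROR", True, [])


class Resolver:
    """Minimal iterative resolver following the RFC 1034 5.3.3 server-selection loop."""

    def __init__(self, servers: Dict[str, Server]):
        self.servers = servers
        self.timeouts = {name: 0 for name in servers}   # per-server history (step 2)
        self.rotation = 0

    def _order(self, ns_list: List[str]) -> List[str]:
        # Model the loose round-robin ordering the customer reported: each query starts
        # at the next NS in the list. Servers with a bad history are then pushed to the
        # back, standing in for the per-server statistics RFC 1034 tells resolvers to keep.
        start = self.rotation % len(ns_list)
        self.rotation += 1
        rotated = ns_list[start:] + ns_list[:start]
        return sorted(rotated, key=lambda name: self.timeouts[name])   # stable sort

    def resolve(self, qname: str, qtype: str,
                ns_list: List[str]) -> Tuple[Optional[Reply], List[str], float]:
        """Return (reply or None, servers tried in order, seconds spent)."""
        tried: List[str] = []
        elapsed = 0.0
        for name in self._order(ns_list):
            tried.append(name)
            reply = self.servers[name](qname, qtype)
            if reply is None:
                # Step 3: no response, so note it and move on to the next server.
                self.timeouts[name] += 1
                elapsed += TIMEOUT_SECONDS
                continue
            elapsed += RTT_SECONDS
            if reply.authoritative:
                # Any authoritative reply, including an empty one, ends the search.
                return reply, tried, elapsed
            # A real resolver would follow referrals here; this model has none.
        return None, tried, elapsed


def run(dr_server: Server, queries: int = 8):
    """Issue `queries` lookups against ns1..ns3 plus the given DR-server behaviour."""
    servers = {"ns1": authoritative, "ns2": authoritative,
               "ns3": authoritative, "ns4": dr_server}
    resolver = Resolver(servers)
    return [resolver.resolve("www.example.com", "A", NS_LIST) for _ in range(queries)]


def scenario_silent_dr():
    return run(silent)


def scenario_empty_dr():
    return run(empty)


if __name__ == "__main__":
    for label, results in (("silent DR server", scenario_silent_dr()),
                           ("empty-answer DR server", scenario_empty_dr())):
        print(label)
        for reply, tried, elapsed in results:
            print(f"  tried={tried} answer={reply.records} elapsed={elapsed:.2f}s")
```

With the silent DR server, the one query that happens to start at `ns4` pays the timeout and then gets the right answer from `ns1`; afterwards the resolver's history keeps `ns4` at the back and no later query touches it. With the empty-answer DR server, every query that starts at `ns4` stops there with an empty, authoritative-looking answer and never asks the healthy servers, which is the failure mode the accepted answer warns about.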
LVL 1

Author Closing Comment

by:racone
ID: 40611479
Excellent responses!
