Solved

Authoritative DNS Servers at Main and DR Site Advice

Posted on 2015-02-12
Last Modified: 2015-02-15
We use our own authoritative DNS Servers, 4 of them (the maximum).  Our Main site (3 DNS servers there), and a DR site (1 DNS server there).  The DR site authoritative DNS server is kept disabled (but would be enabled in the event of an unlikely DR situation).

The DR site DNS server is the "last" (highest) host name in the list.  They are NS1, NS2, NS3, and NS4 (NS4 is the DR site DNS server).

We have used this arrangement for many years.

Recently, I had a cranky new customer notify me that some of their DNS queries had gone to the DR site DNS server, and it was taking "too long" for their needs, as their DNS query would time out with no response (well of course, since that DNS server is disabled).  He said that Windows normally uses the last DNS server first (which I really didn't believe), and then he later said it was round-robin (a more plausible possibility I guess).

I guess it would be nice to perhaps find a little better approach to this, but without doing a lot of changes in terms of the total general design.  Maybe a nice tweak at the DR site, perhaps.  Having that DR site DNS server timeout is an issue I guess, in general, although for a long time no one else has said anything about it.

We use Barracuda Link Balancers for this process.  They have a firewall in them, and the authoritative DNS servers.

Thoughts anyone?
Question by:racone
4 Comments
 
LVL 70

Expert Comment

by:Chris Dent
ID: 40607560
Presumably NS4 gives out different answers to NS1, 2 and 3 to support your DR mode?

> He said that Windows normally uses the last DNS server first (in which I really didn't believe)

I like it, fantastically unsubstantiated :)

> and then he later said it was round-robin (a more plausible possibility I guess).

This is true, loose NS record load-balancing. However, a reasonable DNS server won't die unless all NS records fail to respond; that's the point of being able to publish multiple, after all.

Many DNS server implementations (unsubstantiated too) use the first Name Server in the list where the list is returned using Round Robin ordering. Larger services may choose to optimize name server selection based on response times, but this is generally limited to very large name servers (root, extremely popular domains, etc).

Having a (mostly) permanent lame name server isn't, perhaps, entirely ideal. But it shouldn't cause failure unless all of the other name servers have also failed.

This method is discussed in RFC 1034 5.3.3.

https://www.ietf.org/rfc/rfc1034.txt

2 and 3 are a short loop to attempt to locate an answer and will happily deal with an unresponsive name server (such as your DR server when all is well).

Chris
 
LVL 1

Author Comment

by:racone
ID: 40610987
Thanks for the reply!

In our networking equipment, we can disable a domain from replying to name service queries.  This is what we do at the DR site.  I did ask for a feature request to have another option to simply have some empty response rather than no response.  This would help with clients having to time out on their name service requests to the DR site server.  Your thoughts?  Curious, what would be the best "empty response" a name server could do so it acts like it has no information, and the client would move on to the next name server?  Thanks!
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 40611028
No response is better than an empty response. None will make a requesting iterative resolver ask other name servers. An empty response will be treated as authoritative and will stop resolution there.

Chris
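To illustrate the two points Chris makes above (the RFC 1034 5.3.3 retry loop that skips an unresponsive name server, and why an empty authoritative reply is worse than no reply), here is an added Python simulation of an iterative resolver; it is not part of the original thread or of any Barracuda product, and the server states, the 2 s timeout and the 198.51.100.10 address are constructed stand-ins.

```python
from dataclasses import dataclass, field

@dataclass
class Answer:
    """Constructed stand-in for a DNS reply from one name server."""
    rcode: str                                   # "NOERROR" or "NXDOMAIN"
    records: list = field(default_factory=list)  # answer RRs; [] + NOERROR = NODATA
    aa: bool = True                              # Authoritative Answer flag

# Constructed state of the four name servers from the question.  None models
# "no response at all" (the query times out); 198.51.100.10 is an RFC 5737
# documentation address standing in for the real record.
NORMAL = Answer("NOERROR", ["198.51.100.10"])
SERVERS_DR_SILENT = {"ns1": NORMAL, "ns2": NORMAL, "ns3": NORMAL, "ns4": None}
SERVERS_DR_EMPTY = {"ns1": NORMAL, "ns2": NORMAL, "ns3": NORMAL,
                    "ns4": Answer("NOERROR", [])}   # the proposed "empty response"

def resolve(servers, order, timeout_s=2.0):
    """Model the RFC 1034 5.3.3 loop of an iterative resolver: query name
    servers in the given order, move on after a timeout, and stop at the
    first authoritative answer, even an empty one.
    Returns (answer_or_None, servers_tried, seconds_spent_waiting)."""
    tried, waited = [], 0.0
    for ns in order:
        tried.append(ns)
        reply = servers[ns]
        if reply is None:            # timeout: charge the wait, try the next NS
            waited += timeout_s
            continue
        if reply.aa:                 # authoritative reply ends resolution here
            return reply, tried, waited
    return None, tried, waited       # every name server failed (SERVFAIL)

def rotate(order, k):
    """Loose round-robin: the NS list as handed out starting at position k."""
    return order[k:] + order[:k]

def compare_dr_modes():
    """Worst case for the customer: the rotated NS list puts NS4 first."""
    order = rotate(["ns1", "ns2", "ns3", "ns4"], 3)
    return {"silent": resolve(SERVERS_DR_SILENT, order),
            "empty": resolve(SERVERS_DR_EMPTY, order)}

if __name__ == "__main__":
    for mode, (ans, tried, waited) in compare_dr_modes().items():
        recs = ans.records if ans else None
        print(f"{mode:6s} tried={tried} waited={waited}s records={recs}")
```

With NS4 silent the resolver pays one timeout and then gets the real record from NS1; with NS4 answering "empty" it stops at NS4 and hands the client an authoritative NODATA, which is the outcome the accepted answer warns about.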
 
LVL 1

Author Closing Comment

by:racone
ID: 40611479
Excellent responses!