Improve company productivity with a Business Account.Sign Up

x
?
Solved

Authoritative DNS Servers at Main and DR Site Advice

Posted on 2015-02-12
4
Medium Priority
?
104 Views
Last Modified: 2015-02-15
We use our own authoritative DNS Servers, 4 of them (the maximum).  Our Main site (3 DNS servers there), and a DR site (1 DNS server there).  The DR site authoritative DNS server is kept disabled (but would be enabled in the event of an unlikely DR situation).

The DR site DNS server is the "last" (highest) host name in the list.  They are NS1, NS2, NS3, and NS4 (NS4 is the DR site DNS server).

We have used this arrangement for many years.

Recently, I had a cranky new customer notify me that some of their DNS queries had went to the DR site DNS server, and it was taking "too long" for their needs, as their DNS query would timeout with no response (well of course, since that DNS server is disabled).  He said that Windows normally uses the last DNS server first (in which I really didn't believe), and then he later said it was round-robin (a more plausible possibility I guess).  

I guess it would be nice to perhaps find a little better approach to this, but without doing a lot of changes in terms of the total general design.  Maybe a nice tweak at the DR site, perhaps.  Having that DR site DNS server timeout is an issue I guess, in general, although for a long time no one else has said anything about it.

We use Barracuda Link Ba lancers for this process.  They have a firewall in them, and the authoritative DNS servers.

Thoughts anyone?
0
Comment
Question by:racone
  • 2
  • 2
4 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 40607560
Presumably NS4 gives out different answers to NS1, 2 and 3 to support your DR mode?

> He said that Windows normally uses the last DNS server first (in which I really didn't believe)

I like it, fantastically unsubstantiated :)

> and then he later said it was round-robin (a more plausible possibility I guess).

This is true, loose NS record load-balancing. However a reasonable DNS server won't die unless all NS records fail to respond, that's the point of being able to publish multiple after all.

Many DNS server implementations (unsubstantiated too) use the first Name Server in the list where the list is returned using Round Robin ordering. Larger services may choose to optimize name server selection based on a response times, but this is generally limited to very large name servers (root, extremely popular domains, etc).

Having a (mostly) permanent lame name server isn't, perhaps, entirely ideal. But it shouldn't cause failure unless all of the other name servers have also failed.

This method is discussed in RFC 1034 5.3.3.

https://www.ietf.org/rfc/rfc1034.txt

2 and 3 are a short loop to attempt to locate an answer and will happily deal with an unresponsive name server (such as your DR server when all is well).

Chris
0
 
LVL 1

Author Comment

by:racone
ID: 40610987
Thanks for the reply!

In our networking equipment, we can disable a domain from replying to name service queries.  This is what we do at the DR site.  I did ask for a feature request to have another option to simply have some empty response rather than no respone.  This would help with clients having to time out on their name service requests to the DR site server.  Your thoughts?  Curious, what would be the best "empty response" a name server could do so it acts like it has no information, and the client would move on to the next name server?  Thanks!
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 40611028
No response is better than an empty response. None will make a requesting iterative resolver ask other name servers. An empty response will be treated as authoritative and will stop resolution there.

Chris
0
 
LVL 1

Author Closing Comment

by:racone
ID: 40611479
Excellent responses!
0

Featured Post

Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

This article will help to fix the below errors for MS Exchange Server 2016 I. Certificate error "name on the security certificate is invalid or does not match the name of the site" II. Out of Office not working III. Make Internal URLs and Externa…
This installment of Make It Better gives Media Temple customers the latest news, plugins, and tutorials to make their VPS hosting experience that much smoother.
If you are looking for an automated solution for backup single or multiple Office 365 user mailboxes to Outlook data file, then you can use Kernel Office 365 Backup & Restore tool. Go through the video to check out the steps to backup single or mult…
Did you know PowerShell can save you time with SaaS platforms? Simply leverage RESTfulAPIs to build your own PowerShell modules. These will kill repetitive tickets and tabs, using the command Invoke-RestMethod. Tune into this webinar to learn how…

608 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question