Solved

Creating Forward Lookup zones on Windows DNS server

Posted on 2015-02-17
Last Modified: 2015-02-24
Hello Experts,

I am following these steps for setting up a DNS server on Windows 2008 R2:

What you need to do is the following...(high level steps)
- Leave the DNS server on a workgroup - DONE
- Change the DNS suffix on the machine to the same as your AD domain - DONE
- Create the zones on the DNS server
*** I am unclear about this step. I went through the wizard and created the default Forward Lookup zone with (SOA) and (NS). Do I need to configure it further??? ***

- Configure root hints and add your domain controller to it
*** What does this mean exactly and how do you do it ? ***

- Restart your DNS server
- Point a client to the new DNS server and test it
- Add your internet DNS settings under the forwarder on the new DNS server
*** I know I want all sites on the Internet to resolve on this DNS server before going to client but how do you do this for all sites on the Internet?? ***

Thanks!
Question by:Saxitalis
15 Comments
 
LVL 70

Assisted Solution

by:Chris Dent
Chris Dent earned 72 total points
ID: 40616563
> Create the zones on the DNS server

What's the zone going to be used for? You might configure dynamic updates if you wish records to be added automatically.

Otherwise you're likely to want to add more of your own records, as otherwise it's not doing very much.

> Configure root hints and add your domain controller to it

Yeah, I'm not clear why you would want to do that.

Root Hints is there by default and used if you don't configure Forwarders. Whether you need to do anything with that depends on your reason for running a DNS server.

However, I cannot see why you would possibly want to add a single server to the list. I advise you do not.

> Add your internet DNS settings under the forwarder on the new DNS server

If you don't do this Root Hints will be used. Your DNS server would follow a path to a domain from root to get to a name.

For example, www.experts-exchange.com would be resolved by first asking one of those Root Hint servers, then the servers for .com, then the servers for experts-exchange.com who will hopefully know about www.

If you configure forwarders all the hard work is passed off to the forwarder. Essentially your server shrugs then goes off to ask the forwarder.

So, either way it can resolve everything. It's up to you whether you want to use forwarders or not.

Chris
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 143 total points
ID: 40616571
What is it you are trying to do?
Root hints is how a DNS server looks up requests that do not exist in the list of forward zones (authoritative domains).
As long as you do not define your DNS server as a root server, the root hints will be auto-populated with NS records that will match the query nslookup -q=ns . 198.41.0.4 (a.root-servers.net to m.root-servers.net).

Are you intending on external requests hitting your DNS server?
In an AD, the DCs often have a DNS server.
To retain control of managing your DNS zone while allowing little external access, you would configure what is called a master/slave DNS configuration. Check whether the entity through which you registered your domain supports this.

The effect is that within your DNS you would configure the forward zone, and allow queries from your registrar's servers.
In your DNS zone, the DNS records (NS) will be those of the registrar.
On the registrar, you would configure their DNS as slaves to your DNS such that they will contact your DNS server to retrieve a copy of the domain records. Make sure to separate out of your forward zone the _msd so that information does not leak out if you have the misfortune of using your public domain as your AD domain name.

Within your DNS, also configure the Notify tab to generate alerts to the registrar's DNS server to expedite the update process (governed by the refresh setting in the SOA if the notify of a change is not received). The notify event triggers the process of scheduling the update, given the current data is now marked as expired.

Your last comment is confusing.
Your DNS server will only be queried by systems configured with it as their DNS server (name server) or if a domain is registered and its Name server records with the registrar point to it.

If you would clarify your setup to include detail and what it is you are trying to do, I'll try and help you clarify/complete the task.
0
 
LVL 15

Assisted Solution

by:weinberk
weinberk earned 285 total points
ID: 40616759
I found your original post @ http://www.experts-exchange.com/Hardware/Networking_Hardware/Firewalls/Q_28618796.html which describes the issue at hand: PCs (on a workgroup) can't seem to access websites - host not found.


You don't need to create zones on the DNS server to look up external zones. Candidly, I wouldn't have bothered with an external DNS server in this case (but that's outside the scope of your question).

I think the problem is that you've set the AD server at the remote site as the forwarder.  That's not going to work since you probably don't have access to the other site (where the AD server is if I understood the other thread correctly).

- Create the zones on the DNS server
*** I am unclear about this step. I went through the wizard and created the default Forward Lookup zone with (SOA) and (NS). Do I need to configure it further??? ***
Don't create any zones.  Zones are used if this DNS server needs to answer DNS queries resolving to internal only hosts OR if you were creating a public DNS server for domain names you own.

- Configure root hints and add your domain controller to it
*** What does this mean exactly and how do you do it ? ***
Here's how you configure root hints: https://technet.microsoft.com/en-us/library/cc730735.aspx
Essentially root hints tell the server what servers to hit to figure out what DNS server to ultimately ask.
If you have forwarders setup, you don't need to worry about root hints.

- Add your internet DNS settings under the forwarder on the new DNS server
*** I know I want all sites on the Internet to resolve on this DNS server before going to client but how do you do this for all sites on the Internet?? ***
Either leave forwarders blank and rely on root hints, or use Google's servers 8.8.8.8 and 8.8.4.4, OpenDNS's servers, your ISP's DNS servers, or some other server that you have access to as the forwarders.

The REAL test is to see if the machines on the network, including the server, can use DNS.
Here's how I would do it:
1) open a command prompt
2) type "nslookup", hit enter
3) type "www.experts-exchange.com", hit enter (this will be using whatever DNS server the machine uses by default)
Do you get the IP address for www.experts-exchange.com?
If not:
4) type "server 8.8.8.8", hit enter (this will use Google's DNS server instead)
5) type "www.experts-exchange.com", hit enter
Now do you get the IP address?

If individual machines can look up IPs via Google's servers, then you should be good to go. Either use Google's DNS servers on each machine, or use Google as a forwarder on the now internal DNS server and point the machines to that DNS server.

If individual machines can't use Google's DNS servers, you've got to look to your firewall. Are there firewall rules prohibiting DNS traffic in and out? (I know in this thread or the other you said it was good, but double check.) Does the ISP block all outbound DNS traffic except to their servers? Can you do a DNS check / lookup from the firewall as a test? That's my guess: that the firewall or ISP isn't allowing DNS traffic.

Hope this helps.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40616883
Do you have Active Directory?
OR are all your clients in a workgroup?
0
 
LVL 15

Expert Comment

by:weinberk
ID: 40616895
@Mahesh-   According to OP and last thread, it's all workgroup.
0
 
LVL 76

Expert Comment

by:arnold
ID: 40616938
Where is the DHCP, and what name servers does it push to the clients? Or are they all set up with static IPs and no name server records?
0
 

Author Comment

by:Saxitalis
ID: 40619731
Hello All - Thanks for all your comments. I believe I have this working now.

I used a forwarder to my firewall (the primary DNS before, although I had been pointing to Google and OpenDNS on each client as well) and understand Root Hints will take over if the forwarder does not resolve queries.

I did not enable Dynamic updates when creating my forward lookup zone but would like to try this in a couple of days, as they are still getting a couple of "Host not Found" messages.

1. With Dynamic updates enabled, will the DNS file keep building for sites/IPs as they are requested?
2. Can this give me a better local cache and less page failures due to host not found?
3. I remember this option when I set up the DNS server but did not enable it at that time. I am looking at the properties of my forward lookup zone now on the General tab but it won't let me enable Dynamic Updates there.

Do I need to delete the forward lookup zone and recreate it in order to enable dynamic updates?

Thanks!
0

 
LVL 76

Assisted Solution

by:arnold
arnold earned 143 total points
ID: 40619855
Root hints are the preferred route. Once you set a forwarder, your DNS will no longer look up anything outside what is in its forward zones for which it is authoritative. If the forwarders stop responding to your requests, your DNS server will not go out to get the information on its own and your workstations will .....

There is no need to define forwarders.
Your DNS server will cache the responses it gets based on the standard set by the respective zone admin.

What type of zone are you talking about? Check the properties of the zone; under General it will have a reference to dynamic updates, and gives you the option to adjust secure, etc.
0
 
LVL 15

Assisted Solution

by:weinberk
weinberk earned 285 total points
ID: 40620140
A couple of things:

1) Root hints require occasional maintenance. We prefer no forwarders too, BUT forwarders don't if you're using Google. And if Google's 8.8.8.8 and 8.8.4.4 stop responding, we've got bigger problems.... If we're looking for a set-it-and-forget-it solution, forwarders would be preferred in this case IMO.

2) Dynamic updates doesn't have anything to do with the workstations still not working.  Dynamic updates allow your internal hosts to dynamically update their own DNS entries on the DNS server.  It doesn't sound like your hosts will have any entry at all since this isn't an AD installation.  (See https://technet.microsoft.com/en-us/library/cc771255.aspx)

3) Local cache is fine, but you shouldn't need one.  The local cache just speeds things up, but you shouldn't be getting host not found for valid hosts ever.

4) I don't understand why you'd need a windows based DNS server at all that forwards to your firewall's dns server.  I don't see a reason that you couldn't just use the firewall's dns server for the client machines in this small environment.
0
 

Author Comment

by:Saxitalis
ID: 40624616
Thanks:



2) Dynamic updates doesn't have anything to do with the workstations still not working.  Dynamic updates allow your internal hosts to dynamically update their own DNS entries on the DNS server.  It doesn't sound like your hosts will have any entry at all since this isn't an AD installation.  (See https://technet.microsoft.com/en-us/library/cc771255.aspx)

***
OK - I think I understand. Dynamic updates will not build a table of DNS entries on the DNS server that is not already on the client computers?
***


3) Local cache is fine, but you shouldn't need one.  The local cache just speeds things up, but you shouldn't be getting host not found for valid hosts ever.

***
They are getting Host Not Found messages sporadically when accessing the same websites. It seems to happen when the connection is bottlenecked (128 K and maxed out). I figured any way to speed up the DNS resolving process, the better?
***

4) I don't understand why you'd need a windows based DNS server at all that forwards to your firewall's dns server.  I don't see a reason that you couldn't just use the firewall's dns server for the client machines in this small environment.

***
I had been (and still am) using the firewall's DNS server, but they were getting Host Not Found messages (usually but not always during high congestion times).
***
0
 
LVL 15

Assisted Solution

by:weinberk
weinberk earned 285 total points
ID: 40624674
OK. Addressing your questions.

OK - I think I understand. Dynamic updates will not build a table of DNS entries on the DNS server that is not already on the client computers?
Dynamic updates have nothing to do with anything going on here.  Dynamic updates are a way that local hosts can register themselves with your local DNS server.  Workstation1 = 192.168.1.100 for example.  It has nothing to do with name resolution of internet hosts.

They are getting Host Not Found messages sporadically when accessing the same websites. It seems to happen when the connection is bottle necked (128 K and maxed out). I figured anyway to speed up the DNS resolving process the better?
A local cache would help with that.  How many users are on this 128k line?


I had been (and still am using) the firewall's DNS server but they were getting Host Not Found messages. (usually but not always during high congestion times)
So get rid of the firewall's DNS server. Why not just set forwarders right in the Windows DNS server? Use 8.8.8.8 and 8.8.4.4. That will completely bypass your firewall's DNS server. Why have an internal DNS server (Windows DNS) ask another internal DNS server (firewall) that then has to ask outside anyway?
0
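An added example, not code from the thread or from any of the posters: it scripts the nslookup check described earlier (default DNS path first, then 8.8.8.8 directly, steps 1-5) and the forwarder setup recommended just above. It assumes nslookup.exe and dnscmd.exe, which ship with Windows Server 2008 R2 and its DNS role, IPv4-only answers, and a function name (Test-NameResolution) chosen here.

```powershell
# Added example (not from the thread). Client side: the nslookup test from the
# earlier post. Server side: the forwarder configuration recommended above.
# Assumes nslookup.exe / dnscmd.exe are on the PATH (built into Windows).

function Test-NameResolution {
    param(
        [string]$Name   = 'www.experts-exchange.com',
        [string]$Server = ''      # empty = whatever DNS server the machine uses by default
    )
    $argList = @($Name)
    if ($Server) { $argList += $Server }
    $out = (& nslookup.exe @argList 2>&1 | Out-String)

    # nslookup prints the server it used first ("Server:" / "Address:"), then the
    # answer after "Name:". Only IPv4 addresses after "Name:" are real answers.
    $failed = $out -match "can't find|timed out|No response|Non-existent domain|refused"
    $answer = ($out -split 'Name:', 2)[1]
    $ips = @()
    if (-not $failed -and $answer) {
        $ips = [regex]::Matches($answer, '\b(?:\d{1,3}\.){3}\d{1,3}\b') | ForEach-Object { $_.Value }
    }
    $label = 'default'
    if ($Server) { $label = $Server }
    [pscustomobject]@{
        Name      = $Name
        Server    = $label
        Resolved  = (@($ips).Count -gt 0)
        Addresses = (@($ips) -join ', ')
    }
}

# --- Client-side check: run on any workstation (steps 1-5 of the thread) ---
$viaDefault = Test-NameResolution
$viaGoogle  = Test-NameResolution -Server '8.8.8.8'
$viaDefault, $viaGoogle | Format-Table -AutoSize

if     ($viaDefault.Resolved) { 'OK: the default DNS path resolves.' }
elseif ($viaGoogle.Resolved)  { 'Clients reach 8.8.8.8 directly: look at the internal DNS server / forwarder configuration, not the firewall.' }
else                          { 'Neither path works: check firewall rules for outbound UDP/TCP 53 and whether the ISP forces its own resolvers.' }

# --- Server-side setup: run elevated on the Windows DNS server ---
# Forward to 8.8.8.8 / 8.8.4.4 with a 5 s timeout. /NoSlave keeps root hints as
# the fallback if the forwarders stop answering. Clear the cache so the query
# below really travels through the forwarder, then test the local service.
& dnscmd.exe /ResetForwarders 8.8.8.8 8.8.4.4 /TimeOut 5 /NoSlave
& dnscmd.exe /Info | Select-String -Pattern 'Forward', 'Slave'
& dnscmd.exe /ClearCache
Test-NameResolution -Server '127.0.0.1' | Format-List
```

Run the client-side half on a workstation whose DNS is already pointed at the Windows server; a Resolved = True from 127.0.0.1 on the server but False from the client points at the client's DNS settings or the path between them rather than at the forwarder.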
 

Author Comment

by:Saxitalis
ID: 40624761
Ok thanks...

"A local cache would help with that.  How many users are on this 128k line?"

10 - 15 users. Will my Windows DNS Server set up a local cache if it is not forwarding?

"So get rid of the firewall's dns server.  Why not just set forwarders right in the windows DNS server.  Use 8.8.8.8 and 8.8.4.4.  That will completely bypass your firewall's DNS server.  WHy have an internal dns server (Windows DNS) ask another internal dns server (firewall) that then has to ask outside anyway?"

Hmm - good question

1. So if I set up my windows DNS server (call it x.x.x.2) to forward directly to Google DNS servers will it also build a cache of websites as users access them? This is what I am really trying to accomplish here (to prevent requests going out and back from Google DNS on the web for every single website for every user). Bandwidth is at a premium here.

2. Configure each client to use x.x.x.2 DNS as primary and firewall DNS as secondary. This way x.x.x.2 will always be used first with a local cache and firewall DNS will only be used if Windows DNS (x.x.x.2) doesn't work for some reason.

Does this sound reasonable?

Thanks!
0
 
LVL 15

Accepted Solution

by:weinberk
weinberk earned 285 total points
ID: 40624768
I don't know how strict Windows PCs are with the order that DNS servers are entered. I've never really tested it, but sure, put the firewall as a 2nd DNS server to give some redundancy.

Windows DNS servers automatically cache, so you should be set.  

DNS lookups don't use much data, so even though you're only on a 128k line, I wonder if there might be something else going on, like bandwidth being used up by other data. Maybe you could use QoS to reserve bandwidth for DNS?

And of course, with 10-15 users, if you can get and can afford a faster line, get one!
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 40625367
> I don't know how strict Windows PC's are with the order that DNS servers are entered.

Not really relevant, but:

Moderately so, but it can cause problems in instances where the primary DNS service is providing responses about internal resources and where any other DNS service listed cannot. Negative responses are cached, and if the client does slip onto the secondary / tertiary / quaternary DNS servers listed it won't shift back very quickly (nominally 15 minutes).

Linux and Unix have the problem the other way around (without a bit of tweaking): they always query DNS servers in order (they have no local caching client). This can lead to slow service operation, which isn't ideal either.

Anyway, if there are no local resources to resolve it's moot.

Chris
0
 

Author Closing Comment

by:Saxitalis
ID: 40629323
Thanks All!
0
