Solved

Root Hints - Windows DNS

Posted on 2016-10-27
8
81 Views
Last Modified: 2016-10-27
I have a Windows 2012 R2 DNS server sitting in a DMZ that need to access root hints. We allowed the IPs listed in cache.dns, but the DNS server appears to be talking to other root servers not on that list. For instance this was in root hints

@                       NS      b.root-servers.net.
b.root-servers.net      A      192.228.79.201

But we found it trying to talk to 199.253.182.182 which resolves to b.ip6-servers.arpa.

I see the quad records in the file for IPV6, but why is it talking to these on IPV4 and why when they are not present in the cache.dns file? If you can help clarify great and if you have any howtos on DMZ DNS servers and root hints that would be great. Thanks.
0
Comment
Question by:Jerry Dunning
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
8 Comments
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 41862374
You really need to let your DNS servers talk to any DNS server, not just the root hints. I get trying to be secure, but because DNS is iteratively recursive, allowing *only* root hints will make most lookups fail. Great, root hints gold your server where .com records are held, but now your server can't look up Google.com because it can't contact .com servers.

That is effectively where you are at now.
1
 

Author Comment

by:Jerry Dunning
ID: 41862404
Thank you for the input, but it doesn't really answer my question. I will clarify what I omitted... it will be using forwarders but I need root hints as a backup in the event they are not available. I currently cannot get to them because it is using IPs different than expected. So I still want to be able to access root hints should my forward not be available.
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 41862414
You missed my point. If you wiresharked it, you'd see that your server is hitting root hints. But then it'll recursively try to hit the next batch of servers. Root hints alone are near worthless.
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 

Author Comment

by:Jerry Dunning
ID: 41862492
I didn't miss your point, it was unclear and didn't answer my question. Again I do not intend to use root hints alone, I need it as a backup. But I need to know what IPs it will use to allow it through the FW. These "next batch of servers" are not in cache.dns so where does the server get them from? Thanks again for you input.
0
 
LVL 58

Accepted Solution

by:
Cliff Galiher earned 500 total points
ID: 41862517
Yes, you did miss my point. And still are. Root hints (even only as a backup) don't work alone. That would totally destroy the nature of DNS.

Put another way, why did the attack on Dyn last week take down so many sites, even though root servers weren't attacked?? The answer is DNS is recursive by design.

The "next batch" is returned by the root hints. And then your server will query them. And they may in turn, suggest yet more servers. And then your server will query THOSE servers. Which can in turn suggest yet more servers.... that's the definition of reversion. And since many larger organizations run short TTLs so they can make changes rapidly, even cached records expire quickly.

A DNS *server* behind a firewall should have almost NO IP restrictions. Block ports besides 53, but not IPs...except known malicious sites if you have access to such a list.

DNS clients can be heavily restricted. Servers should not be. They don't operate the same way and you break them when they can't perform recursive queries.
1
 

Author Comment

by:Jerry Dunning
ID: 41862554
I missed the point because you were unclear, whether you accept that or not.

THAT explanation was much better and made sense as I do know what recursion is. I appreciate you walking me though the logic as I was missing it obviously, minus the condescending tone. Keep in mind we are asking questions here because we don't know and are looking for help.
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 41862605
And you  "keep on mind" that experts  volunteer their  time. I don't do so to be insulted. I was never condescending. I explained., and patiently explained again, and more patiently explained a third time. If I were condescending, I'd have just told you that you clearly should never touch a server and leave me alone. But I didn't. Thanks for the flaming/trolling *after* I helped you though. Appreciate it.
0
 

Author Comment

by:Jerry Dunning
ID: 41863026
I never insulted you, I stated how your answers came off... and we pay for this service not to be insulted either. I wasn't trying to "troll" or "flame" you, I was simply stating that I felt you were being condescending. You didn't have to keep coming back. I didn't beg you to answer my question and if you noticed, I still stayed civil each time.  If you don't want to help us plebeians, don't. I stand by my comments you didn't explain it well until the third try; it was vague and unclear. But I awarded full points for the final answer.  I appreciated your assistance and said so, but if you can't handle a little criticism maybe being an expert is not for you.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
This article will review the basic installation and configuration for Windows Software Update Services (WSUS) in a Windows 2012 R2 environment.  WSUS is a Microsoft tool that allows administrators to manage and control updates to be approved and ins…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question