Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 110
  • Last Modified:

Root Hints - Windows DNS

I have a Windows 2012 R2 DNS server sitting in a DMZ that need to access root hints. We allowed the IPs listed in cache.dns, but the DNS server appears to be talking to other root servers not on that list. For instance this was in root hints

@                       NS      b.root-servers.net.
b.root-servers.net      A      192.228.79.201

But we found it trying to talk to 199.253.182.182 which resolves to b.ip6-servers.arpa.

I see the quad records in the file for IPV6, but why is it talking to these on IPV4 and why when they are not present in the cache.dns file? If you can help clarify great and if you have any howtos on DMZ DNS servers and root hints that would be great. Thanks.
0
Jerry Dunning
Asked:
Jerry Dunning
  • 4
  • 4
1 Solution
 
Cliff GaliherCommented:
You really need to let your DNS servers talk to any DNS server, not just the root hints. I get trying to be secure, but because DNS is iteratively recursive, allowing *only* root hints will make most lookups fail. Great, root hints gold your server where .com records are held, but now your server can't look up Google.com because it can't contact .com servers.

That is effectively where you are at now.
1
 
Jerry DunningAuthor Commented:
Thank you for the input, but it doesn't really answer my question. I will clarify what I omitted... it will be using forwarders but I need root hints as a backup in the event they are not available. I currently cannot get to them because it is using IPs different than expected. So I still want to be able to access root hints should my forward not be available.
0
 
Cliff GaliherCommented:
You missed my point. If you wiresharked it, you'd see that your server is hitting root hints. But then it'll recursively try to hit the next batch of servers. Root hints alone are near worthless.
0
Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

 
Jerry DunningAuthor Commented:
I didn't miss your point, it was unclear and didn't answer my question. Again I do not intend to use root hints alone, I need it as a backup. But I need to know what IPs it will use to allow it through the FW. These "next batch of servers" are not in cache.dns so where does the server get them from? Thanks again for you input.
0
 
Cliff GaliherCommented:
Yes, you did miss my point. And still are. Root hints (even only as a backup) don't work alone. That would totally destroy the nature of DNS.

Put another way, why did the attack on Dyn last week take down so many sites, even though root servers weren't attacked?? The answer is DNS is recursive by design.

The "next batch" is returned by the root hints. And then your server will query them. And they may in turn, suggest yet more servers. And then your server will query THOSE servers. Which can in turn suggest yet more servers.... that's the definition of reversion. And since many larger organizations run short TTLs so they can make changes rapidly, even cached records expire quickly.

A DNS *server* behind a firewall should have almost NO IP restrictions. Block ports besides 53, but not IPs...except known malicious sites if you have access to such a list.

DNS clients can be heavily restricted. Servers should not be. They don't operate the same way and you break them when they can't perform recursive queries.
1
 
Jerry DunningAuthor Commented:
I missed the point because you were unclear, whether you accept that or not.

THAT explanation was much better and made sense as I do know what recursion is. I appreciate you walking me though the logic as I was missing it obviously, minus the condescending tone. Keep in mind we are asking questions here because we don't know and are looking for help.
0
 
Cliff GaliherCommented:
And you  "keep on mind" that experts  volunteer their  time. I don't do so to be insulted. I was never condescending. I explained., and patiently explained again, and more patiently explained a third time. If I were condescending, I'd have just told you that you clearly should never touch a server and leave me alone. But I didn't. Thanks for the flaming/trolling *after* I helped you though. Appreciate it.
0
 
Jerry DunningAuthor Commented:
I never insulted you, I stated how your answers came off... and we pay for this service not to be insulted either. I wasn't trying to "troll" or "flame" you, I was simply stating that I felt you were being condescending. You didn't have to keep coming back. I didn't beg you to answer my question and if you noticed, I still stayed civil each time.  If you don't want to help us plebeians, don't. I stand by my comments you didn't explain it well until the third try; it was vague and unclear. But I awarded full points for the final answer.  I appreciated your assistance and said so, but if you can't handle a little criticism maybe being an expert is not for you.
0

Featured Post

Veeam and MySQL: How to Perform Backup & Recovery

MySQL and the MariaDB variant are among the most used databases in Linux environments, and many critical applications support their data on them. Watch this recorded webinar to find out how Veeam Backup & Replication allows you to get consistent backups of MySQL databases.

  • 4
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now