Solved

Root Hints - Windows DNS

Posted on 2016-10-27
Last Modified: 2016-10-27
I have a Windows 2012 R2 DNS server sitting in a DMZ that needs to access root hints. We allowed the IPs listed in cache.dns, but the DNS server appears to be talking to other root servers not on that list. For instance, this was in root hints:

@                       NS      b.root-servers.net.
b.root-servers.net      A      192.228.79.201

But we found it trying to talk to 199.253.182.182 which resolves to b.ip6-servers.arpa.

I see the quad records in the file for IPv6, but why is it talking to these on IPv4, and why when they are not present in the cache.dns file? If you can help clarify, great, and if you have any howtos on DMZ DNS servers and root hints that would be great. Thanks.
Question by:Jerry Dunning
8 Comments
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 41862374
You really need to let your DNS servers talk to any DNS server, not just the root hints. I get trying to be secure, but because DNS is iteratively recursive, allowing *only* root hints will make most lookups fail. Great, root hints told your server where .com records are held, but now your server can't look up Google.com because it can't contact .com servers.

That is effectively where you are at now.
1
 

Author Comment

by:Jerry Dunning
ID: 41862404
Thank you for the input, but it doesn't really answer my question. I will clarify what I omitted... it will be using forwarders, but I need root hints as a backup in the event they are not available. I currently cannot get to them because it is using IPs different than expected. So I still want to be able to access root hints should my forwarders not be available.
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 41862414
You missed my point. If you wiresharked it, you'd see that your server is hitting root hints. But then it'll recursively try to hit the next batch of servers. Root hints alone are near worthless.
0
 

Author Comment

by:Jerry Dunning
ID: 41862492
I didn't miss your point, it was unclear and didn't answer my question. Again, I do not intend to use root hints alone, I need it as a backup. But I need to know what IPs it will use to allow it through the FW. These "next batch of servers" are not in cache.dns, so where does the server get them from? Thanks again for your input.
0
 
LVL 58

Accepted Solution

by: Cliff Galiher (earned 500 total points)
ID: 41862517
Yes, you did miss my point. And still are. Root hints (even only as a backup) don't work alone. That would totally destroy the nature of DNS.

Put another way, why did the attack on Dyn last week take down so many sites, even though root servers weren't attacked?? The answer is DNS is recursive by design.

The "next batch" is returned by the root hints. And then your server will query them. And they may in turn suggest yet more servers. And then your server will query THOSE servers. Which can in turn suggest yet more servers.... that's the definition of recursion. And since many larger organizations run short TTLs so they can make changes rapidly, even cached records expire quickly.

A DNS *server* behind a firewall should have almost NO IP restrictions. Block ports besides 53, but not IPs...except known malicious sites if you have access to such a list.

DNS clients can be heavily restricted. Servers should not be. They don't operate the same way and you break them when they can't perform recursive queries.
1
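To make the recursion point concrete, and to show why allowing only the addresses in cache.dns (the format quoted in the question) is not enough, here is an added Python example that is not from the thread: it parses root-hint glue records and walks a constructed delegation tree the way a recursive server follows referrals, then reports which contacted addresses a cache.dns-only firewall rule would block. The TLD and authoritative servers and their addresses are constructed stand-ins, not real servers.

```python
import re

# Constructed excerpt in the cache.dns (root hints) format quoted in the question;
# the two record lines are the ones from the page, the comment line is added.
CACHE_DNS = """
; root hints excerpt (constructed for this example)
@                       NS      b.root-servers.net.
b.root-servers.net      A       192.228.79.201
"""

# Constructed delegation tree standing in for the live DNS: each zone refers the
# resolver to one name server. 192.0.2.x / 198.51.100.x are RFC 5737 documentation
# addresses, not the real gTLD or authoritative servers.
REFERRALS = {
    ".": ("b.root-servers.net.", "192.228.79.201"),
    "com.": ("tld-ns.example.", "192.0.2.10"),
    "example.com.": ("ns1.example.com.", "198.51.100.5"),
}

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def root_hint_ips(text):
    """Collect the glue addresses (A and AAAA records) a cache.dns-style file lists."""
    ips = set()
    for line in text.splitlines():
        parts = line.split(";", 1)[0].split()  # strip comments, tokenize
        if len(parts) >= 3 and parts[-2].upper() in ("A", "AAAA"):
            if IPV4.match(parts[-1]) or ":" in parts[-1]:
                ips.add(parts[-1])
    return ips

def iterative_resolve(qname, referrals):
    """Walk the delegation chain from the root the way a recursive server does.
    Returns the ordered (zone, server_name, ip) hops; every hop after the first
    is learned from a referral, so it never appears in cache.dns."""
    labels = qname.rstrip(".").split(".")
    # candidate zones from the root downward: ".", "com.", "example.com.", ...
    chain = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    return [(zone,) + referrals[zone] for zone in chain if zone in referrals]

def ips_outside_allowlist(contacted, allowlist):
    """Addresses the resolver needs that a cache.dns-only firewall rule would block."""
    return sorted({ip for _, _, ip in contacted} - set(allowlist))

if __name__ == "__main__":
    allow = root_hint_ips(CACHE_DNS)
    path = iterative_resolve("www.example.com.", REFERRALS)
    for zone, ns, ip in path:
        print(f"{zone:<13} -> {ns:<20} {ip}")
    print("blocked by a root-hints-only allowlist:", ips_outside_allowlist(path, allow))
```

Only the first hop matches cache.dns; the TLD and authoritative hops are exactly the "next batch" the accepted answer describes.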
 

Author Comment

by:Jerry Dunning
ID: 41862554
I missed the point because you were unclear, whether you accept that or not.

THAT explanation was much better and made sense as I do know what recursion is. I appreciate you walking me though the logic as I was missing it obviously, minus the condescending tone. Keep in mind we are asking questions here because we don't know and are looking for help.
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 41862605
And you "keep in mind" that experts volunteer their time. I don't do so to be insulted. I was never condescending. I explained, and patiently explained again, and more patiently explained a third time. If I were condescending, I'd have just told you that you clearly should never touch a server and leave me alone. But I didn't. Thanks for the flaming/trolling *after* I helped you though. Appreciate it.
0
 

Author Comment

by:Jerry Dunning
ID: 41863026
I never insulted you, I stated how your answers came off... and we pay for this service not to be insulted either. I wasn't trying to "troll" or "flame" you, I was simply stating that I felt you were being condescending. You didn't have to keep coming back. I didn't beg you to answer my question and, if you noticed, I still stayed civil each time. If you don't want to help us plebeians, don't. I stand by my comments: you didn't explain it well until the third try; it was vague and unclear. But I awarded full points for the final answer. I appreciated your assistance and said so, but if you can't handle a little criticism maybe being an expert is not for you.
0
