Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Root Hints - Windows DNS

Posted on 2016-10-27
8
Medium Priority
?
100 Views
Last Modified: 2016-10-27
I have a Windows 2012 R2 DNS server sitting in a DMZ that need to access root hints. We allowed the IPs listed in cache.dns, but the DNS server appears to be talking to other root servers not on that list. For instance this was in root hints

@                       NS      b.root-servers.net.
b.root-servers.net      A      192.228.79.201

But we found it trying to talk to 199.253.182.182 which resolves to b.ip6-servers.arpa.

I see the quad records in the file for IPV6, but why is it talking to these on IPV4 and why when they are not present in the cache.dns file? If you can help clarify great and if you have any howtos on DMZ DNS servers and root hints that would be great. Thanks.
0
Comment
Question by:Jerry Dunning
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
8 Comments
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 41862374
You really need to let your DNS servers talk to any DNS server, not just the root hints. I get trying to be secure, but because DNS is iteratively recursive, allowing *only* root hints will make most lookups fail. Great, root hints gold your server where .com records are held, but now your server can't look up Google.com because it can't contact .com servers.

That is effectively where you are at now.
1
 

Author Comment

by:Jerry Dunning
ID: 41862404
Thank you for the input, but it doesn't really answer my question. I will clarify what I omitted... it will be using forwarders but I need root hints as a backup in the event they are not available. I currently cannot get to them because it is using IPs different than expected. So I still want to be able to access root hints should my forward not be available.
0
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 41862414
You missed my point. If you wiresharked it, you'd see that your server is hitting root hints. But then it'll recursively try to hit the next batch of servers. Root hints alone are near worthless.
0
What Is Blockchain Technology?

Blockchain is a technology that underpins the success of Bitcoin and other digital currencies, but it has uses far beyond finance. Learn how blockchain works and why it is proving disruptive to other areas of IT.

 

Author Comment

by:Jerry Dunning
ID: 41862492
I didn't miss your point, it was unclear and didn't answer my question. Again I do not intend to use root hints alone, I need it as a backup. But I need to know what IPs it will use to allow it through the FW. These "next batch of servers" are not in cache.dns so where does the server get them from? Thanks again for you input.
0
 
LVL 59

Accepted Solution

by:
Cliff Galiher earned 2000 total points
ID: 41862517
Yes, you did miss my point. And still are. Root hints (even only as a backup) don't work alone. That would totally destroy the nature of DNS.

Put another way, why did the attack on Dyn last week take down so many sites, even though root servers weren't attacked?? The answer is DNS is recursive by design.

The "next batch" is returned by the root hints. And then your server will query them. And they may in turn, suggest yet more servers. And then your server will query THOSE servers. Which can in turn suggest yet more servers.... that's the definition of reversion. And since many larger organizations run short TTLs so they can make changes rapidly, even cached records expire quickly.

A DNS *server* behind a firewall should have almost NO IP restrictions. Block ports besides 53, but not IPs...except known malicious sites if you have access to such a list.

DNS clients can be heavily restricted. Servers should not be. They don't operate the same way and you break them when they can't perform recursive queries.
1
 

Author Comment

by:Jerry Dunning
ID: 41862554
I missed the point because you were unclear, whether you accept that or not.

THAT explanation was much better and made sense as I do know what recursion is. I appreciate you walking me though the logic as I was missing it obviously, minus the condescending tone. Keep in mind we are asking questions here because we don't know and are looking for help.
0
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 41862605
And you  "keep on mind" that experts  volunteer their  time. I don't do so to be insulted. I was never condescending. I explained., and patiently explained again, and more patiently explained a third time. If I were condescending, I'd have just told you that you clearly should never touch a server and leave me alone. But I didn't. Thanks for the flaming/trolling *after* I helped you though. Appreciate it.
0
 

Author Comment

by:Jerry Dunning
ID: 41863026
I never insulted you, I stated how your answers came off... and we pay for this service not to be insulted either. I wasn't trying to "troll" or "flame" you, I was simply stating that I felt you were being condescending. You didn't have to keep coming back. I didn't beg you to answer my question and if you noticed, I still stayed civil each time.  If you don't want to help us plebeians, don't. I stand by my comments you didn't explain it well until the third try; it was vague and unclear. But I awarded full points for the final answer.  I appreciated your assistance and said so, but if you can't handle a little criticism maybe being an expert is not for you.
0

Featured Post

Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Understanding the various editions available is vital when you decide to purchase Windows Server 2012. You need to have a basic understanding of the features and limitations in each edition in order to make a well-informed decision that best suits y…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
In this Micro Tutorial viewers will learn how they can get their files copied out from their unbootable system without need to use recovery services. As an example non-bootable Windows 2012R2 installation is used which has boot problems.
In this Micro Tutorial viewers will learn how to restore single file or folder from Bare Metal backup image of their system. Tutorial shows how to restore files and folders from system backup. Often it is not needed to restore entire system when onl…

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question