Solved

Root Hints - Windows DNS

Posted on 2016-10-27
Last Modified: 2016-10-27
I have a Windows 2012 R2 DNS server sitting in a DMZ that needs to access root hints. We allowed the IPs listed in cache.dns, but the DNS server appears to be talking to other root servers not on that list. For instance, this was in root hints

@                       NS      b.root-servers.net.
b.root-servers.net      A      192.228.79.201

But we found it trying to talk to 199.253.182.182 which resolves to b.ip6-servers.arpa.

I see the quad records in the file for IPV6, but why is it talking to these on IPV4 and why when they are not present in the cache.dns file? If you can help clarify great and if you have any howtos on DMZ DNS servers and root hints that would be great. Thanks.
Question by:Jerry Dunning
8 Comments
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 41862374
You really need to let your DNS servers talk to any DNS server, not just the root hints. I get trying to be secure, but because DNS is iteratively recursive, allowing *only* root hints will make most lookups fail. Great, root hints told your server where .com records are held, but now your server can't look up Google.com because it can't contact .com servers.

That is effectively where you are at now.
1
 

Author Comment

by:Jerry Dunning
ID: 41862404
Thank you for the input, but it doesn't really answer my question. I will clarify what I omitted... it will be using forwarders but I need root hints as a backup in the event they are not available. I currently cannot get to them because it is using IPs different than expected. So I still want to be able to access root hints should my forward not be available.
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 41862414
You missed my point. If you wiresharked it, you'd see that your server is hitting root hints. But then it'll recursively try to hit the next batch of servers. Root hints alone are near worthless.
0
 

Author Comment

by:Jerry Dunning
ID: 41862492
I didn't miss your point, it was unclear and didn't answer my question. Again I do not intend to use root hints alone, I need it as a backup. But I need to know what IPs it will use to allow it through the FW. These "next batch of servers" are not in cache.dns so where does the server get them from? Thanks again for your input.
0
 
LVL 56

Accepted Solution

by:Cliff Galiher (earned 500 total points)
ID: 41862517
Yes, you did miss my point. And still are. Root hints (even only as a backup) don't work alone. That would totally destroy the nature of DNS.

Put another way, why did the attack on Dyn last week take down so many sites, even though root servers weren't attacked?? The answer is DNS is recursive by design.

The "next batch" is returned by the root hints. And then your server will query them. And they may, in turn, suggest yet more servers. And then your server will query THOSE servers. Which can in turn suggest yet more servers.... that's the definition of recursion. And since many larger organizations run short TTLs so they can make changes rapidly, even cached records expire quickly.

A DNS *server* behind a firewall should have almost NO IP restrictions. Block ports besides 53, but not IPs...except known malicious sites if you have access to such a list.

DNS clients can be heavily restricted. Servers should not be. They don't operate the same way and you break them when they can't perform recursive queries.
1
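To make the referral chain in the accepted answer concrete, here is an added example (not code from the thread or from Windows DNS): a toy iterative resolver over a constructed delegation tree. It follows referrals from the root hints exactly as described above, records every server it has to contact, and shows that a firewall allowlist containing only the cache.dns IPs stops resolution at the first referral. All zones and IPs except the b.root-servers.net address from the question are made up for illustration.

```python
# Constructed delegation data (all made up): each server answers only for what it is
# authoritative for. "referrals" maps a zone to the next servers to ask; "answers"
# maps a fully qualified name to its A record.
ROOT_HINT_IPS = {"198.41.0.4", "192.228.79.201"}  # what a root-hints file lists
SERVERS = {
    "198.41.0.4":     {"referrals": {"com.": {"192.0.2.10"}, "net.": {"192.0.2.20"}}, "answers": {}},
    "192.228.79.201": {"referrals": {"com.": {"192.0.2.10"}, "net.": {"192.0.2.20"}}, "answers": {}},
    "192.0.2.10":     {"referrals": {"example.com.": {"203.0.113.5"}}, "answers": {}},
    "192.0.2.20":     {"referrals": {"example.net.": {"203.0.113.9"}}, "answers": {}},
    "203.0.113.5":    {"referrals": {}, "answers": {"www.example.com.": "203.0.113.80"}},
    "203.0.113.9":    {"referrals": {}, "answers": {"www.example.net.": "203.0.113.90"}},
}

def closest_referral(server, qname):
    """Next-hop IPs for the longest zone this server delegates that covers qname."""
    best, ips = "", None
    for zone, next_ips in SERVERS[server]["referrals"].items():
        if (qname == zone or qname.endswith("." + zone)) and len(zone) > len(best):
            best, ips = zone, next_ips
    return ips

def resolve(qname, allowed_ips=None, max_hops=10):
    """Iterative resolution from the root hints, as a recursive server does it.

    allowed_ips simulates a firewall allowlist (None = unrestricted).
    Returns (answer or None, set of server IPs the resolver tried to reach).
    """
    contacted = set()
    candidates = set(ROOT_HINT_IPS)
    for _ in range(max_hops):
        reachable = [ip for ip in candidates if allowed_ips is None or ip in allowed_ips]
        if not reachable:
            return None, contacted          # firewall blocked the whole batch
        server = sorted(reachable)[0]       # pick one deterministically
        contacted.add(server)
        data = SERVERS[server]
        if qname in data["answers"]:
            return data["answers"][qname], contacted
        candidates = closest_referral(server, qname)
        if not candidates:
            return None, contacted          # no delegation covers qname
    return None, contacted

def ips_beyond_root_hints(qname):
    """The servers the firewall must also allow that never appear in cache.dns."""
    _, contacted = resolve(qname)
    return contacted - ROOT_HINT_IPS
```

Running resolve("www.example.com.", allowed_ips=ROOT_HINT_IPS) returns no answer after contacting only a root server, which is the failure mode the answer describes.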
 

Author Comment

by:Jerry Dunning
ID: 41862554
I missed the point because you were unclear, whether you accept that or not.

THAT explanation was much better and made sense as I do know what recursion is. I appreciate you walking me through the logic as I was missing it obviously, minus the condescending tone. Keep in mind we are asking questions here because we don't know and are looking for help.
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 41862605
And you "keep in mind" that experts volunteer their time. I don't do so to be insulted. I was never condescending. I explained, and patiently explained again, and more patiently explained a third time. If I were condescending, I'd have just told you that you clearly should never touch a server and leave me alone. But I didn't. Thanks for the flaming/trolling *after* I helped you though. Appreciate it.
0
 

Author Comment

by:Jerry Dunning
ID: 41863026
I never insulted you, I stated how your answers came off... and we pay for this service not to be insulted either. I wasn't trying to "troll" or "flame" you, I was simply stating that I felt you were being condescending. You didn't have to keep coming back. I didn't beg you to answer my question and if you noticed, I still stayed civil each time. If you don't want to help us plebeians, don't. I stand by my comments you didn't explain it well until the third try; it was vague and unclear. But I awarded full points for the final answer. I appreciated your assistance and said so, but if you can't handle a little criticism maybe being an expert is not for you.
0
