Guide on how to setup internal DNS

My organization has a SonicWALL TZ600 firewall and two Server 2016 servers with the DNS role that handle DNS for our organization.

A previous IT administrator set up the SonicWALL TZ600 firewall so that it dynamically assigns IP addresses to the Windows 10 client computers and assigns the following DNS server addresses:

172.16.0.26 (the static IP address of one of the Server 2016 domain controllers)
Two other IP addresses are also assigned:
8.8.8.8
8.8.4.4

The reason that these public DNS server addresses are being used and we aren't using the DNS server IP addresses associated with our ISP is because we have a primary ISP and a failover ISP connected to our firewall. That way if the primary ISP goes down then the secondary ISP will pick up in its place until the primary ISP comes back online. This is important since we have had several times where our primary ISP has gone offline.

However, I have been told in other postings here that the two DNS server addresses of 8.8.8.8 & 8.8.4.4 shouldn't be assigned to the Windows 10 client computers.

We need to make sure that our network is completely self sufficient so that if either one of the Server 2016 domain controllers/DNS servers go offline then the Windows 10 client computers will still be able to connect to websites on the internet even while the two servers are down.

So what is the right way to properly set up our organization's internal DNS?

Please let me know if any further information is needed.
IT Guy (Network Engineer) asked:
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer (IT Consultant, Network Engineer, Windows Network Administrator, VMware Administrator) commented:
The proper way to set this up is to have your two Domain Controllers as DNS servers.  This is the way they are set up by default when they become Domain Controllers.

Ensure that DNS is replicating between them.  On the NIC of DC1, set the DNS to itself and the second DNS to DC2.  On DC2, set the NIC for DNS to DC1 and itself as secondary.

Now, in the DNS server, ensure your Forward Lookup Zone for your domain is populating and make sure you setup a Reverse Lookup Zone for that subnet.

Remove any forwarders or conditional forwarders. You do not need them as your DNS servers will go to the Internet Root servers to resolve addresses when it needs to.  

In your DHCP, when addresses are given out, point DNS Primary to DC1 and DNS Secondary to DC2.  In a domain environment, you do not want your DNS going to Google as its primary.  Your ISP selection is not an issue if you are set up this way, as this is Microsoft's best practice.

Lastly, with a Domain, set up DHCP on a couple of servers. You can use these DCs if you want. In the DHCP scope you can also specify the proper settings for DNS as well as other things. You can set up both servers for redundancy.

Finally, if you are not using a DC for your DHCP and still want to use the SonicWALL, then that needs to be added to the group DNSUpdateProxy in active directory.

Use the KISS method and keep it simple.
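The steps in the answer above, written out as PowerShell for Server 2016. This is an added example, not code from the thread; it is run on each DC with the DNS, DHCP and AD roles or RSAT present. DC1 at 172.16.0.26 comes from the question; the second DC's address, the domain name, the client subnet, the interface alias and the DHCP scope ID are assumptions. It orders the partner DC first and the DC itself second on both NICs, which is what the DNS Best Practices Analyzer prefers; the ordering in the answer also works. The DnsUpdateProxy step is shown for a Windows DHCP server that is not a DC, since that group takes a computer account.

```powershell
# Added example (not from the thread): DC/DNS/DHCP setup for a two-DC domain.
# Known from the question: DC1 = 172.16.0.26. Everything below marked "assumed" is not.
$Dc1         = '172.16.0.26'
$Dc2         = '172.16.0.27'               # assumed address of the second DC
$Domain      = 'corp.example.com'          # assumed AD DNS domain name
$Subnet      = '172.16.0.0/24'             # assumed client subnet
$ScopeId     = '172.16.0.0'                # assumed DHCP scope ID for that subnet
$ReverseZone = '0.16.172.in-addr.arpa'     # reverse zone name for 172.16.0.0/24
$Nic         = 'Ethernet'                  # assumed interface alias on the DC

$Self    = Get-NetIPAddress -InterfaceAlias $Nic -AddressFamily IPv4 |
           Select-Object -First 1 -ExpandProperty IPAddress
$Partner = if ($Self -eq $Dc1) { $Dc2 } else { $Dc1 }

# 1. DC NIC resolvers: partner DC first, this DC second (BPA warns if self/loopback is first).
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $Partner, $Self

# 2. Forward lookup zone must be AD-integrated and replicating to the other DC.
Get-DnsServerZone -Name $Domain |
    Format-Table ZoneName, ZoneType, IsDsIntegrated, ReplicationScope -AutoSize
repadmin /replsummary            # replication errors here mean the zone is not in sync

# 3. Reverse lookup zone for the client subnet, AD-integrated, secure dynamic updates only.
if (-not (Get-DnsServerZone -Name $ReverseZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $Subnet -ReplicationScope Domain -DynamicUpdate Secure
}

# 4. No forwarders: strip any that exist so the server resolves via root hints.
$fwd = Get-DnsServerForwarder
if ($fwd.IPAddress) {
    Remove-DnsServerForwarder -IPAddress $fwd.IPAddress -Force
}
Set-DnsServerForwarder -UseRootHint $true
"Root hints loaded: $((Get-DnsServerRootHint | Measure-Object).Count)"   # normally 13

# 5. DHCP scope options: hand clients DC1 and DC2 only, never the public resolvers.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $Dc1, $Dc2 -DnsDomain $Domain
Get-DhcpServerv4OptionValue -ScopeId $ScopeId |
    Where-Object OptionId -in 3, 6, 15 | Format-Table OptionId, Value -AutoSize

# 6. Only when DHCP runs on a member server (not a DC): let that server's computer
#    account own the client records it registers. Server name is assumed.
# Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members 'DHCP01$'

# 7. Verify: an internal name from the zone, then an external name through root hints.
Resolve-DnsName -Name "dc1.$Domain" -Server $Self -DnsOnly |
    Select-Object Name, Type, IPAddress
Resolve-DnsName -Name 'www.microsoft.com' -Type A -Server $Self -DnsOnly |
    Select-Object Name, Type, IPAddress
dcdiag /test:DNS
```

Step 4 is the part that removes the dependence on any one ISP: with no forwarders, the DC walks the root hints itself over whichever uplink the SonicWALL currently has, so nothing in the DNS configuration names an ISP or a public resolver. Step 5 is what actually fixes the problem in the question, since the clients then only ever see DC1 and DC2.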

footech commented:
Your DC/DNS servers should be configured with root hints or forwarders.  If using root hints, then it does matter which ISP you're using; and if using forwarders, you can use 8.8.8.8 and 8.8.4.4 and it won't matter which ISP you're using.

I have to disagree with the following statement (as I understand it):
"We need to make sure that our network is completely self sufficient so that if either one of the Server 2016 domain controllers/DNS servers go offline then the Windows 10 client computers will still be able to connect to websites on the internet even while the two servers are down."
I'd say it's a bigger concern to guard against both DC/DNS servers being down.  That's one of the biggest points of having more than one - to provide fault tolerance.  Your internal clients should be configured with both of the DC/DNS servers in the NIC properties.  Then one being down won't be a problem.  If both are down, you've got a bigger problem than being concerned about who can reach the internet.
Steve McCarthy commented:
Using root hints does not matter for the ISP.  The DNS server will look at itself for internal addresses and route accordingly. This is why you do not want your clients going outside to google to attempt to get name resolution.  They need to resolve internally first and if they need to go outside, let your internal DNS servers do what they were designed to do and resolve those addresses, caching the information and then making subsequent requests get the information from the cache.

If your DNS is setup properly, the DNS server will send any Internet requests to the router which will send that request out whatever pipe is working for resolution. Plain and Simple.  Your DNS server does not care if you are attached to CenturyLink today or Comcast tomorrow. All it wants is a pipe to the internet to route traffic.

Forwarders DO make a difference, so footech, you have your statement backwards.  If ISP 1 goes down and you are using its DNS servers in the forwarders, it MAY not work, but then again, just because your section of the ISP 1 pipe is down does not mean that its DNS servers are not accessible from ISP 2's pipe.  Using root hints, as long as there is a pipe, no matter whose, it will go out to those root servers to resolve.

Again, KISS.  Don't use forwarders unless you have to and let your internal DNS servers work like they were designed to do.

IT Guy (author) commented:
Are there any online guides or books that describe how to properly set this up?
footech commented:
From my post:
"If using root hints, then it does matter which ISP you're using"
That was a mistype.  I meant to say it does not matter.

I'm glad you caught that Steve.
RE: forwarders, I specifically mentioned 8.8.8.8 and 8.8.4.4 because use of those does not depend on which ISP you're connected to.  I know some people don't like forwarders, but I'm not one of them.  Using forwarders or root hints is typically a choice made after weighing different factors:
 - by measuring responses and choosing which gives you better performance
 - whether the use of forwarders gives you any filtering benefit (for example, OpenDNS)
At one point there was also a bug with Server 2008 R2 with using root hints.
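footech's first criterion, measuring responses, is easy to do before deciding. The script below is an added example, not part of the thread: it times the same lookups through DC1 at 172.16.0.26 (which, with no forwarders configured, walks the root hints itself) and directly against 8.8.8.8 and 8.8.4.4, the forwarder candidates mentioned above. Querying the public resolvers directly approximates what forwarding to them would cost, minus the hop to the DC. The test names are assumptions; run it from a domain client or from the DC. If the DC does have forwarders configured, the "internal" column measures that path instead.

```powershell
# Added example (not from the thread): compare lookup latency via the internal DC
# (root hints) against the public resolvers discussed as forwarder candidates.
$InternalDns = '172.16.0.26'                       # DC1 from the question
$PublicDns   = '8.8.8.8', '8.8.4.4'                # forwarder candidates from the thread
$Names       = 'www.microsoft.com', 'www.example.com', 'login.microsoftonline.com'   # assumed

function Measure-Resolver {
    param([string]$Server, [string[]]$Names, [int]$Rounds = 3)
    # Round 1 is a cold lookup at that server (unless it already had the name cached);
    # later rounds should be served from the server's own cache.
    foreach ($round in 1..$Rounds) {
        foreach ($name in $Names) {
            $sw = [System.Diagnostics.Stopwatch]::StartNew()
            $answer = Resolve-DnsName -Name $name -Type A -Server $Server `
                          -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue
            $sw.Stop()
            [pscustomobject]@{
                Server   = $Server
                Name     = $name
                Round    = $round
                Ms       = [math]::Round($sw.Elapsed.TotalMilliseconds, 1)
                Answered = [bool]($answer | Where-Object Type -eq 'A')
            }
        }
    }
}

Clear-DnsClientCache      # so the local resolver cache does not mask server-side latency

$results = foreach ($srv in @($InternalDns) + $PublicDns) {
    Measure-Resolver -Server $srv -Names $Names
}

# Cold (round 1) vs warm (rounds 2+) average per server, and how many lookups got no A record.
$results | Group-Object Server | ForEach-Object {
    $cold = ($_.Group | Where-Object Round -eq 1 | Measure-Object Ms -Average).Average
    $warm = ($_.Group | Where-Object Round -gt 1 | Measure-Object Ms -Average).Average
    [pscustomobject]@{
        Server = $_.Name
        ColdMs = [math]::Round($cold, 1)
        WarmMs = [math]::Round($warm, 1)
        Failed = ($_.Group | Where-Object { -not $_.Answered }).Count
    }
} | Format-Table -AutoSize
```

Whichever way the numbers fall, this only informs what the DC does upstream; the clients still get DC1 and DC2 from DHCP, never the public resolvers. The second criterion in the comment, filtering, is a policy choice the timing cannot measure.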