Determine if Server 2016 DNS is set to forward external IP address requests to public DNS servers

IT Guy
IT Guy used Ask the Experts™
on
How can I determine if a Server 2016 DNS server is set to forward external IP address requests to public DNS servers on the internet?

An organization I consult for currently has these DNS server addresses assigned to client computers via DHCP:

10.10.10.20 (internal IP address of primary domain controller (PDC)
8.8.8.8 (secondary DNS server IP address)
8.8.4.4 (third DNS server IP)

I would like to change this DHCP DNS scope to be:

10.10.10.20 (internal IP address of primary domain controller (PDC)
10.10.10.25 (internal IP address of second Active Directory domain controller)
8.8.8.8 (third DNS server IP address)

This second set of DNS server addresses will provide better redundancy in case the primary domain controller (PDC) goes down.

But before doing this I want to test these two Server 2016 domain controller DNS servers to make sure that they will forward any external IP addresses to the public internet.

How can this type of testing or evaluation be done?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Distinguished Expert 2018
Commented:
First, don't include 8.8.8.8

NEVER include a public DNS server when using Active Directory. Full stop. No excuses. If both DCs are down simultaneously, you have bigger problems.  There is NEVER a reason to do this. And it does cause problems.  

As for testing, the DNS server has this built in.  Out of the box it uses root hints and I usually don't recommend changing this behavior.  As for testing, open the DNS server MMC.  Right click on the DNS server (you can do this for remote servers as well) and hit properties.  Hit the monitoring tab. There are two checkboxes to test simple and recursive queries.  

Test done.
Director of Information Technology
Commented:
First and for most never set an external dns server on your domain. DHCP should only advertise your DC's.  

To if forwarding is enabled open DNS.msc and right click the server > properties > there is a forwarding tab. There you enter in your external dns servers (8.8.8.8)

https://technet.microsoft.com/en-us/library/cc754941(v=ws.11).aspx
AlanConsultant
Commented:
Is DNS (Service) installed and running on the server?

If installed and running, please check what forwarders (if any) you have setup in DNS on that server, and if root hints are also configured.

If so, then that server will forward DNS queries, for which it does not already know the answer, to either root hints (best option) or one of the forwarders (if configured) which is a second best option in my opinion (unless there is a cogent reason for it).


Alan.
11/26 Forrester Webinar: Savings for Enterprise

How can your organization benefit from savings just by replacing your legacy backup solutions with Acronis' #CyberProtection? Join Forrester's Joe Branca and Ryan Davis from Acronis live as they explain how you can too.

yo_beeDirector of Information Technology
Commented:
Note from personal experience leave the default timeout at 3 seconds. I changed mine to 1 second and it caused issues.

Also I am sorry for any repeated information. At the time I started to write up something there were no replies, but it just enforces that no external dns should ever be pushed to internal computers.

I only use external dns when troubleshooting and that is manually set on a single client.
Distinguished Expert 2017
Commented:
Echo Cliff's and yo_bee statement on NEVER EVER EVER including public DNS servers to the AD member systems.
IMHO!, these days using forwarders to google or opendns is an unnecessary complication for the following reason.  Your DNS server have dual roles, serving YOUR AD and fulfilling your users requests. When queried directly, your DNS servers cache the responses such that it does not generate unnecessary requests. When using forwarders one you are reliant on the remote servers, dependent on a path to those servers, while not caching meaning
If two users want to go to www.google.com without forwarders, your server will generate a single request to resolve the name to IP, and provided it is receiving the request thin the specified time of the record validity (TTL) the second and subsequent response will be from its own memory.

In a forwarding setup each request will be sent out.

Conditional forwarders for a specific domain to a specific IP and this is often only used when traffic needs to be routed through a VPN. Or other custom needs.

Why would you want Google to know the destination, sites you/your organization frequents? (They'll know it based on the ads loaded in your user's browsers.
Commented:
I also echo previous comments NEVER use external DNS servers when you have AD.  It can slow down or stop AD related stuff happennig from logons to accessing file shares etc.  

And to repeat the above, I always set up external forwarders on the servers I manage.  I use Open DNS (208.67.222.22) and google (8.8.8.8)

There was a Server 2008 bug which meant that certain sites didn't resolve without forwarders or repeated DNS restarts.  This is gone in 2016,m but I still like to use forwarders.  This improves performance for recursive queries.  

I'm not bothered about google knowing the sites we browse by looking at DNS requests, because google analytics is on most sites and most searches are through google, so they know anyway.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial