Determine if Server 2016 DNS is set to forward external IP address requests to public DNS servers

How can I determine if a Server 2016 DNS server is set to forward external IP address requests to public DNS servers on the internet?

An organization I consult for currently has these DNS server addresses assigned to client computers via DHCP:

10.10.10.20 (internal IP address of the primary domain controller (PDC))
8.8.8.8 (secondary DNS server IP address)
8.8.4.4 (third DNS server IP address)

I would like to change this DHCP DNS scope to be:

10.10.10.20 (internal IP address of the primary domain controller (PDC))
10.10.10.25 (internal IP address of the second Active Directory domain controller)
8.8.8.8 (third DNS server IP address)

This second set of DNS server addresses will provide better redundancy in case the primary domain controller (PDC) goes down.

But before doing this I want to test these two Server 2016 domain controller DNS servers to make sure that they will forward any external IP addresses to the public internet.

How can this type of testing or evaluation be done?
IT Guy (Network Engineer) asked:
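The DHCP change the question describes, as an added PowerShell example that is not part of the original question. It assumes the scope ID 10.10.10.0 covers these clients, that the DhcpServer RSAT module is available and that it runs on the DHCP server itself; the DC addresses are the ones from the question. Following the advice in the answers below, it sets only the two domain controllers as option 6 and flags any public resolver it finds in the existing value:

```powershell
# Added example (not from the original thread). Reads DHCP option 6 (DNS servers)
# for a scope and replaces it with the two domain controllers.
# Assumptions: scope ID 10.10.10.0; runs on the DHCP server with the DhcpServer module.
$scopeId = '10.10.10.0'                        # assumed scope covering the clients
$dcs     = @('10.10.10.20', '10.10.10.25')     # the two DCs from the question

# Current value of option 6 on the scope (empty if only the server-level option is set).
$before = Get-DhcpServerv4OptionValue -ScopeId $scopeId -OptionId 6 -ErrorAction SilentlyContinue
Write-Host ('Before: ' + ($before.Value -join ', '))

# Flag any non-RFC1918 address in the current list: on an AD network these are
# public resolvers that domain members should not be handed.
$public = $before.Value | Where-Object { $_ -notmatch '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)' }
if ($public) { Write-Warning ('Public DNS servers in scope option 6: ' + ($public -join ', ')) }

# Set option 6 to the DCs only. Order matters: clients try the addresses in this order.
# -DnsServer validates that each address answers DNS queries; add -Force to skip that check.
Set-DhcpServerv4OptionValue -ScopeId $scopeId -DnsServer $dcs

$after = Get-DhcpServerv4OptionValue -ScopeId $scopeId -OptionId 6
Write-Host ('After : ' + ($after.Value -join ', '))
```

Clients pick up the new list at their next lease renewal; run ipconfig /renew on a test client to confirm before relying on it.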
yo_bee (Director of Information Technology) commented:
First and foremost, never set an external DNS server on your domain. DHCP should only advertise your DCs.

To see if forwarding is enabled, open DNS.msc and right-click the server > Properties > there is a forwarding tab. There you enter your external DNS servers (8.8.8.8).

https://technet.microsoft.com/en-us/library/cc754941(v=ws.11).aspx
0
 
Cliff Galiher commented:
First, don't include 8.8.8.8

NEVER include a public DNS server when using Active Directory. Full stop. No excuses. If both DCs are down simultaneously, you have bigger problems.  There is NEVER a reason to do this. And it does cause problems.  

As for testing, the DNS server has this built in. Out of the box it uses root hints and I usually don't recommend changing this behavior. Open the DNS server MMC, right-click on the DNS server (you can do this for remote servers as well) and hit Properties. Hit the Monitoring tab. There are two checkboxes to test simple and recursive queries.

Test done.
2
 
Alan (Consultant) commented:
Is DNS (Service) installed and running on the server?

If installed and running, please check what forwarders (if any) you have set up in DNS on that server, and whether root hints are also configured.

If so, then that server will forward DNS queries, for which it does not already know the answer, to either root hints (best option) or one of the forwarders (if configured) which is a second best option in my opinion (unless there is a cogent reason for it).

Alan.
0
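The checks the two answers above describe (forwarders, root hints, the Monitoring tab's recursive test, and an actual external lookup), as an added PowerShell example that is not part of the original thread. It assumes the DC addresses from the question, the DnsServer RSAT module on the machine it runs from, and uses www.example.com as an arbitrary external test name:

```powershell
# Added example (not from the original thread). For each DC, reports how its DNS
# service resolves names it is not authoritative for, then sends it a real external
# query. Assumptions: DC addresses from the question; www.example.com as the test name.
$dnsServers = @('10.10.10.20', '10.10.10.25')   # DCs from the question
$testName   = 'www.example.com'                  # assumed external name to resolve

foreach ($dc in $dnsServers) {
    Write-Host "==== $dc ===="

    # 1. Forwarders. An empty IPAddress list means the server uses root hints only.
    #    UseRootHint says whether it falls back to root hints when forwarders fail.
    $fwd = Get-DnsServerForwarder -ComputerName $dc
    if ($fwd.IPAddress) {
        $list = ($fwd.IPAddress | ForEach-Object { $_.IPAddressToString }) -join ', '
        Write-Host ("Forwarders     : {0} (timeout {1}s, fall back to root hints: {2})" -f $list, $fwd.Timeout, $fwd.UseRootHint)
    } else {
        Write-Host 'Forwarders     : none (root hints only)'
    }

    # 2. Root hints. Normally the 13 root name servers; an empty list means no
    #    path to the internet unless a forwarder is configured.
    $hints = Get-DnsServerRootHint -ComputerName $dc
    Write-Host ("Root hints     : {0} entries" -f @($hints).Count)

    # 3. Scripted equivalent of the Monitoring tab's recursive query test:
    #    does this server answer as a DNS server when resolving via root hints?
    $rec = Test-DnsServer -IPAddress $dc -Context RootHints
    Write-Host ("Recursive test : {0}" -f $rec.Result)

    # 4. Ask the DC directly for an external name, which is exactly what a client
    #    on this DHCP scope will do once 8.8.8.8 is removed from its list.
    try {
        $answer = Resolve-DnsName -Name $testName -Type A -Server $dc -DnsOnly -ErrorAction Stop
        $ips = ($answer | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }) -join ', '
        Write-Host ("Resolves {0} : {1}" -f $testName, $ips)
    } catch {
        Write-Warning "$dc could not resolve ${testName}: $($_.Exception.Message)"
    }
}
```

If step 4 fails on a DC while the forwarders or root hints look fine, check that the DC itself can reach UDP/TCP 53 on the internet (or on its forwarders) through the firewall; the Monitoring tab test exercises the same path, so it will fail for the same reason.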
 
yo_bee (Director of Information Technology) commented:
Note from personal experience leave the default timeout at 3 seconds. I changed mine to 1 second and it caused issues.

Also, I am sorry for any repeated information. At the time I started to write up something there were no replies, but it just reinforces that no external DNS should ever be pushed to internal computers.

I only use external dns when troubleshooting and that is manually set on a single client.
0
 
arnold commented:
Echo Cliff's and yo_bee's statements on NEVER EVER EVER including public DNS servers for AD member systems.
IMHO, these days using forwarders to Google or OpenDNS is an unnecessary complication, for the following reason. Your DNS servers have dual roles: serving YOUR AD and fulfilling your users' requests. When queried directly, your DNS servers cache the responses so that they do not generate unnecessary requests. When using forwarders you are reliant on the remote servers, dependent on a path to those servers, and not caching, meaning:
If two users want to go to www.google.com without forwarders, your server will generate a single request to resolve the name to an IP, and provided it receives the second request within the specified time of record validity (TTL), the second and subsequent responses will be from its own memory.

In a forwarding setup each request will be sent out.

Conditional forwarders for a specific domain to a specific IP are often only used when traffic needs to be routed through a VPN, or for other custom needs.

Why would you want Google to know the destinations and sites you/your organization frequent? (They'll know it anyway based on the ads loaded in your users' browsers.)
0
 
John commented:
I also echo previous comments: NEVER use external DNS servers when you have AD. It can slow down or stop AD-related things from happening, from logons to accessing file shares, etc.

And to repeat the above, I always set up external forwarders on the servers I manage. I use OpenDNS (208.67.222.22) and Google (8.8.8.8).

There was a Server 2008 bug which meant that certain sites didn't resolve without forwarders or repeated DNS restarts. This is gone in 2016, but I still like to use forwarders. This improves performance for recursive queries.

I'm not bothered about Google knowing the sites we browse by looking at DNS requests, because Google Analytics is on most sites and most searches are through Google, so they know anyway.
0