
Forwarders versus root hints


worki...@news.postalias

Jan 23, 2005, 10:19:26 AM
I have a couple of questions regarding the choice to make between forwarding
and root hints:


If I have an AD tree with 3 domains, like test.internal, child.test.internal
and subchild.child.test.internal and I want the DNS server in
test.internal to resolve the internet queries, do I use forwarders or root
hints on the child domains to find the test.internal DNS servers (after
deleting the original root hints in the child DNS servers)?

Also, when delegating the DNS queries for the children to the child DNS
servers on the test.internal DNS servers, when should I use a forwarder to
have the children find the parent test.internal DNS servers or when to use a
root hint?

Thx


Todd J Heron

Jan 23, 2005, 1:52:52 PM
This should help.

255248 - HOW TO Create a Child Domain in Active Directory and Delegate the
DNS Namespace to the Child Domain:
http://support.microsoft.com/?id=255248

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights


Herb Martin

Jan 23, 2005, 3:41:55 PM
<worki...@news.postalias> wrote in message
news:OFRYI8VA...@TK2MSFTNGP09.phx.gbl...

> I have a couple of questions regarding the choice to make between
> forwarding and root hints:
>
> If I have an AD tree with 3 domains, like test.internal, child.test.internal
> and subchild.child.test.internal and I want the DNS server in
> test.internal to resolve the internet queries, do I use forwarders or root
> hints on the child domains to find the test.internal DNS servers (after
> deleting the original root hints in the child DNS servers)?

There are actually choices here, and it matters that you
are running Win2003 DNS server rather than Win2000
IF you wish to resolve the Internet.

Conditional forwarding gives you the extra flexibility in
Win2003 (not Win2000.)

If you use root hints internally that means you cannot resolve
the Internet since a DNS server will only resolve one true
name space directly, and it will not be able to forward
reliably either.


> Also, when delegating the DNS queries for the children to the child DNS
> servers on the test.internal DNS servers, when should I use a forwarder to
> have the children find the parent test.internal DNS servers or when to use
> a root hint?

Let's keep it simple (I won't give you all of the choices).

This works (even for the Internet) using Win2003:

Forward to the ISP for Internet resolution
(general/default forwarding, no conditional entry).
* Conditionally forward to the HIGHEST parent domain(s)
using a conditional forwarding entry to those DNS servers.
Optionally, conditionally forward to any other domains which
are children etc. of that highest parent.
(This is optional since the DNS server can recurse down
from the top.)
Optionally: Disable recursion ONLY on the Forwarders tab
(not in the Advanced tab, which also disables forwarding.)


For Win2000 it is tougher since there is no conditional forwarding,
but this works for Win2000:
* Substitute a "cross secondary" where the child DNS servers
hold a Secondary DNS zone for the topmost parent in
the tree. Now it has the information for finding the top
of the tree, recursing downward, while using the single
forwarder setting to resolve the Internet.

Part of the difficulty in seeing such solutions is that we tend
to use terms like "child DNS servers" (I did above) as if they
really mean something -- nothing prevents a DNS server that
is PART of one zone/domain from holding OTHER ZONES
from elsewhere in your DNS architecture.

Any DNS server can hold multiple zones.

--
Herb Martin


>
> Thx
>
>
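The Win2003 recipe above (general forwarders to the ISP, a conditional forwarder to the highest parent, "Do not use recursion" ticked on the Forwarders tab only) and the Win2000 "cross secondary" substitute, as an added example that is not part of the original thread. It uses the DnsServer PowerShell module (Windows Server 2012 and later / RSAT) and shows in comments the dnscmd forms a Win2003 box would take instead. Every host name and address in it (dc1.child.test.internal, the 203.0.113.x ISP resolvers, the 10.0.0.x parent servers, the names used for verification) is an assumption.

```powershell
# Added example, not from the thread. Configures the DNS server of the child domain
# (child.test.internal) the way the Win2003 recipe above describes. Needs the DnsServer
# module (Windows Server 2012+ / RSAT); the dnscmd lines in comments are what a Win2003
# box would take instead. All names and addresses below are assumptions.
$DnsServer        = 'dc1.child.test.internal'          # child-domain DNS server being configured
$IspForwarders    = @('203.0.113.53', '203.0.113.54')   # ISP resolvers (general forwarders)
$ParentZone       = 'test.internal'                     # highest parent in the tree
$ParentDnsServers = @('10.0.0.10', '10.0.0.11')          # servers holding test.internal

# 1) General (non-conditional) forwarding to the ISP, and "Do not use recursion" on the
#    Forwarders tab only (UseRootHint = $false). Do NOT disable recursion on the Advanced tab
#    (Set-DnsServerRecursion -Enable $false); that kills forwarding as well.
#    dnscmd dc1.child.test.internal /ResetForwarders 203.0.113.53 203.0.113.54 /Slave
Set-DnsServerForwarder -ComputerName $DnsServer -IPAddress $IspForwarders -UseRootHint $false

# 2) Conditional forwarder for the topmost parent. Anything under test.internal that this
#    server does not hold itself (the parent, and sibling or grandchild domains delegated
#    from it) is sent to the parent's servers, which can follow the delegations downward.
#    dnscmd dc1.child.test.internal /ZoneAdd test.internal /Forwarder 10.0.0.10 10.0.0.11
Add-DnsServerConditionalForwarderZone -ComputerName $DnsServer -Name $ParentZone `
    -MasterServers $ParentDnsServers -ReplicationScope 'Forest'

# Win2000 substitute ("cross secondary"): no conditional forwarding exists, so hold a
# secondary copy of the parent zone instead. The parent must allow zone transfers to this host.
#    dnscmd dc1.child.test.internal /ZoneAdd test.internal /Secondary 10.0.0.10 10.0.0.11
# Add-DnsServerSecondaryZone -ComputerName $DnsServer -Name $ParentZone `
#     -ZoneFile "$ParentZone.dns" -MasterServers $ParentDnsServers
# The Win2003 stub zone does the same job holding only the parent's SOA/NS/glue records:
# Add-DnsServerStubZone -ComputerName $DnsServer -Name $ParentZone `
#     -ZoneFile "$ParentZone.dns" -MasterServers $ParentDnsServers

# 3) Verify from the server's point of view: the parent, a grandchild name and an Internet
#    name must all resolve, and root-hint fallback must be off. (Assumed names.)
if ((Get-DnsServerForwarder -ComputerName $DnsServer).UseRootHint) {
    Write-Warning "$DnsServer can still fall back to root hints and recurse the Internet itself"
}
foreach ($name in 'dc1.test.internal', 'dc1.subchild.child.test.internal', 'www.example.com') {
    try {
        $rr = Resolve-DnsName -Name $name -Type A -Server $DnsServer -DnsOnly -ErrorAction Stop |
              Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        '{0,-40} -> {1}' -f $name, $rr.IPAddress
    } catch {
        '{0,-40} -> FAILED: {1}' -f $name, $_.Exception.Message
    }
}
```

If the grandchild name fails while the parent and Internet names succeed, the child server is not following the parent's delegation on its own; that is the case Herb's optional extra conditional forwarder (one per deeper child domain) is there for.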


worki...@news.postalias

Jan 23, 2005, 4:48:52 PM
Hello,

Thx for your input so far. I gather that when given the choice one should
go for forwarders and not for root hints? I've read in some books that you
use root hints for pointing to the parent domain, forwarders are usually
mentioned for internet name resolution. In fact it seems like we can choose
and be happy if it works. The fact that indeed zones can be hosted on any
server increases the choice we have .... any best practices guides around
for this (it seems like this can get messy quite quickly in complex
environments)



Herb Martin

Jan 23, 2005, 10:08:40 PM
<worki...@news.postalias> wrote in message
news:#c8BxVZA...@TK2MSFTNGP11.phx.gbl...

> Hello,
>
> Thx for your input so far. I gather that when given the choice one should
> go for forwarders and not for root hints?

If that must be answered yes or no, then Yes.

Both work, but in general for external name resolution
do you really want your internal DNS servers, which are
usually DCs even, to be free to go ANYWHERE on the
Internet, including VeryEvilHackers.Com?

When you add that to the efficiencies you derive from letting
the ISP do the bulk of the work, or even answer from a large
cache filled not just by you but by other customers, the
benefits are usually clear.

> I've read in some books that you
> use root hints for pointing to the parent domain, forwarders are usually
> mentioned for internet name resolution.

And you cannot MIX these two for the above purpose,
so using root hints internally WHEN you also need to
use the (general*) forwarders is not practical.

* 'General' meaning non-conditional forwarding, which is
a new and special case.

> In fact it seems like we can choose
> and be happy if it works.

No, it is not that simple -- they interact (at times) in
some odd ways, e.g., if your forwarder returns NXDomain
before the actual recursion (using root hints) is accomplished
then the recursion will not be used.

> The fact that indeed zones can be hosted on any
> server increases the choice we have .... any best practices guides around
> for this (it seems like this can get messy quite quickly in complex
> environments)

Actually, the flexibility was introduced in Win2003 with the
introduction of two new features that address this class of
problems: Conditional Forwarding and Stub Zones.


--
Herb Martin



worki...@news.postalias

Jan 24, 2005, 6:04:53 AM
Hello,

Interesting Topic ....

>> Thx for your input so far. I gather that when given the choice one
>> should
>> go for forwarders and not for root hints?
>
> If that must be answered yes or no, the Yes.
>
> Both work, but in general for external name resolution
> do you really want your internal DNS servers, which are
> usually DCs even, to be free to go ANYWHERE on the
> Internet, inclucing VeryEvilHackers.Com?

Hang on, I don't quite understand: if I use a forwarder to the ISP they let
me go anywhere; if I use root hints, they will also let me go anywhere ...
is blocking access not something that should be taken care of by me
(firewall, router, ...)?

>
> When you add that to the efficiencies you derive from letting
> the ISP do the bulk of the work, or even answer from a large
> cache filled not just by your but by other customers the
> benefits are usually clear.

So root hints will give you better performance even if they have to walk
down the DNS tree to find the correct DNS server, when the ISP might have
already done that but is perhaps more overloaded by all the other customers
... Is this performance issue very clear or do you have to experiment to
see what works best .... any "rules"?

>
>> I've read in some books that you
>> use root hints for pointing to the parent domain, forwarders are usually
>> mentioned for internet name resolution.
>
> And you cannot MIX these two for the above purpose,
> so using root hints internally WHEN you also need to
> use the (general*) forwarders not practical.

My idea was originally to remove the root hints (but I could use forwarders
for this) from all child DNS servers and have only a root hint to the root
internal DNS server from where the delegation "cascade" starts (root
delegates to ==> child delegates to ==> grandchild); the root DNS would then
use root hints or forwarders to get to the internet (directly or via a caching
only server etc ...). I figure I could also place root hints on all level DNS
servers instead of just the root, likewise for the delegation (instead of
having a cascade I could delegate to all lower levels) but I was thinking to
keep the configurations "simple".


>
> 'General' meaning non-conditional forwarding which is
> a new and special case.
>
>> In fact it seems like we can choose
>> and be happy if it works.
>
> No, it is not that simple -- they interact (at times) in
> some odd ways, e.g., if your forwarder returns NXDomain
> before the actual recursion (using root hints) is accomplished
> then the recursion not be used.

It is my understanding that "general" forwarding to an ISP shortcuts the root
hints but does not disable them, correct? And that if root hints need to be
disabled we should remove them?

Herb Martin

Jan 24, 2005, 11:09:19 AM
<worki...@news.postalias> wrote in message
news:uYtZKSgA...@TK2MSFTNGP15.phx.gbl...

> Hello,
> Interesting Topic ....
>
> >> Thx for your input so far. I gather that when given the choice one
> >> should
> >> go for forwarders and not for root hints?
> >
> > If that must be answered yes or no, the Yes.
> >
> > Both work, but in general for external name resolution
> > do you really want your internal DNS servers, which are
> > usually DCs even, to be free to go ANYWHERE on the
> > Internet, inclucing VeryEvilHackers.Com?
>
> Hang on, I don't quite understand, if I use a forwarder to the ISP they let
> me go anywhere,

Ah, watch the assumptions in the above sentence:
"let me go anywhere" -- when you use a forwarder
YOUR DNS asks the forwarder to perform the actual
root down recursion, so it is the forwarder
which "goes anywhere".

[There is a choice about whether your internal server
will ALSO recurse itself, but with the forward enabled,
you can disable this capability.]

> ...if I use root hints, they will also let me go anywhere ...


> is blocking access not something that should be taken care of by me
> (firewall, router, ...)

In this case the internal server MUST go to the root
and follow the recursion NO MATTER WHERE it
leads.

And it cannot be taken care of by the firewall since
the firewall MUST let your internal server perform
the recursion to (practically) every address on the
Internet AND let it receive answers to work correctly.

At least in theory, the ReallyEvilHackers can craft
bad DNS response packets etc.

> >
> > When you add that to the efficiencies you derive from letting
> > the ISP do the bulk of the work, or even answer from a large
> > cache filled not just by your but by other customers the
> > benefits are usually clear.
>
> So root hints will give you better performance even if they have to walk
> down the DNS tree to find the correct DNS server,

No, other way around.

> ...when the ISP might have
> already done that but is perhaps more overloaded by all the other
> customers

No, DNS servers are usually VERY efficient and it is
almost always faster to make one request of the ISP
than to physically recurse through the DNS hierarchy.

Usually the ISP's machine is "on or close to the backbone"
also, so even if that DNS must physically recurse it

1) Probably has most of the recursion info in cache
(top level and many secondary zones etc.)

2) Can make the request with greater network efficiency
than your server which is likely across a relatively
slow WAN.

> ... Is this performance issue very clear or doe you have to experiment to
> see what works best .... any "rules"

No, but I am betting on the ISP DNS 9 times out of 10,
especially for providers like RoadRunner where
practically everything of interest is likely already in
cache.

> >
> >> I've read in some books that you
> >> use root hints for pointing to the parent domain, forwarders are
> >> usually mentioned for internet name resolution.
> >
> > And you cannot MIX these two for the above purpose,
> > so using root hints internally WHEN you also need to
> > use the (general*) forwarders not practical.
>
> My idea was originally to remove the root hints (but I could use
> forwarders

I wouldn't remove it, but rather use the ISP as forwarders
and then check "Do not use recursion" (only on the Forwarders
tab of the dialog).

Now you are dependent on the ISP DNS working but
your internal machine will not attempt the full resolution.

> for this) from all child DNS servers and have only a root hint to the root
> internal DNS server from where the delegation "cascade" starts

Just say "delegation starts" -- that is what the term
means.

> (root
> delegates to ==> child delegates to ==> grandchild) the root DNS would then
> use root hints or forwarders to get to the internet (directly or via
> a caching only server etc ...)

The above is unclear when you mention "root DNS"
and "root hints" -- if you mean your internal AD
"root domain" then recognize that AD domains use
the term 'root' differently than DNS and it can become
confusing if you miss these without a clear change of
context marker.

> I figure I could also place root hints on all level DNS
> servers instead of just the root, likewise for the delegation (instead
> of having a cascade I could delegate to all lower levels) but I was thinking
> to keep the configurations "simple"

Then all of these must pass the firewall (for DNS) to
ALL DESTINATIONS through the Internet.

> >
> > 'General' meaning non-conditional forwarding which is
> > a new and special case.
> >
> >> In fact it seems like we can choose
> >> and be happy if it works.
> >
> > No, it is not that simple -- they interact (at times) in
> > some odd ways, e.g., if your forwarder returns NXDomain
> > before the actual recursion (using root hints) is accomplished
> > then the recursion not be used.
>
> It is my understanding that "general" forwarding to an ISP shortcuts the
> root hints but does not disable them, correct? And that if root hints need
> to be disabled we should remove them?

Right, unless you check the "Do not use recursion" box
on the forwarders tab -- which you generally should do
IF the ISP provides reliable DNS service.

Here's what I do (unless there is a reason not to):

1) Internal Servers all forward to the Firewall/Gateway
"caching only" DNS server(s).

2) The Firewall/Gateway caching only server(s) forward
to the ISP.

3) No internal DNS is allowed to perform Internet root
recursion (Do not use recursion).

#2's advantage is the consolidation of the INTERNAL cache
of resolutions, AND it doesn't require my internal servers
to EVER pass the firewall. (Faster and protects the WAN
from redundant use.)

For multiple trees internally, I use (mostly) Conditional
Forwarders on Win2003, and "cross secondaries" on
Win2000.


--
Herb Martin
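The two practical consequences of the argument above, as an added example that is not part of the original thread: an audit of whether a Windows DNS server can still walk the Internet hierarchy itself (recursion on the Advanced tab enabled, and either no forwarders or root-hint fallback still on), and the host-firewall rules a forwarding DC can live with but a recursing one cannot: DNS egress only to the gateway caching-only resolver and the other internal DNS servers. It uses the DnsServer and NetSecurity PowerShell modules (Windows Server 2012 and later). The server names, the 10.0.0.0/8 internal range and the 10.0.0.254 gateway resolver are assumptions.

```powershell
# Added example, not from the thread. Assumed names and addresses:
$InternalDns     = @('dc1.test.internal', 'dc1.child.test.internal')  # DCs running DNS
$InternalDnsIPs  = @('10.0.0.10', '10.0.1.10')                          # their addresses
$GatewayResolver = '10.0.0.254'   # caching-only server on the gateway; it alone forwards to the ISP

# (a) Audit: can this server still perform Internet root recursion on its own?
#     The rule from the thread: "Do not use recursion" on the Forwarders tab (UseRootHint = $false),
#     while recursion on the Advanced tab must stay enabled or forwarding stops working too.
function Test-DnsEgressPosture {
    param([Parameter(Mandatory)][string]$Server)
    $fwd = Get-DnsServerForwarder -ComputerName $Server
    $rec = Get-DnsServerRecursion -ComputerName $Server
    $forwarderCount = @($fwd.IPAddress).Count
    [pscustomobject]@{
        Server               = $Server
        Forwarders           = (@($fwd.IPAddress) -join ', ')
        RecursionEnabled     = $rec.Enable        # Advanced tab; $false here also kills forwarding
        FallsBackToRootHints = $fwd.UseRootHint   # Forwarders tab; must be $false
        RootHints            = @(Get-DnsServerRootHint -ComputerName $Server).Count
        # Walks the Internet itself if it may recurse AND has no forwarder or may fall back past one.
        CanRecurseToInternet = [bool]($rec.Enable -and ($forwarderCount -eq 0 -or $fwd.UseRootHint))
    }
}
$InternalDns | ForEach-Object { Test-DnsEgressPosture -Server $_ } | Format-Table -AutoSize

# (b) Host firewall on each DC: DNS egress only to the gateway resolver and the other internal
#     DNS servers (conditional forwarders and cross secondaries still need port 53 between them).
#     Windows Firewall gives an explicit Block rule precedence over Allow rules, so the block rule
#     must itself leave out the internal 10.0.0.0/8 range rather than rely on rule ordering.
#     IPv4 only; add matching IPv6 rules if the DCs have global IPv6 addresses.
$allowed     = @($GatewayResolver) + $InternalDnsIPs
$nonInternal = @('0.0.0.0-9.255.255.255', '11.0.0.0-255.255.255.255')   # everything outside 10/8
foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule -DisplayName "DNS egress allow ($proto)" -Direction Outbound `
        -Protocol $proto -RemotePort 53 -RemoteAddress $allowed -Action Allow | Out-Null
    New-NetFirewallRule -DisplayName "DNS egress block Internet ($proto)" -Direction Outbound `
        -Protocol $proto -RemotePort 53 -RemoteAddress $nonInternal -Action Block | Out-Null
}
# A server the audit still reports as CanRecurseToInternet = True will now simply fail Internet
# lookups instead of talking to arbitrary hosts, which is the loud failure mode you want.
```

Run the audit first; it tells you which servers would break the moment the block rules go in, and those are exactly the servers that are still recursing on their own.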

worki...@news.postalias

Jan 24, 2005, 12:33:00 PM
OK thx ,

There was some confusion on my part about the benefits forwarding offers,
but you've cleared things up, and things as you explained them now are
as I thought. I misunderstood some of your answers and you had me worried
there for a moment.

In your solution:

1) Internal Servers all forward to the Firewall/Gateway
"caching only" DNS server(s).

I was thinking of letting all internal DNS servers forward to the DNS
rootserver(s) -and yes I mean Domain root DNS servers - and only have
that/those internal root server(s) handle all forwarding to the Caching Only
DNS server (which need not be a domain member or even a Windows machine)


2) The Firewall/Gateway caching only server(s) forward
to the ISP

Yup, I'm happy with that.


3) No internal DNS is allowed to perform Internet root
recursion (Do not use recursion)

And I'm even happier with that.

#2's advantage is the consolidation of the INTERNAL cache
of resolutions, AND it doesn't require my internal servers
to EVER pass the firewall. (Faster and protects the WAN
from redundent use.)

For multiple trees internally, I use use (mostly) Conditional
Forwarders on Win2003, and "cross secondaries" on
Win2000.

I was under the impression that this was possible and OK but so many texts
only imply root hints when dealing with the internal DNS configuration ...
but perhaps that's my misunderstanding of the English language.

Thank you very much for having taken the time to discuss this with me at
such length. I appreciate it.

Herb Martin

Jan 24, 2005, 6:03:41 PM
<worki...@news.postalias> wrote in message
news:OKKrcrjA...@TK2MSFTNGP15.phx.gbl...

> OK thx ,
>
> There was some confusion on my part about the benefits forwarding offers,
> but you've cleared things up, and things as you explained them now
> are as I thought. I misunderstood some of your answers and you had me worried
> there for a moment.
>
> In your solution:
>
> 1) Internal Servers all forward to the Firewall/Gateway
> "caching only" DNS server(s).
>
> I was thinking of letting all internal DNS servers forward to the DNS
> rootserver(s) -and yes I mean Domain root DNS servers - and only have
> that/those internal root server(s) handle all forwarding to the Caching
> Only DNS server


This can work, but if you are using another caching only
DNS server on the firewall/gateway (e.g., to keep this
very important server from visiting the Internet) it just adds
an extra layer of forwarding with no real advantage.

Forwarding is good BUT EVENTUALLY too much forwarding
can cause time out failures when the advantage is less than
the increased delays from doing things like checking empty
caches and re-issuing the request.

And it will not work on a TRUE DNS 'root', only on a domain
root at a lower level of the hierarchy.

> (which need not be a domain member or even a Windows machine)

True.

FYI, FWIW: My gateway/router here is a Windows machine
and even in the domain -- but get this: its OWN CLIENT
settings (i.e., on the NIC-IP properties) point to the INTERNAL
DNS servers since it is (from this point of view) an internal
client.

It does this even though it is itself a caching only DNS server --
or because of that. If it were to ask 'itself' first, it would never
resolve any internal names because it knows none of them
(as a DNS server) but would always try, and fail, to find them on the
Internet.

> 2) The Firewall/Gateway caching only server(s) forward
> to the ISP
>
> Yup, I'm happy with that.
>
>
> 3) No internal DNS is allowed to perform Internet root
> recursion (Do not use recursion)
>
> And I'm even happier with that.
>
> #2's advantage is the consolidation of the INTERNAL cache
> of resolutions, AND it doesn't require my internal servers
> to EVER pass the firewall. (Faster and protects the WAN
> from redundent use.)
>
> For multiple trees internally, I use use (mostly) Conditional
> Forwarders on Win2003, and "cross secondaries" on
> Win2000.
>
> I was under the impression that this was possible and OK but so many texts
> only imply root hints when dealing with the internal DNS configuration ...
> but perhaps that's my misunderstanding of the English language.

You might notice that I don't even really like to use the
term "root hints" to describe this, but think rather in terms
of doing (physical) recursion (using those root hints to find
the top of the hierarchy) or forwarding to another DNS
server and letting THAT ONE deal with the issue.

But I don't think it is a problem with your English as I have
talked with many people who have a slightly skewed view
of the whole thing AFTER reading the books.

The MENTAL keys I follow and teach are this:


1) Separate internal resolution FOR YOUR clients from the
holding of zones for "others" to resolve your resources.

(They can be on the same server, and frequently are, but
don't think about them, or troubleshoot them as one subject.)

2) For your resource zones, never "THINK" about more than
one zone at a time -- again, one server can hold many zones
but don't "think" about the design this way, use that to optimize
and patch together after you understand how it will lay out.


> Thank you very much for having taken the time to discuss this with me at
> such length. I appreciate it.
>

You are welcome.

--
Herb Martin
