DNS on a DC - IPv6 default entry in an IPv4 server?


Mike Leone
Sep 16, 2021, 10:37:14 AM
to NTSysAdmin
I'm confused. We're in the process of upgrading our DCs from Win 2012
R2 to Win 2019. So I created a couple new Win 2019 VMs, DCPromoed them
up to be DCs, all went well.

Today I noticed this, when doing an "ipconfig /all" on the console of that DC:

DNS Servers . . . . . . . . . . . : ::1
10.64.7.54
10.64.7.49
8.8.8.8

Now, in the (IPv4) DNS entries on the NIC of this DC, I only have the
2 private addresses and the Google one. We're not utilizing IPv6, so I
never changed any settings there (although it is checked and active).

So why are these new DCs trying to use the IPv6 address as the first
DNS server, instead of the IPv4 first entry of 10.64.7.54?

>nslookup <old Win2012 R2 DC>
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: ::1

Name: <old Win2012 R2 DC>
Address: 10.64.7.58

(I still don't know why it's giving that timeout, either, especially
if it is - essentially - talking to itself over IPv6 ...)

I've noticed the same config on all the new Win2019 DCs I've made -
the first entry in the DNS list is "::1". Is that some new default for
Win 2019 DCs?

I'll do a separate email about the timeout ...

--

Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

This space reserved for future witticisms ...

Charles F Sullivan
Sep 16, 2021, 10:41:25 AM
to ntsys...@googlegroups.com
This is beside the point, but I would get rid of the external DNS server right away. If you are concerned about the DCs being able to resolve names from external zones, then you can set up 8.8.8.8 as a forwarder.



--

Charlie Sullivan

Principal Windows Systems Administrator

Boston College

197 Foster St. Room 367

Brighton, MA 02135

617-552-4318
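
The change Charlie describes, done from PowerShell on the DC, as an added example that is not part of the thread. The addresses are the ones from the ipconfig output in the original post; the interface alias 'Ethernet0' is an assumption and must be changed to the DC's real adapter name.

```powershell
# Added example (not from the thread): move the public resolver off the
# DC's NIC and into the DNS Server role's forwarders, where the thread
# says it belongs. Interface alias is an assumption; IPs are from the post.
$InterfaceAlias = 'Ethernet0'
$InternalDns    = @('10.64.7.54', '10.64.7.49')   # other DC first, then self
$PublicResolver = '8.8.8.8'

# 1. Show what the DNS client on this adapter is using right now (IPv4 only).
Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses

# 2. Rewrite the client list so it contains only internal DNS servers.
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $InternalDns

# 3. Put the public resolver in the DNS Server forwarders instead, and do
#    not fall back to root hints if the forwarder does not answer.
Set-DnsServerForwarder -IPAddress $PublicResolver -UseRootHint $false

# 4. Verify: no adapter on this DC may still list the public resolver.
$leaks = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses -contains $PublicResolver }
if ($leaks) {
    Write-Warning "Public resolver still present on: $($leaks.InterfaceAlias -join ', ')"
} else {
    $fwd = (Get-DnsServerForwarder).IPAddress.IPAddressToString -join ', '
    Write-Host "NIC DNS client list is internal-only; forwarders: $fwd"
}
```

Step 4 is the check worth keeping around: a DC with more than one adapter (a backup or iSCSI NIC, for instance) can carry a public resolver the console view of the primary adapter never shows.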

Mike Leone
Sep 16, 2021, 10:44:49 AM
to NTSysAdmin
On Thu, Sep 16, 2021 at 10:41 AM Charles F Sullivan
<charles.s...@bc.edu> wrote:
>
> This is beside the point, but I would get rid of the external DNS server right away. If you are concerned about the DCs being able to resolve names from external zones, then you can set up 8.8.8.8 as a forwarder.

I am probably going to get rid of it. But that won't answer the
question as to why it's trying to use IPv6 for DNS lookups instead of
the IPv4 address. I think 8.8.8.8 is already set up as a forwarder.

Erik Goldoff
Sep 16, 2021, 10:48:02 AM
to ntsys...@googlegroups.com
is that IPv6 first address not equivalent to the IPv4 127.0.0.1 loopback address ?


Erik Goldoff
Sep 16, 2021, 10:48:51 AM
to ntsys...@googlegroups.com
100% on this ... only use local DNS internally, let your internal authoritative DNS do the forwarding request to externals


Charles F Sullivan
Sep 16, 2021, 11:00:54 AM
to ntsys...@googlegroups.com
You could disable IPv6 on the DCs, though some people say not to. To completely disable it:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\
DWORD (32-bit) Value: DisabledComponents, 0xff
It does require a reboot.

I can say that we have IPv6 disabled on all of our servers and have for years and I have not seen it cause any problems. We don't use any of the MS technologies that rely on it. I could be convinced to enable it, but I think for now it will stay put. (This usually begins an argument it seems....)
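
The registry value Charlie names, set from PowerShell, as an added example that is not part of the thread. It puts the 0xFF "disable" setting next to 0x20, which keeps IPv6 enabled but makes the prefix policy prefer IPv4; 0x20 is what Microsoft's "Guidance for configuring IPv6 on Windows for advanced users" recommends instead of disabling. The function names are mine; the key path and DWORD type are from the post. Both values take effect only after a reboot.

```powershell
# Added example (not from the thread). DisabledComponents values:
#   0x00  default: IPv6 enabled and preferred over IPv4
#   0x20  IPv6 enabled, but IPv4 preferred in the prefix policy table
#   0xFF  IPv6 components disabled (loopback ::1 is not affected)
$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$Name = 'DisabledComponents'

function Get-IPv6DisabledComponents {
    $v = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { 0 } else { $v }   # a missing value means "everything enabled"
}

function Set-IPv6DisabledComponents {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enabled', 'PreferIPv4', 'Disabled')]
        [string]$Mode
    )
    $value = switch ($Mode) {
        'Enabled'    { 0x00 }
        'PreferIPv4' { 0x20 }
        'Disabled'   { 0xFF }
    }
    # DWORD (32-bit), as the post specifies; -Force overwrites an existing value.
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $value -Force | Out-Null
    Write-Host ('{0} -> DisabledComponents = 0x{1:X2} (reboot required)' -f $Mode, (Get-IPv6DisabledComponents))
}

# Before changing anything: current value and the top of the prefix policy
# table, which is what decides whether ::1 or 127.0.0.1 is tried first.
Write-Host ('Current DisabledComponents: 0x{0:X2}' -f (Get-IPv6DisabledComponents))
Get-NetPrefixPolicy | Sort-Object -Property Precedence -Descending | Select-Object -First 3

# The lighter-touch option: keep IPv6, stop it winning over IPv4.
Set-IPv6DisabledComponents -Mode PreferIPv4
```

Run `Get-NetPrefixPolicy` again after the reboot; with 0x20 the IPv4-mapped prefix (::ffff:0:0/96) moves above the IPv6 entries, which is why ::1 no longer leads the DNS server list.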

Mike Leone
Sep 16, 2021, 11:06:25 AM
to NTSysAdmin
On Thu, Sep 16, 2021 at 11:00 AM Charles F Sullivan
<charles.s...@bc.edu> wrote:
>
> You could disable IPv6 on the DCs, though some people say not to. To completely disable it:
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\
> DWORD (32-bit) Value: DisabledComponents, 0xff
> It does require a reboot.

I looked on my existing Win2012 R2 DCs; IPv6 is *not* enabled in the
properties of the adapter. We always used to disable it, too, but in
the last few years we've just let it be enabled by default (MS
default).

I guess that answers 1 question ... I guess my DNS servers (aka DCs)
aren't handling IPv6, hence why the name shows as "UnKnown". I suppose
I could make an IPv6 hosts file (do such things exist?), which would
clear up the "UnKnown" portion ..

Jonathan Raper
Sep 16, 2021, 11:08:24 AM
to ntsys...@googlegroups.com
Windows Servers have IPv6 enabled by default. AND by default IPv6 is preferred over IPv4. It’s been that way for years now. Although Microsoft offers ways to disable IPv6, there is some debate about whether you should or whether you shouldn’t disable it. I personally lean toward NOT disabling it...but we could debate that all day....so I won’t. 😉

In IPv6 ::1 is equivalent to the IPv4 loopback of 127.0.0.1.

If you really want to get this working properly, you should configure both of your DCs with IPv6 addresses, point them to each other as primary, themselves as secondary, and ::1 as tertiary. It will require you defining IPv6 addresses for each of your DCs. (Not a huge deal, but something else to configure and think about.)

Same goes for IPv4: each DC should point to the other as primary, point to itself as secondary, and point to 127.0.0.1 as tertiary.

And you shouldn’t “probably” remove 8.8.8.8, you should DEFINITELY remove 8.8.8.8 and ONLY use internal DNS server addresses for your internal systems. The ONLY place 8.8.8.8 should exist, if at all, is in your forwarders configuration on each DNS server. This, I will not debate. Putting public DNS entries in your internal DNS resolution configuration is asking for trouble. Either run DNS internally (and correctly) and solely depend on that DNS configuration for internal and external resolution, or don’t run DNS at all. There is almost no middle ground here.

Now, if you REALLY don’t want to fool with IPv6, you CAN set the server up to prefer IPv4 over IPv6. I wouldn’t, but I don’t have to support your system....so its kinda like your underwear....up to you, man. 🙂

Google or Bing: “Guidance for configuring IPv6 on Windows for advanced users”. Should take you to a MSFT article dated 9/8/2020.

Thanks,

Jonboy

Get Outlook for iOS
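
An audit of the DNS client ordering Jonathan describes (another DC first, itself second, loopback last) plus the "no public resolvers" rule, as an added example that is not part of the thread. It reads the DC list from AD at run time, so the old DCs Mike is about to retire would show up as still-referenced addresses. It assumes the ActiveDirectory module and WinRM access to each DC; the RFC 1918 check and the loopback-last rule are my own reading of the advice above.

```powershell
# Added example (not from the thread): audit every DC's IPv4 DNS client
# list against "other DC first, self second, 127.0.0.1 last" and flag
# public resolvers or addresses that are not current DCs.
Import-Module ActiveDirectory

$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$dcIPv4 = @(foreach ($dc in $dcs) { (Resolve-DnsName $dc -Type A -ErrorAction Stop).IPAddress })

function Test-PrivateIPv4 ([string]$ip) {
    # RFC 1918 ranges; anything else on a DC's NIC is a public resolver
    $o = [int[]]$ip.Split('.')
    ($o[0] -eq 10) -or
    ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
    ($o[0] -eq 192 -and $o[1] -eq 168)
}

foreach ($dc in $dcs) {
    $selfIps = @((Resolve-DnsName $dc -Type A).IPAddress)
    # Collect the DNS server list from every adapter that has one.
    $order = @(Invoke-Command -ComputerName $dc -ScriptBlock {
        Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses } |
            Select-Object -ExpandProperty ServerAddresses
    })
    $isSelf   = { param($ip) $ip -eq '127.0.0.1' -or $selfIps -contains $ip }
    $findings = @()

    if ($order.Count -lt 2)  { $findings += 'fewer than two DNS servers' }
    if (& $isSelf $order[0]) { $findings += 'points to itself first' }
    if (-not ($order | Where-Object { & $isSelf $_ })) { $findings += 'never points to itself' }
    if ($order -contains '127.0.0.1' -and $order[-1] -ne '127.0.0.1') { $findings += 'loopback is not last' }
    foreach ($ip in $order) {
        if (& $isSelf $ip) { continue }
        if (-not (Test-PrivateIPv4 $ip)) { $findings += "public resolver $ip" }
        elseif ($dcIPv4 -notcontains $ip) { $findings += "$ip is not a current DC" }
    }

    [pscustomobject]@{
        DC       = $dc
        DnsOrder = $order -join ' > '
        Status   = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
}
```

Run it before demoting the old DCs and again afterwards: a row reporting "<old DC IP> is not a current DC" after the demotion is exactly the stale pointer Mike says he wants to catch first.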


Mike Leone
Sep 16, 2021, 11:23:42 AM
to NTSysAdmin
On Thu, Sep 16, 2021 at 11:08 AM Jonathan Raper
<jonatha...@gmail.com> wrote:
>
> Windows Servers have IPv6 enabled by default. AND by default IPv6 is preferred over IPv4. It’s been that way for years now. Although Microsoft offers ways to disable IPv6, there is some debate about whether you should or whether you shouldn’t disable it. I personally lean toward NOT disabling it...but we could debate that all day....so I won’t. 😉
>
> In IPv6 ::1 is equivalent to the IPv4 loopback of 127.0.0.1.

Right, I know that much, at least. Or perhaps I should say - at most,
because that's about where my IPv6 knowledge ends. LOL
So why does it say "UnKnown" in an nslookup, instead of its own host
name, then? Do I need to enter "::1 <hostname>" in my hosts file, to
not have it show "UnKnown"?

> If you really want to get this working properly, you should configure both of your DCs with IPv6 addresses, point them to each other as primary, themselves as secondary, and ::1 as tertiary. It will require you defining IPv6 addresses for each of your DCs. (Not a huge deal, but something else to configure and think about.)

Pass. Not right now, I don't think ...

> Same goes for IPv4: each DC should point to the other as primary, point to itself as secondary, and point to 127.0.0.1 as tertiary.

Yep, I know that. And, in fact, that's what I was verifying: that the
new DCs all have DNS entries that point to only the other new DCs
(i.e., not the old ones, which I'm planning on retiring Real Soon Now,
so I can up my DFL/FFL). Don't want to demote the old DCs and delete
them, until I've verified that nothing is still set to point at them
...

So wait - each DC should have itself as a secondary address, and
127.0.0.1 (again, itself) as tertiary? so it points to itself twice??

> And you shouldn’t “probably” remove 8.8.8.8, you should DEFINITELY remove 8.8.8.8 and ONLY use internal DNS server addresses for your internal systems. The ONLY place 8.8.8.8 should exist, if at all, is in your forwarders configuration on each DNS server. This, I will not debate. Putting public DNS entries in your internal DNS resolution configuration is asking for trouble. Either run DNS internally (and correctly) and solely depend on that DNS configuration for internal and external resolution, or don’t run DNS at all. There is almost no middle ground here.

Easy now. LOL I already did remove it ...

> Now, if you REALLY don’t want to fool with IPv6, you CAN set the server up to prefer IPv4 over IPv6. I wouldn’t, but I don’t have to support your system....so its kinda like your underwear....up to you, man. 🙂
>
> Google or Bing: “Guidance for configuring IPv6 on Windows for advanced users”. Should take you to a MSFT article dated 9/8/2020.

Again, pass. Not until I have to (and I don't have to, at least not yet ..)

So this answers the question about why ::1 is first in the DNS list,
Windows is preferring IPv6 to IPv4. So that's explained. I'd like to
get the "UnKnown" explained, too, if I can ...

Michael B. Smith
Sep 16, 2021, 11:38:31 AM
to ntsys...@googlegroups.com
You don't have a reverse zone in DNS for IPv6.
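
What that one-line answer means in practice, as an added example that is not part of the thread: nslookup reverse-resolves the server address it is about to use, so for ::1 it sends a PTR query for the ip6.arpa name built below, and since no internal zone is authoritative for it the server name comes back as "UnKnown". The converter and the wrapper function are mine; Resolve-DnsName is the built-in client. The 10.64.7.58 address is the old DC from the original post.

```powershell
# Added example (not from the thread): build the reverse-lookup name for
# an address the way a resolver does, then issue the PTR query nslookup
# issues for its "Server:" line.
function ConvertTo-Ip6ArpaName {
    param([Parameter(Mandatory)][string]$IPv6Address)
    # Let .NET normalise the address, then expand all 16 bytes to 32 hex nibbles.
    $addr = [System.Net.IPAddress]::Parse($IPv6Address)
    if ($addr.AddressFamily -ne 'InterNetworkV6') { throw "$IPv6Address is not IPv6" }
    $nibbles = ($addr.GetAddressBytes() | ForEach-Object { $_.ToString('x2') }) -join ''
    # ip6.arpa lists the nibbles least-significant first, one label each.
    $chars = $nibbles.ToCharArray()
    [array]::Reverse($chars)
    ($chars -join '.') + '.ip6.arpa'
}

function Test-ReverseLookup {
    param([Parameter(Mandatory)][string]$Address)
    $ptrName = if ($Address -like '*:*') {
        ConvertTo-Ip6ArpaName $Address
    } else {
        # IPv4: octets reversed under in-addr.arpa
        (($Address.Split('.'))[3..0] -join '.') + '.in-addr.arpa'
    }
    try {
        $ptr = Resolve-DnsName -Name $ptrName -Type PTR -ErrorAction Stop
        [pscustomobject]@{ Address = $Address; Query = $ptrName; Answer = $ptr.NameHost }
    } catch {
        [pscustomobject]@{ Address = $Address; Query = $ptrName; Answer = "(none: $($_.Exception.Message))" }
    }
}

# ::1 has no PTR anywhere the DC can reach, which is nslookup's "UnKnown";
# the old DC's address answers only if an in-addr.arpa zone holds its record.
Test-ReverseLookup '::1'
Test-ReverseLookup '10.64.7.58'
```

For ::1 the query name is a single 1 followed by thirty-one 0 labels under ip6.arpa. A hosts-file entry would not change the result: the reverse lookup goes to DNS, and the missing piece is a reverse zone, not a forward name.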


Jonathan Raper
Sep 16, 2021, 11:42:37 AM
to ntsys...@googlegroups.com
Hi Mike,

Ok, fair enough if you don’t want to configure IPv6. At this point, I would advise you to go into Server Manager, go down to the DNS role, and scroll down to the Best Practices Analyzer for that role and run it. Resolve everything it calls out. Ultimately, if everything is configured properly, it will only bark about one issue:

Note that it will bark about something along the lines of “DNS servers should point to themselves, but not as the primary”. That is barking about the ::1 in the IPv6 configuration. If that is the only loopback that is set to primary, you can ignore it and move on.

If the DNS BPA comes back clean with the exception of that one caveat, then you should be all set.

Thanks,

Jonboy

Get Outlook for iOS
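
Running the same DNS Best Practices Analyzer from PowerShell rather than Server Manager, as an added example that is not part of the thread, and filtering the output down to actual findings so the one expected loopback warning is easy to spot. The BestPractices module and the DNSServer model ID are standard on a DNS role server; the title filter is approximate because the thread only paraphrases the rule's wording.

```powershell
# Added example (not from the thread): run the DNS role BPA and list only
# non-informational findings that have not been excluded.
Import-Module BestPractices
$model = 'Microsoft/Windows/DNSServer'

Invoke-BpaModel $model | Out-Null       # performs the scan; can take a minute

$results = Get-BpaResult $model |
    Where-Object { $_.Severity -ne 'Information' -and -not $_.Excluded }

$results | Select-Object Severity, Category, Title, Problem | Format-List

# Jonathan's caveat: one warning about the server pointing to itself as
# primary is expected while ::1 leads the IPv6 list. Anything else is real.
# (Pattern is approximate; the rule title is paraphrased in the thread.)
$other = $results | Where-Object { $_.Title -notmatch 'point to themselves|loopback' }
if ($other) { Write-Warning "$(@($other).Count) BPA finding(s) besides the loopback one" }
else        { Write-Host 'DNS BPA clean apart from the expected loopback warning' }
```

The Resolution property on each result carries the fix text Server Manager shows, so piping `$results | Select-Object Title, Resolution` is a quick way to work the list.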


Mike Leone
Sep 16, 2021, 11:43:42 AM
to NTSysAdmin
On Thu, Sep 16, 2021 at 11:38 AM Michael B. Smith <mic...@smithcons.com> wrote:
>
> You don't have a reverse zone in DNS for IPv6.

Learning more all the time. LOL Today is my IPv6 learning day, apparently.

So I guess this answers everything in my original email. All is working
as expected (now that I know what to actually expect ...)

Still dunno why I am getting the timeouts, but I'm running "dcdiag /c"
at the moment (the "dcdiag /test:dns /DnsBasic" passed, for all DCs,
so I'm just trying to track things down, at this point ..)

Thanks everybody!

Jonathan Raper
Sep 16, 2021, 11:44:31 AM
to ntsys...@googlegroups.com
And no, you should never, ever modify the hosts file of a DNS server, unless you have a *VERY* good reason...

At least that is my opinion. And I am an EXPERT on my opinion! 😂

Thanks,

Jonboy

Get Outlook for iOS

Gabriel Clifton
Sep 16, 2021, 12:06:20 PM
to ntsys...@googlegroups.com, Mike Leone
We do have IPV6 enabled on all of our servers, but we prefer IPV4 over
IPV6 set for all Windows machines, and we have never had any issues with
not using IPV6. All of our servers and workstations only actually use
IPV4. We even do not have IPV6 set up with our DNS and DHCP servers.

Micheal Espinola
Sep 16, 2021, 4:07:01 PM
to ntsys...@googlegroups.com

Philip Elder
Sep 16, 2021, 4:42:40 PM
to ntsys...@googlegroups.com
Get rid of the 8.8.8.8. That's a public DNS server that has absolutely no clue about the internal network.

That setting belongs in FORWARDERS in the DNS console!

Philip Elder MCTS
Microsoft High Availability MVP
E-mail: Phili...@mpecsinc.ca
Phone: +1 (780) 458-2028
Web: www.mpecsinc.com
Blog: blog.mpecsinc.com
Twitter: Twitter.com/MPECSInc
Skype: MPECSInc.
 
Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.


Kurt Buff
Sep 16, 2021, 5:07:59 PM
to ntsys...@googlegroups.com
Coming in a little late, but I suggest you read up on IPv6 ULAs, and perhaps NPT as well.

ULAs are a good way to set up private and static IPv6 addressing, something a bit like the RFC1918 IPv4 address ranges.

Kurt


Jim Behning
Sep 16, 2021, 5:59:48 PM
to ntsys...@googlegroups.com
Off topic. I never enter google dns numbers. They know nothing of my domain. I do use forwarders in DNS.

 IPV6 may be running on my DCs but I do not use that intentionally. Only one server running 2019. The other two are running 2016. Not that it is relevant to the question.
