DNS – Improper Config?

Networking services
I have recently walked into a company that has their DNS set up as follows. They have two W2K Domain Controllers serving an AD-integrated zone. They removed the root zone from the Windows DNS. They then have the two domain controllers' client DNS configs set up as follows: 1. the other DC, 2. itself, 3. the DC of a trusted domain, 4. ISP's DNS, 5. another ISP's DNS. Everything seems to be working fine, given it is a network of only about 150 users, but I always thought that you never put your ISP's DNS in the client config of the DNS server. On the other hand, I'm not sure if it is really hurting anything. I would think, though, that each DNS server should have only itself as a DNS server and then set up the trusted domain as a forwarder, followed by the ISPs. Does this sound correct? And what, if any, are the ramifications of how they currently have their DNS set up?

Answer Wiki


Best Practices for Active Directory Design and Deployment
I agree with you. The current setup is not per but it is working right now, so please don’t rush into changing all those things. Please take time and collect all the information for your case.

Discuss This Question: 2  Replies

  • Swiftd
    I agree w/the previous poster that you need to change it incrementally, but I see no reason that the clients need the ISP's DNS servers in their configuration. I'd put a sniffer on the network and see if the clients are actually talking to the ISP's DNS servers or if the DNS servers are doing it on their behalf. Putting in the forwarders in the DNS server shouldn't hurt anything since it doesn't have the root hints. I'd have to agree that this is the strangest DNS config I've ever heard of. I have seen one close to it, though. Everything was pointed in a huge "loop" if you will until one of the servers figured out the loop and would resolve it from the root servers. I dunno, maybe that one was more odd than yours, but it's a close call. I don't think it'll take that much to straighten it out, tho. You could probably have it all straightened out over a Saturday or less. The only part that stinks is you'll have to resolve it on off hours. There goes your weekend. Best of luck.
  • HenryKafeman
    Just a note of caution about circular DNS settings!

    Problem
    -------
    I had communication problems (intermittent slow response on our Network) and finally tracked it down to a DNS issue! I had 2 Windows 2000 Servers in our Lab running DNS and pointing to each other.

    Troubleshooting
    ---------------
    I noticed that DNS.EXE on both Servers was taking 100% of the CPU time intermittently. Using Ethereal I found that if I tried, for example, a PING to an unknown address on one of the 2 Servers, the result was 10,000s of Packets between the 2 Servers. These Packets were also getting out from our Lab via its Firewall to our Corporate Network and hence causing overall slow performance! Note, this only happened the first time the address was tried - presumably after failing the Software remembered the failure without initiating the DNS Lookup?

    Resolution
    ----------
    I found the following setting in DNS which I have now ticked on both Servers: In the DNS Manager select the Server. Right-click and select "Properties". Select the "Advanced" Tab. Tick "Disable recursion". The Help has the following:

    Disabling recursion
    ===================
    By default, recursion is enabled for the DNS service, and clients typically request that the server use recursion to resolve a name when sending a query. If recursion is disabled, the DNS service always uses referral, regardless of the client request. In general, DNS servers can answer queries for names outside of their authoritative zones in two ways: Servers can send referral answers, which are an immediate response to the requesting client with a list of resource records for other DNS servers it knows about that appear to be closer or more likely to be of help in resolving the queried name. Servers can use recursion to query other servers on behalf of the requesting client, attempting to fully resolve the name. Recursive lookups continue until the server receives an authoritative answer for the queried name. The server then forwards this answer in response to the original query from the requesting client. In most cases, disabling recursion on a DNS server happens when DNS clients are to be limited to resolving names authoritatively managed on a specific server. For example, this is the case when a DNS server has only DNS names data for an internal network or when the DNS server is incapable of resolving external DNS names (such as Internet DNS names) and clients are expected to retry another DNS server to resolve these names.

    This prevents the 10,000s of packets and resolved the problem!

    Regards
    Henry
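The two problems raised in this thread, the DCs' client resolver lists from the question and the circular forwarding from the reply above, modelled as an added example that is not part of any post here. Server names (DC1, DC2, TRUSTED-DC, ISP1, ISP2) are placeholders, and the packet count is a simplified model of the 10,000s-of-packets symptom, not a reproduction of the Windows DNS service.

```python
# Constructed model of the layout in this thread; names are placeholders.
EXTERNAL_RESOLVERS = {"ISP1", "ISP2"}
# Where each DNS server sends a query it cannot answer from its own zones;
# DC1 and DC2 pointing at each other is the circular setup from the reply above.
FORWARDERS = {"DC1": ["DC2"], "DC2": ["DC1"], "TRUSTED-DC": ["ISP1"]}
# The DCs' TCP/IP client DNS lists as described in the question.
CLIENT_LISTS = {
    "DC1": ["DC2", "DC1", "TRUSTED-DC", "ISP1", "ISP2"],
    "DC2": ["DC1", "DC2", "TRUSTED-DC", "ISP1", "ISP2"],
}

def find_forwarding_loops(forwarders):
    """Return each distinct cycle in the forwarder graph as a list of hops."""
    loops, seen = [], set()
    def walk(node, path):
        for nxt in forwarders.get(node, []):
            if nxt in path:  # back-edge: a loop closes here
                cyc = path[path.index(nxt):] + [nxt]
                if frozenset(cyc) not in seen:
                    seen.add(frozenset(cyc))
                    loops.append(cyc)
            else:
                walk(nxt, path + [nxt])
    for start in forwarders:
        walk(start, [start])
    return loops

def packets_for_unknown_name(start, forwarders, recursion_enabled, max_hops=10000):
    """Simplified server-to-server packet count for a name nobody is authoritative
    for: with recursion on, each server re-asks its forwarder until the hop limit
    (standing in for a timeout); with recursion off, it answers the client itself."""
    if not recursion_enabled:
        return 0
    hops, node = 0, start
    while hops < max_hops and forwarders.get(node):
        node = forwarders[node][0]
        hops += 1
    return hops

def audit_client_list(server, resolver_list, external):
    """Flag client-side entries that belong in the server's forwarder list
    instead (the objection raised in the question)."""
    findings = [f"{server}: entry {i} ({r}) is an external resolver and cannot "
                "answer queries for the AD-integrated zone"
                for i, r in enumerate(resolver_list, 1) if r in external]
    if server not in resolver_list:
        findings.append(f"{server}: does not list itself")
    return findings
```

Running `find_forwarding_loops(FORWARDERS)` reports the DC1/DC2 loop, and `audit_client_list` flags entries 4 and 5 of each DC's client list; the same checks can be pointed at a real forwarder map exported from the DNS consoles.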
