DNS forwarders and MS Root Hints

  • Question

  • Hi there,


    I have a query on using DNS forwarders. By default, after the DNS service is installed, the Root Hints are already configured. What I'm trying to figure out is, if we're using this server for internet DNS resolution, is it better practice to use the default Root Hints or remove those and put our ISP's DNS servers in there?

    Can anyone advise what's the best practice? We have 2 ISP DNS providers, ISP-A and ISP-B, which is the backup. So if I was to remove the Root Hints and place our ISP for the first two, I would put ISP-A and then ISP-B as entry 3 and 4. If our ISP-A link fails and the internet fails over to ISP-B, then it will use these DNS servers.


    Can anyone give some advice - many thanks


    Momo
    Monday, March 14, 2011 3:41 PM

Answers

  • This usually depends on your local security policies.

    If you aren't using forwarders, that means your local DNS server will be making recursive queries to resolve the target host names. If you use forwarders, your local DNS sends the client's request to the forwarder for the recursive queries to be made. I'm not aware of a mechanism to cause the forwarders to change based on which ISP's link is active, although there probably is a way to achieve this programmatically. IIRC the requests will simply be sent to the DNS forwarders in order until a response is received. Even if your link to ISP A is down, their DNS servers will probably still be reachable via ISP B, although the response time will likely be impacted.

    I don't think there is a cut-and-dried "best" way to do this. It's more situational. In the past I have used forwarders often to reduce the load on the local DNS servers and their WAN connections and let the ISP's DNS servers perform the recursion. Most of the time they will already have the responses cached, so the lookups will be fast. YMMV.


    Matt W. CCNP, CCDA, CCNA-S, RHCT, MCSE, MCSA, MCP+I, A+
    Monday, March 14, 2011 4:31 PM
  • In addition to Matt's response, whichever Forwarder is listed as the first address will more than likely be the one being used to resolve queries.

    I wouldn't remove the Root hints. No point in doing that anyway, if you've configured a forwarder or two. Besides, if the first forwarder doesn't resolve it, then it will try the second one, but only after a series of attempts and a time-out period, and if the second one doesn't resolve it after the same series of attempts and time-outs, then by the time it gets to the Root hints, the client-side resolver (the workstation or whatever requested it) that originally requested the query has its own resolver algorithm that would have reached its own time-out, therefore dropping the request. So even if you remove the Roots, it wouldn't matter. Here's more info on this behavior:

    DNS, WINS NetBIOS, Client Side Resolver algorithm, Browser Service, Disabling NetBIOS, Direct Hosted SMB (DirectSMB), If One DC Goes Down, Does a Client logon to Another DC, and DNS Forwarders Algorithm if you have multiple forwarders.
    http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx

    As for what is Best Practice, there are multiple schools of thought on this, as well as on whether to use a Forwarder or not. Some look at it as a security issue; others don't and simply look at using Forwarders to offload recursion, as Matt indicated. I use forwarders to offload recursion. If it's a security concern, depending on your own company's SLA or local gov regulations, you can install a locked-down, standalone, caching-only DNS (not joined to the domain) that you would configure without Forwarders (so it's using its Roots) and use this guy as a forwarder from your internal DNS servers.

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Monday, March 14, 2011 5:26 PM
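    The two layouts discussed above (ISP forwarders in priority order with Root Hints kept as fallback, and Ace's locked-down caching-only box used as the forwarder) as an added PowerShell example; it is not from the thread and assumes Windows Server 2012 or later with the DnsServer module, and uses placeholder addresses 192.0.2.53 / 198.51.100.53 (ISP-A / ISP-B), 10.0.0.53 (caching-only server) and 10.0.0.10 / 10.0.0.11 (internal DNS servers).

```powershell
# Added example, not the thread's own commands. Addresses are placeholders.
Import-Module DnsServer

# --- Option 1: internal DNS server forwards to the ISPs, Root Hints kept ---
# Forwarders are tried in list order (ISP-A first, ISP-B second). -UseRootHint
# leaves the default Root Hints in place as the last-resort fallback; -Timeout
# is the seconds the server waits on each forwarder before trying the next.
Set-DnsServerForwarder -IPAddress 192.0.2.53, 198.51.100.53 `
                       -UseRootHint $true -Timeout 3

# Verify the order and that the Root Hints were not removed.
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint, Timeout
(Get-DnsServerRootHint | Measure-Object).Count   # 13 on a default install

# --- Option 2 (Ace's layout): standalone, non-domain-joined caching-only box ---
# Run on 10.0.0.53. No forwarders at all, so it recurses from the roots itself.
Get-DnsServerForwarder | Select-Object -ExpandProperty IPAddress |
    ForEach-Object { Remove-DnsServerForwarder -IPAddress $_ -Force }
# Harden recursion: only accept answers from the server actually queried and
# drop out-of-bailiwick records, which limits cache-poisoning exposure.
Set-DnsServerRecursion -Enable $true -SecureResponse $true
Set-DnsServerCache -PollutionProtection $true
# "Locked down": answer port 53 only for the internal DNS servers.
foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule -DisplayName "DNS-53-$proto from internal resolvers" `
        -Direction Inbound -Protocol $proto -LocalPort 53 `
        -RemoteAddress 10.0.0.10, 10.0.0.11 -Action Allow
}

# Back on the internal DNS servers: forward to the caching-only box only,
# still keeping Root Hints so nothing has to be deleted.
Set-DnsServerForwarder -IPAddress 10.0.0.53 -UseRootHint $true -Timeout 3

# Smoke test from an internal server: query the caching-only box directly.
Resolve-DnsName -Name example.com -Type A -Server 10.0.0.53 -DnsOnly
```

    Run the first and last sections on the internal servers and the middle section on the caching-only host; `Resolve-DnsName ... -DnsOnly` confirms the forwarder path works before clients are pointed at it.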
  • Hi Momo,

    You may also refer to the FAQ in the link below:

    http://support.microsoft.com/kb/291382

    Thanks.

    Tiger Li


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Tuesday, March 15, 2011 8:54 AM
