RODC DNS Server

  • Question

  • Hello,

    I have a DC and a RODC (both 2016). I configured my RODC DNS server to forward non-AD queries (internet queries) to my ISP's DNS. My workstations have the RODC as primary DNS server and the DC as secondary. The name resolution works fine, but I realized that my domain controller also caches the requests of my workstations. I checked that the RODC has only my ISP's DNS in forwarders.

    Now I wonder whether the DC and RODC synchronize their caches, or whether my RODC does not actually forward the requests to my ISP but to the DC for some reason.

    Thank you in advance.

    Saturday, May 2, 2020 2:23 PM

Answers

  • Hi,

    I finally found the problem. According to this link

    https://support.microsoft.com/en-au/help/2834226/net-dns-dns-client-resolution-timeouts

    the resolution process is the following:

    Time (seconds since start)   Action
    0                            Client queries the first DNS server of the list
    1                            If no response is received after 1 second, client queries the second DNS server of the list
    2                            If no response is received after 1 more second, client queries again the second DNS server of the list
    4                            If no response is received after 2 more seconds, client queries all the servers in the list at the same time
    8                            If no response is received after 4 more seconds, client queries all the servers in the list at the same time
    10                           If no response is received after 2 more seconds, client stops querying

    I thought that the 1-second timeout was greater and that the client tries to query the second DNS only when the primary is really down. So, in my case, sometimes the primary DNS is too busy and the client gets the answer from the secondary. Later it gets the answer from the primary again. When I checked the cache on both servers after a long period of time, the cached addresses were almost the same because the queries are more or less the same, and this confused me, making me wrongly believe that they are somehow synchronized.

    Thank you for your time.

    Friday, May 8, 2020 10:52 AM
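    To see how the retry schedule in that table produces what the thread observed (the secondary DC receiving, resolving and caching a lookup whenever the primary RODC is slow to answer), here is an added Python model of the client's schedule. It is not from the original post; the server names, latencies and host names are constructed sample values.

```python
from typing import Dict, List, Optional, Set, Tuple

# Windows DNS client retry schedule from the KB table above, as
# (seconds since the first send, indexes of the servers queried then).
# Two servers: primary at 0 s, secondary at 1 s and 2 s, both at 4 s and 8 s.
GIVE_UP = 10.0  # the client stops querying at 10 s

def schedule(n_servers: int) -> List[Tuple[float, List[int]]]:
    secondary = [1] if n_servers > 1 else [0]
    everyone = list(range(n_servers))
    return [(0.0, [0]), (1.0, secondary), (2.0, secondary),
            (4.0, everyone), (8.0, everyone)]

def resolve(servers: List[str], latency: Dict[str, Optional[float]]):
    """Simulate one lookup. latency: server -> seconds to answer (None = no
    answer). Returns (server whose answer the client used or None, answer
    time, set of servers that received the query before the client had an
    answer). Each queried server that resolves the name also caches it."""
    arrivals = [(t_send + latency[servers[i]], servers[i])
                for t_send, idxs in schedule(len(servers)) for i in idxs
                if latency.get(servers[i]) is not None]
    answered_at, winner = min(arrivals, default=(GIVE_UP, None))
    if answered_at >= GIVE_UP:
        answered_at, winner = GIVE_UP, None
    # a retry is only sent while no answer has arrived yet
    queried = {servers[i] for t_send, idxs in schedule(len(servers))
               for i in idxs if t_send < answered_at}
    return winner, answered_at, queried

def caches_after(servers, lookups):
    """Names each server's cache holds after the given (name, latency) lookups."""
    caches: Dict[str, Set[str]] = {s: set() for s in servers}
    for name, lat in lookups:
        _, _, queried = resolve(servers, lat)
        for s in queried:
            if lat.get(s) is not None:  # a server that never answered cached nothing
                caches[s].add(name)
    return caches

SERVERS = ["RODC", "DC"]  # primary, secondary: constructed names
# Constructed sample: RODC answers in 50 ms when idle but 1.5 s when busy; DC 50 ms.
LOOKUPS = [
    ("www.site-a.example", {"RODC": 0.05, "DC": 0.05}),  # RODC idle
    ("www.site-b.example", {"RODC": 1.5, "DC": 0.05}),   # RODC busy
    ("www.site-c.example", {"RODC": None, "DC": 0.05}),  # RODC not answering
]

if __name__ == "__main__":
    print(caches_after(SERVERS, LOOKUPS))
```

    Any name whose answer takes longer than one second ends up queried by, and cached on, the DC as well, which is why a long-running comparison of the two caches looks like synchronization.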

All replies

  • The forwarders would take precedence over root hints. If there were no forwarders then the internet queries would have been passed on to the 13 default root hints and resolved top-level down.

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Saturday, May 2, 2020 2:57 PM
  • Thanks for your answer, Dave. But my question is not answered. Why does the PDC also cache the internet requests that are resolved by the RODC?
    Saturday, May 2, 2020 3:30 PM
  • When a machine on the network sends a query to a DNS server, but that server can't resolve the query and has to use root hints or forwarders to resolve it, the response it receives is placed in the DNS server cache. The purpose of this cache is the same as that of the local resolver cache: to speed up the resolution of subsequent queries for the same data.

    Regards, Dave Patrick ....

    Saturday, May 2, 2020 3:39 PM
  • Dave, I know all of these things. And that is what I expected to happen. Let me try to explain it in detail:

    My workstation has the RODC as primary DNS and the PDC as secondary.

    My workstation tries to resolve www.unknownsite.com.

    The RODC does not know the address, asks my ISP and then replies to my workstation with the IP, e.g. 1.2.3.4.

    So far so good.

    Now, checking the cache of the PDC, which normally did not participate in the whole procedure, I can see that www.unknownsite.com is also in its cache! It shouldn't be, because the RODC found the answer from the ISP (the forwarder) and normally cached the resolution.

    Why has the PDC also cached www.unknownsite.com?

    Saturday, May 2, 2020 4:09 PM
  • Sorry, as I explained this is normal expected behavior. Some other options here.

    https://docs.microsoft.com/en-us/powershell/module/dnsserver/set-dnsservercache?view=win10-ps

    Regards, Dave Patrick ....

    Saturday, May 2, 2020 4:28 PM
  • As far as I understand, this is not expected behavior.

    It is potentially possible that your clients are not receiving responses from the RODC-based DNS and sent their requests to the second DNS resolver in sequence.

    If you are looking for a confirmation, a quick Wireshark trace should suffice.

    hth
    Marcin

    Sunday, May 3, 2020 11:34 AM
  • Hi,

    Thanks for posting here!

    I agree with Marcin; I would also recommend that you capture network packets to confirm the real situation.

    If you have any updates, feel free to share them.

    Best Regards,

    Fan 


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, May 4, 2020 5:57 AM
  • Hi,

    Just want to confirm the current situation.

    If there's anything you'd like to know, don't hesitate to ask.

    Best Regards,

    Fan

    Wednesday, May 6, 2020 2:41 AM
  • Hi,

    As this thread has been quiet for a while, we will propose it as 'Answered' as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up.

    Again, thanks for your time and have a nice day!

    Fan

    Friday, May 8, 2020 5:42 AM