
Best Practices for resolving external DNS queries


wchull

MIS
Jun 14, 2001
93
US
We are currently running Microsoft DNS on two Windows 2000 servers and we currently have our ISP's DNS servers specified in our forwarder list. I have heard two different stories about forwarders and I'm trying to get a feel for what the best practice regarding forwarders is.

In the blue corner are those that insist that it is a best practice to forward your external DNS requests to your ISP's DNS servers, as these servers have the addresses cached on the server, making for a quick answer to you. In addition, someone told me that Microsoft's DNS cache can only hold an entry for a max of 1 day, meaning that queries using the root hints servers take longer, as the process of getting an authoritative answer takes longer and the Microsoft DNS cache has to be rebuilt daily. What I have been told is that ISPs don't use Microsoft DNS because of the cache issue, so most use BIND, as it can be set to cache entries for up to 7 days.

In the red corner are those that believe that you should not be specifying your ISP's DNS as a forwarder but should get all your answers from the root hints servers. The basis of this is that your ISP's DNS might go down and you can't get any resolutions while they are down. In addition to this, the proponents of using the root hints servers say that you will always get the correct answer from the root hints servers, as they are not allowed to cache answers, and you avoid the possibility of getting a polluted cached response if your ISP's cache is corrupt.

Bottom line: it appears to be a case of speed vs. accuracy and availability, but so far I'm finding nothing that says that going to the root hints servers is a NO-NO and that one will get their hand slapped if you do.

Any help would be appreciated.

 
I'm in the red corner and have never had any performance issues; however, I believe the majority will say it's best to forward to your ISP.
 
Forwarding...
If not used, there is a chance queries might go to a rogue DNS server, purposely infected or unintentionally infected.
As far as your ISP going down or changing IPs, a very real possibility, as I have had this a number of times... simple solution: place the DNS server IPs of a few more different ISPs. I generally use the 2 addresses from the client's ISP, then two more from different ISPs, lower in the forwarding list.
Performance or pollution: I work on smaller networks, under 300 users. Technically forwarding is faster, as it creates less DNS traffic; pollution is a non-issue.
Microsoft settings are adjustable. Why would you want the cache 7 days, unless you want problems?

........................................
Chernobyl disaster..a must see pictorial
 
So far what I am getting back from several forums is that there is no clear winner. Many people evidently are going to the root servers, as many have complained that their ISP changes the IP address of their DNS servers or takes them offline, or, in our case, we exceeded some arbitrary threshold and were temporarily cut off from the DNS.

In regard to the local cache.... It's not that we necessarily want to cache addresses that long; it was just mentioned that most ISPs do not use Microsoft's DNS, they use BIND, and with MS you can only have 1 day's cache where BIND can be configured for 7. According to what I was told, the ISPs typically maintain a longer cache to minimize the amount of traffic they are generating.

Some have said that it just boils down to speed vs. accuracy, but yesterday I converted our two DNS servers in the test network from forwarding to 2 ISPs to going straight to the root hints servers. After clearing the DNS cache I started pinging obscure as well as common web sites and did not personally note any lag in response to the queries.

Basically, when responsibility for DNS was transferred to our department and we changed products from Incognito to Microsoft DNS, we wanted to go straight to the root servers, but our Network folks told us that doing so was "Bad Internet Manners", despite the fact that the default install of DNS on a Microsoft server is designed to go to the root servers. We went the ISP route and have been cut off twice, and we are now revisiting the question of whether going straight to the root hints servers is really "Bad Internet Manners" or just an Old Internet Wives' Tale.

I'm still interested to see what camp everyone is in so keep posting.

Thanks!
 
Personally, I set the servers I'm in charge of to use forwarders, but to make their own root query if they don't get an answer in 3 seconds. That gives you the best of both worlds (let's call it the Purple world!)

And the M$ DNS caching behavior is all about the ability to have changes pushed through relatively quickly (records have a default TTL of 1 hour), which values accuracy and expediency over traffic. There are always values in conflict...

ShackDaddy
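The "purple" setup described above (forward to the ISP, fall back to root hints after a short timeout), as an added example that is not part of the original thread. It uses the DnsServer PowerShell module (Windows Server 2012 and later); on older servers the same settings are made with `dnscmd /ResetForwarders <ip> <ip> /Timeout 3 /NoSlave`. The forwarder addresses are RFC 5737 documentation addresses used here as placeholders, not real ISP resolvers.

```powershell
# Added example: configure forwarders with a 3-second timeout and root-hint
# fallback on a Windows DNS server. Run in an elevated session on the server.

# Placeholder ISP resolver addresses (documentation range, constructed for this
# example); replace with the addresses your ISP actually provides.
$IspForwarders = @('192.0.2.53', '198.51.100.53')

# Forward to the ISP resolvers, wait at most 3 seconds for each forwarder to
# answer, and let the server resolve via its own root hints when none does.
# -UseRootHint $true is the opposite of "slave" (forward-only) mode.
Set-DnsServerForwarder -IPAddress $IspForwarders -Timeout 3 -UseRootHint $true

# Confirm the forwarder list, timeout and fallback flag as now configured.
Get-DnsServerForwarder | Format-List IPAddress, Timeout, UseRootHint

# The fallback only helps if root hints are actually loaded; an empty list
# means a forwarder outage would still leave the server unable to resolve.
$rootHints = Get-DnsServerRootHint
if ($rootHints.Count -eq 0) {
    Write-Warning 'No root hints loaded: root-hint fallback will not work.'
} else {
    Write-Host "Root hints loaded: $($rootHints.Count) servers"
}

# Sanity check: resolve a name through this server itself. example.com is a
# reserved name chosen for the check, not a site from the thread.
Resolve-DnsName -Name 'example.com' -Type A -Server 127.0.0.1
```

With this in place, a forwarder outage costs at most the 3-second timeout per forwarder before the server walks the hierarchy from the root hints itself, which is the availability argument from the red corner without giving up the ISP cache in normal operation.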
 
Well, my opinion is:
Run DNS servers, and make sure they cache. Have your servers reference/cache your ISP, as your ISP references/caches servers above it. It's the design of the system.

I know they are only guidelines, and no one is going to come smack your hand for querying root...

As far as your ISP cutting off your DNS requests... Um. You have a contract and SLA, don't you? You are paying for a service, a service they are receiving cash to provide. Check your T&C and find out if they owe you money for lost service.



Robert Liebsch
Stone Yamashita Partners
 
Thanks for the reply.

I don't know what service level agreement we have with our ISP. I know from discussions we have had with them after the fact that they indicated they considered the amount of traffic being generated as a denial of service attack, and I'm assuming that they have some right to protect themselves from DoS attacks written into that agreement.
 
Here's the bottom line. What I've done for years is set the DNS servers to point to our ISP first, and themselves second. Take all clients, and point them to the DNS servers only. Reason... If I want to go to aaa.com from my client computer, it will go to my internal servers. If the internals don't have this in cache, they will go to the ISP, and then when aaa.com is located, it goes into cache. The next time I want aaa.com, it's in local cache, and I get there even faster. If the ISP servers go down, the local DNS servers are also looking internally, so if it's in cache it will be found. Make sense?
In addition, someone told me that Microsoft's DNS cache can only hold an entry for a max of 1 day meaning that queries using the root hints servers take longer as the process of getting an authoritative answer takes longer and Microsoft DNS cache has to be rebuilt daily.
Here's the problem: cache lasts as long as you set it up in the DNS server, not just one day. OK? Good luck.

Glen A. Johnson
If you like fun and sun, check out Tek-Tips Florida Forum
"Maybe this world is another planet's hell."
Aldous Huxley (1894-1963), English critic & novelist
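The point that the Windows DNS cache lifetime is a setting rather than a fixed one day, as an added example that is not part of the thread. On Windows DNS the cap is the server's MaxCacheTtl value (registry `HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters`, default 86400 seconds); it limits how long a cached record may live, but a record whose own TTL is shorter (ShackDaddy's 1-hour example) still expires when its TTL runs out. The cmdlets below are from the DnsServer module; on older servers the equivalents are `dnscmd /Config /MaxCacheTtl <seconds>` and `dnscmd /ClearCache`.

```powershell
# Added example: inspect and adjust the Windows DNS server cache lifetime.
# Run in an elevated session on the DNS server.

# Show the current cache limits. MaxTtl is the positive-answer cap
# (default 1 day); MaxNegativeTtl caps cached "name does not exist" answers.
Get-DnsServerCache | Format-List MaxTtl, MaxNegativeTtl, MaxKBSize

# Read the same cap straight from the registry (seconds). A missing value
# means the 86400-second default applies.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$current = Get-ItemProperty -Path $params -Name MaxCacheTtl -ErrorAction SilentlyContinue
if ($null -eq $current) {
    Write-Host 'MaxCacheTtl not set; default of 86400 seconds (1 day) applies'
} else {
    Write-Host "MaxCacheTtl = $($current.MaxCacheTtl) seconds"
}

# Raise the cap to the 7 days the thread attributes to BIND. This only
# lengthens the cache for records whose authoritative TTL is that long;
# a record published with a 1-hour TTL still expires after 1 hour.
Set-DnsServerCache -MaxTtl (New-TimeSpan -Days 7)

# Keep negative answers short so a transient lookup failure is retried soon.
Set-DnsServerCache -MaxNegativeTtl (New-TimeSpan -Minutes 15)

# The change applies to entries cached from now on; flush the cache
# (what wchull did before his root-hints test) to start from a clean state.
Clear-DnsServerCache -Force

# Confirm the new limits, then list what is currently cached.
Get-DnsServerCache | Format-List MaxTtl, MaxNegativeTtl
Show-DnsServerCache | Select-Object -First 20
```

The trade-off ShackDaddy raises applies here: a longer MaxTtl cuts upstream traffic but means a stale or polluted entry, once cached, is served for up to that long before it is re-fetched, so a short cap is the safer default when accuracy matters more than query volume.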

 
So under forwarders you have your own internal DNS server as a forwarder beneath your ISP's DNS? What does that do? Why forward to yourself if the ISP's DNS fails?
 