DNS forwarders or just leave it to the root hints?

ADB100

Technical User
Mar 25, 2003
2,399
GB
I have my local DNS servers (Windows 2003) configured with the default '.' zone removed but with just the root hints and all is working OK as far as I can tell. Is this OK or should I configure my ISP DNS servers as forwarders? I have tested both and the outcome is the same.
What is considered the best way and what are the benefits/downsides to either?

Andy
 
Yes, you'll need to configure the forwarders with your ISP's DNS servers.

If it works without them, then you probably have the server NICs configured to use the ISP DNS. This is not the correct way to configure the network. You're going to have internal DNS problems.

All devices (including the server) on the network should use the server for their DNS. The server should be configured to use itself (127.0.0.1).

MCSE CCNA CCDA
 
No this isn't the case. I have an AD deployment, all Windows Servers & PC's point ONLY to the internal DNS Servers (there are only 2 as it's a small network). On the actual DNS servers (which are also DC's) they are configured ONLY to use themselves as DNS Servers (no external DNS servers are configured). Currently there are no forwarders configured from the DNS Manager GUI, only the root hints, the default '.' root domain has been removed so lookups are forwarded out to the root servers.
This works fine and has done for about 2 years, I have no name resolution issues. However I was wondering whether this is 'Best Practice' as I have seen examples configured as I currently have it as well as ones where the ISP's DNS Servers are configured as forwarders. What I want to know is which is best as the end result (from a name resolution point of view) is the same.

Andy
 
Best practice is to use your ISP's DNS for your forwarders.

MCSE CCNA CCDA
 
What? that's it? Where is your reasoning?

 
Agree with forwarder use, as forwarding to a major ISP's DNS server shields your network from querying DNS servers which are manned by hackers or have been infected with malicious software.. the risk is small but it is still out there using the root servers. Also, on the firewall I only let the internal DNS servers use port 53, I block the workstations, even though they are set to only query the internal DNS servers. I recommend at least 4 forwarder entries, two from your ISP, and at least two entries from another.. this way if your ISP goes down (and I have had it happen), you will still have Internet access.



........................................
Chernobyl disaster..a must see pictorial
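An added example, not from this thread, of the forwarder setup technome recommends: it probes each candidate resolver before committing, then replaces the server's forwarder list and verifies the result. It assumes the DnsServer PowerShell module (Windows Server 2012 or later; the Windows 2003 servers discussed here used the dnscmd tool instead) and uses placeholder addresses from the documentation ranges in place of real ISP resolvers.

```powershell
# Added example (not from the thread): configure several DNS forwarders
# after checking that each one actually answers a query.
# Assumes the DnsServer module (Windows Server 2012 or later).
# The addresses are placeholders from the documentation ranges; replace
# them with two from your ISP and two from a second provider.
$Forwarders = @(
    '192.0.2.10', '192.0.2.11',       # ISP resolvers (placeholder)
    '198.51.100.10', '198.51.100.11'  # second provider (placeholder)
)
$ProbeName = 'example.com'

# Keep only forwarders that return an answer, so a dead entry does not
# add a timeout to every lookup.
$Working = foreach ($ip in $Forwarders) {
    try {
        $null = Resolve-DnsName -Name $ProbeName -Type A -Server $ip -DnsOnly -ErrorAction Stop
        Write-Host "OK   $ip"
        $ip
    } catch {
        Write-Warning "FAIL $ip : $($_.Exception.Message)"
    }
}

if ($Working.Count -lt 2) {
    throw 'Fewer than two forwarders answered; leaving the server configuration unchanged.'
}

# Replace the forwarder list. -UseRootHint $false follows the point made
# above: recursion goes only to these resolvers, never straight to the roots.
Set-DnsServerForwarder -IPAddress $Working -UseRootHint $false -Timeout 3

# Confirm what the server now holds and that resolution still works through it.
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint, Timeout
Resolve-DnsName -Name $ProbeName -Type A -Server 127.0.0.1 -DnsOnly |
    Select-Object Name, IPAddress
```

With -UseRootHint $false, external resolution stops entirely if every forwarder is unreachable, which is why the thread's advice to spread the entries across two providers matters; set it to $true if you prefer the root hints as a last resort.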
 
Thanks technome, that is what I was after. I must admit though that in the two years it's been running like this (with just the root hints) I have never had any issues and haven't seen any 'hacking' of DNS names, does it actually happen? Or is it one of these 'potential' issues?
I'll take your advice though and reconfigure my ISP's DNS servers as forwarders.

Cheers

Andy
 
"I have never had any issues and haven't seen any 'hacking' of DNS names, does it actually happen?"
Like I said, it is a small threat, you could define it as a "potential" threat, but hitting a compromised DNS server could introduce malware to systems..would I realize if malware was introduced by a compromised DNS server, very unlikely.
Personally I go the extra step, setting up forwarders takes less than a minute, worth it to rule out even a small threat. Performance-wise, it is supposed to be a mite faster over a period of time, dependent upon your ISP's DNS servers' cache settings/speed... would you notice it, I doubt it.


........................................
Chernobyl disaster..a must see pictorial
 
PorkChopExpress...
Thanks for the link, I was unaware China was using DNS poisoning to control Internet use..when is their government going to grow up.

........................................
Chernobyl disaster..a must see pictorial
 
Just as an added benefit, you could sign up at OpenDNS.com for a free account. You use their DNS servers for your forwarders and you can take advantage of their DNS record level content filtering. You can go through and choose which categories you want blocked (i.e. porn, gambling, proxy bypass, etc.) and also have access to reports and statistics on outside DNS queries. They are very fast and again, best of all, it's free.
 
Pretty much whatever works is good in this instance. Using your ISP's DNS servers as forwarders will allow you to pull on a larger set of cached results, not that the difference is particularly staggering.

If your ISP's DNS servers have high availability I would tend to use them, but at the end of the day there is no difference.

Security issues with DNS come down to whether your ISP is secure, which they are going to tell you they are regardless.
 