
DNS with no forwarder

link9 (Programmer, US), Nov 28, 2000
Hello all,

This is more of a "Do you know why this works, and can you explain it" question than anything.

I have a new windows 2003 machine that I'm using on my network that serves as (among other things) a DNS server. My initial problem was that DNS lookups were stalling out for about a second before being resolved.

My suspicion was that the forwarder wasn't working properly, and Windows was getting hung up looking around to see if it knew where xxx.com was before giving up and forwarding the request on.

The reason that I thought this was that if I set a client machine to use the address of the forwarder directly as its primary DNS server (instead of the win2003 server), lookups were very snappy. This ruled out there being a problem with the ISP's server.

I compared and compared settings against another box that had DNS working quite well, and to the best of my abilities, I could not find anything out of the ordinary.

Ok, so now comes the weird part. I removed the forwarder completely from the Windows DNS, and now DNS lookups are lightning fast.

The only address that the server now has is its default gateway, and that (of course) is pointed at my router. All the clients are then pointed at the server for DNS, and it is all working flawlessly.

I'm very confused by this behavior, and am hoping that someone can explain to me how Windows is figuring out where these addresses resolve to if not with a forwarder.

Thanks for any insight you might be able to provide.

-paul


The answer to getting answered -- faq855-2992
 
Is the DNS server now using the root hints settings to query a root DNS server? I believe they are preset.
 
There are root hints in there, but they are the ones that it came installed with. I never changed them.

Preset to look up at some omnipresent DNS server that MS manages or something like that, you mean?

-p

 
Yep, they are the addresses of the 13 DNS root servers; they are called A.ROOT-SERVERS.NET through M.ROOT-SERVERS.NET.

They are usually managed by universities or technology companies; I don't think MS has anything to do with any of them.
 
Interesting. Thanks for the info.

-paul

 
Paul...

Wonder if you try another two DNS servers from a different ISP in the forwarders tab, would it make a difference. As is, if you do not have your ISP's in the forwarders with the "do not use recursion" checked off, your DNS server is free to roam for queries; perhaps the ISP's DNS servers are slow enough that your DNS server now roams for the queries via the root servers' referrals.

I generally test the DNS response times with the tracert and pathping commands to find out any delaying routers in between the client and the ISP's DNS servers, and if any packet losses occur along the way.

If you want, you can post over at the Minasi site; they have a couple of people heavy into DNS. I am curious if anyone else has seen this happen.

 
Well, like I said, though, if I put the DNS address directly into the client, thereby bypassing the server for DNS queries, then everything worked quickly.

In your opinion, doesn't that rule out it being an issue with the ISP?

-p

 
Probably...
Your server default is 5 seconds for a query to a DNS server; if it does not complete, it goes on to the next, then to the root servers, who direct the query to a server which can answer. Once the queried DNS server returns an answer, it is in the server or wks cache, which will return a query basically instantly. Do you pull up all web pages fast? If it is a site which has not been accessed before, is it still fast? Anything over 5-10 seconds for a new site to be queried would raise my suspicions.

Unlikely that it is this, but I am really curious why you're having problems with the forwarders.

There is a security issue if forwarders are not used and are not slaved to an ISP's (or internal, highly secure/AV-protected) DNS server, as in the case of the servers/wks seeking DNS queries recursively, which allows the machines to query any DNS server on the Internet, as you are set up now. Seems there are viruses which can act as a DNS server and infect machines seeking queries; personally I have not seen it happen as I always use forwarders. How much of a risk it is I do not know, but there is always a first time.

Can I post your question at the site I linked?

 
I agree with technome; let's have a dig around and see what turns up. It could be interesting.
 
Seriously, there are a couple of guys at the site who eat DNS for breakfast, lunch, dinner, AND snack time.. the guys are damn good.
 
Well, as I sat here and typed out a big long reply to this message, I decided to go ahead and try a couple of other forwarders that I know, and sure enough, things do work much faster using those.

I can't say I completely "get it", though, due to my aforementioned logic of how the DNS address worked just fine when entered directly on the workstation.

Seems like what is good for the goose would, indeed, be good for the gander, does it not? Or is there some difference in the way the server is used if for forwarding ???

Confused...

-p

 
Please forgive me if any of my writing appears condescending, I have a difficult time explaining things.

Again, if your ISP's DNS servers are slow, or possibly packets are being lost somewhere, causing retransmission, etc., with your clients pointing to them directly, if the clients do not get a query answer quickly, they go on to other DNS servers for a query answer.

Assume the workstations are going through your DNS server, with your DNS server slaved to your ISP's DNS server. If your DNS server is slaved to the ISP with the "Do not use recursion" checked off, your DNS server is supplying DNS queries to the workstations after getting DNS query answers from your ISP. Your workstations are slaves to your DNS server, and the server is a slave to your ISP's servers.

As the setup is described, if your DNS server queries the ISP's and does not receive an answer to the query, it stops at the ISP's server; it is not allowed to query any other DNS servers on the Internet. With "Do not do recursion" unchecked (not a good idea), your DNS server would be allowed to go beyond your ISP's DNS servers for a query answer; again, basically your workstations are doing the same thing if they have the entries for your ISP's DNS server IP addresses in their preferred and alternate DNS properties boxes.

For the hell of it..
Use the pathping and tracert commands to the two ISP DNS servers. Pathping will show if any packets are being lost along the way; between the two commands you can see if you have a slow router in between. If you get lost packets, I would run the following utility to adjust your gateway router. Actually I would run it anyway for your gateway router; a misadjusted MTU slows things down. There is an option to adjust the network card also, but Win2003 is self-adjusting, unlike Win2000.

 
try using 4.2.2.2 as a forwarder

you should try to stay away from root hints

-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there :)
 
One other tidbit..
I use at least 3 forwarders. If your ISP decides to play with both DNS servers over a weekend, or decides to change the IP addresses, you will need the third forwarder. Happened where I live, they changed the DNS servers IP addresses of a static addressed line. Guess it was too much trouble to tell the customers ahead of time.
 
I think it was a White House DNS server...government anyway if I remember right.

Legal to use though...a whole lotta people use it for a forwarder.

-Brandon Wilson
 
ADGod, can you explain why you would need to try and stay away from root hints?

I've been using root hints *only* on my Windows server for the past two years, and have had no problems whatsoever. They always work. Never had any DNS problems, except for an odd one within my network.
 