
DNS with no forwarder 3

Status
Not open for further replies.

link9

Programmer
Nov 28, 2000
3,387
US
Hello all,

This is more of a "Do you know why this works, and can you explain it" question than anything.

I have a new windows 2003 machine that I'm using on my network that serves as (among other things) a DNS server. My initial problem was that DNS lookups were stalling out for about a second before being resolved.

My suspicion was that the forwarder wasn't working properly, and Windows was getting hung up looking around to see if it knew where xxx.com was before giving up and forwarding the request on.

The reason that I thought this was that if I set a client machine to use the address of the forwarder directly as its primary DNS server (instead of the win2003 server), lookups were very snappy. This ruled out there being a problem with the ISP's server.

I compared and compared settings against another box that had DNS working quite well on, and to the best of my abilities, I could not find anything out of the ordinary.

Ok, so now comes the weird part. I removed the forwarder completely from the Windows DNS, and now DNS lookups are lightning fast.

The only address that the server now has is its default gateway, and that (of course) is pointed at my router. All the clients are then pointed at the server for DNS, and it is all working flawlessly.

I'm very confused by this behavior, and am hoping that someone can explain to me how Windows is figuring out where these addresses resolve to if not with a forwarder.

Thanks for any insight you might be able to provide.

-paul


The answer to getting answered -- faq855-2992
 
Root hint servers are there for a purpose..
The function of root hint servers is to direct your DNS server to DNS servers which can answer a query, if your DNS server or clients are allowed to do recursive queries; which I will say again, you do not want to happen as a choice. The safest is to use forwarding, with the "Do not use recursion" option checked.

Root hint servers are not meant to be used as forwarders, as they are there to direct your DNS servers to DNS servers which can answer queries, not to supply query answers as to the location of websites.

Out of curiosity..
Just tried to enter a couple of root hint servers as forwarders, in Win 2003 server, it would not allow it.
Placed a couple in the "local area connection", "TCP properties" for the primary and alternate DNS addresses, it does not resolve queries... so using root hint server IP addresses will not work for DNS servers or workstation DNS clients; the root hint servers are true to form.
 
Using the root hints...

Without forwarder setup, your DNS server will query recursively (the default) via the root hint servers, your web pages will come up fine.
But if you have to go to the root hints, it is an added step for a query... and the time required for your DNS server to go through the routers to get to the root servers, (root hint servers do not cache website information, they only have information on DNS servers); then from the info supplied by the root server, your DNS server has to go through the routers to the DNS server which can answer the query.

If forwarding is in place...
Most ISPs' DNS servers have large DNS caches, so for many sites the ISP would not need to query beyond itself, the ISP could just give a query answer directly from its cache.

 
I think you're missing something here. I never said I used root hint servers for querying. MS DNS server can be configured for root hints only without preset forwarders, meaning that the MS DNS server will do exactly as you described: Use the root hints for finding DNS servers that it can automatically forward queries to. Best thing is that this method is truly dynamic.
As I said I've used this method for 2 years now, and it's really fast too.

 
To add to the discussion...I'm having some trouble with root hint servers. I've turned off my forwarders (since I run a firewall with Dual WAN load-balancing, I don't want to use static forwarders). I can get Google to search for anything I want, but I cannot get to many sites.... was one of them. Upon trying to ping that URL, it resolved to 0.0.0.0 and gave a "Destination specified is invalid".

I've never had any luck with the root hint servers, though in theory it should work. Any hints?

Thanks.
 
Technome,
I added the enableDNSprobes entries, turned on root forwarding and have not had any trouble at all! Thanks for the help!!

Scott
 
Greetings All:

So here's a ? about pointing to your ISP's DNS servers as forwarders. I'm setting up a new AD domain to migrate off an old NT domain. The new AD domain will be internal only (xyz.local) If I set the IP addresses for my ISP's DNS machines in forwarders section, and leave the dynamic update security set to "secure only", I'm constantly getting "can't establish secure link" nags from W2003. Is there a way to designate the ISP's 2 DNS IP's as "trusted"? Or a better way to do this?

Thanks
R.Lee
 
Trusted, this should not be involved in forwarding. Dumb question, on the interface tab you do not have the ISP IP as an entry, right, needs to be your NIC IP. Never had this warning
 
PMF71, sorry for the late response, just got home from work...nice conference call filled day of convincing change mgmt dept.'s of my customers to allow us to make a change and trying my best to explain the technical areas in English...which I'm not good at I might add

The links at the bottom can answer most of your questions regarding DNS as well....it is a very good resource, with very few mistakes that I spotted (don't ask me to name em off hand, cuz its been about 1.5 yrs since reading it :), mistakes meaning either actual mistakes, or the behavior has been changed in a service pack (won't go into the hotfixes)

I am referring here to your note above:

"ADGod, can you explain why you would need to try and stay away from root hints?

I've been using root hints *only* on my windows server for the past two years, and have had no problems whatsoever. They always work. Never had any DNS problems, except for an odd one within my network."

A: There is no real reason to stay away from root hints...I have actually seen both ways work perfectly fine. Using root hints is a little more resource intensive on the server however, due to having to use more processing power and memory to query the root hints, vs. just passing a request it does not have locally onto specified IP addresses, which of course is quicker and easier. Root hints are queried in the order they are listed, from top to bottom if I recall correctly. It is also possible to add more root hints, such as to your ISP, or domain registrar. I believe the caching behavior is the same....I believe all answered queries, whether by recursion using root hints or forwarders, are cached for something like 3600 seconds (yep just double checked that's what it was). I would not expect issues with either configuration (providing it is configured correctly) if you have a smaller sized domain. Out of curiosity, what's the odd behavior you were speaking of?

and will go into your original problem statement.....

"I have a new windows 2003 machine that I'm using on my network that serves as (among other things) a DNS server. My initial problem was that DNS lookups were stalling out for about a second before being resolved.

Note: Sounds like misconfiguration of the forwarders, or non recursive DNS servers being the forwarded address (which would log a bunch of events in your DNS log, you will likely see these events occasionally, which is not a worry, it's the mass amounts...on another note, I have seen this spike router bandwidth, which could also be a potential culprit...the events (the reason they are being logged rather) could also potentially cause run time errors in DNS service). As a test, try using 4.2.2.2 as a forwarder and see how request times look. After the first query, the result will be cached for the 3600 second minimum so other requests for the same name will be handled much much faster, since the local DNS server has the information in its cache.
Forwarders in Win2003 work by specified domain name (conditional forwarding), or a general forwarder address for all other requests that are not cached on the local DNS server. This can be greatly influenced by a few items, including responsiveness of the DNS server being forwarded to, the amount of hops to get to your forwarder, network bandwidth of course, and quite a few quirks that could come in. Let's put it this way, I typically use 4.2.2.2 as a forwarder, since it is public, and it always works extremely well.

My suspicion was that the forwarder wasn't working properly, and Windows was getting hung up looking around to see if it knew where xxx.com was before giving up and forwarding the request on.

Note: what you say here is true...it is looking around in its local cache for <domain>.com (or <domain>.<domain>.com for that matter), once it finishes that, it will review its conditional forwarders to find out if there is a DNS domain name match, if not, it will move to its general forwarders. If there are no domain names specified in the forwarders tab as conditional forwarders, it should move directly to the general forwarders. Whereas with root hints, it will review its local cache, then it will check for forwarders, and if none are listed, will move to root hints....if I am recalling correctly...the links below will tell you for sure....all of these processes take time...but it is time in milliseconds...so not necessarily getting hung, but taking longer to get to the forwarder due to hops involved, or something of the sort (typically hops should not be a big issue, but of course, the fewer the hops, the quicker the request and response)

The reason that I thought this was that if I set a client machine to use the address of the forwarder directly as its primary DNS server (instead of the win2003 server), lookups were very snappy. This ruled out there being a problem with the ISP's server.

Note: This does not necessarily rule out a problem with the ISP DNS servers. The reason for this is that they may be non-recursive, and log so many events from the DNS server to that effect, that it can cause a run time error in the service, as mentioned above. Again....4.2.2.2 as a test for a forwarder, this will not log any of the problematic errors

I compared and compared settings against another box that had DNS working quite well on, and to the best of my abilities, I could not find anything out of the ordinary.

Note: Assuming a query for an internal resource...you likely would not see anything different, due to internal DNS working perfectly...for query to external resource...if you have one or sporadic machines working well, and the other machines are having the slow queries, there is a potential that it is a client side issue and not server side (would want to look for patterns in os type and sp level, etc.)....for anything like this to be a fair test, you need to run ipconfig /flushdns & ipconfig /registerdns (can reboot instead for good measure)...then try queries and see the behavioral differences

Ok, so now comes the weird part. I removed the forwarder completely from the Windows DNS, and now DNS lookups are lightning fast.

Note: leads back to issue with forwarder config or forwarder DNS servers themselves

The only address that the server now has is its default gateway, and that (of course) is pointed at my router. All the clients are then pointed at the server for DNS, and it is all working flawlessly."

.....hopefully all this clears it up for you a bit better...questions just ask

don't forget too, you can always make a member server a caching only DNS server too to further speed up responses, this can save a lot of bandwidth actually in the long haul

You may find these links helpful:
DNS queries-

DNS-


anything else just ask


-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there :)
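The lookup order Brandon describes (local cache, then conditional forwarders, then general forwarders, then root hints, with answers cached for the quoted 3600 seconds) can be modelled to see why a forwarder that will not recurse produces exactly the kind of stall Paul saw. This is a constructed illustration added here, not Windows DNS code or anything posted in the thread; the millisecond costs, the fallback to root hints after a failed forwarder, and all names and addresses are assumptions.

```python
# Constructed model of the resolution order described in the thread:
# cache -> conditional forwarders -> general forwarders -> root hints.
# Not Windows DNS code; costs, the root-hints fallback and addresses are assumed.
FORWARDER_MS = 20          # assumed: one round trip to a recursive forwarder with a warm cache
ROOT_HINTS_MS = 120        # assumed: iterative walk root -> TLD -> authoritative server
FORWARD_TIMEOUT_MS = 1000  # assumed: time lost waiting on a forwarder that refuses to recurse
CACHE_TTL = 3600           # seconds; the caching figure quoted in the thread

# Constructed "Internet": what any recursive path finally returns for a name.
AUTHORITATIVE = {"www.example.com": "192.0.2.10", "host.corp.example": "10.0.0.5"}


class Resolver:
    def __init__(self, conditional=None, forwarders=(), forwarder_recurses=True):
        self.cache = {}                       # name -> (address, expiry time)
        self.conditional = conditional or {}  # zone suffix -> forwarder address
        self.forwarders = list(forwarders)    # general forwarders, or empty for root hints only
        self.forwarder_recurses = forwarder_recurses

    def resolve(self, name, now):
        """Return (address, cost_ms, path) for `name` at virtual time `now` (seconds)."""
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0], 0, "cache"
        path, cost = [], 0
        # A conditional forwarder wins when the query name falls under a listed zone;
        # the longest matching suffix is the most specific one.
        zone = max((z for z in self.conditional if name == z or name.endswith("." + z)),
                   key=len, default=None)
        if zone:
            path.append("conditional:" + zone)
            cost += FORWARDER_MS
        elif self.forwarders and self.forwarder_recurses:
            path.append("forwarder")
            cost += FORWARDER_MS
        else:
            if self.forwarders:  # a forwarder is listed but will not recurse for us
                path.append("forwarder-timeout")
                cost += FORWARD_TIMEOUT_MS
            path.append("root-hints")  # assumed fallback: iterate from the root hints
            cost += ROOT_HINTS_MS
        addr = AUTHORITATIVE.get(name)  # None stands in for a negative answer here
        if addr is not None:
            self.cache[name] = (addr, now + CACHE_TTL)
        return addr, cost, ",".join(path)
```

With a non-recursive forwarder the first query pays the timeout and then the root-hints walk, while the second query for the same name within the TTL is served from cache at no cost, which matches the "slow first, then fast" pattern discussed above.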
 