Turn off DNS root queries Server 2003

[grittyminder]

Greetings!

I have a silly question. Right now the local firewall is set only allow DNS queries from the internal network to the ISP's DNS servers (external DNS queries are being forwarded only, no DNS zone information is being sent as there is no need). I'm seeing dropped packets (UDP port 53) from a Windows 2003 DNS server in the firewall logs to DNS root hint servers (e.g. 198.41.0.4, 202.12.27.33, 128.8.10.90). I am assuming that if I delete all the name server entries in the root hint section of DNS the dropped packets will go away (is this a correct assumption?). My question is: if I were to delete the root hint entries would there be any unpleasant side effects? I just want to make sure...

 

[lhuegele]

Do you need the DNS server if you are using your ISP for DNS resolution? If you don't need the DNS server, you should just disable the DNS server service.

Good luck,

 

[Roadki11]

If you are running a domain you need dns so dont disable it. Check with your ISP and varify that the dns servers you are forwarding to are still active. Root hints servers shouldnt be hit unless your forwarders are bad. I had this happen once, you setup your forwarders and forget them. Then your ISP changes out some servers and your forwarders are not working then it hits the root hints because it doesnt get an answer from the ISP dns.

RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen

 

[grittyminder]

> Do you need the DNS server if you are using your ISP for
> DNS resolution? If you don't need the DNS server, you
> should just disable the DNS server service.

We are using the DNS server for local DNS resolution so we definitely need it. But we are not sharing any DNS information externally; the only DNS information that should be going out of our networks should be DNS queries being forwarded to our ISP's DNS servers.

> Check with your ISP and varify that the dns servers you
> are forwarding to are still active. Root hints servers
> shouldnt be hit unless your forwarders are bad. I had
> this happen once, you setup your forwarders and forget
> them. Then your ISP changes out some servers and your
> forwarders are not working then it hits the root hints
> because it doesnt get an answer from the ISP dns.

Hmmm... interesting. So root hint servers will only be hit if the forwarders are not working? The queries to the root hint servers are being dropped at the firewall so they are not getting through. DNS forwarding to our ISP's DNS servers seem to be working too because external DNS queries are resolving okay. However, we DID switch ISP's recently and I have no idea how reliable their DNS service is.

I will look into this further. So apart from something funky with the DNS forwarders, are we sure that there are no other incidences where root hint servers should be hit?

 

[Roadki11]

Well there is always a possibility that something else is wrong. Maybe your dns service is malfunctioning? If your forwarder servers are answering requests root hints shouldnt be used. This is just my best guess based on the info i have.


RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen

 

[grittyminder]

Roadkill,

I'm still not 100% sure where the source of the problem is, but as you say, the fact that the local DNS servers are trying to hit root host servers is evidence enough that something is wonky. Thanks for your help.

 

[DerbyAdmin]

If you query for a domain that you isp doesn't know wouldn't you dns server then make use of the root hints to try and find it.

 

[technome]

If you query for a domain that you ISP doesn't know wouldn't you Dns server then make use of the root hints to try and find it."
You should just get a page not found or similar, the root hints should take over only if your ISP's servers are NOT available.

http://www.windowsnetworking.com/ar...tional_Forwarding_in_Windows_Server_2003.html

"However, we DID switch ISP's recently and I have no idea how reliable their DNS service is."
I always place at lest 4 entries in the forwarder section, two from the client's ISP, two from another ISP, in case the client's ISP's DNS system goes down, happened at a common ISP in my area once... not nice having many clients needing a service call immediately to bypass an ISP DNS issue.

Along with the forwarder entries... on my firewall I only allow the internal DNS servers to use port 53 to the IP addresses of all the forwarders I have listed, they can not roam to any other DNS server, including the root hints. I also turn off port 53 for all machines other then the internal DNS servers in case a malware program tries to bypass the preferred and alternate DNS server entries on the wks and non DNS servers.
Basically my wks can only do DNS queries via my internal DNS servers, my DNS servers can only query the named forwarders.


........................................
Chernobyl disaster..a must see pictorial

http://www.kiddofspeed.com/default.htm

 

[grittyminder]

technome, it sounds like you're doing something similar to what we're trying to do with our firewall/forwarders.

I still don't understand why our DNS servers are trying to hit the root hint servers (our DNS servers actually forward external DNS requests to a DNS server on the firewall, which then forwards the requests to one of four ISP DNS servers. I know it's a weird set up, I know nothing about it and had nothing to do with it), but since the root hint servers are of no use to us anyways (they are being blocked outright at the firewall) I decided to remove all references to them. I deleted all entries in the root hint tab in DNS and renamed the Cache.dns file. I don't know if this was the best method to solve the problem, but now, at least, my firewall logs are squeaky clean.

 

[technome]

You should really forward directly to the external DNS servers, skip the firewall DNS..it is just added complexity/something else to deal with. Glad you have eliminated the errors.

........................................
Chernobyl disaster..a must see pictorial

http://www.kiddofspeed.com/default.htm

 

[wchull]

OK....I'm going back to my original question.....

Regardless of whether you use a forwarder service like OpenDNS for name resolutions from a corporate DNS, is anyone aware of what the "Best"or "Approved" practice is?

On several other forums I have received advice to set out Name Servers to forward to an ISP's forwarder server or to an open forwarder server provide by OpenDNS. On the other hand I've recieved advice that suggests that forwarders should not be used in a corporate setting and that queries to the roots should always be used. There seems to be good arguements raised for using one or the other but is there something somewhere that "offically" suggests one method or another or is this a case where nobody really cares as long as what you're doing meets your own needs?

 

[lhuegele]

All I can tell you is that we had more DNS issues over time when we were using forwarders. If the forwarder goes down or is changed (without notice to you by the way), your DNS goes down also.

Since we stopped usng forwarders, our DNS has been stable. My recommendation is that you continue to use the root hints and resolve the DNS queries yourself.

Good luck,

 

[grittyminder]

In my case, there are two reasons we are using forwarders: 1) fewer holes to open up in the firewall, 2) we have a support contract with a vendor that includes support for DNS, so the vendor will be respsonsible for troubleshooting any DNS related problems that crop up.