
WIN2k DNS Server setup 1


NETING (IS-IT--Management), Jan 13, 2004
I have just set up an internal Windows 2000 DNS server. All our clients receive this entry via DHCP.

How should I configure the TCP/IP properties on that server? In other words, should it point to itself and then the 2 IPs I have from my ISP, or should the server just point to the 2 ISP name servers?

Please let me know if you need more details.
 
It should point to itself. In DNS, you should have two forwarders to your ISP for those addresses.
 
"In DNS, you should have two forwarders to your ISP for those addresses"

Why forward all external queries to your ISP's server? DNS servers can do their own resolution.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
DNS servers can answer queries for the zones for which they are authoritative; DNS will then forward queries it does not know about to the external ISP's DNS servers.
 
Yes, but it does not need to do that. DNS servers do not have to send recursive queries to a forwarder. They can do their own resolution starting with the root servers. This is the way DNS is supposed to work, but maybe it's just not the Microsoft way!

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
I understand what you are saying but consider this. What happens when one of his clients tries to visit His DNS servers are only hosting a zone for xyz.com internal clients. How does the client get to cnn if the local DNS server does not know who or where cnn resides? His DNS server has to forward a request to an upstream server if it doesn't have cnn in its cache. Maybe I am wrong.
 
You clearly don't understand how DNS works! If the server forwards the request to the ISP DNS server, that server has to do the leg work, find out the answer and report it back to the local DNS. DNS servers should really be configured to resolve non-local domains themselves.

If forwarders are not used, the user's own DNS server should be able to resolve cnn.com by doing non-recursive queries to the root servers ("."), the .com servers and then the cnn.com server. Once it has this info it will then cache that answer and also where the cnn.com server is. This is how DNS works. You do not need to use forwarders and I always suggest against it. My own server does not forward any queries to the ISP. If I want to know the IP address of my server will not ask the ISP server for the address, it will ask the name servers for cnn.com.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
Chris,

It looks like you have a great handle on DNS. I am confused though. On the FAQ for this section, the FAQ titled "How to setup a DNS server for your LAN" suggests using forwarders. How would you configure your alternate suggestion?

Since I only have one DNS server on my small network, would an appropriate failover be to include my ISP's DNS servers' IPs as secondary DNS servers for my clients. This, it seems, would allow them to access the internet even if my DNS server went down.

Your posts are very informative. Thanks for being such an active member.

Dave
 
Dave,

Yes, clients should always have two DNS servers listed just in case the main one is down.

As an example, on my network at work I have a BIND DNS server that I use for a couple of internal zones and for resolving external queries. However, I only have one active DNS server on the office network. So, on my laptop I specify my internal DNS server and one of our public cache servers as the second server. So when I'm on the office LAN, all queries go to my internal DNS server and when I'm out of the office and that server is unreachable (unless I have my VPN connection up), all client queries from my laptop are then sent to the public server.

However, on my DNS server, I do not use a forwarder. Rather than having my server send recursive queries (you find the answer for me), my server goes through the process of checking with the root servers etc. until it finds the authoritative server to query. I have never read the FAQ on here but I always suggest not using forwarders if you are running a BIND server as it's fully capable of doing its own queries without just passing the buck to another server that then has to do all the leg work. I don't use Windows DNS servers but I'm sure that they can do the same. If you remove the forwarder and it works okay then you've cracked it.

As an example of how a server gets to the correct server for a domain;

[chris@uranium chris]$ dig +trace

; <<>> DiG 9.2.1 <<>> +trace
;; global options: printcmd
. 384628 IN NS F.ROOT-SERVERS.NET.
. 384628 IN NS G.ROOT-SERVERS.NET.
. 384628 IN NS H.ROOT-SERVERS.NET.
. 384628 IN NS I.ROOT-SERVERS.NET.
. 384628 IN NS J.ROOT-SERVERS.NET.
. 384628 IN NS K.ROOT-SERVERS.NET.
. 384628 IN NS L.ROOT-SERVERS.NET.
. 384628 IN NS M.ROOT-SERVERS.NET.
. 384628 IN NS A.ROOT-SERVERS.NET.
. 384628 IN NS B.ROOT-SERVERS.NET.
. 384628 IN NS C.ROOT-SERVERS.NET.
. 384628 IN NS D.ROOT-SERVERS.NET.
. 384628 IN NS E.ROOT-SERVERS.NET.
;; Received 436 bytes from 192.168.3.113#53(192.168.3.113) in 1 ms

com. 172800 IN NS A.GTLD-SERVERS.NET.
com. 172800 IN NS B.GTLD-SERVERS.NET.
com. 172800 IN NS C.GTLD-SERVERS.NET.
com. 172800 IN NS D.GTLD-SERVERS.NET.
com. 172800 IN NS E.GTLD-SERVERS.NET.
com. 172800 IN NS F.GTLD-SERVERS.NET.
com. 172800 IN NS G.GTLD-SERVERS.NET.
com. 172800 IN NS H.GTLD-SERVERS.NET.
com. 172800 IN NS I.GTLD-SERVERS.NET.
com. 172800 IN NS J.GTLD-SERVERS.NET.
com. 172800 IN NS K.GTLD-SERVERS.NET.
com. 172800 IN NS L.GTLD-SERVERS.NET.
com. 172800 IN NS M.GTLD-SERVERS.NET.
;; Received 506 bytes from 192.5.5.241#53(F.ROOT-SERVERS.NET) in 157 ms

tek-tips.com. 172800 IN NS ns.shutter.net.
tek-tips.com. 172800 IN NS ns2.shutter.net.
;; Received 112 bytes from 192.5.6.30#53(A.GTLD-SERVERS.NET) in 88 ms

3600 IN CNAME tek-tips.com.
tek-tips.com. 3600 IN A 216.45.19.33
tek-tips.com. 3600 IN NS ns.shutter.net.
tek-tips.com. 3600 IN NS ns2.shutter.net.
;; Received 142 bytes from 216.45.16.13#53(ns.shutter.net) in 114 ms

So here you can see, I've asked my DNS server on 192.168.3.113 for the address of
;; Received 436 bytes from 192.168.3.113#53(192.168.3.113) in 1 ms

My server then asked F.ROOT-SERVERS.NET;

;; Received 506 bytes from 192.5.5.241#53(F.ROOT-SERVERS.NET) in 157 ms

F.ROOT-SERVERS.NET directed it to A.GTLD-SERVERS.NET for information on where tek-tips.com can be found;

;; Received 112 bytes from 192.5.6.30#53(A.GTLD-SERVERS.NET) in 88 ms

A.GTLD-SERVERS.NET then tells it that it knows that this domain is delegated to ns.shutter.net and ns2.shutter.net. So it can now ask one of those servers for the address of It gets an answer from ns.shutter.net;

3600 IN CNAME tek-tips.com.
tek-tips.com. 3600 IN A 216.45.19.33
tek-tips.com. 3600 IN NS ns.shutter.net.
tek-tips.com. 3600 IN NS ns2.shutter.net.
;; Received 142 bytes from 216.45.16.13#53(ns.shutter.net) in 114 ms

The beauty is that now my server will cache that information for the period of the TTL. If I query my server again;

[chris@uranium chris]$ dig
;; ANSWER SECTION:
2527 IN CNAME tek-tips.com.
tek-tips.com. 2528 IN A 216.45.19.33

That info will stay on my server for 2528 seconds so it will not have to go and ask the root servers again until the TTL has expired.

tek-tips.com. 2393 IN A 216.45.19.33

2393 seconds left!

So, to recap .. always have two DNS servers configured on client machines (the two 'nearest' servers for faster resolution) and if you can don't use a forwarder on your own server if it doesn't need it. Let a DNS server do its job the way DNS is supposed to work.

I hope that this is of some help.

Chris.


**********************
Chris A.C, CCNA, CCSA
**********************
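The root-to-TLD-to-authoritative walk Chris traces above, as an added offline model; this is not code from the post or from BIND. The zone data below is constructed (server and record names are taken from the dig +trace output above), each "server" answers only from what it hosts, and the glue-record step for finding a name server's address is left out.

```python
"""Toy iterative resolver: follows referrals the way `dig +trace` shows and
caches the final answer for its TTL, so a repeat query never leaves the box."""
import time

# Constructed referral data mirroring the trace above. Each server knows only
# its own delegations/answers; nothing here does recursion on our behalf.
ROOT_HINTS = ["F.ROOT-SERVERS.NET"]
SERVERS = {
    "F.ROOT-SERVERS.NET": {"com.": ("NS", ["A.GTLD-SERVERS.NET"], 172800)},
    "A.GTLD-SERVERS.NET": {"tek-tips.com.": ("NS", ["ns.shutter.net"], 172800)},
    "ns.shutter.net":     {"tek-tips.com.": ("A", ["216.45.19.33"], 3600)},
}


class IterativeResolver:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so TTL expiry can be tested
        self.cache = {}             # name -> (rrtype, data, absolute expiry)

    def query_server(self, server, name):
        """One non-recursive query: the server returns the closest thing it
        hosts for `name` (an answer or a delegation), never a full lookup."""
        zone = SERVERS[server]
        labels = name.split(".")
        for i in range(len(labels) - 1):        # tek-tips.com. then com.
            candidate = ".".join(labels[i:])
            if candidate in zone:
                return candidate, zone[candidate]
        return None

    def resolve(self, name):
        """Return (address, remaining ttl, servers consulted in order)."""
        now = self.clock()
        if name in self.cache and self.cache[name][2] > now:
            _, data, expiry = self.cache[name]
            return data[0], int(expiry - now), ["cache"]
        trace, servers = [], list(ROOT_HINTS)
        while servers:
            server = servers[0]
            trace.append(server)
            match = self.query_server(server, name)
            if match is None:
                return None, 0, trace           # no data: treat as NXDOMAIN
            owner, (rrtype, data, ttl) = match
            if rrtype == "A" and owner == name:
                self.cache[name] = (rrtype, data, now + ttl)
                return data[0], ttl, trace
            servers = data                      # NS referral: ask those next
        return None, 0, trace
```

With a forwarder configured, the whole `trace` list collapses to the ISP's server and the cached TTL you see is whatever that server had left, which is the trade-off the thread is arguing about.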
 
Chris,

Thanks for your clear and thoughtful post. I get it; now I just have to configure it on my W2K server. Again, I appreciate the time and effort.

Dave
 