
DNS excessive traffic root hints

 
 
devrimkalmaz@gmail.com
Guest
Posts: n/a
 
      25th Dec 2006
Hi all

We have internal (2000) and external DNS servers (2003).
The internal DNS servers forward all queries to the external ones, and the external DNS servers ask
the root servers.

Everything is ok and all clients query any name any time.

The problem is that the internal DNS servers want to connect to the root DNS
servers "directly" although forwarders (the external DNS servers) are entered.

Also, sometimes some of the clients make UDP domain connections to the root
servers directly.

We think that there is a problem in servers and/or clients.

I searched previous problems; we are not using a single-label domain, and
CPU/RAM are OK on the internal DNS servers.

Is there any opinion?

Thanks

Devrim

Kevin D. Goodknecht Sr. [MVP]
Guest
Posts: n/a
 
      25th Dec 2006
(E-Mail Removed) wrote:
> Hi all
>
> We have internal (2000) and external DNS servers (2003).
> The internal DNS servers forward all queries to the external ones, and the external DNS servers ask
> the root servers.
>
> Everything is ok and all clients query any name any time.
>
> The problem is that the internal DNS servers want to connect to the root DNS
> servers "directly" although forwarders (the external DNS servers) are entered.


On the Forwarders tab, place a check in the box "Do not use recursion"; this
tells the DNS server not to use root hints to resolve names.
Do not confuse "Do not use recursion" (Forwarders tab) with "Disable
Recursion" (Advanced tab). If you "Disable Recursion" on the Advanced tab, the
DNS server will no longer resolve any name it does not own in its zones or
cache (DNS will continue to answer from the cache until the TTL expires on
cached records).



> Also, sometimes some of the clients make UDP domain connections to
> the root servers directly.


How did you verify this?




--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================


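The two settings Kevin distinguishes, as an added example that is not part of the thread or of anyone's post in it. It uses the DnsServer PowerShell module (Windows Server 2012 and later); for the Windows 2000/2003 servers in the thread the dnscmd.exe equivalents are given in the comments. The server name and the forwarder address are assumed sample values.

```powershell
# Added example, not from the thread: audit and set the two settings Kevin
# distinguishes. Uses the DnsServer module (Windows Server 2012 and later);
# the dnscmd.exe equivalents for the 2000/2003 servers in the thread are in
# the comments. $Server and the forwarder address are assumed sample values.

param(
    [string]$Server = 'localhost',           # DNS server to audit (assumption)
    [string[]]$Forwarders = @('192.0.2.10')  # external DNS server(s), constructed sample
)

function Get-DnsForwardingPosture {
    param([string]$ComputerName)

    $fwd = Get-DnsServerForwarder -ComputerName $ComputerName
    $rec = Get-DnsServerRecursion -ComputerName $ComputerName

    [pscustomobject]@{
        Server           = $ComputerName
        Forwarders       = ([string[]]$fwd.IPAddress) -join ','
        # $false is the "Do not use recursion" box on the Forwarders tab (forward-only):
        # if the forwarders fail, the server gives up instead of walking the root hints.
        UseRootHint      = $fwd.UseRootHint
        # $false is "Disable Recursion" on the Advanced tab: the server then answers
        # only from its own zones and cache, and forwarders are not used at all.
        RecursionEnabled = $rec.Enable
        # Root hints are contacted only when both are true.
        WillContactRoots = [bool]($fwd.UseRootHint -and $rec.Enable)
    }
}

function Set-DnsForwardOnly {
    param([string]$ComputerName, [string[]]$IPAddress)

    # Forward to the external servers and do NOT fall back to root hints.
    # Windows 2000/2003 equivalent:  dnscmd <server> /ResetForwarders <ip...> /Slave
    Set-DnsServerForwarder -ComputerName $ComputerName -IPAddress $IPAddress -UseRootHint $false

    # Recursion is deliberately left alone. "Disable Recursion" would be
    #   Set-DnsServerRecursion -Enable $false   (dnscmd <server> /Config /NoRecursion 1)
    # and would stop the server resolving anything outside its own zones and cache.
    if (-not (Get-DnsServerRecursion -ComputerName $ComputerName).Enable) {
        Write-Warning "Recursion is disabled on $ComputerName, so the forwarders will not be used either."
    }
}

Get-DnsForwardingPosture -ComputerName $Server | Format-List
Set-DnsForwardOnly -ComputerName $Server -IPAddress $Forwarders
Get-DnsForwardingPosture -ComputerName $Server | Format-List
```

Run it on the internal DNS server: the first listing shows whether WillContactRoots is true (which is exactly the symptom in the thread), the second confirms it has become false while RecursionEnabled stays true. If RecursionEnabled is already false, the warning explains why forwarding appears not to work: disabling recursion on the Advanced tab switches off the forwarders too.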
devrimkalmaz@gmail.com
Guest
Posts: n/a
 
      27th Dec 2006
Thanks for your response; we are going to test it.

> > Also, sometimes some of the clients make UDP domain connections to
> > the root servers directly.

>
> How did you verify this?


We see it in the firewall logs.

Ace Fekay [MVP]
Guest
Posts: n/a
 
      28th Dec 2006
In news:(E-Mail Removed),
(E-Mail Removed) <(E-Mail Removed)> stated, which I commented on
below:
> Hi all
>
> We have internal (2000) and external DNS servers (2003).
> The internal DNS servers forward all queries to the external ones, and the external DNS servers ask
> the root servers.
>
> Everything is ok and all clients query any name any time.
>
> The problem is that the internal DNS servers want to connect to the root DNS
> servers "directly" although forwarders (the external DNS servers) are entered.
>
> Also, sometimes some of the clients make UDP domain connections to
> the root servers directly.
>
> We think that there is a problem in servers and/or clients.
>
> I searched previous problems; we are not using a single-label domain,
> and CPU/RAM are OK on the internal DNS servers.
>
> Is there any opinion?
>
> Thanks
>
> Devrim


Keep in mind that the forwarder will be used first, before the roots. If it
is hitting the roots, then either the forwarder is not allowing recursion,
or the domain name is not serviced by the US registrars, such as
Asian/Pacific domains, etc. Try 4.2.2.2 and see if that works as a
forwarder. Check your firewall logs.

Also, if you are seeing client traffic accessing external DNS servers, then
that is telling me that the clients have an external DNS address in their IP
config. In an AD domain, ALL machines, including the DC, must only have the
internal DNS and never ever use an external server. An external server does
not have the internal AD domain info so a client can find your internal
domain controller. This can cause numerous other errors as well.

--
Ace
Innovative IT Concepts, Inc (IITCI)
Willow Grove, PA

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.
It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only constant in life is change...

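Ace's two checks (read the firewall logs, and confirm that clients carry only the internal DNS servers in their IP config), as an added example that is not part of the thread or of anyone's post in it. The log line format and every address in it are constructed for illustration, so the regular expression has to be adapted to the real firewall's export; the client-side check uses Get-DnsClientServerAddress, which exists on Windows 8 / Server 2012 and later (on the 2000/2003-era machines in the thread, "ipconfig /all" shows the same list).

```powershell
# Added example, not from the thread: triage outbound UDP/53 entries from a
# firewall log the way Ace suggests, then check a client's own DNS settings.
# The log format and every address below are constructed for illustration.

# External DNS servers: the only hosts expected to query the roots (constructed).
$ExternalDns = @('192.0.2.10', '192.0.2.11')
# Internal DNS servers: should only ever send DNS to $ExternalDns (constructed).
$InternalDns = @('10.0.0.5', '10.0.0.6')

# Constructed sample log: "date time src dst proto dport"
$SampleLog = @'
2006-12-27 09:01:12 10.0.0.5 192.0.2.10 UDP 53
2006-12-27 09:01:13 10.0.0.5 198.51.100.4 UDP 53
2006-12-27 09:02:40 10.0.0.77 198.51.100.4 UDP 53
2006-12-27 09:02:41 10.0.0.77 10.0.0.5 UDP 53
2006-12-27 09:03:05 192.0.2.10 198.51.100.4 UDP 53
2006-12-27 09:03:09 10.0.0.81 192.0.2.99 TCP 80
'@

function Find-StrayDnsTraffic {
    param([string[]]$Lines, [string[]]$InternalDns, [string[]]$ExternalDns)

    $pattern = '^(?<ts>\S+ \S+) (?<src>\S+) (?<dst>\S+) (?<proto>\S+) (?<dport>\d+)$'
    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }
        $m = $Matches
        if ($m.dport -ne '53' -or $m.proto -ne 'UDP') { continue }
        # Expected paths: anything -> internal DNS, internal DNS -> its forwarders,
        # external DNS -> the Internet (that is where root queries belong).
        if ($m.dst -in $InternalDns) { continue }
        if (($m.src -in $InternalDns) -and ($m.dst -in $ExternalDns)) { continue }
        if ($m.src -in $ExternalDns) { continue }

        $reason = if ($m.src -in $InternalDns) {
            'internal DNS server bypassed its forwarders (check "Do not use recursion")'
        } else {
            'client resolving on its own (check its DNS server list / IP config)'
        }
        [pscustomobject]@{
            Time        = $m.ts
            Source      = $m.src
            Destination = $m.dst
            Finding     = $reason
        }
    }
}

function Test-ClientDnsConfig {
    param([string[]]$AllowedDns)
    # Windows 8 / Server 2012 and later; older systems: inspect "ipconfig /all".
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object {
            $bad = $_.ServerAddresses | Where-Object { $_ -notin $AllowedDns }
            [pscustomobject]@{
                Interface = $_.InterfaceAlias
                Servers   = ($_.ServerAddresses -join ',')
                Ok        = (-not $bad)      # $false when any non-internal DNS address is set
            }
        }
}

Find-StrayDnsTraffic -Lines ($SampleLog -split '\r?\n') -InternalDns $InternalDns -ExternalDns $ExternalDns |
    Format-Table -AutoSize
Test-ClientDnsConfig -AllowedDns $InternalDns | Format-Table -AutoSize
```

With the constructed sample, two lines are reported: 10.0.0.5 reaching 198.51.100.4 (an internal DNS server that did not go through its forwarders, the first symptom in the thread) and 10.0.0.77 reaching 198.51.100.4 (a client resolving by itself, the second symptom). The client-to-internal-DNS line, the external server's own outbound query and the TCP/80 line are not reported. Test-ClientDnsConfig run on a domain member returns Ok = $false for any interface that lists an address outside the internal DNS set, which is the misconfiguration Ace describes.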
Ace Fekay [MVP]
Guest
Posts: n/a
 
      28th Dec 2006
In news:(E-Mail Removed),
(E-Mail Removed) <(E-Mail Removed)> stated, which I commented on
below:


Oh, forgot to mention. If you have an AD single-label name (such as DOMAIN
instead of 'domain.com'), then there will DEFINITELY be excessive root
traffic.

Ace

devrimkalmaz@gmail.com
Guest
Posts: n/a
 
      28th Dec 2006
That's OK now.
Thanks again.

Ace Fekay [MVP]
Guest
Posts: n/a
 
      30th Dec 2006
In news:(E-Mail Removed),
(E-Mail Removed) <(E-Mail Removed)> stated, which I commented on
below:
> That's OK now.
> Thanks again.


Curious, what did you change to get it to work? Please tell us.

It is always nice to hear how someone fixed an issue so we can all learn
from it if we see it in the future again.

Ace
