DNS excessive traffic root hints


devrimkalmaz

Hi all

We have internal (2000) and external DNS servers (2003).
Internal DNSs forward all queries to external, and external DNSs ask
root servers.

Everything is ok and all clients query any name any time.

The problem is that internal DNS servers want to connect to root DNS
servers "directly" although forwarders (external DNSs) are entered.

Also sometimes some of the clients make UDP domain connections to root
servers directly.

We think that there is a problem in servers and/or clients.

I searched previous problems, and we are not using a single label domain, and
CPU/RAM are ok in the internal DNS servers.

Is there any opinion?

Thanks

Devrim
 

Kevin D. Goodknecht Sr. [MVP]

Hi all

We have internal (2000) and external DNS servers (2003).
Internal DNSs forward all queries to external, and external DNSs ask
root servers.

Everything is ok and all clients query any name any time.

The problem is that internal DNS servers want to connect to root DNS
servers "directly" although forwarders (external DNSs) are entered.

On the Forwarders tab, place a check in the box "Do not use recursion"; this
tells the DNS server not to use root hints to resolve names.
Do not confuse "Do not use recursion" (Forwarders tab) with "Disable
Recursion" (Advanced tab). If you "Disable Recursion" on the Advanced tab, the
DNS server will no longer resolve any name it does not own in its zones or
cache (DNS will continue to answer from the cache until the TTL expires on
cached records).


Also sometimes some of the clients make UDP domain connections to
root servers directly.

How did you verify this?




--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
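The two settings Kevin distinguishes, written out as the commands behind the checkboxes. This is an added example, not part of Kevin's post: the server name DNS1 and the forwarder address 192.0.2.53 are placeholders, the dnscmd lines are the Windows Server 2003-era equivalents of the two tabs, and the DnsServer-module cmdlets that follow are the same settings on Windows Server 2012 and later.

```powershell
# Added example (not from the thread). Run in an elevated console on the DNS server.
# Placeholders: DNS1 is the internal DNS server, 192.0.2.53 the external server
# entered as a forwarder.

# --- Windows 2000/2003, dnscmd ------------------------------------------------
# Forwarders tab with "Do not use recursion" CLEARED (the poster's situation):
# if the forwarder does not answer, the server recurses from root hints itself.
dnscmd DNS1 /ResetForwarders 192.0.2.53 /NoSlave

# Forwarders tab with "Do not use recursion" CHECKED: forward-only, which dnscmd
# calls a "slave" server. No fallback to root hints; if every forwarder is down,
# outside names stop resolving, so list more than one forwarder.
dnscmd DNS1 /ResetForwarders 192.0.2.53 /Slave

# Advanced tab, "Disable recursion": the server answers only from its own zones
# and cache. This is the setting NOT to use for this problem.
dnscmd DNS1 /Config /NoRecursion 1
# Put it back so the server still resolves names for its clients.
dnscmd DNS1 /Config /NoRecursion 0

# --- Windows Server 2012 and later, DnsServer module --------------------------
# Equivalent of "Do not use recursion" on the Forwarders tab (forward-only).
Set-DnsServerForwarder -ComputerName DNS1 -IPAddress 192.0.2.53 -UseRootHint $false
# Equivalent of "Disable recursion" on the Advanced tab. Shown for contrast only;
# leave it enabled on a server that resolves names for clients.
Set-DnsServerRecursion -ComputerName DNS1 -Enable $true

# Check what is in effect: UseRootHint should be False, Enable should be True.
Get-DnsServerForwarder -ComputerName DNS1
Get-DnsServerRecursion  -ComputerName DNS1
```

Run top to bottom, the block leaves the server forward-only with recursion still enabled, which is the state that stops the root-hint traffic without breaking resolution; the "before" lines are there to show the weaker setting beside the corrected one.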
 

Ace Fekay [MVP]

Hi all

We have internal (2000) and external DNS servers (2003).
Internal DNSs forward all queries to external, and external DNSs ask
root servers.

Everything is ok and all clients query any name any time.

The problem is that internal DNS servers want to connect to root DNS
servers "directly" although forwarders (external DNSs) are entered.

Also sometimes some of the clients make UDP domain connections to
root servers directly.

We think that there is a problem in servers and/or clients.

I searched previous problems, and we are not using a single label domain,
and CPU/RAM are ok in the internal DNS servers.

Is there any opinion?

Thanks

Devrim

Keep in mind that the forwarder will be used first before the Roots. If it
is hitting the Roots, then either the forwarder is not allowing recursion,
or the domain name is not serviced by the US registrars, such as
Asian/Pacific domains, etc. Try 4.2.2.2 and see if that works as a
forwarder. Check your firewall logs.

Also, if you are seeing client traffic accessing external DNS servers, then
that is telling me that the clients have an external DNS address in their IP
config. In an AD domain, ALL machines, including the DC, must only have the
internal DNS and never ever use an external server. An external server does
not have the internal AD domain info a client needs to find your internal
domain controller. This can cause numerous other errors as well.

--
Ace
Innovative IT Concepts, Inc (IITCI)
Willow Grove, PA

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.
It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only constant in life is change...
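Kevin asked how the client-to-root traffic was verified, and Ace suggested the firewall logs. One way to do that check, as an added example that is not part of either post: parse the server's root hints for the root server addresses, then report every host that sends UDP/53 to one of them and is not an external DNS server. The log lines, the external server addresses and the hints excerpt are constructed sample data in the formats named in the comments; only the two root server addresses in the excerpt are real.

```powershell
# Added example (not from the thread). Reports hosts that query the root servers
# directly; in the setup described above only the external DNS servers should.

# 1. Root server addresses, parsed from a root hints file in the format Windows
#    ships as %SystemRoot%\System32\dns\cache.dns (named.root layout).
#    Constructed excerpt; in practice:
#    $hints = Get-Content "$env:SystemRoot\System32\dns\cache.dns"
$hints = @'
;  root hints excerpt (constructed for this example)
.                        3600000  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000  A     198.41.0.4
.                        3600000  NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000  A     192.33.4.12
'@ -split "`r?`n"

$rootServers = foreach ($line in $hints) {
    if ($line -match '^\s*;' -or -not $line.Trim()) { continue }
    $f = -split $line
    # A records look like: name ttl [IN] A address
    if ($f.Count -ge 4 -and $f[-2] -eq 'A') { $f[-1] }
}

# 2. Hosts that are allowed to talk to the roots: the external DNS servers
#    (constructed RFC 5737 addresses; replace with your own).
$externalDns = @('192.0.2.53', '192.0.2.54')

# 3. Firewall log lines. Constructed, in Windows Firewall pfirewall.log field
#    order: date time action protocol src-ip dst-ip src-port dst-port size ...
#    In practice: $log = Get-Content "$env:SystemRoot\pfirewall.log"
$log = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-03-01 09:15:02 ALLOW UDP 192.0.2.53 198.41.0.4 1041 53 0 - - - - - - - SEND
2005-03-01 09:15:07 ALLOW UDP 10.0.0.21 192.0.2.53 1056 53 0 - - - - - - - SEND
2005-03-01 09:15:09 ALLOW UDP 10.0.0.21 192.33.4.12 1057 53 0 - - - - - - - SEND
2005-03-01 09:16:40 ALLOW UDP 10.0.1.77 198.41.0.4 3311 53 0 - - - - - - - SEND
2005-03-01 09:16:41 ALLOW TCP 10.0.1.77 203.0.113.9 3312 80 0 - - - - - - - SEND
'@ -split "`r?`n"

$unexpected = foreach ($line in $log) {
    if ($line -match '^#' -or -not $line.Trim()) { continue }
    $f = -split $line
    if ($f.Count -lt 8) { continue }
    $proto, $src, $dst, $dport = $f[3], $f[4], $f[5], $f[7]
    if ($proto -eq 'UDP' -and $dport -eq '53' -and
        $rootServers -contains $dst -and $externalDns -notcontains $src) {
        [pscustomobject]@{ Time = "$($f[0]) $($f[1])"; Source = $src; RootServer = $dst }
    }
}

# With the sample data this lists two sources: 10.0.0.21 (an internal DNS server
# that should be forward-only) and 10.0.1.77 (a client that should only ever
# talk to the internal DNS servers).
$unexpected | Group-Object Source | Sort-Object Count -Descending |
    Select-Object @{n='Source'; e={$_.Name}}, Count,
                  @{n='RootServers'; e={($_.Group.RootServer | Sort-Object -Unique) -join ','}} |
    Format-Table -AutoSize
```

An internal DNS server showing up here means the forwarder setting is not forward-only (or the forwarder is failing and the server is falling back to root hints); a workstation showing up means its IP configuration points at something other than the internal DNS servers, which is the client-side problem Ace describes.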
 

Ace Fekay [MVP]



Oh, forgot to mention. If you have an AD single label name (such as DOMAIN
instead of 'domain.com'),then there will DEFINITELY be excessive Root
traffic.

Ace
 

devrimkalmaz

That's ok now
Thanks again
 

Ace Fekay [MVP]

That's ok now
Thanks again

Curious, what did you change to get it to work? Please tell us.

It is always nice to hear how someone fixed an issue so we can all learn
from it if we see it in the future again.

Ace
 
