Forwarding verse Root Hints

[mclaughlinj]

I'm reviewing a clients Windows 2003 DNS configuration.

Insted of enabling forwarders they deleted all addresses in the Root
Hints file and entered the DNS servers they want to be queried (two).

I beleive the configuration should work but just had never done it
this way. Any thoughts of why one should prefer to use forwarders over
Root Hints?

Note: the firewall will not allow querying external root hint servers.
All queries are forwarded to our ISP DNS.

Thanks, Jeff

 

[Kevin D. Goodknecht [MVP]]

In

I'm reviewing a clients Windows 2003 DNS configuration.

Insted of enabling forwarders they deleted all addresses in the Root
Hints file and entered the DNS servers they want to be queried (two).

I beleive the configuration should work but just had never done it
this way. Any thoughts of why one should prefer to use forwarders over
Root Hints?

Note: the firewall will not allow querying external root hint servers.
All queries are forwarded to our ISP DNS.

Thanks, Jeff

This will not work, the root hints are not forwarders Root hint servers must
have a root zone. You should have not deleted the root hints.
You should have enabled a forwarder to your ISP's DNS and checked the box
"Do not use recursion" if your firewall does not allow you to use recursion.

Also you firewall may not allow EDNS0 Extensions which Win2k3 supports, this
allows UDP packets over 512 bytes which many firewalls reject. Read the
following KB articles.
825036 - Best practices for DNS client settings in Windows 2000 Server and
in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;825036

323380 - HOW TO: Configure DNS for Internet Access in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;323380

828731 - An External DNS Query May Cause an Error Message in Windows Server
2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;828731

 

[Jonathan de Boyne Pollard]

KDGS> Root hint servers must have a root zone.

Untrue.

<URL:http://homepages.tesco.net./~J.deBo...ting-resolving-proxy-root-list.html#Microsoft>

 

[Jonathan de Boyne Pollard]

m> I thought if the internal DNS could not resolve a query it would
m> use the servers defined in the root hint files.

You thought wrong. If the Microsoft DNS server is performing proxy DNS
service and cannot answer the query from cached data, it will commence query
resolution at the content DNS servers for the nearest enclosing superdomain
that it knows about. (Conceptually, query resolution begins from the "."
content DNS servers every time, but caching resolving proxy DNS servers
apply an optimisation whereby if they already know, for example, the
addresses of the "com." DNS servers, they will begin the process of query
resolution at those servers for any queries for "com." and its subdomains.)

Even if query resolution begins at the "." content DNS servers, this does
_not_ mean that it begins at one of the content DNS servers listed in the
"root hints". Those aren't necessarily "." content DNS servers.

m> So if I change the DNS servers in the root hint files to DNS
m> servers of my choosing, won't queries be forwarded to those
m> servers [...] ?

No. Those servers, if they are not actually "." content DNS servers, will
be queried exactly once.

<URL:http://homepages.tesco.net./~J.deBo...ting-resolving-proxy-root-list.html#Microsoft>

 

[Jonathan de Boyne Pollard]

m> Any thoughts of why one should prefer to use forwarders over
m> Root Hints?

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-server-roles.html#ForwardingProxy>