Internal caching-only DNS - right way to go?


tech

Hi all,

A few words about our situation... We support a WAN, > 35 sites. Our
DNS servers are located outside, and are not administered by us. All
machines on the network are getting 'real' IPs (no NAT in place).

In the past, we experienced quite a few service disruptions, mainly in
the way our records were (or were not) updated, mistyped, even
lost.... Long story short, at one point I was asked to implement an
internal DNS server to help us deal with these recurring problems.

I set up a win2k caching-only server in the DMZ, and configured
forwarding to the external DNS servers. Through DHCP, the clients are
pointing to the caching-only as the primary DNS server (second and
tertiary are the external servers).

I am wondering if a caching-only server is the right answer. In
particular:

1 - in case the guys who administer the external DNS servers are late
in updating a record (often the case), is there a way that our little
server can provide an updated answer, and how?

2 - in order to accomplish 1, should we be looking at something
different than a caching-only server?

3 - nslookup is not working, we get the error:
"Can't find server name for address x.x.x.x: Non-existent domain"


Any help would be greatly appreciated.
 

J.C. Hornbeck [MSFT]

I don't think a caching only server will do what you want in this scenario.
If you want to control DNS then go ahead and configure a zone and add the
appropriate records. That way you're not dependent on a third party
updating the appropriate records - you can do it yourself. The specific
message from nslookup does not necessarily indicate a problem. When nslookup
starts it tries to find a PTR record for the default DNS being used. If it
can't find it then it'll report an error but you can safely ignore it. I
do. Or if you like you can add the reverse zone and the PTR record for the
server and the message will go away.

--
J.C. Hornbeck, MCSE
Microsoft Product Support

NOTE: Please reply to the newsgroup and not directly to me. This allows
others to add to and benefit from these threads and also helps to ensure a
more timely response. Thank you!

This posting is provided "AS IS" without warranty either expressed or
implied, including, but not limited to, the implied warranties of
merchantability or fitness for a particular purpose.
 

Jonathan de Boyne Pollard

t> 1 - in case the guys who administer the external DNS servers
t> are late in updating a record (often the case), is there a
t> way that our little server can provide an updated answer,

Yes, but unless you want to duplicate all of the work that they are
doing (which you apparently do not, otherwise you wouldn't be using DNS
hosting services in the first place), it is better avoided.

t> 3 - nslookup is not working, we get the error:
t> Can't find server name for address x.x.x.x: Non-existent domain"

Stop using it.

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/nslookup-daft-error-message.html>
 

tech

> I don't think a caching only server will do what you want in this scenario.
> If you want to control DNS then go ahead and configure a zone and add the
> appropriate records. That way you're not dependent on a third party
> updating the appropriate records - you can do it yourself. The specific
> message from nslookup does not necessarily indicate a problem. When nslookup
> starts it tries to find a PTR record for the default DNS being used. If it
> can't find it then it'll report an error but you can safely ignore it. I
> do. Or if you like you can add the reverse zone and the PTR record for the
> server and the message will go away.

Forgive the naive question, but I am a bit confused... How can I go
ahead and create a new zone, while the SOA of our domain is still on
the external DNS server? Or are you suggesting something different?

Probably you got this by now, :) but the ideal solution should
require 'the least possible amount' of interaction with these external
admins. This was one of the main reasons why we went for a
caching-only solution in the 1st place.

Thanks
 

tech

> Just out of curiosity - why public IPs? Why no NAT?

Let us just say that in the public sector, sometimes, things evolve a
bit differently than elsewhere ;-)
 

Ace Fekay [MVP]

tech said:
> Forgive the naive question, but I am a bit confused... How can I go
> ahead and create a new zone, while the SOA of our domain is still on
> the external DNS server? Or are you suggesting something different?
>
> Probably you got this by now, :) but the ideal solution should
> require 'the least possible amount' of interaction with these external
> admins. This was one of the main reasons why we went for a
> caching-only solution in the 1st place.
>
> Thanks


What JC is saying is to manually create that zone internally and give it
the IP addresses of the resources (like www, ftp, mail, MX record, etc.) you
are trying to get to. This way, there is no query traffic (recursion
traffic) and the DNS server answers directly. This way it reduces bandwidth,
which is what a caching-only server is designed to do. It has nothing to do with
the external SOA on the Internet. The SOA is just for when others on the
Internet need to "find" the DNS server that is hosting that zone so they can
get to the resources. It's kind of a 'shadow' copy *just* for internal
usage, that's it.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 

Roland Hall

"tech" wrote in message : On Tue, 30 Mar 2004 13:52:07 -0600, "J.C. Hornbeck [MSFT]"
:
: >I don't think a caching only server will do what you want in this scenario.
: >If you want to control DNS then go ahead and configure a zone and add the
: >appropriate records. That way you're not dependent on a third party
: >updating the appropriate records - you can do it yourself. The specific
: >message from nslookup does not necessarily indicate a problem. When nslookup
: >starts it tries to find a PTR record for the default DNS being used. If it
: >can't find it then it'll report an error but you can safely ignore it. I
: >do. Or if you like you can add the reverse zone and the PTR record for the
: >server and the message will go away.
:
: Forgive the naive question, but I am a bit confused... How can I go
: ahead and create a new zone, while the SOA of our domain is still on
: the external DNS server? Or are you suggesting something different?
:
: Probably you got this by now, :) but the ideal solution should
: require 'the least possible amount' of interaction with these external
: admins. This was one of the main reasons why we went for a
: caching-only solution in the 1st place.

Set yourself as the primary, and let the ISP/host be the secondaries. That
way you control the DNS: adds, deletes, mods... and you never have to
deal with your external again. Make sure your DNS only deals with known
secondaries. When you make changes, your server will notify the secondaries
they need to make a zone transfer. Every network I've ever set up is like
this. It eliminates the issues you're having now because when you give
someone else control, you no longer have it.

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Online Support for IT Professionals -
http://support.microsoft.com/servicedesks/technet/default.asp?fr=0&sd=tech
How-to: Windows 2000 DNS:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308201
 

tech

> When you make changes, your server will notify the secondaries
> they need to make a zone transfer. Every network I've ever set up is like
> this. It eliminates the issues you're having now because when you give
> someone else control, you no longer have it.

A minor point, but I thought that the secondary server(s) always
initiated the zone transfer, and not vice versa.
 

tech

OK, I think I got it... What would be the best way to go about those
servers that aren't under our namespace at all? I guess my question
is: how important is it to be missing the PTR records in the reverse zone
for these (very few) servers?

Thanks for all the replies! :)
 

Ace Fekay [MVP]

tech said:
> OK, I think I got it... What would be the best way to go about those
> servers that aren't under our namespace at all? I guess my question
> is: how important is it to be missing the PTR records in the reverse zone
> for these (very few) servers?
>
> Thanks for all the replies! :)

Reverse zones are not necessarily required, but in some cases with W2k3, it
may be required to eliminate a certain error (can't remember the #). So
otherwise, it would depend on your requirements.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 

Ace Fekay [MVP]

tech said:
> A minor point, but I thought that the secondary server(s) always
> initiated the zone transfer, and not vice versa.

Actually the notification from the Primary will trigger the secondary to
'come and get it'.
--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 

Kevin D. Goodknecht [MVP]

tech said:
> OK, I think I got it... What would be the best way to go about those
> servers that aren't under our namespace at all? I guess my question
> is: how important is it to be missing the PTR records in the reverse zone
> for these (very few) servers?

It wouldn't be all that important if they were all missing; PTR records are
usually only important to nslookup and SMTP servers, and some SMTP servers will
not accept mail from a server that does not have one. Nslookup will still
work without a PTR.
Reverse lookups can be considered by some to be a security risk; it is the
same as having a reverse phone number lookup or a reverse address lookup.
Most wouldn't consider these security risks, but it depends on the
situation. Is it OK if someone gets your name by doing a reverse lookup on
your telephone number?
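The advice given across this thread (JC: host the zone locally and add a reverse zone with a PTR for the server; Ace: keep an internal 'shadow' copy of the zone; Roland: make yourself primary, let the external host be secondary, and only deal with known secondaries; Ace again: a NOTIFY from the primary prompts the secondary to pull) can be scripted on a Windows DNS server with the dnscmd tool. What follows is an added example, not code from anyone in this thread; it assumes dnscmd.exe is installed on the server, and every name and address in it (example.com, the 192.0.2.0/24 range, the secondaries 198.51.100.1 and 198.51.100.2, the external forwarders 203.0.113.53 and 203.0.113.54) is a placeholder to replace with your own values.

```powershell
# Added example (not from this thread): turn the caching-only Windows DNS
# server into the primary for an internal copy of the zone, using dnscmd.
# Assumes dnscmd.exe is installed; all names and addresses are placeholders.

$zone    = "example.com"
$revZone = "2.0.192.in-addr.arpa"             # reverse zone for 192.0.2.0/24
$thisDns = "192.0.2.53"                       # address of this DNS server
$secs    = @("198.51.100.1", "198.51.100.2")  # secondaries run by the external host

# 0. Keep forwarding for everything outside the zone (what the caching-only
#    setup already did). /Slave = never fall back to root-hint recursion.
dnscmd /ResetForwarders 203.0.113.53 203.0.113.54 /Slave

# 1. Forward zone: this server now holds the SOA for the internal copy.
dnscmd /ZoneAdd $zone /Primary /file "$zone.dns"

# 2. Records you no longer want to wait on the external admins for.
dnscmd /RecordAdd $zone ns1  A  $thisDns
dnscmd /RecordAdd $zone www  A  192.0.2.10
dnscmd /RecordAdd $zone ftp  A  192.0.2.11
dnscmd /RecordAdd $zone mail A  192.0.2.25
dnscmd /RecordAdd $zone "@"  MX 10 mail.example.com.   # preference, then exchanger

# 3. Zone transfers only to the listed secondaries, and a NOTIFY to the same
#    hosts on every change so they pull promptly instead of waiting for the
#    SOA refresh interval. The array expands to one argument per address.
dnscmd /ZoneResetSecondaries $zone /SecureList $secs /NotifyList $secs

# 4. Reverse zone plus a PTR for the DNS server itself; this removes the
#    "Can't find server name for address ..." line nslookup prints at start.
dnscmd /ZoneAdd $revZone /Primary /file "$revZone.dns"
dnscmd /RecordAdd $revZone 53 PTR ns1.example.com.
dnscmd /RecordAdd $revZone 10 PTR www.example.com.

# 5. Check: the SOA serial answered locally and by each secondary should
#    agree once the transfer has completed.
nslookup -type=SOA $zone $thisDns
foreach ($s in $secs) { nslookup -type=SOA $zone $s }
```

The /SecureList line is the one that matters for security: a zone that answers transfer requests from anyone hands out a complete inventory of your public addresses, which is Kevin's reverse-lookup concern in bulk form. On the NOTIFY question raised in the thread, the primary only sends the notification; the secondary then compares SOA serials and initiates the transfer itself, so Roland's and tech's descriptions both hold. Whether the external host will act as secondary for your zone is something to agree with them; until they do, the zone is Ace's 'shadow' copy, authoritative for internal clients only, with everything else still forwarded as before.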
 
