Laptop DNS Settings for Traveling User Laptops

jocharflet

Does anyone else see an issue with setting up a laptop with hard coded
DNS entries in the following way:

Primary - a DNS server that resides in an offsite colocation facility
(20 miles away)
Secondary - a public DNS server
Tertiary - a DNS server located at headquarters

There are two types of laptop:
1. Laptops are used at remote sites who VPN into headquarters
2. Laptop at headquarters that VPN when traveling.

Both types of laptops use host files to find resources when they attach
to the network locally or VPN.

The logic is as follows: The Primary DNS server is where the
VPN router is. The public DNS server is needed when they are traveling
and need access to the internet only. The tertiary is used when they
log in at headquarters.

All the laptops are XP. So far I have seen poor performance at
headquarters every so often because the logon server is the DNS server
at the offsite colocation facility, or they cannot contact a domain
controller at all. Once I remove the public DNS entry they can log on.


We use a lot of AD aware applications that rely on proper DNS settings
(CRM, Outlook, for example), so I need to build the case to use DHCP
for all systems and find a VPN solution that pushes network settings
when they enable their VPNs.

Does anyone know if these settings are good and I'm just wrong about
how DNS works? Or does anyone have any advice on how to "sell" my
concerns to management? My MCSE doesn't count for much where I work.
8/
 
Herb Martin

> Does anyone else see an issue with setting up a laptop with hard coded
> DNS entries in the following way:
>
> Primary - a DNS server that resides in an offsite colocation facility
> (20 miles away)
> Secondary - a public DNS server
> Tertiary - a DNS server located at headquarters

Sure, everyone who does client-side DNS incorrectly
that way sees such problems.

DNS clients must NOT mix different sets of DNS servers
which return different answers.

There is no reliable way to make that work.

Clients will take (either positive or negative) answers
from the first DNS server which answers (at all.)

DNS clients must use STRICTLY the internal set of
DNS servers which can resolve ALL names that will
ever be needed by that client.

It is then the responsibility of the DNS server(s) to
find external (or any other) names not held by the
internal DNS server(s) directly.

[Not an issue here, but remember that not only laptops
but even DCs and other Servers are "DNS clients" too.]

> There are two types of laptop:
> 1. Laptops are used at remote sites who VPN into headquarters
> 2. Laptop at headquarters that VPN when traveling.
>
> Both types of laptops use host files to find resources when they attach
> to the network locally or VPN.
>
> The logic is as follows: The Primary DNS server is where the
> VPN router is. The public DNS server is needed when they are traveling
> and need access to the internet only. The tertiary is used when they
> log in at headquarters.
>
> All the laptops are XP. So far I have seen poor performance at
> headquarters every so often because the logon server is the DNS server
> at the offsite colocation facility, or they cannot contact a domain
> controller at all. Once I remove the public DNS entry they can log on.
>
> We use a lot of AD aware applications that rely on proper DNS settings
> (CRM, Outlook, for example), so I need to build the case to use DHCP
> for all systems and find a VPN solution that pushes network settings
> when they enable their VPNs.
>
> Does anyone know if these settings are good and I'm just wrong about
> how DNS works?

Looks like a very common but incorrect misunderstanding
of DNS client settings and DNS server responsibilities.

> Or does anyone have any advice on how to "sell" my
> concerns to management? My MCSE doesn't count for much where I work.
> 8/

It's not about the four letters (MCSE) but rather about
the underlying knowledge that let you earn that MCSE.

[For a long time, I didn't even bother to put my "MVP"
in my messages, preferring to let the 'authority' of my
answers derive from their correctness rather than the
perception of some award or designation.]

Properly used, the MCSE (and other certifications) are
a way to force yourself to really learn the product in
a broad way, and faster than you might otherwise do
through an accidental path of experience only.
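
A simplified model of the resolver behaviour described in the reply above, added here as an illustration and not code from either poster. The `corp.example` names, the addresses and the zone contents are constructed, and real resolvers add timers and caching that are not modelled.

```python
# Model: the client accepts the first response it receives, positive or
# negative, and tries the next server only when a server stays silent.
# All names, addresses and zone contents below are constructed.

INTERNAL_ZONE = {
    "_ldap._tcp.dc._msdcs.corp.example": "dc1.corp.example",
    "dc1.corp.example": "10.0.0.10",
    "crm.corp.example": "10.0.0.20",
}
PUBLIC_ZONE = {"www.example.org": "203.0.113.80"}
DC_LOCATOR = "_ldap._tcp.dc._msdcs.corp.example"


class Server:
    def __init__(self, name, zones, reachable=True):
        self.name, self.zones, self.reachable = name, zones, reachable

    def query(self, qname):
        """Return a record, "NXDOMAIN", or None when the server never answers."""
        if not self.reachable:
            return None
        for zone in self.zones:
            if qname in zone:
                return zone[qname]
        return "NXDOMAIN"


def resolve(qname, servers):
    """Return (answer, server_name); the first response of any kind is final."""
    for server in servers:
        answer = server.query(qname)
        if answer is not None:
            return answer, server.name
    return "TIMEOUT", None


def laptop_servers(colo_up, hq_up):
    # Order from the original post: colo (internal), public, HQ (internal).
    # Internal servers also hold PUBLIC_ZONE here, standing in for the
    # forwarding/recursion they perform for external names.
    return [
        Server("colo", [INTERNAL_ZONE, PUBLIC_ZONE], colo_up),
        Server("public", [PUBLIC_ZONE]),
        Server("hq", [INTERNAL_ZONE, PUBLIC_ZONE], hq_up),
    ]


def internal_only(colo_up, hq_up):
    # The corrected client list: the public server is removed.
    return [s for s in laptop_servers(colo_up, hq_up) if s.name != "public"]
```

With the colo server unreachable, the mixed list ends at the public server's negative answer for the domain controller locator name and the headquarters server is never asked; the internal-only list reaches headquarters and still resolves external names.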
 
jocharflet

Herb,

Thank you for confirming what I believe to be the facts (my underlying
knowledge of DNS). At 2am I was looking for a sanity check and a way
to deal with a manager who knows I'm arong about DNS and he is right.
I need to find a different forum for that I'm sure.

I'm not quite sure though I understand how the MCSE comments apply to
me specifically, but that's ok. They hired me for my credentials but
disagree with everything I say to either 1) make sure they have the
credit for the work, or 2) avoid any harm to their egos if they were
proven wrong. 8)

Politics have the ultimate authority.

Thanks again,
J

 
Herb Martin

> Herb,
>
> Thank you for confirming what I believe to be the facts (my underlying
> knowledge of DNS). At 2am I was looking for a sanity check and a way
> to deal with a manager who knows I'm arong about DNS and he is right.
> I need to find a different forum for that I'm sure.

I don't know what you meant by "knows I'm arong about DNS".
(I make frequent typos and other errors myself but this one keeps
me from getting the message.)

> I'm not quite sure though I understand how the MCSE comments apply to
> me specifically, but that's ok. They hired me for my credentials but
> disagree with everything I say to either

The point was that the MCSE will make you neither
wrong nor right -- in and of itself -- but in earning it
you might or might not have learned what you really
need to understand to be able to design systems and
troubleshoot their problems.

> 1) make sure they have the credit for the work, or
> 2) avoid any harm to their egos if they were
> proven wrong. 8)

If both of those are true (and not just a misperception
on your part -- but note I am making NO judgment
about which it is) then you should START looking for
a new job.

Don't quit or anything right away, but such people
are personally toxic and should be avoided at the
earliest opportunity.

> Politics have the ultimate authority.

Precisely the reason that techies should learn to deal
in politics, human nature, psychology, and communications.

These are all skills that can be approached from a technical
perspective but many (most?) techies eschew dealing with
them instead of treating such skills as just another set of
tools to add to their personal toolkit.

All are eminently learnable and teachable if you find
the right sources.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
 
