To forward or not to forward... That is the question.

Guest
Archived from groups: microsoft.public.win2000.dns

We currently do not forward our Internal DNS's external requests to our
ISP's. I have this configuration due to technical issues relating to
routing our 2 T1's that are from 2 different ISP's.

We have 2 non AD integrated DNS servers running on 2k3 with custom
generated zone files.

Should I reconsider forwarding our internal DNS's external requests to
our ISP's DNS servers? What are the pro's and con's and current best
practice?

Thanks,

tM
 
Guest

"themeanies" <themeanies@nowhere.net> wrote in message
news:41978d9c$1_2@127.0.0.1...
> We currently do not forward our Internal DNS's external requests to our
> ISP's. I have this configuration due to technical issues relating to
> routing our 2 T1's that are from 2 different ISP's.
>
Have all your internal clients point to your internal DNS servers. Have
your Internal DNS server use helpers to both your ISPs' DNS servers. I don't
foresee any issues; if they can't reach one they will query the other one.
How are you doing it now? Just using root hints?

Matt
 
Guest

Matt Anderson wrote:

> "themeanies" <themeanies@nowhere.net> wrote in message
> news:41978d9c$1_2@127.0.0.1...
>
>>We currently do not forward our Internal DNS's external requests to our
>>ISP's. I have this configuration due to technical issues relating to
>>routing our 2 T1's that are from 2 different ISP's.
>>
>
> Have all your internal clients point to your internal DNS servers. Have
> your Internal DNS server use helpers to both your ISPs DNS servers. I don't
> foresee any issues, if they can't reach one they will query the other one.
> How are you doing it now? Just using root hints?
>
> Matt
>
>


Thanks for your reply.

All internal clients (800 of them) point to the 2 internal DNS servers.
No forwarding currently, the DNS servers use the root hints.

I haven't used forwarding because some ISP's don't take kindly to DNS
traffic pounding their DNS servers when the traffic originates from
another ISP. Because we have all our outbound Inet traffic load
balanced out 2 different ISP's this could potentially happen.

tM
 
Guest

"themeanies" <themeanies@nowhere.net> wrote in message
news:4197977b$1_1@127.0.0.1...
> Matt Anderson wrote:
>
>> "themeanies" <themeanies@nowhere.net> wrote in message
>> news:41978d9c$1_2@127.0.0.1...
>>
>>>We currently do not forward our Internal DNS's external requests to our
>>>ISP's. I have this configuration due to technical issues relating to
>>>routing our 2 T1's that are from 2 different ISP's.
>>>
>>
>> Have all your internal clients point to your internal DNS servers. Have
>> your Internal DNS server use helpers to both your ISPs DNS servers. I
>> don't foresee any issues, if they can't reach one they will query the
>> other one. How are you doing it now? Just using root hints?
>>
>> Matt
>
>
> Thanks for your reply.
>
> All internal clients(800 of them) point to the 2 internal DNS servers. No
> forwarding currently, the DNS servers use the root hints.
>
> I haven't used forwarding because some ISP's don't take kindly to DNS
> traffic pounding their DNS servers when the traffic originates from
> another ISP. Because we have all our outbound Inet traffic load balanced
> out 2 different ISP's this could potentially happen.
>
> tM

I'm not sure I understand how you would have another ISP's traffic ask the
other one for DNS requests. Can you elaborate? You are a customer of both
ISP's, therefore you can utilize both ISP's DNS servers.

Thanks,
Matt
MCT, MCSE
 
Guest

>
> I'm not sure I understand how you would have another ISP's traffic ask the
> other one for DNS requests. Can you elaborate? You are a customer of both
> ISP's, therefore you can utilize both ISP's DNS servers.
>
> Thanks,
> Matt
> MCT, MCSE
>
>

Well I'm not the network engineer, but this is how I understand it:

We have a border router with 2 T1's that go to 2 different ISP's. The
router does BGP I think to determine shortest path to target plus some
load balancing logic. Internally we have no way to determine which path
Inet traffic will take unless we specifically tell the routers which
path certain internal IP's are to take. So a recursive DNS request
could potentially go out ISP1's T1 and if I have ISP2's DNS as the
forwarding target, the above situation could occur.

It seems to me that forwarding introduces several uncontrollable
variables for me, so I was looking for a compelling reason to/not to
forward.

tM
 
Guest

"themeanies" <themeanies@nowhere.net> wrote in message
news:4197ba0a$1_1@127.0.0.1...
>
>>
>> I'm not sure I understand how you would have another ISP's traffic ask
>> the other one for DNS requests. Can you elaborate? You are a customer
>> of both ISP's, therefore you can utilize both ISP's DNS servers.
>>
>> Thanks,
>> Matt
>> MCT, MCSE
>
> Well I'm not the network engineer, but this is how I understand it:
>
> We have a border router with 2 T1's that go to 2 different ISP's. The
> router does BGP I think to determine shortest path to target plus some
> load balancing logic. Internally we have no way to determine which path
> Inet traffic will take unless we specifically tell the routers which path
> certain internal IP's are to take. So a recursive DNS request could
> potentially go out ISP1's T1 and if I have ISP2's DNS as the forwarding
> target, the above situation could occur.
>
I don't think you are using BGP.

Matt
 
Guest

If my DNS servers can handle the traffic and can reach external networks
(internet, for example), I just let them use Root-Hints. I typically forward
to ISPs in situations where there is a special requirement that prohibits
the DNS server from going outside the immediate network.

And, yes, BGP is the term you were trying to describe.

--


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
"themeanies" <themeanies@nowhere.net> wrote in message
news:41978d9c$1_2@127.0.0.1...
> We currently do not forward our Internal DNS's external requests to our
> ISP's. I have this configuration due to technical issues relating to
> routing our 2 T1's that are from 2 different ISP's.
>
> We have 2 non AD integrated DNS servers running on 2k3 with custom
> generated zone files.
>
> Should I reconsider forwarding our internal DNS's external requests to
> our ISP's DNS servers? What are the pro's and con's and current best
> practice?
>
> Thanks,
>
> tM
 
Guest

In news:4197ba0a$1_1@127.0.0.1,
themeanies <themeanies@nowhere.net> commented
Then Kevin replied below:
>> I'm not sure I understand how you would have another
>> ISP's traffic ask the other one for DNS requests. Can
>> you elaborate? You are a customer of both ISP's,
>> therefore you can utilize both ISP's DNS servers.
>>
>> Thanks,
>> Matt
>> MCT, MCSE
>>
>>
>
> Well I'm not the network engineer, but this is how I
> understand it:
>
> We have a border router with 2 T1's that go to 2
> different ISP's. The router does BGP I think to
> determine shortest path to target plus some load
> balancing logic. Internally we have no way to determine
> which path Inet traffic will take unless we specifically
> tell the routers which path certain internal IP's are to
> take. So a recursive DNS request could potentially go
> out ISP1's T1 and if I have ISP2's DNS as the forwarding
> target, the above situation could occur.
>
> It seems to me that forwarding introduces several
> uncontrollable variables for me, so I was looking for a
> compelling reason to/not to forward.
>
> tM

It is totally irrelevant which ISP's DNS gets used as a forwarder, as long
as both DNS servers serve the same Internet Root. This will most likely be
the ICANN Root; there could be a possible issue if one ISP serves the ICANN
Root and one serves the ORSC Root.
You might test all the DNS servers to see which answers faster and use it at
the top of the forwarders list.

--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
 
Guest
Archived from groups: microsoft.public.win2000.dns, microsoft.public.windows.server.dns

And this is the answer (http://homepages.tesco.net./%7EJ.deBoynePollard/FGA/dns-server-roles.html#ChoosingProxy).

> Should I reconsider forwarding our internal DNS's external
> requests to our ISP's DNS servers?

See the answer.

> What are the pro's and con's and current best practice?

See the answer.
 
Guest

t> We have a border router with 2 T1's that go to 2 different ISP's.
t> The router does BGP I think to determine shortest path to target plus
t> some load balancing logic. Internally we have no way to determine
t> which path Inet traffic will take unless we specifically tell the
t> routers which path certain internal IP's are to take. So a recursive
t> DNS request could potentially go out ISP1's T1 and if I have ISP2's
t> DNS as the forwarding target, the above situation could occur.

And since ISPs are gradually learning the wisdom of not providing
promiscuous proxy DNS service to the Internet at large, you have no way of
determining whether (a) your DNS query datagrams will even reach your
target forwardee (since the way of not providing promiscuous proxy DNS
service is to restrict what traffic, from whom, can actually reach the
server in the first place), and (b) your target forwardee will provide
proxy DNS service to you (since an incorrect, but nonetheless used, way
to try not to provide promiscuous proxy DNS service is to adjust what
service is provided according to the apparent source).
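
Kevin's suggestion to time the candidate forwarders, and the point above that a forwardee may be unreachable or may decline to serve you, can be checked together before editing the forwarders list. The following Python sketch is an added example, not code from any poster in this thread; the function names are hypothetical and the addresses under `__main__` are documentation placeholders.

```python
import secrets, socket, struct, time

def build_query(name, qid, qtype=1):
    """Encode a recursive (RD=1) query for `name`; qtype 1 is an A record."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def classify(reply, qid):
    """Judge a raw reply the way a forwarding server would experience it."""
    if len(reply) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", reply[:4])
    if rid != qid or not flags & 0x8000:   # wrong ID, or QR bit not set
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 5:                         # REFUSED: server declines to serve us
        return "refused"
    if not flags & 0x0080:                 # RA clear: no recursion on offer
        return "no-recursion"
    return "usable" if rcode == 0 else "rcode-%d" % rcode

def probe(server, name="example.com", timeout=2.0):
    """Send one query over UDP; return (status, round trip in ms or None)."""
    qid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.monotonic()
        try:
            s.sendto(build_query(name, qid), (server, 53))
            reply, _ = s.recvfrom(4096)
        except OSError:                    # timeout or ICMP unreachable
            return ("unreachable", None)
        elapsed = (time.monotonic() - start) * 1000
    return (classify(reply, qid), elapsed)

def rank(results):
    """Usable servers only, fastest first: the order for the forwarders list."""
    ok = [(ms, srv) for srv, (status, ms) in results.items() if status == "usable"]
    return [srv for ms, srv in sorted(ok)]

if __name__ == "__main__":
    # Placeholder addresses (documentation ranges); substitute each ISP's resolver.
    candidates = ["192.0.2.53", "198.51.100.53"]
    results = {srv: probe(srv) for srv in candidates}
    for srv, (status, ms) in results.items():
        print(srv, status, "-" if ms is None else "%.1f ms" % ms)
    print("forwarder order:", rank(results))
```

Run it on the DNS server itself and repeat it several times: with load-balanced uplinks, successive queries may leave through different ISPs, so a server that answers over one path can time out or refuse over the other.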
 
Guest

Deji Akomolafe wrote:
> If my DNS servers can handle the traffic and can reach external networks
> (internet, for example), I just let them use Root-Hints. I typically forward
> to ISPs in situations where there is a special requirement that prohibits
> the DNS server from going outside the immediate network.
>
> And, yes, BGP is the term you were trying to describe.
>

Maybe BGP -- However, it could be a load balanced NAT'd environment too.

--
SCIENTISTS COMPARE APPLES AND ORANGES FOR VITAMIN CONTENT
"It's like comparing apples and oranges," says researcher