AD - Secondary Reverse Lookups?

[CB]

Hello,
Thanks in advance.

Current Setup:
2003AD Interim Mode
Server A: Win2K Primary Forward/Reverse Zone Lookups
Server B: Win2003 Secondary Zone Lookups
Zone Transfers work fine

Question:
Is best practice to configure a secondary 'reverse' lookup zone or am
I OK with only one?

-CB

 

[Herb Martin]

Current Setup:

2003AD Interim Mode
Server A: Win2K Primary Forward/Reverse Zone Lookups
Server B: Win2003 Secondary Zone Lookups
Zone Transfers work fine

Question:
Is best practice to configure a secondary 'reverse' lookup zone or am
I OK with only one?

You may optionally configure the reverse zones -- unless you have
some application which actually benefits from them. (unlikely but
possible.)

If you do configure them, it would seem you would want the same
fault tolerance and performance as you expect from the forward
lookups so you might as well configure the secondary too -- unless
you have a positive reason for not doing so.

Or not, since the reverse is likely doing very little for you anyway.
(Don't get me wrong, I have the Reverse zones on my own net.)

And you might want to make them "dynamic" if you want machines
to register automatically in them as well.

 

[Ed Horley]

I would disagree with the previous poster if you are hosting reverse zones
for public blocks. If you are doing reverse DNS for any public blocks from
this server then having a secondary for that reverse zone should be right up
there in importance as the forward zones. Reverse name space is becoming an
important tool in combating zombie systems that send spam. Please see:
RFC 2505
RFC 2317
RFC 1034
RFC 1035

Hope that helps.
Ed

 

[Herb Martin]

I would disagree with the previous poster if you are hosting reverse zones
for public blocks. If you are doing reverse DNS for any public blocks from
this server then having a secondary for that reverse zone should be right up
there in importance as the forward zones. Reverse name space is becoming an
important tool in combating zombie systems that send spam. Please see:

You are not disagreeing with me on several counts:

1) I suggested that IF he has the zones, he should have secondaries
2) He almost certainly is not dealing with public blocks since it in
support of AD
3) IF he were dealing with public blocks they almost always belong to
the "ISP or NAP" (not the small company using them)

I agree with your comments as you posted them in fact.

 

[CB]

Herb/Ed,
Thank you for the suggestions.

I am using forwarders for external namespace.

-CB

 

[Herb Martin]

Forwarders have nothing to do with the zones that you hold
ON YOUR SERVERS.

It is extremely useful to separate the function of DNS -- at
least mentally -- into two different purposes:

1) Resolving names of YOUR resources
(or addresses in the case of reverse zones)

2) Helping your users resolve names/addresses (of ANY resource)

Forwarders are about completing the second item;
Zones you hold are about accomplishing the former.

And understand that many servers may do both, but in
DNS design, setup, and troubleshooting the two should
at least be considered separately.