DNS & Forwarders

[Guest]

Hi,

I have a W2k server that is DC & running DNS. I want to set Forwarders to
point to new ISP router. I believe I want to delete the "." root so I can
then setup a Forwarder.

Questions is, if I delete the ".", do I need to do any other setup/config
other than add the forwarder? I don't want this to quit working cause I
deleted the "." & didn't know I needed to do something else.

Thanks in advance for any help or suggestions!
Bill

 

[Herb Martin]

Hi,

I have a W2k server that is DC & running DNS. I want to set Forwarders to
point to new ISP router. I believe I want to delete the "." root so I can
then setup a Forwarder.

Questions is, if I delete the ".", do I need to do any other setup/config
other than add the forwarder? I don't want this to quit working cause I
deleted the "." & didn't know I needed to do something else.

Delete the root. You don't need it. The only people
who need it have multiple TREES of zones and NO
NEED for Internet resolution. (They know who they are.)

Add your forwarders and CONSIDER checking the box
on the forwarders page that says: Do Not user Recursion

You internal DNS will become dependent on the forwarders
but it will NOT try to visit every DNS server on the world
wide Internet (including EvilHackersWillGetYou.com <grin>)

 

[Guest]

Thank you!

I will do as you suggest!

Best Regards
Bill

 

[Kevin D. Goodknecht Sr. [MVP]]

In

Delete the root. You don't need it. The only people
who need it have multiple TREES of zones and NO
NEED for Internet resolution. (They know who they are.)

Herb, the existence of a root zone won't stop internet resolution, if all
the TLDs are delegated. Deleting the root zone Windows creates will enable
the root hint servers which by default point to the ICANN Root. There are
other internet roots beside the ICANN root, if you want to resolve those
roots you will need to run their copy of their delegated root zone.

 

[Guest]

Hi Kevin,

What I am trying to do is enable Internet access via a DSL router. I
currently have the router IP as the Alternate DNS on my workstations which I
have found causes many problems.

What I want to do is set the Forwarder to my Router IP and not have anything
in my workstation DNS except for the DNS running on my W2k server.

So deleting the "." zone & setting up a forwarder to my Router IP is what I
want and need to do at this point? Will I need to do anything with Root
Hints?

Thank you!
Bill

 

[Kevin D. Goodknecht Sr. [MVP]]

In

Hi Kevin,

What I am trying to do is enable Internet access via a
DSL router. I currently have the router IP as the
Alternate DNS on my workstations which I have found
causes many problems.

What I want to do is set the Forwarder to my Router IP
and not have anything in my workstation DNS except for
the DNS running on my W2k server.

So deleting the "." zone & setting up a forwarder to my
Router IP is what I want and need to do at this point?
Will I need to do anything with Root Hints?

Deleting the root zone will get you internet access, you shouldn't need to
do anything to the root hints. MS DNS automatically loads the Root Hints for
the ICANN root if you delete the root zone. You can set the router as a
forwarder, and you should only use the DNS server's IP address for DNS,
only. Especially, if you have Active Directory Domain.

 

[Guest]

Hi Kevin,

In

Deleting the root zone will get you internet access, you shouldn't need to
do anything to the root hints. MS DNS automatically loads the Root Hints for
the ICANN root if you delete the root zone. You can set the router as a
forwarder, and you should only use the DNS server's IP address for DNS,
only. Especially, if you have Active Directory Domain.

I was looking at the settings on the router and have one more question. On
the WAN side DNS is enabled, WAN IP and a DNS IP. On the LAN side I have a
static IP & no DNS.

Which IP would I use for the DNS Forwarder? I'm thinking it would be the
LAN side IP. Should I also enable DNS on the LAN side?

I have read many articles and am getting lots of pieces but it's hard to
make them all fit.

Sorry about the newbie questions.

I do appreciate the advice!

Bill

 

[Herb Martin]

I was looking at the settings on the router and have one more question.
On

the WAN side DNS is enabled, WAN IP and a DNS IP. On the LAN side I have a
static IP & no DNS.

Which IP would I use for the DNS Forwarder? I'm thinking it would be the
LAN side IP. Should I also enable DNS on the LAN side?

If you use your Router as the DNS resolving for the
Internet, (many provide that ability, some don't) then
it is the FORWARDER set on internal DNS servers.

You should NOT set internal clients to use this DNS
(nor the ISP) directly as you indicated in an earlier
message.

Rule:
Internal clients must use ONLY the internal DNS server (set).

Generally:
The Internal DNS server(s) forward to either the Router-DNS
or directly to the ISP.

If you use the RouterDNS, then the router uses the ISP as it's
forwarder (usually) to do the real work.

Forwarding to the Router is usually better when that is an option,
since it eliminates the need for internal (and sensitive DCs/DNS
servers) to "visit the Internet", and if you have more than one
internal DNS server it consolidates the Internet name cache so
that all may take advantage of the work (resolutions) it does.

Using a RouterDNS like this it is usually (termed) a "caching only
DNS server" -- which means it has no zones of it's own but just
does resolutions when we ask it to do so.

Even using the ISP
I have read many articles and am getting lots of pieces but it's hard to
make them all fit.

This is actually a fairly advanced question since it entails
several options which CAN work, and has only guidelines
for picking the BEST solution.

But remember these key points:
Internal clients must use the INTERNAL DNS (ONLY)
because otherwise they might 'skip' the internal names
that only these DNS servers know.

You cannot mix them on the client, because the clients
pick semi-randomly and "latch on" to whichever DNS
server works most quickly or is working right now.
(This mixing may SEEM to work but it is unreliable.
Due to the fact that it doesn't fail consistently many
people are under the false impression that it is a
good method.)

Since you cannot mix internal and external (reliably)
you should* have the INTERNAL DNS server Forward
to resolve both their INTERNAL Addresses AND
the EXTERNAL Addresses of the Internet.

*Technically, the internal DNS servers could do their
own external resolution by physically recursing from the
root of THE Internet, but this would mean opening the
firewall to them (at least for DNS) AND that they would
potentially visit ANYWHERE on the Internet, including
places like EvilHackers.Com

Sorry about the newbie questions.

They are good questions. Sometimes we have to
restructure them so that they don't hide (incorrect)
assumptions.

 

[Kevin D. Goodknecht Sr. [MVP]]

In

Which IP would I use for the DNS Forwarder?

Use the private IP of the router for the DNS forwarder (it is the same
address as the gateway you assign clients)

I'm thinking

it would be the LAN side IP. Should I also enable DNS on
the LAN side?

A I think you may be looking at the DHCP server on the router. If you are
leave it disabled, or put your DNS server's IP in. You really should leave
DHCP disabled on the router and configure DHCP on the Windows server with
option 003 (Router), 006 DNS (Use the DNS server's IP) 015 Domain Name (Use
the DNS name of your AD domain) This are the minimum options to use.

 

[Guest]

Kevin, thanks for all your help!

Problem solved!!!

(see below)

In

Use the private IP of the router for the DNS forwarder (it is the same
address as the gateway you assign clients)

I'm thinking

A I think you may be looking at the DHCP server on the router. If you are
leave it disabled, or put your DNS server's IP in. You really should leave
DHCP disabled on the router and configure DHCP on the Windows server with
option 003 (Router), 006 DNS (Use the DNS server's IP) 015 Domain Name (Use
the DNS name of your AD domain) This are the minimum options to use.

Deleting the "." and adding the Forwarder to the ISP Router did the trick!
Things are working very well now.

It's amazing how a simple question can get so complex in a hurry. I
appreciate the time to answer my questions & explain why it needs to be done
a certain way. I'm just being cautious before changing something & bringing
the whole network to its knees.

I've read several articles related to this issue and found several pieces
but not everything needed to finish the puzzle. I appreciate your help!

I inherited this system and am trying to correct some problems. I would
like to also do some performance tuning when I get the time. One of my next
projects will be to turn-on DHCP on the server. Everything now is static.
Something to keep things interesting I guess!

Thanks Again!
Bill

 

[Guest]

Hi Herb,

Thanks for all your advice!

Deleting the "." and adding the Forwarder to the ISP Router did the trick!
Things are working very well now.

Bill

 

[Herb Martin]

Hi Herb,

Thanks for all your advice!

Deleting the "." and adding the Forwarder to the ISP Router did the trick!
Things are working very well now.

Bill

Ok.

And remember, internal DNS clients must use ONLY
internal DNS servers.


Here's the outline for checking DNS for AD:

1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

....or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /serverC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]

 

[Mike H]

On Tue, 15 Feb 2005 10:23:13 -0600, Kevin D. Goodknecht Sr. [MVP] wrote:
[]

Deleting the root zone will get you internet access, you shouldn't need to
do anything to the root hints. MS DNS automatically loads the Root Hints for
the ICANN root if you delete the root zone.

Hi, Kevin. "Automatically loads"? Can you elaborate on that?

 

[Kevin D. Goodknecht Sr. [MVP]]

In

[]

Deleting the root zone will get you internet access, you
shouldn't need to do anything to the root hints. MS DNS
automatically loads the Root Hints for the ICANN root if
you delete the root zone.

Hi, Kevin. "Automatically loads"? Can you elaborate on
that?

When you delete the root zone the ICANN Root server information is loaded
into the DNS server. The cache.dns file in the dns\backup directory is the
file used to load these root hints.

 

[Herb Martin]

When you delete the root zone the ICANN Root server information is loaded

into the DNS server. The cache.dns file in the dns\backup directory is the
file used to load these root hints.

Kevin is right.

And if for some crazy reason it doesn't reload you can
pick most any DNS server (that is working at your ISP
for instance) and ask it for the "." zone DNS servers
directly (just like any other zone).

Once you have that list put in a few and then hit the
button that auto-repopulates the whole list (it asks one
of them for the list of others.)

nslookup -type=NS . dns1.yourisp.com.

Note between the =NS and the DNS server there is a
long DOT "." which is the official 'name' of the root zone.

dns1.yourisp.com = an IP address for this one (if your
DNS can't resolve while you are doing this.)


--
Herb Martin

In

[]

Deleting the root zone will get you internet access, you
shouldn't need to do anything to the root hints. MS DNS
automatically loads the Root Hints for the ICANN root if
you delete the root zone.

Hi, Kevin. "Automatically loads"? Can you elaborate on
that?

When you delete the root zone the ICANN Root server information is loaded
into the DNS server. The cache.dns file in the dns\backup directory is the
file used to load these root hints.

 

[Mike H]

In

[]

Deleting the root zone will get you internet access, you
shouldn't need to do anything to the root hints. MS DNS
automatically loads the Root Hints for the ICANN root if
you delete the root zone.

Hi, Kevin. "Automatically loads"? Can you elaborate on
that?

When you delete the root zone the ICANN Root server information is loaded
into the DNS server. The cache.dns file in the dns\backup directory is the
file used to load these root hints.

hmm, okay, in that directory I have root.dns and <domainname>.local.dns,
both modified 12.16.04. That looks like the date DNS server was
installed on this machine. One level up I have cache.dns dated
7.7.03-looks like it's unchanged from what I loaded off the cds or some
service pack.

Now, I'm using Active Directory and my zones are AD integrated.
Cache.dns seems to be supurfluous. I am thinking right there? Ohhhh,
never mind. Okay, when I deleted the root zone, the root hints were
populated as you say. That happens once, right? After that, one would
manually edit the hints in DNS server if necessary (like
b.root-servers.net, for instance). You're not saying that cache.dns
itself gets updated, right?

Now let me look at what Herb's saying and see what I can apply out of
that.

Thank you for taking the time to reply, Kevin Providing what I
restated is correct, I learned something tonight.

 

[Mike H]

Kevin is right.

I think so. See my reply to him.

And if for some crazy reason it doesn't reload you can
pick most any DNS server (that is working at your ISP
for instance) and ask it for the "." zone DNS servers
directly (just like any other zone).

Once you have that list put in a few and then hit the
button that auto-repopulates the whole list (it asks one
of them for the list of others.)

The button?

nslookup -type=NS . dns1.yourisp.com.

Note between the =NS and the DNS server there is a
long DOT "." which is the official 'name' of the root zone.

dns1.yourisp.com = an IP address for this one (if your
DNS can't resolve while you are doing this.)

That is NICE! I've been using ftp at ICANN every so often to download
the new list (if there is one) and check it against what I have.
Frequently, I'm unable to make that connection, and in that way and
others it's a bit of a hastle. What you just provided is very slick!

Now, if I could just automate that procedure somehow or force periodic
updates without intervention I'd have it made. Hence, my hopefulness
that "the button" means more than the return key at the end of that
command line

Good of you to jump in and provide some nice supplementary info, Herb.
I'm grateful.

 

[ObiWan]

Now, if I could just automate that procedure somehow or force periodic
updates without intervention I'd have it made. Hence, my hopefulness
that "the button" means more than the return key at the end of that
command line

Oh well ... just keep using "ftp" but automate it to to that you'll
need a copy of wget for win32, you can find the latest complete
package here

ftp://ftp.sunsite.dk/projects/wget/windows/wget-complete-stable.zip

just download the zip above and extract it into whatever folder you
like, next, create the following script into the same folder

@echo off
:
if not exist cache.old copy %SYSTEMROOT%\SYSTEM32\DNS\cache.dns cache.old

NUL

if not exist cache.new copy %SYSTEMROOT%\SYSTEM32\DNS\cache.dns cache.new

NUL

:
wget -N -nd -nv -O cache.new ftp://ftp.internic.net/domain/named.root >NUL
fc /C /L cache.old cache.new >NUL
if errorlevel 1 goto COPY
goto QUIT
:
:COPY
net stop dns
copy /Y cache.new %SYSTEMROOT%\SYSTEM32\DNS\cache.dns >NUL
net start dns
copy cache.new cache.old >NUL
:
:QUIT
exit

at this point just schedule the above script say once a month to check if
there are updated root-hints and to automatically download/update them
keep in mind though that root hints (root nameserver) don't change so
often, so I'm not sure the above will be really useful

Regards

--

* ObiWan

Microsoft MVP: Windows Server - Networking
http://www.microsoft.com/communities/MVP/MVP.mspx
http://mvp.support.microsoft.com

DNS "fail-safe" for Windows clients.
http://ntcanuck.com

Support and discussions forum
news://news.ntcanuck.com

408+ XP/2000 tweaks and tips
http://ntcanuck.com/tq/Tip_Quarry.htm

 

[Herb Martin]

The button?

(Sorry), I could remember "the button" name and it only
appears in the Win2003 version of the MMC (if you
run only Win2000 DNS servers, you can install the
Win2003 MMC on an XP workstation).

It is on the Root Hints tab and called Copy from Server
(pick any of the working ones, or perhaps another of your
own working DNS servers):

"Copy from Server" and type in that working DNS
which has the correct list.

Generally the root hints list will work if even one of these
servers is reached by the (local) DNS server.

Since these are not actually the root servers (anymore) but
the servers which PUBLISH the root servers it is very
resilient to changes.

MS (and BIND) use a root HINTS file (the name change
is actually meaningful) to FIND the root servers at startup.

 

[Mike H]

Oh well ... just keep using "ftp" but automate it

[snip link to utility program and the script to use it]

at this point just schedule the above script say once a month to check if
there are updated root-hints and to automatically download/update them
keep in mind though that root hints (root nameserver) don't change so
often, so I'm not sure the above will be really useful

hehe, "useful"? Sure it will be I find that the better DNS Server
runs the more I tend to forget about it. Besides, although I wouldn't
want to, and wouldn't recommend it, I can see a late-night installation
of DNS Server that for one reason or other still used the cache.dns that
mis-listed b.root-servers.net and I will have been to "rummy" to fix
that little detail. Besides, I see that even though I updated the AD
root hints (is it correct to say that?), I forgot to change cache.dns
itself. Presumably, if I ever stopped DNS server it would load up the
old hints again.

So, see? At least for me it's worth doing My thanks to the OP, "New
to DNS" for bringing the subject up, as well as Herb, Kevin, and ObiWan
for provoking thoughts that allowed me to catch an error in my DNS
configuration.

Good to see you in these parts again, Obi