DNS Server going to IANA for resolution


Adam Sandler

Hello,

I have a subnet of my LAN (all W2K SP4 boxes), which is
pseudo-isolated for the developers. This area supports a local
domain and is not registered in any way. At any rate, in that LAN
there are 2 DCs and they are both DNS servers with an Active Directory
integrated zone. The remaining 5 boxes in this area all point to these
2 DCs for DNS. If a request outside of this area (e.g., for a
website) is made, then a forwarder has been specified on the DNS
servers.

My problem arose when I was looking at the network logs the other day.
One of the DNS servers is consistently banging IANA for DNS resolution.
I'm really lost here; I don't know why this one box is trying to hit
IANA all the time. All the external requests should be going to my
registered DNS server. Any suggestions are appreciated.

Thanks!
 
Adam Sandler said:
Hello,

I have a subnet of my LAN (all W2K SP4 boxes), which is
pseudo-isolated for the developers. This area supports
a local domain and is not registered in any way. At any
rate, in that LAN there are 2 DCs and they are both DNS
servers with an Active Directory integrated zone. The
remaining 5 boxes in this area all point to these 2 DCs
for DNS. If a request outside of this area (e.g., for a
website) is made, then a forwarder has been specified on
the DNS servers.

My problem arose when I was looking at the network logs
the other day. One of the DNS servers is consistently
banging IANA for DNS resolution. I'm really lost here; I
don't know why this one box is trying to hit IANA all the
time. All the external requests should be going to my
registered DNS server. Any suggestions are appreciated.

Do you have a reverse lookup zone for your local subnet?
While not required for AD functionality, all clients set for DDNS will try
to register A and PTR records in the Authoritative DNS servers. All PTR
records for private IPs are sent to several different black-hole DNS servers
at iana.org; prisoner.iana.org is the SOA master.
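The reply above describes the mechanism behind the symptom: a PTR lookup for a private address that the local servers are not authoritative for gets recursed off-site and lands at the IANA black-hole servers. The script below is an added example (not code from the thread or from any poster) that runs that check over a few constructed query-log lines: it decodes PTR query names, maps them back to IP addresses, keeps only RFC 1918 addresses, and reports any whose reverse zone is not hosted locally, together with the /24 reverse zone that would cover it. The log line layout, the `LOCAL_REVERSE_ZONES` list and the helper names are assumptions made for the example.

```python
import ipaddress
import re

# RFC 1918 ranges. PTR lookups for these should be answered by a local
# reverse zone; if they leave the site they end up at the IANA black holes.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Reverse lookup zones assumed to be hosted on the local DNS servers
# (constructed for this example; the thread does not list the actual zones).
LOCAL_REVERSE_ZONES = ["1.168.192.in-addr.arpa"]

# Constructed sample log, loosely modelled on the label-length encoding the
# Windows DNS debug log uses for names, e.g. (3)www(7)example(3)com(0).
# These are not real log lines.
SAMPLE_LOG = """\
20040312 09:15:01 PACKET Rcv 192.168.1.20 Q [0001 D NOERROR] PTR (2)25(1)1(3)168(3)192(7)in-addr(4)arpa(0)
20040312 09:15:02 PACKET Rcv 192.168.1.20 Q [0001 D NOERROR] PTR (2)17(1)0(2)10(2)10(7)in-addr(4)arpa(0)
20040312 09:15:03 PACKET Rcv 192.168.1.21 Q [0001 D NOERROR] A (3)www(7)example(3)com(0)
20040312 09:15:04 PACKET Rcv 192.168.1.22 Q [0001 D NOERROR] PTR (1)8(1)8(1)8(1)8(7)in-addr(4)arpa(0)
"""

QUERY_RE = re.compile(r" Q \[[^\]]*\] (\w+) (\S+)\s*$")


def parse_query(line):
    """Return (qtype, qname) for a query log line, or None for anything else.

    The length-prefixed labels "(3)www(7)example(3)com(0)" are turned into
    the dotted name "www.example.com".
    """
    m = QUERY_RE.search(line)
    if not m:
        return None
    qtype, encoded = m.groups()
    qname = re.sub(r"\(\d+\)", ".", encoded).strip(".")
    return qtype, qname


def ptr_to_ip(qname):
    """Map a full IPv4 reverse name (4 octets + in-addr.arpa) to an address."""
    suffix = ".in-addr.arpa"
    if not qname.endswith(suffix):
        return None
    labels = qname[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return ipaddress.ip_address(".".join(reversed(labels)))
    except ValueError:
        return None


def covered_locally(qname, local_zones):
    """True if some locally hosted reverse zone is the name or a parent of it."""
    return any(qname == z or qname.endswith("." + z) for z in local_zones)


def suggested_zone(ip):
    """The /24 reverse zone that would make this address answerable locally."""
    a, b, c, _ = str(ip).split(".")
    return f"{c}.{b}.{a}.in-addr.arpa"


def find_leaks(log_text, local_zones=LOCAL_REVERSE_ZONES):
    """Return (qname, ip, zone_to_add) for private PTR lookups with no local zone."""
    leaks = []
    for line in log_text.splitlines():
        parsed = parse_query(line)
        if parsed is None:
            continue
        qtype, qname = parsed
        if qtype != "PTR":
            continue
        ip = ptr_to_ip(qname)
        if ip is None or not any(ip in net for net in PRIVATE_NETS):
            continue  # public or malformed: not the leak we are looking for
        if covered_locally(qname, local_zones):
            continue  # answered by a local zone, never leaves the site
        leaks.append((qname, str(ip), suggested_zone(ip)))
    return leaks


if __name__ == "__main__":
    for qname, ip, zone in find_leaks(SAMPLE_LOG):
        print(f"{qname} ({ip}) has no local reverse zone; consider adding {zone}")
```

In the sample, the 192.168.1.25 lookup is answered by the assumed local zone and the 8.8.8.8 lookup is a public address, so only the 10.10.0.17 lookup is reported. Running the same logic over a real capture of the server's outbound queries is the quickest way to see which reverse zones the local servers are missing.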
 
Adam Sandler said:
Hello,

I have a subnet of my LAN (all W2K SP4 boxes), which is
pseudo-isolated for the developers. This area supports a local
domain and is not registered in any way. At any rate, in that LAN
there are 2 DCs and they are both DNS servers with an Active Directory
integrated zone. The remaining 5 boxes in this area all point to these
2 DCs for DNS. If a request outside of this area (e.g., for a
website) is made, then a forwarder has been specified on the DNS
servers.

Also specify "Do not use recursion" on the forwarders tab.

This will require the DNS server to use STRICTLY the forwarder(s).
 
Adam Sandler said:
I do have a corresponding reverse lookup zone

Do you have an SMTP server using this DNS server?
SMTP server will query for a PTR record, if so configured.
 
I do have a corresponding reverse lookup zone
Do you have an SMTP server using this DNS server?
SMTP server will query for a PTR record, if so configured.

Yes, and a quick and (rather) easy way to minimize
traffic to root servers is to change the DNS config,
setting up both the "." and the "in-addr.arpa" zones
as secondary ones; this way the DNS will have its
local copy of the two root zones (direct/reverse)
and won't need to ask root-servers for DNS glue.
 
ObiWan said:
Yes, and a quick and (rather) easy way to minimize
traffic to root servers is to change the DNS config
setting up both the "." and the "in-addr.arpa" zones
as secondary ones, this way the DNS will have its
local copy of the two root zones (direct/reverse)
and won't need to ask root-servers for DNS glue

Obi, you are exactly right, as I have done exactly that on all of my DNS
servers.
Delegated Root and in-addr.arpa secondary zones are a good addition to any
DNS server. It can save a lot of trips out to the root.
 