DNS traffic optimization in root/hub configuration

Thread starter: Guest
I have a root domain, and in the root domain DMZ there is an FE Exchange server and
a public DNS. There are several separate domains connected to the root domain. All
domains are connected with Netscreen.
The problem is getting worse because of UDP traffic, more or less DNS
related. The situation is getting worse. DNS fails to resolve FQDN to IP, and
this is getting problematic because of the FE Exchange server. All incoming and
outgoing SMTP traffic goes through the FE Exchange server, and because name
resolution is failing, there are a lot of failed mails that are not delivered.
If I try to use nslookup on any server in the root domain I get strange
responses.
I type one domain name.
1. no response
2. no response
3. no response
4. response
Using the ISP DNS server:

1. no response
2. no response
3. no response
4. response
5. response
6. response
7. no response
8. no response
9. response
And so on

I have two domain controllers and an FE Exchange server in the DMZ. Both DCs use AD
integrated zones and the FE uses several standard zones, because we host several domains
there.

The root DCs have the following configuration:
Network configuration: under TCP/IP they use as first DNS their own IP and as
second DNS the IP of the second DC in the root domain. The DNS server hosts AD integrated
zones. One zone is for the root domain and the _msdcs zone, which is replicated to
the other DNS servers in the other domains. Both DNS servers use the same set of IP
addresses of the ISP provider. Recursion is checked and I increased the timeout
for now to 10s.
The FE Exchange server uses in its IP configuration on the TCP/IP properties the IP addresses
of both DCs in the root domain. On the forwarders tab I tried different configurations
of IP addresses; at the moment there are the ISP DNS first, then the local DC IP
addresses. I will remove the DC IP addresses, which I don't think are needed.
Recursion is used and is set up now to ten seconds.

Today I set it up so that the FE server uses external DNS servers for mail delivery
on the SMTP connector. I will see how it responds. The error that pops up
is that SMTP could not connect to the DNS server; these DNS servers can be
the internal DNS servers of the DCs or external. There is the same Netscreen there.

All other domains have the following configuration. There are usually two
domain controllers with an AD integrated zone, and the _msdcs zone, which is replicated
through the root domain. The forwarders are the local ISP provider. The IP configuration
has as first IP address the first DC, then the second DC, and the third and
fourth are the IP addresses of the root DCs. Recursion is enabled and default.

How can I fix and lower the DNS query traffic through the domain? And most
important, how do I fix the problem in the root domain? All servers and the DMZ go
through one Netscreen box. The root domain is problematic because of the FE Exchange
server.

Thank you for your reply.
 
Mr.B said:
I have a root domain, and in the root domain DMZ there is an FE Exchange server and
a public DNS. There are several separate domains connected to the root domain. All
domains are connected with Netscreen.

Is this your outbound Exchange server? That is does it connect directly
to the final, external destinations and so need to resolve "the Internet"?

If so, does the Exchange server machine have a DNS server (caching only
is fine, probably even best) on it?

Also if (and only if) it does have a local DNS server, you might wish to
disable the "DNS Client" service (there is little point and some negatives to
caching the same info twice.)
The problem is getting worse because of UDP traffic, more or less DNS
related. The situation is getting worse. DNS fails to resolve FQDN to IP, and
this is getting problematic because of the FE Exchange server. All incoming and
outgoing SMTP traffic goes through the FE Exchange server, and because name
resolution is failing, there are a lot of failed mails that are not
delivered.

Describe your DNS setup from the point of view of this Exchange server --
NIC settings, has DNS/doesn't have DNS server, forwarding if any on the
DNS server used by the NICs, disable/not disable Recursion on the forwarders
tab.
If I try to use nslookup on any server in the root domain I get strange
responses.
I type one domain name.
1. no response
2. no response
3. no response
4. response
Using the ISP DNS server:

Implies but doesn't prove the ISP's DNS server may be sick. Why do you
get FOUR responses? That looks suspiciously like "ping" not NSLookup?

Do you use EXPLICIT DNS server Address when testing with NSLookup
to focus on one specific server (at a time)???

Do you use explicit timeouts, e.g., -time=10 (or 20 etc.)

First the ISP: Nslookup -time Name.To.Resolve IP.of.ISP.DNS

Then other DNS servers: Nslookup -time Name.To.Resolve IP.of.Other.DNS
I have two domain controllers and an FE Exchange server in the DMZ. Both DCs use AD
integrated zones and the FE uses several standard zones, because we host several domains
there.

Why do you have DCs in the DMZ?
The root DCs have the following configuration:
Network configuration: under TCP/IP they use as first DNS their own IP and as
second DNS the IP of the second DC in the root domain. The DNS server hosts AD integrated
zones. One zone is for the root domain and the _msdcs zone, which is replicated to
the other DNS servers in the other domains. Both DNS servers use the same set of IP
addresses of the ISP provider. Recursion is checked and I increased the timeout
for now to 10s.

You likely should separate the way that the Exchange uses DNS from the
internal DC-DNS for internal resolution. You might use conditional
forwarding (with Win2003) or hold a Secondary for each internal zone if you place DNS
on the Exchange server.
The FE Exchange server uses in its IP configuration on the TCP/IP properties the IP addresses
of both DCs in the root domain.

You mean "IP addresses of both DC" as the DNS server, right?

How do these DNS servers (or whatever you do use from Exchange) resolve
external names?

How many internal machines do you have? What is the load on the DNS-DCs
for both DNS and for everything else?
On the forwarders tab I tried different configurations
of IP addresses; at the moment there are the ISP DNS first, then the local DC IP
addresses. I will remove the DC IP addresses, which I don't think are needed.

You must NOT use a mixture of DNS servers on EITHER the forwarders tab
or any NIC that could return different answers.

DNS Clients (NIC and the forwarders tab are two different ways to act as
a 'client' in some sense) ASSUME that all DNS servers will return the same
consistent and correct answers when queried.
Recursion is used and is set up now to ten seconds.

Why? If you are forwarding it is usually safer to disable recursion AND
it MAY be faster -- although I cannot logically explain this there are quite
a few anecdotal reports that when using a (reliable) forwarder you can
improve the speed by NOT ALSO using recursion.

If your forwarders are not reliable you should obviously just skip them
and use recursion only (or find other forwarders.)

Today I set it up so that the FE server uses external DNS servers for mail delivery
on the SMTP connector. I will see how it responds. The error that pops up
is that SMTP could not connect to the DNS server; these DNS servers can be
the internal DNS servers of the DCs or external. There is the same Netscreen there.

Well, your SMTP server needs a DNS server. Local and caching is what I
use.
 
The root domain DCs are not in the DMZ zone, only the FE Exchange server.

The FE Exchange server is set up as follows:
Because there are several sub domains, there is an IP on the server for each
domain. At the moment there are fourteen IPs assigned to the FE Exchange server.
The IP config is set up like this:
IP ******
WINS: DC1 IP, DC2 IP
DNS : DC1 IP, DC2 IP, FE IP
On the FE server runs a DNS server. There are ca. 50 zones.
The FE Exchange server DNS listens only on one IP address.
FE forwarders are:
ISP1 DNS1 IP
ISP1 DNS2 IP
ISP2 DNS1 IP

Today I removed the IPs of DC1 and DC2 from the forwarders tab. I disabled recursion.
There are root hints there. Probably good to delete them, if I use forwarders.

Would it be better not to use forwarders, but put the DCx IP DNS in the
network settings under the DNS tab?

DC1 and DC2 are configured as follows:

Under IP configuration:
DC1 - DNS: DC1 IP, DC2 IP
DC2 - DNS: DC2 IP, DC1 IP
Both DNS servers host three AD integrated zones.
First zone: _msdcs. Zone transferred to any server; in future I will put
the IPs of all DC DNS servers there.
Second zone: Root.local zone. Zone transferred to any servers; I should put
only listed name servers.
Third zone is an external zone for a domain, not important.

Forwarders are configured identically:
ISP1 DNS1 IP
ISP1 DNS2 IP
ISP2 DNS1 IP
I disabled recursion.
There are root hints there. I should probably delete that and rely only on
forwarders, or should I only put the ISP DNS on the DNS configuration tab under
network settings?

All other domains are set up identically to the root DC, with their respective
IP addresses and additional IP addresses of the root DCs. On the forwarders tabs, I
use the local ISP. There are root hints there too.
 
For nslookup:
C:\Documents and Settings\AdminHI>nslookup
Default Server: dc1.root.local
Address: 192.168.1.1
slowniki.onet.pl
Server: dc1.root.local
Address: 192.168.1.1

DNS request timed out.
timeout was 2 seconds.
*** Request to dc1.root.local timed-out
slowniki.onet.pl
Server: dc1.root.local
Address: 192.168.1.1

Non-authoritative answer:
Name: nospam.onet.pl
Address: 213.180.130.201
Aliases: slowniki.onet.pl
server DNS of IP
Default Server: dns1.123.net
Address: 123.2.2.1
slowniki.onet.pl
Server: dns1.123.net
Address: 123.2.2.1

DNS request timed out.
timeout was 2 seconds.
Non-authoritative answer:
Name: nospam.onet.pl
Address: 213.180.130.201
Aliases: slowniki.onet.pl

And what is strange is this response from the DC1 and DC2 DNS servers:
server 192.168.1.1
Default Server: [192.168.1.1]
Address: 192.168.1.1
server 192.168.1.1
Default Server: dc1.root.local
Address: 192.168.1.1
server 192.168.1.2
Default Server: [192.168.1.2]
Address: 192.168.1.2
server 192.168.1.2
Default Server: dc2.root.local
Address: 192.168.1.2
 
The root domain DCs are not in the DMZ zone, only the FE Exchange server.
The FE Exchange server is set up as follows:
Because there are several sub domains, there is an IP on the server for each
domain. At the moment there are fourteen IPs assigned to the FE Exchange server.
The IP config is set up like this:
IP ******
WINS: DC1 IP, DC2 IP
DNS : DC1 IP, DC2 IP, FE IP
On the FE server runs a DNS server. There are ca. 50 zones.
The FE Exchange server DNS listens only on one IP address.
FE forwarders are:
ISP1 DNS1 IP
ISP1 DNS2 IP
ISP2 DNS1 IP

Today I removed the IPs of DC1 and DC2 from the forwarders tab.

From Exchange-DNS server?
I disabled recursion.
There are root hints there. Probably good to delete them, if I use
forwarders.

Does removing DC1 and DC2 allow you to resolve all names
you need? (Internal as well as external?)
Would it be better not to use forwarders, but put the DCx IP DNS in the
network settings under the DNS tab?

Likely it would be best to use CONDITIONAL forwarders for DC1 and DC2
to resolve internal or authoritative names and let the Exchange DNS server
either forward to the Internet OR recurse for itself for public names.

BUT since (if?) you are NOT using the Exchange-DNS server as its OWN DNS
server on its own NIC you are bypassing it and getting ZERO BENEFIT
from the local server.

If you are running a DNS server on the Exchange to speed up resolution then
your local CLIENT NIC settings there should specify that same DNS server
(on the Exchange box.)
 
Mr.B said:
The root domain DCs are not in the DMZ zone, only the FE Exchange server.

The FE Exchange server is set up as follows:
Because there are several sub domains, there is an IP on the server for each
domain. At the moment there are fourteen IPs assigned to the FE Exchange
server. The IP config is set up like this:
IP ******
WINS: DC1 IP, DC2 IP
DNS : DC1 IP, DC2 IP, FE IP
On the FE server runs a DNS server. There are ca. 50 zones.
The FE Exchange server DNS listens only on one IP address.
FE forwarders are:
ISP1 DNS1 IP
ISP1 DNS2 IP
ISP2 DNS1 IP

Today I removed the IPs of DC1 and DC2 from the forwarders tab. I disabled
recursion. There are root hints there. Probably good to delete them, if
I use forwarders.

Be careful with forwarding to another DNS internally that hosts the same
zone unless you are chaining Internet resolution from one DNS to another
whereas the last DNS in the chain is forwarding to the ISP's DNS. Usually we
just configure forwarders individually on each DNS to the ISP's.

Don't disable recursion. The checkbox under the forwarder tab just says to
use the Roots if the forwarder doesn't have the answer.
Would it be better not to use forwarders, but put the DCx IP DNS
in the network settings under the DNS tab?

That is the recommended 'best practice' with any AD infrastructure
configuration.
DC1 and DC2 are configured as follows:

Under IP configuration:
DC1 - DNS: DC1 IP, DC2 IP
DC2 - DNS: DC2 IP, DC1 IP
Both DNS servers host three AD integrated zones.
First zone: _msdcs. Zone transferred to any server; in future I will
put the IPs of all DC DNS servers there.
Second zone: Root.local zone. Zone transferred to any servers; I
should put only listed name servers.
Third zone is an external zone for a domain, not important.

Forwarders are configured identically:
ISP1 DNS1 IP
ISP1 DNS2 IP
ISP2 DNS1 IP
I disabled recursion.

No need to disable recursion as I mentioned above.

There are root hints there. I should probably delete that and rely
only on forwarders, or should I only put the ISP DNS on the DNS
configuration tab under network settings?

See above. Leave the Roots alone. Not contributing whatsoever with the
issue(s) you are having.
All other domains are set up identically to the root DC, with their
respective IP addresses and additional IP addresses of the root DCs. On the
forwarders tabs, I use the local ISP. There are root hints there too.

Originally you mentioned possible UDP traffic issues. DNS uses UDP 53 first
for the query and response. However if the response is greater than 512
bytes, it reverts to TCP. However, Windows 2003 uses a new feature that
offers the response UDP traffic up to the maximum size of a packet, notably
1500 bytes. This is called EDNS0, a new industry implementation (I forget
the RFC#), that supports UDP DNS response packets up to 1500 bytes. Microsoft
is using this new industry implementation due to it being much more
efficient. I couldn't find anywhere you mentioning what Windows version you
are using, and at this point I will assume Windows 2003. My take on this is
if it is, then maybe your Netscreens or your Cisco router or PIX does not
support EDNS0 and would need an IOS update to do so. Read up more on it
here:

828731 - An External DNS Query May Cause an Error Message in Windows Server
2003:
http://support.microsoft.com/?id=828731

Also, FWIW, you can stipulate in the SMTP Virtual server properties in the
Exchange System Manager to use an external DNS. That is in SMTP properties,
Delivery tab, advanced (IIRC). This will tell SMTP to use an outside server
to query when sending mail and won't bother to use the internal DNS servers.
But always only use the internal DNS servers in the machine's IP properties.


--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================
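As an added example (not code from any poster in this thread), the following Python script builds a plain DNS query and the same query with an EDNS0 OPT record (EDNS0 is RFC 6891, the RFC Ace could not recall), so an administrator can check whether a firewall in the path drops the larger EDNS0 queries, and reads the TC bit that triggers the TCP fallback Ace describes. The `probe` and `classify` helpers, the server addresses and the query name are constructed for illustration.

```python
import socket
import struct

# Constructed diagnostic helper (not from the thread). A plain query and an
# EDNS0 query are sent to the same resolver; if only the EDNS0 one gets no
# answer, a middlebox that does not understand EDNS0 is the likely cause.

def build_query(name, qid=0x1234, edns_udp_size=None):
    """Wire-format A query for `name`; append an OPT RR when a size is given."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)  # RD set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    opt = b""
    if edns_udp_size:
        # OPT RR: root name, TYPE 41, CLASS = advertised UDP payload size,
        # TTL = extended RCODE/version/flags (all 0), RDLENGTH 0
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return header + question + opt

def parse_flags(response):
    """Return (id, truncated, rcode, arcount) from a DNS response header."""
    qid, flags, _, _, _, arcount = struct.unpack("!HHHHHH", response[:12])
    return qid, bool(flags & 0x0200), flags & 0x000F, arcount

def needs_tcp_retry(response):
    """Classic behaviour: server set TC because the answer exceeded 512 bytes,
    so the client must retry the same query over TCP port 53."""
    return parse_flags(response)[1]

def probe(server, name, timeout=2.0, edns_udp_size=None):
    """Send one UDP query; return the response bytes or None on timeout."""
    query = build_query(name, edns_udp_size=edns_udp_size)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            return sock.recvfrom(4096)[0]
        except socket.timeout:
            return None

def classify(plain, edns):
    """Interpret a (plain, EDNS0) probe pair for the same server and name."""
    if plain is None and edns is None:
        return "server unreachable or sick"
    if edns is None:
        return "EDNS0 queries dropped in path"
    if plain is None:
        return "plain query lost; intermittent loss, retry"
    if needs_tcp_retry(edns):
        return "truncated; TCP fallback needed"
    return "ok"

if __name__ == "__main__":
    # Hypothetical resolver and name; run against your own DC or ISP server.
    server, name = "192.0.2.53", "example.com"
    print(classify(probe(server, name), probe(server, name, edns_udp_size=1280)))
```

Run the pair once per resolver listed on the NIC and forwarders tab; a "dropped in path" result for the ISP servers but not the DCs points at the Netscreen or router rather than the DNS servers themselves.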
 
Thank you
