Question on DNS Forwarders

  • Thread starter Thread starter C C
  • Start date Start date
C

C C

Hello.

We have a Internal DNS Win2K server behind a
Proxy server which is proxying DNS queries to root-servers
in the Internet.

The consultant who configured our internal DNS server
configured the Root Hits with a.root-servers.net
to m.root-servers.net.

Lately, DNS queries are backed up in our Proxy
server and are probably timing out because outbound
emails from our Exchange server takes a long time
to go out.

Right now, the "Forwarders" tab is empty. Will it
help if I put our ISP's DNS servers (one Primary
and one Secondary) in the "Forwarders" tab?

Thanks in advance for your help.
 
C C said:
Hello.

We have a Internal DNS Win2K server behind a
Proxy server which is proxying DNS queries to root-servers
in the Internet.

The consultant who configured our internal DNS server
configured the Root Hits with a.root-servers.net
to m.root-servers.net.

Lately, DNS queries are backed up in our Proxy
server and are probably timing out because outbound
emails from our Exchange server takes a long time
to go out.

Right now, the "Forwarders" tab is empty. Will it
help if I put our ISP's DNS servers (one Primary
and one Secondary) in the "Forwarders" tab?

Thanks in advance for your help.
Click to expand...

What kind of proxy server are you using?
Normally, the Proxy would forward to the ISP and your internal DNS would
forward to the proxy. Unless the proxy server is running on the same machine
as the DNS server, in that case the Proxy DNS would be disabled and the
internal DNS would forward to the ISP.
 

Kevin, thanks for your reply.
What kind of proxy server are you using?
Click to expand...

We are using Wingate 6.0+ by QBIK with ENS. This is on a dedicated machine.
The DNS server is one of our Active Directory controllers.
Normally, the Proxy would forward to the ISP and your internal DNS would
forward to the proxy. Unless the proxy server is running on the same machine
as the DNS server, in that case the Proxy DNS would be disabled and the
internal DNS would forward to the ISP.
Click to expand...

Yes, I understand this scenarios. What I'm not sure of is the "Forwarders"
tab
in the DNS Server configuration.

In your reply to my other post re "Root DNS Servers", I now see why
DNS queries by our Exchange server (another machine) takes a long
time to get resolved.

Now, back to the "Forwarders" tab. Shall I add our ISP's Primary
and secondary DNS servers in this tab? Or shall I use the IP address
of our Proxy server and let the proxy server NAT it out to our ISP's
DNS servers?

Again, thanks for your help.
 
C C said:
Kevin, thanks for your reply.


We are using Wingate 6.0+ by QBIK with ENS. This is on a dedicated
machine. The DNS server is one of our Active Directory controllers.


Yes, I understand this scenarios. What I'm not sure of is the
"Forwarders" tab
in the DNS Server configuration.

In your reply to my other post re "Root DNS Servers", I now see why
DNS queries by our Exchange server (another machine) takes a long
time to get resolved.

Now, back to the "Forwarders" tab. Shall I add our ISP's Primary
and secondary DNS servers in this tab? Or shall I use the IP address
of our Proxy server and let the proxy server NAT it out to our ISP's
DNS servers?
Click to expand...

I run two Wingate v6 proxies so I have quite a bit of experience in setting
these up.

So can I assume Wingate is on a member server or workstation and not a DC?
Your statement above left this unclear, if Wingate is one a DC, disable DNS
in Wingate, if Wingate is on a member, follow these instructions and make
sure the member is using one of the AD DNS servers for DNS in TCP/IP
properties.


On the MS DNS set the forwarder to The Wingate machine, then on the Wingate
machine, in Gatekeeper, Control, on the System Tab, Double click DNS\WINS
Resolver and enter your ISP's DNS server addresses.
Then on the Wingate server machine, go to Start>Programs>Wingate>Advanced
Options, Select DNS Servers, then enter the Local AD DNS server address.
This prevents Wingate from using your AD DNS server and therefore preventing
a DNS loop, this is because the Wingate DNS resolver will try to use the DNS
server in TCP/IP properties as one of its forwarders.

Make sure the ISP DNS servers you are using support doing recursive lookups,
some users have attempted to use the ISP's DNS server they use for hosting
public zones, some ISP's especially the large ones have recursion disabled
on their Authoritative DNS servers. If this is the case these ISP's have
several geographically dispersed caching only DNS server to use as
resolvers.
 
Kevin D. Goodknecht Sr. said:
I run two Wingate v6 proxies so I have quite a bit of experience in setting
these up.

So can I assume Wingate is on a member server or workstation and not a DC?
Your statement above left this unclear, if Wingate is one a DC, disable DNS
in Wingate, if Wingate is on a member, follow these instructions and make
sure the member is using one of the AD DNS servers for DNS in TCP/IP
properties.


On the MS DNS set the forwarder to The Wingate machine, then on the Wingate
machine, in Gatekeeper, Control, on the System Tab, Double click DNS\WINS
Resolver and enter your ISP's DNS server addresses.
Then on the Wingate server machine, go to Start>Programs>Wingate>Advanced
Options, Select DNS Servers, then enter the Local AD DNS server address.
This prevents Wingate from using your AD DNS server and therefore preventing
a DNS loop, this is because the Wingate DNS resolver will try to use the DNS
server in TCP/IP properties as one of its forwarders.

Make sure the ISP DNS servers you are using support doing recursive lookups,
some users have attempted to use the ISP's DNS server they use for hosting
public zones, some ISP's especially the large ones have recursion disabled
on their Authoritative DNS servers. If this is the case these ISP's have
several geographically dispersed caching only DNS server to use as
resolvers.
Click to expand...

Kevin, thanks for your expertise. Yes our Wingate 6 server is actually a
Win2k member server doing Proxy jobs.

How do you like Wingate 6? We just upgraded to this version and
we still have old versions of WGIC but it seems to work. What I
am not sure with Wingate is applications are still hitting the Wingate
server even though these applications are listed in the "System
Applications"
tab in WGIC Version 6. And what is the "User Applications" tab?

You know, I thought Qbik is out of business but last week I tried
to go to their Website and they are still alive and well.

I will give the DNS changes you recommended, a shot.

Thanks again.
 
Kevin D. Goodknecht Sr. said:
I run two Wingate v6 proxies so I have quite a bit of experience in setting
these up.

So can I assume Wingate is on a member server or workstation and not a DC?
Your statement above left this unclear, if Wingate is one a DC, disable DNS
in Wingate, if Wingate is on a member, follow these instructions and make
sure the member is using one of the AD DNS servers for DNS in TCP/IP
properties.


On the MS DNS set the forwarder to The Wingate machine, then on the Wingate
machine, in Gatekeeper, Control, on the System Tab, Double click DNS\WINS
Resolver and enter your ISP's DNS server addresses.
Then on the Wingate server machine, go to Start>Programs>Wingate>Advanced
Options, Select DNS Servers, then enter the Local AD DNS server address.
This prevents Wingate from using your AD DNS server and therefore preventing
a DNS loop, this is because the Wingate DNS resolver will try to use the DNS
server in TCP/IP properties as one of its forwarders.

Make sure the ISP DNS servers you are using support doing recursive lookups,
some users have attempted to use the ISP's DNS server they use for hosting
public zones, some ISP's especially the large ones have recursion disabled
on their Authoritative DNS servers. If this is the case these ISP's have
several geographically dispersed caching only DNS server to use as
resolvers.
Click to expand...

Kevin, after I followed the above steps, I saw gatekeeper with reduced
queue on port 53 from our DNS server.

BUT there is a long queue for DNS query for "barnatrans.com". How can we
prevent a query loop?

I have added our internal DNS server in the "Advance Options", I have added
our ISP's Primary and Secondary DNS servers in the "DNS/Wins" Service in the
Systems Tab in Gatekeeper.
 
C C said:
Kevin, thanks for your expertise. Yes our Wingate 6 server is
actually a Win2k member server doing Proxy jobs.

How do you like Wingate 6?
Click to expand...

I like the features in the SMTP server for datascanning(AV plugin), spam
rejection, etc. But, I use it mostly as a mail gateway for Exchange.

We just upgraded to this version and
we still have old versions of WGIC but it seems to work. What I
am not sure with Wingate is applications are still hitting the Wingate
server even though these applications are listed in the "System
Applications"
tab in WGIC Version 6. And what is the "User Applications" tab?
Click to expand...

I don't use the WGIC I have everything proxied, and set up the proxies to
intercept connections via ENS. It has been several years since I used the
WGIC.
 
C C said:
Kevin, after I followed the above steps, I saw gatekeeper with reduced
queue on port 53 from our DNS server.

BUT there is a long queue for DNS query for "barnatrans.com". How
can we prevent a query loop?
Click to expand...

Adding the internal DNS to Advanced options should prevent DNS loops between
the Wingate DNS and the Windows DNS.
Is there a reason you might suspect barnatrans.com of causing a loop?
I have added our internal DNS server in the "Advance Options", I have
added our ISP's Primary and Secondary DNS servers in the "DNS/Wins"
Service in the Systems Tab in Gatekeeper.
Click to expand...

Did you clear the Wingate DNS resolver cache?

If your ISP is SBC, make sure you don't use their authoritative DNS as a
forwarder. I know for a fact that ns1 and ns2.swbell.net and pbi.net do not
support recursion, don't use them as forwarders.
 
Back
Top