Recursive lookups


Greg Richards

How come if I disable recursive lookups I cannot browse outside sites?
DNSstuff dings me if I leave recursive on. Any ideas?

2 more questions: Can I prevent access to the DNS server by IP address in
the DNS manager, or is it usually done at the firewall?
Lastly, is there any way to set up a template for adding domains? Like the
contact and serial number, etc.?

Thanks
Greg
 
> How come if I disable recursive lookups I cannot browse outside sites?

Cause you need either forwarders or root-hints. Using forwarders, your dns
server will send a recursive query to the forwarder and expect a reply. If
using root-hints, the dns server will send non-recursive queries to the best
name servers it knows about or will start from the root on down. If you
disable recursion in the advanced tab, it will only reply with local data
and not use forwarders or hints. HTH.

> DNSstuff dings me if I leave recursive on. Any ideas?

Dings what? If your public dns is authoritative for the name, it should find
the name regardless of that check box.

> 2 more questions: Can I prevent access to the DNS server by IP address in
> the DNS manager, or is it usually done at the firewall?

You can set what IP the dns server listens on and remove any you don't want
it to listen on. Firewall is always a good idea.

> Lastly, is there any way to set up a template for adding domains? Like the
> contact and serial number, etc.?

Look at the zone file in .../dns (i.e. myzone.com.dns). You can use that as
a template for new zones or make one up.
 
GR> How come if I disable recursive lookups I cannot browse
GR> outside sites?

Because your DNS server does not have the entire contents of the public DNS
database to hand locally. To look up information in the distributed public
DNS database, it needs to send back-end queries to the servers that publish
the relevant portions of the database. Sending back-end queries to other
DNS servers is, of course, the definition of recursion.

GR> DNSstuff dings me if I leave recursive on. Any ideas?

Use separate DNS servers for your content and proxy DNS services.

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-server-roles.html>

GR> Can I prevent access to the DNS server by IP address in
GR> the DNS manager

Not effectively.

GR> is it usually done at the firewall?

No. It's *usually* done by using RFC 1918 private addresses.

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-server-roles.html#ProxyIP>

For a DNS server that needs to be accessible through a firewall in the
first place, IP address restriction is usually completely inappropriate
anyway.

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-shaped-firewall-holes.html>

GR> is there any way to set up a template for adding domains?

Not in Microsoft's DNS server, no. Other DNS server software has
mechanisms for simply generating the data for "zones" from templates.
Microsoft's does not. (However, one can use server-side aliasing in
Microsoft's DNS server to make two "zones" server-side aliases of each
other, as long as one doesn't use Active Directory integrated "zones",
by having them use the same database source file.)
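
An added example, not part of any post in this thread: a minimal check of whether a DNS server offers recursion to the client asking, which is the behaviour the replies above describe. It assumes the DNSstuff "ding" is an open-recursion test (the thread does not say so); all function names and the sample replies are constructed for illustration.

```python
import socket
import struct

def build_query(name, qtype=1, txid=0x1234, rd=True):
    """Encode a one-question DNS query (RFC 1035); rd sets Recursion Desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def classify(response, txid=0x1234):
    """Classify the reply to an RD=1 query for a name the server does NOT host."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & 0x8000:       # wrong ID or QR bit clear
        raise ValueError("not a response to this query")
    aa, ra, rcode = bool(flags & 0x0400), bool(flags & 0x0080), flags & 0x000F
    if rcode == 5:
        return "refused"                        # server declined this client
    if ra and rcode == 0 and an > 0 and not aa:
        return "open-recursion"                 # it fetched the answer for us
    if not ra:
        return "content-only"                   # local data or referral only
    return "inconclusive"                       # e.g. AA set: name is hosted here

def sample_response(query, flags, answers=0):
    """Constructed reply for offline use (not captured traffic)."""
    hdr = query[:2] + struct.pack("!HHHHH", flags, 1, answers, 0, 0)
    # One A record pointing back at the question name, address from TEST-NET-1.
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return hdr + query[12:] + rr * answers

def probe(server, name="example.com", timeout=3.0):
    """Send the query over UDP to a server you administer and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return classify(s.recv(512))

def demo():
    """Classify three constructed replies: recursion on, recursion off, refused."""
    q = build_query("example.com")
    cases = [(0x8180, 1), (0x8100, 0), (0x8105, 0)]
    return [classify(sample_response(q, f, n)) for f, n in cases]
```

Run `probe()` from an address outside your own network: "open-recursion" there is the result an external checker would flag, while the same result from an internal client is what browsing outside sites depends on.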
 