Recursive VS Open DNS

  • Thread starter Thread starter Bob Dole
  • Start date Start date
B

Bob Dole

How do you make a DNS server recursive without ending up also making it an
Open DNS????

If you turn Recursive off, that also turns off DNS Forwarding.

All my DNS does is answer quires from the internet. How can I get it to be
recursive???

Thanks
 
Read inline please.

In
Bob Dole said:
How do you make a DNS server recursive without ending up also making
it an Open DNS????
Click to expand...

In short, you can't, the reason for disabling recursion is to prevent it
from being used as a non-authoritative resolving DNS and slowing its
response time for Authoritative queries. If it is heavily loaded resolving
other domains, it may not respond quickly enough for authoritative queries.
If you turn Recursive off, that also turns off DNS Forwarding.
Click to expand...

That is correct.
All my DNS does is answer quires from the internet. How can I get it
to be recursive???
Click to expand...

By clearing the "Disable recursion" checkbox on the Advanced tab.
If this DNS server doesn't need to resolve queries it is not Authoritative
for, then you can leave recursion disabled.



--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
 
Good answers but I still don't get it. Do I have to have 2 DNS servers
then? One to be authoritative for my websites, email server and then
another to be recursive for my internal network? I have looked for a DNS
layout/design setup but can't find one anywhere. I'm getting ready to
switch to a Windows 2003 network so I would like to set it up correctly.

Right now my clients have their primary DNS setting pointing to my
Authoritative DNS server (which is set to be NOT recursive) so that really
doesn't make any sense at all because the clients are really get the
recursive lookup from the secondary DNS setting.

It really looks like I need 4 DNS servers. 2 to be authoritative for my
websites, email server. And then 2 to be my internal Primary and Secondary
DNS that I set my clients to use. So these will be recursive and Open. Is
that what I have to do???

Thanks again.
 
Read inline please.

In
Bob Dole said:
Good answers but I still don't get it. Do I have to have 2 DNS
servers then? Yes.

One to be authoritative for my websites, email server
and then another to be recursive for my internal network? Yes.

I have
looked for a DNS layout/design setup but can't find one anywhere.
I'm getting ready to switch to a Windows 2003 network so I would like
to set it up correctly.
Click to expand...

Here is the main thing you have to look at, your internal network must have
a DNS server that can resolve internet names and resolve servers on the
internal network to the local IP addresses. If you also want to host your
own public zones, that DNS server must return only IP addresses that can be
used by internet users. If your DNS returns records that have internal IPs,
your sites and servers will not be available.
Right now my clients have their primary DNS setting pointing to my
Authoritative DNS server (which is set to be NOT recursive) so that
really doesn't make any sense at all because the clients are really
get the recursive lookup from the secondary DNS setting.

It really looks like I need 4 DNS servers. 2 to be authoritative for
my websites, email server. And then 2 to be my internal Primary and
Secondary DNS that I set my clients to use. So these will be
recursive and Open. Is that what I have to do???
Click to expand...

RFCs require at least two DNS servers for public domains. It doesn't mean
you need two DNS servers, but you need someone to host Secondary zones for
you it you don't. It is wise to have someone else host Secondary zones and a
backup mail server so that if your link goes down you're not dead in the
water without a row. Some ISPs will do this for you, whether yours does or
not you'll need to drop them a line to find out. As for whether you actually
need two internal DNS servers for your clients, that depends on how many
clients you have and how important it is to you to have internal redundancy.


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
 
BD> How do you make a DNS server recursive without ending up
BD> also making it an Open DNS????

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/proxy-server-ip-
addresses.html>

BD> All my DNS does is answer quires from the internet.
BD> How can I get it to be recursive???

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-server-
roles.html>
<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-obtaining-
proxy-service.html>

If that is all that your DNS server does, turning off recursion is
entirely correct.
 
Bob Dole said:
Good answers but I still don't get it. Do I have to have 2 DNS servers
then?
Click to expand...

Perhaps, but in general for a small Internet presence (anyone asking this
question or struggling with the issue) you really SHOULD have your
PUBLIC DNS handled by the REGISTRAR (GoDaddy, Register.com etc.)

You shouldn't be running it yourself for the reason you have seen and
also because technically it is an Internet "Business Rule" that you have
(at least) TWO PUBLIC servers anyway -- which makes 3 or 4 as
the minimum.

The registrar will give you the 2 public ones for free in almost all cases
and let you manage YOUR settings in a nice web interface.
One to be authoritative for my websites, email server and then another to
be recursive for my internal network?
Click to expand...

Yes. You run the internal ones, let the Registrar provide the external
ones.
I have looked for a DNS layout/design setup but can't find one anywhere.
I'm getting ready to switch to a Windows 2003 network so I would like to
set it up correctly.

Right now my clients have their primary DNS setting pointing to my
Authoritative DNS server (which is set to be NOT recursive) so that really
doesn't make any sense at all because the clients are really get the
recursive lookup from the secondary DNS setting.

It really looks like I need 4 DNS servers. 2 to be authoritative for my
websites, email server. And then 2 to be my internal Primary and
Secondary DNS that I set my clients to use. So these will be recursive
and Open. Is that what I have to do???
Click to expand...


--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com (phone on web site)

If you use LinkedIn then tell me where you know me from when linking:

http://www.linkedin.com/in/herbmartin
 
Actually, each A-D Domain controller should also be a DNS server.

DNS Architecture is fairly straight-forward, especially if you want any sort
of security.
1) All your interanet hosts should be on their own Top-Level directory and
you should have your own Root. These same hosts should also be on NET10
(10.0.0.0/8).
2) All access to the public Internet should be via NAT gateways.
3) Access to your Intranet, from a sister site, should be via VPN tunnels
and they should share the same NET10 domains.
4) Internet services should only be via heavily firewalled, dual-port,
perimeter servers.
5) As a practical consideration, public DNS references should never be
provided from a Windows DNS. Use only ISC BIND, the reference standard,
preferably on a isolated, from your intranet, Linux untility server, using
ICANN root zone (okay, color me paranoid).
6) Internal root zone can be served from Windows DNS, no problem, including
any internal top-level domains that you need. These same DNS servers can
also handle all your internal DNS resolution needs. It's mostly a
configuration issue.
7) These same internal TLD DNS servers should only be available to your
intranet, on NET10, and in no way be accessible from the public internet.

What the above does is essentially bypass the root-servers.net system,
substituting your own root for them and resolves directlly to
gtld-servers.net. Your own ISP becomes irrelevent and even redundant. Don't
forget to adjust in-addr.arpa as well. Someday, I'll detail this all in one
of my wikis.
 
RM> 5) As a practical consideration, public DNS references should
RM> never be provided from a Windows DNS. Use only ISC BIND,
RM> the reference standard, [...]

That is ridiculous advice that has no basis in fact. There are plenty
of softwares that one can use in place of ISC's BIND; there is zero
reason to recommend using only BIND; and there are indeed good reasons
to use other softwares in place of BIND. Moreover: There is no reason
that, properly oonfigured, Microsoft's DNS server cannot be used to
provide content DNS service to the rest of Internet. It is on an
entirely equal footing with BIND in this regard.

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-monolithic-
server-as-content.html>
 
Back
Top