to forward or not to forward... That is the question.


themeanies

We currently do not forward our internal DNS's external requests to our
ISPs. I have this configuration due to technical issues relating to
routing our 2 T1s that are from 2 different ISPs.

We have 2 non-AD-integrated DNS servers running on 2k3 with custom
generated zone files.

Should I reconsider forwarding our internal DNS's external requests to
our ISPs' DNS servers? What are the pros and cons and current best
practice?

Thanks,

tM
 
themeanies said:
We currently do not forward our internal DNS's external requests to our
ISPs. I have this configuration due to technical issues relating to
routing our 2 T1s that are from 2 different ISPs.

Have all your internal clients point to your internal DNS servers. Have
your internal DNS server use helpers to both your ISPs' DNS servers. I don't
foresee any issues; if they can't reach one they will query the other one.
How are you doing it now? Just using root hints?

Matt
 
Matt said:
Have all your internal clients point to your internal DNS servers. Have
your internal DNS server use helpers to both your ISPs' DNS servers. I don't
foresee any issues; if they can't reach one they will query the other one.
How are you doing it now? Just using root hints?

Matt

Thanks for your reply.

All internal clients (800 of them) point to the 2 internal DNS servers.
No forwarding currently; the DNS servers use the root hints.

I haven't used forwarding because some ISPs don't take kindly to DNS
traffic pounding their DNS servers when the traffic originates from
another ISP. Because we have all our outbound Inet traffic load
balanced out 2 different ISPs, this could potentially happen.

tM
 
themeanies said:
Thanks for your reply.

All internal clients (800 of them) point to the 2 internal DNS servers. No
forwarding currently; the DNS servers use the root hints.

I haven't used forwarding because some ISPs don't take kindly to DNS
traffic pounding their DNS servers when the traffic originates from
another ISP. Because we have all our outbound Inet traffic load balanced
out 2 different ISPs, this could potentially happen.

tM

I'm not sure I understand how you would have another ISP's traffic ask the
other one for DNS requests. Can you elaborate? You are a customer of both
ISPs, therefore you can utilize both ISPs' DNS servers.

Thanks,
Matt
MCT, MCSE
 
Matt said:
I'm not sure I understand how you would have another ISP's traffic ask the
other one for DNS requests. Can you elaborate? You are a customer of both
ISPs, therefore you can utilize both ISPs' DNS servers.

Thanks,
Matt
MCT, MCSE

Well, I'm not the network engineer, but this is how I understand it:

We have a border router with 2 T1s that go to 2 different ISPs. The
router does BGP, I think, to determine the shortest path to the target plus some
load balancing logic. Internally we have no way to determine which path
Inet traffic will take unless we specifically tell the routers which
path certain internal IPs are to take. So a recursive DNS request
could potentially go out ISP1's T1, and if I have ISP2's DNS as the
forwarding target, the above situation could occur.

It seems to me that forwarding introduces several uncontrollable
variables for me, so I was looking for a compelling reason to/not to
forward.

tM
 
themeanies said:
Well, I'm not the network engineer, but this is how I understand it:

We have a border router with 2 T1s that go to 2 different ISPs. The
router does BGP, I think, to determine the shortest path to the target plus some
load balancing logic. Internally we have no way to determine which path
Inet traffic will take unless we specifically tell the routers which path
certain internal IPs are to take. So a recursive DNS request could
potentially go out ISP1's T1, and if I have ISP2's DNS as the forwarding
target, the above situation could occur.

I don't think you are using BGP.

Matt
 
If my DNS servers can handle the traffic and can reach external networks
(internet, for example), I just let them use Root-Hints. I typically forward
to ISPs in situations where there is a special requirement that prohibits
the DNS server from going outside the immediate network.

And, yes, BGP is the term you were trying to describe.

--


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 
themeanies said:
Well, I'm not the network engineer, but this is how I
understand it:

We have a border router with 2 T1s that go to 2
different ISPs. The router does BGP, I think, to
determine the shortest path to the target plus some load
balancing logic. Internally we have no way to determine
which path Inet traffic will take unless we specifically
tell the routers which path certain internal IPs are to
take. So a recursive DNS request could potentially go
out ISP1's T1, and if I have ISP2's DNS as the forwarding
target, the above situation could occur.

It seems to me that forwarding introduces several
uncontrollable variables for me, so I was looking for a
compelling reason to/not to forward.

tM

It is totally irrelevant which ISP's DNS gets used as a forwarder, as long
as both DNS servers serve the same Internet root. This will most likely be
the ICANN root; there could be a possible issue if one ISP serves the ICANN
root and one serves the ORSC root.
You might test all the DNS servers to see which answers faster and use it at
the top of the forwarders list.
 
And this is the answer.

themeanies said:
Should I reconsider forwarding our internal DNS's external requests to our ISPs' DNS servers?

See the answer.

themeanies said:
What are the pros and cons and current best practice?

See the answer.
 
t> We have a border router with 2 T1's that go to 2 different ISP's.
t> The router does BGP I think to determine shortest path to target plus
t> some load balancing logic. Internally we have no way to determine
t> which path Inet traffic will take unless we specifically tell the
t> routers which path certain internal IP's are to take. So a recursive
t> DNS request could potentially go out ISP1's T1 and if I have ISP2's
t> DNS as the forwarding target, the above situation could occur.

And since ISPs are gradually learning the wisdom of not providing
promiscuous proxy DNS service to Internet at large, you have no way of
determining whether (a) your DNS query datagrams will even reach your
target forwardee (since the way of not providing promiscuous proxy DNS
service is to restrict what traffic, from whom, can actually reach the
server in the first place), and (b) your target forwardee will provide
proxy DNS service to you (since an incorrect, but nonetheless used, way
to try not to provide promiscuous proxy DNS service is to adjust what
service is provided according to the apparent source).
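The two points above, Kevin's suggestion to test which candidate DNS server answers fastest and put it at the top of the forwarders list, and the warning that a forwardee may be unreachable from your source address or may decline to recurse for you, can be checked with one probe per candidate. The script below is an added example, not code from anyone in this thread or from the Windows DNS service: it sends a single recursive A query over UDP, times the reply, and reads the header bits that decide whether the server is usable as a forwarder (RCODE 5 REFUSED, or the RA bit clear, both mean it will not serve your queries). The server addresses in SAMPLE_RESPONSES are constructed documentation-range placeholders, not real ISP resolvers, and fake_probe replays them so the ranking runs offline; probe_udp is the live version.

```python
import random
import socket
import struct
import time

# DNS header flag bits and the RCODE values this check cares about (RFC 1035).
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qid):
    """Build a single A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def make_response(qid, flags, answer_count):
    """Construct a minimal response header (sample data for offline runs)."""
    return struct.pack("!HHHHHH", qid, flags, 1, answer_count, 0, 0)


def parse_response(data, qid):
    """Read the header fields a forwarder check needs; reject ID mismatches."""
    if len(data) < 12:
        raise ValueError("response shorter than a DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid:
        raise ValueError("transaction ID mismatch")
    return {"qr": bool(flags & FLAG_QR), "ra": bool(flags & FLAG_RA),
            "rcode": flags & 0x000F, "answers": an}


def probe_udp(server, name="www.example.com", timeout=2.0):
    """Send one recursive query to server:53 over UDP and time the reply.
    Returns (elapsed_seconds, parsed_header) or (None, "timeout")."""
    qid = random.randint(0, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        start = time.monotonic()
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(512)
        return time.monotonic() - start, parse_response(data, qid)
    except OSError:  # socket.timeout is a subclass; also covers ICMP unreachable
        return None, "timeout"
    finally:
        sock.close()


def classify(elapsed, parsed):
    """Map a probe result to a verdict on the server's usefulness as a forwarder."""
    if elapsed is None:
        return "unreachable"   # query never reached it, or the reply was dropped
    if parsed["rcode"] == 5:
        return "refused"       # server declines to serve this source address
    if not parsed["ra"]:
        return "no-recursion"  # it answered, but will not recurse for us
    if parsed["rcode"] == 0 and parsed["answers"] > 0:
        return "ok"
    return RCODE_NAMES.get(parsed["rcode"], "unknown")


def rank_forwarders(servers, probe=probe_udp):
    """Probe each candidate; return usable servers fastest-first, plus the rejects."""
    usable, rejected = [], []
    for server in servers:
        elapsed, parsed = probe(server)
        verdict = classify(elapsed, parsed)
        if verdict == "ok":
            usable.append((elapsed, server))
        else:
            rejected.append((server, verdict))
    usable.sort()
    return [server for _, server in usable], rejected


# Constructed sample: documentation-range addresses standing in for ISP resolvers.
SAMPLE_RESPONSES = {
    "192.0.2.10": (0.045, make_response(0x1234, 0x8180, 1)),    # recursive answer, slower
    "192.0.2.20": (0.012, make_response(0x1234, 0x8180, 1)),    # recursive answer, faster
    "198.51.100.5": (0.008, make_response(0x1234, 0x8185, 0)),  # REFUSED
    "198.51.100.6": (0.010, make_response(0x1234, 0x8100, 0)),  # RA bit clear
    "203.0.113.9": (None, None),                                # no reply at all
}


def fake_probe(server, name="www.example.com", timeout=2.0):
    """Offline stand-in for probe_udp that replays SAMPLE_RESPONSES."""
    elapsed, raw = SAMPLE_RESPONSES[server]
    if elapsed is None:
        return None, "timeout"
    return elapsed, parse_response(raw, 0x1234)


if __name__ == "__main__":
    order, rejects = rank_forwarders(list(SAMPLE_RESPONSES), probe=fake_probe)
    print("forwarders, fastest first:", order)
    print("rejected:", rejects)
```

Run it against real candidates with rank_forwarders(["ip1", "ip2"]) from a host on the same path your DNS servers use; a server that lands in the rejects list with "refused" or "no-recursion" is exactly the case described above, and a single UDP probe is only a snapshot, so repeat it a few times before reordering the forwarders list.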
 
Deji said:
If my DNS servers can handle the traffic and can reach external networks
(internet, for example), I just let them use Root-Hints. I typically forward
to ISPs in situations where there is a special requirement that prohibits
the DNS server from going outside the immediate network.

And, yes, BGP is the term you were trying to describe.

Maybe BGP -- However, it could be a load balanced NAT'd environment too.
 