

DNS forwarders configuration

Question

Friday, July 26, 2019 7:24 AM

Hi All,

Recently we've done an internet failover at a site and ran into some DNS issues. I was wondering whether what we had configured is incorrect and what we can do to fix it.

For simplicity we'll use 3 DNS servers, 2 of them are located in the main site and the other is located in remote site.

1. Primary DNS at main site:

- first forwarder IP points to secondary DNS at main site

- second forwarder IP points to external DNS, eg. 8.8.8.8

2. Secondary DNS at main site:

- first forwarder IP points to primary DNS at main site

- second forwarder IP points to external DNS, eg. 8.8.8.8

3. DNS server (primary) at remote site.

- first forwarder IP points to primary DNS at main site

- second forwarder IP points to secondary DNS at main site

- third forwarder IP points to external DNS, eg. 8.8.8.8

The DNS client on the remote DNS server is configured to point to the primary and secondary DNS at the main site, and the third IP points to itself, 127.0.0.1.

Issues we found after we disconnected the WAN links:

1. Internet didn't work until I added 8.8.8.8 as one of the forwarders

2. I also had to untick "use root hints if no forwarders are available" to get the internet to work

3. DNS and internet took ages to become available

Obviously our current setup isn't correct as I've had to add 8.8.8.8 as one of the forwarders on remote DNS server to be able to connect out to the internet directly.

Questions:

1. Can I leave "use root hints if no forwarders are available" unticked?

2. I've reduced the "number of seconds before forward queries time out:" down to 1 second. What is the best practice and can I lower this down further?

3. Should 8.8.8.8 be right on the top of the forwarder, followed by main primary and secondary DNS to speed up resolution when WAN links are down?

Thank you.

All replies (8)

Saturday, July 27, 2019 6:30 PM ✅Answered

1. Can I leave "use root hints if no forwarders are available" unticked?

Port 53 needs to be opened on your network devices if you are using root hints servers.

2. I've reduced the "number of seconds before forward queries time out:" down to 1 second. What is the best practice and can I lower this down further?

As far as I know, when the server is hard down it will use the next server. Lowering it further, I think, wouldn't be a better option.

3. Should 8.8.8.8 be right on the top of the forwarder, followed by main primary and secondary DNS to speed up resolution when WAN links are down?

Your internal resolution breaks if 8.8.8.8 is your primary forwarder.

Please check if you can make use of conditional forwarding if you have specific internet domain queries.

Thank you.

Thanks HA


Saturday, July 27, 2019 9:27 PM ✅Answered | 1 vote

Hey Jamec23,

  1. We commonly untick 'use root hints' because our firewalls only allow the DCs to query approved external DNS addresses (like the upstream ISP's DNS).
  2. I've never tweaked this, but clients should normally move through their DNS lists if they don't get a response.
  3. Your list of forwarders should only contain locations to look for external records that the DNS server itself is not aware of; think of it like a default route. Normally you would only point this to another domain controller internally if the DC you're configuring it on doesn't have direct internet access itself. So I would set your forwarders to point to the upstream ISP's DNS in each location, and remove the internal DNS servers from the conditional forwards.

I hope this helps

Cheers, Ben Thomas

Microsoft Certified Professional
Microsoft MVP Cloud and Datacenter Management

Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
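As an added example (not code from this thread or from any of the posters), here is how the remote-site Windows DNS server could be configured in PowerShell along the lines of this answer: external resolvers only in the forwarder list, root hints off, and a conditional forwarder for any zone that is hosted only at the main site (such as the split zones mentioned later in the thread). It assumes the built-in DnsServer module on Windows Server; every IP address and zone name is a placeholder.

```powershell
# Added example, not from the thread. All addresses and names below are placeholders.
$ExternalResolvers = @('8.8.8.8', '8.8.4.4')      # upstream/ISP resolvers (assumed)
$MainSiteDns       = @('10.0.0.10', '10.0.0.11')  # main-site primary/secondary DNS (assumed)
$MainSiteOnlyZone  = 'intranet.example'           # zone hosted only at the main site (assumed)

# 1. Forwarders hold only external resolvers. Set-DnsServerForwarder replaces the whole
#    list, so the internal servers drop out of it. Root hints are disabled because the
#    firewall only allows outbound port 53 to approved resolvers. Timeout left at 3 s.
Set-DnsServerForwarder -IPAddress $ExternalResolvers -UseRootHint $false -Timeout 3

# 2. Zones that live only at the main site reach it through a conditional forwarder,
#    independent of the global forwarder order. Skip if a zone of that name already exists
#    locally, since a locally hosted zone and a conditional forwarder for it would conflict.
if (-not (Get-DnsServerZone -Name $MainSiteOnlyZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $MainSiteOnlyZone -MasterServers $MainSiteDns
}

# 3. Verify the resulting forwarder settings, then resolve one internal and one external
#    name through this server itself. The external lookup must not depend on the WAN.
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint, Timeout

foreach ($name in @("www.$MainSiteOnlyZone", 'www.microsoft.com')) {
    try {
        $r = Resolve-DnsName -Name $name -Server 127.0.0.1 -DnsOnly -ErrorAction Stop
        $addr = ($r | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
        '{0,-30} -> {1}' -f $name, $addr
    } catch {
        '{0,-30} -> FAILED: {1}' -f $name, $_.Exception.Message
    }
}
```

Run the script on the remote-site server during a WAN-down test: the external name should still resolve through the forwarders, and the internal name should fail only if the main site is truly unreachable.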


Monday, July 29, 2019 2:11 AM

Thanks guys.

Looks like I'll have to disable the use of root hints, as a change in the firewall rule might not be an option. I'll probably be reducing the number of forwarders as well, as our current setup contains 3 internal forwarders before it gets to 8.8.8.8.


Monday, July 29, 2019 8:43 AM

Hi,

I am glad to hear that the information is helpful to you. If you have any other question, please feel free to post in the forum.

Best regards,

Hollis

Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact [email protected].


Thursday, August 1, 2019 12:39 AM

Thanks. I actually have 1 more question.

So, we did another internet failover test last night and everything went well this time. However, it's mentioned here that if I move 8.8.8.8 to the top of the forwarder list, internal DNS resolution will fail. I just wanted to confirm that this is the case.

During testing I moved 8.8.8.8 to the top of the list with the internal forwarders sitting 2nd and 3rd, and I was able to resolve internal DNS with no issues.

What's the best setup here?


Thursday, August 1, 2019 1:37 AM

Hi,

DNS forwarding queries will follow the order in the list. As long as your internal domain name is not registered on the public network, your configuration will bring no issue. In fact, you can resolve your internal domain name successfully.

Best regards,

Hollis



Thursday, August 1, 2019 7:02 AM

Thanks. I think I'll leave the internal forwarder at the top of the list as we have multiple split zones and these may fail if 8.8.8.8 is our first forwarder.


Thursday, August 1, 2019 8:01 AM

Hi,

As you wish; it only influences the forwarding order. There is no effect on the result of your resolution. Thanks for posting your issue in the forum; if you have any other question, please let us know.

Kind regards,

Hollis
