

Using multiple DNS forwarders is not working as expected

Question

Wednesday, January 27, 2016 2:38 AM

Our domain controllers are configured to use two BIND DNS servers as forwarders.  One of those BIND DNS servers is on the east coast and one on the west coast.  (For this example call them NS-East and NS-West respectively)

  • East Coast domain controllers are configured to use NS-East and NS-West (in that order) as forwarders.
  • West Coast domain controllers are configured to use NS-West and NS-East (in that order) as forwarders.

When querying for an A record for an Akamai edge server, for example, under normal operating conditions we would want to return the IP address of a west coast edge server when the client is on the west coast and querying a west coast domain controller; and return an east coast edge server when the client is on the east coast.

Microsoft's documentation seems to indicate that when multiple DNS forwarders are configured we should expect that a query would only be sent to the first IP address in the list of forwarders; if that server doesn't respond within the configured timeout period (3s) it would query the second IP address in the list of forwarders.

However, we are seeing in a Wireshark capture that an East Coast Domain Controller is essentially sending out both requests asynchronously (separated by 21ms) to both the east coast (NS-East) and west coast (NS-West) BIND DNS servers.  NS-East responds (it's closer), then NS-West responds 32ms later.  Both responses are for valid records -- the NS-East server sends back an IP address for an east coast Akamai edge server; the NS-West server sends back an IP address for a west coast Akamai edge server, but for some reason the east coast Domain Controller DNS selected the NS-West response that arrived 32ms later and sent that back to the client (dig).

Can someone help explain why we might not be seeing the expected behavior?  There don't appear to be any configuration options for forwarders other than the timeout value and the order of preference of the forwarders listed.

Thanks

-Greg
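The two configuration knobs the post mentions (forwarder order and the timeout) can be inspected and enforced from PowerShell, and the same script can then issue a test query against an east and a west DC to compare which forwarder's answer each one hands back. This is an added example, not code from the thread or from Microsoft's documentation; the DC names, the 65.x.x.x/204.x.x.x addresses and the test hostname are placeholders, and the cmdlets assume the DnsServer module (Windows Server 2012 or later) with DNS administrator rights on the DCs.

```powershell
# Added example (not from the thread): check and enforce forwarder order on each DC,
# then query both DCs for the same name and compare the answers they return.
# Requires the DnsServer PowerShell module (Windows Server 2012 or later) and
# DNS admin rights on the DCs. All names and addresses below are placeholders.

$nsEast = '65.0.0.1'    # placeholder for NS-East (thread shows 65.x.x.x)
$nsWest = '204.0.0.1'   # placeholder for NS-West (thread shows 204.x.x.x)
$dcs = @{
    'DC-East01' = @($nsEast, $nsWest)   # east coast DCs: NS-East first
    'DC-West01' = @($nsWest, $nsEast)   # west coast DCs: NS-West first
}

foreach ($dc in $dcs.Keys) {
    # Current forwarder list (in order), per-forwarder timeout and the reordering flag
    $fw = Get-DnsServerForwarder -ComputerName $dc
    '{0}: forwarders={1} timeout={2}s reordering={3}' -f $dc,
        ($fw.IPAddress.IPAddressToString -join ', '), $fw.Timeout, $fw.EnableReordering

    # Enforce the intended order; -IPAddress replaces the whole list in the order given
    Set-DnsServerForwarder -ComputerName $dc -IPAddress $dcs[$dc] -Timeout 3
}

# Flush each DC's cache so the test query really goes out to a forwarder, then
# resolve the same name through each DC and compare the A records returned.
$name = 'edge.example.invalid'   # placeholder for the Akamai-hosted name under test
foreach ($dc in $dcs.Keys) {
    Clear-DnsServerCache -ComputerName $dc -Force
    $answer = Resolve-DnsName -Name $name -Type A -Server $dc -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' }
    '{0} returned: {1}' -f $dc, (($answer.IPAddress) -join ', ')
}
```

Run the script from a management host that can reach both DCs; running it alongside a packet capture on the DC (as the post did with Wireshark) shows whether the queries to the second forwarder still go out when the first one answers inside the configured timeout.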

All replies (2)

Wednesday, January 27, 2016 7:22 AM

Hi gregd7,

Thank you very much for your detailed explanation.

I have built a new environment and tested your issue.

Here are the results:

When the first forwarder couldn't resolve the query, the second forwarder took over the query.

Forwarder configuration tips:

https://technet.microsoft.com/en-us/library/cc773379(v=ws.10).aspx

Thanks again for posting here.

Best regards,

Andy_Pan


Wednesday, January 27, 2016 2:52 PM

Thanks for the reply Andy_Pan.

In our case a query is sent first to NS-East (65.x.x.x), then a short time later a query is sent to NS-West (204.x.x.x).

Both DNS forwarders respond with what appears to be a valid result.  The NS-West forwarder returns a west coast edge server IP address; the NS-East forwarder returns an east coast edge server IP.

The East Domain Controller sends the response from NS-West back to the client despite receiving a valid response from NS-East first.

Based on the documentation, since NS-East responds in less than the 3 second timeout period, I would expect the domain controller to take that result and pass it to the client.  I wouldn't expect to even see the request to NS-West.