DNS forwarders versus Root hints

Discussion in 'DNS Server' started by Lasse, Sep 20, 2007.

  1. Lasse

    Lasse Guest

    Hi

    We are currently using root hints and I am considering changing to DNS
    forwarders. Any opinions regarding this?

    We have 4 departments, HQ and 3 branch offices. The branch offices connect
    to HQ through VPN tunnels and are all configured as DNS servers using root
    hints.
    The IP settings use the local server as primary DNS server and the HQ server
    as secondary.
    I was wondering if I should change all the branch office servers to use DNS
    forwarders pointing to the HQ server and then set up the HQ server to point to
    the ISP DNS server.

    Does this sound like a bad idea?
     
    Lasse, Sep 20, 2007
    #1

  2. Anthony

    Anthony Guest

    Two different issues:
    Root hints are a sort of default forwarder for the Internet. They are there
    so that if you forget to apply a forwarder it still works. I can't see a
    reason not to use your ISP DNS as the forwarder.
    Whether you want to use your HQ DNS as a collecting point for external DNS
    queries depends on your network topology. Let's say Branch A needs to
    resolve hosts at Branch B. Should it hold a copy of Branch B's DNS zone, or ask
    a central point at HQ? However, it is going out to the Internet from its own
    router, so do you want to query HQ for every Internet address, or stay
    local? Lots of permutations and no right answer.
    Anthony,
    http://www.airdesk.co.uk
     
    Anthony, Sep 20, 2007
    #2

  3. Danny Sanders

    > We are currently using root hints and I am considering changing to DNS
    The only issue would be "how reliable are the ISP's DNS servers?" If they are
    up "24 - 7" then take your pick as to use them or not. If they have outages
    you might be better off using root hints.


    See:
    http://support.microsoft.com/kb/275278/

    hth
    DDS
     
    Danny Sanders, Sep 20, 2007
    #3
  4. Lasse

    Lasse Guest

    Thanks for the reply.

    All our branch offices connect to the Internet through HQ, so it shouldn't
    be a problem that they query the DNS at HQ.
    Each location holds a copy of the DNS zone.
     
    Lasse, Sep 21, 2007
    #4
  5. Anthony

    Anthony Guest

    In that case I would probably choose for them to forward to the HQ DNS. That
    way you can manage future changes to DNS a little more easily.
    Anthony,
    http://www.airdesk.co.uk
     
    Anthony, Sep 21, 2007
    #5
  6. ObiWan [MVP]

    ObiWan [MVP] Guest

    > We are currently using root hints and I am considering
    Yes; DNS forwarders must only be used in TWO scenarios:
    first, you have a slow WAN link, so you want to avoid timeouts
    and to do so you decide to forward all your queries toward
    external resolvers; second, you have some other domains
    for which you also handle DNS servers; in this case you may
    want to configure conditional forwarding so that queries for
    those domains will be directly forwarded to the auth servers.

    As a rule of thumb, NEVER use forwarders if you can't 100%
    trust them and/or if you don't have FULL control over them.
    The reason is simple: let's say you use your ISP DNS servers
    as forwarders; those servers are a BIG target for any attacker,
    since hitting them will result in a hit for a lot of people. So, say
    someone starts attacking your ISP DNS servers and poisons
    them; at this point the poisoning will hit YOUR DNS too!! While
    running a standard, recursive DNS (using root hints) would
    protect you from such an issue.

    HTH


    --

    * ObiWan

    Microsoft MVP: Windows Server - Networking
    http://www.microsoft.com/communities/MVP/MVP.mspx
    http://italy.mvps.org
     
    ObiWan [MVP], Sep 24, 2007
    #6
  7. ObiWan [MVP]

    ObiWan [MVP] Guest

    Agreed 100%, and not just for the above reason: using such a
    config, HQ may (if needed) implement DNS filtering to cut off
    unwanted sites; also, setting up at least a couple of DNS servers
    at HQ running as recursive resolvers will maximize the caching
    efficiency for DNS queries, and this in turn will help speed things
    up :)


    --

    * ObiWan

    Microsoft MVP: Windows Server - Networking
    http://www.microsoft.com/communities/MVP/MVP.mspx
    http://italy.mvps.org
     
    ObiWan [MVP], Sep 24, 2007
    #7
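The topology proposed in post #1 (branches forward to HQ, HQ forwards to the ISP), the reliability check from post #3, the conditional forwarding from post #6 and the pair of HQ recursive resolvers from post #7, as an added configuration example that is not code from any poster in this thread. It targets the DnsServer PowerShell module that ships with Windows Server 2012 and later; the servers discussed in 2007 would have been configured with dnscmd.exe, and the equivalent dnscmd commands are given in the comments. Every IP address, the partner domain, the script name and the Test-Resolver helper are assumptions for illustration.

```powershell
<#
  Added example for this thread (not code from any poster): branch DNS servers
  forward to HQ, HQ forwards to the ISP with root hints kept as a fallback, plus
  a conditional forwarder for a second domain whose authoritative servers you run.
  Targets the DnsServer module (Windows Server 2012 and later); dnscmd.exe
  equivalents are in the comments. All addresses and names are assumptions.
  Usage (elevated, on the DNS server itself):
    .\Set-ForwarderTopology.ps1 -Role Branch
    .\Set-ForwarderTopology.ps1 -Role HQ
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [ValidateSet('Branch', 'HQ')]
    [string] $Role
)

# Assumed addressing (RFC 1918 and documentation ranges, not from the thread).
$HqResolvers        = @('10.1.0.10', '10.1.0.11')        # two recursive resolvers at HQ (post #7)
$IspResolvers       = @('203.0.113.53', '203.0.113.54')  # ISP resolvers
$OtherDomain        = 'partner.example'                  # a domain whose auth servers you also run (post #6)
$OtherDomainServers = @('192.0.2.10', '192.0.2.11')

# Post #3's "how reliable are they?" made concrete: only keep forwarders that
# answer a query right now. -DnsOnly bypasses the local cache and hosts file.
function Test-Resolver {
    param([string] $Server)
    try {
        $null = Resolve-DnsName -Name 'www.example.com' -Type A -Server $Server -DnsOnly -ErrorAction Stop
        return $true
    } catch {
        Write-Warning "Resolver $Server did not answer: $($_.Exception.Message)"
        return $false
    }
}

switch ($Role) {
    'Branch' {
        $live = @($HqResolvers | Where-Object { Test-Resolver $_ })
        if ($live.Count -eq 0) { throw 'No HQ resolver is reachable; leaving forwarders unchanged.' }
        # Branches reach the Internet only through HQ (post #4), so a branch server
        # must not fall back to root hints: with -UseRootHint $false a query fails
        # fast when HQ is down instead of timing out against unreachable roots.
        # dnscmd equivalent:  dnscmd /ResetForwarders 10.1.0.10 10.1.0.11 /Slave
        Set-DnsServerForwarder -IPAddress $live -UseRootHint $false -Timeout 3
    }
    'HQ' {
        $live = @($IspResolvers | Where-Object { Test-Resolver $_ })
        if ($live.Count -eq 0) { throw 'No ISP resolver is reachable; leaving forwarders unchanged.' }
        # HQ forwards to the ISP but keeps root hints, so an ISP outage degrades
        # to slower iterative resolution rather than a total failure (post #3).
        # dnscmd equivalent:  dnscmd /ResetForwarders 203.0.113.53 203.0.113.54
        Set-DnsServerForwarder -IPAddress $live -UseRootHint $true -Timeout 3

        # Conditional forwarder (post #6, second scenario): queries for the other
        # domain go straight to its authoritative servers, never to the ISP.
        # dnscmd equivalent:  dnscmd /ZoneAdd partner.example /Forwarder 192.0.2.10 192.0.2.11
        if (-not (Get-DnsServerZone -Name $OtherDomain -ErrorAction SilentlyContinue)) {
            Add-DnsServerConditionalForwarderZone -Name $OtherDomain -MasterServers $OtherDomainServers
        }

        # Post #6's poisoning concern applies to any server that accepts answers
        # from a resolver it does not control. Cache locking keeps a cached record
        # from being overwritten before its TTL expires; pollution protection
        # discards records outside the subtree of the name that was queried.
        # dnscmd equivalent:  dnscmd /Config /SecureResponses 1
        Set-DnsServerCache -LockingPercent 100 -PollutionProtection $true
    }
}

# Show the resulting forwarder state and prove the local server resolves through it.
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint, Timeout
Resolve-DnsName -Name 'www.example.com' -Type A -Server '127.0.0.1' -DnsOnly
```

The branch and HQ roles differ in exactly one flag that the thread argues about: a branch sets -UseRootHint $false because it has no Internet path of its own, while HQ keeps root hints so Danny Sanders' ISP-outage case degrades gracefully instead of breaking name resolution for every office. Add-DnsServerConditionalForwarderZone is run without -ReplicationScope here so it also works on a non-domain-controller; on an AD-integrated setup you would add -ReplicationScope 'Forest' to replicate the forwarder to every DNS server.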