Question re: DNS forwarding best practices

Discussion in 'DNS Server' started by Jason, Nov 17, 2004.

  1. Jason

    Jason Guest

    Let's say you have a company with a root AD domain, and 3 child domains. Call
    the domains,,, and All
    DCs in all domains are DNS servers, and all zones are AD integrated. Some
    DCs are Win2K and some are Win2K3.

    The root domain is confined to 3 DCs at a single location, while the child
    domains have DCs spread across many locations. Each child domain has one
    primary data center, and satellite offices branch out from it in a hub and
    spoke fashion. Each remote site has its own Internet connection. Some of the
    remotes have an additional dedicated circuit back to their hub, while some use
    a site-to-site VPN back to the hub. All child domains need to be able to
    resolve devices in the root domain, but not necessarily other child domains.

    So here's the question. What would be the best way to forward DNS queries?
    The way I see it, my options are:

    1) Configure forwarders on all DNS servers to point at the DNS servers in
    the root domain, and let the root forward to the Internet.
    2) Use conditional forwarding on all DNS servers to forward the root domain
    to the root DNS servers, and all other domains to the local ISP's DNS
    servers. (although this obviously wouldn't work for the Win2K boxes)
    3) Configure the replication scope of the root domain to all DNS servers in
    all domains, and each DNS server forwards directly to its local ISP's DNS
    servers (would this work for the Win2K boxes?)
    4) Create a secondary zone for the root zone on all DNS servers, and let
    each DNS server forward directly to its local ISP's DNS server.

    Did I miss anything? Which of the options would be the most desirable? I'm
    thinking option number 3, although I don't know how that would impact the
    Win2K DNS servers, since replication scope was added in Win2K3.

    Jason, Nov 17, 2004

  2. Kevin D. Goodknecht Sr. [MVP]
    This would work, but it would mean that the root domain DNS would be
    resolving all external queries and would create a single point of failure,
    because on the child DNS servers' Forwarders tab you would need to select "Do
    not use recursion" to keep the child DNS server from trying to use Root
    Hints if the parent DNS responds a bit too slowly.

    2) Use conditional forwarding on
    Correct it won't work for the Win2k boxes

    3) Configure the replication scope of the
    No this won't work for the Win2k boxes.

    4) Create
    This would be the best way on the Win2k child boxes.
    Since you don't state what servers are Win2k and which are Win2k3 it would
    be difficult to advise you which to use.

    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    Keep a back up of your OE settings and folders
    with OEBackup:
    Kevin D. Goodknecht Sr. [MVP], Nov 17, 2004

  3. Roger Abell

    Roger Abell Guest

    One key piece of information missing here is the size and
    change rate of the root DNS zone's content. Since all DCs
    of the root domain are at the central site, I assume it is
    relatively small, and also relatively static in content.
    If this is so, I would suggest replicating it to all sites.
    To do this, where possible leverage W2k3 replication
    scopes, and otherwise secondary replication (recognizing
    that child domain DCs will need to send their DNS updates
    to a primary of the zone, so hopefully you have at least one
    W2k3 DC in each site). Also, consider that you may only
    need to replicate/transfer from the root DCs to selected DCs
    in a site (preferably two, perhaps bridgeheads) and that
    others in the site could be secondaries mastering off of these.
    In other words, I find your selection number 1 entirely
    unsatisfying due to its constant funneling of resolutions
    needlessly (? see later) back to the central site.

    For other (child) domain zones, you should carefully
    examine what needs to be resolvable where. If all zones
    are small and relatively static, you have different considerations
    than if one or more or all are large. What load is AD replication
    already placing on your links? Etc. As a generality, I would
    follow the option patterns outlined above for the root zone in
    order to get copies of the child zones where they needed to be
    with that "need" depending on your analysis of resource use
    pattern. Whether site A accesses site B machines frequently or rarely,
    for example, could guide you on whether it is better to have the
    whole zone local to site A, or build up the cache of the DNS servers
    of A on demand (size of the zone is another consideration).

    Conditional forwarding really does not come into play if you
    recognize that you must have the root zone info available to all
    DCs, whether copied there or just locatable. This itself allows
    location of all the other delegated child zones.

    I would also have all child zones copied (replicated or transferred
    as the case might allow) to the DNS servers of the root.
    If all zones are small and link capacity rich, I would lean toward
    a fully replicated/transferred strategy (for example, one zone,
    replicated where possible and transferred otherwise; or, if multiple
    zones, all zones present on all DCs). Again, that was if all zones
    are small and links capacious.

    Keep in mind that as far as resolution goes it would be possible to
    have all zones (or the one zone) on the DCs of the root domain, and
    all DNS servers of the child domains be nothing more than caching
    servers if the were a public zone, or if not by use of a
    stub or conditional forwarding to bootstrap locating the "private" This option however is unsatisfying relative to DNS
    record updating if you have lots of client machine registration (DCs
    are going to update that root zone anyway).

    The bottom line is what resolutions will be occurring where, and
    with what frequency, and then, how does the aggregate of these
    compare in overhead when over the wire compared to site local?
    The other part of the bottom line is keeping in mind what machines
    are doing DNS record dynamic updating, and to where will this
    be going (site local or over the wire). You know whether you
    are having all clients register, or only DCs and servers, etc., but
    if you can keep a primary site-local to where the registrations go,
    so much the better.

    As to internet global resolution, since you have not mentioned any
    requirements to restrain this there is not much reason to funnel these
    to a central site as compared to letting the site-local DNS servers
    work the resolutions, whether by root servers or forwarders to ISP.
    You may however want to also consider security related exposures.
    In a control-freak environment, the ability to examine sites built up
    in the DNS server cache becomes diluted when you let a couple
    DNS servers in each site work the outside queries, but you reduce
    the network loading and latency from resolutions.
    Roger Abell, Nov 18, 2004
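As an added illustration of Jason's option 4 (a secondary copy of the root zone on each child DC, with everything else forwarded to the site's ISP), and not code from the thread or its authors, the following PowerShell assumes the DnsServer module on a Windows Server 2012 or later child-domain DC (the 2004 thread would have used dnscmd or the DNS console); every zone name and address is a placeholder.

```powershell
# Added example: option 4 from the thread, on a child-domain DNS server.
# Placeholders only; replace with the real root zone, DC and ISP addresses.
$RootZone = 'corp.example'                            # placeholder root AD domain
$RootDcs  = @('10.0.0.11', '10.0.0.12', '10.0.0.13')  # placeholder root DC IPs
$ThisDc   = '10.20.0.5'                               # placeholder: this child DC
$IspDns   = @('203.0.113.53', '203.0.113.54')         # placeholder site-local ISP resolvers

# 1) On the root zone's primary, allow zone transfers only to the listed
#    child DCs. TransferAnyServer would hand the whole AD zone to anyone who
#    can reach TCP/53 on the root DCs.
Set-DnsServerPrimaryZone -ComputerName $RootDcs[0] -Name $RootZone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $ThisDc

# 2) On this child DC, host the root zone as a standard secondary mastered
#    from the root DCs, so root-domain lookups are answered site-locally
#    (this works on servers that cannot use W2k3 replication scopes).
if (-not (Get-DnsServerZone -Name $RootZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerSecondaryZone -Name $RootZone -ZoneFile "$RootZone.dns" `
        -MasterServers $RootDcs
}
Start-DnsServerZoneTransfer -Name $RootZone -FullTransfer

# 3) Send all other queries to the site's own ISP resolvers. Root-hint
#    fallback stays on: forwarding is site-local, so the central
#    single-point-of-failure concern raised against option 1 does not apply.
Set-DnsServerForwarder -IPAddress $IspDns -UseRootHint $true -Timeout 3

# (Option 3 equivalent on an all-W2k3 forest would be, on a root DC:
#  Set-DnsServerPrimaryZone -Name $RootZone -ReplicationScope Forest)

# 4) Verify: the zone is a secondary with the expected masters, and the
#    DC-locator SRV record for the root domain resolves from this server.
function Test-RootZoneLocal {
    $zone = Get-DnsServerZone -Name $RootZone
    if ($zone.ZoneType -ne 'Secondary') { return $false }
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RootZone" `
        -Type SRV -Server 127.0.0.1 -ErrorAction SilentlyContinue
    return ($null -ne $srv)
}
Test-RootZoneLocal
```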
