Windows 2008 DNS forwarders and root hints

Discussion in 'DNS Server' started by David Chadwick, Apr 12, 2009.

  1. Hi,

    I think I have found a bug in the Windows 2008 DNS management tool.

    From within the DNS tool right-click a DNS server and click Properties then
    select the Forwarders tab. There is a checkbox on this screen called "Use
    root hints if no forwarders are available". Toggling this checkbox causes a
    DWORD called IsSlave at
    HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters to change between 0
    and 1.

    When the checkbox is selected, IsSlave is set to 1. When the checkbox is
    cleared, IsSlave is set to 0. I have tested this on four different Windows
    2008 DNS servers and got the same results on all of them.

    I believe that this behavior is the reverse of what it should be. When "Use
    root hints if no forwarders are available" is selected, IsSlave is set to 1
    which causes the DNS server *NOT* to use root hints. If the forwarding
    fails, the DNS server does not attempt recursion and the query fails.

    If "Use root hints if no forwarders are available" is cleared, IsSlave is
    set to 0 which causes the DNS server to use recursion. If the forwarding
    fails, the DNS query is still successful as the server uses the root hints
    and performs recursion.

    Surely this is completely the opposite of what should happen? Selecting
    "Use root hints" causes the server NOT to use root hints, and clearing "Use
    root hints" causes it to use them.

    Can someone else confirm this behavior? Am I missing something?

    Cheers,
    David
     
    David Chadwick, Apr 12, 2009
    #1

  2. The value of IsSlave depends on whether Forwarders were configured.
    However if you disable recursion under the Forwarders tab (not the advanced
    tab), it will not use the Roots and only use the Forwarders. It is
    recommended to put only one forwarder in for efficiency (this recommendation
    is in the article below).

    The following is quoted from:
    Microsoft DNS Server Registry Parameters, Part 1 of 3
    http://support.microsoft.com/kb/198408

    "When a DNS server is using Slave (and Forwarders -- see Forwarders key
    description), it can stop and fail the query when it does not get a response
    from any of the forwarders servers /Vs Forwarders: configuration where the
    DNS server can attempt to resolve the query itself using normal iterative
    queries. The key is NOT read if Forwarders are not configured. If the
    IsSlave key does not exist or is zero, the DNS falls back to normal
    recursive query resolution when forwarders fail to respond.

    If the IsSlave key is nonzero, the server fails (answers the original query
    with SERVER_FAILURE) when the forwarders do not respond. "


    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
    Microsoft Certified Trainer


    For urgent issues, you may want to contact Microsoft PSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.
     
    Ace Fekay [Microsoft Certified Trainer], Apr 13, 2009
    #2

  3. Hi Ace,

    Did you read my message at all? :) Based on your reply, I would suggest
    not. ;)

    Just in case I wasn't clear:

    I am using the Windows 2008 DNS tool to configure a Windows 2008 DNS server.
    I have a forwarder configured (only 1). If you do not have a forwarder
    configured then the "Use root hints if no forwarders are available" option
    on the Forwarder tab is greyed out (and the IsSlave registry key
    disappears). I am not talking about the option on the Advanced tab (I know
    that is different). The option I am talking about used to be called "Do not
    use recursion for this domain" in Windows 2003. It is now called "Use root
    hints if no forwarders are available" in Windows 2008.

    The wording of this suggests to me that if this option is ticked, the server
    should use recursion and the root hints. If the option is unticked, the
    server should NOT use recursion. Is that not how you would read it?

    My point is that if you select the option to use root hints, Windows 2008
    DNS does *not* use root hints (instead it fails). If you CLEAR the option
    to use root hints then Windows 2008 DNS *does* use root hints. The bug is
    that it works completely the reverse of how it should. I have verified this
    on 4 or more servers now. This option is setting the IsSlave registry key
    to 0 when it should be setting it to 1, and to 1 when it should be setting
    it to 0.

    I'd love for someone to confirm this - I don't think I am going mad. I have
    triple checked this....

    Cheers,
    David
     
    David Chadwick, Apr 13, 2009
    #3
  4. Hi David,

    I did read it, and I believe my reply was based on that setting, that is, it
    depends on if it is checked or not if you have a forwarder set. Maybe I
    didn't elaborate on that part. Hmm, I can understand the confusion. Let me
    try to elaborate more in detail and hopefully that will clear it up.

    I know it grays out if there are no forwarders, otherwise it would be a moot
    setting.

    The way I look at it is, using forwarders is a recursion. When the IsSlave
    setting is set, it is performing a recursion (acting like a DNS client
    asking another DNS server), but using the Roots is an iterative query,
    meaning that DNS will attempt to devolve the name starting with the TLD,
    therefore taking www.microsoft.com, for example, it asks the Roots for the
    server that hosts the 'com' TLD, which refers it to the nameservers that
    host the TLD, then asking it for the 2nd level, or 1st level - for
    'microsoft' which then queries Microsoft's nameservers for www. So in
    essence in the Roots, it starts as an iterative, but turns into a recursive
    when it queries Microsoft's nameservers.

    So look at it this way, the IsSlave setting when enabled, basically says it
    will be a slave, or a recurser sending the query elsewhere, such as to a
    forwarder, which is another DNS server, essentially acting like a DNS
    client.

    Do not use recursion for this domain will disable recursion and not be a
    slave and will use the Roots performing iterative queries.

    Use root hints if no forwarders are available basically does the same thing,
    it is not a slave and will use the Roots performing iterative queries.

    So if the 2003 setting is not checked (it doesn't gray out) but the IsSlave
    settings, and a few others regarding forwarding, disappear, or 2008 has no
    forwarders set (where it grays out), I would understand why the IsSlave
    setting disappears in 2008. It makes sense correlating it with whether it is
    a slave DNS or performing a devolving iterative query to the Roots.

    I hope that helps, and I understood what you are asking, and were able to
    provide a better response... unless my logic is flawed or I messed up
    something.

    Cheers!

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 13, 2009
    #4
  5. Hi Ace,

    Thanks for the reply - I understand what you are saying. However I still
    want to state my main point again and see what you think.

    I understand DNS enough to "get around" - not as well as you, but I have a
    reasonable understanding of a devolving iterative query starting with the
    roots versus a recursive query to a forwarder.

    I'll try and be concise! :)

    Firstly - I am only interested in Windows 2008 using the Windows 2008
    management tool here. In this scenario, the setting I am asking about is on
    the Forwarder tab and is called "Use root hints if no forwarders are
    available". Toggling this checkbox simply changes IsSlave from 0 to 1 and
    back again.

    I think this is the same thing as ticking "Do not use recursion" when "All
    other DNS Domains" is selected in Windows 2003. To my knowledge, this
    toggles IsSlave between 0 and 1 also. For the purpose of my question this
    is not relevant. I am only interested in the Windows 2008 tool.

    Essentially all I am saying is that I believe the tool incorrectly sets the
    option back to front. When you TICK "Use root hints if no forwarders are
    available", this actually sets IsSlave to 1 which tells the DNS server *not*
    to use the root hints. If the forwarder is not available, the DNS query
    fails (the server makes no attempt to perform a devolving iterative query to
    the roots).

    If I UNTICK "Use root hints if no forwarders are available", this sets
    IsSlave to 0 which tells the DNS server to use the root hints. If the
    forwarder is not available, the DNS server performs a devolving iterative
    query against the roots and the query succeeds.

    Am I making sense? Unless I am totally missing something, the Windows 2008
    tool is getting it completely wrong. If I tick the option to use the root
    hints, it should use the root hints! This could be fixed in two ways -
    either the tool needs to reverse when it sets IsSlave to 0 and 1 (swap it
    around), or they could re-write the option to be called something like "Do
    not use root hints if no forwarders are available".

    Am I making sense? Can you confirm what I am saying? I am not confused
    about what IsSlave does - I think I understand it pretty well. I just
    believe the interface is doing exactly the opposite of what it should be
    doing based on what the option says. Either that or I am completely
    misunderstanding something....

    Cheers,
    David
     
    David Chadwick, Apr 13, 2009
    #5
  6. As expected, based on my previous explanation.
    Similar setting with 2003, but 2008 does everyone a favor by graying it out
    if no forwarder is present, which forces it to use the forwarders and the
    IsSlave disappears.
    You are making sense in your statement, but I didn't see it testing it. I
    spent a good 30 minutes messing with this, and each time I was able to
    successfully resolve queries. Here are my steps. Check them out. If they
    differed from yours, let me know.
    ===
    Forwarders present:
    Ticked "use Root hints if no forwarders are available"
    Refreshed reg
    IsSlave = 1 (means it will recurse using forwarders)
    List of forwarders remained in reg

    Deleted the forwarders while the box was still ticked.
    Checkbox grayed out, but remained ticked
    Refreshed Reg
    IsSlave setting disappeared (meaning it becomes an iterative resolver to use
    Roots)
    So I assume it will now use the Roots
    Tested with nslookup.
    Made sure it was using this DNS server.
    Resolved microsoft.com successfully.

    Cleared DNS server cache (no need to clear local cache because nslookup has
    its own resolver and cache for each session)
    exited nslookup
    Tried again, successfully resolved microsoft.com and endoftheinternet.com (I
    chose that because I was not at that site in at least 2 years to ensure it
    is not cached anywhere)
    So it can resolve fine using the Roots
    Just in case, I set nslookup to diagnostic mode by using: set d2
    Ran another query for beginningoftheinternet.com
    Successfully resolved it using the Roots.

    While the grayed out box was still ticked
    I created a forwarder to 4.2.2.2
    Refreshed Registry
    IsSlave setting reappeared = 0 (means it should only use Roots)
    Unticked the checkbox
    Refreshed Registry
    IsSlave setting still = 0
    Invoked a new instance of nslookup
    Resolved intel.com successfully

    removed forwarder
    Unticked the box
    hit apply
    Refreshed reg
    IsSlave disappeared
    Resolved highpoint-solutions.com successfully

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 13, 2009
    #6
  7. Hi Ace,

    Thank you so much for being so diligent about this! Your steps are very
    clear and you are getting the same results that I am getting.
    This is the same behaviour that I see. The only thing we differ on is what
    it SHOULD be doing. There is a forwarder present, we have ticked the option
    "Use root hints if no forwarders are present" and IsSlave is set to 1. As
    you correctly stated, with IsSlave being set to 1 this tells DNS that it can
    ONLY resolve DNS by doing a recursive query to the forwarder. However, the
    option we have ticked is called "Use root hints if NO forwarders are
    available". To me this means if the server is unable to contact the
    forwarder then it should use an iterative query to the root hints. So it
    should try a recursive lookup against the forwarder FIRST... if the
    forwarder is not there it should fall back to using the root hints.
    However, as IsSlave is set to 1 it does not fall back to anything. So in
    this case if you set a fake forwarder (4.2.2.2) and this option is ticked,
    DNS will fail. This is completely the opposite of what should happen.
    I agree with all this. If the forwarders are deleted the option is greyed
    out and IsSlave disappears. This is correct behavior and I am not
    suggesting there is a problem here. The problem I am seeing ONLY occurs if
    a forwarder IS present. IsSlave is set to the opposite value of what it
    should be set to based on the "Use root hints if no forwarders are
    available" option.
    Yep - still agree with this. You do not currently have a forwarder set and
    iterative queries work perfectly (IsSlave is gone).
    This is also the behavior I am seeing, but it is not correct! You have a
    forwarder set (in this case, you have set it to a nonsense value so that it
    doesn't work). You have unticked "Use root hints if no forwarders are
    available" yet it is still working! This is exactly what I am saying. With
    the option unticked, the server should NOT use the root hints but it does!
    You will also find if you tick the option (telling it to use the root hints)
    and you keep the 4.2.2.2 forwarder then it will stop using the root hints
    and DNS queries will fail. Again this is totally the opposite of what
    should happen. Ticking the option which tells it to use the root hints
    causes the server to STOP using the root hints. It's back to front.

    From your description you are seeing exactly the same behavior as I am. I
    am not sure why you think it is correct. Am I completely missing something
    obvious here? :)

    The option is called "Use root hints if no forwarders are available". To me
    that means that it should try the forwarder first and if it cannot connect
    to it then it will "fall back" to using the root hints (devolving
    iterative). However, with this option ticked it does NOT fall back to using
    the root hints. You have to UNTICK the option to make it fall back to using
    the root hints. This option has to be set to the opposite of what you want
    in order to get it to work correctly.

    Am I wrong?

    Cheers,
    David
     
    David Chadwick, Apr 13, 2009
    #7
  8. Well, sort of. It does perform a recursive only after an iterative process
    gets to the actual nameservers. So in essence, it is performing a recursive,
    eventually.


    Well, kind of. The only time it will fail, and the Roots completely gray
    out, is if a Root zone is created under the FLZ. I kind of think that if
    there are no forwarders and the box is ticked, it will still recurse (really
    an iterative first, then recurse), against the Roots.

    But in my tests, it still resolves.

    btw - 4.2.2.2 is a real nameserver, so is 4.2.2.3, 4.2.2.4, and 4.2.2.5. I
    haven't checked further than .5 in that range. They belong to GTE and are
    some of the GTLD servers out there. If you want to test it with a fake
    forwarder, choose a private IP that is not being used, or 1.1.1.1.

    I understand what you are saying, but I've found that it still works. I
    think the setting is ignored and that would be something in the executable,
    and not in the reg that makes it work. I am not a programming engineer to
    dig deeper into the exe, and would have to escalate this further. However,
    this is the first I've heard of this in the private and public forums, and I
    don't have a real answer other than what I'm surmising about the executable.

    Also, I did not test it with a fake forwarder.
    I'm not trying to skirt around the terminology, but in the old 2003
    setting, the wording didn't make sense to many, but it simply is a tick box
    to use or not use the Roots. However, it will use the Roots if no forwarders
    are present, otherwise it cannot do its job to resolve names, and therefore
    still works anyway, probably something in the exe hardcoded to perform
    resolution when there is a conflicting setting, such as what you've found.
    The only time this didn't work is if you created a Root zone under the FLZ,
    whereas it then thinks it is a Root server and the Roots will totally gray
    out.

    What I can probably suggest is to delete the Roots and retry your test with
    a fake forwarder. Don't worry about deleting the Roots, you can always get
    them back by reloading them from an existing server, such as 4.2.2.2.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 13, 2009
    #8
  9. Hi Ace,

    I think once again we have completely crossed our wires. :)

    Do this test:

    1. Enter a fake forwarder on the forwarding tab.
    2. Tick the "Use root hints if no forwarders available" option
    3. Try and do a DNS query.

    It fails. The DNS server tries to talk to the fake forwarder, which isn't
    there. The DNS server does NOT use the root hints. Instead, it just fails.

    4. Now untick the "Use root hints if no forwarders available" option
    5. Do another DNS query.

    It now works. The DNS server first tries to talk to the fake forwarder,
    which isn't there. The DNS server then uses the root hints and successfully
    resolves the name.

    This is the wrong way around. When "Use root hints" is ticked, it doesn't
    use the root hints. When "Use root hints" is unticked, it does use them.
    It's completely wrong.

    Cheers,
    David
     
    David Chadwick, Apr 14, 2009
    #9
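    The two layers that the thread keeps tangling (what the console writes to IsSlave, and what the service does with that value when a listed forwarder does not answer) are easier to reason about side by side. The following is an added illustrative model, not code from the thread or from Microsoft: the registry layer follows the observations posted above (ticked = 1, cleared = 0, no forwarders = value deleted), and the service layer follows the KB 198408 text Ace quoted in reply #2. The forwarder address 192.0.2.1 (a TEST-NET-1 documentation address, so it is guaranteed never to answer), the query names and the function names are all constructed for the example.

    ```python
    """Model of the forwarder / IsSlave / root-hints decision described in the thread.

    Two layers are kept separate so the disagreement can be seen directly:
      console_is_slave()  - what the Windows 2008 DNS console writes to IsSlave
                            for each checkbox state (as the posters observed it)
      service_outcome()   - what the DNS service does with that value when a
                            listed forwarder does not answer (per the quoted KB text)
    This is an illustrative model, not Microsoft's code; addresses are constructed.
    """
    from typing import Optional

    FORWARDER = "answered via forwarder"
    ROOT_HINTS = "answered via root hints (iterative query from the roots)"
    SERVER_FAILURE = "SERVER_FAILURE returned to the client"


    def console_is_slave(forwarders: list[str], use_root_hints_ticked: bool) -> Optional[int]:
        """IsSlave value left in the registry by the 2008 console.

        No forwarders: the checkbox is greyed out and the value is deleted (None).
        Forwarders present: ticked -> 1, cleared -> 0 (the thread's observation).
        """
        if not forwarders:
            return None
        return 1 if use_root_hints_ticked else 0


    def service_outcome(forwarders: list[str], is_slave: Optional[int], reachable: set[str]) -> str:
        """Result of a recursive client query, following the quoted KB text.

        `reachable` is the set of forwarder addresses that actually answer.
        """
        if not forwarders:
            return ROOT_HINTS                 # IsSlave is not read without forwarders
        if any(f in reachable for f in forwarders):
            return FORWARDER                  # forwarding succeeded; no fallback needed
        if is_slave:                          # nonzero: fail when forwarders do not respond
            return SERVER_FAILURE
        return ROOT_HINTS                     # missing or zero: fall back to normal recursion


    def query(forwarders: list[str], use_root_hints_ticked: bool, reachable: set[str]) -> str:
        """End-to-end: checkbox state -> registry value -> service behaviour."""
        return service_outcome(forwarders, console_is_slave(forwarders, use_root_hints_ticked), reachable)


    def davids_test() -> tuple[str, str]:
        """Steps 1-5 from the post above, with a forwarder that never answers.

        192.0.2.1 is a TEST-NET-1 documentation address, constructed here so the
        forwarder is guaranteed unreachable.
        """
        fake_forwarder = ["192.0.2.1"]
        nobody_answers: set[str] = set()
        ticked = query(fake_forwarder, True, nobody_answers)     # steps 1-3
        cleared = query(fake_forwarder, False, nobody_answers)   # steps 4-5
        return ticked, cleared


    def aces_test() -> str:
        """Ace's run in reply #6: forwarders removed, box left ticked, IsSlave gone."""
        return query([], True, set())


    def label_matches_behaviour(use_root_hints_ticked: bool) -> bool:
        """True if the label 'Use root hints if no forwarders are available'
        describes what actually happens when the only listed forwarder is down."""
        expected = ROOT_HINTS if use_root_hints_ticked else SERVER_FAILURE
        return query(["192.0.2.1"], use_root_hints_ticked, set()) == expected


    if __name__ == "__main__":
        ticked, cleared = davids_test()
        print("forwarder down, box ticked :", ticked)
        print("forwarder down, box cleared:", cleared)
        print("no forwarders, box ticked  :", aces_test())
        for state in (True, False):
            print(f"label matches behaviour when ticked={state}: {label_matches_behaviour(state)}")
    ```

    Running the model reproduces both posters' results: with a dead forwarder the ticked box yields SERVER_FAILURE and the cleared box yields a root-hints answer, and with no forwarders at all the roots are used regardless of the box. `label_matches_behaviour` is false for both checkbox states, which is the mismatch between label and registry value that the thread is about; the same model is also the quickest way to see why removing the forwarder entirely (Ace's first test) cannot expose it.
    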

  10. David,

    I see your point now. Maybe I should have simply asked you for your steps,
    because I couldn't reproduce it, but then again, I didn't try it with a fake
    forwarder. Even though it is checked, it will not use the Roots. So I stand
    corrected.

    A twist on this, while still set with the fake forwarder and the box ticked,
    I created a conditional forwarder for microsoft.com, and added 4.2.2.2 in
    it. Microsoft.com was able to get resolved, but nothing else. So the Roots
    were being ignored across the board.

    Maybe someone else may have an explanation that we are both overseeing.
    Otherwise, I'm not sure what to say, other than a great job digging this one
    up.

    Ace

    I can't explain this one.
     
    Ace Fekay [Microsoft Certified Trainer], Apr 14, 2009
    #10

  11. Thinking more on this, if the setting says if no Forwarders are available,
    it literally means just that, not whether the forwarder entered is fake or
    not. So it isn't such a setting that says, "If the forwarder doesn't answer,
    use the Roots, rather that if there is none in the list, it will use the
    Roots," So with a fake forwarder, there's one in the list. So the setting is
    behaving as it should, but we are expecting it to use the Roots, but it is
    not, it is literally upholding its setting as stated.

    I agree this is wrong and possibly a nice hotfix to make it a conditional
    event instead of an OR event.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 14, 2009
    #11
  12. Hi Ace,

    Thank you for confirming that I am not mad! :)

    It is just simply the wrong way around. The functionality itself is working
    OK (so you can switch it on and off) - it's just that off is on and on is
    off. :)

    They could fix this simply by changing the text in the DNS console to read
    "Do not use root hints if no forwarders are available".

    Cheers,
    David
     
    David Chadwick, Apr 14, 2009
    #12

  13. I agree. I posted something else too regarding this a few moments ago, but
    haven't seen it show up yet.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 14, 2009
    #13
  14. Hi Ace,

    I think we disagree on this point.

    The option only becomes available when you have a forwarder entered on the
    tab. So once you enter a forwarder, Windows DNS is giving you an additional
    option which says "if I am unable to talk to this forwarder, what should I
    do?". If there is no forwarder entered, the option becomes irrelevant and
    becomes greyed out.

    I do not think the setting has anything to do with how the server responds
    if there are no forwarders actually in the list. If this were the case, the
    setting would not be greyed out when the last forwarder is deleted.

    In my opinion the setting is specifically to tell DNS what it should do if
    it is unsuccessful in contacting the forwarders that are listed. It is
    asking "If I cannot contact the forwarder, shall I attempt to resolve the
    query myself with the root hints or shall I just fail?".

    This is just my opinion of course but I cannot see any other logical
    conclusion.

    Cheers,
    David
     
    David Chadwick, Apr 14, 2009
    #14

  15. At least we agree the wording should be changed to be more specific as to
    what it is actually doing!

    Cheers!

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 14, 2009
    #15