DNS Gurus.. HELP!

I wanted to get your opinions on a DNS issue I have at my current job. Currently we have dozens of domains across several networks, and in between many firewalls. I am trying to recommend a standardized DNS solution that would work across our infrastructure. The domains are all Windows 2000/2003, and the DNS servers for each domain are the same (AD Integrated). Each domain has at least two DNS servers.

We are talking about hundreds of machines here. Our corp internal name space corp.company.com is on a separate network from the above domains. So no workstations here, all Windows 2000 and 2003 servers. Many of these domains also have child domains and trusts between one another.

Right now our name resolution is a simple HOSTS file that the entire IT team shares. We update as we remember and email it out. As you might expect, it is almost impossible to keep accurate and up to date. My initial thought was to maybe somehow take advantage of Server 2003 stub zones or conditional forwarding. I am reluctant though since I have not seen this in too many live production environments.

Your thoughts?

Justin

Find more posts tagged with

Comments

RTmarc

One of the first problems I see is this:

dozens of domains across several networks

. My first question is do you really need many domains? Obviously workng with just a few domains -preferably one- is ideal; yes I do recognize there are times when multiple are needed. Second, what is the heirarchy of the domians (i.e., multiple trees, single tree with multiple child domains, etc.)? Do the domains have trusts setup? Do users in one domain need to access resources in another domain? If you can clear this up I think we can start giving you a little more feedback. One of my first recommendations without needing any more information is to attempt a sort of domain consolidation and rid yourself of the burden of having to manage a domain that could be folded into another.

tuscani

Unfortunely we do have a legit need to all of these domains. Most of them are customer and or CITRIX related.

The hierarchy vaies between each. However, every situation applies to at least one or more domains.. ie. multiple trees, childs, various trusts, ect. Generally the same people have access to several different domains. This was a nightmare, but we have deployed MIIS (Microsoft Identity Integration Server) and we are now provisioning user accounts so the same user and password work everywhere.

Danman32

Sounds like you need to design an intranet DNS hiearchy similar to internet. Start with a dot zone, that points to your first level zones, which then refer to your second level zones, and so on. All your DNS servers can refer to the root zone to start their queries, either through forwarders, root hints, or both.

But then, without knowing the details of your DNS names, it's hard to give any recommendations.

If each domain is completely unique with the others, you either have to have a few 'master' DNS servers that list all the zones (as stubs or secondaries I suppose) and have everyone use them for resolution, or have DNS servers refer to each other through conditional forwarders or secondary zone transfers.

agustinchernitsky

As Danman says, create your own root hierarchy.

Assign two DNS servers (at least) as root servers. Or you can distribute them per location... Then make the rest of them use them as root hints.

Please do be carefull with Internet DNS resolution.

tuscani

Interesting.. I never thought of using root zones. This could work I suppose. I am not sure I am savvy enough to role it all out though.

Here is a list of some of our zones.. Could you give me an example on how the root zones night be setup?

domaina.com
-child1.domaina.com
-child2.domaina.com
-child3.domaina.com
-child4.domaina.com

domainb.com
-child1.domainb.com
-child2.domainb.com

domainc.com

domaind.com

domaine.net

domainf.org

Thanks

agustinchernitsky

Hello!

Well, just grab a DNS server... create a root zone (.) and the create first level zones:

.com
.net
.org

From there, in each zone you can delegate each domain to its appropiate DNS server.

.com
-> domainA: to nsx.domaina.com ip xxx.xxx.xxx.xxx

Do this for each zone... And then you can run a query to this server to see if sends you to the right DNS (using nslookup). You wont need to disable recursing or fwds because the root zone disables it.

Give it a try and tell me how it goes!

tuscani

Thanks!

No way it can be this easy. There are some pretty intelligent engineers here. Surely they would have thought about doing this right? Maybe there are factors involved that I am unaware of. My guess is firewalls. I would assume as long as the proper DNS ports were allowed through there would be no problems right?

Are there any reasons why you wouldn't go for a root hierachy in an advanced infrastructure like this? I know, tough question to answer from were you sit, but I am just wondering about general reasons why you root might not work.

Justin

rossonieri#1

hello,

i dont think that firewall is an issue here - since it was a very simple action to pass DNS query. but the HOSTS file? i dont think it will be effective enough in a complex environment - and that is way people build DNS.

but, since you said that you already have an AD - i think your questions is irrelevant, because AD use DNS in the first place. For easier integration - i suggest that you do DNS-DHCP integration.

cheers.

Danman32

I thought of one problem about defining one's own in-house root zone servers: you won't be able to resolve internet addresses, as you now become the internet.

tuscani

Danman32 wrote:

I thought of one problem about defining one's own in-house root zone servers: you won't be able to resolve internet addresses, as you now become the internet.

That's ok. These servers cannot get out to the internet anyway.

mikey_b

Danman32 wrote:

I thought of one problem about defining one's own in-house root zone servers: you won't be able to resolve internet addresses, as you now become the internet.

Could use conditional forwarding for all other domains to forward external requests to ISP DNS servers, no?

blargoe

Hmm, good question. I don't think that would work because the DNS server would think it's authorative for the . zone and therefore every zone on the Internet so I'm thinking it wouldn't ever make it to forwarding.

tuscani

blargoe wrote:

Hmm, good question. I don't think that would work because the DNS server would think it's authorative for the . zone and therefore every zone on the Internet so I'm thinking it wouldn't ever make it to forwarding.

Right. I am guessing in the root hierarchy you would never be able to resolve Internet names.

Danman32

mikey_b wrote:

Danman32 wrote:

I thought of one problem about defining one's own in-house root zone servers: you won't be able to resolve internet addresses, as you now become the internet.

Could use conditional forwarding for all other domains to forward external requests to ISP DNS servers, no?

No. At least for W2K, if you had a . zone, the forwarding checkbox was grayed out. Conditional forwarders might work, but then you would have to have an entry for every domain out there.

EDIT: Just tried it. Forwarding tab dialog is completely disabled. You can't add a server to the default forwarding, nor can you add additional contitional forwarders.

agustinchernitsky

justindu wrote:

Right. I am guessing in the root hierarchy you would never be able to resolve Internet names.

Yes... you are right... You need to separete Resolvers from your normal DNS servers.

What I would do (just thinking out loud), I would setup two DNS servers for recursive resolution. Then set the root servers and the other DNS hierarchy as usuall.

On the resolvers, I would try (in the lab) two things:

1.- Add your root hints at the beginning of the Root hint servers and see if you resolve your local domains and then the external domains (since your root dns doesn't have all Internet zones)
2.- Add a conditional fwd for your internal domains to the root DNS

Also, (still thinking out loud), I would try the following DNS structure:

1.- Your root DNS with their own DNS hierarchy
2.- One or two cache DNS resolvers with only your root dns hints (two sercers)
3.- One cache DNS resolver for Internet

this would / should work like this:

1.- Your cache DNS resolvers with only your root dns hints will resolve local domains
2.- If not found, you fwd the request to the DNS resolver for Internet.

Something like this... should work... it's just a little imagination

Danman32

That won't work. If YOU are the root, forwarders are disabled completely. DNS clients only use one server for DNS and switch to the alternate only if the primary server doesn't respond. A negative answer (as in "what are you talking about? I know nothing about 'google.com'") is an answer and therefore won't be passed on to the external resolver.

Silver Bullet

Why not setup a Caching only DNS server for the clients Primary DNS Server and use the Custom Root Server as you guys recommended, but instead of the clients using it directly, set up Conditional Forwarders on the Caching only Server for it to query the Custom Root Server for his domain names. All other queries should be forwarded to Internet DNS Server.

Sounds good to me anyway.

Danman32

If you are going to do that, then why use root servers at all? The conditional forwarding is doing all the work.

In this method, what you would need to do is list all of the top level unique domains. If it is a manageable number, then you can have cache DNS servers as the resolvers the clients use, with conditional forwarders used in them to forward queries to the appropriate domain.

Or you could use stub zones in the resolver DNS servers.

tuscani

rossonieri#1 wrote:

hello,

i dont think that firewall is an issue here - since it was a very simple action to pass DNS query. but the HOSTS file? i dont think it will be effective enough in a complex environment - and that is way people build DNS.

but, since you said that you already have an AD - i think your questions is irrelevant, because AD use DNS in the first place. For easier integration - i suggest that you do DNS-DHCP integration.

cheers.

No DHCP here.. all server are Static IP

tuscani

Danman32 wrote:

If you are going to do that, then why use root servers at all? The conditional forwarding is doing all the work.

In this method, what you would need to do is list all of the top level unique domains. If it is a manageable number, then you can have cache DNS servers as the resolvers the clients use, with conditional forwarders used in them to forward queries to the appropriate domain.

Or you could use stub zones in the resolver DNS servers.

Could you give me an example of how this might work?

Danman32

You have a series of servers that run DNS that all your clients use for queries. Those servers are then configured to either conditionally forward queries to the appropriate topmost DNS servers, or they would have stub zones for the topmost domains. Actually, I think the latter you would need stub zones for all the domains including child domains, not just the most top level, so that may not be the best option.

In this way, the query servers are still open to forwarding queries to the internet by default if you ever need to do that.

rossonieri#1

hello there : )

well, DHCP can do static also - reserved you servers there.
erase the top "." ('dot') from your DNS server, or try to point your ISP DNS server as your "DNS server" - DNS server, so any unresolved query will be forwarded to your ISP.

cheers.