thought I had DNS but I guess not

looking for some tips that helped you guys with wrappnig your head around DNS

I've used cbt nuggets, I've done labs, read the MOAC book, Read the EXam Cram2 book but Im' just not getting DNS in large environments and when to use a stub zone VS conditional forwarding has my number.

and unfortuantely right now i work in a small single domain environment so I have no hands on with big environments

I guess I need a better method so what are your suggestions??

Find more posts tagged with

Comments

royal

Conditional forwarder is static. If the dns server's ip changes, the conditional forwarder entries must be updated manually. With a conditional forwarder, you'll most likely want to add multiple entries for the same domain to aid in redundancy.

Stub zones are dynamic. When you create a stub zone, it creates a zone which contains the SOA, NS, and A records for the targeted dns zone. Because it contains the SOA record, it will periodically contact the targeted server to see if there are any changes. If there are, the stub zone will update its' database accordingly.

Another very important thing to consider is security. When a client does a recursive request to its' primary dns server, it wants the server to give it a response. If the primary dns server has a stub zone, it will actually reply to the client with NS record information for the targeted domain. The primary server will actually give a referral back to the client telling the client to go contact the targeted domain's DNS servers contacted. Do you see the problem here? What if the primary DNS server is the only server allowed to communicate over port 53. Your queries won't be resolving.

Conditional forwarding will fix this. Now lets say the primary dns server has a conditional forwarder with static entries instead of a stub zone. When a client tries to resolve something for the target domain, the primary dns server the client contacts will have a conditional forwarder for that domain. The difference in this situation, is the server will actually perform the process of recursion itself instead of sending a referral back to the client and telling the client to go find out itself. The process of recursion means that the dns server received a recursive query from a client and to resolve that recursive query, it has to do recursion through iterative queries.

Hope this helps.

Smallguy

my biggest issue with DNS is understanding when you need a stub zone versus when a conditional forwarder should be used.

I understand that with conditional forwarding you are telling your DNS server to send all queries for xyz.com to 131.131.131.2

and that a stub zone contians less recoreds than traditinoal zones so there is less replication traffic and if I understand stubs corrctly it is effectivley sending the info off to the authoratative server

but I guess what I've yet to find is when I should be implementing a stub zone instead of conditional forwarding or the opposite whne conditional forwarding shold be used instead of a stub zone.

when security is n issue it seems like conditonal forwarding is the best bet or when a firewall is only allowing traffic with port 53. but I"ve come accross some pretty conveluted DNS questions in my studing that boggle my mnid having limited experience in this field and my expereince is limited to small environments where I'm not using anytihng other than Ad-integrated zones.

ICroyal can you help me with clearing up when to use these zones types

I'll be sitting down and reading some tech tutorials in the next few days hopefully those will hlep bring it all together as well

bighornsheep

you want to use stub and conditional forwarder with remote sites, the key factor is the cost on the link. If speed over the WAN link is an issue, you dont want to use stub zones.

The point with conditional forwarder is that there are internal records that the server is able to resolve, so there's no need to add traffic on the WAN link because the DNS forwarder can resolve it itself.

royal

1. When using stub zones, the dns server that holds the stub zone has to periodically contact the server that is defined in the SOA record. It will then pull all NS records and A records. This of course takes up bandwidth. With conditional forwarding, it's basically on-demand traffic. So traffic like bighornsheep stated is one condition to take into account.

2. Conditional forwarding is static. Stub zones dynamically update. The only problem that will be seen is when the server that is defined in the SOA record is down.

3. The third thing I can think of is the whole referral vs recursion process which I explained in my original post. Stub zones give referrals to clients which then go contact the authoritative server (bad if only dns servers can talk over the WAN using port 53) and conditional forwarding will cause the dns server to do recursion.

Smallguy

Thanks guys

nzchris

Guys, with respect, I think you have this a little bit wrong.

When a client makes a query to a dns server (server a) with a stub zone, the dns server makes a query to the dns server named in the NS record (server b) for the stub zone. It then caches the result, and answers the client.

Check out the site that mentions this http://technet2.microsoft.com/WindowsServer/en/library/a3cf0184-0594-4e78-8247-609f038434381033.mspx?mfr=true]

The use of a stub zone versus a forwarder is explained by MS in this site
http://technet2.microsoft.com/WindowsServer/f/?en/library/78ad7115-a502-41b4-a969-2d0032549c591033.mspx

Basically it says that stub zones are good for when you want a parent zone to keep track of which servers are authoritative for a child zone.
Forwarders are good for when you have a network to network requirement to resolve dns names.

If I am wrong, then please reply, because I am always happy to be corrected if my end game can benefit.[/url]

sprkymrk

nzchris wrote:

Guys, with respect, I think you have this a little bit wrong.

That's a nice link nzchris, thank you. However, aside from the discussion turning a little towards the bandwidth issue (which is not incorrect) everything these guys pointed out agrees with the information stated on the MS link. Check out a couple of things specifically:

icroyal wrote:

Conditional forwarder is static. If the dns server's ip changes, the conditional forwarder entries must be updated manually.

and from your link:

A conditional forwarder is not an efficient method of keeping a DNS server hosting a parent zone aware of the authoritative DNS servers for a child zone. If you used this method, whenever the authoritative DNS servers for the child zone changed, the conditional forwarder setting on the DNS server hosting the parent zone would have to be manually configured with the IP address for each new authoritative DNS server for the child zone.

Again:

icroyal wrote:

When you create a stub zone, it creates a zone which contains the SOA, NS, and A records for the targeted dns zone. Because it contains the SOA record, it will periodically contact the targeted server to see if there are any changes. If there are, the stub zone will update its' database accordingly.

and from your link:

If the stub zone for a child zone is hosted on the same DNS server as the parent zone, the DNS server hosting the stub zone will receive a list of all new authoritative DNS servers for the child zone when it requests an update from the stub zone's master server . This method of updating the DNS server hosting the parent zone maintains a current list of the authoritative DNS servers for the child zone as they are added and removed.

Another:

bighornsheep wrote:

If speed over the WAN link is an issue, you dont want to use stub zones.

The point with conditional forwarder is that there are internal records that the server is able to resolve, so there's no need to add traffic on the WAN link because the DNS forwarder can resolve it itself.

the MS link:

DNS servers in one network will forward names for clients in the other network to a specific DNS server that will build up a large cache of information about the other network. When forwarding in this way, you create a direct point of contact between two networks' DNS servers, reducing the need for recursion.

I could go on too, but I think that's enough. If you see something wrong posted by these guys could you be more specific? We like to make sure the information is correct and we all can make mistakes, so no hard feelings if you see something. Let us know, and again that link is great, thanks for posting it.

nzchris

Hi again. Sorry for not being specific. I have found the information in this post to be excellent, but the part that I thought might be wrong is...

icroyal wrote:

When a client does a recursive request to its' primary dns server, it wants the server to give it a response. If the primary dns server has a stub zone, it will actually reply to the client with NS record information for the targeted domain. The primary server will actually give a referral back to the client telling the client to go contact the targeted domain's DNS servers contacted.

I believe that a stub zone does not refer a dns client to another server, but instead performs the recursion on behalf of the client. This then enables the stub zone to cache the resolved name. If the stub zone had referred the dns client on, then how would it build up it's cache?

Cheers, nzchris

royal

Thanks for the link nzchris. I'll give it a read a little later today.

helms20

Another good link for the info is here http://technet2.microsoft.com/WindowsServer/f/?en/library/78ad7115-a502-41b4-a969-2d0032549c591033.mspx. According to this the DNS server performs the lookup but then refers the client to the result, and caches it for quicker resolution.

Please read it and let me know if I interpreted it incorrectly. Thanks

royal

helms20 wrote:

Another good link for the info is here http://technet2.microsoft.com/WindowsServer/f/?en/library/78ad7115-a502-41b4-a969-2d0032549c591033.mspx. According to this the DNS server performs the lookup but then refers the client to the result, and caches it for quicker resolution.

Please read it and let me know if I interpreted it incorrectly. Thanks

This is a good use of forwarding. Lets say you had 10 internal DNS servers that you do not want directly querying tDNS servers on the internet. Also, if you had all 10 internal DNS servers querying the internet, that is 10x the WAN traffic than you actually need. Not to mention all 10 of them will have different cache. A good practice is to contain a DNS server that provide Internet lookups. All internet DNS servers will create a forwarder entry to point to this DNS server. This way, when a client internally tries to query for an internet name, any of your internal servers will send this query to your forwarding server. This server will then go do the iterative queries to other DNS servers on the internet. This means you are saving 10x the WAN traffic, you have a server with rich cache which means you will actually use even less than that 10x amount. Of course you can have 2 forwarding servers to provide redundancy. DNS servers will use the 1st forwarding server so it will still contain a rich cache, and if that goes down, it will go to the 2nd forwarding server temporarily.

$Roman

royal wrote: »

...
Another very important thing to consider is security. When a client does a recursive request to its' primary dns server, it wants the server to give it a response. If the primary dns server has a stub zone, it will actually reply to the client with NS record information for the targeted domain. The primary server will actually give a referral back to the client telling the client to go contact the targeted domain's DNS servers contacted. Do you see the problem here? What if the primary DNS server is the only server allowed to communicate over port 53. Your queries won't be resolving.
...

That's what I thought, but it seems like no one else I've read makes that clear. Thank you!
This is to me the primary and important difference. The dynamic nature of stub zones seems like a dubious benefit and if forwarders can have fault tolerance (i.e. if the first query fails, it will try the next configured server and the next until it gets a reponse or runs out of configured name servers to query) it seems like one should just always use conditional forwarders unless one knows that they want the client to end up doing an iterative query.
When Microsoft or whoever explains stub zones saying that it will get all of the DNS name servers and if that list changes, it will figure it out, they neglect to mention that 1) the list of name servers rarely changes. I mean, who is out there adding and removing name servers constantly? 2) does it provide protection against name server failure? Well, if I have a conditional forwarder configured with 2 name servers, both would have to go down for resolution to fail, right? With a stub zone, maybe two additional name servers were added at some point and now it has 4 to choose from for resolution. Well, if those first two fail, then the stub zone will still work, but only until the zone has "expired" because it still must regularly update the SOA record from a static list of servers (those first two). So, it will provide protection from "system down" for maybe a day (whatever the expiration time is). That seems like a minor benefit. What's the chance that two machines will go down, but others will be up?