Windows Server Forum / Windows Server 2003 / DNS / September 2006

Recursive DNS setup

Jerry Mickman - 28 Sep 2006 00:20 GMT
Hi All,

I just want to make sure that I've either got this concept right, or
completely wrong.

If I configure a DNS forwarder on a Server2003 DC using an external DNS
server for "all other domains," am I correct that if I don't disable
recursive on that entry, if the server can't resolve the address, my DNS
server will not query the root servers to try to resolve the DNS info?

A better way to ask this...  If I enable recursive queries, am I correct in
thinking that if the server can't resolve the address, it will just "throw
up its hands and give up?"  That if I disable the recursive queries, it will
try to resolve using the root servers?

Thanks in advance!
Kevin D. Goodknecht Sr. [MVP] - 28 Sep 2006 06:12 GMT
> Hi All,
>
[quoted text clipped - 11 lines]
> will just "throw up its hands and give up?"  That if I disable the
> recursive queries, it will try to resolve using the root servers?

It all depends on if you're talking about "Disable Recursion" on the Advanced
tab, or checking "Do not use recursion.." on the Forwarders tab.
"Disable recursion" stops all external queries.
"Do not use recursion..." only tells your DNS server to NOT use its root
hints, meaning, if it doesn't have the zone, wait for the answer from the
forwarder which could take several seconds, and fail the query if the
Forwarder can't get the answer.

Signature

Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

Jerry Mickman - 28 Sep 2006 15:55 GMT
Sorry, if I seem dense, but it sounds like I did get everything backwards...

Let me see if I've got this straight:  In general, recursion in DNS means to
use external sources?

If I enable recursion on the forwarder page, then the DNS server will use
the root servers if it doesn't get resolution from the forwarding server?

And if I disable recursion on the forwarder page, then the DNS server will
NOT use the root servers if it doesn't get resolution from the forwarding
server?

Thanks!

>> Hi All,
>>
[quoted text clipped - 20 lines]
> forwarder which could take several seconds, and fail the query if the
> Forwarder can't get the answer.
Kevin D. Goodknecht Sr. [MVP] - 28 Sep 2006 18:28 GMT
> Sorry, if I seem dense, but it sounds like I did get everything
> backwards...
>
> Let me see if I've got this straight:  In general, recursion in DNS
> means to use external sources?

Recursion is a mathematical term for finding the answer to a question. When
a DNS server uses recursion, it sends iterative queries to DNS servers, that
will provide the answer, or refer it to a DNS server that should know the
answer, until it gets its answer.
For example, when you send a query to your DNS, that it does not have the
answer to, (either from its cache or its zones), it starts at the very top
which is the Root, then works its way down until it either gets the answer
it wants or a DNS server answers NXDOMAIN (non-existent domain). All
recursive queries start at the root.

A real world query to use is www.microsoft.com. If your DNS doesn't know the
answer it starts with the Root servers, which don't do recursive lookups and
will give a referral by a delegation saying, "Go ask the .com gTLD servers",
which also can't do recursive lookups and will answer with a referral by
using a delegation to the Microsoft.com DNS servers. When your DNS asks the
microsoft.com DNS servers, they either give the answer by saying here is the
record or by using a delegation tells your DNS where www.microsoft.com 
should be.

> If I enable recursion on the forwarder page, then the DNS server will
> use the root servers if it doesn't get resolution from the forwarding
> server?

Exactly.

> And if I disable recursion on the forwarder page, then the DNS server
> will NOT use the root servers if it doesn't get resolution from the
> forwarding server?

Yes, which is why you have to make sure if you disable recursion on the
forwarders tab, that the forwarder you use is highly trusted. Because if it
fails, or even worse, gives you a bad record, which is then cached on your
DNS, your DNS will continue to answer with this bad record until the bad
record's remaining TTL has expired, which by default on an MS DNS is up to
one day and seven days on BIND.

A good use of this setting is on a Win2k3 DNS, which has support for
conditional forwarders, you can add a conditional forwarder for a Domain
that cannot be found from the root servers. A good example of this is if you
have multiple Active Directory domain trees such as domain.local that
obviously can't be resolved from the root, but doesn't have a zone on your
DNS, you can add a conditional forwarder for domain.local, give it the IPs
for its DNS servers, select the box "Do not use recursion for this domain",
if the domain.local DNS servers become unavailable, your DNS will answer
with "Server fail" instead of asking the root. It is important that if you
use a Conditional forwarder, that the forwarder has authority for the
domain.

Signature

Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
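
The forwarder behaviour described in the answer above, as a toy model added here (not part of the original post and not Microsoft DNS code). It shows the "Do not use recursion" flag turning a dead forwarder into a server failure instead of a root lookup, and a bad forwarded record being served from cache until its TTL expires. The delegation tree, addresses, TTLs and function names are constructed for the example.

```python
# Toy model; the delegation tree, addresses and TTLs are constructed sample values.
SERVERS = {
    "root":           {"com": ("refer", "gtld-com")},
    "gtld-com":       {"example.com": ("refer", "ns.example.com")},
    "ns.example.com": {"www.example.com": ("answer", "192.0.2.10", 3600)},
}

def covers(suffix, name):
    return suffix == "" or name == suffix or name.endswith("." + suffix)

def iterate_from_root(name):
    """Follow referrals down from the root until a server answers."""
    server, path = "root", []
    while True:
        path.append(server)
        hit = next((v for k, v in SERVERS[server].items() if covers(k, name)), None)
        if hit is None:
            return None, path            # no delegation for this name: NXDOMAIN
        if hit[0] == "answer":
            return hit[1:], path         # (address, ttl)
        server = hit[1]                  # referral: ask the next server down

class Resolver:
    def __init__(self, forwarders):
        # suffix -> (forwarder callable, do_not_use_recursion); "" = all other domains
        self.forwarders, self.cache = dict(forwarders), {}

    def resolve(self, name, now):
        cached = self.cache.get(name)
        if cached and cached[1] > now:
            return cached[0], "cache"    # served until the record's TTL runs out
        suffix = max((s for s in self.forwarders if covers(s, name)), key=len, default=None)
        if suffix is not None:
            forward, no_recursion = self.forwarders[suffix]
            reply = forward(name)        # None models a forwarder that gives no answer
            if reply:
                self.cache[name] = (reply[0], now + reply[1])
                return reply[0], "forwarder"
            if no_recursion:
                return "SERVFAIL", "forwarder"   # root hints are never tried
        reply, _ = iterate_from_root(name)
        if reply is None:
            return "NXDOMAIN", "root"
        self.cache[name] = (reply[0], now + reply[1])
        return reply[0], "root"

dead_forwarder = lambda name: None                     # forwarder down or unable to resolve
bad_forwarder = lambda name: ("203.0.113.66", 86400)   # constructed wrong record, one-day TTL
```
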

Jerry Mickman - 28 Sep 2006 21:26 GMT
Thank you for straightening me out on this topic!  Your explanation was
extremely helpful.

>> Sorry, if I seem dense, but it sounds like I did get everything
>> backwards...
[quoted text clipped - 61 lines]
> use a Conditional forwarder, that the forwarder has authority for the
> domain.
 