RESET Forums (homeservershow.com)

DNS on Windows Server


oj88

I have a DNS server at home, a WinSvr2k19. I have a few rookie questions....

1. Is it OK to rely on the default root hints, or do I really need to put in DNS forwarders? What would be the pros and cons in terms of:

a. Performance

b. Security

2. If I do use forwarders, how do I make it so that DNS queries go through all of them in the list in a round-robin fashion? For example, if I have configured three forwarders (8.8.8.8, 8.8.4.4, and 1.1.1.1), it seems that all queries are just sent to the first one (8.8.8.8) until, I imagine, it becomes unreachable. However, there are situations where, for example, certain queries won't resolve correctly using 8.8.8.8 but will work when queried through 1.1.1.1, and vice versa. I would want the queries to jump from one forwarder to the next, so that in case a query fails (but not because that particular forwarder is down), I can just refresh the browser and my DNS server would query the next forwarder on the list.

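The two questions above are about the Forwarders tab of DNS Manager; the same settings are exposed by the DnsServer PowerShell module that comes with the DNS Server role. The following is an added example (not code from the thread) that inspects what the server is doing today, sets the forwarders with an explicit timeout and root-hint fallback, and checks the two server settings that matter for security. The forwarder addresses are the ones named in the post; the parameter meanings are as documented for the DnsServer cmdlets, so check Get-Help Set-DnsServerForwarder on your own build if in doubt.

```powershell
# Added example, not from the thread. Run on the Windows Server 2019 DNS host
# in an elevated PowerShell session; the DnsServer module ships with the role.
Import-Module DnsServer

# --- 1. What is the server doing today? --------------------------------------
# With no forwarders configured, the server recurses from the root hints itself
# (root hints point at the root name servers, not at a resolver). With forwarders
# it sends each query to the first listed address and only moves to the next one
# after 'Timeout' seconds without any reply.
Get-DnsServerForwarder |
    Format-List IPAddress, ReorderedIPAddress, Timeout, UseRootHint, EnableReordering

# The root hints the server ships with (root-server names and addresses).
Get-DnsServerRootHint | Select-Object -First 3

# --- 2. Set the forwarders explicitly ----------------------------------------
# Order matters: 1.1.1.1 is tried first. -Timeout is the per-forwarder wait in
# seconds (the value at the bottom of the Forwarders tab). -UseRootHint $true
# keeps root hints as the fallback if every forwarder fails to answer.
# -EnableReordering lets the server reorder the list based on which forwarders
# respond; it is not per-query round-robin, which the DNS Server role does not
# offer.
Set-DnsServerForwarder -IPAddress 1.1.1.1, 8.8.8.8, 8.8.4.4 `
    -Timeout 3 -UseRootHint $true -EnableReordering $true

# --- 3. Security-relevant server settings ------------------------------------
# SecureResponse is "Secure cache against pollution": records in a reply that
# are outside the zone that was asked about are discarded instead of cached.
# Keep it $true.
Get-DnsServerRecursion | Format-List Enable, SecureResponse, Timeout

# Response Rate Limiting (Server 2016 and later) limits how useful the server is
# as an amplification reflector should UDP/53 ever be reachable from the WAN.
Get-DnsServerResponseRateLimiting | Format-List Mode, ResponsesPerSec, ErrorsPerSec

# --- 4. Verify through the local server --------------------------------------
# "Refresh the browser" after a failed lookup is answered from the server's own
# cache (negative answers are cached too), so flush it before repeating a test.
Clear-DnsServerCache -Force
Resolve-DnsName -Name www.example.com -Type A -Server 127.0.0.1 -DnsOnly
```

A home server sitting behind NAT is normally not reachable on port 53 from the internet, but step 3 is cheap to check and is what keeps a recursive resolver from being abused if a port forward is ever added by mistake.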


#1. Root hints are basically a last resort. The root-hint servers are not designed to take the entire load from the internet.

a) Performance. The closer the DNS server is to you, the faster the response times. So your local ISP's DNS should be good. Also, Google's DNS (8.8.8.8 and 8.8.4.4) is widely used.

b) As long as you use your ISP's or Google's DNS servers, you should be good to go. Using weird third-party DNS-workaround servers is not a good idea. After all, DNS servers possess the ability to direct your request anywhere they want you to go (if they are not to be trusted).

#2. DNS servers are used in the order they appear, just as you suggest. And it is only after a timeout (the value at the bottom of the Forwarders page) that the next server is used.

All DNS servers are supposed to have the same information. If one DNS server does not return the same response as the other DNS servers do, they are not in sync, and you should wait for the sync to complete (it can take up to 24 hrs). Or something is not configured correctly.

You say:

Quote

I would want the queries to jump from one forwarder to the next so in case a query fails (but not because that particular forwarder is down)

This is not the way DNS works. If a query fails, e.g. because a record does not exist, the record does not exist. If you ask another DNS server and get a different response, the DNS servers are not in sync, and that's an error.

So, bottom line: all DNS servers should be in sync at all times.

 

Br, Bjorn

Thanks for the response.

I recently ran into a situation in which everyone on my network was unable to access any Yahoo! website. You can ping it and it does return a response (so somehow, DNS appears to be resolving it), but the browser just keeps trying to load the page forever. Too bad I didn't take note of the actual error it was returning.

Anyway, switching to a different DNS provider solved this issue. I may be wrong, but I think I was using a couple of Level 3's public DNS servers. This was OK for months, and the issue with Yahoo! just started a few days ago. Also, my brother couldn't log in to Ubisoft/UPlay when using Google's DNS (8.8.8.8), but it works fine with Cloudflare (1.1.1.1).

Is there any way to get around these issues that I have control over?


Hmm. I've never experienced DNS errors like the ones you are describing. I would try to diagnose a bit further.

E.g.:

nslookup some-uplay-server-name.com

and see what that returns. Maybe there is something that blocks access on your brother's computer for some reason due to weird traffic, etc. (just random thoughts).

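The nslookup check above, carried a step further so it answers the two things the Yahoo!/UPlay symptoms raise: do the configured forwarders actually return the same answer for the name, and does the address you get back accept HTTPS connections? A successful ping says nothing about TCP 443, which is what "the page loads forever" depends on. This is an added diagnostic, not part of the thread; www.example.com stands in for the failing host name, and the resolver list is the one from the first post. It runs from any Windows client on the LAN with the built-in DnsClient and NetTCPIP modules.

```powershell
# Added diagnostic, not from the thread. Windows PowerShell 5.1 or later.
# $HostName is a placeholder: put in the name that fails to load.
$HostName  = 'www.example.com'
$Resolvers = @('8.8.8.8', '8.8.4.4', '1.1.1.1')   # ask each forwarder directly

$results = foreach ($r in $Resolvers) {
    try {
        # -DnsOnly skips LLMNR/NetBIOS; -NoHostsFile ignores the local hosts file,
        # so the answer really comes from $r and nothing else.
        $rec = Resolve-DnsName -Name $HostName -Type A -Server $r `
                   -DnsOnly -NoHostsFile -ErrorAction Stop
        $a = ($rec | Where-Object QueryType -eq 'A' |
                     Select-Object -ExpandProperty IPAddress | Sort-Object) -join ','
        $c = ($rec | Where-Object QueryType -eq 'CNAME' |
                     Select-Object -ExpandProperty NameHost) -join ' -> '
        [pscustomobject]@{ Resolver = $r; Status = 'OK'; CNAME = $c; A = $a }
    } catch {
        # NXDOMAIN, SERVFAIL and timeouts all land here; the message says which.
        [pscustomobject]@{ Resolver = $r; Status = $_.Exception.Message; CNAME = ''; A = '' }
    }
}
$results | Format-Table -AutoSize

# Resolvers returning different A records for a big site is not by itself an
# error: CDNs answer by client location (geo DNS / EDNS Client Subnet), and
# Google and Cloudflare sit in different places. What matters is whether the
# address you were handed actually serves HTTPS. ICMP echo proves nothing
# about TCP 443, which is exactly the "ping works, browser hangs" symptom.
$addrs = $results | Where-Object Status -eq 'OK' |
         ForEach-Object { $_.A -split ',' } | Where-Object { $_ } | Sort-Object -Unique
foreach ($ip in $addrs) {
    $t = Test-NetConnection -ComputerName $ip -Port 443 -WarningAction SilentlyContinue
    '{0,-16} TCP/443 {1}' -f $ip, $(if ($t.TcpTestSucceeded) { 'open' } else { 'BLOCKED or unreachable' })
}
```

Reading the output: a SERVFAIL from one resolver and an answer from another points at that resolver (or at a DNSSEC-signing problem on the zone that only a validating resolver notices); identical answers with TCP/443 closed points at the path to the site, not at DNS; and a CNAME chain that ends somewhere unexpected from only one resolver is the case where Bjorn's "not to be trusted" warning applies.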
