What is the general opinion on the use of 4.2.2.2 and 4.2.2.1 as forwarders?
Is this recommended or not? I suppose it depends on how close you are to
these servers, but I was looking for a more general recommendation. The
reason I ask is that I have a few clients using these as forwarders and I
have seen numerous instances where certain domains, primarily Microsoft ones,
failed to resolve. Has anyone else seen issues with these DNS servers? Any
opinions on their usage?
You should never use external DNS servers on the NIC configuration in your
domain machines. Use only domain internal DNS servers and configure the FORWARDERS
in the DNS server properties of the DNS management console.
Although you are correct that domain clients should use the domain dns
servers only for name resolution, you didn't answer the underlying question
of 4.2.2.2 and 4.2.2.1 as reliable forwarders. These two servers are owned
by Verizon Trademark Services LLC, so the question is, do you trust Verizon
to provide accurate forwarding information?
Personally, I don't use forwarders. I'd rather let the root servers do
their jobs. The time saved by using forwarders is miniscule, especially
when you realize that the bulk of the time it takes to download a web-page
is the actual transfer of data from the web server.
Why are you using forwarders at all, why not let your DNS servers do the
lookups themselves?
I've used 4.2.2.2 for years as a second in the list forwarder. It works
fine. You can test it with nslookup using the -d2 option. I use another one
as the first, but I do not want to post it in the forum. You can use
4.2.2.2, 4.2.2.1, as well as 4.2.2.3.
I never used this as forwarders. So i can not tell you about this special
DNS servers or Verizon. The advantage of using forwarders, especially if
you have a big network, with lot's uf users using the internet, you bring
the load to the DNS server outside your network, if you use root hints, the
domain DNS server does the complete work.
My thinking here is that if your organization is large enough that your
DNS traffic is significant enough to care about, you should probably
have all of your internal DNS servers using forwarders, pointing to DNS
servers in an edge role that perform your own DNS lookups.
If you don't have enough DNS load to justify dedicated resolvers you
probably don't have enough load that you'll even notice the difference
if your internal DNS does all resolution without forwarders.
You could rely on your ISP, but frankly, DNS is far too critical to
trust someone outside, and ISPs don't seem to stress much about broken
DNS. My experience has been that broken or overloaded DNS servers are
fairly common, DNS at connectivity providers is often treated as a "set
it and forget it", with the only troubleshooting being an occasional
reboot. This also doesn't count the ISPs that think it's a smart idea
to replace NXDOMAIN results with their own IPs that offer advertising on
port 80.
Meinolf has already answered your question. IF you want your DNS server to
perform the heavily lifting go for it. Many people use their ISP DNS as their
forwarders.
Forwarders and root hints can be uses together (win03-08) as redundancy,
fist forwarders and if it fails root hints second. If you are running one or
two DC’s for small client the DNS traffic is not such a big deal. If your DNS
servers getting pounded over thousands recursive queries the heavy listing
start into consideration.
http://support.microsoft.com/kb/291382
The root hint server can provide a level of redundancy in exchange for
slightly increased DNS traffic on your Internet connection. Windows Server
2003 DNS will query root hints servers if it cannot query the forwarders.
IF the network is in secure premises government etc, the security will tell
you where to point it too and you have no choice anyway
I've used 4.2.2.1 as tertiary and also when I'm at a client's site
and the ISP's DNS servers are unknown. I've never had issues. I'd
rather use the ISP's DNS servers as they are many less hops away
therefore the response should be faster, but not always depending on
the load of the ISP's DNS servers (Some of my clients have terrible
ISP's). Also, I've been a small fan of opendns.com which I use as a
forwarder for my home network. It blocks many malware/spyware sites.
I'm unsure if they are tracking my browsing habits by storing my DNS
requests but I don't really care as it's my home network.
Member
If you use external DNS servers in your domain, you won't be able to access the intranet sites, exchange servers etc..
Posting Permissions
Reply With Quote
Bookmarks