Recursive VS Open DNS

Good answers but I still don't get it. Do I have to have 2 DNS servers
then? One to be authoritative for my websites, email server and then
another to be recursive for my internal network? I have looked for a DNS
layout/design setup but can't find one anywhere. I'm getting ready to
switch to a Windows 2003 network so I would like to set it up correctly.

Right now my clients have their primary DNS setting pointing to my
Authoritative DNS server (which is set to be NOT recursive) so that really
doesn't make any sense at all because the clients are really get the
recursive lookup from the secondary DNS setting.

It really looks like I need 4 DNS servers. 2 to be authoritative for my
websites, email server. And then 2 to be my internal Primary and Secondary
DNS that I set my clients to use. So these will be recursive and Open. Is
that what I have to do???

Thanks again.


"Kevin D. Goodknecht Sr. [MVP]" wrote in message

> Read inline please.
>
> In news:um38G0kKIHA.1324@TK2MSFTNGP06.phx.gbl,
> Bob Dole typed:
>> How do you make a DNS server recursive without ending up also making
>> it an Open DNS????
>
> In short, you can't, the reason for disabling recursion is to prevent it
> from being used as a non-authoritative resolving DNS and slowing its
> response time for Authoritative queries. If it is heavily loaded resolving
> other domains, it may not respond quickly enough for authoritative
> queries.
>
>>
>> If you turn Recursive off, that also turns off DNS Forwarding.
>
> That is correct.
>
>>
>> All my DNS does is answer quires from the internet. How can I get it
>> to be recursive???
>
> By clearing the "Disable recursion" checkbox on the Advanced tab.
> If this DNS server doesn't need to resolve queries it is not Authoritative
> for, then you can leave recursion disabled.
>
>
>
> --
> Best regards,
> Kevin D. Goodknecht Sr. [MVP]
> Hope This Helps
>
> ===================================
> When responding to posts, please "Reply to Group"
> via your newsreader so that others may learn and
> benefit from your issue, to respond directly to
> me remove the nospam. from my email address.
> ===================================
> http://www.lonestaramerica.com/
> http://support.wftx.us/
> http://message.wftx.us/
> ===================================
> Use Outlook Express?... Get OE_Quotefix:
> It will strip signature out and more
> http://home.in.tum.de/~jain/software/oe-quotefix/
> ===================================
> Keep a back up of your OE settings and folders
> with OEBackup:
> http://www.oehelp.com/OEBackup/Default.aspx
> ===================================
>
>
 >> Stay informed about: Recursive VS Open DNS 

Read inline please.

In news:%23QU0nMlKIHA.5764@TK2MSFTNGP06.phx.gbl,
Bob Dole typed:
> Good answers but I still don't get it. Do I have to have 2 DNS
> servers then?
Yes.

> One to be authoritative for my websites, email server
> and then another to be recursive for my internal network?
Yes.

> I have
> looked for a DNS layout/design setup but can't find one anywhere.
> I'm getting ready to switch to a Windows 2003 network so I would like
> to set it up correctly.

Here is the main thing you have to look at, your internal network must have
a DNS server that can resolve internet names and resolve servers on the
internal network to the local IP addresses. If you also want to host your
own public zones, that DNS server must return only IP addresses that can be
used by internet users. If your DNS returns records that have internal IPs,
your sites and servers will not be available.

>
> Right now my clients have their primary DNS setting pointing to my
> Authoritative DNS server (which is set to be NOT recursive) so that
> really doesn't make any sense at all because the clients are really
> get the recursive lookup from the secondary DNS setting.
>
> It really looks like I need 4 DNS servers. 2 to be authoritative for
> my websites, email server. And then 2 to be my internal Primary and
> Secondary DNS that I set my clients to use. So these will be
> recursive and Open. Is that what I have to do???

RFCs require at least two DNS servers for public domains. It doesn't mean
you need two DNS servers, but you need someone to host Secondary zones for
you it you don't. It is wise to have someone else host Secondary zones and a
backup mail server so that if your link goes down you're not dead in the
water without a row. Some ISPs will do this for you, whether yours does or
not you'll need to drop them a line to find out. As for whether you actually
need two internal DNS servers for your clients, that depends on how many
clients you have and how important it is to you to have internal redundancy.


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
 >> Stay informed about: Recursive VS Open DNS 

BD> How do you make a DNS server recursive without ending up
BD> also making it an Open DNS????

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/proxy-server-ip-
addresses.html>

BD> All my DNS does is answer quires from the internet.
BD> How can I get it to be recursive???

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-server-
roles.html>
<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-obtaining-
proxy-service.html>

If that is all that your DNS server does, turning off recursion is
entirely correct.
 >> Stay informed about: Recursive VS Open DNS 

"Bob Dole" wrote in message

> Good answers but I still don't get it. Do I have to have 2 DNS servers
> then?

Perhaps, but in general for a small Internet presence (anyone asking this
question or struggling with the issue) you really SHOULD have your
PUBLIC DNS handled by the REGISTRAR (GoDaddy, Register.com etc.)

You shouldn't be running it yourself for the reason you have seen and
also because technically it is an Internet "Business Rule" that you have
(at least) TWO PUBLIC servers anyway -- which makes 3 or 4 as
the minimum.

The registrar will give you the 2 public ones for free in almost all cases
and let you manage YOUR settings in a nice web interface.

> One to be authoritative for my websites, email server and then another to
> be recursive for my internal network?

Yes. You run the internal ones, let the Registrar provide the external
ones.

> I have looked for a DNS layout/design setup but can't find one anywhere.
> I'm getting ready to switch to a Windows 2003 network so I would like to
> set it up correctly.
>
> Right now my clients have their primary DNS setting pointing to my
> Authoritative DNS server (which is set to be NOT recursive) so that really
> doesn't make any sense at all because the clients are really get the
> recursive lookup from the secondary DNS setting.
>
> It really looks like I need 4 DNS servers. 2 to be authoritative for my
> websites, email server. And then 2 to be my internal Primary and
> Secondary DNS that I set my clients to use. So these will be recursive
> and Open. Is that what I have to do???


--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com (phone on web site)

If you use LinkedIn then tell me where you know me from when linking:

http://www.linkedin.com/in/herbmartin
 >> Stay informed about: Recursive VS Open DNS 

RM> 5) As a practical consideration, public DNS references should
RM> never be provided from a Windows DNS. Use only ISC BIND,
RM> the reference standard, [...]

That is ridiculous advice that has no basis in fact. There are plenty
of softwares that one can use in place of ISC's BIND; there is zero
reason to recommend using only BIND; and there are indeed good reasons
to use other softwares in place of BIND. Moreover: There is no reason
that, properly oonfigured, Microsoft's DNS server cannot be used to
provide content DNS service to the rest of Internet. It is on an
entirely equal footing with BIND in this regard.

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-monolithic-
server-as-content.html>
 >> Stay informed about: Recursive VS Open DNS 

Actually, each A-D Domain controller should also be a DNS server.

DNS Architecture is fairly straight-forward, especially if you want any sort
of security.
1) All your interanet hosts should be on their own Top-Level directory and
you should have your own Root. These same hosts should also be on NET10
(10.0.0.0/.
2) All access to the public Internet should be via NAT gateways.
3) Access to your Intranet, from a sister site, should be via VPN tunnels
and they should share the same NET10 domains.
4) Internet services should only be via heavily firewalled, dual-port,
perimeter servers.
5) As a practical consideration, public DNS references should never be
provided from a Windows DNS. Use only ISC BIND, the reference standard,
preferably on a isolated, from your intranet, Linux untility server, using
ICANN root zone (okay, color me paranoid).
6) Internal root zone can be served from Windows DNS, no problem, including
any internal top-level domains that you need. These same DNS servers can
also handle all your internal DNS resolution needs. It's mostly a
configuration issue.
7) These same internal TLD DNS servers should only be available to your
intranet, on NET10, and in no way be accessible from the public internet.

What the above does is essentially bypass the root-servers.net system,
substituting your own root for them and resolves directlly to
gtld-servers.net. Your own ISP becomes irrelevent and even redundant. Don't
forget to adjust in-addr.arpa as well. Someday, I'll detail this all in one
of my wikis.

"Bob Dole" wrote in message

> Good answers but I still don't get it. Do I have to have 2 DNS servers
> then? One to be authoritative for my websites, email server and then
> another to be recursive for my internal network? I have looked for a DNS
> layout/design setup but can't find one anywhere. I'm getting ready to
> switch to a Windows 2003 network so I would like to set it up correctly.
>
> Right now my clients have their primary DNS setting pointing to my
> Authoritative DNS server (which is set to be NOT recursive) so that really
> doesn't make any sense at all because the clients are really get the
> recursive lookup from the secondary DNS setting.
>
> It really looks like I need 4 DNS servers. 2 to be authoritative for my
> websites, email server. And then 2 to be my internal Primary and
> Secondary DNS that I set my clients to use. So these will be recursive
> and Open. Is that what I have to do???
>
> Thanks again.
>
>
> "Kevin D. Goodknecht Sr. [MVP]" wrote in message
>
>> Read inline please.
>>
>> In news:um38G0kKIHA.1324@TK2MSFTNGP06.phx.gbl,
>> Bob Dole typed:
>>> How do you make a DNS server recursive without ending up also making
>>> it an Open DNS????
>>
>> In short, you can't, the reason for disabling recursion is to prevent it
>> from being used as a non-authoritative resolving DNS and slowing its
>> response time for Authoritative queries. If it is heavily loaded
>> resolving
>> other domains, it may not respond quickly enough for authoritative
>> queries.
>>
>>>
>>> If you turn Recursive off, that also turns off DNS Forwarding.
>>
>> That is correct.
>>
>>>
>>> All my DNS does is answer quires from the internet. How can I get it
>>> to be recursive???
>>
>> By clearing the "Disable recursion" checkbox on the Advanced tab.
>> If this DNS server doesn't need to resolve queries it is not
>> Authoritative
>> for, then you can leave recursion disabled.
>>
>>
>>
>> --
>> Best regards,
>> Kevin D. Goodknecht Sr. [MVP]
>> Hope This Helps
>>
>> ===================================
>> When responding to posts, please "Reply to Group"
>> via your newsreader so that others may learn and
>> benefit from your issue, to respond directly to
>> me remove the nospam. from my email address.
>> ===================================
>> http://www.lonestaramerica.com/
>> http://support.wftx.us/
>> http://message.wftx.us/
>> ===================================
>> Use Outlook Express?... Get OE_Quotefix:
>> It will strip signature out and more
>> http://home.in.tum.de/~jain/software/oe-quotefix/
>> ===================================
>> Keep a back up of your OE settings and folders
>> with OEBackup:
>> http://www.oehelp.com/OEBackup/Default.aspx
>> ===================================
>>
>>
>
 >> Stay informed about: Recursive VS Open DNS