1

We have two forward lookup zones (intranet.com and mayberry.com) that aren't actually registered to us. Sometimes, our MS DNS server forwards the queries for network resources within these domains to OpenDNS, who is our forwarder.

OpenDNS then responds with the IP address of their "Not Found" page, therefore creating a problem until we flush the client's DNS and try again.

Is there any way to ensure that these domains are only resolved by our DNS server? Perhaps a way to block forwards for these domains or only allow an authoritative answer for them?

Thanks for the help!

6 Answers

1

The Microsoft DNS server won't forward requests for domains it's authoritative for. I suspect that you've specified a "secondary" DNS server on your client computers that refers to another DNS server (like, say, OpenDNS) and you're periodically getting resolution from this secondary DNS server.

If you're in an Active Directory environment no domain-joined computer should have any DNS server specified in its NIC properties (either hard-set or delivered via DHCP) that refers to a DNS server that isn't running on one of your domain controllers. Your DNS servers running on your DCs should be resolving external-to-the-forest names either via forwarders to another DNS server, or via root hints.

Edit:

It sounds like you're saying that you have a DNS server specified on the clients that's not a domain controller (i.e. "my gateway").

It's unclear what you mean by "is a slave for DC". Assuming the IP address of the DC is "X.X.X.X", the IP address of the "gateway" specified as a secondary DNS server is "Y.Y.Y.Y", and one of the internal domain names that isn't resolving properly is "foo.com", run the following commands and compare the output:

nslookup foo.com X.X.X.X
nslookup foo.com Y.Y.Y.Y

The output should match. If it doesn't, then the "gateway" is resolving the internal domain name differently than the domain controller and that's your problem.

As long as the "gateway" resolves names exactly like a domain controller it's not a problem to use it as a secondary DNS server. If it doesn't resolve names exactly the same way, though, you shouldn't be using it as a secondary DNS server. Every time you add an AD-integrated DNS zone to your DC you'll need to configure the "gateway" to resolve names in that zone the same way.

Evan Anderson
  • I agree. As long as the zones are entered on all of the DNS servers, MS DNS shouldn't look elsewhere for the answer. There must be something else in play. – Scott Forsyth Dec 19 '09 at 23:20
  • re: no domain-joined computer should have any DNS server specified in its NIC properties... -- I have only one DC and I push through DHCP my gateway as secondary DNS (which is a slave for the DC and a forwarder). – blank3 Dec 21 '09 at 10:03
  • @blank3: I'll drop on an edit asking for some clarification. – Evan Anderson Dec 21 '09 at 15:44
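The comparison Evan Anderson describes (ask the DC and the "gateway" the same question and see whether they agree) can be automated, and the raw response also tells you something nslookup's default output hides: whether the answer carried the AA (authoritative answer) flag, and whether a server returned an address for a name the authoritative server says does not exist, which is what NXDOMAIN rewriting by an upstream forwarder looks like. The following Python script is an added example, not code from the thread or from Microsoft; it builds and parses A-record queries itself so it needs no third-party module. The function and variable names, the sample names under intranet.com, and the address 203.0.113.80 (a documentation-range placeholder standing in for the forwarder's "Not Found" page) are all assumptions for the example.

```python
import socket
import struct
import sys

# Query/response framing for A records only; enough to compare what two
# resolvers say about one name (hypothetical helper code, not from the thread).

def _encode_name(name):
    """Encode a dotted name in DNS wire format."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qid=0x1234):
    """Minimal DNS query: one question, type A, class IN, recursion desired."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", 1, 1)

def _read_name(msg, off):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:              # compression pointer
            if end is None:
                end = off + 2
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)

def parse_response(msg):
    """Return the AA flag, RCODE and sorted A-record addresses of a response."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                            # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"authoritative": bool(flags & 0x0400),
            "rcode": flags & 0x000F,        # 0 = NOERROR, 3 = NXDOMAIN
            "addresses": sorted(addrs)}

def build_response(name, flags, addrs, qid=0x1234):
    """Construct a response packet (used only for the offline sample data below)."""
    header = struct.pack("!HHHHHH", qid, flags, 1, len(addrs), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b""
    for a in addrs:                         # 0xC00C points back at the question name
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        answers += bytes(int(o) for o in a.split("."))
    return header + question + answers

def query(server, name, timeout=2.0):
    """Send the query over UDP to one server and parse what comes back."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return parse_response(data)

def diagnose(primary, secondary):
    """Compare two parsed answers for the same name; empty list = consistent."""
    findings = []
    if not primary["authoritative"]:
        findings.append("primary did not answer authoritatively (is the zone hosted there?)")
    if (secondary["rcode"], secondary["addresses"]) != (primary["rcode"], primary["addresses"]):
        findings.append("secondary disagrees with primary: %s vs %s" % (secondary, primary))
    if primary["rcode"] == 3 and secondary["rcode"] == 0 and secondary["addresses"]:
        findings.append("secondary returned an address for a name the primary says does not exist")
    return findings

# Constructed sample: the DC answers NXDOMAIN authoritatively (flags 0x8583);
# the gateway hands back a placeholder "not found" address without AA (0x8180).
SAMPLE_DC = parse_response(build_response("nosuch.intranet.com", 0x8583, []))
SAMPLE_GW = parse_response(build_response("nosuch.intranet.com", 0x8180, ["203.0.113.80"]))

if __name__ == "__main__":
    name, dc, gw = sys.argv[1:4]            # e.g. foo.intranet.com X.X.X.X Y.Y.Y.Y
    for line in diagnose(query(dc, name), query(gw, name)) or ["servers agree"]:
        print(line)
```

Run it as `python compare_dns.py foo.intranet.com X.X.X.X Y.Y.Y.Y` against a real pair of servers; an empty finding list means the secondary is safe to hand out via DHCP, while a "returned an address for a name the primary says does not exist" finding is the forwarder's rewritten NXDOMAIN that the question describes. Checking the AA flag on the primary is the cheap way to confirm the zone really is hosted on the server the clients are meant to trust.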
0

If OpenDNS is returning an answer (its "Not Found" page) instead of saying there's no answer then it is speaking lies, but you cannot control that.

If your DNS server is authoritative for a domain (a zone), it will only return what it knows. I've never seen any DNS server forward requests when it is authoritative.

If your client has multiple DNS servers that include your DNS servers and also other DNS servers, then it is possible for the client to pick one of those other servers and thus get back answers when your servers would have said "no name" or similar.

All of the above is true for all DNS servers, MSFT or otherwise.

Beau Geste
0

You can turn that feature off (somewhat) in your OpenDNS control panel, or change to a forwarder that doesn't do that. Google DNS works well (reportedly), or you could just run your own recursive server that doesn't rely on an upstream.

Bill Weiss
0

Whilst changing your forwarders to ones that don't do NXDOMAIN rewriting may achieve your ends, that would only be addressing the symptoms of the problem and not the root cause.

To fix the root cause you need to prevent MS DNS from forwarding queries for your internal domains offsite.

If that proves to be impossible, there are several nameservers that will happily (and reliably) serve local data authoritatively, whilst forwarding queries for other domain names offsite.

My personal favourites are BIND and Unbound, both of which are available for Windows servers.

Alnitak
0

This seems to be a name resolution issue in your DNS server. For some reason, when someone queries your DNS server for addresses in the two zones above, your DNS server is replying with 'I don't know, go ask OpenDNS'. This could be caused by your forward lookup zones not being completely current with all of the addresses in the two domains in your question. I would compare your zone listings with their domains to ensure that your information is current.

You can do a bit of double redundancy to allow for multiple query paths for the domains in question. You have a couple of forward look-up zones, and that is good, but if those domains have their own DNS Servers you might also try putting forwarders into your DNS server specifically for those domains.

If you go to the forwarders tab in DNS you can hit the 'New' button under the 'DNS Domain' box and add a specific entry for the domains you are trying to hit. This will add those entries under the 'For all other DNS domain' listing. You can then go to each one and specify the IP address of a DNS server in those domains.

Laranostz
-4

Yeah, use a real DNS server (instead of MS).

Florin Andrei
  • -1, that's not very helpful. This isn't Slashdot. – ThatGraemeGuy Dec 18 '09 at 19:58
  • it's actually a sane answer, although it could have been put better. A "real" DNS server (e.g. BIND or unbound) would allow you to configure authoritative answers for your local zones whilst forwarding queries for other zones to offsite recursive servers. – Alnitak Dec 18 '09 at 20:17
  • @Alnitak: And the Microsoft DNS server doesn't allow you to do that how? What you're saying sounds like "BIND lets you host forward lookup zones and use forwarders", which the MS DNS server does, too. Aside from a lack of "views", Microsoft's DNS server has a pretty reasonable set of functionality. For the average DNS server on a LAN serving recursive resolution requests for client computers it does fine. – Evan Anderson Dec 19 '09 at 13:42
  • @Alnitak MS DNS will allow you to do the same thing. – phoebus Dec 19 '09 at 16:10