DNS Forwarders

Hi there,

I have 2 DNS servers in DMZ that are set as Forwarders to the internal DNS servers

both servers are running Windows Server 2012 R2 - Standard, with up-to-date patches

In these 2 DMZ servers, I have set my ISP forwarders (lets say ISP-01 & ISP-02)

I want to restrict these DMZ servers to use ISP-01, and use ISP-02 only if ISP-01 fails

I have disabled Round Robin and increased the query timeout to 10 seconds, but queries are still sent to ISP-02

I used Microsoft Message Analyzer to capture the traffic and view DNS queries

Is there a way to achieve this and use Forwarders as a Primary/Secondary scenario?

This is a requirement from my ISP, because ISP-02 is in a DR site and should be used only when required

August 23rd, 2015 3:37am

Hi Ghazwan,

Enabling/disabling round robin won't make a difference here. When a query is made for a record which is listed in the DNS zone a number of times, enabling round robin (enabled by default) allows the DNS server to provide the IPs to the client in a round robin way (cycling through the IPs that are applicable for that subnet if subnet mask ordering is enabled). 

What should happen in your case of the forwarders is that the forwarder that is listed at the top of the list of forwarders should be used first and if it doesn't respond, the DNS server should move on to the next forwarder. By default the DNS server will wait for 5s before failing the query to the forwarder and moving on to the next one. There's more information here: https://technet.microsoft.com/en-us/library/cc757172(v=ws.10).aspx

What I suspect is happening is that either ISP-02 is listed above ISP-01 or ISP-01 is not responding in time and this is why it fails over to using ISP-02. The first you can confirm by reviewing your forwarder list and the second you can test by either using Message Analyzer or DNS logging on the server.

Let me know how you get along!

Mark

August 23rd, 2015 8:24pm
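The two checks Mark suggests (forwarder order and whether ISP-01 answers in time) can be done from the DMZ server itself with the DnsServer module. This is an added example, not code from the thread or from Microsoft; it assumes the DnsServer cmdlets that ship with Windows Server 2012 R2 and uses 192.0.2.1 / 192.0.2.2 (RFC 5737 documentation addresses) as stand-ins for ISP-01 / ISP-02. The function name Test-ForwarderLatency and the probe name www.example.com are my own choices.

```powershell
# Added example (not from the thread). Run on the DMZ DNS server.
# Assumed: DnsServer module present; ISP-01 = 192.0.2.1, ISP-02 = 192.0.2.2.
Import-Module DnsServer

$isp01 = '192.0.2.1'   # primary forwarder (assumed address)
$isp02 = '192.0.2.2'   # DR-site forwarder, should only be used on failover (assumed address)

# 1. What the server actually has. IPAddress is an ordered list: the first entry is
#    tried first. Timeout is the number of seconds the server waits on a forwarder
#    before moving to the next one (5 by default).
$fwd = Get-DnsServerForwarder
'Forwarder order : {0}' -f ($fwd.IPAddress -join ', ')
'Timeout (s)     : {0}' -f $fwd.Timeout
'UseRootHint     : {0}' -f $fwd.UseRootHint

# 2. Enforce ISP-01 first, ISP-02 second, 10 s per-forwarder timeout.
#    -IPAddress replaces the whole list, so the order given here is the order used.
Set-DnsServerForwarder -IPAddress $isp01, $isp02 -Timeout 10

# 3. Query each forwarder directly and time it. If ISP-01 is slow or unreachable
#    from this host, the server fails over to ISP-02 by design, and the thing to
#    fix is the path to ISP-01, not the forwarder list.
function Test-ForwarderLatency {
    param([string[]]$Servers, [string]$Name = 'www.example.com')
    foreach ($ip in $Servers) {
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            $r = Resolve-DnsName -Name $Name -Type A -Server $ip -DnsOnly -ErrorAction Stop
            $sw.Stop()
            $answers = ($r | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }) -join ','
            [pscustomobject]@{ Forwarder = $ip; Milliseconds = $sw.ElapsedMilliseconds; Result = $answers }
        } catch {
            $sw.Stop()
            [pscustomobject]@{ Forwarder = $ip; Milliseconds = $sw.ElapsedMilliseconds; Result = "FAILED: $($_.Exception.Message)" }
        }
    }
}
Test-ForwarderLatency -Servers $isp01, $isp02 | Format-Table -AutoSize

# 4. Built-in check that each address behaves as a recursive forwarder.
Test-DnsServer -IPAddress $isp01, $isp02 -Context Forwarder
```

Run the latency test a few dozen times over a day rather than once; a single answer in 30 ms says nothing about the occasional 10 s stall that pushes a query to ISP-02. If Resolve-DnsName to ISP-01 fails only from the DMZ host while it works from elsewhere, the DMZ firewall or ACL on UDP/TCP 53 to ISP-01 is the first thing to check.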

Hi Mark,

Thank you for your response and clarification.

The Forwarders are set in the correct order, ISP-01 then ISP-02

Query time out has been set to 10 seconds

How can I confirm that ISP-01 is not responding in time?

Using Message Analyzer and Debug Logging, I can see that it's responding.

I see a few Server Failed responses; are those timed-out queries?

I don't know how to capture/view a timed-out query; help on that would be appreciated.

August 24th, 2015 1:49am

If you enable DNS logging, you can see this. To do this, right click on the server > Properties > Debug Logging tab > tick "Log packets for debugging". From here, tick all the boxes and make sure to tick Details.

Make a query to the DNS server for a record that is not going to be in the DNS cache or clear the cache before you do this. In the DNS log, you should see the incoming query from the client then you should see the server attempt to contact ISP-01 for that record. If it's responding, you'll see this response in the logs. If not, you'll see another attempt made to ISP-02.

August 24th, 2015 3:39am
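The same procedure in PowerShell, with a parser for the log the server writes, so that each outbound query can be matched to the forwarder that received it and to the answer (if any) that came back. A query that appears as a Snd to a forwarder with no matching Rcv is the timed-out case; a Rcv carrying SERVFAIL is a response from that forwarder, not a timeout, which is the distinction asked about above. This is an added example, not code from the thread or from Microsoft. Assumed: the DnsServer module, forwarders 192.0.2.1 (ISP-01) and 192.0.2.2 (ISP-02), log path C:\DnsLogs\dns.log, and that FullPackets is the cmdlet-side switch for the Details checkbox; the sample log lines are constructed in the layout the server uses (US-locale timestamps), not captured from a real server, and the function names are my own.

```powershell
# Added example (not from the thread). Assumed: DnsServer module, ISP-01 = 192.0.2.1,
# ISP-02 = 192.0.2.2, log written to C:\DnsLogs\dns.log.
Import-Module DnsServer

$isp01 = '192.0.2.1'; $isp02 = '192.0.2.2'
$logPath = 'C:\DnsLogs\dns.log'

# GUI equivalents: "Log packets for debugging" = EnableLoggingToFile; the direction,
# protocol and contents boxes = the Boolean switches; "Details" = FullPackets (assumed mapping).
New-Item -ItemType Directory -Path (Split-Path $logPath) -Force | Out-Null
Set-DnsServerDiagnostics -EnableLoggingToFile $true -LogFilePath $logPath -MaxMBFileSize 500 `
    -SendPackets $true -ReceivePackets $true -UdpPackets $true -TcpPackets $true `
    -Queries $true -Answers $true -FullPackets $true

function ConvertFrom-DnsDebugLog {
    # Turns PACKET lines of the debug log into objects. Field layout:
    # date time threadId PACKET packetPtr UDP|TCP Snd|Rcv remoteIp xid [R] Q [flags] qtype qname
    param([string[]]$Lines)
    $rx = '^(?<ts>\S+ \S+ [AP]M) \S+ PACKET\s+\S+ (?<proto>UDP|TCP) (?<dir>Snd|Rcv) (?<ip>\S+)\s+(?<xid>[0-9a-f]{4}) (?<resp>[R ]) Q \[(?<flags>[^\]]*)\]\s+(?<qtype>\S+)\s+(?<qname>\S+)'
    foreach ($line in $Lines) {
        if ($line -notmatch $rx) { continue }
        [pscustomobject]@{
            Time       = [datetime]::Parse($Matches['ts'], [cultureinfo]::InvariantCulture)
            Dir        = $Matches['dir']
            Ip         = $Matches['ip']
            Xid        = $Matches['xid']
            IsResponse = ($Matches['resp'] -eq 'R')
            Rcode      = ($Matches['flags'].Trim() -split '\s+')[-1]       # NOERROR, SERVFAIL, NXDOMAIN ...
            Name       = ($Matches['qname'] -replace '\(\d+\)', '.').Trim('.')  # (3)www(7)example(3)com(0) -> www.example.com
        }
    }
}

function Get-ForwarderTrace {
    # For every query the server sent to a forwarder, find the answer from the same
    # forwarder with the same transaction id. None = timed out; SERVFAIL = answered, badly.
    param([object[]]$Packets, [string[]]$Forwarders)
    $sent = $Packets | Where-Object { $_.Dir -eq 'Snd' -and -not $_.IsResponse -and $Forwarders -contains $_.Ip }
    foreach ($q in $sent) {
        $a = $Packets | Where-Object { $_.Dir -eq 'Rcv' -and $_.IsResponse -and $_.Ip -eq $q.Ip -and $_.Xid -eq $q.Xid -and $_.Time -ge $q.Time } | Select-Object -First 1
        $outcome = if ($a) { $a.Rcode } else { 'NO RESPONSE (timed out)' }
        $seconds = if ($a) { [math]::Round(($a.Time - $q.Time).TotalSeconds, 3) } else { $null }
        [pscustomobject]@{ Sent = $q.Time; Forwarder = $q.Ip; Name = $q.Name; Xid = $q.Xid; Outcome = $outcome; Seconds = $seconds }
    }
}

# Constructed sample (not a real capture): ISP-01 never answers the first query, so after
# the 10 s timeout the server re-sends it to ISP-02; the second query is answered by ISP-01
# at once; the third gets SERVFAIL from ISP-01.
$sample = @'
8/24/2015 1:49:02 AM 0A3C PACKET  0000000001A2B3C0 UDP Rcv 10.10.10.5      a1b2   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
8/24/2015 1:49:02 AM 0A3C PACKET  0000000001A2B3C0 UDP Snd 192.0.2.1       0f3e   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
8/24/2015 1:49:12 AM 0A3C PACKET  0000000001A2B3C0 UDP Snd 192.0.2.2       0f3e   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
8/24/2015 1:49:12 AM 0A3C PACKET  0000000001A2C4D0 UDP Rcv 192.0.2.2       0f3e R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
8/24/2015 1:49:12 AM 0A3C PACKET  0000000001A2B3C0 UDP Snd 10.10.10.5      a1b2 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
8/24/2015 1:49:30 AM 0A3C PACKET  0000000001A2D5E0 UDP Snd 192.0.2.1       7c21   Q [0001   D   NOERROR] A      (4)mail(7)example(3)com(0)
8/24/2015 1:49:30 AM 0A3C PACKET  0000000001A2E6F0 UDP Rcv 192.0.2.1       7c21 R Q [8081   DR  NOERROR] A      (4)mail(7)example(3)com(0)
8/24/2015 1:49:45 AM 0A3C PACKET  0000000001A2F700 UDP Snd 192.0.2.1       9d44   Q [0001   D   NOERROR] A      (3)ftp(7)example(3)com(0)
8/24/2015 1:49:45 AM 0A3C PACKET  0000000001A30810 UDP Rcv 192.0.2.1       9d44 R Q [8082   DR  SERVFAIL] A      (3)ftp(7)example(3)com(0)
'@ -split "`r?`n"

Get-ForwarderTrace -Packets (ConvertFrom-DnsDebugLog -Lines $sample) -Forwarders $isp01, $isp02 | Format-Table -AutoSize

# Against the live server: clear the cache so the query must be forwarded, ask for a name
# that cannot already be cached, wait longer than the forwarder timeout, then read the log.
Clear-DnsServerCache -Force
Resolve-DnsName -Name ('probe-{0}.example.com' -f (Get-Random)) -Server 127.0.0.1 -DnsOnly -ErrorAction SilentlyContinue | Out-Null
Start-Sleep -Seconds 12
Get-ForwarderTrace -Packets (ConvertFrom-DnsDebugLog -Lines (Get-Content $logPath)) -Forwarders $isp01, $isp02 | Format-Table -AutoSize
```

On the constructed sample the trace shows three rows for 192.0.2.1 (NO RESPONSE, NOERROR in 0 s, SERVFAIL) and one for 192.0.2.2 (NOERROR), which is exactly the shape to look for in the real log: every row for ISP-02 should be preceded by an ISP-01 row for the same name that either timed out or failed. The timestamp regex assumes the US date format a US-locale server writes; adjust the `ts` group and the parse culture for other locales. Debug logging costs disk and CPU on a busy resolver, so switch it back off with `Set-DnsServerDiagnostics -EnableLoggingToFile $false` once the capture is done.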
