DNS Forwarders

Hi there,

I have 2 DNS servers in DMZ that are set as Forwarders to the internal DNS servers

both servers are running Windows Server 2012 R2 - Standard, with up-to-date patches

In these 2 DMZ servers, I have set my ISP forwarders (let's say ISP-01 & ISP-02).

I want to restrict these DMZ servers to use ISP-01, and use ISP-02 only if ISP-01 fails

I have disabled Round Robin and increased the Query Timeout to 10 seconds, but queries are still sent to ISP-02.

I used Microsoft Message Analyzer to capture the traffic and view DNS queries

Is there a way to achieve this and use Forwarders as a Primary/Secondary scenario?

This is a requirement by my ISP, because ISP-02 is in a DR site and should be used only when required.

August 23rd, 2015 3:36am

Hi Ghazwan,

Enabling/disabling round robin won't make a difference here. When a query is made for a record which is listed in the DNS zone a number of times, enabling round robin (enabled by default) allows the DNS server to provide the IPs to the client in a round robin way (cycling through the IPs that are applicable for that subnet if subnet mask ordering is enabled).

What should happen in your case of the forwarders is that the forwarder that is listed at the top of the list of forwarders should be used first and if it doesn't respond, the DNS server should move on to the next forwarder. By default the DNS server will wait for 5s before failing the query to the forwarder and moving onto the next one. There's more information here: https://technet.microsoft.com/en-us/library/cc757172(v=ws.10).aspx

What I suspect is happening is that either ISP-02 is listed above ISP-01 or ISP-01 is not responding in time and this is why it fails over to using ISP-02. The first you can confirm by reviewing your forwarder list and the second you can test by either using Message Analyzer or DNS logging on the server.

Let me know how you get along!

Mark

August 23rd, 2015 8:25pm

Hi Mark,

Thank you for your response and clarification.

The Forwarders are set in the correct order, ISP-01 then ISP-02

Query time out has been set to 10 seconds

How can I confirm that ISP-01 is not responding in time?

Using Message Analyzer and Debug Logging, I can see that it's responding.

I see a few Server Failed responses; are those timed-out queries?

I don't know how to capture/view a timed-out query; help on that would be appreciated.

August 24th, 2015 1:50am

If you enable DNS logging, you can see this. To do this, right click on the server > properties > debug logging tab > tick log packets for debugging. From here, tick all the boxes and make sure to tick details.

Make a query to the DNS server for a record that is not going to be in the DNS cache or clear the cache before you do this. In the DNS log, you should see the incoming query from the client then you should see the server attempt to contact ISP-01 for that record. If it's responding, you'll see this response in the logs. If not, you'll see another attempt made to ISP-02.

August 24th, 2015 3:43am
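As an added example (not Mark's code or anything from this thread), a small Python parser for the debug log Mark describes: it pairs each query the server sent to ISP-01 with the reply carrying the same XID, and reports SERVFAIL replies, replies slower than the forwarder timeout, and queries that never got a reply at all. The log lines are constructed in the debug-log packet layout, with documentation addresses 203.0.113.1 and 203.0.113.2 standing in for ISP-01 and ISP-02; the timestamp parsing assumes the US date format shown in the sample.

```python
import re
from datetime import datetime

# One PACKET line of the Windows DNS Server debug log (Details enabled). Fields: timestamp,
# thread, PACKET, packet id, protocol, Snd/Rcv, remote IP, XID, "R" only on responses,
# opcode, [flags rcode], qtype, qname.
PACKET_RE = re.compile(
    r"^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) \S+ PACKET\s+\S+ (?:UDP|TCP) "
    r"(?P<dir>Snd|Rcv) (?P<ip>\S+)\s+(?P<xid>[0-9a-fA-F]{4})\s+(?P<resp>R)?\s*Q "
    r"\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)")

# Constructed sample lines; 203.0.113.1 plays ISP-01 and 203.0.113.2 plays ISP-02.
SAMPLE_LOG = "\n".join([
    "8/24/2015 1:50:12 AM 0B3C PACKET  000000B8F6A3F1A0 UDP Snd 203.0.113.1     a1b2   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)",
    "8/24/2015 1:50:13 AM 0B3C PACKET  000000B8F6A3F1A0 UDP Rcv 203.0.113.1     a1b2 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)",
    "8/24/2015 1:50:15 AM 0B3C PACKET  000000B8F6A3F2B0 UDP Snd 203.0.113.1     a1b3   Q [0001   D   NOERROR] A      (4)mail(7)example(3)com(0)",
    "8/24/2015 1:50:15 AM 0B3C PACKET  000000B8F6A3F2B0 UDP Rcv 203.0.113.1     a1b3 R Q [8082   DR  SERVFAIL] A      (4)mail(7)example(3)com(0)",
    "8/24/2015 1:50:20 AM 0B3C PACKET  000000B8F6A3F3C0 UDP Snd 203.0.113.1     a1b4   Q [0001   D   NOERROR] AAAA   (3)ftp(7)example(3)com(0)",
    "8/24/2015 1:50:30 AM 0B3C PACKET  000000B8F6A3F3C0 UDP Snd 203.0.113.2     a1b5   Q [0001   D   NOERROR] AAAA   (3)ftp(7)example(3)com(0)",
    "8/24/2015 1:50:30 AM 0B3C PACKET  000000B8F6A3F3C0 UDP Rcv 203.0.113.2     a1b5 R Q [8081   DR  NOERROR] AAAA   (3)ftp(7)example(3)com(0)",
])

def _readable(qname):
    return re.sub(r"\(\d+\)", ".", qname).strip(".")  # (3)www(7)example(3)com(0) -> www.example.com

def audit_forwarder(log_text, forwarder_ip, timeout_s=10):
    """Pair each query sent to forwarder_ip with the reply carrying the same XID.
    Returns (name, qtype, outcome, seconds); outcome is 'answered', 'late' (reply came
    after timeout_s), 'no response', or the lowercase rcode of a failure (e.g. servfail)."""
    pending, results = {}, []
    for line in log_text.splitlines():
        m = PACKET_RE.match(line)
        if not m or m["ip"] != forwarder_ip:
            continue
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        if m["dir"] == "Snd" and not m["resp"]:
            pending[m["xid"]] = (ts, _readable(m["qname"]), m["qtype"])
        elif m["dir"] == "Rcv" and m["resp"] and m["xid"] in pending:
            sent_at, name, qtype = pending.pop(m["xid"])
            rcode, secs = m["flags"].split()[-1], (ts - sent_at).total_seconds()
            if rcode not in ("NOERROR", "NXDOMAIN"):
                outcome = rcode.lower()
            else:
                outcome = "late" if secs > timeout_s else "answered"
            results.append((name, qtype, outcome, secs))
    # Queries still pending never got a reply: the timed-out case asked about in the thread.
    results.extend((n, t, "no response", None) for _, n, t in pending.values())
    return results
```

Run it over the real dns.log with ISP-01's address; every 'no response' or 'servfail' row is a query the server had to fail over to ISP-02, with the exact time it was sent.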

Hi Ghazwan,

We could also use Network Monitor to analyze the problem. Install it on the DNS server and perform a capture. Check the time when the DNS server sent the query and when it got the response.

Here is the guide for Network Monitor:
https://technet.microsoft.com/en-us/library/cc938655.aspx

Best Regards,

Leo

August 24th, 2015 11:30pm

Thank you Mark

I did as you suggested, and noticed that some queries sent to ISP-01 were either getting Server Failed or no response at all (which I think is a time-out case), so they were sent to ISP-02.

I shared this information with the ISP, and they are also checking and troubleshooting from their side to find out why we are getting these timed-out requests.

August 25th, 2015 11:52pm
