
DNS Best Practices Question


wchull (MIS, US), Jun 14, 2001
For several years now we have had our internal DNS servers forward queries for non-hosted zones to our ISP's forwarder servers. At the time we set this up we were told by someone (can't remember who) that this was a "best practice" to forward to an ISP's forwarder server vs. sending queries to the root servers for name resolution. Now, we have purchased internet services from some sort of bulk provider and our old ISP wants us to stop forwarding queries to their forwarder servers but the bulk provider does not have their own forwarder server. When contacted about the situation, the bulk provider is suggesting that we were told wrong and the real best practice is to forward external zone queries to the roots. Can anyone weigh in on this issue and perhaps point me to some sort of document that spells out the true best practice?
 
We used to point our DNS forwarders to our ISP's DNS servers, but have since moved over to using OpenDNS' DNS servers.

You could use root hints, but I suspect the response time will be slower. ISP/DNS hosts are generally preferable to root hints.

"We can categorically state that we have not released man-eating badgers into the area" - Major Mike Shearer
 
Thanks for the input but I guess I could use a bit of enlightenment regarding OpenDNS. I was on their site a few minutes ago and in reading their blurb I noted the following regarding their "Free" service:

"People frequently ask us how we can offer such a fantastic service without charging a dime. OpenDNS makes money the same way Google and Yahoo do — by showing relevant ads when we show you search results."

So my question is...If I'm an enterprise user it says that all I have to do is point my DNS forwarders to the two IP addresses they have specified. If I do that, how are they delivering the "relevant ads"?



 
To be honest, I've never seen any adverts. It's possible if you were to type in an unknown address and the OpenDNS page popped up, it might show some adverts near the top of the page.



"We can categorically state that we have not released man-eating badgers into the area" - Major Mike Shearer
 
Read the posts in this link...


If you really want to read about DNS best practices, pick up Mark Minasi's Mastering Windows Server 200(x) by Sybex. He devotes about 120 pages to DNS.

Your new ISP does not have their own DNS servers??? Maybe they can't afford a couple of decent servers and you are taxing their ancient underpowered servers... a good part of being an ISP is providing DNS services; flaky outfit.


........................................
Chernobyl disaster..a must see pictorial
 
I am with a K-12 and we use OpenDNS and they are great. Not only do they provide very fast DNS queries, but I use them as a failover content filter for porn, proxy bypass, drugs, etc.
I'm not sure about commercial, but I know for us it's free. I believe they make their money on advertisement: when you mistype a website, it takes you to one of their search pages which has links to sites it thinks you might be trying to go to and related query advertisements, hoping you'll click on them.
 
OK....I'm going back to my original question.....

Regardless of whether you use a forwarder service like OpenDNS for name resolution from a corporate DNS, is anyone aware of what the "Best" or "Approved" practice is?

On several other forums I have received advice to set our name servers to forward to an ISP's forwarder server or to an open forwarder server provided by OpenDNS. On the other hand I've received advice that suggests that forwarders should not be used in a corporate setting and that queries to the roots should always be used. There seem to be good arguments raised for using one or the other, but is there something somewhere that "officially" suggests one method or another, or is this a case where nobody really cares as long as what you're doing meets your own needs?

 
There is nothing "official" that I know of and like you said, they both have their minor pros and cons.

Everyone gets their DNS from servers upstream; sometimes these are the root servers. The number of hops to get to those servers correlates to the delay for your name resolution, which in your case might be acceptable. The closer the DNS server is to you, the faster the resolution if the hop count to the roots is an issue; however, if the local ISP has DNS issues, so will you.

It boils down to what you think serves your company better.
 
cajuntank...

Thanks for the reply.

I have about come to the same conclusion that there is nothing "official" and it just depends on what best meets your needs. In my case we are being forced to change since the bulk internet provider does not have forwarders. Their recommendation to their clients is to go to the roots, but I didn't want to go down that path if I was going to be tarred and feathered by the Internet Police (grin). Thanks again for the feedback.

 
You want to forward to DNS servers from a fairly large ISP to use their servers as a buffer between your system and rogue DNS servers. You want their server to deal with DoS attacks and being redirected via malware. Either way, forwarders or the root hints work, but forwarders are safer, and might be faster, unless you're dealing with a wannabe ISP which can't afford decent servers.



........................................
Chernobyl disaster..a must see pictorial
 
Just a quick update:

I sent mail to ICANN.ORG asking the same question I have had posted on this forum. Here is the response I got back from the Manager, Root Zone Services Internet Assigned Numbers Authority via ICANN:

"We don't have a specific reference to a "best practice", but there is no problem for you setting up your own recursive name server rather than using a forwarder. All we recommend is that you take steps to make sure your root hints file is kept up to date — and as long as you use a package like BIND and regularly update it they should automatically provide you with updated hints files. Alternatively, you can download it from
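A small check for the ICANN advice above (an added example, not from the thread or from BIND): given the root hints copy a resolver has loaded and a freshly downloaded one, it parses both in the named.root zone-file layout and reports which root servers were added, removed or re-addressed. The server names and addresses in the samples are constructed placeholders, not the real root servers.

```python
import re

# Constructed sample root hints in BIND's named.root layout; the names and
# documentation-range addresses are placeholders, not the real root servers.
LOCAL_HINTS = """\
; local copy currently loaded by the resolver
.                     3600000  NS    A.EXAMPLE-ROOT.TEST.
.                     3600000  NS    B.EXAMPLE-ROOT.TEST.
A.EXAMPLE-ROOT.TEST.  3600000  A     192.0.2.1
B.EXAMPLE-ROOT.TEST.  3600000  A     192.0.2.2
"""
FRESH_HINTS = """\
; newer copy: B has moved and C has been added
.                     3600000  NS    A.EXAMPLE-ROOT.TEST.
.                     3600000  NS    B.EXAMPLE-ROOT.TEST.
.                     3600000  NS    C.EXAMPLE-ROOT.TEST.
A.EXAMPLE-ROOT.TEST.  3600000  A     192.0.2.1
B.EXAMPLE-ROOT.TEST.  3600000  A     198.51.100.2
C.EXAMPLE-ROOT.TEST.  3600000  A     203.0.113.3
"""

# One record per line: owner, TTL, optional class, type, rdata.
RECORD = re.compile(r"^(\S+)\s+\d+\s+(?:IN\s+)?(NS|A|AAAA)\s+(\S+)$")


def parse_hints(text):
    """Return {server name: set of glue addresses} for a root hints file.
    ';' comments and blank lines are ignored; names are case-folded."""
    servers = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = RECORD.match(line) if line else None
        if not m:
            continue
        owner, rtype, rdata = m.group(1).lower(), m.group(2), m.group(3).lower()
        if rtype == "NS" and owner == ".":
            servers.setdefault(rdata, set())  # server named; glue may follow
        else:
            servers.setdefault(owner, set()).add(rdata)
    return servers


def hints_drift(local, fresh):
    """Report servers added, removed, or re-addressed between two copies."""
    old, new = parse_hints(local), parse_hints(fresh)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }
```

A non-empty result from hints_drift is the signal to replace the cached file before the resolver priming query starts failing or going to a stale address.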
 