| Author |
Message |
April
Guest
|
Posted:
Tue Jan 04, 2005 6:11 am Post subject:
Using Forwarders |
|
|
Does a forwarding server answer iterative queries, i.e. letting other name
servers use its forwarders, or can it only answer recursive queries from its
client resolvers?
Got this question recently. |
|
|
 |
Roger Abell
Guest
|
Posted:
Tue Jan 04, 2005 8:09 am Post subject:
Re: Using Forwarders |
|
|
The config of a DNS server to use forwarders, and the
config of allowing it to accept iterative only or recursive
queries are two separate, independent config options.
The forwarding server just forwards on the accepted
query and returns the result obtained from its forwarder.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
|
 |
April
Guest
|
Posted:
Tue Jan 04, 2005 9:11 am Post subject:
Re: Using Forwarders |
|
|
The question in this situation actually is, will the forwarding server
answer an iterative request with a recursive response (forwarding)?
|
 |
Herb Martin
Guest
|
Posted:
Tue Jan 04, 2005 10:54 am Post subject:
Re: Using Forwarders |
|
|
| Quote: | "Roger Abell" wrote:
The config of a DNS server to use forwarders, and the
config of allowing it to accept iterative only or recursive
queries are two separate, independent config options.
The forwarding server just forwards on the accepted
query and returns the result obtained from its forwarder.
|
"April" <April@discussions.microsoft.com> wrote in message
news:7BAD1828-1829-4EF0-BB72-616B93E57D42@microsoft.com...
| Quote: |
The question in this situation actually is, will the forwarding server
answer an iterative request with a recursive response (forwarding)?
|
Roger is correct and you are still conflating
a couple of issues: an iterative and a recursive
query are not the same (nor the same issue) as
recursion, forwarding etc.
The former (query type) is how the actual packet
is marked -- whether it requests recursion or not.
Typically clients make their queries this way and
DNS servers which are performing their own
RECURSION do not -- they don't request recursion
since they are doing it themselves.
Whether the queried servers are WILLING to do the
recursion (directly) or forward (to another DNS
server) or merely refuse such requests is actually
a separate issue.
Normally a server will NOT recurse when it receives
an iterative query (nor forward) as it assumes the
requester wants a direct answer or nothing.
However, a server set to disable recursion will not
recurse just because the packet requests it.
BTW, is there some underlying question or problem
you are really trying to solve?
--
Herb Martin
|
 |
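The packet marking discussed in the post above is the RD (recursion desired) bit of the DNS header, and a reply's RA (recursion available) bit shows whether the answering server offers recursion. The Python below is an added example, not part of the original thread: it builds both query types and classifies replies. The name www.example.com, the sample replies and all function names are constructed for illustration.

```python
import secrets
import socket
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODES = {0: "noerror", 2: "servfail", 3: "nxdomain", 5: "refused"}


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, recursion_desired, txid=None):
    """Build an A/IN query; RD set is a recursive query, RD clear an iterative one."""
    if txid is None:
        txid = secrets.randbelow(0x10000)  # unpredictable ID for live queries
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_header(msg):
    """Decode the fixed 12-byte header of a DNS message."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    code = flags & 0x000F
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": RCODES.get(code, "rcode-%d" % code),
            "answers": an, "authority": ns}


def classify(reply):
    """Return (outcome, recursion_available) for a reply."""
    h = parse_header(reply)
    if not h["qr"]:
        raise ValueError("not a response")
    if h["rcode"] != "noerror":
        outcome = h["rcode"]
    elif h["answers"]:
        outcome = "authoritative-answer" if h["aa"] else "non-authoritative-answer"
    elif h["authority"] and not h["aa"]:
        outcome = "referral"  # server pointed elsewhere instead of resolving
    else:
        outcome = "no-data"
    return outcome, h["ra"]


def ask(server, name, recursion_desired, timeout=3.0):
    """Send one UDP query to a DNS server you administer and classify the reply."""
    query = build_query(name, recursion_desired)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise ValueError("transaction ID mismatch")
    return classify(reply)


# --- Constructed sample replies (not captured traffic) ---
A_RR = struct.pack("!HHHIH4s", 0xC00C, 1, 1, 300, 4, bytes([192, 0, 2, 10]))
_NS = encode_name("ns1.example.net")
# 0xC010 points at "example.com" inside the question for www.example.com
NS_RR = struct.pack("!HHHIH", 0xC010, 2, 1, 300, len(_NS)) + _NS


def sample_reply(query, flags, answer=b"", authority=b""):
    """Build a reply that echoes the ID, RD bit and question of `query`."""
    txid, qflags = struct.unpack("!HH", query[:4])
    header = struct.pack("!HHHHHH", txid, QR | (qflags & RD) | flags, 1,
                         1 if answer else 0, 1 if authority else 0, 0)
    return header + query[12:] + answer + authority


def demo():
    """Classify three constructed replies, keyed by the scenario they model."""
    recursive = build_query("www.example.com", True, txid=0x1234)
    iterative = build_query("www.example.com", False, txid=0x1234)
    return {
        "RD=1, server resolves (recursion or forwarding)":
            classify(sample_reply(recursive, RA, answer=A_RR)),
        "RD=0, server lacks the name":
            classify(sample_reply(iterative, RA, authority=NS_RR)),
        "RD=1, server refuses recursion":
            classify(sample_reply(recursive, 5)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

The two queries differ only in the RD bit; everything else about how the reply was produced depends on the server's own settings.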
April
Guest
|
Posted:
Wed Jan 05, 2005 2:59 am Post subject:
Re: Using Forwarders |
|
|
Thanks guys for trying to help.
I believe I'm not confused by the terms, ;-)
Is this statement true?
"A forwarding server will issue a recursive query to the forwarder, after it
cannot find an answer locally, regardless of the original query type sent to the
forwarding server".
I have a design issue at hand and need to clarify this first.
|
 |
Herb Martin
Guest
|
Posted:
Wed Jan 05, 2005 10:26 am Post subject:
Re: Using Forwarders |
|
|
"April" <April@discussions.microsoft.com> wrote in message
news:B9DAC5CC-9A06-4793-906E-166EAA031D13@microsoft.com...
| Quote: | Thanks guys for trying to help.
I believe I'm not confused by the terms, ;-)
|
Good but be quick to ask for clarification or
do what you are doing here and just state it so
we can check for you....
| Quote: | Is this statement true?
"A forwarding server will issue a recursive query to the forwarder, after it
cannot find an answer locally, regardless of the original query type sent to
the forwarding server".
|
Terminology looks fine but that should not happen.
If you query a server with a non-recursive, i.e., iterative,
request, it should neither forward nor perform physical
recursion.
This is part of the confusion between packet/request type
and the server's settings.
A server set to disable serving recursive requests will
(generally) not forward either.
| Quote: | I have a design issue at hand and need to clarify this first.
|
You might just try the design issue to get faster and more
focused help.
You can also call me if you wish....phone number is on
my website: http://www.LearnQuick.Com
--
Herb Martin
|
 |
April
Guest
|
Posted:
Wed Jan 05, 2005 10:31 pm Post subject:
Re: Using Forwarders |
|
|
Just thought that once you set a machine as a forwarding server, its
behavior might get changed when receiving an iterative query. So you are
saying that's not the case?
Thanks for the offer.
|
 |
Herb Martin
Guest
|
Posted:
Wed Jan 05, 2005 11:25 pm Post subject:
Re: Using Forwarders |
|
|
"April" <April@discussions.microsoft.com> wrote in message
news:4F535DD3-BB4E-40BA-97CB-D0BFE9C5EAA7@microsoft.com...
| Quote: |
Just thought that once you set a machine as a forwarding server, its
behavior might get changed when receiving an iterative query. So you are
saying that's not the case?
|
No.
I have said it above but the terms are confusing.
An iterative query really means, "Tell me if YOU
know the answer, otherwise don't bother."
A recursive query says, "Tell me if you know or
if you can find the answer through physical recursion,
or forwarding, or by witchcraft but I really need
you to answer it for me if there is a way that you support."
Now there is a check box on the forwarding server,
on the Forwarders tab below where you set the forwarders,
and it allows you to disable (physical) recursion --
"do not use recursion" is the label I believe -- This
means the forwarding server either KNOWS the answer
or is dependent on the Forwarder DNS to find it.
This setting is GOOD for DCs who should forward ONLY
for names outside the LAN -- forward to the gateway or
ISP DNS and don't even try to recurse (physically) on
their own.
There is another setting in the Advanced tab where it
says "Disable recursion" in Windows 2000, but it really
means Disable the servicing of recursive queries because
it also disables forwarding from this server -- it was so
confusing they changed it in Win2003 to say (something like)
"Disable Recursion including Forwarding."
This latter setting should seldom be used except by those
who really know the precise behavior they wish -- e.g.,
for an INTERNET exposed authoritative server that should
NOT be servicing recursive queries for which it does not
know the answer. In other words, it services its own
zone(s) ONLY.
--
Herb Martin
|
 |
April
Guest
|
Posted:
Thu Jan 06, 2005 12:19 am Post subject:
Re: Using Forwarders |
|
|
Thanks Herb and this answered my question.
Yes you are right on the options you mentioned. They are the same as the
default and "forward only" in a BIND situation:
With default (without that "do not use recursion" box checked), the server
will do forwarding first. If no response comes back in a set time, the
server will do recursion.
With that box checked, it will rely on forwarding only. If nothing comes
back from forwarders, it will tell the resolver with an nxdomain response.
|
 |
April
Guest
|
Posted:
Thu Jan 06, 2005 12:51 am Post subject:
Re: Using Forwarders |
|
|
A comment on this. A forwarding server can only be set up to serve the
client resolvers directly using it. In other words, the forwarding servers
should only be set up on local name servers, or on the ones that normally serve as
"preferred" or "Alternate" name servers for client resolvers. Have not seen
a warning of this limitation on use of forwarding/forwarders, and I believed
this should be mentioned in the training materials.
|
 |
Herb Martin
Guest
|
Posted:
Thu Jan 06, 2005 1:58 am Post subject:
Re: Using Forwarders |
|
|
"April" <April@discussions.microsoft.com> wrote in message
news:7EC539A2-1761-46CE-ACA4-90DDB366ECA7@microsoft.com...
| Quote: |
A comment on this. A forwarding server can only be set up to serve the
client resolvers directly using it. In other words, the forwarding servers
should only be set up on local name servers, or on the ones that normally serve as
"preferred" or "Alternate" name servers for client resolvers. Have not seen
a warning of this limitation on use of forwarding/forwarders, and I believed
this should be mentioned in the training materials.
|
I usually word it the other way around (since that is the
way the vast majority of people mess it up):
1) The internal clients must all use ONLY the internal DNS
server (set) in their NIC->IP properties -- i.e., they must
not use external DNS server or try to mix these.
2) The internal DNS server should (typically) be set to forward
to the gateway or ISP DNS server which will perform the
actual recursion of the Internet namespace from the root down.
3) Remember that servers, including DNS servers and especially
DCs are "DNS clients" too - so rule #1 applies.
Here's my standard AD support for DNS message:
DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
Restart NetLogon on any DC if you change any of the above that
affects a DC and/or use:
nltest /dsregdns /server:DC-ServerNameGoesHere
Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.
--
Herb Martin
| Quote: |
"Herb Martin" wrote:
"April" <April@discussions.microsoft.com> wrote in message
news:4F535DD3-BB4E-40BA-97CB-D0BFE9C5EAA7@microsoft.com...
Just thought that once you set a machine as a forwarding server, it's
behavior might get changed when receiving an iterative query. So you
are
saying that's not the case?
No.
I have said it above but the terms are confusing.
An iterative query really means, "Tell me if YOU
know the answer, otherwise don't bother."
A recursive query says, "Tell me if you know or
if you can find the answer through physical recursion,
or forwarding, or by witchcraft but I really need
you to answer it for me if there is a way that you support."
Now there is a check box on the forwarding server,
on the Forwarders tab below where you set the forwarders,
and it allows you to disable (physical) recursion --
"do not use recursion" is the label I believe -- This
means the forwarding server either KNOWS the answer
or is dependent on the Forwarder DNS to find it.
This setting is GOOD for DCs who should forward ONLY
for names outside the LAN -- forward to the gateway or
ISP DNS and don't even try to recurse (physically) on
their own.
There is another setting in the Advanced tab where it
says "Disable recursion" in Windows 2000, but it really
means Disable the servicing of recursive queries because
it also disables forwarding from this server -- it was so
confusing they changed it in Win2003 to say (something like)
"Disable Recursion including Forwarding."
This latter setting should seldom be used except by those
who really know the precise behavior they wish -- e.g.,
for an INTERNET exposed authoritative server that should
NOT be servicing recursive queries for which it does not
know the answer. In other words, it services its own
zone(s) ONLY.
--
Herb Martin
Thanks for the offer.
"Herb Martin" wrote:
"April" <April@discussions.microsoft.com> wrote in message
news:B9DAC5CC-9A06-4793-906E-166EAA031D13@microsoft.com...
Thanks guys for trying to help.
I believe I'm not confused by the terms, ;-)
Good but be quick to ask for clarification or
do what you are doing here and just state it so
we can check for you....
Is this statement true?
"A forwarding server will issue a recursive query to the forwarder, after it
cannot find an answer locally, regardless of the original query type sent to the
forwarding server".
Terminology looks fine but that should not happen.
If you query a server with a non-recursive, i.e., iterative,
request, it should neither forward nor perform physical
recursion.
This is part of the confusion between packet/request type
and the server's settings.
A server set to disable serving recursive requests will
(generally) not forward either.
I have a design issue at hand and need to clarify this first.
You might just try the design issue to get faster and more
focused help.
You can also call me if you wish....phone number is on
my website: http://www.LearnQuick.Com
--
Herb Martin
"Herb Martin" wrote:
"Roger Abell" wrote:
The config of a DNS server to use forwarders, and the
config of allowing it to accept iterative only or recursive
queries are two separate, independent config options.
The forwarding server just forwards on the accepted
query and returns the result obtained from its forwarder.
"April" <April@discussions.microsoft.com> wrote in message
news:7BAD1828-1829-4EF0-BB72-616B93E57D42@microsoft.com...
The question in this situation actually is, will the forwarding server
answer an iterative request with a recursive response (forwarding)?
Roger is correct and you are still conflating
a couple of issues: an iterative and a recursive
query are not the same (nor the same issue) as
recursion, forwarding etc.
The former (query type) is how the actual packet
is marked -- whether it requests recursion or not.
Typically clients make their queries this way and
DNS servers which are performing their own
RECURSION do not -- they don't request recursion
since they are doing it themselves.
Whether the queried servers are WILLING to do the
recursion (directly) or forward (to another DNS
server) or merely refuse such requests is actually
a separate issue.
Normally a server will NOT recurse when it receives
an iterative query (nor forward) as it assumes the
requester wants a direct answer or nothing.
However, a server set to disable recursion will not
recurse just because the packet requests it.
BTW, is there some underlying question or problem
you are really trying to solve?
--
Herb Martin
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"April" <April@discussions.microsoft.com> wrote in message
news:F69342EA-FB22-4EF1-8386-962B44FE059B@microsoft.com...
Does a forwarding server answer iterative queries, i.e. letting other name
servers use its forwarders, or only it can answer recursive queries, from its
client resolvers?
Got this question recently.
|
April
Guest
|
Posted:
Thu Jan 06, 2005 2:41 am Post subject:
Re: Using Forwarders |
|
|
Excellent stuff!
One thing worth mentioning is that this issue may get its way in a large
enterprise, with DNS servers at different levels. In that case, forwarding
may only be set up at the bottom.
BTW, it seems stub zones behave the same way as forwarding, ignoring all the
non-recursive queries.
"Herb Martin" wrote:
| Quote: | "April" <April@discussions.microsoft.com> wrote in message
news:7EC539A2-1761-46CE-ACA4-90DDB366ECA7@microsoft.com...
A comment on this. Only can a forwarding server be set up to serve the
client resolvers directly using it. In other words, the forwarding servers
should only be set up on local name servers, or on the ones that normally serve as
"preferred" or "Alternate" name servers for client resolvers. Have not seen
a warning of this limitation on use of forwarding/forwarders, and I believed
this should be mentioned in the training materials.
I usually word it the other way around (since that is the
way the vast majority of people mess it up):
1) The internal clients must all use ONLY the internal DNS
server (set) in their NIC->IP properties -- i.e., they must
not use external DNS server or try to mix these.
2) The internal DNS server should (typically) be set to forward
to the gateway or ISP DNS server which will perform the
actual recursion of the Internet namespace from the root down.
3) Remember that servers, including DNS servers and especially
DCs are "DNS clients" too - so rule #1 applies.
Here's my standard AD support for DNS message:
DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
Restart NetLogon on any DC if you change any of the above that
affects a DC and/or use:
nltest /dsregdns /server:DC-ServerNameGoesHere
Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.
--
Herb Martin
|
Herb Martin
Guest
|
Posted:
Thu Jan 06, 2005 3:18 am Post subject:
Re: Using Forwarders |
|
|
"April" <April@discussions.microsoft.com> wrote in message
news:4ABDE69A-37EE-4EFA-8599-C389D1E8EBD1@microsoft.com...
| Quote: |
Excellent stuff!
One thing worth mentioning is that this issue may get its way in a large
enterprise, with DNS servers at different levels. In that case, forwarding
may only be set up at the bottom.
|
Actually, it doesn't work well to use Forwarding
"at the bottom" only -- in fact only the top can
safely forward with only one setting since physical
recursion and forwarding are incompatible except
as a backup method -- i.e., if you don't know WHERE
the address will be resolved it doesn't work for the
internal servers to forward what may be an external
name but could just as easily be an internal name,
and thereby missed if the request goes outside and
comes back NXDomain (that ends the whole recursion.)
I have a way to fix this - I modified the config of the
BIND server to do what amounts to a Negative-Stub,
it returns query denied for the zones I specify so
they get reflected back into the internal DNS server
set (to the Internal root). I use permissions for this.
[Those may not all be the exact technical terms; I
don't do BIND every day but I can hack the source
code when I must -- the above though is straight
bind with no hack.]
The other schemes include cross secondaries (every
DNS holds a secondary for the others in at least its
parent chain) -- this works on Win2000, or cross
stubs and conditional forwarding -- the last two only
working on Win2003.
| Quote: | BTW, it seems stub zones behave the same way as forwarding, ignoring all the
non-recursive queries.
|
Again, I would not say ignoring, but rather "only servicing
them locally".
I am not sure about Stubs, but an argument
can be made (from logic) for either behavior.
--
Herb Martin
| Quote: |
"Herb Martin" wrote:
"April" <April@discussions.microsoft.com> wrote in message
news:7EC539A2-1761-46CE-ACA4-90DDB366ECA7@microsoft.com...
A comment on this. Only can a forwarding server be set up to serve the
client resolvers directly using it. In other words, the forwarding servers
should only be set up on local name servers, or on the ones that normally serve as
"preferred" or "Alternate" name servers for client resolvers. Have not seen
a warning of this limitation on use of forwarding/forwarders, and I believed
this should be mentioned in the training materials.
I usually word it the other way around (since that is the
way the vast majority of people mess it up):
1) The internal clients must all use ONLY the internal DNS
server (set) in their NIC->IP properties -- i.e., they must
not use external DNS server or try to mix these.
2) The internal DNS server should (typically) be set to forward
to the gateway or ISP DNS server which will perform the
actual recursion of the Internet namespace from the root down.
3) Remember that servers, including DNS servers and especially
DCs are "DNS clients" too - so rule #1 applies.
Here's my standard AD support for DNS message:
DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
Restart NetLogon on any DC if you change any of the above that
affects a DC and/or use:
nltest /dsregdns /server:DC-ServerNameGoesHere
Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.
--
Herb Martin
|
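The thread separates how a query packet is marked (recursion requested or not) from what the server is willing to do with it. The sketch below is an added example, not code from any poster: it builds both kinds of query and classifies a server's reply from the header bits alone, which is the check to run against an Internet-exposed authoritative server. The name `www.example.com`, the address `192.0.2.1`, the reply bytes and all function names are constructed for illustration.

```python
import struct

# Header flag bits from RFC 1035 section 4.1.1.
QR = 0x8000  # message is a response
AA = 0x0400  # responder is authoritative for the name
RD = 0x0100  # Recursion Desired: set by the requester, echoed in the reply
RA = 0x0080  # Recursion Available: set by the responder
REFUSED = 5  # rcode, carried in the low four bits of the flags word

def build_query(name, recursive, qid=0x1A2B):
    """Build an A/IN query; `recursive` changes nothing except the RD bit."""
    header = struct.pack("!HHHHHH", qid, RD if recursive else 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "answers": an, "authority": ns}

def classify(query, reply):
    """Say how a server treated a query for a name it does not host."""
    q, r = parse_header(query), parse_header(reply)
    if not r["qr"] or r["id"] != q["id"]:
        raise ValueError("reply does not match the query")
    if r["rcode"] == REFUSED:
        return "refused"
    if r["answers"] and not r["aa"]:
        # With RD set the server went and got the answer (by recursion or by
        # forwarding; the wire format does not say which). With RD clear it
        # could only have come from what the server already held.
        return "resolved-for-requester" if q["rd"] else "answered-from-cache"
    if r["authority"] and not r["answers"]:
        return "referral-only"
    return "no-data"

def sample_reply(query, flags, rrs=b"", answers=0, authority=0):
    """Constructed reply: echoes id, RD and question, then appends `rrs`."""
    qid, qflags = struct.unpack("!HH", query[:4])
    header = struct.pack("!HHHHHH", qid, QR | (qflags & RD) | flags,
                         1, answers, authority, 0)
    return header + query[12:] + rrs

# Constructed records for www.example.com (name pointers are into the question).
A_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
NS_RR = b"\xc0\x18" + struct.pack("!HHIH", 2, 1, 60, 5) + b"\x02ns\xc0\x18"

def demo():
    rec = build_query("www.example.com", recursive=True)
    itr = build_query("www.example.com", recursive=False)
    return {
        "RD=1, server forwards or recurses": classify(rec, sample_reply(rec, RA, A_RR, answers=1)),
        "RD=1, recursion disabled": classify(rec, sample_reply(rec, 0, NS_RR, authority=1)),
        "RD=1, recursion refused": classify(rec, sample_reply(rec, REFUSED)),
        "RD=0, name not held locally": classify(itr, sample_reply(itr, RA, NS_RR, authority=1)),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

A server meant to answer only for its own zones should never produce `resolved-for-requester` for a name outside them when queried from an untrusted network.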