Configuring DNS to Resolve Public Internet Addresses | Microsoft Small Business Server 2003 Unleashed

So how does the DNS Server service provide name resolution for public Internet addresses if both network cards point to the SBS server for DNS resolution? For that, we need to look again at the DNS Management Console.

Using DNS Forwarders in the DNS Management Console

When the DNS Management Console comes up, right-click on the server name and select Properties; then click on the Forwarders tab. The dialog box shown in Figure 5.3 appears. The DNS Domain box should have one entry named All Other DNS Domains. The Selected Domain's Forwarder IP Address List box should have the IP addresses for your ISP's DNS servers listed. You should expect to see this configuration after the Connect to the Internet Wizard has been run on the server.

Figure 5.3. The DNS Management Console displays the DNS forwarder addresses.

As described earlier in this chapter, if the DNS service receives a request for an address that is not in its configuration, it first looks to its internal DNS cache for the address. If one is not found, the DNS Server service then contacts the first IP address listed in the Forwarders section and requests the address from that server. A second DNS server IP is strongly recommended in the case where the first server cannot be contacted for some reason.

Using Root Hints in the DNS Management Console

Being able to use DNS servers provided by the ISP helps reduce the DNS server load. When the DNS server cannot find an address in its local table or local cache, it makes one request to the ISP's DNS server and lets that server do all the lookup work necessary to find the address.

The DNS Server service does not have to use external DNS forwarders, however. The DNS Server service can make use or root hint servers and handle all the lookups itself instead of handing them off to the forwarder. If no IP addresses are listed in the Forwarders tab of the server properties in the DNS Management Console, the DNS server will automatically query the root hint servers listed in the Root Hints tab of the properties window. These root hint servers do not contain any DNS address information themselves, but they do contain addresses for other DNS servers that do provide the address information. When a DNS query comes in to the SBS DNS server for a server on the public Internet, the DNS service first queries the appropriate root hint server to find a DNS server to use to resolve the name; then will sends another query to that server to get the actual address to pass back to the client.

Best Practice: DNS Forwarders Versus Root Hints

General wisdom in the SBS space is to use DNS forwarders for external DNS lookups. This reduces the load on the SBS DNS Server service for doing DNS lookups on the Internet. When the SBS server performs a DNS query for an Internet site by using the DNS forwarders, the SBS DNS Server service only makes one DNS query and relies on the DNS forwarder to do all the lookups necessary to get the IP address and return it to the SBS server.

Some small businesses have found that their ISPs may not provide the most reliable DNS forwarder servers. By configuring the SBS server to use the root hints servers, the SBS DNS Server service does all its own lookups, which may take multiple queries to get the actual IP address. But the root hint servers may be more reliable than the ISP's DNS servers.

The SBS server should be configured to use DNS forwarders as a general practice. But in cases where the ISP's DNS servers are not very reliable, configuring SBS to use the root hint servers is an acceptable alternative.

Recently, there have been security reports concerning DNS poisoning and the problem it can cause when using DNS forwarders. In short, DNS poisoning occurs when a DNS record is replaced with an IP address for a site not hosted by the DNS name owner. This effectively redirects web traffic to a different site for malicious purposes. Outside of ensuring that your ISP keeps its DNS servers patched and up-to-date, the only other workaround is to disable the use of forwarders and let the SBS server use the root hint servers for all DNS lookups. At this time, the SBS community still recommends the use of DNS forwarders but recognizes the threat of DNS poisoning and the use of the root hint servers as an acceptable alternative.