Root Hints Not Working
  • Root Hints Not Working

    We are in the process of migrating to a 2003 functional domain to a 2008 functional domain. The first part of the process was to move all of our 2003 DC/DNS servers to 2008 DC/DNS servers.

    Today, I removed our last 2003 DNS server as the network had been running on the 2008 DNS servers over the past week without a hitch. Once I removed DNS and AD from the last 2003 server, we were then unable to access any internet sites. DNS internally worked fine, but external DNS did not work.

    I finally had to add in forwards to external DNS of our ISP to access the internet.

    Anyone know why I just couldn't use root hints? I never had to put in forwards on the 2003 machines.
    MCITP:SA, MCSA 2003, MCP, CCNA, A+, Net+, Security+

  • #2
    Re: Root Hints Not Working

    Last Wednesday (I believe) all root hints were migrated to DNSSEC. Maybe you have an issue with your firewall.
    I don't think your ISP is using DNSSEC and therefore it works.

    So my recommendation is, check your firewall solution.

    Edit: it happened on May the 5th. Still though I would check your firewall environment.
    Last edited by Dumber; 13th May 2010, 21:11.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"

    • #3
      Re: Root Hints Not Working

      Originally posted by Dumber:
      Last Wednesday (I believe) all root hints were migrated to DNSSEC. Maybe you have an issue with your firewall.
      I don't think your ISP is using DNSSEC and therefore it works.

      So my recommendation is, check your firewall solution.

      Edit: it happened on May the 5th. Still though I would check your firewall environment.

      This is my guess as to what's causing the problem. DNSSEC utilizes UDP DNS packets larger than 512 bytes and many firewalls don't recognize the larger packet size as being legitimate DNS packets and therefore block them. If your firewall can't be reconfigured or updated to support DNSSEC packets then the fix is to do what boondock has done and use forwarders for external DNS resolution.

      • #4
        Re: Root Hints Not Working

        That's what came to my mind as well, but then I thought: even when using forwarders the DNS responses "should" be signed (DNSSEC). One would have thought that most ISPs would have implemented it by now, otherwise their servers' resolver caches (and consequently their clients) would still be vulnerable.

        It could well be that but just in case, is there anything logged in the events? and maybe try to run a packet capture to have a better idea.
        Caesar's cipher - 3

        ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

        SFX JNRS FC U6 MNGR

        • #5
          Re: Root Hints Not Working

          Originally posted by L4ndy:
          That's what came to my mind as well, but then I thought: even when using forwarders the DNS responses "should" be signed (DNSSEC). One would have thought that most ISPs would have implemented it by now, otherwise their servers' resolver caches (and consequently their clients) would still be vulnerable.

          It could well be that but just in case, is there anything logged in the events? and maybe try to run a packet capture to have a better idea.
          I was thinking (maybe incorrectly) that most ISP's would not implement DNSSec because it would cause too many problems for their customers as most SOHO businesses use the ISP's DNS servers either directly or as forwarders.

          • #6
            Re: Root Hints Not Working

            It was a firewall issue. I found the proper commands to alleviate the issue through my firewall manufacturer and all is good. Another question though, how did my 2003 servers work, but my 2008 servers did not?

            If it was a firewall issue, which it appears to be, why did it not break my 2003 DNS?
            • #7
              Re: Root Hints Not Working

              Are your W2K3 servers configured to use the root hints or are they configured to use forwarders? If they're configured to use forwarders then they wouldn't have been affected. Also, this change took effect on May 5th. When was the last time your W2K3 servers were used as DNS servers?

              • #8
                Re: Root Hints Not Working

                We have never used forwarders at our site. We always use root hints.

                The 2K3 servers were last used as late as yesterday morning. We had been running both 2008 and 2003 as DNS over the past 2-3 weeks as we migrated.

                Either way it's working now.

                Last question, I promise. Is there an advantage to using root hints over forwarders? Any security issues?
                • #9
                  Re: Root Hints Not Working

                  As far as there being any advantage to using root hints is concerned, here's how I see it:

                  1. By using the root hints servers you're going right to the "source" without any interdependence on intermediate DNS servers.

                  2. By using the root hint servers you avoid being affected by misconfigured, malfunctioning, stale caching, unreliable, unstable, or unavailable forwarders.

                  So IMHO, those reasons are enough to convince me to not use forwarders at all, unless there's no way around it.

                  • #10
                    Re: Root Hints Not Working

                    About the choice to use the root hints or not, opinions might differ. Both have their advantages and disadvantages.

                    About DNSSEC:
                    DNSSEC support is limited within Windows 2003. In that case it probably fell back to TCP instead of UDP. Although TCP is more reliable, it has much more overhead and is slower than UDP.
                    However, with Windows 2008 DNSSEC is fully supported, so I think that Windows would accept it, but apparently your firewall didn't, just as I thought.

                    Some interesting Microsoft links about this:

                    Using DNS Security Extensions (DNSSEC) Windows 2003
                    http://technet.microsoft.com/en-us/l...8WS.10%29.aspx

                    Distribute Trust Anchors
                    http://technet.microsoft.com/en-us/l...8WS.10%29.aspx

                    DNS Security Extensions (DNSSEC)
                    http://technet.microsoft.com/en-us/l...8WS.10%29.aspx

                    Configure DNSSEC.
                    http://technet.microsoft.com/en-us/l...8WS.10%29.aspx

                    Modify DNSSEC configuration: (DNS)
                    http://technet.microsoft.com/en-us/l...8WS.10%29.aspx


                    Server 2008 and don't forget to read the comments.
                    http://blogs.technet.com/sseshad/arc...windows-7.aspx
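Two mechanics run through posts #3 and #10: an EDNS0 query advertises a UDP buffer larger than the classic 512 bytes (and, with the DO bit set, asks for the RRSIG records that make a signed root priming answer large), and when a responder cannot fit an answer into the buffer it sets the TC bit and the resolver retries the same query over TCP. The Python below is an added example written for this page, not code from the thread, from Microsoft or from any poster. It builds both query forms, parses answers and names which of the three outcomes a resolver is looking at. The sample packets are constructed in the code (no captured traffic; glue addresses come from the documentation range 192.0.2.0/24), and `probe` is the only part that touches the network.

```python
# Added example for this thread (not Microsoft's or the posters' code). Packets below
# are constructed in-line, not captured; only probe() touches the network.
import socket
import struct

OPT_TYPE = 41        # EDNS0 OPT pseudo-RR (RFC 6891)
DO_BIT = 0x8000      # "DNSSEC OK" flag in the OPT TTL field
FLAG_TC = 0x0200     # truncation bit in the DNS header flags

def encode_name(name):
    """Wire-encode a domain name; '.' becomes just the root label."""
    labels = name.strip(".").split(".") if name.strip(".") else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, txid=0x1234, edns=True, do=True, udp_size=4096):
    """Classic query (edns=False): server may send at most 512 bytes over UDP.
    EDNS0 query: advertises udp_size and, with DO set, asks for RRSIG records."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD=1
    pkt = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns:   # OPT RR: root owner, TYPE 41, CLASS = UDP size, TTL = flags, RDLEN 0
        pkt += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, DO_BIT if do else 0, 0)
    return pkt

def tcp_frame(pkt):
    """DNS over TCP prefixes every message with its 16-bit length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(pkt)) + pkt

def _skip_name(data, off):
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def parse_response(data):
    """Header flags, section counts and the EDNS0 UDP size the responder advertised."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4          # QTYPE + QCLASS
    opt_size = None
    for _ in range(an + ns + ar):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            opt_size = rclass                     # CLASS carries the UDP payload size
    return {"id": txid, "tc": bool(flags & FLAG_TC), "rcode": flags & 0xF,
            "answers": an, "additional": ar, "size": len(data),
            "edns_udp_size": opt_size}

def diagnose(resp):
    """What a resolver does with one UDP answer (None: nothing came back)."""
    if resp is None:
        return "timeout: a >512-byte EDNS0 answer dropped by a firewall looks exactly like this"
    if resp["tc"]:
        return "truncated: resolver retries the same query over TCP/53 (see tcp_frame)"
    if resp["size"] > 512:
        return "large UDP answer (%d bytes): the path passes EDNS0 payloads" % resp["size"]
    return "classic-size answer (%d bytes)" % resp["size"]

def constructed_response(txid, truncated, edns_size=None, ns_count=0):
    """Constructed root priming answer ('. NS'), shape only: ns_count NS records,
    one A glue each in the documentation range 192.0.2.0/24, optional OPT record."""
    flags = 0x8180 | (FLAG_TC if truncated else 0)           # QR, RD, RA
    ar = ns_count + (1 if edns_size else 0)
    pkt = struct.pack("!HHHHHH", txid, flags, 1, ns_count, 0, ar)
    pkt += encode_name(".") + struct.pack("!HH", 2, 1)
    names = ["%s.root-servers.net" % chr(ord("a") + i) for i in range(ns_count)]
    for n in names:                  # NS RRs, owner is a pointer to the question name
        rdata = encode_name(n)
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 518400, len(rdata)) + rdata
    for i, n in enumerate(names):    # glue A RRs
        pkt += encode_name(n) + struct.pack("!HHIH", 1, 1, 518400, 4) + bytes([192, 0, 2, 1 + i])
    if edns_size:
        pkt += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_size, DO_BIT, 0)
    return pkt

def probe(server, name=".", qtype=2, edns=True, timeout=3.0):
    """Live check: one UDP query; parsed answer, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, edns=edns), (server, 53))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_response(data)

if __name__ == "__main__":
    # Point this at an address from your DNS server's root hints. A classic query that
    # answers while the EDNS0 one times out means the large UDP reply is being dropped.
    for edns in (False, True):
        print("EDNS0" if edns else "classic", "->", diagnose(probe("a.root-servers.net", edns=edns)))
```

Run it from a host behind the firewall in question, against an address taken from the server's root hints. A classic query that gets an answer (truncated or not) while the EDNS0 query times out is the pattern the thread describes: the root server answered, but the reply larger than 512 bytes never made it through, so the resolver sees a timeout rather than a TC bit and never gets the chance to fall back to TCP.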