Question : A few easy (for an expert) questions about DNS, load balanced IPs, and IP numbers

I am trying to understand the ins and outs of DNS, which is necessary but very hard given my primary role as a developer and the complexity of what I'm trying to set up. My main use for DNS will be to serve redundant website and web application needs rather than clients connecting on an internal network. I have a few questions about DNS as it relates to use with IIS and NLB.

Background: My server's network card has two IPs assigned to it: if you go to TCP/IP settings for the device, you can see two IPs listed. For the first IP, I have set up my own nameserver at my domain name provider and it points to the IP of my server. For the second IP, our institution is providing institution.edu and my DNS is a subdomain of that: ourdomain.institution.edu. My IIS websites are set up to keep an eye out for both IPs. One of these IPs I eventually intend to set up as the IP for an NLB cluster.

Question #1: In DNS, in my ourdomain.institution.edu.local folder of my forward lookup zones, BOTH of the IPs mentioned in the previous paragraph have Host (A) records. Is this correct or not? Will this be correct once my clustered IP is set up?

Question #2: What does the ourdomain.institution.edu.local section refer to? Perhaps the local (private) network? This is a basic question about DNS.

Question #3: What does the _msdcs.ourdomain.institution.edu records refer to/mediate? This is a basic question about DNS.

Question #4: Again in the forward lookup zones, I have nameserver records that include BOTH IPs described in the paragraph above in the following sections:
_msdcs.ourdomain.institution.edu
ourdomain.institution.edu.local
myCustomDomainNameBeingPointedFromMyDomainNameProvider.com
ourdomain.institution.edu.

I am wondering if both IPs should be listed in the nameserver records in all of the places listed above, especially myCustomDomainNameBeingPointedFromMyDomainNameProvider.com.

Question #5: For redundancy on the name resolution on my websites, I will want to have multiple nameserver entries on the SOA record, correct? This does NOT mean that I want multiple Host (A) records mapping to each of my servers' IPs, unless I have a site set up on each IP, correct? My understanding is that when I finish getting my NLB clustering set up for my IIS websites, in the forward lookup zone associated with a particular website, I should remove the (A) record that corresponds to an individual server IP and only put the cluster IP in place, as an A record, correct or no? If not, what is the right practice?

Question #6: If I right click on the "interfaces" section of my DNS server, I see "Listen only on the following IP addresses". Two are listed as described in my intro paragraph. Should I be listening on all IP addresses? What is the advantage and tradeoff?

Question #7: I understand there is a limit on the use of host header mapping when you are trying to host https-secure websites. What is that limit, generally?

Question #8: My SOA and nameserver records refer to ourdomain.institution.edu.LOCAL [emphasis mine] as the name servers, both for seemingly internal uses (the ourdomain.institution.edu.local and _msdcs.ourdomain.institution.edu sections) and for external uses (e.g. forward lookup zones corresponding to names corresponding to websites). I am wondering if this is perfectly acceptable or not. Both names will resolve from inside the network, I think (.local and non-.local); why use one or the other for this need?

Many thanks for any insights you can offer. I'm finding the whole DNS thing rather difficult, but am slowly but surely learning some of the things I need to know.

Answer : A few easy (for an expert) questions about DNS, load balanced IPs, and IP numbers


> Clarifying Question #4, I mis-wrote last night. My forward lookup zones look like this:

Ahh good, that's a lot more consistent :)

> Now I am noticing that on my public zones (customdomain.com) that primary
> server is listed as "server1.domain.com.local" and if I am understanding you
> correctly that is bad.

Yep, it is. We want those fully consistent for public use.

We can't do that and have it use AD Integrated zones though. It'll continually "correct" the value for us.

So, pick a server you want to be Primary, then change its zone type from AD Integrated to Standard Primary.

Make sure Dynamic Updates is disabled, then fix all the NS and SOA records so they look good as far as the public are concerned.

These are the steps for that:

1. Create a Host (A) Record called ns1 (note that this can be whatever you like within reason, it's entirely arbitrary). This record should match the Name Server entries you gave to your Registrar.

2. Modify the NS Records. Remove the old one, add ns1 as the new one (again so it's referencing the public IP). It will ask if you want to remove the Host Record for the old server; you do, as it's referring to Glue within the current zone, not the record in the proper zone.

3. Modify the SOA Record. There are two fields for this one; the important one is Primary Server. Set that to ns1 (browse is probably easiest). Note the period (dot) it adds to the end of the name; it's important to keep that.

Responsible Person is the other field. That one is an e-mail address. Not exactly in common use these days, so you could just put whatever you want there. If you want to put something meaningful, the @ symbol is replaced with a period, e.g. hostmaster@yourdomain.com becomes hostmaster.yourdomain.com. for the SOA. Again, note the period suffixed onto the record; it is important to keep that.

4. Add Host and NS Records for ns2 (representing the second DC, and again the name can be whatever you wish).

5. Open the Properties for the zone and select Zone Transfers. Tick Allow Transfers and select "Only to the following servers". Add the Private IP address of your second Name Server.

6. Head to the second server, make sure the zone doesn't exist at the moment.

7. Add a new Secondary Zone and enter the Private IP of ns1 as the Master.

8. Test it! Make sure you can right click on the Secondary zone and select Transfer from Master.

9. Make sure if you change it on ns1 you can run Transfer from Master and that you see the change.

And just a few notes on all that.

Periods (dots) after Names:

The period on the name indicates that it's "all" of the name, if it's not there the server will add on the zone name.

That is, if you have a record called "bob.domain.com" (without the period), the server reads that and makes it "bob.domain.com.domain.com.". Basically, excluding the period allows you to use shorthand for writing records, but if you forget to add it, it'll break things.

MS DNS will add the period for you in almost every instance, but it's worth being aware of.

Zone Transfers:

How frequently a zone transfers is based on the values in the SOA Record. If you double click on it you'll see a number of intervals:

Refresh Interval - How frequently the Secondary server will check in with the Primary looking for a change. The default value of 15 minutes is good enough for this.

Retry Interval - How long it will wait before retrying a transfer if one fails (say the primary server is down for a few minutes). The default value of 10 minutes is good enough.

Expiry - How long the secondary keeps its copy of the zone before it decides it's too out of date (then it discards the zone data). 1 Day is rubbish. I recommend increasing this to 48 Days. Makes you a lot safer in the event of server failure on the Primary.

The minimum TTL (Time To Live) is treated differently on different servers. Here it defines the default value for the Time To Live on records, I'd set that to 1 Day unless you feel you'll change records around a great deal.

> Compounding our potential confusion, way back when I set this DNS up and had no
> idea what I was doing, I appended ".local" as part of a name I should not have, and
> I have been advised this is functional but "weird."

That's fine and common for a Private domain (such as one for Active Directory). .local may cause problems with Apple Macs, but that is the extent of those. It's certainly not weird :)

You will find there are a lot of differing opinions on that naming convention around the Internet. What you have is valid; there are other valid choices too. People like to argue about what the "right" valid choice is; all very silly.

> What you seem to be suggesting is that (at least as a convention) I should
> create A records that correspond to my server machine names, one for each machine.
> So in the MSFT console for a given public zone -- domain.com -- it would look like

That would be fine as well, and would happily replace ns1 / ns2 in the examples above. All we care about is making them publicly accessible.

Chris
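As an added example (not Chris's code or anything from the original thread), here is a small Python check for the public-zone consistency points covered in the answer above: SOA and NS names that still end in .local, names missing the trailing dot, the '@'-to-period RNAME conversion, and the expiry timer. Both zone texts are constructed, and the parser only handles the simple "name IN TYPE rdata" form shown.

```python
import re
# Constructed 'before' zone: .local primary, e-mail-form RNAME, relative NS name, 1-day expiry.
ZONE_BEFORE = """
customdomain.com. IN SOA server1.domain.com.local. hostmaster@customdomain.com (
                         2024010101 900 600 86400 3600 )
customdomain.com. IN NS  server1.domain.com.local.
customdomain.com. IN NS  ns2.customdomain.com
"""
# Constructed 'after' zone following steps 1-4 and the SOA timer notes.
ZONE_AFTER = """
customdomain.com. IN SOA ns1.customdomain.com. hostmaster.customdomain.com. (
                         2024010102 900 600 4147200 86400 )
customdomain.com. IN NS  ns1.customdomain.com.
customdomain.com. IN NS  ns2.customdomain.com.
"""
def soa_rname(email):  # mailbox to SOA RNAME form: '@' becomes '.', trailing dot added
    local, _, domain = email.partition("@")
    return f"{local}.{domain}."
def fqdn(name, origin):  # no trailing dot means relative: the server appends the zone name
    return name if name.endswith(".") else f"{name}.{origin}"
def parse_zone(text, origin):
    """Read 'name IN TYPE rdata...' lines, first joining a parenthesised SOA."""
    flat = re.sub(r"\(([^)]*)\)", lambda m: m.group(1).replace("\n", " "), text)
    recs = []
    for line in flat.splitlines():
        p = line.split()
        if len(p) >= 4 and p[1] == "IN":
            recs.append({"name": fqdn(p[0], origin), "type": p[2], "rdata": p[3:]})
    return recs
def audit_public_zone(records, origin, min_expire=48 * 86400):
    """Return findings for a public zone; an empty list means it looks consistent."""
    findings, targets = [], []
    for r in records:
        if r["type"] == "SOA":
            mname, rname, expire = r["rdata"][0], r["rdata"][1], int(r["rdata"][5])
            if "@" in rname:
                findings.append(f"SOA RNAME {rname!r} should read {soa_rname(rname)!r}")
            if expire < min_expire:
                findings.append(f"SOA expire {expire}s is below the recommended 48 days")
            targets.append(("SOA primary", mname))
        elif r["type"] == "NS":
            targets.append(("NS", r["rdata"][0]))
    for label, name in targets:
        full = fqdn(name, origin)
        if full.rstrip(".").endswith(".local"):
            findings.append(f"{label} {full!r} is a .local name the public cannot resolve")
        if not name.endswith("."):
            findings.append(f"{label} {name!r} lacks a trailing dot; the server expands it to {full!r}")
    return findings
```

Running `audit_public_zone(parse_zone(ZONE_BEFORE, "customdomain.com."), "customdomain.com.")` reports five findings, while the 'after' zone reports none.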