42 Replies

  • Good info - thanks for sharing.  One revision I saw that may be needed - do you mean SRV records instead of SVC records?

  • Good write-up.  Many a young IT, depending on their background, have DNS issues.  And sometimes there is more than one way to solve DNS issues, but generally, if you don't understand it, look up an article like this one and learn a bit before bringing the network to a snail's pace.  I've personally had to fix DNS issues at a handful of companies.

  • Well written and hit on all the right topics that are often posed as questions here! Thanks for sharing and nice read!

  • Thanks! This was great.

  • Having at least a basic understanding of DNS (and other network standards) is essential to success in IT.  I worked with techs for years who refused to get even a basic understanding and would call me with the same issues over and over.  If they took the time to learn even a little bit about it, they would have been able to fix many more problems on their own.

  • Great writeup! 

  • Excellent!  Thank you for posting this.  I was just google searching this last week.

  • Hmm, kind of interesting.

  • Thank you, this helps refresh basics while I am struggling right now with sub-domains and subnet reverse delegation issues.

  • Excellent write up. I wish that was available 10 years ago when DNS was still a mystery to me.  :)

  • Good article. You should publish a Split DNS how-to

  • Awesome, I can say I learned something today!

  • For some of us, split DNS isn't a choice. It's usually a case of the previous admin not having a clue what he's doing when creating a domain.  For most AD implementations a .local suffix will do. If you have hosted Exchange and use split DNS, you know what a pain that is dealing with locked accounts due to Outlook.

  • I agree with ArgMen2009.  An article on split DNS, especially in an AD environment, would be nice.  I am currently doing it an ugly way: if the DNS I want to internalize is outlook.domain.com, I create a new zone called outlook.domain.com and then create an A record to the internal IP.  It's an ugly hack but it works for our environment.

  • I assume the SRV -> SVC typo was due to a rogue auto-correction?  Other than that I have two comments:

    CNAME records should be avoided whenever possible.  Multiple A records work much better as long as you can control the IP address pointed to.

    The PTR / rDNS section is a bit misleading.  Although it is very common for anti-spam zealots to use reverse DNS, it is illogical to check that the address resolves to a name "registered as a mail server".  MX records are used for addresses used to receive mail, not necessarily to send it.  And even if used for both sending and receiving, servers serving several domains are unlikely to have a PTR record for each of them.  SPF or the equivalent TXT record would be much better for authenticating the sender.

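To make the SPF point in the comment above concrete, here is a small SPF evaluator that checks a sending IP against a domain's `v=spf1` record. This is example code added here, not from the article or the commenter. The domain names, TXT records and addresses are constructed for the example and held in a dictionary so it runs offline; a real check fetches the TXT record of the envelope sender's domain. Only the ip4, ip6, include, redirect and all terms are implemented; the a, mx, ptr and exists mechanisms return permerror here.

```python
"""SPF evaluation against constructed records (added example, not from the thread).

Implements the ip4/ip6/include/redirect/all terms of RFC 7208 with the four
qualifiers; a, mx, ptr and exists are out of scope and yield permerror.
"""
import ipaddress

# Constructed TXT records for hypothetical domains; a real check would query DNS.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.25 ip6:2001:db8::/32 ~all",
    "redirector.example": "v=spf1 redirect=example.com",
}

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying terms
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, lookups=0):
    """Return (result, reason) for a message from `ip` claiming MAIL FROM `domain`."""
    record = TXT_RECORDS.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none", f"no SPF record for {domain}"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]  # only consulted if no mechanism matches
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            # An IPv6 sender never matches an ip4 term and vice versa.
            matched = addr.version == net.version and addr in net
        elif mech == "include":
            lookups += 1
            if lookups > MAX_LOOKUPS:
                return "permerror", "too many DNS lookups"
            sub_result, _ = check_spf(ip, arg, lookups)
            if sub_result in ("none", "permerror"):
                return "permerror", f"include:{arg} returned {sub_result}"
            matched = sub_result == "pass"  # only a pass from the included record matches
        elif mech == "all":
            matched = True
        else:
            return "permerror", f"mechanism {mech} not implemented in this example"
        if matched:
            return QUALIFIERS[qualifier], f"matched {qualifier}{mech}{':' + arg if arg else ''}"
    if redirect is not None:
        if lookups + 1 > MAX_LOOKUPS:
            return "permerror", "too many DNS lookups"
        return check_spf(ip, redirect, lookups + 1)
    return "neutral", "no mechanism matched and no redirect"


if __name__ == "__main__":
    for sender, dom in [("192.0.2.10", "example.com"), ("203.0.113.5", "example.com"),
                        ("2001:db8::1", "_spf.mailprovider.example"),
                        ("192.0.2.10", "redirector.example")]:
        print(sender, dom, *check_spf(sender, dom))
```

The ordering matters: the `-all` at the end of example.com's record only applies after every earlier mechanism, including the provider's `include`, has failed to match, which is why a softfail inside the included record does not soften the outer `-all`.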
  • great article. We should have more like this

  • Before this article I had an extremely basic understanding of DNS. After reading the article I feel a little more confident about DNS and what it really is. I will be sure to read this article again and also read something to supplement this as I never knew how complicated DNS could really be.

    Thanks!

  • @ITSlave

    Even if you use a .local TLD for your internal network, there are still cases where you would use a split DNS. It's often better to tell your users to use one website like webmail.company.com instead of telling them to use one internally and a different one externally. And for the mentioned scenario where you don't want traffic trying to do a U-turn on your firewalls.
    You can always set it up to forward unresolved hosts back out to a different path if you don't want to have to list every external host in your split zone.

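The split-DNS behaviour described in the comment above (one name for everyone, private answers inside, and unresolved names falling through to the external view) as a small simulation. This is example code added here, not from the article or the commenter. The zone data, the company.com name and the addresses are constructed for the example; 10.0.0.0/8 stands in for the internal network and 203.0.113.0/24 is documentation address space.

```python
"""Split-horizon DNS simulation (added example, not from the thread or the article).

Two views of a constructed zone for the hypothetical company.com: internal
clients get private addresses, everyone else gets public ones, and a name
missing from the internal view falls through to the external view.
"""
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed records; 203.0.113.0/24 is documentation space, not a real deployment.
INTERNAL_VIEW = {
    "webmail.company.com": "10.0.5.20",
    "intranet.company.com": "10.0.5.30",
}
EXTERNAL_VIEW = {
    "webmail.company.com": "203.0.113.10",
    "www.company.com": "203.0.113.11",
}


def is_internal(address):
    """True when the address falls inside one of the RFC 1918 ranges used internally."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in INTERNAL_NETS)


def resolve(client_ip, name):
    """Return (address, source); source names the view that produced the answer."""
    if is_internal(client_ip):
        if name in INTERNAL_VIEW:
            return INTERNAL_VIEW[name], "internal"
        if name in EXTERNAL_VIEW:
            # Not overridden internally: the client gets the public address and
            # its traffic U-turns through the firewall.
            return EXTERNAL_VIEW[name], "forwarded"
        return None, "nxdomain"
    if name in EXTERNAL_VIEW:
        return EXTERNAL_VIEW[name], "external"
    return None, "nxdomain"  # internal-only names are never visible outside


def hairpin_names(internal=INTERNAL_VIEW, external=EXTERNAL_VIEW):
    """Public names with no internal override: internal clients will hairpin for these."""
    return sorted(n for n in external if n not in internal)


def private_leaks(external=EXTERNAL_VIEW):
    """External-view records that would hand private addresses to the outside world."""
    return sorted(n for n, a in external.items() if is_internal(a))


if __name__ == "__main__":
    for client, name in [("10.0.1.5", "webmail.company.com"), ("10.0.1.5", "www.company.com"),
                         ("198.51.100.7", "webmail.company.com"), ("198.51.100.7", "intranet.company.com")]:
        print(client, name, resolve(client, name))
    print("hairpin:", hairpin_names(), "leaks:", private_leaks())
```

The two audit helpers are the checks worth running against a real split zone: `hairpin_names` lists the public names you have not yet mirrored internally, and `private_leaks` catches the opposite mistake of copying an internal record into the external view.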
  • ArgMen2009 wrote:

    Good article. You should publish a Split DNS how-to

    I second this. I inherited a Split DNS setup, and it was hell to figure out how it worked and why it was set up in the manner that it is.

  • ITSlave wrote:

    For some of us, split DNS isn't a choice. It's usually a case of the previous admin not having a clue what he's doing when creating a domain.  For most AD implementations a .local suffix will do. If you have hosted Exchange and use split DNS, you know what a pain that is dealing with locked accounts due to Outlook.

    At one point, Microsoft were advising against the use of .local as it caused problems with mDNS and the advice was to use a subdomain of a domain you own.

    As more mDNS based software appeared, I've stuck with split or a subdomain and had no headaches.

    It's all fully documented, so if I get hit by a bus, whoever comes after me will be good.

  • One way around the .local problem is to use any other suffix. I always use .lan for mine.

  • ITSlave wrote:

    For some of us, split DNS isn't a choice. It's usually a case of the previous admin not having a clue what he's doing when creating a domain.  For most AD implementations a .local suffix will do. If you have hosted Exchange and use split DNS, you know what a pain that is dealing with locked accounts due to Outlook.

    All of our sites use split DNS and I consider it essential to do so, primarily for flexibility of registering SSL certificates, which isn't going to work well for much longer if it isn't a verifiable domain.

    I have yet to find a site that has an issue with a hosted Exchange environment either. If you configure the correct DNS internally on the DNS server hosting the split DNS to point to the correct records externally then it isn't a problem. IIRC an MX record and an Autodiscover A record plus another A or possibly an SRV record is all that's needed for Office 365. It then even auto-configures the Outlook account as normal if you install the Office 365 AD synchronisation tools too (if you're game to do so, and aren't too hypersensitive about the AD).

    Regards,

    Matt

  • Very good.

  • jrondo4 wrote:

    Good info - thanks for sharing.  One revision I saw that may be needed - do you mean SRV records instead of SVC records?

    duh...as for the root cause....

    Emilio6465 wrote:

    I assume the SRV -> SVC typo was due to a rogue auto-correction?  Other than that I have two comments:

    Or I was multi-tasking when I wrote this (a few months ago) and when I got around to proof read it I just missed it.

    I don't have the initial draft of this anymore (notepad version) so I can't go back and check to see what caused it for sure.

    Another issue is it was an ID10T, PEBCAC, PICNIC, or other IT slang issue.  Since the error is out there and pointed out (first comment) I might as well have fun with it.

    [Edit - fixed article]

  • Sean Donnelly wrote:

    Well written and hit on all the right topics that are often posed as questions here! Thanks for sharing and nice read!

    That was why I wrote it in the first place - we (as a community) got hit with way too many issues that were DNS related where the person just didn't understand DNS (created a domain and pointed all DNS clients to Google as an example).

  • Emilio6465 wrote:

    CNAME records should be avoided whenever possible.  Multiple A records work much better as long as you can control the IP address pointed to.

    There are reasons for them and reasons not to use them.  I have a client that has a SCOM system on the east coast and a SCOM system on the west coast.  Only one system is monitored at any time (active system) however clients report to both systems (or try to).  When admins connect to the SCOM terminal, they connect to SCOM.domain.com and using a CNAME the SCOM terminal is directed to the proper server.

    The second way it is used is in WSUS.  There is a primary parent and a secondary parent.  Primary is on the east coast and secondary is on the west coast.  When a storm or other maintenance will disrupt the WSUS service, the team using a CNAME will change WSUS.domain.com between the two parent servers.

    Of course you could do the same thing with A records, but then you must have the correct IP address for each of the servers.  By using a CNAME, the record can be changed from SCOM-east.domain.com to SCOM-west.domain.com and IP addresses don't need to be known.  Same with WSUS - WSUS-east.domain.com to WSUS-west.domain.com is handled the same way.

    What you shouldn't do is use a CNAME and point it to a record (A or CNAME) in a DNS zone you don't control.  In this scenario, I would use an A record in a DNS zone that I control.

  • Excellent primer! I'm constantly amazed at how complex DNS seems at first, but is really quite simple once you get into it. When I started dealing with it in Win2k I wished I only had to deal with WINS servers. Now I'm glad the WINS servers are gone.

  • da Beast wrote:

    Emilio6465 wrote:

    CNAME records should be avoided whenever possible.  Multiple A records work much better as long as you can control the IP address pointed to.

    There are reasons for them and reasons not to use them.  ...

    Of course you could do the same thing with A records, but then you must have the correct IP address for each of the servers.  By using a CNAME, the record can be changed from SCOM-east.domain.com to SCOM-west.domain.com and IP addresses don't need to be known.  Same with WSUS - WSUS-east.domain.com to WSUS-west.domain.com is handled the same way.

    What you shouldn't do is use a CNAME and point it to a record (A or CNAME) in a DNS zone you don't control.  In this scenario, I would use an A record in a DNS zone that I control.

    I guess it would be boring if we all did things the same way, but I think it should be the other way around.  Possibly because DNS is not my primary business. :-)

    If I were one of your clients handling my own DNS, I would expect to know the IP addresses, so using the A records would not be overly complicated.  And I use CNAMEs only to provide a local name for a server in somebody else's zone.  E.g. so that the payroll people could look for "prhelp" rather than "usa.support.payroll.bloatedpigsoftware.com".  Can't use an A record when I can't control the IP address.

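Both uses of CNAMEs discussed in this exchange, da Beast's failover of SCOM.domain.com and WSUS.domain.com between east and west servers and Emilio6465's local alias for a name in somebody else's zone, can be shown with a toy zone. This is example code added here, not from the article or either commenter. The zone is constructed from the names used in the thread with made-up 10.x addresses; `prhelp.domain.com.` and the audit rules (flag CNAMEs whose target lies outside the zones you control, and detect dangling or looping chains) are assumptions for the example.

```python
"""CNAME resolution, failover and audit over a constructed zone (added example).

Records are (type, rdata) pairs keyed by fully qualified owner name.  The
addresses are made up; the names come from the discussion in the thread.
"""

ZONE = {
    "scom-east.domain.com.": ("A", "10.1.0.10"),
    "scom-west.domain.com.": ("A", "10.2.0.10"),
    "scom.domain.com.": ("CNAME", "scom-east.domain.com."),
    "wsus-east.domain.com.": ("A", "10.1.0.20"),
    "wsus-west.domain.com.": ("A", "10.2.0.20"),
    "wsus.domain.com.": ("CNAME", "wsus-east.domain.com."),
    # Assumed alias for a name in a zone this organisation does not control.
    "prhelp.domain.com.": ("CNAME", "usa.support.payroll.bloatedpigsoftware.com."),
}


def resolve_a(zone, name, max_hops=8):
    """Follow CNAMEs from `name` to an A record; return (address, chain of names)."""
    chain, seen = [name], {name}
    for _ in range(max_hops):
        record = zone.get(name)
        if record is None:
            raise LookupError(f"{name} does not exist (dangling CNAME)")
        rtype, rdata = record
        if rtype == "A":
            return rdata, chain
        name = rdata
        if name in seen:
            raise ValueError("CNAME loop: " + " -> ".join(chain + [name]))
        seen.add(name)
        chain.append(name)
    raise ValueError("CNAME chain too long")


def repoint_cname(zone, alias, new_target):
    """Fail an alias over to another server by name; no address needs to be known."""
    if zone.get(alias, ("",))[0] != "CNAME":
        raise ValueError(f"{alias} is not a CNAME")
    if zone.get(new_target, ("",))[0] != "A":
        raise ValueError(f"{new_target} has no A record in this zone")
    zone[alias] = ("CNAME", new_target)
    return resolve_a(zone, alias)[0]


def in_controlled_zone(name, controlled_zones):
    return any(name == z or name.endswith("." + z) for z in controlled_zones)


def audit_cnames(zone, controlled_zones):
    """Return (owner, finding) for CNAMEs that need attention."""
    findings = []
    for owner, (rtype, target) in sorted(zone.items()):
        if rtype != "CNAME":
            continue
        if not in_controlled_zone(target, controlled_zones):
            # Someone else decides whether this target keeps existing; review it.
            findings.append((owner, "external target"))
            continue
        try:
            resolve_a(zone, owner)
        except LookupError:
            findings.append((owner, "dangling"))
        except ValueError:
            findings.append((owner, "loop"))
    return findings


if __name__ == "__main__":
    print(resolve_a(ZONE, "scom.domain.com."))
    print("after failover:", repoint_cname(dict(ZONE), "scom.domain.com.", "scom-west.domain.com."))
    print(audit_cnames(ZONE, ["domain.com."]))
```

`repoint_cname` is the operation da Beast describes: the team changes one record by name and every client following the alias lands on the other server. `audit_cnames` reports the external alias as a finding rather than an error, since Emilio6465's use of exactly that pattern is legitimate; the point is knowing which records you depend on someone else to maintain.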
  • Excellent read, easily understood.

  • Thank you very enlightening.

  • Very well written and good article!  Refreshes my memory on DNS.

  • Hi mate.

    Why is using .local suffix a problem? I have used these at home for my home lab and for a few charities I worked as their IT consultant. I might need to revisit them if this may cause them a problem!

  • JesusMR wrote:

    Hi mate.

    Why is using .local suffix a problem? I have used these at home for my home lab and for a few charities I worked as their IT consultant. I might need to revisit them if this may cause them a problem!

    It's not necessarily a problem, but it can be a problem.

    .local is used by some Multicast DNS (mDNS) applications, such as Bonjour. 

    In multi-vendor/multi-OS networks, depending on which Microsoft (and Apple) OS versions you are using, this can create issues (see http://support.apple.com/kb/ts3389 and http://support.microsoft.com/kb/836413).  There are also some reported instances involving Linux.

    Also, purchased SSL certs can't use .local for certs after (some month/day I can't remember) 2015. http://social.technet.microsoft.com/Forums/exchange/en-US/cc3f4a7c-f38d-4b72-82fe-c98b4089a1ec/how-to-handle-ssl-certificates-now-that-you-cant-have-local-subject-alternative-names

    So, 99% of the people using .local won't experience any difficulty - but that doesn't necessarily make it right (cf use of RAID 5) ;)

  • Huw3481 wrote:

    So, 99% of the people using .local won't experience any difficulty - but that doesn't necessarily make it right (cf use of RAID 5) ;)

    Gaaahhhh we use .local for our internal DNS and RAID5 on some servers! I'm doomed :-)

  • Well done.  Explaining a complex subject in easy-to-understand language is a skill in itself.

    Thanks

    How about an article on one or two of the most common DNS problems (especially with AD) and possible quick fixes.  Sort of a cheat sheet.

  • Great article!

  • Nicely done Beast.  It's amazing how many problems can be averted, or sadly, cured, by a simple understanding of DNS.

  • Emilio6465 wrote:

    da Beast wrote:

    Emilio6465 wrote:

    CNAME records should be avoided whenever possible.  Multiple A records work much better as long as you can control the IP address pointed to.

    There are reasons for them and reasons not to use them.  ...

    Of course you could do the same thing with A records, but then you must have the correct IP address for each of the servers.  By using a CNAME, the record can be changed from SCOM-east.domain.com to SCOM-west.domain.com and IP addresses don't need to be known.  Same with WSUS - WSUS-east.domain.com to WSUS-west.domain.com is handled the same way.

    What you shouldn't do is use a CNAME and point it to a record (A or CNAME) in a DNS zone you don't control.  In this scenario, I would use an A record in a DNS zone that I control.

    I guess it would be boring if we all did things the same way, but I think it should be the other way around.  Possibly because DNS is not my primary business. :-)

    If I were one of your clients handling my own DNS, I would expect to know the IP addresses, so using the A records would not be overly complicated.  

    So - in smaller networks that might be possible (you knowing the IP address for all of your servers).  The client I used as an example has more than 200,000 users. To support that user base, there are several thousand servers.  I would guess that you wouldn't remember all the IP addresses for all the servers at all the locations.

    So if in this client's network I used A records instead of CNAME records, and the server was upgraded and the IP address changed, I would not know it until the tickets started to come in saying users couldn't connect to SCOM and I did some troubleshooting.  With a CNAME, the server IP change would not be an issue as the CNAME is pointing to the name for the A record.  Granted, if the name changed we would have the same issue - but that is where naming standards come into play.

    Now - like most things in the IT world, there is more than one way to accomplish the goal.  A records could be used or CNAME records could be used.  Each has pros and cons.

  • Depending on your firewall, split DNS isn't needed.

    SonicWALLs, for example, allow you to set up loopback NAT.

  • Nice article, thanks! Split DNS always got my mind puzzled - feel like an idiot when you finally figure it out!

  • Hi,

    I am facing one problem with our DNS server: sometimes our DNS server is not working, meaning pages are not opening. When I restart the DNS server (DNS and DHCP are on the same server) then everything works fine (all: internet, e-mail, browsing). This is our Red Hat server. I do not understand properly what happens sometimes. Please help.

  • santukar wrote:

    Hi,

    I am facing one problem with our DNS server: sometimes our DNS server is not working, meaning pages are not opening. When I restart the DNS server (DNS and DHCP are on the same server) then everything works fine (all: internet, e-mail, browsing). This is our Red Hat server. I do not understand properly what happens sometimes. Please help.

    Start a new thread and provide what happens and what you do to temporarily resolve it.  Others will chime in and ask you to look at various logs.

    I am not a Linux person so I can't assist more - that is what the new thread is for.

