When you have to do directed name lookups you have lots of options.
Conditional forwarders, stub zones and secondary zones. What should I choose? It
is not easy to choose, as the pros and cons are hard to find. But look no
further, you are now reading the definitive source.

Before I go into the discussion about pros and cons, bear in mind that not
all environments are equal. For this discussion there exist only two types of
connections (WAN) between sites. A network that is firewalled can in many
circumstances look like a LAN-LAN VPN type of connection; the same restrictions
apply.

| Connection | Configuration |
|---|---|
| LAN-LAN VPN | In this configuration a remote site is connected to the main site using VPN over the Internet. The remote site has access only to parts of your network, based on the IPsec policy. |
| Leased line | The remote site shares the entire IP network with the main network and can access all internal resources. |

Stub zones

Microsoft added support for stub zones a few years ago. With a stub zone you
configure where to load the stub from, and from that point all queries are
iterative. More about stub zones here.

Why
- Does not require zone transfers to work.
- Easy to integrate into an existing network, as it can scale and change with the network.
- The stub zone can be placed in Active Directory and automatically loaded onto all domain controllers.

Why not
- If a stub zone fails to load (it cannot obtain the NS and SOA records) the zone can be loaded with information from the Internet. If the zone is part of a split DNS, the public information is then cached instead of the private information.
- Queries are iterative; the DNS server will attempt to query all DNS servers by itself to get the answer. If the zone has delegated subzones, our DNS server needs to talk to all the other DNS servers.
- Changes to information within DNS propagate more slowly, as the server caches all answers (negative answers too).
- You have to reconfigure the zone properties for most changes in the other DNS server.

Secondary zone

A secondary zone keeps a copy of the entire zone on disk or in memory at all
times. Read more here.

Why
- Faster updates (potentially), as your DNS server can be notified of any change to the original zone. (If not, the zone is refreshed based on the values inside the SOA record.)
- The server does not have to query any other server to get the answer. (Except when you have delegated subzones.)
- If the zone expires (the server fails to refresh it within the configured time) the server will only send back negative answers. It will not ask other DNS servers for an answer. (No chance of cache poisoning.)

Why not
- You need zone transfers, and those are usually blocked on DNS servers.
- If the zone has many records you consume memory, disk and network resources.
- You have to reconfigure the zone properties for most changes in the other DNS server.

Conditional forwarders

A conditional forwarder sends (by default) a recursive query directly to the
configured server and returns the answer. Read more here.

Why
- Queries are unconditionally forwarded to the forwarder(s).
- Answers are cached.
- Reduces the number of queries, as they are recursive. (Good if you have a slow WAN.)

Why not
- Has to be configured manually on all name servers.
- You have to reconfigure the zone properties for all changes in the other DNS server.
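
As an added example (not from the original post), here are the three options configured on a Windows DNS server with the DnsServer PowerShell module, together with a check for the failure mode the stub and secondary sections above describe. The zone corp.example and the addresses 10.0.0.53 (remote authoritative server) and 10.0.1.53 (this server) are constructed placeholders.

```powershell
# Added example. corp.example, 10.0.0.53 (remote authoritative server) and
# 10.0.1.53 (this server) are constructed placeholders. Pick one Mode per zone:
# a server cannot hold more than one zone with the same name.
function Set-DirectedLookup {
    param(
        [Parameter(Mandatory)] [string]   $Zone,
        [Parameter(Mandatory)] [string[]] $Masters,
        [Parameter(Mandatory)] [ValidateSet('Forwarder','Stub','Secondary')] [string] $Mode
    )
    switch ($Mode) {
        'Forwarder' {
            # Recursive query to the forwarder(s), answer cached. Stored in AD so
            # every DC loads it instead of being configured by hand on each server.
            Add-DnsServerConditionalForwarderZone -Name $Zone -MasterServers $Masters -ReplicationScope 'Forest'
        }
        'Stub' {
            # Only SOA, NS and glue are fetched; everything else is resolved iteratively.
            Add-DnsServerStubZone -Name $Zone -MasterServers $Masters -ReplicationScope 'Forest'
        }
        'Secondary' {
            # Full copy by zone transfer. The master must allow it, e.g. on the master:
            # Set-DnsServerPrimaryZone -Name $Zone -SecureSecondaries TransferToSecureServers `
            #   -SecondaryServers 10.0.1.53 -Notify NotifyServers -NotifyServers 10.0.1.53
            Add-DnsServerSecondaryZone -Name $Zone -ZoneFile "$Zone.dns" -MasterServers $Masters
        }
    }
}
# Checks for the failure modes discussed above.
function Test-DirectedLookup {
    param([Parameter(Mandatory)] [string] $Zone)
    $z = Get-DnsServerZone -Name $Zone
    switch ($z.ZoneType) {
        'Stub' {
            # No NS records means the stub did not load; for a split-DNS zone the
            # server may then cache the public view instead of the private one.
            $ns = Get-DnsServerResourceRecord -ZoneName $Zone -RRType NS -ErrorAction SilentlyContinue
            if (-not $ns) { Write-Warning "$Zone stub loaded no NS records" }
            else { $ns | ForEach-Object { $_.RecordData.NameServer } }
        }
        'Secondary' {
            # Past the SOA expire timer the zone is shut down and answers only negatively.
            if ($z.IsShutdown) { Write-Warning "$Zone secondary has expired; check transfers" }
        }
    }
}

Set-DirectedLookup -Zone 'corp.example' -Masters '10.0.0.53' -Mode Stub
Test-DirectedLookup -Zone 'corp.example'
```

Run it on the DNS server itself (or with the DnsServer module's -ComputerName parameters), and rerun Test-DirectedLookup after the SOA refresh interval to see whether the zone stays healthy.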
Sources