From: Ace Fekay [MVP - Directory Services, MCT] on
On Thu, 29 Apr 2010 16:54:32 +0200, Freaky <wontsay(a)ondeja.com> wrote:

>Hi Cris,
>
>if it comes with the microsoftupdate tool, it's installed, otherwise I'd
>have to check. All essential updates from microsoftupdate have been
>installed.
>
>Can't use forwarders. The reasons we use root hints is that there are 2
>internetlines in fail-over / loadbalancing.
>
>For the 2008 server (or well, basically any OS as the router handles it)
>it's not possible to know over what line (and thus what forwarder) it
>goes out. They are purposely from different ISP (and even different
>infrastructure suppliers), so the risk of them both failing at the same
>time is minimized as much as possible.
>
>Public DNS servers usually come with their own issues. At least, there
>are quite the amount of warnings on the internet of them having issues
>with RBL's like zen.spamhaus.org due to not honoring certain cache
>settings and/or the DNS server at the RBL limiting requests per time
>unit from a host. Next to that, iirc, opendns always returns IPs even if
>there are no A records to point you to ad pages, which is how they
>survive. That causes undesirable results as well.
>
>Anyways, thanks for the re' :).
>
>Kind regards
>

I recommend forwarders, as well, and OpenDNS is a good one.

As Chris mentioned, it doesn't matter which gateway is being used with
the multiple, failover ISPs. It's just sending it to an IP address on
the internet.

I'm also wondering if it's simply an EDNS0 issue being blocked by your
firewall. I don't use DIG, but I'm sure you can perform this test as
well that I would use with nslookup. Using nslookup, you can test it
by issuing a query, just as you did, to that domain name. Then on the
next query, force TCP. Nslookup and DIG use UDP. To force TCP, set
the command "set vc" then re-run the command. If it provides a result,
then it's telling me the packet is over 512 bytes, and EDNS0 is
blocked.

Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
From: Freaky on
Thanks for the re's.

Actually, it does matter what line DNS requests go out on, for most
forwarders. Just not with public ones (most ISPs only recurse for their
members).

Most public ones have their own issues however. Most importantly for us
are issues with RBLs, due to some free RBL hosters limiting the amount
of queries per time unit per IP. Secondly are the fake responses
redirecting you to advertising sites (although not all public servers do
this).

Not on site so can't use dig, but doing:

nslookup
server 8.8.8.8
www.bbc.co.uk
set vce
www.bbc.co.uk

On the SBS 2008 server returns the expected results in both cases.

Kind regards

PS: for dig it's the +tcp option to use TCP instead of UDP, and you can set
the EDNS version with +edns=<x>, where x is between 0 and 255.

On 30-04-10 01:39, Ace Fekay [MVP - Directory Services, MCT] wrote:
> On Thu, 29 Apr 2010 16:54:32 +0200, Freaky <wontsay(a)ondeja.com> wrote:
>
>> Hi Cris,
>>
>> if it comes with the microsoftupdate tool, it's installed, otherwise I'd
>> have to check. All essential updates from microsoftupdate have been
>> installed.
>>
>> Can't use forwarders. The reasons we use root hints is that there are 2
>> internetlines in fail-over / loadbalancing.
>>
>> For the 2008 server (or well, basically any OS as the router handles it)
>> it's not possible to know over what line (and thus what forwarder) it
>> goes out. They are purposely from different ISP (and even different
>> infrastructure suppliers), so the risk of them both failing at the same
>> time is minimized as much as possible.
>>
>> Public DNS servers usually come with their own issues. At least, there
>> are quite the amount of warnings on the internet of them having issues
>> with RBL's like zen.spamhaus.org due to not honoring certain cache
>> settings and/or the DNS server at the RBL limiting requests per time
>> unit from a host. Next to that, iirc, opendns always returns IPs even if
>> there are no A records to point you to ad pages, which is how they
>> survive. That causes undesirable results as well.
>>
>> Anyways, thanks for the re' :).
>>
>> Kind regards
>>
>
> I recommend forwarders, as well, and OpenDNS is a good one.
>
> As Chris mentioned, it doesn't matter which gateway is being used with
> the multiple, failover ISPs. It's just sending it to an IP address on
> the internet.
>
> I'm also wondering if it's simply an EDNS0 issue being blocked by your
> firewall. I don't use DIG, but I'm sure you can perform this test as
> well that I would use with nslookup. Using nslookup, you can test it
> by issuing a query, just as you did, to that domain name. Then on the
> next query, force TCP. Nslookup and DIG use UDP. To force TCP, set
> the command "set vc" then re-run the command. If it provides a result,
> then it's telling me the packet is over 512 bytes, and EDNS0 is
> blocked.
>
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
>
> Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.
>
> Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
> Microsoft Certified Trainer
> Microsoft MVP - Directory Services
>
> If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

From: Cris Hanna [SBS - MVP] on
I think you're missing the concept of the DNS forwarders in the MS DNS Server that is part of your SBS Server. I think you may be referring to the DNS entries on each interface of the router. I don't fill those in. That's what I have the DNS forwarders in my internal DNS server for...so that I have consistency...and I use the two DNS servers which are listed at OpenDNS as my forwarders because they don't have the same issues that you're referring to.

My customers are all set up to use OpenDNS and we use a single Block List Provider, zen.spamhaus.org, which is free, and we haven't exceeded any limits in our lookups (because there aren't any), and we have a single interface.

--
Cris Hanna [SBS - MVP] (since 1997)
Co-Contributor, Windows Small Business Server 2008 Unleashed
http://www.amazon.com/Windows-Small-Business-Server-Unleashed/dp/0672329573/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1217269967&sr=8-1
Owner, CPU Services, Belleville, IL
A Microsoft Registered Partner
------------------------------------
MVPs do not work for Microsoft
Please do not submit questions directly to me.

From: Ace Fekay [MVP - Directory Services, MCT] on
On Fri, 30 Apr 2010 12:46:20 +0200, Freaky <wontsay(a)ondeja.com> wrote:

>Thanks for the re's.
>
>Actually, it does matter what line DNS requests go out on, for most
>forwarders. Just not with public ones (most ISPs only recurse for their
>members).
>
>Most public ones have their own issues however. Most importantly for us
>are issues with RBLs, due to some free RBL hosters limiting the amount
>of queries per time unit per IP. Secondly are the fake responses
>redirecting you to advertising sites (although not all public servers do
>this).
>
>Not on site so can't use dig, but doing:
>
>nslookup
>server 8.8.8.8
>www.bbc.co.uk
>set vce
>www.bbc.co.uk
>
>On the SBS 2008 server returns the expected results in both cases.
>
>Kind regards
>
>PS for dig it's +tcp option to use TCP instead of UDP and can set EDNS
>version with +edns=<x> where x is between 0 and 255 for version.
>


Actually, it's 'set vc', so I assume your mention of 'set vce' was a
typo?

So if it doesn't reply to a query over UDP (the default) but does over
TCP, that indicates an EDNS0 block. However, assuming that was a typo
and it responded over both UDP and TCP, then the issue is elsewhere.

My definition of using a forwarder is to not forward to an ISP's or
provider's DNS that doesn't allow its use outside of the scope of the
customer network. I usually use a couple of specific, generic DNS
servers for forwarding. One of which is 4.2.2.2. It wouldn't matter
which gateway it goes over, if one were to fail in your setup.

You can use OpenDNS or others, as the one above I stated, but I
actually don't use OpenDNS. I simply use Exchange's antispam and the
RBLs mentioned by Chris and possibly others, which I find works fine.

Ace
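As an added example that is not part of this thread (not Ace's, Freaky's or Cris's code), the script below does in Python what Ace's nslookup "set vc" test and Freaky's dig "+tcp" / "+edns" note do by hand, and reads the outcome the way Ace does in his last post: no reply over UDP but a reply over TCP points at UDP/EDNS0 being dropped at the firewall, while a reply over both means the problem is elsewhere. It sends the same query three ways (plain UDP, UDP with an EDNS0 OPT record, and TCP) and classifies the result, which also separates a normal truncated UDP answer (TC bit, resolver must retry over TCP) from a blocked one. Assumptions: the resolver address and test name come from the thread (8.8.8.8, www.bbc.co.uk), outbound port 53 is otherwise reachable, and the two sample response headers embedded for the offline self-check are constructed, not captured.

```python
"""Probe a resolver over UDP and TCP, with and without EDNS0, and classify.

Added example for this thread, not code from any of its posters. Assumes the
resolver (8.8.8.8, as in the thread) answers recursive queries and outbound
port 53 is reachable; SAMPLE_OK / SAMPLE_TRUNCATED are constructed headers.
"""
import socket
import struct

DNS_PORT = 53
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1


def build_query(name, qtype=TYPE_A, edns=False, udp_size=4096, txid=0x1234):
    """Wire-format recursive query. With edns=True an OPT pseudo-RR (RFC 6891)
    advertising udp_size is appended; that record, and the >512-byte replies
    it invites, are what an old firewall or DNS proxy tends to drop."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, CLASS_IN)
    if edns:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return msg


def parse_header(resp):
    """Decode the 12-byte DNS header; None if there is no usable reply."""
    if resp is None or len(resp) < 12:
        return None
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # response bit
        "tc": bool(flags & 0x0200),   # truncated: client must retry over TCP
        "rcode": flags & 0x000F,
        "answers": an,
        "additional": ar,             # a returned OPT RR is counted here
    }


def send_udp(server, msg, timeout=3.0):
    """One query over UDP; None on timeout, i.e. a silently dropping firewall."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(msg, (server, DNS_PORT))
            return s.recv(4096)
        except OSError:
            return None


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def send_tcp(server, msg, timeout=3.0):
    """Same query over TCP (what `set vc` / dig +tcp do): 2-byte length prefix."""
    try:
        with socket.create_connection((server, DNS_PORT), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(msg)) + msg)
            prefix = _recv_exact(s, 2)
            if prefix is None:
                return None
            return _recv_exact(s, struct.unpack("!H", prefix)[0])
    except OSError:
        return None


def classify(udp_plain, udp_edns, tcp_edns):
    """Interpret the three probes (parsed headers, or None for no reply)."""
    if udp_plain is None and udp_edns is None and tcp_edns is None:
        return "unreachable"      # port 53 blocked both ways, or wrong server
    if udp_plain is None and udp_edns is None:
        return "udp-blocked"      # only TCP/53 gets through
    if udp_edns is None:
        return "edns0-blocked"    # plain UDP fine, EDNS0-sized UDP dropped
    if udp_edns["tc"]:
        return "udp-truncated"    # normal: answer exceeds UDP size, retry over TCP
    if tcp_edns is None:
        return "tcp-blocked"      # UDP fine, but truncated answers can never complete
    return "ok"


# Constructed sample headers (not captured traffic): NOERROR with one answer,
# and the same with the TC bit set.
SAMPLE_OK = b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
SAMPLE_TRUNCATED = b"\x12\x34\x83\x80\x00\x01\x00\x00\x00\x00\x00\x00"


def run_check(server, name):
    """Run the three probes against a live resolver and classify them."""
    plain, edns = build_query(name), build_query(name, edns=True)
    replies = (send_udp(server, plain), send_udp(server, edns), send_tcp(server, edns))
    return classify(*(parse_header(r) for r in replies))


if __name__ == "__main__":
    print(run_check("8.8.8.8", "www.bbc.co.uk"))
```

Run it from the SBS box itself so the probe crosses the same firewall the DNS service does; "edns0-blocked" or "udp-blocked" is a firewall or DNS-proxy rule to fix, "udp-truncated" with a working TCP path is normal behaviour, and "ok" means, as Ace says, the fault lies elsewhere than EDNS0.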