How Should I Configure DNS Client Settings on My Domain Controllers with Recursion Disabled?

Asked By TechNinja89 On

Hey everyone, I have some basic concerns regarding the DNS setup I've inherited from a previous company. We have three domain controllers (DCs), of which two are DNS servers that are supposed to be authoritative for specific zones. However, recursion is disabled on these servers to avoid exposure to malicious external requests, which makes complete sense. Currently, all client machines have switched to using DNS servers from our parent company, which provides recursive lookups. This setup seems to lead to frustrating delays for users, especially with DNS record propagation, taking around 30 minutes to replicate from our internal AD servers to the parent company's DNS.

I'm reconsidering whether the current setup is adequate or aligned with best practices. I believe that these DNS servers should point to each other for internal queries and that the third DC should also do the same. But I am uncertain how the DCs would handle name resolution since recursion is turned off, effectively disabling forwarding and root hints. Should I just add the parent company's DNS servers in the additional DNS addresses of the DC settings? I'm really cautious about making any changes that might disrupt services for this new client, and I want to ensure I'm starting off on the right track without breaking anything.

1 Answer

Answered By CloudWizard52 On

You can set the primary DNS on your DCs to 127.0.0.1, as long as you’ve configured valid forwarders in the DNS Server settings on the DC. It should work pretty well as long as the DNS is also installed locally on the same server. Just keep in mind that having recursion disabled will prevent the use of any external DNS servers unless you also add them under the forwarders tab, which isn’t available since recursion is off. It's a bit tricky, but that's the gist of it!

NetworkGuru77 -

Exactly! And I think it’s important to remember that when recursion is disabled, root hints don’t work anymore either. But I’d advise double-checking whether you really need the forwarders for external lookups at all if you’re primarily concerned with internal resolution. Let me know if you need further insights!
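The following PowerShell is an added example, not from the question or either reply. It audits the state the thread turns on (whether recursion is disabled, whether forwarders are configured, and which servers the DC's own resolver uses) and then applies the layout the answer describes: the DC's client settings point at the local DNS service and a partner DC, while any external resolvers go in the server's forwarder list. The interface alias, the partner DC address and the parent company's resolver addresses are placeholders you must replace. Because a Windows DNS server with recursion disabled neither forwards nor uses root hints, the audit flags forwarders as ineffective in that state; the apply function supports `-WhatIf` so it can be rehearsed before touching a production DC.

```powershell
# Added example (not the original post's code). Run on a domain controller
# that also hosts the DNS Server role. All addresses below are placeholders.
#Requires -Modules DnsServer, DnsClient

$InterfaceAlias  = 'Ethernet'                      # assumption: NIC alias on this DC
$PartnerDc       = '10.0.0.11'                     # assumption: the other DNS-hosting DC
$ParentResolvers = @('192.0.2.53', '192.0.2.54')   # placeholder: parent company recursive DNS

function Get-DcDnsPosture {
    # Report the facts the thread hinges on: is recursion off, are forwarders
    # set, and which servers does this DC's own resolver currently use?
    $recursion  = Get-DnsServerRecursion
    $forwarders = Get-DnsServerForwarder
    $client     = Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4

    [pscustomobject]@{
        RecursionEnabled    = $recursion.Enable
        Forwarders          = @($forwarders.IPAddress | ForEach-Object { "$_" })
        UseRootHint         = $forwarders.UseRootHint
        ClientDnsServers    = $client.ServerAddresses
        # With recursion disabled the Windows DNS server neither forwards nor
        # consults root hints, so any forwarders listed above are inert.
        ForwardersEffective = [bool]($recursion.Enable -and $forwarders.IPAddress.Count -gt 0)
    }
}

function Set-DcDnsClientPerAnswer {
    # Apply the layout from the answer: local DNS service first, partner DC
    # second, on the DC's client NIC; external resolvers live on the server
    # side as forwarders. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess($InterfaceAlias, "Set DNS client servers to 127.0.0.1, $PartnerDc")) {
        Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses @('127.0.0.1', $PartnerDc)
    }
    if ($PSCmdlet.ShouldProcess('DNS Server', "Set forwarders to $($ParentResolvers -join ', ')")) {
        Set-DnsServerForwarder -IPAddress $ParentResolvers -UseRootHint $false
    }
}

function Test-DcResolution {
    # Query the local DNS service directly for one internal and one external
    # name; the external lookup is expected to fail while recursion is off.
    param(
        [string]$InternalName = 'dc01.corp.example',   # placeholder internal record
        [string]$ExternalName = 'www.example.com'      # placeholder external name
    )
    foreach ($name in @($InternalName, $ExternalName)) {
        try {
            $r = Resolve-DnsName -Name $name -Server 127.0.0.1 -Type A -DnsOnly -ErrorAction Stop
            "$name -> $(($r | Where-Object IPAddress).IPAddress -join ', ')"
        } catch {
            "$name -> FAILED ($($_.Exception.Message))"
        }
    }
}

# Usage: audit first, rehearse the change, then apply and verify.
Get-DcDnsPosture | Format-List
Set-DcDnsClientPerAnswer -WhatIf
# Set-DcDnsClientPerAnswer
Test-DcResolution
```

Run the audit on each DNS-hosting DC before changing anything and compare the `RecursionEnabled` and `ForwardersEffective` fields; if external resolution through the DC is required, those two fields show whether the forwarder list can actually be used under the current recursion setting.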
