[windows2000] Re: Porn Crazy Users!

  • From: <SEspeseth@xxxxxxxx>
  • To: <windows2000@xxxxxxxxxxxxx>
  • Date: Fri, 22 Aug 2003 15:17:16 -0500

It may depend on the OS.

Win2k will wait only long enough for the positive response before querying the 
second DNS server. So if the second server can resolve the IP it responds 
before the primary times out. Otherwise a secondary DNS would never be used, if 
the resolution stopped with the first saying the domain doesn't exist. If the first 
has a bogus entry (127.0.0.1), that is different.

Our configuration for home office users places our corp DNS as primary and our 
ISP DNS as secondary. When they are not connected to our VPN network (and thus 
unable to reach the primary DNS) they can still browse the web without a problem, 
because they receive name resolution from the secondary. 


Per MS:
http://tinyurl.com/j18r

Windows 2000 Professional allows multiple DNS servers to be specified. The 
first DNS server, known as the preferred DNS server, can be followed by an 
unlimited number of alternate DNS servers. The resolver queries the DNS servers 
in the following order:

1. The resolver sends the query to the first server on the preferred adapter's 
   search list and waits for one second for a response. 
2. If the resolver does not receive a response from the first server within one 
   second, it sends the query to the first DNS servers on all adapters still under 
   consideration and waits two seconds for a response. 
3. If the resolver does not receive a response from any server within two seconds, 
   the resolver sends the query to all DNS servers on all adapters still under 
   consideration and waits another two seconds for a response. 
4. If the resolver still does not receive a response from any server, it sends the 
   query to all DNS servers on all adapters still under consideration and waits 
   four seconds for a response. 
5. If it still does not receive a response from any server, the resolver sends the 
   query to all DNS servers on all adapters still under consideration and waits 
   eight seconds for a response. 
6. If the resolver receives a positive response, it stops querying for the name, 
   adds the response to the cache and returns the response to the client.

If it has not received a response from any server by the end of the 
eight-second time period, the resolver responds with a time-out. Also, if it 
has not received a response from any server on a specified adapter, then for 
the next 30 seconds, the resolver responds to all queries destined for servers 
on that adapter with a time-out and does not query those servers.

If at any point the resolver receives a negative response from a server, it 
removes every server on that adapter from consideration during this search. For 
example, if in step 2, the first server on Alternate Adapter A gave a negative 
response, the resolver would not send the query to any other server on the list 
for Alternate Adapter A.

The resolver keeps track of which servers answer queries more quickly, and 
might move servers up or down on the list based on how quickly they reply to 
queries.


-----Original Message-----
From: Sullivan, Glenn [mailto:GSullivan@xxxxxxxxxxxxxx]
Sent: Friday, August 22, 2003 12:23 PM
To: 'windows2000@xxxxxxxxxxxxx'
Subject: [windows2000] Re: Porn Crazy Users!


I believe that you are correct... the second DNS server will only be used if
the first one does not respond.  If the first one responds at all (even "No
such domain...") then the stack takes that response as authoritative.

Glenn Sullivan, MCSE+I  MCDBA
David Clark Company Inc. 

-----Original Message-----
From: Robert Coffman - Info From Data Corporation
[mailto:bcoffman@xxxxxxxxxxxxxxxx]
Sent: Friday, August 22, 2003 1:11 PM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: Porn Crazy Users!


I think two DNS servers is your best bet, although it is a case of security
through obscurity.

I don't believe the suggestion to use a secondary DNS server will work.
Correct me if I'm wrong, but if a lookup fails on the primary server, it
won't then go to the secondary server to see if it works there.  It only
uses the secondary in the event that the primary server is unresponsive.

Re-reading this, I'm not certain that this is what was being suggested, so
ignore this if I'm mistaken!

- Bob Coffman

-----Original Message-----
From: windows2000-bounce@xxxxxxxxxxxxx
[mailto:windows2000-bounce@xxxxxxxxxxxxx]
Sent: Friday, August 22, 2003 12:51 PM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: Porn Crazy Users!


The suggestion about two DNS servers is a good one - I think that might
work. The suggestion about setting the primary DNS to internal and the
secondary to external is not recommended by Microsoft. I don't have the
documentation to prove it handy, but I have seen it and have been told
the same thing by their support services. Microsoft wants all machines
to look at an internal DNS server which forwards out (or uses root
hints). Thanks for all the suggestions.

-----Original Message-----
From: SEspeseth@xxxxxxxx [mailto:SEspeseth@xxxxxxxx]
Sent: Thursday, August 21, 2003 1:25 PM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: Porn Crazy Users!


The other possibility, as someone already said, was to add the
ISP/external DNS as a secondary DNS only to people that need internet
access. Set your other users to the internal DNS, and turn off
forwarding for the internal DNS server.

Or put the users on different subnets. Get creative with the subnet
masking: example inet router ip=10.0.0.1/25, users with inet access have
ip 10.0.0.1-127/24, users without inet access have ip 10.0.0.129-254/24.
The users' computers all will talk because they are on the same subnet,
but the router will not respond nicely to the users in the 10.0.0.128+
group because it thinks they are not local.

http://thethin.net/win2000list.cfm
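As an added illustration (not code from the thread or from Microsoft), here is a small Python model of the query rounds in the resolver description quoted at the top of the thread, with constructed servers, names and addresses. It lets you check what the corp-primary/ISP-secondary setup does when the corporate DNS answers with a name error versus when it is unreachable, and what changes if the two servers sit on different adapters.

```python
from typing import Optional
from dataclasses import dataclass

@dataclass
class Server:
    """Constructed DNS server model: `answers` maps names to IPs, a missing name
    gives a negative (name-error) reply, latency None means it never answers."""
    name: str
    answers: dict
    latency: Optional[float] = 0.1

    def query(self, qname, wait):
        if self.latency is None or self.latency > wait:
            return None                        # no reply within this round's wait
        ip = self.answers.get(qname)
        return ("positive", ip) if ip else ("negative", None)

# The five rounds from the quoted Microsoft description: (which servers, wait in s)
ROUNDS = [("first-preferred", 1), ("first-all", 2), ("all", 2), ("all", 4), ("all", 8)]

def resolve(qname, adapters):
    """adapters: list of server lists, preferred adapter first.
    Returns (status, ip, trace) with status positive / negative / timeout."""
    active = list(range(len(adapters)))       # adapters still under consideration
    trace = []                                 # (server name, what it replied)
    for scope, wait in ROUNDS:
        if scope == "first-preferred":
            targets = [(0, adapters[0][0])]
        elif scope == "first-all":
            targets = [(a, adapters[a][0]) for a in active]
        else:
            targets = [(a, s) for a in active for s in adapters[a]]
        for a, srv in targets:
            if a not in active:                # adapter already ruled out this round
                continue
            reply = srv.query(qname, wait)
            trace.append((srv.name, reply[0] if reply else "no-reply"))
            if reply and reply[0] == "positive":
                return "positive", reply[1], trace
            if reply and reply[0] == "negative":
                active.remove(a)               # a negative reply drops the whole adapter
        if not active:                         # assumption: name error once every adapter is out
            return "negative", None, trace
    return "timeout", None, trace

# Constructed servers: corporate DNS knows only internal names, ISP DNS knows the web.
CORP = Server("corp-dns", {"intranet.example": "10.0.0.5"})
ISP = Server("isp-dns", {"www.example": "192.0.2.10"})
CORP_DOWN = Server("corp-dns", CORP.answers, latency=None)   # VPN down: never answers
```

The model assumes a name error is returned as soon as every adapter has been ruled out, which the quoted text does not state explicitly. Run `resolve("www.example", [[CORP, ISP]])` against `resolve("www.example", [[CORP_DOWN, ISP]])` and `resolve("www.example", [[CORP], [ISP]])` to see the three cases the thread argues about.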