It may depend on the OS. Win2k will wait only long enough for the positive response before querying the second DNS server. So if the second server can resolve the IP it responds before the primary times out. Otherwise a secondary DNS would never be used, if the resolution stopped with the first saying domain doesn't exist. If the first has a bogus entry (127.0.0.1), that is different.

Our configuration for home office users places our corp DNS as primary and our ISP DNS as secondary. When they are not connected to our VPN network (and thus unable to reach primary DNS) they can still browse the web without a problem, because they receive name resolution from the secondary.

Per MS: http://tinyurl.com/j18r

Windows 2000 Professional allows multiple DNS servers to be specified. The first DNS server, known as the preferred DNS server, can be followed by an unlimited number of alternate DNS servers. The resolver queries the DNS servers in the following order:

1. The resolver sends the query to the first server on the preferred adapter's search list and waits for one second for a response.
2. If the resolver does not receive a response from the first server within one second, it sends the query to the first DNS servers on all adapters still under consideration and waits two seconds for a response.
3. If the resolver does not receive a response from any server within two seconds, the resolver sends the query to all DNS servers on all adapters still under consideration and waits another two seconds for a response.
4. If the resolver still does not receive a response from any server, it sends the query to all DNS servers on all adapters still under consideration and waits four seconds for a response.
5. If it still does not receive a response from any server, the resolver sends the query to all DNS servers on all adapters still under consideration and waits eight seconds for a response.
If the resolver receives a positive response, it stops querying for the name, adds the response to the cache and returns the response to the client. If it has not received a response from any server by the end of the eight-second time period, the resolver responds with a time-out. Also, if it has not received a response from any server on a specified adapter, then for the next 30 seconds, the resolver responds to all queries destined for servers on that adapter with a time-out and does not query those servers.

If at any point the resolver receives a negative response from a server, it removes every server on that adapter from consideration during this search. For example, if in step 2, the first server on Alternate Adapter A gave a negative response, the resolver would not send the query to any other server on the list for Alternate Adapter A.

The resolver keeps track of which servers answer queries more quickly, and might move servers up or down on the list based on how quickly they reply to queries.

-----Original Message-----
From: Sullivan, Glenn [mailto:GSullivan@xxxxxxxxxxxxxx]
Sent: Friday, August 22, 2003 12:23 PM
To: 'windows2000@xxxxxxxxxxxxx'
Subject: [windows2000] Re: Porn Crazy Users!

I believe that you are correct... the second DNS server will only be used if the first one does not respond. If the first one responds at all (Even, "No such domain...") then the stack takes that response as authoritative.

Glenn Sullivan, MCSE+I MCDBA
David Clark Company Inc.

-----Original Message-----
From: Robert Coffman - Info From Data Corporation [mailto:bcoffman@xxxxxxxxxxxxxxxx]
Sent: Friday, August 22, 2003 1:11 PM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: Porn Crazy Users!

I think two DNS servers is your best bet, although it is a case of security through obscurity.

I don't believe the suggestion to use a secondary DNS server will work.
Correct me if I'm wrong, but if a lookup fails on the primary server, it won't then go to the secondary server to see if it works there. It only uses the secondary in the event that the primary server is unresponsive.

Re-reading this, I'm not certain that this is what was being suggested, so ignore this if I'm mistaken!

- Bob Coffman

-----Original Message-----
From: windows2000-bounce@xxxxxxxxxxxxx [mailto:windows2000-bounce@xxxxxxxxxxxxx]
Sent: Friday, August 22, 2003 12:51 PM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: Porn Crazy Users!

The suggestion about two DNS servers is a good one - I think that might work.

The suggestion about setting the primary DNS to internal and the secondary to external is not recommended by Microsoft. I don't have the documentation to prove it handy, but I have seen it and have been told the same thing by their support services. Microsoft wants all machines to look at an internal DNS server which forwards out (or uses root hints).

Thanks for all the suggestions.

-----Original Message-----
From: SEspeseth@xxxxxxxx [mailto:SEspeseth@xxxxxxxx]
Sent: Thursday, August 21, 2003 1:25 PM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: Porn Crazy Users!

The other possibility, as someone already said, was to add the ISP/external DNS as a secondary DNS only to people that need internet access. Set your other users to the internal DNS, and turn off forwarding for the internal DNS server.

Or put the users on different subnets. Get creative with the subnet masking. Example:

inet router ip=10.0.0.1/25
users with inet access have ip 10.0.0.1-127/24
users without inet access have ip 10.0.0.129-254/24

The users' computers all will talk because they are on the same subnet, but the router will not respond nicely to the users in the 10.0.0.128+ group because it thinks they are not local.
********************************************************
This Week's Sponsor - RTO Software / TScale
What's keeping you from getting more from your terminal servers? Did you know, in most cases, CPU Utilization IS NOT the single biggest constraint to scaling up?! Get this free white paper to understand the real constraints & how to overcome them. SAVE MONEY by scaling-up rather than buying more servers.
http://www.rtosoft.com/Enter.asp?ID=148
**********************************************************
To Unsubscribe, set digest or vacation mode or view archives use the below link.
http://thethin.net/win2000list.cfm
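
The resolver order quoted from Microsoft in this thread, as an added Python model that is not part of any poster's message and is not Microsoft's code; it shows why a primary server that answers "no such domain" keeps the secondary on the same adapter from being asked, while a silent primary does not. Assumptions: the server names and the `behaviour` map are constructed, replies within a step are processed in list order, an empty consideration list is reported as a negative result, and the 30-second adapter time-out and server reordering are not modelled.

```python
# Added illustration (not Microsoft code): simplified model of the
# Windows 2000 resolver order quoted in this thread.
WAITS = [1, 2, 2, 4, 8]  # seconds waited in steps 1-5, per the quoted text


def resolve(adapters, behaviour):
    """Simulate one lookup.

    adapters  -- list of server lists; adapters[0] is the preferred adapter
    behaviour -- constructed map: server -> "positive", "negative" or "silent"
    Returns (outcome, answering_server, seconds_waited, servers_queried).
    """
    live = [list(servers) for servers in adapters]  # still under consideration
    waited, queried = 0, []
    for step, wait in enumerate(WAITS, start=1):
        if step == 1:    # first server on the preferred adapter only
            targets = [(0, live[0][0])] if live[0] else []
        elif step == 2:  # first server on every adapter still considered
            targets = [(i, s[0]) for i, s in enumerate(live) if s]
        else:            # every server on every adapter still considered
            targets = [(i, srv) for i, s in enumerate(live) for srv in s]
        dropped, pending = set(), False
        for idx, server in targets:
            if idx in dropped:
                continue  # adapter already removed by a negative reply
            queried.append(server)
            reply = behaviour.get(server, "silent")
            if reply == "positive":
                return "positive", server, waited, queried
            if reply == "negative":
                dropped.add(idx)
            else:
                pending = True
        for idx in dropped:
            live[idx] = []
        if not any(live):  # assumption: nothing left to ask means name error
            return "negative", None, waited, queried
        if pending:
            waited += wait
    return "timeout", None, waited, queried


if __name__ == "__main__":
    # Constructed scenarios using hypothetical server names.
    up = {"corp": "silent", "isp": "positive"}
    print(resolve([["corp", "isp"]], up))       # VPN down: isp answers in step 3
    blocked = {"internal": "negative", "external": "positive"}
    print(resolve([["internal", "external"]], blocked))  # external never asked
```

The negative-response rule is scoped to one adapter in the quoted text, so the same two servers placed on separate adapters give a different result than when both sit on one adapter's list.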