Issue with one Conditional forwarder

bshwjt posted this 4 weeks ago

Hello All,
We have a root DNS zone and are using only conditional forwarders. All conditional forwarders are working fine. Recently I created two conditional forwarders and one of them is not working. That is "download.windowsupdate.com". All the other conditional forwarders are working fine except that one. What could be the issue?
Thanks and Regards
Biswajit Biswas

Icolan posted this 4 weeks ago

Why are you creating conditional forwarders to internet domains?  DNS queries for all internet domains should simply be forwarded to your ISP or other external DNS provider.  Conditional Forwarders are for domains you control or partner with, not internet domains.



daemonr00t posted this 4 weeks ago

Biswajit,

Is this setup of yours a secure one? Are you preventing people from navigating to certain domains but a handful of explicit domains for which you created the forwarders?

If yes then I would rather look into other ways to achieve this… even implementing a WSUS server would be much better than letting your customers go out and download updates.

Please let us know more about your setup so we can give you some hints.

Cheers,

~danny


bshwjt posted this 4 weeks ago

Hello,
Our DNS servers have a ROOT zone, hence "ROOT HINTS" & "Forwarders" are disabled by default. All name resolution is working fine with conditional forwarders only, like Google.com, Azure.com, etc. Recently I created two conditional forwarders called "download.microsoft.com" & "download.windowsupdate.com".
"download.microsoft.com": Working fine as expected
"download.windowsupdate.com": Not working.
Our internal DNS servers (DCs) forward the queries to DMZ DCs (DNS) by conditional forwarders, and from DMZ DCs (DNS) to DMZ CacheOnly DNS servers. The CacheOnly server has forwarders (8.8.8.8 & 8.8.4.4).
All conditional forwarders are working fine but not download.windowsupdate.com.
Thanks & Regards
Biswajit Biswas a.k.a. bshwjt
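
One way to find where the lookup stops in the forwarding chain described in the post above, as an added PowerShell example that is not part of the original thread. The server names are placeholders, and it assumes the DnsServer module and rights to read zones on each tier. It also lists any name in the answer's CNAME chain that no conditional forwarder zone on that tier covers, since on a server with a root zone and no forwarders such a name has no resolution path of its own.

```powershell
# Added example: query each DNS tier from the post and report where resolution stops.
# Server names are placeholders (assumptions); replace them with the real hosts.
$Tiers = [ordered]@{
    'Internal DC'   = 'internal-dc.example'
    'DMZ DC'        = 'dmz-dc.example'
    'DMZ CacheOnly' = 'dmz-cache.example'
}
$Names = 'download.microsoft.com', 'download.windowsupdate.com'

function Test-ForwarderCoverage {
    param([string]$Name, [string[]]$Zones)
    # Covered when the name equals a forwarder zone or is a subdomain of one.
    $n = $Name.TrimEnd('.').ToLower()
    foreach ($zone in $Zones) {
        $z = $zone.TrimEnd('.').ToLower()
        if ($n -eq $z -or $n.EndsWith(".$z")) { return $true }
    }
    return $false
}

foreach ($tier in $Tiers.GetEnumerator()) {
    # Conditional forwarder zones defined on this tier (empty on a plain forwarding server).
    $zones = @()
    try {
        $zones = @(Get-DnsServerZone -ComputerName $tier.Value -ErrorAction Stop |
            Where-Object ZoneType -eq 'Forwarder' | ForEach-Object ZoneName)
    } catch { Write-Warning "$($tier.Key): cannot list zones: $($_.Exception.Message)" }

    foreach ($name in $Names) {
        $row = [ordered]@{ Tier = $tier.Key; Query = $name; Chain = ''; Result = ''; Uncovered = 'n/a' }
        try {
            $answer = @(Resolve-DnsName -Name $name -Type A -Server $tier.Value -DnsOnly -ErrorAction Stop |
                Where-Object Section -eq 'Answer')
            $cnames = @($answer | Where-Object Type -eq 'CNAME' | ForEach-Object NameHost)
            $ips    = @($answer | Where-Object Type -eq 'A' | ForEach-Object IPAddress)
            $row.Chain  = (@($name) + $cnames) -join ' -> '
            $row.Result = if ($ips) { $ips -join ', ' } else { 'no A record in answer' }
            if ($zones) {
                # Names in the chain that fall outside every conditional forwarder zone on this tier.
                $row.Uncovered = @(@($name) + $cnames |
                    Where-Object { -not (Test-ForwarderCoverage $_ $zones) }) -join ', '
            }
        } catch { $row.Result = "FAILED: $($_.Exception.Message)" }
        [pscustomobject]$row
    }
}
```

Comparing the rows for the working and non-working name tier by tier shows the first server that fails and whether its answer chain leaves the forwarded zones.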




Icolan posted this 4 weeks ago

I am a bit confused by "Our DNS servers having ROOT Zone".  The root zone of "download.microsoft.com" is com.  The root zone of any URL is the section after the last dot (com, net, org, biz, us, uk, etc.). How does your internal DNS server have a root zone on it?
Your internal DNS servers should be configured to answer queries for any zone that exists on the server and forward everything else to your DMZ DNS servers. 
Unless there is a security requirement to only allow certain sites to be accessible, in which case a proxy server or web filter seems more appropriate.



bshwjt posted this 4 weeks ago

That's correct but that is not the issue. Facing issue on one Conditional forwarder.
Thanks
On 28-Oct-2017 5:08 AM, "Rick" <rickcperkins@xxxxxxxxxxxxxxxx> wrote:
I am a bit confused by "Our DNS servers having ROOT Zone".  The root zone of "download.microsoft.com" is com.  The root zone of any URL is the section after the last dot (com, net, org, biz, us, uk, etc.). How does your internal DNS server have a root zone on it?
Your internal DNS servers should be configured to answer queries for any zone that exists on the server and forward everything else to your DMZ DNS servers. 
Unless there is a security requirement to only allow certain sites to be accessible, in which case a proxy server or web filter seems more appropriate.

