Best Practices Question

Moondoggy

Verified User
Joined
Mar 27, 2008
Messages
9
For several years now we have had our internal DNS servers forward queries for non-hosted zones to our ISP's forwarder servers. At the time we set this up we were told by someone (can't remember who) that this was a "best practice" to forward to an ISP's forwarder server vs. sending queries to the root servers for name resolution. Now, we have purchased internet services from some sort of bulk provider and our old ISP wants us to stop forwarding queries to their forwarder servers but the bulk provider does not have their own forwarder server. When contacted about the situation, the bulk provider is suggesting that we were told wrong and the real best practice is to forward external zone queries to the roots. Can anyone weigh in on this issue and perhaps point me to some sort of document that spells out the true best practice?
 
Best practice, in my opinion, is to set up a caching nameserver and restrict access to it from the localhost.

If you don't want to use a caching nameserver you can always use opendns.
 
Best Practices

Our two existing internal DNS servers actually cache external queries returned by our existing forwarders. My question is whether it is a best practice to forward to a Forwarder supplied by an ISP or whether it is a best practice to do a root query?

Also, someone else on another forum suggested OpenDNS but I'm a bit confused. On the OpenDNS web site they specifically state:

"People frequently ask us how we can offer such a fantastic service without charging a dime. OpenDNS makes money the same way Google and Yahoo do — by showing relevant ads when we show you search results."

My question is this.....If I use the OpenDNS IP addresses as my forwarder addresses where do the relevant ads come into play?
 
I don't know. I have never seen any ads or even that statement. I use them for my home network and for some of my servers. No ads anywhere.

My question is whether it is a best practice to forward to a Forwarder supplied by an ISP

You have already stated that you do not have that option.

The root nameservers will be more accurate. ISPs' nameservers will be slightly faster but may have inaccurate cached data. I could be wrong.
 
Our two existing internal DNS servers actually cache external queries returned by our existing forwarders. My question is whether it is a best practice to forward to a Forwarder supplied by an ISP or whether it is a best practice to do a root query?

Also, someone else on another forum suggested OpenDNS but I'm a bit confused. On the OpenDNS web site they specifically state:

"People frequently ask us how we can offer such a fantastic service without charging a dime. OpenDNS makes money the same way Google and Yahoo do — by showing relevant ads when we show you search results."

My question is this.....If I use the OpenDNS IP addresses as my forwarder addresses where do the relevant ads come into play?
If you have some of their special services enabled, then when you type in a bad URL or use their search engine, the pages will have ads on them. I turned off the special services (proxy, typo correction, shortcuts [being able to type certain words in your address bar and it going to the website of choice], etc.). If you're just using it for the actual DNS services like I do, you'll never see the pages with ads on them.
 
Dave,

Thanks for your reply. Here is what you wrote:

If you have some of their special services enabled, then when you type in a bad URL or use their search engine, the pages will have ads on them. I turned off the special services (proxy, typo correction, shortcuts [being able to type certain words in your address bar and it going to the website of choice], etc.). If you're just using it for the actual DNS services like I do, you'll never see the pages with ads on them.

According to the instructions on the OpenDNS web site it states that if I want to use their service all I need to do is replace the IP addresses of my current forwarders with their IP addresses on my two DNS servers and I'm done. So if that's all I have to do, how do you turn off the special services? I'm still missing something so if you get this can you enlighten me some more?

Thanks.
 
Moondoggy said:
I'm still missing something

I think it is pretty clear.

Dravu said:
If you're just using it for the actual DNS services like I do, you'll never see the pages with ads on them.

Are you using a browser on the server? Are you using the server to browse the internet? No. Then you will never see an ad in the browser if you are not using a browser on the server.


Dravu said:
then when you type in a bad URL or use their search engine, the pages will have ads on them.

If you use OpenDNS on your computer that you use to browse the internet then you will see an ad but only if you type in a domain that does not have a DNS entry.
 
As Floyd pointed out; since you'll be using it on your server, you really wouldn't need to disable them anyways as you'll never see the pages that have ads on them (unless perhaps you use a script that attempts to grab a page from a non-existent domain maybe?). But when you register an account with OpenDNS, just go to the Settings page to disable anything you don't want to apply to your IP.
 
Dave,

I think I'm getting a better picture now. Their (OpenDNS) instructions only tell you to change the IP addresses of your forwarders in your DNS to change to their service but what you're telling me is that there is some sort of "registration" that is taking place and I get an account created that I can set up how I want. That also explains another post on another forum where the guy was telling me that I could customize any search page delivered by putting our own corporate logo on the page if we want. When does this registration/account setup occur?

Thanks!


As Floyd pointed out; since you'll be using it on your server, you really wouldn't need to disable them anyways as you'll never see the pages that have ads on them (unless perhaps you use a script that attempts to grab a page from a non-existent domain maybe?). But when you register an account with OpenDNS, just go to the Settings page to disable anything you don't want to apply to your IP.
 
Go to their home page and put your mouse over the tab that applies to you. Then on the left side, click "Start using it now (It's free.)". It'll tell you how to set everything up for use of their DNS servers and once that's done, it'll take you to an optional account creation page. Associate your IPs with it and edit the settings to how you want. I personally never have tried it without an account, so I'm not sure if the OpenDNS Guide (the pages that have the ads on them and such) comes enabled or disabled when you don't use an account. I'd probably just create one anyways just to make sure if you're worried any about it.
 
I personally never have tried it without an account

I have never used them with an account.

I am trying hard to figure out how this got so complicated.


Then on the left side, click "Start using it now (It's free.)".

No. That does not apply. You are given the choice to click on "Computer" or "Router". You are not using it on your computer or a router. Does not apply.

Just scroll down to the bottom of the page. They give you their DNS IP addresses. Put those in your resolv.conf file.
 
If you make an account under the Small Business option, DNS Server becomes an additional option.

But yeah. Either way, since he's using it on his server, he can probably just use the IPs without any other trouble. Nothing complicated.
 
I am using it on my home network without an account. I have never opened an account so please tell us if there are any advantages to opening an account.
 
Had I known there weren't any drawbacks from doing that, I probably wouldn't have made an account in the first place. I disabled most of their stuff anyways. I just wanted them for the DNS. :P
 
OK....I'm going back to my original question.....Regardless of whether you use a forwarder service like OpenDNS for name resolutions from a corporate DNS, is anyone aware of what the "BEST PRACTICE" is? All of your advice has been golden regarding the use of OpenDNS but a Microsoft DNS MVP I had contact with this week suggested that it was a bad thing for large corporations on the DNS servers to be using a forwarder. In his opinion, he always recommends that DNS servers be set up to query the ROOT servers and cites the potential of cache poisoning and other problems as reasons why. He suggests that by going to the roots the roots will always get an "authoritative" answer to the DNS query and once one query has occurred for that domain, information pertaining to that domain, such as the direct address of the name servers for that domain, will now be in your own cache and any future queries will be directly made to those name servers thereby bypassing the roots. Based on what this MVP is stating it sounds logical but is going to the roots an approved practice or is going to a forwarder or does anyone really care?
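The post above describes the mechanism behind "go to the roots": a recursive server starts at the root hints, caches each delegation it is referred to, and so only touches the root once per top-level zone, while a forwarding server keeps no delegation state and simply returns whatever its upstream has cached. The small offline model below is an added example written for this page (not code from any poster, OpenDNS, or Microsoft); every server name, zone and address in it is constructed, and the "ISP forwarder" is seeded with one constructed stale cache entry to show how a forwarding design inherits its upstream's cache, right or wrong.

```python
"""Toy model of the two resolver designs discussed in the thread: a recursive
server that walks from the root hints and caches every delegation it learns,
versus one that forwards everything upstream.  All names, servers and addresses
are constructed for the example; nothing here touches the network."""

ROOT_HINTS = ["a.root.example"]  # constructed stand-in for the root hints file

# Constructed delegation tree: server -> {name: ("A", address) | ("NS", [servers])}
ZONE_DATA = {
    "a.root.example":   {"com.": ("NS", ["a.gtld.example"]),
                         "org.": ("NS", ["a0.org.example"])},
    "a.gtld.example":   {"example.com.": ("NS", ["ns1.example.com."])},
    "a0.org.example":   {"example.org.": ("NS", ["ns1.example.org."])},
    "ns1.example.com.": {"www.example.com.": ("A", "192.0.2.10"),
                         "mail.example.com.": ("A", "192.0.2.25")},
    "ns1.example.org.": {"www.example.org.": ("A", "198.51.100.7")},
}


def suffixes(name):
    """'www.example.com.' -> ['www.example.com.', 'example.com.', 'com.', '.']"""
    labels = name.rstrip(".").split(".") if name != "." else []
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]


def query_server(server, qname, log):
    """One round trip to an authoritative server: an answer, a referral, or nothing."""
    log.append(server)
    records = ZONE_DATA[server]
    for suffix in suffixes(qname):
        if suffix in records:
            kind, payload = records[suffix]
            if kind == "A" and suffix == qname:
                return ("A", payload)
            if kind == "NS":
                return ("NS", suffix, payload)  # referral to a child zone
    return ("NXDOMAIN",)


class IterativeResolver:
    """Queries the roots itself and remembers every delegation it is told about."""

    def __init__(self):
        self.delegations = {".": list(ROOT_HINTS)}  # zone -> nameservers
        self.answers = {}                            # qname -> address
        self.log = []                                # servers contacted, in order

    def resolve(self, qname):
        if qname in self.answers:
            return self.answers[qname]
        # Start at the deepest delegation already cached: a second lookup under
        # example.com. goes straight to ns1.example.com. and never touches the root.
        servers = next(self.delegations[z] for z in suffixes(qname) if z in self.delegations)
        for _ in range(8):  # hop limit guards against referral loops
            resp = query_server(servers[0], qname, self.log)
            if resp[0] == "A":
                self.answers[qname] = resp[1]
                return resp[1]
            if resp[0] == "NS":
                servers = resp[2]
                self.delegations[resp[1]] = servers  # cache the delegation
                continue
            return None
        return None


class ForwardingResolver:
    """Sends every query to one upstream forwarder and keeps no delegation state;
    whatever that forwarder has cached is what it hands back."""

    def __init__(self, forwarder_name, forwarder):
        self.forwarder_name, self.forwarder = forwarder_name, forwarder
        self.log = []

    def resolve(self, qname):
        self.log.append(self.forwarder_name)
        return self.forwarder.resolve(qname)


def compare():
    """Run both designs over the same three lookups; return answers and contact logs."""
    direct = IterativeResolver()
    isp = IterativeResolver()
    isp.answers["www.example.com."] = "203.0.113.66"  # constructed stale entry in the ISP cache
    via_isp = ForwardingResolver("isp-forwarder", isp)
    names = ["www.example.com.", "mail.example.com.", "www.example.org."]
    return {
        "direct": ([direct.resolve(n) for n in names], direct.log),
        "forwarded": ([via_isp.resolve(n) for n in names], via_isp.log),
    }


if __name__ == "__main__":
    for mode, (answers, log) in compare().items():
        print(mode, answers, "contacted:", log)
```

Running it shows the root server being contacted exactly twice in direct mode (once for `com.`, once for `org.`), with the second `example.com.` lookup going straight to the cached authoritative server, while the forwarding server contacts nothing but the forwarder and returns the forwarder's stale `www.example.com.` address without any way to notice.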
 
See post #2 or were you looking for answers from other people. You already have my answer.
 
It's hard to read when people just post mumblings in a huge paragraph.
 
Floyd,

Thanks for the reply.

See post #2 or were you looking for answers from other people. You already have my answer.

I understand where you're coming from but as you said that is your "opinion" which is totally valid but is that opinion backed up as an official guideline or standard that everyone should be following? What I'm hoping for is something concrete that I can point to but so far all I'm getting from everyone is "opinions" and if that's all there is then I'll make up my own mind and set my own direction.

P.S. Sorry if some think I'm mumbling.......
 
P.S. Sorry if some think I'm mumbling.......

Just break up your thoughts into short paragraphs.


I have never seen anything official but my upstream provider told me I could not use theirs anymore because of the number of DNS queries. So I either have to query the root or use OpenDNS.
 