Then I think we are saying the same thing, just in different ways. :)

-----Original Message-----
From: Ben Scott [mailto:[email protected]]
Sent: Thursday, November 8, 2012 1:09 PM
To: NT System Admin Issues
Subject: Re: Confused about DNS resolution on a server with 2 NICs on a DMZ

On Thu, Nov 8, 2012 at 10:04 AM, Michael B. Smith <[email protected]> wrote:
> Your statements are true in regards to DNS in the abstract. But as you allude
> to, different adapters may have access to different servers, and the results
> you obtain - especially when both adapters point to DNS servers that have
> different answers for queries - can be surprising.

That's what I'm trying to say: There's one DNS namespace/cache. Resolver query
order may be determined by adapter priority, but the answers feed into the same
cache. If you try to treat it as anything *other* than a system-wide thing, you
get those surprises. The fact that people fall into the trap of treating Windows
DNS as not system-wide doesn't mean it's not actually system-wide.

If DNS *wasn't* system-wide, having different resolvers configured on different
network adapters might be able to work -- you'd be able to maintain different,
disjoint namespaces simultaneously. But it doesn't work that way, and that's the
problem.

Bad car analogy time: My car has one steering wheel. More than one person can
grab the wheel and try to steer at once. It won't end well, because while you
can provide multiple inputs, steering is a car-wide thing.

(As an aside: This isn't a Windows-specific problem, either. You can configure
multiple resolvers on *nix or most other OSes, too, and if those resolvers have
different ideas of what the namespace is, the same problems occur.)

-- Ben

> -----Original Message-----
> From: Ben Scott [mailto:[email protected]]
> Sent: Thursday, November 8, 2012 8:31 AM
> To: NT System Admin Issues
> Subject: Re: Confused about DNS resolution on a server with 2 NICs on a DMZ
>
> On Wed, Nov 7, 2012 at 6:49 PM, Michael B. Smith <[email protected]> wrote:
>>> DNS is not specific to a given network adapter. It's a system-wide thing.
>>
>> Your first two sentences are not really true with Windows. It's
>> complicated. :P
>
> My understanding is that the Windows DNS subsystem has a single namespace,
> shared across the entire system. If a record is cached by the local
> resolver, that cached record is the same for the entire system. Is that
> incorrect?
>
> I realize the order in which full-service resolvers are tried is driven by
> network adapter priority.
>
> Assuming my understanding is correct: If it's all one namespace, I think
> it's best to consider it a system-wide thing. DNS *is* the namespace, as far
> as most things are concerned. Playing games with the resolver order to try
> and influence that single namespace is a very bad idea.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
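The thread's point is that Windows keeps one DNS cache for the whole host, while the resolver order is driven by adapter priority, so a dual-NIC box whose adapters point at DNS servers with different answers ends up with whichever answer came first in its single cache. The following PowerShell audit script is an added example written for this page; it is not from any of the messages above and is not a Microsoft-supplied tool. It lists the DNS servers configured on each IPv4 adapter together with that adapter's interface metric, queries every configured server directly for one name, warns when the servers disagree, and then shows the single host-wide cache entry. The name `example.internal` is a constructed placeholder; replace it with a name that exists in your own environment.

```powershell
# Added example (not from the thread): audit per-adapter DNS servers on a
# Windows host and check whether they give conflicting answers for one name.
param(
    # Hypothetical name to probe; substitute one that exists in your environment.
    [string]$Name = 'example.internal'
)

# 1. DNS servers configured per adapter (IPv4 only, adapters with no servers skipped).
$perAdapter = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 }

# 2. The resolver tries adapters in metric order, so show each adapter's metric.
$metrics = Get-NetIPInterface -AddressFamily IPv4 |
    Select-Object InterfaceAlias, InterfaceMetric

Write-Host "Per-adapter DNS configuration:"
foreach ($a in $perAdapter) {
    $m = ($metrics | Where-Object InterfaceAlias -eq $a.InterfaceAlias).InterfaceMetric
    "  {0} (metric {1}): {2}" -f $a.InterfaceAlias, $m, ($a.ServerAddresses -join ', ')
}

# 3. Ask every configured server directly for the same name and collect the A records.
$answers = @{}
foreach ($server in ($perAdapter.ServerAddresses | Select-Object -Unique)) {
    try {
        $r = Resolve-DnsName -Name $Name -Server $server -Type A -DnsOnly -ErrorAction Stop
        $ips = $r | Where-Object Type -eq 'A' | ForEach-Object IPAddress | Sort-Object
        $answers[$server] = ($ips -join ',')
    } catch {
        # A server that cannot be reached from this host is itself a useful finding.
        $answers[$server] = "ERROR: $($_.Exception.Message)"
    }
}

Write-Host "Answers for $Name by server:"
$answers.GetEnumerator() | ForEach-Object { "  {0} -> {1}" -f $_.Key, $_.Value }

# 4. Disagreement means the host's single cache will hold whichever answer arrived first.
if (($answers.Values | Select-Object -Unique).Count -gt 1) {
    Write-Warning ("Configured DNS servers disagree for {0}; the first answer " +
                   "wins and lands in the one system-wide cache.") -f $Name
}

# 5. Show the cache entry itself: there is one per host, not one per adapter.
Resolve-DnsName -Name $Name -ErrorAction SilentlyContinue | Out-Null
Get-DnsClientCache -Name $Name -ErrorAction SilentlyContinue |
    Select-Object Name, Type, Data, TimeToLive
```

Run it in an elevated PowerShell session on the dual-homed server with a name that both the internal and the DMZ-side DNS servers are expected to know. A warning from step 4 is the configuration the thread warns against; the remedy is to point all adapters at one resolver set that answers consistently rather than to tune adapter priority.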
