1

When I setup a network I usually ignore the isp DNS offerings. I either change DNS to OPENDNS 208.67.222.222, 208.67.220.220, or Google 8.8.8.8 for high availability.

I set these dns settings on the router with DHCP .

So the clients receive the DNS settings provided there via DHCP.

On my server I set the DNS to the router gateway.

I have never had any problems with this. A co worker says this is a recipe for disaster, stating that server 2012 works best with loopback 127.0.0.1 for primary dns.

I am curious what you all think and what are your best practices?

5 Spice ups
2

Assuming you’re running a Windows DNS server for a domain setting 127.0.0.1 as your DNS server on the NIC is proper form and recommended by the Microsoft Best Practice Analyzer.

Then on that DNS server you set your forwarders for your external DNS providers.

7 Spice ups
3

I think we would need more detail…is this an AD network? If so he’s right, setting all of the clients to public DNS via DHCP is going to cause some fail. Your DNS server would work fine setting the primary DNS to 127.0.0.1…the clients should then point to that DNS server for primary (and preferrably you would also have a second domain controller to point to for secondary). Then your DNS server would forward requests on to a public DNS service such as OpenDNS.

5 Spice ups
4

In the AD world, 127.0.0.1 is best practice. Your clients look to the AD box and the AD box looks to any other DNS server and itself on 127.0.0.1

Best practices for configuring a new Active Directory

So, it depends if this environment is AD or not.

5 Spice ups
5

If you point your internal clients at an external DNS server instead of your DC or AD DNS Master, your clients will not be able to resolve internal hosts properly and may not be able to locate important resources on the LAN. In the absence of an AD server perhaps you may get away with that, but in an AD environment it is best practice.

4 Spice ups
6

Yep, as stated above, if it is a ADDS network your internal DHCP needs to point to the domain controller for DNS. The domain controller needs to have forwarders setup, 3rd party DNS is okay here, to look up any unknown addresses. If not you will begin having issues.

Also the domain controller should always point to itself in the network settings. Unless you have 2 DCs then they should point to each other as primary and to themselves as secondary.

But my understanding is that you are having issues explaining to someone about using 3rd party DNS on the WAN configuration of the router right?

1 Spice up
7

Your profile says “21 years in ITMCP (XP), MCSE, Network+” - is that true, but you don’t know this standard best practice about DNS?

9 Spice ups
8

Assuming an AD network, there are always, at least, 3 DNS “hops” in this order…

(A) Local computer (has DNS cache) → (B) Microsoft DNS Server (has DNS cache) → (C) Forwarder out to your ISP, or GoogleDNS, or OpenDNS, or whoever

(A) must always go to (B)

(A) must never go directly to (C)

If you don’t think your ISP (C) is the best/fastest DNS server, then test it and pick whoever is fastest. Google DNS is fastest for me on Comcast. See: http://dnsredirector.com/sample/dnstest/ for where I learned how to do this.

For AD server’s (B) themselves, there has been some debate over the years, including inconsistencies in Microsoft’s own documentation. I like to configure every AD server to have itself listed as the primary DNS server IP (using it’s real static IP and NOT the loopback of 127.0.0.1, as this can cause other problems in certain circumstances) then set the secondary DNS server as the IP of one of your other AD servers. Do this for every AD server.

For local computers (A), you can use any one DNS server (B), or if you have more than one (ideal) set any two AD servers (B) set for primary and secondary DNS - Ideally the geographically closer or faster/beefier server would be primary, and another sever, perhaps out at another branch over a VPN would be used for secondary.

2 Spice ups
9

Primary DNS=127.0.0.1 is good only if the box is a DNS server. If the box is a domain controller, then 127.0.0.1 is required, but only if it is a single DC environment. Otherwise, multiple domain controllers have to point to each other as primary DNS.

3 Spice ups
10

Regarding the first point, Legoman is correct that there has been a lot of back-and-forth on what is considered best practice. The “current” (AFAIK) best practice is to point to the DNS replication partner first on the NIC, then loopback as secondary if running more than one DC (assuming DNS is running on the DC’s themselves, and yes, they can run against non-DC DNS servers, I learned this by a public spanking in the forums here). See

DNS: DNS servers on should include the loopback address, but not as the first entry

Something to remember, at least in the world of Windows: If primary DNS can’t resolve an IP, the secondary DNS doesn’t just kick in and attempt the resolution. The primary has to completely fail a DNS request altogether (i.e. it’s down and/or is not answering DNS requests) before the secondary kicks in. I don’t think a lot of people realize this.

8 Spice ups
11

Oh, and here’s my experience I had with OpenDNS as a forwarder:

So…if you use OpenDNS forwarders at work

Things may have changed since then, but a word of warning.

1 Spice up
12

Good catch Rob! Thanks for the link!

1 Spice up