Violently agreeing. :D
On Fri, Nov 9, 2012 at 12:23 PM, Michael B. Smith <[email protected]> wrote:

> Then I think we are saying the same thing, just in different ways. :)
>
> -----Original Message-----
> From: Ben Scott [mailto:[email protected]]
> Sent: Thursday, November 8, 2012 1:09 PM
> To: NT System Admin Issues
> Subject: Re: Confused about DNS resolution on a server with 2 NICs on a DMZ
>
> On Thu, Nov 8, 2012 at 10:04 AM, Michael B. Smith <[email protected]> wrote:
> > Your statements are true in regards to DNS in the abstract. But as you
> > allude to, different adapters may have access to different servers and the
> > results you obtain - especially when both adapters point to DNS servers
> > that have different answers for queries - can be surprising.
>
> That's what I'm trying to say: There's one DNS namespace/cache.
> Resolver query order may be determined by adapter priority, but the
> answers feed into the same cache. If you try to treat it as anything
> *other* than a system-wide thing, you get those surprises.
>
> The fact that people fall into the trap of treating Windows DNS as not
> system-wide, doesn't mean it's not actually system-wide.
>
> If DNS *wasn't* system-wide, having different resolvers configured on
> different network adapters might be able to work -- you'd be able to
> maintain different, disjoint namespaces simultaneously. But it doesn't
> work that way, and that's the problem.
>
> Bad car analogy time: My car has one steering wheel. More than one
> person can grab the wheel and try to steer at once. It won't end well,
> because while you can provide multiple inputs, steering is a car-wide thing.
>
> (As an aside: This isn't a Windows-specific problem, either. You can
> configure multiple resolvers on *nix or most other OSes, too, and if those
> resolvers have different ideas of what the namespace is, the same problems
> occur.)
>
> -- Ben
>
> > -----Original Message-----
> > From: Ben Scott [mailto:[email protected]]
> > Sent: Thursday, November 8, 2012 8:31 AM
> > To: NT System Admin Issues
> > Subject: Re: Confused about DNS resolution on a server with 2 NICs on a DMZ
> >
> > On Wed, Nov 7, 2012 at 6:49 PM, Michael B. Smith <[email protected]> wrote:
> >>> DNS is not specific to a given network adapter. It's a system-wide thing.
> >>
> >> Your first two sentences are not really true with Windows. It's
> >> complicated. :P
> >
> > My understanding is that the Windows DNS subsystem has a single
> > namespace, shared across the entire system. If a record is cached by the
> > local resolver, that cached record is the same for the entire system. Is
> > that incorrect?
> >
> > I realize the order in which full-service resolvers are tried is
> > driven by network adapter priority.
> >
> > Assuming my understanding is correct: If it's all one namespace, I
> > think it's best to consider it a system-wide thing. DNS *is* the
> > namespace, as far as most things are concerned. Playing games with the
> > resolver order to try and influence that single namespace is a very bad
> > idea.
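
An added illustration of the behaviour discussed in this thread (not code from any poster, and a simplified model rather than Windows' actual resolver logic): one host-wide cache fed by resolvers tried in adapter-priority order, plus an audit that lists the names on which the configured resolvers disagree. The adapter names, zones and addresses are constructed.

```python
# Constructed model, not Windows' resolver code: adapter names, zones and
# addresses below are invented for illustration.
NXDOMAIN = "NXDOMAIN"

class Resolver:
    """A full-service resolver with its own view of the namespace."""
    def __init__(self, zone, reachable=True):
        self.zone, self.reachable = zone, reachable

    def query(self, name):
        if not self.reachable:
            return None                       # timeout: no answer at all
        return self.zone.get(name, NXDOMAIN)  # a negative answer is still an answer

class StubResolver:
    """One cache for the whole host; adapters only set the query order."""
    def __init__(self, adapters):
        self.adapters = adapters  # [(adapter name, Resolver)] in priority order
        self.cache = {}           # name -> (answer, adapter that supplied it)

    def lookup(self, name):
        if name not in self.cache:
            for adapter, resolver in self.adapters:
                answer = resolver.query(name)
                if answer is not None:        # first resolver to respond wins
                    self.cache[name] = (answer, adapter)
                    break
            else:
                return (None, None)           # every resolver timed out; nothing cached
        return self.cache[name]

def divergent_names(adapters, names):
    """Audit: names for which the reachable resolvers give different answers."""
    report = {}
    for name in names:
        answers = {a: r.query(name) for a, r in adapters if r.reachable}
        if len(set(answers.values())) > 1:
            report[name] = answers
    return report

# Constructed split-horizon setup: a DMZ-facing and an internal-facing adapter.
dmz = Resolver({"www.example.test": "203.0.113.10"})
lan = Resolver({"www.example.test": "10.0.0.10", "db.example.test": "10.0.0.20"})
ADAPTERS = [("dmz-nic", dmz), ("lan-nic", lan)]
NAMES = ["www.example.test", "db.example.test"]
```

In this model, `StubResolver(ADAPTERS).lookup("db.example.test")` comes back as NXDOMAIN because the DMZ resolver answers first, and reordering the adapters changes nothing for a name that is already cached until the cache is cleared.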
