Score:0

How to make localnetpriority / netmask ordering work on Windows DNS server when it queries itself?


We are utilizing Windows 2016+ DNS servers. We rely on LocalNetPriority on our DNS servers. We have several Active Directory DNS servers across multiple sites. The expected behavior is that when a particular query is made to the DNS server, it will return an IP address that is in the same subnet as the query originated, if multiple A records exist for the same host. This works fine in most cases.

However, for requests originating from the DNS server itself, it does not work. First, the DNS server (or Active Directory), by default, configures its network interface to use itself as the DNS server of choice via localhost (127.0.0.1 and ::1). This causes the LocalNetPriority selection to fail, as the originating IP address is not in one of our subnets.

Second, the server is preferring IPv6 over IPv4. We don't use IPv6 but also don't want to disable it as it has clearly caused problems in the past in different scenarios, and Microsoft claims it is mandatory and does not support or recommend disabling it. Using IPv6 is out of the question.

Finally, this has to work when there are network interruptions. This specific requirement demands that localnetpriority work properly when the satellite location is severed from the rest of the network. Therefore, using peer DNS resolvers as the primary server does not fulfill this requirement alone.

It seems like setting IPv4 to be the priority over IPv6, and configuring the server's actual IP address as the DNS server of choice, may be the only solution. However, I learned a long time ago that using 127.0.0.1 is the best choice because during a reboot, or if a network cable is unplugged, Active Directory can completely fall apart.

What am I missing? Is there a more direct way to solve this problem? Maybe I should just add a HOSTS file entry for the specific host that we're having trouble with.

joeqwerty: 127.0.0.1 should not be used as the primary DNS server. Use the server's actual IP address for primary DNS and use 127.0.0.1 for secondary DNS. - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd378900(v=ws.10)?redirectedfrom=MSDN
joeqwerty: I should have specified in my previous comment that if you have multiple DNS servers, they each should refer to a "partner" DNS server for Primary DNS, another partner or themselves for Secondary DNS, and 127.0.0.1 as Tertiary DNS.
Score:1

For a DNS server's resolver, configure a different DNS server's IP address first, this DNS server's IP address second, and localhost IP third.

Even when the DNS service is restarting, it still can resolve from the remote server. Also when using AD DS, a different host first is less likely to cause replication problems.

Second, the server is preferring IPv6 over IPv4. We don't use IPv6 but also don't want to disable it as it has clearly caused problems in the past in different scenarios, and Microsoft claims it is mandatory and does not support or recommend disabling it.

Yes, preferring IPv6 is standard behavior, and Microsoft does not test disabling IPv6. If you do not use IPv6, do not assign IPv6 addresses to hosts. That includes ensuring routers do not send IPv6 RAs. If there are only A records for a name and no AAAA records, hosts resolve and use IPv4; no further configuration is required.

Appleoddity: OK. This is a helpful post. What I may not have been clear enough about in my OP (edited now) is that this has to work when "peer" DNS servers are not available. This specific requirement is that I need localnetpriority to work when there is a network interruption severing this site from the others, meaning this is the only DNS server available. So the problem to be answered is really how to solve the localnetpriority issue when the DNS server queries itself.
Appleoddity: Regarding IPv6 and the localhost usage in general: the default for IPv6 is that it is auto-assigned. We don't do anything with IPv6. And the "localhost" DNS server is configured on both the IPv4 interface and the IPv6 interface, not by me, but by Active Directory when the server was promoted to a domain controller. I also think it made localhost the primary, and made the existing DNS servers secondary and tertiary. That all seems counter to MS's own best practices, apparently.
Score:0

To solve this issue, I had to consider several things:

  • IPv6 link-local addressing is enabled regardless of whether we use IPv6. So every server / host is going to have an IPv6 address and use IPv6 if it can.
  • Promoting a server to a Domain Controller w/DNS adds "localhost" as a DNS server on the local network interface for both IPv4 and IPv6. This is an MS best practice.
  • We cannot disable IPv6 as this is unsupported by Microsoft.
  • Windows prefers IPv6 over IPv4 so any configured IPv6 DNS server will take priority.
  • In a multi-DC environment, servers should refer to a peer as the primary DNS, and to themselves in secondary, tertiary, etc.
  • I need localnetpriority to work even when other DNS servers / sites are unavailable.
  • When a Windows DNS server queries itself, if it uses "localhost" to do so, it will break localnetpriority.
  • The MS Best Practice Analyzer provides useful insight into DNS server configuration problems, and will complain about improperly configured DNS settings on the network interface.

After all of this, I found the best solution is to change the DNS server settings on the network interface, and make no other changes to anything in Windows. To address all the above concerns I:

  • Removed the "localhost" DNS server configured in IPv6. There are NO IPv6 DNS servers configured now.
  • I reconfigured the IPv4 DNS server listing as follows:
    1. Primary: <Peer DNS Server IP>
    2. Secondary: <IPv4 address of this DNS server>
    3. Tertiary: 127.0.0.1 (Localhost)

Any related complaints from BPA have been solved. Localnetpriority works when the network is fully functional, and when the site is severed due to a network failure. And, AD will still function normally, even if the local network cable is unplugged, or some other network interface issue occurs.

The end result answers the question, "How to make localnetpriority work when the DNS server queries itself?", with the secondary requirement that I don't break anything else.
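The resolver ordering recommended in both answers above (peer first, this server's own IPv4 address second, 127.0.0.1 last, and no IPv6 DNS servers) can be applied and checked from an elevated PowerShell session on the domain controller. The script below is an added example written for this page, not code from either poster; the interface alias, the peer DNS server address and the multi-homed test name are placeholders that have to be replaced for a real environment. Beyond applying the settings, it verifies the resulting order, confirms that netmask ordering is still enabled on the DNS server, and queries the server through its real address to see whether the first A record returned falls in the server's own subnet.

```powershell
# Added example (not from the original post): apply the answer's DNS client
# ordering on a Windows DNS server / domain controller, then verify it.
# Placeholders to adjust for your environment:
$InterfaceAlias = 'Ethernet'                  # the DC's NIC name
$PeerDnsServer  = '10.1.1.10'                 # another DC/DNS server in the forest
$TestName       = 'fileserver.corp.example'   # a name with A records in several subnets

# 1. This server's own statically assigned IPv4 address and prefix length.
$ip4 = Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -PrefixOrigin Manual |
       Select-Object -First 1
$SelfIPv4 = $ip4.IPAddress

# 2. Peer first, this server's real address second, loopback last. Loopback stays
#    as the last resort so AD can still find itself with the cable unplugged,
#    but a query to "self" now normally originates from the real interface IP,
#    which is what netmask ordering needs.
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias `
    -ServerAddresses @($PeerDnsServer, $SelfIPv4, '127.0.0.1')

# 3. Remove the ::1 entry that DC promotion left on the IPv6 side. With no IPv6
#    DNS servers configured, Windows' IPv6-over-IPv4 preference no longer
#    selects the loopback resolver. netsh is used here because it clears one
#    address family without touching the IPv4 list just written.
netsh interface ipv6 delete dnsservers "$InterfaceAlias" all | Out-Null

# 4. Verify the resulting client configuration (this is what the BPA inspects).
$v4 = (Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).ServerAddresses
$v6 = (Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv6).ServerAddresses
if ($v4[0] -ne $PeerDnsServer -or $v4[1] -ne $SelfIPv4 -or $v4[2] -ne '127.0.0.1') {
    throw "IPv4 DNS server order is not peer/self/loopback: $($v4 -join ', ')"
}
if ($v6.Count -gt 0) { throw "IPv6 DNS servers still present: $($v6 -join ', ')" }

# 5. Netmask ordering must remain enabled on the DNS server itself.
if (-not (Get-DnsServerSetting -All).LocalNetPriority) {
    Write-Warning 'LocalNetPriority is disabled on this DNS server.'
}

# 6. Functional check: query through the real IPv4 address and test whether the
#    first A record returned is in this server's own subnet.
function Test-SameSubnet {
    param([string]$Address, [string]$Other, [int]$PrefixLength)
    $toUInt32 = {
        param([string]$Ip)
        $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
        [Array]::Reverse($bytes)            # network byte order -> host order
        [BitConverter]::ToUInt32($bytes, 0)
    }
    $mask = [uint32](([uint64]0xFFFFFFFF -shl (32 - $PrefixLength)) -band 0xFFFFFFFF)
    ((& $toUInt32 $Address) -band $mask) -eq ((& $toUInt32 $Other) -band $mask)
}

$answers = Resolve-DnsName -Name $TestName -Type A -Server $SelfIPv4 -DnsOnly
$first   = ($answers | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
if (Test-SameSubnet -Address $first -Other $SelfIPv4 -PrefixLength $ip4.PrefixLength) {
    "OK: first answer $first is in $SelfIPv4/$($ip4.PrefixLength)"
} else {
    Write-Warning "First answer $first is outside $SelfIPv4/$($ip4.PrefixLength); netmask ordering did not apply."
}
```

Step 6 is the part worth repeating after a simulated outage: if the same query still returns a same-subnet address with the peer unreachable, the resolver fell through to the server's own address rather than to 127.0.0.1, which is the behaviour the answer describes. The check only applies when the test name has A records in more than one subnet; for a single-record name the first answer is always the same regardless of ordering.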
