
Gentleman's argument about local DNS

Tsaico

Platinum Member
I do some overflow side work for a small PR firm that has about 25 workstations in a non-domain environment. They have a 7.5 MBit connection for the internet, but it is slow and intermittent. They currently do not have a DNS, only WINS on their 2003 server, which is also part of a workgroup. This server has DHCP and is dealing IPs out, and for DNS it uses an external DNS address for both primary and secondary. (It is a 1.4 GHz machine already running a SQL server that 4 users connect to, and has 2 gigs of RAM on a RAID5 array.)

The guy who normally handles their day-to-day does not want to add DNS services because the server is old and he doesn't think it can handle it, and it isn't worth the extra work and maintenance for a group this size. I want to risk it because the overall hit isn't that much for DNS operations, and it would speed up the internet performance to have it locally. (There are times the workstation cannot resolve an external name at all; other times it is slow as snails.)

While I admit that name resolution isn't the only thing impacting performance here (some of the wiring needs to be redone), Windows really does need a good DNS to get things to work, and 25-ish workstations is large enough to want to use local DNS...

What do you guys say?
 
I say it is totally unnecessary to run a DNS server in that environment.

you don't have a domain/ad
It works fine now.
You're adding administrative complexity.
It's not needed nor required.
You don't need the ability to change records from what I understand, just internet access.

-edit- the only plus I can see would be dynamic DNS, but even then you don't have a domain.

When is it needed?
Active Directory or any other active directory type function (exchange, etc)
Hosting and want the need to change records on the fly
Larger environments where you have different operating systems and need a unified naming resolution
when you can't get a good external DNS server to respond within 1 second
when you have staff that actually know it and can operate it (DNS DOES get borked from time to time and if you don't know what you are doing it can take you days to get it working right)
 
(Just to add to Spidey's list... no need to plant another monolith in front of the monkeys...)

Internal DNS is also (at the least) helpful when you have publicly accessible resources (web, mail, ftp) behind a NAT.

If you try to use the outside address, it doesn't work, because the NAT won't hairpin back to the inside. So, you put up a local DNS, define the internal IP addresses, and make sure that it's the primary DNS for all of your inside users.

FWIW

Scott
 
Hmmm... You guys seem to have a better grasp than I... So then here is my question.

They do have an in-house web, run Novell for their email and scripts, but the only thing that is showing signs of problems is the internet. They do not have problems getting into network folders hosted on Novell Linux, emailing people outside, receiving, etc. But about 1/4 of the time, you try to go to a web site and you get the "cannot find" page. At times you cannot resolve a name in ping or nslookup; both will either time out or say "host unknown". Other times the pings are all over the place with regard to timing. Using online resources like online banking is impossible, because at least once in a session you try to click on something and it cannot resolve. But then the majority of the time, 75%, it runs as expected.

The normal tech says the cable jobs are good in most places (but that doesn't explain why it is like that for everyone), and SBC says it is good all the way to the firewall. What are some other things that I might do to help this out? I thought since the computers were having a hard time resolving names, having a local DNS would help cut that down.
 
Tsaico,

You didn't explain what "slow and intermittent" DNS means. Does it mean that it takes an extra half-second to resolve a web site? Or does it mean that people can't reach needed sites at all, sometimes for hours at a time?

A Server 2003 DNS server would cache Internet DNS listings, and would be able to do DNS Root Server resolution and completely avoid the use of an ISP's unreliable DNS servers.

Of course, what I'd really do is recommend installing a new SBS 2003 server as a Domain Controller and email server and make the current server a Member Server and SQL server. You can get a modern Dell Server with SBS 2003 Standard Edition with a RAID 1 array for less than $1000 sometimes. You'd need SBS User CALs, too.

If you wanted to completely dump the old server, you could get SBS 2003 Premium Edition for about $500 more, with SQL 2000, along with ISA 2004 as a heavy-duty firewall.

SBS 2003 is really low maintenance. I manage a couple of offices with 20-25 users and spend a few hours a month on the Servers themselves. And you get Group Policies and WSUS, so you can now install software, manage updates, and set Security policies with a few mouse clicks on the Server (remotely, of course...).
 
Originally posted by: RebateMonger
Tsaico,

You didn't explain what "slow and intermittent" DNS means. Does it mean that it takes an extra half-second to resolve a web site? Or does it mean that people can't reach needed sites at all, sometimes for hours at a time?

A Server 2003 DNS server would cache Internet DNS listings, and would be able to do DNS Root Server resolution and completely avoid the use of an unreliable ISP's DNS servers.

Of course, what I'd really do is recommend installing a new SBS 2003 server as a Domain Controller and email server and make the current server a Member Server and SQL server. You can get a modern Dell Server with SBS 2003 Standard Edition with a RAID 1 array for less than $1000 sometimes. You'd need SBS User CALs, too.

If you wanted to completely dump the old server, you could get SBS 2003 Premium Edition for about $500 more, with SQL 2000, along with ISA 2004 as a heavy-duty firewall.

SBS 2003 is really low maintenance. I manage a couple of offices with 20-25 users and spend a few hours a month on the Servers themselves. If there are problems, it's usually with the client PCs rather than the SBS Servers.


Slow and intermittent would be pretty much what you described. You click and it takes anywhere from a second (normal) to as high as 6 min. Other times you click and it right away goes to the "cannot find server" error page in IE6. When it does that, if you hit refresh, it either works normally or you're right back where you started. It seems to be about half the time it is slow, 25% not at all (name resolution fails right away), and the last 25% works perfectly like it should. I know it isn't the physical connection because you can be transferring files between servers at the same time and that works just fine. The outages are never contiguous. You could open two different browser windows; one opens fine, the other fails to open anything.
 
Ouch. That's pretty bad! I doubt the PR firm will put up with that for long.

I'm not sure what the problem is, but, assuming your Server 2003 is the DHCP Server for your workgroup, it'd be pretty easy and painless to create a DNS zone and make Server 2003 your DNS Server. If it doesn't fix the problem, you can start troubleshooting other things.

Services like DNS and DHCP take almost no effort on the part of the Server. If turning on DNS breaks your Server, you probably have other issues!

----------------------------------------------------------------------------
For simplicity, I'd add a second NIC to the Server and make it the Default Gateway, DHCP Server, DNS Server, and WINS Server for the Domain.
----------------------------------------------------------------------------

But you could simply turn on DNS for a quick test:

1) Enable DNS on the Server
2) Create a Forward Lookup Zone in DNS
3) Set the DNS server to use Root Hints for external name resolution
4) Tell all the client PCs to use the Server for their DNS resolution. Do NOT put any other DNS server in the TCP/IP settings on the clients. Just the IP address of your Server's DNS Service.

You should be able to tell immediately if this fixes your problem.
 
Well, to tell you the truth, so do I. I was just thinking it is so fast and relatively easy to install DNS on a Windows 2003, why not? When you guys say circuit, do you mean the physical cat5e lines? (I already updated NIC drivers and replaced patch cables, but not the jacks themselves, nor have I tested the actual lines beyond a wire map to make sure they are wired correctly on each end.)
 
The Telco / provider can't test "up to the firewall"; they can only test "up to the CSU/DSU," which is on the telco-facing side of the gateway router.

If this is a fairly recent thing, then sit on it for a bit to see if it's stabilized... there have been some pretty ugly cable cuts in the last couple of weeks.

An easy thing to try is to reverse the primary/secondary DNS assignments given to you by the provider. Sometimes it's just a load issue, sometimes it's a path issue ...

When we say "circuit" we're talking about the T1/Frame-Relay/DSL Telco circuit.

Also verify with the provider that you are using the correct DNS for your location. Most providers will have regional DNS to keep the DNS relatively local to the customers.

Also make sure the Linux/Novell is up to current patch level, and verify that the DNS caching is enabled on the Linux.

I'd be willing to wager that this is not a single component issue, chances are it's a system problem and several things will need to be tweaked in order to get the network up to speed.

Things that would be helpful for us would be a "show interface" dump of the gateway router (the one that connects to the Telco/T1/Frame-Relay/DSL), as well as interface stats from the firewall (something that would show an error count for each interface).

Good Luck

Scott
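As an added example (not code from anyone in the thread), here is a small stand-alone probe for the check ScottMac is describing: query each resolver the DHCP server hands out and compare failure rate and latency, which is exactly what separates a stale or overloaded upstream resolver from a wiring problem. It uses only the Python standard library and builds the DNS packets itself; the resolver addresses and host names you pass to `probe()` are your own.

```python
import random, socket, struct, time

def build_query(name, qid):
    """A/IN query with RD set and 16-bit id `qid`, in RFC 1035 wire format."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00\x00\x01\x00\x01"

def _skip_name(buf, off):
    """Advance past a (possibly compressed) domain name inside a DNS message."""
    while buf[off] != 0:
        if buf[off] & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + buf[off]
    return off + 1

def parse_answers(resp, qid):
    """A-record IPs, or None if the reply is unusable: wrong id (also what a spoofed reply looks like), not a response, or non-zero RCODE."""
    if len(resp) < 12:
        return None
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid or not flags & 0x8000 or flags & 0x000F:
        return None
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4    # skip QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:      # A record; CNAMEs etc. are skipped
            ips.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return ips

def probe(resolver, names, rounds=5, timeout=2.0):
    """Query each name `rounds` times; return (failure_rate, median_ms or None)."""
    fails, times = 0, []
    for name in names * rounds:
        qid = random.randrange(65536)      # fresh id per query, checked on the reply
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            t0 = time.perf_counter()
            try:
                s.sendto(build_query(name, qid), (resolver, 53))
                ips = parse_answers(s.recvfrom(512)[0], qid)
            except OSError:                # timeout, network unreachable, ICMP error
                ips = None
        if ips:
            times.append((time.perf_counter() - t0) * 1000)
        else:
            fails += 1                     # empty answer or bad reply counts as a failure
    median = sorted(times)[len(times) // 2] if times else None
    return fails / len(names * rounds), median
```

Run it once per candidate resolver, e.g. `probe("192.0.2.53", ["example.com", "www.example.net"])` with the real primary and secondary in place of the placeholder address, and the pair of numbers tells you whether swapping them (or replacing them) is worth the trip to the DHCP console.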


 
You know, I don't even know why I didn't think of all this. It should have been pretty clear... sigh, I am just moving from internal issues to baby steps of CSU/DSU, router, and firewall configurations. I will take all your suggestions to try to get to the guts of it all. Then share my work with the normal IT guy and see what he has to say... Thanks all!
 
Step one in network troubleshooting... physical layer. You can swap some in yours to ensure it's working, but where it's affected everywhere, it's most likely a wire between the router/primary switch or router/demarc point. Check and swap.
Step 2 - LLC/Switching: Make sure switches are working correctly, check ports for stats that may show duplex mismatch problems.
Step 3 - IP/Routing: Tracert to your DNS servers, is it an excessive distance? Try using a root DNS (think 4.2.2.1 is a good root server, may be 4.4.2.1).

So in essence, start at Physical, and work through the OSI model.
 
They do have a inhouse web, run Novell for their email and scripts

My sympathy for being forced to run Groupwise. 😀

I agree with above that internal DNS isn't a requirement given you don't run AD.

I'm not sure if I missed it, but one thing that doesn't seem to be mentioned is the quality of the router used to serve 25 clients. I'm also a little disappointed that nobody mentioned it given the advice here is usually pretty good.

If the shop has the typical Linksys/Dlink/Netgear/Belkin 'housewife class' router, then your troubleshooting need go no further.
 
Found it, ScottMac was the guess winner here. The DNS servers that were listed were still working, but they were old servers from who knows when. I updated the information in the DHCP and it is a gazillion times more reliable after people refreshed or rebooted.

They have now asked questions about wanting to do things that are more domain related (or at least easier to do in a domain from an IT standpoint), such as limiting who can install applications and what people can put on their desktops as wallpaper, etc., and being able to log into any workstation that is available instead of a single place. So it looks like we are going to move them into a domain after all... I guess I just came in at the right time.
 
For that many PCs, I would definitely recommend a domain environment. I couldn't imagine managing 25 computers in a peer-to-peer environment. For me, anything over 7-8 PCs warrants a central server.
 
Tsaico, I have to disagree with some other folks here and suggest you run a good local recursing name server. (recursing. Not an authoritative server.) Good server means grab a spare PC, run BSD or Linux, and BIND in a caching-only nameserver config.

Ordinary, naive users evaluate "Internet" performance as how fast web pages display. That's a very latency sensitive operation. Having the DNS server locally can greatly reduce the latency seen by a web user - especially with all the $#%^$@^%$ sites who insist on loading 10 web bugs and ads from various excess domains, requiring 10 DNS lookups to display one page.

Also, if your connection goes down, you will find that having your PCs configured to directly run off the ISP's name server will result in many random things performing poorly, or not at all. Not a happy place.

In a pinch, you can run BIND on your Windows box, there's a port. There's also the Microsoft name server, but its recursive performance is poor in my experience. Only use the MS DNS server if you're using AD, in which case you pretty much have to start drinking the Microsoft Kool-Aid. (It's possible to implement AD with many free/open tools instead of the MS ones, but unless you really know what you're doing you're asking for trouble even thinking about it. Just do things the Microsoft way.)
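The caching-only BIND setup cmetz describes, written out as an added example (not from the thread or from the BIND project); the LAN range, server address, directory and root-hints file name are assumptions. The two `allow-*` lines are the part worth getting right: a recursing server that answers the whole Internet is an open resolver and will be abused for amplification, so recursion is limited to the office subnet.

```conf
// named.conf for a caching-only recursive resolver (BIND 9), office LAN assumed 192.168.1.0/24
acl lan { 192.168.1.0/24; 127.0.0.1; };

options {
    directory "/var/named";                   // assumed; use your distro's default
    listen-on { 192.168.1.10; 127.0.0.1; };   // this server's own address (assumed)
    recursion yes;
    allow-query     { lan; };                 // answer only the office, not the Internet
    allow-recursion { lan; };                 // closed resolver: no open-recursion abuse
    // no "forwarders" statement: lookups walk down from the root hints, so the
    // flaky ISP resolvers the thread started with are out of the path entirely
};

// Only a root-hints zone: nothing authoritative lives here, it just caches.
zone "." {
    type hint;
    file "named.root";                        // assumed file name of the root hints
};
```

Point the DHCP DNS option at 192.168.1.10 (and nothing else) so every workstation uses the cache, and watch the `named` log for queries it refuses, which is the quick way to confirm the ACL is the right shape.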
 
Originally posted by: kevnich2
For that many PCs, I would definitely recommend a domain environment. I couldn't imagine managing 25 computers in a peer-to-peer environment. For me, anything over 7-8 PCs warrants a central server.

ditto.
 
Bear in mind that most modern operating systems (such as XP) have reasonable local dns client caches, so you won't see much improvement from a local one on the network.
 
bsobel, XP has a local DNS client cache, yes.

Reasonable it is not.

Trouble, it is.

Microsoft, typical of.

It gets poisoned pretty easily and then you're walking to every PC to fix your problem.
 
Originally posted by: cmetz
bsobel, XP has a local DNS client cache, yes.

Reasonable it is not.

Trouble, it is.

Microsoft, typical of.

It gets poisoned pretty easily and then you're walking to every PC to fix your problem.

Proof you must provide or shenanigans I will call.
 
My solution to keep the Microsoft boxes 'nice and pretty' in terms of DNS is daily scheduled 'ipconfig /flushdns' scripts. Especially on mail or AD servers.

I have mixed thoughts on the domain vs. workgroup debate. While the domain model obviously has better management tools, the fact is, you then spend time managing it. I also feel better about granting a local user admin rights in a workgroup so I don't have to babysit each and every app and install it. In a workgroup model there's less chance of a security breach or spyware on one box migrating to another. Both have advantages, and it depends on the company as to which is better. Some shops require the IT dept to control everything from the wallpaper being used to restricting access to any desktop function the user doesn't need. Other companies consider it annoying to require IT to get involved at all, and users have full rein on their desktops. All depends on the shop.
 
Personally, I think they should be moved to a domain. I don't think I would workgroup more than 5 - 10 computers together. But that is more of a personal thing.

If something works decently well, I would keep it that way. If it takes 20 - 30 tech hours to change something that will only marginally speed things up, then it might not be worth it. It is always something you can go over with the owner of the company. The best advice I can give when dealing with small firms and so on is to just give them two options and the cost of each. Don't oversell anything! Before giving them their options, carefully price out everything, carefully think it out, and run your plan by more than one experienced tech. Even though some of us may be extremely experienced, we make common mistakes and overlook some very minor things. People who I work with and respect as superb technicians have been found lacking common sense some days, something I think we all do, especially under pressure. Things end up costing more than we realized and also taking more tech time. Never be scared to run your ideas by other people and double and triple verify your plans. It looks like you are already doing that though, so two thumbs up 😀
 
Thanks for your input guys!

But the kinds of stuff they want to do is overly complicated in my opinion, but if they want to control what kind of stuff their employees are installing, what kind of wallpaper they are using, etc., I am not going to waste my time going to 24 workstations to change settings. They also want to be able to work from any desk if their current one is dead or occupied. Then add in the fact they want some interns having access to some other intern's resources but not the other way around; you just can't do that kind of stuff well from a workgroup scenario. Why they want it isn't really up to me, I just tell them about the technical possibilities. I try to judge my honest ability on how long it will take me, initially and over time, but it is their responsibility to figure out their own ROI.

So while suggesting they use a different workflow (like agreeing on saving information at a central place instead of My Documents on the local drive or in the C:), I don't see any easy way of doing what they want without a domain.

As for what they are doing is working well, I don't know. It sounds like they have been having a lot of different issues, and because their normal IT is in another state, much of it has been neglected.
 