(MP) BGP recursive lookups

Hi colleague,
I have a question here about MP-BGP (iBGP) updates sent to a PE or RR.
You know, when BGP prepares the update, it puts in the source and destination IP, which is a Loopback address, then it has to look up the next hop to send the update. The next hop IP will usually already have an LDP label associated with it. Is this label added to the BGP packet update, so in other words is the update itself label switched inside the MPLS core? Thanks

Hello Raymond.
Packets of BGP sessions are treated as any other traffic: if an LSP exists with destination = remote BGP endpoint, and the endpoint is not directly connected (otherwise the pop tag will cause the packet to be sent with no label), the BGP packet is put into the LSP as traffic with a BGP next-hop = remote BGP endpoint.
This can be the case of a BGP packet sent to a route reflector server.
You can easily test this by performing a packet capture in an MPLS enabled lan segment.
I've actually discovered this during packet captures I did to look at settings in IPv4 headers of routing protocols.
The MPLS label is not part of the BGP update, rather the BGP packet is encapsulated in MPLS.
Note that BGP can be used to distribute labels when using BGP with labels, which requires neigh ... send-labels, but this is a more specific case, and in that case the label is a field in the BGP advertisement to a directly connected BGP neighbor.
Hope to help
Giuseppe
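Giuseppe's point, that the label wraps the packet rather than being a field of the BGP message, can be seen by walking the headers of an MPLS-encapsulated BGP packet the way a capture tool does. The Python below is an added example, not code from this thread: it constructs a sample frame (label 390, loopbacks 5.5.5.5 and 4.4.4.4 and the MAC addresses are made-up values) and parses it layer by layer, peeling the label stack off before it ever reaches the IP, TCP and BGP headers.

```python
import socket
import struct

ETH_P_IP = 0x0800        # plain IPv4: peer directly connected, no LSP in the path
ETH_P_MPLS_UC = 0x8847   # MPLS unicast: the BGP packet rides inside an LSP
BGP_PORT = 179
BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}


def build_bgp_frame(labels, src_ip, dst_ip, src_port=51001):
    """Construct a sample Ethernet frame carrying a BGP KEEPALIVE over TCP/IPv4,
    wrapped in the given MPLS label stack (empty list = no MPLS header at all).
    Checksums stay zero and the MACs are made up: sample data, not a capture."""
    bgp = b"\xff" * 16 + struct.pack("!HB", 19, 4)   # marker, length 19, type 4 = KEEPALIVE
    tcp = struct.pack("!HHIIBBHHH", src_port, BGP_PORT, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20 + len(tcp) + len(bgp), 0, 0x4000,
                     255, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    stack = b""
    for i, label in enumerate(labels):
        bos = 1 if i == len(labels) - 1 else 0      # S bit set only on the bottom entry
        stack += struct.pack("!I", (label << 12) | (bos << 8) | 255)   # label, exp 0, S, TTL
    ethertype = ETH_P_MPLS_UC if labels else ETH_P_IP
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ethertype)
    return eth + stack + ip + tcp + bgp


def parse_frame(frame):
    """Walk Ethernet -> (MPLS label stack) -> IPv4 -> TCP -> BGP and report what
    sits at each layer. Returns None when the inner packet is not a BGP message.
    The label stack is removed before the IP header is even reached, which is
    the point: labels wrap the packet, they are not fields of the BGP message."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off, labels = 14, []
    if ethertype == ETH_P_MPLS_UC:
        while True:
            entry = struct.unpack("!I", frame[off:off + 4])[0]
            labels.append(entry >> 12)
            off += 4
            if (entry >> 8) & 1:              # bottom of stack: the IP header follows
                break
    elif ethertype != ETH_P_IP:
        return None
    if frame[off] >> 4 != 4 or frame[off + 9] != 6:   # IPv4 carrying TCP only
        return None
    src = socket.inet_ntoa(frame[off + 12:off + 16])
    dst = socket.inet_ntoa(frame[off + 16:off + 20])
    off += (frame[off] & 0x0F) * 4                    # skip the IP header (IHL)
    sport, dport = struct.unpack("!HH", frame[off:off + 4])
    off += (frame[off + 12] >> 4) * 4                 # skip the TCP header (data offset)
    if BGP_PORT not in (sport, dport):
        return None
    payload = frame[off:]
    if len(payload) < 19 or payload[:16] != b"\xff" * 16:   # every BGP message starts with the marker
        return None
    length, msg_type = struct.unpack("!HB", payload[16:19])
    return {"labels": labels, "src": src, "dst": dst, "sport": sport, "dport": dport,
            "bgp_type": BGP_TYPES.get(msg_type, "UNKNOWN"), "bgp_length": length}


if __name__ == "__main__":
    # Constructed values: label 390 and the loopbacks 5.5.5.5 / 4.4.4.4.
    print(parse_frame(build_bgp_frame([390], "5.5.5.5", "4.4.4.4")))   # via an LSP
    print(parse_frame(build_bgp_frame([], "5.5.5.5", "4.4.4.4")))      # directly connected
```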

Similar Messages

  • CEF Load Sharing Recursive Lookup

    Hi,
    I have this scenario:
           |----P1----P2----|
    PE1----|                |----PE2
           |----P3----P4----|
    IP Loop PE1: 5.5.5.5
    There are 2 GigabitEthernet links between the router PE and the router P.
    PE1 advertises 1.1.1.1/32 to PE2:
    PE2#sh ip route 1.1.1.1
    Routing entry for 1.1.1.1/32
    Known via "bgp 65000", distance 200, metric 0, type internal
    Last update from 5.5.5.5 01:57:03 ago
    Routing Descriptor Blocks:
    * 5.5.5.5, from 4.4.4.4 , 01:57:03 ago
    Route metric is 0, traffic share count is 1
    AS Hops 0, BGP network version 0
    PE2 has 4 links (2 towards P2 and 2 towards P4) at equal cost to reach 5.5.5.5/32 via OSPF:
    PE2# sh ip route 5.5.5.5
    Routing entry for 5.5.5.5/32
    Known via "ospf 65000", distance 110, metric 200, type inter area
    Last update from 23.23.23.24 on GigabitEthernet8/0/0, 01:13:45 ago
    Routing Descriptor Blocks:
    * 22.22.22.21, from IP-P1, 01:13:45 ago, via GigabitEthernet3/0/0
    Route metric is 200, traffic share count is 1
    23.23.23.23, from IP-P1, 01:13:45 ago, via GigabitEthernet8/0/0
    Route metric is 200, traffic share count is 1
    22.22.22.22, from IP-P2, 01:13:45 ago, via GigabitEthernet3/0/0
    Route metric is 200, traffic share count is 1
    23.23.23.24, from IP-P2, 01:13:45 ago, via GigabitEthernet8/0/0
    Route metric is 200, traffic share count is 1
    If I look at the CEF table I have all 4 links too:
    PE2# sh ip cef 5.5.5.5
    5.5.5.5/32, version 3101050, epoch 0, per-destination sharing
    0 packets, 0 bytes
    Flow: AS 0, mask 32
    tag information set, shared, all rewrites owned
    local tag: 1541
    via 22.22.22.21, GigabitEthernet3/0/0, 14 dependencies
    traffic share 1
    next hop 22.22.22.21, GigabitEthernet3/0/0
    valid adjacency
    tag rewrite with Gi3/0/0, 22.22.22.21, tags imposed {390}
    via 23.23.23.23, GigabitEthernet8/0/0, 14 dependencies
    traffic share 1
    next hop 23.23.23.23, GigabitEthernet8/0/0
    valid adjacency
    tag rewrite with Gi8/0/0, 23.23.23.23, tags imposed {390}
    via 22.22.22.22, GigabitEthernet3/0/0, 15 dependencies
    traffic share 1
    next hop 22.22.22.22, GigabitEthernet3/0/0
    valid adjacency
    tag rewrite with Gi3/0/0, 22.22.22.22, tags imposed {390}
    via 23.23.23.24, GigabitEthernet8/0/0, 15 dependencies
    traffic share 1
    next hop 23.23.23.24, GigabitEthernet8/0/0
    valid adjacency
    tag rewrite with Gi8/0/0, 23.23.23.24, tags imposed {390}
    0 packets, 0 bytes switched through the prefix
    tmstats: external 0 packets, 0 bytes
    internal 0 packets, 0 bytes
    But if I look at the CEF table for the address 1.1.1.1/32 I have only 1 link:
    PE2# sh ip cef 1.1.1.1
    1.1.1.1/32, version 6477717, epoch 0, per-destination sharing
    0 packets, 0 bytes
    Flow: AS 0, mask 32
    tag information from 5.5.5.5/32, shared, all rewrites owned
    local tag: 1541
    via 5.5.5.5, 0 dependencies, recursive
    next hop 22.22.22.22, GigabitEthernet3/0/0 via 5.5.5.5/32 (Default)
    valid adjacency
    tag rewrite with Gi3/0/0, 22.22.22.21, tags imposed {390}
    Recursive load sharing using 5.5.5.5/32.
    The question is: why doesn't PE2 utilize all 4 links (towards P2 and P4) to reach 1.1.1.1/32?
    Thanks in advance
    Rgds
    Gianluca

    Although the "show ip cef 1.1.1.1" command only displays one interface, the recursive load sharing will take place as expected.
    Do a "show ip cef 1.1.1.1 internal", which will show you the 4 outbound interfaces being used.
    Hope this helps,
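To show why the single adjacency printed by "show ip cef 1.1.1.1" still ends up spread over all four IGP paths, here is an added Python model of recursive resolution with per-destination sharing (not code from the thread or from IOS). The RIB mirrors the PE2 outputs above; the SHA-256 based path choice is an assumption standing in for CEF's own hash, and the resolution-loop guard goes beyond the post to cover a route whose next hop resolves back through itself.

```python
import hashlib
import ipaddress

# Constructed RIB mirroring the PE2 outputs in the post: a BGP route whose next
# hop (PE1's loopback 5.5.5.5) is itself reachable over four equal-cost OSPF
# paths. A next hop given as a bare IP must be resolved again; an
# (ip, interface) pair is already an adjacency.
RIB = {
    "1.1.1.1/32": {"proto": "bgp", "next_hops": ["5.5.5.5"]},
    "5.5.5.5/32": {"proto": "ospf", "next_hops": [
        ("22.22.22.21", "GigabitEthernet3/0/0"),
        ("23.23.23.23", "GigabitEthernet8/0/0"),
        ("22.22.22.22", "GigabitEthernet3/0/0"),
        ("23.23.23.24", "GigabitEthernet8/0/0"),
    ]},
}


def lookup(rib, ip):
    """Longest-prefix match of a host address; returns (prefix, route) or (None, None)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return (str(best), rib[str(best)]) if best else (None, None)


def resolve(rib, ip, _seen=frozenset()):
    """Recursively resolve ip down to directly connected (next_hop, interface)
    adjacencies, the way CEF resolves a BGP route through its IGP next hop.
    Every path of the IGP route is inherited by the recursive route."""
    prefix, route = lookup(rib, ip)
    if route is None:
        return []
    if prefix in _seen:        # guard: a route whose next hop resolves through itself
        raise ValueError(f"resolution loop through {prefix}")
    adjacencies = []
    for nh in route["next_hops"]:
        if isinstance(nh, tuple):
            adjacencies.append(nh)
        else:
            adjacencies.extend(resolve(rib, nh, _seen | {prefix}))
    return adjacencies


def select_path(rib, src, dst):
    """Per-destination sharing: hash the (src, dst) pair over the resolved
    adjacencies, so one flow sticks to one path while flows spread over all.
    SHA-256 stands in for CEF's own hash; an assumption, not the IOS algorithm."""
    paths = resolve(rib, dst)
    if not paths:
        return None
    digest = hashlib.sha256(f"{src}>{dst}".encode()).digest()
    return paths[int.from_bytes(digest[:4], "big") % len(paths)]


if __name__ == "__main__":
    print("adjacencies for 1.1.1.1:", resolve(RIB, "1.1.1.1"))   # four, not one
    for src in ("10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"):
        print(src, "->", select_path(RIB, src, "1.1.1.1"))
```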

  • Using PowerShell to do a recursive lookup of members of a Exchange Distribution Group

    I am trying to get the members (DisplayName, PrimarySMTPAddress) of several Exchange distribution groups. Using Get-DistributionGroupMember gets me the first level of information, but in many cases there are nested distribution groups. How can I get the members of each nested group?
    Paul Arbogast

    Paul
    Change lines 66 and 67 to
    $obj | Add-Member -membertype noteproperty -Name GroupMember -Value $member.DisplayName
    $obj | Add-Member -MemberType noteproperty -Name EmailAddress -Value $member.PrimarySMTPAddress
    Optionally, change 90 to
    $obj | Add-Member -MemberType noteproperty -Name EmailAddress -Value $LostGroup
    Karl
    My Blog: http://unlockpowershell.wordpress.com
    My Book:
    Windows PowerShell 2.0 Bible
    My E-mail: -join ("6B61726C6D69747363686B65406D742E6E6574"-split"(?<=\G.{2})",19|%{[char][int]"0x$_"})

  • BGP LOAD BALANCING

    BGP chooses only a single best path to reach a specific destination. BGP is not designed to perform load balancing.
    That is what I learned from every doc... but suppose these two eBGP neighbors have multiple paths, creating the neighborship by using loopback IPs; to reach the loopback the router has 2 equal cost IGP routes... in that case, after the recursive lookup, the router will load balance the traffic...
    Please let me know if I am right... or what is the meaning of this statement:
    On one side it is said BGP is not made for load balancing, especially in CCNA, CCNP and other exam books, but after searching Google I found the following link, saying load balancing/load sharing can be done.... Why this confusion...
    http://ccieblog.co.uk/bgp/bgp-unequal-load-cost-sharing
    Please tell me what the truth is...

    Milan,
    The link will help me a lot...
    but...
    The maximum-paths command for BGP works if your router has multiple parallel paths to different routers in the same remote AS; this command affects only the number of routes kept in the IP routing table, not the number of paths selected as best by BGP. For BGP, the paths parameter defaults to one.
    Suppose R1 has 2 paths to reach any destination; without the maximum-paths command under the router bgp, there is only one path in R1’s routing table. After the maximum-paths 2 command is added to the R1 BGP configuration, both paths appear in the IP routing table. However, only one path is still selected as the best in the BGP table.
    Vasilii & Reza,
    What is the right statement for BGP load balancing.... or does it change case to case?? Please clear this up for me...
    Guys... can you also tell me whether BGP supports "load balancing" & "load sharing"???

  • BGP and ASA NAT

    Hello Everyone,
    I have a need to multihome out two MAN links to the same ISP. The two links will connect via an ISR and will participate in an eBGP adjacency. On the internal side, iBGP will be used to create the alternate default route to the ISP. Each of the ISR’s downstream ports participates on the same Ethernet subnet. On the same subnet/broadcast domain, there are two ASA5510 appliances that will use HSRP to advertise the public IPv4 addresses and will NAT them into the private network.
    My question is, since the ASAs do not participate in BGP, and since we are going to NAT the traffic, eliminating the need to use a route map to inject the default route into the downstream EIGRP network, would I simply build a static default route in the ASAs out the upstream interfaces?  My initial thought is to not worry about recursive lookups because they are connected via Ethernet.
    ip route 0.0.0.0 0.0.0.0 fa0/0; and so on.
    I’ve attached a simple topology for reference.
    Thanks…Matt

    Yes Jcarvaja, HSRP is not a feature on the ASAs, and yes HSRP is difficult to setup natively to support active/active load balancing on any device. That's not really the point though is it. FHRP's are typically used for distribution switches and finely tuned to access layer 2 and layer 3 convergence, unless using GLBP (and even then should be considered). My mistake for using the term HSRP and thank you for pointing it out.
    As for the iBGP links, they represent the same subnet as I mentioned. The cat switches are there to facilitate physical restraints, as each pair of ISRs and ASAs are two miles apart. Since the ASAs are performing NAT, they don't really participate in the BGP network, and there is no need or capability to inject the BGP default route into the EIGRP network. They will participate in the downstream EIGRP network. If the MAN connection on one ISR goes down, then the iBGP route to the Internet will be graduated. I guess I could have indicated on the drawing that these were all a part of the same subnet.
    How do I configure the ASA's static default route? Wouldn't I be able to inject  a static default route in each ASA using the ASA's outside interface when using active/active? If I have to, I could see if we can use EIGRP on the network upstream of the ASAs if there is no other way of doing this, but this is not preferred.
    Any help you can provide is greatly appreciated. 
    Thank you...Matt

  • BGP continuously flapping

    Hi,
    I'm getting the below logs in my router frequently and BGP flaps. Could someone tell me what the possible causes of this issue are?
    Oct 2 02:33:50: %BGP-3-NOTIFICATION: received from neighbor 192.168.181.217 4/0 (hold time expired) 0 bytes
    Oct 2 02:33:50: %BGP-5-ADJCHANGE: neighbor 192.168.181.217 Down Peer closed the session
    Oct 2 02:33:50: %BGP_SESSION-5-ADJCHANGE: neighbor 192.168.181.217 IPv4 Unicast topology base removed from session  Peer closed the session
    Oct 2 02:33:57: %BGP-5-ADJCHANGE: neighbor 192.168.181.217 Up
    Oct 2 03:35:52: %BGP-3-NOTIFICATION: received from neighbor 192.168.181.217 4/0 (hold time expired) 0 bytes
    Oct 2 03:35:52: %BGP-5-ADJCHANGE: neighbor 192.168.181.217 Down Peer closed the session
    Oct 2 03:35:52: %BGP_SESSION-5-ADJCHANGE: neighbor 192.168.181.217 IPv4 Unicast topology base removed from session  Peer closed the session
    Oct 2 03:36:03: %BGP-5-ADJCHANGE: neighbor 192.168.181.217 Up
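Before chasing causes it helps to know how often and for how long the session drops. The Python below is an added example, not code from this thread: it parses the IOS log lines quoted above (copied here as constructed sample input), pairs each ADJCHANGE Down with the following Up for the same neighbor, and attaches the reason from the NOTIFICATION logged just before, giving the outage length, the gap between flaps and the recurring reason per neighbor.

```python
import re
from datetime import datetime

# Constructed sample: the IOS log lines quoted in the post above.
SAMPLE_LOG = """\
Oct 2 02:33:50: %BGP-3-NOTIFICATION: received from neighbor 192.168.181.217 4/0 (hold time expired) 0 bytes
Oct 2 02:33:50: %BGP-5-ADJCHANGE: neighbor 192.168.181.217 Down Peer closed the session
Oct 2 02:33:50: %BGP_SESSION-5-ADJCHANGE: neighbor 192.168.181.217 IPv4 Unicast topology base removed from session  Peer closed the session
Oct 2 02:33:57: %BGP-5-ADJCHANGE: neighbor 192.168.181.217 Up
Oct 2 03:35:52: %BGP-3-NOTIFICATION: received from neighbor 192.168.181.217 4/0 (hold time expired) 0 bytes
Oct 2 03:35:52: %BGP-5-ADJCHANGE: neighbor 192.168.181.217 Down Peer closed the session
Oct 2 03:35:52: %BGP_SESSION-5-ADJCHANGE: neighbor 192.168.181.217 IPv4 Unicast topology base removed from session  Peer closed the session
Oct 2 03:36:03: %BGP-5-ADJCHANGE: neighbor 192.168.181.217 Up
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d): %(?P<msg>BGP(?:_SESSION)?-\d-\w+): (?P<text>.*)$")
NEIGHBOR_RE = re.compile(r"neighbor (?P<ip>\d+\.\d+\.\d+\.\d+)")
NOTIF_RE = re.compile(r"received from neighbor (?P<ip>\S+) (?P<code>\d+/\d+) \((?P<reason>[^)]*)\)")


def parse_ts(ts):
    """IOS timestamps carry no year; only differences between them are used here."""
    return datetime.strptime(re.sub(r"\s+", " ", ts), "%b %d %H:%M:%S")


def analyze_flaps(lines):
    """Pair each %BGP-5-ADJCHANGE Down with the next Up for the same neighbor and
    attach the NOTIFICATION reason (error code/subcode and text) seen before it."""
    last_reason, open_down, flaps = {}, {}, {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, msg, text = parse_ts(m["ts"]), m["msg"], m["text"]
        if msg == "BGP-3-NOTIFICATION":
            n = NOTIF_RE.search(text)
            if n:
                last_reason[n["ip"]] = f"{n['code']} {n['reason']}"
        elif msg == "BGP-5-ADJCHANGE":
            n = NEIGHBOR_RE.search(text)
            if not n:
                continue
            ip = n["ip"]
            if " Down" in text:
                open_down[ip] = (ts, last_reason.pop(ip, "unknown"))
            elif text.rstrip().endswith("Up") and ip in open_down:
                down_ts, reason = open_down.pop(ip)
                flaps.setdefault(ip, []).append({
                    "down": down_ts, "up": ts, "reason": reason,
                    "outage_s": int((ts - down_ts).total_seconds())})
    return flaps


def summarize(flaps):
    """Per neighbor: flap count, each outage, seconds between consecutive Downs, reasons."""
    out = {}
    for ip, events in flaps.items():
        gaps = [int((b["down"] - a["down"]).total_seconds()) for a, b in zip(events, events[1:])]
        out[ip] = {"flaps": len(events),
                   "outages_s": [e["outage_s"] for e in events],
                   "gaps_s": gaps,
                   "reasons": sorted({e["reason"] for e in events})}
    return out


if __name__ == "__main__":
    for ip, s in summarize(analyze_flaps(SAMPLE_LOG.splitlines())).items():
        print(ip, s)
```

A steady gap between flaps with the same 4/0 hold-time reason, as here, points at keepalives being lost on the way rather than at the peer being reconfigured.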

    Hi,
    As Paul suggested, check your connectivity, run an extended ping between BGP peers; it might be as simple as a layer 1 issue. Else check that you don't have a recursive lookup for the peer address whereby you are peering with an address you receive via the BGP peering.
    /Samir 

  • Loop in MPLS

    Hi,
    Here is the standard MPLS network with vrf INTERNET:
    PE2--P2--P1--PE1--INTERNET
    |
    CPE
    PE1-routes
    ip route vrf INTERNET 0.0.0.0 0.0.0.0 --> PE1
    ip route vrf INTERNET 0.0.0.0 0.0.0.0 --> INTERNET
    vrf INTERNET 10.10.0.0/16 connected
    192.168.0.5 is loopback for MP-BGP
    PE2-routes
    ip route vrf INTERNET 0.0.0.0 0.0.0.0 --> PE1
    ip route vrf INTERNET 111.111.111.111 255.255.255.255 10.10.0.10
    Route on PE2:
    ip route vrf INTERNET 111.111.111.111 255.255.255.255 10.10.0.10 is misconfigured because the next hop is from network 10.10.0.0/16, which is directly connected on PE1, and address 111.111.111.111 is not active.
    When I start the ping from CPE to 111.111.111.111, the route on PE1 sends the packet via P1 and P2 to PE2. PE2 has a route that recursively points back to PE1. Of course there is a LOOP in the routing network.
    All devices except CPE are Cisco7600
    Here are the questions:
    1) With only one continuous PING of packet size 1500 bytes from CPE toward address 111.111.111.111, link utilisation P1-P2 goes up to 150Mbps. And with pings from more CPEs link utilisation rises. Why doesn't TTL prevent the increase in link utilisation?
    2) CPU on PE2 goes up to 70-80%. Shouldn't the Cisco 7600 forward packets in hardware? Or maybe the recursive lookup is done by the CPU?
    output from PE2:
    Sh ip route vrf INTERNET 111.111.111.111
    Routing entry for 111.111.111.111/32
    Known via "static", distance 1, metric 0
    Redistributing via bgp 65001
    Advertised by bgp 65001
    Routing Descriptor Blocks:
    * 10.10.0.10
    Route metric is 0, traffic share count is 1
    PE2#sh ip route vrf INTERNET 10.10.0.10
    Routing entry for 10.10.0.0/16
    Known via "bgp 65001", distance 200, metric 0, type internal
    Last update from 192.168.0.5 6d17h ago
    Routing Descriptor Blocks:
    * 192.168.0.5 (Default-IP-Routing-Table), from 192.168.0.5, 6d17h ago
    Route metric is 0, traffic share count is 1
    AS Hops 0
    Regards,
    A

    sorry, I made a mistake.
    CPE is connected to PE1 like this:
    PE2--P2--P1--PE1--INTERNET
                 |
                 CPE

  • Configuring MPLS VPN using static routing

    Hi,
    I managed to set up a BGP/MPLS VPN in a laboratory using CS3620 routers running IOS 12.2(3) with ISIS. I am thinking of using static routes among the PE and P routers instead of an IGP. Does anyone know if Cisco routers support static configuration of LSPs? I have tried but could not get it to work.

    You can very well run MPLS with static routing in the core, as in Cisco we have to meet 2 criteria to have an MPLS forwarding table.
    1) Creating the LIB
    This lies in having an LDP neighborship between two peers, and you have label bindings. This is irrespective of what the best next hop is to reach the advertising peer's LDP_ID.
    2) Creating the LFIB
    Now after considering all the label bindings, for the LDP_ID which can be reached out an interface as a next hop, those label bindings get installed in the LFIB.
    So considering the above two points, we have to be careful with static routes only for interfaces like Ethernet (multiaccess segments).
    As in CEF, when you give a static route pointing to an Ethernet interface, CEF creates a glean adjacency (meaning there could be multiple hosts as the next hop on this segment, and it will glean for the right next hop).
    Now you may observe that when you give a static route pointing only to an Ethernet interface, your LDP adjacency may come up and you may exchange the bindings with each other. But the Label Forwarding Table is not created. This is because of this being a multiaccess interface, and you have glean for it. If it is a normal WAN interface like Serial or POS, then there is no problem of glean and you would have a valid cached adjacency.
    So to avoid problems with Ethernet interfaces you can simply specify the next-hop IP address.
    For e.g.: ip route 10.10.31.250 255.255.255.255 10.10.31.226 (without the interface)
    ip route 10.10.31.250 255.255.255.255 fa0/0 10.10.31.226 (or with the interface)
    The only difference between the two is that in the first one it has to do a recursive lookup for the outgoing interface. Otherwise both work well, and you can have static routes in your network running MPLS.
    And doing this, CEF would work as it should and you would have a valid cached adjacency.
    So this is applicable for Cisco devices which use CEF, including the 6500 with SUP720.
    HTH-Cheers,
    Swaroop

  • Windows Server 2008 R2 - Won't load certain web pages - Happens in all browers - Won't do windows updates

    This server (Windows Server 2008 R2 Standard with SP1) is used to host thin clients as well as RDP sessions.  One morning the office is fine, they come back from lunch and all of a sudden they can't load certain web pages, such as adobe.com and pandora.com to name a couple.  This was roughly 3 days ago.
    1.)  I have tried machines that are not connected to this server (not thin client or RDP), but are on the same network, they can load up any web page fine with no issues.
    2.) On the server I have tried Opera, Chrome, IE and Firefox; all have the same exact problem.
    3.) Tried different DNS servers just to be sure, even though it only affects the server and no one else.
    Based on these facts I know that it is something wrong with the server, but not tied to a specific browser.  In all browsers when you load up a page in question it just sits there with a blank screen trying to load; it never generates any errors.
    The Event Viewer is also clean, no errors.  So with no errors I have had trouble trying to find a starting place for this.  Things I have tried:
    1.) ipconfig /flushdns to try and clear out any DNS issues
    2.) Changing the DNS servers for the server to 8.8.8.8 and 4.2.2.2
    3.) Scanning for Viruses and Malware/Spyware
    4.) Checking proxy settings on the server
    5.) Updating and then removing Adobe Flash (thought it was tied to flash at first).  Problem persists even with no flash player installed.
    6.) Completed a failed update of .net, no effect
    7.) Loading up browsers in debug mode to try and find anything in the site code that I could relate between failed sites.  I found nothing I could identify
    Of all issues to finally be stumped on this seems like an easy one, but I can't even begin to come up with an idea at this point. 
    I have tried to lay out all of the facts that I know as plainly as I can.  I am hoping that someone has seen this before, as this issue is affecting a number of different users and keeping them from doing portions of their job.
    Help is most appreciated, thank you!

    I was able to figure out a solution.
    CAUSE:
    It appears that the Internet isn’t fully up to date and ready to use EDNS, which is enabled on Windows Server 2008 R2 by default. The solution for this is to disable EDNS. Note that this isn’t a problem for most Windows Server 2008 R2 member servers.  It’s only a problem for DNS *servers* that do recursive lookups, i.e. likely only your domain controller will be affected if that is where your DNS Server role exists.
    SOLUTION:
    To disable EDNS, you can do it from the command prompt, or by editing the registry.
    Create a DWORD called EnableEDNSProbes and set to 0 in HKLM\SYSTEM\CurrentControlSet\services\DNS\Parameters
    Restart the DNS Server service for it to take effect.

  • Setting Up DNS - Making Sure I'm Not Running Split Horizon

    Hello everyone - I'm wanting to make sure I am running my DNS correctly and that it isn't split horizon.
    I purchased a domain name (johnsonsfromtyler.com). I have public "@" and "mail" A host names pointing to my public IP address, have a MX for johnsonsfromtyler.com pointing to mail.johnsonsfromtyler.com, and have a reverse lookup setup all via public DNS.
    On my SLS running the private DNS I have the primary zone name set as johnsonsfromtyler.com. For the nameserver I have the zone johnsonsfromtyler.com. pointing to server.johnsonsfromtyler.com which has a static IP of 10.0.1.10. I also have a mail exchanger hostname of mail.johnsonsfromtyler.com with a priority of 10. I also have an alias for mail.johnsonsfromtyler.com pointed to server.johnsonsfromtyler.com. I also have forwarder IP addresses pointing to the OpenDNS servers.
    I have my router setup to use the private DNS server located at 10.0.1.10 and the search domain as johnsonsfromtyler.com. server.johnsonsfromtyler.com is running DNS and all other server services.
    So am I running DNS correctly and is this setup a split horizon setup? Also, do I need to have forwarder IP addresses pointing to external DNS servers?

    As Mr Hoffman writes, if you "reuse" a public IP domain name in an internal private-IP-only LAN DNS you are using a "split horizon" DNS (where did that "designation" come from?).
    To reach public IP servers using the same domain name from your LAN using only the internal DNS, you need to also put the public IP servers in your internal DNS with their public IPs. The reverse zone for any "remote" public IPs that Server Admin creates should be removed to let the DNS responsible for that zone answer those lookups - probably not too important for most configurations though.
    BIND views can be used to give answers to lookups depending on where (what IP) the query comes from. The same DNS could be set up with different views where public and private IPs are in separate views so that private name -> IP lookups only get answered when the query comes from the private IP LAN. Can you have a different response (IP) for the same name -> IP lookup? - probably(?) - if the private IP view is listed before the public one in the DNS config.
    And I think a DNS is always caching lookups (?), not depending on whether forwarders are used or not. Forwarders can speed up lookups but can also make trouble if they stop working/start refusing to answer recursive lookup queries. Without forwarders the DNS has to go "the long way" via the root DNS servers (you should update /var/named/named.ca regularly, especially if not using forwarders).

  • 450 Host Down message/between domains

    Using Groupwise 6.5 and Novell 6, we can not successfully send email to a
    specific domain OUTSIDE of our company. We get the following messages in
    the GWIA log:
    Detected error on SMTP command
    Command : (the intended recipient)
    Response: 450 Host Down (the intended recipient)
    Deferring message
    The recipient's ISP claims to have never received any message. We can
    successfully email this recipient using a different email client.
    Any ideas?
    Fred Jeffers

    Fred Jeffers wrote:
    > Using Groupwise 6.5 and Novell 6, we can not successfully send email to a
    > specific domain OUTSIDE of our company. We get the following messages in
    > the GWIA log:
    >
    > Detected error on SMTP command
    > Command : (the intended recipient)
    > Response: 450 Host Down (the intended recipient)
    > Deferring message
    >
    > The recipient's ISP claims to have never received any message. We can
    > successfully email this recipient using a different email client.
    >
    > Any ideas?
    This is really a question best posed on the support forums. These forums
    are intended for peer support for software developers. However, since
    you can provoke the behaviour at will you could use a number of
    techniques to investigate it. Given the description I'd guess at DNS
    problems first. Start with NSLookup (preferably on your host that does
    the SMTP forwarding). Then use the following commands:
    SET TYPE=MX
    foreign.domain
    Replace foreign.domain with the domain name you can't send to, e.g.:
    SET TYPE=MX
    novell.com
    You should see the mail exchanger (MX) record for the domain and the
    address (A) record for the mail exchanger. Then switch to a public
    server that is external to your own domain/network:
    SERVER 137.65.1.1
    SET TYPE=MX
    foreign.domain
    137.65.1.1 is Novell's public DNS server and it will do recursive
    lookups for external queries. If the result of the second set of
    commands is different from the first then the probable cause is DNS
    mis-configuration on your mail forwarder. It could be that it has the
    wrong DNS IP or that the DNS server it is using has a stale MX or A
    record for the problem domain.
    If that doesn't work you could try Ethereal or another packet capture
    application to capture frames that target the foreign domain's MX IP
    address and simply send it an e-mail. You should capture the SMTP
    exchange and the cause might be obvious. Note that you will have to run
    the capture program on your mail forwarder or use a hub or configure a
    switch port to echo your mail forwarder's switch port.

  • Log file size

    We have a DNS Server running on Solaris 9; it's generating huge logs, hence the /var/adm/messages file size is very big. Is there any way to create a separate log file for every day, or can I restrict the log file size for a single file?
    Thank you

    Hmmm,
    For what type of environment is this DNS server used? How many domains/delegated domains are configured on the host?
    I think by default BIND allows 1000 recursive lookup connections. (That is already plenty, and if you have that amount of legitimate traffic you will have to add more DNS servers and configure the nodes accordingly.)
    Is the server listed as a Name Server for your domain and used externally for name resolution for your domain host entries, maybe the SOA?
    nslookup (enter)
    set type=ns (enter)
    your_domain_name (i.e. your_domain.com) (enter)
    Or
    dig -q NS your_domain.com
    If the affected server returns in the list it is NEVER EVER a good idea to allow recursive lookups.
    My guess is that you are subject to denial of service, unless you host a fairly large environment with 1000s of hosts.
    Change the recursive-clients setting back (your system cannot handle 5000 recursive lookups and your system utilization shows this.)
    Then configure
    "category queries { your_query_file; };" in your named.conf
    restart BIND
    Use "rndc" to change the trace level to 1
    Let it run for 2-5 min and stop BIND entirely
    Then run something like:
    "cat your_query_file | cut -d'/' -f2 | sort | uniq -c | more" (depends on the log file format; better yet use awk)
    Take a quick look to see if there is one IP that is hammering your system.
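The cut/sort/uniq pipeline at the end of the reply, written out as a small script. This is an added example, not code from the thread: it parses lines in the BIND 9 query-log shape "client IP#port: query: NAME CLASS TYPE FLAGS" (the sample lines and their timestamps are constructed; in that format a leading "+" in FLAGS means recursion was requested), counts queries per client, and flags clients that ask for recursion from outside the networks you allow to use the server as a resolver. The allowed-network list is an assumed parameter.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of BIND 9 query logging ("+" = recursion
# desired, "-" = not). 10.0.0.0/8 is the site LAN; the other clients are outside.
SAMPLE_LOG = """\
02-Oct-2013 02:33:50.101 client 10.0.1.25#53412: query: www.example.com IN A +
02-Oct-2013 02:33:50.244 client 10.0.1.25#53413: query: mail.example.com IN MX +
02-Oct-2013 02:33:51.007 client 10.0.1.30#49152: query: intranet.example.com IN A +
02-Oct-2013 02:33:51.010 client 198.51.100.23#1024: query: example.net IN A +
02-Oct-2013 02:33:51.011 client 198.51.100.23#1025: query: example.net IN A +
02-Oct-2013 02:33:51.012 client 198.51.100.23#1026: query: example.net IN A +
02-Oct-2013 02:33:51.013 client 198.51.100.23#1027: query: example.net IN A +
02-Oct-2013 02:33:51.014 client 198.51.100.23#1028: query: example.net IN A +
02-Oct-2013 02:33:52.300 client 203.0.113.9#40001: query: www.example.com IN A -
"""

QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) (?P<qclass>\S+) "
    r"(?P<qtype>\S+) (?P<flags>[+-]\S*)")


def parse_query_log(lines):
    """Extract (client ip, qname, qtype, recursion-desired) from each query line;
    lines that do not match the query-log shape are ignored."""
    records = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            records.append({"ip": m["ip"], "qname": m["qname"], "qtype": m["qtype"],
                            "rd": m["flags"].startswith("+")})
    return records


def top_talkers(records, allowed_recursion, limit=5):
    """Rank clients by query count, and flag any that ask for recursion from
    outside the networks this server is meant to recurse for."""
    allowed = [ipaddress.ip_network(n) for n in allowed_recursion]
    totals, recursive, names = Counter(), Counter(), defaultdict(Counter)
    for r in records:
        totals[r["ip"]] += 1
        names[r["ip"]][r["qname"]] += 1
        if r["rd"]:
            recursive[r["ip"]] += 1
    report = []
    for ip, n in totals.most_common(limit):
        onsite = any(ipaddress.ip_address(ip) in net for net in allowed)
        report.append({"ip": ip, "queries": n, "recursive": recursive[ip],
                       "top_qname": names[ip].most_common(1)[0][0],
                       "offsite_recursion": recursive[ip] > 0 and not onsite})
    return report


if __name__ == "__main__":
    # Assumed site networks that are allowed to use this server as a resolver.
    for row in top_talkers(parse_query_log(SAMPLE_LOG.splitlines()), ["10.0.0.0/8"]):
        print(row)
```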

  • GSS response

    Hi Iftekhar,
    Found the following traffic flow in one of your responses to a query about integrating DNS with GSS.
    Typical flow is as follows
    1. Client will hit their DNS servers (configured on their machines as primary/backup dns server).
    2. "Client's DNS server" will query "DNS server authoritative for abc.com" for www.abc.com.
    3. "DNS server authoritative for abc.com" will ask "client's DNS server" to query "GSS - Authoritative for www.abc.com"
    4. "Client's DNS server" will query GSS for www.abc.com.
    5. GSS will send the ip add of www.abc.com (which should be configured on ACE as VIP).
    6. "Client's DNS server" will handover this VIP to client
    7. Client will hit the VIP configured on ACE (for application www.abc.com).
    Syed iftekhar Ahmed
    My doubt is about steps 3 and 4.
    In our scenario, we had done delegation of a subdomain to the GSS. Hence the DNS has two NS entries for the same subdomain,
    and when a request comes from the client to the DNS, the DNS does not reply back with the GSS IP address. It in turn does a recursive lookup with the GSS; the GSS returns the IP of the server to the DNS, which in turn forwards it to the client. Hence the client never sees the GSS.
    We had done a staging activity to test the effectiveness of this, and it was working fine.
    Do you see any drawbacks in this recursive mode of operation when compared to your iterative mode?
    Please advise.
    rgds
    Sanju

    The "DNS server authoritative for Domain" should have an NS record pointing towards the GSS.
    For example, if the DNS server is authoritative for "abc.com" and you make the GSS authoritative for "www.abc.com", then the primary DNS server should have the following records
    www.abc.com. IN NS gss01.abc.com. <-- NS record for http://www.abc.com via GSS01
    www.abc.com. IN NS gss02.abc.com. <-- NS record for http://www.abc.com via GSS02
    gss01.abc.com. IN A 1.1.1.1 <-- A record for GSS01
    gss02.abc.com. IN A 2.2.2.2 <-- A record for GSS02
    When "Client DNS Server" request A-record for "www.abc.com" then since primary DNS server has an NS record for www.abc.com, it should only hand over the NS record to "client's DNS Server". So the client's DNS server should contact the GSS to get the final answer.
    Proximity/Sticky logic wont make any sense if "DNS server authoritative" for domain is the only GSS client.
    Syed Iftekhar Ahmed

  • DNS shambles

    Hello everyone
    Been subscribed to BT Broadband for several years now, and I've just had enough of this shambles.
    BT are caching DNS requests far down the wire... so far there's nothing you can do about it. For most people, it's not a problem, but for a web designer, it's an absolute shambles, and I cannot believe the practice still goes on. (I have a good connection at work by the way, but I also need to work at home).
    Quick description:
    1. Change the A record of a domain name (www.bbc.co.uk for example, not the real one obviously)
    2. Go to www.bbc.co.uk
    3. Still going to old A record..... what?
    4. Flush local dns cache. Reboot router. Change router DNS server to google's DNS servers. Reboot router again. Go to zonedit.com to make sure A record is updated - OK
    5. Back to BT - still get old A record.... ???
    6. Ask friend to go to to www.bbc.co.uk - NEW A RECORD
    7. Go to iphone 3g network, and go to www.bbc.co.uk - NEW A RECORD
    8. Back to BT - still get old A record.... ???
    9. Shambles
    BT, you are caching DNS requests, and there's nothing anyone can do about it. You have so much bandwidth, so much money, so much monopoly, but not only is your infrastructure so crippled, you're also doing this. Why...?

    DNS entries are designed to be cached, it is fundamental to how the system operates and scales.
    There are essentially two types of DNS server:
    a) Authoritative servers - these contain the master records and are used from anywhere in the Internet to get the record
    b) Caching servers - these perform lookups and cache data for end users - typically provided by ISPs
    http://en.wikipedia.org/wiki/Domain_Name_System has a good explanation
    The BT & Google servers you mention are caching servers - they take requests from end users and then do the full lookup if they don't have the data or pass the cached value back if they do. The length of time these servers cache DNS records is controlled by the TTL value on the master record.
    When changing a master record such as an A record you need to be very aware of that TTL value. The length of time it takes for the record to completely switch to the new value on all servers will be anywhere from instant to the TTL value set (worst case being the server just did the lookup before you changed the value). So if you have a TTL value of one week set, then depending upon the server a mix of old and new DNS will get used for that one week.
    To get the change to happen rapidly the best practice is to change the TTL value down to a low setting say 30 seconds at least the old TTL length of time before the change. Then when you make the change the caching DNS servers will update within 30 seconds. So if you have a TTL of a week then you would need to plan a week ahead.
    The reason the caching value is normally quite high for static sites is that a low value can cause your authoritative DNS server to get swamped so you set it high to reduce load. It also speeds up the lookup for the end users as their local server will have the info in its cache rather than having to do a full recursive lookup.
    http://www.dnswatch.info/articles/dns-update - is a good description of how to change things.
    So in your case what is the TTL value set on the A record you are trying to change? It would take up to that time for the BT caching DNS server to report the new value.
    As to why Google DNS reports the new value straight away; I suspect that Google has a number of large farms of caching DNS servers behind the 8.8.8.8 address which won't be using a common cache database. If you hit a different server that has not got your A record cached it will do a lookup and get the new value. In the BT case I would suspect it is a single server behind each IP as they seem to have lots of different IPs for DNS.
    Adam
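Adam's planning rule (lower the TTL at least one old TTL before the change) can be checked with a small model. This is an added example, not code from the thread: each caching resolver hands out its cached answer until the TTL it was given runs out and only then asks the authoritative server again, and the model takes the worst case over every possible cache phase before the change. Times are in seconds; the 3600/30 second TTLs and the cut-over times are constructed values.

```python
def authoritative_answer(t, old_ttl, new_ttl, lower_at, change_at):
    """What the master (authoritative) server hands out at second t: the TTL
    drops to new_ttl from lower_at on, the A record value flips at change_at."""
    ttl = new_ttl if t >= lower_at else old_ttl
    value = "new" if t >= change_at else "old"
    return value, ttl


def first_new_answer(first_fetch, old_ttl, new_ttl, lower_at, change_at):
    """Second at which a caching resolver that first looked the name up at
    first_fetch starts returning the new value. A cache serves its entry until
    the TTL it was given runs out, then asks the authoritative server again."""
    t = first_fetch
    while True:
        value, ttl = authoritative_answer(t, old_ttl, new_ttl, lower_at, change_at)
        if value == "new":
            return t
        t += ttl        # keep answering "old" until the cached entry expires


def worst_case_delay(old_ttl, new_ttl, lower_at, change_at):
    """Longest time after change_at for which some caching resolver (one per
    possible cache phase before the change) still returns the old value."""
    return max(first_new_answer(p, old_ttl, new_ttl, lower_at, change_at) - change_at
               for p in range(change_at))


if __name__ == "__main__":
    OLD, NEW = 3600, 30     # constructed: a one-hour TTL lowered to 30 seconds
    # TTL lowered at the same moment as the change: worst case is nearly the old TTL.
    print("no preparation:", worst_case_delay(OLD, NEW, lower_at=1000, change_at=1000))        # 3599
    # TTL lowered 1000 s ahead, less than the old TTL: caches filled before 1000 s still hold on.
    print("1000 s ahead:", worst_case_delay(OLD, NEW, lower_at=1000, change_at=2000))          # 2599
    # TTL lowered one full old TTL ahead: every cache has re-fetched the short TTL.
    print("one old TTL ahead:", worst_case_delay(OLD, NEW, lower_at=1000, change_at=4600))     # 29
```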

  • DNS Forwarders Setup

    I'm just reviewing DNS as it was configured by someone else.  We have 4 DCs all with AD integrated DNS.  One of the DCs is configured with Forwarders to our external ISP's two DNS servers; a rule is also in place in our firewall to allow all DCs on to the internet everywhere via port 53 for DNS (not happy with this rule, want to lock it down more).  The other 3 DCs are configured with 1 Forwarder pointing to the first DC, which points to the external DNS servers.  I can see that this is a single point of failure, in that just one DC is getting external DNS; if that DC goes down external DNS won't work.  Also I'm not that happy about DCs connecting directly to the internet.  Can someone recommend if this is a poor setup and what they would do differently.
    Thanks

    I would indeed consider having at least 2 DNS servers that forward to the outside DNS server(s).
    All other DNS servers should contain these 2 servers to forward to.
    Opening up port 53 to everywhere might make sense if the DNS server has to do a recursive lookup (i.e. if no forwarder is available). It seems the current design was to have that as a fallback on all DCs. It is not needed if you have reliable forwarders (i.e. not from one ISP).
    There is not much security impact from opening port 53 from your server towards the internet. The reverse route should be closed (unless you want to host a public zone, but in that case you will have to do more than this for a design ;) )
    MCP/MCSA/MCTS/MCITP
