We are utilizing Windows 2016+ DNS servers. We rely on LocalNetPriority on our DNS servers. We have several Active Directory DNS servers across multiple sites. The expected behavior is that when a particular query is made to the DNS server, it will return an IP address that is in the same subnet as the query originated, if multiple A records exist for the same host. This works fine in most cases.
However, for requests originating from the DNS server itself, it does not work. First, the DNS server (or Active Directory), by default, configures its network interface to use itself as the DNS server of choice via localhost (127.0.0.1 and ::1). This causes the LocalNetPriority selection to fail as the originating IP address is not in one of our subnets.
Second, the server is preferring IPv6 over IPv4. We don't use IPv6 but also don't want to disable it as it has clearly caused problems in the past in different scenarios, and Microsoft claims it is mandatory and does not support or recommend disabling it. Using IPv6 is out of the question.
Finally, this has to work when there are network interruptions. This specific requirement demands that localnetpriority work properly when the satellite location is severed from the rest of the network. Therefore, using peer DNS resolvers as the primary server does not fulfill this requirement alone.
It seems like setting IPv4 to be the priority over IPv6, and configuring the server's actual IP address as the DNS server of choice, may be the only solution. However, I learned a long time ago that using 127.0.0.1 is the best choice because during a reboot or if a network cable is unplugged, Active Directory can completely fall apart.
What am I missing? Is there a more direct way to solve this problem? Maybe I should just add a HOSTS file entry for the specific host that we're having trouble with.
For a DNS server's resolver, configure a different DNS server's IP address first, this DNS server's IP address second, and localhost IP third.
Even when the DNS service is restarting, it still can resolve from the remote server. Also when using AD DS, a different host first is less likely to cause replication problems.
Yes, preferring IPv6 is standard behavior, and Microsoft does not test disabling IPv6. If you do not use IPv6, do not assign IPv6 addresses to hosts. This includes ensuring that routers do not send IPv6 RAs. If there only are A records for a name and not AAAA, hosts resolve and use IPv4, no further configuration required.
To solve this issue, I had to consider several things:
After all of this, I found the best solution is to change the DNS server settings on the network interface, and make no other changes to anything in Windows. To address all the above concerns I:
1. <Peer DNS Server IP>
2. <IPv4 address of this DNS server>
3. 127.0.0.1 (Localhost)

Any related complaints from BPA have been solved. Localnetpriority works when the network is fully functional, and when the site is severed due to a network failure. And, AD will still function normally, even if the local network cable is unplugged, or some other network interface issue occurs.
The end result answers the question, "How to make localnetpriority work when the DNS server queries itself?" With a secondary requirement that I don't break anything else.
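The resolver order from the answer above, applied with PowerShell as an added example (not code from the original post); the interface alias and the peer DNS server address are placeholders, and it assumes the built-in DnsClient and DnsServer modules on a Windows 2016+ DNS server.

```powershell
# Added example: set the NIC's resolver list to peer -> own IPv4 -> loopback, then
# confirm the DNS Server service still has LocalNetPriority enabled.
$InterfaceAlias = 'Ethernet'      # assumption: adjust to the real NIC alias
$PeerDnsServer  = '192.0.2.10'    # placeholder: IPv4 of a DNS server at another site

# Find this server's own routable IPv4 address on that interface (skip APIPA).
$OwnIPv4 = (Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
            Where-Object { $_.IPAddress -notlike '169.254.*' } |
            Select-Object -First 1).IPAddress
if (-not $OwnIPv4) { throw "No IPv4 address found on interface '$InterfaceAlias'" }

# Order matters: a peer first so resolution survives a local service restart,
# this server's real IPv4 second so LocalNetPriority sees an in-subnet source,
# loopback last so AD keeps working when the cable is unplugged.
$ResolverOrder = @($PeerDnsServer, $OwnIPv4, '127.0.0.1')
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $ResolverOrder

# Show the resulting IPv4 resolver list for review.
Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
    Select-Object -ExpandProperty ServerAddresses

# LocalNetPriority must be on for subnet-ordered answers; warn if it is not.
$DnsSettings = Get-DnsServerSetting -All
if (-not $DnsSettings.LocalNetPriority) {
    Write-Warning 'LocalNetPriority is disabled; enable it with: dnscmd /Config /LocalNetPriority 1'
}
```

Run it in an elevated session on the DNS server itself, then query a multi-homed name with Resolve-DnsName from the server to confirm the in-subnet address is returned first.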