DNS Server – How to Make Localnetpriority/Netmask Ordering Work on Windows

active-directory, domain-name-system, localhost

We are utilizing Windows 2016+ DNS servers. We rely on LocalNetPriority on our DNS servers. We have several Active Directory DNS servers across multiple sites. The expected behavior is that when a particular query is made to the DNS server, it will return an IP address that is in the same subnet as the query originated, if multiple A records exist for the same host. This works fine in most cases.

However, for requests originating from the DNS server itself, it does not work. First, the DNS server (or Active Directory), by default, configures its network interface to use itself as the DNS server of choice via localhost (127.0.0.1 and ::1). This causes the LocalNetPriority selection to fail as the originating IP address is not in one of our subnets.

Second, the server is preferring IPv6 over IPv4. We don't use IPv6 but also don't want to disable it as it has clearly caused problems in the past in different scenarios, and Microsoft claims it is mandatory and does not support or recommend disabling it. Using IPv6 is out of the question.

Finally, this has to work when there are network interruptions. This specific requirement demands that localnetpriority work properly when the satellite location is severed from the rest of the network. Therefore, using peer DNS resolvers as the primary server does not fulfill this requirement alone.

It seems like setting IPv4 to be the priority over IPv6, and configuring the server's actual IP address as the DNS server of choice, may be the only solution. However, I learned a long time ago that using 127.0.0.1 is the best choice because during a reboot or if a network cable is unplugged, Active Directory can completely fall apart.

What am I missing? Is there a more direct way to solve this problem? Maybe I should just add a HOSTS file entry for the specific host that we're having trouble with.

Best Answer

To solve this issue, I had to consider several things:

  • IPv6 link-local addressing is enabled regardless of whether we use IPv6 or not. So every server / host is going to have an IPv6 address and use IPv6 if it can.
  • Promoting a server to a Domain Controller w/DNS adds "localhost" as a DNS server on the local network interface for both IPv4 and IPv6. This is an MS best practice.
  • We cannot disable IPv6 as this is unsupported by Microsoft.
  • Windows prefers IPv6 over IPv4 so any configured IPv6 DNS server will take priority.
  • In a multi-DC environment, servers should refer to a peer as the primary DNS, and to themselves in secondary, tertiary, etc.
  • I need localnetpriority to work even when other DNS servers / sites are unavailable.
  • When a Windows DNS server queries itself, if it uses "localhost" to do so, it will break localnetpriority.
  • The MS Best Practice Analyzer provides useful insight into DNS server configuration problems, and will complain about improperly configured DNS settings on the network interface.

After all of this, I found the best solution is to change the DNS server settings on the network interface, and make no other changes to anything in Windows. To address all the above concerns I:

  • Removed the "localhost" DNS server configured in IPv6. There are NO IPv6 DNS servers configured now.
  • I reconfigured the IPv4 DNS server listing as follows:
    1. Primary: <Peer DNS Server IP>
    2. Secondary: <IPv4 address of this DNS server>
    3. Tertiary: 127.0.0.1 (Localhost)

Any related complaints from BPA have been solved. Localnetpriority works when the network is fully functional, and when the site is severed due to a network failure. And, AD will still function normally, even if the local network cable is unplugged, or some other network interface issue occurs.

The end result answers the question, "How to make localnetpriority work when the DNS server queries itself?", with a secondary requirement that I don't break anything else.
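The interface change described in the answer, written out as an added PowerShell example (not part of the original answer): it clears the IPv6 DNS server list, sets the IPv4 list to peer, self, 127.0.0.1, then verifies the LocalNetPriority setting and the answer ordering by querying the server through its own IPv4 address rather than localhost. The interface alias "Ethernet", the peer address 10.1.0.10, and the test host name are assumptions; substitute your own.

```powershell
# Assumptions (placeholders, not from the original answer):
$Alias   = "Ethernet"      # interface that carries the DC's site IPv4 address
$PeerDns = "10.1.0.10"     # IPv4 address of a peer DC/DNS server
$TestFqdn = "app.corp.example"  # host with A records in several subnets

# IPv4 address of this DNS server on the chosen interface.
$SelfIPv4 = (Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 |
    Where-Object { $_.PrefixOrigin -ne "WellKnown" } |
    Select-Object -First 1).IPAddress

# 1. Remove every IPv6 DNS server (including ::1) from the interface so
#    Windows cannot prefer a localhost-sourced IPv6 query.
Set-DnsClientServerAddress -InterfaceAlias $Alias -AddressFamily IPv6 -ResetServerAddresses

# 2. IPv4 order: peer first, this server's real IPv4 second, localhost last
#    (localhost stays so AD keeps working with the cable unplugged).
Set-DnsClientServerAddress -InterfaceAlias $Alias -AddressFamily IPv4 `
    -ServerAddresses @($PeerDns, $SelfIPv4, "127.0.0.1")

# Show the resulting per-family lists for a visual check.
Get-DnsClientServerAddress -InterfaceAlias $Alias |
    Select-Object InterfaceAlias, AddressFamily, ServerAddresses

# 3. Confirm netmask ordering is enabled on the local DNS service.
$setting = Get-DnsServerSetting -All
"LocalNetPriority enabled: $($setting.LocalNetPriority)"

# 4. Query through the real IPv4 address: the source address is now in a
#    site subnet, so the first A record returned should be the local one.
#    Compare against the same query sent via 127.0.0.1, which is not.
Resolve-DnsName -Name $TestFqdn -Type A -Server $SelfIPv4  | Select-Object Name, IPAddress
Resolve-DnsName -Name $TestFqdn -Type A -Server 127.0.0.1  | Select-Object Name, IPAddress
```

Run from an elevated PowerShell session on the DNS server itself; the two Resolve-DnsName calls make the difference in ordering visible without changing anything else.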