Back to basics - Root Hints vs Forwarders

[earlyriser]

Hi all. I'm wondering if there is a 'best practice' with regards to DNS Forwarders and Root hints in general? I'll describe my situation and perhaps it'll make it clearer what I'm looking for.

We have an AD domain, Server 2008 R2 native. 2 DC's handling DHCP and DNS. On those 2 DNS Servers, I have forwarders setup for our 'schoolzone' ISP's DNS servers, so obviously any DNS queries that are outside of my AD get forwarded to those DNS servers. This all works fine and as expected.

Recently however, I have introduced a second DSL router onto the network, to separate the traffic from our 'admin' side of the school from the 'teaching and learning' side of things. I'm using DHCP reservations to dish out IP addresses to my admin PCs, and DHCP option 003 to specify the new DSL router as the router. I have added forwarders for the DSL's ISP to the internal DNS servers also.

The result is that although internet access for the admin PCs is working, it is very slow. I think this is due to the fact that the 'SchoolZone' DNS servers are private only to traffic from within the SchoolZone network. i.e from our SchoolZone router. So what happens is:

- admin PC requests DNS resolution for an internet address
- Internal DNS servers cannot service the request, so they forward the request to the schoolzone DNS servers first
- traffic is going out through the normal DSL router, so cannot connect to the schoolzone DNS
- Attempts this twice (once for each SchoolZone DNS), fails
- Finally gets to the third DNS forwarder in the list which resolves the address and the page loads

So my question is should I perhaps remove the forwarders from my DNS servers and rely on root hints only? Or would this be worse? Or should I be configuring things differently? I don't currently have the option to setup VLANs etc.

Hope this makes sense. Thanks

[Jamman960]

I'd either go along the root hints route or use one of the public DNS servers such as Google DNS or OpenDNS(which can also do some basic content filtering) rather than SchoolZone

[earlyriser]

I'd either go along the root hints route or use one of the public DNS servers such as Google DNS or OpenDNS(which can also do some basic content filtering) rather than SchoolZone

Thanks. I have just tried using root hints only and also removing the schoolzone and telecom DNS addresses as forwarders, and using the google dns servers instead. Both things failed for some reason. On both occasions, the machines that are routed out via the schoolzone connection continued to function on the internet, but my admin pc's could not resolve any external addresses. My internal DNS servers were also unable to resolve any external addresses in the DNS console. Now I'm confused.