Using forwarders

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Using forwarders

To use forwarders to manage the DNS traffic between your network and the Internet, configure the firewall used by your network to allow only one DNS server to communicate with the Internet. When you have configured the other DNS servers in your network to forward queries they cannot resolve locally to that DNS server it will act as your forwarder. For more information about forwarders, see Understanding forwarders.

Forwarding sequence

The order of the IP addresses listed as forwarders on a DNS server determines the sequence in which the IP addresses are used. After the DNS server forwards the query to the forwarder with the first IP address, it waits a short period for an answer from that forwarder (according to the DNS server's time out setting) before resuming the forwarding operation with the next IP address. It continues this process until it receives an affirmative answer from a forwarder.

For example, in the following figure the DNS servers with the first and second forwarder IP addresses do not respond to the DNS server. The DNS server with the third forwarder IP address responds and the query is forwarded to that DNS server.

Outsourced VPN remote access

Unlike conventional resolution, where a roundtrip time (RTT) is associated with each server, the IP addresses in the forwarders list are not ordered according to roundtrip time and must be reordered manually to change preference.

Conditional forwarders

Conditional forwarders are DNS servers that only forward queries for specific domain names. Instead of forwarding all queries it cannot resolve locally to a forwarder, a conditional forwarder is configured to forward a query to specific forwarders based on the domain name contained in the query. Forwarding according to domain names improves conventional forwarding by adding a name-based condition to the forwarding process.

The conditional forwarder setting for a DNS server consists of the following:

  • The domain names for which the DNS server will forward queries.

  • One or more DNS server IP addresses for each domain name specified.

When a DNS client or server performs a query operation against a DNS server, the DNS server looks to see if the query can be resolved using its own zone data or the data stored in its cache. If the DNS server is configured to forward for the domain name designated in the query, then the query is forwarded to the IP address of a forwarder associated with the domain name. For example, in the following figure, each of the queries for the domain names is forwarded to a DNS server associated with the domain name.

Dial-up and VPN remote access

If the DNS server has no forwarder listed for the name designated in the query, it can attempt to resolve the query using standard recursion. For more information, see Configure a DNS server to use forwarders and How DNS query works.

Conditional forwarders allow you to improve name resolution between internal (private) DNS namespaces that are not part of the DNS namespace of the Internet, such as results from a company merger. By configuring the DNS servers in one internal namespace to forward all queries to the authoritative DNS servers in a second internal namespace, conditional forwarders enable name resolution between the two namespaces without performing recursion on the DNS namespace of the Internet. This enhancement to name resolution also avoids having your DNS servers perform recursion to your internal root for different namespaces within your network.

Important

  • A DNS server cannot forward queries for the domain names in the zones it hosts. For example, the authoritative DNS server for the zone microsoft.com cannot forward queries according to the domain name microsoft.com. The DNS server authoritative for microsoft.com can forward queries for DNS names that end with example.microsoft.com, if example.microsoft.com is delegated to another DNS server.

Conditional forwarder domain name length

When a DNS server configured with a conditional forwarder receives a query for a domain name, it will compare that domain name with its list of domain name conditions and use the longest domain name condition that corresponds to the domain name in the query. For example, in the figure below, the DNS server performs the following conditional forwarding logic to determine how a query for a domain name will be forwarded:

  1. The DNS server receives a query for networks.example.microsoft.com.

  2. It compares that domain name with both microsoft.com and example.microsoft.com.

  3. The DNS server determines that example.microsoft.com is the domain name that more closely matches the domain name query.

  4. The DNS server forwards the query to the DNS server with the IP address 172.31.255.255, which is associated with example.microsoft.com.

Ethernet switch access

Forward-only servers

When a DNS server configured to use forwarders cannot resolve a query locally, or using its forwarders, the server attempts to resolve the query using standard recursion. A DNS server can also be configured to not perform recursion after forwarders fail. In this configuration, the server does not attempt any further recursive queries to resolve the name. Instead, if it does not get a successful query response from any of the servers configured as forwarders, then it fails the query. A DNS server configured in this manner is called a forward-only DNS server. If all forwarders for a name in the query do not respond to a forward-only DNS server, that DNS server will not attempt recursion.

A forward-only DNS server is different from a nonrecursive DNS server because it builds up a cache relating to the domain name and will use this cache to attempt to resolve the domain name. A nonrecursive DNS server will not build up a cache relating to the domain, nor will it perform recursion. In both configurations, the DNS servers will attempt to resolve the query using their authoritative data before using their forwarders.

Note

  • You can disable recursion for the entire DNS server or on a per domain name basis. If you disable recursion on the entire DNS server, you will not be able to use forwarders on that DNS server.

For more information, see Directing queries through forwarders and Disable recursion on the DNS server.