DNS forwarding changes the way a DNS server resolves queries it cannot answer itself. If you designate one server at your site as the DNS forwarder, all off-site queries are sent to that forwarder first. For more information about DNS, check the definition of DNS here.
In earlier versions of the Microsoft DNS Server, forwarding applied to every query that could not be resolved locally: all such queries were sent to the same set of DNS forwarders. In Windows 2003 you can instead use conditional forwarders, chosen by the domain name of the query.
DNS forwarders are essential in large organizations with many sites and domains. Before looking at DNS forwarding itself, the concept of a default gateway needs to be understood, because forwarding follows the same idea. For more detail about DNS settings, check this link.
Understanding Default Gateways
If a TCP/IP host needs to communicate with a host on another network, it usually does so through a router. Routers contain multiple interfaces connected to separate networks, and routing is the process of receiving IP packets at one interface and sending these packets out another interface toward a final destination. For a given host on a TCP/IP network, the default gateway is the IP address of a router, within broadcast range, that is configured to forward IP traffic to other networks. DNS forwarding uses the same concept as the default gateway.
When a computer attempts to communicate with another host on an IP network, the computer uses the subnet mask to determine whether the destination host is local or remote. If the destination is a host on the local network segment, the computer simply sends the packet on the local network by means of a broadcast. If, however, the destination is a remote host, the computer forwards the packet to the default gateway defined in its TCP/IP properties. The router specified at the default gateway address is then responsible for forwarding the packet to the correct network. In large organizations, DNS forwarders can likewise be set conditionally, depending on the domain name of the query.
Configuring DNS Server Properties
Once you have installed a DNS server, you might need to modify its default settings to suit your network needs. DNS settings can be configured through the server properties dialog box in the DNS console. The settings you configure in this properties dialog box do not apply to a particular zone but to the server in general. You can also manage DNS with command line tools, which is faster and works remotely.
Building a Large Site-wide Cache with DNS Forwarders
As a network administrator, you might not want to send large volumes of traffic off-site, for example because the network connection is a slow, high-delay link such as a remote office’s satellite connection to the company network. You can manage that DNS traffic by setting up DNS forwarding and, if necessary, forward conditionally, a new feature in Windows 2003. A name server that receives queries forwarded from other name servers is called a forwarder.
If you designate one or more servers at your site as forwarders, all off-site queries are sent to the forwarders first. The idea is that the forwarders handle all off-site queries generated at the site, building up a rich cache of information. For any given query for a remote domain, there is a high probability that the forwarder can answer the query from its cache, avoiding the need for the other servers to send packets off-site.
A primary or secondary name server’s mode of operation changes slightly when it is directed to use a DNS forwarder. If the requested information is already in its database of authoritative data and cache data, it answers with this information; this part of the operation hasn’t changed. However, if the information is not in its database, the name server sends the query to its configured forwarders and waits a short period for an answer before resuming normal operation and contacting the remote servers itself. What the name server is doing that’s different is sending a recursive query to the DNS forwarder, expecting it to find the answer. At all other times, the name server sends out non-recursive queries to other name servers and deals with responses that refer only to other name servers.
Microsoft has introduced a new feature called conditional forwarding that makes DNS forwarding even more flexible under Windows Server 2003. In prior versions of the Microsoft DNS Server, all queries that couldn’t be resolved locally were sent to the same set of forwarders. Using conditional forwarding, you can configure the DNS server to use a different set of forwarders depending on the domain name of the query.
Conditional forwarding is most useful in large networks or networks with a restrictive security policy that limits Internet connectivity to certain hosts. For example, consider a large network where, as in most networks, the name servers need to know how to resolve both internal and external names.
DNS forwarding is configured on the Forwarders tab of the server properties window. Remember that forwarding is configured on every name server except the forwarders themselves.

Configuring DNS Forwarders
To enable DNS forwarding, you need to specify DNS forwarders for a specific domain or the default of All other DNS domains. The default applies when no other configured domain matches. You can specify up to six forwarders for each domain. The name server forwards to them in the order in which they’re listed, using a default timeout of five seconds per forwarder; that is, if the first forwarder doesn’t respond within five seconds, try the next, wait five more seconds, try the next, and so on. The forwarding timeout can be changed with the Number of seconds before forward queries time out field.
When you use DNS forwarders, try to keep your site configuration simple. Otherwise, you can end up with configurations that are really twisted. Follow these tips:
- Avoid having “midlevel” servers forward packets (that is, avoid configuring forwarding on your midlevel name servers). Midlevel servers mostly refer name servers to sub-domain name servers. If they have been configured to forward packets, do they refer to sub-domain name servers, or do they contact the sub-domain name server to find out the answer? Whichever way it works, you’re probably making your site configuration too hard for mere mortals (and sub-domain administrators) to understand.
- Avoid chaining your forwarders. Don’t configure server a to forward to server b, and configure server b to forward to server c (or worse yet, back to server a).
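The chaining tip above is easy to check mechanically once you know which server forwards to which. The following is an added example, not code from the original article: it takes a map of name server IP to configured forwarder IPs and reports every forwarder that is itself a forwarding server, walking the chain until it ends at a server that does not forward (a chain) or returns to a server already visited (a loop). The sample map and all addresses are constructed; the commented lines at the end show how the same map could be built from live servers with Get-DnsServerForwarder, which assumes the DnsServer PowerShell module (Windows Server 2012 or later; the Windows 2003 console described here has no such cmdlet).

```powershell
# Added example: audit DNS forwarder chains and loops (not from the original article).

function Find-ForwarderChains {
    param(
        # Hashtable: name server IP -> array of forwarder IPs configured on that server.
        [Parameter(Mandatory)] [hashtable] $ForwarderMap
    )
    $findings = @()
    foreach ($server in $ForwarderMap.Keys) {
        foreach ($fwd in $ForwarderMap[$server]) {
            # A forwarder that does not forward anywhere itself is the intended design: skip it.
            if (-not ($ForwarderMap.ContainsKey($fwd) -and $ForwarderMap[$fwd].Count -gt 0)) { continue }

            # Follow the first-listed forwarder at each hop until the chain ends
            # at a non-forwarding server (chain) or revisits a server (loop).
            $path = @($server, $fwd)
            $next = $fwd
            $kind = 'chain'
            while ($ForwarderMap.ContainsKey($next) -and $ForwarderMap[$next].Count -gt 0) {
                $next = $ForwarderMap[$next][0]
                if ($path -contains $next) { $kind = 'loop'; $path += $next; break }
                $path += $next
            }
            $findings += [pscustomobject]@{
                Server  = $server
                Problem = $kind
                Path    = ($path -join ' -> ')
            }
        }
    }
    return $findings
}

# Constructed sample (placeholder addresses): a -> b -> c -> a is the "worse yet" case from the tip.
$sample = @{
    '10.0.0.1'   = @('10.0.0.2')     # server a forwards to b
    '10.0.0.2'   = @('10.0.0.3')     # server b forwards to c
    '10.0.0.3'   = @('10.0.0.1')     # server c forwards back to a: loop
    '10.0.0.4'   = @('192.0.2.53')   # forwards straight to the site forwarder: fine
    '192.0.2.53' = @()               # the designated forwarder does not forward
}
Find-ForwarderChains -ForwarderMap $sample | Format-Table -AutoSize

# Building the map from live servers instead (assumes the DnsServer module and remote access):
# $live = @{}
# foreach ($ip in '10.0.0.1', '10.0.0.2', '10.0.0.3', '10.0.0.4') {
#     $live[$ip] = @((Get-DnsServerForwarder -ComputerName $ip).IPAddress |
#                    ForEach-Object { $_.IPAddressToString })
# }
# Find-ForwarderChains -ForwarderMap $live
```

On the sample map, servers 10.0.0.1, 10.0.0.2 and 10.0.0.3 are each reported with Problem = loop and the full path back to themselves, while 10.0.0.4 produces no finding because its forwarder is a server that forwards nowhere. Any finding at all, chain or loop, is a configuration to untangle, since every extra hop adds a timeout and a server to depend on.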
A More Restricted Forwarding Name Server
You may want to restrict your name servers even further—stopping them from even trying to contact an off-site server if their forwarder is down or doesn’t respond. You can do this by telling the server not to fall back to using the recursive resolution process if no forwarders respond: check the Do not use recursion for this domain box on the Forwarders configuration tab. The terminology is confusing: this checkbox has nothing to do with the kind of query being sent to the forwarders. As we said earlier, a name server that’s forwarding always sends a recursive query to its forwarders. What this checkbox determines is what happens after that recursive query is sent. The BIND name server configuration syntax calls this kind of forwarding name server a forward-only server, which we think is a good name.
A forward-only server is a variation on a server that forwards. It still answers queries from its authoritative data and cache data. However, it relies completely on its forwarders; it doesn’t try to contact other servers for information if the forwarders don’t give it an answer.
However, you must ask yourself if it ever makes sense to use a forward-only server. Such a server is completely dependent on the forwarders. You can achieve much the same configuration (and dependence) by not running a forward-only server at all; instead, configure your hosts’ resolvers to point to the forwarders you were using. Thus, you are still relying on the forwarders, but now your applications are querying the forwarders directly instead of having a forward-only name server query them for the applications. You lose the local caching the forward-only server would do, but you reduce the overall complexity of your site configuration by running fewer “restricted” name servers.
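The settings described under Configuring DNS Forwarders (the All other DNS domains list, a per-domain list, the forward timeout) and the Do not use recursion for this domain checkbox above all have command line equivalents on later Windows Server releases. The block below is an added example, not code from the original article: it assumes the DnsServer PowerShell module (Windows Server 2012 or later, run on the DNS server itself), and all IP addresses and the partner.example zone name are placeholders. The parameter names map onto the Windows 2003 checkboxes as stated in the comments; on those newer releases the forward-only option appears as the inverse setting, use root hints if no forwarders are available.

```powershell
# Added example: the Forwarders tab as PowerShell (not from the original article).
# Requires the DnsServer module; addresses and zone name are placeholders.

# "All other DNS domains": the default forwarder list, tried in the order listed.
Add-DnsServerForwarder -IPAddress 192.0.2.53, 192.0.2.54 -PassThru

# "Number of seconds before forward queries time out": wait per forwarder (default 5).
Set-DnsServerForwarder -Timeout 5

# Conditional forwarder: queries for partner.example go to a different set of servers,
# with its own per-forwarder timeout.
Add-DnsServerConditionalForwarderZone -Name 'partner.example' `
    -MasterServers 198.51.100.53, 198.51.100.54 -ForwarderTimeout 5 -PassThru

# "Do not use recursion for this domain" (forward-only) for the default list:
# with UseRootHint off, the server never falls back to resolving via root hints
# when no forwarder answers.
Set-DnsServerForwarder -UseRootHint $false

# The same restriction on the conditional forwarder zone (assumed parameter: UseRecursion).
Set-DnsServerConditionalForwarderZone -Name 'partner.example' -UseRecursion $false

# Confirm what is now in effect.
Get-DnsServerForwarder | Select-Object IPAddress, Timeout, UseRootHint
Get-DnsServerZone -Name 'partner.example' | Select-Object ZoneName, ZoneType, MasterServers

# Query the server itself: a forward-only server answers only from cache or via the
# forwarders, so with the forwarders unreachable this times out instead of succeeding.
Resolve-DnsName -Name www.example.com -Server 127.0.0.1 -DnsOnly
```

Leave UseRootHint at its default of true unless you have decided, per the discussion above, that a forward-only server is really what you want; with it off, an outage of the forwarders is an outage of all off-site resolution for every client of this server.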