DNS Forwarders vs. Root Hints in Windows Server

A Windows DNS server, like any DNS server, provides authoritative answers to queries for records in the zones stored in the server’s DNS database. It often must answer queries for records not in any of its zones, though. A DNS server in a network connected to the internet must provide a way for other machines on the network to resolve internet hostnames to IP addresses, for example. Responses to queries of this sort are non-authoritative responses, because the server must obtain the requested data from a source other than its own DNS database. The nslookup tool indicates when a response is non-authoritative, as shown below:

There are two ways to configure a Windows DNS server to provide non-authoritative responses: forwarders and root hints. These are both lists of servers that are used to resolve queries that the local DNS server can’t resolve on its own, and both provide the same functionality from the perspective of a client. They do so in different ways, however:

  • Root hints use iterative queries. When the local DNS server can’t resolve a query using its cache or database, it sends a query to one of the root DNS servers on the internet. The root server will respond with a referral, which contains the addresses of the DNS servers authoritative for the top-level domain (such as .com or .net) in the original query. The local server then queries one of the servers in the referral, which will respond with another referral, this time to the servers authoritative for the second-level domain (dell.com, for example) in the original query. This query/referral process continues until a server is reached that is authoritative for the fully qualified domain name (FQDN) in the original query. It will return an authoritative positive or negative response – a response which either contains the record sought by the original query or indicates that it doesn’t exist – and the local server will send that response to the querying client.
  • Forwarders, on the other hand, use recursive queries. If forwarders are configured, when the local DNS server can’t resolve a query, it sends a recursive query to one of the forwarders in its list. This type of query tells the forwarder that the local server will accept either a positive or negative response, but not a referral. Essentially, the forwarder does the work of tracking down the record in the query, which may involve the referral process above, and the local server simply waits for the response, which it then sends to the querying client.

To configure forwarders or root hints on a Windows DNS server, follow this procedure:

  1. Open the DNS Management console.
  2. Right-click the DNS server in the left pane and select Properties.
  3. To configure forwarders, select the Forwarders tab of the properties window:

To configure root hints, select the Root Hints tab of the properties window:

Note: Forwarders must be manually configured, but root hints are present by default on a Windows DNS server. The root hints list can be manually modified, however.

The decision to use root hints or forwarders for external resolution is often a matter of preference, but there are a few things to keep in mind:

  • When configuring forwarders, be sure to add at least two servers to the list. If only a single forwarder is present in the list and that forwarder becomes unreachable, the local server will not be able to resolve external names at all.
  • Properly configured forwarders often provide quicker responses than root hints, but the difference is usually only a matter of milliseconds.
  • Although the root hints list will typically contain only thirteen entries (a.root-servers.net through m.root-servers.net), each of those entries is highly redundant. There are 376 geographically distributed root DNS servers as of this writing.
  • Forwarders are not stored in Active Directory. This is important, since DNS servers in an AD domain are typically domain controllers (DCs). Forwarders configured on one DC will not replicate to other DCs; they must be manually configured on each DC which is also a DNS server.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s