Conditional Forwarder

Conditional forwarders are useful when DNS queries for certain domains must be redirected by a local DNS server to other known DNS servers, typically servers authoritative for the domain in the query. Because a conditional forwarder overrides the server's normal resolution path for that domain, the servers it points to are trusted for every answer in that namespace, so only point one at servers you control or have a reason to trust. The process of creating a conditional forwarder depends on the version of Windows running on the DNS server on which it is created.

To create a conditional forwarder in Windows Server 2003:

  1. Open the DNS Management console.
  2. Right-click the DNS server’s name in the left pane and select Properties.
  3. Select the Forwarders tab of the properties window.
  4. Click the New button in the DNS Domain section.
  5. Type the name of the domain for which the forwarder is being created.
  6. With that domain selected, enter the IP addresses of the servers to which queries should be sent in the Selected domain’s forwarder IP address list field, clicking Add after each one. The result should look similar to the following:
  7. Click OK to close the properties window.


To create a conditional forwarder in Windows Server 2008, 2008 R2, or 2012:

  1. Open the DNS Management console.
  2. Right-click Conditional Forwarders in the left pane and select New Conditional Forwarder.
  3. Type the name of the domain for which the forwarder is being created in the DNS Domain field.
  4. Type the fully qualified domain names (FQDNs) or IP addresses of the servers to which queries should be sent in the IP addresses of the master servers field. If DNS is functioning properly and the appropriate records exist, typing the FQDN of a server should cause the wizard to resolve its IP address and vice versa.
    Note: Validation may fail with the error “The server with this IP address is not authoritative for the required zone.” Ignore this error only if you have confirmed that the server is authoritative for the given zone (for example, by querying it directly for the zone’s SOA record).
  5. If desired, select the Store this conditional forwarder in Active Directory, and replicate it as follows checkbox, then select a replication scheme from the dropdown list. The result should look similar to the following:
  6. Click OK to close the New Conditional Forwarder wizard.
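The same conditional forwarder can be created from the DnsServer PowerShell module (Windows Server 2012 and later) instead of the wizard. The following is an added example, not code from the original article; the domain name, server addresses and replication scope are assumed placeholders. It also performs the SOA check that the wizard's validation step attempts, so the "not authoritative" warning can be confirmed or ruled out before the forwarder is trusted.

```powershell
# Added example (not from the original article): create a conditional forwarder
# with the DnsServer module and verify the target servers. Names and addresses
# below are assumed placeholders.
Import-Module DnsServer

$forwardDomain = 'corp.example.com'                       # assumed: domain to forward
$targets       = @('10.20.0.10', 'ns2.corp.example.com')  # assumed: one IP, one FQDN

# The wizard resolves FQDNs to IPs for you, but -MasterServers accepts only IP
# addresses, so resolve any names here and stop if one does not resolve.
$masterIps = $targets | ForEach-Object {
    if ($_ -as [ipaddress]) {
        [ipaddress]$_
    } else {
        $rec = Resolve-DnsName -Name $_ -Type A -DnsOnly -ErrorAction Stop |
               Where-Object Type -eq 'A' | Select-Object -First 1
        [ipaddress]$rec.IPAddress
    }
}

# Store the forwarder in AD and replicate it forest-wide (equivalent to the
# checkbox and dropdown in step 5). Use -ReplicationScope 'Domain' to limit it
# to DNS servers in this domain, or omit the parameter for a local-only entry.
Add-DnsServerConditionalForwarderZone -Name $forwardDomain `
    -MasterServers $masterIps -ReplicationScope 'Forest' -PassThru

# Same check the wizard performs: each master server should answer an SOA
# query for the zone from its own data (no recursion). A server that cannot
# will still be used for forwarding, so treat a warning here as a real finding.
foreach ($ip in $masterIps) {
    $soa = Resolve-DnsName -Name $forwardDomain -Type SOA -Server $ip `
               -NoRecursion -DnsOnly -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SOA' -and $_.Section -eq 'Answer' }
    if ($soa) { "$ip is authoritative for $forwardDomain (SOA serial $($soa.SerialNumber))" }
    else      { Write-Warning "$ip did not return an SOA for $forwardDomain; confirm it is authoritative before relying on it" }
}

# Show the resulting zone object and confirm the local server now resolves the
# domain through the forwarder.
Get-DnsServerZone -Name $forwardDomain |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, MasterServers
Resolve-DnsName -Name $forwardDomain -Type SOA -Server $env:COMPUTERNAME -DnsOnly
```

Remove-DnsServerZone -Name $forwardDomain -Force deletes the forwarder again if the check fails and you need to back it out.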

DNS Forwarders vs. Root Hints in Windows Server

A Windows DNS server, like any DNS server, provides authoritative answers to queries for records in the zones stored in the server’s DNS database. It often must answer queries for records not in any of its zones, though. A DNS server in a network connected to the internet must provide a way for other machines on the network to resolve internet hostnames to IP addresses, for example. Responses to queries of this sort are non-authoritative responses, because the server must obtain the requested data from a source other than its own DNS database. The nslookup tool marks such a response with the heading “Non-authoritative answer:”, as shown below:

There are two ways to configure a Windows DNS server to provide non-authoritative responses: forwarders and root hints. These are both lists of servers that are used to resolve queries that the local DNS server can’t resolve on its own, and both provide the same functionality from the perspective of a client. They do so in different ways, however:

  • Root hints use iterative queries. When the local DNS server can’t resolve a query using its cache or database, it sends a query to one of the root DNS servers on the internet. The root server responds with a referral, which contains the names and addresses of the DNS servers authoritative for the top-level domain (such as .com or .net) in the original query. The local server then queries one of the servers in the referral, which responds with another referral, this time to the servers authoritative for the second-level domain (dell.com, for example) in the original query. This query/referral process continues until a server is reached that is authoritative for the zone containing the fully qualified domain name (FQDN) in the original query. That server returns an authoritative positive or negative response – a response which either contains the record sought by the original query or indicates that it doesn’t exist – and the local server caches the result and sends it to the querying client.
  • Forwarders, on the other hand, use recursive queries. If forwarders are configured, when the local DNS server can’t resolve a query, it sends a recursive query to one of the forwarders in its list. This type of query tells the forwarder that the local server will accept either a positive or negative response, but not a referral. Essentially, the forwarder does the work of tracking down the record in the query, which may involve the referral process above, and the local server simply waits for the response, which it then sends to the querying client. This means a forwarder must itself have recursion enabled, and it is fully trusted for every answer it returns, so the forwarder list should contain only resolvers you control or trust.
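The referral chain described above can be walked by hand from a Windows machine, which makes the difference between the two methods concrete. The following is an added example, not code from the original article: it uses Resolve-DnsName with -NoRecursion, so each server answers only from its own data and hands back a referral instead of resolving on our behalf, exactly as a server using root hints experiences it. The starting address is a.root-servers.net; the name being resolved is an assumed placeholder, and a live internet connection is required.

```powershell
# Added example (not from the original article): iterative resolution starting
# from a root server, the path a DNS server takes when it relies on root hints.
# 'www.example.com' is an assumed placeholder name.
$name   = 'www.example.com'
$server = '198.41.0.4'      # a.root-servers.net, first entry in the default root hints
$hop    = 0

while ($hop -lt 15) {       # guard against referral loops
    $hop++
    try {
        # -NoRecursion: ask only for what this server knows itself.
        $rr = Resolve-DnsName -Name $name -Type A -Server $server `
                  -NoRecursion -DnsOnly -ErrorAction Stop
    } catch {
        # An authoritative negative response (name does not exist) surfaces here.
        "Hop ${hop}: $server returned a negative response: $($_.Exception.Message)"
        break
    }

    # Records in the Answer section mean we reached a server that holds the
    # zone (root and TLD servers do not cache, so they never answer directly).
    $answer = $rr | Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq 'A' }
    if ($answer) {
        "Hop ${hop}: $server answered: $($answer.IPAddress -join ', ')"
        break
    }

    # Otherwise the Authority section carries NS records for the next zone down:
    # first the TLD (com.), then the second-level domain (example.com.), and so on.
    $ns = @($rr | Where-Object { $_.Section -eq 'Authority' -and $_.Type -eq 'NS' })
    if ($ns.Count -eq 0) {
        Write-Warning "Hop ${hop}: $server returned neither an answer nor a referral"
        break
    }
    $zone = $ns[0].Name
    $next = $ns[0].NameHost

    # Referrals usually include glue (the name server's A record) in the
    # Additional section; fall back to the system resolver if it is missing.
    $glue = @($rr | Where-Object { $_.Section -eq 'Additional' -and $_.Type -eq 'A' -and $_.Name -eq $next })
    $server = if ($glue.Count -gt 0) { $glue[0].IPAddress }
              else { (Resolve-DnsName -Name $next -Type A -DnsOnly -ErrorAction Stop |
                      Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress }
    "Hop ${hop}: referral to zone '$zone' via $next ($server)"
}
```

For comparison, a single Resolve-DnsName -Name $name -Server <forwarder> (without -NoRecursion) is the whole exchange a server using forwarders performs: one recursive query, one final answer, and every hop above happens on the forwarder instead.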

To configure forwarders or root hints on a Windows DNS server, follow this procedure:

  1. Open the DNS Management console.
  2. Right-click the DNS server in the left pane and select Properties.
  3. To configure forwarders, select the Forwarders tab of the properties window:

To configure root hints, select the Root Hints tab of the properties window:

Note: Forwarders must be manually configured, but root hints are present by default on a Windows DNS server. The root hints list can be manually modified, however.

The decision to use root hints or forwarders for external resolution is often a matter of preference, but there are a few things to keep in mind:

  • When configuring forwarders, be sure to add at least two servers to the list. If only a single forwarder is present in the list and that forwarder becomes unreachable, the local server will not be able to resolve external names at all, unless the Use root hints if no forwarders are available option on the Forwarders tab (Windows Server 2008 and later) is enabled, in which case the server falls back to root hints. Decide deliberately whether that fallback is wanted: it improves availability but means external resolution can silently leave the forwarders you chose.
  • Properly configured forwarders often provide quicker responses than root hints, but the difference is usually only a matter of milliseconds.
  • Although the root hints list will typically contain only thirteen entries (a.root-servers.net through m.root-servers.net), each entry is an anycast address backed by many physical servers. There are 376 geographically distributed root DNS servers as of this writing.
  • Forwarders are not stored in Active Directory (unlike conditional forwarders, which can be). This is important, since DNS servers in an AD domain are typically domain controllers (DCs). Forwarders configured on one DC will not replicate to other DCs; they must be manually configured on each DC which is also a DNS server, and a DC that was missed will resolve external names differently from its peers.
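The procedure and checks above can be scripted with the DnsServer module (Windows Server 2012 and later). The following is an added example, not code from the original article: it sets two forwarders, makes the root-hint fallback decision explicit, verifies that each forwarder actually answers, lists the root hints, and compares the forwarder list across every domain controller so a DC that was never configured stands out. The forwarder addresses are assumed placeholders; the cross-DC check assumes the ActiveDirectory module is installed and the account has remote DNS administration rights.

```powershell
# Added example (not from the original article): configure forwarders on the
# local Windows DNS server and run the checks from the list above.
# Forwarder addresses are assumed placeholders.
Import-Module DnsServer

$forwarders = @('192.0.2.53', '198.51.100.53')   # assumed: two resolvers you trust

# Replace the forwarder list in one operation. -UseRootHint $false keeps all
# external resolution on these forwarders; $true lets the server fall back to
# root hints if every forwarder stops answering.
Set-DnsServerForwarder -IPAddress $forwarders -UseRootHint $false -PassThru

# Check 1: at least two forwarders, and each one answers a recursive query.
# With UseRootHint off, one dead forwarder and no second one means no external
# resolution at all.
$cfg = Get-DnsServerForwarder
if (@($cfg.IPAddress).Count -lt 2) {
    Write-Warning 'Fewer than two forwarders configured; a single failure stops external resolution.'
}
foreach ($ip in $cfg.IPAddress) {
    try {
        $null = Resolve-DnsName -Name 'www.example.com' -Type A -Server $ip `
                    -DnsOnly -QuickTimeout -ErrorAction Stop
        "Forwarder $ip answered"
    } catch {
        Write-Warning "Forwarder $ip did not answer: $($_.Exception.Message)"
    }
}

# Check 2: root hints are the fallback path and ship by default. Listing them
# makes an emptied or edited list (not a.-m.root-servers.net) easy to spot.
"Root hints on $env:COMPUTERNAME:"
Get-DnsServerRootHint | ForEach-Object { $_.NameServer.RecordData.NameServer }

# Check 3: forwarders are per-server and never replicate, so read them from
# every DC and flag any that differ from the list just configured.
Import-Module ActiveDirectory
$expected = ($forwarders | Sort-Object) -join ','
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $remote = Get-DnsServerForwarder -ComputerName $dc -ErrorAction SilentlyContinue
    if (-not $remote) { Write-Warning "$dc : could not read forwarders (not a DNS server, or access denied)"; continue }
    $actual = (@($remote.IPAddress) | ForEach-Object { $_.IPAddressToString } | Sort-Object) -join ','
    [pscustomobject]@{
        Server      = $dc
        Forwarders  = $actual
        UseRootHint = $remote.UseRootHint
        Matches     = ($actual -eq $expected)
    }
}
```

Run the script on one DC and apply Set-DnsServerForwarder -ComputerName <dc> to any row where Matches is false; conditional forwarders stored in AD (first section) need no such pass because replication carries them to every DC.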