DNS Forwarding improves performance, load balances, and makes your network more resilient. It provides a way to pass on namespaces or resource records that are not contained in a local Domain Name System (DNS) server’s zone to remote DNS server for resolution of name queries both inside and outside a network.
There are two methods that we’ll discuss: forwarding and Conditional Forwarding. To understand the benefits of Conditional Forwarding, we must first understand how forwarding works.
In a simple example, a DNS forwarder sends name queries of external domains to a remote DNS servers outside of its local network for resolution. Internal name queries are handled by the Internal DNS server.
If the DNS server has no forwarder listed for the name designated in the query, it can attempt to resolve the query using standard recursion using root hints file.
There are two types of DNS name queries: recursive and iterative. While both DNS forwarding and Conditional DNS Forwarding follows the general steps above, each is a little different.
Recursive Name Query
Forwarded queries are sent as a recursive. In this scenario, the DNS client requires that the DNS server respond to the client with either the requested resource record or an error message stating that the record or domain name does not exist. The DNS server cannot just refer the DNS client to a different DNS server.
Iterative Name Query
DNS client allows the DNS server to return the best answer it can give based on its cache or zone data.
A DNS server configured to use a forwarder will behave differently than a DNS server that is not configured to use a forwarder. Here’s how a DNS server works when using forwarding:
1.When the DNS server receives a name query, it attempts to resolve this query using its primary zones, secondary zones and finally its cache in that order.
2. If the name query cannot be resolved using its local zone data or cache, then it will forward the query to the DNS server designated as a forwarder. As a result, root hints method of name resolution will not be used.
3. The original DNS server that received the initial query will wait briefly for an answer from the forwarder. If that fails, it will attempt to contact the DNS servers specified in its root hints as a last resort.
Conditional forwarders allow you to improve name resolution between internal (private) DNS namespaces that are not part of the DNS namespace of the Internet, such as results from a company merger.
Conditional forwarders are DNS servers that only forward queries for specific domain names. Instead of forwarding all queries it cannot resolve locally to a forwarder, a conditional forwarder is configured to forward a query to specific forwarders based on the domain name contained in the query. Forwarding according to domain names improves conventional forwarding by adding a name-based condition to the forwarding process.
Let’s walk through two examples where Conditional Forwarding really comes in handy. The first example is an internal name and the second is an external name resolution scenario.
Example 1. Intranet name resolution
When a DNS server configured with a conditional forwarder receives a query for a domain name, it will compare that domain name with its list of domain name conditions and use the longest domain name condition that corresponds to the domain name in the query. For example, in the figure below, the DNS server performs the following conditional forwarding logic to determine how a query for a domain name will be forwarded:
- The DNS server receives a query for networks.example.microsoft.com.
- It compares that domain name with both microsoft.com and example.microsoft.com.
- The DNS server determines that example.microsoft.com is the domain name that more closely matches the domain name query.
- The DNS server forwards the query to the DNS server with the IP address 172.31.255.255, which is associated with example.microsoft.com.
Example 2: Internet name resolution
DNS servers can use conditional forwarders to resolve queries between the DNS domain names of companies that share information. For example, two companies, Widgets Toys and TailspinToys, want to improve how the DNS clients of Widgets Toys resolve the names of the DNS clients of Tailspin Toys. The administrators from Tailspin Toys inform the administrators of Widgets Toys about the set of DNS servers in the Tailspin Toys network where Widgets can send queries for the domain dolls.tailspintoys.com. The DNS servers within the Widgets Toys network are configured to forward all queries for names ending with dolls.tailspintoys.com to the designated DNS servers in the network for Tailspin Toys. Consequently, the DNS servers in the Widgets Toys network do not need to query their internal root servers, or the Internet root servers, to resolve queries for names ending with dolls.tailspintoys.com.
The result is better performance, less network bandwidth, and happier end users because their name queries between different domains are resolved faster.
Conditional Forwarding Benefits
Conditional Forwarding leads to a safer, faster, smarter and more reliable Internet. When a DNS server forwards a query to a forwarder, it sends a recursive query to the forwarder. This is different than the iterative name query that a DNS server will send to other DNS servers during standard name query resolution (name resolution that does not involve a forwarder).
By configuring the DNS servers in one internal namespace to forward queries to the authoritative DNS servers in a second internal namespace, conditional forwarders enable name resolution between the two namespaces without performing iterative name query on the DNS namespace of the Internet, which leads to better performance and utilization of DNS servers and reduced traffic on a Local Area Network (LAN) subnet.
A LAN is a computer network that interconnects computers within a limited area such as a residence, school, laboratory, or office building. A local area network is contrasted in principle to a wide area network (WAN), in which two or more LANs are connected and thus covers a larger geographic distance and may involve leased telecommunication circuits, while the media for LANs are locally managed.
When you designate a DNS server as a forwarder, you make that forwarder responsible for handling external traffic, thereby limiting DNS server exposure to the Internet. A forwarder will build up a large cache of external DNS information because all of the external DNS queries in the network are resolved through it. In a small amount of time, a forwarder will be able to resolve a good portion of external DNS queries using this cached data and thereby decrease the Internet traffic over the network and the response time for DNS clients. As a result, root hint usage is greatly reduced.
Setting up a DNS Server Forwarder
Instructions to setup a conditional DNS forwarder for external domain name resolution using Windows Server 2012 R2 are described below.
1. In the console tree, double-click the applicable DNS server. Expand DNS, and then double-click Applicable DNS server.
2. In the console tree, double-click the applicable DNS server. Expand DNS, and then double-click Applicable DNS server.
3. In the console tree, click Conditional Forwarders, and then on the Action menu, click New Conditional Forwarder.
4. In DNS domain, type the fully qualified domain name (FQDN) of the domain for which you want to forward queries.
5. Click the IP addresses of the master servers list, type the IP address of the server to which you want to forward queries for the specified DNS domain, and then press Enter.
6. Click check box “Store this conditional forwarder in Active Directory,” and replicate it.
The DNS protocol is an important part of the web’s infrastructure, serving as the Internet’s phone book: every time you visit a website, your computer performs a DNS lookup. Complex pages often require multiple DNS lookups before they start loading, so your computer may be performing hundreds of lookups a day. DNS Conditional Forwarding can provide higher performance and security.
Even if you do not have access to Windows Server or the ability to run a local DNS server, you can still experiment with DNS forwarding using a Google Public DNS or Cisco’s OpenDNS. Both are free options that allow you to experiment with DNS forwarding. In both cases, all your DNS traffic will be forwarded to them and not your Internet Service Provider (ISP). Benefits are increased performance and security from phishing, malware, botnets, and targeted online attacks. In both cases, your traffic will probably be tracked and profiled, so buyer beware. At the very least, these services help you understand how DNS Forwarding works in real life.
While setup of DNS Forwarding in Windows Server is elaborate, on a normal Windows computer, however, it only takes one screen to configure.
- Open Control Panel
- Open Network and Internet
- Open Network and Sharing Center
- Click Change Adapter Setting
- View Properties sheet of Active Network Connection
- View Properties sheet for Internet Protocol Version 4
To use OpenDNS instead of Google Public DNS, where it says “Preferred DNS Server” and “Alternate DNS server”, use IP OpenDNS’s IP address.
For OpenDNS, the IP addresses are always:
If you have questions or need more information about Conditional DNS Forwarding, please leave your comments below. While you’re at it, why don’t you like, comment, and subscribe to this article if topics like this are of interest to you.
Thank you Saron Yitbarek for editing this article.