DNS forwarding lets a DNS server hand the queries it cannot answer from its own zones or cache to a designated upstream server, instead of resolving them from the root servers itself. It speeds up name resolution and reduces the number of servers that have to talk to the internet, and it is widely used by companies with extensive namespaces.
Keep reading to learn what DNS forwarding is, how it is configured on Windows Server, and how it is used for external and internal addresses.
What is DNS Forwarding?
DNS forwarding is a configuration in which a DNS server passes the queries it cannot resolve itself (names outside its own zones and not in its cache) to another designated DNS server, the forwarder, rather than walking the delegation chain from the root servers listed in its root hints. Typically, every internal server that converts domain names into IP addresses is given one or more forwarders for all the requests it cannot resolve locally.
This technique is used by businesses with very large namespaces and by companies that collaborate, since each can resolve the other's namespace by forwarding queries for it to the partner's DNS servers.
What is a DNS Forwarder?
A DNS forwarder is the DNS server that receives the queries another DNS server could not resolve locally and resolves them on its behalf. It is usually an upstream recursive resolver: one run by your ISP, a public resolver, or a central resolver inside your own organization. From the point of view of the server that forwards, the forwarder is an intermediary: it receives a recursive query, does the work of resolving it (from its cache, from its own forwarders, or iteratively from the root), and returns a final answer. The term is also used loosely for the server that does the forwarding, so check which side is meant in any given document.
How Does DNS Forwarding Work?
Now, let’s see DNS forwarding’s working procedure.
If your internal DNS servers have no forwarder configured, each of them resolves external names itself, starting from the root servers in its root hints. That means every internal server must be allowed to reach the internet, each one builds its own separate cache, and a misconfigured or exposed server can reveal internal server addresses and names when it queries outside the network. It is also wasteful on a slow or metered ISP link, because the same external names are resolved again and again from different servers.
With a forwarder in place, the internal servers send every query they cannot answer to the forwarder, which resolves it and caches the result. Because that cache is shared by all clients behind it, external DNS traffic drops and only the forwarder has to be reachable from, and able to reach, the internet.
DNS Forwarding Types
Let’s discuss the 2 primary DNS forwarding types and how each of them works:
1. Conditional Forwarding
DNS conditional forwarding adds a name-based condition to ordinary forwarding: instead of sending every unresolved query to the same forwarders, the server sends queries for specified domain names (matched on the domain suffix of the query name) to the forwarders designated for those names, and everything else to its default forwarders or root hints. This keeps queries for an internal or partner namespace inside the networks that can answer them: the names are resolved by servers that are authoritative, or close to it, they are never sent to public resolvers that could not answer them anyway, and responses are faster because no failed external lookup is attempted first. As with plain forwarding, the server sends a recursive query to the chosen forwarder and expects a final answer back.
2. Recursive Forwarding
In this DNS forwarding type, a DNS server forwards a query it cannot answer to another DNS server, which performs the recursive lookup (walking the delegation chain from the root, or asking its own forwarders) and returns the final answer. A typical use case is a set of branch or departmental DNS servers that forward everything they cannot resolve to a central DNS server, so that only the central server performs recursion against the internet.
Forwarding vs. Caching
In DNS forwarding, a DNS server sends client queries it cannot resolve directly to another DNS server (a forwarder). This is used to offload query resolution tasks or to implement specific query-routing policies.
DNS caching stores the answers to previous queries for the lifetime of each record's TTL, to reduce latency and external traffic. When a DNS server has a fresh cached record, it answers the query immediately instead of forwarding it; forwarding and caching therefore work together, and the forwarder's cache is the one that benefits every client behind it.
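To make the decision order behind conditional forwarding, recursive forwarding and caching concrete, here is an added example (not code from the original article) that models it in PowerShell. The zones, addresses and TTLs are constructed placeholders; a real Windows DNS server consults its conditional forwarder zones, then its forwarder list, then root hints, in much this order, after checking its cache.

```powershell
# Added example, not part of the original article. A small model of how a forwarding
# DNS server decides where a query goes. Zones, addresses and TTLs are constructed.

$ConditionalForwarders = @{   # most specific matching suffix wins, like conditional forwarder zones
    'corp.example'    = @('10.10.0.53')                     # assumed internal resolver for the AD forest
    'partner.example' = @('203.0.113.10', '203.0.113.11')   # assumed resolvers of a collaborating company
}
$DefaultForwarders = @('192.0.2.53', '198.51.100.53')       # assumed upstream recursive resolvers
$UseRootHints      = $true   # "Use root hints if no forwarders are available" (dnscmd /NoSlave); $false = forward-only
$Cache             = @{}     # name -> @{ Address; Expires }; a real server keys on name, type and class

function Select-Forwarder {
    param([Parameter(Mandatory)][string]$Name)
    $labels = $Name.TrimEnd('.').ToLower().Split('.')
    # host.sales.corp.example -> sales.corp.example -> corp.example -> example
    for ($i = 0; $i -lt $labels.Count; $i++) {
        $suffix = $labels[$i..($labels.Count - 1)] -join '.'
        if ($ConditionalForwarders.ContainsKey($suffix)) {
            return [pscustomobject]@{ Kind = 'Conditional'; Match = $suffix; Servers = $ConditionalForwarders[$suffix] }
        }
    }
    if ($DefaultForwarders.Count -gt 0) {
        return [pscustomobject]@{ Kind = 'Forwarder'; Match = '(default)'; Servers = $DefaultForwarders }
    }
    if ($UseRootHints) {
        return [pscustomobject]@{ Kind = 'RootHints'; Match = '(default)'; Servers = @('root servers') }
    }
    return [pscustomobject]@{ Kind = 'ServFail'; Match = '(default)'; Servers = @() }
}

function Resolve-Modelled {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][hashtable]$UpstreamAnswers)
    $key = $Name.TrimEnd('.').ToLower()
    $now = Get-Date
    # 1. Cache first: a fresh entry is served without any upstream traffic
    if ($Cache.ContainsKey($key) -and $Cache[$key].Expires -gt $now) {
        return [pscustomobject]@{ Name = $key; Address = $Cache[$key].Address; Source = 'cache (no upstream query)' }
    }
    # 2. Otherwise pick where the recursive query goes
    $route = Select-Forwarder -Name $key
    if ($route.Kind -eq 'ServFail') {
        return [pscustomobject]@{ Name = $key; Address = $null; Source = 'SERVFAIL: no forwarder reachable and root hints disabled' }
    }
    # 3. $UpstreamAnswers stands in for the network; a real server would send the query to $route.Servers
    $answer = $UpstreamAnswers[$key]
    if ($null -eq $answer) {
        return [pscustomobject]@{ Name = $key; Address = $null; Source = "NXDOMAIN via $($route.Kind)" }
    }
    # 4. Cache the answer for its TTL so the next client is served locally (negative caching omitted)
    $Cache[$key] = @{ Address = $answer.Address; Expires = $now.AddSeconds($answer.Ttl) }
    return [pscustomobject]@{ Name = $key; Address = $answer.Address
                              Source = "$($route.Kind) [$($route.Match)] -> $($route.Servers -join ', ')" }
}

# Constructed answers that the chosen upstream would return
$Upstream = @{
    'dc1.corp.example'       = @{ Address = '10.10.0.10';    Ttl = 3600 }
    'portal.partner.example' = @{ Address = '203.0.113.80';  Ttl = 300 }
    'www.example.com'        = @{ Address = '198.51.100.80'; Ttl = 60 }
}

# The same external name twice: the second lookup is a cache hit and generates no upstream traffic
$results = foreach ($q in 'dc1.corp.example', 'portal.partner.example', 'www.example.com', 'www.example.com', 'nosuch.example.net') {
    Resolve-Modelled -Name $q -UpstreamAnswers $Upstream
}
$results | Format-Table -AutoSize
```

Set `$UseRootHints` to `$false` and empty `$DefaultForwarders` to see the forward-only failure mode: a name with no matching conditional forwarder then gets SERVFAIL rather than being resolved from the root, which is exactly what happens on a Windows DNS server configured with /Slave when its forwarders are down.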
Benefits of DNS Forwarding
Let’s explore the various benefits of DNS forwarding:
1. Improved Query Efficiency
Forwarding sends each unresolved query to a forwarder that already holds a large, shared cache, so most queries are answered without a walk through the delegation chain from the root. Fewer round trips means lower latency for clients and less DNS traffic leaving the network.
2. Centralized Management
DNS forwarding simplifies DNS management, especially in large organizations, by letting administrators funnel external query resolution through a few designated DNS servers, where time-outs, logging, filtering and the choice of upstream resolvers are controlled in one place.
3. Security
Routing all external queries through a small number of trusted forwarders means only those servers need to talk to the internet; the other internal DNS servers can be blocked from doing so at the firewall. The forwarders then become the one place to enforce DNSSEC validation, response filtering and query logging. Forwarding by itself does not stop DNS spoofing or cache poisoning: the forwarder must be trusted and, ideally, validate DNSSEC signatures, and the path between your servers and the forwarder must be trustworthy.
4. Load Balancing
By distributing query resolution tasks across designated DNS servers, DNS forwarding can help balance the load on a network. This ultimately prevents a singular DNS server from getting overloaded.
5. Multi-Domain Support
For organizations with multiple internal or external domains, conditional forwarding allows seamless domain-specific query resolution.
How to Configure DNS Forwarders on Microsoft Windows Server 2008 R2 and 2016?
Before you start, note the IP addresses of the SIA recursive DNS servers (the upstream resolvers you will forward to) and make sure the server has a root hints file. The root hints file lists the root DNS servers that the DNS server contacts when it has to perform recursion itself, which is what it falls back to if no forwarder answers. Forwarders can be configured with the Windows Server graphical user interface or from the command line.
Graphical User Interface
You can follow the steps below to set up DNS forwarders on Windows using the graphical user interface.
- Click on Start and go to Administrative Tools > DNS.
- Right-click the DNS server you want to configure as a forwarder.
- From the Action menu (or the right-click menu), choose Properties.
- Select the Forwarders tab.
- Click Edit.
- In the Edit Forwarders dialog box, enter the primary IP address of the SIA recursive DNS server and press Enter.
- Add the secondary IP address of the SIA recursive DNS server and press Enter.
- Delete other servers that are listed as forwarders. Only keep the primary and secondary recursive DNS servers in the forwarders list.
- In Number of seconds before forward queries time out, enter how long the DNS server waits for a forwarder to respond before trying the next forwarder (or falling back to root hints).
- Click OK.
- Leave “Use root hints if no forwarders are available” selected. With this option the server falls back to resolving the name itself, starting from the root servers in its root hints file, if none of the listed forwarders responds. Clear it only if the server must never contact the internet directly (forward-only mode, the /Slave setting in dnscmd).
- In the properties dialog, click OK.
Command Line Interface
Follow these steps to configure DNS forwarding on Windows using the command line interface.
- Open a command prompt as an administrator.
- Type the following and press Enter:
dnscmd <ServerName> /ResetForwarders <PrimaryIPaddress …> [/TimeOut <Time>] /NoSlave
Where:
- <ServerName> is the host name, FQDN or IP address of the DNS server to configure; omit it for the local server.
- <PrimaryIPaddress …> is the list of forwarder IP addresses, separated by spaces. /ResetForwarders replaces any existing forwarder list, so list the primary and secondary recursive DNS servers and nothing else.
- <Time> is the forwarding time-out in seconds.
- /NoSlave keeps the fallback to root hints when no forwarder answers (the same as the GUI option above); /Slave would make the server forward-only.
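The same configuration as the GUI and dnscmd steps above, as an added example (not part of the original article) using the DnsServer PowerShell module that ships with Windows Server 2012 and later, including 2016; on 2008 R2 only the dnscmd line applies. The server name and every address below are placeholders to replace with your own.

```powershell
# Added example, not from the original article: configure forwarders on a Windows DNS server
# with the DnsServer module (Windows Server 2012 and later). Names and addresses are assumed placeholders.

$DnsServer = 'dns01.corp.example'                 # assumed DNS server being configured
$Upstream  = @('192.0.2.53', '198.51.100.53')     # assumed primary and secondary recursive resolvers

# Forwarders tab: Set- replaces the whole forwarder list (stale entries go away), 3 s time-out,
# and fall back to root hints when no forwarder answers (the dnscmd /NoSlave behaviour).
# 2008 R2 equivalent: dnscmd dns01.corp.example /ResetForwarders 192.0.2.53 198.51.100.53 /TimeOut 3 /NoSlave
Set-DnsServerForwarder -ComputerName $DnsServer -IPAddress $Upstream -Timeout 3 -UseRootHint $true

# Conditional forwarder: only queries under partner.example go to the partner's resolvers.
# Omit -ReplicationScope on a server that is not a domain controller to store the zone in a file instead of AD.
Add-DnsServerConditionalForwarderZone -ComputerName $DnsServer -Name 'partner.example' `
    -MasterServers '203.0.113.10', '203.0.113.11' -ReplicationScope 'Forest' -ForwarderTimeout 3

# Verify the forwarder list, the conditional forwarder zone, and that recursion is still enabled
# (the "Disable recursion (also disables forwarders)" setting would silently break forwarding)
Get-DnsServerForwarder -ComputerName $DnsServer
Get-DnsServerZone -ComputerName $DnsServer | Where-Object ZoneType -eq 'Forwarder' | Select-Object ZoneName, MasterServers
Get-DnsServerRecursion -ComputerName $DnsServer | Select-Object Enable, Timeout

# Functional check from a client: ask this server only, bypassing the local resolver cache and hosts file
Resolve-DnsName -Name 'www.example.com' -Server $DnsServer -Type A -DnsOnly
Resolve-DnsName -Name 'portal.partner.example' -Server $DnsServer -Type A -DnsOnly
```

After the change, clear the server cache (Clear-DnsServerCache) before testing if you want to be sure the answer came through the new forwarders rather than from records cached earlier.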
DNS Forwarding for External Addresses
DNS forwarding matters for external names because, without a designated forwarder for all external queries, every internal DNS server has to resolve them on its own. This is undesirable because:
- If external and internal DNS are not clearly separated, internal DNS data can leak: internal servers talking directly to the internet expose their own addresses, and split-brain mistakes can expose internal names.
- The external traffic load is higher without forwarding. When you designate a DNS server as the forwarder, it handles all external resolutions and builds a shared cache of external answers, which cuts the number of recursive lookups that leave the network.
For a small company with limited bandwidth, forwarding to a well-connected upstream resolver is a cheap way to make name resolution faster and the link less busy.
DNS Forwarding for Internal Addresses
A subset of internal names is often best handled through forwarding as well. On large intranets with several domains and subdomains, it is practical to let the DNS servers responsible for a subset of those domains answer for them, with every other server forwarding requests for those names to them. Such requests are forwarded with conditional forwarding, keyed on the domain suffix of the query.
Best Practices For DNS Forwarding
DNS is crucial to today's internet-driven world. If you have only one DNS server, configure it with forwarders. If you have more than one, you can configure one, some or all of them with forwarders, or have the others forward to one of them. Beyond that, the practices below help forwarders perform well and safely.
Disable Recursion
Recursion lets a DNS server answer queries for names it is not authoritative for by asking other servers on behalf of the client. Forwarding depends on it: in Windows DNS the setting is literally labelled “Disable recursion (also disables forwarders)”, so switching it off on a server that is supposed to forward breaks forwarding. Disable recursion only on servers that are purely authoritative, for example an internet-facing server hosting your public zone, so they cannot be abused as open resolvers for amplification attacks or cache poisoning. On internal resolvers that forward, keep recursion on but restrict it to your own clients: allow only internal subnets to reach the server on port 53 at the firewall and, on Windows Server 2016, use DNS policy recursion scopes so that recursion is performed for internal client subnets only. That removes the exposure without giving up forwarding, and it also keeps external traffic down because outsiders cannot make the server recurse for them.
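Restricting recursion to internal clients on Windows Server 2016 with DNS policy, as an added example (not part of the original article) of the alternative to ticking “Disable recursion (also disables forwarders)”. The server name, subnets and forwarder addresses are assumed placeholders; the cmdlets require the 2016 DnsServer module and do not exist on 2008 R2.

```powershell
# Added example, not from the original article: keep recursion (and therefore forwarding) for internal
# clients only, using DNS policy on Windows Server 2016. All names and addresses are assumed placeholders.

$DnsServer = 'dns01.corp.example'                 # assumed server
$Upstream  = @('192.0.2.53', '198.51.100.53')     # assumed upstream recursive resolvers

# 1. Define who counts as internal
Add-DnsServerClientSubnet -ComputerName $DnsServer -Name 'Internal' -IPv4Subnet '10.0.0.0/8', '192.168.0.0/16'

# 2. The default recursion scope (".") stops recursing: any query not matched by a policy below
#    is answered only from authoritative data, so outsiders cannot use the server as an open resolver
Set-DnsServerRecursionScope -ComputerName $DnsServer -Name '.' -EnableRecursion $false

# 3. A scope that does recurse, via the forwarders, for internal clients
Add-DnsServerRecursionScope -ComputerName $DnsServer -Name 'InternalRecursion' -EnableRecursion $true -Forwarder $Upstream

# 4. Policy: queries arriving from the Internal subnet are resolved in the InternalRecursion scope
Add-DnsServerQueryResolutionPolicy -ComputerName $DnsServer -Name 'RecurseForInternalOnly' -Action ALLOW `
    -ApplyOnRecursion -RecursionScope 'InternalRecursion' -ClientSubnet 'EQ,Internal'

# Verify the scopes and the policy; then test from an internal and an external address with
# Resolve-DnsName -Server $DnsServer: only the internal client should get non-authoritative names resolved
Get-DnsServerRecursionScope -ComputerName $DnsServer
Get-DnsServerQueryResolutionPolicy -ComputerName $DnsServer | Select-Object Name, Action, IsEnabled
```

Note that step 2 takes effect immediately, so run it only after the subnet in step 1 really covers every client that needs recursion, or add the policy first and disable the default scope last.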
Enable DNSSEC Validation
DNSSEC (Domain Name System Security Extensions) adds digital signatures to DNS data so that spoofed or poisoned answers can be detected. With validation enabled, the forwarding server checks the signatures on signed responses against the chain of trust from the root trust anchor; a response whose signature does not verify is discarded and the client receives an error (SERVFAIL) instead of the forged data.
DNSSEC authenticates the data, not the connection. If your DNS server does not validate itself but trusts a validating forwarder (by honouring the AD bit in its replies), an attacker on the path between the two can strip or forge that flag, so that path must be trusted: keep the forwarder on your own network, use an authenticated transport to it such as DNS over TLS where both sides support it, or validate on your own server.
Monitor DNS Servers
Regular monitoring of DNS servers alerts you about potential technical issues, allowing you to take quick action. This reduces the downtime that can heavily impact your business otherwise.
You should also review the forwarder's query logs for suspicious activity, such as bursts of lookups for random-looking subdomains, unusually long or high-entropy names that may indicate DNS tunnelling, and queries from hosts that should not be using the server, so you can act before a problem grows.
Create and Test Alternate Configuration
An alternate configuration will allow you to switch to a different forwarder in case of a failure. This will again reduce downtime and keep your resources accessible. Don’t skip testing the alternate configuration before establishing a new setup.
Regularly Backup DNS Server Data
An attacker who gains access to a DNS server may modify or delete zone data. Backing up DNS server data lets you restore it quickly without disrupting traffic on your network; without backups, rebuilding everything by hand can take hours or even days and hit the business hard.