DNS forwarding helps speed up your network, and you should implement it if your users request your domain name but their DNS server can’t find the corresponding IP address in the cache. This process is generally used by companies having extensive namespaces.

Keep reading the blog to know what is DNS forwarding and how it’s used for external and internal addresses. 

What is DNS Forwarding?

DNS forwarding is a process where another designated server (root hint server) handles non-resolvable addresses or DNS queries because the initially contacted server doesn’t have the answer. Generally, all the servers meant to convert domain names into IP addresses are assigned a specific forwarder for forwarding all the requests they can’t resolve. 

This technique is used by businesses having very large namespaces or companies collaborating as they can resolve each other’s namespaces. 

How Does DNS Forwarding Work?

Now, let’s see DNS forwarding’s working procedure.

When internal DNS information is private, it can be transmitted online if the root hint server is exposed to the public because no DNS forwarder is used in the internal network. You may also use it if your network’s ISP charges are heavy or the connection isn’t speedy due to the absence of an internal DNS forwarder. This is because an internal DNS forwarder increases external traffic, making it complicated to handle. 

Using a DNS forwarder will help build an internal cache for external DNS data to reduce the external DNS traffic. 

How to Configure DNS Forwarders on Microsoft Windows Server 2008 R2 and 2016?

Before you start the procedure to configure DNS forwarding, note the IP address of the SIA recursive DNS servers and ensure a root file is configured. The root hint file lists root DNS servers that active directory domain contacts for recursion queries. This can be done with the Windows Server graphical user interface or the command line.

Graphical User Interface

Follow these steps to configure DNS forwarders on Windows using the graphical user interface.

  1. Click on Start > Administrative Tools > DNS.
  2. Right-click the DNS server you want to configure as a forwarder.
  3. Go to the Action menu and select Properties.
  4. Select the Forwarders tab.
  5. Click Edit.
  6. In the Edit Forwarders dialog box, enter the primary IP address of the SIA recursive DNS server and press Enter.
  7. Add the secondary IP address of the SIA recursive DNS server and press Enter.
  8. Delete other servers that are listed as forwarders. Only keep the primary and secondary recursive DNS servers in the forwarders list.
  9. Add a value in the Number of seconds before the forward queries times out section to assign the number of seconds a DNS server waits for a response.
  10. Click OK.
  11. Enable the Use Root Hints if no forwarders are available option. This option ensures that DNS servers in a root hints file resolve the name locally.
  12. In the properties dialog, click OK.

Command Line Interface

Follow these steps to configure DNS forwarding on Windows using the command line interface. 

  1. Open a command prompt and run it as an administrator. 
  2. Type dnscmd <ServerName> /ResetForwarders <PrimaryIPaddress …> [/TimeOut <Time>] /noslave and press Enter.


  • <ServerName> is the DNS server’s domain name or IP address.
  • <PrimaryIPaddress> are IP addresses of the DNS servers where you forward queries. Separate each IP address with a space.
  • <Time> is the time in seconds for time-out settings.

Conditional Forwarding

DNS conditional forwarding is done using DNS servers that forward queries for certain domain names instead of forwarding all queries. They send queries to specific forwarders depending on the hostnames mentioned in the query. 

Conditional forwarding DNS improves conventional forwarding by putting up a name-based condition in the forwarding process.

DNS conditional forwarding is beneficial as it establishes a safer, faster, and more reliable internet connection. In this, the DNS server sends recursive queries to the forwarder.

DNS Forwarding for External Addresses

DNS forwarding is important because if there isn’t a designated DNS server as the forwarder for all external queries to be routed to, all the internal DNS servers have to handle the requests. This is undesirable because:

  1. Internal DNS data can get leaked without distinct external and internal DNS. This is a worrisome potential security and privacy vulnerability.
  2. The traffic load increases if you haven’t implied DNS forwarding. When you designate a DNS server as a forwarder, it handles all external DNS resolutions and creates a cache of external addresses to minimize the number of recursive queries, thus cutting down on traffic. 

If your company is small and has limited bandwidth, implying DNS forwarding can make the network more efficient and speedy.

DNS Forwarding for Internal Addresses

Experts recommend having a subset of internal addresses handled through DNS forwarding. Also, for extensive intranets, including several domains and subdomains, it’s practical to have DNS requests for a subset of those domains controlled by a dedicated server. These requests are generally forwarded with the conditional forwarding DNS principle.

Best Practices For DNS Forwarding

DNS is crucial to today’s internet-driven world. If you’ve only one DNS server, it should be configured as a forwarder. If you’ve more than one, then you can configure one of them, some of them, or all of them as forwarders. Apart from this, you can follow the below-listed practices to ensure DNS forwarders perform optimally. 

Disable Recursion

Recursion allows DNS servers to query other servers on behalf of the client. This helps in the DNS forwarding process but also exposes your network to security risks. So, if you disable it, the possibility of getting attacked decreases. It’ll also reduce the traffic load, and your network will become speedy. 

Enable DNSSEC Validation

DNSSEC or Domain name System security Extensions are security protocols that protect against DNS spoofing and cache poisoning attacks. If it’s enabled, DNS forwarders check digital signatures. The response is discarded if the signature doesn’t match, and an error message is sent to the client.

However, you should use it only over a secure connection. Otherwise, hackers can intercept and modify the data being exchanged.

Monitor DNS Servers

Regular monitoring of DNS servers alerts you about potential technical issues, allowing you to take quick action. This reduces the downtime that can heavily impact your business otherwise. 

You should also check DNS forwarder logs to notice suspicious activities or irresponsible user behaviour to stay ahead of potential security risks. 

Create and Test Alternate Configuration

An alternate configuration will allow you to switch to a different forwarder in case of a failure. This will again reduce downtime and keep your resources accessible. Don’t skip testing the alternate configuration before establishing a new setup. 

Regularly Backup DNS Server Data

Malicious actors attack your server and try modifying or deleting data. Backing up DNS server data helps restore it quickly without disrupting the traffic flow on your network. Without backups, it’ll take hours or even days to restore everything, impacting your business strongly.