Best Practices for DNS Forwarding

Q: What is a DNS Forwarder?
In Domain Name System (DNS) terms, a DNS forwarder is a DNS server that is used to forward DNS queries for external DNS names to DNS servers outside that network. It does it to DNS queries that it cannot resolve locally, meaning DNS queries that it has no personal knowledge of. By using DNS forwarders you can improve the efficiency of name resolution for the computers in your network that query for DNS names outside your network (such as names on the Internet).

Windows-based DNS servers come pre-installed with an automatic method of querying Internet names using a method called “DNS Root Hints.” Once you install the DNS role on a Windows-based server the Root Hints will be automatically added, and practically speaking, will allow you to resolve any Internet name as long as you have Internet connectivity for that server and there is no firewall rule that blocks it from querying those servers. You do not have to perform any additional configuration. You can find an updated list of root hints at ftp://ftp.rs.internic.net/domain/db.cache.

sample listing of root hints

A sample listing of root hints from ftp://ftp.rs.internic.net/domain/db.cache. (Image: Jeff James)

When forwarders are configured on a DNS server, when it receives a DNS query for a name for which it is not authoritative, meaning a query outside the scope of its control, one it has no knowledge of, the server will forward the request to whatever forwarder(s) were configured on it, instead of using root hints. Forwarders will always take precedence over Root Hints.
Note: You can also configure your server to forward queries to different servers depending on the DNS suffix that is specified in the DNS query. To do so, configure conditional forwarding appropriately. I will cover this in a later article.

Best Practices for DNS Forwarding with Windows Server 2012 R2

If you only have one DNS server, you may want to configure it as a forwarder. DNS plays a critical role in today’s Internet-connected IT world. Imagine all the services that we consume from the Web and from cloud-based providers. You want to have more than one DNS server for obvious redundancy purposes. When you have two or more DNS servers, you can configure one of them, some of them, or all of them to use forwarders.

From a network and performance efficiency perspective, having a single forwarder is generally more efficient than using multiple forwarders. This is because of the way DNS queries work. Whenever a DNS server receives a query and resolves it using forwarders (as with Root Hints), it caches the results it sent back to the client. Since query results are concentrated in one forwarder’s cache, any subsequent queries to the same names will be resolved locally from that DNS’s cache. This decreases the Internet traffic over the network and improves the response time for DNS clients.
However, having said that, you may want to have at least 2 working DNS servers acting as forwarders because if one fails you will still have name resolution.

The Difference Between Using DNS Forwarders and Root Hints

Which is the best decision, to use Root Hints, or use my local ISP’s DNS servers as forwarders? For me, this is a frequently asked question.
I recommend using your ISP DNS servers as forwarders. The main reason is related to performance. By using your ISP’s DNS servers as forwarders you will have a much lower number of hops to reach your ISP DNS server when compared to the number of hops needed to access the root hints.

ISP DNS servers are quite reliable and do not change that often, a vast improvement over the last ten years. You also get the benefit of having the ISP cache most of the frequently-used DNS queries for your country or geographical region in their DNS servers’ cache, further improving DNS query performance.
In all these cases you will need the correct names and IP addresses of your ISP. The best ways to get the correct names and IP addresses of your ISP would be either to search for the list on your favorite search engine or simply contact your ISP’s technical support line.
Another reason for my recommendation is related with firewall configuration. It’s relatively easy to allow DNS queries to the 2 or 3 specific ISP DNS servers used for forwarders rather than allowing the DNS to query a large list of external root hints servers and the associated recursive traffic that will result from these queries.
There is one critical thing you need to remember. If you change your ISP in the future you must also change the DNS forwarder information because it’s most likely that the new ISP will block the old ISP’s DNS queries based on your external IP address. In addition, when you are using an Internet connection that is load-balancing connections from several ISPs, you may need to check with all your ISPs to see how to properly configure DNS forwarders or you might experience name resolution failure whenever your connection switches to the other ISP. You do not need to worry about this if you use Root Hints.

One last thing to remember when you are about to perform changes in your Domain Controller topology such as adding, removing or changing IP addresses of DCs. In most cases the DCs (or at least some of them) will also act as DNS servers. When you make a change to these DCs, you must remember to also change the forwarders, firewall rules and any other manual configuration settings you made.