Forwarding

Forwarding, in the simplest terms, is the process by which a nameserver passes on requests it cannot answer locally to another server. You can make forwarding work to your advantage so that you effectively combine the resolver caches for many nameservers into one. By doing this, you allow clients to resolve previously retrieved sites from that “mega-cache” before requiring a true refresh lookup of the information from authoritative nameservers on the public Internet.

Here’s how it works. DNS behavior by default is to consult the preferred nameserver first to see if it has the necessary zone information for which the client is searching. It doesn’t matter to the client if the preferred nameserver has the zone information but isn’t authoritative; having the information is enough for the client, and it takes the returned results and performs the connection process. But if the server doesn’t have the zone recorded in its files, it must go upstream, to the public Internet, to ask other nameservers for the zone information that’s needed. This takes time because it adds a delay to the initial resolution while the preferred nameserver is searching the Internet for the answer. However, after the server looks up the information once, it stores it in its cache of resolved names so that the next user looking for the same information doesn’t incur that delay: the preferred nameserver can simply answer out of its cache and return the data nearly instantaneously.

Forwarding takes that cache and expands it to multiple nameservers. Consider an organization with four or five nameservers. Clients likely will have different preferred nameservers, set to each of those four or five. So, when one client wants information not in his nameserver’s cache, his preferred nameserver will search it out and return it, and all future users of that particular preferred nameserver will get information for that zone returned out of its cache. But the other users in the organization won’t be able to take advantage of that cached entry because they’re likely using other machines as their preferred nameservers.

A forwarder comes in and adds an extra step to this process: if the preferred nameserver doesn’t have zone information in its cache, it will ask a separate server, known as the forwarder, if it knows the zone information. The forwarder is simply another nameserver that looks up zone information on the Internet and stores it in its own cache for easy reference. So, if all nameservers in an organization are configured to ask the forwarder for cached information if it has some, all of those nameservers are taking advantage of the forwarder’s cache and the near-instantaneous response the forwarder can give to resolution requests. Again, the forwarder acts like a regular nameserver in all respects; it’s just that other nameservers in an organization are configured so that they can use the forwarder’s cache. If, however, the forwarder machine takes too long to respond to a request, the original preferred nameserver can take over and make a request to the Internet itself, so you don’t lose the ability to resolve DNS requests—you’re only making it more efficient. You also can have more than one forwarder for your organization if you’re worried about a single point of failure, but you lose a bit of the advantage because you’re again using more than one cache database.

Now, to set up forwarding:

  1. Open the DNS Management snap-in on the machine you want to set up to forward requests elsewhere.

  2. Right-click the server name and choose Properties from the context menu.

  3. Navigate to the Forwarders tab, and then in the Selected domain’s forwarder IP address list, enter the IP address to which requests should be forwarded. This is shown in Figure 4-23.

    Figure 4-23. Setting up a forwarding DNS system

  4. Also as shown in the previous figure, enter 5 in the Number of seconds before forward queries time out field. Five seconds is a standard number that ensures efficient name resolution if the forwarders somehow fail at their task.

  5. Click Apply to complete the process.

Slaving

Slaving is a logical extension to the forwarding process. Servers slaved to a specific nameserver forward requests to that server and rely entirely on that server for resolution; in plain forwarding, on the other hand, the original nameserver can resolve the request itself after a timeout period by querying the root nameservers. With slaving, the upstream nameserver becomes the proxy through which all slaved nameservers make their requests.

This is useful mainly in situations where you need multiple nameservers within your organization to handle Active Directory- and internal-related tasks, but you want outside requests to stay outside the firewall. You can set up one very secure nameserver and place it outside your firewall and internal network, allowing it to service requests from the inside to the outside and from the outside to certain machines within the network. Then, you can slave the internal machines to the one machine outside the firewall, making them depend entirely on the machine in the hostile environment but keeping that environment out of your internal network and away from the many nameservers you administer locally. Because most firewalls are stateful inspection machines that only allow packets inside the firewall that are in response to communications initiated internally, and because your internal nameservers query only the external nameserver and not the Internet itself, the public has no reason to know that your internal nameservers exist, and no ability to get to them, either.

Setting up slaving, as opposed to forwarding, involves only one extra checkbox. To enable slaving, follow these steps:

  1. Open the DNS Management snap-in on the machine you want to set up to slave to another server.

  2. Right-click the server name and choose Properties from the context menu.

  3. Set up forwarding first. Navigate to the Forwarders tab, and then in the Selected domain’s forwarder IP address list, enter the IP address to which requests should be forwarded. This is shown in Figure 4-24.

    Figure 4-24. Setting up a slaved DNS system

  4. Also as shown in the previous figure, enter 5 in the Number of seconds before forward queries time out field. Five seconds is a standard number that ensures efficient name resolution if the forwarders somehow fail at their task.

  5. Now, check the Do not use recursion for this domain box at the bottom of the screen. This slaves the server to the forwarders listed in the box above.

  6. Click Apply, and then OK, to complete the process.
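The forwarding and slaving procedures above, as an added example in dnscmd form (this is not the book’s own text or tooling walkthrough). It assumes an elevated prompt on the DNS server itself, that dnscmd is available (Support Tools on Windows Server 2003, built in on later releases), and uses 192.0.2.53 as a constructed placeholder forwarder address.

```powershell
# Added example, not from the book: the forwarding and slaving procedures as
# dnscmd commands. Run in an elevated prompt on the DNS server.
# 192.0.2.53 is a constructed placeholder address, not a real forwarder.
$Forwarder      = '192.0.2.53'
$TimeoutSeconds = 5   # the book's recommended forwarder timeout

# Forwarding (steps 3-5): server-wide forwarder plus timeout. /NoSlave keeps the
# fallback: if the forwarder does not answer within the timeout, this server
# recurses to the Internet on its own.
dnscmd /ResetForwarders $Forwarder /Timeout $TimeoutSeconds /NoSlave

# Confirm what was applied: the forwarder list, timeout and slave flag are part
# of the server info dump.
dnscmd /Info | Select-String -Pattern 'Forward', 'Slave'

# Slaving (step 5 of the slaving procedure): /Slave is the "Do not use recursion
# for this domain" checkbox. From now on this server answers only from its own
# zones and cache or from the forwarder; it never contacts the Internet itself,
# which is what keeps the internal nameservers hidden behind the firewall.
dnscmd /ResetForwarders $Forwarder /Timeout $TimeoutSeconds /Slave

# Check: with the forwarder unreachable, a public name must now fail to resolve
# rather than being looked up directly. A successful answer here means the
# server is still recursing on its own and is not actually slaved.
nslookup www.example.com 127.0.0.1
```

On Windows Server 2012 and later the DnsServer PowerShell module offers Set-DnsServerForwarder (with -Timeout and -UseRootHint) as the equivalent of these two dnscmd calls.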

Conditional Forwarding

There might be occasions, especially when using the split DNS architecture technique that I’ll cover in the next section, where you want to assign certain nameservers to answer queries for specific domains that your users ask for. Conditional forwarding can be useful for many reasons, including increasing the speed of name resolution for clients and effecting a structural DNS change after a company acquisition or divestiture, among others.

Tip

Conditional forwarding is supported only in Windows Server 2003.

As counterintuitive as it might be, the Forwarders tab inside the DNS Management snap-in holds multiple lists of domains and their associated forwarders specifically to accommodate the conditional forwarding feature. To set up conditional forwarding, follow these steps:

  1. Open the DNS Management snap-in on the machine you want to set up for conditional forwarding.

  2. Right-click the server name and choose Properties from the context menu.

  3. Navigate to the Forwarders tab, and then click the New button to the right of the DNS domain box.

  4. In the New Forwarder box, enter the name of the DNS domain to configure forwarding for, and then press OK.

  5. Click the new domain within the DNS domain list, and then in the Selected domain’s forwarder IP address list, enter the IP address to which requests should be forwarded. This is shown in Figure 4-25.

  6. In the Number of seconds before forward queries time out field, enter 5.

    Figure 4-25. Setting up a conditionally forwarded DNS system

  7. Leave the Do not use recursion for this domain box at the bottom of the screen unchecked because you don’t want to slave your nameserver permanently to a forwarder for only certain domains.

  8. Click Apply, and then OK, to complete the process.
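The conditional forwarding procedure above, as an added example in dnscmd form (not the book’s own text). It assumes an elevated prompt on the DNS server with dnscmd available, and uses the domain partner.example and the address 192.0.2.53 as constructed placeholders.

```powershell
# Added example, not from the book: the conditional forwarding procedure as
# dnscmd commands. Run in an elevated prompt on the DNS server.
# "partner.example" and 192.0.2.53 are constructed placeholders.
$Domain         = 'partner.example'
$Forwarder      = '192.0.2.53'
$TimeoutSeconds = 5

# Steps 3-6: a forwarder entry scoped to one domain. Only queries for names
# under $Domain go to $Forwarder; every other query follows the server's usual
# path (server-wide forwarders, then root hints).
# Step 7: /Slave is deliberately omitted, so the server keeps its ability to
# recurse for this domain if the forwarder times out.
dnscmd /ZoneAdd $Domain /Forwarder $Forwarder /Timeout $TimeoutSeconds

# Audit which domains are conditionally forwarded, and to where. Review this
# list periodically: a forwarder entry silently decides who answers for a
# domain, so an unexpected entry or address is worth investigating.
dnscmd /EnumZones /Forwarder
dnscmd /ZoneInfo $Domain

# Cleanup when the arrangement ends (for example after a divestiture);
# /f suppresses the confirmation prompt.
# dnscmd /ZoneDelete $Domain /f
```

On Windows Server 2012 and later, Add-DnsServerConditionalForwarderZone (with -MasterServers and -ForwarderTimeout) from the DnsServer module is the equivalent of the /ZoneAdd call.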
