Windows Server 2003 : Domain Name System - Forwarding

1/2/2013 6:16:56 PM
Forwarding, in the simplest terms, is the process by which a nameserver passes on requests it cannot answer locally to another server. You can make forwarding work to your advantage so that you effectively combine the resolver caches for many nameservers into one. By doing this, you allow clients to resolve previously retrieved sites from that "mega-cache" before requiring a true refresh lookup of the information from authoritative nameservers on the public Internet.

Here's how it works. DNS behavior by default is to consult the preferred nameserver first to see if it has the necessary zone information for which the client is searching. It doesn't matter to the client if the preferred nameserver has the zone information but isn't authoritative; having the information is enough for the client, and it takes the returned results and makes the connection. But if the server doesn't have the zone recorded in its files, it must go upstream, to the public Internet, to ask other nameservers for the zone information that's needed. This takes time because it adds a delay to the initial resolution while the preferred nameserver is searching the Internet for the answer. However, after the nameserver looks up the information once, it stores it in its cache of resolved names so that the next user looking for the same resolver information doesn't incur that delay: the preferred nameserver can simply answer out of its cache and return the data nearly instantaneously.

Forwarding takes this cache and expands it to multiple nameservers. Consider an organization with four or five nameservers. Clients likely will have different preferred nameservers, set to one of each of those four or five. So, when one client wants information that's not in his nameserver's cache, his preferred nameserver will search it out and return it, and all future users of that particular preferred nameserver will get information for that zone returned out of its cache. But the other users in the organization won't be able to take advantage of that cached entry because they're likely using other machines as their preferred nameservers.

A forwarder comes in and adds an extra step to this process: if the preferred nameserver doesn't have zone information in its cache, it will ask a separate server, known as the forwarder, if it has information on the requested zone. The forwarder is simply another nameserver that looks up zone information on the Internet and stores it in its own cache for easy reference. So, if all nameservers in an organization are configured to ask the same forwarder for cached information if it has some, all of those nameservers are taking advantage of the forwarder's cache and the near-instantaneous response the forwarder can give to resolution requests. Again, the forwarder acts like a regular nameserver in all respects; it's just that other nameservers in an organization are configured so that they can use the forwarder's cache. If, however, the forwarder machine takes too long to respond to a request, the original preferred nameserver can take over and make a request to the Internet itself, so you don't lose the ability to resolve DNS requests—you're only making it more efficient. You also can have more than one forwarder for your organization if you're worried about a single point of failure, but you lose a bit of the advantage because you're again using more than one cache database.

Now, to set up forwarding:

  1. Open the DNS Management snap-in on the machine you want to set up to forward requests elsewhere.

  2. Right-click the server name and choose Properties from the context menu.

  3. Navigate to the Forwarders tab, and then in the Selected domain's forwarder IP address list, enter the IP address to which requests should be forwarded. This is shown in Figure 1.

  4. Also as shown in the previous figure, enter 5 in the Number of seconds before forward queries time out field. Five seconds is a standard number that ensures efficient name resolution if the forwarders somehow fail at their task.

  5. Click Apply to complete the process.

1. Slaving

Slaving is a logical extension to the forwarding process. Servers slaved to a specific nameserver forward requests to that server and rely entirely on that server for resolution; in plain forwarding, on the other hand, the original nameserver can resolve the request itself after a timeout period by querying the root nameservers. With slaving, the upstream nameserver becomes the proxy through which all slaved nameservers make their requests.

Figure 1. Setting up a forwarding DNS system

This is useful mainly in situations where you need multiple nameservers within your organization to handle Active Directory- and internal-related tasks, but you want outside requests to stay outside the firewall. You can set up one very secure nameserver and place it outside your firewall and internal network, allowing it to service requests from the inside to the outside and from the outside to certain machines within the network. Then, you can slave the internal machines to the one machine outside the firewall, making them depend entirely on the machine in the hostile environment but keeping that environment out of your internal network and away from the many nameservers you administer locally. Because most firewalls are stateful inspection machines that only allow packets inside the firewall that are in response to communications initiated internally, and because your internal nameservers query only the external nameserver and not the Internet itself, the public has no reason to know that your internal nameservers exist, and no ability to get to them, either.

Setting up slaving, as opposed to forwarding, involves only one extra checkbox. To enable slaving, follow these steps:

  1. Open the DNS Management snap-in on the machine you want to set up to slave to another server.

  2. Right-click the server name and choose Properties from the context menu.

  3. Set up forwarding first. Navigate to the Forwarders tab, and then in the Selected domain's forwarder IP address list, enter the IP address to which requests should be forwarded. This is shown in Figure 2.

  4. Also as shown in the previous figure, enter 5 in the "Number of seconds before forward queries time out" field. Five seconds is a standard number that ensures efficient name resolution if the forwarders somehow fail at their task.

  5. Now, check the Do not use recursion for this domain box at the bottom of the screen. This slaves the server to the forwarders listed in the box above.

  6. Click Apply, and then OK, to complete the process.

Figure 2. Setting up a slaved DNS system

2. Conditional Forwarding

There might be occasions, especially when using the split DNS architecture technique that I'll cover in the next section, where you want to assign certain nameservers to answer queries for specific domains that your users ask for. Conditional forwarding can be useful for many reasons, from increasing the speed of name resolution for clients to effecting a structural DNS change in the case of a company acquisition or divestiture.

Conditional forwarding is supported only in Windows Server 2003.

The Forwarders tab inside the DNS Management snap-in holds multiple lists of domains and their associated forwarders specifically to accommodate the conditional forwarding feature. To set up conditional forwarding, follow these steps:

  1. Open the DNS Management snap-in on the machine you want to set up for conditional forwarding.

  2. Right-click the server name and choose Properties from the context menu.

  3. Navigate to the Forwarders tab, and then click the New button to the right of the DNS domain box.

  4. In the New Forwarder box, enter the name of the DNS domain to configure forwarding for, and then press OK.

  5. Click the new domain within the DNS domain list, and then in the Selected domain's forwarder IP address list, enter the IP address to which requests should be forwarded. 

  6. In the Number of seconds before forward queries time out field, enter 5.

  7. Leave the Do not use recursion for this domain box at the bottom of the screen unchecked because you don't want to slave your nameserver permanently to a forwarder for only certain domains.

  8. Click Apply, and then OK, to complete the process.
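The three behaviours configured in the procedures above (plain forwarding with fallback, slaving, and per-domain conditional forwarding) modelled as a small added Python example; this is illustrative code written for this page, not code from the page or from the Windows DNS service. The `Forwarder`, `ForwardRule` and `NameServer` classes, the `delay` attribute standing in for a slow forwarder, and the `INTERNET` dictionary standing in for authoritative servers on the public Internet are all constructed assumptions.

```python
from dataclasses import dataclass, field

INTERNET = {"www.example.com": "192.0.2.10", "www.example.net": "198.51.100.7"}  # constructed "public Internet"

@dataclass
class Forwarder:
    """A forwarder: an ordinary nameserver with its own cache and recursive lookup."""
    delay: float = 0.0                         # seconds to answer (constructed, models a slow forwarder)
    cache: dict = field(default_factory=dict)

    def query(self, name):
        if name not in self.cache:             # miss: go to the Internet once, then serve from cache
            self.cache[name] = INTERNET.get(name)
        return self.cache[name]

@dataclass
class ForwardRule:
    """One Forwarders-tab entry: forwarder list, timeout, 'Do not use recursion for this domain' (slave)."""
    forwarders: list
    timeout: float = 5.0
    slave: bool = False

@dataclass
class NameServer:
    """A preferred nameserver; rules maps a DNS domain to its ForwardRule ("" = 'All other DNS domains')."""
    rules: dict
    cache: dict = field(default_factory=dict)
    internet_queries: list = field(default_factory=list)   # names this server recursed for on its own

    def _rule(self, name):
        # Conditional forwarding: the longest matching domain suffix wins, else the catch-all rule.
        matches = [d for d in self.rules if d and (name == d or name.endswith("." + d))]
        return self.rules.get(max(matches, key=len)) if matches else self.rules.get("")

    def resolve(self, name):
        if name in self.cache:                  # answered out of the local cache
            return self.cache[name]
        rule = self._rule(name)
        if rule:
            for fwd in rule.forwarders:         # try forwarders in order
                if fwd.delay <= rule.timeout:   # forwarder answered before the timeout
                    self.cache[name] = fwd.query(name)
                    return self.cache[name]
            if rule.slave:                      # slaved: never recurse on its own
                return None
        self.internet_queries.append(name)      # plain forwarding: recurse after the timeout
        self.cache[name] = INTERNET.get(name)
        return self.cache[name]
```

The `internet_queries` list is the check worth keeping an eye on: a slaved server should never accumulate entries there, even when its forwarder is unreachable, which is exactly the property the firewall design in the slaving section relies on.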
