Forwarding, in the simplest terms, is the process
by which a nameserver passes on requests it cannot answer locally to
another server. You can make forwarding
work to your advantage so that you effectively combine the resolver
caches for many nameservers into one. By doing this, you allow clients
to resolve previously retrieved sites from that "mega-cache" before
requiring a true refresh lookup of the information from authoritative
nameservers on the public Internet.
Here's how it works. DNS behavior by default is to
consult the preferred nameserver first to see if it has the necessary
zone information for which the client is searching. It doesn't matter to
the client if the preferred nameserver has the zone information but
isn't authoritative; having the information is enough for the client,
and it takes the returned results and makes the connection. But if the
server doesn't have the zone recorded in its files, it must go upstream,
to the public Internet, to ask other nameservers for the zone
information that's needed. This takes time because it adds a delay to
the initial resolution while the preferred nameserver is searching the
Internet for the answer. However, after the nameserver looks up the
information once, it stores it in its cache of resolved names so that
the next user looking for the same resolver information doesn't incur
that delay: the preferred nameserver can simply answer out of its cache
and return the data nearly instantaneously.
Forwarding takes this cache and expands it to
multiple nameservers. Consider an organization with four or five
nameservers. Clients likely will have different preferred nameservers,
set to one of each of those four or five. So, when one client wants
information that's not in his nameserver's cache, his preferred
nameserver will search it out and return it, and all future users of
that particular preferred nameserver will get information for that zone
returned out of its cache. But the other users in the organization won't
be able to take advantage of that cached entry because they're likely
using other machines as their preferred nameservers.
A forwarder comes in and adds an extra step to
this process: if the preferred nameserver doesn't have zone information
in its cache, it will ask a separate server, known as the forwarder, if
it has information on the requested zone. The forwarder is simply
another nameserver that looks up zone information on the Internet and
stores it in its own cache for easy reference. So, if all nameservers in
an organization are configured to ask the same forwarder for cached
information if it has some, all of those nameservers are taking
advantage of the forwarder's cache and the near-instantaneous response
the forwarder can give to resolution requests. Again, the forwarder acts
like a regular nameserver in all respects; it's just that other
nameservers in an organization are configured so that they can use the
forwarder's cache. If, however, the forwarder machine takes too long to
respond to a request, the original preferred nameserver can take over
and make a request to the Internet itself, so you don't lose the ability
to resolve DNS requests—you're only making it more efficient. You also
can have more than one forwarder for your organization if you're worried
about a single point of failure, but you lose a bit of the advantage
because you're again using more than one cache database.
Now, to set up forwarding:
1. Open the DNS Management snap-in on the machine you want to set up to forward requests elsewhere.
2. Right-click the server name and choose Properties from the context menu.
3. Navigate to the Forwarders tab, and then in the Selected domain's forwarder IP address list, enter the IP address to which requests should be forwarded. This is shown in Figure 1.
4. Also as shown in the previous figure, enter 5 in the Number of seconds before forward queries time out field. Five seconds is a standard value that keeps name resolution efficient if the forwarders somehow fail at their task.
5. Click Apply to complete the process.
1. Slaving
Slaving is a logical extension to the forwarding
process. Servers slaved to a specific nameserver forward requests to
that server and rely entirely on that server for resolution; in plain
forwarding, on the other hand, the original nameserver can resolve the
request itself after a timeout period by querying the root nameservers.
With slaving, the upstream nameserver becomes the proxy through which all slaved nameservers make their requests.
This is useful mainly in situations where you
need multiple nameservers within your organization to handle Active
Directory- and internal-related tasks, but you want outside requests to
stay outside the firewall. You can set up one very secure nameserver and
place it outside your firewall and internal network, allowing it to
service requests from the inside to the outside and from the outside to
certain machines within the network. Then, you can slave the internal
machines to the one machine outside the firewall, making them depend
entirely on the machine in the hostile environment but keeping that
environment out of your internal network and away from the many
nameservers you administer locally. Because most firewalls are stateful
inspection machines that only allow packets inside the firewall that are
in response to communications initiated internally, and because your
internal nameservers query only the external nameserver and not the
Internet itself, the public has no reason to know that your internal
nameservers exist, and no ability to get to them, either.
Setting up slaving, as opposed to forwarding, involves only one extra checkbox. To enable slaving, follow these steps:
1. Open the DNS Management snap-in on the machine you want to set up to slave to another server.
2. Right-click the server name and choose Properties from the context menu.
3. Set up forwarding first. Navigate to the Forwarders tab, and then in the Selected domain's forwarder IP address list, enter the IP address to which requests should be forwarded. This is shown in Figure 2.
4. Also as shown in the previous figure, enter 5 in the "Number of seconds before forward queries time out" field. Five seconds is a standard value that keeps name resolution efficient if the forwarders somehow fail at their task.
5. Now, check the Do not use recursion for this domain box at the bottom of the screen. This slaves the server to the forwarders listed in the box above.
6. Click Apply, and then OK, to complete the process.
2. Conditional Forwarding
There might be occasions, especially when using the split DNS architecture technique that I'll cover in the next section, where you want to assign certain nameservers to answer queries for specific domains that your users ask for. Conditional forwarding can be useful for many reasons, from increasing the speed of name resolution for clients to effecting a structural DNS change in the case of company acquisitions or divestitures.
Conditional forwarding is supported only in Windows Server 2003.
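The three behaviours described in this section (a forwarder whose cache is shared by several nameservers, a slaved server that never falls back to its own lookup, and a per-domain forwarder list) can be modelled in a few dozen lines. The following is an added illustration written for this page, not code from the book or from Microsoft's DNS service; every server name, address and latency in it is constructed, and the "timeout" check simply compares a forwarder's stated latency against the 5-second limit rather than really waiting:

```python
"""Toy model of the resolver behaviours described in this section:
forwarding with fallback to recursion, slaving (no fallback), and
conditional forwarding (per-domain forwarder lists).  Added illustration,
not Microsoft DNS code; every name, address and latency is constructed."""


class Internet:
    """Stands in for the authoritative nameservers on the public Internet."""

    def __init__(self, records):
        self.records = records          # qname -> address (constructed data)
        self.queries = 0                # how many times anyone had to go upstream

    def lookup(self, qname):
        self.queries += 1
        return self.records.get(qname)


class NameServer:
    def __init__(self, name, internet, forwarders=(), slave=False,
                 timeout=5, latency=0, authoritative=None):
        self.name = name
        self.internet = internet
        self.forwarders = list(forwarders)   # global forwarder list (Forwarders tab)
        self.slave = slave                   # "Do not use recursion for this domain"
        self.timeout = timeout               # seconds before forward queries time out
        self.latency = latency               # seconds this server takes to answer (constructed)
        self.authoritative = authoritative or {}
        self.conditional = {}                # domain -> forwarders used for that domain only
        self.cache = {}
        self.own_lookups = 0                 # times this server went to the Internet itself

    def add_conditional_forwarder(self, domain, servers):
        self.conditional[domain.lower()] = list(servers)

    def _forwarders_for(self, qname):
        # Longest matching conditional domain wins; otherwise the global list.
        # Conditional entries follow the advice in this section and are never slaved.
        matches = [d for d in self.conditional
                   if qname == d or qname.endswith("." + d)]
        if matches:
            return self.conditional[max(matches, key=len)], False
        return self.forwarders, self.slave

    def resolve(self, qname):
        qname = qname.lower()
        if qname in self.authoritative:
            return self.authoritative[qname]
        if qname in self.cache:                 # answer out of the local cache
            return self.cache[qname]
        forwarders, slaved = self._forwarders_for(qname)
        for fwd in forwarders:
            if fwd.latency > self.timeout:      # forwarder took too long to respond
                continue
            answer = fwd.resolve(qname)
            if answer is not None:
                self.cache[qname] = answer
                return answer
        if slaved:
            return None                         # a slaved server never recurses itself
        self.own_lookups += 1
        answer = self.internet.lookup(qname)    # plain forwarding falls back to recursion
        if answer is not None:
            self.cache[qname] = answer
        return answer


def demo():
    """Walk through the three scenarios; returns a summary dict for checking."""
    internet = Internet({"www.example.com": "192.0.2.10"})
    # 1. Shared forwarder cache: two preferred nameservers, one forwarder.
    forwarder = NameServer("forwarder", internet)
    ns1 = NameServer("ns1", internet, forwarders=[forwarder])
    ns2 = NameServer("ns2", internet, forwarders=[forwarder])
    ns1.resolve("www.example.com")              # forwarder goes upstream once
    ns2.resolve("www.example.com")              # answered out of the forwarder's cache
    upstream_after_sharing = internet.queries
    # 2. Slow forwarder: plain forwarding falls back; a slaved server does not.
    slow = NameServer("slow-forwarder", internet, latency=30)
    plain = NameServer("plain", internet, forwarders=[slow])
    slaved = NameServer("slaved", internet, forwarders=[slow], slave=True)
    plain_answer = plain.resolve("www.example.com")
    slaved_answer = slaved.resolve("www.example.com")
    # 3. Conditional forwarding: the partner's domain goes to the partner's server.
    partner = NameServer("partner-ns", internet,
                         authoritative={"mail.partner.example": "198.51.100.25"})
    ns3 = NameServer("ns3", internet, forwarders=[forwarder])
    ns3.add_conditional_forwarder("partner.example", [partner])
    before = internet.queries
    partner_answer = ns3.resolve("mail.partner.example")
    return {
        "upstream_after_sharing": upstream_after_sharing,   # 1: one Internet lookup served both
        "plain_answer": plain_answer,                       # "192.0.2.10" via its own lookup
        "plain_own_lookups": plain.own_lookups,             # 1
        "slaved_answer": slaved_answer,                     # None: relies entirely on forwarder
        "partner_answer": partner_answer,                   # "198.51.100.25"
        "upstream_for_partner": internet.queries - before,  # 0: never left the organization
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Scenario 2 is the security point of the slaving discussion: with the slow forwarder unreachable, the plain-forwarding server quietly starts querying the Internet on its own, whereas the slaved server returns nothing, which is exactly the trade-off you accept when internal nameservers must never talk past the firewall themselves.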
The Forwarders tab inside the DNS Management snap-in holds multiple lists of domains and their associated forwarders specifically to accommodate the conditional forwarding feature. To set up conditional forwarding, follow these steps:
1. Open the DNS Management snap-in on the machine you want to set up for conditional forwarding.
2. Right-click the server name and choose Properties from the context menu.
3. Navigate to the Forwarders tab, and then click the New button to the right of the DNS domain box.
4. In the New Forwarder box, enter the name of the DNS domain to configure forwarding for, and then press OK.
5. Click the new domain within the DNS domain list, and then in the Selected domain's forwarder IP address list, enter the IP address to which requests should be forwarded.
6. In the Number of seconds before forward queries time out field, enter 5.
7. Leave the Do not use recursion for this domain box at the bottom of the screen unchecked, because you don't want to slave your nameserver permanently to a forwarder for only certain domains.
8. Click Apply, and then OK, to complete the process.