DNS Forwarders

    Question

  • Hi!

    What is the benefit of using DNS Forwarders and is it recommended to use them? Secondly, what should be the DNS settings on the firewall WAN interface? Should it be the internal DNS server's address or the ISP's DNS?

    Thanks.

    Sunday 18 March 2012 09:14


All replies

  • Hello,

    Whether or not you use DNS forwarders depends on your requirements.  For example, if you have many DNS servers in your internal network, for example at branch offices, and two DNS servers at your main office, it usually makes sense to configure the branch office DNS servers as forwarders so that they forward to the main office DNS and take advantage of their cache.

    Now, with regard to your main office DNS servers, should you forward to your ISP, open public DNS, or use root hints?  There is no right or wrong.  I always prefer to use root hints, but many like to forward to their ISP.  This all depends on your provider, and possibly where you are in the world.

    DNS settings for Firewall WAN Interface?  I do not know what you mean by this...  I am going to assume that you mean what the DNS settings should be for the DNS server itself?  If so, configure the DNS server's NIC to point to its own interface's IP, or its loopback address is OK - 127.0.0.1.  Do not configure the DNS server's NIC to point to an external DNS server.


    Guides and tutorials, visit ITGeared.com.


    • Proposed as answer by Jonathan - IT Am Monday 19 March 2012 14:03
    • Marked as answer by Tiger Li Thursday 22 March 2012 10:27
    Sunday 18 March 2012 21:34
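Jorge's two recommendations (branch servers forward to the hub and ride its cache; the server's own NIC points at itself, never at the ISP), as an added PowerShell example. This is not code from the thread; it assumes the DnsServer and DnsClient modules of Windows Server 2012 or later, and the hub addresses 10.0.0.10/10.0.0.11, the branch server address 10.1.0.5 and the adapter alias Ethernet are hypothetical.

```powershell
# Added example, not code from the thread. Run on the branch-office DNS server.
# Assumed: DnsServer + DnsClient modules (Windows Server 2012 or later); every
# address and the adapter alias below are hypothetical.
$HubDns    = @('10.0.0.10', '10.0.0.11')   # main-office DNS servers (assumed)
$BranchNic = 'Ethernet'                    # this server's LAN adapter (assumed)
$SelfIp    = '10.1.0.5'                    # this server's own address (assumed)

# 1. Forward every name this server is not authoritative for to the hub servers
#    and reuse their cache. UseRootHint $false makes the branch server forward-only:
#    if the hub is unreachable it fails instead of iterating from the roots itself.
Set-DnsServerForwarder -IPAddress $HubDns -UseRootHint $false -Timeout 5

# 2. The server's own resolver points at itself (own IP first, loopback second),
#    not at the ISP, so AD lookups always land in the internal namespace.
Set-DnsClientServerAddress -InterfaceAlias $BranchNic -ServerAddresses $SelfIp, '127.0.0.1'

# 3. Verify the effective configuration.
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint, Timeout
Get-DnsClientServerAddress -InterfaceAlias $BranchNic -AddressFamily IPv4 | Format-List ServerAddresses

# 4. An external name is now answered through the hub (and warms the hub's cache);
#    names in the branch server's own AD-integrated zones are still answered locally.
Resolve-DnsName -Name 'www.example.com' -Server $SelfIp -DnsOnly -Type A
```

The forwarder only handles names the branch server cannot answer itself; zones it hosts are unaffected. Setting `-UseRootHint $false` is the PowerShell equivalent of the old `dnscmd /ResetForwarders ... /Slave` behaviour.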
  • Agree with Jorge

    Everything depends on your network topology and size.

    Actually I prefer to use the ISP as forwarder, as they have a bigger cache and will give a faster response than root hints.

    I don't recommend public DNS like 8.8.8.8 as forwarders; their downtime is higher than your ISP's.


    Renato Kurti CCNA,CCNP Security,CCAI,MCP,MCTS,MCITP:EA,MCT

    Monday 19 March 2012 13:31
  • - DNS server from ISP is most of the time faster.
    - DNS server from GOOGLE has never given me problems and haven't seen downtime so far
    - Want to be sure what is faster? Please go to http://code.google.com/p/namebench/ and do some testing.

    May I ask where you got the information that Google's public DNS server was down, Mr. Kurti? I have never seen it go down. It could be me of course. I'm not a pro yet and am still studying.

    ---

    Jonathan

    Monday 19 March 2012 14:02
  • Hi,

    Thanks for posting here.

    > What is the benefit of using DNS Forwarders and is it recommended to use them?

    It depends. We set up a forwarder when we want to forward incoming queries that the local DNS servers cannot resolve to remote or other DNS servers. We can get the explanation from the link below:

    Using Query Forwarding
    http://technet.microsoft.com/en-us/library/cc816653(WS.10).aspx

    >Secondly, what should be the DNS Settings on the Firewall WAN Interface? Should it be the internal dns server's address or ISP DNS?

    If the firewall you refer to is the edge device of your network, configured as a NAT device for sharing the Internet connection, then it is better to use the DNS servers provided by the ISP on the external-facing interface. We have a similar scenario for reference:

    How to configure Network Address Translation in Windows Server 2003
    http://support.microsoft.com/kb/816581

    But all of the above is general discussion; could you describe your current networking conditions and concerns in more detail?

    Thanks.

    Tiger Li

    TechNet Community Support

    • Marked as answer by Tiger Li Thursday 22 March 2012 10:28
    Tuesday 20 March 2012 06:58
  • You use a DNS forwarder for the following reason as far as I know:

    If a client goes to your internal DNS server that you have set up to find the IP address of google.com and your internal DNS server can't find it, then you can forward that question to another DNS server which mostly can find external addresses like google.com. In most cases I use Google's public DNS servers (8.8.8.8 and 8.8.4.4), which everyone can use, to forward those DNS questions.

    My drawing may suck, but this is how I learned it. ;)

    So in short, you use a forwarder if that DNS server can't find the name/website that you want to visit. Without it you can't get a connection.

    For your firewall I would use as DNS your internal DNS server which you have set up. This is the best for security reasons.


  • Jonathan,

    Unless I'm missing something in your drawing, or misunderstanding the top part of the drawing, I would like to point out that if a DNS server does not have a Forwarder configured, it will simply use the Root Hints by default, so it will still resolve external names, unless one of two things are changed: Disable Recursion (advanced tab), or create a Root zone.

    So unless I'm missing something, the top part of the drawing should have something about using the Root Hints if no Forwarder has been configured.


    And if I'm missing something, please let me know!



    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    • Proposed as answer by Tiger Li Tuesday 20 March 2012 14:15
    • Marked as answer by Tiger Li Thursday 22 March 2012 10:28
    Tuesday 20 March 2012 13:33
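The rule Ace states above (a server with no forwarder uses its root hints, unless recursion is disabled or a root zone exists) can be checked on the server itself rather than inferred from a drawing. This is an added PowerShell example, not code from the thread; it assumes the DnsServer module of Windows Server 2012 or later and is run on the DNS server, and the name www.example.com is just a test name.

```powershell
# Added example, not code from the thread. Reports how this Windows DNS server will
# handle a name it is not authoritative for, in the order the server applies:
# recursion disabled -> local root zone "." -> forwarders -> root hints.
# Assumed: DnsServer module (Windows Server 2012 or later), run on the DNS server.
function Get-ExternalResolutionMode {
    $recursion  = Get-DnsServerRecursion
    $forwarders = Get-DnsServerForwarder
    $rootZone   = Get-DnsServerZone | Where-Object { $_.ZoneName -eq '.' }
    $rootHints  = @(Get-DnsServerRootHint)

    if (-not $recursion.Enable) {
        return 'No external resolution: recursion is disabled (Advanced tab).'
    }
    if ($rootZone) {
        return 'No external resolution: this server hosts a root zone "." and believes it is the root.'
    }
    if ($forwarders.IPAddress) {
        $list = $forwarders.IPAddress -join ', '
        if ($forwarders.UseRootHint) {
            return "Forwarding to $list; falls back to root hints if they do not answer."
        }
        return "Forwarding to $list only (forward-only, no root-hint fallback)."
    }
    if ($rootHints.Count -gt 0) {
        return "Root hints: iterating from $($rootHints.Count) root servers."
    }
    return 'No forwarders and no root hints: external names will fail.'
}

Get-ExternalResolutionMode

# Cross-check on the wire: a recursive query for an external name should succeed
# in every case except "recursion disabled", "root zone" and "nothing configured".
Resolve-DnsName -Name 'www.example.com' -Server 127.0.0.1 -DnsOnly -Type A
```

The root-zone case is the one that surprises people: a "." zone is sometimes created by accident when a server is promoted without Internet access, and from then on the server answers NXDOMAIN for every external name no matter what the forwarder or root-hint settings say.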
  • You got a point there! I'm still learning, but forwarding comes in handy if the current DNS server hasn't got an A record about a certain machine which also can't be found through the root hints. That www.google.com is a big mistake on my side and thank you for pointing this out!

    Maybe it's better to post this for the OP: http://technet.microsoft.com/en-us/library/cc782142(v=ws.10).aspx I'm just confusing everybody.

    Tuesday 20 March 2012 13:55
    Jonathan, no problem. And that is a good link about understanding forwarders (its title, too).

    .

    As far as the original question whether we should use one or not, as Jorge said, for security reasons, I also prefer Root Hints, and to expand on this topic, there are times when Roots may not do the trick, such as if your firewall is blocking EDNS0, or in some isolated incidents, in Windows 2008 R2 resolving certain malformed CNAMEs.

    More on CNAME problems that a forwarder will overcome:

    Good explanation of what's going on with DIG examples showing the differences in the TTLs:
    TechNet thread: "Found a bug in Server 2008 R2 DNS. it will NOT resolve a valid entry that all other DNS implementations do just fine" 2/17/2012
     http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/e4a97a9b-cb1d-43f1-aa5b-1abb34bddfa5

    Read Obi's explanations in his posts in the following thread for a greater understanding regarding cache protection from poisoning. He's a DNS engineer/developer who wrote Treewalk.
    TechNet thread: "Windows 2008 R2 DNS Query Not Retrieving all Records" (7/19/2012)
     http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/3f5a0947-f2a7-4d59-9eed-9fcea1df5558


    More on EDNS0 that a forwarder will overcome:

    What is EDNS0? (Extension mechanisms for DNS)
    http://msmvps.com/blogs/acefekay/archive/2010/10/11/edns0-extension-mechanisms-for-dns.aspx 


    In a scenario such as requiring a forwarder, but wanting to keep it secured, we can configure a secured forwarder, such as your own DNS server (unjoined, not part of a domain, etc.), in the DMZ with no zones on it. Its only job is to act as a proxying forwarder, such as the picture below:


    And to expand further on forwarders, here's a snippet from that KB link you posted (Understanding Forwarders), and an explanation:

    "Without having a specific DNS server designated as a forwarder, all DNS servers can send queries outside of a network using their root hints. As a result, a lot of internal, and possibly critical, DNS information can be exposed on the Internet. In addition to this security and privacy issue, this method of resolution can result in a large volume of external traffic that is costly and inefficient for a network with a slow Internet connection or a company with high Internet service costs."

    What does this mean?

    There is always a risk of exposing internal resources one way or another when requiring internet connectivity.

    As for forwarding or Roots, that's been a long discussed and argued topic. Me? I prefer forwarders to offload queries externally, plus it overcomes any EDNS0 issues on the firewall.

    Is it safe? Who knows. Root recursion does directly send out queries; then again, if using a forwarder, the forwarder is acting as a proxy resolver anyway and the traffic can be captured. Maybe the better way is to install a slave resolver in the DMZ or in another part of the network with its sole purpose as a Forwarder for company internet resolution, then forward that guy to an external resolver. But captured traffic will still show the queries.

    So what's the best way? Who knows. Sometimes it comes down to how much money you want to throw at it. Anyone targeting a specific company's traffic is not safe from anything, whether using Roots or Forwarders. If someone wants something from a particular company, they will find a way to get it.

    More on Forwarders, as well as a great conversation between myself and ObiWan on the pros and cons:

    Forum thread: Problems disabling EDNS
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/4f39e565-5bf3-4d8f-8aea-580baac38d15/

    DNS question - Root hints vs. Forwarders 6/15/2011
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/2f35cae2-341c-4bfe-9dac-724ddace6d51

    DNS forwarders is not resolving in W2k8
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/56d5eb14-9115-4078-b64a-1970b009e9fd

    W2003 DNS cache snooping vulnerability for PCI-DSS compliance.
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/67e9189b-606a-40d2-9944-8b4c7d084017


    I hope that helps!



    Ace Fekay
    Microsoft MVP - Directory Services

    • Marked as answer by Tiger Li Thursday 22 March 2012 10:28
    Tuesday 20 March 2012 14:27
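Ace's DMZ "proxying forwarder" (a standalone, unjoined server with no zones, to which the internal DNS servers forward, which in turn forwards to an external resolver), together with the cache-snooping check behind the PCI-DSS thread he links, as one added PowerShell example. It is not code from the thread; it assumes the DnsServer and NetSecurity modules of Windows Server 2012 or later on both machines, and the addresses 192.0.2.53 (DMZ resolver), 198.51.100.1/.2 (ISP resolvers) and 10.0.0.10/.11 (internal DNS servers) are hypothetical.

```powershell
# Added example, not code from the thread. Two halves: what runs on the DMZ
# resolver, and what runs on each internal DNS server. Assumed: DnsServer and
# NetSecurity modules (Windows Server 2012 or later); all addresses hypothetical.
$DmzResolver  = '192.0.2.53'                          # unjoined box in the DMZ
$IspResolvers = @('198.51.100.1', '198.51.100.2')     # upstream (or omit and use root hints)
$InternalDns  = @('10.0.0.10', '10.0.0.11')           # the only clients allowed to recurse

# ---- On the DMZ resolver ----------------------------------------------------
# No zones: it knows nothing about the internal namespace, it only caches and forwards.
$userZones = Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated }
if ($userZones) { throw "Remove these zones first: $($userZones.ZoneName -join ', ')" }

Set-DnsServerForwarder -IPAddress $IspResolvers -UseRootHint $true -Timeout 5
Set-DnsServerRecursion -Enable $true -SecureResponse $true   # discard out-of-bailiwick records
Set-DnsServerCache     -PollutionProtection $true
# Keep EDNS0 on. Turn probes off ($false) only once a capture proves the edge firewall
# drops EDNS0 replies (the symptom Ace describes), not as a reflex.
Set-DnsServerEDns      -EnableProbes $true

# Only the internal DNS servers may query it. Scope the DNS Server role's own inbound
# rules to them; the host firewall's default inbound policy (block) covers everyone else.
# Rule group name as created by the role on Server 2012 (assumed; check with Get-NetFirewallRule).
Get-NetFirewallRule -DisplayGroup 'DNS Service' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $InternalDns

# ---- On each internal DNS server -------------------------------------------
# Forward-only to the DMZ resolver: the DCs never talk to the Internet themselves,
# so root-hint iteration cannot leak internal query patterns to every TLD server.
Set-DnsServerForwarder -IPAddress $DmzResolver -UseRootHint $false -Timeout 5

# ---- Cache-snooping check (run from a host outside the firewall) -------------
# A non-recursive query (RD=0) is answered only from cache, so an answer proves the
# name was recently looked up by someone behind the resolver. That is the finding
# PCI scanners report; after the rule scoping above an outside client gets nothing.
function Test-CacheSnoop {
    param([string]$Server, [string]$Name)
    $r = Resolve-DnsName -Name $Name -Server $Server -Type A -DnsOnly -NoRecursion -ErrorAction SilentlyContinue
    return [bool]($r | Where-Object { $_.QueryType -eq 'A' })
}
Test-CacheSnoop -Server $DmzResolver -Name 'www.example.com'   # False is the wanted result
```

The edge firewall still has to allow only the DMZ resolver outbound on UDP and TCP 53 (and allow the EDNS0-sized replies back in); that part lives on the hardware firewall, not in this script. As Ace notes, none of this hides the queries from someone who can capture traffic between the DMZ resolver and the ISP; it limits what the Internet can learn from the internal servers directly and who can read the cache.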
  • Before I read all the above, can I have one recommendation for my kind of network, which consists of 2 Windows 2003 DCs with the DNS and DHCP roles installed, ISA 2006 (single NIC), and a hardware firewall on the edge?

    Is it ok to use your ISP DNS Servers as Forwarders on your DNS Server even if the Server is a Domain Controller as well?

    Thanks.

    Thursday 29 March 2012 22:16
  • Using or not using Forwarders has been highly debated over the years. It also depends on the vertical market your company is in, and whether you have to follow US Federal or your own local country's laws, such as if you are a pharma, deal with sensitive data or products, etc.

    In many cases, the secure method is to simply use the Root hints. The more secure method is to setup a secure resolver design, like I've shown above. Otherwise, you can simply use your ISP's DNS for forwarders, no matter what other roles are on the DNS server.


    I assume your DC is single homed, too.

    And you have DHCP on both DCs? Are they setup in an 80/20 split scope design?


    As for the ISA box, if using a single NIC, I assume it's just for web browsing control and caching, and you are not using its firewall features.



    Ace Fekay
    Microsoft MVP - Directory Services

    Friday 30 March 2012 00:39
  • Yes you are right. ISA is for Web Control and Caching. DCs are also single NIC, but I am using only one DC for DHCP and need to use both.

    Thanks.

    Friday 30 March 2012 10:23
  • > Yes you are right. ISA is for Web Control and Caching. DCs are also single NIC, but I am using only one DC for DHCP and need to use both.
    >
    > Thanks.

    So you want to also use split scopes? Ok, no problem. Here's some info on it to help you:


    ======
    DHCP Split Scopes

    DHCP Step-by-Step Guide: Demonstrate DHCP Split Scope with Delay on a Secondary Server in a Test Lab
    http://technet.microsoft.com/en-us/library/ee405264(WS.10).aspx

    DHCP - How to configure split-scope using wizard
    "Split-scope configuration (Widely known as 80/20 Configurations) is typically considered as high-availability deployment scenario for the DHCP Server. It involves configuring scopes with the same subnet address and subnet mask and configuration on two distinct DHCP Servers."
    http://blogs.technet.com/b/teamdhcp/archive/2009/01/22/how-to-configure-split-scope-using-wizard.aspx

    Windows 2008 R2 features part V: DHCP Split-scope
    http://blog.studiographic.nl/?p=219


    Two great threads on DHCP Failover, including a post from Obi Wan about a 100/100 rule using four servers and adding a bit to the mask to increase it. Please read for specifics:

    Technet Thread - DHCP Failover
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/b384c07c-008f-4176-aee9-643288292321/
    and
    TechNet Thread - DHCP Failover:
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/d0d6b210-c57c-4a05-8763-a6a67895ace5/

    Technet Thread: "dual dhcp servers serving same scope possible 4 windows2008?"
     http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/0fa16179-24e9-4b0b-be1d-cc0a6b38b350 


    Ace Fekay
    Microsoft MVP - Directory Services

    Friday 30 March 2012 15:35
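The 80/20 split scope with a delay on the secondary server that the linked guides walk through in the MMC wizard, as an added PowerShell example. It is not code from the thread or from the linked articles; it assumes the DhcpServer module of Windows Server 2012 or later on both DHCP servers (the OP's Windows 2003 DCs would have to use the wizard), and the subnet 10.1.0.0/24, the router 10.1.0.1, the DNS servers 10.1.0.5/.6, the domain corp.example.com and the server names DC1/DC2 are hypothetical.

```powershell
# Added example, not code from the thread. Creates the same scope on two DHCP servers
# and carves it 80/20 with exclusion ranges, so each server only leases its own share;
# the secondary delays its DHCPOFFER so the primary normally wins the race.
# Assumed: DhcpServer module (Windows Server 2012 or later); names/addresses hypothetical.
$Scope = @{
    Name       = 'Branch LAN'
    ScopeId    = '10.1.0.0'
    StartRange = '10.1.0.50'
    EndRange   = '10.1.0.249'      # 200 addresses in the pool
    SubnetMask = '255.255.255.0'
}
$Primary   = 'DC1'
$Secondary = 'DC2'
$Split     = '10.1.0.209'          # .50-.209 = 160 (80%) primary, .210-.249 = 40 (20%) secondary

foreach ($srv in $Primary, $Secondary) {
    Add-DhcpServerv4Scope -ComputerName $srv -Name $Scope.Name -StartRange $Scope.StartRange `
        -EndRange $Scope.EndRange -SubnetMask $Scope.SubnetMask -State Active -LeaseDuration 8.00:00:00
    # Identical options on both servers, otherwise clients behave differently depending on who answered.
    Set-DhcpServerv4OptionValue -ComputerName $srv -ScopeId $Scope.ScopeId `
        -Router 10.1.0.1 -DnsServer 10.1.0.5, 10.1.0.6 -DnsDomain corp.example.com
}

# Primary keeps 80%: exclude the top 20% on it.
Add-DhcpServerv4ExclusionRange -ComputerName $Primary -ScopeId $Scope.ScopeId `
    -StartRange 10.1.0.210 -EndRange $Scope.EndRange
# Secondary keeps 20%: exclude the bottom 80% on it, and answer 1 s late.
Add-DhcpServerv4ExclusionRange -ComputerName $Secondary -ScopeId $Scope.ScopeId `
    -StartRange $Scope.StartRange -EndRange $Split
Set-DhcpServerv4Scope -ComputerName $Secondary -ScopeId $Scope.ScopeId -Delay 1000

# Verify: the free pool should read 160 on DC1 and 40 on DC2 before any leases are handed out.
foreach ($srv in $Primary, $Secondary) {
    Get-DhcpServerv4ScopeStatistics -ComputerName $srv -ScopeId $Scope.ScopeId |
        Select-Object @{ n = 'Server'; e = { $srv } }, Free, InUse, Reserved
}
```

Because both servers are authorized in AD and see the same DISCOVER broadcasts, the delay is what makes this predictable: the secondary only wins when the primary is down or slow. Without the exclusions the two servers would hand out overlapping addresses, which is the failure the 80/20 rule exists to prevent.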