Question about DNS forwarders

Veets

G'day!
We're currently running 2 Windows 2000 Domain Controllers behind a firewall.
If I look at the DNS properties for these 2 servers however, I notice that
they aren't using any forwarders. All our Internet traffic is working great
though (we're able to browse the internet, send email, etc, etc). My
question is this:
When/why would I ever need to use a forwarder if all my internet activity is
still working?
Sorry if my question is a little vague, but any insight/info is appreciated.
Best Regards,
Veets
 
Most likely you're using root hints (iteration) for your Internet resolution on those
servers. That is on by default after you delete the "." zone, if that
existed. There could be many reasons why you might use a forwarder in
addition to or instead of root hints. This could be for security/firewall
issues (narrow the open IP/port pair for DNS queries), for infrastructure
reasons (i.e. you're forwarding to a parent who does the resolution), for aggregation
reasons (make a bridgehead), and it can act as redundancy: using
forwarders first, then your root hints. Obviously, if you have W2K3, you may
also want to set up a forward zone at some point.
 
Thanks William,
Yeah, we are using root hints. I just didn't understand why we would use
forwarders if we can use root hints instead. As usual your reply was
informative & to the point. Best regards.
Veets
 

Hi :-) !
We're currently running 2 Windows 2000 Domain Controllers behind a firewall.
If I look at the DNS properties for these 2 servers however, I notice that
they aren't using any forwarders. All our Internet traffic is working great
though (we're able to browse the internet, send email, etc, etc).

This means that your DNS servers are able to reach the Internet and
are using the root servers to carry on DNS resolution on their own. This
is a good thing, since it means that, aside from the root servers, you are
not relying on external servers for your DNS tasks.
My question is this:
When/why would I ever need to use a forwarder if all my internet activity
is still working?

Well, this question has more than one answer. Forwarders may be used
if you have a low-powered machine or not so much bandwidth; in such a
case, using the forwarders you delegate all the real processing related
to DNS resolution to the external servers to which you forward your queries,
which means that the local DNS will only act as a "cache". Also, forwarding
may be used in particular situations; for example, you may have a DNS
sitting in a DMZ which carries on resolution and point all the LAN DNS
to it (forward), so that the LAN DNS servers won't be allowed to reach the
Internet while the DMZ one will. This way only one DNS (or a cluster of DNS)
will carry on external resolution while the others will be kept "insulated"
from the Internet... and there's more; mine were just a couple of examples.

--

* ObiWan

DNS "fail-safe" for Windows 2000 and 9X clients.
http://ntcanuck.com

408 XP/2000 tweaks and tips
http://ntcanuck.com/tq/Tip_Quarry.htm
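The two resolution modes William and ObiWan describe, as an added example that is not part of the thread: a small Python model of a DNS server answering an external query either by iterating from its root hints or by handing the query to a forwarder, recording which remote addresses the server itself has to reach. The servers, zones and addresses are constructed (RFC 5737 documentation ranges, not real hosts), the forwarder fallback follows the Windows "slave" (forward-only) versus non-slave setting, and nothing here touches the network.

```python
"""Toy model of how a Windows DNS server reaches an external name: iterating
from root hints versus forwarding to another recursive server. All servers
and addresses below are constructed (RFC 5737 documentation ranges)."""

# Root hints: the only servers the iterating resolver knows about up front.
ROOT_HINTS = ["192.0.2.1"]

# Constructed authoritative servers. Each one either holds final answers or
# hands out a referral (the next server's IP, i.e. NS + glue) for a child zone.
AUTH = {
    "192.0.2.1":    {"refer": {"com.": "192.0.2.10"}},                 # root
    "192.0.2.10":   {"refer": {"example.com.": "198.51.100.5"}},       # .com TLD
    "198.51.100.5": {"answer": {"www.example.com.": "203.0.113.80"}},  # example.com
}


class ForwarderTimeout(Exception):
    """The forwarder never replied (as opposed to returning a negative answer)."""


def iterate(qname, contacted):
    """Resolve qname by walking referrals from the root hints, which is what
    Windows DNS does with no forwarders configured. Every server this resolver
    talks to is appended to `contacted`; returns the A record or None."""
    server = ROOT_HINTS[0]
    for _ in range(8):  # bound the referral chain
        contacted.append(server)
        data = AUTH[server]
        if qname in data.get("answer", {}):
            return data["answer"][qname]
        # follow the referral for the longest zone that is a suffix of qname
        zones = [z for z in data.get("refer", {}) if qname.endswith(z)]
        if not zones:
            return None  # no delegation covers the name: NXDOMAIN
        server = data["refer"][max(zones, key=len)]
    return None


def forward(qname, forwarder, reachable, contacted):
    """Send the whole query to `forwarder` and let it recurse. This server only
    ever talks to the forwarder; the root/TLD/authoritative servers are reached
    over the forwarder's own network path, not ours."""
    contacted.append(forwarder)
    if forwarder not in reachable:
        raise ForwarderTimeout(forwarder)
    return iterate(qname, [])  # the forwarder's hops are not this server's


def resolve(qname, forwarders=(), slave=False, reachable=frozenset()):
    """Windows DNS forwarder semantics: try forwarders in order; a forwarder
    that answers (even negatively) ends the lookup. If every forwarder times
    out, fall back to root hints unless the server is a 'slave' (forward-only),
    in which case the lookup fails closed.
    Returns (answer_or_None, list of IPs this server itself contacted)."""
    contacted = []
    for fwd in forwarders:
        try:
            return forward(qname, fwd, reachable, contacted), contacted
        except ForwarderTimeout:
            continue
    if slave:
        return None, contacted
    return iterate(qname, contacted), contacted


def egress_needed(contacted):
    """Distinct destinations the perimeter firewall has to allow on port 53
    for this resolution pattern."""
    return sorted(set(contacted))


if __name__ == "__main__":
    q = "www.example.com."
    for label, kw in [
        ("root hints only", {}),
        ("forwarder up", {"forwarders": ("192.0.2.53",), "reachable": {"192.0.2.53"}}),
        ("forwarder down, slave", {"forwarders": ("192.0.2.53",), "slave": True}),
        ("forwarder down, fallback", {"forwarders": ("192.0.2.53",)}),
    ]:
        ans, hit = resolve(q, **kw)
        print(f"{label:26} answer={ans} egress={egress_needed(hit)}")
```

The `egress_needed` list is William's firewall point in concrete form: with root hints alone the server must be allowed outbound port 53 to root, TLD and authoritative servers anywhere on the Internet, while a forwarding server needs a single destination. ObiWan's DMZ layout is the "forwarder up" case with `slave=True` on the LAN servers, so a dead DMZ resolver makes LAN lookups fail rather than having the LAN servers quietly start iterating through the firewall themselves. The model omits caching and the multi-forwarder timeout tuning a real server has.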
 
Thanks ObiWan!

 