10 DNS Forwarders Best Practices

DNS forwarders are an important part of any DNS infrastructure. Here are 10 best practices for using DNS forwarders.

DNS forwarders are an important part of any DNS infrastructure. They provide a way to resolve DNS queries for domains that are not hosted locally. By configuring DNS forwarders, you can improve the performance of DNS queries and reduce the load on your DNS servers.

In this article, we will discuss 10 best practices for configuring DNS forwarders. By following these best practices, you can ensure that your DNS infrastructure is efficient and secure.

1. Use Forwarders to Improve DNS Performance

When a DNS server receives a query for a domain name that it is not authoritative for, it will need to send a query to another DNS server to resolve the request. This process is known as recursion.

If the DNS server does not have a forwarder configured, it will need to perform a recursive lookup on its own. This can be time-consuming and may even result in a timeout if the DNS server is unable to resolve the request.

On the other hand, if the DNS server has a forwarder configured, it can simply send the query to the forwarder and get a response back much quicker. This can greatly improve DNS performance, especially for large organizations with many DNS servers.

It’s also important to note that you should only use forwarders for domains that you are not authoritative for. If you use forwarders for domains that you are authoritative for, it can cause problems such as incorrect results being returned or increased latency.
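The steps above, as an added PowerShell example that is not part of the original article: it checks each candidate forwarder directly before committing to it, then sets the forwarder list on the local Windows DNS server with a short per-forwarder timeout. The forwarder addresses and the probe name are placeholders; the `DnsServer` and `DnsClient` modules are assumed to be installed, as on any Windows DNS server. Server-level forwarders apply only to queries the server cannot answer from its own zones, so the zones you are authoritative for are never sent to them.

```powershell
# Added example (not from the original article): configure and verify
# server-level forwarders on a Windows DNS server.
#Requires -Modules DnsServer, DnsClient

$Forwarders = @('203.0.113.10', '203.0.113.11')   # placeholders: upstream resolvers
$ProbeName  = 'example.com'                        # placeholder: a name every forwarder should resolve

# Probe each forwarder directly, bypassing the local server and the client cache,
# so a dead or misconfigured forwarder is caught before it is put into service.
$Healthy = foreach ($ip in $Forwarders) {
    try {
        $null = Resolve-DnsName -Name $ProbeName -Type A -Server $ip -DnsOnly -ErrorAction Stop
        $ip
    } catch {
        Write-Warning "Forwarder $ip did not answer for $ProbeName : $($_.Exception.Message)"
    }
}

if (-not $Healthy) {
    throw 'No forwarder answered; leaving the current forwarder configuration untouched.'
}

# Replace the server's forwarder list with the responsive ones. Timeout is the
# number of seconds to wait on each forwarder before trying the next one.
Set-DnsServerForwarder -IPAddress $Healthy -Timeout 3

# Show what is now configured.
Get-DnsServerForwarder | Format-List IPAddress, Timeout, UseRootHint
```

Run it in an elevated session on the DNS server itself; add `-ComputerName` to the `DnsServer` cmdlets to manage a remote server.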

2. Configure the Windows Server 2003 DNS Service for a Secure Environment

By default, the DNS Server service in Windows Server 2003 will accept queries from any computer. This means that if an attacker can send a DNS query to your server, they can potentially get sensitive information about your internal network.

To mitigate this risk, you should configure the DNS Server service to only accept queries from computers that are on your internal network. You can do this by opening the DNS Manager console, right-clicking on the server, and selecting Properties. On the General tab, select the option for “Only answer queries from computers running Windows 2000 or later.”

This best practice will help to prevent attackers from using your DNS server to gain information about your internal network.

3. Use Conditional Forwarding in Your Network

When you use conditional forwarding, you’re essentially telling DNS server X to forward all queries for domain Y to DNS server Z. This is useful in a number of scenarios, but it’s particularly helpful when you have multiple domains and want to keep your DNS traffic localized.

For example, let’s say you have two domains: example.com and test.com. You could configure DNS server X (which is authoritative for both domains) to forward all queries for test.com to DNS server Y, which is authoritative for that domain. All other queries would be handled by DNS server X.

This has a few benefits. First, it reduces the load on DNS server X, since it doesn’t have to process as many queries. Second, it can improve performance, since queries are being handled by the server that’s closest to the source. And finally, it can improve security, since you’re not exposing your entire network to DNS queries for test.com.

Of course, there are some drawbacks to using conditional forwarding. The biggest one is that it can complicate your DNS configuration, since you need to set up and maintain separate zones for each domain. But if you have a large or complex network, the benefits usually outweigh the costs.
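The test.com scenario above, as an added PowerShell example that is not from the original article: it creates a conditional forwarder zone for test.com pointing at the server that is authoritative for it, but first refuses to do so if the local server already hosts an authoritative zone of that name, which is the conflict item 1 warns about. The target address is a placeholder for the article's "DNS server Y", and the forest-wide replication scope is an assumption about an Active Directory environment.

```powershell
# Added example (not from the original article): conditional forwarding for
# one domain, with a guard against forwarding a zone this server is
# authoritative for, and a check that the forwarder actually works.
#Requires -Modules DnsServer, DnsClient

$Domain        = 'test.com'
$TargetServers = @('192.0.2.53')   # placeholder: the server authoritative for $Domain

$existing = Get-DnsServerZone -Name $Domain -ErrorAction SilentlyContinue
if ($existing -and $existing.ZoneType -ne 'Forwarder') {
    throw "$Domain is already hosted locally as a $($existing.ZoneType) zone; do not forward a zone you are authoritative for."
}

if (-not $existing) {
    # Store the conditional forwarder in Active Directory so every DNS server
    # in the forest receives it (assumption: AD-integrated environment).
    Add-DnsServerConditionalForwarderZone -Name $Domain -MasterServers $TargetServers `
        -ReplicationScope Forest -ForwarderTimeout 3
}

# Verify: the answer obtained through the local server must match the answer
# obtained from the authoritative server directly.
$probe = "www.$Domain"   # placeholder host name in the forwarded domain
$viaLocal  = (Resolve-DnsName -Name $probe -Type A -Server 127.0.0.1 -DnsOnly -ErrorAction Stop |
              Where-Object Type -eq 'A').IPAddress | Sort-Object
$viaTarget = (Resolve-DnsName -Name $probe -Type A -Server $TargetServers[0] -DnsOnly -ErrorAction Stop |
              Where-Object Type -eq 'A').IPAddress | Sort-Object

if (($viaLocal -join ',') -eq ($viaTarget -join ',')) {
    "Conditional forwarder for $Domain is working: $probe -> $($viaLocal -join ', ')"
} else {
    Write-Warning "Local answer ($($viaLocal -join ', ')) differs from authoritative answer ($($viaTarget -join ', ')); check for a stale cache or a competing zone."
}
```

The guard matters because a conditional forwarder zone and an authoritative zone cannot coexist under the same name, and an accidental forwarder for a zone you host is exactly the "incorrect results or increased latency" failure described in item 1.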

4. Use Root Hints When Forwarders Are Not Available

When a DNS server is configured to use forwarders, it will send queries to the forwarders for any domains that are not in its cache. If the forwarders are unavailable, the DNS server will be unable to resolve queries for those domains.

To prevent this from happening, you should configure your DNS server to use root hints. Root hints are a list of DNS servers that are authoritative for the root zone of the DNS namespace. When a DNS server is configured to use root hints, it will send queries to the root servers if the forwarders are unavailable.

Configuring your DNS server to use root hints is a best practice because it ensures that your DNS server will always be able to resolve queries, even if the forwarders are unavailable.

5. Do not use forwarders if you are using Active Directory-integrated zones

When you use Active Directory-integrated zones, the DNS information for those zones is stored in Active Directory. This means that if you have a DNS forwarder configured, and the DNS server that the forwarder points to goes down, your DNS clients will not be able to resolve names for those Active Directory-integrated zones.

Therefore, it is best to only use DNS forwarders if you are not using Active Directory-integrated zones.

6. If your network uses conditional forwarding, configure the root hints on the DNS servers that host the conditional forwarder zone as well as the DNS servers that do not host any conditional forwarder zones

A conditional forwarder only covers queries for its own domain. The DNS servers that host the conditional forwarder zone therefore still need root hints to resolve queries for domains outside that zone, and so do the DNS servers that host no conditional forwarder zone at all; without root hints, neither group can resolve names outside the conditional forwarder zone. That breaks name resolution for devices on your network that need to reach resources outside of it.

To avoid these problems, make sure that all of the DNS servers on your network have root hints configured. This will ensure that all DNS servers on your network are able to resolve queries for both domains inside and outside of the conditional forwarder zone.
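Items 4 and 6 together, as an added PowerShell example that is not part of the original article: it walks every DNS server in the domain, imports root hints where none are present, and makes sure servers that have forwarders fall back to root hints when those forwarders do not respond (the `UseRootHint` setting). The server list is taken from Active Directory, which is an assumption; the name of the known-good server to copy root hints from is a placeholder.

```powershell
# Added example (not from the original article): audit and repair root hints
# and forwarder fallback on every DNS server in the domain.
#Requires -Modules DnsServer, ActiveDirectory

# Assumption: all domain controllers run DNS. Replace with an explicit list otherwise.
$DnsServers      = (Get-ADDomainController -Filter *).HostName
$KnownGoodServer = 'dns01.corp.example'   # placeholder: a server whose root hints are verified

$report = foreach ($server in $DnsServers) {
    $hints = @(Get-DnsServerRootHint -ComputerName $server -ErrorAction SilentlyContinue)
    if ($hints.Count -eq 0) {
        Write-Warning "$server has no root hints; importing from $KnownGoodServer"
        Import-DnsServerRootHint -ComputerName $server -NameServer $KnownGoodServer
        $hints = @(Get-DnsServerRootHint -ComputerName $server -ErrorAction SilentlyContinue)
    }

    $fwd = Get-DnsServerForwarder -ComputerName $server
    if ($fwd.IPAddress -and -not $fwd.UseRootHint) {
        # Forwarders configured but no fallback: an outage upstream would stop all
        # external resolution on this server (item 4).
        Write-Warning "$server has forwarders but no root-hint fallback; enabling it"
        Set-DnsServerForwarder -ComputerName $server -IPAddress $fwd.IPAddress -UseRootHint $true
        $fwd = Get-DnsServerForwarder -ComputerName $server
    }

    [pscustomobject]@{
        Server      = $server
        RootHints   = $hints.Count
        Forwarders  = ($fwd.IPAddress -join ', ')
        UseRootHint = $fwd.UseRootHint
    }
}

$report | Format-Table -AutoSize
```

Servers that reach the Internet only through the forwarders will still fail when the forwarders are down, since root hints require direct outbound access to the root servers; the report column `UseRootHint` only tells you the server will try.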

7. Configure the cache time-to-live (TTL) value of the root hints to be less than or equal to the TTL value of the SOA record of the Internet root server zone

The TTL value of the root hints should be less than or equal to the TTL value of the SOA record of the Internet root server zone. If the root hints cache time-to-live (TTL) value is greater than that SOA TTL, then when the DNS forwarder queries the root servers for information about a particular domain, it may receive outdated information. The DNS forwarder could then provide its clients with inaccurate DNS information, which could lead to serious problems.

It’s also important to note that the TTL value of the root hints should not be set to 0 (zero), because if it is, then the DNS forwarder will never cache any root hint information, which could also lead to serious problems.

8. If you have multiple internal networks separated by firewalls and want to use conditional forwarding, configure the firewall to allow only TCP port 53 traffic between the two networks

By doing this, you can prevent DNS spoofing attacks and ensure that only legitimate DNS traffic is allowed between the networks.

9. If you have multiple internal networks separated by firewalls and want to use conditional forwarding, configure the firewall to allow only UDP port 53 traffic between the two networks

By doing this, you can help prevent DNS spoofing attacks and other types of attacks that could exploit vulnerabilities in the DNS protocol.

10. If you have multiple internal networks separated by firewalls and want to use conditional forwarding, configure the firewall to allow both TCP and UDP port 53 traffic between the two networks

This will ensure that DNS queries are not blocked by the firewall and that the forwarder can resolve queries for all internal domains.
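Item 10 in practice, as an added PowerShell example that is not from the original article: it creates Windows Firewall rules on the DNS server that accept port 53 over both UDP and TCP only from the peer internal network, then verifies each transport from the other side. The network ranges and server address are placeholders, and using the host firewall rather than a network firewall is an assumption; the same two-protocol rule applies to either. DNS uses UDP for ordinary queries and TCP for responses too large for UDP and for zone transfers, which is why a forwarder needs both.

```powershell
# Added example (not from the original article): allow DNS over UDP and TCP
# port 53 from the peer network only, then verify both transports.
#Requires -Modules NetSecurity, DnsClient

$PeerNetwork = '10.20.0.0/16'   # placeholder: the other internal network
$DnsServerIp = '10.10.0.53'     # placeholder: this network's DNS server

foreach ($proto in 'UDP', 'TCP') {
    $name = "DNS-ConditionalForwarding-$proto-53-from-Peer"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        # Scoped to the DNS server address, port 53 and the peer range; everything
        # else from the peer network stays subject to the default inbound block.
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
            -Protocol $proto -LocalPort 53 -LocalAddress $DnsServerIp `
            -RemoteAddress $PeerNetwork -Profile Domain | Out-Null
    }
}

Get-NetFirewallRule -DisplayName 'DNS-ConditionalForwarding-*' |
    Get-NetFirewallPortFilter | Format-Table Protocol, LocalPort -AutoSize

# Verification, run from a host on the peer network. Resolve-DnsName uses UDP by
# default; -TcpOnly forces the TCP path so a rule that covers only one protocol shows up.
$probe = 'host.test.com'   # placeholder name in the forwarded domain
Resolve-DnsName -Name $probe -Type A -Server $DnsServerIp -DnsOnly
Resolve-DnsName -Name $probe -Type A -Server $DnsServerIp -DnsOnly -TcpOnly
```

If the UDP query succeeds but the TCP one times out, large responses (for example DNSSEC-signed answers) will fail intermittently even though most lookups appear to work.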
