Conditional Forwarding in Windows Server 2003
Posted by admin on 11 September 2009 11:40 PM
This article describes the Conditional Forwarding feature that is included in Windows Server 2003. A Windows Server 2003-based DNS server can use conditional forwarding to forward queries to other DNS servers based on the DNS domain names that are in the queries. For example, with conditional forwarding, a Windows Server 2003-based DNS server could be configured to forward all of the queries it receives for names that end with sales.microsoft.com to a specific DNS server's IP address, or to the IP addresses of multiple DNS servers. Only Windows Server 2003-based servers can be configured to do this forwarding, but the servers that are running DNS and that receive these forwarded queries can be running any version of DNS.
Intranet Name Resolution
In addition to the benefits of forwarders, conditional forwarding allows for more specific name resolution for off-site and internal domains. Conditional forwarding can benefit internal name resolution by configuring DNS servers with specific forwarders for internal domain names. For example, all name servers in the microsoft.com domain could be configured to forward queries for names that end with marketing.microsoft.com to the authoritative server for marketing.microsoft.com, and this removes the step of querying the internal root servers of microsoft.com, if available, or removes the step of configuring DNS servers in the microsoft.com zone with secondary zones for marketing.microsoft.com.
Internet Name Resolution
DNS servers can use forwarding as a means of resolving queries between the domain names of companies that share information. For example, two companies, Company1 and Company2, allow clients of Company1 to resolve the names of the DNS clients of Company2. The administrators from Company2 inform the administrators of Company1 about the set of DNS servers in the Company2 network where Company1 DNS servers can send queries for the domain company2.com. The DNS servers within the Company1 network are configured to forward all queries for names that end with company2.com to the designated DNS servers in the Company2 network. Consequently, the DNS servers in the Company1 network do not need to query their internal root servers, or the Internet root servers, to resolve queries for names that end with company2.com.
Using Conditional Forwarders
Rather than having a DNS server forward all queries it cannot resolve to forwarders, the DNS server can forward queries for different domain names to different DNS servers according to the specific domain names that are contained in the queries. Forwarding according to these domain-name conditions improves conventional forwarding by adding a second condition to the forwarding process.
A conditional forwarder setting consists of a domain name and the IP address of one or more DNS servers. To configure a DNS server for conditional forwarding, a list of domain names is set up on the Windows Server 2003-based DNS server along with the DNS server IP address. When a DNS client or server performs a query operation against a Windows Server 2003-based DNS server that is configured for forwarding, the DNS server looks to see if the query can be resolved by using its own zone data or the zone data that is stored in its cache, and then, if the DNS server is configured to forward for the domain name that is designated in the query (a match), the query is forwarded to the IP address of a DNS Server that is associated with the domain name. If the DNS server has no domain name listed for the name that is designated in the query, it attempts to resolve the query by using standard recursion.
A DNS server that is configured for forwarding uses forwarders after it has determined that it cannot resolve a query by using its authoritative data (primary or secondary zone data) or cached data. If the server cannot resolve a query by using forwarders, it may attempt recursion.
The order of the IP addresses determines the sequence in which the IP addresses are used. After the DNS server forwards the query to the forwarder with the first IP address that is associated with the domain name, it waits a short period for an answer from that forwarder (according to the DNS server's time-out setting) before it resumes the forwarding operation with the next IP address that is associated with the domain name. It continues this process until it receives an affirmative answer from a forwarder.
Unlike conventional resolution, where a roundtrip time (RTT) is associated with each server, the IP addresses in the forwarders list are not ordered according to roundtrip time and must be reordered manually to change preference.
• Authoritative DNS servers cannot forward queries for the domain names for which they are authoritative. For example, the authoritative DNS server for the zone research.microsoft.com cannot forward queries according to the research.microsoft.com domain name. If the DNS server were allowed to do this, it would nullify the server's ability to respond to queries for the research.microsoft.com domain name. The DNS server that is authoritative for research.microsoft.com can forward queries for DNS names that end with uk.research.microsoft.com, if uk.research.microsoft.com is delegated to another DNS server.
• When a Windows Server 2003-based DNS server that is configured to use conditional forwarding receives a query for a domain name, it compares that domain name with its list of domain name conditions and uses the longest domain name condition that corresponds to the domain name in the query. For example, a DNS server is configured to forward queries to the 10.10.10.1 IP address when the domain name in the query is microsoft.com, and to forward queries to the 10.10.10.100 IP address when the domain name in the query is sales.microsoft.com. When the DNS server receives a query for uk.sales.microsoft.com, it compares that domain name with both microsoft.com and sales.microsoft.com. Both microsoft.com and sales.microsoft.com are contained in the query, but sales.microsoft.com is longer, so the query is forwarded to the 10.10.10.100 IP address, which is associated with sales.microsoft.com.
• You can disable recursion for the DNS server so that it does not use recursion on any query. If you disable recursion on the DNS server, you cannot use forwarders on the same server.
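As an added illustration (not code from the original article or from Windows DNS itself), the following Python models the forwarder-selection rules described above: whole-label "ends with" matching, longest-condition-wins, the exclusion of zones the server is authoritative for, ordered forwarder addresses tried in turn until one answers, and fall-back to recursion when no condition matches. The condition table reuses the article's microsoft.com and sales.microsoft.com addresses; the authoritative-zone set and the simulated forwarder replies are constructed for the demonstration.

```python
# Added example, not from the original article: models how a Windows Server 2003
# DNS server picks a conditional forwarder. The microsoft.com / sales.microsoft.com
# conditions reuse the article's values; the authoritative zones and forwarder
# replies below are constructed for the demonstration.
from typing import Callable, Optional

def _labels(name: str) -> list:
    return name.lower().rstrip(".").split(".")

def _ends_with(domain: str, query: str) -> bool:
    # Whole-label suffix match: sales.microsoft.com covers uk.sales.microsoft.com
    # but not notsales.microsoft.com.
    d, q = _labels(domain), _labels(query)
    return len(q) >= len(d) and q[-len(d):] == d

def select_forwarders(query: str, conditions: dict, authoritative: set) -> Optional[list]:
    """Return the ordered forwarder IPs of the longest matching condition,
    or None when the server should fall back to standard recursion."""
    auth = {".".join(_labels(z)) for z in authoritative}
    best = None
    for domain in conditions:
        if ".".join(_labels(domain)) in auth:
            continue  # a server cannot forward for a zone it is authoritative for
        if _ends_with(domain, query) and (best is None or len(_labels(domain)) > len(_labels(best))):
            best = domain
    return list(conditions[best]) if best else None

def forward_query(query: str, conditions: dict, authoritative: set,
                  ask: Callable, timeout: int = 5) -> tuple:
    """Try forwarders in configured order; `ask` returns None on time-out.
    Returns (answer, forwarder_ip), or (None, None) when recursion is needed."""
    ips = select_forwarders(query, conditions, authoritative)
    for ip in ips or []:
        answer = ask(ip, query, timeout)
        if answer is not None:
            return answer, ip  # the first affirmative answer wins
    return None, None

# Constructed condition table (the article's example addresses) and a fake
# forwarder: 10.10.10.100 never answers, so the second sales forwarder is used.
CONDITIONS = {"microsoft.com": ["10.10.10.1"],
              "sales.microsoft.com": ["10.10.10.100", "10.10.10.101"]}

def demo_ask(ip: str, query: str, timeout: int) -> Optional[str]:
    return {"10.10.10.101": "192.0.2.10", "10.10.10.1": "192.0.2.20"}.get(ip)

if __name__ == "__main__":
    print(forward_query("uk.sales.microsoft.com", CONDITIONS, set(), demo_ask))
```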