Is it best to use forwarders on DNS or let server perform recursion

Discussion in 'DNS Server' started by Jim A., Jun 19, 2008.

  1. Jim A.

    My network is very small, about 30 PC's. The previous admin had no
    forwarders setup, so any queries for internet name and such, the server had
    to perform recursion on. As I understand it, recursion has my DNS server
    forward the query to the DNS server of my ISP. If I setup forwarding, I
    would be using that same DNS server anyway, so does it really matter in the
    scenario whether I use forwarding or recursion, since the end result would be
    the same (requests get forwarded to the same DNS server)?

    As I understand it, with forwarding, my DNS server will keep a cache of
    answered queries so that the first user that wants to go to yahoo.com, my
    DNS forwards the request, and then caches the response. So the next user that
    wants to go to yahoo.com, the DNS server will not have to forward the
    request, but will simply look in its cache. Can the same be said with
    recursion?
     
    Jim A., Jun 19, 2008
    #1

  2. If it doesn't use a Forwarder, then it uses Root Hints,...which AFAIK are
    the Root Servers out in Internetland, not your ISP.

    I've done it both ways,..never had a problem either way. My network has
    about 100 units.

    Don't know for sure about caching,..it may still cache locally either way
    but not sure. I don't really care about caching,...it has caused me more
    problems than helped anything, especially when combined with proxy servers.
    No caching at all would suit me fine.
     
    Phillip Windell, Jun 19, 2008
    #2

  3. Herb Martin

    No, recursion is when your DNS server goes to the root of the Internet
    (namespace actually) asks the Root Servers, then the top level servers
    (e.g., com, edu, CC) then the particular organization down the hierarchy
    until it finds the answer ITSELF.

    Forwarding is when it gets some other server (e.g., the ISP DNS) to do
    this for it.
    Yes, because it doesn't operate as you said in the prior paragraph.
    It does that for all types of requests, recursively resolved or resolved
    through forwarding.
    Yes.

    General thoughts on what is "best":

    No one can say for SURE what is best for you.

    Physical Recursion by an internal server is usually not as fast
    because it doesn't take advantage of the "cache" and
    cache consolidation of having another DNS server (e.g.,
    ISP) answering requests for many DNS Servers.
    Generally that ISP DNS is "closer" to the Internet and
    can do so more efficiently too.

    Forwarding to the ISP CAN (theoretically) be less secure
    than providing your own resolver since you are subject to
    the possibly bad security practices of the ISP.
    Most people are not as good as their ISP so this might
    not be a realistic threat.

    Internal DNS Servers (especially AD DCs) should probably
    NOT be going "out on the Internet" but rather the ISP DNS
    or (better usually) a dedicated DNS at the firewall/gateway
    should do this.

    Generally, you wish to forward to your Gateway/Firewall DNS
    Server if you have one.

    The Gateway/Firewall DNS EITHER does the actual recursion
    or forwards again to the ISP to take advantage of both the
    cache and the position of the ISP DNS server.
     
    Herb Martin, Jun 19, 2008
    #3
  4. Jim A.

    So if I have no forwarders enabled and the DNS is on the DC behind the
    firewall, what is the process when a client needs to resolve a name? The DNS
    first checks in its cache, and if there are no entries, does it ask the DNS
    server of the ISP, use root hints, or goes straight to a top level server?
    (at which time the top level would say, "well, I don't know that address, but I
    know someone who might. Why don't you ask x.x.x.x" and the process continues
    until a DNS server with the record is found)?
     
    Jim A., Jun 19, 2008
    #4
  5. Herb Martin

    The DNS first checks its ZONES -- those held on the DNS Server itself if
    any

    Then it checks any CONDITIONAL forwarding entries, most
    specific first (if any)
    No. That would only be used if it were a forwarder.
    Same thing (generally): http://icannwiki.org/Root_hints

    And yes.
    Yes, But I know who is authoritative for (at least) that top level domain
    Right -- because from here it uses the SAME PROCESS, only one level
    deeper this is what is known as "recursion" (the process is done through
    a recursive algorithm in code too.)

    It quits when it finds the answer, if it ever finds an authoritative server
    that SHOULD have the answer but doesn't, or reaches the bottom
    without finding an answer.

    By definition, at this point, the name is NOT in the "Namespace"*

    Many people use the term namespace incorrectly but it is ALL of
    the names that can be found by starting at the root and performing
    this recursive search.

    The "Internet" is a name space. Microsoft.com is publicly NOT
    a namespace but a DNS tree hierarchy.

    To summarize the DNS checks:

    ZONES held on the DNS Server
    Cache
    Conditional Forwarding entries (most specific first)
    Root hints
    Recursively down the hierarchy from root hints to top level (e.g., com)
    to first level (e.g., microsoft.com)
    etc
     
    Herb Martin, Jun 19, 2008
    #5
  6. Herb Martin

    Root hints are the Root of some namespace, but almost always this is
    the Root Hints/Servers for the Internet namespace. (It doesn't have to
    be and isn't always -- this was more common probably in the past.)
    Yes, caching is used both ways. Caching should NOT cause you
    significant problems.
    As your network size grows or your WAN line capability diminishes,
    caching becomes quite a bit more important.

    Caching is good.

    If you have trouble with caching let us know -- usually this is due
    to mistakes that really are a caching issue.
     
    Herb Martin, Jun 19, 2008
    #6
  7. Read inline please.

    This depends on whether you can fully trust your ISP's DNS for giving you
    all answers, the correct answer, or how fast it is at returning answers it
    doesn't already hold in its cache. The main reason for using a forwarder, is
    for taking advantage of its cached answers.
    With forwarding, the DNS being forwarded to will pass on only the record
    requested. If it answers from its cache, the record will be cached on your
    DNS, but only with the remaining TTL of the record in the forwarder's cache.
    yahoo.com is not really a good example to use, because yahoo's A records and
    CNAME records typically have a TTL of 1 minute to 5 minutes, depending on
    which name you ask for.
    There is an advantage to using Root Hints only for all name resolution: when
    you resolve a DNS name, your DNS server caches the NS record for each
    Authoritative DNS domain it has to ask, starting with the Root domain, then
    the TLD servers, then the NS record for the domain you are asking for. NS
    records usually have a TTL of two days or more; given the maximum
    default cache of 1 day for MS DNS Servers, once a name is resolved and the
    NS records are cached, all additional names resolved in that domain for the
    next 24 hours are answered much faster. In most cases, once the NS records
    are cached, DNS will get the answer directly from the NS cached; using a
    forwarder only adds an extra hop in getting the answer.

    --
    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
    Hope This Helps

     
    Kevin D. Goodknecht Sr. [MVP], Jun 23, 2008
    #7
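A small Python model of the lookup order from Herb's summary (zones, cache, conditional forwarders, root hints, then iterating down the hierarchy) together with Kevin's two caching points: a forwarded answer is cached only with the forwarder's remaining TTL, and once the NS records for a domain are cached, further names in that domain need only one hop. This is an added example, not code from the thread or from MS DNS; the server names, addresses and TTLs are constructed, and the 1-day default maximum cache is modelled as max_cache_ttl.

```python
# Constructed authoritative data (not real servers): server -> {name: (value, ttl)}.
# Every lookup into AUTH stands for one network hop to that server.
AUTH = {
    "root": {"com.": ("tld-com", 172800)},
    "tld-com": {"example.com.": ("ns1.example.com", 172800)},
    "ns1.example.com": {"www.example.com.": ("192.0.2.10", 300),
                        "mail.example.com.": ("192.0.2.25", 300)},
}

class Resolver:
    def __init__(self, forwarder=None, cond_forwarders=None, zones=None, max_cache_ttl=86400):
        self.forwarder, self.cond = forwarder, cond_forwarders or {}
        self.zones, self.max_cache_ttl = zones or {}, max_cache_ttl  # zones: name -> (value, ttl)
        self.cache = {}  # name -> (value, expires_at)

    def cached(self, name, now):
        hit = self.cache.get(name)
        return hit[0] if hit and hit[1] > now else None

    def put(self, name, value, ttl, now):
        # Cache no longer than the server's maximum cache TTL (1 day by default here)
        self.cache[name] = (value, now + min(ttl, self.max_cache_ttl))

    def resolve(self, qname, now):
        """Return (answer, hops, remaining_ttl) following the lookup order from the thread."""
        if qname in self.zones:                              # 1. zones held locally
            return self.zones[qname][0], 0, self.zones[qname][1]
        if (v := self.cached(qname, now)) is not None:       # 2. cache
            return v, 0, int(self.cache[qname][1] - now)
        # 3. conditional forwarder (most specific suffix first), else 4. general forwarder
        target = next((s for z, s in sorted(self.cond.items(), key=lambda kv: -len(kv[0]))
                       if qname == z or qname.endswith("." + z)), self.forwarder)
        if target:
            v, hops, ttl = target.resolve(qname, now)
            self.put(qname, v, ttl, now)   # cached only with the forwarder's remaining TTL
            return v, hops + 1, ttl
        labels = qname.rstrip(".").split(".")                # 5. root hints, then iterate down
        server, hops = "root", 0
        for i in range(len(labels) - 1, 0, -1):
            zone = ".".join(labels[i:]) + "."
            ns = self.cached(zone, now)
            if ns is None:           # no cached NS for this level: ask the server above it
                hops += 1
                ns, ttl = AUTH[server][zone]
                self.put(zone, ns, ttl, now)
            server = ns
        addr, ttl = AUTH[server][qname]                      # final hop to the authority
        self.put(qname, addr, ttl, now)
        return addr, hops + 1, ttl
```

Resolving www.example.com. via root hints costs three hops the first time, one hop for mail.example.com. afterwards, and a server that forwards to the first one inherits the answer with only the TTL left in that cache.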