Back To Basics: DNS Server Roles -- Caching-only Servers Page 2

Thomas Shinder

DNS Forwarders and Slave Servers

A Forwarder is a DNS server that accepts recursive queries from a DNS Server downstream in the query chain. Caching-only servers make good forwarders. A Caching-only forwarder can be used to protect internal zone files from Internet intruders.

For example, a DNS client sends a recursive query to its Preferred DNS server for a host located on the Internet. Since the DNS client's Preferred DNS server is located on the company's internal network, that corporate DNS server will not be authoritative for the domain in question.

The Preferred server must resolve the host name for the client or return an error. You can configure the DNS client's Preferred DNS server to forward all queries for zones for which it is not authoritative. This DNS server will then issue a recursive query to a DNS Server configured as its Forwarder.

Forwarding and Forwarder Servers

Some of the terms used in the forwarding process require clarification. In this example, the client's Preferred server is "forwarding" the request to the "forwarder". The client's Preferred server is the forwarding DNS server. The DNS server receiving the forwarding server's query is the Forwarder. Therefore, the process of forwarding a DNS query involves both a forwarding DNS server and a forwarder DNS server.

Host Name Lookup Using Forwarders

The forwarder begins to resolve the host name in the query. It can do this by retrieving the information from its cache, from a zone file, or by issuing a series of iterative queries. If successful, it will answer the recursive query affirmatively and return the IP address to the forwarding server. The forwarding server completes its recursion by returning this IP address to the DNS client that initiated the query.

If the forwarder cannot resolve the host name to an IP address, it returns a "host not found" error to the forwarding DNS server. If this happens, the Preferred DNS server (the forwarding server) will attempt to resolve the host name itself. The forwarding server will check its cache, check its zone files, or perform iterative queries to resolve the host name. If unsuccessful, a "host not found" or similar error is finally returned to the client.

You may not want the forwarding DNS server to issue iterative queries to servers located on the Internet. This will typically be the case when the forwarding server is an internal DNS server. Internal DNS servers that issue iterative queries for Internet host name resolution can become targets for hackers seeking information about your internal host naming scheme.

You can configure the forwarding server to not resolve host names itself when the forwarder fails to return a valid IP address. When the forwarding computer is configured in this fashion, it is referred to as a slave server. The slave server accepts responses from the forwarder and relays them to the client without attempting host name resolution itself, which an ordinary forwarding server would do whenever the forwarder is unable to answer the query.
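The two configurations described above, forwarding with fallback and the slave (forward-only) variant, as an added example that is not part of Shinder's article. It uses the DnsServer PowerShell module on a current Windows Server, not the Windows 2000 console the article dates from; the addresses are assumed placeholders (10.0.0.5 for the internal forwarding server, 192.0.2.10 and 192.0.2.11 for two caching-only forwarders in the perimeter network), and www.example.com is just a name to resolve.

```powershell
# Added example (not from the original article): make an internal Windows DNS
# server a forwarding server, then a slave server, using the DnsServer module.
# Assumed placeholder addresses:
#   10.0.0.5                  internal forwarding server (clients' Preferred DNS server)
#   192.0.2.10, 192.0.2.11    caching-only forwarders in the perimeter network

$Forwarders = @('192.0.2.10', '192.0.2.11')

# 1. Forwarding server: every query the server is not authoritative for is sent
#    to the forwarders. UseRootHint $true keeps the default fallback: if the
#    forwarders fail, the server performs iterative queries on the Internet itself.
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $true -Timeout 5

# 2. Slave server: same forwarders, but the server never falls back to iterative
#    queries when a forwarder returns an error. This is the setting that keeps an
#    internal server from ever contacting Internet name servers directly.
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false -Timeout 5

# 3. Verify the effective configuration. UseRootHint = False means slave mode.
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint, Timeout

# 4. Exercise the chain from a client's point of view: the internal server must
#    answer an Internet name through the forwarders, not on its own.
Resolve-DnsName -Name www.example.com -Type A -Server 10.0.0.5
```

Step 2 is the one that matters for the concern raised above. After it is applied, the only outbound DNS traffic the perimeter firewall should see from 10.0.0.5 is to the two forwarders; a query from that server to any other Internet address on port 53 means the slave setting is not in effect and the server is still iterating on its own.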

This article was originally published on Sep 26, 2000
Page 2 of 4
