

DNS Forwarders

Posted on 2005-03-18
Last Modified: 2012-06-21
I'm studying "DNS on Windows Server 2003" (O'Reilly 2004) to get a final grip on DNS.

As I understand it, now, a forwarding name server will use its forwarders first (given it can't resolve the query with cache or zone data), and if the forwarders are unreachable, the forwarding name server will go for the root hints. That's how I understand the following:

"...the [forwarding] name server sends the query to its configured forwarders and waits a short period for an answer before resuming normal operation and contacting the remote servers itself. What the name server is doing that's different is sending a recursive query to the forwarder, expecting it to find the answer. At all other times, the name server sends out nonrecursive queries to other name servers and deals with responses that refer only to other name servers." (p. 230)

There's the option to make the forwarding name server a "forward-only name server", by checking the "Do not use recursion for this domain" box in the Forwarders configuration tab (a check box with "confusing terminology", but never mind). The writers say:

"If you want to restrict your name servers even further -- stopping them from even trying to contact an off-site server if their forwarder is down or doesn't respond. You can do this by telling the server not to fall back to using the recursive resolution process if no forwarders respond: check the "Do not use recursion for this domain" box on the "Forwarders" configuration tab." (pp. 231-232)

My question concerns this sentence: "You can do this by telling the server not to *fall back to using the recursive resolution* process if no forwarders respond..."

Shouldn't it say: "... fall back to using the *nonrecursive* resolution"? As I understand it, if the forwarders aren't responding, the forwarding name server will use the root hints, and the root hints query is by definition nonrecursive.

Am I right?

Question by:DiamondJoe

Expert Comment

ID: 13573681
Good places to understand it...



Recursive means I ask you, you go find out answer and tell me.

Opposite is iterative: I ask you, you tell me which name server I go to to find the answer myself.

Author Comment

ID: 13575269
Thanks for the links, the first one was great fun and also confirms my point. As far as I know, in the scenario above, where the forwarders aren't answering the forwarding name server, the forwarding name server would fall back to using the nonrecursive (or iterative) resolution using the root name server, not fall back to recursive resolution, as the writers state in the book I quoted.

I'm asking since this book is very highly respected and printed in numerous editions (with slightly different titles), wherefore I can't just ignore this strange statement as simply incorrect.

Accepted Solution

minmei earned 750 total points
ID: 13575769
nslookup is a wonderful thing.

You can use it as a tool to check the answer.

Each nslookup request defaults to recursion. This means it will ask until it finds the answer, then deliver it back.

When you do a set norecurse, you see only the next authoritative nameserver. This is why it's called iterative. You can go to the roots, then get to the authoritative nameserver, then ask it for the answer, just like the dns server would.

Highly respected does _not_ mean error free.  Play with nslookup.  Find your forwarding server from your ISP, use it to run both recursive and non-recursive queries.

Here's the help on the win2k3 dns checkbox for "do not use recursion..."

Specify that the DNS server not attempt any _further_ recursion if the forwarders fail. If the forwarding servers fail to resolve, a failure message is returned.

Bad checkbox name. Bad explanation from the book. It just means it will stop if the forwarders fail. Has _nothing_ to do with recursive or iterative queries.
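
The behaviour discussed in this thread, as an added example that is not part of the original posts: a small offline model showing that queries to forwarders carry the RD (recursion desired) bit, the fallback query to the root hints does not, and the "Do not use recursion for this domain" checkbox only decides whether that fallback happens. The function names, the `reachable` set and the 192.0.2.x forwarder addresses are constructed for illustration; no network traffic is sent.

```python
import struct

RD = 0x0100  # "recursion desired" bit in the DNS header flags word (RFC 1035)

def build_query(name, recurse, qid=0x1234):
    """Encode an A-record query; recurse=False is what nslookup's 'set norecurse' sends."""
    header = struct.pack("!HHHHHH", qid, RD if recurse else 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def wants_recursion(packet):
    """Read the RD bit back out of a raw DNS message."""
    (flags,) = struct.unpack("!H", packet[2:4])
    return bool(flags & RD)

def plan_queries(name, forwarders, root_hint, forward_only, reachable):
    """Model of a forwarding server's outbound queries for one cache miss.

    `reachable` is a constructed stand-in for the network: the set of
    forwarders that answer in time. Returns (queries_sent, outcome).
    """
    sent = []
    for fwd in forwarders:
        sent.append((fwd, build_query(name, recurse=True)))   # RD=1 to forwarders
        if fwd in reachable:
            return sent, "answered by forwarder"
    if forward_only:  # the "Do not use recursion for this domain" box is checked
        return sent, "failure returned to client"
    sent.append((root_hint, build_query(name, recurse=False)))  # RD=0 to the roots
    return sent, "resolving via root hints"

if __name__ == "__main__":
    fwds = ["192.0.2.10", "192.0.2.11"]  # constructed documentation addresses
    for forward_only in (False, True):
        sent, outcome = plan_queries("example.com", fwds, "a.root-servers.net",
                                     forward_only, reachable=set())
        print("forward_only =", forward_only, "->", outcome)
        for server, pkt in sent:
            print("   ", server, "RD =", int(wants_recursion(pkt)))
```

From a hardening point of view, the forward-only case is the one where the server never sends a query to anything except its configured forwarders, so outbound DNS from that host can be restricted to those addresses.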
