  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 303

DNS forwarder question

If you configure a DNS server to use a forwarder, would a wireshark capture show DNS traffic between just you and the forwarder, or does the forwarder return the IP of the authoritative DNS server and would your DNS server go there to finally resolve the name to IP?

I'm trying to figure out if my forwarder is working correctly.

Asked by: jjc_mn

1 Solution

cuziyq commented:
Your DNS server would forward the request and the request would be sent back to your DNS server.  The client making the request would be unaware that the request had been forwarded.
feptias commented:
You are describing the difference between iterative and recursive DNS. On the Windows DNS server, on the "Forwarders" tab, there is tick box option "Do not use recursion for this domain". When the option is ticked, it means you want your DNS server to only query the forwarder (i.e. your DNS server should not go elsewhere to finally resolve the name).
jjc_mn (Author) commented:
Actually I'm on Linux, not Windows, but that should not matter.

Also I'm disregarding traffic between my DNS server and the client that makes the request. I'm only looking at server to server traffic.

You said: "your DNS server should not go elsewhere to finally resolve the name". From my wireshark trace it looks like it asks the forwarder and the forwarder comes back and gives it the DNS SOA, and then my server goes to the SOA to resolve.

So that behavior is not correct?
feptias commented:
You are possibly misinterpreting what I meant to say!
In effect, what I said was: "When that option is ticked your DNS server should not go elsewhere..."

When the option is *not* ticked, then your DNS server is very likely to start interrogating other DNS servers. That process is called recursion. I have never investigated the process down to the level of running a packet trace, but SOA records contain information about the primary DNS server for the domain so it makes some sense.

I don't know what the equivalent is of that tick box option in Linux, but no doubt there is an equivalent in the config settings. I believe it is called "slaving" when one DNS server devolves all responsibility for name resolution to the forwarder.
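The check the asker is trying to do by eye in wireshark can be automated: list every DNS query the server itself sends out and flag any destination that is not a configured forwarder. This is an added example, not code from the thread; the capture lines are constructed in a tshark-like summary format, and the addresses (server 10.0.0.5, forwarder 10.0.0.1, stray target 198.51.100.10) are assumptions.

```python
import re
from collections import Counter

# Constructed tshark-style summary lines (not a real capture) for a DNS server
# at 10.0.0.5 that has 10.0.0.1 configured as its forwarder. Frames 4-6 show
# the pattern from the question: the forwarder answers with an SOA referral and
# the server then queries an outside server itself, i.e. it is recursing.
SAMPLE_CAPTURE = """\
1 0.000 10.0.0.5 -> 10.0.0.1 DNS Standard query 0x1a2b A www.example.com
2 0.012 10.0.0.1 -> 10.0.0.5 DNS Standard query response 0x1a2b A 93.184.216.34
3 0.100 10.0.0.5 -> 10.0.0.1 DNS Standard query 0x3c4d A mail.example.org
4 0.110 10.0.0.1 -> 10.0.0.5 DNS Standard query response 0x3c4d SOA ns1.example.org
5 0.115 10.0.0.5 -> 198.51.100.10 DNS Standard query 0x3c4e A mail.example.org
6 0.140 198.51.100.10 -> 10.0.0.5 DNS Standard query response 0x3c4e A 203.0.113.25
"""

# frame-number, timestamp, src -> dst, protocol, free-text info column
LINE_RE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+DNS\s+(?P<info>.*)$"
)

def outbound_query_targets(capture_text, server_ip):
    """Count where server_ip sends DNS queries (responses are ignored)."""
    targets = Counter()
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("src") != server_ip:
            continue  # not a packet sent by our DNS server
        if "response" in m.group("info"):
            continue  # only the server's own outbound questions matter
        targets[m.group("dst")] += 1
    return targets

def check_forwarder_only(capture_text, server_ip, forwarders):
    """Return (ok, stray): ok is True only when every outbound query from the
    server went to a configured forwarder; stray maps other targets to counts."""
    targets = outbound_query_targets(capture_text, server_ip)
    stray = {dst: n for dst, n in targets.items() if dst not in forwarders}
    return (not stray, stray)

if __name__ == "__main__":
    ok, stray = check_forwarder_only(SAMPLE_CAPTURE, "10.0.0.5", {"10.0.0.1"})
    print("forwarder-only:", ok, "stray targets:", stray)
```

Any entry in `stray` means the server is recursing on its own after the forwarder replied; a server that is meant to rely solely on its forwarder should produce an empty result.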
