Solved

DNS forwarder question

Posted on 2008-06-25
Last Modified: 2010-04-07
If you configure a DNS server to use a forwarder, would a Wireshark capture show DNS traffic between just you and the forwarder, or does the forwarder return the IP of the authoritative DNS server and would your DNS server go there to finally resolve the name to IP?

I'm trying to figure out if my forwarder is working correctly.


Question by:jjc_mn
4 Comments
 
LVL 14

Expert Comment

by:cuziyq
ID: 21869924
Your DNS server would forward the request and the request would be sent back to your DNS server.  The client making the request would be unaware that the request had been forwarded.
0
 
LVL 19

Expert Comment

by:feptias
ID: 21872572
You are describing the difference between iterative and recursive DNS. On the Windows DNS server, on the "Forwarders" tab, there is a tick box option "Do not use recursion for this domain". When the option is ticked, it means you want your DNS server to only query the forwarder (i.e. your DNS server should not go elsewhere to finally resolve the name).
0
 

Author Comment

by:jjc_mn
ID: 21872784
Actually I'm on Linux, not Windows, but that should not matter.

Also I'm disregarding traffic between my DNS server and the client that makes the request. I'm only looking at server to server traffic.

You said: "your DNS server should not go elsewhere to finally resolve the name". From my Wireshark trace it looks like it asks the forwarder and the forwarder comes back and gives it the DNS SOA and then my server goes to the SOA to resolve.

So that behavior is not correct?
0
 
LVL 19

Accepted Solution

by:
feptias earned 500 total points
ID: 21872886
You are possibly misinterpreting what I meant to say!
In effect, what I said was: "When that option is ticked your DNS server should not go elsewhere..."

When the option is *not* ticked, then your DNS server is very likely to start interrogating other DNS servers. That process is called recursion. I have never investigated the process down to the level of running a packet trace, but SOA records contain information about the primary DNS server for the domain so it makes some sense.

I don't know what the equivalent is of that tick box option in Linux, but no doubt there is an equivalent in the config settings. I believe it is called "slaving" when one DNS server devolves all responsibility for name resolution to the forwarder.
0
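
An added example, not part of the original thread: one way to answer the question from a capture is to classify the queries the DNS server itself originates, using the text output of `tcpdump -n port 53`. The addresses, the `classify_upstream` name and the sample capture are constructed for illustration.

```python
import re

# Outbound DNS query as printed by `tcpdump -n port 53`, e.g.
# "IP 192.0.2.10.41000 > 192.0.2.53.53: 4660+ A? www.example.com. (33)"
# A "+" after the query ID means the RD (recursion desired) flag is set.
QUERY = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.53: "
    r"\d+(?P<flags>[+%]*) (?:\[[^\]]*\] )?[A-Za-z0-9]+\? \S+"
)

def classify_upstream(lines, server_ip, forwarders):
    """Report where server_ip sends the queries it originates itself."""
    to_fwd, others, no_rd = 0, set(), 0
    for line in lines:
        m = QUERY.search(line)
        if not m or m["src"] != server_ip:
            continue  # responses, client-to-server queries, unrelated lines
        if m["dst"] in forwarders:
            to_fwd += 1
            # The forwarder only recurses on our behalf when RD is set.
            no_rd += int("+" not in m["flags"])
        else:
            others.add(m["dst"])
    if to_fwd and others:
        verdict = "forwards, then queries other servers itself"
    elif to_fwd:
        verdict = "forwarder only"
    elif others:
        verdict = "not using the forwarder"
    else:
        verdict = "no upstream queries seen"
    return {"verdict": verdict, "forwarder_queries": to_fwd,
            "other_destinations": sorted(others), "rd_clear_to_forwarder": no_rd}

# Constructed capture: client 192.0.2.100, DNS server 192.0.2.10,
# forwarder 192.0.2.53, some other name server 198.51.100.7.
SAMPLE = """\
12:00:01.000100 IP 192.0.2.100.53124 > 192.0.2.10.53: 7+ A? www.example.com. (33)
12:00:01.000400 IP 192.0.2.10.41000 > 192.0.2.53.53: 4660+ A? www.example.com. (33)
12:00:01.020000 IP 192.0.2.53.53 > 192.0.2.10.41000: 4660 0/1/0 (98)
12:00:01.020500 IP 192.0.2.10.41001 > 198.51.100.7.53: 4661 [1au] A? www.example.com. (44)
12:00:01.050000 IP 198.51.100.7.53 > 192.0.2.10.41001: 4661*- 1/0/1 A 203.0.113.80 (60)
12:00:01.050300 IP 192.0.2.10.53 > 192.0.2.100.53124: 7 1/0/0 A 203.0.113.80 (49)
""".splitlines()

if __name__ == "__main__":
    print(classify_upstream(SAMPLE, "192.0.2.10", {"192.0.2.53"}))
```

If the server is BIND (an assumption; the thread only says Linux), the counterpart of the tick box is `forward only;` in the `options` block. The default, `forward first;`, lets the server resolve on its own when the forwarder does not answer.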


Question has a verified solution.
