DNS Forwarders vs. Root Hints

Brian Rodeck

My Win2K network has two AD-integrated DNS servers on a private network that
reference each other in their DNS clients, then forward to DNS servers
specified by our ISP through an ISA server.

What role do Root Hints play in my environment?

What's the difference between forwarders and root hints in this scenario?

TIA for your help!
 
Keith W. McCammon

Root hints are a last resort. They don't perform resolution for you, but
merely point you in the right direction, so to speak. The hierarchy looks
like this:

YourDNS -> YourISP'sDNS -> ABunchOfOtherDNSServers -> Root
 
stevta [MSFT]

Typical setup is to forward DNS queries to the ISP's DNS
servers. If you have a child domain the child would
forward to the parent and the parent would delegate the
child's domain.
There are lots of exceptions based on network
configuration but this is the most simple and common
method.
Steve
 
Brian Rodeck

Thanks to both of you for the quick reply. I have a simple, single domain
environment, so I guess I should just leave them in there.

BTW, was it correct for me to remove the root level in my DNS? I've seen
info on both sides on this but my entire domain is on a single IP subnet. I
was unable to set forwarders with the root in place.
 
William Stacey

Right. If you need to use forwarding or root-hints, then you must remove
the "." zone.
 
William Stacey

Root hints are a last resort. They don't perform resolution for you, but
merely point you in the right direction, so to speak.

Assuming only root-hints is configured and recursion in advanced tab is not
turned off then...
If the query is a recursive query (i.e. rd bit set), then the DNS server
will use root hints to perform the resolution on behalf of the client
resolver. If the query is iterative, then the server will return the answer
closest to the destination and the client will need to take it from there.
 
Jonathan de Boyne Pollard

TR> Using forwarders is Quicker than using root hints, [...]

Not necessarily. It depends on the speed of the service
provided by the forwardees relative to the speed of performing
query resolution directly. If the forwardee doesn't have a
better pipe to the rest of Internet's content DNS servers
than the forwarding proxy DNS server itself does, in the event
of a cache miss forwarding can actually be slower than direct
query resolution would be.

This is why a recommendation to use forwarding is usually
accompanied by a qualification of there being an expensive,
congested, or slow link involved.

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-server-roles.html#ForwardingProxy>
 
Jonathan de Boyne Pollard

KWMcC> The hierarchy looks like this:
KWMcC>
KWMcC> YourDNS -> YourISP'sDNS -> ABunchOfOtherDNSServers -> Root

No, it does not. The proxy DNS server run by the ISP is (most
often) a resolving proxy DNS server, which talks directly to the
content DNS servers on the rest of Internet, including to the "."
content DNS servers.

For a somewhat better idea of what things look like (albeit that
you will have to translate from Unix and ISC terminology to Windows
and Microsoft terminology), read
<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/bind-big-picture.html>.

(The product documentation for Microsoft's DNS has pictures that are
in colour, and not Text Art. I'd refer you to them were it not for
the fact that the entities important to this particular discussion are
depicted therein as a single vague cloud labelled "Internet". (-: )
 
Keith W. McCammon

Jonathan de Boyne Pollard said:
> KWMcC> The hierarchy looks like this:
> KWMcC>
> KWMcC> YourDNS -> YourISP'sDNS -> ABunchOfOtherDNSServers -> Root
>
> No, it does not. The proxy DNS server run by the ISP is (most
> often) a resolving proxy DNS server, which talks directly to the
> content DNS servers on the rest of Internet, including to the "."
> content DNS servers.

You just said, in only slightly more detail, what my obviously crude scheme
shows.

> For a somewhat better idea of what things look like (albeit that
> you will have to translate from Unix and ISC terminology to Windows
> and Microsoft terminology), read
> <URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/bind-big-picture.html>.
>
> (The product documentation for Microsoft's DNS has pictures that are
> in colour, and not Text Art. I'd refer you to them were it not for
> the fact that the entities important to this particular discussion are
> depicted therein as a single vague cloud labelled "Internet". (-: )

Actually, all the OP wanted to know was the generic difference between
forwarders and root hints in a very typical corporate DNS architecture. And
the difference, simply, is that root hints are essentially the last resort.
Any one of us could spend all day depicting complex situational scenarios,
but the question was answered.
 
William Stacey

> No, it does not. The proxy DNS server run by the ISP is (most
> often) a resolving proxy DNS server, which talks directly to the

Again, these are not called "proxy" DNS servers. Is there a reason you keep
using that term over and over? A DNS server (depending on config) can
answer from cache, from content, or forward, or use iteration to get an
answer and return a reply. None of that is called proxy anywhere in the
RFCs, by MS, in the BIND ngs, in DNS & BIND or any other doco I have seen on
the subject. This made up terminology can be confusing for others and
should be avoided.
 
William Stacey

True. Another good reason to use forwarding is the ability to set your
firewall rules to a finite set of forwarders (send and receive.) If you use
root hints, then you need to open queries and replies on port 53 to all IPs
which can enlarge your attack surface. However, there can be (and are) good
reasons to use one, or the other, or both.

--
William Stacey, DNS MVP

Jonathan de Boyne Pollard said:
> TR> Using forwarders is Quicker than using root hints, [...]
>
> Not necessarily. It depends on the speed of the service
> provided by the forwardees relative to the speed of performing
> query resolution directly. If the forwardee doesn't have a
> better pipe to the rest of Internet's content DNS servers
> than the forwarding proxy DNS server itself does, in the event
> of a cache miss forwarding can actually be slower than direct
> query resolution would be.
>
> This is why a recommendation to use forwarding is usually
> accompanied by a qualification of there being an expensive,
> congested, or slow link involved.
> <URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-server-roles.html#ForwardingProxy>
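The two behaviours discussed in this thread, a server that either forwards or walks the delegation tree from its root hints, and that answers a recursive query (rd bit set) differently from an iterative one, can be seen in a small model. This is an added toy example, not code from any poster or from Microsoft's DNS; the zone data, addresses and the `DnsServer` class are constructed for illustration and nothing touches the network. It also records every IP the server talks to, which is the firewall-rule point William Stacey raises: a forwarding server contacts one fixed address, a root-hints server contacts whatever the delegation chain leads to.

```python
# Constructed data: root hints are only the names/IPs of the "." servers.
ROOT_HINTS = {".": "198.41.0.4"}
FORWARDER_IP = "203.0.113.53"   # constructed address of an ISP resolver

# Constructed delegation tree: what each authoritative server says for a zone.
SERVERS = {
    "198.41.0.4": {"com.": ("referral", "192.5.6.30")},            # "." refers to com.
    "192.5.6.30": {"example.com.": ("referral", "192.0.2.1")},     # com. refers to example.com.
    "192.0.2.1":  {"www.example.com.": ("answer", "192.0.2.80")},  # authoritative answer
}

def ask(server_ip, qname):
    """One query to the server at server_ip; returns (kind, zone, value).
    qname is a FQDN with trailing dot; suffix matching is a simplification."""
    zones = [z for z in SERVERS[server_ip] if qname.endswith(z)]
    if not zones:
        return "nxdomain", None, None
    zone = max(zones, key=len)
    kind, value = SERVERS[server_ip][zone]
    return kind, zone, value

class DnsServer:
    def __init__(self, forwarder=None):
        self.forwarder = forwarder
        self.cache = dict(ROOT_HINTS)   # zone -> nameserver IP; only root hints at startup
        self.contacted = set()          # every external IP this server talks to (firewall view)

    def closest_known(self, qname):
        zone = max((z for z in self.cache if qname.endswith(z)), key=len)
        return zone, self.cache[zone]

    def query(self, qname, rd=True):
        if self.forwarder:
            # Forwarding: the only peer we talk to is the forwarder; it does the walking.
            self.contacted.add(self.forwarder)
            return DnsServer().query(qname, rd=True)
        zone, ip = self.closest_known(qname)
        if not rd:
            # Iterative query: hand back the closest referral; the client takes it from here.
            return "referral", ip
        while True:
            # Recursive query (rd bit set): resolve on the client's behalf from root hints.
            self.contacted.add(ip)
            kind, zone, value = ask(ip, qname)
            if kind != "referral":
                return kind, value
            self.cache[zone] = value   # remember the delegation for later queries
            ip = value
```

After one recursive lookup the cache holds the `example.com.` delegation, so an iterative query for another name in that zone gets a referral to `192.0.2.1` rather than to the root, which is the "answer closest to the destination" behaviour described above.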
 
