nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

DNS Forwarder

jescab

What is a DNS Forwarder? Also how do you know when to use it? In what scenerio would youuse a DNS forwarder? What is the difference between a forwarder and a root hint?

Also, THANKS for help yesterday.

JB

Find more posts tagged with

SAVE $250 on Your Microsoft Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Microsoft Boot Camps

Comments

TeKniques

jescab wrote:

What is a DNS Forwarder?

A DNS forwarder is a computer that you would forward DNS requests to so that it can resolve names for you

jescab wrote:

Also how do you know when to use it? In what scenerio would youuse a DNS forwarder?

A good time to use it would be if you did not want any of your internal clients names known outside the internal network. In this case, you could have an Internal DNS server that serves as your main DNS server for the internal clients that forwards requests to another DNS server say in your DMZ or perimeter network. Likewise you could forward to your ISP's DNS server.

jescab wrote:

What is the difference between a forwarder and a root hint?

A root hint is what the forwarder is retrieving for you. The difference is that the DNS server will store all the root hints, but if you are using a forwarder then you are referring to that machine's root hints to resolve names.

royal

Also, if you want to resolve dns names higher in the namespace, you can create a conditional forwarder. For example, if you're a client in the domain staff.contoso.com (client01.staff.contoso.com), and you need to make a query to filesvr.contoso.com for a file, then you can create a conditional forwarder on the dns server in the staff.contoso.com domain that points all queries to the authoritative server for the constoso.com domain.

blargoe

A strategic use of DNS forwarder addresses on your DNS server can speed up name resolution.

If your users in domain1.com have to access resources in another company who has a domain named domain2.com, "conditional forwarding" to forward name resolution requests directly to a authoritative DNS server for that other domain, rather than have the request be passed to, say, a root server, then the .com server, then the authoritative server for domain2.com, then back to you.

Sometimes it is useful to have a DNS server to speed up name resolution in a remote office but not have it host a zone, due to not wanting to have the zone transfer traffic. You could configure this server with a DNS forwarder containing the address of a server that is authoritative for your domain. This server would cache the names that have been resolved for an amount of time (this is called a caching only DNS server).

Danman32

Root hints are used for iterative queries, which tell the DNS server where the root servers are, which is usually the internet dot (.) servers. Those dot servers will then tell your DNS server where the first level DNS servers are (such as .com, .net, .org, etc). Your server queries those servers, and usually the first level DNS server will refer you to the second level DNS server, for example 'mycompany.com'.

Forwarders usually are for recursive queries where the entire query responsibility will fall to the forwarded server, such as your ISP's DNS server. In the case of the ISP server, there's a good chance most, if not all, your potential queries will be cached since many other clients are also using it as a DNS server, so it can answer right away without doing iterations starting at the root servers.
And, as others have shown, forwarding can be used to send queries to a server that has the zones that have the answers to the common queries.

garv221

TeKniques is correct, fowarders alot of the time are used by the internal DNS. When a internal node requests a website, it runs through the internal DNS and the internal cannot answer the question, so in turn fowards the request to an external DNS who can. To better understand root hints, go to www.dnsstuff.com and do a MX lookup on some domains and watch the site pull different root hints to discover the domains server.

Danman32

Ah yes, DNSStuff. I love how they show you exactly how/where they got their query answers.