11.3 Building Up a Large, Sitewide Cache with Forwarders

Certain network connections discourage sending large volumes of traffic off-site, either because the network connection is pay-per-packet or because it is a slow link with a high delay, as with a remote office's satellite connection to the company's network. In other cases, a firewall might allow only certain name servers to send queries off the local network to the Internet. In these situations, you don't necessarily want your name server to follow the standard DNS resolution algorithm and start by sending a query to a root name server. A solution is called forwarding, which changes the way a name server resolves queries it can't answer itself.

If you designate one or more servers at your site as forwarders, all off-site queries are sent to the forwarders first. The idea is that the forwarders handle all off-site queries generated at the site, building up a rich cache of information. For any given query for a remote domain, there is a high probability that the forwarder can answer the query from its cache, avoiding the need for the other servers to send packets off-site. Nothing special is done to these servers to make them forwarders; you modify all the other servers at your site to direct their queries through the forwarders. It's worth pointing out that the terminology is a little funny: a name server configured to forward (or, if you prefer, with forwarding enabled) doesn't have an official name, but we use the term forwarding name server. A name server that receives queries forwarded from forwarding name servers is called a forwarder.

A primary or secondary name server's mode of operation changes slightly when it is directed to use a forwarder. If the requested information is already in its database of authoritative data and cache data, it answers with this information; this part of the operation hasn't changed. However, if the information is not in its database, the name server sends the query to its configured forwarders and waits a short period for an answer before resuming normal operation and contacting the remote servers itself. What the name server is doing that's different is sending a recursive query to the forwarder, expecting it to find the answer. At all other times, the name server sends out nonrecursive queries to other name servers and deals with responses that refer only to other name servers.

Microsoft has introduced a new feature called conditional forwarding that makes forwarding even more flexible under Windows Server 2003. In prior versions of the Microsoft DNS Server, all queries that couldn't be resolved locally were sent to the same set of forwarders. Using conditional forwarding, you can configure the DNS server to use a different set of forwarders depending on the domain name of the query. In our experience, this feature is most useful in large networks or networks with a restrictive security policy that limits Internet connectivity to certain hosts. For example, consider a large network where, as in most networks, the name servers need to know how to resolve both internal and external names. One set of forwarders?call them set A?might have complete knowledge of the organization's namespace, while a different bunch of forwarders?set B?might have access through the firewall to resolve Internet domain names. An individual name server is authoritative only for a small number of zones. This name server can resolve queries for names in its local authoritative zones, but how does it resolve other names? If a query is for an internal name, the name server needs to forward to the "A" forwarders, but any external names can only be resolved by the "B" forwarders. With conditional forwarding, such a configuration is a snap.

Forwarding is configured by selecting the Forwarders tab on the server properties window. Figure 11-9 shows how a movie.edu name server is configured to forward all queries to wormhole and terminator. And remember, forwarding is configured on every name server except the forwarders themselves?wormhole and terminator in this case.

Figure 11-9. Forwarders configuration tab

To enable forwarding, you need to specify forwarders for a specific domain or the default of All other DNS domains. The default applies when no other configured domain matches. You can specify up to six forwarders for each domain. The name server forwards to them in the order in which they're listed, using a default timeout of five seconds per forwarder; that is, if the first forwarder doesn't respond within five seconds, try the next, wait five more seconds, try the next, and so on. The forwarding timeout can be changed with the Number of seconds before forward queries time out field.

When you use forwarders, try to keep your site configuration simple. Otherwise, you can end up with configurations that are really twisted. Follow these tips:

  • Avoid having "midlevel" servers forward packets (that is, avoid configuring forwarding on your midlevel name servers). Midlevel servers mostly refer name servers to subdomain name servers. If they have been configured to forward packets, do they refer to subdomain name servers, or do they contact the subdomain name server to find out the answer? Whichever way it works, you're probably making your site configuration too hard for mere mortals (and subdomain administrators) to understand.

  • Avoid chaining your forwarders. Don't configure server a to forward to server b, and configure server b to forward to server c (or worse yet, back to server a).

11.3.1 A More Restricted Forwarding Name Server

You may want to restrict your name servers even further?stopping them from even trying to contact an off-site server if their forwarder is down or doesn't respond. You can do this by telling the server not to fall back to using the recursive resolution process if no forwarders respond: check the Do not use recursion for this domain box on the Forwarders configuration tab (see Figure 11-9). The terminology is confusing: this checkbox has nothing to do with the kind of query being sent to the forwarders. As we said earlier, a name server that's forwarding always sends a recursive query to its forwarders. What this checkbox determines is what happens after that recursive query is sent, which we discuss next. The BIND name server configuration syntax calls this kind of forwarding name server a forward-only server, which we think is a good name.

A forward-only server is a variation on a server that forwards. It still answers queries from its authoritative data and cache data. However, it relies completely on its forwarders; it doesn't try to contact other servers for information if the forwarders don't give it an answer.

However, you must ask yourself if it ever makes sense to use a forward-only server. Such a server is completely dependent on the forwarders. You can achieve much the same configuration (and dependence) by not running a forward-only server at all; instead, configure your hosts' resolvers to point to the forwarders you were using. Thus, you are still relying on the forwarders, but now your applications are querying the forwarders directly instead of having a forward-only name server query them for the applications. You lose the local caching the forward-only server would do, but you reduce the overall complexity of your site configuration by running fewer "restricted" name servers.