
I'm doing some research on DNS forwarding and I'm struggling with information on a few items:

What's the difference between DNS forwarding first and forwarding only? Information on the internet doesn't seem that clear.

If you have multiple DNS forwarders configured on a forwarding tab of a DNS server under which conditions is the second forwarder queried?

Thank you

Jay

2 Answers


A DNS server often has a set of root hints, i.e. the list of about a dozen servers that hold the root "." zone. So if it needs to resolve a DNS name without forwarding it will start at the root and query things until it finds the answer: perhaps by asking the root servers for the name servers for .org, the .org servers for the servers that handle example.org, and finally the example.org servers for the results for www.example.org.

When you have forwarding only enabled, this process is completely disabled, and all DNS requests will be forwarded on to some other server. So if you were forwarding to 8.8.8.8 that would be it. You send the request off to 8.8.8.8 and if you get a valid reply you return that, or you fail.

When you have forwarding enabled, but you have not set forwarding only, your DNS server will try to forward a request to another server and if there is a failure or a timeout then the request will fall back to resolving using the standard method starting at the root hints.

Keep in mind that an NXDOMAIN reply is not a failure. A failure is a SERVFAIL, a timeout, or something like that.

Zoredache
  • Thank you. Just to summarise: Forward first - use root hints and forwarders. Forwarding only - forward all requests immediately (never use root hints). On the primary and secondary forwarders, you think it might be down to the DNS implementation or which server responds first? Presumably if one server returns a timeout, the other forwarder responds? Thanks – Jay Feb 03 '20 at 21:59
  • Never dug into the details much about the ordering of the forwarders for different implementations. Looks like the answer from @Håkan has some links with details for Bind. I would guess most implementations will try others in the case of a failure of some sort. – Zoredache Feb 03 '20 at 23:50
  • @Jay I also expect that it's implementation specific what the exact behavior is regarding multiple forwarders. (I tried to answer specifically for BIND as that was what the question specified.) – Håkan Lindqvist Feb 09 '20 at 00:15
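The behaviour described in the answer above, as an added example that is not part of the original post or of BIND itself: a small Python model of "forward first" versus "forward only". The upstream reply table, the root-hints outcomes, the placeholder forwarder addresses and the RTT bookkeeping are all constructed assumptions for illustration; the point it demonstrates is that NXDOMAIN from a forwarder is a final answer, while SERVFAIL or a timeout is what triggers the fallback (and only in "first" mode).

```python
# Added example: a model of BIND-style "forward first" vs "forward only".
# Not code from the original page or from BIND. The reply table, the root
# resolution outcomes and the RTT penalty are constructed for illustration.

NOERROR, NXDOMAIN, SERVFAIL, TIMEOUT = "NOERROR", "NXDOMAIN", "SERVFAIL", "TIMEOUT"

# Constructed upstream behaviour: (forwarder, qname) -> (rcode, rtt in ms).
# The forwarder addresses are familiar placeholders, nothing more.
UPSTREAM = {
    ("8.8.8.8", "www.example.org."): (NOERROR, 12),
    ("1.1.1.1", "www.example.org."): (NOERROR, 30),
    ("8.8.8.8", "nope.example.org."): (NXDOMAIN, 12),
    ("1.1.1.1", "nope.example.org."): (NXDOMAIN, 30),
    ("8.8.8.8", "internal.corp."): (SERVFAIL, 12),
    ("1.1.1.1", "internal.corp."): (TIMEOUT, 2000),
}

# Constructed outcome of iterative resolution starting at the root hints.
ROOT_RESOLUTION = {
    "www.example.org.": NOERROR,
    "nope.example.org.": NXDOMAIN,
    "internal.corp.": NXDOMAIN,  # a private zone the public root knows nothing about
}

PENALTY_MS = 10_000  # the "very high RTT" a failing forwarder is charged with


def resolve(qname, mode, forwarders, rtt, upstream=UPSTREAM, root=ROOT_RESOLUTION):
    """Return (source, rcode) for qname under the given forward mode.

    mode is "first" or "only". rtt is a dict forwarder -> last measured RTT that
    the caller keeps between calls: the lowest-RTT forwarder is tried first,
    untried ones count as 0 so every server gets used, and a server that fails
    is pushed to the back of the queue by the penalty.
    """
    if mode not in ("first", "only"):
        raise ValueError("forward mode must be 'first' or 'only'")

    for fwd in sorted(forwarders, key=lambda f: rtt.get(f, 0)):
        rcode, ms = upstream.get((fwd, qname), (TIMEOUT, 2000))
        if rcode in (NOERROR, NXDOMAIN):
            # A definitive answer. NXDOMAIN is an answer, not a failure,
            # so it is returned as-is and no further forwarder is asked.
            rtt[fwd] = ms
            return fwd, rcode
        # SERVFAIL or no reply: penalise this forwarder and try the next one.
        rtt[fwd] = PENALTY_MS

    if mode == "only":
        # forward only: the root hints are never consulted, so the client
        # sees a failure when every forwarder has failed.
        return None, SERVFAIL

    # forward first: all forwarders failed, fall back to iterative resolution.
    return "root-hints", root.get(qname, NXDOMAIN)


if __name__ == "__main__":
    shared_rtt = {}
    for q, mode in [("nope.example.org.", "first"),
                    ("internal.corp.", "first"),
                    ("internal.corp.", "only"),
                    ("www.example.org.", "first")]:
        print(q, mode, resolve(q, mode, ["8.8.8.8", "1.1.1.1"], shared_rtt), shared_rtt)
```

The last query in the demo shows the selection effect: after both forwarders were penalised for the internal name, the one that later answers quickly gets its RTT reset and is preferred again, while the order in the forwarders list itself never matters.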

Regarding forward only / forward first this is described in the forwarding section of the manual:

forward

This option is only meaningful if the forwarders list is not empty. A value of first, the default, causes the server to query the forwarders first — and if that doesn't answer the question, the server will then look for the answer itself. If only is specified, the server will only query the forwarders.


How multiple entries in a forwarders { server1; server2; }; list are used does not seem to be detailed in the manual.

That said, word on the street suggests that forwarder selection works much the same as NS selection (maybe exactly the same?), which would make a lot of sense.

In that case, the order in which the servers are listed has no significance; instead all of the servers are used to some extent, the round-trip time (RTT) of queries to the different servers is tracked and the fastest servers are preferred and will receive the bulk of the queries, while a failing or non-responding server is penalized with a very high "RTT".

Håkan Lindqvist
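The two forward settings from the manual excerpt above, as an added configuration example that is not from the original post or from the BIND documentation. The addresses are documentation placeholders and the zone name is assumed; it shows the global default (forward first) next to a per-zone override where falling back to the root hints would be wrong.

```conf
// Added example, not from the page or the BIND manual: a minimal named.conf
// showing "forward first" globally and "forward only" for one private zone.
// 192.0.2.x and 198.51.100.x are documentation addresses, not real resolvers.
options {
    directory "/var/cache/bind";
    recursion yes;

    // Global policy. "first" is the default: ask the forwarders, and if they
    // SERVFAIL or time out, resolve iteratively from the root hints instead.
    // An NXDOMAIN from a forwarder is an answer and does not trigger fallback.
    forwarders { 192.0.2.53; 192.0.2.54; };
    forward first;
};

// A private zone that only the internal resolvers can answer. With
// "forward only" the server never consults the root hints for this name
// space, so a broken forwarder yields SERVFAIL rather than a public NXDOMAIN
// that would be cached and hide the real problem.
zone "corp.example." {
    type forward;
    forward only;
    forwarders { 198.51.100.53; };
};
```

After reloading, a query for a name under corp.example. while 198.51.100.53 is down should come back SERVFAIL, whereas a public name with both global forwarders down still resolves via the root hints; that pair of checks confirms which mode each name space is actually using.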