Configuring DNS Recursion and Forwarder Settings
Configuring DNS recursion settings
DNS recursion is the process by which a DNS server queries other DNS servers to resolve a name that is not in one of its own authoritative zones. The recursion settings govern how long the server waits for those upstream answers and, more importantly, who is allowed to make it recurse: a server that recurses for anyone on the internet is an open resolver that can be abused for cache poisoning and for reflection/amplification attacks, so recursion should be enabled only where it is needed. The image illustrates the interface for configuring DNS recursion settings in a Microsoft DNS environment.
How to configure DNS recursion settings
- Get into the DNS module.
- Select Config menu. On the Configuration page, navigate to the DNS Recursion Settings tab.
- The DNS Recursion Settings page appears. Here enter the following essential details:

- ADDITIONAL TIMEOUT: Specify the additional time (in seconds) the DNS server will wait for a response after the initial timeout period has expired. This helps in extending the wait time for responses from remote servers, which can be useful in environments with network latency.
Note: The valid range is 0x0 to 0xF (0 to 15 seconds), inclusive. The default, and the value we suggest unless you have measured a need for more, is 4.
- RETRY INTERVAL: Define the interval (in seconds) between retry attempts when the DNS server does not receive a response. This property determines how frequently the DNS server will retry the query to get a response from another DNS server.
Note: If the property is left undefined or zero, the DNS server will retry after three seconds. Valid values range from 1 to 15 seconds.
Generally, we recommend keeping this property unchanged. However, there are specific situations where adjusting it may be beneficial. For instance, if a DNS server communicates with a remote server over a slow connection and retries the lookup before receiving a response, consider increasing the retry interval to just above the typical response time observed.
- TIMEOUT: Set the total time (in seconds) the DNS server will wait for a response before giving up on the query. This helps in determining the maximum wait time for responses to DNS queries, ensuring timely query resolution.
Note: The valid range for this property is 0x1 to 0xF (1 to 15 seconds). The default is 0x8 (8 seconds). Increase this value only when recursion happens over a slow link; a higher timeout also lengthens how long a flood of unresolvable queries keeps server resources tied up.
- RECURSION ENABLE: Toggle to enable or disable DNS recursion on the server. When enabled, the DNS server performs recursive queries to resolve names it is not authoritative for. When disabled, the server answers only queries for zones it hosts. Disable recursion on authoritative-only servers, especially internet-facing ones; note that on Microsoft DNS disabling recursion also disables the use of forwarders.
- SECURE RESPONSE: Determines whether the DNS server filters the records in a response against the zone of authority of the remote server that sent it, to prevent cache pollution. With Yes, the server caches only records that belong to the queried remote server's zone of authority and discards out-of-bailiwick additional records. With No, the server caches every record the remote server returns, which lets a malicious or compromised upstream server plant entries for unrelated names in the cache. Leave this set to Yes.
- Click Save to apply the settings.
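The procedure above applies the settings through the DDI Central interface. As an added example, and not code from DDI Central or from Microsoft, the following script applies the same recursion settings on a Microsoft DNS server with the DnsServer PowerShell module, reads them back, and shows the two hardening choices the settings alone do not give you: turning recursion off on an authoritative-only server, or, on a server that must also resolve for the LAN, limiting recursion to internal clients with a recursion scope and a query-resolution policy. The server name dns01.corp.example, the internal subnet 10.0.0.0/8, the public address 203.0.113.53 and the scope, subnet and policy names are assumptions for illustration.

```powershell
# Added example (not DDI Central's or Microsoft's own code). Requires the
# DnsServer module (Windows Server 2016 or later for the recursion-scope part).
# Assumed: DNS server dns01.corp.example, internal clients in 10.0.0.0/8.
$Server = 'dns01.corp.example'   # assumed server name

# 1. The values shown on this page (4 / 3 / 8 seconds) with SecureResponse on,
#    so out-of-bailiwick records from an upstream server are never cached.
Set-DnsServerRecursion -ComputerName $Server `
    -Enable $true `
    -AdditionalTimeout 4 `
    -RetryInterval 3 `
    -Timeout 8 `
    -SecureResponse $true

# 2. Read the settings back and stop if SecureResponse did not take effect.
$r = Get-DnsServerRecursion -ComputerName $Server
$r | Format-List Enable, AdditionalTimeout, RetryInterval, Timeout, SecureResponse
if (-not $r.SecureResponse) { throw "SecureResponse is off on $Server" }

# 3a. Authoritative-only, internet-facing server: turn recursion off entirely.
#     On Microsoft DNS this also disables the use of forwarders.
# Set-DnsServerRecursion -ComputerName $Server -Enable $false

# 3b. Mixed server (authoritative for public zones, resolver for the LAN):
#     keep recursion on, but disable it in the default scope '.' and allow it
#     only for the assumed internal subnet through a query-resolution policy.
#     Clients outside that subnet get non-recursive answers, so the server
#     cannot be used as an open resolver.
Add-DnsServerClientSubnet   -ComputerName $Server -Name 'InternalClients'   -IPv4Subnet '10.0.0.0/8'
Add-DnsServerRecursionScope -ComputerName $Server -Name 'InternalRecursion' -EnableRecursion $true
Set-DnsServerRecursionScope -ComputerName $Server -Name '.' -EnableRecursion $false
Add-DnsServerQueryResolutionPolicy -ComputerName $Server -Name 'AllowInternalRecursion' `
    -Action ALLOW -ApplyOnRecursion -RecursionScope 'InternalRecursion' `
    -ClientSubnet 'EQ,InternalClients'

# 4. Verify from outside the internal subnet: an open resolver answers for a
#    name it does not host. Run this from an external vantage point against the
#    server's assumed public address; an answer here means step 3 is not in effect.
$probe = Resolve-DnsName -Name 'www.example.com' -Type A -Server '203.0.113.53' `
    -DnsOnly -ErrorAction SilentlyContinue
if ($probe) {
    Write-Warning "Recursion is open to external clients on $Server"
} else {
    'Recursion refused for external clients'
}
```

Step 3b is the Microsoft-documented split of recursion into scopes: the default scope "." is what every query falls into unless a policy assigns it elsewhere, so disabling recursion there and allowing it only through the policy is what closes the open-resolver hole. The probe in step 4 is a heuristic (Resolve-DnsName does not expose the RA flag); run it from a host that is not in the allowed subnet, or it will succeed by design.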
Benefits of configuring DNS recursion properly:
- Optimized Query Response: Proper timeout and retry settings ensure that DNS queries are resolved efficiently, reducing wait times for end-users.
- Enhanced Security: Enabling secure responses keeps out-of-bailiwick records out of the cache, which blocks the classic cache-pollution path used by DNS spoofing attacks; limiting recursion to the clients that need it keeps the server from being abused as an open resolver.
- Improved Reliability: By configuring appropriate retry intervals and timeouts, the DNS server can handle network latency and temporary failures more gracefully, improving overall reliability.
Configuring DNS recursion settings in Microsoft DNS is essential for ensuring efficient, secure, and reliable resolution of domain names. By adjusting timeout values, enabling recursion, and securing responses, administrators can optimize their DNS infrastructure to meet the specific needs of their network environment.
Configuring DNS Forwarders for your Microsoft DNS infrastructure
What are DNS forwarders and how do they work?
DNS forwarders are servers in a DNS infrastructure that handle queries that the local DNS server cannot resolve. When the local DNS server receives a query for a domain that it is not authoritative for and does not have a cached answer, it forwards the query to another external DNS server specified as a forwarder for resolution.
Why use DNS Forwarders?
- Improved Query Resolution: Forwarding to a resolver with a larger, warmer cache (for example a central internal resolver) returns answers faster than iterating from the root for every miss.
- Reduced Network Traffic: Forwarders can help reduce the amount of DNS traffic on the network by reducing the need for the local DNS server to recursively query other DNS servers on the internet.
- Centralized Control: Forwarders allow for centralized control of DNS query processing, making it easier to manage DNS traffic and policies.
- Enhanced Security: Using forwarders can enhance security by allowing only specific DNS servers to communicate with external DNS servers, reducing the attack surface.
How to configure DNS Forwarders in DDI Central?
To configure DNS forwarders for your Microsoft DNS servers:
- Get into the DNS module
- Select the Config menu within the DNS module.
- On the Configuration page, navigate to the DNS Recursion Settings tab.
- On the DNS Recursion Settings page, locate the Forwarders List text box. Enter the IP addresses of the DNS servers to which queries will be forwarded; IPv4 and IPv6 addresses are both accepted. These must be recursive resolvers you control or trust (an internal resolver tier or your provider's resolvers), not authoritative servers, since a forwarder answers on your server's behalf and whatever it returns ends up in your cache.
Note: Priority follows the order in which the addresses are entered: the DNS server tries the first forwarder, and only if it does not respond within the timeout does it move on to the next one. Microsoft DNS can additionally reorder forwarders by observed response time (the EnableReordering server setting), in which case the configured order is only the initial order.
If you've enabled DNS recursion, DDI Central requires a Forwarders list as well. Note that a Microsoft DNS server with recursion enabled and no forwarders does not stop resolving non-hosted names: it iterates from its root hints instead, which bypasses any filtering or logging your forwarders provide. The forwarders list is therefore where you control which servers your DNS server talks to on the internet.
- Enter the TimeoutM value (the forwarder timeout, in seconds), which specifies the maximum time the DNS server waits for a response from one forwarder before trying the next forwarder or giving up. The minimum value is 0, the maximum value is 15, and the default is 5.
- Once you have entered the desired forwarder IP addresses and set the timeout, click the Save button to apply the configuration.
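The steps above set the forwarders through DDI Central. As an added example, and not code from DDI Central or from Microsoft, the following script does the same on a Microsoft DNS server with the DnsServer PowerShell module: it first checks that each candidate forwarder actually recurses, then sets the ordered list and the 5-second timeout from this page, disables the root-hint fallback so that only the listed servers ever carry the server's outbound lookups, and verifies the result. The server name dns01.corp.example and the forwarder addresses 10.1.1.10 and 10.1.1.11 are assumptions for illustration.

```powershell
# Added example (not DDI Central's or Microsoft's own code). Requires the
# DnsServer module. Assumed: DNS server dns01.corp.example; two internal
# recursive resolvers, 10.1.1.10 and 10.1.1.11, tried in that order.
$Server     = 'dns01.corp.example'
$Forwarders = @('10.1.1.10', '10.1.1.11')   # list order = priority

# 1. Before handing a resolver all outbound lookups, confirm it recurses for us.
#    A forwarder that refuses recursion only adds the timeout to every cache miss.
foreach ($fwd in $Forwarders) {
    $ans = Resolve-DnsName -Name 'www.example.com' -Type A -Server $fwd `
        -DnsOnly -ErrorAction SilentlyContinue
    if (-not $ans) { throw "Forwarder $fwd did not resolve a test name; not configuring it" }
}

# 2. Replace the forwarder list (Set- overwrites; Add-DnsServerForwarder appends)
#    with the page's 5-second timeout.
#    -UseRootHint $false: if every forwarder fails, the query fails instead of the
#      server silently iterating from the root, which would let it reach arbitrary
#      internet servers and defeat the point of restricting egress to forwarders.
#    -EnableReordering $false: keep the configured order strictly rather than
#      letting the server reorder forwarders by response time.
Set-DnsServerForwarder -ComputerName $Server -IPAddress $Forwarders `
    -Timeout 5 -UseRootHint $false -EnableReordering $false

# 3. Read it back; IPAddress is the order the server will try.
Get-DnsServerForwarder -ComputerName $Server |
    Format-List IPAddress, Timeout, UseRootHint, EnableReordering

# 4. End-to-end check: a non-hosted name resolves through the forwarders, and a
#    name in the server's own zone is still answered authoritatively.
Resolve-DnsName -Name 'www.example.com'   -Type A -Server $Server -DnsOnly
Resolve-DnsName -Name 'dns01.corp.example' -Type A -Server $Server -DnsOnly
```

Pair this with an egress firewall rule that allows UDP/TCP 53 from the DNS server only to the listed forwarders: with the root-hint fallback disabled the server has no legitimate reason to contact any other address, so any other outbound DNS from it is a signal worth alerting on.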
By following these steps, the DNS server will forward unresolved queries to the specified forwarder servers, enhancing the efficiency and reliability of DNS resolution within your network.