DNS forwarding - everything you need to know

DNS forwarding plays a crucial role in efficient name resolution on the Internet. It ensures that DNS queries are passed on to other servers if the requesting server itself is unable to provide an answer - this improves response times and reduces unnecessary network load.

Key points

  • Conditional forwarding: forwarding of specific domains according to defined rules
  • Recursive forwarding: query processing by a third DNS server
  • Cache vs. forwarding: different strategies for improving performance
  • DNS records: A and AAAA records control the resolution
  • Network security: protection against external visibility is crucial for companies

What is DNS forwarding?

With DNS forwarding, a DNS server passes queries that it cannot resolve itself to another specified server. This second server - often referred to as a forwarder - then takes over the resolution. This procedure is often used in internal networks to centralize DNS tasks. At the same time, it improves performance, as forwarders avoid unnecessary queries to the DNS root servers. The result is an efficient process that brings measurable benefits, especially for large IT infrastructures.

Types of DNS forwarding and their use

There are two main types: conditional and recursive forwarding. Conditional forwarding is based on definable rules - it is used to bind specific domains to specific servers. The recursive variant, on the other hand, works generically and forwards all unresolvable queries to a central server, which handles all name resolution. This ensures centralized administration and relieves the burden on smaller servers.

DNS forwarding vs. DNS caching

A common mistake is to confuse DNS forwarding with DNS caching. Forwarding means that a query is deliberately sent to another DNS server, whereas caching temporarily stores results that have already been resolved. This reduces the network load for repeated queries. Both methods can be combined and take on different roles in the DNS.

Especially in larger networks, it is common to use both in order to distribute traffic as efficiently as possible. DNS forwarders forward the request to a central resolver, while caching holds the response for a certain period of time (TTL) after successful resolution. The choice of the appropriate configuration depends on the intended use, the size of the network and the security requirements.
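The interplay described above, as an added example that is not part of the original article: a simulated forwarder that keeps answers in a cache for the lifetime of their TTL and only forwards again once the TTL has lapsed. The upstream records, TTL values and the clock are constructed so the example runs offline and shows deterministically how a very short TTL causes a query to be forwarded almost every time, while a sensible TTL is served from cache.

```python
"""Added example (not from the article): a TTL-bounded cache in front of a forwarding step."""
from dataclasses import dataclass


@dataclass
class CachedAnswer:
    address: str
    expires_at: float  # absolute simulated time at which the record must be fetched again


class CachingForwarder:
    """Serves repeated queries from cache until the TTL lapses, then forwards again.

    `upstream` is a callable (qname, qtype) -> (address, ttl_seconds) standing in for the
    forwarder; `clock` is a callable returning the current time, injected so that elapsed
    time can be simulated without waiting.
    """

    def __init__(self, upstream, clock):
        self.upstream = upstream
        self.clock = clock
        self.cache = {}
        self.upstream_queries = 0  # how often a query actually had to be forwarded

    def resolve(self, qname, qtype="A"):
        # Normalise the key: DNS names are case-insensitive and may carry a trailing dot.
        key = (qname.rstrip(".").lower(), qtype.upper())
        now = self.clock()
        hit = self.cache.get(key)
        if hit is not None and hit.expires_at > now:
            return hit.address, "cache"
        address, ttl = self.upstream(*key)
        self.upstream_queries += 1
        self.cache[key] = CachedAnswer(address, now + ttl)
        return address, "forwarded"


class FakeClock:
    """Simulated clock so the example can advance time deterministically."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


# Constructed upstream records with deliberately different TTLs to show the trade-off.
UPSTREAM_RECORDS = {
    ("www.example.com", "A"): ("192.0.2.10", 300),  # five-minute TTL
    ("api.example.com", "A"): ("192.0.2.20", 5),    # very short TTL: re-forwarded almost every time
}


def fake_upstream(qname, qtype):
    """Stand-in for the forwarder: returns (address, ttl) from the constructed table."""
    return UPSTREAM_RECORDS[(qname, qtype)]


def simulate(interval=10, rounds=6):
    """Query both names every `interval` seconds; count how many forwards each TTL caused."""
    clock = FakeClock()
    fwd = CachingForwarder(fake_upstream, clock)
    forwards = {"www.example.com": 0, "api.example.com": 0}
    for _ in range(rounds):
        for name in forwards:
            _, source = fwd.resolve(name)
            if source == "forwarded":
                forwards[name] += 1
        clock.advance(interval)
    return forwards


if __name__ == "__main__":
    print(simulate())  # www.example.com is forwarded once, api.example.com on every round
```

With a query every ten seconds over six rounds, the five-minute record is forwarded once and then served from cache, whereas the five-second record is forwarded on every round. A real resolver additionally decrements the TTL in the answers it hands to clients, which the simulation omits.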

Technical implementation in practice

A practical example: A company operates its own DNS servers for different departments. Using conditional forwarding, queries relating to the departmental domain "marketing.intern", for example, are answered directly by the responsible internal DNS server. This bypasses the entire external DNS tree. This targeted separation increases security and reduces latency.

When setting up such a structure, it is important to define clear responsibilities. Administrators need to know which DNS zone is served by which internal server and how external domains are resolved. In addition, central forwarders should be designed with as much redundancy as possible to ensure that DNS name resolution continues to function in the event of a failure. In many company environments, at least two forwarders are therefore configured so that there is no interruption during server maintenance or malfunctions.

DNS records: Key to resolution

Each domain uses certain DNS records - in particular the A and AAAA records. These records store IP addresses (IPv4 or IPv6) for the domain and provide the client with an address for the connection. During DNS forwarding, the server to which the query is forwarded returns these records so that the correct address is obtained. If you want to change your DNS settings with IONOS, for example, the IONOS guide to DNS settings provides helpful steps.

In addition to A and AAAA records, other resource entries such as CNAME (alias entry) or MX entries (for mail servers) play a role. When forwarding internal domains to external servers in particular, it must be ensured that all relevant entries are stored correctly. Anyone dealing with more complex DNS issues will also come across aspects such as SPF, DKIM and DMARC entries, which secure email communication. If one of these entries is missing, problems can occur even if forwarding has been set up correctly.

Advantages of DNS forwarding

DNS forwarding brings measurable benefits. It saves bandwidth, reduces response times and protects sensitive network structures. It also enables centralized management of DNS queries. Companies benefit because they can better shield their internal processes. The main advantage lies in increased efficiency combined with increased security.

Administration is also easier if a handful of central forwarders coordinate the resolution instead of many decentralized DNS servers. Rolling out changes - for example for new subdomains - can thus be controlled centrally. Lengthy searches in individual DNS zones are no longer necessary, as the forwarders generally follow a clearly documented set of rules. Troubleshooting is also easier: you can specifically check whether the query is being forwarded correctly and where a fault may be occurring.

Comparison of DNS operating modes

The following table summarizes the differences between simple DNS operation, forwarding and caching:

DNS mode             Functionality                             Advantage                             Use
Standard operation   Direct query along the DNS hierarchy      Independent of central servers        Small networks
Forwarder            Forwarding to a defined DNS server        Simple administration                 Medium and large networks
Caching              Storing answers                           Quick response for repeated queries   All networks

What role does DNS forwarding play for companies?

Corporate networks use DNS forwarding specifically to demarcate internal communication. Particularly in multi-domain environments, conditional forwarding enables targeted control of DNS traffic. Administrators retain control over which queries are processed internally or externally. In addition, the use of external DNS services can be reduced - ideal for combining data protection and performance. STRATO customers can set up forwarding for their domain in just a few steps.

Especially in sensitive areas with strict compliance rules - such as banks or public authorities - conditional forwarding is indispensable. It ensures that internal resources are not accidentally resolved via external DNS services. In this way, control over data flows remains in-house. At the same time, the level of security is increased, as communication channels are easier to trace and less susceptible to manipulation.

Configuration of DNS Forwarding

Configuration is usually carried out via the server platform or the DNS server itself. Recursive forwarding can be set up there as a default fallback, or targeted forwarding can be defined (e.g. for specific domains). It is important to design the forwarding in such a way that loops or incorrect target servers are prevented. Modern server solutions offer graphical user interfaces and logging options for analysis. The result is a stable DNS system with clearly defined paths.

Typical steps include entering forwarders in Microsoft DNS or customizing named.conf in BIND under Linux. Here you specifically define which external or internal server the queries for certain zones are sent to. A common tip is to always specify several forwarder entries so that an alternative DNS server is available in the event of a failure. To test the configuration, tools such as nslookup or dig can be used to send targeted queries.
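A minimal BIND 9 named.conf fragment of the kind the steps above describe, added here as an illustration and not taken from the article or from any vendor documentation. The addresses, zone names and network ranges are constructed; the validate-except statement assumes a recent BIND 9 release, since older 9.x versions do not know it.

```conf
options {
    directory "/var/cache/bind";

    // Recursion only for internal clients. "allow-recursion { any; };" would
    // turn this server into an open resolver, which the article warns against.
    recursion yes;
    allow-recursion { 10.0.0.0/8; 192.168.0.0/16; };

    // Two central forwarders so maintenance of one does not stop name resolution.
    forwarders { 10.0.0.53; 10.0.1.53; };
    forward only;

    // Validate DNSSEC on the answers the forwarders return. The private "intern"
    // tree is not signed from the root, so validation is switched off beneath it.
    dnssec-validation auto;
    validate-except { "intern"; };
};

// Conditional forwarding: everything under marketing.intern goes to the
// marketing department's own servers instead of the central forwarders.
zone "marketing.intern" {
    type forward;
    forward only;
    forwarders { 10.10.0.53; 10.10.0.54; };
};

// Query logging to a rotated file, used later for monitoring and forensics.
logging {
    channel query_log {
        file "/var/log/named/query.log" versions 5 size 20m;
        print-time yes;
    };
    category queries { query_log; };
};
```

After reloading, a query such as dig @<server> crm.marketing.intern A should be answered via the departmental forwarders, while a query for an external name should take the path via 10.0.0.53 or 10.0.1.53; the query log shows both.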

Common mistakes and how to avoid them

Classic errors include entering forwarding destinations that cannot be reached. Incomplete domain names in the rules can also lead to misrouting. If you check your DNS infrastructure regularly, you can avoid long loading times and resolver errors. In addition, no open DNS resolvers should be configured - they offer gateways for attacks. A stable set of rules ensures that DNS queries take targeted paths and are not scattered across networks.

Correct values for the validity period (TTL) must also be set. A TTL value that is too short leads to unnecessarily frequent queries, while a TTL that is too long is problematic if IP addresses change quickly. It should also be assessed whether recursive forwarding is even necessary in certain zones. If forwarders are entered incorrectly, endless loops can occur in which query and response no longer match. Proper documentation of the DNS topology is therefore essential.
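The departmental example above (queries for marketing.intern answered by the department's own server, with two forwarders for redundancy) and the configuration pitfalls just described (unreachable destinations, incomplete domain names, loops) can be reasoned through in one small simulation. This is an added example, not code from the article: server names, zone names and addresses are constructed, and the topology deliberately contains one failed forwarder and one rule that points back to its origin so that failover and loop detection are both exercised.

```python
"""Added example (not from the article): a simulated conditional-forwarding topology.

`resolve` follows the forwarding chain the way an administrator reasons about it:
longest-matching conditional rule first, default forwarders otherwise, failover to the
next forwarder in the list if one is down, and a stop when the chain loops back to a
server it has already visited.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class DnsServer:
    name: str
    # conditional rules: zone -> ordered list of forwarder names, tried in that order
    rules: dict[str, list[str]] = field(default_factory=dict)
    # default forwarders for every name without a matching rule
    forwarders: list[str] = field(default_factory=list)
    # names this server answers itself (constructed A records)
    authoritative: dict[str, str] = field(default_factory=dict)
    up: bool = True


def select_forwarders(server: DnsServer, qname: str):
    """Return (matched_zone, forwarder_list); the longest matching zone wins.

    Matching is done label by label, so a rule for "marketing.intern" covers
    "crm.marketing.intern" but not "evilmarketing.intern".
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in server.rules:
            return zone, server.rules[zone]
    return None, server.forwarders


def resolve(topology: dict[str, DnsServer], start: str, qname: str, max_hops: int = 8):
    """Walk the forwarding chain from `start`; return (answer, path, error)."""
    path, visited = [start], {start}
    current = topology[start]
    while True:
        answer = current.authoritative.get(qname.rstrip(".").lower())
        if answer is not None:
            return answer, path, None
        _zone, candidates = select_forwarders(current, qname)
        if not candidates:
            return None, path, "no forwarder configured"
        # redundancy: the first reachable forwarder in the list is used
        nxt = next((c for c in candidates if c in topology and topology[c].up), None)
        if nxt is None:
            return None, path, "all forwarders unreachable"
        if nxt in visited:
            return None, path + [nxt], "forwarding loop"
        if len(path) >= max_hops:
            return None, path, "hop limit exceeded"
        visited.add(nxt)
        path.append(nxt)
        current = topology[nxt]


def build_topology() -> dict[str, DnsServer]:
    """Constructed topology: a branch server, departmental servers, central forwarders."""
    return {
        "branch-dns": DnsServer(
            "branch-dns",
            rules={
                "marketing.intern": ["mkt-dns-1", "mkt-dns-2"],
                "sales.intern": ["loop-dns"],  # misconfigured, see loop-dns below
            },
            forwarders=["central-1", "central-2"],
        ),
        # first departmental server is down; the second one takes over
        "mkt-dns-1": DnsServer("mkt-dns-1", authoritative={"crm.marketing.intern": "10.10.5.20"}, up=False),
        "mkt-dns-2": DnsServer("mkt-dns-2", authoritative={"crm.marketing.intern": "10.10.5.20"}),
        "central-1": DnsServer("central-1", authoritative={"www.example.com": "192.0.2.10"}),
        "central-2": DnsServer("central-2", authoritative={"www.example.com": "192.0.2.10"}),
        # points the sales zone straight back at the branch server: a forwarding loop
        "loop-dns": DnsServer("loop-dns", rules={"sales.intern": ["branch-dns"]}),
    }


if __name__ == "__main__":
    topo = build_topology()
    for name in ("crm.marketing.intern", "www.example.com", "intranet.sales.intern"):
        print(name, resolve(topo, "branch-dns", name))
```

Running the three queries shows the departmental name answered by mkt-dns-2 after the failover, the external name answered via central-1, and the sales query aborted with a "forwarding loop" and the full path that produced it, which is exactly the information a topology document should let you reconstruct by hand.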

Advanced aspects of DNS forwarding

Modern IT architectures are complex and often include hybrid cloud environments in which services are operated partly locally and partly in the cloud. Here, DNS forwarding can help to direct access from the internal company network to the cloud or vice versa. Split-brain DNS - i.e. the separation into an internal and an external zone of the same domain - can also be implemented using conditional forwarding. It is important to strictly separate the different views of the domain so that internal resources remain protected from external views.

In addition, the protection of DNS queries by DNSSEC (Domain Name System Security Extensions) is becoming increasingly important. DNSSEC ensures, by signing the data, that DNS data has not been manipulated en route. In a forwarding environment, the forwarders must be able to process DNSSEC-validated responses correctly. This requires an end-to-end security chain in which every DNS server involved understands DNSSEC. Even if DNSSEC is not mandatory in all corporate networks, many security strategies rely precisely on this technology.

Monitoring and logging of DNS forwarding

Comprehensive monitoring allows bottlenecks to be identified more quickly. DNS servers can be monitored using tools such as Prometheus or Grafana to measure latency and response times. This provides an insight into the performance of the forwarders and can quickly uncover weak points such as overloaded DNS instances. Logging options - for example in Microsoft Windows DNS or in BIND - show when and how often queries are sent to certain forwarders. This data can be used not only to detect attacks, but also to identify optimization potential, for example when placing a new, local DNS server.

Detailed logging is also particularly valuable for forensic analyses. For example, if an internal attacker attempts to access malicious domains, these attempts can be clearly traced in the log data. DNS forwarding therefore not only contributes to performance, but also to security if it is properly monitored and documented. In large IT landscapes, this even becomes a prerequisite for effective incident management.
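How such log data is actually put to use, as an added example that is not part of the article: a small parser for query-log lines in the shape BIND 9 writes them, which attributes each query to the forwarder group its conditional rule would select, counts queries per client, and flags queries for domains on an internal watchlist. The log lines, the zone-to-forwarder mapping and the watchlist entry are all constructed; the watchlist domain is a placeholder for whatever the organisation's own threat intelligence supplies.

```python
"""Added example (not from the article): summarising a BIND-style query log for forwarding review."""
import re
from collections import Counter

# Line shape follows the BIND 9 "queries" logging category with print-time enabled.
# The optional "@0x..." handle appears in newer BIND releases; the trailing server
# address in parentheses is not needed here and is left unmatched.
QUERY_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

# Conditional-forwarding zones as documented for the server (constructed to match the
# article's departmental example); anything else goes to the default forwarders.
FORWARD_ZONES = {
    "marketing.intern": "mkt-forwarders",
    "intern": "central-forwarders",
}
DEFAULT_TARGET = "default-forwarders"

# Placeholder watchlist of domains classified as malicious by the organisation (constructed).
WATCHLIST = {"bad.example.net"}

# Constructed sample log; the last line is deliberately not a query entry.
SAMPLE_LOG = """\
25-Mar-2024 10:15:32.123 client @0x7f3c1c0b2a60 10.0.0.5#53412 (crm.marketing.intern): query: crm.marketing.intern IN A +E(0)K (10.0.0.53)
25-Mar-2024 10:15:32.410 client @0x7f3c1c0b2a60 10.0.0.5#53413 (crm.marketing.intern): query: crm.marketing.intern IN AAAA +E(0)K (10.0.0.53)
25-Mar-2024 10:15:33.002 client @0x7f3c1c0b2a60 10.0.0.7#40001 (wiki.intern): query: wiki.intern IN A +E(0)K (10.0.0.53)
25-Mar-2024 10:15:34.555 client @0x7f3c1c0b2a60 10.0.0.9#51000 (www.example.com): query: www.example.com IN A +E(0)K (10.0.0.53)
25-Mar-2024 10:15:35.001 client @0x7f3c1c0b2a60 10.0.0.9#51001 (bad.example.net): query: bad.example.net IN A +E(0)K (10.0.0.53)
this line is not a query log entry
"""


def parse_query_log(text):
    """Return (entries, skipped): parsed query lines and the count of unparsable lines."""
    entries, skipped = [], 0
    for line in text.splitlines():
        m = QUERY_LOG_RE.match(line)
        if not m:
            skipped += 1
            continue
        entry = m.groupdict()
        entry["qname"] = entry["qname"].rstrip(".").lower()
        entries.append(entry)
    return entries, skipped


def forwarding_target(qname):
    """Attribute a query to the forwarder group its conditional rule selects (longest zone wins)."""
    best = None
    for zone in FORWARD_ZONES:
        if qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return FORWARD_ZONES[best] if best else DEFAULT_TARGET


def summarise(entries):
    """Per-forwarder and per-client query counts plus every watchlist hit with its timestamp."""
    return {
        "per_target": Counter(forwarding_target(e["qname"]) for e in entries),
        "per_client": Counter(e["client"] for e in entries),
        "watch_hits": [(e["ts"], e["client"], e["qname"]) for e in entries if e["qname"] in WATCHLIST],
    }


if __name__ == "__main__":
    parsed, bad = parse_query_log(SAMPLE_LOG)
    report = summarise(parsed)
    print(f"{len(parsed)} queries parsed, {bad} lines skipped")
    print("queries per forwarder group:", dict(report["per_target"]))
    print("queries per client:", dict(report["per_client"]))
    for ts, client, qname in report["watch_hits"]:
        print(f"WATCHLIST {ts} {client} -> {qname}")
```

The per-forwarder counts answer the "how often is each forwarder used" question from the monitoring paragraph, and the watchlist hits, each tied to a timestamp and client address, are the trace the forensic paragraph relies on. Real query logs can be large, so the same parser would normally be run incrementally rather than over a single string.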

Optimal use of DNS forwarding in large infrastructures

In very large networks, multistage forwarding chains are often used. A local forwarder first forwards queries to a regional DNS server, which in turn is bound to a central DNS server in the data center. This hierarchy can reduce latency if the nearest DNS server has already cached the relevant entries. However, the network paths should always be taken into account. A distributed approach only makes sense if the locally deployed forwarders actually provide relief.

Interaction with firewalls and proxies also plays a role. If you want to send DNS queries via encrypted channels (e.g. DNS-over-TLS or DNS-over-HTTPS), you should configure the forwarders accordingly. Not every company proxy supports these new protocols seamlessly. Nevertheless, they are gaining in importance because they protect DNS queries from potential eavesdroppers. In restricted or strictly regulated environments, it is therefore advisable to develop a strategy for encrypted DNS traffic and clearly define which forwarders and protocols are supported.

Summarized: Targeted use of DNS forwarding

DNS forwarding is much more than just a technical measure - it is a tool for controlling network traffic and protecting internal data structures. Whether via conditional rules or recursive queries, those who use this technology strategically will benefit in the long term from reduced server load, higher efficiency and better control. Medium and large infrastructures in particular can hardly manage without forwarding. Its implementation is now standard practice in modern IT architectures.
