
3. DNS server forwarding behaviour

This chapter forms part of the Transition Network guidance for DNS local forwarding and server configuration.

3.1 Forwarding options

When forwarding is used on a DNS server there are two different behaviours that can be configured:

3.1.1 Forward first

A 'local' DNS server may receive one of the following responses from the upstream server it is forwarding to:

  1. Timeout
  2. Non-Existent Domain, NXDOMAIN = an answer does not exist, but a server authoritative for the domain exists and is correctly responding
  3. Server Failure, SERVFAIL = the server believed to be authoritative for a domain either does not respond or indicates it is not authoritative for a domain

The server will then attempt to resolve the name itself using iterative name resolution, starting at the root name servers as configured (for example, on Microsoft DNS servers, those listed in the "Root Hints" tab of the server's Properties), and then follow referrals to obtain an answer.

3.1.2 Forward only

The DNS server will only ever follow the forwarding path. Only answers from the servers this DNS server is forwarding to will be processed. The forwarding DNS server will not attempt to use iterative name resolution (as described above) to try to get an answer if a Timeout, NXDOMAIN, or SERVFAIL is received from the server being forwarded to.

It is important to understand that whatever IP address(es) the DNS server is configured to forward to, forwarding is always performed first. If an answer is received back from a server that has been forwarded to, that answer will be sent back to the client or source initiating the query and no further processing will take place.
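
One way to check which of the two behaviours a Microsoft DNS server is actually using, added here as an illustration and not part of the original guidance. It assumes the DnsServer PowerShell module (RSAT DNS Server Tools) is installed; the function name Get-DnsForwardingMode and the server names in the usage comment are hypothetical.

```powershell
# Added example: report whether each Microsoft DNS server is set to
# "forward first" or "forward only". Read-only; changes nothing.
function Get-DnsForwardingMode {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )

    foreach ($server in $ComputerName) {
        try {
            $fwd = Get-DnsServerForwarder -ComputerName $server -ErrorAction Stop
        } catch {
            # Server unreachable or access denied: report it, keep going.
            [pscustomobject]@{
                Server = $server; Mode = 'Unknown'; Forwarders = $null
                RootHints = $null; Note = $_.Exception.Message
            }
            continue
        }

        # Root hints are where iterative resolution starts on fallback.
        $hints = @(Get-DnsServerRootHint -ComputerName $server -ErrorAction SilentlyContinue)
        $addresses = @($fwd.IPAddress | ForEach-Object { $_.IPAddressToString })

        # UseRootHint corresponds to the "Use root hints if no forwarders
        # are available" setting: true = forward first, false = forward only.
        $mode = if ($addresses.Count -eq 0) { 'No forwarders (iterative only)' }
                elseif ($fwd.UseRootHint) { 'Forward first' }
                else { 'Forward only' }

        $note = ''
        if ($mode -eq 'Forward first' -and $hints.Count -eq 0) {
            $note = 'Fallback enabled but no root hints are configured'
        }

        [pscustomobject]@{
            Server     = $server
            Mode       = $mode
            Forwarders = $addresses -join ', '
            RootHints  = $hints.Count
            Note       = $note
        }
    }
}

# Usage (hypothetical server names):
# Get-DnsForwardingMode -ComputerName 'dns01.example.internal','dns02.example.internal' | Format-Table -AutoSize
```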

Last edited: 12 November 2019 3:03 pm