The NHS TN uses a set of core services provided by BT, the Transition Network Service Provider (TN-SP). One of those services is the internal (nhs.uk) DNS. The TN-SP DNS servers provide central name resolution to any client on the TN. For each query they take one of five actions, tried in the following order:
- Respond authoritatively
- Respond from cached entries (previously queried and "remembered" data)
- For specific DNS domains, FORWARD explicitly to partner DNS servers
- Delegate to other DNS servers (for specific DNS domains or 'zones')
- Iteratively resolve from the internet
The internal TN-SP servers can be queried directly by end clients (resolvers) or by other DNS servers that are local to, and serve, a group of end-user clients.
The internal DNS implementation is summarised in the diagram below.
Figure 1: TN-SP internal (TN) DNS provision
To use the internal DNS infrastructure, clients and servers must be explicitly configured. Workstations, laptops and other hosts need only point at DNS servers that will resolve names for them. How that is done varies with hardware and operating system and is beyond the scope of this document.
For clients (resolvers) to use the internal DNS infrastructure directly, their DNS configuration need only point at the TN network IP addresses of the load-balanced DNS caching server infrastructure, cns0 and cns1.
2019 technical refresh
The TN has completed a technical refresh programme to ensure the core components of the network and key supporting infrastructure (including nhs.uk DNS) continue to perform well during the migration to HSCN.
To facilitate closure of the TN, NHS Digital are running a procurement for a new DNS service. The provider will use NHS Digital IP addresses and all organisations must transition to the new resolution IP addresses.
As part of the DNS refresh, two new resolution IP addresses have been implemented alongside the legacy addresses. The new NHS Digital RIPE addresses, 18.104.22.168 and 22.214.171.124, run concurrently with the legacy BT RIPE addresses, 126.96.36.199 and 188.8.131.52.
Existing configurations that still use the legacy addresses continue to be served by the current internal DNS servers as their 'local' servers: cns0.nhs.uk (184.108.40.206) and cns1.nhs.uk (220.127.116.11).
These legacy addresses are owned and managed by BT and will be decommissioned when the BT TN DNS service is replaced by the alternative service provider, so organisations should plan to move to the NHS Digital addresses rather than treat the legacy ones as permanent.
Current - DNS BT RIPE IP addresses: 126.96.36.199, 188.8.131.52
New - NHS Digital RIPE IP addresses: 18.104.22.168, 22.214.171.124
Any locally-provided DNS servers (typically serving local clients on LANs connected to the TN) need to be configured to use a function called forwarding to reach the TN internal DNS infrastructure. Forwarding is a method by which a DNS server directs some or all of its queries to other DNS server(s), which attempt to resolve the question on behalf of the server doing the forwarding. In other words, it makes the locally-provided 'source' DNS server look exactly like a DNS client to cns0 and cns1. It can be likened to a proxy, in that the server(s) forwarded to do all the work on behalf of the source server; 'proxy' is not DNS nomenclature, but it illustrates the function.
When a DNS server forwards to another server, the query it sends is always of one type, a recursive query. In everyday language a recursive query says to the DNS server: "here is a question; don't come back until you have an answer." This is the same type of query that resolvers (clients) almost universally send.
The other type of query is iterative. It is most commonly used between DNS servers, especially on the internet. Here one server asks another, "here is a question; what is the best answer you can give me?" The reply may be a referral to other servers, and by following a chain of referrals the querying server learns the answer itself. The TN DNS service is designed to answer recursively only for the namespace it is authoritative for, namely nhs.uk. With few exceptions, all other names are resolved iteratively, that is, on a best-endeavour basis.
DNS forwarding always uses recursive queries. This matters because the way Microsoft presents some of its DNS server configuration options can confuse administrators, owing to unclear wording. This is covered in section 5 and section 6 of this document.
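To make the recursive-versus-iterative distinction concrete, and to give a way of checking what the servers listed above actually do, here is a small Python script added for this page (it is not BT or NHS Digital tooling). It builds a query with the RD (recursion desired) bit set, as a resolver or a forwarding DNS server would, or cleared, as an iterative query, and decodes the reply header's AA, RA and RCODE fields into the behaviours listed at the top of the page. The sample reply headers are constructed, not captured from cns0 or cns1; the query() helper is the only part that touches the network and assumes plain UDP on port 53 to whatever address you pass it.

```python
"""Probe a DNS server's behaviour with recursive (RD=1) and iterative (RD=0)
queries and decode the reply header. Added example for this page; it is not
BT or NHS Digital tooling."""
import socket
import struct

# Header flag bits, RFC 1035 section 4.1.1.
QR = 1 << 15  # message is a response
AA = 1 << 10  # authoritative answer
RD = 1 << 8   # recursion desired: set by the querier
RA = 1 << 7   # recursion available: set by the server in its reply
RCODE_MASK = 0xF


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels, zero terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, recurse=True):
    """Return a single-question DNS query (qtype 1 = A, class IN).
    recurse=True is what a resolver or a forwarding DNS server sends;
    recurse=False is an iterative query and leaves RD clear."""
    flags = RD if recurse else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte header into the fields that matter here."""
    txid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "response": bool(flags & QR),
        "authoritative": bool(flags & AA),
        "recursion_desired": bool(flags & RD),
        "recursion_available": bool(flags & RA),
        "rcode": flags & RCODE_MASK,
        "answers": an,
        "authority": ns,
        "additional": ar,
    }


def classify(hdr):
    """Name the behaviour the reply shows, using the terms of the page."""
    if not hdr["response"]:
        return "not a response"
    if hdr["rcode"] == 5:
        return "refused: server will not serve this client"
    if hdr["rcode"] == 3:
        return "name does not exist"
    if hdr["rcode"] != 0:
        return "error rcode %d" % hdr["rcode"]
    if hdr["authoritative"]:
        return "authoritative answer"
    if hdr["answers"]:
        return "answered on our behalf (cache, forward or recursion)"
    if hdr["authority"]:
        return "referral: server did not recurse, follow the NS records"
    return "empty reply"


def query(server, name, recurse=True, timeout=2.0):
    """Send one UDP query to server:53 and return the parsed reply header.
    This is the only function that uses the network."""
    q = build_query(name, recurse=recurse)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != parse_header(q)["id"]:
        raise ValueError("reply transaction id does not match the query")
    return hdr


# Constructed 12-byte reply headers (question and answer sections omitted),
# one per behaviour; not captured from cns0/cns1.
SAMPLE_AUTHORITATIVE = struct.pack("!HHHHHH", 0x1234, QR | AA | RD | RA, 1, 1, 0, 0)
SAMPLE_RECURSIVE = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)
SAMPLE_REFERRAL = struct.pack("!HHHHHH", 0x1234, QR, 1, 0, 2, 2)
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, QR | RD | 5, 1, 0, 0, 0)

if __name__ == "__main__":
    for label, sample in [("authoritative", SAMPLE_AUTHORITATIVE),
                          ("recursive", SAMPLE_RECURSIVE),
                          ("referral", SAMPLE_REFERRAL),
                          ("refused", SAMPLE_REFUSED)]:
        print("%-14s %s" % (label, classify(parse_header(sample))))
    # Live check against a resolver you are about to point clients at:
    # print(classify(query("18.104.22.168", "www.nhs.uk", recurse=False)))
```

In practice the RA bit is the thing to look at before pointing a forwarder at a server: a forwarding DNS server sends recursive queries and does no resolution work of its own, so if the server it forwards to replies with RA clear (or a referral in the authority section) for names outside nhs.uk, the forwarder has nobody doing the work and clients will see failures. An nhs.uk name should come back with AA set; an external name should come back with RA set and answers present. The same probe, sent from an address the service should not be serving, also tells you whether the server is acting as an open resolver.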