The HSCN provides a set of core services including the (nhs.uk) internal DNS. The DNS servers provide central name resolution services to any client on either the HSCN or TN. These servers will take one of five actions, in the following sequence:
- Respond authoritatively
- Respond from cached entries (previously queried and “remembered” data)
- For specific DNS domains, FORWARD explicitly to partner DNS servers
- Delegate to other DNS servers (for specific DNS domains or ‘zones’)
- Attempt to resolve from the internet
The internal DNS servers can be queried directly by end clients (resolvers) or other DNS servers local to a group of end-user clients.
The internal DNS implementation is summarised in the diagram below.
Figure 1 shows the TN-SP internal (TN) DNS provision
To utilise the internal DNS infrastructure, clients and servers must be explicitly configured. Workstations, laptops, and other hosts need only to point to DNS servers that will provide them with name resolution. Workstation configuration varies with hardware and operating system implementation and is beyond the scope of this document.
For the internal DNS infrastructure to be used directly by clients (resolvers), their DNS configurations need only to point to the TN network IP addresses of load-balanced DNS caching server infrastructure - cns0 and cns1.
To utilise the internal DNS, a HSCN connected end-user device may be configured in one of two ways:
- end-user devices at smaller sites with little or no local infrastructure may be configured to send queries directly to the HSCN DNS servers
- larger sites with many users commonly configure devices to send queries to a local DNS server which is configured to forward queries to the HSCN DNS on their behalf and caches the result to improve lookup times for commonly requested resources.
The existing HSCN DNS server IP addresses will be decommissioned when the TN contract ends and, to ensure continuity of service, new DNS server IP addresses have been enabled in parallel. It is necessary for all HSCN organisations to modify their configurations during the period of parallel operation. The DNS service that succeeds the existing TN provided DNS will inherit these new, NHS owned, IP addresses.
It is strongly recommended that organisations migrate their configurations to use the new IP addresses at the earliest opportunity.
Current - DNS BT RIPE IP Addresses
New - NHS Digital RIPE IP Addresses
Any locally-provided DNS servers (typically for local clients on LANs connected to the TN network) need to be configured to use a function called forwarding, to query the TN internal DNS infrastructure. This is a method used by DNS servers to specifically direct some or all their queries to other DNS server(s), which will attempt to resolve the DNS question on behalf of the DNS server doing the forwarding. In other words, it makes the locally-provided 'source' DNS server look exactly like a DNS client to cns0 and cns1. This could be likened to a proxy - where the server(s) being forwarded to will perform all the work on behalf of the source DNS server. While this term is not used in DNS nomenclature, it hopefully illustrates the function.
When a DNS server is forwarding to another server, the query is always of a single type or variant, called a recursive query. In everyday language a recursive query is a request to a DNS server as follows: "here is a question; don't come back until you have an answer." This is the same type of query that resolvers (clients) almost universally perform.
The other type of query is called iterative. It is most commonly seen and used between DNS servers, especially on the internet. Here one DNS server asks another, "here is a question; what is the best answer you can give me?". This leads to a DNS server itself 'learning' the answer, by following a path learned from other DNS servers through a process called referrals.
DNS forwarding always uses recursive queries. It is important to know this, since the way that Microsoft sometimes presents its DNS server configuration may confuse administrators, due to unclear wording of some of the options. This is covered in section 5 and section 6 of this document.