
5. Microsoft DNS servers basic forwarding configuration

This chapter forms part of the Transition Network guidance for DNS local forwarding and server configuration.

As stated previously, DNS forwarding always uses recursive queries. It is important to know this, because the way Microsoft presents its configuration can confuse administrators: some of the options are worded unclearly.

Microsoft DNS is usually configured on servers using the DNS Microsoft Management Console (MMC), a Windows graphical application that provides access to the Microsoft DNS server settings. The appearance of the forwarding options differs between Windows Server versions. This document describes the forwarding configuration in three different DNS MMCs:

  • Windows 2003 (SP2)
  • Windows 2008 (SP2) and Windows 2008 (R2)
  • Windows Server 2012 (SP2) and 2016 (SP1)

The appearance and operation of the DNS MMC is the same regardless of:

  • whether Windows Server is running in 32-bit or 64-bit mode
  • the Windows Server variants (Standard, Enterprise, etc.).

5.1 Microsoft DNS server terminology/options

Microsoft's DNS does not use the terms forward first or forward only explicitly; rather, there are options in the DNS MMC that effectively select which configuration is in use. The options are described and set differently in Windows 2003 and Windows 2008 (SP2 and R2). In both Windows 2003 and 2008, though, the default is forward first.

Below are basic forwarding configurations for Microsoft DNS Servers - Windows 2003 and Windows 2008 variants.

Section 8 describes how to set forwarding behaviour for Microsoft DNS Servers (to forward first or forward only).

5.2 Windows 2003

Once the Windows 2003 DNS MMC is launched from Start > Programs > Administrative Tools > DNS, the server Properties should be selected:

[Figure 5.2a]

On the server Properties page, select the Forwarders tab:

[Figure 5.2b]

In the DNS domain area, make sure that All other DNS domains is highlighted. Then, in the Selected domain's forwarder IP address list, enter the cns0 and cns1 IP addresses, 194.72.7.137 and 194.72.7.142. By selecting All other DNS domains, you are implementing "Global Forwarding".

Note: This tab is also where Microsoft implements "Zone Forwarding", which they term "Conditional Forwarding". Further discussion of zone/conditional forwarding is beyond the scope of this document.

The default value of Number of seconds before forward queries time out: is 5 seconds. This is intolerant of many transient network conditions that may affect DNS requests, since DNS packets are most often carried over the User Datagram Protocol (UDP), which is more susceptible to packets being dropped on an IP network.

Additionally, there is no retry logic with forwarding on Windows 2003. That is, the first IP address in the forwarder list is tried and the timeout value waited, then the second IP address in the forwarder list is tried and the timeout value waited. After these two attempts, once only to each server, the DNS server responds to the client based on the setting of Do not use recursion for this domain. If that box is checked, the DNS server goes no further and responds to the querying client with the response (or lack of one) it received. Do not use recursion for this domain is discussed in more detail later on.

It is suggested that the default value in the Number of seconds before forward queries time out: field be changed to at least 15 seconds. This is more in line with non-Microsoft DNS server timeout values.

5.3 Windows 2008, SP2 and R2

Once the Windows 2008 DNS MMC is launched from Start > Programs > Administrative Tools > DNS, the server Properties should be selected:

[Figure 5.3a]

Alternatively, the Windows 2008 Server Manager can be used to access the DNS configuration.

On the server Properties page, select the Forwarders tab. Unlike Windows 2003, this tab only deals with Global Forwarding. Zone/Conditional Forwarding is defined elsewhere in the DNS MMC.

[Figure 5.3b]

Select the "Edit..." button.

[Figure 5.3c]

Enter the IP addresses (see the 2019 technical refresh section below for the current and future addresses) by typing them into the <Click here to add an IP Address or DNS Name> field.

2019 technical refresh

As part of the DNS refresh, two new resolution IP addresses have been implemented alongside the legacy IP addresses. The new NHS Digital RIPE IP addresses, 155.231.231.1 and 155.231.231.2, will run concurrently alongside the legacy BT RIPE IP addresses, 194.72.7.137 and 194.72.7.142.

Existing configurations will continue to work using the current internal DNS servers as their 'local' servers for DNS queries. These are cns0.nhs.uk (194.72.7.137) and cns1.nhs.uk (194.72.7.142).

These IP addresses are owned and managed by BT and will eventually be decommissioned when the BT TN DNS service is replaced by an alternate service provider.

The Number of seconds before forward queries time out: setting has the same function as in Windows 2003. However, the Windows 2008 default is 3 seconds, even less tolerant than Windows 2003.

Again, the suggested value for this is at least 15 seconds, to compensate for transient conditions on the network that may delay the packets from being received.
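The Forwarders tab settings from sections 5.2 and 5.3 can also be applied from the command line with dnscmd.exe, which is installed with the DNS server role on Windows 2003 and 2008. The script below is an added example and is not part of this guidance; it uses the four forwarder addresses from the 2019 technical refresh and the 15 second timeout recommended above. The labels printed by dnscmd /Info differ slightly between versions, so the read-back step only filters for the relevant lines rather than parsing them.

```powershell
# Added example, not from the NHS Digital guidance: apply the Forwarders tab settings from
# sections 5.2 and 5.3 with dnscmd.exe (installed with the DNS server role on Windows 2003
# and 2008). Run from an elevated prompt on the DNS server itself.

# Forwarder addresses from the 2019 technical refresh, preferred servers first,
# because the DNS server tries the list in order.
$Forwarders = '155.231.231.1', '155.231.231.2', '194.72.7.137', '194.72.7.142'

# "Number of seconds before forward queries time out": the guidance recommends at least 15
# (the defaults are 5 s on Windows 2003 and 3 s on Windows 2008).
$TimeoutSeconds = 15

# /ResetForwarders replaces the global forwarder list (the "All other DNS domains" entry on 2003).
# /Timeout sets the forward query timeout in seconds.
# /NoSlave leaves the server free to recurse itself if every forwarder fails (forward first);
# /Slave would be the equivalent of ticking "Do not use recursion for this domain" (forward only).
# PowerShell passes each element of $Forwarders to the native command as a separate argument.
dnscmd /ResetForwarders $Forwarders /Timeout $TimeoutSeconds /NoSlave
if ($LASTEXITCODE -ne 0) {
    throw "dnscmd /ResetForwarders failed with exit code $LASTEXITCODE"
}

# Read the server settings back rather than assuming the call took effect.
$info = dnscmd /Info
$info | Select-String -Pattern 'forward', 'slave'

# Confirm that a timeout line carrying the requested value is present in the output.
$timeoutLine = $info | Select-String -Pattern 'timeout' |
    Where-Object { $_.Line -match "\b$TimeoutSeconds\b" }
if (-not $timeoutLine) {
    Write-Warning "Could not confirm a $TimeoutSeconds second forward timeout in 'dnscmd /Info' output; check the Forwarders tab"
}
```

Re-running the script is safe: /ResetForwarders always replaces the whole list, so the result is the same four addresses in the same order regardless of what was configured before.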

5.4 Windows Server 2012 (SP2) and 2016 (SP1)

Add-DnsServerForwarder adds server-level forwarders to a DNS server.

The Add-DnsServerForwarder cmdlet adds one or more forwarders to the forwarders list of a Domain Name System (DNS) server. If you prefer one of the forwarders, put that forwarder first in the series of forwarder IP addresses. After you first use this cmdlet to add forwarders to a DNS server, this cmdlet adds forwarders to the end of the forwarders list.

Add-DnsServerForwarder [-IPAddress] <IPAddress[]> [-ComputerName <String>] [-PassThru] [-CimSession <CimSession[]>] [-ThrottleLimit <Int32>] [-AsJob] [-WhatIf] [-Confirm] [<CommonParameters>]

Example: add forwarders to a DNS server by using IP addresses

PS C:\> Add-DnsServerForwarder -IPAddress 194.72.7.137 -PassThru

PS C:\> Add-DnsServerForwarder -IPAddress 194.72.7.142 -PassThru

These commands add the IP addresses 194.72.7.137 and 194.72.7.142 to the list of forwarders on the local DNS server, in that order.
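Add-DnsServerForwarder appends to whatever list already exists, so repeated runs or a previously configured server can leave the order (and the preferred forwarder) different from what was intended. The script below is an added example, not from this guidance or from Microsoft's documentation: it uses Set-DnsServerForwarder to replace the list outright, applies the 15 second timeout recommended in sections 5.2 and 5.3, and then reads the configuration back and checks the address order and timeout before reporting. It assumes the DnsServer module (Windows Server 2012 and later) in an elevated session on the DNS server; the nhs.uk lookup at the end is only a reachability check and needs Transition Network connectivity, so it warns rather than fails.

```powershell
# Added example, not from the NHS Digital guidance: configure and verify global forwarding
# with the DnsServer PowerShell module (Windows Server 2012 and later).
# Run in an elevated PowerShell session on the DNS server.
#Requires -Modules DnsServer

# Forwarder addresses from the 2019 technical refresh. The preferred servers go first
# because the DNS server tries the list in order.
$NewForwarders    = '155.231.231.1', '155.231.231.2'   # NHS Digital RIPE addresses
$LegacyForwarders = '194.72.7.137',  '194.72.7.142'    # legacy BT RIPE addresses (cns0/cns1)
$Expected         = $NewForwarders + $LegacyForwarders

# Timeout per forwarder in seconds: the guidance recommends at least 15
# (the defaults are 5 s on Windows 2003 and 3 s on Windows 2008).
$TimeoutSeconds = 15

# Set-DnsServerForwarder replaces the whole list, unlike Add-DnsServerForwarder, which appends.
# -UseRootHint $true keeps forward-first behaviour (fall back to root hints if every forwarder fails).
Set-DnsServerForwarder -IPAddress $Expected -Timeout $TimeoutSeconds -UseRootHint $true

# Read the live configuration back rather than trusting that the call succeeded.
$fwd    = Get-DnsServerForwarder
$actual = @($fwd.IPAddress | ForEach-Object { $_.ToString() })

# Order matters (the first entry is the preferred forwarder), so compare position by position.
if (Compare-Object -ReferenceObject $Expected -DifferenceObject $actual -SyncWindow 0) {
    throw "Forwarder list is '$($actual -join ', ')', expected '$($Expected -join ', ')'"
}
if ($fwd.Timeout -lt $TimeoutSeconds) {
    throw "Forwarder timeout is $($fwd.Timeout) s, expected at least $TimeoutSeconds s"
}

# Reachability check: ask each forwarder directly for the nhs.uk name servers.
# A failure here is a warning, not an error, because the configuration itself is already verified.
foreach ($ip in $Expected) {
    try {
        $null = Resolve-DnsName -Name 'nhs.uk' -Type NS -Server $ip -DnsOnly -ErrorAction Stop
        Write-Host "Forwarder $ip answered"
    } catch {
        Write-Warning "Forwarder $ip did not answer: $($_.Exception.Message)"
    }
}

Write-Host "Forwarders: $($actual -join ', ') (timeout $($fwd.Timeout) s, use root hints: $($fwd.UseRootHint))"
```

To apply the same settings to a remote DNS server, add -ComputerName to the Set-DnsServerForwarder and Get-DnsServerForwarder calls; the verification logic is unchanged.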

Last edited: 10 April 2019 8:19 am