However, the local DNS server will eventually return to CNN.com's DNS server to determine whether http://www.cnn.com's IP address has changed. The reason for the return trip is that when the CNN.com DNS server responded to the initial query, the response included not only http://www.cnn.com's IP address but also the amount of time that the local DNS server should cache that IP address. That amount of time is called the Time to Live (TTL). All responses to DNS resolution requests contain a TTL. After the TTL expires, a new query causes the local DNS server to return to the Internet to resolve the name.
Centralizing Cache with Forwarders
You can see that caching DNS resolutions is a great idea. If CNN.com's TTL were 2 days long, a local caching-only DNS server could resolve http://www.cnn.com for 2 days before having to recontact CNN.com's DNS server.
Now, consider the effects of adding a second local caching-only DNS server. Let's call the first local DNS server DNS1 and the second server DNS2. When DNS1 learns something, it doesn't share that information with DNS2. For example, if someone were to ask DNS2 for http://www.cnn.com's IP address, DNS2 must get the information from CNN.com's DNS server even if DNS1 has cached that IP address. In other words, DNS1 and DNS2 don't share a cache.
But if you use a forwarder, servers can share a cache. The idea with a forwarder is this: You set up some local caching-only DNS servers as usual to serve the name-resolution needs of workstations and other servers. Then, you set up another server that acts as a sort of DNS server for these DNS servers. In DNS terms, this server is a forwarder.
When one of the local caching-only DNS servers gets a request to resolve a name that it doesn't already have in its cache, that DNS server doesn't go to the Internet to resolve the name; instead, the server asks the forwarder to resolve the name. If the forwarder, which is on the same LAN as the local caching-only DNS server and can communicate with that server at high speed, knows the answer, the forwarder can quickly answer the local caching DNS server's question. If the forwarder doesn't know the answer, the forwarder obtains the answer from the Internet.
Suppose DNS1 serves the first person to ask for the IP address for http://www.cnn.com. Because DNS1 doesn't know the answer, it asks the forwarder. The forwarder doesn't know, either, because no one has asked the question before, so the forwarder goes to the Internet for the answer. After the forwarder finds http://www.cnn.com's IP address, it caches the address, then sends that information to DNS1.
Now, suppose the second person who wants the IP address for http://www.cnn.com is connected to DNS2. DNS2 can't resolve the address from its cache, so DNS2 asks the forwarder. This time, the forwarder knows http://www.cnn.com's IP address and satisfies DNS2's request at LAN speed.
To tell a Win2K DNS server to use another DNS server as a forwarder, open the Microsoft Management Console (MMC) DNS snap-in and right-click the icon that represents the DNS server that should do the forwarding (DNS1 or DNS2 in our example, not the forwarder itself). Choose Properties, and you'll see a Forwarders tab, which Figure 1 shows. Select Enable forwarders, enter the IP addresses of one or more forwarders, and set a timeout value. One caveat: if the tab is unavailable, the server holds a zone named "." and believes that it is a root server; Win2K creates that zone when it can't reach the Internet during setup, and you must delete it before the server will forward to anyone.
Why would you want a timeout value? If your forwarder stops working, DNS1 and DNS2 won't be able to get the answers to new name-resolution questions. DNS handles that eventuality with a timeout. If a local caching DNS server such as DNS1 or DNS2 asks the forwarder a question and the forwarder doesn't respond within the configured time, the local caching DNS server goes to the Internet and resolves the name on its own. (As I explain later, that action is a potential liability.) If you would rather have the server fail the query than resolve it by itself, select the Forwarders tab's Do not use recursion check box, which turns the server into a forward-only server that depends entirely on its forwarders.
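To make the cache-sharing and TTL behavior concrete, here is a small Python model of two caching-only servers with and without a forwarder. It is an added illustration written for this edit, not code from the article or from Windows 2000 DNS; the clock, the pretend authoritative data and the addresses (RFC 5737 documentation ranges) are all constructed. Beyond the walkthrough above it shows two details the text only implies: a cache hands down the remaining TTL rather than the original one, so DNS2 can never hold an answer longer than the forwarder does, and a forwarder timeout sends the local server to the Internet on its own.

```python
"""Toy model of caching-only DNS servers, TTL expiry and a shared forwarder.
Added illustration, not code from the article; the clock, the pretend
authoritative data and the addresses (RFC 5737 ranges) are constructed."""
from __future__ import annotations


class Clock:
    """Simulated seconds, so TTL expiry can be driven deterministically."""
    def __init__(self) -> None:
        self.now = 0

    def advance(self, seconds: int) -> None:
        self.now += seconds


class Internet:
    """Stands in for the authoritative servers a resolver walks down to from the roots."""
    def __init__(self, records: dict[str, tuple[str, int]]) -> None:
        self.records = records      # name -> (address, ttl in seconds)
        self.queries = 0            # trips made to the Internet

    def resolve(self, name: str) -> tuple[str, int]:
        self.queries += 1
        return self.records[name]


class Resolver:
    """A caching-only DNS server that may forward to another Resolver."""
    def __init__(self, clock: Clock, internet: Internet, forwarder: Resolver | None = None) -> None:
        self.clock, self.internet, self.forwarder = clock, internet, forwarder
        self.down = False                            # True simulates an unreachable forwarder
        self.cache: dict[str, tuple[str, int]] = {}  # name -> (address, expires_at)

    def query(self, name: str) -> tuple[str, int]:
        """What a downstream server sees: the answer with its *remaining* TTL, or a timeout."""
        if self.down:
            raise TimeoutError("forwarder did not answer")
        address, ttl, _ = self.resolve(name)
        return address, ttl

    def resolve(self, name: str) -> tuple[str, int, str]:
        """Return (address, remaining ttl, where the answer came from)."""
        now = self.clock.now
        cached = self.cache.get(name)
        if cached and cached[1] > now:
            return cached[0], cached[1] - now, "cache"
        if self.forwarder is None:
            address, ttl = self.internet.resolve(name)
            source = "internet"
        else:
            try:
                address, ttl = self.forwarder.query(name)
                source = "forwarder"
            except TimeoutError:                       # timeout: resolve on our own
                address, ttl = self.internet.resolve(name)
                source = "internet (forwarder timed out)"
        # The answer never outlives the authoritative TTL: an upstream cache
        # hands down only the time that is left.
        self.cache[name] = (address, now + ttl)
        return address, ttl, source


RECORDS = {                                          # constructed sample data
    "www.cnn.com.": ("192.0.2.10", 2 * 24 * 3600),   # the article's 2-day TTL
    "www.example.com.": ("198.51.100.5", 300),
}


def run_scenarios() -> dict[str, object]:
    results: dict[str, object] = {}
    # 1. Two independent caching-only servers: no shared cache, two trips out.
    clock, net = Clock(), Internet(RECORDS)
    dns1, dns2 = Resolver(clock, net), Resolver(clock, net)
    dns1.resolve("www.cnn.com.")
    dns2.resolve("www.cnn.com.")
    results["no_forwarder_trips"] = net.queries
    # 2. The same pair behind a forwarder: the second lookup never leaves the LAN.
    clock, net = Clock(), Internet(RECORDS)
    fwd = Resolver(clock, net)
    dns1, dns2 = Resolver(clock, net, fwd), Resolver(clock, net, fwd)
    results["dns1_source"] = dns1.resolve("www.cnn.com.")[2]
    results["dns2_source"] = dns2.resolve("www.cnn.com.")[2]
    results["forwarder_trips"] = net.queries
    # 3. TTL expiry: after two days the next question goes back to the Internet.
    clock.advance(2 * 24 * 3600)
    dns1.resolve("www.cnn.com.")
    results["trips_after_ttl"] = net.queries
    # 4. Remaining TTL is handed down: DNS2 cannot cache longer than the forwarder.
    fwd.resolve("www.example.com.")
    clock.advance(100)
    results["ttl_left_at_dns2"] = dns2.resolve("www.example.com.")[1]
    results["same_expiry"] = dns2.cache["www.example.com."][1] == fwd.cache["www.example.com."][1]
    # 5. Forwarder outage: the timeout makes DNS1 resolve the name on its own.
    fwd.down = True
    clock.advance(3600)
    results["outage_source"] = dns1.resolve("www.example.com.")[2]
    return results
```

Run `run_scenarios()` and compare the trip counts: without the forwarder the two servers cost two Internet lookups for one name, with it one, and the count rises again only when the 2-day TTL has run out or the forwarder is down. The model deliberately ignores negative caching and retries so the forwarding path stays visible.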
Using Split-Brain DNS
Take a look at a DNS zone in an AD domain, and you'll notice two things. First, AD stores a lot of information in DNS: every DC registers SRV records for the LDAP, Kerberos, and Global Catalog services it offers under the _msdcs, _sites, _tcp, and _udp subdomains of the zone, along with its own host (A) records. Second, much of that information is something you wouldn't want anyone outside the organization to see. In particular, the zone gives away the names and addresses of your DCs, and you probably don't want the world to have that map of your network.
One way to avoid running a too-visible network is to keep two sets of DNS books: one DNS zone that the outside world can see and another DNS zone that only the internal organization can see. Some people call this arrangement split-brain DNS. Here's how it works.
When you ask your preferred DNS server to resolve a name, the server first looks in its cache. Then, if the name isn't in the cache and the DNS server holds any zones, it looks in those zones to try to resolve your request. The server goes to a forwarder or to the Internet only if it can't answer the request from its cache or its zones. The key to split-brain DNS is that the DNS server favors the information in its zones over anything it could find on the Internet: if the internal server is authoritative for your company's zone, it never asks the outside world about names in that zone. That behavior also dictates the one chore split-brain DNS imposes on you. Public hosts such as your Web and mail servers must appear in the internal zone as well, because the internal DNS server answers for them from its own copy of the zone, and a name that is missing there is simply reported as nonexistent.
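Once the two sets of books exist, a practitioner wants a check that the external copy carries none of the internal material. The following Python script is an added example, not code from the article: it reads a zone in the standard master-file format (the format a Windows 2000 DNS server uses for a file-backed standard zone in %SystemRoot%\system32\dns; an AD-integrated zone would have to be exported first) and flags the records that AD registers and that belong only in the internal zone: SRV records, names under the underscore-prefixed _msdcs, _sites, _tcp and _udp trees, private RFC 1918 addresses, and any record that names a domain controller you list. The zone text is constructed for the example, and the DC name dc1 is an assumption supplied by the caller.

```python
"""Audit the external copy of a split-brain zone for Active Directory leakage.
Added check, not code from the article; the zone text below is constructed and
the flagged patterns are the ones AD itself registers in DNS."""
import ipaddress
from dataclasses import dataclass

# RFC 1918 and IPv6 ULA space: addresses that have no business in a public zone.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


@dataclass
class Record:
    owner: str        # fully qualified, lower-cased, trailing dot
    rtype: str
    rdata: list[str]


def parse_zone(text: str, origin: str) -> list[Record]:
    """Minimal RFC 1035 master-file reader ($ORIGIN/$TTL, '@', relative names, ';'
    comments, omitted owners, parenthesised multi-line records): enough for the
    file a Windows 2000 DNS server keeps for a standard zone in %SystemRoot%\\system32\\dns."""
    records: list[Record] = []
    origin = origin.rstrip(".").lower() + "."
    last_owner, buffer, depth = origin, [], 0
    for raw in text.splitlines():
        if not buffer:
            owner_omitted = raw[:1].isspace()     # leading blank = reuse previous owner
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buffer.append(line.replace("(", " ").replace(")", " "))
        if depth > 0:
            continue                               # still inside ( ... )
        tokens, buffer = " ".join(buffer).split(), []
        if not tokens:
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].lower()
        if tokens[0].startswith("$"):
            continue                               # $ORIGIN applied above; $TTL not needed
        if owner_omitted:
            owner = last_owner
        else:
            owner, tokens = tokens[0].lower(), tokens[1:]
            owner = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
            last_owner = owner
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)                          # optional TTL and class
        records.append(Record(owner, tokens[0].upper(), tokens[1:]))
    return records


def audit_external_zone(records: list[Record],
                        dc_names: frozenset[str] = frozenset()) -> list[tuple[str, str, str]]:
    """Return (owner, type, reason) for every record that belongs only in the internal zone."""
    dcs = {n.lower() for n in dc_names}
    findings = []
    for rec in records:
        labels = rec.owner.split(".")
        names_dc = labels[0] in dcs or any(
            t.lower().rstrip(".").split(".")[0] in dcs for t in rec.rdata)
        if rec.rtype == "SRV":
            reason = "SRV locator record (AD registers these for every DC)"
        elif any(label.startswith("_") for label in labels):
            reason = "name under AD's _msdcs/_sites/_tcp/_udp tree"
        elif names_dc:
            reason = "names a domain controller"
        elif rec.rtype in ("A", "AAAA") and any(
                ipaddress.ip_address(rec.rdata[0]) in net for net in PRIVATE_NETS):
            reason = "private (RFC 1918/ULA) address exposed"
        else:
            continue
        findings.append((rec.owner, rec.rtype, reason))
    return findings


# Constructed sample: a public zone into which internal AD records were copied.
SAMPLE_EXTERNAL_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@       IN SOA ns1.example.com. hostmaster.example.com. (
            2024010101 ; serial
            900 600 86400 3600 )
        IN NS  ns1.example.com.
ns1     IN A   203.0.113.53
www     IN A   203.0.113.10
@       IN MX  10 mail.example.com.
mail    IN A   203.0.113.25
; --- everything below belongs only in the internal zone ---
dc1                   IN A   10.0.0.5
gc._msdcs             IN A   10.0.0.5
_ldap._tcp.dc._msdcs  IN SRV 0 100 389 dc1.example.com.
_kerberos._tcp        IN SRV 0 100 88  dc1.example.com.
"""
```

Calling `audit_external_zone(parse_zone(SAMPLE_EXTERNAL_ZONE, "example.com."), frozenset({"dc1"}))` reports the four bottom records and leaves the SOA, NS, www, MX and mail records alone. The DC list is separate input on purpose: the script can recognize AD's own naming conventions, but only you know which ordinary-looking host names are domain controllers.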