Configure DNS forwarders in Windows Server 2012 R2
In the first article in our series on DNS forwarders, we looked at some best practices for DNS forwarding. In this second article I’ll show you how to configure a DNS server with forwarders in Windows Server 2012 R2.
As always with Windows, you can change, add, and remove forwarders by using either the Windows GUI or the command prompt. I’ve listed steps on how to configure a DNS server to use forwarders using both the Windows GUI and the command prompt below.
Configure a DNS server to use forwarders using the Windows GUI
1. Click Start, point to Administrative Tools, and then click DNS.
Passwords Haven’t Disappeared Yet
123456. Qwerty. Iloveyou. No, these are not exercises for people who are brand new to typing. Shockingly, they are among the most common passwords that end users choose in 2021. Research has found that the average business user must manually type out, or copy/paste, the credentials to 154 websites per month. We repeatedly got one question that surprised us: “Why would I ever trust a third party with control of my network?
Note: You can also type “DNS” without the quotes in the Start page, and it will find it for you.
2. Open DNS Manager.
Note: To use DNS Manager (and other administrative tools) on a server that does not have the DNS role installed on it, you must install the Remote Server Administration Tools (RSAT) suitable for your OS (the equivalent of adminpak.msi in Windows Server 2003/XP). See our articles on how to install RSAT for Windows 7 and Windows 8 for more information on how to download, install, and configure the RSAT tools on those clients.
3. In the console tree, click on the applicable DNS server, usually it’s the same as the server you’re logged on to.
4.Right-click and select “Properties”.
Note: You may also double-click on the “Forwarders” item in the right pane.
5. On the Forwarders tab click “Edit”.
Note: If you already have existing forwarders, you can choose to edit these as well.
6. In the selected forwarder IP address list, type the IP address of a forwarder, and then click Enter.
Note: You do not need to enter the FQDN of the host, unless you want to. If name resolution traffic is not blocked the name will automatically be resolved.
Note: In this example I’ve used Google’s DNS servers. In most cases you’d want to use your own ISP’s DNS servers. However, in some cases you may want to add internal DNS servers as forwarders, depending on your routing topology.
In Windows Server 2012/R2, by default the DNS server waits 3 seconds for a response from one forwarder IP address before it tries to query the next forwarder’s IP address. This is configurable, if needed.
7. Repeat with additional forwarders, if needed.
8. When done, click “Ok” twice.
Note: In some cases you may want to configure your DNS server to only use forwarders, and if they fail to respond, you may want it not to attempt further recursion. To do so, un-select the “Use root hints if no forwarders are available”.
If you want to remove one or more forwarders in the future, repeat these steps and simply delete the entry.
To configure a DNS server to use forwarders using the Command Prompt:
1. Open the Command Prompt window with elevated permissions (Run as Administrator).
2. If you want to add the same DNS forwarders used in my previous example, in the Command Prompt window type the following command:
dnscmd <DNS_server_name_or_IP>/ResetForwarders 184.108.40.206 220.127.116.11 /timeout 3 /noslave
Some Final Notes:
- Separate the DNS IP addresses by a space.
- You cannot add individual entries one after the other, you must add all forwarders at the same time in one command. But you can add or change existing entries from DNS Manager.
- The /timeout switch specifies the amount of time that your DNS server waits for the forwarder to respond.
- The /slave switch indicates that the DNS server will not attempt to perform its own iterative queries if the forwarder fails to resolve the query.
- The /noslave switch means that the DNS server will use its root hints file if no forwarders are available to resolve the query.