Configure DNS forwarders in Windows Server 2012 R2

In the first article in our series on DNS forwarders, we looked at some best practices for DNS forwarding. In this second article I’ll show you how to configure a DNS server with forwarders in Windows Server 2012 R2.

As always with Windows, you can add, change, and remove forwarders from either the DNS Manager GUI or the command prompt (dnscmd). Both methods are covered below.

Configure a DNS server to use forwarders using the Windows GUI

1. Click Start, point to Administrative Tools, and then click DNS.


Note: You can also type “DNS” without the quotes in the Start page, and it will find it for you.


2. Open DNS Manager.

Note: To use DNS Manager (and other administrative tools) on a server that does not have the DNS role installed on it, you must install the Remote Server Administration Tools (RSAT) suitable for your OS (the equivalent of adminpak.msi in Windows Server 2003/XP). See our articles on how to install RSAT for Windows 7 and Windows 8 for more information on how to download, install, and configure the RSAT tools on those clients.

3. In the console tree, click the DNS server you want to configure (usually the server you are logged on to).

4. Right-click the server and select "Properties".

Note: You may also double-click the "Forwarders" item in the right pane, which opens the same settings directly.


5. On the Forwarders tab click “Edit”.

Note: If you already have existing forwarders, you can choose to edit these as well.


6. In the forwarder IP address list, type the IP address of a forwarder and press Enter.

Note: You enter only the IP address; DNS Manager then performs a reverse lookup and fills in the server's FQDN automatically if name resolution traffic to that address is not blocked. A failed lookup is usually a sign that the forwarder is unreachable from this server.

Note: In this example I've used Google's public DNS servers. In most cases you'd use your own ISP's DNS servers, and in some cases you may want internal DNS servers as forwarders, depending on your routing topology. Keep in mind that the forwarder receives every query this server cannot answer from its own zones or cache, so choose a resolver you trust with that traffic.

In Windows Server 2012 R2, by default the DNS server waits 3 seconds for a response from one forwarder IP address before it tries the next one in the list. You can change this in the same tab ("Number of seconds before forward queries time out"), if needed.

7. Repeat with additional forwarders, if needed.


8. When done, click “Ok” twice.

Note: In some cases you may want the DNS server to use only its forwarders and not attempt further recursion on its own if they fail to respond. To do so, clear the "Use root hints if no forwarders are available" checkbox. With that box cleared, a query fails outright when no forwarder answers, rather than being retried against the root servers.

If you want to remove one or more forwarders in the future, repeat these steps and simply delete the entry.

To configure a DNS server to use forwarders using the Command Prompt:

1. Open the Command Prompt window with elevated permissions (Run as Administrator).


2. To add the same two forwarders used in the GUI example (Google's public DNS servers, 8.8.8.8 and 8.8.4.4), type the following in the Command Prompt window. Note the space between the server name and the /ResetForwarders switch, and that the forwarder addresses come directly after it:

dnscmd <DNS_server_name_or_IP> /ResetForwarders 8.8.8.8 8.8.4.4 /timeout 3 /noslave


Some Final Notes:

  • Separate the forwarder IP addresses with a space.
  • /ResetForwarders replaces the entire forwarder list, so you cannot append entries one at a time with repeated commands; list every forwarder in a single command. You can still add or change individual entries afterwards from DNS Manager.
  • The /timeout switch specifies the number of seconds the DNS server waits for a forwarder to respond before trying the next one (3 is the Windows Server 2012 R2 default).
  • The /slave switch means the DNS server will not perform its own iterative queries if the forwarders fail to resolve the query; it is the command-line equivalent of clearing "Use root hints if no forwarders are available".
  • The /noslave switch means the DNS server will fall back to its root hints if no forwarders are available to resolve the query.
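The same configuration is also available from the DnsServer PowerShell module that ships with the DNS role on Windows Server 2012 R2. The following is an added example, not code from the original article; it performs the GUI and dnscmd steps above in one script, checks each forwarder actually answers before committing the change, and then verifies resolution through the server. The forwarder addresses are Google's public DNS servers as used in the walkthrough; the server name "dns01" and the test name "www.microsoft.com" are assumptions you should replace with your own.

```powershell
# Added example (not from the original article): configure and verify DNS
# forwarders with the DnsServer module. Run in an elevated PowerShell session
# on the DNS server, or on a host with the DNS RSAT tools installed.
#Requires -RunAsAdministrator

$Server     = 'dns01'                  # assumption: target DNS server; use 'localhost' on the server itself
$Forwarders = @('8.8.8.8', '8.8.4.4')  # Google's public DNS servers, as in the GUI example
$TestName   = 'www.microsoft.com'      # assumption: any public name the forwarders should resolve

# 1. Query each forwarder directly before trusting it with every query this
#    server cannot answer from its own zones or cache. Abort on the first
#    forwarder that does not answer, so a typo never ends up in production.
foreach ($fwd in $Forwarders) {
    try {
        $null = Resolve-DnsName -Name $TestName -Type A -Server $fwd -DnsOnly -ErrorAction Stop
        Write-Host "Forwarder $fwd answered for $TestName"
    }
    catch {
        throw "Forwarder $fwd did not answer for $TestName; forwarder list not changed"
    }
}

# 2. Replace the whole forwarder list (the equivalent of dnscmd /ResetForwarders):
#    3-second per-forwarder timeout, root-hint fallback left on.
#    -UseRootHint $true matches /noslave; $false matches /slave and clearing
#    "Use root hints if no forwarders are available" in DNS Manager.
Set-DnsServerForwarder -ComputerName $Server `
                       -IPAddress $Forwarders `
                       -Timeout 3 `
                       -UseRootHint $true

# 3. Read the setting back and show exactly what the server is using now.
Get-DnsServerForwarder -ComputerName $Server |
    Format-List IPAddress, Timeout, UseRootHint

# 4. Prove the server resolves an external name through the new forwarders.
Resolve-DnsName -Name $TestName -Type A -Server $Server -DnsOnly -ErrorAction Stop |
    Select-Object Name, Type, IPAddress
```

Unlike dnscmd /ResetForwarders, Add-DnsServerForwarder and Remove-DnsServerForwarder change a single address without re-entering the full list, which is the safer choice when you only need to swap one forwarder later.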
