DNS – Forwarders vs Root Hints

First of all I would like to say that there's no right configuration...

... but taking into consideration the work I have done over the last few years as a network and ISA/TMG support engineer, I personally recommend using forwarders instead of root hints.

When you have TMG/ISA sending DNS requests to a DC, this setting matters a lot for performance... I had quite a few issues related to this.
... also, the DNS Best Practices Analyzer from Microsoft recommends the use of forwarders.

I personally recommend using your ISP DNS servers as forwarders.
The main reason to use forwarders is performance. With a forwarder the DNS server sends a single recursive query to the ISP resolver, which is only a few hops away and already holds a large cache of popular names. With root hints the server has to resolve every name that is not in its own cache by itself, walking iteratively from a root server to the TLD servers and then to the authoritative servers for the zone, which means several round trips to servers spread all over the Internet.
The reason to use root hints is reliability; however, in my opinion this is an old idea: most service providers are now reliable and they do not change their DNS server IPs without proper notice. Ten years ago this was not the case; ISP DNS servers were sometimes quite problematic, and many people suggested and preferred root hints.
There is another reason to use forwarders, and it is related to firewall configuration: it is easy to allow outbound DNS traffic (UDP and TCP port 53) only from the DNS server to those specific ISP DNS servers used as forwarders. With root hints the server must be able to reach any authoritative name server on the Internet, so the rule has to allow port 53 to any destination.
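The configuration described above, as an added PowerShell example that is not part of the original post: it sets the forwarders on a Windows DNS Server, turns on the "use root hints if no forwarders are available" fallback, confirms each forwarder answers, and adds host firewall rules that let dns.exe talk on port 53 only to the forwarders. The two forwarder addresses are placeholders from the TEST-NET-2 range and must be replaced with your ISP's resolvers; the cmdlets are the DnsServer and NetSecurity modules shipped with Windows Server 2012 and later.

```powershell
# Added example (not from the original post): configure a Windows DNS Server to
# use forwarders, fall back to root hints only if the forwarders stop answering,
# and restrict outbound DNS at the host firewall to those forwarders.
# Run in an elevated PowerShell on the DNS server (DnsServer and NetSecurity
# modules, Windows Server 2012 or later).

# ASSUMED: your ISP resolvers. These are TEST-NET-2 placeholder addresses.
$Forwarders = @('198.51.100.10', '198.51.100.11')

# Before: show what the server currently does. An empty IPAddress list means
# the server resolves everything itself from the root hints.
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint, Timeout

# Set the forwarder list (Set- replaces the whole list; Add- appends to it).
# -UseRootHint $true is the "Use root hints if no forwarders are available"
# checkbox in the DNS console; -Timeout is how many seconds to wait for a
# forwarder before trying the next one.
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $true -Timeout 3

# Confirm each forwarder actually answers recursive queries before relying on it.
foreach ($f in $Forwarders) {
    Test-DnsServer -IPAddress $f -Context Forwarder
}

# Verify resolution now goes through this server (query it on loopback).
Resolve-DnsName -Name 'example.com' -Server 127.0.0.1 -Type A -DnsOnly

# Host firewall: allow dns.exe to talk on port 53 only to the forwarders.
# These rules only constrain traffic when the profile's default outbound
# action is Block (Windows defaults to Allow); they mirror what you would put
# on the perimeter firewall. Note that the root-hint fallback needs port 53 to
# any destination, so locking outbound DNS to the forwarders effectively
# disables that fallback: decide which you want.
foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule -DisplayName "DNS Server -> forwarders ($proto)" `
        -Direction Outbound -Action Allow -Protocol $proto -RemotePort 53 `
        -RemoteAddress $Forwarders -Program '%SystemRoot%\System32\dns.exe'
}
```

Run Get-DnsServerForwarder again afterwards: IPAddress should list the two resolvers and UseRootHint should be True. If Test-DnsServer reports a forwarder as not answering, fix that before the perimeter firewall is tightened to it, otherwise every uncached lookup will wait for the timeout and then fail.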
Comments (3)

  1. To-the-point information, thank you…

    Just a comment: if forwarders are configured, then there is no harm in configuring ‘Use root hints if no forwarders are available’. Root hints will only be used when the ISP DNS servers are not responding.

  2. Steve Duff says:

    While true that using a forwarder generally results in better lookup speeds, there are a couple of other considerations not mentioned that may be useful to understand:

    If you are using a mail server to query RBLs, and those RBLs limit you to a set number of queries per IP per day (as many do), then with a forwarder those queries will appear to be from the forwarder, not you. And busy forwarders will typically hit the RBL query limit very quickly. You may not even know your RBL lookups are failing unless you look at a spam diagnostic report carefully.

    Another issue is with ISP DNS servers spoofing invalid domain lookups. (E.g., returning a search page when you type "gaggle.com" or whatever.) That kind of antisocial behavior isn’t technically permitted, but a lot of ISPs – even big ones – do it anyway. I generally recommend forwarding to Google DNS for that reason. The number of hops to their backbone servers is generally low, and anyway the network traffic for DNS is rarely much of a consideration.

    The last issue is that with root hints you may start seeing DNS query timeouts, especially with some ISPs. That may in some cases necessitate increasing the DNS server query timeout (in the registry), as well as client DNS query timeouts.
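The two failure modes raised in the comment above (RBL query limits counted against the forwarder's IP, and resolvers that rewrite NXDOMAIN into an answer) can both be checked before a resolver is put in the forwarder list. The following is an added example, not code from the post or from the commenter. It assumes the DnsClient module (Windows 8 / Server 2012 or later), uses a constructed random name under example.com as the NXDOMAIN probe, and uses Spamhaus's documented ZEN test record with the return codes from Spamhaus's published table; verify those codes against the current Spamhaus documentation before acting on the result. The ISP resolver address in the usage loop is a TEST-NET-2 placeholder.

```powershell
# Added example (not from the original post or its comments): two checks to run
# against a resolver before using it as a forwarder. Run from any Windows host
# with the DnsClient module (Windows 8 / Server 2012 or later).

function Test-NxdomainHijack {
    # Returns $true if the resolver answers a name that cannot exist.
    # A clean resolver returns NXDOMAIN, which Resolve-DnsName surfaces as an error.
    param([Parameter(Mandatory)][string] $Resolver)

    # Constructed probe: a random label under example.com (reserved by IANA, no subdomains).
    $probe = 'nx-{0}.example.com' -f (Get-Random -Maximum 999999999)
    try {
        $answer = Resolve-DnsName -Name $probe -Server $Resolver -Type A -DnsOnly -ErrorAction Stop
        # An A record for a nonexistent name means the resolver is rewriting NXDOMAIN.
        Write-Warning ('{0} answered {1} with {2}' -f $Resolver, $probe, ($answer.IPAddress -join ', '))
        return $true
    } catch {
        # Expected path: NXDOMAIN. SERVFAIL or a timeout also land here and are a
        # different problem; inspect the message with -Verbose if in doubt.
        Write-Verbose ('{0}: {1}' -f $Resolver, $_.Exception.Message)
        return $false
    }
}

function Test-RblViaResolver {
    # Queries the Spamhaus ZEN test entry through the resolver. Per Spamhaus's
    # published return-code table: 127.0.0.x is a normal listing answer for the
    # test record, 127.255.255.254 means the query arrived from a public/open
    # resolver and was refused, and 127.255.255.255 means that resolver has
    # exceeded its free query quota. Any 127.255.255.x answer means a mail
    # server forwarding through this resolver is not getting real RBL results.
    param([Parameter(Mandatory)][string] $Resolver)

    $name = '2.0.0.127.zen.spamhaus.org'   # Spamhaus's documented test record
    try {
        $a = Resolve-DnsName -Name $name -Server $Resolver -Type A -DnsOnly -ErrorAction Stop
        $codes = @($a.IPAddress)
    } catch {
        return [pscustomobject]@{ Resolver = $Resolver; Codes = @(); Status = 'no answer (NXDOMAIN/timeout)' }
    }
    $status = if ($codes -match '^127\.255\.255\.') { 'refused or over quota' }
              elseif ($codes -match '^127\.0\.0\.') { 'ok' }
              else { 'unexpected answer' }
    [pscustomobject]@{ Resolver = $Resolver; Codes = $codes; Status = $status }
}

# Usage: compare a placeholder ISP resolver (ASSUMED address) with Google DNS.
foreach ($r in '198.51.100.10', '8.8.8.8') {
    [pscustomobject]@{
        Resolver        = $r
        HijacksNxdomain = Test-NxdomainHijack -Resolver $r
        Rbl             = (Test-RblViaResolver -Resolver $r).Status
    }
}
```

A resolver that reports HijacksNxdomain = True should not be a forwarder for anything that relies on NXDOMAIN (mail RBLs, search-list resolution, certificate and SPF checks). For the timeout issue mentioned in the same comment, the server-side knobs are Set-DnsServerForwarder -Timeout (per-forwarder wait) and Set-DnsServerRecursion -Timeout (the overall recursion wait when root hints are used).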

  3. Mike Ober says:

    I have no forwarders configured on my Windows 2012 R2 DNS servers and BPA does NOT flag this as an issue.

