Hey everyone, I'm a bit confused about a particular DNS configuration I've never encountered before. In our DNS Manager under Properties, I noticed that a Domain Controller (DC) was added as a forwarder. My understanding of how forwarders work makes me wonder why anyone would set up their own DC as a forwarder. I also saw that someone added Google as a forwarder, which I'm planning to change. Can someone explain if there's a valid reason to have the Domain Controller set up in this way?
4 Answers
It could be if there's a forest trust involved. However, I personally prefer to use a conditional forwarder for clarity. The usual setup would be something like AD –> Forwarder –> DNS in the DMZ –> then to the internet DNS servers. Also, it's more secure to disable recursion and only allow it for specific clients.
You’d be surprised at some of the things people do! Sometimes it's just a misconfiguration or oversight.
When a domain controller is promoted, it typically adds other DCs to the forwarders by default. I’m not certain if it picks the FSMO holder or just the DC it’s replicating from. It's likely someone promoted a DC and forgot to update the forwarders afterward.
Yeah, and they might only have one DC right now, which complicates things. So it seems like this shouldn’t be there and could probably be removed.
I’m actually surprised there hasn’t been more expert input here. The purpose of those forwarders is to handle requests that the DNS isn’t authoritative for. So, for example, if your domain is example.com, it can handle requests for that, but forwards anything like google.com to a public DNS server. This setup is really useful if you’re using services like Cisco Umbrella.
Right, that makes sense. I’m starting to grasp what forwarders do, but I’m still puzzled about why the DC would be listed as one.
Isn’t this only the case with Read-Only Domain Controllers (RODC)?