To use forwarders to manage the Domain Name System (DNS) traffic between your network and the Internet, configure your network's firewall to allow only one DNS server to communicate with the Internet. When you configure the other DNS servers in your network to forward queries that they cannot resolve locally to that DNS server, it acts as your forwarder. For more information about forwarders, see Understanding Forwarders.

Forwarding sequence

The order of the IP addresses that are listed as forwarders on a DNS server determines the sequence in which the IP addresses are used. After the DNS server forwards the query to the forwarder with the first IP address, it waits a short period of time for an answer from that forwarder (according to the DNS server's forwarding time-out setting) before resuming the forwarding operation with the next IP address. It continues this process until it receives an affirmative answer from a forwarder.

For example, in the following illustration the DNS servers with the first and second forwarder IP addresses do not respond to the DNS server. The DNS server with the third forwarder IP address responds, and the query is forwarded to that DNS server.


Unlike conventional resolution, where a roundtrip time (RTT) is associated with each server, the IP addresses in the forwarders list are not ordered according to roundtrip time. You must reorder them manually to change the preference.

Conditional forwarders

Conditional forwarders are DNS servers that forward queries according to domain names. Rather than having a DNS server forward all queries it cannot resolve locally to a forwarder, you can configure DNS servers to forward queries to different forwarders according to the specific domain names that are contained in the queries. Forwarding according to domain names improves conventional forwarding by adding a name-based condition to the forwarding process.

The conditional forwarder setting for a DNS server consists of the following:

  • The domain names for which the DNS server will forward queries

  • One or more DNS server IP addresses for each domain name that is specified

When a DNS client or server performs a query operation against a DNS server, the DNS server checks to determine if the query can be resolved with its own zone data or the data stored in its cache. If the DNS server is configured to forward for the domain name that is designated in the query, the query is forwarded to the IP address of a forwarder that is associated with that domain name. For example, in the following illustration, each of the queries for the domain names is forwarded to a DNS server that is associated with the domain name.


If the DNS server has no forwarder listed for the name that is designated in the query, it attempts to resolve the query using standard recursion. For more information, see Configure a DNS Server to Use Forwarders.

You can use conditional forwarders to improve name resolution between internal (private) DNS namespaces that are not part of the DNS namespace of the Internet. Such DNS namespaces may be a result of a company merger. When you configure the DNS servers in one internal namespace to forward all queries to the authoritative DNS servers in a second internal namespace, conditional forwarders enable name resolution between the two namespaces without performing recursion on the DNS namespace of the Internet. This enhancement to name resolution also avoids your DNS servers performing recursion to your internal root for different namespaces within your network.


A DNS server cannot forward queries for the domain names in the zones that it hosts. For example, the authoritative DNS server for the zone cannot forward queries according to the domain name The DNS server that is authoritative for can forward queries for DNS names that end with, if is delegated to another DNS server.

Conditional forwarder domain name length

When a DNS server that is configured with a conditional forwarder receives a query for a domain name, it compares that domain name with its list of domain name conditions and uses the longest domain name condition that corresponds to the domain name in the query. For example, in the next illustration, the DNS server performs the following conditional forwarding logic to determine how a query for a domain name will be forwarded:

  1. The DNS server receives a query for

  2. It compares that domain name with both and

  3. The DNS server determines that is the domain name that more closely matches the domain name query.

  4. The DNS server forwards the query to the DNS server with the IP address, which is associated with
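The following sketch is an added example, not code from the original documentation or from the DNS Server service. It combines the longest-match selection described in this section with the ordered, time-out-driven forwarding sequence described earlier. The domain names, IP addresses, and the `sample_ask` stand-in for a network query are constructed sample values.

```python
# Added illustration; every name and address below is a constructed sample.
CONDITIONS = {  # domain name condition -> forwarder IPs in configured order
    "example.com": ["192.0.2.10"],
    "corp.example.com": ["198.51.100.1", "198.51.100.2", "198.51.100.3"],
}
RESPONDING = {"192.0.2.10", "198.51.100.3"}  # the other forwarders time out


def labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def match_condition(qname, conditions):
    """Return the longest condition that is a whole-label suffix of qname."""
    q, best = labels(qname), None
    for cond in conditions:
        c = labels(cond)
        # Compare whole labels so "notexample.com" never matches "example.com".
        if q[-len(c):] == c and (best is None or len(c) > len(labels(best))):
            best = cond
    return best


def forward(qname, conditions, ask):
    """Pick forwarders by longest match, then try them in list order.

    ask(ip, qname) returns an answer, or None to model a time-out.
    Returns (condition, tried_ips, answer). A condition of None means no
    forwarder is listed, so the server would fall back to standard recursion.
    """
    cond = match_condition(qname, conditions)
    tried = []
    if cond is None:
        return None, tried, None
    for ip in conditions[cond]:
        tried.append(ip)
        answer = ask(ip, qname)
        if answer is not None:
            return cond, tried, answer
    return cond, tried, None


def sample_ask(ip, qname):
    """Constructed stand-in for a network query: only RESPONDING IPs answer."""
    return f"{qname} answered by {ip}" if ip in RESPONDING else None


if __name__ == "__main__":
    for name in ("host.corp.example.com", "www.example.com", "notexample.com"):
        print(name, "->", forward(name, CONDITIONS, sample_ask))
```

The list of tried addresses shows the time-out cost of a forwarder order in which unresponsive servers come first, which is why the order has to be maintained manually.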
