DNS: The forwarding timeout value should be 2 to 10 seconds
Updated: October 15, 2010
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012
This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.
Operating System |
Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 |
Product/Feature |
DNS |
Severity |
Warning |
Category |
Configuration |
Issue
The forwarding timeout value is less than 2 seconds or greater than 10 seconds.
The forwarding server needs to be given a reasonable amount of time to answer a DNS query. For example, a forwarding server that has root hints enabled may have to query on the Internet for an answer, which can require additional time. If the forwarding timeout value is too small, the DNS server might not have time to complete an Internet query. However, a forwarding timeout value that is too large can also DNS query failures when DNS queries time out. The default timeout for DNS queries from clients running a Microsoft Windows operating system is 15 seconds.
Impact
The timeout value is not within the recommended range of 2 to 10 seconds. DNS resolutions failures can occur if the value is too small. A timeout value of more than 10 seconds can cause DNS resolution delays.
If the forwarding timeout value is set to a small value, the forwarding server may not have sufficient time to respond, causing DNS queries to fail. If the forwarding timeout value is set to a large value, then the DNS server may wait for a long time for the forwarding server to respond. This can cause delays and timeouts when responding to DNS queries.
If a forwarding server does not respond before the timeout value, the DNS server forwards the query to the next server in the forwarders list. If none of the servers respond in time, the DNS server responds to the original query based on whether or not recursion is enabled on the DNS server. If the Use root hints if no fowarders are available check box is cleared and forwarding servers do not respond, then the server will attempt to resolve the query with iterative DNS queries. If Use root hints if no forwarders are available is enabled and forwarding servers do not respond, the DNS server will send a SERVER_FAILURE response to the DNS client.
Important
Due to a code defect in Windows ServerĀ® 2008, the checkbox next to Use root hints if no forwarders are available actually configures the opposite behavior. The code defect is fixed if the DNS server is running Windows ServerĀ® 2008 R2. In Windows Server 2008, you must clear the checkbox next to Use root hints if no forwarders are available to use recursion when forwarding servers do not respond.
Resolution
Configure the forwarding timeout value to a value between 2 seconds and 10 seconds.
Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To configure the forwarding timeout value using the Windows interface
Click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.
In the console tree, right-click the name of the DNS server and then click Properties.
On the Forwarders tab, click the IP address of the forwarder you wish to configure, and then click Edit.
Type the forwarding timeout value next to Number of seconds before forward queries time out and then click OK twice. By default, the DNS server waits three seconds for a response from one forwarder IP address before it tries another forwarder IP address.
To configure the forwarding timeout value using a command line
Open a command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
At the command prompt, type the following command, and then press ENTER:
dnscmd <ServerName> /ResetForwarders <MasterIPaddress ...> [/TimeOut <Time>] [/Slave]
Parameter | Description |
---|---|
dnscmd |
The command-line tool for managing DNS servers. |
<ServerName> |
Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.). |
/ResetForwarders |
Required. Configures a forwarder. |
<MasterIPaddress...> |
Required. Specifies a space-separated list of one or more IP addresses of the DNS servers where queries are forwarded. You may specify a list of space-separated IP addresses. |
/TimeOut |
Specifies the timeout setting. The timeout setting is the number of seconds before unsuccessful forward queries time out. |
<Time> |
Specifies the value for the /TimeOut parameter. The value is in seconds. The default timeout is three seconds. |
/Slave |
Determines whether or not the DNS server uses recursion. |
To view the complete syntax for this command, at a command prompt, type the following command, and then press ENTER:
dnscmd /ResetForwarders /help