I would recommend using BIND9 as the DNS resolver instead of the Windows one, as the Linux version will have slightly higher stability and performance. But the Windows DNS service is fully functional if you don't already have a Linux server to put it on. The network where I work actually uses both side by side for reliability; that way, if I botch one of the configs while working on it, the workstations will automatically fail over to the other server.
Also, configuring forwarders is not necessary unless you already have DNS servers upstream that you want to relay to. By default, Windows and Linux DNS servers, when performing a recursive lookup for a client, will perform the complete lookup themselves without having to forward upstream. You will want to configure your DHCP server to advertise your DNS servers, though, instead of alternative servers, and if you want to enforce the use of only your servers, use a firewall to block DNS requests going anywhere other than to or from your DNS server.
Oh, and be very careful: make sure your server only performs recursive requests for LAN clients. If you allow it to recurse over the WAN, it can be used to launch DDoS attacks via a very serious exploit in the DNS recursion mechanism. Good firewalling is helpful, but the best way is to configure the server's access controls so that only your LAN is allowed to use it for recursion.
But the way a server performs a DNS lookup is this:
- Check if the server is authoritative for the requested info. If so, return records on hand.
- Check if the server has a cached response for that info. By default, lookups are cached so that successive requests can use cached data until the TTL expires.
- Contact the root servers for that TLD. Each country has a root mirror group, routes to which are configured using a combination of multicast and anycast addressing along with some route manipulation so that you will almost always hit a nearby root mirror. The root servers return the nameserver records for the second level domain name.
- Contact the nameservers obtained from the root server and retrieve the corresponding records from them, which are returned to the client and also cached so that future requests for the same info can be sped up using the cached data, until the TTL expires.
What a forwarder config does by default is make it so that instead of going to the root servers, the server simply hands off the query to an upstream server. This will actually make your DNS slower than just looking it up yourself, but as some ISPs traffic-shape DNS, it may be necessary for reliable DNS resolution.
What running your own DNS server does, though, is make it so that you are only vulnerable to censorship at the root servers. Your server contains a default root server list when installed, and it is recommended to update the root list every 6 months or so just in case. Public DNS servers and ISP DNS servers are often censored by DNS poisoning: inserting false records for certain sites in order to make them inaccessible. For instance, if I wanted to block hotmail.com on a company's LAN, all I would have to do is create an A-record on the DNS resolver for that company that points requests for *.hotmail.com to 127.0.0.1. Clients would then be unable to access hotmail unless they were using a different DNS resolver, or bypassing the main resolver entirely and looking up their own from the roots.
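The LAN-only recursion ACL, the optional forwarders, the root hints and the local override zone for hotmail.com described in the post above, written out as a BIND9 configuration. This is an added example, not configuration from the original post; the LAN prefix 192.168.1.0/24, the server address 192.168.1.53, the Debian-style root hints path, the ns1.lan.internal hostname and the zone file path are all assumptions to be replaced with your own values.

```conf
// ---- /etc/bind/named.conf.local (added example; addresses and paths are assumed) ----

// Hosts allowed to use this server as a recursive resolver: the LAN only.
acl "lan" {
    127.0.0.0/8;
    192.168.1.0/24;      // assumed LAN prefix, change to yours
};

options {
    directory "/var/cache/bind";
    listen-on { 127.0.0.1; 192.168.1.53; };   // assumed server address

    // Authoritative answers for zones we host may go to anyone, but the
    // server only recurses, and only serves its cache, for the LAN ACL.
    // Queries from outside the ACL that need recursion get REFUSED.
    recursion yes;
    allow-query       { any; };
    allow-recursion   { lan; };
    allow-query-cache { lan; };

    // With forwarders unset the server walks the tree from the root hints
    // itself. Uncomment only if an upstream resolver is required, e.g.
    // because the ISP interferes with direct DNS traffic.
    // forwarders { 203.0.113.53; };
    // forward only;

    // Response rate limiting (BIND 9.10 and later): caps identical answers
    // per client per second, a second line of defence against the server
    // being used as an amplifier should the ACL ever be misconfigured.
    rate-limit {
        responses-per-second 10;
    };
};

// Root hints; replace this file when you refresh the root server list.
zone "." {
    type hint;
    file "/usr/share/dns/root.hints";   // Debian/Ubuntu path, assumed
};

// Local override zone: the server is authoritative for hotmail.com, so the
// "authoritative" step of the lookup answers before cache or recursion and
// every name under it resolves to 127.0.0.1 for LAN clients.
zone "hotmail.com" {
    type master;                        // "primary" in newer BIND releases
    file "/etc/bind/db.blocked";
};

; ---- /etc/bind/db.blocked (zone file loaded by the stanza above; assumed names) ----
$TTL 300
@       IN  SOA ns1.lan.internal. hostmaster.lan.internal. (
                2024010101 ; serial
                3600       ; refresh
                900        ; retry
                604800     ; expire
                300 )      ; negative cache TTL
@       IN  NS  ns1.lan.internal.
@       IN  A   127.0.0.1
*       IN  A   127.0.0.1
```

Check the syntax with `named-checkconf` and `named-checkzone hotmail.com /etc/bind/db.blocked` before reloading. From a LAN host, `dig @192.168.1.53 www.hotmail.com A` should return 127.0.0.1 with the AA flag set; a recursive query for some other name from an address outside the ACL should come back with status REFUSED rather than an answer. Note that `allow-query { any; }` still lets anyone on the WAN see the blocked zone's authoritative answers; if this server hosts no public zones, set `allow-query { lan; }` as well so it answers nothing at all to outsiders.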