Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.

Posted: 21-Dec-2015

Objectives

• Describe the functions of the Domain Name System
• Install DNS
• Explain the function of DNS zones
• Configure a caching-only server to speed hostname resolution
• Integrate Active Directory and DNS, including Dynamic DNS
• Configure and manage a DNS server
• Manage DNS zones
• Troubleshoot DNS

Functions of the Domain Name System

• Domain Name System (DNS)
  – Essential service for a network that uses Active Directory
  – Can store DNS zone data in Active Directory
  – Once zone data is stored in Active Directory, it is replicated automatically by Active Directory replication to the domain controllers that hold it
  – Storing zone data in Active Directory allows access control (secure dynamic updates) for Dynamic DNS

Functions of the Domain Name System (Continued)

  – Used internally to resolve hostnames to IP addresses
  – Can be integrated with the worldwide system for resolving hostnames to IP addresses
  – Can be used as a repository for service information (SRV records) and can perform reverse lookups to convert IP addresses to hostnames

Hostname Resolution

• Windows Sockets (WinSock) and NetBIOS
  – Two standard methods Windows applications can use to access network resources
  – A name accessed through WinSock is known as a hostname
• Steps followed to resolve hostnames
  – Local hostname
    • Server first checks whether the hostname being resolved is its own
    • If it is, it uses its own IP address and the resolution process stops

Hostname Resolution (Continued)

• Steps (Continued)
  – HOSTS file is loaded into cache
    • HOSTS file lists hostnames and IP addresses for resolution
    • Contents of the HOSTS file are placed in the DNS resolver cache
  – DNS cache
    • Contents are evaluated
    • If the hostname being resolved is in the DNS cache, the cached IP address is used
  – DNS
    • If the required hostname is not this server's own and has not been found in the DNS cache, Windows Server 2003 submits a request to a DNS server for resolution

HOSTS File

• Simple text file that stores hostname information
• Located in %SystemRoot%\system32\drivers\etc (C:\WINDOWS\system32\drivers\etc on a default installation)
• Contents are a list of IP addresses and hostnames, one entry per line; text after # is a comment
• Because it is consulted before any DNS server is asked, an entry here overrides DNS for that name; malware routinely edits this file to redirect update or banking sites, so its contents and permissions are worth monitoring
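
The resolution order on the two Hostname Resolution slides and the HOSTS file format, as an added example in Python (not from the textbook). The HOSTS contents, the local hostname server1 at 192.168.1.5 and the offline DNS table are constructed for the example; a real resolver would query a DNS server in the last step.

```python
"""Added example (not from the textbook): the Windows hostname-resolution
order (own name, HOSTS file/cache, then DNS) modelled in Python.  The
HOSTS text below is constructed sample data in the real file's syntax:
'<ip> <name> [<alias> ...]', with '#' starting a comment.  The DNS step
is a dictionary so the example runs offline."""
import ipaddress

# Constructed sample HOSTS file.  The last entry is the kind of line
# malware adds: it silently redirects a real name to an attacker's host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    fileserver fileserver.corp.example   # internal server
10.0.0.66       update.vendor.example                # suspicious override
"""

LOCAL_HOSTNAME = "server1"        # assumption: this machine's own name
LOCAL_IP = "192.168.1.5"

# Stand-in for a real DNS query (assumption: an offline answer table).
FAKE_DNS = {"www.example.com": "93.184.216.34"}


def parse_hosts(text):
    """Return {hostname_lower: ip} from HOSTS file text.

    Names are case-insensitive, so keys are lower-cased.  Lines whose
    first field is not a valid IPv4/IPv6 address are ignored, and the
    first entry for a name wins, as in the resolver.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                              # malformed line
        for name in fields[1:]:
            table.setdefault(name.lower(), ip)
    return table


def resolve(hostname, hosts_text=SAMPLE_HOSTS, dns=FAKE_DNS):
    """Walk the resolution order and return (ip, source).

    Knowing *where* an answer came from matters: an answer sourced from
    'hosts' for a name DNS should own is what a HOSTS-file hijack looks
    like from the client's point of view.
    """
    name = hostname.lower()
    if name == LOCAL_HOSTNAME.lower():
        return LOCAL_IP, "self"
    cache = parse_hosts(hosts_text)   # HOSTS entries are preloaded into the cache
    if name in cache:
        return cache[name], "hosts"
    if name in dns:                   # only now is the DNS server asked
        return dns[name], "dns"
    return None, "unresolved"


def hosts_overrides(hosts_text, trusted_suffixes=("corp.example",)):
    """List multi-label HOSTS entries that override names outside your
    own domains; single-label names (localhost, fileserver) are skipped."""
    return sorted(
        n for n in parse_hosts(hosts_text)
        if "." in n and not n.endswith(trusted_suffixes)
    )


if __name__ == "__main__":
    for h in ("SERVER1", "FileServer", "update.vendor.example", "www.example.com", "nope"):
        print(h, resolve(h))
    print("overrides:", hosts_overrides(SAMPLE_HOSTS))
```

The `hosts_overrides` check is the part worth keeping: run it against the real file on a schedule and alert on any entry that is not localhost and not one of your own domains.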

(Figure: HOSTS file)

Forward Lookup

• Resolves hostnames to IP addresses
• Between the client and its DNS server it is a two-packet exchange
  – First packet is the request from the DNS client to the DNS server containing the hostname to be resolved
  – Second packet is the response from the server containing the IP address of the requested hostname (the server may need further queries of its own to find that answer; see Recursive lookup)

Forward Lookup (Continued)

• Root servers
  – 13 root servers (a.root-servers.net through m.root-servers.net) sit at the top of the DNS lookup process
  – ICANN's DNS Root Server System Advisory Committee is the main body responsible for their oversight
  – If the root servers became unavailable, much of the Internet would be unreachable by name
• Recursive lookup
  – A DNS query that the server resolves by querying other DNS servers on the client's behalf until the requested information is located

(Figure: DNS lookup process)

Registering a Domain

• Top-level domain names
  – Organized either by country (country-code TLDs) or by category (generic TLDs)
  – Category names are defined by the Internet Corporation for Assigned Names and Numbers (ICANN)
  – To join the worldwide DNS lookup system you must register your domain name with a registrar
• Registrars
  – Have the ability to put domain information (the NS records delegating your domain to your name servers) into the top-level domain DNS servers

(Figure: Top-level domains)

Reverse Lookup

• Resolves IP addresses to hostnames (PTR records in the in-addr.arpa namespace)
• Often performed for the system logs of Internet services
• A Web server can be configured to perform a reverse lookup of every client accessing a Web site
• Reverse lookup DNS information for public addresses is usually maintained by the ISP that owns the address block
• A reverse lookup result is only as trustworthy as whoever controls that PTR zone; do not base access decisions on it unless a forward lookup of the returned name maps back to the same address

DNS Record Types

• Created on a DNS server to answer queries
• Each type of record holds a different kind of information about
  – A service
  – A hostname
  – An IP address
  – A domain
• DNS can hold many different record types

(Figure: DNS record types)

Domain Name System (DNS) and Berkeley Internet Name Domain (BIND)

• BIND
  – The de facto standard DNS implementation on UNIX and Linux systems
  – Other implementations of DNS reference BIND version numbers for feature compatibility

(Figure: BIND versions and features)

Installing DNS

• Windows Server 2003 can act as a DNS server
• Small organizations
  – During installation of Active Directory, if no DNS server has been configured for the domain, DCPROMO asks whether it should install DNS
• Large organizations
  – DNS is often installed on multiple servers

DNS Zones

• The part of a DNS namespace for which a DNS server is responsible
• Forward lookup zone
  – A zone that holds records for forward lookups
• Reverse lookup zone
  – A zone that holds records for reverse lookups

Primary and Secondary Zones

• Used to synchronize DNS information automatically between DNS servers
• Primary zone
  – First to be created
  – DNS records are created and edited here
• Secondary zone
  – Holds a read-only copy of the primary zone's information
  – Records cannot be edited in it; changes must be made in the primary zone and transferred

Primary and Secondary Zones (Continued)

• For fault tolerance and to reduce network traffic
  – Keep copies of DNS domain information on more than one server
  – Servers must synchronize the information between them automatically
• Zone transfer (AXFR)
  – Copies the whole zone from the primary zone to a secondary zone
• Incremental zone transfer (IXFR)
  – Copies only the information that has changed in the primary zone since the serial number the secondary already holds
• Transfers should be allowed only to the servers listed in the zone's NS records (Zone Transfers tab); a server that answers AXFR for anyone hands out a complete inventory of your hosts

Active Directory Integrated Zone

• Stores zone information in Active Directory rather than in a file on the local hard drive
• Advantages of storing DNS information in Active Directory
  – Automatic backup of zone information (it is part of every domain controller's system state backup)
  – Multimaster replication (any domain controller running DNS can accept updates)
  – Increased security (secure dynamic updates, with an access control list on each record)

DNS Zone Storage in Active Directory

• Two areas in which DNS zones can be stored in Active Directory
  – Domain directory partition
    • Holds information about objects specific to a particular Active Directory domain
    • Replicated to all domain controllers in that Active Directory domain, whether or not they run DNS
    • Cannot be replicated to domain controllers in other Active Directory domains

DNS Zone Storage in Active Directory (Continued)

  – Application directory partition
    • Allows information to be stored in Active Directory but replicated only among a defined set of domain controllers
    • Those domain controllers must be in the same Active Directory forest but can be in different Active Directory domains

(Figure: Storing a zone in the domain directory partition)

(Figure: Storing a zone on all DNS servers in an Active Directory forest)

Merging Active Directory Integrated Zones with Traditional DNS

• Active Directory integrated zones
  – Interact with traditional zones by acting as a primary zone (the master) for traditional secondary zones
• Situations in which a DNS server cannot participate in an Active Directory integrated zone
  – DNS server is pre-Windows 2000
  – DNS server is Windows 2000 and the Active Directory integrated zone is stored in an application directory partition
  – DNS server is a non-Windows server
  – DNS server is a member server, but not a domain controller
  – DNS server is in a different forest

Stub Zones

• A DNS zone that holds only the records needed to find the authoritative servers for a domain: the SOA record, the NS records, and the glue A records of those name servers
• NS records
  – Define the name servers that are responsible for a domain

(Figure: DNS lookup using a stub zone)

Caching-only Server

• Has no zones configured on it
• Exists only to be a local DNS server for client computers
• On very slow WAN links
  – Caching-only servers may create less network traffic than storing Active Directory integrated zones or secondary zones locally
• To create a caching-only server
  – Install the DNS service and do not create any zones

Active Directory and DNS

• Active Directory requires DNS to function properly
• The most important function DNS performs for Active Directory is locating services: domain controllers publish SRV records that clients use to find LDAP, Kerberos and global catalog servers

Active Directory and DNS (Continued)

• Dynamic DNS
  – Used to simplify management of DNS records for Active Directory
  – A system in which records can be updated on a DNS server automatically by the hosts themselves
  – Defined by RFC 2136
  – Service records for domain controllers are placed in the DNS zone using Dynamic DNS (registered by the Netlogon service)
  – Windows 2000/XP clients perform their own Dynamic DNS updates (by default, registering their A records)

(Figure: DNS records for Active Directory)

Configuring a Zone for Dynamic DNS

• Can be done during the zone creation process or by modifying the properties of the zone afterwards
• "Allow only secure dynamic updates" option
  – Available only if the zone is Active Directory integrated
  – Updates are accepted only from authenticated computers (GSS-TSIG), and each record can then be changed only by the account that created it
• "Allow both nonsecure and secure dynamic updates" option
  – If selected, any host that can reach the server can add, change or delete records, including records belonging to other machines; avoid it on zones that carry Active Directory records
• "Do not allow dynamic updates" option
  – Stops this zone from accepting dynamic updates
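
The two messages behind the Primary and Secondary Zones slides (a zone transfer request) and the Dynamic DNS slides (an RFC 2136 update), built on the wire in Python as an added example that is not from the textbook. The zone corp.example, the host pc42 with address 10.1.2.3, the message IDs and the server address 192.168.1.10 are assumptions; the script only builds and decodes the messages, it does not send them.

```python
"""Added example (not from the textbook): build a zone-transfer request
and an RFC 2136 dynamic UPDATE byte by byte.  Zone, host, address and
message IDs are constructed values."""
import struct

OPCODE_QUERY, OPCODE_UPDATE = 0, 5
TYPE_A, TYPE_SOA, TYPE_AXFR = 1, 6, 252
CLASS_IN, CLASS_ANY = 1, 255


def encode_name(name):
    """'corp.example' -> b'\\x04corp\\x07example\\x00' (RFC 1035 labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def header(msg_id, opcode, counts):
    """12-byte header: ID, flags (QR=0, opcode in bits 11-14, RD=0),
    then the four section counts."""
    return struct.pack("!HHHHHH", msg_id, opcode << 11, *counts)


def question(name, qtype, qclass=CLASS_IN):
    return encode_name(name) + struct.pack("!HH", qtype, qclass)


def rr(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def tcp_frame(msg):
    """DNS over TCP prefixes each message with its 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def axfr_request(zone, msg_id=0x1234):
    """A full zone transfer is an ordinary query with QTYPE=AXFR (252),
    carried over TCP.  Whoever is allowed to send this receives every
    record in the zone, which is why transfers are limited to the
    servers listed on the Zone Transfers tab."""
    return header(msg_id, OPCODE_QUERY, (1, 0, 0, 0)) + question(zone, TYPE_AXFR)


def dynamic_update(zone, host, ip, ttl=1200, msg_id=0x5678):
    """RFC 2136 UPDATE (opcode 5).  The zone section names the zone
    (type SOA); the update section first deletes any A records for the
    host (CLASS=ANY, TTL=0, empty RDATA) and then adds the new one.
    With 'nonsecure and secure' updates enabled, nothing in this message
    proves who sent it, so the server accepts it from any address."""
    fqdn = "%s.%s" % (host, zone)
    rdata = bytes(int(octet) for octet in ip.split("."))
    updates = (rr(fqdn, TYPE_A, CLASS_ANY, 0, b"") +
               rr(fqdn, TYPE_A, CLASS_IN, ttl, rdata))
    # counts: ZOCOUNT=1, PRCOUNT=0, UPCOUNT=2, ADCOUNT=0
    return header(msg_id, OPCODE_UPDATE, (1, 0, 2, 0)) + question(zone, TYPE_SOA) + updates


def decode_header(msg):
    """Return (id, opcode, counts); enough for a detector reading a
    packet capture to separate UPDATEs (opcode 5) from plain queries."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    return msg_id, (flags >> 11) & 0xF, (zo, pr, up, ad)


if __name__ == "__main__":
    axfr = axfr_request("corp.example")
    upd = dynamic_update("corp.example", "pc42", "10.1.2.3")
    print("AXFR request (TCP framed):", tcp_frame(axfr).hex())
    print("UPDATE:", upd.hex(), decode_header(upd))
    # To send the update for real (hypothetical server address):
    # import socket; socket.socket(socket.AF_INET, socket.SOCK_DGRAM).sendto(upd, ("192.168.1.10", 53))
```

A secure update differs from this message only by a TSIG record in the additional section that carries a Kerberos-derived signature; a zone set to "nonsecure and secure" will take the unsigned form above from anyone on the network.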

(Figure: Dynamic update options when creating an Active Directory integrated zone)

(Figure: Changing the dynamic update option)

Managing DNS Servers

• Aging and scavenging
  – Feature of the Windows DNS service (present since Windows 2000)
  – Allows DNS records created by Dynamic DNS to be removed after a certain period if they have not been refreshed: a record is eligible once its timestamp plus the zone's no-refresh and refresh intervals (7 days each by default) is in the past
  – Only records that carry a timestamp (dynamically registered ones) are scavenged; records created by hand have no timestamp and are never removed
  – Must be enabled on the Advanced tab of the DNS server properties, and aging must also be enabled on each zone
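
The aging rule described above, applied to a small constructed zone, as an added example in Python (not from the textbook). Times are hours since an arbitrary epoch and the intervals are the Windows DNS defaults; the record names and timestamps are made up.

```python
"""Added example (not from the textbook): the Windows DNS aging and
scavenging rule applied to constructed records.  Timestamps are hours
since an arbitrary epoch; 0 marks a static (manually created) record."""
from collections import namedtuple

HOURS_PER_DAY = 24
NO_REFRESH = 7 * HOURS_PER_DAY   # refreshes inside this window are not written
REFRESH = 7 * HOURS_PER_DAY      # window in which a refresh is accepted

Record = namedtuple("Record", "name rtype timestamp")

# Constructed sample zone contents.
ZONE = [
    Record("dc1.corp.example", "A", 0),         # static, created by an admin
    Record("pc7.corp.example", "A", 600),       # refreshed recently
    Record("laptop3.corp.example", "A", 100),   # left the network long ago
    Record("printer.corp.example", "A", 400),
]


def accept_refresh(record, now):
    """A dynamic update carrying unchanged data only bumps the timestamp
    after the no-refresh interval, so that clients re-registering daily
    do not churn Active Directory replication.  Returns the record as
    the server would store it."""
    if record.timestamp == 0:
        return record                        # static records stay untimestamped
    if now - record.timestamp < NO_REFRESH:
        return record                        # inside no-refresh: ignored
    return record._replace(timestamp=now)


def is_stale(record, now):
    """Eligible for scavenging once no-refresh + refresh has elapsed."""
    if record.timestamp == 0:
        return False
    return now > record.timestamp + NO_REFRESH + REFRESH


def scavenge(zone, now):
    """Split the zone into (kept, removed) as one scavenging pass would."""
    kept = [r for r in zone if not is_stale(r, now)]
    removed = [r for r in zone if is_stale(r, now)]
    return kept, removed


if __name__ == "__main__":
    now = 700
    kept, removed = scavenge(ZONE, now)
    print("removed:", [r.name for r in removed])
    print("kept:   ", [r.name for r in kept])
    print("pc7 refresh at", now, "->", accept_refresh(ZONE[1], now).timestamp)
    print("printer refresh at", now, "->", accept_refresh(ZONE[3], now).timestamp)
```

Two operational consequences follow from the rule: a server that has been down for longer than no-refresh plus refresh will scavenge live records when it comes back, so check timestamps before enabling scavenging on an old server; and once a stale record is removed, the name is free for any authenticated machine to register, so scavenging does not by itself prevent a name from being taken over.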

Managing DNS Servers (Continued)

• Update Server Data Files
  – Option available when you right-click the server; writes in-memory zone changes to the zone files immediately
• Clear Cache
  – The DNS server automatically caches all lookups it performs
  – Clearing the cache forces the DNS server to perform a new lookup before a cached record's TTL expires; it is also the way to evict a bad or poisoned entry

Managing DNS Servers (Continued)

• Configure Bindings
  – You can configure DNS to respond only on certain IP addresses bound to the server (for example, only the internal interface of a multihomed server)
• Forwarding
  – Allows you to configure the local DNS server to forward queries it cannot answer from its own zones to another DNS server

(Figure: The DNS Server Properties Interfaces tab)

Root Hints

• Servers used to start recursive lookups
• Root Hints tab
  – Automatically populated with the names and IP addresses of the DNS root servers on the Internet (loaded from the cache.dns file)
• It is possible to configure one of your internal DNS servers to act as a root server
  – Create a forward lookup zone named "."
  – A DNS server with a zone named "." considers itself a root server and will no longer use root hints or forwarders to resolve Internet names

(Figure: The DNS Server Properties Forwarders tab)

(Figure: The DNS Server Properties Root Hints tab)

Logging

• Event logging
  – Records errors, warnings, and information to the DNS Server event log
• Debug logging
  – Records packet-by-packet information about the queries the DNS server is receiving and sending, to a log file
  – Expensive on a busy server; enable it for the period you are troubleshooting
  – Can reduce the information recorded by specifying
    • Packet direction
    • Transport protocol
    • Packet contents
    • Packet type

(Figure: DNS Server Properties Event Logging tab)

Advanced Options

• Configurable options on the Advanced tab of the server properties
  – Disable recursion (also disables forwarders); use it on servers that should answer only for their own zones
  – BIND secondaries (sends zone transfers in the slower, uncompressed format that BIND versions before 4.9.4 require)
  – Fail on load if bad zone data
  – Enable round robin
  – Enable netmask ordering
  – Secure cache against pollution (discards records in a response that lie outside the zone the answering server is authoritative for)
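
The recursive lookup from the Forward Lookup and Root Hints slides, and the "Secure cache against pollution" option above, shown together in a toy iterative resolver. This is an added example in Python, not from the textbook: the servers, zones and addresses (RFC 5737 documentation ranges) are constructed, and nothing touches the network.

```python
"""Added example (not from the textbook): a toy resolver that walks
referrals from a root hint, and what 'Secure cache against pollution'
changes.  Servers, zones and addresses are constructed."""


def in_zone(name, zone):
    """True if name falls inside zone (the server's 'bailiwick')."""
    return zone == "." or name == zone or name.endswith("." + zone)


class AuthServer:
    """An authoritative server answering iteratively: an answer, a
    referral to a child zone, or nothing, plus any additional records
    it chooses to volunteer."""

    def __init__(self, zone, records, delegations, extra=()):
        self.zone = zone                  # zone this server is authoritative for
        self.records = records            # {fqdn: ipv4} answers
        self.delegations = delegations    # {child_zone: (ns_name, ns_ip)}
        self.extra = list(extra)          # additional-section records

    def query(self, name):
        if name in self.records:
            return [(name, self.records[name])], None, self.extra
        for child, ns in self.delegations.items():
            if in_zone(name, child):
                return None, (child, ns), self.extra
        return None, None, self.extra


class Resolver:
    def __init__(self, servers, root_hint_ip, secure_cache=True):
        self.servers = servers            # {ip: AuthServer}: the simulated Internet
        self.root_ip = root_hint_ip       # from the Root Hints tab
        self.secure_cache = secure_cache  # the Advanced-tab option
        self.cache = {}
        self.trace = []

    def _learn(self, server, records):
        """Cache records from a response.  With secure caching, a record
        outside the answering server's zone is discarded: that server has
        no authority over names it does not own."""
        for name, ip in records:
            if self.secure_cache and not in_zone(name, server.zone):
                self.trace.append("dropped out-of-bailiwick %s from %s" % (name, server.zone))
                continue
            self.cache[name] = ip

    def resolve(self, name):
        if name in self.cache:
            return self.cache[name]
        ip = self.root_ip
        for _ in range(16):               # hop limit against referral loops
            server = self.servers[ip]
            answer, referral, extra = server.query(name)
            self._learn(server, extra)
            if answer:
                self._learn(server, answer)
                return answer[0][1]
            if referral is None:
                return None               # name does not exist
            child, (ns_name, ns_ip) = referral
            self.trace.append("referral for %s -> %s" % (child, ns_name))
            ip = ns_ip
        return None


def build_network():
    """Root -> 'example' TLD -> two child zones.  The evil.example server
    volunteers a bogus record for www.corp.example in every reply."""
    root = AuthServer(".", {}, {"example": ("a.nic.example", "192.0.2.1")})
    tld = AuthServer("example", {}, {
        "corp.example": ("ns1.corp.example", "192.0.2.10"),
        "evil.example": ("ns1.evil.example", "192.0.2.66")})
    corp = AuthServer("corp.example", {"www.corp.example": "10.1.1.80"}, {})
    evil = AuthServer("evil.example", {"www.evil.example": "203.0.113.5"}, {},
                      extra=[("www.corp.example", "203.0.113.5")])
    return {"192.0.2.53": root, "192.0.2.1": tld, "192.0.2.10": corp, "192.0.2.66": evil}


if __name__ == "__main__":
    for secure in (False, True):
        r = Resolver(build_network(), "192.0.2.53", secure_cache=secure)
        r.resolve("www.evil.example")     # the lookup an attacker lures the server into
        print("secure_cache=%s: www.corp.example -> %s" % (secure, r.resolve("www.corp.example")))
```

With the option off, one lookup of an attacker-controlled name is enough to plant a wrong address for an internal host in the cache; with it on, the same reply is trimmed to the records the answering server is entitled to give.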

(Figure: The DNS Server Properties Advanced tab)

Managing Zones

• Options that can be configured for a zone
  – Reload zone information
  – Create a new delegation
  – Change the type of zone and its replication scope
  – Configure aging and scavenging
  – Modify the Start of Authority (SOA) record
  – Name servers
  – Enable WINS resolution
  – Enable zone transfers
  – Configure security

Troubleshooting DNS

• Most DNS problems are the result of incorrectly configured DNS records
• Iterative query
  – The DNS server answers only from the zones for which it is responsible and its cache, returning a referral to other name servers rather than chasing it
• NSLOOKUP
  – Queries DNS records
  – Allows you to confirm that each DNS server is configured with the correct information
  – Can be used from a command prompt to resolve hostnames
  – Most powerful in interactive mode, where you can switch servers (server) and record types (set type=SRV) between queries

(Figure: DNS Server Properties Monitoring tab)

Summary

• Hostname resolution
  – Check whether the hostname being resolved matches the hostname of the local computer
  – Load the HOSTS file into the DNS cache
  – Check the DNS cache
  – Query DNS if the name is still unresolved
• Forward lookup
  – Resolves hostnames to IP addresses
• Reverse lookup
  – Resolves IP addresses to hostnames

Summary (Continued)

• Recursive lookup
  – Performed when the local DNS server queries the root servers on the Internet on behalf of a DNS client
• Common DNS record types
  – A, MX, CNAME, NS
  – SOA, SRV, AAAA, and PTR
• DNS zones
  – Hold records for a portion of the DNS namespace
  – Primary and secondary zones are stored in a zone file
  – Active Directory integrated zones are stored in Active Directory
  – Stub zone contains name server records

Summary (Continued)

• Caching-only server
  – Reduces network traffic generated by DNS queries
• Dynamic DNS
  – Allows records to be updated automatically on a DNS server
• Aging and scavenging
  – Remove outdated records created by Dynamic DNS
• Root hints
  – Used for recursive lookups

Summary (Continued)

• Event logging and debug logging
  – Used to troubleshoot DNS problems
• WINS lookup
  – Lets a DNS zone fall back to a WINS server for hostnames the zone does not hold
• NSLOOKUP
  – Used to verify that a DNS server is properly configured