083006 Windows Server 2003 DNS

8/14/2019 083006 Windows Server 2003 DNS

1/31

Windows Server 2003DNS

[email protected]


2/31

What Is a Domain Namespace?

Root DomainRoot Domain

SubdomainsSubdomains

Second-LevelSecond-Level

DomainDomain

Top-LevelTop-Level

DomainDomain

FQDN:server1.sales.south.nwtr

aders.com

FQDN:server1.sales.south.nwtr

aders.com

south

south

nwtraders

nwtraders

com

com

sales

sales

west

west east

east

org

orgnet

net

Host: server1Ho

st: server1


3/31

Overview of the DNS Query Process

Query TypesQuery Types

Query TypesQuery Types

Iterative Query

Iterative QueryThe DNS server returns the best answer that it canprovide without help from other servers

The DN

S server returns the best answer that it canprovide without help from other servers

Recursive Query

Recursive Query

The D

NS server returns a complete answer to the

query, not a pointer to another DNS server

The D

NS server returns a complete answer to the

query, not a pointer to another DNS server

Lookup TypesLookup Types

Lookup TypesLookup Types

Forward Lookup

Forward Lookup

Requires name-to-address resolution

Requires name-to-address resolution

Reverse Lookup

Reverse Lookup

Requires address-to-name resolution

Requires address-to-name resolution


4/31

How Recursive Queries Work

Computer1

Computer1

Recursive queryfor

mail1.nwtraders

.com172.16.64.11

A recursive queryis a query made to a DNSserver, in which the DNS client asks the DNSserver to provide a complete answer to thequery

A recursive queryis a query made to a DNS

server, in which the DNS client asks the DNSserver to provide a complete answer to thequery

DNS server checks theforward lookup zone and

cache for an answer to thequery

DNS server checks theforward lookup zone and

cache for an answer to thequery

Database

Local DNS ServerLo

cal DNS Server


5/31

How Iterative Queries WorkAn iterative query is a query made to a DNS server inwhich the DNS client requests the best answer that

the DNS server can provide without seeking furtherhelp from other DNS servers.The result of aniterative query is often a referral to another DNSserver lower in the DNS tree

An iterative query is a query made to a DNS server inwhich the DNS client requests the best answer that

the DNS server can provide without seeking furtherhelp from other DNS servers.The result of aniterative query is often a referral to another DNSserver lower in the DNS tree

Computer1

Computer1

Local

DNS Server

Local

DNS Server

nwtraders.comnw

traders.com

Root Hint (.)Ro

ot Hint (.)

.com

.com

Recu

rsiv

equery

for

mail1

.nwtr

aders

.com

172.1

6.64

.11

Iterative Query

IterativeQuery

IterativeQuery

Ask

.com

Asknwtraders.com

AuthoritativeResponse


6/31

How Root Hint Works

Root hints are DNS resource records stored ona DNS server that list the IP addresses for theDNS root servers

Root hints are DNS resource records stored ona DNS server that list the IP addresses for theDNS root servers

microsoft

microsoft

Corp. or ISP

DNS Servers

Corp. or ISP

DNS Servers

Root Hints

Root Hints

LocalDNS Server

LocalDNS Server

InterNIC

Root (.) Servers

InterNIC

Root (.) Servers

com

com

Computer1

Computer1


7/31

How Forwarders WorkA forwarderis a DNS server designated by other

internal DNS servers to forward queries forresolving external or offsite DNS domain names

A forwarderis a DNS server designated by other

internal DNS servers to forward queries forresolving external or offsite DNS domain names

Computer1Computer1

nwtraders.comnwtraders.com

Root Hint (.)Root Hint (.)

.com.com

Iterative Query

IterativeQuery

IterativeQuery

Ask.com

Asknwtraders.com

AuthoritativeResponse

LocalDNS Server

LocalDNS Server

ForwarderForwarder

Recursivequeryfor

mail1.nwtraders.com

172.16.64.11

172

.16

.64

.11

Recursiv

eQuery


8/31

What Is a DNS Zone?

NwtradersNwtraders

WestWestSouthSouth

SupportSupportSalesSales TrainingTraining

NorthNorth


9/31

What Are DNS Zone Types?

Zones Description

Primary Read/write copy of a DNSdatabase

Secondary Read-only copy of a DNSdatabase

Stub Copy of a zone containinglimited records

Read/Write

Read-Only

Copy oflimitedrecords


10/31

Selecting Zone Data Location

Standard Zones

Primary Zone Secondary Zone

ChangeChangeZone Transfer

Active Directory Integrated Zones

ChangeChange ChangeChange ChangeChange

Zone Transfer


11/31

Configuring Standard Zones You can configure a DNS server to host standard primary zones,

standard secondary zones, or any combination of zones You can designate a primary server or a secondary server as a

master server for a standard secondary zone

DNS

Server A AA

DNSServer B

BBSecondary Zone

(Master DNS Server =DNS Server A)

CC

DNSServer C

Secondary Zone(Master DNS Server =

DNS Server A)

Primary Zone

ZoneInforma

tion


12/31


13/31

Zone Transfer Process

A Zone Transfer is Initiated When

A master DNS server sends notification of zone changes tothe secondary server or servers

The secondary server queries a master DNS server forchanges to the zone file

DNSServer

(Master)

nwtraders

trainingsupport

Primary ZoneDatabase File

Secondary ZoneDatabase File

DNSServe

r

Zone 1


14/31

Configuring Zone Transfers

Zone Transfer Types Full zone transfer (AXFR)

Incremental zone transfer (IXFR)

Configuring Zone Transfer Properties

Configuring DNS Notify

Serial number:2 Increment

15 minutes

10 minutes

1 days

Refresh interval:

Retry interval:

Expires after:

0 :1 :0 :0Minimum (default) TTL:


15/31

Configuring Zone Transfersnwtraders.msft Properties

WINS Zone Transfers Security

General Start of Authority (SOA) Name Servers

Serial number:

28

Primary server:

london.contoso.com

Responsible person:

admin.contoso.com

Increment

Browse

Browse

15 minutes

10 minutes

1 days

0 :1 :0 :0

0 :1 :0 :0

OK Cancel

Refresh interval:

Retry interval:

Expires after:

Minimum [default] TTL:

TTL for this record:

ApplyApply

OK Cancel AApplypplyAApplypply

nwtraders.msft Properties



Allow zone transfers

To any server

Only to servers listed on the Name Servers tab

Only to the following servers

IP address:

To specify secondary servers to be notified of zoneupdates, click Notify.

AAddddAAdddd

RRemoveemoveRRemoveemove

Notify

A zone transfer sends a copy of the zone to requestingservers.


16/31

How DNS Notify Works

Secondary Server Primary andMaster Server

DNS notify

Zone transfer

A DNS notifyis an update to the original DNSprotocol specification that permits notificationto secondary servers when zone changesoccur

A DNS notifyis an update to the original DNSprotocol specification that permits notificationto secondary servers when zone changesoccur

Source ServerSource ServerDestination ServerDestination Server 1

2

3

4

Resource

record isupdatedSOA serialnumber isupdated


17/31

Configuring AD Integrated Zones

Active Directory Integrated Zone Data Is Stored as an Active Directory object

Replicated as part of domain replication

Active DirectoryActive Directory contoso.com

DNS Server

Active Directory

Integrated Zone

Active Directory

Integrated Zone


18/31

What Are Directory Partitions?

Active DirectoryDatabase

Active DirectoryDatabase

Configurable

replication

Domain

Forest Schema

Configuration

Definitions and rulesfor creating andmanipulating objectsand attributes

Definitions and rules

for creating andmanipulating objectsand attributes

Information aboutthe Active Directorystructure

Information aboutthe Active Directorystructure

Information aboutdomain-specificobjects

Information aboutdomain-specificobjects

Information about

applications

Information about

applications

Contains:


19/31

Selecting a Partition

Forest Application

Domain Partition

Domain

Application


20/31

Configuring Dynamic Updates DNS Dynamic Update Protocol

Allows clients to automatically update DNS servers

Can be used in conjunction with DHCP

DNS Server

Request for IP addressRequest for IP address11

Assign IP addressof 192.168.120.133

Assign IP addressof 192.168.120.133

22

Zone Database

Computer1192.168.120.133

Computer1192.168.120.133

DHCP

Server

Windows clientupdates forwardresource recordon DNS server

Windows clientupdates forward

resource recordon DNS server

DHCP updates reverseresource record forWindows 2000, XP and2003 clients and bothresource records forother clients

DHCP updates reverseresource record forWindows 2000, XP and

2003 clients and bothresource records forother clients


21/31

Securing Dynamic Updatesnwtraders.msft. Properties



Status:

Type:

Running

Active Directory-integrated

Pause

Change

Data is stored in Active Directory.

Allow dynamic updates?

Aging

Only secure updates

To set aging/scavenging properties,

click Aging

OK Cancel Apply

SecureSecureDynamic UpdatesDynamic Updates

SecureSecureDynamic UpdatesDynamic Updates

Active DirectoryActive DirectoryIntegrated ZoneIntegrated ZoneActive DirectoryActive DirectoryIntegrated ZoneIntegrated Zone


22/31

Creating a Subdomain

Create a Subdomain to Better Organize Your Namespace

Delegate Authority of a Subdomain To Delegate management of portions of the namespace

Delegate administrative tasks of maintaining one large DNS

database

org.org. com.com.com.com. edu.edu. tw.tw.

....

microsoft.com.

training.microsoft.com.

SubdomainSubdomainSecond-Level DomainSecond-Level DomainTop-Level DomainTop-Level DomainRootRoot


23/31

DNS Server Roles

Role SituationCaching-onlyservers

A remote office has a limited amount ofavailable bandwidth

Non-recursiveservers

You have Internet-facing DNS that areauthoritative for one or more zones

Forward-onlyservers

You want to manage the DNS traffic betweenyour network and the Internet

Conditionalforwarders

You want DNS clients in separate networks toresolve each others names without having toquery the DNS server on the Internet


24/31

How the Time-to-Live Value Works

The records in the zone are sent to other DNSservers and clients in response to queriesThe records in the zone are sent to other DNSservers and clients in response to queries1

DNS servers and DNS clients that store therecord in their cache hold the record for theTTL period supplied in the record

DNS servers and DNS clients that store therecord in their cache hold the record for theTTL period supplied in the record

2

When the TTL expires, the record is removedfrom the cacheWhen the TTL expires, the record is removedfrom the cache3

The Time-to-Live (TTL) value is a time-out valueexpressed in seconds that is included with DNSrecords that are returned in a DNS query

The Time-to-Live (TTL) value is a time-out valueexpressed in seconds that is included with DNSrecords that are returned in a DNS query

Zone

TTL seton the zone

DNS Server1DNS Server1DNS ClientDNS ClientAuthoritativeDNS Server2

AuthoritativeDNS Server2

Cac

he

Cac

he

Cac

he

Cac

he

Resource RecordResource RecordResource RecordResource Record


25/31

Reducing Network Traffic by Using

Caching-Only Servers

Caching-Only Servers Perform name resolution on behalf of client computers andcache the results

Can be used to reduce DNS-related traffic across a WAN

Caching-OnlyDNS ServerClient

Client

Client

Remote Office

DNS Server

Corporate Headquarters

Slow WAN Link


26/31

How Aging and Scavenging Works

Jan 1 Jan 15Jan 8

Scave

nge

Scave

nge

No-Refreshinterval

No-Refreshinterval

Refresh

interval

Refresh

interval

Timestampe

d

Timestampe

d

AgingAging

7-days 7-days


27/31

What Is DNS Debug Logging?

Primary DNS Server1Primary DNS Server1

DNS debug logging is an optional logging toolfor DNS that stores the DNS information that

you select

DNS debug logging is an optional logging toolfor DNS that stores the DNS information that

you select

Secondary DNS Server2Secondary DNS Server2


28/31

Planning a DNS Implementation

Small Companies Can use ISP DNS servers for queries and to

store company domain names

Larger Companies Maintain their own DNS servers

Two DNS Servers Recommended

Primary name server Secondary name server


29/31

DNS Namespace Options

SameNamespac

e

SameNamespac

e

DelegatedNamespac

e

DelegatedNamespac

e

UniqueNamespac

e

UniqueNamespac

eExistingDNS

Namespace

ExistingDNS

Namespace

ExistingDNS

Namespace

ExistingDNS

Namespace

ExistingDNS

Namespace

ExistingDNS

Namespace

nwtraders.com

nwtraders.com

nwtraders.com

nwtraders.local

ad.nwtraders.comnwtraders.com

InternalNamesp

ace

InternalNamesp

ace

InternalNamesp

ace

InternalNamesp

ace

InternalNamesp

ace

InternalNamesp

ace


30/31


31/31

Integrating DNS into Screened Subnets

Zones Contain Records for PublicResources

Configure Firewalls to PermitAppropriate DNS Traffic

Place Only Secondary Zones

Encrypt Replication Traffic with IPSec

public.contoso.msft

Firewall

Firewall

Internet

ScreenedSubnet

public.contoso.msft

Primary DNS Zone Secondary DNS Zone

Private

Network

Documents

083006 Windows Server 2003 DNS