Module 4: Resolving Host Names by Using Domain Name System


Contents

Overview 1

Multimedia: The Role of DNS in the Network Infrastructure 2

Lesson: Installing the DNS Server Service 3

Lesson: Configuring the DNS Server Service 10

Lesson: Configuring DNS Zones 30

Lesson: Configuring DNS Zone Transfers 51

Lesson: Configuring a DNS Client 62

Lab: Resolving Host Names by Using DNS 69


Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links are provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. 
Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. © 2005 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, PowerPoint, Windows, Windows Media, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.


Instructor Notes
This module provides students with the knowledge and ability to configure name resolution by using DNS.

After completing this module, students will be able to:

! Describe the role of Domain Name System (DNS) in the network infrastructure.
! Install the DNS Server service.
! Configure the DNS Server service.
! Configure DNS zones.
! Configure DNS zone transfers.
! Configure a DNS client.

Presentation: 4 hours 15 minutes
Lab: 15 minutes

Required materials
To teach this module, you need the following materials:

! Microsoft® Office PowerPoint® file 2277c_04.ppt
! The multimedia presentation The Role of DNS in the Network Infrastructure

Important
It is recommended that you use Microsoft Office PowerPoint 2002 or later to display the slides for this course. If you use Microsoft PowerPoint Viewer or an earlier version of PowerPoint, some features of the slides may not be displayed correctly.

Preparation tasks
To prepare for this module:

! Read all of the materials for this module.
! Complete all practices and the lab.
! Review the multimedia presentation The Role of DNS in the Network Infrastructure.
! Review prerequisite courses and modules.


How to Teach This Module
This section contains information that will help you to teach this module.

Practices and Labs
Explain to the students how the practices and labs are designed for this course. A module includes two or more lessons. Most lessons include a practice. After completing all of the lessons for a module, students finish the module with a lab.

Practices
This module includes only one instructor demonstration topic, but you should demonstrate many of the administrative tasks as you teach them. After you have covered the contents of the topics, explain that a practice will give students a chance for hands-on learning of all the tasks discussed in the lesson.

Labs
At the end of each module, the lab enables the students to practice the tasks that are discussed and applied in the module.

Using a scenario that is relevant to the job role of the students, the lab gives a set of instructions in a two-column format. The left column provides the task (for example, “Create a group”). In the right column are specific instructions that the students will need to perform the task (for example, “From Active Directory Users and Computers, double-click the domain node”).

An answer key for each lab exercise is located on the Student Materials CD, in case the students need step-by-step instructions to complete the lab. They can also refer to the practices and How To pages in the module.


Multimedia: The Role of DNS in the Network Infrastructure
This section describes the instructional methods for teaching this multimedia presentation.

! The multimedia files are installed on the instructor computer. To open a multimedia presentation, click the animation icon on the slide for that multimedia presentation.
! Explain that this multimedia presentation provides a visual and high-level overview of DNS and the domain namespace. The details of how DNS works are provided in the topic pages.
! Estimated time required for the multimedia presentation is 7 minutes.

Lesson: Installing the DNS Server Service
This section describes the instructional methods for teaching this lesson.

Overview of Domain Name System
! Define DNS.
! Explain the purpose of DNS.
! Explain the purpose of Internet Network Information Center (InterNIC). For more information about InterNIC, go to the InterNIC Web site at http://www.internic.net.
! Explain the history of DNS.

What Is a Domain Namespace?
! Explain the purpose of a domain namespace.
! Explain what a domain namespace, domain, root domain, top-level domain, second-level domain, and subdomain are by referring to the illustration in the slide.
! Explain what a fully qualified domain name (FQDN) is.
! Provide examples of domain namespace, domain, root domain, top-level domain, second-level domain, and subdomain.

Standards for DNS Naming
! Explain the purpose of DNS naming standards.
! Discuss the DNS naming standards.
! Provide examples of DNS names that comply with the DNS naming standards.

Practice: Installing the DNS Server Service
! Direct the students to practice installing the DNS Server service.
! Reconvene class after all students have completed the practice and discuss the results of the practice.


Lesson: Configuring the DNS Server Service
This section describes the instructional methods for teaching this lesson.

What Are the Components of a DNS Solution?
! Describe the components of DNS, including the DNS server, DNS client, and DNS resource records.
• Only briefly describe resource records; this content is explained in depth later in the lesson.

What Is a DNS Query?
! Define query.
• Only briefly explain that there are two types of queries; later topics in this lesson explain recursive and iterative queries in detail.
! Describe how DNS clients and DNS servers can initiate queries for name resolution.
! Explain that a DNS server can be either authoritative or nonauthoritative for the namespace of the query.
• Describe how a DNS server will respond if it is authoritative.
• Describe how a DNS server will respond if it is nonauthoritative.

How Recursive Queries Work
! Define recursive query.
! Explain the purpose of a recursive query.
! Explain the characteristics of a recursive query.
! Describe how a recursive query works by referring to the slide.
• This topic has a detailed animated slide, so be sure to review the slide prior to class.

How Iterative Queries Work
! Define iterative query.
! Explain the purpose of an iterative query.
! Explain the characteristics of an iterative query.
! Describe how an iterative query works by referring to the example illustrated in the slide.
• This topic has a detailed animated slide, so be sure to review the slide prior to class.
! Describe how a referral works.
! Describe how recursion works.

How Forwarders Work
! Define forwarders.
! Explain the purpose of forwarders.
! Describe how a forwarder works by referring to the example illustrated in the slide.
• This topic has a detailed animated slide, so be sure to review the slide prior to class.
! Describe forwarder behavior, including using forwarders with or without recursion.


How Conditional Forwarding Works
! Define conditional forwarding.
! Explain how conditional forwarding works.
! Explain when to use conditional forwarding.

How Root Hints Work
! Define root hint.
! Describe the function of a root hint on the Internet and within an organization by referring to the slide.

How DNS Server Caching Works
! Define caching.
! Explain the purpose of DNS server caching.
! Describe how DNS server caching works by referring to the example illustrated in the slide.
• This topic has a detailed animated slide, so be sure to review the slide prior to class.
! Describe how negative caching works.
! Explain what caching-only servers are.
! Briefly explain what DNS client-side resolver caching is.
• If students want more information about the DNS client resolver, see Module 3, “Resolving Names,” in Course 2277, Implementing, Managing, and Maintaining a Microsoft Windows Server™ 2003 Network Infrastructure: Network Services.

Demonstration: Configuring the DNS Server Service
Complete the following steps to demonstrate how to configure a DNS server to use forwarding and root hints. As you complete the demonstration, explain the options and explain why you would choose each option.

To update root hints on a DNS server:

1. Open the DNS console.
2. In the DNS console, select the appropriate server.
3. On the Action menu, click Properties.
4. On the Root Hints tab, you can click:
• Add to add a Name Server. Enter the FQDN and IP address of the Name Server.
• Edit to edit a Name Server. Edit the FQDN or IP address of the Name Server.
• Remove to remove a Name Server.
• Copy from Server to copy the list of Name Servers from a DNS server.
5. Click OK to close the Properties dialog box, and then close the DNS console.


To configure a DNS server to use a forwarder:

1. Open the DNS console.
2. In the DNS console, select the appropriate server.
3. On the Action menu, click Properties.
4. On the Forwarders tab, click New.
5. In the New Forwarder dialog box, type the name of the DNS domain that the DNS server will forward queries for, and then click OK.
6. On the Forwarders tab, in the Selected domain’s forwarder IP address list field, type the IP address of the DNS server that will act as the forwarder for queries that are in the server’s DNS domain, and then click Add.
7. On the Forwarders tab, in the Number of seconds before forward queries time out box, type the value in seconds.
8. If required, on the Forwarders tab, select the option Do not use recursion for this domain, and then click OK.
9. Close the DNS console.

To clear the DNS server cache by using the DNS console:

1. Open the DNS console.
2. In the DNS console, select the server.
3. On the Action menu, click Clear Cache.

To clear the DNS server cache by using the dnscmd command:

1. On the DNS server, install Support Tools from the Windows 2003 Server CD.
2. On the DNS server, at the command prompt, type dnscmd Server_Name /clearcache (where Server_Name is the name of the DNS server).
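The settings configured in the steps above (a forwarder list per DNS domain, the forwarding time-out, the Do not use recursion for this domain option, and the root hints) together decide where a server sends a query it cannot answer from its own zones or cache. The following Python model is an added example, not code from the courseware or from Microsoft: the longest-matching conditional forwarder wins, otherwise the forwarders for all other DNS domains are tried in order, and only if forwarding fails and recursion is still allowed for that domain does the server fall back to iterating from its root hints. The ForwarderEntry and ServerConfig classes, the select_forwarder, route_query and simulate functions, and every address in EXAMPLE_CONFIG are constructed for this example; the reachable callable stands in for the network.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


# Constructed model of the Forwarders and Root Hints tab settings; these
# classes are not part of any Microsoft API.
@dataclass
class ForwarderEntry:
    domain: str                 # "" stands for "All other DNS domains"
    addresses: List[str]        # forwarder IP addresses, tried in order
    timeout_seconds: int = 5    # "Number of seconds before forward queries time out"
    no_recursion: bool = False  # "Do not use recursion for this domain"


@dataclass
class ServerConfig:
    forwarders: List[ForwarderEntry]
    root_hints: List[str]            # Name Servers listed on the Root Hints tab
    recursion_enabled: bool = True   # server-wide recursion switch


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def select_forwarder(config: ServerConfig, qname: str) -> Optional[ForwarderEntry]:
    """Pick the forwarder entry for a query name.

    The conditional forwarder whose domain is the longest suffix of the query
    name wins; if none matches, the entry for all other domains is used.
    """
    q = _norm(qname)
    best: Optional[ForwarderEntry] = None
    default: Optional[ForwarderEntry] = None
    for entry in config.forwarders:
        d = _norm(entry.domain)
        if d == "":
            default = entry
        elif (q == d or q.endswith("." + d)) and (
            best is None or len(d) > len(_norm(best.domain))
        ):
            best = entry
    return best if best is not None else default


def route_query(
    config: ServerConfig, qname: str, reachable: Callable[[str], bool]
) -> Dict[str, object]:
    """Decide how the server resolves a name it has no local answer for.

    reachable(ip) simulates the network: True means that server replied
    before the time-out. The returned trace lists every attempt in order.
    """
    trace: List[str] = []
    entry = select_forwarder(config, qname)
    if entry is not None:
        scope = entry.domain or "all other DNS domains"
        for ip in entry.addresses:
            trace.append(f"forward to {ip} for {scope} (time-out {entry.timeout_seconds}s)")
            if reachable(ip):
                return {"method": "forwarder", "answered_by": ip, "trace": trace}
        if entry.no_recursion:
            # Forward-only for this domain: no fallback to the root hints.
            trace.append("forwarders failed and recursion is disabled for this domain: SERVFAIL")
            return {"method": "failure", "answered_by": None, "trace": trace}
    if config.recursion_enabled:
        for ip in config.root_hints:
            trace.append(f"iterate from root hint {ip}")
            if reachable(ip):
                return {"method": "root hints", "answered_by": ip, "trace": trace}
    trace.append("no forwarder or root hint answered: SERVFAIL")
    return {"method": "failure", "answered_by": None, "trace": trace}


# Constructed configuration: a partner domain that may only be resolved via
# the partner's own server, everything else via two internal forwarders,
# and one root hint. Addresses come from the documentation ranges.
EXAMPLE_CONFIG = ServerConfig(
    forwarders=[
        ForwarderEntry("partner.example", ["198.51.100.53"], no_recursion=True),
        ForwarderEntry("", ["192.0.2.53", "192.0.2.54"]),
    ],
    root_hints=["203.0.113.1"],
)


def simulate(up: Dict[str, bool], qname: str) -> Dict[str, object]:
    """Run one query against EXAMPLE_CONFIG; `up` lists the servers that answer."""
    return route_query(EXAMPLE_CONFIG, qname, lambda ip: up.get(ip, False))


if __name__ == "__main__":
    live = {"192.0.2.54": True, "203.0.113.1": True}
    for name in ("www.microsoft.com", "server1.partner.example."):
        result = simulate(live, name)
        print(name, "->", result["method"], result["answered_by"])
        for step in result["trace"]:
            print("   ", step)
```

The trace makes the effect of step 8 visible: with Do not use recursion selected for partner.example, an outage of the partner's server produces a failure rather than an attempt to reach the Internet root servers for a private domain, which is the behaviour you want when a domain must only ever be resolved through the configured forwarder.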

Best Practices for Configuring DNS
! Discuss using a central forwarder for Internet name resolution.
! Discuss considerations for using conditional forwarding.
! Discuss when to disable recursion.
! Use the build slide to discuss DNS server configuration. As you move through each part of the build slide, discuss the reasons for choosing each type of DNS server configuration.

Practice: Configuring Properties for the DNS Server Service
! Direct the students to practice configuring properties for the DNS Server service.
! Reconvene class after all students have completed the practice and discuss the results of the practice.


Lesson: Configuring DNS Zones
This section describes the instructional methods for teaching this lesson.

How DNS Data Is Stored and Maintained
! Define resource record, zone, and zone file.
! Describe how DNS data is stored and maintained by referring to the slide.
• Only briefly describe resource records and zones; these two topics will be covered in depth later in this lesson.

What Are Resource Records and Record Types?
! Define resource record set.
! Explain the purpose of resource records.
! Describe the resource types.
! Provide an example of a resource record and record types.
• For example, you could create different types of resource records for the Demo.com zone.
! Provide an example of a resource record set.

What Is a DNS Zone?
! Explain the purpose of a DNS zone.
! Discuss the characteristics of a DNS zone.
! Provide examples of DNS zones, by referring to the illustration in the slide.
! Demonstrate how to create a DNS zone.

Practice: Configuring a DNS Zone
! Direct the students to practice configuring a DNS zone.
! Reconvene class after all students have completed the practice and discuss the results of the practice.

What Are DNS Zone Types?
! Explain that there are four DNS zone types: primary, secondary, stub, and Active Directory® directory service integrated.
! Explain the purpose of DNS zone types.
! Explain what a primary zone is and when it is beneficial to use a primary zone.
! Explain what a secondary zone is and when it is beneficial to use a secondary zone.

What Are Stub Zones?
! Define stub zone.
! Describe how stub zones work.
! Discuss the difference between stub zones and conditional forwarding.

What Are Forward and Reverse Lookup Zones?
! Explain the purpose of DNS forward and reverse lookup zones.
! Explain what a forward lookup and a forward lookup zone are.
! Explain what a reverse lookup and a reverse lookup zone are.
! Provide an example of a forward lookup zone and a reverse lookup zone by referring to the illustration in the slide.


Why Use Reverse Lookup Zones?
! Explain when reverse lookups are used.
! Provide examples of when reverse lookups are used.

What Is Delegation of a DNS Zone?
! Define zone delegation.
! Explain why delegation is used.
! Explain the delegation process.
! Explain how delegation allows for Internet name resolution.

Guidelines for Configuring DNS Zones
! Discuss the problems with having more than one primary zone for the same domain name.
! Discuss using secondary zones for fault tolerance and load balancing.
! Explain when to use split DNS.
! Use the build slide to discuss DNS zone configuration. As you move through each part of the build slide, discuss the reasons for choosing each type of DNS zone configuration.

Practice: Configuring Reverse Lookup Zones and Zone Delegation
! Direct the students to practice configuring reverse lookup zones and zone delegation.
! Reconvene class after all students have completed the practice and discuss the results of the practice.

Lesson: Configuring DNS Zone Transfers
This section describes the instructional methods for teaching this lesson.

How DNS Zone Transfers Work
! Explain that there are two types of DNS zone transfers: full and incremental.
! Define primary DNS server, secondary server, master server, DNS zone transfer, full zone transfer (AXFR) and incremental zone transfer (IXFR).
! Explain the purpose of a DNS zone transfer.
! Describe the DNS zone transfer process by referring to the illustration in the slide.
• This topic has a detailed animated slide, so be sure to review the slide prior to class.

How Incremental Zone Transfers Work
! Explain the incremental zone transfer process.
! Highlight instances in which AXFR is used instead of IXFR.
! Explain that Microsoft Windows NT® version 4.0 does not support IXFR.

How DNS Notify Works
! Define DNS notify and notify list.
! Explain the purpose of DNS notify.
! Describe the process of DNS notify, by referring to the illustration in the slide.
• This topic has a detailed animated slide, so be sure to review the slide prior to class.


How to Secure Zone Transfers
! Explain how to restrict zone transfers to other servers.
! Explain that you can use Internet Protocol Security (IPSec) or virtual private networks (VPNs) to secure zone transfers.
! Briefly explain that using Microsoft Active Directory integrated zones can further secure a zone. This topic will be covered in greater detail in the next module.

Practice: Configuring DNS Zone Transfers
! Direct the students to read the scenario.
! Direct the students to practice configuring DNS zone transfers.
! Reconvene class after all students have completed the practice and discuss the results of the practice.

Lesson: Configuring a DNS Client
This section describes the instructional methods for teaching this lesson.

How Preferred and Alternate DNS Servers Work
! Define preferred DNS server and alternate DNS server.
! Explain the purpose of preferred and alternate DNS servers.
! Describe the process of contacting preferred and alternate servers by referring to the illustration in the slide.

How Suffixes Are Applied
! Explain the Suffix Selection option by referring to the illustration in the slide.
! Explain the connection-specific suffix by referring to the illustration in the slide.
! Describe how suffixes are applied.
! Explain the purpose of configuring suffixes.

Practice: Configuring a DNS Client
! Direct the students to practice configuring a DNS client.
! Reconvene class after all students have completed the practice and discuss the results of the practice.

Lab: Resolving Host Names by Using DNS
Remind the students that they can review the module for assistance in completing the lab. Tell students that a detailed answer key for each lab is provided in the Labdocs folder on the Student Materials CD.

In preparation for the lab, consider drawing a diagram on the whiteboard that shows each of the computers used in the lab. Include the IP addresses in the diagram.

As students finish the lab, use the diagram to discuss how the students configured name resolution. For each task in the lab, discuss how the name resolution configuration was modified, or how the names were resolved.


Overview

Introduction
A network solution needs to include Domain Name System (DNS) to provide name resolution services. An important factor in connecting components is the resolution of the host names to Internet Protocol (IP) addresses. In this module, you will learn how to resolve host names by using DNS.

Objectives
After completing this module, you will be able to:

! Describe the role of DNS in the network infrastructure.
! Install the DNS Server service.
! Configure the DNS Server service.
! Configure a DNS zone.
! Configure DNS zone transfers.
! Configure a DNS client.


Multimedia: The Role of DNS in the Network Infrastructure

File location
To start the presentation The Role of DNS in the Network Infrastructure, open the Web page on the Student Materials CD, click Multimedia, and then click the title of the presentation.

Objectives
At the end of this presentation, you will be able to:

! Explain the role and benefits of DNS in the network infrastructure.
! Define the key components of DNS.
! Discuss the DNS domain namespace.
! Discuss DNS zones and zone transfer.
! Discuss DNS name servers.
! Explain how the host name resolution process works.
! Explain forward lookup queries.

Key points
! DNS is a distributed database system that can serve as the foundation for name resolution in an IP network.
! DNS is used by most internetworking software (such as electronic mail programs and Web browsers) to locate servers and to resolve, or map, a user-friendly name of a computer to its IP address.
! The domain namespace provides the structure of a DNS distributed database.
! Domains can be organized into zones, which are discrete and contiguous areas of the domain namespace.
! The name-to-IP address data for all computers located in a zone is stored in a zone database file on a DNS name server.


Lesson: Installing the DNS Server Service

Introduction
The first step in preparing to resolve host names is to install the DNS Server service.

Lesson objectives
After completing this lesson, you will be able to:

! Explain the purpose and basics of DNS.
! Explain what a domain namespace is.
! Explain the standards for DNS naming.
! Install the DNS Server service.


Overview of Domain Name System

Introduction
DNS is a name resolution service. DNS resolves human-friendly addresses (such as www.microsoft.com) into IP addresses (such as 192.168.0.1).

Definition
Domain Name System (DNS) is a hierarchical distributed database that contains mappings of DNS host names to IP addresses. DNS enables user access to Internet resources through easy-to-remember alphanumeric host names. DNS maps the alphanumeric host name to the numeric IP address. DNS also enables the system discovery of network services, such as e-mail servers and domain controllers in the Microsoft® Active Directory® directory service.

Purpose of DNS
DNS is the foundation of the Internet naming scheme, and it is also the foundation of an organization’s Active Directory domain-naming scheme. Without DNS, you would have to locate the IP addresses of resources to access those resources. Because resource IP addresses can change, it would be difficult to maintain an accurate list of IP addresses and matching resources. DNS allows users to focus on alphanumeric names, which remain relatively constant in an organization, rather than on IP addresses.

With DNS, the host names reside in a database that can be distributed among multiple servers, decreasing the load on any one server and providing the ability to administer this naming system on a per-domain name basis. DNS supports hierarchical names and allows registration of various data types in addition to the host name-to-IP address mapping that is used in the Hosts files. Because the DNS database is distributed, its size is unlimited, and performance does not degrade much when servers are added.


InterNIC
The conceptual naming system on which DNS is based is a hierarchical and logical tree structure called the domain namespace. The Internet Network Information Center (InterNIC) manages the root, or highest level, of the domain namespace.

InterNIC is responsible for delegating administrative responsibility for portions of the domain namespace, and also for registering domain names. Domain names are managed through the use of a distributed database system of name information stored on name servers, which are located throughout the network. Each name server has database files that contain recorded information for a selected region within the domain tree hierarchy.

Note
For more information about InterNIC, go to the InterNIC Web site at http://www.internic.net.

History of DNS
DNS began in the early days of the Internet, when the Internet was a small network that the United States Department of Defense established for research purposes. The host names of the computers in this network were managed by the use of a single Hosts file that was located on a centrally administered server. Each site that needed to resolve host names on the network downloaded this file.

As the Internet and the number of hosts grew, the burden of maintaining and distributing the Hosts file became unsupportable. A new system was needed to make this process manageable. The new Domain Name System was implemented and is still in use today. DNS features scalability, decentralized administration, and support for various data types.

DNS was introduced in 1984.


What Is a Domain Namespace?

Introduction
A DNS namespace includes the root domain, top-level domains, second-level domains, and (possibly) subdomains. The DNS namespace allows display names of resources to be organized in a logical structure. The hierarchical structure of the DNS namespace simplifies organizing and locating resources.

Domain namespace
The domain namespace is a hierarchical naming tree that DNS uses to identify and locate a given host in a given domain relative to the root of the tree.

The names in the DNS database establish a logical tree structure called the domain namespace. The domain name identifies a domain’s position in the name tree relative to its parent domain. In the context of using and administering a DNS service, the domain namespace refers to any domain name tree structure in its entirety, from the root of the tree to the bottom-level branches of the tree. The tree must fit the accepted conventions for representing DNS naming. The principal convention is simply this: for each domain level, a period (.) is used to separate each subdomain descendent from its parent-level domain.

Domain
A domain, in DNS, is any tree or subtree within the overall domain namespace. Although the names for DNS domains are used to name Active Directory domains, they are not the same as and should not be confused with Active Directory domains.

Root domain
The root domain is the root node of the DNS tree. It is unnamed (null). It is sometimes represented in DNS names by a trailing period (.) to designate that the name is at the root, or highest level, of the domain hierarchy. All DNS names end with a hidden trailing period and therefore are part of the root domain.

Top-level domain
The top-level domain is the trailing (rightmost) portion of a domain name. Usually a top-level domain is stated as a two- or three-character name code that identifies either organizational or geographical status for the domain name. In the example www.microsoft.com, “.com” is the top-level domain name portion of the domain namespace. The .com top-level domain name denotes a business or commercial organization. Other examples of top-level domain names include .org, .ca, .gov, and .tv.

Note
An internal corporate namespace, such as an Active Directory forest, does not have to end in a valid top-level domain. For internal purposes, you can use the domain corp.example.local or another namespace that is not recognized on the Internet.

Second-level domain
A second-level domain name is a unique name of varying length that InterNIC formally registers to an individual or organization that connects to the Internet. In the example of www.microsoft.com, the second-level name is the “.microsoft” portion of the domain name, which InterNIC registers and assigns to Microsoft Corporation.

Subdomain
In addition to a second-level name that is registered with InterNIC, a large organization can choose to further subdivide its registered domain name by adding subdivisions or departments that are each represented by a separate name portion. Examples of subdomain names are as follows:

! sales.microsoft.com
! finance.microsoft.com
! corp.example.local

Fully qualified domain name
A fully qualified domain name (FQDN) is a DNS domain name that has been stated unambiguously for the purpose of indicating with absolute certainty its location in the domain namespace tree. Together, the DNS namespace and the host name make up the FQDN.

Example
The illustration in the slide shows the DNS namespace for a company that is Internet-connected.

The root domain and first-tier domains .net, .com, and .org represent the Internet namespace: the portion of the namespace under the administrative control of the InterNIC (the Internet governing body).

The second-tier domain nwtraders, and its subdomains west, south, east, and sales, all represent the private namespace under administrative control of the company Northwind Traders.

The FQDN for the host Server1, server1.sales.south.nwtraders.com., tells you exactly where this host resides in the namespace relative to the root of the namespace.
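The tiers described above can be read off any name mechanically, because a name's position in the tree is just the chain of domains from the root down to it. The following Python functions are an added example, not code from the courseware: labels_of, canonical_fqdn, ancestors, tier_of and describe are names chosen here. The code also handles the two edge cases the text mentions in passing, the unnamed root written as a lone period and the implicit trailing period on every name, and rejects empty labels such as "a..b" instead of silently dropping them.

```python
from typing import Dict, List


def labels_of(name: str) -> List[str]:
    """Split a DNS name into labels, leftmost (most specific) first.

    A trailing period names the root explicitly; it is optional on input
    because every DNS name is implicitly rooted. Empty labels ("a..b") are
    rejected rather than silently dropped.
    """
    body = name[:-1] if name.endswith(".") else name
    if body == "":
        return []                       # the root domain itself
    labels = body.split(".")
    if any(label == "" for label in labels):
        raise ValueError(f"empty label in {name!r}")
    return labels


def canonical_fqdn(name: str) -> str:
    """Rewrite a name with the explicit trailing period that marks the root."""
    labels = labels_of(name)
    return "." if not labels else ".".join(labels) + "."


def ancestors(name: str) -> List[str]:
    """All domains on the path from the root down to the name itself.

    This is the name's position in the tree: root, top-level domain,
    second-level domain, each subdomain in turn, and finally the name.
    """
    labels = labels_of(name)
    path = ["."]
    for depth in range(1, len(labels) + 1):
        path.append(".".join(labels[-depth:]) + ".")
    return path


def tier_of(name: str) -> str:
    """Classify a name by its depth below the root."""
    depth = len(labels_of(name))
    if depth == 0:
        return "root domain"
    if depth == 1:
        return "top-level domain"
    if depth == 2:
        return "second-level domain"
    # Below the second level a label may name a subdomain or a host; the
    # name alone cannot tell them apart, only the zone data can.
    return "subdomain or host"


def describe(name: str) -> Dict[str, object]:
    """Break a name into the tiers named in the text."""
    labels = labels_of(name)
    return {
        "fqdn": canonical_fqdn(name),
        "top_level": labels[-1] if len(labels) >= 1 else None,
        "second_level": labels[-2] if len(labels) >= 2 else None,
        "subdomains": labels[1:-2] if len(labels) >= 3 else [],  # innermost first
        "leftmost": labels[0] if len(labels) >= 3 else None,     # host or deepest subdomain
        "tier": tier_of(name),
    }


if __name__ == "__main__":
    for n in (".", "com", "nwtraders.com", "server1.sales.south.nwtraders.com."):
        print(n, describe(n))
        print("   path from root:", " > ".join(ancestors(n)))
```

One thing no parser can decide is whether the leftmost label of server1.sales.south.nwtraders.com. names a host or yet another subdomain; sales.microsoft.com is listed above as a subdomain, yet it has the same shape as a host name. That depends on the zone data, which is why describe() reports the label as leftmost rather than as host.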


Standards for DNS Naming

*****************************ILLEGAL FOR NON-TRAINER USE******************************

DNS naming standards are designed to support the consistent implementation of DNS. DNS naming standards are the global rules, so no matter who implements DNS, their implementation can interoperate with other DNS implementations.

DNS naming standards allow a limited subset of the ASCII character set for DNS. Request for Comments (RFC) 1123 specifies the following characters as valid for DNS names:

! A through Z

! a through z

! 0 through 9

! Hyphen (-)

All invalid characters are replaced by hyphens. For example, if you use an underscore in the computer name, it will be replaced by a hyphen.

Although DNS servers running Microsoft Windows® 2000 and later include support for extended ASCII and Unicode characters, it is strongly recommended that DNS names be limited to the characters specified in RFC 1123.

The underscore (_) character is reserved for special purposes in Service Locator SRV records. For more information, see RFC 2782, "A DNS RR for Specifying the Location of Services (DNS SRV)."
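The following Python script is an added illustration and is not part of the course material: it applies the RFC 1123 character rule above to individual labels and to whole names, replaces invalid characters with hyphens as the text describes, and treats labels that begin with an underscore as the SRV special case. The sample names, and the label length and hyphen-placement checks (which come from the RFCs rather than from the module text), are assumptions added here.

```python
# Added example (not from the course): checking and sanitizing DNS names
# against the RFC 1123 character set listed above.

# The characters RFC 1123 allows in a host name label: A-Z, a-z, 0-9 and hyphen.
RFC1123_CHARS = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-"
)


def is_rfc1123_label(label: str) -> bool:
    """True if the label uses only RFC 1123 characters.

    The length limit (1 to 63 characters) and the rule that a label may not
    begin or end with a hyphen are not stated in the module text; they come
    from RFC 1123 / RFC 952 and are included here as an assumption.
    """
    if not 1 <= len(label) <= 63:
        return False
    if label.startswith("-") or label.endswith("-"):
        return False
    return all(ch in RFC1123_CHARS for ch in label)


def sanitize_label(label: str) -> str:
    """Replace every character outside the RFC 1123 set with a hyphen.

    This is the substitution the module describes for computer names: an
    underscore, as in 'file_server', becomes a hyphen ('file-server').
    """
    return "".join(ch if ch in RFC1123_CHARS else "-" for ch in label)


def check_fqdn(name: str, allow_srv: bool = False) -> list[str]:
    """Return a list of problems with a dotted DNS name (empty means clean).

    Labels that begin with an underscore are reported unless allow_srv is
    True, because underscore is reserved for SRV record owner names such as
    _ldap._tcp.<domain> (RFC 2782).
    """
    problems = []
    for label in name.rstrip(".").split("."):
        if label.startswith("_"):
            if allow_srv and is_rfc1123_label(label[1:]):
                continue  # SRV service/protocol label, e.g. _ldap or _tcp
            problems.append(
                f"{label!r}: leading underscore is reserved for SRV record names"
            )
        elif not is_rfc1123_label(label):
            bad = sorted({ch for ch in label if ch not in RFC1123_CHARS})
            detail = (f"invalid characters {bad}" if bad
                      else "bad length or hyphen placement")
            problems.append(f"{label!r}: {detail}")
    return problems


if __name__ == "__main__":
    # Sample names constructed for this example.
    for candidate in ("server1.sales.south.nwtraders.com.",
                      "file_server.contoso.msft",
                      "_ldap._tcp.contoso.msft"):
        print(candidate, check_fqdn(candidate, allow_srv=True) or "OK")
    print(sanitize_label("file_server"))  # file-server
```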



Practice: Installing the DNS Server Service


In this practice, you will install the DNS Server service.

Ensure that the DEN-DC1 and DEN-SRV2 virtual machines are started.

! Install the DNS Server service

1. Log on to DEN-SRV2 as Contoso\Administrator, with the password Pa$$w0rd.

2. Click Start, point to Control Panel, and then click Add or Remove Programs.

3. Click Add/Remove Windows Components.

4. In the Windows Component Wizard, select Networking Services and then click Details.

5. Select Domain Name System (DNS) and then click OK.

6. Click Next.

7. Click Finish to complete the installation.

8. Close the Add or Remove Programs window.



Lesson: Configuring the DNS Server Service


A DNS solution comprises the DNS server, DNS clients, and resources that are referenced by the resource records in DNS. After you install the DNS Server service, the next step is to properly configure the DNS server for your environment.

After completing this lesson, you will be able to:

! List the components of a DNS solution.

! Explain what a DNS query is.

! Explain how recursive queries work.

! Explain how iterative queries work.

! Explain how forwarders work.

! Explain how conditional forwarding works.

! Explain how root hints work.

! Explain how DNS server caching works.

! List the best practices for configuring DNS.

! Configure the properties for the DNS Server service.



What Are the Components of a DNS Solution?


The components of a DNS solution are described in the following table.

Component: DNS server

• A computer running the DNS Server service.

• May host a namespace or portion of a namespace (domain).

• May be authoritative for a namespace or domain.

• Resolves the name resolution requests that DNS clients submit (DNS client = resolver).

Component: DNS client

• A computer running the DNS Client service. The DNS Client service is fully integrated in the TCP/IP implementation of all Microsoft operating systems.

Component: DNS resource records

• Entries in the DNS database that map host names to resources.

For the purposes of this course, the name server is referred to as a DNS server.



What Is a DNS Query?


A query is a request for name resolution that is sent to a DNS server. There are two types of queries: recursive and iterative.

Recursive and iterative queries will be covered later in this lesson.

The primary purpose of a DNS solution is to allow users to access resources by using alphanumeric names. A DNS query is a request sent by the DNS client resolver to the DNS server for the IP address of the supplied name. The DNS query is the way the service or application obtains the resource IP address and enables user access.

DNS clients and DNS servers both initiate queries for name resolution. A client system may issue a query to a DNS server, and that DNS server may then issue queries to other DNS servers to resolve requests on behalf of the client.

A DNS server can be either authoritative or nonauthoritative for the namespace of the query. A DNS server is authoritative when it hosts a primary or secondary copy of a DNS zone.

If the DNS server is authoritative for the namespace of the query, the DNS server will check the zone and then will do one of the following:

! Return the requested address

! Return an authoritative "No"



If the local DNS server is nonauthoritative for the namespace of the query, the DNS server will do one of the following:

! Check its cache and return a cached response.

! Forward the unresolvable query to a specific server called a forwarder.

! Use well-known addresses of multiple root servers to attempt to find an authoritative DNS server to resolve the query. This process is also called root hints.

Forwarders and root hints are discussed later in this lesson.



How Recursive Queries Work


A recursive query is a query made to a DNS server, in which the DNS client asks the DNS server to provide a complete answer to the query. The only acceptable response to a recursive query is either the full answer or a reply that the name cannot be resolved.

A recursive query sent from the DNS client expects the DNS server to search its sources for a resolution of the host name to the IP address. The DNS client requires a full response and does not accept referrals to other DNS servers.

Recursive queries can be initiated either by a DNS client or by a DNS server that is configured for forwarders. A recursive query puts the burden of delivering a final answer on the queried server.

The answer to a recursive query will always be either positive or negative, yielding one of the following responses:

! The requested data

! An error stating that data of the requested type does not exist

! A response stating that the name specified does not exist

The following steps describe how a recursive query from a client to that client's configured DNS server works:

1. The client sends a recursive query to the local DNS server.

2. The local DNS server enumerates its zones to see if it is authoritative for the domain name and checks its cache for an answer to the query.

3. If the answer to the query is found, the DNS server returns the answer to the client.

4. If an answer is not found, the DNS server may use alternate means of resolving the name, such as issuing a recursive query to another DNS server that it has been configured to use as a forwarder or issuing an iterative query to a root server.



In the illustration in the slide, the DNS client asks the DNS server for the IP address of the supplied display name. The DNS client then accepts the response from the DNS server.

The DNS client, using the DNS resolver service, sends a DNS query to the DNS server for the IP address of Mail1.contoso.msft. The DNS server checks the cache to locate the record. If the cache does not contain the record, the DNS server locates the authoritative DNS server for the Contoso.msft domain. If the DNS server is authoritative for the domain, it searches the zone for the resource record. If the record exists, the server returns the IP address for the queried record. If the record does not exist, the DNS server informs the client that the record was not found.



How Iterative Queries Work


An iterative query is a query made to a DNS server in which the DNS client requests the best answer that the DNS server can provide without seeking further help from other DNS servers. Iterative queries are also sometimes called nonrecursive queries. The result of an iterative query is often a referral to another DNS server lower in the DNS tree. A referral would not be an acceptable response to a recursive query.

Iterative queries allow a DNS server to locate an authoritative DNS server through the DNS hierarchy in response to a client's request. The DNS server may query DNS servers at different levels in the domain namespace to eventually locate the authoritative DNS server.

A DNS server typically makes an iterative query to other DNS servers after it has received a recursive query from a client. In an iterative query, the queried name server returns the best answer it currently has to the requester. Answers to iterative queries can be:

! Positive answers.

! Negative answers.

! Referrals to other servers.

One local DNS server usually issues iterative queries to another DNS server elsewhere in the namespace while trying to resolve a name query on behalf of a client.

A referral is a list of target name servers that a DNS server receives from another DNS server when querying a root server or a link in the DNS namespace. The referral information is cached on the DNS server for a time period specified in the DNS configuration.



If the queried DNS server has no exact match for the query, the best possible information it can return is a referral. A referral points to a DNS server that is authoritative for a lower level of the domain namespace.

The DNS client, on the local DNS server, can then query the referred DNS server. This process continues until the local DNS server locates an authoritative DNS server for the queried name or until an error occurs or a time-out condition is met.

Recursion is a DNS server function in which one DNS server issues a series of iterative queries to other DNS servers while responding to a recursive query that a DNS client issues.

The queried DNS servers return referrals, which the querying server follows until it receives a definitive answer. Recursion always ends when a server that owns the namespace gives either a positive or a negative reply.

In the illustration in the slide, the local DNS server has failed to resolve the requested name by using cached data and is not authoritative for the domain. So it begins the process of locating the authoritative DNS server by querying additional DNS servers. To locate the authoritative DNS server for the domain, the DNS server resolves the FQDN from the root to the host by using iterative queries. The following example illustrates this process, as shown in the illustration:

1. The local DNS server receives a recursive query from a DNS client. For example: The local DNS server receives a recursive query from Computer1 for Mail1.nwtraders.com.

2. The local DNS server sends an iterative query to the root server to obtain an authoritative name server.

3. The root server responds with a referral to a DNS server closer to the submitted domain name. For example: The root server responds with a referral to the DNS server for .com.

4. The local DNS server makes an iterative query to the DNS server that is closer to the submitted domain name. For example: The local DNS server makes an iterative query to the DNS server for .com.

5. The process continues until the local DNS server receives an authoritative response. For example: The DNS server for .com responds with a referral to the DNS server for Nwtraders.com. Next, the local DNS server sends an iterative query to the DNS server for Nwtraders.com to obtain an authoritative name from the authoritative name server. The local DNS server then receives an authoritative response from the DNS server for Nwtraders.com.

6. The response is sent to the DNS client. For example: The local DNS server sends this authoritative response to Computer1, which can then connect to Mail1.nwtraders.com by using the appropriate IP address.
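The following Python model is an added illustration, not part of the course material: it builds a small root / .com / nwtraders.com hierarchy and walks steps 1 through 6 above, where the local server issues one iterative query per referral until it reaches an authoritative reply. The server names and addresses are constructed for the example and do not correspond to real root or .com servers.

```python
# Added example (not from the course): a small model of the walk described in
# steps 1-6 above. Server names and addresses are constructed for the example.
from dataclasses import dataclass, field


@dataclass
class Answer:
    """Authoritative positive answer: the name and its address."""
    name: str
    address: str


@dataclass
class Referral:
    """Best information a non-authoritative server can give: the zone it is
    delegating and the names of the servers authoritative for it."""
    zone: str
    servers: list


@dataclass
class NameServer:
    """One server in the hierarchy.

    records:     names this server is authoritative for (name -> address)
    delegations: child zones it refers queries to (zone -> server names)
    """
    name: str
    records: dict = field(default_factory=dict)
    delegations: dict = field(default_factory=dict)

    def iterative_query(self, qname: str):
        """Return the best the server has without asking anyone else:
        an Answer, a Referral lower in the tree, or None (negative)."""
        if qname in self.records:
            return Answer(qname, self.records[qname])
        best = None
        for zone in self.delegations:
            if qname == zone or qname.endswith("." + zone):
                if best is None or len(zone) > len(best):
                    best = zone  # longest matching delegated zone
        if best is not None:
            return Referral(best, self.delegations[best])
        return None


def recursive_resolve(qname: str, root_hints: list, directory: dict,
                      max_hops: int = 10):
    """Recursion as the module describes it: start at a root server from the
    root hints, follow each referral with a new iterative query, and stop at
    an authoritative positive or negative reply.

    Returns (address or None, list of servers queried in order).
    """
    qname = qname.lower().rstrip(".")
    next_servers = list(root_hints)
    path = []
    for _ in range(max_hops):
        server = directory[next_servers[0]]
        path.append(server.name)
        result = server.iterative_query(qname)
        if isinstance(result, Answer):
            return result.address, path
        if result is None:
            return None, path  # authoritative "no such name"
        next_servers = result.servers
    raise RuntimeError("too many referrals; possible delegation loop")


# Constructed hierarchy: root -> .com -> nwtraders.com, as in the slide.
DIRECTORY = {
    "root.example": NameServer("root.example",
                               delegations={"com": ["gtld.example"]}),
    "gtld.example": NameServer("gtld.example",
                               delegations={"nwtraders.com": ["ns1.nwtraders.com"]}),
    "ns1.nwtraders.com": NameServer("ns1.nwtraders.com",
                                    records={"mail1.nwtraders.com": "192.0.2.25"}),
}
ROOT_HINTS = ["root.example"]

if __name__ == "__main__":
    print(recursive_resolve("Mail1.nwtraders.com", ROOT_HINTS, DIRECTORY))
```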



How Forwarders Work


A forwarder is a DNS server to which other internal DNS servers are configured to forward queries. Forwarders can help other DNS servers resolve external or offsite DNS domain names.

When a DNS name server receives a query, it attempts to locate the requested information within its own zone files. If this attempt fails, either because the server is not authoritative for the domain requested or because it does not have the record cached from a previous lookup, the server must communicate with other name servers to resolve the request. On a globally connected network like the Internet, DNS queries that are outside a local zone may require interaction with DNS name servers across wide area network (WAN) links outside of the organization. Creating DNS forwarders is a way to designate specific name servers for WAN-based DNS traffic responsibility.

Specific DNS name servers can be selected to be forwarders. These servers will resolve DNS queries on behalf of other DNS servers.

In the illustration in the slide, the local DNS server has failed to resolve the requested name by using its zone files and cached data, so it forwards the request to the forwarder (another DNS server). The forwarder then attempts to resolve the name. The forwarder may respond immediately if it is authoritative for the zone, it may forward the request to another DNS server that is configured as a forwarder, or it may issue an iterative query to one of the root servers to try to find an authoritative DNS server.



A name server can use a forwarder in the following ways:

! If the DNS server is configured to use recursion and the forwarder is unable to resolve the query, the DNS server that received the original query can issue iterative queries to root servers to resolve the name.

! If the DNS server is configured not to use recursion and the forwarder is unable to resolve the request, the DNS server that received the original query will not issue iterative queries to root servers to resolve the name. These DNS servers make no attempt to resolve the query on their own if the forwarder is unable to satisfy the request.

DNS servers may be configured with the IP address of one or more forwarders. If a DNS server is configured to use more than one forwarder, the request will be forwarded to the first server in the list. If the query is answered authoritatively by the first forwarder, the response is passed back to the client, and the name resolution process ends. If the first forwarder fails to successfully resolve the request, the DNS server can forward the request to another forwarder. This process will continue until a forwarder successfully resolves the query or the list of configured forwarders is exhausted. After all forwarders have been queried, root hints may be used.



How Conditional Forwarding Works


Conditional forwarding allows a DNS server to forward requests to other DNS servers using a specific domain name. This type of forwarding improves conventional forwarding by adding a second condition to the forwarding process.

In standard forwarding, if a DNS server is unable to resolve the name locally, it forwards all requests to its configured forwarder. This process may be unsuitable in an environment that has multiple domain names that are hosted on multiple DNS servers.

Conditional forwarding adds another layer of logic to the forwarding process, allowing a DNS server to selectively forward requests to other DNS servers using a domain name condition. When you configure conditional forwarding, you can configure the DNS servers to forward requests to DNS servers that are authoritative for specific domains.

A DNS server can be configured with multiple conditional forwarders for different domain names.

As illustrated in the slide, if the client computer issues a query to its local DNS server for www.contoso.msft, the process is as follows:

1. The local DNS server enumerates its zones to search for a zone for Contoso.msft.

2. The local DNS server checks its cache to see if the name has recently been resolved.

3. Because the local DNS server is configured with a conditional forwarder for Contoso.msft, the server issues a recursive query to the Contoso.msft DNS server to resolve the name www.contoso.msft.



If the client computer issues a query to the local DNS server for www.microsoft.com, the process is as follows:

1. The local DNS server enumerates its zones to search for a zone for Microsoft.com.

2. The local DNS server checks its cache to see if the name has recently been resolved.

3. The local DNS server issues a recursive query to the Internet service provider (ISP) DNS server to resolve the name www.microsoft.com.

If your internal network has no private root and your users need access to other namespaces, such as domain names belonging to a partner company, use conditional forwarding to enable servers to query for names in other namespaces. Conditional forwarding in Microsoft Windows Server 2003 DNS may eliminate the need for secondary zones by configuring DNS servers to forward queries to different servers based on the domain name condition.



How Root Hints Work


Root hints are DNS resource records stored on a DNS server that list the IP addresses for the DNS root servers.

When the DNS server receives a DNS query, it checks the cache to see if the name has recently been resolved. If the name is not in the cache, the DNS server attempts to locate the authoritative DNS server for the queried domain. If the DNS server does not have the IP address of the authoritative DNS server for that domain, and if the DNS server is configured with the root hints IP addresses, the DNS server will query a root server for a list of name servers that are authoritative for the appropriate top-level domain.

The DNS root server then returns the IP address of the authoritative name servers for the appropriate top-level domain. The DNS server continues along the FQDN until it locates a name server that is authoritative for the domain name.

Root hints are stored in the file Cache.dns, which is located in the %Systemroot%\System32\Dns folder.

Under normal circumstances, root hints list the IP addresses for the DNS root servers that InterNIC maintains on the Internet. Root hints can also point to a local DNS server. If the root hints point to a local server, the only names that will be available for resolution are those to which the local DNS server can refer (normally local addresses only). This configuration, limiting resolution to local domains, is sometimes used for security purposes. This configuration may also be implemented in environments where clients do not need to resolve Internet names directly. An example would be users who connect to the Internet through a proxy server.

You can configure an internal DNS server to host the root zone by creating a zone named ".". A server hosting a root zone will be unable to use forwarders or other root hints to resolve names.



How DNS Server Caching Works


DNS caching provides faster query responses and reduces DNS network traffic. By caching DNS responses, the DNS server can resolve future queries for recently resolved records from the cache. Caching greatly reduces response time and eliminates the network traffic caused by sending the query out to another DNS server.

When a server is processing a recursive query, it might be required to send out several queries to find the definitive answer. In a worst-case scenario for resolving a name, the local name server starts at the top of the DNS tree with one of the root name servers and works its way down until the requested data is found.

The server caches all of the information that it receives during this process and deletes it after a specified time. The unit of measurement for this specified period is seconds, and the period is referred to as Time to Live (TTL). The server administrator for the primary zone that contains the data decides on the TTL for the data. Smaller TTL values help ensure that information about the domain is consistent across the network, in the event that this data changes often. However, a smaller TTL increases the load on the name servers that contain the name, and it also increases Internet traffic. Because data is cached, changes made in resource records might not be immediately available to the entire Internet.

After a DNS server caches data, the TTL starts to count down so that the DNS server can determine when to delete the data from its cache. When the DNS server answers a query by using its cached data, it includes the remaining TTL for the data. The client's resolver then caches this data and uses the TTL that the server sends.



Whereas all DNS name servers cache queries that they have resolved, caching-only servers are DNS name servers whose only job is to perform queries, cache the answers, and return the results. They are not authoritative for any domains, and they contain only information that they have cached while resolving queries. Caching-only servers have no primary or secondary zones.

A DNS server running Windows Server 2003 in its initial installation configuration has no zones. With the help of root hints, it becomes a caching-only server in its initial state.

To view the DNS cache on a Windows Server 2003 DNS server, you need to enable the Advanced view option in the DNS console. In the DNS console, click the View menu and then click Advanced. In the DNS console tree, a cached lookup node will appear.

The DNS client resolver also caches resolved host-to-IP-address mapping data. The DNS client first checks the local cache before contacting the DNS server. DNS clients can also perform negative caching.

For more information about the DNS client resolver, see Module 3, "Resolving Names," in Course 2277, Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure: Network Services.

In the illustration in the slide, you can see that the first time Client1 sends a query for ServerA.contoso.msft, the DNS server must use iterative queries to locate the resource. When the authoritative response is sent to the local DNS server, the DNS server caches the resource with a TTL value. (The TTL is provided by the authoritative DNS server that supplies the response.) The DNS client also caches the record in its local DNS resolver cache by using the TTL that the DNS server provides.

When Client2 queries for ServerA.contoso.msft, the DNS server can respond from the cached response for this resource, provided that the data is still in the cache. This means that the DNS server can respond faster to the query because the local DNS server does not have to query DNS servers outside the organization. This eliminates the network traffic that would be required to resolve the query if it had not been in the cache. DNS caching is also beneficial in a scenario where a branch office has a slow connection to a main office. Over time, the DNS server in the branch office will accumulate a cache of DNS entries.
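The following Python model is an added illustration, not part of the course material: it replays the Client1/Client2 scenario above against a simulated clock, showing the TTL counting down, the remaining TTL being handed to the second client, and the entry being purged and re-resolved once the TTL reaches zero. The name, address, TTL value and clock are constructed for the example.

```python
# Added example (not from the course): a caching model that mirrors the
# Client1/Client2 scenario above. Names, addresses and TTLs are constructed.


class FakeClock:
    """Simulated clock so the TTL countdown can be stepped deterministically."""

    def __init__(self) -> None:
        self.now = 0

    def advance(self, seconds: int) -> None:
        self.now += seconds


class DnsCache:
    """Cache keyed by name. Each entry expires when its TTL (seconds) has
    counted down; a hit returns the *remaining* TTL, which is what a server
    passes on so a client never keeps data past the authoritative TTL."""

    def __init__(self, clock: FakeClock) -> None:
        self._clock = clock
        self._entries = {}  # name -> (address, expires_at)

    def put(self, name: str, address: str, ttl: int) -> None:
        self._entries[name.lower()] = (address, self._clock.now + ttl)

    def get(self, name: str):
        entry = self._entries.get(name.lower())
        if entry is None:
            return None
        address, expires_at = entry
        remaining = expires_at - self._clock.now
        if remaining <= 0:
            del self._entries[name.lower()]  # TTL reached zero: purge
            return None
        return address, remaining


class CachingServer:
    """Local DNS server: answers from cache when it can, otherwise resolves
    via the authoritative source (standing in for the iterative queries)
    and caches the result with the TTL the authoritative server supplied."""

    def __init__(self, clock: FakeClock, authoritative: dict) -> None:
        self.cache = DnsCache(clock)
        self.authoritative = authoritative  # name -> (address, ttl)
        self.upstream_queries = 0           # traffic leaving the organization

    def query(self, name: str):
        """Return (address, ttl_to_give_client, source)."""
        hit = self.cache.get(name)
        if hit is not None:
            address, remaining = hit
            return address, remaining, "cache"
        self.upstream_queries += 1
        address, ttl = self.authoritative[name.lower()]
        self.cache.put(name, address, ttl)
        return address, ttl, "authoritative"


# Constructed authoritative data: ServerA with a one-hour TTL.
AUTHORITATIVE = {"servera.contoso.msft": ("192.0.2.40", 3600)}


def branch_office_scenario():
    """Client1 at t=0, Client2 ten minutes later, a third client after expiry.
    Returns the three responses and the number of upstream queries made."""
    clock = FakeClock()
    server = CachingServer(clock, AUTHORITATIVE)
    first = server.query("ServerA.contoso.msft")   # miss: iterative resolution
    clock.advance(600)
    second = server.query("servera.contoso.msft")  # hit: remaining TTL 3000
    clock.advance(3000)
    third = server.query("ServerA.contoso.msft")   # expired: resolve again
    return first, second, third, server.upstream_queries


if __name__ == "__main__":
    print(branch_office_scenario())
```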



Demonstration: Configuring the DNS Server Service



Best Practices for Configuring DNS


When configuring your DNS environment, consider the following best practices:

! Use a central forwarder for Internet name resolution. In an environment that includes many DNS servers, it may be beneficial to configure your DNS servers to forward requests to a central forwarder. This central forwarder can be configured to use the root hints to resolve queries for Internet-based hosts. The advantage of this configuration is that the central forwarder will be able to amass a large cache. It can in turn respond more quickly to resolution requests, reducing the need to generate traffic over the Internet WAN links for previously cached lookups. This configuration can also help increase security by allowing only one system to perform DNS queries on the Internet.

! Use conditional forwarders if you have multiple internal namespaces. If you have multiple DNS servers internally hosting different domain names, link the name servers together by using conditional forwarding. This ensures that name requests from internal DNS servers are forwarded to appropriate name servers without attempting to use name servers on the Internet.

! Consider disabling recursion for specific domains. If you use a central forwarder, you may want to select the option Do not use recursion for this domain on the Forwarders tab on all other DNS servers. If a DNS server forwards a request to a central forwarder and receives a negative response, it may use root hints to attempt to resolve the name on the Internet. If the central forwarder has already attempted to do this, the result is the same. By disabling recursion for the domains, you rely on the central forwarder as the only server to resolve Internet names, thus reducing unnecessary name resolution queries over your Internet WAN links.



You can also disable recursion on the Advanced tab of the DNS server properties. If you enable this option, the server will not use recursion or forwarders to resolve DNS names. If you enable this option, the DNS server will not be able to resolve Internet host names.
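The following Python model is an added illustration, not part of the course material, and covers both the forwarder behavior and conditional forwarding described earlier in this lesson and the best practices above: a local server that has already missed in its zones and cache picks a conditional forwarder by longest matching domain, otherwise tries the general forwarder list in order, and falls back to root hints only when recursion is still enabled. Forwarder names, domain names, addresses and the "what each forwarder knows" tables are constructed, and the no-recursion switch is simplified to one flag for the whole server.

```python
# Added example (not from the course): a model of the forwarding order the
# module describes. Forwarder names, domains and addresses are constructed.
from typing import Dict, List, Optional, Tuple

# Each forwarder is modelled by the table of names it can resolve
# (in reality it would recurse on our behalf; here a lookup stands in).
Table = Dict[str, str]


class ForwardingServer:
    """A local DNS server that has already failed to answer from its own
    zones and cache, deciding where to send the query next."""

    def __init__(self, forwarders: Dict[str, Table], forwarder_order: List[str],
                 conditional: Dict[str, List[str]], root_hints: Table,
                 use_recursion: bool = True):
        self.forwarders = forwarders            # forwarder name -> what it knows
        self.forwarder_order = forwarder_order  # general list, tried in order
        self.conditional = conditional          # domain -> forwarders for it
        self.root_hints = root_hints            # stands in for iterative resolution
        self.use_recursion = use_recursion      # False = "Do not use recursion"

    def _candidates(self, qname: str) -> Tuple[Optional[str], List[str]]:
        """Conditional forwarders win when the query falls under one of their
        domains (longest match); otherwise use the general forwarder list."""
        best = None
        for domain in self.conditional:
            if qname == domain or qname.endswith("." + domain):
                if best is None or len(domain) > len(best):
                    best = domain
        if best is not None:
            return best, self.conditional[best]
        return None, self.forwarder_order

    def resolve(self, qname: str) -> Tuple[Optional[str], List[str]]:
        """Return (address or None, trace of each step taken)."""
        qname = qname.lower().rstrip(".")
        domain, candidates = self._candidates(qname)
        trace = [f"conditional:{domain}" if domain else "forwarders"]
        for name in candidates:
            trace.append(f"forward:{name}")
            address = self.forwarders[name].get(qname)
            if address is not None:
                return address, trace
        # Every forwarder failed. Only a server that still uses recursion
        # falls back to root hints; a "slave" server gives up here.
        if not self.use_recursion:
            trace.append("no-recursion:give-up")
            return None, trace
        trace.append("root-hints")
        return self.root_hints.get(qname), trace


# Constructed environment: an internal Contoso server reachable only through
# conditional forwarding, two ISP forwarders, and a root-hints fallback.
FORWARDERS = {
    "contoso-dns": {"www.contoso.msft": "192.0.2.10"},
    "isp-dns-1": {},
    "isp-dns-2": {"www.nwtraders.com": "192.0.2.20"},
}
ROOT_HINTS = {"ftp.nwtraders.com": "192.0.2.30"}


def make_server(use_recursion: bool = True) -> ForwardingServer:
    return ForwardingServer(FORWARDERS, ["isp-dns-1", "isp-dns-2"],
                            {"contoso.msft": ["contoso-dns"]}, ROOT_HINTS,
                            use_recursion)


if __name__ == "__main__":
    for name in ("www.contoso.msft", "www.nwtraders.com", "ftp.nwtraders.com"):
        print(name, make_server().resolve(name))
    print("slave:", make_server(use_recursion=False).resolve("ftp.nwtraders.com"))
```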



Practice: Configuring Properties for the DNS Server Service


In this practice, you will configure a DNS server to use a forwarder.

Ensure that the DEN-DC1 and DEN-SRV2 virtual machines are started.

! Prepare for this practice

1. If necessary, log on to DEN-SRV2 as Contoso\Administrator, with a password of Pa$$w0rd.

2. Click Start, point to Control Panel, point to Network Connections, and then click Local Area Connection.

3. Click Properties.

4. Select Internet Protocol (TCP/IP) and then click Properties.

5. In the Preferred DNS Server field, enter the value 10.10.0.11 (the IP address of DEN-SRV2) and then click OK.

6. Click Close and then click Close again.

! Configure DEN-SRV2 to use a forwarder

1. On DEN-SRV2, click Start, point to All Programs, point to Accessories, and then click Command Prompt.

2. At the command prompt, type ipconfig /flushdns and then press ENTER.

3. Type ping den-dc1.contoso.msft and then press ENTER. Was DEN-DC1.contoso.msft successfully resolved to an IP address? No



4. Click Start, point to Administrative Tools, and then click DNS.

5. In the console tree, click DEN-SRV2, click the Action menu, and then click Properties.

6. Click the Forwarders tab.

7. In the Selected domain's forwarder IP address list field, type 10.10.0.2 (the IP address of DEN-DC1), click Add, and then click OK.

8. At the command prompt, type ipconfig /flushdns and then press ENTER.

9. Type ping den-dc1.contoso.msft and then press ENTER. Was DEN-DC1.contoso.msft successfully resolved to an IP address? Yes

10. Close all open windows.


Lesson: Configuring DNS Zones


After you have created DNS zones, and when the DNS zones are populated with resource records, the DNS service will be able to support host name resolution.

After completing this lesson, you will be able to:

! Describe how data is stored and maintained.

! Explain what resource records and record types are.

! Explain what a DNS zone is.

! Configure a DNS zone.

! Explain what DNS zone types are.

! Explain what a stub zone is.

! Explain what forward lookup zones and reverse lookup zones are.

! Explain why reverse lookup zones are used.

! Explain what delegation of a DNS zone is.

! Explain the guidelines for configuring DNS zones.

! Configure forward lookup zones and reverse lookup zones.


How DNS Data Is Stored and Maintained


Resource records (RR) are contained within a DNS database. Each resource record identifies a particular resource within the DNS database, such as a name server, mail server, or host.

A zone is a portion of the DNS database that contains the resource records that belong to the contiguous portion of the DNS namespace.

A zone file is the file on the DNS server�s local hard drive that contains all of the configuration information for a zone and the resource records contained therein.

After you have installed the DNS Server service and configured the properties of the DNS service, you are ready to complete the DNS service configuration by adding host name�to�IP address mappings. These mappings are referred to as resource records in DNS. There are many types of resource records. Which resource records you store in your DNS will depend on your DNS needs.

Before you can add resource records, you must configure a DNS structure to hold them. In DNS, the containers for these records are called zones. A zone stores the zone properties and the resource records, either in a zone file on the server's disk or, for Active Directory integrated zones, in the Active Directory database.

After you have created DNS zones, and when the DNS zones are populated with resource records, the DNS service will be able to support host name resolution for a portion of the DNS namespace.


What Are Resource Records and Record Types?


Clients can directly query or indirectly query for resource records. Examples of the use of DNS resource records include the following:

! When a user enters a URL in a Web browser, a forward lookup query is sent to a DNS server.

! When a user logs on to a computer in a domain, the logon process locates a domain controller by querying a DNS server.

Different record types represent different types of data stored within the DNS database. The following list describes the most common record types, with an example for each. The resource records used in the examples are shown in the preceding slide.

Host (A)

• An A record represents a computer or device on the network.

• A records are the most common and most frequently used DNS records.

• An A record resolves a host name to an IP address.

Example: Web1.nwtraders.msft resolves to 10.10.0.51

Pointer (PTR)

• A PTR record is used to find the DNS name that corresponds to an IP address.

• PTR records are found only in reverse lookup zones.

• A PTR record resolves an IP address to a host name.

Example: 10.10.0.51 resolves to Web1.nwtraders.msft

Start of Authority (SOA)

• An SOA record is the first record in any zone file.

• An SOA record identifies the primary DNS name server for the zone.

• An SOA record identifies the e-mail address of the administrator in charge of the zone.

• An SOA record specifies the information required for replication (the serial number, the refresh interval, the retry interval, and the expiry value for the zone).

• An SOA record resolves from a domain name (the zone name, which is the same as the parent folder in DNS Manager) to the host name of the primary server.

Example: NWTraders.msft resolves to den-dc1.contoso.msft

Service Locator (SRV)

• An SRV record indicates a network service that a host offers. Its owner name has the form _service._protocol.domain.

• SRV records are used in an Active Directory environment to locate domain controllers.

• An SRV record resolves from a service name to a host name and port.

Example: _ldap._tcp.nwtraders.msft resolves to den-dc1.nwtraders.msft, port 389

Name Server (NS)

• An NS record facilitates delegation by identifying the DNS servers for each zone.

• NS records appear in all forward and reverse lookup zones.

• Whenever a DNS server needs to send a query to a delegated domain, it refers to the NS records for the DNS servers of the target zone.

• An NS record resolves from a domain name (the zone name, which is the same as the parent folder in DNS Manager) to a host name.

Example: NWTraders.msft resolves to den-dc1.contoso.msft

Mail Exchanger (MX)

• An MX record indicates the presence of a Simple Mail Transfer Protocol (SMTP) e-mail server.

• An MX record resolves to a host name.

• A mail server priority (preference) can be set when multiple MX records exist for a zone; the record with the lowest value is tried first.

Example: Mail server for NWTraders.msft resolves to Mail.nwtraders.msft

Alias (CNAME)

• A CNAME record is a host name that refers to another host name.

• A CNAME record resolves from a host name to another host name.

• Multiple CNAME records can all point to the same A record. If you need to update the IP address, you update only the A record.

Example: www.nwtraders.msft resolves to Web1.nwtraders.msft
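As an added illustration of the record types listed above (example code written for this page, not part of the course materials), the following Python parses a small zone written in the standard master-file format and answers lookups the way a resolver does, including following the CNAME for www to its A record and refusing to chase a CNAME loop forever. The zone contents, the serial number, and the 10.10.0.x addresses for the mail host and the domain controller are assumptions made for the example.

```python
from collections import defaultdict

# Constructed zone for nwtraders.msft in RFC 1035 master-file format. Names and
# addresses are example data chosen for this illustration, not the course's lab files.
ZONE_TEXT = """
$ORIGIN nwtraders.msft.
$TTL 3600
@          IN SOA   den-dc1 hostmaster 2024010101 900 600 86400 3600
@          IN NS    den-dc1
@          IN MX 10 mail
den-dc1    IN A     10.10.0.2
mail       IN A     10.10.0.25
web1       IN A     10.10.0.51
www        IN CNAME web1
_ldap._tcp IN SRV 0 100 389 den-dc1
"""


def fqdn(name, origin):
    """Expand a master-file name: '@' is the origin, a name without a trailing dot is relative."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text):
    """Return {owner_fqdn: [(rtype, rdata_tuple), ...]} for the record types used in the lesson."""
    origin = None
    records = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1].lower()
            continue
        if fields[0] == "$TTL":                   # TTL does not affect name resolution here
            continue
        if origin is None:
            raise ValueError("record before $ORIGIN")
        owner = fqdn(fields[0], origin)
        rest = fields[2:] if fields[1].upper() == "IN" else fields[1:]   # class is optional
        rtype, rdata = rest[0].upper(), rest[1:]
        if rtype == "A":
            value = (rdata[0],)
        elif rtype in ("NS", "CNAME", "PTR"):
            value = (fqdn(rdata[0], origin),)
        elif rtype == "MX":                       # preference, exchanger
            value = (int(rdata[0]), fqdn(rdata[1], origin))
        elif rtype == "SRV":                      # priority, weight, port, target
            value = (int(rdata[0]), int(rdata[1]), int(rdata[2]), fqdn(rdata[3], origin))
        elif rtype == "SOA":                      # mname, rname, serial, refresh, retry, expire, minimum
            value = (fqdn(rdata[0], origin), fqdn(rdata[1], origin)) + tuple(int(x) for x in rdata[2:7])
        else:
            raise ValueError(f"unsupported record type {rtype}")
        records[owner].append((rtype, value))
    return dict(records)


def lookup(records, name, rtype, max_chain=8):
    """Answer name/rtype the way a resolver does: follow CNAMEs, and give up on a loop."""
    name = name.lower().rstrip(".") + "."
    chain = []                                     # CNAME owners visited on the way to the answer
    for _ in range(max_chain):
        rrs = records.get(name, [])
        answers = [value for t, value in rrs if t == rtype]
        if answers:
            return chain, answers
        cnames = [value[0] for t, value in rrs if t == "CNAME"]
        if not cnames:
            return chain, []                       # no data, or no such name
        chain.append(name)
        name = cnames[0]
    raise ValueError("CNAME chain too long; probably a loop")
```

A query for www.nwtraders.msft returns the A record of web1 together with the CNAME owner that was followed, which is exactly what the CNAME row above describes: only the A record has to change when the address changes.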


What Is a DNS Zone?


A zone can hold the resource records for one or more contiguous domain names, connected by a direct parent-child relationship.

A zone is also the physical representative of a DNS domain or domains. For example, if you have a DNS domain namespace of North.contoso.msft, you could create a zone on a DNS server called North.contoso.msft. This zone would contain all resource records for the North.contoso.msft domain as well as for the Training subdomain.

DNS allows a DNS namespace to be divided into zones. For each DNS domain name included in a zone, the zone becomes the authoritative source for information about that domain.

Zone files are maintained on DNS servers. You can configure a single DNS server to host zero, one, or multiple zones. Characteristics of a zone include the following:

! A zone is a collection of resource records for a contiguous portion of the DNS namespace.

! Zone data is maintained on a DNS server and is stored in one of two ways:

• As a flat zone file containing lists of mappings

• In an Active Directory database

! A DNS server is authoritative for a zone if it hosts that zone's resource records and can answer queries for names in the zone directly from its own zone data, rather than from its cache or by asking another server.

A DNS zone is:

! A primary, secondary, or stub zone type. ! Either a forward or a reverse lookup zone.


Note: Zone types and lookup zones are covered in detail later in this lesson.

Example: Three zones are highlighted in the illustration in the slide:

! North.contoso.msft

! Sales.north.contoso.msft

! Support.north.contoso.msft

The first zone (North.contoso.msft) is authoritative for two contiguous domains (North.contoso.msft and Training.north.contoso.msft), whereas the other two zones (Sales.north.contoso.msft and Support.north.contoso.msft) each represent a single domain.

Page 48: Module 4: Resolving Host Names by Using Domain Name System

36 Module 4: Resolving Host Names by Using Domain Name System

Practice: Configuring a DNS Zone


In this practice, you will:

! Create a forward lookup zone.

! Create resource records.

Ensure that the DEN-DC1 and DEN-SRV2 virtual machines are started.

! Create a forward lookup zone

1. If necessary, log on to DEN-SRV2 as Contoso\Administrator, with a password of Pa$$w0rd.

2. Click Start, point to Administrative Tools, and then click DNS.

3. In the console tree, right-click DEN-SRV2 and then click New Zone.

4. On the New Zone Wizard page, click Next.

5. Ensure that Primary Zone is selected and then click Next.

6. Ensure that Forward Lookup Zone is selected and then click Next.

7. In the Zone Name field, type nwtraders.msft and then click Next.

8. In the Create a new file with this file name field, ensure that nwtraders.msft.dns is entered and then click Next.

9. Click Next and then click Finish.

! Create resource records

1. In the console tree, expand DEN-SRV2, expand Forward Lookup Zones, and then click nwtraders.msft.

2. In the console tree, right-click nwtraders.msft and then click New Host (A)...

3. In the Name field, type NW-SRV11.

4. In the IP address field, type 192.168.1.10, click Add Host, click OK, and then click Done.

5. In the console tree, right-click nwtraders.msft, and then click New Alias (CNAME)...

6. In the Alias name field, type www.

7. In the Fully qualified domain name (FQDN) for target host field, type NW-SRV11.nwtraders.msft and then click OK.

8. Click Start, point to All Programs, point to Accessories, and then click Command Prompt.

9. At the command prompt, type ping www.nwtraders.msft and then press ENTER. What name and IP address was www.nwtraders.msft resolved to? NW-SRV11.nwtraders.msft, 192.168.1.10

10. Close all open windows.

! Prepare for the next practice

1. Ensure that the DEN-DC1 and DEN-SRV2 virtual machines are started.

2. Start the DEN-SRV1 virtual machine.


What Are DNS Zone Types?


When you configure a DNS server, you can configure it either with several zone types or with none at all. Zone configuration varies, depending on the network role assigned to the DNS server.

There are numerous options for optimal configuration of the DNS server, based on decisions made about such things as the network topology and the size of the namespace. Normal DNS server operation involves three zone types: primary, secondary, and stub.

By using different zones, you can configure your DNS solution to best meet your needs. For example, it is recommended that you configure a primary zone and a secondary zone on separate DNS servers, to provide fault tolerance to reduce the impact of a possible server failure. You can configure a stub zone to provide referrals for zones maintained on separate DNS servers.

A primary zone is the authoritative copy of the DNS zone, in which resource records are created and managed. It is a writable copy of the zone.

When setting up DNS servers to host zones for a domain, the server hosting the primary zone is normally centrally located, where it will be accessible for administering and updating the zone file.

A secondary zone is a read-only copy of a DNS zone. Its records cannot be modified directly on the server that hosts it; they change only when the zone is updated by a zone transfer from its master server.

Secondary zones are normally configured for fault tolerance and load balancing of client requests. Multiple secondary servers might be configured at other locations so that the records from the zone can be resolved without the query crossing WAN links.


Stub zones are copies of a zone that contain only the resource records that are necessary to identify the authoritative DNS servers for that zone. A stub zone contains a subset of the zone data: the SOA record, the NS records, and the A records (glue records) for the zone's name servers. A stub zone is like a bookmark that points to the DNS servers that are authoritative for that zone.

Active Directory integrated zones store DNS data in the Active Directory database rather than in a standard zone file. Storing zones in this manner allows an administrator to take advantage of the Active Directory replication topology to manage zone replication and also provides additional security benefits, such as secure dynamic updates (record changes are accepted only from authenticated computers) and access control lists on the zone data.

Note: Active Directory integrated zones are covered in detail in Module 5, "Integrating Domain Name System and Active Directory," in Course 2277, Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure: Network Services.


What Are Stub Zones?


Stub zones provide DNS servers with information on how to resolve names for nonauthoritative zones. Stub zones contain only enough information to allow a DNS server to determine which DNS server to contact to resolve names for a given domain name.

A stub zone is a copy of a zone that contains only the resource records necessary to identify the authoritative DNS servers for the zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate structure requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces. This situation might occur during corporate mergers or reorganizations.

When you create a stub zone, you must specify a master server. This server is used for the initial replication of the zone information. After the initial replication, a stub zone consists of:

! The start of authority (SOA) resource record, name server (NS) resource records, and host (A) resource records for the name servers in the delegated zone.

! The IP address of one or more master servers that can be used to update the stub zone.

After the initial replication, the stub zone is updated automatically through zone replication. This means that a DNS server hosting a stub zone can automatically be updated with information about name servers. For instance, in the example illustrated in the slide, if a new name server were added to the Contoso.msft zone on DEN-SRV1, the information about the new name server would be replicated to MTL-SRV2.


Important: Stub zones are updated through zone transfers. This means that the master DNS server must be configured to allow zone transfers to the server that is hosting the stub zone. More information on zone transfers is presented later in this module.

Information from the stub zone is used by a DNS server during the recursion process. For example, if a client queried MTL-SRV2 for www.contoso.msft, MTL-SRV2 would:

! Check its zones to determine whether it has zone information for Contoso.msft, and find the stub zone.

! Use the NS and glue records in the stub zone to issue an iterative query to either DEN-SRV1 or DEN-SRV2, the authoritative servers for Contoso.msft.

Both the stub zone and the conditional forwarder provide the DNS server with a more efficient means of resolving names for nonauthoritative zones. Stub zones have an advantage over conditional forwarders because the name server information is dynamic and can reflect changes that occur within the network, such as newly added name servers or servers changing their IP addresses. Stub zones are well suited for internal name resolution in environments where there is a distributed naming hierarchy or where multiple domain names are hosted on multiple internal servers.

Note: Zone transfers use Transmission Control Protocol (TCP) port 53, whereas ordinary DNS queries use User Datagram Protocol (UDP) port 53. (This includes DNS servers issuing queries to forwarders.) Many organizations block TCP port 53 to their DNS servers from the Internet to reduce their overall attack surface. Keep in mind that a resolver also retries over TCP when a UDP response is truncated because it is too large for a single datagram, so such a block affects those queries as well, and that a stub zone needs TCP reachability to its master while a conditional forwarder needs only UDP.

Conditional forwarders use recursive queries to resolve names. The list of conditional forwarders is static and must be updated manually to reflect changes in the DNS environment. However, conditional forwarders do not perform zone replication to receive information. Conditional forwarders may be well suited to organizations that need to resolve names hosted in partner organizations, such as through an extranet.


What Are Forward and Reverse Lookup Zones?


You can store a mapping as either a host name�to�IP address mapping in a forward lookup zone or an IP address�to�host name mapping in a reverse lookup zone. You can choose the type of mapping that you need for a zone, depending on how you want your clients and services to query resource records.

In DNS, a forward lookup is a query process that attempts to resolve a host name to an IP address.

In DNS Manager, forward lookup zones are based on DNS domain names and typically hold host (A) resource records.

In DNS, a reverse lookup is a query process that attempts to resolve an IP address to a host name.

In DNS Manager, reverse lookup zones are based on the in-addr.arpa domain name and typically hold pointer (PTR) resource records.

Client1 sends a query for the IP address for Client2.training.nwtraders.msft. The DNS server searches its forward lookup zone (Training.nwtraders.msft) for the IP address that is associated with the host name and returns the IP address to Client1.

Client1 sends a query for the host name for 192.168.2.46. The DNS server searches its reverse lookup zone (2.168.192.in-addr.arpa) for the host name that is associated with the IP address and returns the host name to Client1.


Why Use Reverse Lookup Zones?


Reverse lookup zones allow clients to convert IP addresses into host names. Although most clients issue forward lookup queries, reverse lookups are used by various applications to display user-friendly host names in place of IP addresses. They can also be used by some application servers for security verification.

Example uses of reverse lookup:

Some network management applications that monitor network devices such as switches and routers collect data that travels over the network. They can generate reports on this traffic and may display IP addresses. Often these applications can be configured to perform reverse lookups on the collected IP address information so that an administrator can view the display names associated with the IP addresses.

Internet Information Services (IIS) is a Web server component that can be installed on Windows Server 2003. IIS provides a variety of ways to grant users access to resources such as Web sites and Web applications. IIS can use domain name restriction to grant or reject access to content. In IIS you can specify a domain name suffix for allowed computers; when a host attempts a connection, IIS performs a reverse lookup on the client's IP address to identify the associated FQDN. If there is a domain name match, the user is granted access. Bear in mind that a reverse lookup proves only what the owner of the reverse zone for that address chose to publish in the PTR record; it does not by itself prove that the client belongs to that domain. A stronger check also performs a forward lookup of the returned name and confirms that it resolves back to the connecting IP address.

Note: For more information on installing and configuring security for IIS, consult Windows Server 2003 Help and Support documentation.

Note: You can test reverse lookups on your network by using the ping command. At the command prompt, type ping -a <IP address> to perform a reverse lookup on an IP address.
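As an added example (written for this page, not part of the course), the Python below shows how the PTR owner name is derived from an address, how a reverse lookup zone name such as 2.168.192.in-addr.arpa is derived from a network, and why a domain-name restriction should confirm the PTR result with a forward lookup before trusting it. The forward and reverse zone data, the second PTR record that has no matching A record, and the function names are assumptions constructed for the illustration.

```python
import ipaddress

# Constructed forward and reverse lookup zone data standing in for a DNS server's
# database (example records; not the course's lab files).
FORWARD_ZONES = {
    "training.nwtraders.msft": {
        "client2.training.nwtraders.msft": ["192.168.2.46"],
        "web1.training.nwtraders.msft": ["192.168.2.10"],
    },
}
REVERSE_ZONES = {
    "2.168.192.in-addr.arpa": {
        "46.2.168.192.in-addr.arpa": "client2.training.nwtraders.msft",
        # A PTR that whoever controls this reverse zone could publish; no A record points back.
        "47.2.168.192.in-addr.arpa": "client2.training.nwtraders.msft",
    },
}


def reverse_name(ip):
    """Owner name of the PTR record for an IPv4 address (octets reversed under in-addr.arpa)."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def reverse_zone_for_network(cidr):
    """Name of the reverse lookup zone for an octet-aligned IPv4 network, e.g. 192.168.2.0/24."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("prefix must be /8, /16 or /24; classless ranges need RFC 2317 delegation")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_lookup(ip):
    """Reverse lookup: find the zone that covers the address, then its PTR record."""
    name = reverse_name(ip)
    for zone, rrs in REVERSE_ZONES.items():
        if name.endswith("." + zone):
            return rrs.get(name)
    return None


def a_lookup(host):
    """Forward lookup: A records for a host, or [] if the name is unknown."""
    host = host.lower().rstrip(".")
    for zone, rrs in FORWARD_ZONES.items():
        if host == zone or host.endswith("." + zone):
            return rrs.get(host, [])
    return []


def forward_confirmed_reverse(ip):
    """Return the PTR name only if one of that name's own A records points back at ip."""
    name = ptr_lookup(ip)
    if name is not None and ip in a_lookup(name):
        return name
    return None


def allowed_by_domain_suffix(ip, suffix):
    """Domain-name restriction as IIS applies it, hardened with forward confirmation."""
    name = forward_confirmed_reverse(ip)
    return name is not None and name.endswith("." + suffix.lower().lstrip("."))
```

With this data, 192.168.2.46 passes the nwtraders.msft restriction because its PTR name resolves back to the same address, while 192.168.2.47 is rejected even though its PTR record claims the same name: the forward lookup does not confirm it.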


What Is Delegation of a DNS Zone?


DNS provides the option of dividing the namespace into one or more zones, which can then be stored, distributed, and replicated to other DNS servers. Assigning responsibility for a subdomain to a separate zone, hosted on other DNS servers, is referred to as delegation.

When a DNS server is configured with a zone, it assumes responsibility for resolving all names within that namespace, including names of subdomains. In some environments it may be beneficial to distribute name resolution across multiple name servers.

When deciding whether to divide your DNS namespace to make additional zones, consider the following reasons for using additional zones:

! A need to delegate management of part of your DNS namespace to another location or department within your organization

! A need to divide one large zone into smaller zones for distributing traffic loads among multiple servers, improving DNS name resolution performance, or creating a more fault-tolerant DNS environment

The delegation process involves two major steps. First, you must create a zone for the subdomain on the DNS server that will host it. Second, on the server that hosts the parent zone, you must add a delegation: NS records for the subdomain that name the DNS servers maintaining the subdomain's naming information, together with host (A) glue records for any of those servers whose own names lie within the subdomain.


Examples of delegation: Without delegation, the DNS server for Contoso.msft assumes responsibility for resolving all names that end with contoso.msft. If a client were to request a lookup for the name Mtl-srv3.sales.contoso.msft, the Contoso.msft DNS server would answer the query authoritatively with a name error and would not attempt to resolve the name outside of its zone, even though it has no specific information for Mtl-srv3.sales.contoso.msft.

With delegation, the DNS server for Contoso.msft is configured so that it is no longer authoritative for the Training.contoso.msft and Sales.contoso.msft zones. If a client were to request a lookup for Mtl-srv3.sales.contoso.msft, the DNS server would contact one of the DNS servers for the sales subdomain to attempt name resolution.

Delegation and the Internet: Delegation is used on the Internet to distribute name resolution across many servers, allowing for delegated administration and distribution of traffic over multiple servers. Without delegation, Internet name resolution would be slow at best.

Internet root servers are configured to host the root (".") zone. This zone represents all names ending with the hidden trailing period. This means that root servers should be able to resolve all names on the Internet. Hosting all names on the Internet would cause the zones on the root servers to become unmanageably large. Instead of maintaining information for all hosts on the Internet, the root servers use delegation to partition the database. Requests for names ending in .com, .edu, .org, .ca, and other suffixes are delegated to many other top-level DNS servers. When a company such as Microsoft registers its domain name, Microsoft.com, with Internet authorities, a delegation is created on the .com name servers to point to the Microsoft.com name servers. Once this process is done, Microsoft can manage its own namespace.

Note: Internally, you can host a stub zone for the child domain on the DNS server that hosts the parent zone to keep the delegation information current. As name servers are added or removed in the subdomain, the server hosting the parent zone is updated automatically through zone transfer rather than by manual edits to the delegation records.
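An added example (not from the course) that walks a query through the delegation described above, from the point of view of a resolving server that starts at the parent zone's server. The addresses 10.20.0.1 and 10.20.0.3, the name MTL-SRV1 for the sales name server, and the record data are assumptions; the authoritative data of both servers is constructed inline, and the same lookup is repeated against a copy with the delegation removed to show the authoritative name error.

```python
import copy

# Constructed authoritative data for two DNS servers, keyed by server IP address
# (example data; not the course's lab files). Each server hosts {zone: {owner: [(type, rdata)]}}.
SERVERS = {
    "10.10.0.2": {                                   # DEN-DC1 hosts the parent zone
        "contoso.msft.": {
            "contoso.msft.": [("NS", "den-dc1.contoso.msft.")],
            "den-dc1.contoso.msft.": [("A", "10.10.0.2")],
            "sales.contoso.msft.": [("NS", "mtl-srv1.sales.contoso.msft.")],   # delegation
            "mtl-srv1.sales.contoso.msft.": [("A", "10.20.0.1")],             # glue
        },
    },
    "10.20.0.1": {                                   # MTL-SRV1 hosts the delegated zone
        "sales.contoso.msft.": {
            "sales.contoso.msft.": [("NS", "mtl-srv1.sales.contoso.msft.")],
            "mtl-srv1.sales.contoso.msft.": [("A", "10.20.0.1")],
            "mtl-srv3.sales.contoso.msft.": [("A", "10.20.0.3")],
        },
    },
}


def closest_zone(zones, qname):
    """Longest zone name on this server that contains qname, or None."""
    matches = [z for z in zones if qname == z or qname.endswith("." + z)]
    return max(matches, key=len) if matches else None


def answer(server_ip, qname, qtype, servers=SERVERS):
    """One authoritative server's reply: ('answer', rdata), ('referral', [(ns, glue)]),
    ('nxdomain', None) for an authoritative name error, or ('refused', None)."""
    zones = servers[server_ip]
    zone = closest_zone(zones, qname)
    if zone is None:
        return ("refused", None)
    rrs = zones[zone]
    # Look for a zone cut (NS records below the apex) between the apex and qname, topmost first.
    labels = qname[: -(len(zone) + 1)].split(".") if qname != zone else []
    for i in range(len(labels) - 1, -1, -1):
        cut = ".".join(labels[i:]) + "." + zone
        ns_names = [rd for t, rd in rrs.get(cut, []) if t == "NS"]
        if ns_names:
            glue = [next((rd for t, rd in rrs.get(n, []) if t == "A"), None) for n in ns_names]
            return ("referral", list(zip(ns_names, glue)))
    data = [rd for t, rd in rrs.get(qname, []) if t == qtype]
    return ("answer", data) if data else ("nxdomain", None)


def resolve(qname, qtype, start_ip, servers=SERVERS, max_hops=8):
    """Resolving server's view: start at start_ip and follow referrals until an answer or an error."""
    qname = qname.lower().rstrip(".") + "."
    trail, ip = [], start_ip
    for _ in range(max_hops):
        kind, data = answer(ip, qname, qtype, servers)
        trail.append((ip, kind))
        if kind != "referral":
            return kind, data, trail
        ns_name, glue_ip = data[0]
        if glue_ip is None:
            raise ValueError(f"no glue for {ns_name}; it would have to be resolved separately first")
        ip = glue_ip
    raise ValueError("referral loop or chain too long")


def without_delegation(servers=SERVERS):
    """Copy of the data with the sales delegation (NS and glue) removed from the parent zone."""
    copied = copy.deepcopy(servers)
    parent = copied["10.10.0.2"]["contoso.msft."]
    del parent["sales.contoso.msft."]
    del parent["mtl-srv1.sales.contoso.msft."]
    return copied
```

The trail returned by resolve records that the parent server answered with a referral and the sales server answered authoritatively; against the copy without the delegation, the parent server answers the same query with an authoritative name error and the resolver stops there.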


Guidelines for Configuring DNS Zones


! Limit internal domain names to one primary zone. Primary zones contain a writable copy of the zone database. Having multiple primary zones for the same domain name may result in inconsistent name resolution. Because there is no simple way to synchronize two primary zones, multiple zones per domain name require additional administrative overhead to keep information updated.

! Use secondary zones for fault tolerance. Secondary zones contain a replica of the information from a primary zone. If the server hosting the primary zone is unavailable, clients can contact the server hosting the secondary zone for name resolution requests.

! Use secondary zones for load balancing. Secondary zones can be implemented at locations across your WAN. Clients can be configured to use a local server hosting a secondary zone to resolve internal names, thus reducing the burden on the server hosting the primary zone. Additionally, this infrastructure results in less name resolution traffic over WAN links.

! Use split DNS for external resources. Many organizations use the same domain name for internally accessible resources (file servers, database servers, and so on) and external resources (public Web sites, SMTP servers, and so on). Exposing your internal zone information (such as the IP addresses of your domain controllers) to the Internet may present a security risk. Additionally, much of the zone information is unusable to Internet-based hosts because firewall and other security measures may prevent Internet hosts from directly connecting to these internal resources.

In these environments you should implement a split DNS structure. With split DNS, you configure an internal DNS server to host a primary zone. This zone contains all information about internally accessible resources. You also configure an external DNS server to host a primary zone for the same domain name. The only entries present in the external DNS server are for Internet-accessible resources, such as the address of your Web server and SMTP server. Because the two copies are independent primary zones, any change to a public record must be made on both servers, and the external server should allow zone transfers only to its own secondary servers so that the public zone cannot be read out in full by arbitrary Internet hosts.


Practice: Configuring Reverse Lookup Zones and Zone Delegation


In this practice, you will:

! Configure a reverse lookup zone.

! Configure a zone delegation.

Ensure that the DEN-DC1, DEN-SRV1, and DEN-SRV2 virtual machines are started.

! Prepare for this practice

• If necessary, log on to DEN-DC1, DEN-SRV1, and DEN-SRV2 as Contoso\Administrator, with a password of Pa$$w0rd.

! Configure a reverse lookup zone on DEN-SRV2

1. On DEN-SRV2, click Start, point to All Programs, point to Accessories, and then click Command Prompt.

2. At the command prompt, type ping -a 10.10.0.50 and then press ENTER. Was the address resolved to a name? No

3. On DEN-SRV2, click Start, point to Administrative Tools, and then click DNS.

4. In the console tree, expand DEN-SRV2 and then click Reverse Lookup Zones.

5. Right-click Reverse Lookup Zones and then click New Zone.

6. Click Next. Ensure that Primary Zone is selected and then click Next.

7. In the Network ID field, type 10.10.0 and then click Next.

8. In the Create a new file with this file name field, ensure that 0.10.10.in-addr.arpa.dns is entered and then click Next.

9. Click Next and then click Finish.

10. Expand Reverse Lookup Zones and then click 10.10.0.x Subnet.

11. In the console tree, right-click 10.10.0.x Subnet and then click New Pointer (PTR).

12. In the Host IP number field, type 50. In the Host name field, type test.contoso.msft and then click OK.

13. To flush the DNS cache, type ipconfig /flushdns at the command prompt.

14. At the command prompt, type ping -a 10.10.0.50 and then press ENTER. Was the address resolved to a name? Yes

! Configure a delegated subdomain for Dev.contoso.msft

1. On DEN-SRV1, click Start, point to Administrative Tools, and then click DNS.

2. In the console tree, click DEN-SRV1, click the Action menu, and then click New Zone.

3. On the New Zone Wizard page, click Next.

4. Ensure that Primary zone is selected and then click Next.

5. Ensure that Forward lookup zone is selected and then click Next.

6. In the Zone Name field, type dev.contoso.msft and then click Next.

7. In the Create a new file with this file name field, ensure that dev.contoso.msft.dns is entered and then click Next.

8. Click Next and then click Finish.

9. In the console tree, expand DEN-SRV1, expand Forward Lookup Zones, and then select dev.contoso.msft.

10. In the console tree, right-click dev.contoso.msft, and then click New Host (A)...

11. In the Name field, type DEN-DEVSRV1.

12. In the IP address field, type 192.168.1.11, click Add Host, click OK, and then click Done.

13. On DEN-DC1, open a command prompt, and type ping den-devsrv1.dev.contoso.msft. Did you successfully resolve the name to an IP address? No

14. On DEN-DC1, click Start, point to Administrative Tools, and then click DNS.

15. In the DNS console tree, expand DEN-DC1, expand Forward Lookup Zones, and then click Contoso.msft.

16. Right-click Contoso.msft and then click New Delegation. Click Next.

17. In the Delegated Domain field, type Dev and then click Next.

18. In the Name Servers window, click Add.

19. In the Server fully qualified domain name (FQDN) field, type DEN-srv1.contoso.msft and then click Resolve. Click OK.

20. Click Next and then click Finish.

21. At the command prompt, type ipconfig /flushdns and then press ENTER.

22. Type ping DEN-devsrv1.dev.contoso.msft and then press ENTER. Did you successfully resolve the name to an IP address? Yes

23. Close all open windows on both DEN-DC1 and DEN-SRV1.


Lesson: Configuring DNS Zone Transfers


Zone transfers are the complete or partial transfer of data in a zone from one DNS server to another DNS server hosting a zone for the same domain name. When changes are made to the primary zone on a DNS server, zone transfers can occur to update servers hosting secondary and stub zones.

After completing this lesson, you will be able to:

! Describe how DNS zone transfers work.

! Explain how incremental zone transfers work.

! Describe how DNS notify works.

! Secure zone transfers.

! Configure DNS zone transfers.


How DNS Zone Transfers Work


Introduction

There are two types of DNS zone transfers: full zone transfers (AXFR) and incremental zone transfers (IXFR).

Definitions

A primary DNS server is both the administrative location for and the master copy of a zone. The primary DNS server contains the read/write copy of the zone database and controls changes to the zone.

A secondary server is a server that maintains a read-only copy of an existing DNS zone, obtained from a master server.

A master server is a DNS server that transfers zone data to another DNS server. A master server can be either a primary DNS server or a secondary DNS server, depending on how the server obtains its zone data.

A DNS zone transfer is the synchronization of authoritative DNS data between DNS servers. A DNS server configured with a secondary zone periodically queries its master DNS servers to synchronize its zone data.

A full zone transfer is the standard query type that all DNS servers support to update and synchronize zone data when the zone has changed. When a DNS query is made by using AXFR as the specified query type, the entire zone is transferred as the response. An AXFR query is a request for a full zone transfer.

An incremental zone transfer is an alternate query type that some DNS servers use to update and synchronize zone data when a zone has changed since the last update. When both DNS servers support incremental zone transfer, the servers keep track of the changes between each version of the zone and transfer only the resource records that changed. An IXFR query is a request for an incremental zone transfer.


Zone transfers and SOA records

The start of authority (SOA) record for a zone tells servers hosting a secondary zone when to initiate replication. You can modify the SOA record to change when replication is initiated, and what the secondary server does if replication is impossible because of a network failure or a server outage. The following settings on the SOA record control replication:

! Refresh Interval: The time a server hosting a secondary zone waits before requesting a zone update. The default value is 15 minutes.

! Retry Interval: If the refresh is unsuccessful, the server hosting the secondary zone waits this interval before retrying the request. It continues to retry at this interval until an update succeeds or the Expires After interval is reached. The default value is 10 minutes.

! Expires After: How long the server hosting the secondary zone continues to consider the records in the zone reliable without a successful refresh. When this interval is reached, the server expires the zone and no longer uses the secondary zone to answer queries for that namespace. The default value is 1 day.

Purpose of a DNS zone transfer

A zone transfer ensures that the same zone information is contained on all DNS servers that host the zone. Without zone transfers, the data on the primary server would be current but the secondary DNS server would not have up-to-date zone information; the secondary server could therefore not correctly support name resolution for that zone.

Zone transfer process

Following is the process for either a full or an incremental zone transfer:

1. The secondary server for the zone waits for the period specified in the Refresh field of the SOA resource record that it obtained from the master server, and then queries the master server for the zone's SOA record.

2. The master server for the zone responds with its SOA resource record.

3. The secondary server compares the serial number returned by the master server with its own. If the master server's serial number is higher than the secondary server's serial number, the secondary server determines that its copy of the zone is out of date.

4. The secondary server then requests the transfer. If both servers support incremental zone transfers (as Windows Server 2003 and Windows 2000 do), the secondary server sends an IXFR query, which requests only the resource records that have changed since the last transfer; otherwise it sends an AXFR query to request a full zone transfer.

5. For a full zone transfer, the master server sends the entire zone database to the secondary server; for an incremental zone transfer, the master server sends only the zone data that has changed.
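The refresh, retry and expire behaviour above, as an added example that is not part of the course material: a small Python model of the state a server hosting a secondary zone keeps for that zone, using the Windows Server 2003 default intervals quoted above. Two points the text leaves implicit are made explicit in the code: it is the secondary, not the master, that issues the IXFR or AXFR, and "higher" serial number is evaluated with RFC 1982 serial-number arithmetic so that a serial which has wrapped around still counts as newer. The simulate_master_outage function and the serial values are constructed for illustration.

```python
"""Secondary-zone refresh, retry and expire behaviour driven by the SOA record.

Added example for this lesson, not code from the course. The clock is passed in
explicitly so the behaviour can be walked through without waiting real time.
All intervals are in seconds.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows Server 2003 DNS defaults for a new zone: 15 min, 10 min, 1 day.
DEFAULT_REFRESH = 15 * 60
DEFAULT_RETRY = 10 * 60
DEFAULT_EXPIRE = 24 * 60 * 60


def serial_is_newer(master_serial: int, local_serial: int) -> bool:
    """RFC 1982 comparison of two 32-bit SOA serial numbers.

    "Higher" must be evaluated in modular arithmetic: a zone whose serial has
    wrapped past 2**32 - 1 is still newer than a copy holding a large old serial.
    A plain integer comparison would stop such a zone from ever refreshing.
    """
    if master_serial == local_serial:
        return False
    return ((master_serial - local_serial) & 0xFFFFFFFF) < 0x80000000


@dataclass
class Soa:
    serial: int
    refresh: int = DEFAULT_REFRESH
    retry: int = DEFAULT_RETRY
    expire: int = DEFAULT_EXPIRE


@dataclass
class SecondaryZone:
    """State a server hosting a secondary zone keeps for that zone."""
    soa: Soa                      # SOA copied from the master at the last successful transfer
    last_success: float           # clock time of the last successful refresh or transfer
    supports_ixfr: bool = True    # Windows 2000/2003: True; Windows NT 4.0 and earlier: False
    expired: bool = False
    next_check: float = 0.0       # when the next SOA query to the master is due

    def __post_init__(self) -> None:
        self.next_check = self.last_success + self.soa.refresh

    def poll(self, now: float, master_soa: Optional[Soa]) -> str:
        """Run one refresh cycle at time `now` and return the action taken.

        `master_soa` is the SOA the master answered with, or None when the SOA
        query got no answer (network failure or server outage).
        """
        if master_soa is None:
            # Retry at the Retry Interval; keep answering from cached data until
            # the Expires After interval has passed, then stop serving the zone.
            self.next_check = now + self.soa.retry
            if now - self.last_success >= self.soa.expire:
                self.expired = True
                return "expired"
            return "retry"

        if serial_is_newer(master_soa.serial, self.soa.serial):
            # Our copy is out of date: the SECONDARY requests the transfer,
            # incrementally if both sides support IXFR, otherwise in full.
            action = "ixfr" if self.supports_ixfr else "axfr"
            self.soa = master_soa
        else:
            action = "in-sync"      # serial unchanged: nothing to transfer
        self.last_success = now
        self.expired = False
        self.next_check = now + self.soa.refresh
        return action


def simulate_master_outage(start: float = 0.0) -> List[Tuple[float, str]]:
    """Walk a default-configured secondary through an outage of its master.

    Returns (time, action) for every poll until the zone expires. With the
    defaults that is one refresh at 15 min, then retries every 10 min, and
    expiry at the first retry after 24 h without a successful refresh.
    """
    zone = SecondaryZone(Soa(serial=2005010101), last_success=start)
    log: List[Tuple[float, str]] = []
    now = zone.next_check
    while not zone.expired:
        log.append((now, zone.poll(now, None)))   # master never answers
        now = zone.next_check
    return log
```

The outage walk-through makes the operational consequence of the three intervals visible: with the defaults, a secondary that loses its master keeps answering from stale data for a full day and then goes dark for the zone, so the Expires After value is a trade-off between tolerating outages and serving stale records.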


Note: When you create a secondary zone, the DNS server performs a full zone transfer to initially populate the zone database, even if both servers support incremental transfers.

Important: By default, the DNS Server service allows zone information to be transferred only to servers that are listed in the name server (NS) resource records of the zone. This is a reasonably restrictive configuration, but note that the NS records of a zone are public information and that the check is made only on the source IP address of the request. For increased security, select the option to allow zone transfers only to a specified list of IP addresses. Allowing zone transfers to any server exposes the names and addresses in your DNS data to an attacker attempting to map your network.


How Incremental Zone Transfers Work


Introduction

Incremental zone transfers reduce zone replication traffic by transferring only the information that has changed.

How incremental zone transfers work

When a name server capable of IXFR initiates a zone transfer, it sends an IXFR message containing the SOA serial number of its copy of the zone.

A master name server that responds to IXFR requests keeps the newest version of the zone and the differences between that version and several older versions. When an IXFR request containing an older serial number is received, the master name server sends only the changes required to bring the IXFR client's version up to date. A full zone transfer is performed instead of an incremental transfer when:

! The sum of the changes is larger than the entire zone.
! For performance reasons, only a limited number of recent changes to the zone are kept on the server. If the client's serial number is older than the oldest version in the server's change history, a full zone transfer is initiated.
! The name server responding to the IXFR request does not recognize the query type. In this case the IXFR client automatically initiates an AXFR transfer instead.

Note: DNS servers running Windows 2000 Server and Windows Server 2003 support both AXFR and IXFR. DNS servers running Windows NT 4.0 Server or earlier versions support only AXFR.

Note: You can manually initiate zone transfers by using the DNS console. To manually initiate a zone transfer, right-click a secondary zone and then click Transfer from master. To force a full zone transfer, right-click the secondary zone and then click Reload from master.
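The master-side decisions listed above (bounded change history, change volume larger than the zone, and IXFR not recognized by the master), as an added example that is not part of the course material. Resource records are plain strings and the zone contents are constructed; history_limit stands in for the server's bounded change history and is a simplification for illustration, not a Windows DNS setting.

```python
"""Master-side IXFR decision logic with AXFR fallback.

Added example for this lesson, not code from the course. Resource records are
modelled as plain strings so the journal logic stays visible; a real server
compares wire-format RRs and answers with SOA-delimited delta sections.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple, Union


@dataclass
class Delta:
    """The changes that took the zone from serial `old` to serial `new`."""
    old: int
    new: int
    removed: List[str]
    added: List[str]


@dataclass
class MasterZone:
    serial: int
    records: Set[str]
    history_limit: int = 3               # only this many recent versions are kept (performance)
    journal: List[Delta] = field(default_factory=list)

    def update(self, new_serial: int, removed=(), added=()) -> None:
        """Apply a change, bump the SOA serial and record the delta."""
        self.journal.append(Delta(self.serial, new_serial, list(removed), list(added)))
        self.records.difference_update(removed)
        self.records.update(added)
        self.serial = new_serial
        del self.journal[:-self.history_limit]          # forget the oldest versions

    def answer_ixfr(self, client_serial: int) -> Tuple[str, Union[List[Delta], List[str]]]:
        """Respond to an IXFR carrying the client's current SOA serial.

        Returns ("unchanged", []), ("ixfr", deltas) or ("axfr", full_zone).
        """
        if client_serial == self.serial:
            return "unchanged", []                      # real answer: just our SOA record
        # Find the delta chain that starts at the client's version.
        start = next((i for i, d in enumerate(self.journal) if d.old == client_serial), None)
        if start is None:
            # Client is older than anything we still remember: full transfer.
            return "axfr", sorted(self.records)
        deltas = self.journal[start:]
        if sum(len(d.removed) + len(d.added) for d in deltas) > len(self.records):
            # Sending the changes would cost more than sending the whole zone.
            return "axfr", sorted(self.records)
        return "ixfr", deltas


def request_transfer(master: MasterZone, client_serial: int,
                     master_supports_ixfr: bool = True):
    """Secondary side: prefer IXFR; fall back to AXFR when the master does not
    recognise the query type (for example a Windows NT 4.0 DNS server)."""
    if not master_supports_ixfr:
        return "axfr", sorted(master.records)
    return master.answer_ixfr(client_serial)


def apply_transfer(local: Set[str], kind: str, payload) -> Set[str]:
    """Bring the secondary's copy up to date from a transfer answer."""
    if kind == "unchanged":
        return set(local)
    if kind == "axfr":
        return set(payload)
    updated = set(local)
    for d in payload:                                   # deltas, oldest first
        updated.difference_update(d.removed)
        updated.update(d.added)
    return updated


def demo() -> bool:
    """Constructed walk-through: two small edits replicate incrementally."""
    master = MasterZone(1, {"ns1 A 10.10.0.2", "www A 10.10.0.20",
                            "mail A 10.10.0.21", "ftp A 10.10.0.22"})
    secondary = set(master.records)                     # initial AXFR population
    master.update(2, added=["test A 10.10.0.50"])
    master.update(3, removed=["ftp A 10.10.0.22"])
    kind, payload = request_transfer(master, 1)
    secondary = apply_transfer(secondary, kind, payload)
    return kind == "ixfr" and secondary == master.records
```

The three fallbacks are independent: a client whose serial has fallen out of the journal gets a full transfer regardless of how small the zone is, and a bulk edit that touches more records than the zone holds gets a full transfer even when the client is only one version behind.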


How DNS Notify Works


Definitions

DNS notify is an extension to the original DNS protocol specification that permits a master server to notify secondary servers when zone changes occur.

A notify list is a list, configured on a zone, of other DNS servers that should be notified when the zone changes. The notify list that the master server maintains comprises the IP addresses of DNS servers that are configured as secondary servers for the zone. When the listed servers are notified of a change, they initiate a zone transfer with their master server to update their copy of the zone.

Purpose of DNS notify

Servers that are notified can initiate a zone transfer to obtain zone changes from their master servers and update their local replicas of the zone as changes occur. DNS notify is an improvement over relying on the SOA refresh interval alone to initiate zone transfers: with DNS notify, copies of the zone are updated as soon as unscheduled changes occur.

DNS notify helps improve consistency of zone data among secondary servers. If zone transfers occur only at fixed intervals, two situations can arise within an interval:

! No changes may have occurred to the zone, so the scheduled SOA query is wasted.
! Many minutes may pass before a zone transfer is initiated, during which the zone may undergo many changes that have not yet been transferred to the secondary DNS server.

With DNS notify, updates occur whenever changes occur.

Note: DNS servers running Windows Server 2003 or Windows 2000 Server support incremental transfers, so only the data that has changed on the master DNS server is transferred to the secondary DNS server. Using DNS notify with servers that do not support incremental zone transfers can significantly increase DNS replication traffic, because each change causes a full zone transfer.


Process of DNS notify

The following steps, illustrated in the slide, outline the DNS notify process:

1. The local zone on a primary DNS server is updated.
2. The Serial Number field in the SOA record is incremented to indicate that a new version of the zone has been written to disk.
3. The primary server sends a notify message to all servers on its notify list.
4. Each secondary server that receives the notify message responds by sending an SOA query to the notifying primary server. This query begins the zone transfer process described earlier.


How to Secure Zone Transfers


Introduction

Zone replication can occur either by means of zone transfer or as part of Active Directory replication. If you do not secure zone replication, you risk exposing the names and IP addresses of your computers to attackers. You can secure DNS zone replication by doing the following:

! Restrict zone transfers to authorized servers.
! Encrypt zone replication sent over public networks such as the Internet.
! Use Active Directory replication.

Restricting zone transfers

Zone transfers increase the load on your DNS servers and can allow unauthorized individuals to gain information about your network. You can restrict which servers are allowed to initiate zone transfers with your DNS server by configuring the Zone Transfers tab in the properties of a primary zone. Your options for controlling zone transfers are:

! Disallowing zone transfers.
! Allowing zone transfers to any server.
! Allowing zone transfers to all servers listed as name servers in the properties of the zone.
! Allowing zone transfers to a specified list of IP addresses.

Note: Some troubleshooting tools, such as the Nslookup command, can initiate zone transfers to help diagnose problems (for example, the Nslookup ls -d subcommand lists a zone by requesting a full transfer). Consider allowing zone transfers not only to authorized DNS servers but also to the computers from which management tasks are performed. You can also use Nslookup to verify a restriction: from a computer that is not on the list, the ls -d command for the zone must fail with "Query refused".


Encrypting zone replication

Zone transfer data is sent in an unencrypted format, and the DNS Server service decides whether to honor a transfer request based only on the source IP address of the requesting server. If zone transfers will be performed over a public network, such as the Internet, use Internet Protocol Security (IPSec) or a virtual private network (VPN) to authenticate and encrypt the communication between the servers.

Using Active Directory

Zone information can be stored and replicated as part of Active Directory. Active Directory replication occurs only between domain controllers in a single forest. Active Directory replication is authenticated and encrypted, so the zone data is not exposed in transit. Conventional zone transfers are still required for secondary zones and for DNS servers outside the forest.

Note: For more information on integrating DNS with Active Directory, see Module 5, "Integrating Domain Name System and Active Directory," in Course 2277, Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure: Network Services.
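The notify message and the zone transfer request on the wire, as an added example that is not part of the course material, covering both the DNS notify process described earlier and the restriction of zone transfers above. It builds the messages with the standard library only, shows the check a secondary should apply before acting on a notify (the message is for a zone it holds, and it was sent by one of that zone's configured masters), and classifies a server's first reply to an AXFR request so that an administrator can confirm from a computer that is not on the list that transfers are refused. The replies in the test data are constructed stand-ins for what a server returns; nothing is sent over the network.

```python
"""DNS NOTIFY and AXFR messages as they appear on the wire, with the checks a
secondary server and a zone-transfer auditor apply to them.

Added example covering the DNS notify and securing zone transfers topics; it is
not code from the course. Nothing is sent: messages are built and parsed in
memory, and the replies are constructed stand-ins for what a server returns.
"""
import struct
from typing import Set

OPCODE_QUERY, OPCODE_NOTIFY = 0, 4          # RFC 1035 / RFC 1996
QTYPE_SOA, QTYPE_AXFR = 6, 252
RCODE_NOERROR, RCODE_REFUSED = 0, 5
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """contoso.msft -> b'\\x07contoso\\x04msft\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            raise ValueError("compression pointer not expected in a question name")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def build_message(msg_id: int, opcode: int, qname: str, qtype: int,
                  qr: bool = False, aa: bool = False, rcode: int = 0, ancount: int = 0) -> bytes:
    """Header + one question. Answer RRs are not serialised here; `ancount`
    only lets a constructed reply state how many it would carry."""
    flags = (qr << 15) | (opcode << 11) | (aa << 10) | rcode
    header = struct.pack("!HHHHHH", msg_id, flags, 1, ancount, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def parse_message(msg: bytes) -> dict:
    msg_id, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": msg_id, "qr": bool(flags >> 15), "opcode": (flags >> 11) & 0xF,
            "aa": bool((flags >> 10) & 1), "rcode": flags & 0xF,
            "qname": qname, "qtype": qtype, "qclass": qclass, "ancount": ancount}


def build_notify(msg_id: int, zone: str) -> bytes:
    """Master -> secondary: NOTIFY with an SOA question and AA set (RFC 1996)."""
    return build_message(msg_id, OPCODE_NOTIFY, zone, QTYPE_SOA, aa=True)


def handle_notify(packet: bytes, source_ip: str, zone: str, masters: Set[str]) -> str:
    """Secondary side. Acting on a notify means sending an SOA query and possibly
    a transfer, so a notify is honoured only if it is for a zone this server
    holds as a secondary AND it came from one of that zone's configured master
    servers. Anything else is ignored, which stops a third party from using
    forged notifies to make the secondary hammer its master."""
    m = parse_message(packet)
    if m["opcode"] != OPCODE_NOTIFY or m["qtype"] != QTYPE_SOA:
        return "ignore: not a NOTIFY for SOA"
    if str(m["qname"]).lower() != zone.rstrip(".").lower():
        return "ignore: not a zone we hold"
    if source_ip not in masters:
        return "ignore: not from a configured master"
    return "query-soa"          # starts the zone transfer process described in this lesson


def build_axfr_request(msg_id: int, zone: str) -> bytes:
    """Zone transfer request as written to the TCP stream: 2-byte length, then message."""
    msg = build_message(msg_id, OPCODE_QUERY, zone, QTYPE_AXFR)
    return struct.pack("!H", len(msg)) + msg


def axfr_outcome(tcp_reply: bytes) -> str:
    """Auditor side: classify the first TCP-framed message a server sent back.
    A server that restricts transfers answers REFUSED; one that does not starts
    sending the zone (NOERROR with answer records)."""
    (length,) = struct.unpack("!H", tcp_reply[:2])
    m = parse_message(tcp_reply[2:2 + length])
    if m["rcode"] == RCODE_REFUSED:
        return "refused"
    if m["rcode"] == RCODE_NOERROR and m["qr"] and m["ancount"] > 0:
        return "allowed"
    return "unexpected rcode %d" % m["rcode"]
```

Because both the notify check and the transfer restriction rest on the sender's IP address, they protect against casual enumeration but not against a host that shares or can spoof an authorized address; that is the gap the IPSec or VPN recommendation above closes for transfers over untrusted networks.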


Practice: Configuring DNS Zone Transfers


Objectives

In this practice, you will:

! Configure DNS zone transfers.
! Configure a secondary zone.

Instructions

Ensure that the DEN-DC1, DEN-SRV1, and DEN-SRV2 virtual machines are started.

Practice

! Prepare for this practice

• If necessary, log on to DEN-DC1 and DEN-SRV1 as Contoso\Administrator, with a password of Pa$$w0rd.

! Configure DEN-DC1 to allow zone transfers

1. On DEN-DC1, click Start, point to Administrative Tools, and then click DNS.
2. Expand DEN-DC1, expand Reverse Lookup Zones, and then click 10.10.0.x Subnet.
3. Right-click 10.10.0.x Subnet and then click Properties.
4. On the Zone Transfers tab, ensure that Allow zone transfers and Only to servers listed on the Name Servers tab are selected, and then click Notify.
5. In the Notify window, ensure that Servers listed on the Name Servers tab is selected, and then click OK.
6. On the Name Servers tab, click Add.
7. In the Server fully qualified domain name (FQDN) field, type Den-srv1.contoso.msft, click Resolve, and then click OK.
8. Click OK.


! Configure DEN-SRV1 with a secondary zone

1. On DEN-SRV1, click Start, point to Administrative Tools, and then click DNS.
2. Expand DEN-SRV1 and then click Reverse Lookup Zones.
3. Right-click Reverse Lookup Zones and then click New Zone.
4. Click Next.
5. Click Secondary Zone and then click Next.
6. In the Network ID field, type 10.10.0 and then click Next.
7. In the Master DNS Servers window, in the IP Address field, type 10.10.0.2, click Add, and then click Next.
8. Click Finish.
9. On DEN-DC1, in the DNS console tree, right-click 10.10.0.x Subnet and then click New Pointer (PTR).
10. In the Host IP number field, type 51.
11. In the Host name field, type test2.contoso.msft and then click OK.
12. On DEN-SRV1, in the DNS console tree, expand Reverse Lookup Zones and then click 10.10.0.x Subnet.
13. In the details pane, ensure that the entry for 10.10.0.51 has replicated. The record appears after DEN-SRV1 receives the notify message from DEN-DC1 and transfers the zone; if it is not yet visible, right-click the zone and then click Refresh.


Lesson: Configuring a DNS Client


Introduction

You have installed and configured the DNS Server service and created the appropriate zones on the DNS server. Now you need to ensure that clients can register their resource records in DNS and use DNS to resolve queries.

Lesson objectives

After completing this lesson, you will be able to:

! Describe how preferred and alternate DNS servers work.
! Describe how suffixes are applied.
! Configure a DNS client.


How Preferred and Alternate DNS Servers Work


Definitions

A preferred DNS server is the first server that a DNS client attempts to query.

An alternate DNS server is a server that the client uses if the preferred DNS server is unreachable or does not answer the query.

Purpose of preferred and alternate DNS servers

Without a preferred DNS server, the DNS client cannot query a DNS server at all. Without an alternate DNS server, queries are not resolved if the preferred DNS server fails. You can configure more than one alternate DNS server. Note that an alternate server is used when the preferred server does not respond, not when the preferred server answers that the name does not exist; every server in the list must therefore be able to resolve the same names, which is why the lab in this module hosts the same zones on both DEN-DC1 and DEN-SRV1.

Process

The following steps outline the process for contacting preferred and alternate DNS servers:

1. The query is sent to the preferred DNS server first.
2. If the preferred DNS server does not respond to the query, the query is sent to the alternate DNS server.
3. If the alternate DNS server does not respond either, and the DNS client is configured with the IP addresses of additional DNS servers, the DNS client sends the query to the next DNS server in the list.
4. If a DNS server (the preferred server, an alternate server, or any other server on the list) is unresponsive, the client temporarily removes it from the list and sends subsequent queries to the remaining servers.
5. If no DNS server responds, the DNS client query fails.

Multihomed computers

Multihomed computers may list multiple preferred servers, one for each adapter. In this situation, the client issues the name resolution request to the preferred server on the first network adapter in the binding order. If the client receives a negative response, it attempts to resolve the name with the preferred server on the second network adapter. It continues this process until it receives a positive name resolution response or until it has queried all preferred servers.


How Suffixes Are Applied


Purpose of configuring suffixes

If no DNS suffix is configured on the client, resolution of unqualified names and dynamic update may not function correctly. By properly configuring DNS suffixes on the client, you ensure that unqualified names (such as Server1) are turned into the correct fully qualified names before they are submitted to DNS.

Suffix selection options

The Append primary and connection specific DNS suffixes option limits resolution of unqualified names on the computer to the primary DNS suffix and the connection-specific suffixes. For example, suppose that your primary DNS suffix is contoso.msft. If you attempt to contact Server1, the computer queries for Server1.contoso.msft, in addition to Server1 with each connection-specific suffix appended.

The Append parent suffixes of the primary DNS suffix option additionally devolves the primary DNS suffix, so that the parents of the primary suffix are also tried, up to the second-level domain. For example, suppose your primary DNS suffix is sales.south.contoso.msft. If you attempt to contact Server1, the computer queries for Server1.sales.south.contoso.msft. If the query is not resolved, the computer queries for Server1.south.contoso.msft. If the query is still not resolved, the computer queries for Server1.contoso.msft.

Connection-specific suffix

The DNS suffix for this connection field lets you configure a DNS suffix for the specified connection. If a Dynamic Host Configuration Protocol (DHCP) server configures this connection and you specify no DNS suffix, the DHCP server assigns a DNS suffix if it is configured to do so.


How suffixes are applied

When a user enters a name that is not fully qualified, the DNS client resolver builds the FQDNs that it submits to DNS as follows:

1. The DNS client resolver appends the primary DNS suffix and sends the query to the preferred DNS server.

2. If resolution is unsuccessful, the DNS client resolver appends each connection-specific DNS suffix in turn.

3. If resolution is still unsuccessful, and Append parent suffixes of the primary DNS suffix is selected, the DNS resolver devolves the primary DNS suffix by appending its parent suffix, the parent of that suffix, and so on until only two labels remain. For example, Server1.sales.south.contoso.msft devolves to Server1.south.contoso.msft, which then devolves to Server1.contoso.msft.

4. However, if the user has specified a domain suffix search list, both the primary DNS suffix and the connection-specific domain name are ignored. Neither is appended to the host name before the FQDN is submitted to DNS. Instead, the DNS resolver appends each suffix from the domain search list in order and submits the query to the DNS server until the name is successfully resolved or the end of the list is reached.
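The suffix rules above, as an added example that is not part of the course material: a Python function that returns the FQDNs a Windows Server 2003 client submits for an unqualified name, in order, and a resolve helper that checks them against a constructed set of names standing in for the zones used in the practice that follows (den-cl1, den-devsrv1 and nw-srv11). The record set and host names are constructed for illustration. Names that contain dots but no trailing dot follow additional rules that are not shown here.

```python
"""Order in which the Windows DNS client resolver qualifies an unqualified name.

Added example for this lesson, not code from the course. It reproduces the
rules described on this page (primary DNS suffix, connection-specific suffixes,
devolution of the primary suffix down to two labels, and a search list that
overrides both) and returns the FQDNs the resolver submits, in order. Names
that contain dots but no trailing dot are outside what is shown here.
"""
from typing import Iterable, List, Optional, Set


def devolve(suffix: str, min_labels: int = 2) -> List[str]:
    """sales.south.contoso.msft -> [sales.south.contoso.msft, south.contoso.msft, contoso.msft].
    Devolution stops when only `min_labels` labels remain (two on Windows Server 2003)."""
    labels = suffix.strip(".").split(".")
    out = []
    while len(labels) >= min_labels:
        out.append(".".join(labels))
        labels = labels[1:]
    return out


def query_candidates(name: str, primary_suffix: str = "",
                     connection_suffixes: Iterable[str] = (),
                     search_list: Iterable[str] = (),
                     append_parent_suffixes: bool = True) -> List[str]:
    """FQDNs the resolver tries, in order, until one resolves."""
    if name.endswith("."):
        return [name.rstrip(".")]        # fully qualified: queried as-is, no suffixes appended
    search = [s.strip(".") for s in search_list if s.strip(".")]
    if search:
        # "Append these DNS suffixes (in order)": the primary and connection
        # suffixes are ignored entirely; only the list is used.
        return [f"{name}.{s}" for s in search]
    candidates: List[str] = []

    def add(suffix: str) -> None:
        suffix = suffix.strip(".")
        fqdn = f"{name}.{suffix}"
        if suffix and fqdn not in candidates:
            candidates.append(fqdn)

    if primary_suffix:
        add(primary_suffix)                         # step 1: primary DNS suffix
    for s in connection_suffixes:
        add(s)                                      # step 2: each connection-specific suffix
    if primary_suffix and append_parent_suffixes:
        for parent in devolve(primary_suffix)[1:]:  # step 3: parents of the primary suffix
            add(parent)
    return candidates


def resolve(name: str, known_names: Set[str], **suffix_config) -> Optional[str]:
    """Return the first candidate present in `known_names` (a stand-in for the
    names the configured DNS servers can answer), or None when resolution fails."""
    known = {k.lower() for k in known_names}
    for fqdn in query_candidates(name, **suffix_config):
        if fqdn.lower() in known:
            return fqdn
    return None


# Constructed stand-in for the names resolvable from DEN-SRV2 in the practice.
PRACTICE_RECORDS = {"den-cl1.contoso.msft", "den-devsrv1.dev.contoso.msft",
                    "nw-srv11.nwtraders.msft"}
```

Running resolve with the three configurations used in the practice (primary suffix only, primary plus the connection-specific suffix dev.contoso.msft, and the explicit search list) reproduces the Yes/No answers recorded there, and shows why: den-devsrv1 is never tried under dev.contoso.msft until that suffix is configured, and nw-srv11 is never tried under nwtraders.msft until a search list names it.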


Practice: Configuring a DNS Client


Objective

In this practice, you will configure a DNS client.

Instructions

Ensure that the DEN-DC1, DEN-SRV1, and DEN-SRV2 virtual machines are started.

Practice

! Prepare for this practice

• If necessary, log on to DEN-SRV2 as Contoso\Administrator, with the password Pa$$w0rd.

! Configure a DNS client

1. On DEN-SRV2, click Start, point to All Programs, point to Accessories, and then click Command Prompt.
2. At the command prompt, type ipconfig /flushdns and then press ENTER.
3. Type ping den-cl1 and then press ENTER. Was the address resolved? Yes
4. Type ping den-devsrv1 and then press ENTER. Was the address resolved? No
5. Type ping nw-srv11 and then press ENTER. Was the address resolved? No


6. Click Start, point to Control Panel, point to Network Connections, and then click Local Area Connection.
7. Click Properties, select Internet Protocol (TCP/IP), click Properties, and then click Advanced.
8. On the DNS tab, in the DNS suffix for this connection field, type dev.contoso.msft and then click OK.
9. Click OK, click Close, and then click Close again.
10. At the command prompt, type ipconfig /flushdns and then press ENTER.
11. Type ping den-cl1 and then press ENTER. Was the address resolved? Yes
12. Type ping den-devsrv1 and then press ENTER. Was the address resolved? Yes
13. Type ping nw-srv11 and then press ENTER. Was the address resolved? No
14. Click Start, point to Control Panel, point to Network Connections, and then click Local Area Connection.
15. Click Properties, select Internet Protocol (TCP/IP), click Properties, and then click Advanced.
16. On the DNS tab, in the DNS suffix for this connection field, clear dev.contoso.msft.
17. Click Append these DNS suffixes (in order).
18. Click Add, type contoso.msft and then click Add.
19. Click Add, type dev.contoso.msft and then click Add.
20. Click Add, type nwtraders.msft and then click Add.
21. Click OK three times, and then click Close.
22. At the command prompt, type ipconfig /flushdns and then press ENTER.
23. Type ping den-cl1 and then press ENTER. Was the address resolved? Yes
24. Type ping den-devsrv1 and then press ENTER. Was the address resolved? Yes
25. Type ping nw-srv11 and then press ENTER. Was the address resolved? Yes
26. Close all open windows on DEN-SRV2 and DEN-DC1.

! Prepare for the lab

1. Shut down the DEN-SRV1 virtual machine and do not save changes.
2. Start the DEN-CL1 and DEN-SRV1 virtual machines.


Lab: Resolving Host Names by Using DNS


Objectives

In this lab, you will implement a DNS infrastructure.

Instructions

Ensure that the following virtual machines are running:

! DEN-DC1
! DEN-SRV1
! DEN-SRV2
! DEN-CL1

Estimated time to complete this lab: 60 minutes


Exercise 1: Implementing a DNS Infrastructure

In this lab, you will implement a DNS infrastructure to meet your organization's needs.

Scenario

You are responsible for the DNS infrastructure of Contoso, Ltd. Although DNS is implemented in your environment, the current infrastructure has several shortcomings that need to be addressed. Additionally, a recent merger with Northwind Traders has occurred. You need to take steps to integrate Northwind Traders' DNS environment with that of Contoso, Ltd.

DNS is installed on three servers: DEN-DC1, DEN-SRV1, and DEN-SRV2. The following table describes the current configurations.

Server: DEN-DC1
• IP address: 10.10.0.2
• Primary zone Contoso.msft. Zone transfers are not allowed.
• Primary reverse lookup zone 10.10.0.x. Zone transfers are allowed to DEN-SRV1.

Server: DEN-SRV1
• IP address: 10.10.0.10
• Fresh installation of DNS. (No configurations have been made.)

Server: DEN-SRV2
• IP address: 10.10.0.11
• Primary zone Nwtraders.msft.
• Configured to use 10.10.0.2 as a forwarder.

Your desired DNS infrastructure needs to meet the following criteria:

! Clients must use DEN-DC1 and DEN-SRV1 for name resolution.
! Name resolution must be fault tolerant in the event that either DEN-DC1 or DEN-SRV1 fails.
! Clients should be able to resolve names for Contoso.msft and Nwtraders.msft by using both fully qualified and unqualified domain names.
! A separate administrative group will maintain name resolution for Nwtraders.msft. DEN-SRV2 will continue to maintain the forward lookup zone for Nwtraders.msft. Additional DNS servers may be added at a later date. A process must be put in place on DEN-DC1 and DEN-SRV1 so that they are automatically informed if new name servers are added for Nwtraders.msft.


Tasks and specific instructions

1. Implement a secondary zone for Contoso.msft on DEN-SRV1.

a. If necessary, log on to DEN-DC1 and DEN-SRV1 as Administrator with the password of Pa$$w0rd.
b. On DEN-DC1, add a name server record for DEN-SRV1 in the Contoso.msft zone.
c. Configure the Contoso.msft zone to allow zone transfers to servers listed on the Name Servers tab.
d. On DEN-SRV1, create a secondary zone for Contoso.msft.

2. Implement a secondary zone for the 10.10.0.x subnet on DEN-SRV1.

• On DEN-SRV1, create a secondary reverse lookup zone for the 10.10.0.x subnet.

3. Test fault-tolerant name resolution.

a. On DEN-DC1, stop the DNS Server service.
b. Log on to DEN-CL1 as Administrator with the password of Pa$$w0rd.
c. Configure DEN-CL1 to use DEN-DC1 as its preferred DNS server and DEN-SRV1 as its alternate DNS server.
d. On DEN-CL1, flush the DNS resolver cache.
e. On DEN-CL1, use the ping command to confirm successful name resolution for den-srv1.contoso.msft. The ping should succeed.
f. On DEN-DC1, start the DNS Server service.

4. Implement stub zones for Nwtraders.msft on DEN-DC1 and DEN-SRV1.

a. From DEN-CL1, use the ping command to test name resolution for Nw-srv11.nwtraders.msft. The name resolution should fail.
b. On DEN-SRV2, configure the Nwtraders.msft zone to allow zone transfers to DEN-SRV1 and DEN-DC1.
c. On DEN-SRV1, create a stub zone for Nwtraders.msft.
d. On DEN-DC1, create a stub zone for Nwtraders.msft.

5. Test name resolution for Nwtraders.msft by using the stub zone.

a. On DEN-CL1, flush the DNS resolver cache.
b. From DEN-CL1, use the ping command to test name resolution for Nw-srv11.nwtraders.msft. The name resolution should be successful. However, because no server is using that IP address, the ping itself will fail.

6. Implement name resolution by using unqualified domain names for Nwtraders.msft and Contoso.msft on DEN-CL1.

a. From DEN-CL1, use the ping command to test name resolution for DEN-SRV1 and NW-SRV11.
b. Configure DEN-CL1 to append the following DNS suffixes when attempting to resolve unqualified domain names: contoso.msft and nwtraders.msft.
c. From DEN-CL1, use the ping command to test name resolution for DEN-SRV1 and NW-SRV11. Both server names should be successfully resolved.

7. Complete the lab exercise.

a. Close all programs and shut down all computers. Do not save changes.
b. To prepare for the next module, start the DEN-DC1 and DEN-SRV1 virtual machines.
