Planning DNS
Transcript of Planning DNS
-
8/13/2019 Planning DNS
1/70
Contents
Overview 1
Lesson: Planning DNS Servers 2
Multimedia: How DNS Clients Resolve Names 3
Multimedia: Resolving Names with a DNS Server 8
Lesson: Planning a Namespace 18
Multimedia: Planning a DNS Namespace Strategy 19
Lesson: Planning Zones 31
Lesson: Planning Zone Replication and Delegation 42
Lesson: Integrating DNS and WINS 53
Multimedia: Integrating DNS and WINS 54
Lab A: Planning a DNS Strategy 62
Module 5: Planning a DNS Strategy
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no
part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2003 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, Windows, Windows NT, Active Directory, MSDN, PowerPoint, SharePoint,
Visual Basic, and Windows Media are either registered trademarks or trademarks of Microsoft
Corporation in the U.S.A. and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
iv Module 5: Planning a DNS Strategy
How to Teach This Module
This section contains information that will help you to teach this module.

How To Pages, Guidelines and Practices, and Labs
Explain to the students how the How To pages, practices, and labs are designed for this course. A module includes two or more lessons. Most lessons include How To pages and a practice. After completing all of the lessons for a module, the module concludes with a lab.

How To pages
The How To pages are designed for the instructor to demonstrate how to do a task. The students do not perform the tasks on the How To page with the instructor. They will use these steps to perform the practice at the end of each lesson.

Guidelines pages
The guidelines pages are pages that provide you with the key decision points for the topic of the lesson. You will use these guidelines as a reinforcement of the lesson content and objectives.

Practices
After you have covered the contents of the topic, and demonstrated the How To procedures for the lesson, explain that a practice will give students a chance for hands-on learning of all the tasks discussed in the lesson.

Labs
At the end of each module, the lab enables the students to practice the tasks that are discussed and applied in the entire module.
Using scenarios that are relevant to the job role, the lab gives students a set of instructions in a two-column format. The left column provides the task, for example: Create a group. In the right column are specific instructions that the students need to perform the task, for example: From Active Directory Users and Computers, double-click the domain node.
An answer key for each lab exercise is located on the Student Materials compact disc, in case the students need step-by-step instructions to complete the lab. They can also refer to the practices and How To pages in the module.

Lesson: Planning DNS Servers
This section describes the instructional methods for teaching this lesson.

Overview
When you introduce this lesson, emphasize that the planning decisions students will make for DNS servers are influenced by whether or not they will use the Active Directory directory service.

Determining DNS Server Placement
When you teach this topic, point out that there are several issues that affect the placement of DNS servers. These include client considerations, the physical structure of the network, and the number of DNS servers on the network that perform different roles.
DNS Server Roles
When you discuss DNS server roles, tell students that they can use servers in any or all of these roles in an environment to provide a DNS solution.

Levels of Securing Microsoft DNS Servers
When you teach this topic, emphasize that it is unlikely that students would choose to implement low-level security on a DNS server. Also, clarify that these security levels are not discrete choices or setting labels. Instead they are general categories of security measures that the students implement using a variety of settings.

Lesson: Planning a Namespace
This section describes the instructional methods for teaching this lesson.

DNS Namespace Options
When you discuss DNS namespace options, point out that .local is not a valid domain suffix on the Internet; it is only valid internally. If the students choose an internal namespace that is valid on the Internet, they should register it.

Lesson: Planning Zones
This section describes the instructional methods for teaching this lesson.

Selecting Zone Types
When you discuss zone types, tell the students that in Microsoft Windows Server 2003, they select zone types first and then choose the storage location. To clarify this, you may want to demonstrate creating a new zone by using the wizard in Windows Server 2003.

Selecting Zone Data Location
In this topic, recommend the use of an Active Directory zone whenever appropriate. In most cases, an Active Directory zone is more secure and easier to manage than a traditional zone.

Lesson: Planning Zone Replication and Delegation
This section describes the instructional methods for teaching this lesson.

When to Create a Secondary Zone
Emphasize that in an exclusive Active Directory environment, if the students use Active Directory-integrated zones, they will not require secondary zones.

Zone Delegation
When you discuss the necessity of planning for zone delegation, emphasize that the students should also have a plan for forwarding.

Lesson: Integrating DNS and WINS
This section describes the instructional methods for teaching this lesson.

Overview
When you introduce this lesson, explain to students that they will need to integrate DNS and Windows Internet Name Service (WINS) when they have DNS clients that need to query names that are only located in WINS.

Modifying Cache Timeout Settings
Point out to students that modifying cache timeout settings is an optimization step and that you will discuss optimizing in more detail in Module 6, Optimizing and Troubleshooting DNS.
Lab A: Planning a DNS Strategy
Before beginning the lab, students should have completed all of the practices. Remind the students that they can return to guidelines and content pages in the module for assistance. The answer key for each lab is provided on the Student Materials compact disc.

Customization Information
This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.
The lab in this module is also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Automated Classroom Setup Guide for Course 2278, Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure.

Lab Setup
There are no lab setup requirements that affect replication or customization.

Lab Results
There are no configuration changes on student computers that affect replication or customization.
Lesson: Planning DNS Servers
*****************************ILLEGAL FOR NON-TRAINER USE******************************

Introduction
This lesson covers DNS server configurations and properties. In addition, the lesson discusses security for DNS servers.

Enabling objectives
After completing this lesson, you will be able to:
- Determine DNS server configurations.
- Determine DNS server properties.
- Determine DNS Security (DNSSEC) support.
- Determine User Datagram Protocol (UDP) message size.
Multimedia: How DNS Clients Resolve Names

Introduction
The objective of this presentation is to explain how DNS clients resolve host names to IP addresses.

Objectives
You will learn how to:
- Explain the functionality of a DNS server in a routed network.
- Identify a fully qualified domain name.
- Explain the process for using a DNS server to resolve a host name to an IP address.

Key questions
When viewing this presentation, you should consider the following questions:
- What is the function of a DNS server?
- How does a DNS server process fully qualified domain names?
- How does a DNS server resolve a host name to an IP address?
Determining DNS Server Requirements

Introduction
After you have defined your DNS plan, you need to determine the server requirements. You will need to consider several factors when planning your DNS server. You should:
- Perform capacity planning and review the server hardware requirements.
- Determine the number of DNS servers you need and their roles in your network. When deciding the number of DNS servers to use, you need to decide the servers that will host primary and secondary copies of the zones. Also, if you are using the Active Directory directory service, determine whether the server computer performs as a domain controller or a member server for the domain.
- Decide where you are going to place DNS servers on your network for traffic loads, replication, and fault tolerance.
- Decide whether to use only DNS servers running Microsoft Windows Server 2003 for all of your DNS servers or whether you will employ a mixture of Windows and other DNS server implementations.
Planning server capacity
Planning and deploying DNS servers on your network involves examining several aspects of the network and the capacity requirements for any DNS servers that you intend to use in it. Consider the following factors when planning server capacity:
- Determine the number of zones that the DNS server is expected to load and host.
- For each zone that the server is loading for service, determine the size of the zone based on the size of the zone file or the number of resource records that are used in the zone.
- For a multiple-homed (more than one IP address) DNS server, determine the number of addresses that are to be enabled for listening to and servicing DNS clients on each of the server's connected subnets.
- Define the total number of client DNS query requests that a DNS server is expected to receive and service.

DNS server system requirements
In many cases, adding more RAM to a DNS server can result in noticeable performance improvement. This improvement is because the DNS Server service fully loads all of its configured zones into memory at startup. If your server is operating and loading a large number of zones, and if dynamic updates occur frequently for zone clients, additional memory can be helpful.
Keep in mind that, for typical usage, the DNS server consumes system memory as follows:
- Approximately 4 megabytes (MB) of RAM is used when the DNS server is started without any zones.
- The DNS server consumes additional server memory for each zone or resource record that is added to the server.
- It is estimated that an average of approximately 100 bytes of server memory are used for every resource record that is added to a server zone. For example, if a zone containing 1000 resource records is added to a server, it will require approximately 100 kilobytes (KB) of server memory.
You can begin determining your server plans by reviewing sample DNS server performance test results collected by the Windows Server 2003 DNS development and testing teams. In addition, you can use DNS server-related counters that are provided for use with Windows Server 2003 monitoring tools to obtain your own performance measurements for the DNS servers that are running Windows Server 2003 that you deploy on your network.

Important: The preceding recommendations are not intended to indicate the maximum performance or limitations for DNS servers that are running Windows Server 2003. These numbers are approximate and can be influenced by the type of the resource records that are entered in zones, the number of resource records that have the same owner name, and the number of zones in use at a specific DNS server.
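The record count that drives the estimate above comes from the zone data itself. As an added example for this module (not Microsoft code), the following reads a BIND-style zone file, counts resource records and distinct owner names, and applies the 4 MB plus roughly 100 bytes per record figures quoted above. The zone text is constructed for illustration, and the set of record types the reader recognises is limited to the common ones listed in the code.

```python
"""Count the resource records in a BIND-style zone file and estimate the memory
a DNS server would need to load it, using the figures quoted on this page
(about 4 MB for the service with no zones, roughly 100 bytes per record).
This is an added example for this module, not Microsoft code; the zone text
below is constructed for illustration."""
from collections import Counter

BASE_MEMORY_BYTES = 4 * 1024 * 1024   # ~4 MB used with no zones loaded (figure from the page)
BYTES_PER_RECORD = 100                # ~100 bytes per resource record (figure from the page)
RR_TYPES = {"A", "AAAA", "NS", "SOA", "MX", "CNAME", "PTR", "TXT", "SRV"}
CLASSES = {"IN", "CH", "HS"}


def _strip_comment(line):
    """Remove a trailing ';' comment, ignoring ';' inside quoted strings."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def _logical_lines(text):
    """Yield (starts_with_whitespace, tokens) per record, joining '(' ... ')' continuations."""
    buf, depth, starts_blank = [], 0, False
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not buf:
            starts_blank = raw[:1].isspace()   # blank owner field => same owner as previous record
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            tokens = " ".join(buf).replace("(", " ").replace(")", " ").split()
            buf, depth = [], 0
            if tokens:
                yield starts_blank, tokens


def parse_zone(text, default_origin="."):
    """Return a list of (owner FQDN, RR type) for every resource record in the zone text."""
    origin, owner, records = default_origin, None, []
    for starts_blank, tokens in _logical_lines(text):
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):          # $TTL, $INCLUDE etc. carry no records
            continue
        if not starts_blank:
            owner, tokens = tokens[0], tokens[1:]
        if owner is None:
            raise ValueError("record without an owner name")
        # Skip the optional TTL and class fields that precede the type
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tokens = tokens[1:]
        if not tokens or tokens[0].upper() not in RR_TYPES:
            raise ValueError("unrecognised record: %r" % (tokens,))
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner
        else:
            fqdn = owner + "." + origin
        records.append((fqdn.lower(), tokens[0].upper()))
    return records


def estimate_memory(records):
    """Rough memory footprint in bytes for loading these records, per the page's figures."""
    return BASE_MEMORY_BYTES + BYTES_PER_RECORD * len(records)


def summarize(text):
    records = parse_zone(text)
    return {
        "records": len(records),
        "by_type": dict(Counter(rtype for _, rtype in records)),
        "owners": len({owner for owner, _ in records}),   # records sharing an owner change the real cost
        "estimated_bytes": estimate_memory(records),
    }


# Constructed sample zone (documentation addresses, fictitious contoso.com names)
SAMPLE_ZONE = """\
$ORIGIN contoso.com.
$TTL 3600
@       IN SOA ns1.contoso.com. hostmaster.contoso.com. (
            2003081301 ; serial
            3600       ; refresh
            600        ; retry
            86400      ; expire
            300 )      ; minimum
        IN NS  ns1.contoso.com.
        IN NS  ns2.contoso.com.
ns1     IN A   192.0.2.1
ns2     IN A   192.0.2.2
www     IN A   192.0.2.10
        IN A   192.0.2.11   ; second address, same owner name
mail    IN MX  10 mail.contoso.com.
mail 300 IN A  192.0.2.20   ; explicit TTL before the class
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ZONE).items():
        print(key, value)
```

The owner-name count is reported alongside the record count because, as the note above says, records that share an owner name change the per-record cost; the estimate itself is only the page's rule of thumb, not a measurement.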
Determining DNS Server Placement

Introduction
You need to consider several factors when deciding where to place your DNS servers. You need to determine not only where to place the servers, but also the number of servers you need and their system configuration.

DNS server placement
In general, place your DNS servers at a location on your network that is most accessible to your clients. It is often most practical to use a DNS server on each subnet. Consider the following factors when deciding where to place a DNS server:
- If you are deploying DNS to support Active Directory, identify if the DNS server computer is also a domain controller or is likely to be promoted to one in the future.
- If the DNS server stops responding, determine if its local clients are able to gain access to an alternate DNS server.
- If the DNS server is located on a subnet that is remote to some of its clients, identify the other DNS servers or name resolution options that are available if the routed connection stops responding.
- For DNS server installations in which the use of Active Directory is an issue, review special interoperability issues and installation details.
- For all DNS server installations, including those in which the use of Active Directory is not an issue, it can be useful to apply the following server placement and planning guidelines.
How many servers should you have?
When determining the number of DNS servers you need to use, assess the effect of zone transfers and DNS query traffic on slower links in your network. Although DNS is designed to help reduce broadcast traffic between local subnets, it does create some traffic between servers and clients. You should review this traffic, particularly when implementing DNS in complex routed LAN or WAN environments.
Consider the effects of zone transfer over slower links such as those typically used for a WAN connection. Although the DNS service supports incremental zone transfers, and Windows Server 2003 DNS clients and servers can cache recently used names, traffic can still be an issue, particularly when shortened Dynamic Host Configuration Protocol (DHCP) leases result in more frequent dynamic updates in DNS. One option for dealing with remote locations on WAN links is to set up a DNS server at these locations to provide caching-only DNS service.
With most installations, you should have at least two server computers hosting each of your DNS zones for fault tolerance. DNS was designed to have two servers for each zone: one as the primary server and the other as a backup or secondary server. Before deciding the number of servers you will use, you should first assess the level of fault tolerance you need for your network.

DNS server placement example
If you have a routed LAN and high-speed links that are fairly reliable, you might be able to use one DNS server for a larger, multiple-subnetted network area. If you have a large number of client nodes on a single subnet design, you might want to add more than one DNS server to the subnet to provide backup and failover in case the preferred DNS server stops responding.

Note: When using only a single server running Windows Server 2003 on a small LAN in a single-subnet environment, you can configure the single server to simulate both the primary and secondary servers for a zone.
Multimedia: Resolving Names with a DNS Server

Introduction
The objective of this presentation is to explain the process for resolving names with a DNS server.

Objectives
You will learn how to:
- Explain the functionality of a DNS server.
- Define the process for name resolution using a DNS server.
- Identify the query types.
- Explain DNS and WINS integration.

Key questions
When viewing this presentation, you should consider the following questions:
- What are the two types of queries that a resolver can make to a DNS server?
- Why was the special zone in-addr.arpa created?
- What is a pointer (PTR) record?
- How do forward queries resolve host names?
- How do reverse queries resolve host names?
Caching-only servers
When a remote office has a limited amount of available bandwidth for connecting to a corporate office, a caching-only server should be configured at the remote office to send recursive queries to a DNS server at the corporate office. A recursive query is one in which the DNS server assumes the full workload and responsibility for providing a complete answer to the query. The DNS server at the corporate office is better equipped to handle recursive queries because it has a greater amount of available bandwidth for connecting to the Internet or an intranet.

Non-recursive servers
A non-recursive server is a DNS server on which recursion has been disabled. This prevents the server from using recursion to resolve names on behalf of clients. The server is also prevented from forwarding requests. If a non-recursive server is unable to resolve a name directly, it returns a negative response to the query.
You should disable recursion on Internet-facing DNS servers that are authoritative for one or more zones. This will allow the DNS server to respond to queries from other DNS servers for your zone information but will prevent Internet clients from using your DNS server to resolve other domain names on the Internet. You can also disable recursion if you want to restrict your clients to resolving names internal to your organization.

Forward-only servers
When a DNS server that is configured to use forwarders cannot resolve a query locally or by using its forwarders, the server attempts to resolve the query by using standard recursion. You can also configure a DNS server to not perform recursion after the forwarders fail. In this configuration, the server does not attempt any further recursive queries to resolve the name. Instead, if the server does not receive a successful query response from any of the servers that are configured as forwarders, it fails the query. A DNS server that is configured in this manner is called a forward-only DNS server. If all forwarders for a name in the query do not respond to a forward-only DNS server, that DNS server does not attempt recursion.
Unlike a non-recursive DNS server, a forward-only DNS server builds up a cache relating to the domain name and uses this cache to attempt to resolve host names.
You use forwarders to manage the DNS traffic between your network and the Internet by configuring the firewall used by your network to allow only one DNS server to communicate with the Internet.
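Whether a server actually behaves as a non-recursive server is visible in the DNS message header: the client sets RD (recursion desired), and a server that will not recurse answers without RA (recursion available), typically with RCODE REFUSED for a name outside its zones, whereas an open resolver sets RA and returns an answer. As an added example for this module (not Microsoft code), the following builds such a query and classifies a reply from its header; the replies are constructed byte strings standing in for a server's response, not captured traffic.

```python
"""Build a DNS query with the RD (recursion desired) bit set and classify the
reply by its header: a server with recursion disabled does not set RA
(recursion available) and answers REFUSED for names it is not authoritative
for, while an open resolver sets RA and returns an answer. Added example for
this module, not Microsoft code; the replies below are constructed byte
strings that stand in for what a server would send, not captured traffic."""
import struct

QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080   # header flag bits
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, recursion_desired=True):
    """12-byte header plus one question (type A, class IN by default)."""
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify_response(query, response):
    """Describe how a server treated a recursive query for a name outside its zones."""
    h = parse_header(response)
    if h["id"] != parse_header(query)["id"]:
        return "mismatched-id"          # not a reply to our query; a resolver must discard it
    if not h["qr"]:
        return "not-a-response"
    if h["ra"] and h["ancount"] > 0:
        return "open-resolver"          # it recursed on our behalf for a foreign name
    if not h["ra"] and h["rcode"] == "REFUSED":
        return "recursion-disabled"     # the negative response a non-recursive server gives
    if h["aa"]:
        return "authoritative-answer"   # it answered from a zone it hosts
    return "other:" + h["rcode"]


def make_response(query, flags, rcode=0, answer_ip=None):
    """Construct a reply to `query` (test fixture standing in for a real server)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    ancount = 1 if answer_ip else 0
    header = struct.pack("!HHHHHH", txid, QR | flags | rcode, 1, ancount, 0, 0)
    answer = b""
    if answer_ip:
        # compression pointer to the question name at offset 12, type A, class IN, TTL 300, 4-byte rdata
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in answer_ip.split("."))
    return header + question + answer


if __name__ == "__main__":
    q = build_query("www.example.com")
    print("recursion honoured:", classify_response(q, make_response(q, RD | RA, answer_ip="192.0.2.5")))
    print("recursion disabled:", classify_response(q, make_response(q, RD, rcode=5)))
    print("own zone:", classify_response(q, make_response(q, RD | AA, answer_ip="192.0.2.5")))
```

Sent over UDP port 53 to a real server, the same `build_query` output and `classify_response` check tell you whether an Internet-facing authoritative server has in fact had recursion disabled as the text recommends; the transaction-ID comparison is there because a reply whose ID does not match the query must be discarded rather than cached.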
Conditional forwarders
A conditional forwarder is a DNS server that is used to forward DNS queries according to the DNS domain name in the query.
The conditional forwarder setting for a DNS server consists of the following elements:
- The domain names for which the DNS server will forward queries.
- One or more DNS server IP addresses for each domain name specified.
A DNS server that is configured to use a forwarder behaves differently than a DNS server that is not configured to use a forwarder. A DNS server configured to use a forwarder behaves as follows:
- When the DNS server receives a query, it attempts to resolve this query by using the primary and secondary zones that it hosts and its cache.
- If the query cannot be resolved by using this local data, the server forwards the query to the DNS server that is designated as a forwarder.
- The DNS server waits briefly for an answer from the forwarder before attempting to contact the DNS servers that are specified in its root hints.
- When a DNS server forwards a query to a forwarder, it sends a recursive query to the forwarder. This is different than the iterative query that a DNS server sends to another DNS server during standard name resolution (that is, name resolution that does not involve a forwarder).
In situations in which you want DNS clients in separate networks to resolve each other's names without having to query DNS servers on the Internet, you can configure the DNS servers in each network to forward queries for names in the other network. DNS servers in one network will forward names for clients in the other network to a specific DNS server that will build up a large cache of information about the other network. When forwarding in this way, you create a direct point of contact between the two networks' DNS servers, reducing the need for recursion.
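The non-recursive, forward-only and conditional-forwarder behaviours described in this topic and the previous one are all steps in one resolution order. As an added example for this module (not Microsoft code), the following simulates that order on a small constructed topology: a branch-office caching-only server that is forward-only to the corporate server, a corporate server with a conditional forwarder for a partner domain and root hints for everything else, and an Internet-facing authoritative server with recursion disabled. The servers, names and addresses are made up; a forwarder returning None stands in for "no usable answer before the wait expires".

```python
"""Simulate the order in which a DNS server, as this lesson describes it,
tries to answer a query: its own zones, then its cache, then a conditional
forwarder matching the query's domain, then its general forwarders, then
recursion from root hints unless it is forward-only or has recursion disabled.
Added example for this module, not Microsoft code; the servers, names and
addresses are constructed, and a forwarder returning None stands in for
"no usable answer before the wait expires"."""


class DnsServer:
    def __init__(self, name, zones=None, forwarders=(), conditional=None,
                 forward_only=False, recursion=True):
        self.name = name
        self.zones = zones or {}              # {"contoso.com.": {"www.contoso.com.": "192.0.2.10"}}
        self.cache = {}                       # answers learned from earlier lookups
        self.forwarders = list(forwarders)    # general forwarders (DnsServer objects)
        self.conditional = conditional or {}  # {"fabrikam.com.": [DnsServer, ...]}
        self.forward_only = forward_only      # do not recurse when the forwarders fail
        self.recursion = recursion            # False => non-recursive server
        self.root = None                      # stands in for the root hints

    @staticmethod
    def _in_zone(name, zone):
        return zone == "." or name == zone or name.endswith("." + zone)

    def _conditional_targets(self, name):
        """Pick the conditional forwarder with the longest matching domain, if any."""
        best = None
        for domain in self.conditional:
            if self._in_zone(name, domain) and (best is None or len(domain) > len(best)):
                best = domain
        if best is None:
            return None, None
        return self.conditional[best], "conditional[" + best + "]"

    def resolve(self, name, recursion_desired=True):
        """Return (answer or None, trail of the steps taken on this server)."""
        trail = [self.name]
        # 1. Hosted (primary or secondary) zones answer authoritatively, positive or negative.
        for zone, rrs in self.zones.items():
            if self._in_zone(name, zone):
                trail.append("zone:" + zone)
                return rrs.get(name), trail
        # 2. Cached data from earlier lookups.
        if name in self.cache:
            trail.append("cache")
            return self.cache[name], trail
        # A non-recursive server neither recurses nor forwards: it answers negatively.
        if not self.recursion or not recursion_desired:
            trail.append("refused")
            return None, trail
        # 3. Conditional forwarder for this domain, else 4. the general forwarders.
        targets, label = self._conditional_targets(name)
        if targets is None:
            targets, label = self.forwarders, "forwarder"
        for server in targets:
            answer, _ = server.resolve(name)          # a recursive query to the forwarder
            trail.append(label + "->" + server.name)
            if answer is not None:
                self.cache[name] = answer
                return answer, trail
        # 5. Root hints, unless this is a forward-only server (or it has no root hints).
        if self.forward_only or self.root is None:
            trail.append("fail")
            return None, trail
        trail.append("root-hints")
        answer, _ = self.root.resolve(name)           # stands in for iterative resolution
        if answer is not None:
            self.cache[name] = answer
        return answer, trail


def build_topology():
    """Constructed network: Internet root, a partner, a corporate server, a branch, a public server."""
    internet = DnsServer("internet-root", zones={".": {"www.example.net.": "198.51.100.7"}})
    partner = DnsServer("ns.fabrikam.com",
                        zones={"fabrikam.com.": {"intranet.fabrikam.com.": "203.0.113.5"}})
    corp = DnsServer("dns1.contoso.com",
                     zones={"contoso.com.": {"www.contoso.com.": "192.0.2.10"}},
                     conditional={"fabrikam.com.": [partner]})
    corp.root = internet                      # corporate server has root hints and may recurse
    branch = DnsServer("dns.branch.contoso.com", forwarders=[corp], forward_only=True)  # caching-only
    public = DnsServer("ns1.contoso.com",
                       zones={"contoso.com.": {"www.contoso.com.": "192.0.2.10"}},
                       recursion=False)       # Internet-facing authoritative server
    return {"internet": internet, "partner": partner, "corp": corp, "branch": branch, "public": public}


if __name__ == "__main__":
    t = build_topology()
    for server, name in [("branch", "www.contoso.com."), ("branch", "www.contoso.com."),
                         ("corp", "intranet.fabrikam.com."), ("corp", "www.example.net."),
                         ("branch", "nonexistent.example.org."), ("public", "www.example.net.")]:
        print(server, name, t[server].resolve(name))
```

The trail returned with each answer shows the point the text makes about caching: the branch server's second query for the same name is answered from its cache without crossing the WAN link, while the public server refuses anything outside its own zone because it neither recurses nor forwards.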
Levels of Securing Microsoft DNS Servers

Introduction
There are three levels of DNS security. You need to determine the appropriate security level for your network based on your organization's needs. The following three levels of DNS security will help you understand your current DNS configuration and enable you to increase your organization's DNS security.

Low-level security
Low-level security is a standard DNS deployment without any security precautions configured. You deploy this level of DNS security only in network environments in which there is no concern for the integrity of your DNS data or in a private network in which there is no threat of external connectivity.
When you implement low-level security:
- Your organization's DNS infrastructure is fully exposed to the Internet.
- Standard DNS resolution is performed by all DNS servers in your network.
- All DNS servers are configured with root hints pointing to the root servers for the Internet.
- All DNS servers permit zone transfers to any server.
- All DNS servers are configured to listen on all of their IP addresses.
- Cache pollution prevention is disabled on all DNS servers.
- Dynamic updating is allowed for all DNS zones.
- UDP and TCP port 53 is open on your network firewall for both source and destination addresses.
Medium-level security
Medium-level security uses the DNS security features that are available without running DNS servers on domain controllers and storing DNS zones in Active Directory.
When you implement medium-level security:
- Your organization's DNS infrastructure has limited exposure to the Internet.
- All DNS servers are configured to use forwarders to point to a specific list of internal DNS servers when they cannot resolve names locally.
- All DNS servers limit zone transfers to servers listed in the name server (NS) resource records in their zones.
- DNS servers are configured to listen on specified IP addresses.
- Cache pollution prevention is enabled on all DNS servers.
- Dynamic updating is not allowed for any DNS zones.
- Internal DNS servers communicate with external DNS servers through the firewall, allowing only a limited list of source and destination addresses.
- External DNS servers in front of your firewall are configured with root hints pointing to the root servers for the Internet.
- All Internet name resolution is performed by using proxy servers and gateways.

High-level security
High-level security uses the same configuration as medium-level security, in addition to the security features that are available when the DNS Server service is running on a domain controller and DNS zones are stored in Active Directory. In addition, high-level security completely eliminates DNS communication with the Internet. This is not a typical configuration, but it is recommended whenever Internet connectivity is not required.
When you implement high-level security:
- Your organization's DNS infrastructure allows no Internet communication with internal DNS servers.
- Your network uses an internal DNS root and namespace where all authority for DNS zones is internal.
- DNS servers that are configured with forwarders use internal DNS server IP addresses only.
- All DNS servers limit zone transfers to specified IP addresses.
- DNS servers are configured to listen on specified IP addresses.
- Cache pollution prevention is enabled on all DNS servers.
- Internal DNS servers are configured with root hints pointing to the internal DNS servers hosting the root zone for your internal namespace.
- All DNS servers are running on domain controllers. A discretionary access control list (DACL) is configured on the DNS Server service to allow only specific individuals to perform administrative tasks on the DNS server.
- All DNS zones are stored in Active Directory. A DACL is configured to allow only specific individuals to create, delete, or modify DNS zones.
- DACLs are configured on DNS resource records to allow only specific individuals to create, delete, or modify DNS data.
- Secure dynamic updating is configured for DNS zones, except the top-level and root zones, which do not allow dynamic updates at all.

Note: For additional information about DNS security threats, see the following topic in the DNS help files: Security Information for DNS.
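The three checklists above can be turned into an audit. As an added example for this module (not a Microsoft tool), the following takes a dictionary describing a server's settings, reports which items fall short of the medium and high checklists, classifies the server as low, medium or high, and evaluates the zone-transfer rule (NS-listed servers only, or an explicit address list) for a requesting address. The dictionary keys are a constructed representation of the choices the page lists, not the actual Windows Server 2003 DNS registry values or dnscmd switches, and the three sample configurations are made up to mirror the three checklists.

```python
"""Audit a DNS server's settings against the low, medium and high security
levels described on this page and list the settings that fall short.
Added example for this module, not a Microsoft tool: the dictionary keys
are a constructed representation of the choices the page lists, not the
real Windows Server 2003 DNS registry values or dnscmd switches."""
import ipaddress


def findings(cfg):
    """Return (severity, message) pairs for settings the page treats as weaknesses."""
    out = []
    if cfg.get("zone_transfers") == "any":
        out.append(("high", "zone transfers allowed to any server; limit to NS-listed servers or explicit IPs"))
    if not cfg.get("cache_pollution_prevention", False):
        out.append(("high", "cache pollution prevention disabled"))
    if cfg.get("dynamic_update") == "nonsecure":
        out.append(("high", "nonsecure dynamic updates accepted; use secure updates (AD-integrated zone) or disable"))
    if cfg.get("internet_facing") and cfg.get("recursion", True):
        out.append(("high", "Internet-facing authoritative server still recurses for anyone (open resolver)"))
    if cfg.get("listen_addresses") == "all":
        out.append(("medium", "listening on all IP addresses; bind to specified addresses"))
    if cfg.get("firewall_port53") == "any":
        out.append(("medium", "firewall passes port 53 to and from any address"))
    external = [f for f in cfg.get("forwarders", []) if not ipaddress.ip_address(f).is_private]
    if external:
        out.append(("medium", "forwarders outside private address space: " + ", ".join(external)))
    return out


def security_level(cfg):
    """Classify as 'low', 'medium' or 'high' using the checklists on this page."""
    if (any(sev == "high" for sev, _ in findings(cfg))
            or cfg.get("listen_addresses") == "all" or cfg.get("firewall_port53") == "any"):
        return "low"
    ad_features = cfg.get("on_domain_controller") and cfg.get("ad_integrated")
    no_internet = cfg.get("root_hints") == "internal" and all(
        ipaddress.ip_address(f).is_private for f in cfg.get("forwarders", []))
    explicit_transfers = isinstance(cfg.get("zone_transfers"), list)
    if ad_features and no_internet and explicit_transfers and cfg.get("dynamic_update") in ("secure", "none"):
        return "high"
    return "medium"


def transfer_allowed(cfg, zone_ns_addresses, requester):
    """Would this server send a full zone transfer to `requester`?"""
    policy = cfg.get("zone_transfers")
    if policy == "any":
        return True
    if policy == "ns-only":                   # medium level: only servers in the zone's NS records
        return requester in zone_ns_addresses
    return requester in (policy or [])        # high level: explicit IP list


# Constructed configurations mirroring the three checklists (RFC 1918 and documentation addresses)
LOW_CFG = dict(internet_facing=True, recursion=True, root_hints="internet", forwarders=[],
               zone_transfers="any", listen_addresses="all", cache_pollution_prevention=False,
               dynamic_update="nonsecure", on_domain_controller=False, ad_integrated=False,
               firewall_port53="any")
MEDIUM_CFG = dict(internet_facing=False, recursion=True, root_hints="internet", forwarders=["10.0.0.53"],
                  zone_transfers="ns-only", listen_addresses=["10.0.0.10"], cache_pollution_prevention=True,
                  dynamic_update="none", on_domain_controller=False, ad_integrated=False,
                  firewall_port53="restricted")
HIGH_CFG = dict(internet_facing=False, recursion=True, root_hints="internal", forwarders=["10.0.0.53"],
                zone_transfers=["10.0.0.11"], listen_addresses=["10.0.0.10"], cache_pollution_prevention=True,
                dynamic_update="secure", on_domain_controller=True, ad_integrated=True,
                firewall_port53="restricted")

if __name__ == "__main__":
    for label, cfg in [("low", LOW_CFG), ("medium", MEDIUM_CFG), ("high", HIGH_CFG)]:
        print(label, "->", security_level(cfg), findings(cfg))
```

A single weak setting pulls a server back to the low classification, which matches the instructor note earlier in this module that the levels are categories of measures rather than a switch: a medium-level server that still permits zone transfers to any address has handed out its whole zone regardless of how the rest is configured.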
Guidelines for Planning a DNS Server

Introduction
The following guidelines are recommended for planning a DNS server.

Determine server requirements
Planning and deploying DNS servers on your network involve defining the server capacity that your enterprise requires and determining the DNS server configuration.

Determine DNS server placement
When determining server placement, you need to determine the number of servers and their placement. This depends on whether you implement Active Directory and the connection speed between offices.

Determine server functionality
Your DNS server can have any of several different functions. You need to determine if you will employ a caching-only solution, a forward-only server, conditional forwarders, or stub zones. Each of the options has unique characteristics and specialized performance.

Determine the level of security to implement
Finally, you need to determine whether to implement high-level, medium-level, or low-level security based on your DNS configuration and organizational needs.
Practice: Planning DNS Server Security

Introduction
In this practice, you will plan and discuss the challenges of securing a DNS server configuration.

Objective
The objective of this practice is to plan the DNS server security.

Instructions
1. Read the scenario.
2. Prepare to discuss the challenges of this task in a post-practice discussion.

Scenario
You are a DNS consultant for Contoso, Ltd, a fast-growing custom automobile parts distributor and manufacturer. The company recently completed a security review by a security consulting firm and was warned that its DNS server was vulnerable to attack because its firewall allowed DNS traffic to and from any server. All of Contoso, Ltd's DNS servers were allowed direct Internet communication through the firewall.
The DNS design document has been changed to read as follows:
The firewall will only allow DNS traffic out to the Internet from the one DNS server on the screened subnet. The only DNS traffic allowed from the intranet will be from the three DNS servers on the corporate network to the DNS server on the screened subnet.
Lesson: Planning a Namespace

Introduction
This lesson discusses concepts and required decisions for planning a namespace.

Objectives
After completing this lesson, you will be able to:
- Examine an existing network environment for factors that might affect DNS design.
- Determine the need for Internet access and multiple namespace considerations.
- Determine namespace design.
Multimedia: Planning a DNS Namespace Strategy

Introduction
The objective of this presentation is to provide guidelines for planning a DNS namespace.

Objectives
You will learn how to:
- Explain how to separate the internal and external namespaces.
- Apply the guidelines for integrating the Active Directory namespace and DNS namespace.
- Explain the importance of choosing a unique name for an internal namespace.
- Decide how the public and private namespaces will be related.
- Explain the importance of planning a hierarchical namespace.

Key questions
When viewing this presentation, you should consider the following questions:
- How will you integrate your internal private namespace and your external public namespace?
- What service must be available before you can create your first Active Directory domain controller?
- What are your business identity needs?
- What are your organization's security requirements?
- What do you need to do to ensure that your private namespace is unique?
- What do you need to do to ensure that only one DNS server requires a root hints file?
(continued)
Top-level name   Purpose                                                   Example
.mil             United States military organizations, such as the         af.mil
                 U.S. Air Force
.net             Networking organizations, including Internet service      psi.net
                 providers (ISPs)
.org             Noncommercial organizations, such as ICANN                ICANN.org

Note: You can find a complete listing of top-level domains at http://www.icann.org.

Obtaining top-level domain names
To obtain a domain name under one of these top-level domains, register it with an ICANN-accredited registrar or another Internet naming authority. When you receive your domain names, you can connect to the Internet and use DNS servers to manage the mapping of names to IP addresses, and vice versa, for host devices contained within your portion of the namespace.

Domain options
After obtaining a domain name, you may choose to:
- Name the computers and network devices within the assigned domain and its subdivisions.
- Delegate subdomains of your domain to other users or customers.

Domain naming conventions
It is strongly recommended that you only use characters in your names that are part of the Internet standard character set permitted for use in DNS host naming. Allowed characters are defined in RFC 1123 as follows: all uppercase letters (A-Z), lowercase letters (a-z), numbers (0-9), and the hyphen (-).
When determining your namespace requirements, you need to decide how you
plan to use DNS and your goals. Consider the following when making yourdecisions:
Do you plan to use your namespace for internal purposes only?
For an internal namespace, you can implement your own DNS root, use anydomain name you want, and use characters outside of the Internet standard
as defined in RFC 1123.
Do you plan to use your namespace on the Internet?
If you plan to use your namespace on the Internet, or think that you mightdo so in the future, you should register your own unique domain name by
using the Internet root servers and ensure that the name conforms to Internetnaming standards.
Do you implement or plan to implement Active Directory?
If you implement or plan to implement Active Directory, you need to ensure
that the namespace hierarchy effectively represents the entire organization
so that it can be used for the Active Directory namespace.
Note
Obtaining top-leveldomain names
Domain options
Domain namingconventions
Determining your
namespacerequirements
-
8/13/2019 Planning DNS
28/70
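The RFC 1123 character rules above can be checked mechanically before a candidate name is taken to a registrar. The following Python is an added example written for this edit, not code from the module; it assumes a small constructed set of delegated top-level domains in place of the live ICANN list (so it runs offline) and adds the 63-character label and 253-character name limits, which the page does not mention, to the character check. It also distinguishes an internal-only namespace, where the page allows other characters, from an Internet-facing one.

```python
import re

# RFC 1123 host-name character set as summarised on this page: letters,
# digits and the hyphen.  A label may not start or end with a hyphen and is
# at most 63 characters; a whole name is at most 253 characters.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Constructed sample of delegated top-level domains for this example only.
# A real planning check consults the current list at http://www.icann.org.
SAMPLE_TLDS = {"com", "net", "org", "mil", "edu", "gov", "biz"}


def check_name(name, internet_facing=True):
    """Return a list of problems found in a candidate domain name.

    With internet_facing=True the RFC 1123 character rules apply.  For an
    internal-only namespace the page allows other characters, so only the
    structural checks (empty labels, length limits) are performed.
    """
    problems = []
    stripped = name.rstrip(".")
    if not stripped:
        return ["empty name"]
    if len(stripped) > 253:
        problems.append("name longer than 253 characters")
    for label in stripped.split("."):
        if label == "":
            problems.append("empty label (leading or doubled dot)")
        elif len(label) > 63:
            problems.append(f"label '{label}' longer than 63 characters")
        elif internet_facing and not LABEL_RE.match(label):
            if "_" in label:
                problems.append(f"label '{label}' uses '_', which RFC 1123 does not allow")
            elif label.startswith("-") or label.endswith("-"):
                problems.append(f"label '{label}' begins or ends with a hyphen")
            else:
                problems.append(f"label '{label}' uses characters outside A-Z, a-z, 0-9 and '-'")
    return problems


def classify(name):
    """Classify an internal-namespace candidate against the page's guidance.

    'invalid'        fails the checks above
    'registrable'    ends in a delegated TLD, so it can be registered
    'unregistrable'  ends in a TLD that is not in the sample root (for
                     example .local), so it can never be registered
    """
    if check_name(name):
        return "invalid"
    tld = name.rstrip(".").rsplit(".", 1)[-1].lower()
    return "registrable" if tld in SAMPLE_TLDS else "unregistrable"
```

The classify() result maps onto the Important note later in this lesson: a name that is "unregistrable" may work internally but can never be protected at a registrar, which is exactly the merger collision the module warns about.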
Selecting a domain name
You should choose a domain name that is meaningful and represents your entire organization, even if you do not currently plan to use this name externally. This allows you to continue to use the name in the future if you change your plans. It will also enable you to use the namespace for any future Active Directory implementation.
Checking a domain name for uniqueness
After you have chosen a domain name that you would like to use, you need to check whether it is unique. To check the uniqueness of a domain name, you can:
Use the Registry Whois tool at http://www.internic.net. This site allows you to see if anybody has previously registered a particular domain name.
Visit http://www.domainsurfer.com to view a list of all registered domain names that contain the text you want to use in your domain name.
Guidelines for using an existing DNS namespace
A primary benefit of using an existing namespace is that you do not need to identify and register an internal name. If you decide to use your existing DNS namespace as your internal namespace, consider the following facts and guidelines:
Users can access a single domain name when they access resources both internally and externally.
You do not need to register additional names with a DNS name registration authority.
Additional administration is required by DNS administrators to ensure that appropriate records are stored on internal and external DNS servers.
Benefits of using a unique namespace
The benefits of a separate public and private namespace include:
Improved security, because users and computers outside the organization cannot access the private namespace.
Minimal impact on the existing namespace.
Minimal effort on the part of the current DNS administrators.
Guidelines for using a unique namespace
You can integrate DNS into an organization's existing namespace by creating separate public and private namespaces. The existing namespace is contained within the public portion of the namespace. The DNS service in Windows Server 2003 would manage the private portion of the namespace.
If you decide to use a namespace that is different from the existing DNS namespace, consider the following facts and guidelines:
Resources are easy to manage and secure.
Existing DNS server content does not need to be replicated to the DNS servers for the internal namespace.
Existing DNS zones and DNS topology can remain unchanged.
The internal namespace is not exposed on the Internet.
Internal resources are not accessible from the Internet.
Using a delegated namespace
Creating a single subdomain within the namespace is very similar to the strategy of creating separate public and private namespaces. However, in this case you do not divide the namespace into public and private portions, but instead specify that all Windows Server 2003-based DNS servers reside beneath a single subdomain within the namespace. For security reasons, it is generally recommended that you enable internal clients to achieve DNS resolution of both internal and external DNS namespaces but not permit external clients to access the internal namespace.
Benefit of using a delegated namespace
The primary benefit of using a delegated namespace is that there is minimal impact on the existing namespace. In addition, this strategy requires minimal effort on the part of the current DNS administrators.
Guidelines for using a delegated namespace
If you decide to use a delegated namespace as the internal namespace or the Active Directory root, consider the following facts and guidelines:
The contiguous namespace that is used is more easily understood by the administrative staff and users.
All internal data is isolated in a domain or domain tree.
A separate DNS server is required for the delegated internal domain.
The internal namespace can be long.
Important
Whatever name you use for your internal namespace, make sure that it is a name that you can and will register with a registrar. You want to avoid a situation in which two companies merge and use the same name for their Active Directory namespace.
Best Practices for Namespace Planning
Introduction
As with any planning decision, wherever possible, you should follow the established best practices when planning to implement namespaces. These best practices include the use of distinguished names, separation of internal and external namespaces, and the creation of namespaces that are compatible with Active Directory. Following these practices will help to minimize the impact of supporting the namespace.
Use distinguished names
When planning your DNS namespace, it is recommended that you use a set of distinguished names that do not overlap as the basis for your internal and external DNS use.
Examples
For example, assuming that your organization's parent domain name is microsoft.com, you could do the following:
Make the internal domain separate and discontiguous with the external namespace, using a name such as microsoft.net (or microsoft.local if you never plan to make the resources available externally).
Make the internal domain separate from the external domain but contiguous with it by using a name such as corp.microsoft.com.
Separate internal and external namespaces
Separating your internal and external namespaces makes it simpler to maintain configurations such as a domain name filter or exclusion lists. If you choose to use the same namespace for internal and external resolution, you need to create a split DNS infrastructure to support this decision.
Create an Active Directory-compatible namespace
When planning your namespace, you need to consider whether you are implementing Active Directory now or in the future. If you plan to implement Active Directory, you must ensure that the namespace you select is compatible with an Active Directory namespace.
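The separation described above, and in the delegated-namespace guidance earlier in this lesson (internal clients resolve both namespaces, external clients never see the private one), can be expressed as two resolver views. The following Python is an added example for this edit, not code from the module or from the Windows DNS Server service: it models an internal server that is authoritative for corp.contoso.com and recurses for everything else, and an external server that knows only the public contoso.com zone and refuses recursion. The networks, names and addresses are constructed for the example, and the stand-in INTERNET table replaces what the internal server would obtain by real recursion.

```python
import ipaddress

# Constructed sample data for this example only.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Private namespace, served only by the internal DNS server.
INTERNAL_ZONE = {
    "dc1.corp.contoso.com": "10.0.0.10",
    "files.corp.contoso.com": "10.0.0.20",
    "intranet.corp.contoso.com": "10.0.0.30",
}

# Public namespace, hosted on the externally reachable DNS server.
PUBLIC_ZONE = {
    "www.contoso.com": "203.0.113.10",
    "mail.contoso.com": "203.0.113.25",
}

# Stand-in for the rest of the Internet tree, which the internal server
# would normally reach by recursion through root hints or a forwarder.
INTERNET = {"www.example.org": "198.51.100.7"}


def is_internal(client_ip):
    """Which view a client gets is decided by its source network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INTERNAL_NETS)


def resolve(client_ip, qname):
    """Answer a query the way the split design answers it.

    Returns (rcode, address): rcode is 'NOERROR', 'NXDOMAIN' or 'REFUSED'.
    """
    qname = qname.lower().rstrip(".")
    if is_internal(client_ip):
        # Internal server: authoritative for corp.contoso.com, and recursion
        # is enabled so the same clients also resolve public names.
        if qname in INTERNAL_ZONE:
            return "NOERROR", INTERNAL_ZONE[qname]
        if qname.endswith(".corp.contoso.com"):
            return "NXDOMAIN", None
        if qname in PUBLIC_ZONE:
            return "NOERROR", PUBLIC_ZONE[qname]
        if qname in INTERNET:
            return "NOERROR", INTERNET[qname]
        return "NXDOMAIN", None
    # External server: serves the public zone only, with recursion disabled.
    # corp.contoso.com is not delegated from the public zone, so internal
    # names do not exist from the Internet's point of view.
    if qname in PUBLIC_ZONE:
        return "NOERROR", PUBLIC_ZONE[qname]
    if qname == "contoso.com" or qname.endswith(".contoso.com"):
        return "NXDOMAIN", None
    return "REFUSED", None
```

The external server answering REFUSED for names it is not authoritative for is as much a part of the design as the NXDOMAIN for internal names: an Internet-facing server that also recurses can be used to enumerate or amplify, which is why the two roles are kept on separate servers.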
Guidelines for Planning a Namespace
Introduction
Resolving names by using DNS is central to Windows Server 2003 operation. Without proper name resolution, users cannot locate resources on the network. It is critical that you create your DNS namespace with Active Directory in mind and that the larger namespace that exists on the Internet does not conflict with your organization's internal namespace. Consider the following guidelines when planning your namespace.
Select a DNS namespace for your domain
Identify the domain name that your organization has registered for use on the Internet (for example, contoso.com). If your company does not yet have a registered domain name, you might want to register a name on the Internet. If you choose not to register a name, make sure that the name you choose is unique. You can find out the domain names that are already in use at http://www.internic.net.
Use different namespaces for internal and external use
For internal use, you could use a namespace such as contoso.com, or a subdomain of the external name, such as corp.contoso.com. The subdomain structure can be useful if you already have an existing DNS namespace. To simplify administration, you can assign different locations or organizations different subdomains, such as nameone.corp.contoso.com or nametwo.corp.contoso.com.
Practice: Planning a DNS Namespace
Introduction
In this practice, you will plan a DNS namespace that is able to support your organization's existing and future plans.
Objective
The objective of this practice is to plan a DNS namespace.
Instructions
1. Read the scenario.
2. Prepare to discuss the challenges of this task in a post-practice discussion.
Scenario
The consulting company that you work for has assigned you to a new account, Contoso, Ltd, to help plan their DNS namespace.
Contoso, Ltd is a fast-growing custom automobile parts distributor and manufacturer. The company is quickly outgrowing its Microsoft Windows NT version 4.0 network infrastructure and is in the planning stages for a migration to Windows Server 2003. The company currently has a WINS infrastructure but no DNS infrastructure.
Contoso, Ltd currently has a Web presence at http://www.contoso.com, which is hosted by its ISP, which also hosts its DNS, mail, and File Transfer Protocol (FTP) services.
The consulting company that Contoso, Ltd was working with previously had prepared a design document for the upgrade. In this document, you found the following information:
Contoso, Ltd is paying its ISP an exorbitant fee to host its computing services. The company would like to host these services itself after it trains or hires the necessary IT professionals and completes its Windows Server 2003 migration.
An Active Directory plan has not yet begun, but after the migration is finished, the company most likely will implement it. Any plans should take this eventuality into account.
Client workstations should be able to resolve both intranet and Internet names and to connect to services on both.
Practice
Plan the DNS namespace for Contoso, Ltd's new computing infrastructure. Describe the steps that you would take to ensure that the namespace meets the technical and business needs now and in the future.
A possible answer could be:
You could use the existing external namespace. This will be hosted on the company's externally accessible DNS server. An internal DNS server can provide services for the internal namespace. The servers should communicate to resolve external names for queries from the internal clients, but not internal names for queries from external (Internet) clients.
Provide several possible names for the internal namespace that would be able to support future technologies, such as Active Directory, which could possibly use the new name as its namespace.
For example, you might come up with names such as contoso-corp01.com, contoso.biz, and so on.
Check to see that the name candidates are available and can be registered with a registrar. If they are not available, continue thinking of other names and check them for availability.
Take a short list of available name candidates to the Contoso, Ltd decision makers and get approval on the final name, and then register this name with a registrar.
Lesson: Planning Zones
Introduction
This lesson presents information that you will need to determine whether to use one or more zones in a DNS strategy. In addition, the lesson discusses required zone configurations.
Objectives
After completing this lesson, you will be able to:
Determine zone requirements.
Identify zone types.
Identify zone security requirements.
Specify zone configurations.
Selecting Zone Types
Introduction
You need to determine the zone types to use in your DNS plan and choose the appropriate storage locations for the zones. The DNS zone types you choose will influence the placement of DNS servers in a name resolution design, because each zone type solves a specific requirement within a DNS plan.
What are standard zone files?
Standard zone files, also known as traditional DNS zone files, are zone files that are stored as text files on the server's hard drive. To use standard zone files, you create a zone on the DNS server that you plan to use to perform DNS database administration. This server becomes the primary zone server, where all updates occur, such as resource record additions or deletions. When you create a DNS server to function as a secondary zone server, you specify the name or the IP address of the primary zone server that will provide a copy of the zone file. You can use secondary zone servers to provide load balancing and a certain degree of fault tolerance.
Standard DNS zones store the zone information in a file on a computer running Windows Server 2003 and DNS. Standard DNS zones:
Follow a single-master model for storing and replicating zone information. Primary zones are the only zone types that support a read/write copy of the zone information. You are allowed only one primary zone, but you can replicate read-only copies of the zone information to any number of secondary zones and stub zones.
Allow zone transfers between primary and secondary or stub zones to occur incrementally or by transferring the entire zone contents. The DNS Server service in Windows Server 2003 supports both incremental and complete zone transfers.
Function identically to Berkeley Internet Name Domain (BIND)-based DNS servers. Traditional DNS zones have the same benefits and constraints as BIND-based DNS zones. You can use traditional DNS zones if high interoperability with BIND-based DNS servers is a design requirement.
What are Active Directory-integrated zones?
Active Directory-integrated zones store DNS zone information in Active Directory. Active Directory-integrated zones are:
Multimaster, read/write copies of the zone information. The multimaster characteristic enables you to make updates to the original Active Directory-integrated zone or to replicated copies of the zone. It ensures that you can always perform updates to the DNS zone information.
Note
As a best practice, select Active Directory-integrated zones if your DNS design includes dynamic updates to DNS. Traditional DNS zones are not multimaster, so the failure of a DNS server with a primary zone prevents dynamic updates.
Replicated by Active Directory. Because Active Directory-integrated zones store the zone information in Active Directory, zone information is replicated along with the other Active Directory data.
Required for secured, dynamically updated DNS zones. Because Active Directory-integrated zones store the zone information in Active Directory, you establish permissions for the computer, group, or user that can update the DNS zone information.
Replicated according to an administratively selectable scope. You can replicate DNS data to DNS servers within a forest, within a domain, or on specific domain controllers in an Active Directory partition. You can also replicate Active Directory-integrated zone information to traditional secondary zones outside the domain.
Treated as a traditional primary zone by a BIND-based DNS server. Active Directory-integrated zones appear as traditional primary zones to a BIND-based DNS server. You can replicate DNS data to other Active Directory-integrated zones or to traditional secondary zones.
DNS zone types
There are three different zone types to choose from in a DNS plan.
Primary
Primary zones are read/write copies of zone information. A traditional primary zone is periodically transferred to servers hosting secondary zones to ensure that the secondary zone server's copy of the file is current. With Windows Server 2003 DNS servers, the primary zone server initially transfers a full copy of the zone file and then subsequently sends only changes to the secondary zone server. Active Directory-integrated primary zone information is replicated by Active Directory to other servers hosting the Active Directory-integrated zone.
Secondary
Secondary zone servers provide only limited fault tolerance: they continue to respond to DNS queries, but they cannot perform updates, because they have only a read-only copy of the zone file. Windows 2000 DNS supports incremental zone transfers (IXFR), in which the primary zone server sends only the changes that have occurred to the zone file since the last zone transfer. Secondary zone types cannot be stored in Active Directory.
Stub
A stub zone is also a read-only copy of a zone. However, a stub zone contains just a subset of the records associated with that zone. It contains information about the name servers that are authoritative for that domain, allowing a client (or other DNS server) to go directly to an authoritative server without having to visit intermediate servers. This can increase the efficiency of the name resolution process across zones and across discontiguous namespaces. Information in a stub zone may be transferred if a traditional stub zone is used, or replicated by Active Directory if the stub zone is Active Directory-integrated.
Using stub zones
Stub zones enable a DNS server to perform recursion by using the stub zone's list of name servers without needing to query the Internet or an internal root server for the DNS namespace.
Using stub zones throughout your DNS infrastructure enables you to distribute a list of the authoritative DNS servers for a zone without using secondary zones. However, stub zones do not serve the same purpose as secondary zones and should not be considered when addressing redundancy and load sharing.
Important
A DNS server configured with a stub zone is not authoritative for that zone. The stub zone identifies DNS servers that are authoritative for the zone.
Selecting Zone Data Location
Introduction
When planning your DNS implementation, you need to identify where the DNS zone files will be located. You can store DNS data in standard DNS zones, but in an Active Directory environment, you can choose Active Directory-integrated zones or a combination of the two.
Because Active Directory-integrated zones can replicate DNS data to traditional secondary DNS zones, you can use a combination of both zone types. You might want to do this if you have DNS servers from different vendors.
Comparison of zone types
The following table compares Active Directory-integrated zones with traditional DNS zones.
Features of DNS                                                                                       Active Directory-integrated zones   Traditional DNS zones
Adheres to current Internet Engineering Task Force (IETF) specifications.                             Yes                                 Yes
Uses a zone information replication method that is based on Active Directory replication.            Yes                                 No
Improves availability because each DNS server contains a read/write copy of the zone information.    Yes                                 No
Allows updates to the zone information, even with the failure of a single DNS server.                 Yes                                 No
Supports incremental zone transfers.                                                                  Yes                                 Yes
Zone Security Considerations
Introduction
After you have identified the zones and their storage locations, you need to consider how to secure them. You can secure DNS access from private and public networks in several ways. Your security measures will depend on how you have planned your zones. The DNS zone security considerations include:
Secured dynamic updates in Active Directory.
Dynamic updates from DHCP.
DNS client dynamic updates.
Secured dynamic updates in Active Directory
Secured dynamic updates are a feature found only in Active Directory-integrated zones. Because the DNS zone information is stored in Active Directory, you can secure this information by using Active Directory security features. After you integrate a zone with Active Directory, you can use the access control list (ACL) editing features that are available in the DNS console to add or remove users or groups from the ACL for a specified zone or resource record.
When planning to secure dynamically updated DNS zones in your plan, consider the permissions:
To update the DNS zone, which are set in the DNS zone container within Active Directory.
That can be assigned for the entire DNS zone or for individual resource records within the zone.
That can be assigned to a computer, group, or user account.
Dynamic DNS updates from DHCP
You can specify that the DHCP servers within your network dynamically update DNS when the DHCP server configures a DHCP client computer. On the DHCP server, you specify the DNS zone(s) that the DHCP server is responsible for automatically updating. On the DNS server, you specify the DHCP server as the only computer that is authorized to update the DNS entries.
If you use multiple Windows Server 2003 DHCP servers on your network and also configure your zones to allow secure dynamic updates only, you need to use Active Directory Users and Computers to add your DHCP servers to the built-in DnsUpdateProxy group. This will grant all of your DHCP servers secure rights to perform proxy updates for any of your DHCP clients.
You should include dynamic DNS updates from DHCP servers if:
The DNS client operating system is not Windows 2000, Windows XP, or Windows Server 2003.
Assigning the permissions that enable each computer, group, or user to update their respective DNS entries becomes unmanageable.
Allowing individual DNS clients to update DNS entries presents security risks that could potentially allow unauthorized computers to impersonate authorized computers.
DNS client dynamic updates
DNS clients running Windows 2000, Windows XP, and Windows Server 2003 can directly update DNS automatically. When these clients start, the DNS client can connect to the DNS server and automatically register the DNS client with the DNS server. You should include DNS clients that directly update DNS if:
The computer has a manually assigned, fixed IP address.
Assigning the permissions that enable the computer to update DNS entries is manageable.
Allowing individual DNS clients to update DNS entries poses no potential security risks.
By default, the Dynamic updates setting is not configured to allow dynamic updates. This is the most secure setting because it prevents an attacker from updating DNS zones, but this setting prevents you from taking advantage of the benefits to administration that dynamic update provides. To have computers securely update DNS data, store DNS zones in Active Directory and use the secure dynamic update feature.
Zone permissions
The DACL on the DNS zones that are stored in Active Directory allows you to control the permissions for the Active Directory users and groups that may control the DNS zones.
The following table lists the default group or user names and permissions for DNS zones that are stored in Active Directory.
Group or user names                    Permissions
Administrators                         Allow: Read, Write, Create All Child objects, and Special Permissions
Authenticated Users                    Allow: Create All Child objects
Creator Owner                          Special Permissions
DnsAdmins                              Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects, and Special Permissions
Domain Admins                          Allow: Full Control, Read, Write, Create All Child objects, and Delete Child objects
Enterprise Admins                      Allow: Full Control, Read, Write, Create All Child objects, and Delete Child objects
Enterprise Domain Controllers          Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects, and Special Permissions
Everyone                               Allow: Read and Special Permissions
Pre-Windows 2000 Compatible Access     Allow: Special Permissions
System                                 Allow: Full Control, Read, Write, Create All Child objects, and Delete Child objects
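The secure dynamic update behaviour described in the Zone Security Considerations topic (secured updates, proxy updates from DHCP servers, direct client updates) and the default DACL in the table above can be traced through with a small model. The following Python is an added example for this edit, not code from the module or from Windows: it represents only the ACL entries that decide a dynamic update (Create All Child objects for Authenticated Users, Creator Owner for the principal that registered a record, Full Control for the administrative groups) and treats DnsUpdateProxy membership as shared ownership between DHCP servers. That treatment, the principal names and the addresses are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Simplified model of the default zone DACL in the table above: only the
# entries that decide a dynamic update are represented.
FULL_CONTROL = {"DnsAdmins", "Domain Admins", "Enterprise Admins",
                "Enterprise Domain Controllers", "System"}
CAN_CREATE = {"Authenticated Users"}      # Allow: Create All Child objects


@dataclass
class Principal:
    name: str
    groups: set = field(default_factory=set)   # assumed memberships for the example


@dataclass
class Record:
    owner: str            # Creator Owner: the principal that registered the record
    owner_groups: set
    data: str


class SecureZone:
    """Active Directory-integrated zone configured for secure dynamic update only."""

    def __init__(self):
        self.records = {}

    def dynamic_update(self, who, name, data):
        """Return 'created', 'updated' or 'refused' for one dynamic update."""
        admin = bool(who.groups & FULL_CONTROL)
        existing = self.records.get(name)
        if existing is None:
            # Any authenticated principal may create a new record object and
            # becomes its Creator Owner.
            if admin or who.groups & CAN_CREATE:
                self.records[name] = Record(who.name, set(who.groups), data)
                return "created"
            return "refused"
        # An existing record may be changed by its owner or by a full-control
        # principal.  A second computer claiming another computer's name is
        # refused: this is the impersonation the page says secure update prevents.
        if admin or who.name == existing.owner:
            existing.data = data
            return "updated"
        # Proxy updates (assumed simplification): DHCP servers in the
        # DnsUpdateProxy group may update records registered by any member of
        # that group, so several DHCP servers can maintain the same clients.
        if "DnsUpdateProxy" in who.groups and "DnsUpdateProxy" in existing.owner_groups:
            existing.data = data
            return "updated"
        return "refused"


def demo():
    """Walk through the scenarios discussed on this page; returns each outcome."""
    zone = SecureZone()
    ws1 = Principal("WS1$", {"Authenticated Users"})
    rogue = Principal("ROGUE$", {"Authenticated Users"})
    dhcp1 = Principal("DHCP1$", {"Authenticated Users", "DnsUpdateProxy"})
    dhcp2 = Principal("DHCP2$", {"Authenticated Users", "DnsUpdateProxy"})
    admin = Principal("alice", {"Authenticated Users", "DnsAdmins"})
    guest = Principal("anonymous", {"Everyone"})
    return {
        "ws1 registers itself": zone.dynamic_update(ws1, "ws1.contoso-corp01.com", "10.0.0.50"),
        "ws1 updates its own address": zone.dynamic_update(ws1, "ws1.contoso-corp01.com", "10.0.0.51"),
        "rogue overwrites ws1": zone.dynamic_update(rogue, "ws1.contoso-corp01.com", "10.0.0.66"),
        "dhcp1 registers printer": zone.dynamic_update(dhcp1, "printer.contoso-corp01.com", "10.0.0.70"),
        "dhcp2 renews printer": zone.dynamic_update(dhcp2, "printer.contoso-corp01.com", "10.0.0.71"),
        "admin fixes any record": zone.dynamic_update(admin, "ws1.contoso-corp01.com", "10.0.0.52"),
        "unauthenticated create": zone.dynamic_update(guest, "evil.contoso-corp01.com", "10.0.0.99"),
    }
```

The refused "rogue overwrites ws1" case is the reason the page says to keep zones in Active Directory and use secure updates when clients register themselves; in a standard zone with nonsecure dynamic update enabled there is no owner to check against, and the same request would succeed.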
Practice: Planning Zones
Introduction
In this practice, you will determine the zone type, zone storage location, and zone security that you will implement based on the provided scenario.
Objective
The objective of this practice is to plan a DNS zone.
Instructions
1. Read the scenario.
2. Prepare to discuss the challenges of this task in a post-practice discussion.
Scenario
You are the systems engineer for Contoso, Ltd, a rapidly growing custom automobile parts distributor and manufacturer. The company is currently planning its DNS zones. You examine the design document and find the following information:
A new branch office is being opened that will have a local Active Directory domain controller.
The branch office will have a T1 link back to the main corporate office.
There will be two Active Directory domain controllers on the corporate network.
The internal namespace (and Active Directory root) will be Contoso-corp01.com.
Lesson: Planning Zone Replication and Delegation
Introduction
This lesson discusses the central principles of planning zone replication. These principles include identifying server configurations, zone delegation, and fault-tolerance requirements.
Objectives
After completing this lesson, you will be able to:
Determine DNS server configuration.
Determine if a zone should be delegated to improve performance.
Identify fault-tolerance requirements.
When to Create a Secondary Zone
Introduction
You need to address several considerations when determining the placement of a secondary zone. Although some of these considerations might not apply to your particular environment, you will need to plan for zone transfer and zone replication.
Provide zone redundancy
Adding DNS servers provides zone redundancy, enabling the resolution of DNS names in the zone for clients if a primary server for the zone stops responding. The more servers you have that are authoritative for a particular zone, the less likely it is that queries will go unanswered for resources in that zone.
Reduce network traffic
Carefully planned placement of additional DNS servers can significantly reduce DNS network traffic. For example, adding a DNS server to the opposite side of a low-speed WAN link can be useful in managing and reducing network traffic. If you place servers close to large client populations or close to isolated networks, you can reduce the amount of query traffic that has to flow across potentially costly and slow WAN links.
Reduce loads on the primary server
You can use additional secondary servers to reduce loads on a primary server for a zone. For example, you can direct clients to secondary servers that service queries from local clients only, not clients from across the entire enterprise.
Zone transfer and replication requirements
Zone replication and zone transfers occur when you implement a secondary server. For security reasons, you should only allow zone transfers with hosts that you specifically configure.
Zone Transfers and Replication
Introduction
Because of the essential role that zones play in DNS, it is important that they be available from more than one DNS server on the network to provide availability and fault tolerance when resolving name queries. Your implementation of DNS zones determines whether you will use zone transfer or replication. Zone transfers occur in a traditional DNS zone. Zone replication occurs in an Active Directory-integrated zone.
Zone transfers for traditional DNS zones
Zone transfers are always initiated by a zone's secondary server, which sends the request to the configured master servers that act as the source for the zone. Master servers can be any other DNS server that loads the zone, such as the primary server for the zone or another secondary server. When the master server receives the request for the zone, it can reply with either a partial or a full transfer of the zone to the secondary server.
In earlier DNS implementations, any request for an update of zone data required a full transfer of the entire zone database. In current DNS implementations, an incremental transfer allows the secondary server to pull only those zone changes it needs to synchronize its copy of the zone with its source, which is either a primary or a secondary copy of the zone maintained by another DNS server.
When incremental transfers are supported by both the DNS server acting as the source for a zone and any servers that copy the zone from it, they provide a more efficient method of propagating zone changes and updates. Because the incremental transfer process requires substantially less network traffic, zone transfers are completed much more quickly.
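The full versus incremental transfer behaviour described above, together with the primary, secondary and stub zone types from the Selecting Zone Types topic, as an added example written for this edit (not code from the module or from the Windows DNS Server service). It is a simplified Python model: the primary keeps a serial number and a change journal, a secondary refreshes by incremental transfer when the journal covers its serial and falls back to a full transfer otherwise, and a stub holds only the name-server list and can therefore refer but not answer. Zone names and addresses are constructed; the secondary's master is the primary here, although, as the page notes, it could be another secondary.

```python
class PrimaryZone:
    """Read/write copy: a serial, the records, and a journal of changes
    that incremental transfers are served from."""

    def __init__(self, name, serial, records, ns):
        self.name = name
        self.serial = serial
        self.records = dict(records)   # {owner name: (type, data)}
        self.ns = list(ns)             # authoritative name servers
        self.journal = []              # [(serial after change, op, owner, rr)]

    def update(self, op, owner, rr=None):
        """Apply one add or delete and bump the serial, as a dynamic update does."""
        if op == "add":
            self.records[owner] = rr
        elif op == "delete":
            rr = self.records.pop(owner)
        else:
            raise ValueError(op)
        self.serial += 1
        self.journal.append((self.serial, op, owner, rr))

    def axfr(self):
        """Full transfer: the whole zone at the current serial."""
        return self.serial, dict(self.records)

    def ixfr(self, since_serial):
        """Incremental transfer: changes after since_serial; [] if the requester
        is current; None if the journal cannot bridge the gap, in which case the
        requester falls back to a full transfer."""
        if since_serial > self.serial:
            return None
        if since_serial == self.serial:
            return []
        covered_from = self.journal[0][0] - 1 if self.journal else self.serial
        if since_serial < covered_from:
            return None
        return [change for change in self.journal if change[0] > since_serial]


class SecondaryZone:
    """Read-only copy refreshed from a master (the primary in this example)."""

    def __init__(self, master):
        self.master = master
        self.serial = 0
        self.records = {}
        self.last_transfer = None     # 'AXFR', 'IXFR' or 'none'

    def refresh(self):
        """Ask for an incremental transfer first; fall back to a full one."""
        if self.serial == self.master.serial:
            self.last_transfer = "none"
            return
        changes = self.master.ixfr(self.serial)
        if changes is None:
            self.serial, self.records = self.master.axfr()
            self.last_transfer = "AXFR"
            return
        for new_serial, op, owner, rr in changes:
            if op == "add":
                self.records[owner] = rr
            else:
                self.records.pop(owner, None)
            self.serial = new_serial
        self.last_transfer = "IXFR"

    def update(self, *args):
        raise PermissionError("secondary zones are read-only; update the primary")


class StubZone:
    """Only the serial and NS records: enough to refer a query to an
    authoritative server, not enough to answer it."""

    def __init__(self, master):
        self.name = master.name
        self.serial = master.serial
        self.ns = list(master.ns)

    def refer(self, qname):
        """Return the authoritative servers for a name under the zone, else None."""
        if qname == self.name or qname.endswith("." + self.name):
            return list(self.ns)
        return None


def demo():
    """Constructed walk-through: the first refresh is a full transfer, the
    next carries only the delta, and the stub answers only with a referral."""
    primary = PrimaryZone("contoso-corp01.com", 2003081301,
                          {"dc1.contoso-corp01.com": ("A", "10.0.0.10")},
                          ["dc1.contoso-corp01.com"])
    secondary = SecondaryZone(primary)
    secondary.refresh()
    first = secondary.last_transfer
    primary.update("add", "files.contoso-corp01.com", ("A", "10.0.0.20"))
    secondary.refresh()
    second = secondary.last_transfer
    stub = StubZone(primary)
    return first, second, secondary.serial == primary.serial, stub.refer("files.contoso-corp01.com")
```

The journal is the part worth noticing: a secondary that has been offline longer than the journal covers cannot be served incrementally and silently costs a full transfer, which is the traffic case the placement guidance on the previous page is trying to avoid across slow links.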
Replication for Active Directory-integrated zones
Active Directory replication provides an advantage over standard DNS replication. With standard DNS replication, only the primary server for a zone can modify the zone. With Active Directory replication, all domain controllers for the domain can modify the zone and then replicate the changes to other domain controllers. This replication process is known as multimaster replication because multiple domain controllers, or masters, can update the zone.
Replication processing is performed on a per-property basis, which means that only relevant changes are propagated. Replication processing differs from DNS full zone transfers, in which the entire zone is propagated. Replication processing also differs from incremental zone transfers, in which the server transfers all changes made since the last transfer. With Active Directory replication, however, only the final result of all changes to a record is sent.
The DNS zones that are used to support an Active Directory domain are stored in the domain or application directory partitions of Active Directory.
46 Module 5: Planning a DNS Strategy
Zone Transfer Security Measures

Introduction
After you have identified the replication process that you will use, you must secure the zone transfers. You can secure your zone transfers in several different ways.

Restricting zone transfers
By default, the Windows Server 2003 DNS Server service only allows zone information to be transferred to servers listed in a zone's NS resource records. Although this is a secure configuration, for increased security you should change this setting to allow zone transfers only to specified IP addresses. Your network security specialists still need to protect your network against IP spoofing, in case an attacker attempts to impersonate one of your specified IP addresses. Be aware that changing this setting to allow zone transfers to any server exposes your DNS data to an attacker who is attempting to footprint your network: a single AXFR request then returns every name and address in the zone. Verify the setting from an address that is not on the list; a correctly restricted server answers the request with REFUSED.
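A practitioner checking this setting wants to see what an unauthorized zone transfer request actually gets back. The following Python script is an added example, not part of the course or of the Windows DNS Server service: it builds a raw AXFR query, can send it over TCP to a server you are authorized to test, and classifies the first reply as REFUSED or as a transfer in progress. The two reply builders are constructed samples of what a restricted and an open server send, so the classifier can be exercised offline; the transaction ID, zone name and SOA values are arbitrary.

```python
import socket
import struct

QTYPE_AXFR, QTYPE_SOA, CLASS_IN = 252, 6, 1
TXID = 0x1234  # fixed transaction ID so the offline samples can echo it
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_axfr_query(zone: str, txid: int = TXID) -> bytes:
    """DNS header (flags 0: plain query) plus one question of type AXFR, class IN."""
    return (struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
            + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, CLASS_IN))


def skip_name(msg: bytes, pos: int) -> int:
    """Return the offset just past the name at pos (handles compression pointers)."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length


def classify_response(msg: bytes, txid: int = TXID) -> dict:
    """Decode the first response message: a transfer is under way only if the
    server answered NOERROR and the first answer record is the zone's SOA."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4          # skip QTYPE and QCLASS
    first_type = None
    for i in range(ancount):
        pos = skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        first_type = rtype if i == 0 else first_type
        pos += 10 + rdlen
    return {"rcode": RCODE_NAMES.get(rcode, str(rcode)), "answers": ancount,
            "transfer_allowed": rcode == 0 and first_type == QTYPE_SOA}


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe_axfr(server: str, zone: str, port: int = 53, timeout: float = 5.0) -> dict:
    """Ask one server for a full transfer over TCP (2-byte length framing) and
    classify its first reply. Run it only against servers you are authorized to test."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _recv_exact(sock, 2))
        return classify_response(_recv_exact(sock, length))


# Constructed replies for offline use, modelled on what real servers send.
def sample_refused_reply(query: bytes) -> bytes:
    """A correctly restricted server: QR set, RCODE 5 (REFUSED), question echoed."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, 0x8005, 1, 0, 0, 0) + query[12:]


def sample_leaked_reply(query: bytes, zone: str) -> bytes:
    """A server that transfers to anyone: QR and AA set, first answer is the SOA."""
    txid = struct.unpack("!H", query[:2])[0]
    rdata = (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
             + struct.pack("!IIIII", 2003081301, 900, 600, 86400, 3600))
    rr = encode_name(zone) + struct.pack("!HHIH", QTYPE_SOA, CLASS_IN, 3600, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0) + query[12:] + rr


if __name__ == "__main__":
    q = build_axfr_query("contoso.com")
    print("restricted server:", classify_response(sample_refused_reply(q)))
    print("open server:      ", classify_response(sample_leaked_reply(q, "contoso.com")))
```

The classifier only looks at the first message of the reply, which is enough to tell an accepted transfer from a refused one; a real AXFR continues with the remaining records and a closing SOA. Remember that a server restricted by IP address can still be talked into a transfer by a spoofed source address if the surrounding network does not filter spoofing, which is the caveat made above.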
Zone replication security
With the increasing use of virtual private networks (VPNs), DNS zone replication can occur across public networks, such as the Internet. It is important to protect the names and IP addresses replicated over these public networks against unauthorized access. Standard zone transfers carry no encryption of their own, so the protection must come from the transport: you can protect the replication data by using IP Security (IPSec), VPN tunnels, or Active Directory.

Encryption using IPSec and VPN tunnels
For your security, you need to encrypt all replication traffic that is sent over public networks. If you encrypt replication traffic by using IPSec or VPN tunnels, you should consider using:
The strongest level of encryption and VPN tunnel authentication.
Routing found in the Routing and Remote Access feature of Windows 2000 to provide the IPSec or VPN tunnels.
Encryption and authentication using Active Directory
You can protect replication traffic by using Active Directory-integrated zones. Because these zones are based on Active Directory, they provide inherent security by:
Exclusively replicating between DNS servers that have Active Directory-integrated zones.
Requiring all DNS servers that have Active Directory-integrated zones to be registered with Active Directory.
Encrypting all replication traffic between DNS servers.
These protections cover replication between domain controllers only. If the zone also allows standard zone transfers to secondary servers that are not domain controllers, those transfers are unencrypted unless IPSec or a VPN tunnel protects them.

Reducing the impact of replication
You can reduce the impact of DNS replication traffic on overused network segments to improve data transmission rates for other network traffic. To improve the performance of replication traffic, consider:
Using fast zone transfers to compress the zone replication data in a standard DNS infrastructure. Note that older versions of BIND do not support fast zone transfers.
Modifying the replication schedule of secondary zones to replicate during non-peak hours of operation.
Performing incremental zone replication instead of complete zone replication when possible.

Note
Incremental zone replication requires BIND version 8.2.1 or later. The Windows NT 4.0 DNS service performs only complete zone transfers.
Guidelines for Planning Zone Replication and Delegation

Introduction
The following are the recommended guidelines for planning zone replication and delegation.

Identify when to create additional zones
You might need additional secondary zones. There are two primary reasons to create an additional zone:
To achieve zone redundancy.
To reduce network traffic and the load on the primary server.

Determine replication methodology
If you use Active Directory-integrated zones, the zone data is replicated by Active Directory replication between domain controllers; standard zone transfers are still needed for any secondary server that is not a domain controller. If you use the traditional DNS zone structure, you must use zone transfers.

Determine replication security requirements
You can use a variety of methods to implement security. Your choice of method depends on the replication requirements of your environment.

Determine the need for delegating a zone
You need to determine whether you will delegate the management of one or more of your zones. Reasons to do so include extending the namespace, distributing the load among several servers, and delegating zone management to another individual or group.
Practice: Planning Zone Replication and Delegation

Introduction
In this practice, you will plan the zone replication and delegation for a newly acquired company.

Objective
The objective of this practice is to plan zone replication and delegation.

Instructions
1. Read the scenario.
2. Prepare to discuss the challenges of this task in a post-practice discussion.

Scenario
You are a systems engineer for Contoso, Ltd, a rapidly growing custom automobile parts distributor and manufacturer that has recently acquired a research and development firm, Fabrikam, Inc.

Fabrikam, Inc. has five BIND version 8.3.3 departmental DNS servers in its primarily UNIX network environment. Contoso, Ltd plans to place a Windows Server 2003 domain controller with DNS installed in the Fabrikam, Inc. environment and establish a VPN between the two companies to share data and begin merging the two data infrastructures.

There will be a large number of file shares on the Windows Server 2003 computer, and client/server traffic between the two companies will steadily increase. Fabrikam, Inc. wants to reduce the DNS load on the Windows Server 2003 server by using the existing BIND servers.
Practice
How can you use the BIND servers to reduce the load on the Windows Server 2003 server for queries for names in the Contoso, Ltd zone?
You can create secondary zones on the BIND servers to allow each of the departmental DNS servers to resolve names in the Contoso, Ltd zone. BIND 8.3.3 supports incremental zone transfers, so the secondaries can be kept current without repeated full transfers across the VPN.

What should you do to allow zone transfers between the Windows Server 2003 DNS server and the departmental BIND servers?
On the Contoso, Ltd zone on the Windows Server 2003 DNS server, restrict zone transfers to a list of specified IP addresses and enter the address of each BIND secondary server. The transfers cross the VPN, so the tunnel, not the zone transfer itself, protects them in transit.

In the future, Fabrikam, Inc. might adopt the Contoso, Ltd name. What can you do with the Fabrikam, Inc. namespace to allow Fabrikam, Inc. to maintain some degree of autonomy over the DNS data in its organization?
A Fabrikam, Inc. subdomain can be created in the Contoso, Ltd zone and delegated to the Fabrikam, Inc. DNS servers so that Fabrikam, Inc. can administer its own zone information.
Lesson: Integrating DNS and WINS

Introduction
This lesson discusses the integration of DNS and WINS in an environment that uses NetBIOS and host name resolution.

Enabling objectives
After completing this lesson, you will be able to:
Determine when to configure DNS servers to use WINS for host name resolution.
Explain how to designate a subdomain for WINS resolution.
Multimedia: Integrating DNS and WINS

Introduction
The objective of this presentation is to explain the name resolution process when a DNS zone is configured for WINS forward lookup.

Objectives
You will learn how to:
Explain how a DNS server can use WINS to resolve host names.
Explain why the authoritative DNS server requires WINS records.

Key questions
When viewing this presentation, you should consider the following questions:
Can a DNS server resolve NetBIOS names?
Which DNS server needs to be configured for WINS lookup?
WINS Integration

Introduction
The DNS Server service lets you use WINS servers to look up names not found in the DNS domain namespace by checking the NetBIOS namespace managed by WINS. Two special resource record types, the WINS and WINS-R records, are used to integrate DNS and WINS.

A typical reason to use this feature is a heterogeneous computing environment in which you have hosts that cannot query and register with WINS themselves (for example, a UNIX host) combined with hosts that can only dynamically register NetBIOS names with WINS (for example, Windows NT 4.0 or Windows 95 hosts). Using WINS integration, the UNIX hosts can resolve the Windows host names by using DNS. Because any host can register a NetBIOS name with WINS without authentication, a name resolved through WINS is only as trustworthy as the WINS database; enable the feature only in zones where that is acceptable.

WINS resource records
You use a WINS forward lookup resource record to provide further resolution of DNS queries for names that were not found in a zone, by sending a name query to the WINS servers configured and listed in this record. If used, the WINS record applies only to the topmost level within a zone and not to subdomains used in the zone.
The following table describes the various fields that are used with the WINS resource record.

Field               Description
Owner               Indicates the owner domain for this record. This field should always be set to @ to indicate that the current domain is the same as the zone origin.
Class               Indicates the class for this record. This field should always be set to IN because the Internet class is the only supported class for DNS servers running Windows Server 2003.
Local               Indicates that the WINS resource record is only to be used locally at the DNS server and is not to be included during zone replication with other DNS servers. This field corresponds to the Do not replicate this record check box that is selected or cleared during the process of configuring WINS lookup in the DNS console. If the check box was cleared, this field will not be included when the record is written to the zone.
Lookup_timeout      Is the timeout value that is applied for this record.
Cache_timeout       Is the cache timeout value that is applied for this record.
Wins_ip_addresses   Is used to specify one or more IP addresses of WINS servers. At least one IP address of a valid WINS server is required.

Syntax
owner class WINS [LOCAL] [Lookup_timeout] [Cache_timeout] wins_ip_addresses

Examples
@ IN WINS 10.0.0.1
@ IN WINS LOCAL L1 C10 10.10.10.1 10.10.10.2 10.10.10.3

Note
In the provided WINS resource record examples, the zone root is assumed to be the current origin.

WINS-R resource records
You use a WINS-R resource record in a reverse lookup zone to provide further resolution for reverse queries that were not found in the zone. When using this record, you need to specify the parent domain to be appended to a NetBIOS computer name when a successful reverse lookup occurs. Other fields used in the WINS-R resource record have a similar description and purpose as previously described for their use in the WINS forward lookup record.

WINS-R resource record syntax
owner class WINS-R [LOCAL] [Lookup_timeout] [Cache_timeout] Domain_to_append_to_returned_NetBIOS_names
WINS-R resource record examples
@ IN WINS-R LOCAL L1 C10 example.microsoft.com.
@ IN WINS-R wins.example.microsoft.com.

Note
In the provided WINS-R resource record examples, the zone root is assumed to be the current origin.

WINS reverse lookup
Because the WINS database is not indexed by IP address, the DNS service cannot send a reverse name lookup to the WINS service to get the name of a computer based on its IP address. The DNS service instead sends a NetBIOS node adapter status request directly to the IP address implied in the DNS reverse query. When the DNS server gets the NetBIOS name from the node status response, it appends the DNS domain name from the WINS-R record to the NetBIOS name provided in the node status response and returns the result to the requesting client. The name in that answer is supplied by whatever host currently holds the address, not by any authoritative source, so a reverse lookup answered this way should not be used to make trust decisions.
Modifying Cache Timeout Settings

Introduction
DNS servers cache all information they receive for a time period specified in the returned data. This amount of time is referred to as the Time to Live (TTL). As the name server administrator of the zone, you decide the length of the TTL for the data. Smaller TTL values help to ensure that data about your domain is more consistent across the network if this data changes often. However, you should be aware that this will also increase the load on your name server.

Cache timeout settings
Cache timeout settings indicate to a DNS server how long it should cache any of the information returned in a WINS lookup. By default, this value is set to 15 minutes.

After a DNS server caches the data, it must start decreasing the length of the TTL from its original value so that it knows when to flush the data from its cache. If a query arrives that can be satisfied by this cached data, the TTL that is returned with the data is the current amount of time left before the data is flushed from the DNS server cache. Client resolvers also have data caches and honor the TTL value so that they know when the data should expire.

You configure the Cache timeout parameter by using the Advanced button in the Zone Properties dialog box when you configure the zone. This button appears on either the WINS or WINS-R tab, depending on whether the zone you are configuring is being used for forward or reverse lookup.
Why change cache timeout settings?
If you are using either a WINS or WINS-R resource record, be aware that the minimum TTL set in the start of authority (SOA) record for the zone is not the default TTL used with these records. Instead, when either an IP address or a host name is resolved with WINS lookup, the information is cached on the DNS server for the amount of time configured for the WINS cache timeout value. If this answer is subsequently forwarded to another DNS server, it is sent with the remaining WINS cache timeout as its TTL.

If you have data in WINS that rarely changes, you might be able to lengthen the amount of time this data is cached to more than the default 15 minutes. This reduces the number of queries between a DNS server and a WINS server because the DNS server is able to answer queries out of its cache more often. A longer cache timeout also lengthens the time a stale or spoofed WINS registration keeps being served from the DNS cache, so weigh it against how quickly you need changes to show.
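Both the record syntax given earlier and the cache timeout rule above are easy to get wrong by hand. The following Python parser is an added example and not part of the course or of the DNS Server service: it reads WINS and WINS-R lines in the syntax shown, applies the defaults, separates LOCAL records from those a secondary would receive, and computes the TTL the server hands out for a WINS-resolved answer. It assumes the L and C values are seconds (the page states no unit), uses a default lookup timeout of 2 seconds and the page's 15-minute cache timeout, and takes the sample lines from the page's own examples; the contoso.com origin is invented.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Defaults: 15 minutes of caching as stated on the page; 2 seconds for the lookup
# timeout. L and C are read as seconds here, which is an assumption: the page
# gives no unit for either field.
DEFAULT_LOOKUP_TIMEOUT = 2
DEFAULT_CACHE_TIMEOUT = 15 * 60

RECORD_RE = re.compile(r"^(?P<owner>\S+)\s+IN\s+(?P<type>WINS-R|WINS)\s+(?P<rest>.+)$")


@dataclass(frozen=True)
class WinsRecord:
    rtype: str                      # "WINS" or "WINS-R"
    local: bool                     # LOCAL flag: record is not sent in zone transfers
    lookup_timeout: int
    cache_timeout: int
    wins_servers: Tuple[str, ...]   # WINS only
    append_domain: Optional[str]    # WINS-R only


def parse_wins_record(line: str, origin: str = "contoso.com.") -> WinsRecord:
    """Parse one WINS or WINS-R line in the zone-file syntax shown on the page."""
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a WINS/WINS-R record: {line!r}")
    if m["owner"] != "@":
        raise ValueError("WINS and WINS-R apply only at the zone apex; owner must be @")
    tokens = m["rest"].split()
    local = False
    lookup, cache = DEFAULT_LOOKUP_TIMEOUT, DEFAULT_CACHE_TIMEOUT
    if tokens and tokens[0].upper() == "LOCAL":
        local = True
        tokens.pop(0)
    if tokens and re.fullmatch(r"L\d+", tokens[0]):
        lookup = int(tokens.pop(0)[1:])
    if tokens and re.fullmatch(r"C\d+", tokens[0]):
        cache = int(tokens.pop(0)[1:])
    if m["type"] == "WINS":
        if not tokens:
            raise ValueError("a WINS record needs at least one WINS server address")
        servers = tuple(str(ipaddress.IPv4Address(t)) for t in tokens)  # rejects bad addresses
        return WinsRecord("WINS", local, lookup, cache, servers, None)
    if len(tokens) != 1:
        raise ValueError("a WINS-R record needs exactly one domain to append")
    # A relative name is qualified with the zone origin, as in any zone file.
    domain = tokens[0] if tokens[0].endswith(".") else f"{tokens[0]}.{origin}"
    return WinsRecord("WINS-R", local, lookup, cache, (), domain)


def records_for_transfer(lines):
    """Lines a secondary would receive: LOCAL records stay on this server only."""
    return [line for line in lines if not parse_wins_record(line).local]


def wins_answer_ttl(record: WinsRecord, seconds_in_cache: int) -> int:
    """TTL handed out with a WINS-resolved answer: the WINS cache timeout (not the
    SOA minimum TTL), reduced by the time the entry has already sat in the cache."""
    if seconds_in_cache < 0:
        raise ValueError("elapsed time cannot be negative")
    return max(record.cache_timeout - seconds_in_cache, 0)


# The page's own examples, written out as zone-file lines.
SAMPLE_LINES = [
    "@ IN WINS 10.0.0.1",
    "@ IN WINS LOCAL L1 C10 10.10.10.1 10.10.10.2 10.10.10.3",
    "@ IN WINS-R LOCAL L1 C10 example.microsoft.com.",
    "@ IN WINS-R wins.example.microsoft.com.",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_wins_record(line))
    print("sent in zone transfers:", records_for_transfer(SAMPLE_LINES))
    print("TTL after 5 minutes in cache:", wins_answer_ttl(parse_wins_record(SAMPLE_LINES[0]), 300))
```

The parser refuses records whose owner is not @, which is the page's rule that the records apply only at the zone apex, and rejects a WINS record with no server address; the LOCAL split shows which of the four sample records would leave the server in a transfer.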
WINS Integration Best Practices

Introduction
You can allow DNS clients to resolve host names found in the WINS service. This eliminates the need to create DNS zone entries for all of the computers in your organization. You can resolve host names found in the WINS service by forwarding unresolved DNS queries to a WINS server. You can establish the forwarding of these queries on a zone-by-zone basis.

Designate a subdomain for WINS resolution
To integrate WINS resolution into your DNS design, you designate a subdomain within the organization's namespace that you will use as a placeholder for the WINS names. You need to specify that the subdomain contains no entries except for the WINS and WINS-R resource records. Because a WINS record applies only to the topmost level of its zone, giving WINS a zone of its own means the record covers exactly the names you intend, and the zone's transfer and cache timeout settings can be tuned for WINS data without affecting your statically managed zones.

For organizations that have separate private and public namespaces, you create the subdomain for WINS under the private namespace. For organizations that have the same namespace for private and public name resolution, you create the subdomain for WINS at a level beneath the root of the organization.

Delegate unresolved DNS queries to a subdomain
For domain names that are within the organization's namespace, if you want to:
Resolve names within the WINS service prior to other domains, specify that the DNS queries be forwarded to a delegated subdomain for WINS first.
Resolve names within other domains prior to resolving them within WINS, specify that the DNS queries be forwarded to a delegated subdomain for WINS last.
Lab A: Planning a DNS Strategy

In this lab, you will plan a DNS strategy.

After completing this lab, you will be able to plan the configuration of DNS servers to support an internal and external namespace.

You are a systems engineer for Northwind Traders. You have been asked to plan the configuration of DNS servers for the public Web presence and the internal namespace used in the corporate offices.

Northwind Traders maintains eight separate Web servers that are used for Internet-based access by customers. The Web servers are configured as:
Two Network Load Balancing clusters of three servers, each supporting http://www.nwtraders.com by using round-robin DNS records.
A single Network Load Balancing cluster of two servers supporting b2b.nwtraders.com.
The internal namespace, corp.nwtraders.com, uses Active Directory-integrated zones configured on the domain controll