Installing DNS On Windows 2003
This tutorial will cover the installation of DNS on a Windows 2003 system. By reading through this tutorial you will learn about caveats that need to be noted when installing one of the most important services on a Windows network. • Published: Apr 08, 2004 • Updated: Jul 16, 2004 • Section: Articles & Tutorials :: Windows 2003 • Author: Ricky M. Magalhaes • Printable Version • Adjust font size: • Rating: 2.7/5 - 563 Votes
• • • • •
1 2 3 4 5
Key points will be highlighted that will help to make the installation of DNS on Windows 2003 effective. This article will have a security slant to it as security is a compelling part of any well built network. Planning of the DNS installation is beyond the scope of this article and will be covered in later articles. The installation of DNS in itself is not at all complicated but mitigating aspects and considerations need to be addressed so that security is taken into account as well as planning and redundancy has been factored in to allow for normal operational downtime without disruption to the clients. Specific rules like where to place such a server and how to secure it needs to be taken into consideration and adequate planning will result in successful role out of the service. TCP/IP uses an IP addresses to locate and connect to hosts, people are not partial to remembering numbers and prefer friendly names and thus the need for DNS (Domain Name Service). For example, users prefer the friendly name www.windowsecurity.com, instead of its IP address, 69.20.*.*. DNS is defined in RFCs 1034 and 1035, is used to provide a typical naming convention for locating IP-based computers.
Historically files located on the local machine were used these files were known as host files and need to be maintained and updated by an administrator on every machine so that the resolution of names could be easily facilitated. Imagine maintaining the hosts file for all of the internet domain names and sub domains today. Hence the birth of a distributed database that is around today called DNS, a wonderful service run by a myriad of ISP’s and internet authorities that facilitate the resolution of IP addresses into friendly names that users can type into their browsers or connect to resources with. For more information on the process refer to RFCs 1034 and 1035.
Windows 2003 DNS dependency. If you are running Windows 2003 you will soon realize that a vital service that the active directory can not function without is DNS. The reason for this is that instead of using alternate methods like WINS (Windows Internet Naming Service) DNS is used as it is more versatile and platform independent. DNS is necessary as you already know to resolve names and the interoperation of active directory and other services and applications have come to rely if not take DNS for granted.
Securing your single point of failure. DNS is very useful and necessary in all functional active directory networks for this reason it is recommended that the server computer where DNS is installed is secured and isolated from radical change. To insure that the server is always available be certain that no one makes changes to the server without testing and backing up the configuration. In most cases a successful backup strategy ensures that in the event of a minor mishap or disaster the configuration can be restored on an alternate system. Do not overlook DNS as complex configurations can be difficult to restore without documentation and prior knowledge of destroyed systems. It is always a good idea to mitigate your risk but splitting the DNS function onto two servers’ one primary and one secondary so that if the one goes down DNS has not lost availability. In terms of integrity you need to ensure that no one but authorized users have access and control over the DNS sever this is important as you do not want your resources abused and miss-configured by intruders that have other plans for you vital naming service. If you are in a high security environment it is essential that this server be locked down as it is an easy target for intruders that want to cause a denial of service on you active directory. It may be a good idea to only let LAN users that are part of the domain to query your DNS server to ensure confidentiality of your naming conventions and other sensitive information. By adding these additional layers to your DNS server you can be assured of.
DNS and firewalls. DNS uses TCP and UDP port 53 for lookups and transfers. This needs to be opened on the firewall if you need to use your internal DNS for lookups. Note: this decision will be defined in the planning phase and should be carefully calculated. From a security perspective only publish services to the public domain if it is necessary. If you would like to administer the DNS server remotely you will need to open RCP port 135 only do this is it is necessary and if you have
secured the server. If you are using ISA there are predefined protocol filters that have been define that you can enable.
Server preparation. Most network professionals use DHCP when assigning dynamic IP addresses. In this exercise only use DHCP to assign the DNS server address dynamically to the client but do not assign the server a DHCP address, this will not only break your DNS configuration but will also render your DNS server non functional as the clients will be confused, and will not know where to find the DNS server as the address keeps changing.
Standard configuration Please make sure that all of the Windows updates are done and the latest drivers and Rom packs have been loaded on the server and applied to the hardware this is essential as you do not want to be applying these changes at a later stage when the machine goes into production. Skipping this step will cause unnecessary down time in future. Please make sure that the static IP address is assigned to the server before beginning the installation process. After the entire preamble we are now ready to start installing DNS on our newly configured and prepared server. Ensure that you have Windows Server 2003 Std is installed and that a static IP address has been assigned. Figure 1.1 depicts how DNS should be configured and under the advanced TCP/IP settings. In the DNS settings you must point the server to itself for DNS resolution. If external internet names need to be resolved you can configure a forwarder so that the requests are sent to the DNS server of the ISP or an external DNS server. Selecting a DNS server that is consistently up is paramount as external name resolution rests on this resource.
Figure 1.1
Install Microsoft DNS Server Click on Start, Control Panel, Add or Remove Programs and then on Add or Remove Windows Components. Then click on Components list, then click on Networking Services and then click Details, select the Domain Name System (DNS) check box, and then click OK. Follow the below figure 1.2 for guidance.
Figure 1.2 After installing DNS you will need to test if the installation was successful and if you are able to resolve names. Nslookup is a built-in utility that can be used to test if the service has been installed and configured correctly. Remember to test both internal and external names before concluding your tests. After typing Nslookup it connects to the configured server within your TCP/IP properties or if you run this command form a client it will connect to the DNS server handed out by DHCP. You will then be able to type in the name you want to lookup i.e. www.google.com or machine.localdomain.net it will then resolve the name to an IP address if this happens you have installed and configured DNS correctly. C:\>nslookup *** Default servers are not available Default Server: UnKnown Address: 127.0.0.1 help Commands: (identifiers are shown in uppercase, [] means optional) NAME NAME1 NAME2 help or ? set OPTION All [no]debug [no]d2
-
print info about the host/domain NAME using default server as above, but use NAME2 as server print info on common commands set an option print options, current server and host print debugging information print exhaustive debugging information
[no]defname [no]recurse [no]search [no]vc domain=NAME srchlist=N1[/N2/.../N6] root=NAME retry=X timeout=X type=X querytype=X class=X [no]msxfr ixfrver=X server NAME lserver NAME finger [USER] root ls [opt] DOMAIN [> FILE] -a -d -t TYPE view FILE exit
-
append domain name to each query ask for recursive answer to query use domain search list always use a virtual circuit set default domain name to NAME set domain to N1 and search list to N1,N2, etc. set root server to NAME set number of retries to X set initial time-out interval to X seconds set query type (ex. A,ANY,CNAME,MX,NS,PTR,SOA,SRV) same as type set query class (ex. IN (Internet), ANY) use MS fast zone transfer current version to use in IXFR transfer request set default server to NAME, using current default server set default server to NAME, using initial server finger the optional NAME at the current default host set current default server to the root list addresses in DOMAIN (optional: output to FILE) list canonical names and aliases list all records list records of the given type (e.g. A,CNAME,MX,NS,PTR etc.) sort an 'ls' output file and view it with pg exit the program.
If all is well when you type in nslookup in a command prompt you will be connected to the DNS configured either by DHCP or statically.
Summary In this article I covered important stages of DNS installation and basic recommendations relating to security and architecture. It is important to understand these processes before installing DNS and to take the security recommendations into consideration before installing DNS. Remember that DNS is your central point of failure as it is the naming system that Windows uses.
About Ricky M. Magalhaes Ricky M. Magalhaes is a security specialist that has worked as a consultant and IT technical specialist for the past 8 years. He has been primarily responsible for implementation and design of Security, network architecture, communications, network infrastructure and Security R&D for many South African organizations that he works with. He is a windows 9x product specialist and has been working with the windows product since version win 3.11.
Receive all the latest articles by email! Get all articles delivered directly to your mailbox as and when they are released on WindowsNetworking.com! Choose between receiving instant updates with the Real-Time Article Update, or a monthly summary with the Monthly Article Update. Sign up to the WindowsNetworking.com Monthly Newsletter, written by Dr. Tom Shinder, containing news, the
hottest tips, Networking links of the month and much more. Subscribe today and don't miss a thing!
• • •
Real-Time Article Update (click for sample) Monthly Article Update (click for sample) Monthly Newsletter (click for sample)
Latest articles by Ricky M. Magalhaes • • • • •
A fully featured free IP PBX & SIP Server – 3CX Phone System Product Review Product Review: Desktop Authority Upgrading Windows NT/2000 to Windows 2003 (Part 1) Session Initiation Protocol (SIP) and Its Functions Installing and configuring virtual PC (Part 2)
Related links • • • • •
DNS Conditional Forwarding in Windows Server 2003 DNS Stub Zones in Windows Server 2003 Configuring Windows Server 2003 to act as a NAT router Setting up a DHCP server in Windows 2003 Understanding Advanced TCP/IP Settings in Windows 2003
Featured Links* It's New - SpamTitan Virtual Email Appliance, runs on VMware - Includes Kaspersky AV! 99% spam protection, anti phishing, in/out bound scanning, disclaimers, end user quarantine, reporting suite, simple installation, all from $500-100 users - 30 day free trial! Automatic Event Log Monitoring Let GFI EventsManager do the dirty work - Have event logs monitored automatically and get warned about critical events! Get a free Windows SIP Server / IP PBX IP Telefonanlage, VOIP Telefooncentrale, Centralino Telefonico IP, PABX-IP, Centralita Telefonica VOIP, Centrala Telefoniczna, Telefonni system, IP telefonvaxel, Central Telefonica IP, VOIP Telefonsentral, IP telefonanlaeg, IP Puhelinvaihde, Telefon Sistemi, IP PBX (Russian), IP PBX (Greek), IP PBX (Japanese), IP PBX (Korean), IP PBX (Simplified Chinese), IP PBX
(Traditional Chinese), IP PBX (Arabic) ManageEngine OpManager - The Complete Network Monitoring Software Monitor WAN infrastructure, LAN, Servers, Switches, Routers, Services, Apps, CPU, Memory, AD, URL, Logs, Printers. Satisfies your entire Network infrastructure Management needs. Printing and printer management headaches with Terminal Services/Remote Desktop Services? Try UniPrint! UniPrint universal printer driver eliminates printer driver incompatibility, enables consistently fast printing, saves bandwidth, and simplifies printer management.
Receive all the latest articles by email! Receive Real-Time & Monthly WindowsNetworking.com article updates in your mailbox. Enter your email below! Click for Real-Time sample & Monthly sample
Become a WindowsNetworking.com member! Discuss your network issues with thousands of other network administrators. Click here to join!