Key Concepts of DNS
When you implement Domain Name System (DNS) on your network, there are several steps involved in configuring a DNS name server. These steps can include:

Configuring a root DNS name server. When the DNS Server service is installed, the Cache.dns file is created and stored in systemroot\System32\DNS on a DNS name server. This file contains the Internet Protocol (IP) address of the root-level DNS name servers for the Internet. When an iterative query is performed, the DNS name server contacts one of the root-level DNS name servers. If the DNS name server is operating behind a proxy server or on an intranet, it must be configured as the root-level DNS name server for the internal network.

Creating a subdomain in an existing zone. For large networks, you may want to distribute the administrative workload and the query workload among multiple DNS name servers. To do this, you create subdomains and delegate authority to the DNS name servers for those subdomains.

Creating a zone database file. The information that is used to perform name resolution is stored in a zone database file. Zone database files are used to resolve, or translate, a host name to an IP address, or to resolve IP addresses to host names. The entries that are used to perform the different types of name resolution are stored in two different types of zone database files: forward lookup zone database files and reverse lookup zone database files. The entries that are stored in a database file are called resource records.

Configuring standard zones. After the DNS Server service is installed, you can create a standard primary or standard secondary zone. The type of zone that you create determines whether a DNS name server is a primary or secondary DNS name server for a zone database file. Multiple copies of a zone database file can be placed on multiple DNS name servers to provide redundancy and to distribute workload. The primary DNS name server maintains a zone database file and the secondary DNS name server receives a copy of a zone database file. After you create either a primary or a secondary zone, you select whether the zone will be used for forward or reverse lookups. Forward lookup zones are used to resolve host names to IP addresses, and reverse lookup zones are used to resolve IP addresses to host names. To distribute the workload of updating secondary DNS name servers, a secondary DNS name server can be configured to receive updates to the zone database file from either a primary or secondary DNS name server. The server that provides the updated information to the secondary DNS name server is called a master server. A single DNS name server can be configured to act as a primary DNS name server for one zone, a secondary DNS name server for a different zone, and a master server for any zone.
Configuring a caching-only server. The DNS Server service can be installed on a DNS name server without creating a zone database file, which limits the amount of traffic over a network that is generated to update zone database files. This type of DNS name server is called a caching-only server. The caching-only server can be configured to perform recursive queries and store name resolution information in its cache, which is then used to help resolve queries from DNS clients. The amount of traffic over a network is reduced because both the client and the caching-only server perform recursive queries.

Configuring DNS clients. Transmission Control Protocol/Internet Protocol (TCP/IP) properties on a client computer must be configured to enable queries to a specific DNS name server. Unlike the iterative query that a DNS name server performs, the client computer performs a recursive query to the DNS name server that is specified in the TCP/IP properties of the client computer.
Configuring a Root DNS Name Server

Configure a root name server when:
Your intranet will not be connected to the Internet.
You are using a proxy service to gain access to the Internet.

(Figure: the root name server "." at the top of the tree, with the top-level domains org., com., edu. and au. beneath it and the second-level domain contoso.com. beneath com.)
The root DNS name server contains the resource records for all of the top-level DNS name servers in the domain namespace (for example, the com domain). The top-level DNS name servers contain the resource records for the second-level DNS name servers (for example, the contoso.com domain).

It is necessary for you to configure a root DNS name server if:

Your intranet will not be connected to the Internet. Therefore, the root-level domain is for the intranet only.

You are using a proxy service to gain access to the Internet. Create the root of your local DNS namespace, and the proxy service will perform the necessary translations and connections for Internet access.

Note: The root DNS name servers on the Internet are listed in the Cache.dns file on the root DNS name server that you configure.

There are two methods available for configuring the root DNS name server. When you open the DNS console for the first time, the DNS Server Configuration wizard will prompt you to configure the server as a root DNS name server, and it will guide you through the process of configuring a DNS name server. After initial configuration of a DNS name server, you can change the server to a root DNS name server (that will be the root of the tree for the Internet) by creating a new standard primary forward lookup zone that is represented by a period (.).
Creating a Subdomain in an Existing Zone

Create a subdomain to better organize your namespace. Delegate authority of a subdomain to:
Delegate management of portions of the namespace.
Distribute the load among multiple name servers.
Allow for organizational affiliation of hosts.

(Figure: the root ".", the top-level domains org., com., edu. and au., the second-level domain contoso.com., and the subdomain training.contoso.com.)
A subdomain is a domain contained within a domain. You can create subdomains to better organize and provide structure to your namespace. Subdividing your namespace to include subdomains can be compared to creating folders and subfolders on a hard disk. Subdomains are generally based on departmental or geographic divisions within an organization.

To create a subdomain, open the DNS console, and expand the Forward Lookup Zones or Reverse Lookup Zones folder. Click the name of the zone in which you want to create a subdomain. Right-click the zone name, point to New, and then click Domain. Type the name of the subdomain in the New Domain dialog box, and then click OK.

After you have created a subdomain, you can delegate authority of the subdomain to a different DNS name server that you want to manage that portion of your DNS namespace. Delegation allows you to:

Delegate management of a DNS domain to a number of departments within an organization (subdomains).

Distribute the load of maintaining one large DNS database among multiple DNS name servers to improve name resolution performance and create a fault-tolerant environment.

Allow for organizational affiliation of hosts by including them in the appropriate domains.

NS (name server) resource records facilitate delegation by identifying the DNS name servers for each zone. NS resource records for all of the DNS name servers in your namespace appear in all forward and reverse lookup zones. Whenever a DNS name server needs to query DNS name servers in a different zone, it will refer to the NS resource records to find a DNS name server in the target zone.
To delegate authority for a subdomain, open the DNS console and expand the Forward Lookup Zones or Reverse Lookup Zones folder. Click the name of the domain for which you want to delegate authority. Right-click the domain name, point to New, and then click Delegation. The Add New Delegation wizard will guide you through the process of specifying the name of the domain to which you are delegating authority, and adding the names and IP address of the server or servers that will host the delegated zone.
Zone Database File

Resource records in a zone database file can contain a computer's FQDN, an IP address, or an alias.

(Figure: a name server holding a zone database file with the records @ NS casablanca.africa1.contoso.com., casablanca A 192.168.11.1, marrakech CNAME casablanca.africa1.contoso.com., and 11.1.168.192 PTR casablanca.africa1.contoso.com.)
A zone database file contains the name resolution data for a zone, including resource records that contain information for answering DNS queries. Resource records contain various attributes, such as the fully qualified domain name (FQDN) of a computer, an IP address, or an alias. There are various resource record types that are defined for the DNS database. The following table lists some of the more common types of resource records.

Resource record: Purpose

SOA (start of authority): Identifies the DNS name server that is the authoritative source of information for data within a domain.

NS (name server): Provides a list of DNS name servers that are assigned to a domain.

A (host): Resolves a host name to an IP address.

PTR (pointer): Resolves an IP address to a host name.

CNAME (canonical name): Creates an alias for a specified host name.

SRV (service): Locates servers that host a particular service. For example, if a client must find a server to validate logon requests, it can send a query to a DNS name server that supports the use of SRV resource records to obtain a list of domain controllers and associated IP addresses.
Note: SRV resource records are new in the DNS Server service in Microsoft® Windows 2000®. For more information on SRV resource records, see RFC 2052 under Additional Reading on the Web page on the Student Materials compact disc.
The zone database file name is the zone name with a .dns extension (for example, Contoso.com.dns). To migrate a zone from another server, you can import the existing zone database file. You must place the existing file in the systemroot\System32\DNS folder on the target computer before you create the new zone.

Note: Traditionally, zone database files are stored on DNS name servers. In Microsoft Windows 2000, zone data can be stored in the Active Directory™ directory service rather than in a zone database file on a name server. In this case, the zone is called an Active Directory integrated zone.

Zone database files contain the necessary information that a DNS name server uses to perform two different tasks: resolving host names to IP addresses or resolving IP addresses to host names. The zone lookup types that are associated with these tasks are:

Forward lookup zones. Contain records that resolve a host name to an IP address. The forward lookup zone answers forward lookup queries that request the IP address of a server. You enable forward lookup queries when you add a forward lookup zone. The A resource record is the most common type of record that is used for DNS forward lookup zones.

Reverse lookup zones. Contain records that resolve an IP address to a host name. The reverse lookup zone answers reverse lookup queries that request the server name that is associated with a particular IP address. You enable reverse lookup queries when you add a reverse lookup zone. Reverse lookup zones use PTR resource records to register hosts by IP address.
Configuring Standard Zones

You can configure a DNS name server to host standard primary zones, standard secondary zones, or any combination of zones. You can designate a primary server or a secondary server as a master server for a standard secondary zone.

(Figure: three name servers linked by zone transfers. Zone A and Zone B each have a primary (master) server, secondary copies are held on the other servers, and one secondary server for Zone A also acts as a master for a further secondary.)
Computers that are running the DNS Server service can host standard primary and standard secondary zones. You can configure DNS name servers to host:

One or more standard primary zones.

One or more standard secondary zones.

Any combination of standard primary and standard secondary zones.

For each zone, the server that maintains the standard primary zone database files is called the primary server, and the servers that host the standard secondary zone database files are called secondary servers. A DNS name server can host the standard primary zone database file (as the primary server) for one zone and the standard secondary zone database file (as the secondary server) for another zone. If you are creating a new zone, a standard primary zone must be created before creating a standard secondary zone.

To create a zone, open the DNS console, right-click the name of the server to which you want to add the zone, and then click Create a new Zone to start the Create New Zone wizard. The wizard prompts you to select a zone type—either standard primary or standard secondary—and specify the domain name for the zone.
Configuring Lookup Zones After you have determined whether a DNS name server will act as a primary or secondary DNS name server for the zone, you must select whether the zone will be used for forward lookups or reverse lookups.
Forward Lookup Zones To configure a forward lookup zone, click Forward lookup on the Select the Zone Lookup Type page of the Create New Zone wizard. The wizard then guides you through the process of naming the zone and the zone database file. The wizard then automatically creates the zone, the zone database file, and the SOA, NS, and A resource records.
Reverse Lookup Zones To configure a reverse lookup zone, click Reverse lookup on the Select the Zone Lookup Type page of the Create New Zone wizard. The wizard then guides you through the process of specifying network identification and a subnet mask, and verifying the name of the zone database file. The wizard then automatically creates the zone, the zone database file, and the SOA, NS, and A resource records.

Note: To comply with RFC standards, the reverse lookup zone name requires the in-addr.arpa domain suffix, which is a reserved domain to support reverse lookup. For example, if the network uses the class B network ID of 172.16.0.0, the reverse lookup zone name becomes 16.172.in-addr.arpa. For more information on the in-addr.arpa domain suffix, see RFC 2317 under Additional Reading on the Web page on the Student Materials compact disc.
Specifying a Master Server When you add a standard secondary zone, you must designate a DNS name server from which to obtain the zone information. The designated server is referred to as a master server. A master server transfers zone information to the secondary DNS name server. You can designate a primary server or another secondary server as a master server for a standard secondary zone. To specify a master server, on the Master Servers page of the Create New Zone wizard, type the IP address of the master server in the Master server IP addresses box, and then click Add. To specify more than one master server, add any additional master server IP addresses to the list. You can sort the list in the order in which you want the master servers to be contacted by clicking an IP address, and then clicking Up or Down. When you are finished adding IP addresses to the list, click Next, and then click Finish.
Creating Resource Records You can manually populate the zone database file with resource records for the other computers within the zone that you created. Create the following resource records on the primary DNS name server for the zone:

The A resource record. In the DNS console, right-click the name of the zone to which you want to add the A resource record, point to New, and then click Host. In the New Host dialog box, type the host name and IP address, and then click Add Host.

The PTR resource record. In the DNS console, right-click the name of the zone to which you want to add the PTR resource record, point to New, and then click Pointer. In the Create New Record dialog box, type the host name and IP address, and then click OK.

Note: You can automatically populate a reverse lookup zone when adding an A resource record. To automatically populate a reverse lookup zone, select the Create associated PTR record check box in the New Host dialog box.
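As an added example (not from the course material), the Python below models a forward lookup zone and its reverse lookup zone the way the sections above describe them: A and CNAME records resolve names to addresses, PTR records resolve addresses back, the zone name for a network is derived under in-addr.arpa (the 172.16.0.0 class B example gives 16.172.in-addr.arpa), and adding an A record can create the associated PTR record, as the Create associated PTR record check box does. The zone africa1.contoso.com., the host names and the 172.16.11.x addresses are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample zone data, modelled on the record types the page
# lists (A, CNAME, PTR). Names and addresses are made up for illustration.
FORWARD_ZONE = "africa1.contoso.com."
FORWARD_RECORDS = [
    ("casablanca", "A", "172.16.11.1"),
    ("rabat", "A", "172.16.11.2"),
    ("marrakech", "CNAME", "casablanca.africa1.contoso.com."),
    ("www", "CNAME", "marrakech.africa1.contoso.com."),  # alias chain
]


def reverse_zone_name(network: str) -> str:
    """in-addr.arpa zone for a network on an octet boundary,
    e.g. 172.16.0.0/16 -> 16.172.in-addr.arpa. (RFC 2317 classless
    delegation is out of scope here)."""
    net = ipaddress.ip_network(network, strict=True)
    if net.prefixlen % 8:
        raise ValueError("reverse zone needs a whole-octet mask")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_owner_name(ip: str) -> str:
    """PTR owner name for an address: 172.16.11.1 -> 1.11.16.172.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


@dataclass
class ZoneDatabase:
    """Forward and reverse lookup data built from resource records."""
    forward_zone: str
    a_records: dict = field(default_factory=dict)    # fqdn -> ip
    cnames: dict = field(default_factory=dict)       # alias -> canonical name
    ptr_records: dict = field(default_factory=dict)  # PTR owner name -> fqdn

    def fqdn(self, label: str) -> str:
        return label if label.endswith(".") else f"{label}.{self.forward_zone}"

    def add_record(self, label, rtype, data, create_ptr=True):
        """Mirrors the New Host dialog: an A record can also create its PTR."""
        name = self.fqdn(label)
        if rtype == "A":
            self.a_records[name] = data
            if create_ptr:
                self.ptr_records[ptr_owner_name(data)] = name
        elif rtype == "CNAME":
            self.cnames[name] = data
        elif rtype == "PTR":
            self.ptr_records[label] = data  # label is the full in-addr.arpa owner name
        else:
            raise ValueError(f"unsupported record type {rtype}")

    def resolve_name(self, name: str, max_hops: int = 8):
        """Forward lookup: follow CNAME aliases to an A record, with a loop guard."""
        name = self.fqdn(name)
        for _ in range(max_hops):
            if name in self.a_records:
                return self.a_records[name]
            if name not in self.cnames:
                return None
            name = self.cnames[name]
        raise RuntimeError("CNAME chain too long or looped")

    def resolve_address(self, ip: str):
        """Reverse lookup: IP -> host name via the PTR owner name."""
        return self.ptr_records.get(ptr_owner_name(ip))


def build_sample_zone() -> ZoneDatabase:
    zone = ZoneDatabase(FORWARD_ZONE)
    for label, rtype, data in FORWARD_RECORDS:
        zone.add_record(label, rtype, data)
    return zone
```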
Configuring Additional Zone Properties You can configure and modify additional zone properties in the Properties dialog box for the zone. You can modify zone properties to:

Change a zone from standard primary to standard secondary or from standard secondary to standard primary by clicking Change on the General tab.

Configure a forward lookup zone to use the Windows Internet Name Service (WINS) for name resolution by selecting the Use WINS resolution check box and specifying the IP address for the WINS server on the WINS tab. A WINS resource record is then placed at the top of the zone database file.

Configure a reverse lookup zone to use WINS for name resolution by selecting the Use WINS reverse lookup check box and specifying a domain name on the WINS-R tab. A WINS-R resource record is then placed at the top of the zone database file.
Configuring Zone Transfer Properties Zone transfers occur when names and IP address mappings change within your domain. You configure standard primary and standard secondary zones with the information that is necessary to initiate and request zone transfers. To do this, use the Start of Authority (SOA) and Zone Transfer tabs in the Properties dialog box for the zone.

You configure how often a zone transfer occurs by modifying settings on the Start of Authority (SOA) tab. The following values affect zone transfer:

Serial number. Tracks updates to the zone database file. Each time a zone database file is modified, the serial number is increased by a value of one, which indicates a new version of the zone database file. DNS name servers compare serial numbers during zone refresh requests to determine if a zone transfer is necessary.

Refresh interval. Controls how often a secondary server will query its master server for new data.

Retry interval. Controls how often a server will retry a refresh. If a secondary server cannot contact its master server, the retry interval determines how long the secondary server will wait before attempting to contact its master server again.

Expire interval. Controls the length of time that a secondary server will use its current zone data to answer queries if it cannot contact its master server. At the end of the expire interval, if the secondary server cannot contact its master server, it will stop performing name resolution.

Minimum TTL. Specifies the Time to Live (TTL) interval, or the minimum amount of time for which a response to a query is valid. The DNS name server that performs the name resolution sets this value.
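To make the SOA values concrete, here is an added Python model (not part of the course material) of how a secondary server uses the serial number and the refresh, retry and expire intervals: it checks its master every refresh interval, falls back to the retry interval when the master is unreachable, transfers when the master's serial is higher, and stops answering once the expire interval passes without contact. The interval values and the master's behaviour are constructed; that a secondary serves the zone again after a later successful refresh is an assumption noted in the code.

```python
from dataclasses import dataclass


@dataclass
class SOA:
    """The SOA values the page lists, in seconds (constructed sample values)."""
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum_ttl: int  # applies to cached answers, not to transfer scheduling


class SecondaryZone:
    """How a secondary server schedules refreshes against its master."""

    def __init__(self, soa: SOA, loaded_at: int):
        self.soa = soa
        self.last_good_refresh = loaded_at  # last time the master answered
        self.next_check = loaded_at + soa.refresh
        self.expired = False
        self.log = []                       # (time, event)

    def answering(self, now: int) -> bool:
        """The zone is served until the expire interval runs out."""
        return not self.expired and now < self.last_good_refresh + self.soa.expire

    def tick(self, now: int, master_serial):
        """One step of the timeline. master_serial is None when the master
        cannot be contacted. Returns the event taken, or None if no check was due."""
        if now < self.next_check:
            return None
        if master_serial is None:
            self.next_check = now + self.soa.retry
            if self.expired:
                return "retry"
            if now >= self.last_good_refresh + self.soa.expire:
                self.expired = True
                self.log.append((now, "expired"))
                return "expired"
            self.log.append((now, "retry"))
            return "retry"
        # Master reachable: reset the refresh timer. Assumption: a zone that had
        # expired is served again once a refresh succeeds.
        self.last_good_refresh = now
        self.next_check = now + self.soa.refresh
        self.expired = False
        if master_serial > self.soa.serial:  # serial comparison decides on transfer
            self.soa.serial = master_serial
            self.log.append((now, "transfer"))
            return "transfer"
        self.log.append((now, "current"))
        return "current"


def sample_soa() -> SOA:
    return SOA(serial=2, refresh=900, retry=300, expire=3600, minimum_ttl=600)


def sample_master(t: int):
    """Constructed master: serial 2, bumped to 3 at t=1000, unreachable from
    t=2000 on (for example a WAN outage)."""
    if t >= 2000:
        return None
    return 3 if t >= 1000 else 2


def simulate(soa: SOA, horizon: int, master_state=sample_master):
    """Run a secondary from t=0 to horizon; returns (event log, still answering)."""
    secondary = SecondaryZone(soa, loaded_at=0)
    for t in range(horizon + 1):
        secondary.tick(t, master_state(t))
    return secondary.log, secondary.answering(horizon)
```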
Configuring DNS Notify You can configure a master server to include a list of one or more secondary servers that should be notified when changes to the zone database file are made. If a secondary server receives notification from its master server that changes have been made to the zone database file, it can initiate a zone transfer to ensure that its records are up-to-date. The notification process can help improve the consistency of zone data among secondary servers.

DNS Notify allows you to configure a master server to notify one or more secondary servers whenever changes to the zone database file occur. The secondary servers then determine if they need to initiate a zone transfer. The following information describes the order of the notification process:

1. When the zone database file is updated on the hard disk on a master server, the serial number is updated to indicate that the zone database file has been changed.

2. The master server then sends a notify message to the secondary DNS name servers that are included in its notify list.

3. All secondary servers that receive the notify message respond by initiating an SOA refresh to their master server in order to start the replication process.

Note: For more information on DNS Notify, see RFC 1996 under Additional Reading on the Web page on the Student Materials compact disc.
Configuring the Notify List To configure the notify list, open the Properties dialog box for the zone, click the Zone Transfers tab, and then click the Notify button. Click Notify these servers only, type the IP address of the secondary server to notify when the zone is updated, and then click Add. Repeat this process to add more than one secondary server to the notify list.

The notify list can also be used to restrict access to secondary servers that attempt to request zone updates. On the Zone Transfers tab, click Allow only from this list to limit requests for zone update transfers to only those servers that are included in the Notify dialog box.
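The notification steps above and the Allow only from this list restriction, as an added Python example (not the DNS Server service's own code): a master increases its serial, sends notify messages to the servers on its list, answers SOA refresh requests from listed secondaries, and refuses transfer requests from any other host while keeping a log you can review for refused requesters. The zone name, addresses and serial values are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class MasterServer:
    """A master server with its zone serial, notify list, and the
    'Allow only from this list' zone-transfer restriction."""
    zone: str
    serial: int
    notify_list: list          # secondaries told when the zone changes
    allow_only_from_list: bool = True
    transfer_log: list = field(default_factory=list)  # (requester, decision)

    def update_zone(self):
        """Step 1: a change increases the serial; step 2: notify messages go out."""
        self.serial += 1
        return [("NOTIFY", self.zone, self.serial, dst) for dst in self.notify_list]

    def handle_transfer_request(self, requester: str, requester_serial: int):
        """Answer a secondary's SOA refresh: refuse unlisted hosts, otherwise
        transfer only when the master's serial is newer."""
        if self.allow_only_from_list and requester not in self.notify_list:
            self.transfer_log.append((requester, "REFUSED"))
            return ("REFUSED", None)
        if requester_serial >= self.serial:
            self.transfer_log.append((requester, "UP-TO-DATE"))
            return ("UP-TO-DATE", self.serial)
        self.transfer_log.append((requester, "TRANSFER"))
        return ("TRANSFER", self.serial)

    def refused_requesters(self):
        """Hosts that asked for the zone but are not on the list; worth reviewing,
        because a transfer hands out the whole zone database file."""
        return sorted({ip for ip, decision in self.transfer_log if decision == "REFUSED"})


@dataclass
class SecondaryServer:
    address: str
    serial: int

    def on_notify(self, master: MasterServer, msg):
        """Step 3: a notified secondary starts an SOA refresh with its master
        and pulls the zone only if the advertised serial is newer."""
        _, _zone, advertised_serial, dst = msg
        if dst != self.address or advertised_serial <= self.serial:
            return "IGNORED"
        decision, master_serial = master.handle_transfer_request(self.address, self.serial)
        if decision == "TRANSFER":
            self.serial = master_serial
        return decision


def run_scenario():
    """Constructed scenario: two listed secondaries, one zone change, and
    an unlisted host (203.0.113.7, a documentation address) asking for a transfer."""
    master = MasterServer("contoso.com.", serial=10,
                          notify_list=["192.168.1.20", "192.168.1.21"])
    secondaries = [SecondaryServer("192.168.1.20", 10), SecondaryServer("192.168.1.21", 10)]
    results = {}
    for msg in master.update_zone():
        for sec in secondaries:
            outcome = sec.on_notify(master, msg)
            if outcome != "IGNORED":
                results[sec.address] = outcome
    results["203.0.113.7"] = master.handle_transfer_request("203.0.113.7", 0)[0]
    return master, secondaries, results
```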
Configuring a Caching-Only Server

Caching-only servers:
Perform name resolution on behalf of clients and cache the results.
Can be used to reduce DNS-related traffic across a WAN.

(Figure: a client query to a caching-only server, which holds a cache, passes the query to a name server and returns the result.)
Caching-only servers perform name resolution on behalf of clients and then cache, or store, the results. They are not configured to be authoritative for a zone, so they do not store standard primary or standard secondary zones. The cache is populated with the most frequently requested names, and these names and their associated IP addresses are available from the cache for answering subsequent client queries. To configure a caching-only server, install the DNS Server service on a computer running Windows 2000 Server and do not configure any forward or reverse lookup zones.

Caching-only servers help to reduce traffic across a wide area network (WAN) in the following ways:

A caching-only server will first attempt to locate information in its cache to resolve client requests. If the required information is not in its cache, the caching-only server will perform a query across the WAN to locate the necessary information and update its cache. The greater the amount of information that is stored in its cache, the less likely it is that the caching-only server will need to perform a query, thus reducing traffic across the WAN. Entries that are stored in cache are purged when the TTL interval for that record expires.

A caching-only server does not maintain or store a copy of a zone database file, as does a primary or secondary DNS name server. Therefore, no zone transfer traffic is generated.
You can change the type of queries that a caching-only server performs to further reduce network traffic. There are two types of queries that can be performed in DNS:

Iterative. A query made to a DNS name server, in which the requester instructs the name server to return the best answer it can give based on its cache or zone data. If the queried name server does not have an exact match for the request, the best information it can provide is a pointer to an authoritative name server in a lower level of the domain namespace. The requester can then query the authoritative name server it was referred to. The requester continues this process until it locates a name server that is authoritative for the requested name, or until an error or time-out condition is met.

Recursive. A query made to a DNS name server, in which the requester asks the name server to assume the full workload and responsibility for providing a complete answer to the query. The server will then perform separate iterative queries to other servers (on behalf of the requester) to assist in answering the recursive query.

When a remote office has a limited amount of available bandwidth for connecting to a corporate office, a caching-only server should be configured at the remote office to send recursive queries to a DNS name server at the corporate office. The DNS name server at the corporate office has a greater amount of available bandwidth for connecting to the Internet or an intranet. You can configure a caching-only server to perform recursive rather than iterative queries by configuring it to use forwarders. A forwarder is a DNS name server that is designated by other DNS name servers to forward queries for resolving external domain names. This reduces the amount of traffic across the WAN for performing name resolution.

To forward queries to another server, open the DNS console and open the Properties dialog box for the server on which you want to configure forwarding. On the Forwarders tab, select the Enable Forwarder(s) check box. Type the IP address of the server that you want to forward to, click Add, and then click OK.
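An added simulation (not from the course material, and much simplified relative to real DNS) of the two query types, cache purging on TTL expiry, and forwarders as described in this and the previous section: a caching-only server answers from its cache, otherwise iterates from a root hint (the role Cache.dns plays) through the com, contoso.com and africa1.contoso.com delegations, or, when a forwarder is configured, sends a single recursive query to the corporate server instead. Counting the queries each server sends across the WAN shows why the forwarder setup reduces WAN traffic. The server keys, zones and addresses are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class AuthServer:
    """An authoritative server: A records for its zone plus NS delegations
    for subdomains. Constructed data; names and addresses are made up."""
    zone: str
    a_records: dict = field(default_factory=dict)    # fqdn -> ip
    delegations: dict = field(default_factory=dict)  # subzone -> server key

    def query(self, qname: str):
        """Iterative answer: an exact match, else the best referral available."""
        if qname in self.a_records:
            return ("ANSWER", self.a_records[qname])
        for subzone, server in self.delegations.items():
            if qname.endswith("." + subzone) or qname == subzone:
                return ("REFERRAL", server)
        return ("NXDOMAIN", None)


# The namespace from the page's figures: root -> com. -> contoso.com. -> africa1.
SERVERS = {
    "root": AuthServer(".", delegations={"com.": "com-tld"}),
    "com-tld": AuthServer("com.", delegations={"contoso.com.": "ns1.contoso"}),
    "ns1.contoso": AuthServer("contoso.com.", {"www.contoso.com.": "192.0.2.10"},
                              {"africa1.contoso.com.": "ns.africa1"}),
    "ns.africa1": AuthServer("africa1.contoso.com.",
                             {"casablanca.africa1.contoso.com.": "172.16.11.1"}),
}


class CachingOnlyServer:
    """Holds no zones; answers from cache, else iterates from the root hint
    (the Cache.dns role) or sends one recursive query to a forwarder."""

    def __init__(self, servers, forwarder=None, ttl=300, root_hint="root"):
        self.servers, self.forwarder = servers, forwarder
        self.ttl, self.root_hint = ttl, root_hint
        self.cache = {}       # qname -> (ip, expires_at)
        self.wan_queries = 0  # queries this server sent across the WAN

    def _cached(self, qname, now):
        entry = self.cache.get(qname)
        if entry and now < entry[1]:
            return entry[0]
        self.cache.pop(qname, None)  # purge once the TTL has expired
        return None

    def _iterate(self, qname):
        """Iterative queries: follow referrals from the root until answered."""
        server = self.servers[self.root_hint]
        for _ in range(10):  # hop limit guards against referral loops
            self.wan_queries += 1
            kind, data = server.query(qname)
            if kind == "ANSWER":
                return data
            if kind != "REFERRAL":
                return None
            server = self.servers[data]
        return None

    def resolve(self, qname, now=0):
        """Recursive query from a client. With a forwarder the WAN sees one
        query; without one, every referral hop crosses the WAN."""
        ip = self._cached(qname, now)
        if ip is not None:
            return ip
        if self.forwarder is not None:
            self.wan_queries += 1
            ip = self.forwarder.resolve(qname, now)
        else:
            ip = self._iterate(qname)
        if ip is not None:
            self.cache[qname] = (ip, now + self.ttl)
        return ip
```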
Configuring DNS Clients

(Figure: the Internet Protocol (TCP/IP) Properties dialog box, General tab. The IP address (192.168.2.15), subnet mask (255.255.255.0) and default gateway can be obtained automatically or entered manually, and the DNS server address can likewise be obtained automatically or set to a preferred DNS server (192.168.1.2) and an alternate DNS server. These settings are provided by DHCP or configured manually.)
A DNS client (sometimes called a resolver) uses a DNS name server to resolve queries and locate resources on TCP/IP networks. In Windows 2000, configuring a computer as a DNS client involves only one configuration parameter: the IP address of the DNS name server.

To configure a client to use a DNS name server for host name resolution, open the Properties dialog box for the connection, and then open the Internet Protocol (TCP/IP) Properties dialog box:

If you want DNS name server addresses to be provided by a DHCP server, click Obtain DNS server address automatically.

If you want to manually configure an IP address for a DNS name server, click Use the following DNS server addresses. Type the IP address of the primary server in the Preferred DNS server box. If you are configuring a second DNS name server, type the IP address of the additional DNS name server in the Alternate DNS server box.