Thursday 1 March 2012

Introduction to Windows Server 2008 DNS

What is DNS:
DNS provides name registration and name-to-address resolution. It removes most of the need to remember numeric IP addresses when accessing hosts on the Internet or any other TCP/IP-based network.
Before DNS, mapping friendly host or computer names to IP addresses was handled with host files. Host files are easy to understand: they are static ASCII text files that simply map a host name to an IP address in a table-like format. Windows still ships with one, at %SystemRoot%\System32\drivers\etc\hosts, and the resolver consults it before it sends any query to a DNS server.
The fundamental problem with host files was that they were labor intensive. A host file is edited by hand and then has to be distributed to every machine that needs it, so it does not scale beyond a small network, and one stale or tampered copy silently sends that machine to the wrong address.
The DNS system consists of three components: DNS data (called resource records), servers (called name servers), and Internet protocols for fetching data from the servers.
What is DNS namespace?
A DNS name consists of two or more labels separated by periods, or "dots" (.). The last (rightmost) label is the top-level domain (TLD). Each label to its left is a subdomain of the TLD or of another subdomain. TLD names are either functional or geographical. The label directly to the left of the TLD usually identifies the organization that registered the domain name.

Functional TLD and who typically uses it:
  .com  Commercial entities, such as corporations
  .edu  Educational institutions, such as colleges and public and private schools
  .gov  Government entities, such as federal, state, and local governments
  .net  Organizations that provide Internet services, such as Internet service providers (ISPs)
  .org  Private, nonprofit organizations

How DNS resolves a host name to IP address:
DNS clients, called resolvers, submit queries to DNS servers to be resolved into IP addresses. Suppose you want to connect to www.microsoft.com: www is the host name (or an alias for a different host name) and microsoft.com is the domain name. The resolver on your client computer builds a DNS query for www.microsoft.com and sends it to the DNS server listed in the client's TCP/IP settings, which here we assume is a DNS server on your LAN. That server checks its cache (which stores the results of previous queries) and its own zone data and finds no record for www.microsoft.com, so it starts at the top of the namespace: it asks a root server, which does not know the answer but refers it to the name servers for the .com top-level domain. The .com servers in turn refer it to the authoritative name servers for microsoft.com, and one of those answers with the IP address of the host www. Each step until the authoritative server is reached is a referral, not an answer. Your DNS server caches the result and returns it to your resolver, which hands it to the client application (in this case a web browser), and the www.microsoft.com site appears. Mapping a host name or alias to its address in this way is called a forward lookup.
What is a Zone:
In most cases a given name server manages all the records for some portion of the DNS namespace called a zone. The terms "zone" and "domain" are often used interchangeably, but they are not the same thing. A domain is the whole subtree of the namespace below a name, wherever its components reside; a zone is the part of that domain held by one name server, which is all of the domain's data except the parts delegated to other name servers. When the entire domain resides on a single name server, zone and domain coincide.
Each zone contains records that define hosts and other elements of the domain, or of the portion of the domain contained within the zone. These records are stored together in a zone file on the DNS server. A zone file is a text file in the standard DNS master-file format. The default name for a zone file is domain.dns, where domain is the name of the domain hosted by the zone, for example mcity.us.dns. Windows Server 2008 stores zone files in %systemroot%\System32\Dns and provides an MMC console (DNS Manager) that lets you manage the contents of the zone files through a graphical interface.
What is Authoritative Server:
A name server that has full information about a given zone is said to be authoritative for the zone, or to have authority over it. A given name server can be authoritative for any number of zones, and it can be authoritative for some zones while answering for others only from its cache (non-authoritatively).
What are DNS Zone types:
Windows Server 2008 DNS supports several zone types: primary, secondary, stub, and Active Directory–integrated. Each of these can be a forward or a reverse lookup zone. A forward lookup zone resolves a computer's fully qualified domain name (FQDN) to its IP address, whereas a reverse lookup zone resolves an IP address to the corresponding FQDN.
Primary Zones
A name server can be either a primary master or a secondary master for a zone. A primary master holds the authoritative copy of the records for the zones it is primary for; the administrator adds new records, modifies existing ones, and so on, on the primary master.
A primary zone is the master copy of zone data hosted on a DNS server that is the primary source of information for the records in that zone. The server is authoritative for the zone, and you can update zone data directly on it. It is also known as the master server for the zone. If the zone is not integrated with AD DS, the server keeps the data in a local file named <zone_name>.dns in the %systemroot%\system32\DNS folder.
Secondary Zones
A secondary master for a zone pulls its records from a primary master through a process called a zone transfer. The secondary holds the zone as a read-only copy and periodically repeats the transfer to refresh the data from the primary. The refresh interval comes from the zone's SOA record, so you control the frequency of zone transfers according to the requirements of the domain. Because a zone transfer hands out every record in the zone, restrict it on the primary to the addresses of your own secondaries (the Zone Transfers tab of the zone's properties) rather than allowing transfers to any server; an unrestricted zone transfer gives an attacker a complete map of the hosts in the zone.
Active Directory–Integrated Zones
An Active Directory–integrated zone stores its data in one or more application directory partitions that are replicated along with the other AD DS directory partitions. This keeps zone data up to date on every domain controller that hosts DNS in the domain. Using Active Directory–integrated zones also provides the following benefits:
  • Fault tolerance: the data is always available and can always be updated, even if one of the servers fails. If a DNS server hosting a primary zone outside of AD DS fails, its data can no longer be updated, because there is no automatic mechanism for promoting a secondary zone to primary; an administrator would have to change the zone type by hand.
  • Multi-master updates: each writable domain controller on which DNS is installed acts as a master server and accepts updates for the zones it is authoritative for; no separate zone transfer topology is needed.
  • Security: dynamic updates can be restricted to secure updates only, so that a record can be changed only by the authenticated account that registered it. By contrast, zone data not integrated with AD DS sits in plain-text files that anyone with access to the file system could read, modify, or delete.
Either primary or stub zones can be integrated with AD DS. It is not possible to create an Active Directory–integrated secondary zone.
Stub Zones
A stub zone is a copy of a zone that contains only the records identifying that zone's authoritative name servers. A server hosting a stub zone downloads those records, and any later changes to them, from a master server for the zone. When properly implemented, stub zones let a DNS server send queries for the zone straight to its authoritative servers, so it can complete recursive queries without going through the Internet root or internal root servers. Unlike a conditional forwarder, whose server list is typed in by hand and goes stale when the other side changes its servers, a stub zone refreshes its list of name servers automatically.
A stub zone consists of:
  • The start of authority (SOA) resource record, the name server (NS) resource records, and the glue A resource records for the delegated zone.
  • The IP address of one or more master servers that can be used to update the stub zone.
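The following is an added example, not part of the original article, showing how each zone type above is created from the command line on Windows Server 2008 with dnscmd.exe, which is installed with the DNS Server role (the DnsServer PowerShell cmdlets only arrived with Windows Server 2012). Run it in an elevated PowerShell prompt on the primary server. The zone names corp.example, ad.corp.example and partner.example and the addresses 10.0.0.10, 10.0.0.20 and 192.0.2.53 are assumed for illustration. Besides creating the zones, it applies the two settings most often left at their defaults: zone transfers pinned to the known secondary, and the AD-integrated zone accepting secure dynamic updates only.

```powershell
# Added example (not from the original article). Assumed names and addresses:
$PrimaryIP   = '10.0.0.10'   # this server, the primary master
$SecondaryIP = '10.0.0.20'   # the only server allowed to pull zone transfers
$PartnerDns  = '192.0.2.53'  # partner's authoritative server, master for the stub zone

# 1. Standard (file-backed) primary zone; data lands in %systemroot%\System32\dns\corp.example.dns
dnscmd /ZoneAdd corp.example /Primary /file corp.example.dns
# Pin zone transfers to the secondary's address and send it NOTIFY on every change.
# A zone transfer is a full dump of the zone, so never leave it open to any server.
dnscmd /ZoneResetSecondaries corp.example /SecureList $SecondaryIP /NotifyList $SecondaryIP

# 2. Secondary zone on the second server: a read-only copy refreshed by zone transfer
#    from the primary (dnscmd can target a remote server by name or IP address).
dnscmd $SecondaryIP /ZoneAdd corp.example /Secondary $PrimaryIP

# 3. Active Directory-integrated primary zone: stored in AD DS, multi-master on every DC running DNS
dnscmd /ZoneAdd ad.corp.example /DsPrimary
# AllowUpdate: 0 = no dynamic updates, 1 = nonsecure and secure, 2 = secure only.
# Secure-only means a record can be changed only by the authenticated account that created it.
dnscmd /Config ad.corp.example /AllowUpdate 2

# 4. Stub zone for a partner's domain: keeps just the SOA, NS and glue A records,
#    refreshed from the partner's master so the NS list never goes stale.
dnscmd /ZoneAdd partner.example /Stub $PartnerDns

# Checks: list the zones and confirm the type, transfer and update settings took effect
dnscmd /EnumZones
dnscmd /ZoneInfo corp.example
dnscmd /ZoneInfo ad.corp.example
```

The /ZoneInfo output is the place to confirm that SecureSecondaries lists only the intended address and that the AD-integrated zone reports secure updates; the same values are visible on the Zone Transfers and General tabs in DNS Manager.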

What are DNS Resolvers:
A DNS resolver is a service that uses the DNS protocol to query DNS servers for information. DNS resolvers communicate with either remote DNS servers or the DNS server program running on the local computer. In Windows, including Windows Server 2008, the DNS resolver is the DNS Client service. Besides acting as a resolver, the DNS Client service caches the answers it receives; ipconfig /displaydns shows the cache and ipconfig /flushdns clears it, which is the first thing to try when a client keeps resolving a name to an old address.

What are Resource Records:
Resource records are the DNS database entries used to answer DNS client queries. Each DNS server holds the resource records it needs to answer queries for its portion of the DNS namespace. Every resource record has a type, such as host address (A), alias (CNAME), or mail exchanger (MX), and the data it carries depends on the type:
  • Host (A) resource records: map a host name to a 32-bit IPv4 address.
  • IPv6 host (AAAA) resource records: map a host name to a 128-bit IPv6 address.
  • Name server (NS) resource records: list the DNS servers that are authoritative for a domain; a parent zone also uses them to delegate a subdomain.
  • Service location (SRV) resource records: map a service name under a domain to the hosts that provide it, with a priority, weight, and port for each. Active Directory clients rely on SRV records such as _ldap._tcp.<domain> to locate domain controllers, so a missing or wrong SRV record breaks domain controller location.
  • Mail exchanger (MX) resource records: name the mail servers for a domain, each with a preference value; senders try the lowest preference first.
  • Alias (CNAME) resource records: also called canonical name records, map an alias name to a host's canonical name, so several names can resolve to a single host through one A record.
  • Pointer (PTR) resource records: map an IP address back to a host name and are used for reverse lookups.
What is Reverse Lookup zone:
Forward lookup maps names to addresses: a resolver queries a name server with a host name and receives an address in response. A reverse query, also called a reverse lookup, does the opposite and maps an IP address to a name. The client knows the IP address but needs the host name associated with it. Reverse lookup is commonly used to apply access rules based on the connecting host's name, and it is also useful when you are working with a range of IP addresses and gathering information about them. Treat a PTR record with care when using it for security decisions: it is published by whoever administers the address block, not by the owner of the name it returns, so always confirm that the returned name resolves forward to the same address before trusting it.
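Here is an added example, not from the original article, that populates a zone with each record type listed above and then builds the matching reverse lookup zone with dnscmd on Windows Server 2008. It ends with the forward-confirmation check a script should make before acting on a PTR name, written against the .NET resolver classes available to PowerShell 2.0 on that platform. The zone corp.example, the 10.0.0.0/24 block and the host names are assumed values.

```powershell
# Added example (not from the original article). corp.example, 10.0.0.0/24 and the hosts are assumed.
# In record data a trailing dot marks a fully qualified name; without it the name is relative to the zone.

# Host (A) and IPv6 host (AAAA) for the same name
dnscmd /RecordAdd corp.example www A 10.0.0.5
dnscmd /RecordAdd corp.example www AAAA '2001:db8::5'
# Name server (NS) at the zone apex ('@' is the zone root; quoted because @ is special to PowerShell)
dnscmd /RecordAdd corp.example '@' NS dns1.corp.example.
# Mail exchanger (MX): preference value, then the mail host; the lowest preference is tried first
dnscmd /RecordAdd corp.example '@' MX 10 mail.corp.example.
# Alias (CNAME): alias on the left, canonical host name on the right
dnscmd /RecordAdd corp.example intranet CNAME www.corp.example.
# Service location (SRV): priority, weight, port, target. Domain controllers register their
# own _ldap._tcp records automatically; this hand-made one shows the field order.
dnscmd /RecordAdd corp.example _ldap._tcp SRV 0 100 389 dc1.corp.example.

# Reverse lookup zone for 10.0.0.0/24: the network octets reversed under in-addr.arpa
dnscmd /ZoneAdd 0.0.10.in-addr.arpa /Primary /file 0.0.10.in-addr.arpa.dns
# Pointer (PTR): the node name is the host octet, the data is the host's FQDN
dnscmd /RecordAdd 0.0.10.in-addr.arpa 5 PTR www.corp.example.

# Quick checks through the resolver
nslookup -type=MX corp.example
nslookup 10.0.0.5        # nslookup builds 5.0.0.10.in-addr.arpa itself and asks for the PTR

# Forward-confirmed reverse DNS: the PTR is published by whoever runs the address block,
# so trust the name it returns only if that name resolves back to the same address.
function Test-ForwardConfirmedPtr([string]$Address) {
    try { $name = [System.Net.Dns]::GetHostEntry($Address).HostName } catch { return $false }
    $forward = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.ToString() }
    return [bool]($forward -contains $Address)
}
Test-ForwardConfirmedPtr '10.0.0.5'   # $true only when the A/AAAA and PTR records agree
```

Test-ForwardConfirmedPtr returns $false both when there is no PTR at all and when the PTR names a host whose forward records point elsewhere, which is the case an attacker controlling their own reverse zone can produce at will.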
What is Recursion:
If the queried name is not found at the client's preferred server, either in its cache or in its zone data, the query proceeds in a way that depends on the DNS server's configuration. In the default configuration, the DNS server performs recursion to resolve the name. Recursion in DNS is the process of a DNS server querying other DNS servers on behalf of the original querying client; in effect, the original DNS server becomes a DNS client itself.
If recursion is disabled on the DNS server, the server answers only from its own zones and otherwise returns a referral to the root hints, and the client must perform iterative queries itself. Iteration is the process of a DNS client making repeated queries to different DNS servers, following each referral until it reaches an authoritative server. Disable recursion on any DNS server that is reachable from the Internet and only needs to answer for its own zones: an authoritative server that also recurses for anyone is an open resolver, which can be abused for reflection attacks against third parties and exposes its cache to poisoning attempts.

What is Server Forwarding:

A forwarder is a DNS server to which other DNS servers send the queries they cannot resolve from their own zones or cache, typically queries for external names on the Internet. You use forwarders to manage the DNS traffic that leaves your internal network for the Internet, so that only a few designated servers talk to outside DNS servers. Conditional forwarders send queries for specific domain names to specific servers; for example, you may configure a conditional forwarder for a business partner's domain so that its names resolve directly against the partner's DNS servers rather than through the Internet.
To deploy forwarders, first configure the network's firewalls to block outbound DNS traffic (UDP and TCP port 53) from all DNS servers except the forwarders. Then specify the IP addresses of the forwarders on the other DNS servers in your network. You define the list of forwarders in DNS Manager on the Forwarders tab of the Properties dialog box for the DNS server: click Edit and enter the IP addresses in the Edit Forwarders dialog box. The same tab has the "Use root hints if no forwarders are available" check box; clear it on servers that must never contact the Internet directly. To define a conditional forwarder, right-click the Conditional Forwarders node in DNS Manager, choose New Conditional Forwarder, and enter the DNS domain name before the IP addresses of the servers that are authoritative for it.
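As an added example, not from the original article, the recursion and forwarding settings from the last two sections done with dnscmd on Windows Server 2008, covering the two roles a server usually has: an internal resolver that forwards everything it cannot answer, and an Internet-facing authoritative server that must not recurse at all. The forwarder addresses 10.0.0.53 and 10.0.1.53, the partner server 192.0.2.53 and the public server 203.0.113.53 are assumed.

```powershell
# Added example (not from the original article). Addresses are assumed:
$Forwarders = '10.0.0.53', '10.0.1.53'   # the internal resolvers the firewall lets out on port 53
$PartnerDns = '192.0.2.53'               # partner's DNS server, target of a conditional forwarder

# Internal DNS server: anything not answerable from its zones or cache goes to the forwarders.
# /Timeout is the seconds to wait per forwarder; /Slave makes the server give up rather than
# fall back to root hints (the same as clearing "Use root hints if no forwarders are available"
# in DNS Manager), so a server that must never reach the Internet cannot do so by accident.
dnscmd /ResetForwarders $Forwarders /Timeout 3 /Slave

# Conditional forwarder: only queries for partner.example go to the partner's server.
# Use /DsForwarder instead of /Forwarder to store it in AD DS and replicate it to other DCs.
dnscmd /ZoneAdd partner.example /Forwarder $PartnerDns

# Internet-facing authoritative server: answer only for its own zones and refuse recursion,
# so it cannot be used as an open resolver (reflection attacks on third parties, cache poisoning).
dnscmd /Config /NoRecursion 1

# Checks: NoRecursion and the forwarder list appear in the server settings dump. A query for a
# foreign name against the hardened server (203.0.113.53 assumed) must not come back with an
# address; the server returns a referral instead of resolving it.
dnscmd /Info
nslookup www.microsoft.com 203.0.113.53
```

Run the /NoRecursion line only on servers that hold zones and nothing else; on a server that clients use as their resolver it would stop all resolution of names outside its own zones.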

What are Root Hints:

As discussed above, DNS servers use the list of root hint servers to locate authoritative name servers for domains higher in the DNS namespace or in other subtrees of it. When you add the DNS Server role, a file called cache.dns is written to %systemroot%\System32\dns; it contains the NS and A resource records for the Internet's root servers. If you are using DNS on a network that is not connected to the Internet, you may wish to replace this list with root hints for your own internal root servers, which also stops the server from repeatedly trying and failing to reach the Internet roots for every name it does not know. You can modify the list in DNS Manager as follows:
  1. Right-click on the server and select Properties.
  2. Click the Root Hints tab.
  3. Modify the list as appropriate, as shown in figure 10:
    1. Click Add… to create a new record.
    2. Select a record and click Edit… to modify an existing record.
    3. Select a record and click Remove to delete an existing record.
    4. Click Copy from Server and then specify the IP address to retrieve the list of root hints from another DNS server. This action will not overwrite any existing root hints.
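The same change done from PowerShell on Windows Server 2008, as an added example that is not part of the original article: it replaces cache.dns with root hints for an internal root server, restarts the DNS Server service so the new list is read, and verifies the result. The internal root server root1.corp.example at 10.0.0.10 is assumed, and the verification line assumes the pseudo-zone name ..RootHints that dnscmd uses to address the root hints list.

```powershell
# Added example (not from the original article). root1.corp.example / 10.0.0.10 are assumed.
# The DNS Server service reads its root hints from %systemroot%\System32\dns\cache.dns at startup.
$CacheDns = Join-Path $env:SystemRoot 'System32\dns\cache.dns'
Copy-Item $CacheDns "$CacheDns.bak" -Force     # keep the Internet root hints for rollback

# Standard master-file syntax, the same format as the zone files: an NS record for the root (".")
# naming the internal root server, plus its glue A record. No Internet root servers are listed.
@"
; Root hints for the isolated corp network. The Internet root servers are intentionally absent.
.                      3600000  IN  NS  root1.corp.example.
root1.corp.example.    3600000  IN  A   10.0.0.10
"@ | Set-Content -Path $CacheDns -Encoding ASCII

# Reload the server so it picks up the new list (the service name is "DNS")
Restart-Service -Name DNS

# Check: the Root Hints tab in DNS Manager should now list only root1.corp.example;
# dnscmd exposes the same list as the pseudo-zone ..RootHints (quoted for PowerShell).
dnscmd /EnumRecords '..RootHints' '@'
```

If the server is also a domain controller, confirm the Root Hints tab after the restart: a domain controller can take its root hints from AD DS rather than from cache.dns, in which case edit the list in DNS Manager instead of the file.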
In the next article we will discuss step-by-step installation and configuration of DNS in Windows Server 2008.
