Managing Name Resolution
Chapter 3: Managing Name Resolution
Terms you'll need to understand:
- Domain Name System (DNS)
- Recursive and iterative queries
- Primary, secondary, and stub zones
- Dynamic update
- Caching-only server
- Root name server
- Resource records
Techniques you'll need to master:
- Installing and configuring the DNS Server service
- Configuring zones
- Understanding a caching-only server
- Understanding DNS zone types
- Managing zones and resource records
- Implementing a delegated zone for DNS
- Monitoring a DNS server
Each machine on a computer network is assigned a unique network address. Computers communicate with each other across networks by connecting to these network addresses. These numbers, also known as Internet Protocol (IP) addresses, consist of four groups of numbers, or octets, and can be difficult for people to remember. To solve this dilemma, a system was developed whereby people can use "friendly" names that are then translated automatically into IP addresses that computers use to locate each other and to communicate. These friendly names are called hostnames, and each machine is assigned one. Groups of these hosts form a domain. The software that translates these names to network addresses is called the Domain Name System (DNS).
Before the advent of DNS, HOSTS files were used for name resolution, but as the Internet quickly grew in size and popularity, HOSTS files became impossible to maintain and keep current. When the Internet community realized there was a need for a more manageable, scalable, and efficient name-resolution system, DNS was created. Since that time, DNS servers have been used on the Internet almost exclusively.
Before the introduction of Windows 2000, Network Basic Input/Output System (NetBIOS) names were used to identify computers, services, and other resources on Windows-based machines. In the early days of Windows networks, LMHOSTS files were used for NetBIOS name resolution. Later, these names were often resolved to IP addresses using a NetBIOS Name Server (NBNS). Microsoft's version of the NBNS was called Windows Internet Naming Service (WINS). With Windows 2000 and now Windows Server 2003, hostnames are used instead of NetBIOS names. In a Windows Server 2003 domain, DNS is used to resolve hostnames and locate resources such as network services.
This chapter introduces the Windows Server 2003 implementation of DNS. You'll learn how to install and configure a DNS server, as well as how to maintain and monitor it. Having a thorough understanding of the topics presented here is important to both the exam and on-the-job success.
Installing and Configuring the DNS Server Service
At one time or another, most of us have typed a universal resource locator (URL) to get to one of our favorite Web sites. Before you can view the Web site stored on a Web server, that URL you typed must be resolved to an IP address, and this is where DNS servers come into play.
You might have also heard the term fully qualified domain name (FQDN). An FQDN contains both the hostname and a domain name. It uniquely identifies a host within a DNS hierarchy. For example, http://www.bayside.net is an FQDN. Every FQDN is broken down into different levels, each separated by a period. In the preceding example, .net is the top-level domain and bayside is the second-level domain. The top-level domain normally identifies the type of organization, such as a government organization (gov) or an educational organization (edu). The second-level domain indicates a specific domain within that top-level namespace, whereas the third level might indicate a specific host within that domain. In all cases, DNS servers are used to resolve FQDNs to IP addresses.
DNS can use two different processes to resolve queries: recursive and iterative. With a recursive query, the DNS client requires the DNS server to respond with the IP address of the request or an error message that the requested name does not exist. The DNS server cannot refer the client to another DNS server if it cannot map the request to an IP address. When a DNS server receives a recursive request, it queries other DNS servers until it finds the information or until the query fails.
With an iterative query, the DNS server uses zone information and its cache to return the best possible answer to the client. If the DNS server does not have the requested information, it can refer the client to another DNS server.
For example, when a DNS client enters http://www.bayside.net into a browser, the following process occurs:
1. A DNS request is sent to the local DNS server. This can be a DNS server on the client's local network or a DNS server at the client's Internet service provider (ISP).
2. Before forwarding the request to a root server, the DNS server checks its local cache to determine whether the name has recently been resolved. If there is an entry in the local cache, the IP address is returned to the client.
3. If no entry exists in the cache for the hostname, the request is sent by the DNS server to a root name server.
4. The root name server refers the DNS server to a name server responsible for the first-level domain within the hostname. For example, the root name server would refer the request to the bayside.net DNS server.
5. The original DNS server is referred to second-level DNS servers, and then third-level DNS servers, until one of them can resolve the hostname to an IP address and return the results back to the client.
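The following Python model of that walk is an added example, not code from the book or from the Windows DNS service. It plays the part of the client's local DNS server: it answers a recursive query from the client by checking its cache and then issuing iterative queries that follow referrals from a root server down to the authoritative server. The server names, zones and addresses are constructed for the example.

```python
# Added example (not from the book): a small model of the recursive/iterative
# resolution walk described above. All server names, zones and addresses
# below are constructed for the example.

# Constructed "name servers": each knows delegations (referrals to a child
# zone's server) and authoritative answers for names in its own zone.
SERVERS = {
    "ns.root.example": {                       # a root name server
        "delegations": {"net": "ns.net-tld.example"},
        "answers": {},
    },
    "ns.net-tld.example": {                    # the .net top-level domain server
        "delegations": {"bayside.net": "ns1.bayside.net"},
        "answers": {},
    },
    "ns1.bayside.net": {                       # authoritative for bayside.net
        "delegations": {},
        "answers": {"www.bayside.net": "192.0.2.10"},
    },
}


class LocalDnsServer:
    """The client's local DNS server: it accepts recursive queries and does
    the iterative walk root -> TLD -> authoritative on the client's behalf."""

    def __init__(self, servers, root_server):
        self.servers = servers
        self.root_server = root_server     # what the root hints would supply
        self.cache = {}                    # hostname -> IP, built as names resolve
        self.trace = []                    # servers contacted by the last query

    def _iterative_query(self, server, name):
        """One iterative query: the server answers, refers, or says 'not here'."""
        self.trace.append(server)
        data = self.servers[server]
        if name in data["answers"]:
            return "answer", data["answers"][name]
        # Referral: the most specific delegation covering the name
        # ("bayside.net" for "www.bayside.net", "net" at the root).
        labels = name.split(".")
        for i in range(1, len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in data["delegations"]:
                return "referral", data["delegations"][suffix]
        return "nxdomain", None

    def recursive_query(self, name):
        """Recursive query as a client sends it: returns the IP, or None when the
        name does not exist. The client is never handed a referral."""
        self.trace = []
        if name in self.cache:             # step 2: check the local cache first
            self.trace.append("cache")
            return self.cache[name]
        server = self.root_server          # step 3: start at a root name server
        visited = set()
        while server not in visited:       # stop on a referral loop
            visited.add(server)
            kind, value = self._iterative_query(server, name)
            if kind == "answer":
                self.cache[name] = value   # next client gets it from the cache
                return value
            if kind == "referral":
                server = value             # steps 4-5: follow the referral down
                continue
            return None
        return None


def demo_resolution():
    """Resolve www.bayside.net twice and a missing name once; return what happened."""
    local = LocalDnsServer(SERVERS, "ns.root.example")
    first = local.recursive_query("www.bayside.net")
    first_trace = list(local.trace)
    second = local.recursive_query("www.bayside.net")
    second_trace = list(local.trace)
    missing = local.recursive_query("nosuch.bayside.net")
    return {
        "first": (first, first_trace),
        "second": (second, second_trace),
        "missing": missing,
    }


if __name__ == "__main__":
    for key, value in demo_resolution().items():
        print(key, value)
```

The first query contacts three servers in turn; the second is answered from the cache without any server being contacted, which is the traffic saving the chapter attributes to the cache. A name that does not exist comes back to the client as a plain negative answer, never as a referral.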
Now that you have a general idea what happens when a DNS client attempts to connect to another computer using a hostname, let's take a look at the types of roles that can be assigned to Windows Server 2003 DNS.
Implementing Windows 2003 DNS Server Roles
You can configure a DNS server in one of three possible roles. The role the server plays depends on the configuration of zone files and how they are maintained. The zone files contain configuration information for the zone as well as the resource records.
A zone file contains the resource records for a portion of the DNS namespace. Resource records map hostnames to IP addresses. Both of these topics are covered later in this chapter, in the section "Creating Resource Records."
The three possible DNS server configuration roles, each described in turn below, are as follows:
- Caching-only server
- Primary server
- Secondary server
Keep in mind when you are planning DNS server roles that a single DNS server can perform multiple roles. For example, a DNS server can be the primary server for one zone and at the same time be a secondary server for another DNS zone.
All DNS servers maintain a cache.dns file that contains a list of all Internet root servers. Any time a DNS server resolves a hostname to an IP address, the information is added to the cache file. The next time a DNS client needs to resolve that hostname, the information can be retrieved from the cache instead of the Internet.
Caching-only servers do not contain any zone information, which is the main difference between them and primary and secondary DNS servers. The main purpose of a caching-only server (other than providing name resolution) is to build the cache file as names are resolved. They resolve hostnames, cache the information, and return the results to the client. Because these servers hold no zone information, either hostnames are resolved from the cache or else another DNS server is required to resolve them.
Caching-only servers are useful when you need to reduce network traffic. Again, because there is no zone information, no zone transfer traffic is generated (meaning that no information is replicated between DNS servers). Hostname traffic is also reduced as the cache file is built up because names can be resolved locally using the contents of the local DNS server's cache.
It's important to understand when caching-only servers should be implemented. Caching-only servers are useful when there are remote locations that have slow WAN links. Configuring a caching-only server in these locations can reduce WAN traffic that would normally be generated between primary and secondary DNS servers, and can speed up hostname resolution after the cache file has been established.
A primary DNS server hosts the working (writable) copy of a zone file. If you need to make changes to the zone file, it must be done from the server that is designated as the primary server for that zone. For those of you who are familiar with Windows NT 4.0, this is similar to how the primary domain controller (PDC) maintains the working copy of the directory database. After a server has been configured as a primary DNS server for a zone, it is said to be authoritative for that domain. Also, a single DNS server can be the primary DNS server for multiple zones.
A secondary server gets all its zone information from a master DNS server. The secondary DNS server hosts a read-only copy of the zone file, which it gets from the primary server or another secondary DNS server. Through a process known as a zone transfer, the master DNS server sends a copy of the zone file to the secondary server.
Pre-Windows 2000 implementations of DNS supported only full transfers, in which an update to the zone file resulted in the entire zone database being transferred to the secondary servers. Windows Server 2003 (as well as Windows 2000 DNS) supports incremental zone transfers, so the secondary servers can synchronize their zone files by pulling only the changes. This results in less network traffic.
For example, if Server2 is configured as a secondary server for bayside.net, Server2 would get all of its zone information from Server1, the primary DNS server for the zone. Any changes that need to be made to the zone file would have to be done on Server1. The changes would then be copied to Server2. As already mentioned, a DNS server can be both a primary and a secondary server at the same time. Using this example, Server2 could also be configured as the primary server for riverside.net, and, to provide fault tolerance for the zone file, Server1 could be configured as a secondary server for this zone.
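The difference between a full and an incremental zone transfer is easier to see in code. The following Python model is an added example, not code from the book or from the Windows DNS service: a primary (writable) zone that numbers each change with a serial, and a secondary (read-only) zone that pulls either the whole zone or only the changes it is missing. Real DNS carries the serial in the zone's SOA record; the zone contents and addresses here are constructed.

```python
# Added example (not from the book): a primary zone with a serial number and a
# secondary that synchronizes with either a full or an incremental transfer.
# Real DNS tracks the serial in the zone's SOA record; the zone contents here
# are constructed.


class PrimaryZone:
    """Writable copy of a zone. Every change bumps the serial and is logged so
    that an incremental transfer can replay only the changes."""

    def __init__(self, name, records):
        self.name = name
        self.serial = 1
        self.records = dict(records)       # hostname -> IP address
        self.history = []                  # [(serial, [(host, old_ip, new_ip), ...])]

    def update(self, changes):
        """Apply {host: ip} (ip None = delete) and record the change set."""
        self.serial += 1
        applied = []
        for host, new_ip in changes.items():
            old_ip = self.records.get(host)
            if new_ip is None:
                self.records.pop(host, None)
            else:
                self.records[host] = new_ip
            applied.append((host, old_ip, new_ip))
        self.history.append((self.serial, applied))

    def full_transfer(self):
        """AXFR-style transfer: the whole zone is sent."""
        return self.serial, dict(self.records)

    def incremental_transfer(self, secondary_serial):
        """IXFR-style transfer: only the change sets newer than the secondary's
        serial, or None when the history does not reach back far enough (the
        secondary must then fall back to a full transfer)."""
        newer = [(s, c) for s, c in self.history if s > secondary_serial]
        if len(newer) != self.serial - secondary_serial:
            return None
        return newer


class SecondaryZone:
    """Read-only copy of a zone, refreshed by pulling from the master."""

    def __init__(self, master):
        self.master = master
        self.serial = 0                    # nothing loaded yet
        self.records = {}

    def synchronize(self):
        """Pull changes. Returns (kind, count): kind is 'none', 'incremental'
        or 'full'; count is the number of records or record changes moved."""
        if self.serial == self.master.serial:
            return "none", 0
        changes = self.master.incremental_transfer(self.serial)
        if changes is None:
            self.serial, self.records = self.master.full_transfer()
            return "full", len(self.records)
        moved = 0
        for serial, change_set in changes:
            for host, _old_ip, new_ip in change_set:
                if new_ip is None:
                    self.records.pop(host, None)
                else:
                    self.records[host] = new_ip
                moved += 1
            self.serial = serial
        return "incremental", moved


def demo_transfers():
    """Server1 is primary for bayside.net, Server2 secondary; show both transfer kinds."""
    server1 = PrimaryZone("bayside.net", {"www": "192.0.2.10", "mail": "192.0.2.20"})
    server2 = SecondaryZone(server1)
    results = [server2.synchronize(), server2.synchronize()]    # full, then nothing to do
    server1.update({"ftp": "192.0.2.30"})                        # one new host on Server1
    results.append(server2.synchronize())                       # incremental: 1 change
    server1.update({"mail": None, "www": "192.0.2.11"})          # a delete and a change
    results.append(server2.synchronize())                       # incremental: 2 changes
    results.append(server2.records == server1.records)          # copies now agree
    return results


if __name__ == "__main__":
    print(demo_transfers())
```

The first pull has to be a full transfer because the secondary holds nothing; after that, each pull moves only as many record changes as were made on the primary, which is why incremental transfers cut the traffic between servers. Note that all edits go through `PrimaryZone.update`; the secondary only ever copies.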
Secondary DNS servers provide the following benefits:
- Fault tolerance: Because the secondary server has a copy of the zone file, name resolution can continue if the primary DNS server becomes unavailable.
- Reduction in name-resolution traffic: Secondary servers can be placed in remote locations with a large number of users. Clients can then resolve hostnames locally instead of having to contact a primary DNS using a WAN link.
- Load balancing: Name-resolution services for a zone can be provided by the secondary server as well, thereby reducing the load placed on the primary DNS server.
DNS can be installed in several ways. It can be added during the installation of Windows Server 2003, after installation using the Configure Your Server Wizard, or through the Add or Remove Programs applet in the Control Panel. DNS can also be installed when promoting a server to a domain controller using the DCPROMO command.
The only real requirement for installing DNS is a computer running Windows Server 2003. It cannot be installed on a computer running Windows XP. Also, if you are using Dynamic Host Configuration Protocol (DHCP) on the network to assign IP addresses, it's generally a good idea to configure the DNS server with a static IP address that is outside the range of addresses included in the DHCP scope.
To install the DNS Server service using the Add or Remove Programs applet within the Control Panel, perform the following steps:
1. Click Start, point to Control Panel, and click Add or Remove Programs.
2. Click Add/Remove Windows Components.
3. Highlight Networking Services from the Components list and click the Details button.
4. From the list of components, select Domain Name System (DNS). Click OK and then click Next.
5. After the necessary files are copied, click Finish.
6. Close the Add or Remove Programs applet.
Configuring DNS Server Options
When DNS is installed, the DNS management console is added to the Administrative Tools menu. From the management console, you can manage all aspects of a DNS server, from configuring zones to performing management tasks.
A number of options can be configured for a DNS server. By right-clicking the DNS server within the management console and selecting the Properties option, the Properties window for the server is displayed (see Figure 3.1).
Figure 3.1 After installing the DNS service, you can configure DNS server options through the server's Properties dialog box.
The available tabs from the DNS server Properties sheet and their uses are summarized as follows:
- Interfaces: Using this tab, you can configure the interfaces on which the DNS server will listen for DNS queries.
- Forwarders: From this tab, you can configure where a DNS server can forward DNS queries that it cannot resolve.
- Advanced: This tab allows you to configure advanced options, determine the method of name checking, determine the location from which zone data is loaded, and enable automatic scavenging of stale records.
- Root Hints: This tab enables you to configure root name servers that the DNS server can use and refer to when resolving queries.
- Debug Logging: From this property tab, you can enable debugging. When this option is enabled, packets sent and received by the DNS server are recorded in a log file. You can also configure the type of information to record in the file.
- Event Logging: The Event Logging tab enables you to configure the type of events that should be written to the DNS event log. You can log errors, warnings, and all events. You can also turn off logging by selecting No Events.
- Monitoring: The Monitoring tab can be used to test and verify the configuration by manually sending queries against the server. You can perform a simple query that uses the DNS client on the local server to query the DNS service to return the best possible answer. You can also perform a recursive query in which the local DNS server can query other DNS servers to resolve the query.
- Security: This tab enables you to assign permissions to users and groups for the DNS server.
Configuring DNS Zone Options
After you have installed the DNS Server service, your next step is to create and configure zones (unless the DNS server is not authoritative for any zones).
A zone is basically an administrative entity. A zone is nothing more than a portion of the DNS database that is administered as a single unit. A zone can contain a single domain or span multiple domains. The DNS server that is authoritative for a zone is ultimately responsible for resolving any requests for that particular zone. The zone file maintains all of the configuration information for the zone and contains the resource records for the domains in the zone.
Each new zone consists of a forward lookup zone and an optional reverse lookup zone. A forward lookup zone maps hostnames to IP addresses. When a client needs the IP address for a hostname, the information is retrieved from the forward lookup zone. A reverse lookup zone does the opposite. It allows for reverse queries, or mapping of an IP address back to a hostname. Reverse queries are often used when troubleshooting with the NSLookup command.
Windows Server 2003 supports four types of zones:
- Standard primary zone: This type of zone maintains the master writable copy of the zone in a text file. An update to the zone must be performed from the primary zone.
- Standard secondary zone: This zone type stores a copy of an existing zone in a read-only text file. To create a secondary zone, the primary zone must already exist, and you must specify a master name server. This is the server from which the zone information is copied.
- Active Directory-integrated zone: This zone type stores zone information within Active Directory. This enables you to take advantage of additional features, such as secure dynamic updates and replication. Active Directory-integrated zones can be configured on Windows Server 2003 domain controllers running DNS. Each domain controller maintains a writable copy of the zone information, which is stored in the Active Directory database.
- Stub zone: This type of zone is new in Windows Server 2003. A stub zone maintains only a list of authoritative name servers for a particular zone. The purpose of a stub zone is to ensure that DNS servers hosting a parent zone are aware of authoritative DNS servers for its child zones. One of the advantages of stub zones is that they create a dynamic relationship between the parent and child. Compared to delegation, which points to a single IP address, stub zones allow much more flexibility for the administrator because changes in the child zone are automatically reflected in the stub without making changes to the configuration.
Windows Server 2003 now includes a fourth type of DNS zone known as a stub zone. Because this is a new feature of Windows Server 2003, be prepared to encounter exam questions related to this topic.
After the DNS service is installed, you can manage it using the DNS management console. From this management console, you can begin configuring a DNS server by creating zones. To create a new zone, follow these steps:
1. Click Start, point to Administrative Tools, and click DNS. This opens the DNS management console.
2. Right-click the DNS server and click New Zone. The New Zone Wizard opens. Click Next.
3. Select the type of zone you want to create: primary zone, secondary zone, or stub zone. You also have the option of storing the zone within Active Directory, if it is available. (The option to store information within Active Directory is available only if Active Directory is installed on the local machine.) Click Next.
4. Select the type of zone you want to create: a forward lookup zone or a reverse lookup zone. Click Next.
5. If you select a forward lookup zone, the Zone Name page appears. Type the name for the zone, such as bayside.net. Click Next.
6. If you selected to create a reverse lookup zone, type the network ID (see Figure 3.2). This is used to create the in-addr.arpa domain, with subdomains named using the network ID of the IP address. DNS uses the reverse lookup zone for performing address-to-name translations. For example, a network ID of 192.168.1 would be translated into 1.168.192.in-addr.arpa. Click Next.
7. In the Zone File screen, select whether to create a new zone file or to use an existing one (see Figure 3.3). This option appears when creating a forward or reverse lookup zone. Click Next.
8. Specify how the DNS zone will receive updates from DNS client computers. Three options are available, as shown in Figure 3.4. If the zone is Active Directory integrated, you can allow secure updates only. You can allow both nonsecure and secure updates, or you can turn off dynamic updates so that the resource records must be manually updated. Dynamic updates are covered in more detail later in the chapter in the section "Dynamic Updates."
Figure 3.2 If you are creating a reverse lookup zone, you must supply the network ID.
Figure 3.3 You must provide a filename for the zone file or select an existing file.
Creating Resource Records
After a zone has been created, it can be populated with resource records. Remember, if your clients are all running Windows Server 2003, Windows XP, or Windows 2000 and the zone is configured for dynamic updates, the clients can add and update their own resource records. You can also manually add resource records to a zone file through the DNS management console. A number of resource records can be created. To view all of the resource records supported by Windows Server 2003 DNS, right-click a zone and select Other New Records (see Figure 3.5).
Figure 3.4 You must configure how the DNS zone will receive dynamic updates.
Figure 3.5 The next step in zone creation is populating the zone with DNS resource records.
The following list summarizes some of the more common resource records you might encounter:
- Host Address (A) record: Maps a DNS name to an IP address.
- Mail Exchanger (MX) record: Routes messages to a specified mail exchanger for a specified DNS domain name.
- Pointer (PTR) record: Points to a location in the DNS namespace. PTR records are normally used for reverse lookups.
- Alias (CNAME) record: Specifies another DNS domain name for a name that is already referenced in another resource record.
As already mentioned, resource records can be created using the DNS management console. To create a new host record, simply right-click the zone in which you want to create the record and select the New Host (A) option. In the New Host dialog box, type the name and IP address for the host. To automatically create a pointer record, select the Create Associated Pointer (PTR) Record check box (see Figure 3.6).
Figure 3.6 You can add a new host record via the DNS management console.
To create additional resource records, simply select the type of record you want to create and fill in the required information.
The NSLookup command can be used to determine the hostname associated with a specific IP address. To use the NSLookup command, PTR records must exist.
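To tie the reverse zone naming, the record types above, and the PTR requirement for NSLookup together, here is an added Python example (not code from the book or from the Windows DNS service). It builds a forward zone for bayside.net and the reverse zone for the 192.168.1 network, adds hosts the way the New Host dialog does (with or without the associated PTR record), and performs forward and reverse lookups. The zone contents and addresses are constructed.

```python
# Added example (not from the book): forward and reverse lookup zones populated
# with A, CNAME, MX and PTR records, plus the in-addr.arpa naming used for
# reverse lookups. The zone contents and addresses are constructed.
import ipaddress


def reverse_zone_name(network_id):
    """Reverse lookup zone for a network ID: "192.168.1" -> "1.168.192.in-addr.arpa"."""
    return ".".join(reversed(network_id.split("."))) + ".in-addr.arpa"


def ptr_owner_name(ip):
    """Owner name of the PTR record for a full IPv4 address."""
    ipaddress.IPv4Address(ip)              # rejects a malformed address early
    return reverse_zone_name(ip)


class Zone:
    """A zone as a flat list of (owner, type, data) resource records."""

    def __init__(self, name):
        self.name = name
        self.records = []

    def add(self, owner, rtype, data):
        self.records.append((owner, rtype, data))

    def find(self, owner, rtype):
        return [d for o, t, d in self.records if o == owner and t == rtype]

    def lookup(self, name, _depth=0):
        """Forward lookup: the A address for name, following CNAME aliases."""
        addresses = self.find(name, "A")
        if addresses:
            return addresses[0]
        aliases = self.find(name, "CNAME")
        if aliases and _depth < 8:         # bound the alias chain
            return self.lookup(aliases[0], _depth + 1)
        return None

    def mail_exchangers(self, domain):
        """MX records for a domain, lowest preference value (most preferred) first."""
        return sorted(self.find(domain, "MX"))

    def reverse_lookup(self, ip):
        """What NSLookup does for an address: fetch the PTR record, if any."""
        targets = self.find(ptr_owner_name(ip), "PTR")
        return targets[0] if targets else None


def add_host(forward, reverse, host, ip, create_ptr=True):
    """Equivalent of the New Host dialog: an A record, and the associated PTR
    record in the reverse zone when the check box is selected."""
    fqdn = f"{host}.{forward.name}"
    forward.add(fqdn, "A", ip)
    if create_ptr:
        reverse.add(ptr_owner_name(ip), "PTR", fqdn)


def build_example_zones():
    """bayside.net and its reverse zone for the 192.168.1 network."""
    forward = Zone("bayside.net")
    reverse = Zone(reverse_zone_name("192.168.1"))
    add_host(forward, reverse, "server1", "192.168.1.10")
    add_host(forward, reverse, "mail1", "192.168.1.20")
    add_host(forward, reverse, "server2", "192.168.1.30", create_ptr=False)
    forward.add("www.bayside.net", "CNAME", "server1.bayside.net")
    forward.add("bayside.net", "MX", (10, "mail1.bayside.net"))
    forward.add("bayside.net", "MX", (20, "server2.bayside.net"))
    return forward, reverse


if __name__ == "__main__":
    fz, rz = build_example_zones()
    print(fz.lookup("www.bayside.net"), rz.reverse_lookup("192.168.1.10"))
    print(rz.reverse_lookup("192.168.1.30"))   # server2 was added without a PTR
```

server2 was added with the PTR check box cleared, so its forward lookup works but a reverse lookup of 192.168.1.30 returns nothing, which is exactly the situation in which NSLookup cannot report a hostname for an address.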
Configuring DNS Simple Forwarding
DNS servers often must communicate with DNS servers outside of the local network. A forwarder is an entry that is used when a DNS server receives DNS queries that it cannot resolve locally. It then forwards those requests to external DNS servers for resolution.
By configuring forwarders, you can specify which DNS servers are responsible for handling external traffic. Otherwise, all DNS servers can send queries outside of the local network, possibly exposing DNS information to untrusted hosts on the Internet. Configuring forwarding adds another level of security to the network because only servers identified as forwarders are permitted to forward queries outside the local network.
Additionally, if all DNS servers were allowed to forward queries outside the network, the result could be a large amount of unnecessary network traffic. This can become an important issue if the Internet connection is slow, costly, or already heavily utilized. Because a forwarder receives queries from local DNS servers, it builds up a large amount of cache information. This means that many of the queries received by the forwarder can be resolved from the cache instead of forwarding the requests outside the local network. This is obviously more efficient in terms of network traffic.
When a DNS server configured to use forwarding receives a DNS query from a DNS client, the following process occurs:
1. When a DNS server receives a DNS query, it first attempts to resolve the request using its zone information and information within its local cache.
2. If the request cannot be resolved locally, the DNS server sends a recursive query to the DNS server designated as the forwarder.
3. The forwarder attempts to resolve the query. If the forwarder does not respond, the DNS server attempts to resolve the request by contacting the appropriate DNS server, as specified in the root hints. (Root hints list authoritative root servers for the Internet.)
A DNS server can be configured to send all queries that it cannot resolve locally to a forwarder, and you can also configure conditional forwarders. With conditional forwarders, DNS servers are configured to forward requests to different servers based on the DNS name within the query. When configuring conditional forwarding, you must specify the following information:
- The domain name for which queries will be forwarded
- The IP address of the DNS server to which unresolved queries for the specified domain should be forwarded
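The three-step process and the conditional-forwarder rule above are shown together in this added Python example (not code from the book or from the Windows DNS service). The server answers from its zones and cache first, otherwise picks the conditional forwarder whose domain best matches the query name (or the default forwarder), and falls back to root hints only when the chosen forwarder does not respond. Each answer is tagged with the step that produced it, so an administrator can see which queries actually left the local network. The upstream servers are constructed stand-ins rather than network calls.

```python
# Added example (not from the book): the forwarder lookup order described above,
# with a default forwarder, conditional forwarders chosen by domain name, and
# the fall-back to root hints when a forwarder does not respond. The upstream
# servers are constructed stand-ins, not network calls.


def make_upstream(table):
    """A constructed upstream server: returns the IP, or None for unknown names."""
    return lambda name: table.get(name)


def unresponsive(name):
    """A constructed forwarder that never answers."""
    raise TimeoutError(f"no response while forwarding {name}")


class ForwardingDnsServer:
    def __init__(self, zone, default_forwarder, conditional_forwarders, root_hints):
        self.zone = zone                                # hostname -> IP, local zones
        self.cache = {}                                 # hostname -> IP
        self.default_forwarder = default_forwarder      # callable(name) -> IP | None
        self.conditional = conditional_forwarders       # domain -> callable
        self.root_hints = root_hints                    # callable standing in for the
                                                        # iterative walk from the roots

    def _pick_forwarder(self, name):
        """Conditional forwarder for the most specific matching domain, else default."""
        labels = name.split(".")
        for i in range(len(labels)):
            domain = ".".join(labels[i:])
            if domain in self.conditional:
                return self.conditional[domain], f"forwarder:{domain}"
        return self.default_forwarder, "forwarder:default"

    def resolve(self, name):
        """Return (ip, source) where source says which step answered."""
        if name in self.zone:                           # step 1: zone information
            return self.zone[name], "zone"
        if name in self.cache:                          # step 1: local cache
            return self.cache[name], "cache"
        forwarder, source = self._pick_forwarder(name)
        try:
            ip = forwarder(name)                        # step 2: recursive query to forwarder
        except TimeoutError:
            ip, source = self.root_hints(name), "root hints"   # step 3: forwarder silent
        if ip is not None:
            self.cache[name] = ip                       # answers build the cache
        return ip, source


def demo_forwarding():
    """Resolve a mix of local, partner, Internet and unreachable-forwarder names."""
    server = ForwardingDnsServer(
        zone={"www.bayside.net": "192.168.1.10"},
        default_forwarder=make_upstream({"www.example.org": "198.51.100.7"}),
        conditional_forwarders={
            "partner.example": make_upstream({"intranet.partner.example": "203.0.113.5"}),
            "riverside.net": unresponsive,              # its forwarder is down
        },
        root_hints=make_upstream({"www.riverside.net": "192.0.2.44"}),
    )
    return [server.resolve(n) for n in (
        "www.bayside.net", "intranet.partner.example", "www.example.org",
        "www.example.org", "www.riverside.net", "nosuch.example.org")]


if __name__ == "__main__":
    for answer in demo_forwarding():
        print(answer)
```

Note the distinction in step 3: a forwarder that answers "no such name" ends the query, while a forwarder that does not answer at all sends the server to the root hints. A second lookup of www.example.org is served from the cache, which is the traffic reduction the chapter describes.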
To configure DNS forwarders, follow these steps:
1. Within the DNS management console, right-click the DNS server and click Properties.
2. From the Properties window for the DNS server, click the Forwarders tab.
3. Under DNS Name, select a domain name. To add a new domain name, click the Add button.
4. Under the Selected Domain's Forwarder IP Address list, type the IP address of the forwarder and click Add.