
DNS Tutorial

Recall that DNS is a hierarchical namespace used to identify computers on large TCP/IP networks such as the Internet. Each part of this namespace is called a zone and DNS servers contain all computer information for a zone. More specifically, DNS servers resolve FQDN (Fully Qualified Domain Names) to IP addresses (called a forward lookup) or IP addresses to FQDNs (called a reverse lookup). DNS servers also contain SRV records used to locate services related to Active Directory and the DNS hierarchical namespace is paralleled by Active Directory as well. The primary purpose, however, for DNS is for name resolution on the Internet. When you contact a web server on the Internet such as www.trios.com, the FQDN of www.trios.com must be resolved by a DNS server, or series of DNS servers. The whole process is illustrated below:

[Diagram: DNS Client (resolver), local DNS Server, .com DNS Server, trios.com DNS Server and www.trios.com Web Server; the arrows numbered 1 to 5 correspond to the steps listed below.]

jason.eckert@trios.com

1. Your client web browser (e.g. Internet Explorer) requests to resolve the FQDN www.trios.com on your local DNS Server. This DNS Server is the one configured in your network interface properties discussed in Chapter 2 and is typically located at your Internet Service Provider (ISP), Bell Canada for example.

2. If the local DNS Server has recently resolved the FQDN and placed the result in its local DNS cache, you will get the response immediately (called an iterative query); otherwise the local DNS Server normally contacts the DNS Server for the .com zone and repeats the query (called a recursive query). The .com DNS server will not likely contain the result, but will reply with the IP address of the DNS server for the trios.com zone.

   NOTE: All DNS servers contain a DNS cache file that contains the IP addresses of DNS servers that hold top-level DNS zones (.com, .ca, .org, etc.). The entries in this cache file are sometimes called root hints.

3. Your local DNS server will then contact the DNS server for the trios.com zone and request to resolve the FQDN www.trios.com (another recursive query). The DNS server for the trios.com domain will then resolve the name and return the IP address to the local DNS server.

4. The local DNS server then returns the result to the client web browser.

5. The client web browser then uses the IP address to connect to the remote web server.
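The five steps above, modelled in Python as an added example (this code is not part of the tutorial). The server names, the zone data and the 192.0.2.x addresses are constructed; the local DNS server keeps a cache, starts from its root hints on a miss, follows the .com server's referral to the trios.com server, and caches the answer it gets back. The flush() method stands in for the ipconfig /flushdns command from the troubleshooting section.

```python
from dataclasses import dataclass, field

# Constructed authoritative data (not real servers): for each DNS server, the
# names it can answer. ("A", ip) is a final answer; ("NS", server) is a
# referral to the server that holds the child zone.
AUTHORITATIVE = {
    "com-dns":   {"trios.com.": ("NS", "trios-dns")},
    "trios-dns": {"www.trios.com.":  ("A", "192.0.2.10"),
                  "mail.trios.com.": ("A", "192.0.2.25")},
}

# Root hints: the cache file of top-level zone servers mentioned in step 2.
ROOT_HINTS = {"com.": "com-dns"}


def _answer(server, fqdn):
    """Return the record on `server` whose name is the longest suffix of fqdn, or None."""
    zone = AUTHORITATIVE[server]
    for name in sorted(zone, key=len, reverse=True):
        if fqdn == name or fqdn.endswith("." + name):
            return zone[name]
    return None


@dataclass
class LocalDnsServer:
    """The ISP's local DNS server: keeps a cache and walks the hierarchy on a miss."""
    cache: dict = field(default_factory=dict)
    queried: list = field(default_factory=list)   # servers contacted by the last lookup

    def resolve(self, fqdn):
        """Step 1: a client asks us for fqdn. Returns the IP, or None if nobody can answer."""
        self.queried = []
        if fqdn in self.cache:                     # step 2, cached: answer immediately
            return self.cache[fqdn]
        tld = fqdn.rstrip(".").rsplit(".", 1)[-1] + "."
        server = ROOT_HINTS.get(tld)               # step 2: start at the top-level zone server
        while server is not None:
            self.queried.append(server)
            rec = _answer(server, fqdn)
            if rec is None:                        # no such name in that zone
                return None
            rtype, value = rec
            if rtype == "A":                       # step 3: the zone's server resolves the name
                self.cache[fqdn] = value
                return value                       # step 4: hand the result back to the client
            server = value                         # referral: ask the child zone's server next
        return None

    def flush(self):
        """Drop cached answers, as ipconfig /flushdns does on a client."""
        self.cache.clear()


if __name__ == "__main__":
    local = LocalDnsServer()
    print(local.resolve("www.trios.com."), local.queried)   # walk: com-dns, then trios-dns
    print(local.resolve("www.trios.com."), local.queried)   # cache hit: no servers queried
```

The queried list is the useful part for a reader: it shows which servers had to be contacted for a given name, and that a repeat lookup for the same name touches none of them until the cache is flushed.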


Configuring DNS
To configure a DNS server, you must configure the server with the name of the zone(s) that it will manage. Each DNS server may contain several zones provided that they are for different parts of the DNS namespace. There are several types of zones that may be created.

Standard Primary Forward Lookup Zone: a zone that contains forward lookup records (FQDN to IP) for a section of the DNS namespace. This is the most common zone on the Internet and is configured on the first DNS server in a zone.

Standard Primary Reverse Lookup Zone: a zone that contains reverse lookup records (IP to FQDN) for a section of the DNS namespace. It is configured on the first DNS server in a zone.

Standard Secondary Forward Lookup Zone: an extra zone that you may configure on a DNS server; it will receive information from the DNS server that holds the Standard Primary Forward Lookup Zone via replication (called a zone transfer). These zones may resolve FQDNs for DNS clients to relieve the load on the DNS server that holds the Standard Primary Forward Lookup Zone.

Standard Secondary Reverse Lookup Zone: an extra zone that you may configure on a DNS server; it will receive information from the DNS server that holds the Standard Primary Reverse Lookup Zone via zone transfer. These zones may resolve IP addresses for DNS clients to relieve the load on the DNS server that holds the Standard Primary Reverse Lookup Zone.

NOTE: DNS servers that hold secondary zones may receive zone transfers from other secondary or primary DNS servers; however, records may only be changed on the DNS server that holds the primary zone, and there is only one DNS server that may hold the primary zone.

NOTE: Information for a standard DNS zone is stored in the %windir%\system32\dns folder on Windows 2000/2003/2008 computers.
Active Directory Integrated Zone: a forward or reverse lookup zone that stores its information in the Active Directory database on a domain controller; this information is then replicated alongside normal Active Directory replication for fault tolerance and load balancing. It may also participate in secure dynamic updates. However, Active Directory Integrated Zones are ill-suited for use on the Internet; their primary use is on intranets that use Active Directory.


To configure a DNS server, you may perform the following steps:

Step 1: Install the DNS Server service (your computer must have a static IP) using the Add/Remove Windows Components tab of Add/Remove Programs in Control Panel.

Step 2: Create zone(s) on your DNS server using the New Zone wizard in the DNS utility (Start > Programs > Administrative Tools > DNS). If the DNS service is installed on a domain controller, you must be a member of the Domain Admins, Enterprise Admins or DNSAdmins group. Otherwise you must be a member of the Administrators group.

By default, the DNS utility displays two folders that hold forward and reverse lookup zones; simply right-click one of these folders and choose New Zone to open the New Zone wizard:

The New Zone wizard prompts you for different information depending on the type of zone that you are creating. For example, you must specify the location of the zone files (usually in the %windir%\system32\dns\ folder) for a Standard Primary or Standard Secondary zone, but you are not prompted for this when creating an Active Directory Integrated Zone since the information is stored in Active Directory.


When a new zone has been created, a folder will be created for it in the DNS utility as shown below:

Step 3:

Create record(s) in your zones (also called resource records) by right-clicking your zone and selecting the appropriate entry from the menu.

Some common records include:

Label   Name in DNS Manager   Description
A       host                  used to resolve a FQDN to an IP address
CNAME   alias                 an alias to an A record
MX      mail exchanger        points to the email server for a zone
NS      name server           used to identify DNS servers
PTR     reverse lookup (IP)   used to resolve an IP address to a FQDN
SRV     service record        used to identify Active Directory services

Alternatively, you may use the dynamic update feature of DNS to allow Windows 2000+ clients to create and update their information in the DNS database. As shown in the diagram above, there are a few records that are created by default:


- A name server record for the local computer (since it is a DNS server)
- A host record for the local computer
- A SOA (Start of Authority) record for the zone

The SOA record is a special resource record that contains the name of the person in charge of the domain, the name of the DNS server that holds the Standard Primary zone, and zone transfer parameters (frequency, etc.); the DNS server that holds a Standard Primary zone has a read-write copy of the SOA record, whereas DNS servers that hold a Standard Secondary zone have a read-only copy of the SOA that is replicated from the DNS server that holds the Standard Primary zone. Since Active Directory Integrated Zones store their information in Active Directory and use Active Directory information, the SOA record is not used to specify zone transfer parameters.

Step 4: Configure client computers to use DNS server(s) for name resolution. You may do this manually or using the 006 option in DHCP if your clients are DHCP-enabled.
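To make the record types from the table in Step 3 and the SOA fields described above concrete, here is an added example (not from the tutorial) that parses a small zone file in the RFC 1035 text format that standard zones are stored in, extracts the SOA's zone transfer parameters, and runs the sanity checks a practitioner would want before loading the zone. The sample zone text, the trios.com names in it and the 192.0.2.x addresses are constructed; the check for in-zone targets that have no record is my own, not something the DNS utility performs.

```python
from collections import namedtuple

Record = namedtuple("Record", "name ttl rtype rdata")   # rdata is a list of tokens

# Constructed sample zone file (not from the tutorial). The SOA's rdata is:
# primary server, responsible mailbox, then serial/refresh/retry/expire/minimum.
SAMPLE_ZONE = """\
$ORIGIN trios.com.
$TTL 3600
@          IN SOA   ns1.trios.com. jason.eckert.trios.com. (
                    2024010101 ; serial
                    900        ; refresh
                    600        ; retry
                    86400      ; expire
                    3600 )     ; minimum
@          IN NS    ns1.trios.com.
@          IN MX    10 mail.trios.com.
ns1        IN A     192.0.2.53
www        IN A     192.0.2.10
mail       IN A     192.0.2.25
ftp        IN CNAME www
_ldap._tcp IN SRV   0 100 389 ns1.trios.com.
"""

# For each type, which rdata fields hold a domain name that must be qualified.
NAME_TYPES = {"NS": [0], "CNAME": [0], "PTR": [0], "MX": [1], "SRV": [3], "SOA": [0, 1]}


def _logical_lines(text):
    """Yield lines with ';' comments removed and '( ... )' continuations joined."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []


def _qualify(name, origin):
    """Turn '@' or a relative name into an FQDN under origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin=""):
    """Parse zone text into Record tuples; owner names and name-valued rdata are fully qualified."""
    records, default_ttl, owner = [], None, None
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if line[0].isspace():                       # blank owner: reuse the previous one
            if owner is None:
                raise ValueError("record without an owner name")
        else:
            owner = _qualify(tokens.pop(0), origin)
        ttl = default_ttl
        if tokens and tokens[0].isdigit():          # optional per-record TTL
            ttl = int(tokens.pop(0))
        if tokens and tokens[0].upper() == "IN":    # optional class
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        for i in NAME_TYPES.get(rtype, []):
            rdata[i] = _qualify(rdata[i], origin)
        records.append(Record(owner, ttl, rtype, rdata))
    return records


def soa(records):
    """Return the SOA as a dict with the zone transfer parameters as ints, or None."""
    for r in records:
        if r.rtype == "SOA":
            mname, rname, *nums = r.rdata
            params = dict(zip(("serial", "refresh", "retry", "expire", "minimum"), map(int, nums)))
            return {"mname": mname, "rname": rname, **params}
    return None


def check_zone(records):
    """Sanity checks before loading a zone; returns a list of problem strings (empty = OK)."""
    problems, names = [], {r.name for r in records}
    soa_recs = [r for r in records if r.rtype == "SOA"]
    if len(soa_recs) != 1:
        problems.append(f"expected exactly one SOA record, found {len(soa_recs)}")
    if not any(r.rtype == "NS" for r in records):
        problems.append("no NS record")
    zone = soa_recs[0].name if soa_recs else None
    for r in records:
        for i in NAME_TYPES.get(r.rtype, []):
            if r.rtype == "SOA" and i == 1:
                continue                            # rname is a mailbox, not a host name
            target = r.rdata[i]
            in_zone = zone is not None and (target == zone or target.endswith("." + zone))
            if in_zone and target not in names:     # targets outside the zone are not checked
                problems.append(f"{r.rtype} record {r.name} points to unknown name {target}")
        if r.rtype == "CNAME" and any(o.name == r.name and o.rtype != "CNAME" for o in records):
            problems.append(f"CNAME {r.name} coexists with other records")
    return problems


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    print(soa(recs))            # serial 2024010101, refresh 900, retry 600, ...
    print(check_zone(recs))     # [] for the sample zone
```

The refresh, retry and expire values pulled out by soa() are the zone transfer parameters the paragraph above refers to; a secondary uses them to decide how often to ask the primary for updates and how long to keep serving the zone if the primary cannot be reached.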

Once your zone(s) have been configured properly and resource records created, you may right-click the zone in the DNS utility and choose Properties to change your zone type, enable dynamic update, etc:


NOTE: You may also configure your DNS server to forward requests to other DNS servers. This is called a Forwarder or Caching-Only DNS Server since the DNS server will forward requests to other DNS servers and cache the results of DNS queries such that it may respond to future DNS queries. Simply right-click your server in the DNS utility, select Properties, highlight the Forwarders tab and enter the IP address of another DNS server.

NOTE: You may also configure your DNS server to forward requests to a WINS server if the name cannot be resolved; simply enter the IP address of a WINS server in the WINS tab of your zone's properties.

Troubleshooting DNS
Similar to the DHCP service, the DNS service logs information to a log file (%windir%\system32\dns\dns.log) provided it is enabled first. To configure logging, right-click your server in the DNS utility, choose Properties and select the Logging tab.

There are several utilities that can be used to test name resolution; the default utility provided on Windows 2003 is the nslookup utility. Simply pass the name or IP address of a computer as an argument to the nslookup command and it will attempt to resolve the name (forward lookup) or IP address (reverse lookup) using the DNS server configured in the properties of your network interface.

NOTE: The Monitoring tab of your server properties in the DNS utility can also be used to test simple (iterative) and recursive DNS queries.

To avoid unnecessary DNS queries, your computer caches DNS query results in case there is a future request for the same query. If the records in DNS change (e.g. due to dynamic update), your DNS cache may contain incorrect entries. To solve this, simply use the ipconfig /flushdns command to clear your DNS cache. As well, if you do not see records in your DNS zone as a result of dynamic update, you may manually run the command ipconfig /registerdns on client computers to force them to register their information in the DNS database.

NOTE: The DNS service also logs information to the Event Viewer.

NOTE: Often, stopping and starting the DNS service will fix DNS problems.
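When nslookup resolves a name it sends a DNS query message and reads the reply, so seeing the message format makes its output easier to interpret. The following added example (not from the tutorial) builds a query in Python, parses a reply that is constructed inline, including the name compression that real replies use, and applies the check a resolver must make before trusting a reply: that its transaction ID and question match the query that was sent. The name www.trios.com., the alias web.trios.com. and the address 192.0.2.10 in the reply are constructed.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode an FQDN as DNS labels: a length byte before each label, then a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Build a recursion-desired query for `name`; qtype 1 = A (forward), 12 = PTR (reverse)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it in the message)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                    # compression pointer to an earlier name
            if not jumped:
                end = offset + 2                     # the name occupies only the 2-byte pointer
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end if jumped else offset


def parse_response(msg):
    """Return the id, status and answer records (name, type, ttl, value) of a reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    code = flags & 0xF
    result = {"id": txid, "rcode": code, "status": RCODES.get(code, str(code)), "answers": []}
    offset = 12
    for _ in range(qd):                              # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:                # A record: dotted-quad address
            value = ".".join(str(b) for b in rdata)
        elif rtype in (5, 12):                       # CNAME / PTR: rdata is a name
            value, _ = read_name(msg, offset - rdlen)
        else:
            value = rdata.hex()
        result["answers"].append((name, rtype, ttl, value))
    return result


def reply_matches(query, reply):
    """A reply is only usable if its id and question section echo the query that was sent."""
    return query[:2] == reply[:2] and query[12:] == reply[12:len(query)]


def sample_response():
    """Constructed reply to build_query('www.trios.com.'): a CNAME plus the A it resolves to."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)   # QR=1, RD=1, RA=1, rcode 0
    question = encode_name("www.trios.com.") + struct.pack("!HH", 1, 1)
    # Name 0xC00C points at the question name (offset 12); 0xC010 points at "trios.com." inside it.
    cname = b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, 6) + b"\x03web\xc0\x10"
    # 0xC02B points at "web.trios.com." in the CNAME's rdata (offset 43).
    a = b"\xc0\x2b" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    return header + question + cname + a


if __name__ == "__main__":
    query = build_query("www.trios.com.")
    reply = sample_response()
    print(reply_matches(query, reply), parse_response(reply))
```

A status of NXDOMAIN in the parsed reply is the "Non-existent domain" that nslookup reports when the name is not in the zone, while SERVFAIL or REFUSED point at the server rather than the record; the answers list shows the CNAME chain that nslookup prints as "Aliases".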


NOTE: The System Monitor also has counters specific to the DNS service that may be used to identify DNS problems.
