CHAPTER 7
IMPLEMENTING DOMAIN NAME SYSTEM (DNS)
Lesson 1:
Introducing DNS
DNS is similar to a telephone book. Each computer on the Internet has both a host name and an
Internet Protocol (IP) address. Typically, when you want to connect to another computer, you must
enter a host name. Your computer then contacts a DNS server that cross-references the host name
you provided to the actual IP address. This IP address is then used to connect to the remote
computer.
DNS Origins
Before the implementation of DNS, the creation of user-friendly computer names was done using
HOSTS files that contained a list of names and associated IP addresses. On the internet, the file
was centrally administered and each location would periodically download a new copy. As the
number of computers on the Internet grew, this became an unmanageable solution.
DNS and Windows 2000
In addition to providing traditional Internet name resolution, DNS is the primary name service of
Windows 2000. It is, by design, a highly reliable, hierarchical, distributed, and scalable database.
Windows 2000 clients use DNS for name resolution and service location, including locating domain
controllers for logon. DNS in Windows 2000 provides a unique DNS Server implementation that
is fully interoperable with other standards-based implementations of DNS Server.
How DNS Works
The purpose of the DNS database is to translate computer names into IP addresses. In the DNS,
the clients are called resolvers and the servers are called name servers. DNS works using three
main components: resolvers, name servers, and the domain name space. With basic DNS
communication, a resolver sends queries to a name server. The name server returns the requested
information, a pointer to another name server, or a failure message, if the request cannot be satisfied.
=====================================================================
wininf7.html PAGE
2 2002/03/21
DNS maps to the application layer and uses User Datagram Protocol (UDP) and Transmission
Control Protocol (TCP) as the underlying protocols. For performance reasons, resolvers send
UDP queries to servers first, then resort to TCP if truncation of the returned data occurs.
Resolvers
A resolver provides clients with address information about other computers on the network. The
function of the resolver is to pass name requests between applications and name servers. The name
request contains a query, such as the IP address of a Web site. Resolvers first send UDP queries to
servers for increased performance and resort to TCP only if truncation of the returned data occurs.
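To make the UDP-first, TCP-on-truncation rule concrete, here is an added Python example (not from the original page) that builds a query, decodes the 12-byte DNS header, and decides from the TC bit whether the resolver must retry over TCP; the reply bytes are constructed for the example, not captured from a real server.

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
FLAG_QR = 0x8000  # message is a response
FLAG_TC = 0x0200  # truncated: the answer did not fit in the UDP message

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a DNS query message for qname (qtype 1 = A record), class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack(">HH", qtype, 1)
    return header + question

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {
        "id": txid,
        "is_response": bool(flags & FLAG_QR),
        "truncated": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "qdcount": qd,
        "ancount": an,
    }

def next_transport(udp_reply: bytes, expected_id: int) -> str:
    """What a resolver does with a UDP reply: accept it, retry over TCP, or discard it."""
    h = parse_header(udp_reply)
    if h["id"] != expected_id or not h["is_response"]:
        return "discard"   # not a response to the query we sent
    if h["truncated"]:
        return "tcp"       # TC bit set: the complete answer only fits in a TCP stream
    return "accept"

# Constructed sample replies (not real captures) echoing the question section.
_query = build_query("www.microsoft.com")
REPLY_COMPLETE = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _query[12:]   # QR RD RA
REPLY_TRUNCATED = struct.pack(">HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + _query[12:]  # QR TC RD RA
```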
Name Servers
A name server contains address information about other computers on the network. This information
can be given to client computers that make a request to the name server. If the name server is not able
to resolve the request, it can forward the request to a different name server.
The Structure of DNS
Root-Level Domains
Domains define different levels of authority in a hierarchical structure. The top of the hierarchy is called
the root domain. References to the root domain are expressed by a period (.).
Top-Level Domains
The following are the present top-level domains:
com Commercial organizations
edu Educational institutions and universities
org Not-for-profit organizations
net Networks (the backbone of the Internet)
gov Nonmilitary government organizations
mil Military government organizations
num Phone numbers
arpa Reverse DNS
xx Two-letter country codes
Top-level domains can contain second-level domains and hosts.
NOTE: An Internet Society committee is planning several additional top-level domains such as
firm and web.
Second-Level Domains
Second-level domains can contain both hosts and other domains, called subdomains. For example,
the Microsoft domain, Microsoft.com can contain computers such as ftp.microsoft.com and
subdomains such as dev.Microsoft.com.
Host names
The domain name is used with the host name to create a fully qualified domain name (FQDN) for
the computer. The FQDN is the host name followed by a period (.) and then the domain name.
Zones
The administrative unit for DNS is the zone. A zone is a subtree of the DNS database that is
administered as a single, separate entity.
Zones of Authority
A zone of authority is the portion of the domain name space for which a particular name server is
responsible. The name server stores all address mappings for the domain name space within the
zone and answers client queries for those names. You can also have a secondary DNS server that
copies domain information across the network from the primary DNS server that has authority
over at least one zone. This is called a zone transfer.
Breaking up domains across multiple zone files may be necessary for distributing management of
the domain to different groups or for data replication efficiency.
Name Server Roles
DNS name servers can be configured in different roles, affecting how they store and maintain their
database of names. A Microsoft DNS server can be either a primary or secondary DNS server to
another Microsoft DNS server, or to a DNS server running under another operating system such
as UNIX.
Primary Name Servers
A primary name server is a DNS server that gets the data for its zones from the local DNS database
file. When a change is made to the zone data, such as delegating a portion of the zone to another
DNS server or adding hosts in the zone, the change must be made on the primary DNS server so
that the new information is entered in the local zone file.
Secondary Name Servers
A secondary name server gets its zone data file from the primary DNS server that is authoritative
for that zone. The primary DNS server sends a copy of the zone file to the secondary DNS server
in a process referred to as a zone transfer.
There are three reasons to have secondary name servers:
secondary name servers prevents these clients from communicating across slow links for name
resolution.
Master Name Servers
When you define a zone on a name server as a secondary zone, you must designate another name
server from which to obtain the zone information. The source of zone information for a secondary
name server in a DNS hierarchy is referred to as a master name server. A master name server
can be either a primary or secondary name server for the requested zone.
Caching-Only Servers
Although all DNS name servers cache queries that they have resolved, caching-only servers are
DNS name servers that only perform queries, cache the answers, and return the results.
When trying to determine when to use such a server, keep in mind that when the server is initially
started, it has no cached information and must build this information up over time as it services
requests.
Lesson Summary:
DNS was created. In DNS, a client (called a resolver) sends queries to a name server. Name
servers then take name requests and resolve computer names to IP addresses. The domain name
space is a hierarchical grouping of root-level domains, top-level domains, second-level domains,
and host names.
Lesson 2:
Name Resolution and DNS Files
There are three types of queries that a client (resolver) can make to a DNS server: recursive,
iterative, and inverse. These servers store their DNS information in four possible files: database,
reverse lookup, cache, and boot files.
Recursive Queries
In a recursive query, the queried name server is petitioned to respond with the requested data, or
with an error stating that data of the requested type does not exist or that the domain name
specified does not exist.
Iterative Queries
The queried name server gives the best answer it currently has back to the requester. This answer
may be the resolved name or a referral to another name server that may be able to answer the
client’s original request.
address of www.microsoft.com.
requested domain name.
of a name server for the com top-level domain.
name server.
Microsoft.com domain.
Microsoft.com name server.
original resolver.
Inverse Queries
In an inverse query, the resolver sends a request to a name server to resolve the host name
associated with a known IP address.
To prevent an exhaustive search of all domains for an inverse query, a special domain called
in-addr.arpa was created. Nodes in the in-addr.arpa domain are named after the numbers
in the dotted-decimal representation of IP addresses.
Once the in-addr.arpa domain is built, special resource records called pointer (PTR) records
are added to associate the IP addresses and the corresponding host name. For example, to
find a host name for the IP address 157.55.200.51, the resolver queries the DNS server for
a PTR record for 51.200.55.157.in-addr.arpa.
The PTR record found contains the host name corresponding to the IP address 157.55.200.51.
Caching and Time to Live
When a name server is processing a recursive query, it may be required to send out several
queries to find the answer. The name server caches all of the information that it receives
during this process for a time that is specified in the returned data.
Smaller TTL values help ensure that data about the domain is more consistent across the
network if this data changes often. However, this also increases the load on name servers.
Once data is cached by a DNS server, it must start decreasing the TTL from its original value
so that it will know when to flush the data from its cache. If a query comes in that can be
satisfied by this cached data, the TTL that is returned with the data is the current amount of
time left before the data is flushed from the DNS server cache.
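As an added example (not part of the original notes), this Python cache models the TTL countdown described above: the TTL returned from cache is the time remaining, expired entries are flushed, and a short simulation counts how many upstream queries a small versus a large TTL causes; the clock is faked so it runs offline.

```python
import time

class FakeClock:
    """Manually advanced clock so cache behaviour can be shown without waiting."""
    def __init__(self, now=0):
        self.now = now
    def __call__(self):
        return self.now

class TtlCache:
    """Resolver cache: each entry keeps its absolute expiry time, so the TTL handed
    to a later querier is the remaining time, not the original value."""
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._entries = {}          # (name, rtype) -> (data, expires_at)
        self.upstream_queries = 0   # how often we had to ask another server

    @staticmethod
    def _key(name, rtype):
        return (name.lower().rstrip("."), rtype.upper())

    def store(self, name, rtype, data, ttl):
        self._entries[self._key(name, rtype)] = (data, self._clock() + ttl)

    def lookup(self, name, rtype):
        """Return (data, remaining_ttl), or None if the entry is absent or expired."""
        key = self._key(name, rtype)
        hit = self._entries.get(key)
        if hit is None:
            return None
        data, expires_at = hit
        remaining = expires_at - self._clock()
        if remaining <= 0:
            del self._entries[key]  # TTL ran out: flush the data from the cache
            return None
        return data, int(remaining)

    def resolve(self, name, rtype, upstream):
        """Answer from cache when possible; otherwise query upstream (a callable
        returning (data, ttl)), cache the answer, and count the extra load."""
        hit = self.lookup(name, rtype)
        if hit is not None:
            return hit
        data, ttl = upstream(name, rtype)
        self.upstream_queries += 1
        self.store(name, rtype, data, ttl)
        return data, ttl

def upstream_queries_for(ttl, duration=600, interval=10):
    """Simulate one client asking for the same name every `interval` seconds for
    `duration` seconds and report how many queries reached the upstream server."""
    clock = FakeClock()
    cache = TtlCache(clock=clock)
    # Constructed answer; the address is the page's Rhino host record.
    upstream = lambda name, rtype: ("157.55.200.143", ttl)
    for t in range(0, duration, interval):
        clock.now = t
        cache.resolve("www.microsoft.com", "A", upstream)
    return cache.upstream_queries
```

Running upstream_queries_for(60) against upstream_queries_for(300) shows the trade-off the text describes: the shorter TTL keeps data fresher but sends five times as many queries upstream.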
DNS Configuration Files
The DNS is a hierarchical, distributed database. The database itself consists of resource
records, which primarily consist of a DNS name, a record type, and data values that are
associated with that record type.
To resolve names, servers consult their zones (also called DNS database files, or simply,
db files). The zones contain resource records (RRs) that make up the resource information
associated with the DNS domain. For example, some RRs map friendly names to IP
addresses, and others map IP addresses to friendly names.
Start of Authority Record
The first record in any database file must be the start of authority (SOA) record. The SOA
defines the general parameters for the DNS zone. The following is an example of an SOA
record:
**** See page 160 ****
The following rules apply to all SOA records:
The at symbol @ in a database file indicates “this server”.
IN indicates the Internet record.
Any host name not terminated with a period (.) will be appended with the root domain.
The @ symbol is replaced by a period (.) in the e-mail address of the administrator.
Parentheses () must enclose any record that spans more than one line.
Name Servers Record
The name server (NS) record lists the additional name servers. A database file may contain
more than one NS record. The following is an example of an NS record:
@ IN NS nameserver2.Microsoft.com
Host Record
A host address resource record (A) statically associates a host name to its IP address.
Host records will comprise most of the database file and will list all hosts within the zone.
The following are examples of host records:
Rhino IN A 157.55.200.143
Localhost IN A 127.0.0.1 (loopback)
CNAME Record
A canonical name (CNAME) record enables you to associate more than one host name
with an IP address. This is sometimes referred to as aliasing. The following is an example
of a CNAME record:
FileServer1 CNAME rhino
www CNAME rhino
ftp CNAME rhino
The Reverse Lookup File
The reverse lookup file (z.y.x.w.in-addr.arpa) allows a resolver to provide an IP address
and request a matching host name. A reverse lookup file is named like a zone file according
to the in-addr.arpa zone for which it is providing reverse lookups.
This DNS reverse lookup capability is important because some applications provide the
capability to implement security based on the connecting host's name. For instance, if a
browser sends a request to an Internet Information Server (IIS) Web server with this
security arrangement, the Web server would contact the DNS server and do a reverse
name lookup on the client's IP address. If the host name returned by the DNS server is
not in the access list for the Web site, or if the host name was not found by DNS, then the
request would be denied.
NOTE: Windows 2000 does not require reverse lookup zones to be configured. Reverse
lookup zones might be necessary for other applications or for administrative convenience.
The PTR Record
PTR records provide an address-to-name mapping within a reverse lookup zone. The octets of
the IP address are written in reverse order and "in-addr.arpa" is appended to the end to create
the PTR record name. As an example, looking up the name for 157.55.200.51 requires a PTR
query for the name 51.200.55.157.in-addr.arpa.
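The following added Python example (not from the original page or Microsoft's DNS code) applies the SOA rules, the NS/A/CNAME records, and the PTR naming described above: it parses a constructed zone file, expands @ and unqualified names with the origin, turns the SOA mailbox back into an e-mail address, follows CNAME aliases to an A record, and builds the in-addr.arpa name for an address.

```python
from collections import defaultdict

# Constructed zone file (not from the page) exercising the rules above: @ for the
# origin, a multi-line SOA in parentheses, ';' comments, and an optional IN class.
ZONE_TEXT = """\
@  IN  SOA  nameserver1.Microsoft.com. administrator.Microsoft.com. (
              2002032101 ; serial
              3600       ; refresh
              600        ; retry
              86400      ; expire
              3600 )     ; minimum TTL
@           IN  NS     nameserver2.Microsoft.com.
Rhino       IN  A      157.55.200.143
Localhost   IN  A      127.0.0.1   ; loopback
FileServer1     CNAME  rhino
www             CNAME  rhino
ftp             CNAME  rhino
"""

def _fqdn(name, origin):
    """@ means the zone origin; a name without a trailing period gets the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def _logical_lines(text):
    """Yield each record as a token list; parentheses join a record spanning several lines."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]                     # drop comments
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            tokens, buf = " ".join(buf).split(), []
            if tokens:
                yield tokens

def parse_zone(text, origin):
    """Return {(owner, type): [rdata, ...]} with every name made fully qualified."""
    records = defaultdict(list)
    for fields in _logical_lines(text):
        owner, rest = _fqdn(fields[0], origin), fields[1:]
        if rest[0].upper() == "IN":                     # class is optional here
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), rest[1:]
        if rtype in ("NS", "CNAME"):
            value = _fqdn(rdata[0], origin)
        elif rtype == "SOA":                            # mname, rname, then 5 integers
            rname = _fqdn(rdata[1], origin).rstrip(".")  # first '.' of rname stands for '@'
            value = [_fqdn(rdata[0], origin), rname.replace(".", "@", 1)]
            value += [int(n) for n in rdata[2:]]
        else:
            value = rdata[0]
        records[(owner.lower(), rtype)].append(value)
    return records

def resolve_a(records, name, origin, hops=0):
    """Follow CNAME aliases (bounded) to an A record, as a name server would."""
    key = _fqdn(name, origin).lower()
    if (key, "A") in records:
        return records[(key, "A")][0]
    if (key, "CNAME") in records and hops < 8:
        return resolve_a(records, records[(key, "CNAME")][0], origin, hops + 1)
    return None

def ptr_name(ip):
    """Owner name for a reverse lookup: octets reversed, then in-addr.arpa appended."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."
```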
The Cache File
The CACHE.DNS file contains the records of the root domain servers. The cache file is
essentially the same on all name servers and must be present.
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET 3600000 A 198.41.0.4
The cache file contains host information that is needed to resolve names outside of authoritative
domains, and also contains names and addresses of root name servers. The default file provided
with the Windows 2000 DNS Server has the current records for all of the root servers on the
Internet, and is stored in the %SystemRoot%\System32\Dns folder. For installations not
connected to the Internet, the file should be replaced with one that contains the name servers
authoritative for the root of the private network.
The Boot File
The boot file is the startup configuration file on the Berkeley Internet Name Daemon-specific
implementation of DNS. Commands must start at the beginning of a line and no spaces can
precede commands.
======================================================================
Command     Description
======================================================================
Directory   Specifies a directory where other files referred to in the boot file can
            be found.
Cache       Specifies a file used to help the DNS service contact name servers for
            the root domain. This command and the file it refers to must be present.
            A cache file suitable for use on the Internet is provided with
            Windows 2000.
Primary     Specifies a domain for which this name server is authoritative and a
            database file that contains the resource records for that domain (that
            is, the zone file). Multiple primary command records can exist in the
            boot file.
Secondary   Specifies a domain for which this name server is authoritative and a
            list of master server IP addresses from which to attempt to download
            the zone information, rather than reading it from a file. It also
            defines the name of the local file for caching this zone. Multiple
            secondary command records can exist in the boot file.
Examples of Boot File Commands
Syntax                                           Example
directory [directory]                            directory C:\winnt\system32\dns
cache . [file_name]                              cache . cache
primary [domain] [file_name]                     primary Microsoft.com. Microsoft.dns
                                                 primary dev.Microsoft.com dev.dns
secondary [domain] [hostlist] [local_file_name]  secondary test.Microsoft.com 157.55.200.100 test.dns
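As an added example (my own code, not the Windows 2000 DNS service's parser), this Python routine reads a boot file in the syntax shown above, enforces the two rules the text states (commands start at the beginning of a line; the cache command must be present), and answers whether the server is authoritative for a domain. The boot file is constructed for the example.

```python
# Constructed boot file in the syntax shown above (not a real server's file).
BOOT_TEXT = """\
directory C:\\winnt\\system32\\dns
cache . cache
primary Microsoft.com. Microsoft.dns
primary dev.Microsoft.com dev.dns
secondary test.Microsoft.com 157.55.200.100 test.dns
"""

class BootFileError(ValueError):
    """Raised when the boot file breaks one of the syntax rules."""

def parse_boot_file(text):
    """Parse BIND-style boot commands into a dict of directory, cache, primary and
    secondary entries, rejecting indented commands and a missing cache command."""
    cfg = {"directory": None, "cache": None, "primary": [], "secondary": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith(";"):
            continue                                   # blank line or comment
        if raw[0].isspace():
            raise BootFileError(f"line {lineno}: command must start at beginning of line")
        fields = raw.split()
        cmd, args = fields[0].lower(), fields[1:]
        if cmd == "directory" and len(args) == 1:
            cfg["directory"] = args[0]
        elif cmd == "cache" and len(args) == 2:       # domain (the root '.') and file
            cfg["cache"] = {"domain": args[0], "file": args[1]}
        elif cmd == "primary" and len(args) == 2:
            cfg["primary"].append({"domain": args[0], "file": args[1]})
        elif cmd == "secondary" and len(args) >= 3:   # domain, one or more masters, file
            cfg["secondary"].append({"domain": args[0], "masters": args[1:-1], "file": args[-1]})
        else:
            raise BootFileError(f"line {lineno}: bad command {raw!r}")
    if cfg["cache"] is None:
        raise BootFileError("cache command is required")
    return cfg

def is_authoritative(cfg, domain):
    """True if the boot file makes this server primary or secondary for domain."""
    wanted = domain.lower().rstrip(".")
    zones = cfg["primary"] + cfg["secondary"]
    return any(z["domain"].lower().rstrip(".") == wanted for z in zones)

def boot_file_problem(text):
    """Return the error message for a bad boot file, or None if it parses."""
    try:
        parse_boot_file(text)
    except BootFileError as exc:
        return str(exc)
    return None
```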
Lesson Summary:
queries to DNS servers: recursive, iterative, or inverse.
or provide the client with an alternative DNS server that will provide the correct information.
sent to the DNS server.
lookup, cache, and boot files.
Lesson 3:
Planning a DNS Implementation
The configuration of your DNS servers depends on factors such as the size of your organization,
organization locations, and fault-tolerance requirements.
DNS Considerations
Although Windows 2000 and its name resolution require a DNS server, the DNS server itself
does not have to reside on a server running Windows 2000.
For reliability and redundancy, Microsoft recommends that at least two DNS servers be configured
per domain, a primary and a secondary name server. The primary maintains the database of
information, which is replicated to the secondary name server. This replication allows name queries
to be serviced even if one of the name servers is unavailable. The replication schedule can be
configured depending on how often names change in the domain.
Registering with the Parent Domain
Once you have the DNS installed, you need to register it. The parent system needs the names and
addresses of your name servers and may require other information, such as the date that the domain
becomes available and the names and mailing addresses of contact people.
*** See the practice domain page 165 ***
Lesson Summary:
DNS for your site.
Lesson 4:
Installing DNS
Microsoft DNS is an RFC-compliant DNS server; as a result, it creates and uses standard DNS
zone files and supports all standard resource record types. It is interoperable with other DNS servers
and includes the DNS diagnostic utility NSLOOKUP.
Before installing the Microsoft Windows 2000 DNS Server service, it is important that the
Windows 2000 server’s TCP/IP protocol be configured correctly. The DNS Server service
obtains the default settings for the host name and domain name through the Microsoft TCP/IP
Properties dialog box.
** Do some of the exercises on page 173 ***
Troubleshooting DNS with NSLOOKUP
NSLOOKUP is a useful tool for troubleshooting DNS problems such as host name resolution. When
you start NSLOOKUP, it shows the host name and IP address of the DNS server that is configured
for the local system, and then displays a command prompt for further queries.
NSLOOKUP Modes
NSLOOKUP has two modes: interactive and noninteractive. If a single piece of data is needed,
use noninteractive or command-line mode. If more than one piece of data is needed, interactive
mode can be used.
Lesson Summary:
Microsoft DNS is interoperable with other DNS servers. Before installing the DNS Server service,
you should make sure that the Windows 2000 server’s TCP/IP protocol is configured correctly.
The NSLOOKUP utility is the primary diagnostic tool for DNS. It lets you display resource records
on DNS servers.
Lesson 5:
Configuring DNS
There are two ways to administer the Microsoft DNS server: use the DNS Manager or manually
edit the DNS configuration files.
Configuring DNS Server Properties
The primary tool that you use to manage Windows 2000 DNS servers is the DNS console. Because
the DNS server has no initial information about a user's network, the DNS server installs as a caching-only
name server for the Internet. This means that the DNS server contains only information on the Internet
root servers.
To configure DNS
Active Directory-integrated. Active Directory-integrated DNS enables Active Directory storage and
replication of DNS zone databases. Zone data is stored as an Active Directory object and is replicated
as part of domain replication.
Standard primary. Standard primary zones are required to create and manage zones in your DNS name
space if you are not using Active Directory.
Standard secondary. Standard secondary zones help balance the processing load of primary servers and
provide fault tolerance.
Manually Configuring DNS
The DNS server can be configured manually by editing files in the default installation path
\system_root\System32\Dns. Administration is identical to administration of traditional DNS. The DNS
service must then be stopped and restarted.
Adding DNS Domains and Zones
The first step in configuring the DNS server is to determine the hierarchy for your DNS domains and
zones. Once the domain and zone information has been determined, this information must be entered
into the DNS configuration using the DNS console.
Adding Primary and Secondary Zones
Add primary and secondary zones through the DNS console.
DNS Manager will then construct a default zone file name, and if the zone already exists, it will import
these records.
A primary zone stores name-to-address mappings locally. When you configure a primary zone, you
need no information other than the zone name.
Secondary zones obtain name-to-address mappings from a master server by zone transfer.
Once all zones have been added to the server, subdomains under the zones can be added.
There is a key written to the DNS registry entry for each zone for which the DNS will be authoritative.
The keys are located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Zones.
Configuring Zone Properties
After you have added a zone you must configure the properties:
General. Configures the zone file in which the resource records are stored and specifies whether this
is a primary or secondary name server.
SOA record. Configures zone transfer information and the name server administrator mailbox.
Notify. Specifies the secondary servers to be alerted when the primary server database changes.
WINS lookup. Enables the name server to query WINS to resolve names. A list of WINS servers
can be configured in this dialog.
Adding Resource Records:
Once the zones and subdomains are configured, resource records can be added. To create a new
host, right-click a zone or subdomain and then click New Host.
Configuring Reverse Lookup
To find a host name, given the host's IP address, a reverse lookup zone must be created for each
network on which hosts in the DNS database reside.
The steps for adding a reverse lookup zone are the same as for a forward lookup zone. For example,
if a host has an address of 198.231.25.89, it would be represented in the in-addr.arpa domain as
89.25.231.198.in-addr.arpa.
Lesson Summary:
name, given this host’s IP address, a reverse lookup zone must be created for each network on
which hosts in the DNS database reside.
CLASSROOM EXERCISES:
SOA records use these rules: The at symbol @ in a database file indicates “this server”. IN indicates
an Internet record. Any host name not terminated with a period (.) will be appended with the root
domain. The @ symbol is replaced by a period (.) in the e-mail address of the administrator.
Parentheses () must enclose line breaks that span more than one line.
CNAME is the aliasing
Pointer record is important, you must have it for reverse lookup to work.
BOOT-FILE: RFC Compliant “request for comments”.
DNS servers store their name and configuration information in four files: database, reverse lookup,
cache, and boot files.
Page 164. Do you want to run it or do you want a secondary server to run it or an external company.
You could be at their mercy if they go offline, and they may not give you any notice.
DNS Internal/External: Better Security, routers easier to setup.
Internally. 2 DNS servers for redundancy, and integrate into Active Directory.
*** NSLOOKUP page 174, on the exam, and certification.
*** DO THE VIDEO ALSO
***