BACK

AD LAYER 3: DNS

Domain Name System- DNS

DNS is a Hierarchical distributed database of Fully Qualified Domain Names (FQDN) to IP mappings.

Returns IPs to answer queries presenting FQDNs
Returns IPs to answer queries presenting DNS hostnames (in the DNS server's name space)
Returns IPs to answer queries presenting partial FQDNs (in the DNS server's name space or up the DNS tree)
Returns FQDNs to answer queries presenting IPs - when reverse lookup (in-arpa) zones (PTR records) exist

DNS can be thought of of a sort of the evolved descendent of the /etc/hosts file, but vastly more manageable and scalable.

FQDN (Fully Qualified Domain Name) = hostname and full DNS suffix; FQDNs are unique in the DNS namespace. (If in an AD containing a DNS root, they are unique within that space, if in the public DNS namespace they are unique globally within that namespace.)

RFC 1034 "DOMAIN NAMES - CONCEPTS AND FACILITIES," November 1987, is an introduction to DNS <http://www.ietf.org/rfc/rfc1034.txt>

DNS domains are NOT equal to Microsoft domains. Microsoft marketing co-opted the term domain back with NT4, before adopting the later de-facto standard TCP/IP), presumably as an attempt to gain market share against UNIX and the Internet. This caused confusion then, and continues to do so now. However, now, with AD being built on DNS, usually the Microsoft domain trees parallel exactly DNS domains.

DNS defined with history and some nice pix and references - http://en.wikipedia.org/wiki/Domain_Name_System

DNS names are alpha-numeric and include the hyphen and the reserved character"." Domain names must start (and end ?) with a letter. MS DNS supports the underscore character too. Internet DNS names are limited to 255 bytes. AD DNS names are limited to 155 bytes, 63 bytes per level - this is due to the additional overhead of the DNS structures in the _msdcs zone.

One should be familiar with ccTLDs (country code Top Level Domains), gTLDs (generic Top Level Domains), and ARPA's (Advanced Research Projects Agency) role in the public DNS namespace.

DNS Zones

• Delegation boundary
• Replication boundary
• Can contain contiguous sub-domains

FORWARD ZONES

• Used by clients to resolve FQDNs to IPs
• Primary and Secondary zones are forward lookup zones

REVERSE ZONES

• Special zone populated with PTR RRs
• Used by clients to resolve IPs to FQDNs
• Must manually check create reverse zone too when creating the forward zone, same with A and PTR records, there is a check box for this too. Some more on PTR updates here .

Primary zone

• Master in a single master DNS replication model
• Write-able zone file

Secondary zone

• Slave in a single master DNS replication model
• Read-only zone file
• You can create a secondary zone on a DNS server where the primary zone it mirrors is an ADI zone

Zone transfers

• zone transfers from single primary to multiple secondary zones are the replication method in the single master DNS replication model
• AXFR - full or All zone transfer (ls command in nslookup does this !)
• IXFR - Incremental zone transfer

Authoritative DNS servers

• Resolve for a DNS zone
• If they don't know the answer to a query, there is none
• Delegated to from above
• An authoritative DNS service is NOT necessarily a primary DNS server

Stub zone

• New feature to 2003 ?
• Like a secondary zone which holds only glue records for a zone
• Glue records are the RRs that hold DNS together - the NS RRs
• The stub zone functions just like a conditional forward - except where the conditional forward goes to a single server, the stub zone functionality uses recursive DNS resolution against all the listed NS RRs
• The stub zone can automatically accommodate some changes to NS server IPs too
• http://www.windowsnetworking.com/articles_tutorials/DNS_Stub_Zones.html

DNS Forwarder

• One or more DNS servers to which the DNS server configured with DNS forwarding directs DNS queries when it can not answer the request in question
• DNS either answers authoritatively, or from a local secondary zone, or from cache - if it doesn't know the answer, the request goes to a forwarder

DNS Conditional Forwarder

• New feature to 2003
• A granular forwarder; forwards to another DNS server only queries to limited areas of the global DNS hierarchy
• Used to save a few DNS hops to get to a known part of the DNS namespace
• Used to get to a known part of the DNS namespace if there is no other path available
• Used to workaround some DNS namespace overlap issues
• Can be multiple conditional forwards

Dynamic DNS (DDNS)

• Records being manually added would be manual or non-dynamic
• DDNS aware and configured clients pointing at a DDNS server can register their own records in DNS. Workstation clients do A and PRT RRs. Servers can do SRV RRs for AD KRB.
• AD DHCP servers can register DNS records on behalf or their DHCP clients (see the ADI DHCP DDNS section of this site for less vague detail)
• ISP users with DHCP addresses can use DDNS to automatically keep a registered FQDN pointed properly even though the IP changes. (This is not an AD thing but an non-AD example of DDNS.) In this case with the register has a SOA RR pointing to the DDNS host-er, which then in turn points to the DHCP address.

Recursive DNS Queries

• Default
• Provides an answer or an error
• Does work on behalf of a client (client is often another DNS server)
• A Recursive DNS server can recursively issue iterative queries to other DNS servers on behalf of a client

Iterative DNS Queries

• AKA Non-Recursive
• Provides an answer or an error or a referral (ie: go ask server bla - it might know)
• Does not ask another DNS server for the answer (ie does not recurce)

DNS Caching

• All MS DNS servers are caching servers, by default
• All queries are cached, a repeat query is resolved from cache instead of from a new lookup
• Clients also cache DNS, and avoid using DNS at all as appropriate (but the DNS server accessed by multiple clients is more efficient in reducing WAN traffic and speeding DNS resolution for common queries.)

DNS Suffixes

• Primary
• Connection Specific
• Appended

Non-Recursive (AKA DNS Slave) Server: You configure this DNS server role by selecting the option "Do not use recursion for this domain" on the Forwarders tab. This server is one that contacts another DNS server (the forwardee) to resolve any queries for which it cannot provide an response from data that is cached on it or (authoritivly) from records in its local zones. Configuring the server as a Non-Recursive / slave server / exclusive mode, forces the server to send queries to a forwarder and not try to resolve the query if the forwarder cannot provide an answer. This eliminates the traffic that would be generated if the DNS server tried to then resolve the query on its own by contacting a root name server.

The root zone "." is represented by a dot or period. A computer that hosts a root zone cannot be configured to use a forwarder because the computer is considered to be at the top of the DNS namespace. If your network is not connected to the Internet or if your network uses a proxy server to connect to the Internet, you should have a root zone on at least one DNS server on your network. When you install the DNS Server service on a server running Windows Server 2003 and the DNS service cannot contact a root name server, the service creates a root zone on the computer. Usually this is undesirable and results in problems and troubleshooting. You can delete this zone if you do not want the server to host the/a root zone.

DNS ports

• UDP 53 used for DNS queries
• TCP 53 used for DNS zone transfers
• TCP 53 also used in a particular case where queries start out as UDP then change over to TCP when the query answer data payload is over a certain size. Default size is _____

DNS scavenging

• More info in the DHCP and DDNS section
• Off by default
• Automatic way to clean out obsolete or stale dynamic records
• Has a two part threshold, but parts default to seven days
• ??? There is a cli scavenging tool too ???

ADI-DNS:

• ADI-DDNS runs on DCs only
• Active Directory Integrated DNS uses the directory (AD) for the storage and replication of DNS zone databases.
• Do not need to set up a separate DNS replication topology (zone transfers) - AD multi-master replication replaces traditional DNS zone transfers.
• The forest level replicating DNS zone _msdcs is created with AD forest creation and contains AD service locating records, (SRV RRs.)

AD Service Locators

AD Service locators. How Microsoft extended DNS SRV records to leverage DDNS to provide a IP based method (vs the 16th char NetBIOS method) for client/server clients to locate (full IP and port socket) AD services like DCs, GCs, KDCs, domains, sites, etc.. PPT made from a informative website's page on AD SRV records.

NETLOGON Service registers dynamic SRV RRs for:

• Domain - an A RR without the hostname
• DC in a domain
• DC in a site
• KRB
• PDCE
• GC for forest
• KRB password change
• LDAP

DNS DELEGATIONS

EXAMPLE: A DNS zone can contain host and other zones. For example ex.net could have a record hq.ex.net which is a host named hq. (And?)/Or hq could be a sub-domain with it's own records, like cio.hq.ex.net. These sub-zones or children or sub-domains or child domains can all be hosted by the ex.net DNS zone. Maybe ns1.ex.net and ns2.ex.net are authoritative for ex.net and everything under it. Now hq.ex.net want to control its own DNS and be authoritative for it, via perhaps ns1.hq.ex.net and ns2.hq.ex.net. From ex.net, hq.ex.net is delegated to the hq.ex.net DNS servers. In the ex.net zone NS records are added for hq.ex.net. A client looking for cio.hq.ex.net gets ex.net from the whatever.net server, then hq.ex.net from ns1.ex.net, then cio.hq.ex.net from ns1.hq.ex.net - one "walks down the DNS tree" via NS delegation records.

Question: How do clients walk UP the DNS tree?

• nsx.hq.ex.net hosts/serves a SECONDARY ZONE DNS for ex.net
• nsx.hq.ex.net FORWARDS all to nsx.ex.net
• nsx.hq.ex.net CONDITIONALLY FORWARDS *.ex.net (wildcard for descriptive text only, does not go in GUI, rather "ex.net" would be entered) requests to nsx.ex.net - very useful to get to a private namespace (that has a publicly routable IP address)
• nsx.hq.ex.net hosts/serves a STUB ZONE DNS for ex.net
• They don't walk up, they go out to the root or an ISP DNS server and find their way down - however this does NOT work if the DNS namespace is not publicly accessible

How to Enable Active Directory Integrated DNS (Optional--Recommended) http://support.microsoft.com/?kbid=237675

1. In DNS Manager, expand the DNS Server object.
2. Expand the Forward Lookup Zones folder.
3. Right-click the zone you created, and then click Properties.
4. On the General tab, the Zone Type value is set to Primary. Click Change to change the zone type.
5. In the Change Zone Type dialog box, click DS Integrated Primary, and then click OK.
6. The DNS server writes the zone database into Active Directory.
7. Right-click the zone named ".", and then click Properties.
8. On the General tab, the Zone Type value is set to Primary. Click Change to change the zone type.
9. In the Change Zone Type dialog box, DS Integrated Primary, and then click OK.

BIND and Microsoft Windows DNS

• BIND = Berkeley Internet Name Domain / Daemon
• BIND is the de facto DNS standard (at least except in AD)
• AD DNS requires support for SRV records, ixfr, DDNS, thus BIND version 4.9.7 is okay, BIND >= 8.2.2 is recommended
• Windows DNS can output to a .dns file for use by a BIND server
• Windows DNS can input from a .dns file, sort of
• cache.dns is the root hints file used by Windows DNS
• BIND can by used to support AD - but it is not recommended or pretty
• On the exams ADI-DDNS is usually the right answer

There are at least thirteen DNS root servers.

There are alternate DNS systems in place - point to them and get a whole 'nother perspective on the 'net!

See also the Name Resolution section of this site

Nice Link: Frequently asked questions about Windows 2000 DNS and Windows Server 2003 DNS - support.microsoft.com/kb/291382

BACK