Module 4: Resolving Host Names by Using Domain Name System

Academic year: 2021


Contents

Overview
Multimedia: The Role of DNS in the Network Infrastructure
Lesson: Installing the DNS Server Service
Lesson: Configuring the DNS Server Service
Lesson: Configuring DNS Zones
Lesson: Configuring DNS Zone Transfers
Lesson: Configuring a DNS Client
Lab: Resolving Host Names by Using DNS

and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links are provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2005 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, PowerPoint, Windows, Windows Media, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.


Instructor Notes

This module provides students with the knowledge and ability to configure name resolution by using DNS.

Presentation: 4 hours 15 minutes
Lab: 15 minutes

After completing this module, students will be able to:

• Describe the role of Domain Name System (DNS) in the network infrastructure.
• Install the DNS Server service.
• Configure the DNS Server service.
• Configure DNS zones.
• Configure DNS zone transfers.
• Configure a DNS client.

To teach this module, you need the following materials:

• Microsoft® Office PowerPoint® file 2277c_04.ppt
• The multimedia presentation The Role of DNS in the Network Infrastructure

Important: It is recommended that you use Microsoft Office PowerPoint 2002 or later to display the slides for this course. If you use Microsoft PowerPoint Viewer or an earlier version of PowerPoint, some features of the slides may not be displayed correctly.

To prepare for this module:

• Read all of the materials for this module.
• Complete all practices and the lab.
• Review the multimedia presentation The Role of DNS in the Network Infrastructure.
• Review prerequisite courses and modules.

How to Teach This Module

This section contains information that will help you to teach this module.

Practices and Labs

Explain to the students how the practices and labs are designed for this course. A module includes two or more lessons. Most lessons include a practice. After completing all of the lessons for a module, students finish the module with a lab.

This module includes only one instructor demonstration topic, but you should demonstrate many of the administrative tasks as you teach them. After you have covered the contents of the topics, explain that a practice will give students a chance for hands-on learning of all the tasks discussed in the lesson.

At the end of each module, the lab enables the students to practice the tasks that are discussed and applied in the module.

Using a scenario that is relevant to the job role of the students, the lab gives a set of instructions in a two-column format. The left column provides the task (for example, “Create a group”). In the right column are specific instructions that the students will need to perform the task (for example, “From Active Directory Users and Computers, double-click the domain node”).

An answer key for each lab exercise is located on the Student Materials CD, in case the students need step-by-step instructions to complete the lab. They can also refer to the practices and How To pages in the module.


Multimedia: The Role of DNS in the Network Infrastructure

This section describes the instructional methods for teaching this multimedia presentation.

• The multimedia files are installed on the instructor computer. To open a multimedia presentation, click the animation icon on the slide for that multimedia presentation.
• Explain that this multimedia presentation provides a visual and high-level overview of DNS and the domain namespace. The details of how DNS works are provided in the topic pages.
• Estimated time required for the multimedia presentation is 7 minutes.

Lesson: Installing the DNS Server Service

This section describes the instructional methods for teaching this lesson.

• Define DNS.
• Explain the purpose of DNS.
• Explain the purpose of Internet Network Information Center (InterNIC). For more information about InterNIC, go to the InterNIC Web site at http://www.internic.net.
• Explain the history of DNS.
• Explain the purpose of a domain namespace.
• Explain what a domain namespace, domain, root domain, top-level domain, second-level domain, and subdomain are by referring to the illustration in the slide.
• Explain what a fully qualified domain name (FQDN) is.
• Provide examples of domain namespace, domain, root domain, top-level domain, second-level domain, and subdomain.
• Explain the purpose of DNS naming standards.
• Discuss the DNS naming standards.
• Provide examples of DNS names that comply with the DNS naming standards.
• Direct the students to practice installing the DNS Server service.
• Reconvene class after all students have completed the practice and discuss the results of the practice.

Lesson: Configuring the DNS Server Service

This section describes the instructional methods for teaching this lesson.

• Describe the components of DNS, including the DNS server, DNS client, and DNS resource records.
    • Only briefly describe resource records; this content is explained in depth later in the lesson.
• Define query.
    • Only briefly explain that there are two types of queries; later topics in this lesson explain recursive and iterative queries in detail.
• Describe how DNS clients and DNS servers can initiate queries for name resolution.
• Explain that a DNS server can be either authoritative or nonauthoritative for the namespace of the query.
    • Describe how a DNS server will respond if it is authoritative.
    • Describe how a DNS server will respond if it is nonauthoritative.
• Define recursive query.
• Explain the purpose of a recursive query.
• Explain the characteristics of a recursive query.
• Describe how a recursive query works by referring to the slide.
    • This topic has a detailed animated slide, so be sure to review the slide prior to class.
• Define iterative query.
• Explain the purpose of an iterative query.
• Explain the characteristics of an iterative query.
• Describe how an iterative query works by referring to the example illustrated in the slide.
    • This topic has a detailed animated slide, so be sure to review the slide prior to class.
• Describe how a referral works.
• Describe how recursion works.
• Define forwarders.
• Explain the purpose of forwarders.
• Describe how a forwarder works by referring to the example illustrated in the slide.
    • This topic has a detailed animated slide, so be sure to review the slide prior to class.
• Describe forwarder behavior, including using forwarders with or without recursion.

• Define conditional forwarding.
• Explain how conditional forwarding works.
• Explain when to use conditional forwarding.
• Define root hint.
• Describe the function of a root hint on the Internet and within an organization by referring to the slide.
• Define caching.
• Explain the purpose of DNS server caching.
• Describe how DNS server caching works by referring to the example illustrated in the slide.
    • This topic has a detailed animated slide, so be sure to review the slide prior to class.
• Describe how negative caching works.
• Explain what caching-only servers are.
• Briefly explain what DNS client-side resolver caching is.
    • If students want more information about the DNS client resolver, see Module 3, “Resolving Names,” in Course 2277, Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure: Network Services.

Complete the following steps to demonstrate how to configure a DNS server to use forwarding and root hints. As you complete the demonstration, explain the options and explain why you would choose each option.

To update root hints on a DNS server:

1. Open the DNS console.
2. In the DNS console, select the appropriate server.
3. On the Action menu, click Properties.
4. On the Root Hints tab, you can click:
    • Add to add a Name Server. Enter the FQDN and IP address of the Name Server.
    • Edit to edit a Name Server. Edit the FQDN or IP address of the Name Server.
    • Remove to remove a Name Server.
    • Copy from Server to copy the list of Name Servers from a DNS server.
5. Click OK to close the Properties dialog box, and then close the DNS console.

To configure a DNS server to use a forwarder:

1. Open the DNS console.
2. In the DNS console, select the appropriate server.
3. On the Action menu, click Properties.
4. On the Forwarders tab, click New.
5. In the New Forwarder dialog box, type the name of the DNS domain that the DNS server will forward queries for, and then click OK.
6. On the Forwarders tab, in the Selected domain’s forwarder IP address list field, type the IP address of the DNS server that will act as the forwarder for queries that are in the server’s DNS domain, and then click Add.
7. On the Forwarders tab, in the Number of seconds before forward queries time out box, type the value in seconds.
8. If required, on the Forwarders tab, select the option Do not use recursion for this domain, and then click OK.
9. Close the DNS console.

To clear the DNS server cache by using the DNS console:

1. Open the DNS console.
2. In the DNS console, select the server.
3. On the Action menu, click Clear Cache.

To clear the DNS server cache by using the dnscmd command:

1. On the DNS server, install Support Tools from the Windows 2003 Server CD.
2. On the DNS server, at the command prompt, type dnscmd Server_Name /clearcache (where Server_Name is the name of the DNS server).

• Discuss using a central forwarder for Internet name resolution.
• Discuss considerations for using conditional forwarding.
• Discuss when to disable recursion.
• Use the build slide to discuss DNS server configuration. As you move through each part of the build slide, discuss the reasons for choosing each type of DNS server configuration.
• Direct the students to practice configuring properties for the DNS Server service.
• Reconvene class after all students have completed the practice and discuss the results of the practice.

Lesson: Configuring DNS Zones

This section describes the instructional methods for teaching this lesson.

• Define resource record, zone, and zone file.
• Describe how DNS data is stored and maintained by referring to the slide.
    • Only briefly describe resource records and zones; these two topics will be covered in depth later in this lesson.
• Define resource record set.
• Explain the purpose of resource records.
• Describe the resource types.
• Provide an example of a resource record and record types.
    • For example, you could create different types of resource records for the Demo.com zone.
• Provide an example of a resource record set.
• Explain the purpose of a DNS zone.
• Discuss the characteristics of a DNS zone.
• Provide examples of DNS zones, by referring to the illustration in the slide.
• Demonstrate how to create a DNS zone.
• Direct the students to practice configuring a DNS zone.
• Reconvene class after all students have completed the practice and discuss the results of the practice.
• Explain that there are four DNS zone types: primary, secondary, stub, and Active Directory® directory service integrated.
• Explain the purpose of DNS zone types.
• Explain what a primary zone is and when it is beneficial to use a primary zone.
• Explain what a secondary zone is and when it is beneficial to use a secondary zone.
• Define stub zone.
• Describe how stub zones work.
• Discuss the difference between stub zones and conditional forwarding.
• Explain the purpose of DNS forward and reverse lookup zones.
• Explain what a forward lookup and a forward lookup zone are.
• Explain what a reverse lookup and a reverse lookup zone are.
• Provide an example of a forward lookup zone and a reverse lookup zone by referring to the illustration in the slide.

• Explain when reverse lookups are used.
• Provide examples of when reverse lookups are used.
• Define zone delegation.
• Explain why delegation is used.
• Explain the delegation process.
• Explain how delegation allows for Internet name resolution.
• Discuss the problems with having more than one primary zone for the same domain name.
• Discuss using secondary zones for fault tolerance and load balancing.
• Explain when to use split DNS.
• Use the build slide to discuss DNS zone configuration. As you move through each part of the build slide, discuss the reasons for choosing each type of DNS zone configuration.
• Direct the students to practice configuring reverse lookup zones and zone delegation.
• Reconvene class after all students have completed the practice and discuss the results of the practice.

Lesson: Configuring DNS Zone Transfers

This section describes the instructional methods for teaching this lesson.

• Explain that there are two types of DNS zone transfers: full and incremental.
• Define primary DNS server, secondary server, master server, DNS zone transfer, full zone transfer (AXFR) and incremental zone transfer (IXFR).
• Explain the purpose of a DNS zone transfer.
• Describe the DNS zone transfer process by referring to the illustration in the slide.
    • This topic has a detailed animated slide, so be sure to review the slide prior to class.
• Explain the incremental zone transfer process.
• Highlight instances in which AXFR is used instead of IXFR.
• Explain that Microsoft Windows NT® version 4.0 does not support IXFR.
• Define DNS notify and notify list.
• Explain the purpose of DNS notify.
• Describe the process of DNS notify, by referring to the illustration in the slide.
    • This topic has a detailed animated slide, so be sure to review the slide prior to class.

• Explain how to restrict zone transfers to other servers.
• Explain that you can use Internet Protocol Security (IPSec) or virtual private networks (VPNs) to secure zone transfers.
• Briefly explain that using Microsoft Active Directory integrated zones can further secure a zone. This topic will be covered in greater detail in the next module.
• Direct the students to read the scenario.
• Direct the students to practice configuring DNS zone transfers.
• Reconvene class after all students have completed the practice and discuss the results of the practice.

Lesson: Configuring a DNS Client

This section describes the instructional methods for teaching this lesson.

• Define preferred DNS server and alternate DNS server.
• Explain the purpose of preferred and alternate DNS servers.
• Explain the Suffix Selection option by referring to the illustration in the slide.
• Explain the connection-specific suffix by referring to the illustration in the slide.
• Describe how suffixes are applied.
• Explain the purpose of configuring suffixes.
• Describe the process of contacting preferred and alternate servers by referring to the illustration in the slide.
• Direct the students to practice configuring a DNS client.
• Reconvene class after all students have completed the practice and discuss the results of the practice.

Lab: Resolving Host Names by Using DNS

Remind the students that they can review the module for assistance in completing the lab. Tell students that a detailed answer key for each lab is provided in the Labdocs folder on the Student Materials CD.

In preparation for the lab, consider drawing a diagram on the whiteboard that shows each of the computers used in the lab. Include the IP addresses in the diagram.

As students finish the lab, use the diagram to discuss how the students configured name resolution. For each task in the lab, discuss how the name resolution configuration was modified, or how the names were resolved.

Overview

*****************************ILLEGAL FOR NON-TRAINER USE******************************

A network solution needs to include Domain Name System (DNS) to provide name resolution services. An important factor in connecting components is the resolution of the host names to Internet Protocol (IP) addresses. In this module, you will learn how to resolve host names by using DNS.

After completing this module, you will be able to:

• Describe the role of DNS in the network infrastructure.
• Install the DNS Server service.
• Configure the DNS Server service.
• Configure a DNS zone.
• Configure DNS zone transfers.
• Configure a DNS client.

Multimedia: The Role of DNS in the Network Infrastructure

To start the presentation The Role of DNS in the Network Infrastructure, open the Web page on the Student Materials CD, click Multimedia, and then click the title of the presentation.

At the end of this presentation, you will be able to:

• Explain the role and benefits of DNS in the network infrastructure.
• Define the key components of DNS.
• Discuss the DNS domain namespace.
• Discuss DNS zones and zone transfer.
• Discuss DNS name servers.
• Explain how the host name resolution process works.
• Explain forward lookup queries.

• DNS is a distributed database system that can serve as the foundation for name resolution in an IP network.
• DNS is used by most internetworking software (such as electronic mail programs and Web browsers) to locate servers and to resolve, or map, a user-friendly name of a computer to its IP address.
• The domain namespace provides the structure of a DNS distributed database.
• Domains can be organized into zones, which are discrete and contiguous areas of the domain namespace.
• The name-to–IP address data for all computers located in a zone is stored in a zone database file on a DNS name server.

Lesson: Installing the DNS Server Service

The first step in preparing to resolve host names is to install the DNS Server service.

After completing this lesson, you will be able to:

• Explain the purpose and basics of DNS.
• Explain what a domain namespace is.
• Explain the standards for DNS naming.
• Install the DNS Server service.

Overview of Domain Name System


DNS is a name resolution service. DNS resolves human-friendly addresses (such as www.microsoft.com) into IP addresses (such as 192.168.0.1).

Domain Name System (DNS) is a hierarchical distributed database that contains mappings of DNS host names to IP addresses. DNS enables user access to Internet resources through easy-to-remember alphanumeric host names. DNS maps the alphanumeric host name to the numeric IP address. DNS also enables the system discovery of network services, such as e-mail servers and domain controllers in the Microsoft® Active Directory® directory service.

DNS is the foundation of the Internet naming scheme, and it is also the foundation of an organization’s Active Directory domain-naming scheme. Without DNS, you would have to locate the IP addresses of resources to access those resources. Because resource IP addresses can change, it would be difficult to maintain an accurate list of IP addresses and matching resources. DNS allows users to focus on alphanumeric names, which remain relatively constant in an organization, rather than on IP addresses.

With DNS, the host names reside in a database that can be distributed among multiple servers, decreasing the load on any one server and providing the ability to administer this naming system on a per-domain name basis. DNS supports hierarchical names and allows registration of various data types in addition to the host name–to–IP address mapping that is used in the Hosts files. Because the DNS database is distributed, its size is unlimited, and performance does not degrade much when servers are added.


The conceptual naming system on which DNS is based is a hierarchical and logical tree structure called the domain namespace. The Internet Network Information Center (InterNIC) manages the root, or highest level, of the domain namespace.

InterNIC is responsible for delegating administrative responsibility for portions of the domain namespace, and also for registering domain names. Domain names are managed through the use of a distributed database system of name information stored on name servers, which are located throughout the network. Each name server has database files that contain recorded information for a selected region within the domain tree hierarchy.

For more information about InterNIC, go to the InterNIC Web site at http://www.internic.net.

DNS began in the early days of the Internet, when the Internet was a small network that the United States Department of Defense established for research purposes. The host names of the computers in this network were managed by the use of a single Hosts file that was located on a centrally administered server. Each site that needed to resolve host names on the network downloaded this file.

As the Internet and the number of hosts grew, the burden of maintaining and distributing the Hosts file became unsupportable. A new system was needed to make this process manageable. The new Domain Name System was implemented and is still in use today. DNS features scalability, decentralized administration, and support for various data types.

DNS was introduced in 1984.


What Is a Domain Namespace?


A DNS namespace includes the root domain, top-level domains, second-level domains, and (possibly) subdomains. The DNS namespace allows display names of resources to be organized in a logical structure. The hierarchical structure of the DNS namespace simplifies organizing and locating resources.

The domain namespace is a hierarchical naming tree that DNS uses to identify and locate a given host in a given domain relative to the root of the tree. The names in the DNS database establish a logical tree structure called the domain namespace. The domain name identifies a domain’s position in the name tree relative to its parent domain. In the context of using and administering a DNS service, the domain namespace refers to any domain name tree structure in its entirety, from the root of the tree to the bottom-level branches of the tree. The tree must fit the accepted conventions for representing DNS naming. The principal convention is simply this: for each domain level, a period (.) is used to separate each subdomain descendent from its parent-level domain.

A domain, in DNS, is any tree or subtree within the overall domain namespace. Although the names for DNS domains are used to name Active Directory domains, they are not the same as and should not be confused with Active Directory domains.

The root domain is the root node of the DNS tree. It is unnamed (null). It is sometimes represented in DNS names by a trailing period (.) to designate that the name is at the root, or highest level, of the domain hierarchy. All DNS names end with a hidden trailing period and therefore are part of the root domain.


The top-level domain is the trailing (rightmost) portion of a domain name. Usually a top-level domain is stated as a two- or three-character name code that identifies either organizational or geographical status for the domain name. In the example www.microsoft.com, “.com” is the top-level domain name portion of the domain namespace. The .com top-level domain name denotes a business or commercial organization. Other examples of top-level domain names include .org, .ca, .gov, and .tv.

An internal corporate namespace, such as an Active Directory forest, does not have to end in a valid top-level domain. For internal purposes, you can use the domain corp.example.local or another namespace that is not recognized on the Internet.

A second-level domain name is a unique name of varying length that InterNIC formally registers to an individual or organization that connects to the Internet. In the example of www.microsoft.com, the second-level name is the “.microsoft” portion of the domain name, which InterNIC registers and assigns to Microsoft Corporation.

In addition to a second-level name that is registered with InterNIC, a large organization can choose to further subdivide its registered domain name by adding subdivisions or departments that are each represented by a separate name portion. Examples of subdomain names are as follows:

• sales.microsoft.com
• finance.microsoft.com
• corp.example.local

A fully qualified domain name (FQDN) is a DNS domain name that has been stated unambiguously for the purpose of indicating with absolute certainty its location in the domain namespace tree. Together, the DNS namespace and the host name make up the FQDN.

The illustration in the slide shows the DNS namespace for a company that is Internet-connected.

The root domain and first-tier domains .net, .com, and .org represent the Internet namespace—the portion of the namespace under the administrative control of the InterNIC (the Internet governing body).

The second-tier domain nwtraders, and its subdomains west, south, east, and sales, all represent the private namespace under administrative control of the company Northwind Traders.

The FQDN for the host Server1, server1.sales.south.nwtraders.com., tells you exactly where this host resides in the namespace relative to the root of the namespace.


Standards for DNS Naming


DNS naming standards are designed to support the consistent implementation of DNS. DNS naming standards are the global rules, so no matter who implements DNS, their implementation can interoperate with other DNS implementations.

DNS naming standards allow a limited subset of the ASCII character set for DNS. Request for Comments (RFC) 1123 specifies the following characters as valid for DNS names:

• A through Z
• a through z
• 0 through 9
• Hyphen (-)

All invalid characters are replaced by hyphens. For example, if you use an underscore in the computer name, it will be replaced by a hyphen. Although DNS servers running Microsoft Windows® 2000 and later include support for extended ASCII and Unicode characters, it is strongly recommended that DNS names be limited to the characters specified in RFC 1123.

The underscore (_) character is reserved for special purposes in Service Locator SRV records. For more information, see RFC 2782, “A DNS RR for Specifying the Location of Services (DNS SRV).”
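The namespace levels and the RFC 1123 character set described above can be checked mechanically. This added example (not part of the original courseware) splits an FQDN into its levels, flags labels outside the listed character set, and shows how hyphen replacement can map two computer names to one DNS label; the function names, the SRV sample name, and the inventory are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Characters the page lists as valid for DNS names under RFC 1123.
VALID_LABEL = re.compile(r"[A-Za-z0-9-]+")
INVALID_CHAR = re.compile(r"[^A-Za-z0-9-]")


def labels_of(name):
    """Return the dot-separated labels, ignoring the trailing root period."""
    return (name[:-1] if name.endswith(".") else name).split(".")


def split_fqdn(fqdn):
    """Split a host FQDN into the namespace levels the page describes."""
    labels = labels_of(fqdn)
    if len(labels) < 3 or "" in labels:
        raise ValueError("expected host.[subdomain...].second-level.top-level")
    return {
        "host": labels[0],
        "subdomains": labels[1:-2],   # ordered from the host side outward
        "second_level": labels[-2],
        "top_level": labels[-1],
        "root": ".",                  # the unnamed root, shown as a period
    }


def check_name(fqdn, record_type="A"):
    """Return (label, problem) pairs; an empty list means the name complies."""
    problems = []
    for label in labels_of(fqdn):
        if label == "":
            problems.append((label, "empty label"))
        elif VALID_LABEL.fullmatch(label):
            continue
        elif label.startswith("_") and VALID_LABEL.fullmatch(label[1:]):
            # Underscore-prefixed labels are the SRV convention (RFC 2782).
            if record_type != "SRV":
                problems.append((label, "underscore label outside an SRV record"))
        else:
            bad = "".join(sorted(set(INVALID_CHAR.findall(label))))
            problems.append((label, "invalid characters: " + bad))
    return problems


def to_dns_label(computer_name):
    """Apply the replacement the page describes: invalid characters become hyphens."""
    return INVALID_CHAR.sub("-", computer_name)


def find_collisions(computer_names):
    """Group computer names that end up sharing one DNS label.

    A consequence of hyphen replacement: two distinct computer names can map
    to the same DNS name. DNS compares names case-insensitively (a DNS fact,
    not stated on the page), so labels are lowercased before grouping.
    """
    groups = defaultdict(list)
    for name in computer_names:
        groups[to_dns_label(name).lower()].append(name)
    return {label: names for label, names in groups.items() if len(names) > 1}


# Constructed sample inventory of computer names (not from the page).
CONSTRUCTED_INVENTORY = ["web_01", "web-01", "DB_East", "db-east", "mail1"]

if __name__ == "__main__":
    print(split_fqdn("server1.sales.south.nwtraders.com."))
    print(check_name("web_01.corp.example.local"))
    print(check_name("_ldap._tcp.nwtraders.com", record_type="SRV"))
    print(find_collisions(CONSTRUCTED_INVENTORY))
```

Running the collision check over a computer inventory before names are registered in DNS surfaces hosts whose records would otherwise overwrite or shadow each other.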


Practice: Installing the DNS Server Service


In this practice, you will install the DNS Server service.

Ensure that the DEN-DC1 and DEN-SRV2 virtual machines are started.

Install the DNS Server service

1. Log on to DEN-SRV2 as Contoso\Administrator, with the password Pa$$w0rd.
2. Click Start, point to Control Panel, and then click Add or Remove Programs.
3. Click Add/Remove Windows Components.
4. In the Windows Component Wizard, select Networking Services and then click Details.
5. Select Domain Name System (DNS) and then click OK.
6. Click Next.
7. Click Finish to complete the installation.
8. Close the Add or Remove Programs window.

Lesson: Configuring the DNS Server Service

A DNS solution comprises the DNS server, DNS clients, and resources that are referenced by the resource records in DNS. After you install the DNS Server service, the next step is to properly configure the DNS server for your environment.

After completing this lesson, you will be able to:

• List the components of a DNS solution.
• Explain what a DNS query is.
• Explain how recursive queries work.
• Explain how iterative queries work.
• Explain how forwarders work.
• Explain how conditional forwarding works.
• Explain how root hints work.
• Explain how DNS server caching works.
• List the best practices for configuring DNS.
• Configure the properties for the DNS Server service.

What Are the Components of a DNS Solution?


The components of a DNS solution are described in the following table.

Component: DNS server
• A computer running the DNS server service.
• May host a namespace or portion of a namespace (domain).
• May be authoritative for a namespace or domain.
• Resolves the name resolution requests that DNS clients submit (DNS client = resolver).

Component: DNS client
• A computer running the DNS Client service. The DNS client service is fully integrated in the TCP/IP implementation of all Microsoft operating systems.

Component: DNS resource records
• Entries in the DNS database that map host names to resources.

For the purposes of this course, the name server is referred to as a DNS server.


What Is a DNS Query?


A query is a request for name resolution that is sent to a DNS server. There are two types of queries: recursive and iterative.

Note: Recursive and iterative queries will be covered later in this lesson.

The primary purpose of a DNS solution is to allow users to access resources by using alphanumeric names. A DNS query is a request sent by the DNS client resolver to the DNS server for the IP address of the supplied name. The DNS query is the way the service or application obtains the resource IP address and enables user access.

DNS clients and DNS servers both initiate queries for name resolution. A client system may issue a query to a DNS server, and that DNS server may then issue queries to other DNS servers to resolve requests on behalf of the client.

A DNS server can be either authoritative or nonauthoritative for the namespace of the query. A DNS server is authoritative when it hosts a primary or secondary copy of a DNS zone.

If the DNS server is authoritative for the namespace of the query, the DNS server will check the zone and then will do one of the following:

• Return the requested address
• Return an authoritative “No”

If the local DNS server is nonauthoritative for the namespace of the query, the DNS server will do one of the following:

• Check its cache and return a cached response.
• Forward the unresolvable query to a specific server called a forwarder.
• Use well-known addresses of multiple root servers to attempt to find an authoritative DNS server to resolve the query. This process is also called root hints.

Note: Forwarders and root hints are discussed later in this lesson.

How Recursive Queries Work


A recursive query is a query made to a DNS server, in which the DNS client asks the DNS server to provide a complete answer to the query. The only acceptable response to a recursive query is either the full answer or a reply that the name cannot be resolved.

A recursive query sent from the DNS client expects the DNS server to search its sources for a resolution of the host name to the IP address. The DNS client requires a full response and does not accept referrals to other DNS servers. Recursive queries can be initiated either by a DNS client or by a DNS server that is configured for forwarders. A recursive query puts the burden of delivering a final answer on the queried server.

The answer to a recursive query will always be either positive or negative, yielding one of the following responses:

• The requested data
• An error stating that data of the requested type does not exist
• A response stating that the name specified does not exist

The following steps describe how a recursive query from a client to that client’s configured DNS server works:

1. The client sends a recursive query to the local DNS server.

2. The local DNS server enumerates its zones to see if it is authoritative for the domain name and checks its cache for an answer to the query.

3. If the answer to the query is found, the DNS server returns the answer to the client.

4. If an answer is not found, the DNS server may use alternate means of resolving the name, such as issuing a recursive query to another DNS server that it has been configured to use as a forwarder or issuing an iterative query to a root server.


In the illustration in the slide, the DNS client asks the DNS server for the IP address of the supplied display name. The DNS client then accepts the response from the DNS server.

The DNS client, using the DNS resolver service, sends a DNS query to the DNS server for the IP address of Mail1.contoso.msft. The DNS server checks the cache to locate the record. If the cache does not contain the record, the DNS server locates the authoritative DNS server for the Contoso.msft domain. If the DNS server is authoritative for the domain, it searches the zone for the resource record. If the record exists, the server returns the IP address for the queried record. If the record does not exist, the DNS server informs the client that the record was not found.


How Iterative Queries Work


An iterative query is a query made to a DNS server in which the DNS client requests the best answer that the DNS server can provide without seeking further help from other DNS servers. Iterative queries are also sometimes called nonrecursive queries. The result of an iterative query is often a referral to another DNS server lower in the DNS tree. A referral would not be an acceptable response to a recursive query.

Iterative queries allow a DNS server to locate an authoritative DNS server through the DNS hierarchy in response to a client’s request. The DNS server may query DNS servers at different levels in the domain namespace to eventually locate the authoritative DNS server.

A DNS server typically makes an iterative query to other DNS servers after it has received a recursive query from a client. In an iterative query, the queried name server returns the best answer it currently has to the requester. Answers to iterative queries can be:

• Positive answers.
• Negative answers.
• Referrals to other servers.

One local DNS server usually issues iterative queries to another DNS server elsewhere in the namespace while trying to resolve a name query on behalf of a client.

A referral is a list of target name servers that a DNS server receives from another DNS server when querying a root server or a link in the DNS namespace. The referral information is cached on the DNS server for a time period specified in the DNS configuration.


If the queried DNS server has no exact match for the query, the best possible information it can return is a referral. A referral points to a DNS server that is authoritative for a lower level of the domain namespace.

The DNS client, on the local DNS server, can then query the referred DNS server. This process continues until the local DNS server locates an authoritative DNS server for the queried name or until an error occurs or a time-out condition is met.

Recursion is a DNS server function in which one DNS server issues a series of iterative queries to other DNS servers while responding to a recursive query that a DNS client issues.

The queried DNS servers return referrals, which the querying server follows until it receives a definitive answer. Recursion always ends when a server that owns the namespace gives either a positive or a negative reply.

In the illustration in the slide, the local DNS server has failed to resolve the requested name by using cached data and is not authoritative for the domain. So it begins the process of locating the authoritative DNS server by querying additional DNS servers. To locate the authoritative DNS server for the domain, the DNS server resolves the FQDN from the root to the host by using iterative queries. The following example illustrates this process, as shown in the illustration:

1. The local DNS server receives a recursive query from a DNS client. For example: The local DNS server receives a recursive query from Computer1 for Mail1.nwtraders.com.

2. The local DNS server sends an iterative query to the root server to obtain an authoritative name server.

3. The root server responds with a referral to a DNS server closer to the submitted domain name.

For example: The root server responds with a referral to the DNS server for .com.

4. The local DNS server makes an iterative query to the DNS server that is closer to the submitted domain name.

For example: The local DNS server makes an iterative query to the DNS server for .com.

5. The process continues until the local DNS server receives an authoritative response.

For example: The DNS server for .com responds with a referral to the DNS server for Nwtraders.com. Next, the local DNS server sends an iterative query to the DNS server for Nwtraders.com to obtain an authoritative name from the authoritative name server. The local DNS server then receives an authoritative response from the DNS server for Nwtraders.com.

6. The response is sent to the DNS client.

For example: The local DNS server sends this authoritative response to Computer1, which can then connect to Mail1.nwtraders.com by using the appropriate IP address.
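The six steps above can be traced in code. The following Python model is an added example, not part of the course material: it simulates a root server, a .com server and an Nwtraders.com server, and shows the local DNS server following referrals while rejecting any referral that does not point to a lower level of the namespace. The server names, the delegation data and the address 192.0.2.25 are constructed for the illustration.

```python
# Added illustration (not from the course): a toy model of the referral chain.
# Every server name, delegation and address here is constructed sample data.

SERVERS = {
    "root-server": {"zone": "", "records": {},
                    "delegations": {"com": "com-server"}},
    "com-server": {"zone": "com", "records": {},
                   "delegations": {"nwtraders.com": "nwtraders-server"}},
    "nwtraders-server": {"zone": "nwtraders.com",
                         "records": {"mail1.nwtraders.com": "192.0.2.25"},
                         "delegations": {}},
}


def in_zone(name, zone):
    """True if name equals zone or sits below it; "" is the root and holds everything."""
    return zone == "" or name == zone or name.endswith("." + zone)


def iterative_query(servers, server, name):
    """One server's best answer from its own data, without asking anyone else."""
    data = servers[server]
    if not in_zone(name, data["zone"]):
        return ("refused", data["zone"], None)     # name is outside this server's zone
    if name in data["records"]:
        return ("answer", data["zone"], data["records"][name])
    below = [z for z in data["delegations"] if in_zone(name, z)]
    if below:
        zone = max(below, key=len)                  # most specific delegation wins
        return ("referral", zone, data["delegations"][zone])
    return ("negative", data["zone"], None)         # authoritative "No"


def resolve_recursively(name, servers=SERVERS, root="root-server", max_referrals=10):
    """What the local DNS server does for a client's recursive query.

    Returns (address_or_None, trace); trace holds (server, kind) per iterative query.
    """
    name = name.lower().rstrip(".")
    server, current_zone, trace = root, "", []
    for _ in range(max_referrals):
        kind, zone, value = iterative_query(servers, server, name)
        trace.append((server, kind))
        if kind == "answer":
            return value, trace
        if kind != "referral":
            return None, trace                      # the client gets a negative reply
        # A referral must lead to a lower level of the namespace that still
        # contains the queried name; anything else is a loop or a stray pointer.
        deeper = zone != current_zone and in_zone(zone, current_zone)
        if not (deeper and in_zone(name, zone)):
            raise ValueError(f"{server} gave an unusable referral to {zone!r}")
        server, current_zone = value, zone
    raise RuntimeError("referral limit reached")


if __name__ == "__main__":
    address, trace = resolve_recursively("Mail1.nwtraders.com")
    for server, kind in trace:
        print(f"{server:18} -> {kind}")
    print("answer for client:", address)
```

The client sees only the final address or a negative reply; the referrals stay between the local DNS server and the servers it queries.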


How Forwarders Work


A forwarder is a DNS server to which other internal DNS servers are configured to forward queries. Forwarders can help other DNS servers resolve external or offsite DNS domain names.

When a DNS name server receives a query, it attempts to locate the requested information within its own zone files. If this attempt fails, either because the server is not authoritative for the domain requested or because it does not have the record cached from a previous lookup, the server must communicate with other name servers to resolve the request. On a globally connected network like the Internet, DNS queries that are outside a local zone may require interaction with DNS name servers across wide area network (WAN) links outside of the organization. Creating DNS forwarders is a way to designate specific name servers for WAN-based DNS traffic responsibility.

Specific DNS name servers can be selected to be forwarders. These servers will resolve DNS queries on behalf of other DNS servers.

In the illustration in the slide, the local DNS server has failed to resolve the requested name by using its zone files and cached data, so it forwards the request to the forwarder (another DNS server). The forwarder then attempts to resolve the name. The forwarder may respond immediately if it is authoritative for the zone, it may forward the request to another DNS server that is configured as a forwarder, or it may issue an iterative query to one of the root servers to try to find an authoritative DNS server.

A name server can use a forwarder in the following ways:

• If the DNS server is configured to use recursion and the forwarder is unable to resolve the query, the DNS server that received the original query can issue iterative queries to root servers to resolve the name.

• If the DNS server is configured not to use recursion and the forwarder is unable to resolve the request, the DNS server that received the original query will not issue iterative queries to root servers to resolve the name. These DNS servers make no attempt to resolve the query on their own if the forwarder is unable to satisfy the request.

DNS servers may be configured with the IP address of one or more forwarders. If a DNS server is configured to use more than one forwarder, the request will be forwarded to the first server in the list. If the query is answered authoritatively by the first forwarder, the response is passed back to the client, and the name resolution process ends. If the first forwarder fails to successfully resolve the request, the DNS server can forward the request to another forwarder. This process will continue until a forwarder successfully resolves the query or the list of configured forwarders is exhausted. After all forwarders have been queried, root hints may be used.

How Conditional Forwarding Works


Conditional forwarding allows a DNS server to forward requests to other DNS servers using a specific domain name. This type of forwarding improves conventional forwarding by adding a second condition to the forwarding process.

In standard forwarding, if a DNS server is unable to resolve the name locally, it forwards all requests to its configured forwarder. This process may be unsuitable in an environment that has multiple domain names that are hosted on multiple DNS servers.

Conditional forwarding adds another layer of logic to the forwarding process, allowing a DNS server to selectively forward requests to other DNS servers using a domain name condition. When you configure conditional forwarding, you can configure the DNS servers to forward requests to DNS servers that are authoritative for specific domains.

A DNS server can be configured with multiple conditional forwarders for different domain names.

As illustrated in the slide, if the client computer issues a query to its local DNS server for www.contoso.msft, the process is as follows:

1. The local DNS server enumerates its zones to search for a zone for Contoso.msft.

2. The local DNS server checks its cache to see if the name has recently been resolved.

3. Because the local DNS is configured with a conditional forwarder for Contoso.msft, the server issues a recursive query to the Contoso.msft DNS server to resolve the name www.contoso.com.


If the client computer issues a query to the local DNS server for www.microsoft.com, the process is as follows:

1. The local DNS server enumerates its zones to search for a zone for Microsoft.com.

2. The local DNS server checks its cache to see if the name has recently been resolved.

3. The local DNS server issues a recursive query to the Internet service provider (ISP) DNS server to resolve the name www.microsoft.com.

If your internal network has no private root and your users need access to other namespaces, such as domain names belonging to a partner company, use conditional forwarding to enable servers to query for names in other namespaces. Conditional forwarding in Microsoft Windows Server™ 2003 DNS may eliminate the need for secondary zones by configuring DNS servers to forward queries to different servers using the domain name condition.
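The forwarder and conditional-forwarding rules described in the two preceding topics can be combined into one decision procedure. The Python model below is an added example, not part of the course material: it shows which upstream servers a DNS server tries, and in what order, for a name it cannot answer from its zones or cache. It assumes that the most specific domain condition wins and uses a single use_recursion flag for the "Do not use recursion for this domain" option; the ServerConfig class, the helper names and all addresses other than 10.10.0.2 are constructed for the illustration.

```python
# Added illustration (not from the course): the order in which a DNS server
# configured with forwarders hands off a name it cannot answer locally.
# All addresses and records are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class ServerConfig:
    zones: dict = field(default_factory=dict)        # zone name -> {host name: address}
    cache: dict = field(default_factory=dict)        # host name -> address
    conditional: dict = field(default_factory=dict)  # domain -> [forwarder addresses]
    forwarders: list = field(default_factory=list)   # standard forwarders, in list order
    root_hints: list = field(default_factory=list)
    use_recursion: bool = True  # False models "Do not use recursion for this domain"


def _within(name, domain):
    return name == domain or name.endswith("." + domain)


def upstream_plan(name, cfg):
    """Ordered (kind, address) targets tried when zones and cache have no answer."""
    name = name.lower().rstrip(".")
    matches = [d for d in cfg.conditional if _within(name, d)]
    # Assumption of this model: the most specific domain condition wins.
    chosen = cfg.conditional[max(matches, key=len)] if matches else cfg.forwarders
    plan = [("forwarder", addr) for addr in chosen]
    if cfg.use_recursion:
        # Root hints are used only after every forwarder has been tried.
        plan += [("root-hint", addr) for addr in cfg.root_hints]
    return plan


def resolve(name, cfg, ask):
    """Return (address_or_None, path). ask(address, name) stands in for the network;
    for a root hint it represents the whole iterative walk down from the root."""
    name = name.lower().rstrip(".")
    for zone, records in cfg.zones.items():
        if _within(name, zone):                       # authoritative: answer or "No"
            return records.get(name), [("zone", zone)]
    if name in cfg.cache:
        return cfg.cache[name], [("cache", name)]
    path = []
    for kind, addr in upstream_plan(name, cfg):
        path.append((kind, addr))
        answer = ask(addr, name)
        if answer is not None:
            cfg.cache[name] = answer                  # cache for later queries
            return answer, path
    return None, path


# Constructed sample: a server with a conditional forwarder for contoso.msft
# (10.10.0.2, DEN-DC1 in the practices) and an ISP forwarder for everything else.
BRANCH = ServerConfig(
    conditional={"contoso.msft": ["10.10.0.2"]},
    forwarders=["192.0.2.53"],          # placeholder ISP DNS server
    root_hints=["198.51.100.1"],        # placeholder, not a real root server
)
UPSTREAM = {   # what each upstream server can resolve (constructed)
    ("10.10.0.2", "www.contoso.msft"): "10.10.0.80",
    ("192.0.2.53", "www.microsoft.com"): "203.0.113.10",
}


def ask(addr, name):
    return UPSTREAM.get((addr, name))


if __name__ == "__main__":
    for query in ("www.contoso.msft", "www.microsoft.com", "nohost.example.org"):
        print(query, "->", resolve(query, BRANCH, ask))
```

With use_recursion set to False the plan contains forwarders only, so a name the forwarders cannot resolve never causes this server to query the Internet on its own.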


How Root Hints Work


Root hints are DNS resource records stored on a DNS server that list the IP addresses for the DNS root servers.

When the DNS server receives a DNS query, it checks the cache to see if the name has recently been resolved. If the name is not in the cache, the DNS server attempts to locate the authoritative DNS server for the queried domain. If the DNS server does not have the IP address of the authoritative DNS server for that domain, and if the DNS server is configured with the root hints IP addresses, the DNS server will query a root server for a list of name servers that are authoritative for the appropriate top-level domain.

The DNS root server then returns the IP address of the authoritative name servers for the appropriate top-level domain. The DNS server continues along the FQDN until it locates a name server that is authoritative for the domain name.

Root hints are stored in the file Cache.dns, which is located in the %Systemroot%\System32\Dns folder.

Under normal circumstances, root hints list the IP addresses for the DNS root servers that InterNIC maintains on the Internet. Root hints can also point to a local DNS server. If the root hints point to a local server, the only names that will be available for resolution are those to which the local DNS server can refer (normally local addresses only). This configuration, limiting resolution to local domains, is sometimes used for security purposes. This configuration may also be implemented in environments where clients do not need to resolve Internet names directly. An example would be users who connect to the Internet through a proxy server.

You can configure an internal DNS server to host the root zone by creating a zone named “.”. A server hosting a root zone will be unable to use forwarders or other root hints to resolve names.


How DNS Server Caching Works


DNS caching provides faster query responses and reduces DNS network traffic. By caching DNS responses, the DNS server can resolve future queries for recently resolved records from the cache. Caching greatly reduces response time and eliminates the network traffic caused by sending the query out to another DNS server.

When a server is processing a recursive query, it might be required to send out several queries to find the definitive answer. In a worst-case scenario for resolving a name, the local name server starts at the top of the DNS tree with one of the root name servers and works its way down until the requested data is found.

The server caches all of the information that it receives during this process and deletes it after a specified time. The unit of measurement for this specified period is seconds, and the period is referred to as Time to Live (TTL). The server administrator for the primary zone that contains the data decides on the TTL for the data. Smaller TTL values help ensure that information about the domain is consistent across the network, in the event that this data changes often. However, a smaller TTL increases the load on the name servers that contain the name, and it also increases Internet traffic. Because data is cached, changes made in resource records might not be immediately available to the entire Internet.

After a DNS server caches data, the TTL starts to count down so that the DNS server can determine when to delete the data from its cache. When the DNS server answers a query by using its cached data, it includes the remaining TTL for the data. The client’s resolver then caches this data and uses the TTL that the server sends.


Whereas all DNS name servers cache queries that they have resolved, caching-only servers are DNS name servers whose only job is to perform queries, cache the answers, and return the results. They are not authoritative for any domains, and they contain only information that they have cached while resolving queries. Caching-only servers have no primary or secondary zones. A DNS server running Windows Server 2003 in its initial installation configuration has no zones. With the help of root hints, it becomes a caching-only server in its initial state.

To view the DNS cache on a Windows Server 2003 DNS server, you need to enable the Advanced view option in the DNS console. In the DNS console, click the View menu and then click Advanced. In the DNS console tree, a cached lookup node will appear.

The DNS client resolver also caches resolved host-to-IP-address mapping data. The DNS client first checks the local cache before contacting the DNS server. DNS clients can also perform negative caching.

For more information about the DNS client resolver, see Module 3, “Resolving Names,” in Course 2277, Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure: Network Services.

In the illustration in the slide, you can see that the first time Client1 sends a query for ServerA.contoso.msft, the DNS server must use iterative queries to locate the resource. When the authoritative response is sent to the local DNS server, the DNS server caches the resource with a TTL value. (The TTL is provided by the authoritative DNS server that supplies the response.) The DNS client also caches the record in its local DNS resolver cache by using the TTL that the DNS server provides.

When Client2 queries for ServerA.contoso.msft, the DNS server can respond from the cached response for this resource, provided that the data is still in the cache. This means that the DNS server can respond faster to the query because the local DNS server does not have to query DNS servers outside the organization. This eliminates the network traffic that would be required to resolve the query if it had not been in the cache. DNS caching is also beneficial in a scenario where a branch office has a slow connection to a main office. Over time, the DNS server in the branch office will accumulate a cache of DNS entries.
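The Client1 and Client2 scenario above can be modeled directly. The Python code below is an added example, not part of the course material: it shows the server answering from its cache with the remaining TTL, the client resolver reusing that TTL, and a changed record staying invisible until the cached copy expires. The addresses, the 3600-second TTL and the time at which the record changes are constructed for the illustration.

```python
# Added illustration (not from the course): TTL countdown in a server cache
# and a client resolver cache. Names, addresses and TTLs are constructed.


class FakeClock:
    """Manually advanced clock so the example is deterministic."""

    def __init__(self):
        self.now = 0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class TtlCache:
    def __init__(self, clock):
        self._clock = clock
        self._entries = {}             # name -> (address, absolute expiry time)

    def put(self, name, address, ttl):
        self._entries[name.lower()] = (address, self._clock() + ttl)

    def get(self, name):
        """Return (address, remaining TTL), or None if absent or expired."""
        key = name.lower()
        entry = self._entries.get(key)
        if entry is None:
            return None
        address, expires = entry
        remaining = expires - self._clock()
        if remaining <= 0:
            del self._entries[key]     # TTL has counted down: delete from the cache
            return None
        return address, remaining


def server_answer(server_cache, name, authoritative):
    """Local DNS server: answer from cache with the remaining TTL, else go upstream."""
    hit = server_cache.get(name)
    if hit:
        return hit[0], hit[1], "server cache"
    address, ttl = authoritative(name)       # stands in for the iterative queries
    server_cache.put(name, address, ttl)
    return address, ttl, "authoritative"


def client_lookup(client_cache, server_cache, name, authoritative):
    """DNS client resolver: check the local cache before contacting the server."""
    hit = client_cache.get(name)
    if hit:
        return hit[0], hit[1], "client cache"
    address, ttl, source = server_answer(server_cache, name, authoritative)
    client_cache.put(name, address, ttl)     # the client uses the TTL the server sent
    return address, ttl, source


def run_scenario():
    clock = FakeClock()
    zone = {"servera.contoso.msft": ("10.10.0.60", 3600)}   # constructed record

    def authoritative(name):
        return zone[name.lower()]

    server, client1, client2 = TtlCache(clock), TtlCache(clock), TtlCache(clock)
    name, results = "ServerA.contoso.msft", []

    results.append(client_lookup(client1, server, name, authoritative))  # t=0
    clock.advance(600)
    zone[name.lower()] = ("10.10.0.61", 3600)       # the record changes at t=600
    results.append(client_lookup(client2, server, name, authoritative))  # t=600
    clock.advance(2999)
    results.append(client_lookup(client2, server, name, authoritative))  # t=3599
    clock.advance(1)
    results.append(client_lookup(client2, server, name, authoritative))  # t=3600
    return results


if __name__ == "__main__":
    for result in run_scenario():
        print(result)
```

Because Client2 inherits the remaining TTL rather than a fresh one, its copy expires at the same moment as the server's copy, and the new address is seen only after that point.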


Demonstration: Configuring the DNS Server Service


Best Practices for Configuring DNS


When configuring your DNS environment, consider the following best practices:

• Use a central forwarder for Internet name resolution.

In an environment that includes many DNS servers, it may be beneficial to configure your DNS servers to forward requests to a central forwarder. This central forwarder can be configured to use the root hints to resolve queries for Internet-based hosts. The advantage of this configuration is that the central forwarder will be able to amass a large cache. It can in turn respond more quickly to resolution requests, reducing the need to generate traffic over the Internet WAN links for previously cached lookups. This configuration can also help increase security by allowing only one system to perform DNS queries on the Internet.

• Use conditional forwarders if you have multiple internal namespaces.

If you have multiple DNS servers internally hosting different domain names, link the name servers together by using conditional forwarding. This ensures that name requests from internal DNS servers are forwarded to appropriate name servers without attempting to use name servers on the Internet.

• Consider disabling recursion for specific domains.

If you use a central forwarder, you may want to select the option Do not use recursion for this domain on the Forwarders tab on all other DNS servers. If a DNS server forwards a request to a central forwarder and receives a negative response, it may use root hints to attempt to resolve the name on the Internet. If the central forwarder has already attempted to do this, the result is the same. By disabling recursion for the domains, you rely on the central forwarder as the only server to resolve Internet names, thus reducing unnecessary name resolution queries over your Internet WAN links.

You can also disable recursion on the Advanced tab of the DNS server properties. If you enable this option, the server will not use recursion or forwarders to resolve DNS names. If you enable this option, the DNS server will not be able to resolve Internet host names.


Practice: Configuring Properties for the DNS Server Service


In this practice, you will configure a DNS server to use a forwarder. Ensure that the DEN-DC1 and DEN-SRV2 virtual machines are started.


Prepare for this practice

1. If necessary, log on to DEN-SRV2 as Contoso\Administrator, with a password of Pa$$w0rd.

2. Click Start, point to Control Panel, point to Network Connections, and then click Local Area Connection.

3. Click Properties.

4. Select Internet Protocol (TCP/IP) and then click Properties.

5. In the Preferred DNS Server field, enter the value 10.10.0.11 (the IP address of DEN-SRV2) and then click OK.

6. Click Close and then click Close again.


Configure DEN-SRV2 to use a forwarder

1. On DEN-SRV2, click Start, point to All Programs, point to Accessories, and then click Command Prompt.

2. At the command prompt, type ipconfig /flushdns and then press ENTER.

3. Type ping den-dc1.contoso.msft and then press ENTER. Was DEN-DC1.contoso.msft successfully resolved to an IP address?

No

4. Click Start, point to Administrative Tools, and then click DNS.

5. In the console tree, click DEN-SRV2, click the Action menu, and then click Properties.

6. Click the Forwarders tab.

7. In the Selected domain’s forwarder IP address list field, type 10.10.0.2 (the IP address of DEN-DC1), click Add, and then click OK.

8. At the command prompt, type ipconfig /flushdns and then press ENTER.

9. Type ping den-dc1.contoso.msft and then press ENTER. Was DEN-DC1.contoso.msft successfully resolved to an IP address?

Yes

10. Close all open windows.

Lesson: Configuring DNS Zones

After you have created DNS zones, and when the DNS zones are populated with resource records, the DNS service will be able to support host name resolution.

After completing this lesson, you will be able to:

• Describe how data is stored and maintained.
• Explain what resource records and record types are.
• Explain what a DNS zone is.
• Configure a DNS zone.
• Explain what DNS zone types are.
• Explain what a stub zone is.
• Explain what forward lookup zones and reverse lookup zones are.
• Explain why reverse lookup zones are used.
• Explain what delegation of a DNS zone is.
• Explain the guidelines for configuring DNS zones.
• Configure forward lookup zones and reverse lookup zones.

How DNS Data Is Stored and Maintained


Resource records (RR) are contained within a DNS database. Each resource record identifies a particular resource within the DNS database, such as a name server, mail server, or host.

A zone is a portion of the DNS database that contains the resource records that belong to the contiguous portion of the DNS namespace.

A zone file is the file on the DNS server’s local hard drive that contains all of the configuration information for a zone and the resource records contained therein.

After you have installed the DNS Server service and configured the properties of the DNS service, you are ready to complete the DNS service configuration by adding host name–to–IP address mappings. These mappings are referred to as resource records in DNS. There are many types of resource records. Which resource records you store in your DNS will depend on your DNS needs. Before you can add resource records, you must configure a DNS structure to hold them. In DNS, the containers for these records are called zones. Zones are files that store the zone properties and the resource records.

After you have created DNS zones, and when the DNS zones are populated with resource records, the DNS service will be able to support host name resolution for a portion of the DNS namespace.


What Are Resource Records and Record Types?


Clients can directly query or indirectly query for resource records. Examples of the use of DNS resource records include the following:

! When a user enters a URL in a Web browser, a forward lookup query is sent to a DNS server.

! When a user logs on to a computer in a domain, the logon process locates a domain controller by querying a DNS server.

Different record types represent different types of data stored within the DNS database. The following table lists record types, along with a description and an example for each type. The resource records listed in the examples are shown in the preceding slide.

Record type: Host (A)
• An A record represents a computer or device on the network.
• A records are the most common and most frequently used DNS records.
• An A record resolves a host name to an IP address.
Example: Web1.nwtraders.msft resolves to 10.10.0.51

Record type: Pointer (PTR)
• A PTR record is used to find the DNS name that corresponds to an IP address.
• The PTR record is found only in a reverse lookup zone.
• PTR records resolve an IP address to a host name.
Example: 10.10.0.51 resolves to Web1.nwtraders.msft

Record type: Start of Authority (SOA)
• An SOA resource record is the first record in any zone file.
• An SOA resource record identifies the primary DNS name server for the zone.
• An SOA resource record identifies the e-mail address for the administrator in charge of the zone.
• An SOA resource record specifies the information required for replication (such as the serial number, the refresh interval, the retry interval, and the expiry values for the zone).
• An SOA resource record resolves from a domain name (which is the same as the parent folder) to a host name.
Example: NWTraders.msft resolves to den-dc1.contoso.msft

Record type: Service Locator (SRV)
• An SRV resource record indicates a network service that a host offers.
• SRV records are used in an Active Directory environment to locate domain controllers.
• An SRV resource record resolves from a service name to a host name and port.
Example: _tcp._ldap.nwtraders.msft resolves to den-dc1.nwtraders.msft

Record type: Name Server (NS)
• An NS record facilitates delegation by identifying DNS servers for each zone.
• An NS record appears in all forward and reverse lookup zones.
• Whenever a DNS server needs to send a query to a delegated domain, it refers to the NS resource record for DNS servers in the target zone.
• An NS record resolves from a domain name (which is the same as the parent folder) to a host name.
Example: NWTraders.msft resolves to den-dc1.contoso.msft

Record type: Mail Exchanger (MX)
• An MX resource record indicates the presence of a Simple Mail Transfer Protocol (SMTP) e-mail server.
• An MX resource record resolves to a host name.
• A mail server priority can be set if multiple MX records exist for a zone.
Example: Mail server for NWTraders.msft resolves to Mail.nwtraders.msft

Record type: Alias (CNAME)
• A CNAME resource record is a host name that refers to another host name.
• A CNAME resource record resolves from a host name to another host name.
• Multiple CNAME records can all point to the same A record. If you need to update the IP address for the record, you need to update only the A record.
Example: www.nwtraders.msft resolves to

What Is a DNS Zone?


A zone can hold the resource records for one or more contiguous domain names, connected by a direct parent-child relationship.

A zone is also the physical representative of a DNS domain or domains. For example, if you have a DNS domain namespace of North.contoso.msft, you could create a zone on a DNS server called North.contoso.msft. This zone would contain all resource records for the North.contoso.msft domain as well as for the Training subdomain.

DNS allows a DNS namespace to be divided into zones. For each DNS domain name included in a zone, the zone becomes the authoritative source for information about that domain.

Zone files are maintained on DNS servers. You can configure a single DNS server to host zero, one, or multiple zones. Characteristics of a zone include the following:

• A zone is a collection of resource records for a contiguous portion of the DNS namespace.

• Zone data is maintained on a DNS server and is stored in one of two ways:

  • As a flat zone file containing lists of mappings

  • In an Active Directory database

• A DNS server is authoritative for a zone if it hosts the resource records for the names and addresses that the clients request in the zone file.

A DNS zone is:

• A primary, secondary, or stub zone type.

• Either a forward or a reverse lookup zone.


Note: Zone types and lookup zones are covered in detail later in this lesson.

Example: Three zones are highlighted in the illustration in the slide:

• North.contoso.msft

• Sales.north.contoso.msft

• Support.north.contoso.msft

The first zone (North.contoso.msft) is authoritative for two contiguous domains (North.nwtraders.com and Training.north.nwtraders.com), whereas the other two zones (Sales.north.nwtraders.com and Support.north.nwtraders.com) each represent a single domain.
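The zone boundaries in this example can be checked mechanically. The following added example (not part of the original course material) picks the authoritative zone for a name by longest label-wise suffix match, using the three zone names as listed above; the host names queried are constructed.

```python
def labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [part for part in name.lower().rstrip(".").split(".") if part]

def authoritative_zone(hosted_zones, query_name):
    """Return the hosted zone that is authoritative for query_name, or None.

    A zone matches only on whole labels, so 'presales.north...' is not in the
    'sales.north...' zone. The most specific (longest) matching zone wins,
    because a child zone takes that part of the namespace out of its parent.
    """
    query = labels(query_name)
    best, best_len = None, -1
    for zone in hosted_zones:
        zone_labels = labels(zone)
        n = len(zone_labels)
        if n <= len(query) and query[len(query) - n:] == zone_labels and n > best_len:
            best, best_len = zone, n
    return best

def partition(hosted_zones, names):
    """Group names by the zone that holds their records; None means not hosted."""
    result = {}
    for name in names:
        result.setdefault(authoritative_zone(hosted_zones, name), []).append(name)
    return result

# Zone names from the page's example.
ZONES = ["North.contoso.msft", "Sales.north.contoso.msft", "Support.north.contoso.msft"]

# Constructed host names used to probe the boundaries.
SAMPLE_NAMES = [
    "host1.training.north.contoso.msft",   # Training is a subdomain inside the North zone
    "srv1.sales.north.contoso.msft",       # separate Sales zone
    "presales.north.contoso.msft",         # whole-label match: stays in the North zone
    "notnorth.contoso.msft",               # outside every hosted zone
]
```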


Practice: Configuring a DNS Zone


In this practice, you will:

• Create a forward lookup zone.

• Create resource records.

Ensure that the DEN-DC1 and DEN-SRV2 virtual machines are started.

Create a forward lookup zone

1. If necessary, log on to DEN-SRV2 as Contoso\Administrator, with a password of Pa$$w0rd.

2. Click Start, point to Administrative Tools, and then click DNS.

3. In the console tree, right-click DEN-SRV2 and then click New Zone.

4. On the New Zone Wizard page, click Next.

5. Ensure that Primary Zone is selected and then click Next.

6. Ensure that Forward Lookup Zone is selected and then click Next.

7. In the Zone Name field, type nwtraders.msft and then click Next.

8. In the Create a new file with this file name field, ensure that nwtraders.msft.dns is entered and then click Next.

9. Click Next and then click Finish.
