Windows Server: Deep Dive on DNS Architecture

Introduction

What is DNS?
 The role of a DNS server is to translate fully qualified domain names (FQDNs) into IP addresses, and IP addresses back into FQDNs.
 For example: www.microsoft.com into an IP address, and vice versa.

You can also use DNS to query service records.
 For example, you can locate services such as mail servers, name servers or domain controllers: a query of type MX (mail server) sent to the DNS server returns the records of the hosts that provide that service.

Topics covered:

  • Query Resolution
  • Caching
  • DNS Registration
  • DNS Server Placement
  • DNS Client Tools

FQDN and Zones

A DNS name has three general elements:

  1. Top Level Domain
  2. Domain Name
  3. Host Name

www is an individual host name whose record resolves to an IP address within that domain.

Zones

Zones are collections of resource records.
A zone contains the name-to-IP data, MX records and other service records. It also contains glue data (name server records together with their addresses) that connects it to the other DNS servers.

A zone can contain pointers (delegations) to a sub-domain.
For example: srilanka.microsoft.com is a subdomain of microsoft.com.

DNS Query Resolution

On this PC I’m going to browse to www.microsoft.com. Resolution proceeds as follows:

  1. The PC requests www.microsoft.com from its own (or the ISP’s) DNS server.
  2. If the client’s DNS server has no information about that domain in its cache, it cannot answer directly.
  3. The client DNS server then goes off and asks a root server, walking the hierarchy step by step:
  • The client DNS server says: I want to know about the top-level domain .com.
  • The root server replies with a referral: the address of the top-level domain (TLD) name server for the .com zone.
  • The client DNS server then asks the .com TLD name server about microsoft.com.
  • The TLD name server refers it to the authoritative name server for microsoft.com.
  • The client DNS server asks that authoritative name server for the IP address of www.microsoft.com.
  • The authoritative name server provides the IP address of www.microsoft.com.
  • The client DNS server returns that IP address to the PC that asked for it.
  • The PC can now connect to www.microsoft.com at that IP address.
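
The chain above can be followed by hand with the PowerShell DnsClient cmdlets. This is an added example, not code from the original post: it asks for the NS records at each zone cut (com, then microsoft.com), queries the authoritative server directly with recursion turned off, and compares that answer with what the PC’s configured resolver returns. It needs outbound DNS on port 53; www.microsoft.com is the page’s own example name.

```powershell
# Added example (not from the original post). Walk the delegation chain for a name, then
# compare the authoritative answer with the configured resolver's (possibly cached) answer.
function Trace-DnsResolution {
    param([Parameter(Mandatory)][string]$Name)

    $labels = $Name.TrimEnd('.').Split('.')
    $authNs = $null

    # Step down the hierarchy one label at a time: com, then microsoft.com.
    # Each NS answer is the referral a root / TLD server hands to a recursive resolver.
    for ($i = $labels.Count - 1; $i -ge 1; $i--) {
        $zone = $labels[$i..($labels.Count - 1)] -join '.'
        $ns = Resolve-DnsName -Name $zone -Type NS -DnsOnly -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'NS' -and $_.Section -eq 'Answer' }
        if ($ns) {
            $authNs = @($ns)[0].NameHost
            Write-Host ("{0,-22} delegated to {1} name server(s), e.g. {2}" -f $zone, @($ns).Count, $authNs)
        } else {
            Write-Host ("{0,-22} is not a separate zone (no NS records of its own)" -f $zone)
        }
    }

    # Final hop: ask the authoritative server with recursion disabled (RD=0).
    # It answers from its zone data, not from a cache.
    $auth  = Resolve-DnsName -Name $Name -Type A -Server $authNs -NoRecursion -DnsOnly |
             Where-Object { $_.Section -eq 'Answer' } | Select-Object -First 1
    # What the PC's configured resolver says; this may come from its cache.
    $local = Resolve-DnsName -Name $Name -Type A |
             Where-Object { $_.Section -eq 'Answer' } | Select-Object -First 1

    # www names are often CNAMEs to a CDN name; report whichever data type came back.
    $fromAuth  = if ($auth.Type  -eq 'CNAME') { $auth.NameHost }  else { $auth.IPAddress }
    $fromLocal = if ($local.Type -eq 'CNAME') { $local.NameHost } else { $local.IPAddress }

    [pscustomobject]@{
        Name            = $Name
        AuthoritativeNS = $authNs
        Authoritative   = $fromAuth
        LocalResolver   = $fromLocal
        # A mismatch means the resolver's cache is stale or was fed bad data; investigate.
        Match           = ($fromAuth -eq $fromLocal)
    }
}

Trace-DnsResolution -Name 'www.microsoft.com'
```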

Caching

When a DNS server performs a query on behalf of a client, it can cache the result, which means the answer for www.microsoft.com is stored in the cache and served from there the next time it is requested.

A PC also keeps a small DNS cache of its own (the client resolver cache).

Cache information includes,

  • Resource record queried
  • Information about DNS servers used to resolve that resource record

Cache entries are kept for the TTL (Time to Live) of each record; once the TTL expires the entry is discarded and the name is queried again.

DNS Registration

For a zone to be owned by someone, it needs to be registered with an official DNS registrar.
The DNS name space has been partitioned and assigned to separate organizations, each responsible for a different area of the name space.

Registration requires that you specify two name servers to host the zone.

Many registrars offer DNS zone hosting.

DNS Server Placement

Public DNS

  1. Accessible to clients on the internet
  2. Hosts important public records

  • NS records = name server records
  • MX records = if you’re accepting mail at microsoft.com
  • Web server record = if you have a web server for www
  • CA record = if you’re running your own certificate authority
 
Internal DNS
This is a private DNS server that holds all the records for hosts inside the network.
For example: you don’t want everyone on the internet to see where your file servers are.

  • Only Accessible to clients on internal network
  • Hosts all records, including sensitive records

DNS TOOLS

Nslookup
 — Traditional cmd.exe utility
 — Nslookup www.microsoft.com
 — Nslookup 118.214.55.248

Resolve-DNSName
 — PowerShell DNS utility
 — Resolve-DNSName www.microsoft.com
 — Resolve-DNSName 118.214.55.248

PRIMARY DNS ZONES

The primary server processes updates to the zone, and all the secondary servers are updated from it with the zone data.

Uses zone files

Can be deployed on,

  • Domain controller
  • Member server
  • Standalone server

Active Directory Integrated Zones

Multi-master zone

  • Any domain controller can process zone updates

Can replicate to:

  • All domain controllers in the domain
  • All domain controllers in the forest
  • All domain controllers in a specific active directory partition
     dnscmd . /CreateDirectoryPartition FQDN

Dynamic update options:

  • Secure dynamic updates (available only on Active Directory integrated zones)
     – the client can perform the update
     – DHCP can perform the update on the client’s behalf
  • Non-secure and secure dynamic updates
  • Do not allow dynamic updates
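
As an added example (not code from the original post), the following creates AD-integrated zones that accept only secure dynamic updates and audits the existing primary zones for the weaker setting. It assumes the DnsServer module on a domain controller that runs the DNS Server role; the zone and partition names are placeholders.

```powershell
# Added example (not from the original post): secure dynamic updates on AD-integrated zones.
Import-Module DnsServer

# Replicates to all DCs in the domain; only Kerberos-authenticated clients can register or
# change records, so an unauthenticated host cannot overwrite another machine's name.
Add-DnsServerPrimaryZone -Name 'corp.example.test' -ReplicationScope Domain -DynamicUpdate Secure

# Same, but stored in a custom application partition so only DCs enlisted in that
# partition replicate it (PowerShell equivalent of dnscmd /CreateDirectoryPartition).
Add-DnsServerDirectoryPartition -Name 'LabDnsPartition.corp.example.test'
Add-DnsServerPrimaryZone -Name 'lab.corp.example.test' -ReplicationScope Custom `
    -DirectoryPartitionName 'LabDnsPartition.corp.example.test' -DynamicUpdate Secure

# Audit: non-secure updates let any host on the network rewrite records in the zone.
function Get-NonSecureUpdateZone {
    Get-DnsServerZone | Where-Object {
        $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and
        $_.DynamicUpdate -eq 'NonsecureAndSecure'
    }
}

foreach ($zone in Get-NonSecureUpdateZone) {
    if ($zone.IsDsIntegrated) {
        # Secure updates are only available on AD-integrated zones; switch the setting.
        Set-DnsServerPrimaryZone -Name $zone.ZoneName -DynamicUpdate Secure
        Write-Host "$($zone.ZoneName): dynamic updates set to Secure"
    } else {
        # A file-backed primary zone cannot use Secure: either stop accepting dynamic
        # updates, or convert it to AD-integrated first and then set Secure.
        Write-Warning (("{0}: file-backed zone accepting non-secure updates. Fix with " +
            "ConvertTo-DnsServerPrimaryZone -Name '{0}' -ReplicationScope Domain -Force " +
            "(then set Secure), or Set-DnsServerPrimaryZone -Name '{0}' -DynamicUpdate None") -f $zone.ZoneName)
    }
}
```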

SECONDARY DNS ZONES

Read only replica of primary zone

Needs Permission to transfer zone from primary

Can transfer zone data from the primary zone or from another secondary zone

Stub Zones

Contains only the name server records of another zone

Unlike a conditional forwarder, it updates itself when the name servers in the target zone change

Useful for relationships with partner organizations where you don’t want to replicate entire zone

Reverse Lookup Zones

Used for IP to FQDN lookups

Can be configured for IPv4 or IPv6 address space

Reverse lookup zones for public IP address space are often looked after by ISPs

Used in anti-spam checks to verify ownership of SMTP server IP address

Global Names Zones

Provides single label name resolutions

Replacement for WINS servers

Preparation requirements:

  • A primary zone must be created with the zone name GlobalNames
  • Enable GlobalNames zone support on each server that hosts the zone
     dnscmd <servername> /config /enableglobalnamessupport 1
  • Add CNAME records to zone

Delegation

A delegation points at a sub-domain of an existing domain

Can be hosted on same DNS server or another DNS server

Must create sub domain zone prior to performing delegation

Zone Scavenging

Allows for automatic removal of resource records that are no longer in use

Primarily useful for zones with transient entries

Can be set at the server or zone level

Disabled by default

Can force scavenging from interface or PowerShell
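
An added example (not code from the original post) of enabling scavenging at server and zone level, previewing the stale dynamic records, and forcing a run. It assumes the DnsServer module; the zone name is a placeholder and the 7-day intervals are the commonly used values.

```powershell
# Added example (not from the original post): zone scavenging end to end.
Import-Module DnsServer
$zoneName = 'corp.example.test'   # placeholder zone

# Server level: scavenging is off by default. A record becomes eligible once it is older
# than NoRefresh + Refresh (14 days here); a scavenging pass then runs every 7 days.
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00 `
    -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00

# Zone level: aging must also be switched on per zone, otherwise nothing in it is removed.
Set-DnsServerZoneAging -Name $zoneName -Aging $true `
    -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00

# Preview what a pass would remove. Only dynamically registered records carry a timestamp;
# static records have none and are never scavenged.
function Get-StaleDnsRecord {
    param([string]$ZoneName, [int]$OlderThanDays = 14)
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    Get-DnsServerResourceRecord -ZoneName $ZoneName |
        Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
        Select-Object HostName, RecordType, Timestamp
}

# Review the list first: a stale record that still resolves sends clients to whatever host
# now holds that address. Then run the pass now instead of waiting for the interval.
Get-StaleDnsRecord -ZoneName $zoneName | Format-Table -AutoSize
Start-DnsServerScavenging -Force
```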

Zone Transfer Policies

Determine which servers may request a zone transfer, and therefore whether (and where) secondary zones can be configured

Zone transfer options:

  • Any server
  • Servers configured on the Name Servers tab
  • Specified name servers
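
As an added example (not code from the original post), the script below finds primary zones that hand a full zone transfer to any requester, restricts them to the known secondaries, and adds a Windows Server 2016+ zone transfer policy as a second gate. It assumes the DnsServer module; the zone name and the secondary addresses are placeholders from the documentation ranges.

```powershell
# Added example (not from the original post): lock down zone transfers.
Import-Module DnsServer
$secondaries = @('192.0.2.11', '192.0.2.12')   # placeholder secondary server addresses

# An open transfer lets anyone enumerate every host in the zone with one AXFR request.
function Get-OpenTransferZone {
    Get-DnsServerZone | Where-Object {
        $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and
        $_.SecureSecondaries -eq 'TransferAnyServer'
    }
}

foreach ($zone in Get-OpenTransferZone) {
    # TransferToSecureServers = only the listed -SecondaryServers (the "Name Servers tab"
    # option would be TransferToZoneNameServer). Notify only those servers on changes.
    Set-DnsServerPrimaryZone -Name $zone.ZoneName `
        -SecureSecondaries TransferToSecureServers -SecondaryServers $secondaries `
        -Notify NotifyServers -NotifyServers $secondaries
    Write-Host "$($zone.ZoneName): zone transfers limited to $($secondaries -join ', ')"
}

# Policy layer: define the subnet the secondaries live in and ignore transfer requests
# from anywhere else, independently of the per-zone setting above.
Add-DnsServerClientSubnet -Name 'SecondaryDnsSubnet' -IPv4Subnet '192.0.2.0/24'
Add-DnsServerZoneTransferPolicy -Name 'IgnoreTransferOutsideSecondaries' `
    -ZoneName 'corp.example.test' -Action IGNORE -ClientSubnet 'ne,SecondaryDnsSubnet'

# Verify from a host that is not a listed secondary; the transfer should now be refused:
#   nslookup
#   > server <primary DNS server IP>
#   > ls -d corp.example.test
# and list the rule with: Get-DnsServerZoneTransferPolicy -ZoneName 'corp.example.test'
```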

Quick start PowerShell in DNS

Get-DNSServerZone

Add-DNSServerPrimaryZone
Set-DNSServerPrimaryZone

Add-DNSServerSecondaryZone
Set-DNSServerSecondaryZone

Add-DNSServerStubZone
Set-DNSServerStubZone

Add-DNSServerZoneDelegation
Set-DNSServerZoneDelegation

Add-DNSServerZoneTransferPolicy
Set-DNSServerZoneTransferPolicy

ConvertTo-DNSServerPrimaryZone
ConvertTo-DNSServerSecondaryZone

Get-DNSServerGlobalNameZone

Get-DNSServerScavenging
Remove-DNSServerZone
Start-DNSServerScavenging

Forwarders

Forwards queries from the DNS server to another DNS server

Target DNS server resolves the query and returns the result to the forwarding DNS server

Forward queries to DNS server on perimeter network or ISP’s DNS server

Alternative to having DNS recursion occur across internet from inside internal network

Conditional Forwarders

Forwards queries for specific zones to specific DNS servers

DNS server checks query target zone

  1. If the query’s target zone has a conditional forwarder, the query is sent to the specified DNS server
  2. If no conditional forwarder is configured for the target zone, the query is resolved normally

Root Hints

List of DNS root servers on the internet

Both IPv4 and IPv6 addresses contained

Can manually edit root servers

Root server list occasionally updated through software updates

Recursion

Disabling recursion

  • The DNS server will no longer resolve the entire query
  • It provides the client with the address of the next DNS server to query in the resolution chain
  • Reduces the workload on the DNS server and is useful if the DNS server is under DDoS attack

Disabling recursion also disables forwarders
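
An added example (not code from the original post) that reports a server’s recursion and forwarder state and applies the two configurations described above: an internal resolver that forwards to the perimeter/ISP resolver instead of recursing across the internet, and an internet-facing authoritative server with recursion off. It assumes the DnsServer module (the conditional forwarder stored in AD needs a domain controller); addresses are placeholders from the documentation ranges.

```powershell
# Added example (not from the original post): recursion and forwarder configuration by role.
Import-Module DnsServer

function Get-DnsRecursionReport {
    $rec = Get-DnsServerRecursion
    $fwd = Get-DnsServerForwarder
    [pscustomobject]@{
        RecursionEnabled = $rec.Enable
        # SecureResponse discards records from outside the queried zone (cache pollution guard)
        SecureResponse   = $rec.SecureResponse
        Forwarders       = ($fwd.IPAddress -join ', ')
        FallsBackToRoot  = $fwd.UseRootHint
    }
}

# Internal resolver: keep recursion for clients, but hand everything it cannot answer to the
# perimeter resolver. With UseRootHint off it never iterates across the internet itself.
function Set-InternalResolverConfig {
    param([string[]]$Forwarders)
    Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false
    Set-DnsServerRecursion -Enable $true -SecureResponse $true
    # Queries for a partner's namespace go to that partner's servers only.
    Add-DnsServerConditionalForwarderZone -Name 'partner.example.test' `
        -MasterServers '198.51.100.10' -ReplicationScope Forest
}

# Internet-facing authoritative server: answer only for the zones it hosts. Recursion left on
# here makes it an open resolver that outsiders can use for reflection and cache-poisoning
# attempts. As noted above, this also stops the server from using forwarders.
function Set-AuthoritativeOnlyConfig {
    Set-DnsServerRecursion -Enable $false
}

# Apply the one that matches this server's role, then confirm the resulting state.
Set-InternalResolverConfig -Forwarders '192.0.2.53'
# Set-AuthoritativeOnlyConfig
Get-DnsRecursionReport
```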

PowerShell commands,

Add-DNSServerConditionalForwarderZone
Set-DNSServerConditionalForwarderZone

Add-DNSServerForwarder
Get-DNSServerForwarder

Set-DNSServerForwarder
Remove-DNSServerForwarder

Add-DNSServerRootHint
Get-DNSServerRootHint
Set-DNSServerRootHint
Remove-DNSServerRootHint
Import-DNSServerRoothint

Get-DNSServerRecursion
Set-DNSServerRecursion

Conclusion

In conclusion, the Microsoft DNS Server plays a crucial role in translating domain names to IP addresses and vice versa. It supports various record types such as A, AAAA, CNAME, PTR, and more, allowing efficient DNS resolution and management. DNS query resolution involves caching, registration, and server placement, ensuring fast and reliable name resolution. DNS tools like nslookup and Resolve-DNSName aid in troubleshooting and querying DNS records. Primary and secondary DNS zones provide replication and fault tolerance, while reverse lookup and global names zones serve specific lookup needs. Zone transfer policies, delegation, zone scavenging, forwarders, and root hints enhance DNS functionality and performance. With PowerShell commands, administrators can easily configure and manage DNS records and settings. Overall, the Microsoft DNS Server offers a comprehensive solution for effective and secure DNS infrastructure.
