Wednesday, October 19, 2011

Configure the DNS Server Role

Components of a DNS Solution
  • DNS Clients. Windows, Unix, Linux and Mac operating systems. Windows systems also maintain a local DNS resolver cache.
  • DNS Servers. Host a distributed, hierarchical database of resource records, stored by DNS zone, which include:
    • SOA. Start of Authority. Identifies the primary name server for a DNS zone, that is, the DNS name server in charge of that particular zone.
    • A. Host record that maps a name to an IPv4 address for a host on the network. Hosts can be workstations, network devices, or servers.
    • CNAME. Canonical name (alias) record. For example, www.microsoft.com is a CNAME pointing to the A record for the domain microsoft.com.
    • MX. Mail exchange record indicating where mail should be sent for the SMTP domains the server is authoritative for.
    • SRV. Service locator record indicating which servers are hosting particular Active Directory roles.
    • NS. Name server record identifying the DNS servers for the zone.
    • AAAA. IPv6 host record.
    • PTR. Pointer record that lets you look up an IP address to get the name associated with it. To support reverse lookups, add PTR records to the reverse lookup zone (in-addr.arpa for IPv4 addresses, ip6.arpa for IPv6 addresses).
  • DNS Servers on the Internet. The 13 root servers maintained by the Internet Assigned Numbers Authority (IANA), and the top-level domain servers for domains such as .com and .net.
DNS Defined
DNS Server Role
DNS Reference Information
DNS Server Root Hints Configuration


Root Hints
Root hints contain a list of IP addresses for the 13 Internet DNS root servers. Our internal DNS server uses these root servers when it cannot resolve a query from its own zone data or cache and has no forwarder that can resolve the name-to-IP-address mapping: the server checks its own cache first and then the root hints. The root hints list is configured when you install the DNS Server role; it is written to the file cache.dns in %SystemRoot%\System32\dns and loaded into the server's cache. The file contains the NS and A resource records for the Internet root servers.

Note: We can add additional root hints to our DNS server for non-contiguous domains in a forest if we need to perform lookups to external domains. When a DNS server queries a root hint server, it only uses iterative queries. If we select Do not use recursion for this domain when we set up the DNS server, the server will not be able to query the root hints. If a forwarder is configured, the server uses the forwarder and, if the forwarder cannot answer, gives up the query for the host.

Attackers sometimes abuse recursion to mount denial-of-service attacks against the DNS Server service. If a DNS server in your network does not need to receive recursive queries, disable recursion on that server.

DNS Query
A DNS query is a request for name resolution and is directed to a DNS server. Answers can be authoritative or nonauthoritative. DNS servers can also act as clients and send queries to other DNS servers.
  • Queries are recursive or iterative.
  • Both DNS clients and DNS servers initiate queries.
  • A DNS server is either authoritative or nonauthoritative for a given namespace.
  • An authoritative DNS server returns either:
    • the IP address, or
    • an authoritative "No".
  • A nonauthoritative DNS server will:
    • check its cache, or
    • use forwarders, or
    • use root hints.
For example, the DNS server at your workplace is authoritative for your internal DNS zones but nonauthoritative for www.pcrepairnorthshore.com. To resolve that name it will check its cache, use its forwarders (its ISP's DNS server), or use its root hints to query the Internet root servers.

Recursive Query
A recursive query requires a definitive answer from the DNS server:
  • the DNS server returns the IP address of the requested host, or
  • the DNS server cannot resolve the name and returns an error message.
If recursive queries are disabled on the DNS server for security reasons, the server will not forward any request to another server. This is useful when you want to keep a DNS server from communicating outside its local network.

Iterative Queries
An iterative query asks a DNS server for the best answer it can give from its own data, which may be a full answer or a referral to another name server. Iterative queries are used in conjunction with recursive queries, as in this example:
  • A client issues a recursive query to the local DNS server for mail.pcrepairnorthshore.com. The local DNS server cannot answer it because it is not authoritative for that domain name.
  • If the local DNS server is configured with root hints, it issues an iterative query to a root server asking for the IP addresses of the .com top-level domain servers.
  • The root server replies with a referral: the IP addresses of the .com servers, which the local DNS server stores in its cache.
  • The local DNS server then issues an iterative query to a .com name server asking for the authoritative server for pcrepairnorthshore.com.
  • The referral to the pcrepairnorthshore.com name server is cached, and the local DNS server queries that server. It is authoritative for mail.pcrepairnorthshore.com and replies with an authoritative response.
  • The local DNS server now completes the client's recursive query by returning the IP address for mail.pcrepairnorthshore.com.

How a DNS query works with a forwarder
What is a forwarder? A forwarder is a DNS server on a private network designated to resolve external DNS domain names on behalf of other DNS servers.
  • A client issues a recursive query to the local DNS server for mail.pcrepairnorthshore.com. The local DNS server cannot answer it because it is not authoritative for that domain name.
  • If the local DNS server is configured with a forwarder, it sends a recursive query for mail.pcrepairnorthshore.com to the forwarder.
  • The forwarder issues iterative queries to the root servers to obtain the IP addresses of the .com name servers.
  • The forwarder issues iterative queries to the .com servers for pcrepairnorthshore.com and is given the IP address of the authoritative server for pcrepairnorthshore.com.
  • The forwarder queries that authoritative server and completes its recursive query by answering the local DNS server.
  • The local DNS server completes the client's recursive query by returning the IP address of mail.pcrepairnorthshore.com.


Conditional Forwarder
A conditional forwarder is a DNS server configuration that forwards queries to a particular DNS server based on the DNS domain name in the query.
  • A client computer issues a query to the local DNS server for www.pcrepairnorthshore.com. The local DNS server cannot answer it because it is not authoritative for that domain name.
  • If the local DNS server is configured with a conditional forwarder, it checks whether it has an entry for pcrepairnorthshore.com; the entry says to pass the query straight to the pcrepairnorthshore.com DNS server.
  • An authoritative response is passed back to the local DNS server and on to the client computer.
If the local DNS server is also configured with a standard forwarder, it passes requests for all other DNS domains to that forwarder (for example the ISP's DNS servers) or to the root hints.
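The recursive, iterative, forwarder and conditional-forwarder flows described in the sections above, plus the behaviour of a server with recursion disabled or with its root hints removed, can be traced with the small Python simulation below. It is an added example, not code from the original post or from the Windows DNS Server role. The topology, server names and addresses (root-server, com-tld-server, ns.pcrepairnorthshore.com, isp-resolver, dns1.corp.example, and the 192.0.2.x and 192.168.10.x addresses) are constructed, the scenario helper is hypothetical, and TTL expiry is left out of the cache.

```python
"""Simulated DNS resolution (constructed example, not Windows DNS Server code): recursive
client queries, the iterative walk from root hints with caching, a standard forwarder,
a conditional forwarder, and a server with recursion disabled or no root hints."""


def longest_match(qname, domains):
    """Longest entry in `domains` that is qname itself or a parent of it, else None."""
    hits = [d for d in domains if qname == d or qname.endswith("." + d)]
    return max(hits, key=len) if hits else None


class DnsServer:
    def __init__(self, name, authoritative=None, delegations=None, root_hints=()):
        self.name = name
        self.authoritative = authoritative or {}  # zone -> {host name -> IP}
        self.delegations = delegations or {}      # child zone -> DnsServer holding it
        self.root_hints = list(root_hints)        # where an iterative walk starts
        self.forwarder = None                     # DnsServer that resolves on our behalf
        self.conditional = {}                     # domain -> DnsServer used for that domain only
        self.recursion = True                     # False models "Disable recursion"
        self.cache = {}                           # host name -> IP learned earlier
        self.ns_cache = {}                        # zone -> DnsServer learned from referrals
        self.log = []                             # trace of what this server did

    def _local(self, qname):
        # Own zones give an authoritative answer or an authoritative "No"; then the cache.
        zone = longest_match(qname, self.authoritative)
        if zone is not None:
            return "authoritative", self.authoritative[zone].get(qname)
        return ("cache", self.cache[qname]) if qname in self.cache else (None, None)

    def iterative_query(self, qname):
        """Best answer from local data only: an answer, a referral, or 'No'."""
        source, ip = self._local(qname)
        if source is not None:
            return ("answer" if ip else "nxdomain", ip)
        child = longest_match(qname, self.delegations)  # refer the asker to a closer server
        return ("referral", (child, self.delegations[child])) if child else ("nxdomain", None)

    def recursive_query(self, qname):
        """Client-facing query: must end in an IP address or an error (None)."""
        source, ip = self._local(qname)
        if source is not None:
            self.log.append(f"{self.name}: {source} {'answer' if ip else 'No'} for {qname}")
            return ip
        if not self.recursion:                    # never contacts another server
            self.log.append(f"{self.name}: recursion disabled, refusing {qname}")
            return None
        domain = longest_match(qname, self.conditional)
        if domain is not None:                    # conditional forwarder wins for its domain
            target = self.conditional[domain]
            self.log.append(f"{self.name}: conditional forward {qname} -> {target.name}")
            return self._remember(qname, target.recursive_query(qname))
        if self.forwarder is not None:            # standard forwarder for everything else
            self.log.append(f"{self.name}: forward {qname} -> {self.forwarder.name}")
            return self._remember(qname, self.forwarder.recursive_query(qname))
        return self._remember(qname, self._walk_from_root(qname))

    def _walk_from_root(self, qname):
        """Iterative walk root -> TLD -> authoritative server, caching each referral."""
        known = longest_match(qname, self.ns_cache)
        if known is None and not self.root_hints:  # root hints removed: no Internet lookups
            self.log.append(f"{self.name}: no root hints, cannot resolve {qname}")
            return None
        server = self.ns_cache[known] if known else self.root_hints[0]
        for _ in range(10):                       # hard stop against referral loops
            kind, data = server.iterative_query(qname)
            self.log.append(f"{self.name}: iterative query for {qname} to {server.name}: {kind}")
            if kind != "referral":
                return data
            zone, server = data
            self.ns_cache[zone] = server          # e.g. the .com servers, reused next time

    def _remember(self, qname, ip):
        if ip is not None:
            self.cache[qname] = ip                # TTL expiry is omitted in this simulation
        return ip


def build_lab():
    """Constructed topology: root -> .com -> pcrepairnorthshore.com, an ISP resolver that
    can act as a forwarder, and an internal server authoritative only for corp.example."""
    ns_pcr = DnsServer("ns.pcrepairnorthshore.com", authoritative={"pcrepairnorthshore.com": {
        "mail.pcrepairnorthshore.com": "192.0.2.25", "www.pcrepairnorthshore.com": "192.0.2.80"}})
    tld_com = DnsServer("com-tld-server", delegations={"pcrepairnorthshore.com": ns_pcr})
    root = DnsServer("root-server", delegations={"com": tld_com})
    isp = DnsServer("isp-resolver", root_hints=[root])
    local = DnsServer("dns1.corp.example", root_hints=[root],
                      authoritative={"corp.example": {"fs1.corp.example": "192.168.10.5"}})
    return {"root": root, "ns_pcr": ns_pcr, "isp": isp, "local": local}


def scenario(names, forwarder=False, conditional=False, recursion=True):
    """Hypothetical helper: configure the internal server as requested, resolve `names`
    in order, and return (answers, internal server log, ISP resolver log)."""
    lab = build_lab()
    local = lab["local"]
    local.forwarder = lab["isp"] if forwarder else None
    local.conditional = {"pcrepairnorthshore.com": lab["ns_pcr"]} if conditional else {}
    local.recursion = recursion
    answers = [local.recursive_query(n) for n in names]
    return answers, local.log, lab["isp"].log
```

Calling scenario(("mail.pcrepairnorthshore.com",) * 2) logs three iterative queries (two referrals and one authoritative answer) followed by a cache hit for the repeat; with forwarder=True the internal server logs a single forward and the ISP resolver does the walking; with conditional=True the pcrepairnorthshore.com query goes straight to that domain's server while other names still go to the standard forwarder; with recursion=False the server still answers for corp.example but refuses everything else without contacting any outside server.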



DNS Caching
DNS caching decreases the time needed to perform DNS lookups. Once an internal DNS server has cached the IP address for a name, later queries for that name are answered directly from the cache, bypassing the external lookup. Over time the cache builds up a collection of domain names and IP addresses, each kept until its TTL expires.

We can also deploy caching-only DNS servers, which store no DNS zone data at all. Such a server only answers lookups for DNS clients, and it can be used as a forwarder. The DNS client cache held on each machine is sometimes known as the local resolver cache.


DNS server cache:

  Host name                      IP address     TTL
  Tech.pcrepairnorthshore.com    192.168.1.1    26 seconds


Configure the DNS Server Role 


  • To open the DNS Manager console: Start | All Programs | Administrative Tools | DNS
  • Highlight the server name and double-click Root Hints to see the list of root hints, or right-click the server, select Properties, and open the Root Hints tab.
Remember that root hints point at the Internet root servers. There are thirteen groups of these servers, and the servers within each group share one common IP address.

When would you want to modify root hints?
  • If you want to prevent the server from doing Internet lookups, remove the root hint entries.
  • Sometimes ICANN announces a change to a root server's address and you need to update the entry.
Microsoft usually ships ICANN's changes in hotfixes, but you can make the change manually if you need to. Imagine the ICANN blog indicates that the IP address of m.root-servers.net has changed:
  • Start | All Programs | Administrative Tools | DNS
  • Highlight the server name and double-click Root Hints for the list of root hints.
  • Highlight m.root-servers.net.
  • Click Edit.
  • Click <Click here to add an IP Address>, type the new address, and press Enter to validate it. (You will see an error against the old IP address because it has been decommissioned; highlight and delete the old address.)
  • Click OK.
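Because the root hints decide where every Internet lookup starts, it is worth checking the cache.dns file described earlier against the currently published root server list rather than trusting it blindly: a stale address (the decommissioned one above) or a tampered one both show up as drift. The Python audit below is an added example, not a Microsoft tool or code from the original post. It assumes the four-column owner/TTL/type/data layout with ';' comments shown in the constructed sample; the sample addresses are documentation ranges, not the real root server addresses, and EXPECTED_ROOT_HINTS stands in for the published list. On a real server you would feed it the contents of %SystemRoot%\System32\dns\cache.dns.

```python
"""Audit a Windows DNS root hints file (cache.dns). Constructed example, not a Microsoft
tool: it assumes the four-column layout shown in the sample below (owner, TTL, type, data)
with ';' comments, which is the layout the root NS and A records use in that file."""
import ipaddress

# Constructed sample in cache.dns layout. The addresses are documentation ranges,
# not the real root-server addresses; M still carries an address that was retired.
SAMPLE_CACHE_DNS = """\
;  Root hints: NS records for the root zone and glue addresses for each server
.                       3600000   NS     A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.     3600000   A      192.0.2.4
A.ROOT-SERVERS.NET.     3600000   AAAA   2001:db8::4
.                       3600000   NS     B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.     3600000   A      192.0.2.201
.                       3600000   NS     M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.     3600000   A      198.51.100.33   ; old address, decommissioned
M.ROOT-SERVERS.NET.     3600000   A      198.51.100.34
"""

# Constructed "expected" list, standing in for the currently published root-server list.
EXPECTED_ROOT_HINTS = {
    "A.ROOT-SERVERS.NET.": {"192.0.2.4", "2001:db8::4"},
    "B.ROOT-SERVERS.NET.": {"192.0.2.201"},
    "M.ROOT-SERVERS.NET.": {"198.51.100.34"},
}


def parse_cache_dns(text):
    """Return (root_ns, glue): the root NS targets in file order, and a map of server
    name -> set of glue addresses. Malformed lines raise ValueError rather than being
    skipped, because a silently ignored record is a silently missing root server."""
    root_ns, glue = [], {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()           # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or not parts[1].isdigit():
            raise ValueError(f"unexpected record layout: {raw!r}")
        owner, _ttl, rtype, rdata = parts
        owner = owner.upper()                         # DNS names are case-insensitive
        if rtype == "NS":
            if owner != ".":
                raise ValueError(f"NS record is not for the root zone: {raw!r}")
            root_ns.append(rdata.upper())
        elif rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)        # raises ValueError on a bad address
            if (addr.version == 4) != (rtype == "A"):
                raise ValueError(f"address family does not match type: {raw!r}")
            glue.setdefault(owner, set()).add(str(addr))
        else:
            raise ValueError(f"unexpected record type {rtype}: {raw!r}")
    return root_ns, glue


def audit_root_hints(text, expected):
    """Findings for a cache.dns file checked against `expected` (server name -> set of
    addresses). An empty list means every hint is present, usable and current."""
    root_ns, glue = parse_cache_dns(text)
    findings = []
    for name in root_ns:
        if name not in glue:
            findings.append(f"{name}: NS record has no A/AAAA glue, so it cannot be contacted")
    for name in glue:
        if name not in root_ns:
            findings.append(f"{name}: address record without a root NS entry")
    for name, want in expected.items():
        have = glue.get(name, set())
        for ip in sorted(have - want):
            findings.append(f"{name}: unexpected address {ip} (stale or tampered hint)")
        for ip in sorted(want - have):
            findings.append(f"{name}: missing address {ip}")
    for name in sorted(set(glue) - set(expected)):
        findings.append(f"{name}: server is not in the expected list")
    return findings


if __name__ == "__main__":
    for finding in audit_root_hints(SAMPLE_CACHE_DNS, EXPECTED_ROOT_HINTS):
        print(finding)
```

Run against the sample, the audit reports exactly one finding, the stale address on M.ROOT-SERVERS.NET.; once that entry is removed through the Root Hints dialog above (or the expected list is updated), the findings list is empty. A root NS entry with no glue address is reported too, since the server could never contact that root server.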
How to set up a forwarder?
  • Start | All Programs | Administrative Tools | DNS
  • Highlight the server name and double-click Forwarders.
  • Click Edit.
  • Click <Click here to add an IP Address or DNS Name> and enter the IP address or DNS name of the external DNS server to which we want to forward our DNS requests.
  • Click OK.
Note: on the same display is Number of seconds before forward queries time out, which is set to 3.
In this example we use 3. Our server will try to resolve the client's request internally for three seconds; if it cannot resolve it in that time, it passes the request to the forwarder. If the forwarder is unavailable, the server uses the root hints, because Use root hints if no forwarders are available is checked.
  • Click Apply
  • Click OK
How to clear the cache using the DNS console?
  • Right-click the server.
  • Select Clear Cache.
How to clear the cache using the command prompt?
  • Click Start | cmd.
  • The command prompt displays.
  • Type dnscmd /? for help.
  • Type dnscmd /clearcache and press Enter.

How to restrict the DNS server to servicing specific requests by specifying which IP addresses it listens on for DNS requests:

  • dnscmd [ServerName] /resetlistenaddresses [ListenAddress ...]
Example: dnscmd DNS1 /resetlistenaddresses 192.168.10.1
