Wednesday, October 26, 2011

Tips on How to Configure DNS Zones


DNS zones allow domains to be configured and managed in a logical, structured way. A zone hosts all of a domain, or part of a domain together with its subdomains.

Take, for example, pcrepairnorthshore.com. Imagine pcrepairnorthshore.com is divided into two zones. The first zone hosts www.pcrepairnorthshore.com and ftp.pcrepairnorthshore.com. Let's pretend we also have a site called offsite.pcrepairnorthshore.com. We delegate it to a new zone that hosts offsite.pcrepairnorthshore.com and its subdomains ftp.offsite.pcrepairnorthshore.com and www.offsite.pcrepairnorthshore.com.

DNS Zone Types

Primary – A primary zone is a read/write copy and the primary source of information about the zone. The zone data is stored in a local file or in Active Directory Domain Services. The local file is stored in the %windir%\System32\DNS folder and its default name is zone_name.dns.

Secondary – A secondary zone is a read-only copy and a secondary source of information about the zone. It must have network access to the remote DNS server supplying it with updated data. A secondary zone cannot be stored in Active Directory because it is only a copy of the primary zone hosted on another DNS server.

Stub – A stub zone is a copy of a zone containing only the records used to locate the name servers that are authoritative for that zone on a remote DNS server, that is, the resource records of the authoritative zone servers. The DNS server hosting the stub zone must have network access to the remote DNS server in order to copy the name server information. A stub zone lets the DNS server resolve names in that zone by querying the stub zone's list of name servers directly, rather than querying the Internet or internal root servers.

Active Directory integrated – An Active Directory integrated zone is stored in Active Directory instead of a flat zone file.

Forward and Reverse Lookup Zones

·         Forward lookup zones. Resolve host names to IP addresses and host common resource records such as:
o   A
o   CNAME
o   SRV
o   MX
o   SOA
o   NS
·         Reverse lookup zones. Most DNS lookups are forward lookups that resolve a host name to an IP address.

DNS also allows a reverse lookup, where the client uses an IP address to look up a computer name. To make this possible, a special domain, in-addr.arpa, was defined and reserved in the Internet DNS namespace to hold the numbers of a dotted-decimal IP address in reverse order. Without it, finding the name for an address would mean searching through the forward lookup data, which would take too long.

The reverse ordering of the IP address is necessary because an IP address is read from left to right, with the network portion first and the host portion in the last octets, whereas a DNS name is read from its most specific label (leftmost) to its least specific (rightmost).

A reverse lookup zone hosts these resource records:
o   SOA
o   NS
o   PTR. A PTR resource record maps an address in the reverse lookup zone to the name of the host whose A record lives in the forward lookup zone.
How does a reverse query work (IPv4 networks)?

Determine the DNS name for 192.168.1.10:
·         The client queries the DNS server for a PTR resource record that maps to 192.168.1.10. Since the query is for a PTR record, the resolver reverses the address and appends the in-addr.arpa domain to the end of the reversed address to form the FQDN (fully qualified domain name):
o   10.1.168.192.in-addr.arpa
·         When the authoritative DNS server for 10.1.168.192.in-addr.arpa is located, it responds with the PTR resource record, which includes the DNS domain name for the host.
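As an added example (not part of the original post), the Python below builds the PTR owner name exactly as the walkthrough above does for 192.168.1.10, turns a wizard-style network id such as 10.10.0 into its reverse zone name, and picks which configured reverse zone would answer a given PTR query. The IPv6 branch under ip6.arpa is a generalization beyond the page; all sample zones and addresses are constructed.

```python
import ipaddress
from typing import List, Optional

def ptr_name(ip: str) -> str:
    """Build the owner name a resolver queries for a PTR record.
    IPv4: octets reversed under in-addr.arpa (the 192.168.1.10 walkthrough).
    IPv6: every hex nibble reversed under ip6.arpa (generalization, not on the page)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")       # 32 hex digits, fully expanded
    return ".".join(reversed(nibbles)) + ".ip6.arpa"

def reverse_zone_name(network_id: str) -> str:
    """Turn the network id typed into the New Zone Wizard into the zone name it
    shows, e.g. '10.10.0' -> '0.10.10.in-addr.arpa'. One to three octets give a
    /8, /16 or /24 zone; an octet-aligned CIDR such as 192.168.1.0/24 also works."""
    if "/" in network_id:
        net = ipaddress.ip_network(network_id, strict=True)
        if net.version != 4 or net.prefixlen not in (8, 16, 24):
            raise ValueError("IPv4 reverse zones here are octet aligned (/8, /16, /24)")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    else:
        octets = network_id.strip(".").split(".")
        if not 1 <= len(octets) <= 3 or any(not o.isdigit() or int(o) > 255 for o in octets):
            raise ValueError(f"bad network id: {network_id!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def zone_for_ptr(ip: str, reverse_zones: List[str]) -> Optional[str]:
    """Which configured reverse lookup zone covers a PTR query for ip?
    Returns the most specific (longest) matching zone, or None when no zone
    covers the address, the first thing to check when PTR queries return NXDOMAIN."""
    name = ptr_name(ip)
    matches = [z for z in reverse_zones if name.endswith("." + z.lower().rstrip("."))]
    return max(matches, key=len) if matches else None
```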

Demo – Steps to create a Forward Lookup Zone

1.       Start | Administrative Tools | DNS
2.       Click on the server name
3.       Highlight Forward Lookup Zones and right-click
4.       Click New Zone and the New Zone Wizard begins
5.       Next
6.       Select the Zone Type. We will select Primary zone and check the Store the zone in Active Directory (available only if DNS server is a writable domain controller) box.
7.       Next
8.       In the Active Directory Zone Replication Scope dialog box, select To all DNS servers in this domain:
9.       Next
10.   Type in the Zone Name
11.   Next
12.   For the Dynamic Update dialog box, choose Allow only secure dynamic updates (recommended for Active Directory). Option is available only for Active Directory-integrated zones.
13.   Next
14.   Finish
Go to DNS Manager, expand the zone you just created, and verify it by checking the SOA and NS resource records.

Demo – Steps to create a Forward Lookup Zone from the command prompt

In this example, the server name will be svr-1 and the zone name will be OffsiteOffice.
1.       Start | cmd
2.       dnscmd svr-1 /zoneadd OffsiteOffice /dsprimary
3.       Return
4.       You should receive a Command completed successfully message.
Go to DNS Manager, expand the zone you just created, and verify the SOA and NS resource records. Right-click the OffsiteOffice zone and click Properties to see the status of the zone as Running and the Type as Active Directory-Integrated.

Demo – Steps to create a Reverse Lookup Zone

·         Start | Administrative Tools | DNS
·         Click on the server name
·         Highlight Reverse Lookup Zones and right-click
·         Click New Zone and the New Zone Wizard begins
·         Next
·         Select the Zone Type. We will select Primary zone and check the Store the zone in Active Directory (available only if DNS server is a writable domain controller) box.
·         Next
·         In the Active Directory Zone Replication Scope dialog box, select To all DNS servers in this domain:
·         Next
·         In the Reverse Lookup Zone Name dialog box, select IPv4 Reverse Lookup Zone.
·         Next
·         In the Reverse Lookup Zone Name dialog box, type in the network id. We will use 10.10.0. In the box below it you will see that the network id translates to 0.10.10.in-addr.arpa.
·         Next
·         For the Dynamic Update dialog box, choose Allow only secure dynamic updates (recommended for Active Directory). Option is available only for Active Directory-integrated zones.
·         Next
·         On the Completing the New Zone Wizard page, you will see the Name, Type, and Lookup Type.
Name:  0.10.10.in-addr.arpa
Type: Active Directory-Integrated Primary
Lookup type: Reverse
·         Finish
Go to DNS Manager and expand the reverse lookup zone you just created and verify the SOA and NS resource records.

DNS Zone Delegation

DNS is a hierarchical system. A zone delegation points to the next level down in the hierarchy.
When you divide your DNS namespace into one or more zones, you may need to delegate a zone so it can be managed by another part of the namespace.

For instance, you may want to delegate a zone so it can be managed by another location or department in your organization, to distribute traffic load for better performance, or for fault tolerance.
Each new zone needs delegation records in the parent zone pointing to the authoritative DNS servers for the new zone.
The resource records involved are:
o   NS. Names the authoritative server for the delegated subdomain.
o   A host (A or AAAA) resource record, the glue record, which resolves the name of the server given in the NS resource record to its IP address. This is sometimes called glue chasing.
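The following is an added example, not code from the original post: a small check of the delegation records a parent zone holds for a child zone. It generalizes the glue point above in one direction the page does not spell out: glue (an A/AAAA record in the parent) is only needed when the name server's own name lies inside the zone being delegated; a server named outside that zone is resolved normally. The parent-zone data, host names and 192.0.2.x addresses are constructed for the example.

```python
import copy
from typing import Dict, List

# Constructed parent-zone data: pcrepairnorthshore.com delegates
# offsite.pcrepairnorthshore.com to two hypothetical name servers.
PARENT_ZONE: Dict[str, Dict[str, List[str]]] = {
    "pcrepairnorthshore.com": {"NS": ["dnssvr-1.pcrepairnorthshore.com"]},
    "dnssvr-1.pcrepairnorthshore.com": {"A": ["192.0.2.10"]},
    # delegation records for the child zone
    "offsite.pcrepairnorthshore.com": {
        "NS": ["ns1.offsite.pcrepairnorthshore.com", "dnssvr-1.pcrepairnorthshore.com"]
    },
    "ns1.offsite.pcrepairnorthshore.com": {"A": ["192.0.2.20"]},   # glue record
}

def in_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex itself or lies beneath it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def check_delegation(parent: Dict[str, Dict[str, List[str]]], child: str) -> List[str]:
    """Validate the delegation of `child` as held in the parent zone.
    Returns the problems found; an empty list means resolvers can follow it."""
    problems: List[str] = []
    ns_names = parent.get(child, {}).get("NS", [])
    if not ns_names:
        return [f"no NS records delegate {child}"]
    for ns in ns_names:
        if in_zone(ns, child):
            # The server is named inside the zone it serves, so a resolver can only
            # reach it if the parent also carries an A/AAAA (glue) record for it.
            glue = parent.get(ns, {})
            if not (glue.get("A") or glue.get("AAAA")):
                problems.append(f"missing glue (A/AAAA) for in-zone name server {ns}")
        # A name server outside the child zone needs no glue here; it is resolved normally.
    return problems

def without_glue(parent: Dict[str, Dict[str, List[str]]], ns: str) -> Dict[str, Dict[str, List[str]]]:
    """Copy of the parent zone with the glue for `ns` removed (for testing the check)."""
    broken = copy.deepcopy(parent)
    broken.pop(ns, None)
    return broken
```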

Configure DNS Zone Transfers

Zone transfers are how DNS moves zone information from one server to another.
DNS synchronizes primary and secondary DNS server zones by using zone transfers. Primary and secondary zones must stay synchronized because discrepancies can cause service outages and host names that resolve incorrectly.
It is best to have DNS servers close to the organization's users so that DNS names resolve efficiently. The organization needs to resolve the names of computers and devices that are local to it, as well as names across the entire organization. This is done by transferring data from the master DNS server to a secondary DNS server.
Reload or Transfer a Stub Zone – Make sure the resource records of a stub zone are up to date, in case the server that hosts the zone goes offline.
Adjust the Refresh Interval for a Zone – How often the secondary checks whether the zone needs renewing. The default is 15 minutes.
Adjust the Retry Interval for a Zone – How long to wait before retrying a zone update request that failed when the refresh interval elapsed. The default is 10 minutes.

How does DNS Notify Work?

DNS Notify lets a master server tell its secondary servers when zone changes occur. This is useful in time-sensitive environments where data accuracy is important. When a zone has been updated, the master's SOA serial number is incremented to indicate that a new version of the zone exists, and the master sends a notify message to the secondary servers in its notify list. Each notified secondary sends an SOA-type query back to the master to see whether the zone on the master is a later version. If the secondary sees that the master's SOA record carries a later serial, it requests an AXFR (full zone transfer) or an IXFR (incremental zone transfer).

Securing Zone Transfers

It is important to secure zone records because they contain resource records about hosts and servers, and you need to prevent zone data from being overwritten by malicious processes. This is known as DNS poisoning.
In Windows Server 2008, zone transfers are disabled by default.
You should restrict zone transfer traffic to specific servers. This is especially important for Internet-facing DNS servers.
Zone transfer traffic can be encrypted by using a VPN or IPsec. The best option is to use Active Directory-integrated zones, so the zone is replicated securely as part of the normal Active Directory replication process.
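As an added example covering the refresh/retry, DNS Notify and restricted-transfer sections above (not code from the original post), this Python models the master/secondary exchange: the master bumps its SOA serial and notifies its list, the secondary answers a NOTIFY or an elapsed refresh interval with an SOA check, and a transfer happens only when the master's serial is newer and the requesting server is on the allowed list. The serial test uses RFC 1982 serial arithmetic, which is what real servers use and which a plain greater-than comparison gets wrong once a serial wraps or is reset. Server addresses and serials are constructed; IXFR bookkeeping is simplified and does not handle wraparound.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SERIAL_MOD = 1 << 32

def serial_newer(candidate: int, current: int) -> bool:
    """RFC 1982 comparison: is candidate a later 32-bit SOA serial than current?
    This is the test a secondary applies to the master's SOA before transferring."""
    diff = (candidate - current) % SERIAL_MOD
    return 0 < diff < SERIAL_MOD // 2

@dataclass
class Master:
    serial: int
    allow_xfr: List[str]                 # "Only to the following servers" (IPs)
    notify_list: List[str]               # servers that receive DNS Notify
    history: Dict[int, str] = field(default_factory=dict)   # serial -> change, for IXFR

    def update(self, change: str) -> List[str]:
        """Edit the zone: bump the SOA serial, record the change, send NOTIFY."""
        self.serial = (self.serial + 1) % SERIAL_MOD
        self.history[self.serial] = change
        return [f"NOTIFY -> {ip}" for ip in self.notify_list]

    def transfer(self, client_ip: str, client_serial: int) -> Tuple[str, Optional[list]]:
        """Refuse unlisted clients; serve IXFR when every change since the
        client's serial is known, otherwise fall back to a full AXFR."""
        if client_ip not in self.allow_xfr:
            return "REFUSED", None
        wanted = range(client_serial + 1, self.serial + 1)   # no wrap handling in this demo
        if all(s in self.history for s in wanted):
            return "IXFR", [self.history[s] for s in wanted]
        return "AXFR", ["<full zone>"]

@dataclass
class Secondary:
    ip: str
    serial: int

    def refresh(self, master: Master) -> str:
        """Run on a NOTIFY or when the refresh interval elapses: query the master's
        SOA, compare serials, and transfer only when the master is newer."""
        if not serial_newer(master.serial, self.serial):      # the SOA query
            return "UP_TO_DATE"
        kind, _payload = master.transfer(self.ip, self.serial)
        if kind == "REFUSED":
            return "RETRY"                                    # try again after the retry interval
        self.serial = master.serial
        return kind
```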

Steps to configure Zone Transfers and Secondary Zones

In this example, the DNS server name is dnssvr-1 and the domain name is pcrepairnorthshore.com. We will configure a secondary zone for the pcrepairnorthshore.com DNS domain on dnssvr-2.
1.       Start | Administrative Tools | DNS
2.       Right-click DNS in the console and click Connect to DNS Server
3.       The Connect to DNS Server dialog box appears. Type in the name of the DNS server you want to connect to. In this case, we will use dnssvr-2.
4.       Enter
5.       You will now be connected to dnssvr-2 and will see it in the console.
6.       Under dnssvr-2, right-click Forward Lookup Zones.
7.       Click New Zone and the New Zone Wizard begins
8.       Next
9.       Select the Zone Type. We will select Secondary zone
10.   Next
11.   In the Zone Name dialog box, type in the zone name pcrepairnorthshore2.com (example).
12.   Next
13.   In the Master DNS Servers dialog box, type in the IP address or DNS name of the master server. We will use 10.10.0.10. In the line below it, you will see the IP address resolve to dnssvr-1.pcrepairnorthshore.com (the master DNS server in our example).
14.   Next
15.   Finish
Now we go to the dnssvr-1 master server and configure zone transfers to the dnssvr-2 secondary server.
1.       Highlight dnssvr-1 in the console.
2.       Under dnssvr-1, expand Forward Lookup Zones.
3.       Select the pcrepairnorthshore.com zone (used for this example).
4.       Right-click pcrepairnorthshore.com and select Properties.
5.       Go to the Zone Transfers tab.
6.       Check the Allow zone transfers box. In this case select Only to the following servers.
7.       Select the Edit button and Click here to add an IP Address or DNS Name
8.       Enter 10.10.0.24 for dnssvr-2 (example).
9.       The line that appears below the entry should validate dnssvr-2.
10.   OK
11.   Now select the Notify button so that dnssvr-2 is notified whenever the pcrepairnorthshore.com forward lookup zone changes
12.   Click here to add an IP Address or DNS Name
13.   Enter 10.10.0.24 for dnssvr-2 (example).
14.   Apply
15.   Finish
Question: You have an Active Directory domain controller named DC1 running the Server Core installation of Windows Server 2008 R2. You want to convert a secondary zone that is configured on the domain controller to an Active Directory Integrated zone. What is the first thing you do?
Answer: You have to first convert the zone to a primary zone before you convert it to an Active Directory Integrated zone. Execute the following command (with dnscmd, the zone name comes after the /ZoneResetType switch, and a file-backed primary zone needs a /File name; zone_name.dns is the default naming convention) ->
dnscmd DC1 /ZoneResetType pcrepairnorthshore.com /Primary /File pcrepairnorthshore.com.dns
After you convert the zone to a primary zone, execute the following command ->
dnscmd DC1 /ZoneResetType pcrepairnorthshore.com /DSPrimary
