PowerPoint Presentation

DNS Zones

DNS Zones

•DNS records kept in zones

•DNS server is authoritative for a domain if ithosts the zone for that domain

•Sub-domains can be kept in same zone as longas they are contiguous

–Example: west.Company.com can be kept inthe same zone as Company.com.

DNS Zones Continued

•Zones are either “Forward Lookup”or “Reverse Lookup”

–“Forward Lookup” zones resolve FQDNs toIP addresses

–“Reverse Lookup” zones resolve IPaddresses to FQDNs

FQDNs vs IP Addresses

$C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\j0285750.wmf$

Client1.company.com

192.168.1.10/24

Tips

•“Reverse Lookup” zones are writtenbackwards.

This zone would provide IP to FQDN name resolutionfor the 192.168.1.0 network.

Tips Continued

•The DNS server in an nslookup command islisted as “UnKnown” unless you create areverse lookup zone.

DNS Zones Continued

•There are two main types of zones that can becreated:

–Standard zones

–Active Directory Integrated zones

Recap

•DNS Records kept in zones

•“Forward lookup:” Name to IP

•“Reverse lookup:” IP to name

–Written backwards

•Each can have either Standard orActive Directory Integrated (ADI) zones

Standard Zones

Standard Zones

•Standard zones kept in text files in%systemroot%\system32\dns nameddomain name.dns.

Standard Zones Continued

•Two types of Standard zones:

–Standard Primary: only read/write copy ofthe zone

–Standard Secondary: read-only, used forfault tolerance and load balancing.

Standard Zones Continued

•Modifications to Standard zones must bemade on the Primary

•Clients can only update records by contactingthe Primary

•Updates to the Primary are sent to theSecondary using zone transfers

Zone Transfers

•Two triggers for zone transfers:

–Refresh Interval

–DNS Notify

•Zone transfers:

–Require permission

–Always initiated by the Secondary zone

Zone Transfers Continued

Zone Transfers Continued

Zone Transfers Continued

Zone Transfers Continued

•Best security: “Allow zone transfers:” “Only tothe following servers”

•Second choice: “Allow zone transfers:” “Onlyto servers listed on the Name Servers tab”

•Avoid “Allow zone transfers:” “To any server”

Zone Transfers Continued

•The “Name Servers” tab lists authoritativeDNS servers

Zone Transfers Continued

1.Secondary requests a copy of Primary’s “Startof Authority” (SOA) record

–“Serial number:” starts at 1 and incrementsto infinity

2.If “Serial number:” on Primary is higher thanSecondary’s, Secondary initiates zone transfer

Zone Transfers Continued

Zone Transfers Continued

•Zone transfers are in clear text.

•The only way to secure them would be a“Connection Security Rule” (IPSec)

Recap

•Standard Primary – only read/write

•Standard Secondary – read only

•Primary transfers changes to Secondary usingzone transfers:

–Need permission for copy of zone

–Initiated by Secondary server

–Not secure

Active Directory Integrated Zones

ADI

Active Directory Integrated Zones (ADI)

•ADI zones store DNS in Active Directory

–Only created on Domain Controllers

–Changes exchanged through AD replication

–No permission needed

•Three main benefits:

–Multi-master

–Secure “zone transfers”

–Secure dynamic updates

ADI Continued

ADI Continued

Tips

•Active Directory is a multi-master database:all copies of zone accept updates

•Any time clients must update records at morethan one location requires ADI

ADI Continued

•DNS info transferred using replication, which isencrypted.

•“Zone transfers” automatically secure

ADI Continued

•Dynamic updates allow clients to update DNSrecords

•Secure Dynamic Updates record the SID of theclient on the DNS record

–Only that client can update record

•Secure Dynamic Updates can only be enforcedon ADI zones

•To limit Dynamic Updates to domainmembers, allow only Secure Dynamic Updates

ADI Continued

ADI Continued

•Four replication scopes:

–“To all DNS servers running on domaincontrollers in this forest.”

–“To all DNS servers running on domaincontrollers in this domain.”

–“To all domain controllers in this domain.”

–“To all domain controllers in the scope ofthis directory partition.”

Tips

•DNS info must be stored on less than all ofDCs in domain, create a directory partition

–Can also be created using ntdsutil

ADI Continued

ADI Continued

•Replication scope of “To all domain controllersin the scope of this directory partition,” mustcreate new partition in AD

•Then, select which Domain Controllers receivea copy

ADI Continued

•Create partition:dnscmd /createdirectorypartition

•Specify which DCS have a copy:dnscmd /enlistdirectorypartition

ADI Continued

Recap

•ADI zones store DNS in Active Directory

–Only created on Domain Controllers

–Changes exchanged through AD replication

–No permission needed

•Three main benefits:

–Multi-master

–Secure “zone transfers”

–Secure dynamic updates

Recap Continued

•Four replication scopes:

–“To all DNS servers running on domaincontrollers in this forest.”

–“To all DNS servers running on domaincontrollers in this domain.”

–“To all domain controllers in this domain.”

–“To all domain controllers in the scope ofthis directory partition.”

•Less than all DCs in Domain