
Configuring Domain Name Service

TOPIC 8: CONFIGURING DOMAIN NAME SERVICE (DNS)
ITP4112 Network and Virtualized Systems Administration Project

VTC 2012
LESSON INTENDED LEARNING OUTCOMES
On completion of the lesson, students are expected to:
Know how to install the Domain Name Service.
Know how to configure the Domain Name Service.
OVERVIEW
DNS provides a hierarchical and distributed name-resolution strategy for resolving a Fully Qualified Domain Name (FQDN), hostnames, and other service-related names to IP addresses.
With each network really responsible for the local mapping of friendly names to IP addresses (meaning the network must deploy its own DNS servers), the DNS database is a distributed database. Each organization maintains its part of the overall DNS database.
Windows Server 2008 is outfitted with the newer Dynamic DNS server standard (DDNS); the administrative chores related to maintaining the DNS database are greatly reduced, with the database being built dynamically by the server and the DNS clients.
OVERVIEW
DDNS provides for dynamic updates, which allows network clients using the DNS service to automatically update their client resource records in the DNS database.
Microsoft's DDNS also allows for integration with the AD DS, which means that the DNS database is replicated among all the domain controllers within the domain (domain controllers that also serve as DNS servers).
DNS is also integrated with the Windows Server 2008 implementation of DHCP; the DNS server can work with DHCP to synchronize mappings from hostname to IP address for the hosts on the network.
DOMAIN NAME SYSTEM (DNS)
To identify an entity, TCP/IP protocols use the IP address, which uniquely identifies the connection of a host to the Internet.
People prefer to use names instead of numeric addresses, so we need a system that can map a name to an address or an address to a name.
DNS is a supporting program that is used by other programs such as e-mail.
EXAMPLE
A user of an e-mail program may know the e-mail address of the recipient; however, the IP protocol needs the IP address.
The DNS client program sends a request to a DNS server to map the e-mail address to the corresponding IP address.
25.1 NAME SPACE
To be unambiguous, the names assigned to machines must be carefully selected from a name space with complete control over the binding between the names and IP addresses, i.e. names must be unique.
Flat Name Space: a name is assigned to an address without structure.
Cons: it cannot be used in a large system such as the Internet because it must be centrally controlled to avoid duplication.
Hierarchical Name Space: names are made of several parts, e.g. the nature, name, department, etc. of an organization.
Pros: a central authority can assign the name and nature to an organization; the organization will be responsible for the internal assignment of names.
25.2 DOMAIN NAME SPACE
Designed to achieve a hierarchical name space.
Names are defined in an inverted-tree structure with the root at the top.
The tree can have only 128 levels: level 0 (root) to level 127.
DOMAIN NAMES AND LABELS
Each node has a label (max 63 chars).
Root label is a null string.
Each node has a Domain Name. A full domain name is a sequence of labels separated by dots (.). It ends in a null label, i.e. a dot.
FQDN AND PQDN
Fully Qualified Domain Name (FQDN)
Label terminated by a null string
Contains the full name of a host
Partially Qualified Domain Name (PQDN)
Label is not terminated by a null string
Starts from a node, but does not reach the root
It is used when the address is resolved for the local LAN
DOMAIN
A subtree of the domain name space.
The name of the domain is the domain name of the topmost node of the subtree.
25.3 DISTRIBUTION OF NAME SPACE
The information contained in the domain name space must be stored.
However, it is very inefficient and also unreliable to have just one computer store such a huge amount of information.
Hierarchy of Name Servers
Zone
Root Server
Primary and Secondary Servers
HIERARCHY OF NAME SERVERS (1)
To distribute the information among many computers called DNS servers, divide the whole space into many domains (subtrees) based on the first level. As these domains are very large, each can be divided further into subdomains.
Each server can be responsible (authoritative) for a domain/subdomain.
HIERARCHY OF NAME SERVERS (2) [figure]
ZONE
A contiguous part of the entire tree.
The area that a server is responsible for (a server has authority over this area).
E.g. a server divides its domain into subdomains and delegates part of its authority to other servers.
ROOT, PRIMARY AND SECONDARY SERVERS
Root server
A server whose zone consists of the whole tree.
Usually does not store any info about domains but delegates its authority to other servers, keeping references to those servers.
Primary server
Stores a file about the zone for which it is an authority.
Responsible for creating, maintaining and updating the zone file.
Stores the zone file on a local disk.
Secondary server
Loads all information from the primary/secondary server.
Neither creates nor updates the zone files.
Zone transfer: when the secondary downloads information from the primary.
25.4 DNS IN THE INTERNET
In the Internet, the domain name space is divided into 3 different sections:
generic domains
country domains
inverse domain
GENERIC DOMAINS (1)
Define registered hosts according to their generic behavior.
Each host defines a domain.
GENERIC DOMAINS (2) [figure]
COUNTRY DOMAINS
Uses 2-char country abbreviations.
INVERSE DOMAIN (1)
To map an address to a name.
Example
A server has a file that contains a list of authorized clients (names only).
When the server receives a request from a client, the IP address of the client is known, extracted from the received IP packet.
The server has to ask the DNS server to map the address to a name to determine if the client is on the authorized list.
Inverse or pointer (PTR) query
INVERSE DOMAIN
The inverse domain is added with the first-level node called arpa and the second level named in-addr; the rest of the domain defines the IP address.
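As an added example (not part of the lecture notes), the following Python builds the in-addr.arpa owner name that a PTR query asks for and implements the authorized-client check from the previous slide. It goes beyond the slides in two ways: it also handles IPv6 names under ip6.arpa, and it confirms the PTR result with a forward lookup, because whoever runs the reverse zone for an address can put any name in its PTR record. The zone tables, names and addresses are constructed.

```python
import ipaddress

def ptr_name(ip: str) -> str:
    """Owner name for the PTR query that maps an address back to a name."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        # in-addr.arpa: octets in reverse order, e.g. 192.0.2.10 -> 10.2.0.192.in-addr.arpa.
        return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."
    # ip6.arpa (beyond the slides): the 32 nibbles of the expanded address, reversed
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

# Constructed zone data standing in for the reverse and forward lookups.
REVERSE_ZONE = {
    "10.2.0.192.in-addr.arpa.": "mail.example.com.",
    "20.2.0.192.in-addr.arpa.": "mail.example.com.",  # PTR claiming a name it does not own
}
FORWARD_ZONE = {"mail.example.com.": {"192.0.2.10"}}
AUTHORIZED = {"mail.example.com."}  # the server's list of authorized clients (names only)

def is_authorized(ip: str, authorized=AUTHORIZED, reverse=REVERSE_ZONE, forward=FORWARD_ZONE) -> bool:
    """Authorization check from the slides, with forward confirmation added."""
    name = reverse.get(ptr_name(ip))  # the inverse (PTR) query
    if name is None or name not in authorized:
        return False
    # Only accept the name if it resolves back to the same address; a PTR
    # record alone is controlled by the owner of the reverse zone.
    return ip in forward.get(name, set())
```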
25.5 NAME-ADDRESS RESOLUTION
Mapping a name to an address or an address to a name.
Resolver
A host that needs name-address resolution calls a DNS client (resolver).
The resolver accesses the closest DNS server with a mapping request.
If the server has the information, it satisfies the resolver.
Otherwise, it either refers the resolver to other servers or asks other servers to provide the information.
RECURSIVE RESOLUTION (1)
The resolver expects the server to supply the final answer.
If the server is the authority for the domain, it checks its database and responds.
Otherwise, it sends the request to another server (the parent, usually) and waits for the response.
The process repeats until the query is finally resolved; the response travels back until it finally reaches the requesting client.
RECURSIVE RESOLUTION (2) [figure]
ITERATIVE RESOLUTION (1)
If the server is the authority for the domain, it checks its database and responds.
Otherwise, it returns, to the client, the IP address of the server that it thinks can resolve the query.
The client repeats the same query to multiple servers.
ITERATIVE RESOLUTION (2) [figure]
CACHING
A server that receives a query for a name that is not in its domain needs to search the database for a server IP address. In order to reduce this search time, caching is used.
When a server asks for a mapping from another server and receives the response, it stores this information in its cache memory before sending it to the client.
If the same mapping is requested again, it can retrieve the mapping from the cache.
Such a response is unauthoritative, as it did not come from an authoritative source.
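As an added example (not from the lecture notes), this Python simulates a server that offers recursive service to its client, performs the lookup as an iterative walk from a root server following referrals, and caches the result so that a repeat query is answered from the cache and marked unauthoritative. The server addresses, zones and records are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Answer:
    name: str
    address: Optional[str]          # resolved address, or None when not known
    authoritative: bool             # True only when the zone's own server answered
    referral: Optional[str] = None  # server the responder "thinks can resolve the query"
    via: List[str] = field(default_factory=list)  # servers consulted, in order

ROOT = "198.51.100.1"
# Constructed servers: each is authoritative for one zone and knows where its
# delegated subzones live (addresses are from documentation ranges).
SERVERS: Dict[str, dict] = {
    "198.51.100.1": {"zone": ".", "records": {}, "delegations": {"com.": "198.51.100.2"}},
    "198.51.100.2": {"zone": "com.", "records": {}, "delegations": {"example.com.": "198.51.100.3"}},
    "198.51.100.3": {"zone": "example.com.", "records": {"www.example.com.": "192.0.2.80"}, "delegations": {}},
}

def query_server(server_ip: str, qname: str) -> Answer:
    """One iterative step: an authoritative answer, a referral, or no data."""
    srv = SERVERS[server_ip]
    if qname in srv["records"]:
        return Answer(qname, srv["records"][qname], authoritative=True)
    for subzone, next_ip in srv["delegations"].items():
        if qname == subzone or qname.endswith("." + subzone):
            return Answer(qname, None, authoritative=False, referral=next_ip)
    return Answer(qname, None, authoritative=False)  # name does not exist here

def resolve(qname: str, cache: Dict[str, Answer], max_steps: int = 8) -> Answer:
    """Recursive service for the client: this server walks the referrals itself."""
    if qname in cache:
        hit = cache[qname]
        # Served from cache: unauthoritative, since it did not come from the zone's server.
        return Answer(qname, hit.address, authoritative=False, via=["cache"])
    server, visited = ROOT, []
    for _ in range(max_steps):
        visited.append(server)
        ans = query_server(server, qname)
        if ans.referral:
            server = ans.referral  # iterate: ask the server we were pointed at
            continue
        ans.via = visited
        if ans.address is not None:
            cache[qname] = ans  # remember the mapping for later queries
        return ans
    raise RuntimeError("too many referrals")
```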
25.6 DNS MESSAGES
DNS has 2 types of messages:
Query message: consists of a header and question records.
Response message: consists of a header, question records, answer records, authoritative records, and additional records.
HEADER (1)
12 bytes
Identification: used by the client to match the response with the query; a different id number for each query.
Flags: define the type of the message, the type of answer requested, the type of desired resolution (recursive/iterative), etc.
HEADER (2)
Number of question records: the number of queries in the question section.
Number of answer/authoritative/additional records: the number of answer/authoritative/additional records in the corresponding section of the response message; all 0s in a query message.
HEADER (3)
1. Question section: 1 or more question records, present in query and response messages.
2. Answer section: includes the answer from the server to the resolver.
3. Authoritative section: gives info (domain name) about one or more authoritative servers for the query.
4. Additional information section: provides additional info that may help the resolver, e.g. the IP address of the authoritative server.
Sections 2, 3 and 4 consist of 1 or more resource records and are present only in response messages.
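As an added example (not part of the lecture notes), this Python packs and unpacks the 12-byte header and one question record, builds a constructed authoritative response carrying one answer record, and shows the client-side check that a response is only accepted when its identification and question echo the query. The names and address are constructed.

```python
import struct

def encode_name(name: str) -> bytes:
    """Length-prefixed labels ending with the null (root) label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:  # label limit from the slides
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def decode_name(msg: bytes, off: int):
    """Read a name at off -> (name, offset after it); follows a compression pointer."""
    labels, jumped, end = [], False, off
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # pointer to a name earlier in the message
            end = end if jumped else off + 2
            off, jumped = ((n & 0x3F) << 8) | msg[off + 1], True
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", (end if jumped else off)

def build_query(ident: int, qname: str, recursive: bool = True) -> bytes:
    """12-byte header (id, flags, QD, AN, NS, AR counts) + one question (type A, class IN)."""
    flags = 0x0100 if recursive else 0  # RD bit: recursive resolution wanted
    return struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)

def build_response(query: bytes, address: str, ttl: int = 300) -> bytes:
    """Constructed authoritative reply: same id, QR and AA set, question echoed, AN=1."""
    ident = struct.unpack("!H", query[:2])[0]
    rdata = bytes(int(o) for o in address.split("."))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata  # name = pointer to offset 12
    return struct.pack("!HHHHHH", ident, 0x8400, 1, 1, 0, 0) + query[12:] + rr

def parse_header(msg: bytes) -> dict:
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "is_response": bool(flags & 0x8000), "authoritative": bool(flags & 0x0400),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def first_a_answer(query: bytes, response: bytes):
    """Address from the first answer record, or None unless id and question match the query."""
    h = parse_header(response)
    if not h["is_response"] or h["id"] != parse_header(query)["id"] or h["ancount"] == 0:
        return None
    qname, off = decode_name(response, 12)
    if qname != decode_name(query, 12)[0]:
        return None
    _, off = decode_name(response, off + 4)  # skip qtype/qclass, then the answer's name
    rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    return ".".join(map(str, response[off + 10:off + 14])) if (rtype, rdlen) == (1, 4) else None
```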
25.7 TYPES OF RECORDS
Question records
Used by the client to get information from a server.
Contains the domain name.
Resource records
The server database consists of resource records.
The result returned by the server to the client.
25.8 REGISTRARS
A commercial entity accredited by ICANN to allow new domains to be added to DNS.
A registrar first verifies that the requested domain name is unique and then enters it into the DNS database. A fee is charged.
Names and addresses of registrars: http://www.internic.net
25.9 DYNAMIC DOMAIN NAME SYSTEM (DDNS)
Catering for the large number of changes requires a lot of manual updates to the DNS master file, which is not feasible for today's Internet.
DDNS allows the DNS master file to be updated dynamically.
In DDNS, when a binding between a name and an address is determined, the information is sent, usually by DHCP, to a primary DNS server. The primary server updates the zone. The secondary servers are notified either actively or passively.
To provide security and prevent unauthorized changes to the DNS records, DDNS can use an authentication mechanism.
25.10 ENCAPSULATION
DNS can use either UDP or TCP (port 53).
UDP is used when the size of the response message is less than 512 bytes because most UDP packages have a 512-byte packet size limit.
TCP is used if the size of the response message is more than 512 bytes, e.g. a zone transfer between secondary and primary server.
SUMMARY (1)
Domain Name System (DNS) is a client/server application that identifies each host on the Internet with a unique user-friendly name.
DNS organizes the name space in a hierarchical structure to decentralize the responsibilities involved in naming.
DNS can be pictured as an inverted hierarchical tree structure with one root node at the top and a maximum of 128 levels.
Each node in the tree has a domain name.
A domain is defined as any sub-tree of the domain name space.
A fully qualified domain name (FQDN) is a domain name consisting of labels beginning with the host and going back through each level to the root node.
A partially qualified domain name (PQDN) is a domain name that does not include all the levels between the host and the root node.
SUMMARY (2)
The name space information is distributed among DNS servers. Each server has jurisdiction over its zone.
A root server's zone is the entire DNS tree.
A primary server creates, maintains, and updates information about its zone.
A secondary server gets its information from a primary server.
The domain name space in the Internet is divided into three sections: generic domains, country domains, and inverse domains.
There are 14 generic labels, each specifying an organization type. Recently some new labels have been added.
Each country domain specifies a country.
The inverse domain finds a domain name for a given IP address. This is called address-to-name resolution.
Name servers, computers that run the DNS server program, are organized in a hierarchy.
SUMMARY (3)
The DNS client, called a resolver, maps a name to an address or an address to a name.
In recursive resolution, the client may send its request to a server that eventually returns a response.
In iterative resolution, the client may send its request to multiple servers before getting an answer.
There are 2 types of DNS messages: queries and responses.
There are 2 types of DNS records: question records and resource records.
Dynamic DNS (DDNS) automatically updates the DNS master file.
DNS uses the services of UDP for messages of less than 512 bytes; otherwise, TCP is used.
AD DS AND DNS
DNS is tightly wound with the Active Directory Domain Services (AD DS). Ideally, your DNS and AD DS structure will mirror each other.
The integration of DNS and AD DS enables you to take advantage of DNS features that directly relate to AD DS, such as AD DS replication.
DNS is necessary for the location of domain controllers on the network (by DNS clients), and the Netlogon service uses DNS for the registration of domain controllers.
When you install DNS as part of the process of creating a new domain or adding a domain controller to an existing domain, the DNS namespace is derived from the Active Directory namespace. This means that the AD DS domain hierarchy is incorporated in the DNS zone hierarchy.
INSTALL DNS
To add the DNS role to a server running Windows Server 2008, use the Add Roles Wizard, which can be started via the Server Manager.
Before installing DNS on a server, you must configure the computer with a static IP address.
INSTALL DNS [figure]
CONFIGURE THE DNS SERVER
DNS is managed through the DNS snap-in in the Server Manager by expanding the Roles and DNS Server nodes.
The snap-in also monitors the DNS service by showing events being logged that are related to DNS.
CREATE A FORWARD LOOKUP ZONE
For DNS to work on the network, at least one forward lookup zone is required.
Right-click the Forward Lookup Zone folder and select New Zone.
CREATE A FORWARD LOOKUP ZONE
You are provided with three options for creating different types of forward lookup zones:
Primary zone: uses a master copy of the DNS database. It is administered on the server where the zone was created (i.e. the server is an authoritative DNS server).
Secondary zone: uses a database file that is a read-only replica of an existing zone; the server helps the primary DNS server handle the name resolution.
Stub zone: contains only the records necessary to specify the authoritative DNS server (or servers) for a particular zone. The stub zone basically points at the servers that manage the primary zone.
To bring up the first DNS server onto the network, you need to create the primary zone.
CREATE A FORWARD LOOKUP ZONE
Storing the DNS zone in the Active Directory means that the zone (along with the Active Directory) is replicated to other domain controllers on the network that are also running DNS.
To do this, you need to install the Active Directory Domain Service first.
CREATE A FORWARD LOOKUP ZONE
Next, you are provided with options related to the replication of the DNS data for the new zone.
To all DNS servers in this forest: all the DNS servers in the forest share and replicate their DNS database. This means that all the DNS servers have access to the same zones and records.
To all DNS servers in this domain: all the domain DNS servers (DNS servers in the domain named) share their zones and records through replication.
To all domain controllers in this domain: this option is useful if you are running DNS on your domain controllers. The DNS database is stored as part of the Active Directory and is replicated among the domain controllers/DNS servers.
CREATE A FORWARD LOOKUP ZONE [figure]
CREATE A FORWARD LOOKUP ZONE
You are asked for a name for the new forward lookup zone. The name is the same as the DNS domain name for the portion of your network for which this DNS server is authoritative (which can be the same as your AD DS domain name).
CREATE A FORWARD LOOKUP ZONE
Then, you are provided with options related to dynamic updates of your host computers as they register (and update) their records with the DNS server.
The secure dynamic update option provides the greatest security, but it also requires the DNS server to be running Active Directory, i.e. the DNS server will also be serving as a domain controller. This option also means that only domain members can create and update their own resource records.
CREATE A REVERSE LOOKUP ZONE
You don't have to configure a reverse lookup zone on your DNS server for it to work. Remember, at least one forward lookup zone is required.
But reverse lookup zones are useful. For example, if you want to enable Internet Information Service to record hostnames as well as IP addresses in its log file, you need to configure your DNS server with a reverse lookup zone.
MANAGE DNS
You use the DNS snap-in to both manage DNS and reconfigure it.
Right-click a zone in the snap-in tree to create different resource records for the zone.