Windows 2000 DNS
In Windows 2000, DNS is required to use Active Directory.
Domain Name Service is used to change internet domain and computer computer names into IP addresses and vice versa. DNS works at the application layer and uses TCP and UDP for transport. TCP is only used if returned data is truncated. See the DNS section in the Networking Guide for information about DNS. DNS was originally based on HOSTS files that were maintained by a centralized Network Information Center. Today of is based on a hierarchy of servers with a distributed hierarchial database throughout the network or internet.
DNS is a hierarchial naming structure with the following levels:
- Root designated by a dot (.).
- First level - This indicates country or type of organization such as "org", "com", and "net".
- Second level - Indicates the organization name and can be purchased for a yearly fee.
Notice that the highest level of the domain is listed last. An example of a domain name that you may be familiar with is:
On the client side, a DNS resolver is used to send queries to DNS servers. The resolver is normally part of a library routine or it is built into the application. DNS uses zone files to keep name and IP address database information for the internet domain or hierarchial set of domains. Zones are a storage of information in a file for a DNS domain or DNS subdomains (DNS domains are not the same as Windows domains). DNS does not yet support dynamic configuration but has been modified for Windows systems to do so. Different aliases may be created by the administrator for the same host. Three types of name servers as defined by how it relates to the zone information:
- Primary - Locally stored files exist on the name server data base. The master zone file copy is stored here.
- Secondary - Gets data called a zone transfer from another server that is the zone authority.
- Caching Only - Caches name server information and does not contain its own files.
A primary and secondary name server should be used on a network. When a zone is defined, some server must be configured to be a master name server for the zone. There can be different master name servers for different zones. The master server provides copies of the zone information to the secondary DNS server. Name servers can be configured to get information from other name servers when the information is not found in the local database. These types are forwarders and slaves. Name servers as categorized by function:
- Master - The zone authority that contains the master zone files.
- Forwarders - A name server that passes name resolution requests to other name servers. This configuration is done on a per server basis.
- Slaves - Slave name servers are configured to use forwarders.
Windows introduces additional terminalogy:
- Standard primary - The same as a primary DNS server listed above. This is a master server by function.
- Active Directory Integrated (primary) - DNS entries are stored with Active Directory data rather than a normal zone file. More than one of these Active Directory primary servers may exist due to Active directory replication. This term is used to refer to both the Active Directory Integrated zones and files that support the zone.
- Standard secondary - The same as a secondary DNS server listed above. This is a slave server by function.
- Root server - The server that has the DNS data for the root zone. The root zone is the organization internal network root zone or internet root zone. It is used when a private network is not directly on the internet (no connection or via proxy server).
If the DNS server is connected to the internet, the DNS Server Wizard will not allow the DNS server to be configured as a root server.
Query types are:
- Inverse - Getting the name from the IP address. These are used by servers as a security check.
- Iterative - Server gives its best answer. This type of inquiry is sent from one server to another.
- Recursive - Cannot refer the query to another name server.
The DNS zone file serial number is used to trach DNS changes. The notify function is used to initiate zone transfers. Zone transfer types are:
- Full - AXFR Query - Secondary server refresh interval expires and it sends an AXFR qurey.
- Incremental - IXFR query - Only new or updated entries are copied.
Possible zones include:
- Forward lookup zone - Name to IP address map.
- Reverse lookup zone - IP address to name map.
- Standard primary zone (primary zone) - A master copy of a forward or reverse lookup zone.
- Active Directory integrated zone - A copy of a standard primary or Active Directory integrated zone. The IP address and computer name is stored in Active Directory and replicated to all local domain controllers. DNS information is not replicated to domain controllers outside the domain.
- Standard secondary zone (secondary zone)
Microsoft DNS is compatible with BIND, but it is not the same. Microsoft supports RFCs 1033, 1034, 1035, 1101, 1123, 1183, 1536, 2052, and 2136. RFC 1996 addresses DNS notify issues. RFC 2065 defines DNS security extensions. Windows 2000 Server or more advanced server is required to run DNS. It will not run on Windows 2000 Professional.
Windows 2000 DHCP clients register forward lookup entries (A record) by default. The DHCP server registers forward (A) and reverse (PTR) DNS records.
Windows 2000 computers can register their IP address and names with the network DNS server that supports dynamic updates (Not all DNS servers support dynamic updates, but Windows 2000 DNS servers do). Other operating systems other than Windows 2000 can not register their IP address and names with DNS dynamically. A Windows DHCP server can be configured to register assigned IP address and host names with the DNS server which can support dynamic updates. Heres the procedure on the DHCP server:
- Run the administrative tool, "DHCP" and highlight the DHCP server.
- Select "Action" and "Properties".
- Click the DNS tab.
- Select the checkbox, "Enable updates for DNS clients that do not support dynamic update". Select the "Always update DNS" checkbox to have the DHCP server update DNS, even for Windows 2000 systems.
- Configure the computer to use a static IP address for each local area connection. In the Control Panel use the "Network and Dial-Up Connections" applet, right click on "Local Area Connections", select "Properties", "Internet Protocol (TCP/IP)", and set the IP address.
- Configure the computer to use a primary DNS suffix. Right click "My Computer", select "Properties", click the "Properties" tab, click "more" in the "Identification Changes" box and type the FQDN in the NETBIOS Computer Name and DNS Suffix boxes.
- Install the DNS Server Service by putting the Windows 2000 appropriate Server install CD in the CD-ROM drive, then open the "Add/Remove Programs" applet in the control panel. In the Windows Components Wizard, highlight "Networking Services", click "Details", check "DNS", and continue.
Configure DNS from the "DNS" selection of Administrative tools. Do the following:
- Configure the DNS server to be its own client so it can resolve other computer names and IP addresses. In the Control Panel use the "Network and Dial-Up Connections" applet, right click on "Local Area Connections", select "Properties", "Internet Protocol (TCP/IP)". Enter the IP address of the DNS server. for the preferred DNS server. Click "Advanced and "DNS" tab in the "Advanced TCP/IP Settings" box. Type the FQDN of the DNS server.
- Configure a root server (if required) if internet access is not available or the connection is through a proxy server. This is done from the "DNS" selection of "Administrative Tools". Highlight the computer, then select "Action", and "Configure the Server".
- To configure properties perform the same action as in the item above, but select "Properties" after the "Action" selection. Here the Interfaces (network cards) that will provide the DNS service can be set or limited. Also IP addresses that are allowed service can be set. Advanced Options include:
The root hints tab is used to associate internet or the organizations root servers names and IP addresses. Root hints is not configurable on a root server.
- DNS process recursion can be enabled or disabled. - This means the processes of trying to satisfy a query is repeated until a solution is found. This is enabled by default causing DNS servers to contact other servers to resolve queries.
- BIND secondaries - Zones are transferred to secondary servers from master servers. Enabled by default
- Fail on load if bad zone data - A zone with bad data is not used. This is not enabled by default.
- Enable round robin - Used to balance loads when multiple servers have the same name and configuration with different IP addresses. A different IP address can be provided to clients when the host name is requested.
- Enable netmask ordering - This is for hosts with multiple network cards and is resolved with the address that is on the same subnet of the client. This option is selected by default and if it is not selected, round robin policy is used.
- Secure cache against pollution - Normally all DNS server information due to queries is cached for further use. This option only allows the final answer to be cached.
- Name Checking - The options are Strict RFC (ANSI), Non-RFC (ANSI), and Multibyte (UTF8). Multibyte is the default.
- Load zone data on startup - Determines where data is loaded when the DNS service starts. It can be from Active Directory and registry, from file, or from the registry.
- Enable automatic scavenging of stale records - Old resource records on zones may be deleted if older than a set amount of time.
- To configure other properties select "Start", "Administrative Tools", "DNS", click the plus by the DNS server name, then click + next to the Forward or Reverse Lookup Zones. Highlight the zone to configure and select "Action" and "Properties". Tabs include:
- General - Set zone file name and allow or not allow dynamic updates. Set whether stale resource records are scavenged, no-refresh interval time, and refresh interval time. This allows old records in the zone to be deleted. The refresh interval is the amount of time to wait before scavenging the record.
- Start of Authority (SOA)
- Name Servers
- WINS - Configure DNS to use WINS.
- Zone Transfers - Sets the servers the Active Directory DNS Zone transfers are sent to.
This is done from the "DNS" selection of "Administrative Tools". Click the + next to the DNS server name, Highlight the "Forward Lookup Zones (or "Reverse Lookup Zones") folder, then select "Action", and "New Zone".
The Start of Authority (SOA) record defines the authoritative server for the DNS zone. SOA properties are:
- Serial number - If less than master's SN, the slave will get a new copy of this file from the master.
- Primary server
- Responsible person
- Refresh interval - The time in seconds between when the slave compares this file's SN with the master.
- Retry Interval - The time the server should wait before asking again if the master fails to respond to a file update (SOA request).
- Expires after - Time in seconds the slave server can respond even though it cannot get an updated zone file. Needs to be longer than the refresh interval.
- Minimum TTL - The time to live (TTL) in seconds that a resolver will use data that was received from a nameserver before it will ask for the same data again.
Select "Start", "Programs", "Administrative Tools", "DNS". Highlight the DNS server name, select "Action", "Properties" and click the Monitoring tab. Tabs include:
- Root Hints
- Logging - Used to set logging options to be sent to the file SystemRoot\system32\dns\dns.log. Options representing DNS events are Query, Notify, Update, Questions, Answers, Send, Receive, UDP, TCP, Full packets, and Write through.
- Monitoring - Select and perform tests such as a simple query to this DNS server or a recursive query to another DNS server.
The event log will also show and DNS problems. The "Event Viewer" is an administrative tool.
Zone Properties Dialog Box
- General - Sections:
- Status - The status is indicated and a "Pause" button allows DNS to be paused.
- Zone type - Has a "Change" button that allows setting the zone type to one of standard primary, standard secondary, and Active Directory integrated.
- Allow dynamic updates - Updates can be allowed from DHCP servers.
- Start of Authority (SOA) - Correspond to the SOA properties listed above.
- Serial number
- Primary server
- Responsible person
- Refresh interval
- Retry interval
- Expires after
- Minimum (default) TTL
- TTL for this record - Defines the TTL for the SOA record.
- Name Servers
- WINS - Controls whether WINS is used to resolve names in this zone.
- Zone Transfers - Determines how requests for zone transfers from other servers are handled. These are the choices:
- No zone transfers.
- Allow zone transfers only to specified servers listed in this tab.
- Allow zone transfers to servers listed in the name servers tab only.
- Allow zone transfers to any server.
Characters allowed in DNS names are:
A-Z a-z 0-9 -
The characters / . _ are illegal. Configuration keywords:
- Interfaces - Specifies interfaces to use on a multihomed host.
- Forwarders - Specifies other name servers to use as a forwarder.
- Boot Method - Display whether the boot method is through the use of the registry or data files.
DNS files are stored in:
The Hosts file at \SystemRoot\system32\drivers\etc can act as a replacement for DNS which is a file containing IP addresses and DNS names for hosts. Files in this directory include:
- Lmhosts - NetBIOS name to IP address.
- NSLOOKUP - It is run from the command prompt. Syntax:
nslookup [-options] [searchname] [-server]
To see options, "Help" can be typed at the NSLOOKUP command prompt .
The DNS Database
Below is a partial explanation of some records in the database. An example /var/named/db.mycompany.com.hosts file is listed below.
mycompany.com. IN SOA mymachine.mycompany.com. root.mymachine.mycompany.com. (
1999112701 ; Serial number as date and two digit number YYMMDDXX
10800 ; Refresh in seconds 28800=8H
3600 ; Retry in seconds 7200=2H
604800 ; Expire 3600000=1 week
86400 ) ; Minimum TTL 86400=24Hours
mycompany.com. IN NS mymachine.mycompany.com.
mycompany.com. IN MX 10 mailmachine.mycompany.com.
mymachine.mycompany.com. IN A 10.1.0.100
mailmachine.mycompany.com. IN A 10.1.0.4
george.mycompany.com. IN A 10.1.3.16
Below are listed some of the entries with explanations:
- Serial number - If less than master's SN, the slave will get a new copy of this file from the master.
- Refresh time - Time between checks to see if the master has a new database.
- Retry Time - The time a secondary waits to try a new zone transfer
- Expiration time
- TTL - Time to live is the amount of time a DNS server may cache the entry that was received from another DNS server.
Database file storage on MIcrosoft Windows 2000 is as follows:
- Database file - zone.dns
- Cache file - Cache.dns - Used to resolve names outside the domains. Contains the addresses of root name servers.
- Reverse lookup file and Arps-127.rev
- Boot file (options) - Defines BIND startup options such as the directory DNS files are contained in. Bootfile commands:
- Cache - The cache file location. The file must exist.
- Primary - Syntax is "primary (domain) (filename)" - The domain indicates the domain that this authoritative server is in charge of. The filename indicates theresource record file for the zone.
- Secondary - Syntax is "secondary (domain) (hostlist) - The domain indicates the domain the server is authoritative for. The hostlist is a list of master servers where zone information is downloaded from.
DNS Record types:
- A - Address record allowing a computer name to be translated into an IP address. Each computer must have this record for its IP address to be located. These names are not assigned for clients that have dynamically assigned IP addresses, but are a must for locating servers with static IP addresses.
- AAAA Host resource record for IPv6 protocol.
- AFDSB - Andrew File System Database resource record
- ATMA - Asynchronous Transfer Mode resource record.
- CNAME - Canonical name allowing additional names or aliases to be used to locate a computer.
- HINFO - Host information record with CPU type and operating system.
- ISDN - Integrated Services Digital Network resource record.
- MB - Mailbox resource record.
- MG - Mail group resource record.
- MINFO - Mailbox mail list information resource record.
- MR - Mailbox renamed resource record.
- MX - Mail Exchange server record. There may be several.
- NS - Name server record. There may be several.
- PTR - Pointer resource record.
- RP - Responsible person.
- RT - Route through resource record for specifying routes for certain DNS names.
- SOA - Start of Authority record defines the authoritative server and parameters for the DNS zone. These include timeout values, name of responsible person,
- SRV - Service locator resource record to map a service to servers providing the service. Windows 2000 clients will use this record to find a domain controller.
- TXT - Test resource record for informative text.
- WKS - Well known service resource record.
- X25 - To map a host name to an X.25 address.
Country codes include:
- de - Germany
- nz - New Zealand