Windows 2000 Troubleshooting TCP/IP, part 6 (PDF)


Document information: PDF, 74 pages, 772.97 KB



But it does solve the problem. When an internal user connects to news.tacteam.net, a DNS query is sent to the internal DNS server and is resolved to the IP address of the internal news server. A user connecting to news.tacteam.net via the Internet contacts the DNS server outside the firewall and receives the IP address of the Internet-located news server.

At no time are your internal resources threatened or touched by Internet users.

Figure 7.10 displays a simplified network layout of this configuration. Note the two DNS servers, one internal and one external. Each DNS server has its own zone database, and they most definitely do not participate in zone transfer with each other: a transfer in either direction would either publish the internal addresses on the external server or overwrite the internal server's records with the public addresses.

This is the most common scenario you'll encounter, because most organizations already have a domain name and are wary of change. However, if you are blessed enough to be working with a new network installation, or an unusually flexible company, the second approach is a lot easier and more flexible.

Figure 7.10 Network layout with same internal and external domain name.
(Figure: the internal Web, Mail and News servers sit behind the firewall under TACTEAM.NET; the external servers, also under TACTEAM.NET, are outside the firewall and directly exposed.)


Different Intranet and Internet Domain Names

The best way to go is with different domain names representing your intranet and Internet resources. In this case, we could have two domain names, taccorp.net and tacteam.net. The former is used for internal resources, and the latter for Internet resources. The internal servers would be www.taccorp.net, mail.taccorp.net, and news.taccorp.net. The Internet servers would be www.tacteam.net, news.tacteam.net, and mail.tacteam.net.

The DNS server on the intranet is authoritative for the taccorp.net zone, so that all DNS requests for internal resources can be answered by the intranet DNS server. All DNS queries for Internet resources are answered by the external DNS server, which is authoritative for the tacteam.net zone.

Advantages of Using Different Internal and External Domain Names

While each zone still has to be maintained separately, with this solution you don't have to keep track of two different IP addresses for servers with the same name. You also won't have to duplicate external resources on internal servers, since the internal clients can access the Internet servers via the proxy through the firewall, as they would contact any other server on the Internet (see Figure 7.11).

Proxy Configuration

The proxy server should be configured to use an internal DNS server that is configured as a slave server. The slave will send DNS requests for Internet host names to its forwarder rather than resolving them itself. The firewall should be configured to allow DNS queries and responses on both UDP and TCP port 53.

Normally, DNS queries and responses use UDP port 53, but if the response won't fit into a single UDP datagram (512 bytes in classic DNS), the server sets the TC (truncated) flag in the reply and the client "falls back" to TCP to retrieve the complete message. A firewall that passes only UDP/53 will therefore work most of the time and then fail only on large answers, which is a classic hard-to-diagnose problem.
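The truncation check described above, as an added example that is not code from the book: it parses the fixed DNS header of a reply received over UDP, tests the TC flag, and shows the 2-byte length prefix a client adds when it repeats the query over TCP. The reply bytes are constructed by hand (no network I/O); the query name tacteam.net and the ID 0x1234 are assumptions.

```python
"""UDP truncation and the TCP fall-back on port 53.

Added example, not code from the book. It parses the fixed 12-byte DNS
header (RFC 1035) of a reply received over UDP, checks the TC flag, and
shows the 2-byte length prefix a client adds when it repeats the query
over TCP. The reply bytes below are constructed by hand; no network I/O.
"""
import struct

QR = 0x8000   # bit 15 of the flags word: 1 = response
TC = 0x0200   # bit 9: truncated, answer did not fit in one UDP datagram
RD = 0x0100   # recursion desired


def build_query(ident: int, name: str, qtype: int = 1) -> bytes:
    """Minimal query: header (RD=1) + QNAME labels + QTYPE + QCLASS IN."""
    header = struct.pack("!6H", ident, RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Split the DNS header into its fields; raises on a short datagram."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "is_response": bool(flags & QR),
            "truncated": bool(flags & TC), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def needs_tcp_fallback(udp_reply: bytes, expected_id: int) -> bool:
    """True when the reply matches our query ID and carries TC=1.

    A resolver that sees TC=1 must repeat the same query over TCP/53.
    If the firewall passes only UDP/53, that retry is silently dropped and
    large answers (big MX or TXT sets, zone transfers) never arrive."""
    h = parse_header(udp_reply)
    return h["id"] == expected_id and h["is_response"] and h["truncated"]


def tcp_frame(query: bytes) -> bytes:
    """DNS over TCP prefixes every message with its 16-bit big-endian length."""
    return struct.pack("!H", len(query)) + query


# Constructed reply to an MX query for tacteam.net: QR=1 RD=1 RA=1 TC=1,
# question section echoed, no answer records carried (a real truncated
# reply carries whatever records fit in 512 bytes). COMPLETE_REPLY is a
# header-only contrast with TC=0.
QUERY_ID = 0x1234
QUERY = build_query(QUERY_ID, "tacteam.net", qtype=15)          # 15 = MX
TRUNCATED_REPLY = struct.pack("!6H", QUERY_ID, 0x8380, 1, 0, 0, 0) + QUERY[12:]
COMPLETE_REPLY = struct.pack("!6H", QUERY_ID, 0x8180, 1, 1, 0, 0) + QUERY[12:]

if __name__ == "__main__":
    if needs_tcp_fallback(TRUNCATED_REPLY, QUERY_ID):
        framed = tcp_frame(QUERY)
        print("TC=1: repeat over TCP/53, length prefix", framed[:2].hex())
```

When testing the firewall rule, send a query whose answer is known to exceed 512 bytes and confirm that the retry on TCP/53 is answered; a rule that only opens UDP/53 passes every small query and fails exactly this case.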

Corporate Mergers and Domain Management

If you read the business section of your local newspaper regularly, you are aware that corporate mergers are a frequent phenomenon. Merging companies are likely to each have their own network, and someone has the job of making them work together as a new integrated intranet.

Let's look at an example that builds on what we've done so far to see how we handle the integration of two networks that both have an Internet presence and a corporate intranet.


The Problem: Corporate Merger

The first company is TACteam, the one we've been working with in the previous sections. TACteam uses different domain names to identify its intranet versus Internet resources. TACteam's intranet resources use private IP addresses and access Internet resources via a proxy server. The internal domain is taccorp.net, and the Internet domain is tacteam.net.

TACteam has merged with Shinder, Inc. Shinder, Inc. maintains a single domain name for both internal and Internet resources. They mirror their Internet resources on their intranet, and maintain separate and distinct shinder.net zones for their intranet and Internet DNS servers. The shinder.net DNS administrators keep track of the different IP addresses for machines with the same name between the intranet and the Internet. Shinder.net is an old company and has been connected to the Internet for several years; therefore, they are using public IP addresses for their internal network. They do not use a proxy server, but do use a firewall to protect the intranet from Internet intruders.

Figure 7.11 Different internal and external domain names.
(Figure: the internal Web, Mail and News servers live in TACCORP.NET behind an internal DNS server that resolves internal names and forwards external requests; the external DNS server in TACTEAM.NET resolves Internet resources and acts as the forwarder for the internal DNS server.)

Your job is to redesign the network so that all users from both domains will be able to access both the internal and Internet resources of both companies. The long-term goal is to migrate the shinder.net resources over to tacteam.net and taccorp.net, but long experience dictates that this is going to take a long time. You need to get the two networks interacting as soon as possible.

Proposed Solution

Starting at TACteam, you would configure the proxy server to include the public network IDs that are in use at shinder.net, so that they are recognized as internal resources. By configuring them as internal addresses, you ensure that DNS requests for these resources will be referred to the internal DNS servers at taccorp.net, and not sent to the proxy server for resolution.

On the taccorp.net internal DNS server, create a delegation for shinder.net and include a host (A) resource record for the shinder.net internal DNS server.

[...] dedicated leased lines, but that is a very expensive proposition. A much more cost-effective solution is to create a Virtual Private Network (VPN) over the Internet to connect the two companies.

We would then install a VPN server at the taccorp.net site and configure the VPN server to use Network Address Translation (NAT). We then configure our routers to direct all traffic destined for the shinder.net network IDs to our VPN server, which will itself route traffic to shinder.net over the VPN connection. The VPN connection will terminate at the VPN server at shinder.net. Since both taccorp.net and shinder.net lie behind firewalls, the firewalls will be configured to pass VPN traffic to and from both companies.

Over on the shinder.net side, we configure their intranet DNS server with a delegation for taccorp.net and the IP address of the taccorp.net DNS server. Then we configure the routers at shinder.net to direct traffic destined for the taccorp.net network IDs to the VPN server on the shinder.net side. NAT is not required on the shinder.net side; it is handled by the VPN server on the taccorp.net side. (See Figure 7.12.)

Testing the Solution

Let's see what happens when some DNS queries are issued.

Scenario 1

A client in the taccorp.net domain wants to access the Web server for the shinder.net domain. A DNS query is issued to the taccorp.net internal DNS server, which contains a delegation for the shinder.net domain. The taccorp.net DNS server queries the shinder.net DNS server through the VPN for the IP address of www.shinder.net and receives a reply, which is sent to the DNS client in taccorp.net. The taccorp.net client then connects to the shinder.net internal Web server at www.shinder.net via the VPN, because the IP address is recognized as internal.

Scenario 2

A DNS client on the shinder.net side wishes to connect to the Internet Web server for tacteam.net. A DNS query is sent to the shinder.net internal DNS server. The shinder.net internal DNS server is not authoritative for the tacteam.net domain, and forwards the request to the external shinder.net DNS server. The external shinder.net DNS server is not authoritative either, and therefore completes recursion by issuing iterative queries until the host name is resolved. Once the IP address is received, the external DNS server returns it to the internal DNS server, which in turn returns it to the DNS client on the shinder.net side. The shinder.net DNS client then connects to tacteam.net via the Internet connection rather than the VPN connection, since tacteam.net is dedicated to Internet resources only.

This is only one possible way you could solve this problem, but it does give you the general idea of what the potential problems are, and some ways you can address them.


Figure 7.12 The joys of corporate mergers.
(Figure: the merged layout, with the Web, Mail and News servers of each company connected over the VPN.)


DNS Zone Design and Troubleshooting

DNS domains are conceptual entities. They exist in a conceptual framework we know as the Domain Name System, but the actual resource records, such as the host name to IP address mappings, are contained within a "physical" file known as a zone file. A single zone can contain multiple contiguous domains. For example, a single zone can contain microsoft.com, dev.microsoft.com, and west.dev.microsoft.com. These domains are contiguous, meaning they lie next to each other in the namespace: each is the parent of the next. You could not include msn.com in the same zone, because it is not contiguous with the other domains. Figure 7.13 shows this domain arrangement.

Figure 7.13 Example of contiguous and noncontiguous domains.
(Figure: a tree with Root DNS at the top, .net and .com beneath it, microsoft and msn beneath .com, mail and dev beneath microsoft, and west beneath dev. The microsoft.com zone covers microsoft.com, dev.microsoft.com and west.dev.microsoft.com; msn.com is its own zone, because the Microsoft domains are not contiguous with the MSN domains.)

Zone planning and configuration are especially important when we work with standard DNS zones rather than Active Directory integrated zones. We will talk more about Active Directory integrated zones later, but be aware that the situation we discuss here is a little different with the introduction of Active Directory integration.

The actual management of domain resources is done by adding and updating records in a DNS zone database. This database is created when you make a new zone on the Windows 2000 DNS server. Creating a new zone is easy with the Windows 2000 DNS server because a wizard guides you through the process. There's not much chance of making a mistake when you use the wizard.

The zone database file is a text file that is located at:

%systemroot%\system32\dns\<zone_name>.dns

An example of the contents of a zone file appears in Figure 7.14.

Figure 7.14 Example zone database file for blah.com.

The zone database file is compatible with BIND (Berkeley Internet Name Domain) zone database files used by many UNIX-based DNS servers. In fact, you can use the DNS management console or directly edit the zone file to manage your DNS zones. Keep in mind that the DNS service reads the file when it loads the zone and writes the in-memory zone back to it, so a hand edit takes effect only after the zone is reloaded, and it can be lost if the service writes the file first.

TIP: We highly recommend that you use the DNS management console to avoid problems related to "clumsy fingers."

A zone is named by the topmost domain represented in a particular zone file. For example, if our zone contains the microsoft.com and dev.microsoft.com domains, then the name of the zone is the microsoft.com zone, since microsoft.com is the topmost member of the zone. If we had another zone that consisted of marketing.microsoft.com and west.marketing.microsoft.com, the name of the zone would be the marketing.microsoft.com zone, because marketing.microsoft.com is the topmost member of the zone.
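The contiguity and zone-naming rules above, as an added example that is not code from the book: given a set of domain names it groups them into zones (a name belongs to the zone of the highest ancestor present in the set) and names each zone after its topmost domain. The domain lists are the book's own microsoft.com / dev / west / msn.com example plus a constructed marketing.microsoft.com pair; delegations inside a zone are not modelled.

```python
"""Contiguous domains and zone naming.

Added example, not code from the book. Given a set of domain names, it
works out which ones can share a zone (each name lies under another name
in the set, so the set is contiguous) and names each zone after its
topmost domain, as the text describes. Delegations are not modelled: a
name under an apex is assumed to belong to the apex's zone.
"""


def normalize(name: str) -> str:
    """Case-fold and drop a trailing dot so 'Dev.Microsoft.com.' matches."""
    return name.strip().rstrip(".").lower()


def zone_apex(domain: str, domains: set) -> str:
    """Walk toward the root and return the highest ancestor that is in
    `domains`; a domain with no ancestor in the set is its own apex."""
    apex = domain
    labels = domain.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if ancestor in domains:
            apex = ancestor
    return apex


def group_into_zones(names) -> dict:
    """Map zone name -> sorted list of the domains it contains."""
    domains = {normalize(n) for n in names}
    zones = {}
    for d in sorted(domains):
        zones.setdefault(zone_apex(d, domains), []).append(d)
    return zones


def is_contiguous(names) -> bool:
    """True when every name in `names` fits into a single zone."""
    return len(group_into_zones(names)) == 1


def zone_file_name(zone: str) -> str:
    """Where the Windows 2000 DNS server keeps a standard zone's file."""
    return r"%systemroot%\system32\dns" + "\\" + zone + ".dns"


if __name__ == "__main__":
    book_example = ["microsoft.com", "dev.microsoft.com",
                    "west.dev.microsoft.com", "msn.com"]
    for apex, members in group_into_zones(book_example).items():
        print(f"{apex} zone ({zone_file_name(apex)}): {', '.join(members)}")
```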

Standard Zones

Standard zones are categorized as either Primary or Secondary. When you first create a new zone in the Windows 2000 DNS management console, you will be configuring a Primary zone.

A Primary zone is the only read/write copy of the zone database. Because there is only one read/write copy of the zone database file, the Primary zone DNS server becomes a single point of failure whenever updates need to be made to the zone database.

DNS was designed to have at least two DNS servers configured for each zone, for fault tolerance. When a copy of a zone is maintained on another DNS server, that server is known as a Secondary DNS server. The Secondary DNS server houses a read-only copy of the zone database file. You cannot directly edit the copy of the zone database file on a Secondary DNS server.

You can easily create a new zone by using the New Zone Wizard included with the Windows 2000 DNS server. After installing the DNS service on your computer, open the DNS management console. Right-click on the name of your server and select New Zone, as seen in Figure 7.15. Just answer the wizard's questions, and you've got yourself a new zone.

Zones are populated with resource records. There are a number of different resource record types. The most common resource record is the host, or A, record. This host record supplies the host name to IP address mapping for a computer within the zone. To add a new host, right-click on your new zone, select New Host, and then enter the host name and the IP address as shown in Figure 7.16.

Other common resource record types you will encounter include the NS (name server), MX (mail exchanger), and CNAME (canonical name) records.

The NS record is used to define the host names of the servers that are authoritative for a zone. This can be a Primary or a Secondary DNS server for the zone. The NS record informs machines that send DNS queries to the DNS server that "I know what is true regarding this zone, and the buck stops here." Figure 7.17 shows the Name Servers tab that appears in the domain's Properties sheet. You can find this by right-clicking the name of one of your domains, selecting Properties, and then clicking the Name Servers tab.

You can add the name and IP address of another DNS server that will be authoritative for the domain by clicking ADD. Be sure that you've configured the machine that you're adding here as a Secondary DNS server for the zone, so that it can act as an authority for the zone. An NS record that names a server which does not actually hold the zone sends resolvers to a server that cannot answer (a lame delegation).

NOTE: Did you notice that ADD is grayed out in Figure 7.17? That is because we took this screen shot from a machine that is a Secondary for the tacteam.net zone.

Figure 7.15 Creating a new zone in the DNS management console.


TIP: You can only define NS records for Secondary name servers on the Primary DNS server for the zone.

The MX record is used to identify the name of the server that is the intended destination for e-mail for a given zone. For example, mail sent to anyone at tacteam.net, such as deb@tacteam.net, would be sent to the server identified in DNS with an MX record. Figure 7.18 shows the New Resource Record MX dialog box.

Note that the "Host or domain" text box is empty. This record defines a Mail Exchanger for the tacteam.net domain, and this record is being created in the tacteam.net domain. By leaving this text box empty, you identify this record as applying to the parent domain, which is listed at the top of the dialog box.

Figure 7.16 Adding a New Host Address record in the newly created domain.


Enter the name of the mail server that will handle the mail, and then the "Mail server priority." This is a number from 0 to 65535 that is used to determine an order of "priority" if there are multiple MX records for the domain.

TIP: Lower numbers have priority over higher numbers. If two MX records for the same domain have the same priority number, one will be chosen at random. Mail is routed to the machine with the highest priority (lowest priority number). If that machine doesn't respond, the mail is sent to the machine with the next highest priority.

Notice that we enter the FQDN in the "Mail server" text box. There must be a host (A) record for that machine in order for the MX record to properly route the mail to the destination Mail Exchanger; an MX target with no address record is a common cause of undeliverable mail.

The CNAME record allows you to create aliases for computers that already have host records in the DNS database. The most common use of the CNAME record is to allow you to use "standard" names for servers offering services on the Internet or intranet. Servers are often named based on the services they provide, such as "ftp," "www," and "mail" for an FTP server, Web server, and mail server, respectively.

Figure 7.17 The Name Servers tab in the domain Properties sheet.

Figure 7.19 shows the add CNAME record Properties sheet.

In this example, EXETER is a machine on the tacteam.net network. We really don't want our users to have to remember the host names of all the machines on the network, so we can create a CNAME record for each machine based on the type of service it provides. When a DNS client issues a query for mail.tacteam.net, it will be connected to EXETER. An nslookup in debug mode reveals the following:

    ------------
        185.1.168.192.in-addr.arpa, type = PTR, class = IN
        ANSWERS:
        ->  185.1.168.192.in-addr.arpa
            name = constellation.tacteam.net
            ttl = 3600 (1 hour)
    ------------
    Server:  constellation.tacteam.net
    Address:  192.168.1.185

    ------------
        ->  exeter.tacteam.net
            internet address = 192.168.1.186
            ttl = 1200 (20 mins)
    ------------
    Name:    exeter.tacteam.net
    Address:  192.168.1.186
    Aliases:  mail.tacteam.net

Figure 7.18 The New Resource Record MX dialog box.

The nslookup confirms that mail.tacteam.net is indeed EXETER. The first block is nslookup resolving the PTR record of its own DNS server (192.168.1.185) in order to print the "Server:" line; the second is the answer for mail.tacteam.net, with the alias reported under "Aliases:". You can confirm that the alias is functional by pinging the host by its CNAME alias. Be very careful when you enter the "Fully qualified name for target host" in the provided text box. If you include a period at the end of the FQDN to truly fully qualify the record, it will not work. Try it both ways to confirm that this is true.
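The zone file format, the MX priority rules and the CNAME alias from the three preceding sections, in one added example that is not code from the book: it parses a BIND-style zone file of the kind Windows 2000 writes under %systemroot%\system32\dns, orders the zone's Mail Exchangers the way a sending mail server does (lowest preference first, ties at random), rejects MX targets that have no host (A) record, and follows the mail -> exeter alias. The zone text is constructed for the book's tacteam.net example; the hosts mail2 and backup and the SOA values are invented, and $INCLUDE/$GENERATE are not handled.

```python
"""Zone file parsing, MX ordering and CNAME aliases.

Added example, not code from the book. Reads a BIND-style zone file,
orders Mail Exchangers by preference, drops MX targets with no A record
and follows CNAME aliases. ZONE_TEXT is constructed (not Figure 7.14).
"""
import random
from collections import defaultdict

ZONE_TEXT = """\
; constructed tacteam.net zone (not the book's Figure 7.14)
$ORIGIN tacteam.net.
$TTL 3600
@        IN  SOA  constellation.tacteam.net. deb.tacteam.net. (
                  12 900 600 86400 3600 )   ; serial refresh retry expire min
@        IN  NS   constellation.tacteam.net.
@        IN  MX   10 exeter.tacteam.net.
@        IN  MX   20 mail2.tacteam.net.
@        IN  MX   30 backup.tacteam.net.    ; no A record: unusable
constellation IN A 192.168.1.185
exeter        IN A 192.168.1.186
mail2         IN A 192.168.1.187
mail          IN CNAME exeter.tacteam.net.
www           IN CNAME exeter.tacteam.net.
"""


def _fqdn(name: str, origin: str) -> str:
    """'@' -> origin, 'exeter' -> exeter.<origin>, 'a.b.' -> a.b."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.rstrip(".")
    return f"{name}.{origin}"


def parse_zone(text: str) -> dict:
    """Return {owner: [(type, [rdata tokens]), ...]}.

    Handles ';' comments, $ORIGIN and $TTL, records continued inside
    parentheses, '@' and relative owner names, a blank owner column
    (repeat of the previous owner) and optional TTL/class columns."""
    origin, last_owner = ".", None
    records = defaultdict(list)
    logical, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            logical.append((buf[0][:1].isspace(), " ".join(buf)))
            buf = []
    for starts_blank, line in logical:
        tok = line.split()
        if tok[0] == "$ORIGIN":
            origin = tok[1].rstrip(".")
            continue
        if tok[0] == "$TTL":
            continue
        owner = last_owner if starts_blank else _fqdn(tok.pop(0), origin)
        last_owner = owner
        while tok and (tok[0].isdigit() or tok[0].upper() in ("IN", "CH", "HS")):
            tok.pop(0)                                  # optional TTL / class
        records[owner].append((tok[0].upper(), tok[1:]))
    return dict(records)


def has_address(records: dict, host: str) -> bool:
    return any(t == "A" for t, _ in records.get(host, []))


def mail_exchangers(records: dict, domain: str, rng=random):
    """(usable, rejected): MX hosts in delivery order, and those that have
    no A record and so cannot receive mail however low their preference."""
    mx = [(int(r[0]), r[1].rstrip("."))
          for t, r in records.get(domain, []) if t == "MX"]
    ordered = []
    for pref in sorted({p for p, _ in mx}):
        tied = [h for p, h in mx if p == pref]
        rng.shuffle(tied)                               # equal preference: random
        ordered.extend(tied)
    usable = [h for h in ordered if has_address(records, h)]
    return usable, [h for h in ordered if h not in usable]


def canonical(records: dict, name: str, max_hops: int = 8) -> str:
    """Follow CNAMEs to the real host name; refuses loops and long chains."""
    seen = []
    while name not in seen and len(seen) < max_hops:
        seen.append(name)
        targets = [r[0].rstrip(".") for t, r in records.get(name, []) if t == "CNAME"]
        if not targets:
            return name
        name = targets[0]
    raise ValueError("CNAME loop or chain too long: " + " -> ".join(seen))


if __name__ == "__main__":
    zone = parse_zone(ZONE_TEXT)
    print("MX order:", mail_exchangers(zone, "tacteam.net"))
    print("mail.tacteam.net is", canonical(zone, "mail.tacteam.net"))
```

The parser stores every name without a trailing dot, so comparisons are uniform; the loop guard in canonical() is there because two CNAMEs pointing at each other is a mistake the console will happily let you make.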

TIP: Ever wonder why they call it a canonical record? Here are some definitions that will explain things. Canonical: Music. Having the form of a canon. Canon: Music. A composition or passage in which the same melody is repeated by one or more voices, overlapping in time in the same or a related key. So, a CNAME record allows multiple host names to "sing" for the same computer!


Zone Transfer

How does the information contained in the zone database file on the Primary DNS server find its way to its Secondary DNS servers? This sharing of information is done via a mechanism known as a zone transfer (see Figure 7.20). For standard zones, this is merely copying the zone database resource records from the Primary DNS server to its designated Secondaries.

A vocabulary lesson is in order here. The Primary DNS server that is transferring the zone database to its Secondary is typically referred to as a "Master" server. The other side of the Master, that is, the machine receiving the zone database entries, is sometimes referred to as a "slave" server, a Secondary, or simply the DNS server receiving a copy of the zone entries.

NOTE: We prefer to stay away from using the term slave, since "slave DNS server" has a very specific meaning in Windows 2000 (a server that hands every query it cannot answer to its forwarders and does no recursion of its own), and it is not related to zone transfer. Just keep this in mind when you're reading various references about zone transfers.

Be aware that a Secondary DNS server can be a Master DNS server to another Secondary DNS server. Confusing, huh? Here's how it works: A Secondary DNS server has a copy of a zone database that it received from a Primary DNS server. This Secondary DNS server can transfer the read-only copy that it has to another Secondary DNS server, in which case it becomes a Secondary Master. Also, a Primary DNS server for one zone, such as shinder.net, can be a Secondary DNS server for another zone, such as microsoft.com. Try this: Configure your DNS server at home as a Primary DNS server for your local domain. Then connect to your ISP in the usual way, and see if you can become a Secondary to your ISP's DNS server (of course, you won't really be a Secondary, because there is no NS record for your computer, although you could make one on your server if you wish). A well-run server restricts zone transfers to the addresses of its listed Secondaries, so don't be surprised if the request is refused; an unrestricted transfer hands a complete inventory of the zone's hosts to anyone who asks, which is exactly why the restriction exists.

If the transfer succeeds, you now have a read-only copy of your ISP's publicly available DNS records, and your DNS server is both a Primary and a Secondary DNS server.

Figure 7.19 The add CNAME record Properties sheet.

Figure 7.20 Zone transfers between Primary and Secondary DNS servers.
(Figure: three servers, dns.shinder.net, dns1.shinder.net and dns.tacteam.net. dns.shinder.net is Primary for shinder.net; it is the master in the zone transfer to dns1.shinder.net, which is Secondary for the shinder.net zone. dns1.shinder.net in turn becomes a master DNS server when it transfers the shinder.net zone to dns.tacteam.net, the Primary DNS server for the tacteam.net zone, which acts as a Secondary for shinder.net. This shows how Secondary DNS servers become master servers, and how Primaries can become "slaves".)


Several things can trigger a zone transfer from a Primary DNS server to a Secondary, including:

■ The refresh interval has expired.

■ The Secondary server has booted up.

■ The Primary DNS server is configured to notify Secondaries when changes take place.

Refresh Interval

The refresh interval is the period the Secondary DNS server waits between requests for a zone transfer from the Primary. This value is part of the Start of Authority (SOA) resource record, which is the first record created for a new zone. You can view the values contained in the SOA record for a domain by double-clicking the SOA record in the domain. You will see a dialog box similar to the one in Figure 7.21.

Figure 7.21 The Start of Authority record for the tacteam.net domain.

By default, the refresh interval is 15 minutes. If the Primary server does not respond when the Secondary tries to contact it, the Secondary will try again based on the value in the "Retry interval" text box. If the Secondary is not able to contact the Primary at all for the period of time defined in the "Expires after" text box, the Secondary will no longer respond to queries for that domain.


Once the Secondary is able to contact the Primary again, it will start to answer queries for the domain again. This is to ensure that invalid and outdated information isn't passed to DNS clients making queries for that zone.

DNS Notify

A Windows 2000 DNS server supports DNS Notify, which allows the Primary DNS server to initiate the zone transfer, rather than the Secondary. In a sense, this is a "push" mechanism for zone transfer. This is a very handy feature to ensure that your servers have an up-to-date copy of the zone information contained on the Primary DNS server. Each time a change is made to the zone database, the Primary will either contact all its Secondary DNS servers, as they are defined on the Name Servers tab, or you can create a customized list of servers to which the notifications will be sent. Strictly speaking, the notify message only tells the Secondary that something changed; the Secondary then checks the SOA serial number and pulls the zone itself, as described next. Figure 7.22 shows the Zone Transfers tab on the taccorp.net domain Properties sheet. The Notify dialog box appears after you click NOTIFY on the Zone Transfers tab.

Figure 7.22 The Zone Transfers tab and the Notify dialog box.


Request for Information Query

When a Secondary DNS server requests a zone transfer, either from initiating the request itself or after having been "reminded" to make the request by a notify message, it will issue a query for the SOA record on the Primary DNS server. The Secondary DNS server will examine the serial number in the Primary DNS server's SOA record. If the serial number on the Primary is higher than the one in its own SOA record for the zone, it will request, via another query, transfer of the zone database information. This also means that a Primary whose serial number is never incremented, or has been set lower than the Secondary's copy, is never pulled: the Secondaries keep answering from their old copy indefinitely, since a successfully answered SOA check resets the expire timer even when nothing is transferred.

This request for information query can be either a request for the entire zone database file, or for just those records that have changed since the last time it received a zone transfer. The AXFR query transfers the entire zone database file, and is the only type of transfer mechanism available to downlevel DNS servers, such as Windows NT 4.0. Windows 2000 DNS servers support the IXFR query, where only the records that have changed are sent to the Secondary DNS server. The IXFR query is clearly less bandwidth intensive than the AXFR query.
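The Secondary's refresh, retry, expire and serial-number logic from the last three sections, as an added example that is not code from the book. It steps a Secondary through the timeline the text describes (boot, a notify, the master going down, expiry) and chooses IXFR or AXFR. Serial comparison uses RFC 1982 serial arithmetic, so a serial that has wrapped past 2^32 still counts as newer. The timer values are the Windows 2000 SOA defaults consistent with the 15-minute refresh in the text; times are in seconds and the serial numbers are constructed. Whether the master can actually answer an IXFR (it needs a change history, and otherwise falls back to AXFR) is not modelled.

```python
"""How a Secondary decides when to pull a zone.

Added example, not code from the book. Models the SOA timers (refresh,
retry, expire), RFC 1982 serial comparison and the AXFR/IXFR choice.
Timer defaults: Windows 2000 SOA defaults (15 min / 10 min / 1 day).
"""
from dataclasses import dataclass

MOD = 1 << 32
HALF = 1 << 31


def serial_newer(candidate: int, current: int) -> bool:
    """True if `candidate` is ahead of `current` (RFC 1982 arithmetic)."""
    diff = (candidate - current) % MOD
    return 0 < diff < HALF


@dataclass
class Secondary:
    serial: int
    refresh: int = 900          # 15 minutes
    retry: int = 600            # 10 minutes
    expire: int = 86400         # 1 day
    supports_ixfr: bool = True  # False for a downlevel server (NT 4.0)
    last_refresh: int = 0       # time of the last answered SOA check
    next_check: int = 0         # when the next SOA query is due


def on_notify(s: Secondary, now: int) -> Secondary:
    """DNS NOTIFY from the master: check now instead of at the refresh."""
    s.next_check = now
    return s


def refresh_step(s: Secondary, now: int, master_serial: int, master_up: bool):
    """One pass of the Secondary's refresh logic at time `now`.

    Returns (action, s) where action is 'wait', 'retry', 'expired',
    'up-to-date', 'IXFR' or 'AXFR'. 'expired' means the Secondary stops
    answering for the zone until the master is reachable again."""
    if now < s.next_check:
        return "wait", s
    if not master_up:
        if now - s.last_refresh >= s.expire:
            return "expired", s
        s.next_check = now + s.retry
        return "retry", s
    s.last_refresh = now                 # any answered SOA query resets expire
    s.next_check = now + s.refresh
    if not serial_newer(master_serial, s.serial):
        return "up-to-date", s           # also when the master serial is LOWER
    action = "IXFR" if s.supports_ixfr else "AXFR"
    s.serial = master_serial
    return action, s


def run_scenario() -> list:
    """Walk the timeline from the text and return the list of actions."""
    s = Secondary(serial=12)
    log = [refresh_step(s, 0, 12, True)[0]]           # boot: serials equal
    log.append(refresh_step(s, 100, 13, True)[0])     # refresh not due yet
    on_notify(s, 100)                                 # master sends NOTIFY
    log.append(refresh_step(s, 100, 13, True)[0])     # pull the change
    log.append(refresh_step(s, 1000, 13, False)[0])   # master down: retry
    log.append(refresh_step(s, 86500, 13, False)[0])  # still down: expired
    return log


if __name__ == "__main__":
    print(" -> ".join(run_scenario()))
```

The "up-to-date" branch is the one to remember when a Secondary refuses to pick up a change: compare the two serials before looking anywhere else.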

Fast Transfer

Another mechanism that Windows 2000 uses to lessen the bandwidth requirements of zone transfers is a "compressed" form of resource record transfer, sometimes known as a fast transfer: several resource records are packed into each transfer message instead of one record per message.

WARNING: If you use BIND DNS servers older than version 4.9.4, they will not be able to accept fast transfers, and the zone transfer will fail. If you have problems with zone transfers to BIND Secondaries, you can disable fast transfers.

Be aware that this is a feature that applies to all zones configured on a single server, and suppression of fast transfers cannot be done on a granular basis. Figure 7.23 shows the Advanced tab on the DNS server's Properties sheet. You can get there by right-clicking the server name itself in the DNS management console and clicking Properties.

Your primary problems related to zone transfers when you implement your Windows 2000 DNS solution will usually be related to compatibility issues with downlevel (all other) DNS servers. Keep this in mind when troubleshooting zone transfer difficulties.


Reverse Lookup Zones

The type of queries we've been dealing with up to this point are often referred to as forward lookups. A forward lookup is when you send the name of the destination host in order to obtain the IP address associated with that name. The opposite is known as a reverse lookup. When you do a reverse lookup, you already know the IP address, and you want to obtain the host name associated with that IP address.

Reverse lookups are not something that can be easily accomplished using forward lookup zones. Think of forward lookup zones as something similar to a phone book. A phone book is indexed using people's last names. If you want to find a telephone number quickly, you just go to the letter of the alphabet for the last name, and then go down the alphabetical list until you find the name. The phone number is right next to the person's name. What if we already knew the phone number, and wanted to find out whose name goes with that phone number? Since the phone book is indexed using names, our only alternative would be to look at every phone number in the book and hope to be lucky and find that it's one in the front of the book (assuming that we start looking in the front first).

Figure 7.23 The Advanced tab on the DNS server’s Properties sheet.


This clearly isn't a very efficient method to search the IP address namespace. At one time, inverse queries were used to trawl the IP address namespace, but these were very limited because they searched forward lookup zones. As we have seen, that is very time consuming and inefficient.

The in-addr.arpa Domain

To solve the problem, a new domain was created, the in-addr.arpa domain. The in-addr.arpa domain indexes host names based on IP addresses, and makes reverse lookups much more efficient and speedy.

You can create reverse lookup zones easily using the Windows 2000 DNS management console. Just right-click your computer name in the console and select New Zone. That will start the New Zone Wizard, which walks you through the process of creating new zones, either forward or reverse lookup. The wizard will ask what type of zone you want to create, and you will select Reverse Lookup Zone rather than Forward. The wizard will ask for the network ID and automatically create a zone database file based on your answers.

Note the construction of the reverse lookup zone name. The name is the network ID in reverse, so if you created a reverse lookup zone for 192.168.1.0, the name of the reverse lookup zone would be 1.168.192.in-addr.arpa. This is because names are examined and executed from right to left (most significant label first), just as they are with forward lookup zones, while the most significant part of an IP address is its leftmost octet.

Pointer Records

A pointer record (PTR) is created for each computer included in the reverse lookup zone. The pointer record can be created when a new host record is entered, or you can create one separately.

TIP: Our experience is that the PTR records are not always created when entering a new host address, so you will want to check the PTR records for all hosts you create on the DNS server. One problem that we've run into is that the dynamic update information sent to the DNS server doesn't always update the PTR record reliably. Therefore, if you are having problems with reverse lookups, check to make sure the PTR record is correct.

The following is an example of the contents of a reverse lookup zone database file:


er is located, and then creating a PTR record for the DNS server itself


Although you are not required to create reverse lookup zones, you might find queries execute faster once you've put one in place. If you are running any type of security or IP diagnostic software, reverse lookup zones are a must: such tools log the source address of every connection and rely on a PTR lookup to turn it into a name, and without the zone each lookup waits for a timeout or a negative answer. Bear in mind that a PTR record is only as trustworthy as the server that owns the reverse zone, so treat a resolved name in a log as a convenience for the reader rather than as proof of identity.
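The reverse zone naming rule and the PTR check recommended in the TIP above, as an added example that is not code from the book: it builds the in-addr.arpa zone name for a network ID, the PTR owner name for a host, and compares a set of host (A) records against the PTR records to find hosts with no PTR, PTRs pointing at the wrong name, and orphaned PTRs. The record sets are constructed from the book's tacteam.net hosts; newhost, oldname and gone are invented.

```python
"""Reverse-lookup helpers and a forward/reverse consistency check.

Added example, not code from the book. The A and PTR record sets are
constructed; the real names are the book's constellation and exeter.
"""
import ipaddress


def reverse_zone_name(network: str) -> str:
    """'192.168.1.0/24' -> '1.168.192.in-addr.arpa': the network octets in
    reverse order (classful /8, /16 and /24 networks only)."""
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("classful IPv4 network (/8, /16, /24) expected")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_name(address: str) -> str:
    """'192.168.1.185' -> '185.1.168.192.in-addr.arpa'."""
    ip = ipaddress.ip_address(address)
    return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"


def check_forward_reverse(a_records: dict, ptr_records: dict) -> list:
    """Return a list of problems: hosts with no PTR, PTRs that do not point
    back at the host, and PTRs whose address has no A record."""
    problems = []
    for host, ip in a_records.items():
        owner = ptr_name(ip)
        target = ptr_records.get(owner)
        if target is None:
            problems.append(f"{host} ({ip}): no PTR record {owner}")
        elif target.lower() != host.lower():
            problems.append(f"{host} ({ip}): PTR {owner} points at {target}")
    forward_owners = {ptr_name(ip) for ip in a_records.values()}
    for owner, target in ptr_records.items():
        if owner not in forward_owners:
            problems.append(f"{owner} -> {target}: no A record for this address")
    return problems


# Constructed records: one correct pair, one stale PTR, one missing PTR,
# one orphaned PTR.
A_RECORDS = {
    "constellation.tacteam.net": "192.168.1.185",
    "exeter.tacteam.net": "192.168.1.186",
    "newhost.tacteam.net": "192.168.1.190",
}
PTR_RECORDS = {
    "185.1.168.192.in-addr.arpa": "constellation.tacteam.net",
    "186.1.168.192.in-addr.arpa": "oldname.tacteam.net",   # stale
    "200.1.168.192.in-addr.arpa": "gone.tacteam.net",      # orphan
}

if __name__ == "__main__":
    print("zone:", reverse_zone_name("192.168.1.0/24"))
    for problem in check_forward_reverse(A_RECORDS, PTR_RECORDS):
        print("-", problem)
```

Run the check after a round of dynamic updates or a manual batch of host additions; the stale case (a PTR still naming the previous owner of an address) is the one that the console will not flag for you.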

Active Directory Integrated Zones

The standard zone file is stored in a dedicated text-based file on the DNS server. Windows 2000 DNS servers allow you the option of "integrating" your zone database files into the Active Directory. There are several advantages to integrating your DNS zones into the Active Directory, including:

■ Taking advantage of the Active Directory replication engine

■ Per-property zone transfer mechanism

■ Secure zone transfers and updates

■ Multimaster DNS topology

One of the major design issues and problems you have to deal with relates to where you place your DNS servers. When working with standard DNS zones, you have to consider the optimal placement of both your domain controllers and your DNS servers. When you integrate your DNS zones, they are stored on domain controllers, and you no longer have to plan separate placement and replication topologies for DNS and domain controllers.

All DNS servers that use directory integrated zones are Primary DNS servers. This solves the problem wherein the standard Primary DNS zone server is a single point of failure. This is especially important when working with dynamic DNS update. Standard DNS zones that experience a failure of the Primary DNS server for the zone will not be able to complete dynamic updates, which can lead to a loss of name service integrity. Therefore, directory integrated DNS zones are multimaster. Each DNS server for a directory integrated zone is a Master DNS server, and replicates its DNS database information to other domain controllers based on your Active Directory replication design.

Common Problems with Integrated DNS Zones

You might encounter some problems when working with Active Directory integrated DNS zones.


“Loose Consistency”

Since every DNS server is a Primary, two different administrators could make changes to the same record. The same machine could have address records pointing to two different IP addresses, or a CNAME record for www could point to two different address records. The zone becomes fractionated at this point, or what Microsoft refers to as "loosely consistent."

The name conflict will resolve itself by accepting the resource record with the most recent timestamp as valid. But until then, you will have some incongruities in your name resolution scheme. The optimal solution is to limit manual updates to the zone to a single administrator. The designated administrator can be located anywhere, because he can open any zone from any location using the DNS management console.

Advantages of Active Directory Integration

There are several advantages to integrating the DNS zones with ActiveDirectory

Reduction of Network Traffic

Zone transfer traffic is decreased by using Active Directory integratedzones because the entire record is not replicated during transfer; only thechanged properties are sent to other AD integrated zone If you have largezones, and zone transfer traffic is eating up a significant amount of yourbandwidth, consider integrating it with the Active Directory

You do not need to include DNS notify for the Active Directory integrated zones. The DNS server will poll the Active Directory every 15 minutes for changes to the zone.

Enhanced Security

Another major advantage of Active Directory enabled zones is improved security. Standard zones allow you to set up a modicum of security by configuring the IP addresses of machines that are allowed to request a zone transfer. Typically, this list includes the machines you have placed in the DNS server list in the zone's Properties sheet, although you can add other IP addresses if you wish. If you enable the zone to accept dynamic updates, any machine will be allowed to update a host and pointer record in the zone.

The Active Directory enabled zone allows for secure dynamic updates.

Windows 2000 DNS clients can update their own address and pointer records on either a standard Windows 2000 zone or a Directory integrated zone. The resource records are not secure in a standard zone, and any computer claiming a name can update a resource record for a particular DNS client. Active Directory enabled zones employ Kerberos authentication mechanisms to prevent "outlaw" DNS clients from falsely updating a legitimate resource record.

Ownership Disputes

With secure DNS zone updates, only the "owner" of the record can update a resource record. This improves overall security, but it can cause some problems you might have to deal with.

For example, let's say that you are using a DHCP server to assign IP addresses to Windows 2000 clients. The default behavior for Windows 2000 DNS clients is to update their own address records and to allow the DHCP server to update the pointer record. The DNS client therefore "owns" the address record, and the DHCP server "owns" the pointer record.

Now let's suppose the DHCP server that you have been using crashes. You have a backup DHCP server, so you might not worry about it too much. However, when the backup DHCP server tries to update the pointer record for the DNS client, it won't be able to, because it doesn't own that pointer record!

Another situation where you might run into problems is when you are working with downlevel clients. Suppose that you have a Windows NT 4.0 computer that has been receiving its IP addressing information from a Windows 2000 DHCP server. The Windows 2000 DHCP server has been acting as a "proxy" for the downlevel client and has been registering the downlevel DNS client's address record and pointer record for it.

What happens after you upgrade the downlevel client to Windows 2000? The Windows 2000 DNS client is now capable of updating its own DNS information. Unfortunately, when the upgraded client tries to do this, it will not be able to, since the DHCP server that originally registered its address and pointer records owns them.

The solution to these problems is to place the DHCP servers into a special group known as the DnsUpdateProxy group. When a DHCP server that is a member of this group creates an entry for a machine in DNS, no security information is attached to the record. For example, let's say a DHCP server creates an address record and a pointer record for a machine by the name of daedalus.tacteam.net. Normally, the DHCP server would become the owner of this record, but if the DHCP server is a member of the DnsUpdateProxy group, no one will be registered as the owner of the resource records it registers.

Now we have another problem: We've just eliminated secure dynamic updates for DHCP clients! Any machine can be brought online and claim the name of a machine that has been legitimately registered by a DHCP server. What we really want to do is allow the Windows 2000 DNS client to update both its address and pointer records, and not allow the DHCP server to update the clients' records.
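To make the ownership rules above concrete, here is a small simulation added for this section; it is not code from the book and not the Windows 2000 DNS implementation. It models a zone that accepts only secure dynamic updates, where the registering principal owns the record and members of DnsUpdateProxy register records with no owner. The principal names (DAEDALUS$, DHCP1$, DHCP2$, ROGUE$), the addresses, and the rule that a non-proxy principal takes ownership of an ownerless record it overwrites are assumptions made for the model.

```python
"""Simulation of secure dynamic update ownership (constructed; not the Windows 2000 code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class Record:
    rtype: str            # "A" (address) or "PTR" (pointer)
    data: str             # address for A records, host name for PTR records
    owner: Optional[str]  # principal that registered it; None = no security information attached


class SecureDynamicZone:
    """A zone that accepts secure dynamic updates only: whoever registers a record owns it."""

    def __init__(self, name: str, update_proxy_members: Set[str] = frozenset()):
        self.name = name
        self.update_proxy_members = set(update_proxy_members)   # DnsUpdateProxy group membership
        self.records: Dict[Tuple[str, str], Record] = {}

    def update(self, principal: str, name: str, rtype: str, data: str) -> str:
        key = (name.lower(), rtype)
        # Members of DnsUpdateProxy register records with no owner attached.
        owner = None if principal in self.update_proxy_members else principal
        current = self.records.get(key)
        if current is None:
            self.records[key] = Record(rtype, data, owner)
            return "CREATED"
        if current.owner is None:
            # Ownerless record: any principal may overwrite it (assumption: a non-proxy
            # principal that does so becomes the owner).
            current.data, current.owner = data, owner
            return "UPDATED_UNOWNED"
        if current.owner != principal:
            return "REFUSED"          # secure update denied: caller is not the owner
        current.data = data
        return "UPDATED"

    def lookup(self, name: str, rtype: str) -> Optional[str]:
        rec = self.records.get((name.lower(), rtype))
        return rec.data if rec else None


HOST, PTR_NAME = "daedalus.tacteam.net", "50.1.168.192.in-addr.arpa"   # constructed names


def dhcp_failover_scenario() -> str:
    """Client owns its A record, DHCP1 owns the PTR; DHCP1 crashes and DHCP2 tries to refresh the PTR."""
    zone = SecureDynamicZone("tacteam.net")
    zone.update("DAEDALUS$", HOST, "A", "192.168.1.50")
    zone.update("DHCP1$", PTR_NAME, "PTR", HOST)
    return zone.update("DHCP2$", PTR_NAME, "PTR", HOST)          # -> "REFUSED"


def upgraded_client_scenario() -> str:
    """DHCP1 registered both records as proxy for a downlevel client; after the upgrade the client updates itself."""
    zone = SecureDynamicZone("tacteam.net")
    zone.update("DHCP1$", HOST, "A", "192.168.1.50")
    zone.update("DHCP1$", PTR_NAME, "PTR", HOST)
    return zone.update("DAEDALUS$", HOST, "A", "192.168.1.77")   # -> "REFUSED"


def update_proxy_scenario() -> Tuple[str, str, Optional[str]]:
    """With DHCP1 in DnsUpdateProxy, the backup server can take over the PTR, but so can any machine claiming the name."""
    zone = SecureDynamicZone("tacteam.net", update_proxy_members={"DHCP1$"})
    zone.update("DHCP1$", HOST, "A", "192.168.1.50")
    zone.update("DHCP1$", PTR_NAME, "PTR", HOST)
    backup = zone.update("DHCP2$", PTR_NAME, "PTR", HOST)        # -> "UPDATED_UNOWNED"
    rogue = zone.update("ROGUE$", HOST, "A", "10.0.0.66")         # -> "UPDATED_UNOWNED"
    return backup, rogue, zone.lookup(HOST, "A")                  # -> (..., ..., "10.0.0.66")
```

The first two scenarios reproduce the failover and upgrade problems described above; the third shows why DnsUpdateProxy trades those problems for the loss of secure updates on the records it registers.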

Domain Controllers in the DnsUpdateProxy Group

The most significant issue relating to membership in the DnsUpdateProxy group is that of a domain controller. If the DHCP server is on a domain controller, it will register the domain controller's information in a nonsecure context. That means that any machine can come around and register itself with the same name as the domain controller in question, and replace the legitimate IP address with a bogus one, all of which represents a tremendous security breach. For this reason, we highly recommend that you not implement DHCP servers on domain controllers.

Zone Delegations

Zone Delegations allow you to distribute the responsibility for name resolution to other servers. For example, you are the DNS administrator stationed in Dallas for tacteam.net. A new operation is starting up in San Francisco, and the personnel in San Francisco will be maintaining the zone. You do not want to be responsible for maintaining records for the San Francisco domain, which will be called west.tacteam.net. You do, however, want DNS clients that point to your DNS server in Dallas, constellation.tacteam.net, to be able to resolve host names in the west.tacteam.net domain. Well, here's how you do it:

1. In Dallas, we go to the DNS server at constellation.tacteam.net and open the DNS management console. (Actually, we could do this from anywhere, as long as we open the host constellation.tacteam.net in the DNS management console.)

2. Right-click the tacteam.net domain, and select New Delegation.

3. When going through the Delegation Wizard, assign the Domain to the delegated DNS server in San Francisco.

4. In San Francisco, open the DNS server that will be housing the resource records for west.tacteam.net in the management console. Create a New Primary or Directory integrated zone called "west.tacteam.net." Add resource records.

Troubleshooting Delegation Problems

This all seems pretty straightforward, and it is. However, if your delegation doesn't work, here are some things to check out:

1. Make sure you have configured reverse lookup zones for all network IDs involved on both servers.

2. Make sure there is a host record for the new DNS server on that DNS server.

3. Make sure that there is a pointer record for the new DNS server on both DNS servers.

These are the most common reasons for delegation failures.
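The three checks above can be expressed as a sanity check over the two servers' zone data. The following is an added example written for this section, not code from the book or from the Windows 2000 DNS tools; it models each server as an in-memory set of zones and also verifies the NS and glue records the delegation itself needs. The San Francisco server name ns1.west.tacteam.net and its address 192.168.2.10 are assumptions; constellation.tacteam.net at 192.168.1.185 comes from the chapter.

```python
"""Delegation sanity check for the Dallas / San Francisco example (constructed example)."""
from typing import Dict, List, Set, Tuple


def reverse_names(ip: str) -> Tuple[str, str]:
    """Reverse lookup zone for a /24 network ID, and the PTR owner name for the host."""
    o = ip.split(".")
    zone = f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa"
    return zone, f"{o[3]}.{zone}"


class DnsServer:
    def __init__(self, name: str, ip: str):
        self.name, self.ip = name.lower(), ip
        self.zones: Dict[str, Dict[Tuple[str, str], Set[str]]] = {}   # zone -> {(owner, type): rdata}

    def create_zone(self, zone: str) -> None:
        self.zones.setdefault(zone.lower(), {})

    def add(self, zone: str, owner: str, rtype: str, rdata: str) -> None:
        self.create_zone(zone)
        self.zones[zone.lower()].setdefault((owner.lower(), rtype), set()).add(rdata.lower())

    def has(self, zone: str, owner: str, rtype: str, rdata: str) -> bool:
        return rdata.lower() in self.zones.get(zone.lower(), {}).get((owner.lower(), rtype), set())


def check_delegation(parent: DnsServer, parent_zone: str, child: DnsServer, child_zone: str) -> List[str]:
    """Return a list of findings; an empty list means the delegation looks healthy."""
    findings: List[str] = []
    # The delegation itself: an NS record for the child zone plus a glue A record on the parent.
    if not parent.has(parent_zone, child_zone, "NS", child.name):
        findings.append(f"{parent.name}: no NS record delegating {child_zone} to {child.name}")
    if not parent.has(parent_zone, child.name, "A", child.ip):
        findings.append(f"{parent.name}: no glue A record for {child.name}")
    # Check 2: host record for the new DNS server on that server.
    if child_zone.lower() not in child.zones:
        findings.append(f"{child.name}: zone {child_zone} does not exist")
    elif not child.has(child_zone, child.name, "A", child.ip):
        findings.append(f"{child.name}: no host (A) record for itself in {child_zone}")
    # Check 1: reverse lookup zones for every network ID involved, on both servers.
    # Check 3: pointer record for the new DNS server on both servers.
    child_rzone, child_ptr = reverse_names(child.ip)
    for server in (parent, child):
        for rzone, _ in (reverse_names(parent.ip), reverse_names(child.ip)):
            if rzone not in server.zones:
                findings.append(f"{server.name}: reverse lookup zone {rzone} missing")
        if not server.has(child_rzone, child_ptr, "PTR", child.name):
            findings.append(f"{server.name}: no PTR record for {child.name} in {child_rzone}")
    return findings


def build_and_check(parent_has_ptr: bool = True) -> List[str]:
    """Build the tacteam.net / west.tacteam.net delegation and run the check."""
    dallas = DnsServer("constellation.tacteam.net", "192.168.1.185")
    sanfran = DnsServer("ns1.west.tacteam.net", "192.168.2.10")      # hypothetical name and address
    dallas.add("tacteam.net", "constellation.tacteam.net", "A", dallas.ip)
    dallas.add("tacteam.net", "west.tacteam.net", "NS", sanfran.name)   # result of New Delegation
    dallas.add("tacteam.net", sanfran.name, "A", sanfran.ip)            # glue record
    sanfran.add("west.tacteam.net", sanfran.name, "A", sanfran.ip)      # host record on the new server
    for server in (dallas, sanfran):
        for net_ip in (dallas.ip, sanfran.ip):
            server.create_zone(reverse_names(net_ip)[0])                 # reverse zones for both network IDs
    rzone, ptr = reverse_names(sanfran.ip)
    sanfran.add(rzone, ptr, "PTR", sanfran.name)
    if parent_has_ptr:
        dallas.add(rzone, ptr, "PTR", sanfran.name)                     # the record most often forgotten
    return check_delegation(dallas, "tacteam.net", sanfran, "west.tacteam.net")
```

Leaving out the pointer record on the Dallas server (build_and_check(parent_has_ptr=False)) produces exactly one finding, which is the third item in the list above.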

Learning Zone Delegation

Zone delegation has not been traditionally included in Microsoft's networking training and documentation, and it is certainly not an intuitive process. We recommend you practice by creating a DNS server on your test network, and creating some delegations. To get an idea of how this is done, pretend that you are the DNS administrator for the com domain. Then do the following:

1. Perform an nslookup –ds for the following domains:

syngress.com
osborne.com
microsoft.com

2. Write down the IP address for each of the authoritative DNS server IP addresses that were returned to you when you did the nslookup. The microsoft.com domain probably gave you about seven addresses; just use the first one.

3. Open the DNS management console and create a new primary zone for the com domain.

4. After the com domain is created, right-click it and select New Delegation. Add the Syngress, Osborne, and Microsoft domains. For the authoritative servers, include the IP addresses of the machines you received when you did your nslookup lookups for the authoritative DNS servers for each domain.

5. To test this, go into your network properties and make your machine its own preferred DNS server. Flush the DNS cache by issuing the ipconfig /flushdns command from the command prompt. Now ping www.microsoft.com, ftp.microsoft.com, www.osborne.com, and www.syngress.com. You should be able to successfully resolve the names of those sites, although Microsoft won't let you ping them. Now try to ping www.ibm.com. You should not be able to resolve the name, because your machine is now authoritative for the com domain, and you do not have a delegation for the ibm.com domain.

6. After completing the exercise, go back into the Network Properties sheet and return your Preferred DNS server to what it was. Go back into the DNS management console and delete the com domain you created. Finally, return to the command prompt and perform another ipconfig /flushdns command. You should be able to resolve domain names correctly again.

Congratulations! You are ready to be the DNS administrator for the com domain (almost). Please write to us if you have problems with this exercise. It should give you a lot of insight into how delegations work, and will allow you to be successful in creating and troubleshooting your own organization's delegations.

Special Troubleshooting Issues with Windows 2000 DDNS Servers

In this section, we'll examine various issues that can pose some problems for you when implementing your Windows 2000 DNS solutions. We'll examine problems related to DNS server security, WINS clients that seem to appear in more than one domain, and zone scavenging. We'll also explore the arcane meanings of the options in the Advanced tab of the DNS server Properties sheet.

DNS Security and Internet Intruders

The situation: You've had a good weekend, and come into work on Monday in a good mood. Part of your usual routine is to get a cup of coffee, open your e-mail, and see what's been happening over the weekend. Since not much happens over the weekend, you expect to see the usual amount of spam, and maybe some good e-mails from the WIN2000now@onelist.com mailing list you're subscribed to.

You almost jump out of your chair when you see a message from Joe Hacker. In the e-mail message, he lists all of the server names and IP addresses that your internal network clients have accessed over the past month, and he also included a complete listing of all the resource records in your DNS zone databases!

Right after you check your blood pressure to make sure you're not having a stroke, you try to figure out what happened. How did Joe Hacker get this information? What might be the security problem with the DNS server, and most importantly, how can you fix it?

Tracking Down the Problem

Recall what happens when a DNS client sends a recursive DNS query to its Preferred server. First, the DNS server checks to see if it is authoritative for the zone in the request. If it is not, it checks its cache to see if the information is located there. If the data is not in cache, it will complete recursion by issuing a series of iterative queries to other DNS servers. In the process of completing recursion, it will likely need to contact DNS servers on the Internet. When the internal DNS server makes a request from an Internet DNS server, the IP datagram includes the source and destination IP address, along with the information contained in the DNS query itself. When the Internet DNS servers reply, they include their source and destination IP address and their responses to the DNS queries.

So, you suspect that Joe Hacker has been listening in on your DNS queries. "But wait a minute," you say, "I have a firewall in place!" True, but in order to allow your internal DNS server to contact the Internet DNS servers for name resolution of Internet hosts, the firewall must have, at least, UDP Port 53 open on the outbound side, and a number of ports open on the receive side (typically 1024-5000) to allow the internal DNS server to send and receive DNS messages. Joe Hacker knew what the open ports were on the receive side because that information was included in the return datagram from the Internet DNS server.

How do you fix this problem before he gets even more adventurous? By implementing a combination of DNS forwarders and slaves.

The Solution: Forwarders and Slaves

A DNS forwarder is a DNS server that accepts recursive queries from another DNS server, typically a DNS server on the inside of a firewall. The forwarder will complete recursion for the DNS server that sent the request, and then send the results back to the requesting DNS server. The forwarding DNS server then returns the results, sent by the forwarder, to the client that issued the initial DNS query.

A slave DNS server is one that is not able to complete recursion. When recursion is disabled, the computer is only able to answer DNS queries with information contained in its own zone databases. If the slave is not authoritative for the zone in question, it cannot honor the DNS client's request for recursion, and returns a failure message. However, if you configure the slave server to use forwarders, it can offload the responsibility for recursion to the forwarder. It then becomes the forwarder's job to complete recursion by issuing a series of iterative queries to Internet DNS servers.

A DNS server that is not a slave server can still use forwarders. But, if the forwarder fails to resolve the query successfully, the forwarding computer then will attempt recursion, and issue its own series of iterative queries to Internet DNS servers. This is exactly what we want to prevent.

Our security scheme will include an internal DNS server that is configured as a slave server. This internal server can contain our DNS zone data because it no longer has any need to contact servers on the Internet. The slave is configured to use a forwarder located on the outside of the firewall. The forwarder will be a caching-only DNS server. A caching-only DNS server does not contain any zone database files, and uses the root hints file that contains the Internet root servers and its local DNS cache to answer queries for the slave server. The firewall itself will be configured to allow outbound DNS communications only from the slave DNS server, and inbound DNS communication from the forwarder.

Now, if Joe Hacker tries to obtain information from the forwarder, he'll be disappointed because there is no zone information. After implementing this security scheme, you won't have to worry about getting another DNS hack from Joe Hacker next Monday.
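The scheme just described, as an added simulation written for this section (not code from the book, and not a real resolver): an internal server holding the tacteam.net zone, a caching-only forwarder outside the firewall, and a firewall that permits the internal server to talk only to the forwarder. The simulation records which servers the outside world sees issuing queries, which is what an observer outside the firewall would learn, and also shows the difference when recursion is left enabled on the internal server or the firewall is left lax. Server names, the www.tacteam.net and www.syngress.com addresses, and the name nonexistent.example are assumptions.

```python
"""Simulation of the slave + forwarder scheme (constructed example, not a real resolver)."""
from typing import Dict, List, Optional, Set, Tuple


class Internet:
    """Stand-in for the public DNS hierarchy; records which server talked to it."""

    def __init__(self, answers: Dict[str, str]):
        self.answers = answers
        self.queries_seen: List[Tuple[str, str]] = []   # (source server, name) visible outside the firewall

    def iterative_lookup(self, name: str, source: str) -> Optional[str]:
        self.queries_seen.append((source, name))
        return self.answers.get(name)


class Firewall:
    """Permits DNS traffic only for the (source, destination) pairs listed; logs every attempt."""

    def __init__(self, allowed: Set[Tuple[str, str]]):
        self.allowed = allowed
        self.attempts: List[Tuple[str, str]] = []

    def permits(self, src: str, dst: str) -> bool:
        self.attempts.append((src, dst))
        return (src, dst) in self.allowed


class DnsServer:
    def __init__(self, name, zones, recursion, internet, firewall=None, forwarder=None):
        self.name = name
        self.zones = zones            # zone name -> {fqdn: address}; empty for a caching-only server
        self.recursion = recursion    # False = slave: never issues iterative queries itself
        self.internet = internet
        self.firewall = firewall      # None for the forwarder, which sits outside the firewall
        self.forwarder = forwarder
        self.cache: Dict[str, str] = {}

    def _can_reach(self, dst: str) -> bool:
        return self.firewall is None or self.firewall.permits(self.name, dst)

    def resolve(self, name: str) -> Optional[str]:
        # 1. Authoritative data: answer (or a negative answer) from the server's own zones.
        for zone, records in self.zones.items():
            if name == zone or name.endswith("." + zone):
                return records.get(name)
        # 2. Local cache.
        if name in self.cache:
            return self.cache[name]
        # 3. Hand the recursive query to the forwarder, if one is configured.
        if self.forwarder is not None and self._can_reach(self.forwarder.name):
            answer = self.forwarder.resolve(name)
            if answer is not None:
                self.cache[name] = answer
                return answer
        # 4. A slave stops here with a failure; a normal server falls back to its own recursion.
        if not self.recursion or not self._can_reach("internet"):
            return None
        answer = self.internet.iterative_lookup(name, self.name)
        if answer is not None:
            self.cache[name] = answer
        return answer


def run_scheme(slave: bool, strict_firewall: bool = True):
    """Build the topology and resolve three names through the internal server."""
    internet = Internet({"www.syngress.com": "198.51.100.7"})            # constructed answer
    allowed = {("internal-dns", "forwarder")}                             # outbound DNS only to the forwarder
    if not strict_firewall:
        allowed.add(("internal-dns", "internet"))                         # the lax rule the text warns about
    firewall = Firewall(allowed)
    forwarder = DnsServer("forwarder", zones={}, recursion=True, internet=internet)   # caching-only, outside
    internal = DnsServer("internal-dns",
                         zones={"tacteam.net": {"www.tacteam.net": "192.168.1.10"}},   # constructed zone
                         recursion=not slave, internet=internet,
                         firewall=firewall, forwarder=forwarder)
    answers = {
        "www.tacteam.net": internal.resolve("www.tacteam.net"),            # answered from the local zone
        "www.syngress.com": internal.resolve("www.syngress.com"),          # answered via the forwarder
        "nonexistent.example": internal.resolve("nonexistent.example"),    # the forwarder fails on this one
    }
    direct_attempts = [a for a in firewall.attempts if a == ("internal-dns", "internet")]
    outside_sources = sorted({src for src, _ in internet.queries_seen})
    return answers, direct_attempts, outside_sources, forwarder.zones
```

With the slave configuration the only source ever seen on the outside is the forwarder, which holds no zone data; with recursion left enabled the internal server tries to reach the Internet itself as soon as the forwarder fails, and only the firewall rule stands between that attempt and the exposure described above.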

Solving WINS Client Ambiguity with WINS Lookup Zones

You may be in the unenviable position of supporting a heterogeneous DNS network that includes Microsoft DNS servers and BIND-based servers. The majority of your network clients are Windows clients. Some of those Windows clients use Windows 2000 DNS servers as their preferred server, and others use the BIND DNS server as their preferred server.

When the DNS clients of the Windows 2000 DNS servers attempt to resolve a NetBIOS name not included in the DNS zone database, the Windows 2000 DNS server can query a WINS server in an attempt to resolve the NetBIOS name. However, the DNS clients of the BIND server cannot resolve a name that is not included in its configured zones, and the query will fail without checking WINS.

While there are a number of solutions to this problem, such as upgrading the computer running the BIND DNS server, a particularly elegant one is to use a dedicated zone that will be used for WINS server referrals.

Setting Up a Dedicated Zone for WINS Referrals

For example, our domain tacteam.net uses Windows 2000 DNS servers and BSD DNS servers. The BSD server cannot forward requests to a WINS server for name resolution. What we can do is create a new domain, such as wins.tacteam.net, and configure that domain to be the one that performs all WINS server referrals.

On the Windows 2000 DNS server, we create the new zone wins.tacteam.net and enable it to perform WINS lookups as shown in Figure 7.25. On the BIND server, we create the wins.tacteam.net zone and then create a delegation so that the requests for wins.tacteam.net are sent to the Windows 2000 DNS server.

Figure 7.24 DNS slave and forwarder protecting the internal DNS zone information. (Diagram: the DNS client sends its query to the forwarding (slave) DNS server; the forwarding server sends the request to the forwarder on the outside of the firewall; the forwarder makes direct contact with the Internet DNS servers (root, com, and microsoft); the forwarder sends the query result to the forwarding DNS server, which sends the result to the DNS client.)

To make this work, we need to configure the DNS clients correctly. The procedure is a little different, depending on whether you use Windows 9x, Windows NT, or Windows 2000 DNS clients. The goal here is to configure a list of domain names that are appended to unqualified DNS requests. Figure 7.26 shows how we configure the list in our present situation on a Windows 2000 DNS client.

The key is to put the wins.tacteam.net "WINS resolution zone" at the bottom of the list. This allows you to search for clients with a legitimate resource record in a number of domains first before querying a WINS server.

When a DNS client in the tacteam.net domain sends an unqualified query to its Preferred DNS server, it will likely append the tacteam.net domain suffix to the end of the request. So, if the request was for Excalibur, the request would be made fully qualified by sending it for Excalibur.tacteam.net. If Excalibur were not in the zone database, the DNS server would send the request to WINS for resolution and return the answer as Excalibur.tacteam.net.

If another client in west.tacteam.net sent the same query to its Preferred DNS server, and that server successfully performed a WINS referral, the returned answer would be Excalibur.west.tacteam.net.

Figure 7.25 Configuring the wins.tacteam.net zone to perform WINS referrals.


By disabling WINS lookups from all zones except the wins.tacteam.net zone, all queries that are resolved via a WINS lookup will be resolved as wins.tacteam.net. This eliminates the ambiguity of how the name was resolved, and its domain membership.

To make this solution work best, you should disable WINS lookups for all other domains. Only the WINS lookup domain should be capable of querying a WINS server.
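The following added example (written for this section; not code from the book or from Windows) models a Windows 2000 DNS server with per-zone WINS lookup and a client that walks its DNS suffix search list in order. It reproduces the Excalibur ambiguity when every zone refers misses to WINS, and shows that with WINS lookup enabled only on wins.tacteam.net, placed last in each suffix list, both clients get the same unambiguous answer while names with a real resource record (www.tacteam.net) are still found first. The addresses and the www and ftp records are constructed.

```python
"""Model of DNS suffix search lists and per-zone WINS lookup (constructed example)."""
from typing import Dict, List, Optional, Tuple


class Zone:
    def __init__(self, name: str, records: Dict[str, str], wins_lookup: bool):
        self.name = name.lower()
        self.records = {k.lower(): v for k, v in records.items()}   # host label -> address
        self.wins_lookup = wins_lookup                               # may this zone refer misses to WINS?


class Win2kDnsServer:
    def __init__(self, zones: List[Zone], wins_database: Dict[str, str]):
        self.zones = sorted(zones, key=lambda z: -len(z.name))      # longest zone name matches first
        self.wins = {k.upper(): v for k, v in wins_database.items()}  # NetBIOS name -> address

    def query(self, fqdn: str) -> Optional[str]:
        fqdn = fqdn.lower()
        for zone in self.zones:
            if fqdn.endswith("." + zone.name):
                host = fqdn[: -len(zone.name) - 1]
                if host in zone.records:
                    return zone.records[host]
                # Miss inside an authoritative zone: only a WINS-enabled zone asks WINS.
                return self.wins.get(host.upper()) if zone.wins_lookup else None
        return None   # not authoritative; recursion is outside this model


def resolve_unqualified(server: Win2kDnsServer, name: str, suffix_list: List[str]) -> Optional[Tuple[str, str]]:
    """Append each suffix in order, as the client does, and report the FQDN that answered."""
    for suffix in suffix_list:
        fqdn = f"{name}.{suffix}"
        address = server.query(fqdn)
        if address is not None:
            return fqdn, address
    return None


WINS_DB = {"EXCALIBUR": "192.168.1.42"}                      # constructed NetBIOS registration
DNS_RECORDS = {"tacteam.net": {"www": "192.168.1.10"},       # constructed zone contents
               "west.tacteam.net": {"ftp": "192.168.2.10"}}


def ambiguous_setup():
    """Every zone performs WINS lookups: the same machine appears under two domain names."""
    server = Win2kDnsServer([Zone("tacteam.net", DNS_RECORDS["tacteam.net"], True),
                             Zone("west.tacteam.net", DNS_RECORDS["west.tacteam.net"], True)], WINS_DB)
    dallas = resolve_unqualified(server, "Excalibur", ["tacteam.net"])
    west = resolve_unqualified(server, "Excalibur", ["west.tacteam.net"])
    return dallas, west


def referral_zone_setup():
    """Only wins.tacteam.net performs WINS lookups, and it sits last in every suffix list."""
    server = Win2kDnsServer([Zone("tacteam.net", DNS_RECORDS["tacteam.net"], False),
                             Zone("west.tacteam.net", DNS_RECORDS["west.tacteam.net"], False),
                             Zone("wins.tacteam.net", {}, True)], WINS_DB)
    dallas = resolve_unqualified(server, "Excalibur", ["tacteam.net", "wins.tacteam.net"])
    west = resolve_unqualified(server, "Excalibur", ["west.tacteam.net", "tacteam.net", "wins.tacteam.net"])
    www = resolve_unqualified(server, "www", ["tacteam.net", "wins.tacteam.net"])
    return dallas, west, www
```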

Interoperability Problems

The Windows 2000 DNS Server is a powerful, standards-based DNS server solution both for Windows 2000-only networks and for heterogeneous networks that contain downlevel clients and DNS servers. However, if you are running a mixed environment, you need to be aware of some limitations and issues that can crop up.

Figure 7.26 DNS client configuration of DNS suffixes appended to unqualified requests.

WINS and WINS-R Incompatibility with BIND Servers

If you have zones that employ WINS and WINS-R resolution, you may have problems with zone transfer to DNS servers that do not support the WINS and WINS-R resource records. BIND DNS servers do not support these resource records and may choke during a zone transfer from a Windows 2000 or Windows NT DNS server. You can prevent problems by configuring the Windows DNS server not to replicate the WINS records, as seen in Figure 7.27. You get to this dialog box by right-clicking the zone of interest, and then clicking the WINS tab.

Figure 7.27 Preventing the replication of the WINS resource records.

To prevent the replication of a WINS-R record, you need to know where the WINS-R record is located. That's right, it is located in the reverse lookup zone. Right-click the reverse lookup zone that is participating in the zone transfer, click Properties, and click the WINS-R tab, as seen in Figure 7.28.

For both the WINS and the WINS-R record, you must place a check mark in the check box for "Do not replicate this record" to prevent replication of the record during a zone transfer.

While we're here, did you notice something interesting in Figure 7.28? There is a text box that allows you to configure the domain name returned when you issue reverse lookups. If you have a WINS referral domain configured, you should enter the name of that domain in the text box.

As we mentioned earlier, if you have BIND Secondaries, they will not be able to support the fast transfer method of zone transfer. Fast transfer can be turned off via the Advanced tab in the zone's Properties sheet.

A DNS server must be able to support SRV records in order to participate in a Windows 2000 DNS solution. This is because the domain locator uses DNS to identify the location of the domain controllers on the network. BIND versions earlier than 8.x do not support SRV records, and therefore should be upgraded to a later version of BIND, or better, upgraded to Windows 2000 DNS servers.

If your DNS server does not support dynamic updates, such as Windows NT 4.0 DNS or BIND 4.x, you must include the SRV records that are needed to support the use of Active Directory. You can find these records, which you must manually enter into the downlevel DNS server, at:

%system_root%\system32\config\netlogon.dns

Figure 7.28 The WINS-R tab in the reverse lookup zone's Properties sheet.

The contents of the file look like this:

tacteam.net 600 IN A 192.168.1.185
_ldap._tcp.tacteam.net 600 IN SRV 0 100 389 CONSTELLATION.tacteam.net.
_ldap._tcp.pdc._msdcs.tacteam.net 600 IN SRV 0 100 389 CONSTELLATION.tacteam.net.
_ldap._tcp.a8601abf-4067-4919-8c0b-df02d9f90a6d.domains._msdcs.tacteam.net 600 IN SRV 0 100 389 CONSTELLATION.tacteam.net.
dee92009-f0b8-42a8-9e0d-7b063b6a2e43._msdcs.tacteam.net 600 IN CNAME CONSTELLATION.tacteam.net.
_kerberos._tcp.dc._msdcs.tacteam.net 600 IN SRV 0 100 88 CONSTELLATION.tacteam.net.
_ldap._tcp.dc._msdcs.tacteam.net 600 IN SRV 0 100 389 CONSTELLATION.tacteam.net.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.tacteam.net 600 IN SRV 0 100 88 CONSTELLATION.tacteam.net.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.tacteam.net 600 IN SRV 0 100 389 CONSTELLATION.tacteam.net.
_kerberos._tcp.Default-First-Site-Name._sites.tacteam.net 600 IN SRV 0 100 88 CONSTELLATION.tacteam.net.
_ldap._tcp.gc._msdcs.tacteam.net 600 IN SRV 0 100 3268 CONSTELLATION.tacteam.net.
gc._msdcs.tacteam.net 600 IN A 192.168.1.185
_gc._tcp.tacteam.net 600 IN SRV 0 100 3268 CONSTELLATION.tacteam.net.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.tacteam.net 600 IN SRV 0 100 3268 CONSTELLATION.tacteam.net.
_gc._tcp.Default-First-Site-Name._sites.tacteam.net 600 IN SRV 0 100 3268 CONSTELLATION.tacteam.net.
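Entering these records by hand into a downlevel server invites transcription errors, so a check that parses netlogon.dns-style lines and verifies the locator records is useful before and after the manual entry. The block below is an added example written for this section, not code from the book or from Windows: it parses the listing above (embedded as sample input), requires the SRV names and ports shown in that listing (a subset chosen here, not Microsoft's complete list), and confirms each SRV target has an address record either in the file or among host names you pass in. The mistyped port in the audit function is constructed.

```python
"""Parse netlogon.dns-style records and check the domain locator SRV entries (constructed example)."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Sample input: the netlogon.dns listing from the chapter.
NETLOGON_DNS = """\
tacteam.net 600 IN A 192.168.1.185
_ldap._tcp.tacteam.net 600 IN SRV 0 100 389 CONSTELLATION.tacteam.net.
_ldap._tcp.pdc._msdcs.tacteam.net 600 IN SRV 0 100 389 CONSTELLATION.tacteam.net.
_ldap._tcp.a8601abf-4067-4919-8c0b-df02d9f90a6d.domains._msdcs.tacteam.net 600 IN SRV 0 100 389 CONSTELLATION.tacteam.net.
dee92009-f0b8-42a8-9e0d-7b063b6a2e43._msdcs.tacteam.net 600 IN CNAME CONSTELLATION.tacteam.net.
_kerberos._tcp.dc._msdcs.tacteam.net 600 IN SRV 0 100 88 CONSTELLATION.tacteam.net.
_ldap._tcp.dc._msdcs.tacteam.net 600 IN SRV 0 100 389 CONSTELLATION.tacteam.net.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.tacteam.net 600 IN SRV 0 100 88 CONSTELLATION.tacteam.net.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.tacteam.net 600 IN SRV 0 100 389 CONSTELLATION.tacteam.net.
_kerberos._tcp.Default-First-Site-Name._sites.tacteam.net 600 IN SRV 0 100 88 CONSTELLATION.tacteam.net.
_ldap._tcp.gc._msdcs.tacteam.net 600 IN SRV 0 100 3268 CONSTELLATION.tacteam.net.
gc._msdcs.tacteam.net 600 IN A 192.168.1.185
_gc._tcp.tacteam.net 600 IN SRV 0 100 3268 CONSTELLATION.tacteam.net.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.tacteam.net 600 IN SRV 0 100 3268 CONSTELLATION.tacteam.net.
_gc._tcp.Default-First-Site-Name._sites.tacteam.net 600 IN SRV 0 100 3268 CONSTELLATION.tacteam.net.
"""

# Locator records required here, with the port each service is expected to advertise.
REQUIRED_SRV = {
    "_ldap._tcp.{d}": 389,
    "_ldap._tcp.dc._msdcs.{d}": 389,
    "_ldap._tcp.pdc._msdcs.{d}": 389,
    "_kerberos._tcp.dc._msdcs.{d}": 88,
    "_ldap._tcp.gc._msdcs.{d}": 3268,
    "_gc._tcp.{d}": 3268,
}


def parse_records(text: str) -> List[Dict]:
    """Parse 'owner ttl IN type rdata...' lines; names are normalised to lower case without the trailing dot."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue                      # blank line, comment, or not a record
        owner, ttl, _, rtype, *rdata = parts
        rec = {"owner": owner.lower().rstrip("."), "ttl": int(ttl), "type": rtype}
        if rtype == "SRV":
            prio, weight, port, target = rdata
            rec.update(priority=int(prio), weight=int(weight), port=int(port),
                       target=target.lower().rstrip("."))
        else:
            rec["rdata"] = " ".join(rdata).lower().rstrip(".")
        records.append(rec)
    return records


def check_locator_records(records: List[Dict], domain: str, known_hosts: Set[str] = frozenset()) -> List[str]:
    """Report missing SRV records, unexpected ports, and SRV targets with no address record."""
    problems = []
    by_owner = defaultdict(list)
    for r in records:
        by_owner[r["owner"]].append(r)
    addressable = {r["owner"] for r in records if r["type"] == "A"} | {h.lower() for h in known_hosts}
    for pattern, port in REQUIRED_SRV.items():
        owner = pattern.format(d=domain.lower())
        srvs = [r for r in by_owner.get(owner, []) if r["type"] == "SRV"]
        if not srvs:
            problems.append(f"missing SRV record {owner}")
            continue
        for r in srvs:
            if r["port"] != port:
                problems.append(f"{owner}: port {r['port']}, expected {port}")
            if r["target"] not in addressable:
                problems.append(f"{owner}: target {r['target']} has no A record")
    return problems


def audit_sample() -> Tuple[List[str], List[str]]:
    """Check the listing as-is, then a copy with one constructed transcription error (wrong GC port)."""
    hosts = {"constellation.tacteam.net"}   # the DC's own A record lives in the zone, not in netlogon.dns
    good = check_locator_records(parse_records(NETLOGON_DNS), "tacteam.net", hosts)
    mistyped = NETLOGON_DNS.replace("_gc._tcp.tacteam.net 600 IN SRV 0 100 3268",
                                    "_gc._tcp.tacteam.net 600 IN SRV 0 100 389")
    bad = check_locator_records(parse_records(mistyped), "tacteam.net", hosts)
    return good, bad
```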

A Windows NT 4.0 DNS server with Service Pack 4 will support SRV records. However, we recommend upgrading to Windows 2000 rather than manually configuring the downlevel DNS server.

DHCP and Resource Record Updates

If you are using a mixed environment of Windows 2000 and downlevel DHCP servers, be aware that the non-Windows 2000 DHCP server will not update address records on the Windows 2000 DNS server. If you have a mix of Windows 2000 and downlevel DHCP servers, this can create a problem whereby some of the DHCP clients will have their resource records updated for them, while others will not be included in the DNS zone database. The Windows 2000 DNS clients can update their own resource records, but if you have downlevel DNS clients assigned IP addressing information from a downlevel DHCP server, there is no mechanism to allow these clients to update their DNS address information. The only solution to this problem is to update either the DNS clients

nslookup

The nslookup utility allows you to test and query your DNS server's zone databases. Nslookup actually works in two modes: interactive and command mode. Command mode is used when you only want to do a single query. For example, if you type the command nslookup at the command prompt, your output should look like this:

C:\>nslookup
Default Server: constellation.tacteam.net
Address: 192.168.1.185
>

Posted: 13/08/2014, 12:21