Page 1: Windows Server 2003
林寶森
jeffl@ms11.hinet.net
Page 2: What Is a Domain Namespace?
Diagram: domain namespace tree with the top-level domains org and net, a sales subdomain, and Host: server1
Page 3: Overview of the DNS Query Process
• Query Types
– Iterative Query: The DNS server returns the best answer that it can provide without help from other servers
– Recursive Query: The DNS server returns a complete answer to the query, not a pointer to another DNS server
• Lookup Types
– Forward Lookup: Requires name-to-address resolution
– Reverse Lookup: Requires address-to-name resolution
Page 4: How Recursive Queries Work
A recursive query is a query made to a DNS server, in which the DNS client asks the DNS server to provide a complete answer to the query
The DNS server checks the forward lookup zone and cache for an answer to the query
Diagram: Computer1 sends a recursive query for mail1.nwtraders.com to the Local DNS Server, which consults its Database and returns the answer 172.16.64.11
Page 5: How Iterative Queries Work
An iterative query is a query made to a DNS server in which the DNS client requests the best answer that the DNS server can provide without seeking further help from other DNS servers. The result of an iterative query is often a referral to another DNS server lower in the DNS tree
Diagram: iterative queries and referrals for a name in nwtraders.com
Page 6: How Root Hints Work
Root hints are DNS resource records stored on a DNS server that list the IP addresses for the DNS root servers
Diagram: Computer1 queries the DNS Server, which uses its root hints to contact the InterNIC Root (.) Servers and is referred on to the com servers
Page 7: How Forwarders Work
A forwarder is a DNS server designated by other internal DNS servers to forward queries for resolving external or offsite DNS domain names
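The following simulation is an added example, not material from the slides or from Windows DNS itself. It models the query types of pages 3 to 7: an iterative query returns only what one server knows (an answer, a referral lower in the tree, or a referral to the root hints), a recursive query walks those referrals until it has a complete answer, and a server with a forwarder hands the whole job to that forwarder. The server names, the corp.local zone and 192.168.1.10 are constructed; mail1.nwtraders.com and 172.16.64.11 are taken from page 4.

```python
# Added example (not from the slides): a small simulation of iterative queries,
# recursive queries, root hints and a forwarder. Server names, zones and the
# address 192.168.1.10 are constructed for the demo; mail1.nwtraders.com and
# 172.16.64.11 are taken from the slides.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Server:
    """One DNS server: the zones it is authoritative for, the child zones it
    delegates, its root hints, an optional forwarder and a simple cache."""
    zones: dict = field(default_factory=dict)        # zone -> {owner name: address}
    delegations: dict = field(default_factory=dict)  # child zone -> server holding it
    root_hints: list = field(default_factory=list)   # servers for the root (.) zone
    forwarder: Optional[str] = None                  # server that resolves on our behalf
    cache: dict = field(default_factory=dict)        # name -> address


def _longest_match(qname, names):
    """Longest zone name that qname equals or falls under (None if no match)."""
    best = None
    for name in names:
        if qname == name or qname.endswith("." + name):
            if best is None or len(name) > len(best):
                best = name
    return best


def iterative_query(servers, server_name, qname):
    """Best answer this server can give without asking any other server:
    ('answer', address), ('referral', next server) or ('nxdomain', None)."""
    srv = servers[server_name]
    zone = _longest_match(qname, srv.zones)
    if zone is not None and qname in srv.zones[zone]:
        return ("answer", srv.zones[zone][qname])
    child = _longest_match(qname, srv.delegations)
    if child is not None:                 # referral lower in the DNS tree
        return ("referral", srv.delegations[child])
    if zone is not None:                  # authoritative, but the name does not exist
        return ("nxdomain", None)
    if srv.root_hints:                    # nothing local: start at the root servers
        return ("referral", srv.root_hints[0])
    return ("nxdomain", None)


def recursive_query(servers, server_name, qname, trace=None, max_hops=8):
    """Complete answer (address, or None) as a recursive DNS server returns it.
    `trace` collects the servers consulted, in order."""
    if trace is None:
        trace = []
    srv = servers[server_name]
    if qname in srv.cache:
        trace.append(server_name + " (cache)")
        return srv.cache[qname]
    if srv.forwarder is not None:         # hand the whole query to the forwarder
        trace.append(server_name + " -> forwarder")
        answer = recursive_query(servers, srv.forwarder, qname, trace, max_hops)
    else:                                 # walk the referrals with iterative queries
        answer, current = None, server_name
        for _ in range(max_hops):
            trace.append(current)
            kind, value = iterative_query(servers, current, qname)
            if kind == "answer":
                answer = value
                break
            if kind != "referral":        # nxdomain: stop here
                break
            current = value
    if answer is not None:
        srv.cache[qname] = answer
    return answer


def build_demo_servers():
    """Constructed topology: root, com, the nwtraders.com name server, a local
    DNS server with root hints, and a branch server that only forwards."""
    return {
        ".": Server(delegations={"com": "com-server"}),
        "com-server": Server(delegations={"nwtraders.com": "ns1.nwtraders.com"}),
        "ns1.nwtraders.com": Server(
            zones={"nwtraders.com": {"mail1.nwtraders.com": "172.16.64.11"}}),
        "local-dns": Server(
            zones={"corp.local": {"computer1.corp.local": "192.168.1.10"}},
            root_hints=["."]),
        "branch-dns": Server(forwarder="local-dns"),
    }


if __name__ == "__main__":
    servers = build_demo_servers()
    trace = []
    print(recursive_query(servers, "branch-dns", "mail1.nwtraders.com", trace))
    print(" -> ".join(trace))
```

The trace shows the difference between the roles: asked iteratively, local-dns can only point at the root, while asked recursively it follows root, com and ns1.nwtraders.com itself and caches the result, so the second recursive query for the same name never leaves the branch server.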
Page 8: What Is a DNS Zone?
Diagram: the Nwtraders domain tree with the subdomains West, South, North and Support, divided into zones
Page 9: What Are DNS Zone Types?
Page 10: Selecting Zone Data Location
Diagram: Standard Zones, Active Directory Integrated Zones, and Zone Transfer
Page 11: Configuring Standard Zones
• You can configure a DNS server to host standard primary zones, standard secondary zones, or any combination of zones
• You can designate a primary server or a secondary server as a master server for a standard secondary zone
Diagram: Primary Zone holding the Zone Information
Page 12: What Are Resource Records and Record Types?
Record type: Description
A: Resolves a host name to an IP address
PTR: Resolves an IP address to a host name
SOA: The first record in any zone file
SRV: Resolves names of servers providing services
NS: Identifies the DNS server for each zone
MX: Identifies the mail server
CNAME: Resolves an alias host name to another host name
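To make the record types concrete, here is an added example (not code from the slides) that parses a small master-format zone file containing each type from the table, looks names up the way a resolver does (following CNAME aliases, with a bound so a looping alias chain cannot spin forever), and builds the in-addr.arpa name that a reverse lookup would use. The zone text is constructed for the demo; the nwtraders.com names and 172.16.64.11 come from the slides, the other addresses and the SOA values are made up.

```python
# Added example (not from the slides): a minimal parser for a master-format zone
# file covering the record types in the table above, a lookup that follows CNAME
# aliases the way a resolver does, and the reverse-lookup name for an address.
# The zone text is constructed for the demo; the nwtraders.com names and
# 172.16.64.11 come from the slides, the other addresses are made up.

SAMPLE_ZONE = """\
$ORIGIN nwtraders.com.
$TTL 3600
@          IN SOA   ns1.nwtraders.com. hostmaster.nwtraders.com. 2003101501 900 600 86400 3600
@          IN NS    ns1.nwtraders.com.
@          IN MX    10 mail1.nwtraders.com.
ns1        IN A     172.16.64.10
mail1      IN A     172.16.64.11
www        IN CNAME server1.nwtraders.com.
server1    IN A     172.16.64.12
_ldap._tcp IN SRV   0 100 389 dc1.nwtraders.com.
dc1   600  IN A     172.16.64.20
"""


def parse_zone(text):
    """Return (owner, ttl, type, rdata) tuples. Handles $ORIGIN, $TTL, '@',
    relative owner names, an optional per-record TTL and ';' comments."""
    origin, default_ttl, records = "", 3600, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0] == "$TTL":
            default_ttl = int(fields[1])
            continue
        owner = fields.pop(0)
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = owner + "." + origin
        ttl = default_ttl
        if fields[0].isdigit():
            ttl = int(fields.pop(0))
        if fields[0] == "IN":
            fields.pop(0)
        rtype = fields.pop(0)
        records.append((owner, ttl, rtype, " ".join(fields)))
    return records


def lookup(records, name, rtype, max_aliases=8):
    """All rdata for name/rtype. If the name is only a CNAME, follow the alias
    chain (bounded, so a looping chain returns [] instead of spinning)."""
    if not name.endswith("."):
        name += "."
    for _ in range(max_aliases):
        hits = [rd for owner, _ttl, rt, rd in records if owner == name and rt == rtype]
        if hits:
            return hits
        aliases = [rd for owner, _ttl, rt, rd in records if owner == name and rt == "CNAME"]
        if not aliases:
            return []
        name = aliases[0]
    return []


def reverse_name(ipv4):
    """Owner name under which a PTR record for this address lives."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa."


def soa_serial(records):
    """Serial number from the zone's SOA record (third rdata field)."""
    soa = next(rd for _o, _t, rt, rd in records if rt == "SOA")
    return int(soa.split()[2])
```

The per-record TTL on dc1 overrides the $TTL default, and the SOA serial is what the zone transfer process later compares, so both are extracted explicitly.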
Page 13: Zone Transfer Process
• A Zone Transfer Is Initiated When
– A master DNS server sends notification of zone changes to the secondary server or servers
– The secondary server queries a master DNS server for changes to the zone file
Diagram: Zone 1 copied from the Primary Zone Database File on one DNS Server to the Secondary Zone Database File on another
Page 14: Configuring Zone Transfers
• Zone Transfer Types
– Full zone transfer (AXFR)
– Incremental zone transfer (IXFR)
• Configuring Zone Transfer Properties
Page 15: Configuring Zone Transfers
Screenshot: the Zone Transfers tab of the nwtraders.msft Properties dialog (other tabs: General, Start of Authority (SOA), Name Servers, WINS, Security), with an IP address list and Add/Remove buttons
A zone transfer sends a copy of the zone to requesting servers.
To specify secondary servers to be notified of zone updates, click Notify.
Page 16: How DNS Notify Works
A DNS notify is an update to the original DNS protocol specification that permits notification to secondary servers when zone changes occur
Diagram (Master Server, Source Server), numbered steps: a resource record is updated; the SOA serial number is updated; DNS notify is sent; zone transfer
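The notify and transfer mechanics of pages 13, 14 and 16 fit together in the following added example (not code from the slides or from the Windows DNS service): the master bumps the SOA serial on every change and keeps a bounded change history, the secondary compares serials when notified, pulls an incremental transfer (IXFR) when the history still covers its serial, and falls back to a full transfer (AXFR) otherwise. Serial comparison uses the RFC 1982 wraparound rule rather than a plain integer compare. The serial numbers, history depth and record names other than mail1.nwtraders.com / 172.16.64.11 are constructed.

```python
# Added example (not from the slides): a model of the notify / zone transfer
# cycle from pages 13, 14 and 16. Serial numbers, record names other than
# mail1.nwtraders.com / 172.16.64.11, and the history depth are constructed.
SERIAL_MODULUS = 2 ** 32


def serial_newer(a, b):
    """RFC 1982 serial-number arithmetic: is serial a later than serial b?
    Handles wraparound, so 1 is newer than 0xFFFFFFFF."""
    return a != b and (a - b) % SERIAL_MODULUS < SERIAL_MODULUS // 2


class MasterServer:
    """Holds the primary zone, bumps the SOA serial on every change, keeps a
    bounded change history for IXFR and notifies its secondaries."""

    def __init__(self, serial, records, history_depth=10):
        self.serial = serial
        self.records = dict(records)      # owner -> address (simplified zone)
        self.history = []                 # (new serial, added dict, removed dict)
        self.history_depth = history_depth
        self.secondaries = []

    def update(self, added=None, removed=()):
        """Apply a change, increment the serial, record the diff, send notify.
        Returns what each secondary did in response."""
        added = dict(added or {})
        removed_records = {n: self.records.pop(n) for n in removed if n in self.records}
        self.records.update(added)
        self.serial = (self.serial + 1) % SERIAL_MODULUS
        self.history.append((self.serial, added, removed_records))
        self.history = self.history[-self.history_depth:]
        return [sec.on_notify(self) for sec in self.secondaries]

    def axfr(self):
        """Full zone transfer: the whole zone plus its serial."""
        return self.serial, dict(self.records)

    def ixfr(self, since_serial):
        """Incremental transfer: diffs after since_serial, or None when the
        history no longer reaches back that far (caller falls back to AXFR)."""
        if since_serial == self.serial:
            return []
        diffs = [h for h in self.history if serial_newer(h[0], since_serial)]
        contiguous = bool(diffs) and (diffs[0][0] - since_serial) % SERIAL_MODULUS == 1
        return diffs if contiguous else None


class SecondaryServer:
    """Holds a copy of the zone and refreshes it when notified."""

    def __init__(self):
        self.serial = None
        self.records = {}
        self.log = []                     # (master serial seen, action taken)

    def on_notify(self, master):
        """Compare serials; pull IXFR if possible, AXFR otherwise."""
        if self.serial is not None and not serial_newer(master.serial, self.serial):
            action = "up to date"
        else:
            diffs = None if self.serial is None else master.ixfr(self.serial)
            if diffs is None:
                self.serial, self.records = master.axfr()
                action = "AXFR"
            else:
                for new_serial, added, removed in diffs:
                    for name in removed:
                        self.records.pop(name, None)
                    self.records.update(added)
                    self.serial = new_serial
                action = "IXFR"
        self.log.append((master.serial, action))
        return action
```

A secondary that has been unreachable longer than the master's history depth cannot be brought up to date incrementally, which is why the fallback to AXFR matters; the same serial comparison is also what lets a secondary ignore a notify for a zone it already has.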
Page 17: Configuring AD Integrated Zones
• Active Directory Integrated Zone Data Is
– Stored as an Active Directory object
– Replicated as part of domain replication
Diagram: the Active Directory Integrated Zone for contoso.com held in Active Directory on each DNS Server
Page 18: What Are Directory Partitions?
The Active Directory Database contains:
– Definitions and rules for creating and manipulating objects and attributes (schema partition)
– Information about the Active Directory structure (configuration partition)
– Information about specific objects (domain partition)
– Information about applications (application partition)
Page 19: Selecting a Partition
Diagram: partitions an Active Directory integrated zone can be stored in: Forest Application partition, Domain Application partition, or Domain Partition
Page 20: Configuring Dynamic Updates
• DNS Dynamic Update Protocol
– Allows clients to automatically update DNS servers
– Can be used in conjunction with DHCP
Diagram: Computer1 (192.168.120.133) and the DHCP Server. DHCP updates the reverse resource record for Windows 2000, XP and 2003 clients, and both resource records for other clients
Page 21: Securing Dynamic Updates
Screenshot: the General tab of the nwtraders.msft Properties dialog (Status: Running; Type: Active Directory-integrated; data is stored in Active Directory). The "Allow dynamic updates?" setting is "Only secure updates". To set aging/scavenging properties, click Aging.
Diagram: Secure Dynamic Updates with an Active Directory Integrated Zone
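The effect of the "Only secure updates" setting can be seen in the following added example, which is a simplified model written for this page and not code from the slides or from Windows. In a real Active Directory integrated zone the client is authenticated with Kerberos (GSS-TSIG) and the record object in the directory carries an ACL naming its creator; the model keeps only the resulting rule, that a record may be changed by the principal that created it or by a designated admin, and contrasts it with a zone that accepts unauthenticated updates. The principal names, the DHCPSERVER$ admin and the 10.9.9.9 address are constructed; Computer1 and 192.168.120.133 are from page 20.

```python
# Added example (not from the slides): a simplified model of the "Only secure
# updates" setting. Real Windows secure dynamic update authenticates the client
# with Kerberos (GSS-TSIG) and stores an ACL on the record object in Active
# Directory; this model keeps just the ownership rule. Principal names and the
# 10.9.9.9 address are constructed; Computer1 / 192.168.120.133 are from the slides.


class DynamicUpdateZone:
    """Accepts or refuses dynamic updates according to the zone's update policy."""

    def __init__(self, secure_only=True, admins=()):
        self.secure_only = secure_only
        self.admins = set(admins)        # principals allowed to change any record
        self.records = {}                # name -> {"address": ..., "owner": principal}
        self.audit = []                  # (result, name, principal, reason)

    def update(self, name, address, principal=None):
        """principal=None models an unauthenticated (nonsecure) update packet."""
        if self.secure_only and principal is None:
            return self._refuse(name, principal, "unauthenticated update refused")
        existing = self.records.get(name)
        if (existing is not None and self.secure_only
                and principal != existing["owner"] and principal not in self.admins):
            return self._refuse(name, principal, "not the record owner")
        # the creator stays the owner even when an admin changes the record
        owner = existing["owner"] if existing is not None else principal
        self.records[name] = {"address": address, "owner": owner}
        self.audit.append(("OK", name, principal, "updated"))
        return True

    def _refuse(self, name, principal, reason):
        self.audit.append(("REFUSED", name, principal, reason))
        return False

    def refusals(self):
        """Audit entries worth alerting on: repeated refusals for one name
        usually mean a misconfigured client or someone probing the zone."""
        return [entry for entry in self.audit if entry[0] == "REFUSED"]
```

The audit list is the defender's view: with secure updates on, a host that is not the owner leaves a refusal entry rather than silently replacing another machine's address, whereas the nonsecure zone accepts the same write without any trace of who sent it.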
Page 22: Creating a Subdomain
• Create a Subdomain to Better Organize Your Namespace
• Delegate Authority of a Subdomain To
– Delegate management of portions of the namespace
– Delegate administrative tasks of maintaining one large DNS database
Page 24: How the Time-to-Live Value Works
The Time-to-Live (TTL) value is a time-out value expressed in seconds that is included with DNS records that are returned in a DNS query
Diagram: the TTL is set on the Zone at the Authoritative DNS Server2; the records in the zone are sent to other DNS servers and clients, and each Resource Record is held in the Cache of DNS Server1 and of the DNS Client
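The TTL behaviour on this page, as an added example that is not code from the slides: a caching resolver that answers from its cache until the record's TTL runs out and hands back the remaining TTL (which is what the next cache down the chain stores). The clock is injectable so the expiry can be walked through step by step, including the case a change at the authoritative server does not reach a client until the cached copy expires. The 300-second TTL and the second address are constructed; 172.16.64.11 is from page 4.

```python
# Added example (not from the slides): a caching resolver that honours TTL.
# The clock is injectable so the expiry can be walked through deterministically.
# The 300-second TTL and 172.16.64.99 are constructed; 172.16.64.11 is from the slides.
import time


class CachingResolver:
    """Answers from cache while a record's TTL has not run out, and reports the
    remaining TTL, which is what a downstream client would receive and cache."""

    def __init__(self, authoritative, clock=time.time):
        self.authoritative = authoritative   # name -> (address, ttl seconds)
        self.clock = clock
        self.cache = {}                      # name -> (address, expiry timestamp)
        self.upstream_queries = 0            # how often we had to go upstream

    def resolve(self, name):
        """Return (address, remaining ttl, source) with source one of
        'cache', 'authoritative' or 'nxdomain'."""
        now = self.clock()
        hit = self.cache.get(name)
        if hit is not None and hit[1] > now:
            address, expiry = hit
            return address, int(expiry - now), "cache"
        self.upstream_queries += 1
        if name not in self.authoritative:
            return None, 0, "nxdomain"
        address, ttl = self.authoritative[name]
        self.cache[name] = (address, now + ttl)
        return address, ttl, "authoritative"

    def flush(self, name=None):
        """Drop one entry or the whole cache (what an admin does to force a refresh)."""
        if name is None:
            self.cache.clear()
        else:
            self.cache.pop(name, None)
```

The trade-off the slide describes is visible in the numbers: a longer TTL means fewer upstream queries, but also a longer window in which every cache still serves the old address after a change.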
Page 25: Reducing Network Traffic by Using
Page 26: How Aging and Scavenging Works
Diagram: timeline of a record's No-Refresh interval followed by its Refresh interval, after which the record can be scavenged
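The timeline on this page reduces to two pieces of date arithmetic, shown in the following added example (not code from the slides): a dynamic update that merely re-registers an existing record does not move its timestamp during the no-refresh interval, and a record becomes eligible for scavenging once its timestamp plus both intervals lies in the past. Static records, which carry no timestamp, are never scavenged. The 7-day interval lengths are assumed for the demo, and the record names and timestamps are constructed.

```python
# Added example (not from the slides): the aging/scavenging arithmetic. Interval
# lengths (7 days each, assumed for the demo) and the record timestamps are
# constructed.
from datetime import datetime, timedelta

NO_REFRESH = timedelta(days=7)   # assumed interval lengths for the demo
REFRESH = timedelta(days=7)


def refresh_timestamp(record_ts, now, no_refresh=NO_REFRESH):
    """A dynamic update that does not change the record only moves its
    timestamp once the no-refresh interval has elapsed (this is what keeps
    re-registrations from causing replication). None marks a static record."""
    if record_ts is None:
        return None
    return record_ts if now - record_ts < no_refresh else now


def scavengeable(records, now, no_refresh=NO_REFRESH, refresh=REFRESH):
    """Names whose timestamp + no-refresh + refresh interval lies at or before
    now. Static records (timestamp None) are never scavenged."""
    return sorted(name for name, ts in records.items()
                  if ts is not None and ts + no_refresh + refresh <= now)


def run_scavenge(records, now, **intervals):
    """Remove stale dynamic records in place; return the names removed."""
    stale = scavengeable(records, now, **intervals)
    for name in stale:
        del records[name]
    return stale
```

A record that is refreshed at any point before scavenging runs gets a fresh timestamp and survives, so the effective lifetime of an unrefreshed record is the sum of the two intervals plus however long it takes for the next scavenging pass.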
Page 27: What Is DNS Debug Logging?
DNS debug logging is an optional logging tool for DNS that stores the DNS information that you select
Diagram: Primary DNS Server1 and Secondary DNS Server2
Page 28
– Maintain their own DNS servers
• Two DNS Servers Recommended
– Primary name server
– Secondary name server
Page 29: DNS Namespace Options
– Same Namespace: Existing DNS Namespace nwtraders.com, Internal Namespace nwtraders.com
– Delegated Namespace: Existing DNS Namespace nwtraders.com, Internal Namespace ad.nwtraders.com
– Unique Namespace: Existing DNS Namespace nwtraders.com, Internal Namespace nwtraders.local
Page 30: Connecting DNS to the Internet
• Forwarding DNS Queries to Internet DNS Servers
• Responding to DNS Queries from the Internet
Diagram: Internal DNS Server, Firewall, Screened Subnet with External DNS Server, Firewall, Internet with Internet DNS Server
Page 31: Integrating DNS into Screened Subnets
• Zones Contain Records for Public Resources
• Configure Firewalls to Permit Appropriate DNS Traffic
• Place Only Secondary Zones
• Encrypt Replication Traffic with IPSec
Diagram: Primary DNS Zone for public.contoso.msft on the Private Network, replicated to a Secondary DNS Zone in the screened subnet
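The first bullet, that the zone in the screened subnet should contain records for public resources only, can be checked mechanically. The following added example (not code from the slides) audits a public zone's records for two leaks: A records with addresses from RFC 1918, loopback or link-local space, and CNAME, MX, NS or SRV records whose target lies in the internal namespace. The record list is constructed; public.contoso.msft and nwtraders.local are names from pages 29 and 31, and the 203.0.113.x addresses are documentation address space.

```python
# Added example (not from the slides): a check that a zone intended for the
# screened subnet only describes public resources. The record list is
# constructed; public.contoso.msft and nwtraders.local are names used on the
# slides, and 203.0.113.x is documentation address space.
import ipaddress

# Address blocks that should never appear in an Internet-facing zone.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16")]                  # loopback, link-local

INTERNAL_SUFFIXES = ("nwtraders.local.",)   # assumed internal namespace


def is_internal_address(text):
    """True if the IPv4 address falls in one of the non-routable blocks."""
    addr = ipaddress.ip_address(text)
    return any(addr in net for net in NON_ROUTABLE)


def audit_public_zone(records, internal_suffixes=INTERNAL_SUFFIXES):
    """Return (owner, finding) pairs for records that leak private addresses or
    point at names in the internal namespace. records: (owner, type, rdata)."""
    findings = []
    for owner, rtype, rdata in records:
        if rtype == "A" and is_internal_address(rdata):
            findings.append((owner, "private address in public zone"))
        elif rtype in ("CNAME", "MX", "NS", "SRV"):
            target = rdata.split()[-1]      # last rdata field is the target name
            if target.endswith(internal_suffixes):
                findings.append((owner, "points into internal namespace"))
    return findings


SAMPLE_PUBLIC_ZONE = [   # constructed public.contoso.msft records
    ("public.contoso.msft.", "NS", "ns1.public.contoso.msft."),
    ("ns1.public.contoso.msft.", "A", "203.0.113.5"),
    ("www.public.contoso.msft.", "A", "203.0.113.10"),
    ("intranet.public.contoso.msft.", "A", "10.1.2.3"),
    ("public.contoso.msft.", "MX", "10 mail.nwtraders.local."),
]

if __name__ == "__main__":
    for owner, finding in audit_public_zone(SAMPLE_PUBLIC_ZONE):
        print(f"{owner}: {finding}")
```

Running this against the primary copy on the private network before it replicates outward catches the leak at the source, which matters because the secondary in the screened subnet is the copy the Internet can query.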