Name Registration and Resolution in Windows NT
View the book table of contents
Author: Emmett Dulaney
Vijay Sankar
Sharon E. Sankar
Published: June 1999
Copyright: 1999
Publisher: 29th Street Press
 


DNS Zones
Within an organization, a DNS server is said to be authoritative for either all or a portion of the computers in that network — that is, DNS queries for these machines are addressed to that DNS server. The portion of the network(s) for which that DNS server is authoritative is called a zone. The difference between a zone and a domain is subtle, but we’ve paraphrased the best explanation we’ve found from DNS and Bind, by Paul Albitz and Cricket Liu: A zone contains the domain names and data that a domain contains, except for domain names and data that are delegated elsewhere. For example, the top-level domain ca (for Canada) may have the subdomains ab.ca, on.ca, and pq.ca, for the provinces Alberta, Ontario, and Quebec. Authority for the ab.ca, on.ca, and pq.ca domains may be delegated to organizations [i.e., other name servers] in each of the provinces. The domain ca contains all the data in ca plus all the data in ab.ca, on.ca, and pq.ca. But the zone ca contains only the data in ca. In many smaller organizations, the network domain (which usually consists of one subnetwork but could consist of more) has one zone. Larger organizations may prefer to compartmentalize their networks into multiple zones, thereby distributing authority for name resolution to multiple DNS servers (also called Domain Name Servers).

Zone divisions don’t have to follow the network topology or even the geographical layout, though they usually do. For example, if you have a global network called Company.com made up of multiple TCP/IP networks in many countries, you can create a zone called Sales.Company.com consisting of selected hosts within networks located in different countries.

At least one (but usually more than one) DNS server would be authoritative for this zone, and a computer seeking to resolve a DNS query need not necessarily contact a DNS server within its own network. (This setup is not a particularly good application of zone division. For the sake of efficiency and reduction of network traffic, it’s preferable to have authoritative name servers located as close as possible to the hosts over which they have authority.)

Special Note: A DNS server on NT can be configured as a primary name server or a secondary name server. Other DNS servers consider both primary and secondary servers to be authoritative name servers for the zone. The primary server stores configuration files. The secondary server copies information from the primary server. If you are connected to the Internet, you should have at least two DNS servers, a primary server and a secondary server, for redundancy. If your Internet connection has relatively small bandwidth, you may want to use an Internet Service Provider (ISP) for your secondary DNS server and base your primary DNS server on an NT server.

Once DNS is installed from the NT CD-ROM and you’ve registered the IP addresses of any DNS server you want to administer, you can create zones to include all the computers that can be resolved by a particular DNS server. Figures 6.9 through 6.15 illustrate how to create a zone for foretell.ca managed by the DNS server.

To create a new zone, right-click the IP address of the DNS server in the left pane of the DNS Manager window and select New Zone... as shown in Figure 6.9. (The DNS server can be a primary or a secondary server.)

When you create a new zone, make sure that you enter a trailing period after the zone name (see Figure 6.10). Otherwise, you will have problems locating hosts because the NT 4.0 DNS Wizard appends your domain name to any host name if you don’t enter that trailing period. For example, it would show a record for activeX4.eng.foretell.ca.eng.foretell.ca instead of a record for activeX4.eng.foretell.ca.

When you create a new zone, you also need to create the appropriate resource records. (Resource records help you maintain DNS configuration information.) To view a zone’s associated resource records, select a zone from the left pane of the DNS Manager. The associated resource records appear in the right pane (Figure 6.11).

In Figure 6.11, the resource records shown in the right pane tell us that alphadev.foretell.ca is the authoritative server (type SOA — statement of authority) for zone eng.foretell.ca and that zone eng.foretell.ca uses alphadev.foretell.ca as its name server (type NS — name server).

Double-clicking the SOA record entry opens the Properties dialog box shown in Figure 6.12.

The SOA record is used to refresh the cached information in secondary and other name servers. The default values supplied by NT Server’s DNS installation are appropriate for most purposes. If you configure DNS using the DNS Manager, DNS boots from the Registry. You can also copy DNS files from an existing Unix server by keeping the files in %systemroot%\system32\dns folder.

Special Note: If you have both Unix- and NT-based DNS servers, you may want to change the serial number manually. Using the date and a number to indicate the serial number is quite popular. For example, if a new host is added to DNS on October 10, 1999, the serial number could be 1999101001. If you make some other changes to the DNS database later that day, the serial number could be changed to 1999101002. The user interface in NT’s DNS Manager automatically increments the serial number with each change. So if you make a change on a later date, say October 15, 1999, the new serial number would be 1999101003 using the NT approach. If you want to associate the serial number with when you make the change, you have to manually increment it, instead of relying on DNS Manager in NT to increment it.
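The following Python functions are an added example, not code from the book: they work through the date-based serial scheme just described beside NT’s plain +1 behaviour, and add the check a practitioner wants before touching a serial by hand, namely that the new value still counts as an increase under the 32-bit serial-number arithmetic secondaries use (RFC 1982), since a secondary only transfers a zone whose serial has grown. The dates and serial values are the ones from the note above.

```python
"""SOA serial handling for the date-based scheme described in the text.

Added example (not from the book): secondaries transfer a zone only when
the primary's serial has grown, so every edit must yield a larger serial.
`next_date_serial` follows the manual YYYYMMDDnn scheme, `nt_increment`
mimics NT 4.0 DNS Manager's plain +1, and `is_valid_increase` checks a
change against RFC 1982 serial-number arithmetic (32-bit, wraps around).
"""
from datetime import date

SERIAL_MODULUS = 2 ** 32        # the SOA serial is an unsigned 32-bit field
MAX_INCREASE = 2 ** 31 - 1      # RFC 1982: an increase must be below 2**31


def _as_date(day) -> date:
    """Accept a date object or an ISO string such as '1999-10-10'."""
    return day if isinstance(day, date) else date.fromisoformat(day)


def date_serial(day, revision: int) -> int:
    """YYYYMMDDnn, with nn the change number within that day (01..99)."""
    if not 1 <= revision <= 99:
        raise ValueError("revision must be between 1 and 99")
    return int(_as_date(day).strftime("%Y%m%d")) * 100 + revision


def next_date_serial(current: int, today) -> int:
    """Manual scheme from the text: the first change of a new day gives
    YYYYMMDD01; further changes that day bump the last two digits."""
    first_today = date_serial(today, 1)
    if first_today > current:
        return first_today              # new day (or serial was not date-based)
    day_part, revision = divmod(current, 100)
    if day_part == first_today // 100 and revision < 99:
        return current + 1              # same day: next revision number
    # Serial is already ahead of today (clock was wrong earlier, or a typo
    # such as 2999...): only +1 keeps it increasing for the secondaries.
    return current + 1


def nt_increment(current: int) -> int:
    """NT 4.0 DNS Manager behaviour: add one regardless of the date."""
    return (current + 1) % SERIAL_MODULUS


def is_valid_increase(old: int, new: int) -> bool:
    """True when `new` is greater than `old` in serial-number arithmetic,
    i.e. when secondary servers will notice the change."""
    diff = (new - old) % SERIAL_MODULUS
    return 0 < diff <= MAX_INCREASE


if __name__ == "__main__":
    s = date_serial("1999-10-10", 1)                 # 1999101001
    s = next_date_serial(s, "1999-10-10")            # 1999101002
    print("NT would use", nt_increment(s))           # 1999101003
    print("manual scheme", next_date_serial(s, "1999-10-15"))  # 1999101501
    print(is_valid_increase(s, 1999101501), is_valid_increase(s, 1999101001))
```

A serial that has to go backwards (for example after a typo in the year) cannot simply be lowered, because `is_valid_increase` would fail and secondaries would keep their stale copy; check the new value with this function before saving the zone.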

Selecting Options, Preferences from the DNS Manager menu bar opens the dialog box shown in Figure 6.13.

Here, you can set the following preferences:
  • Auto Refresh Statistics — Don’t check this box if you will be managing a DNS server remotely because it will make your remote DNS Manager seem to flicker constantly.
  • Show Automatically Created Zones — This preference is not very useful because it shows automatically created zones that are of no interest to the DNS administrator (such zones as cache and root servers that the administrator never modifies).
  • Expose TTL — If checked, this option lets you modify how long a name server should cache specific name-to-address translations.

To add a new resource record, select New Record from the DNS menu to bring up the New Resource Record dialog box (Figure 6.14). From the list in the left pane, select the type of resource record you want to add. For example, to add a resource record for an alias or canonical name, select the CNAME record type as shown in Figure 6.14. In this case, we can use home.eng.foretell.ca instead of activex8.eng.foretell.ca.

In the example above, the zone file makes possible name-to-address translation in the eng.foretell.ca subdomain. However, many sites on the Internet check your IP address to see whether it belongs to a valid domain. To resolve addresses to names, we have to create a reverse zone. In this case, eng.foretell.ca uses the network number 204.112.23.0, so we need to create a reverse zone called 23.112.204.in-addr.arpa. To do so, follow the procedure for creating a forward zone except give the zone a name that consists of the network number in reverse order with .in-addr.arpa appended to it — for example, 23.112.204.in-addr.arpa. (Windows 2000 Dynamic DNS has an easier and more intuitive way of creating reverse zones — see “Dynamic DNS: Theory” later in this chapter.)

Once the forward and reverse zones are established, a number of records can be entered. NT’s DNS automatically enters the resource records in both zones.

Checking the Create Associated PTR Record check box when you add a new A (address) record updates the 23.112.204.in-addr.arpa zone as well as the eng.foretell.ca zone. When you delete a record, though, you must take care to highlight the record you want to delete. It is very easy to highlight the wrong entry and delete a needed record.
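The Python below is an added example, not code from the book or from NT’s DNS. It models three points made in this section: the trailing-period rule behind the wizard problem described when creating the zone (a name without a trailing period is relative, so the zone origin gets appended), the derivation of the in-addr.arpa zone name and the PTR owner name from the 204.112.23.0 network, and the behaviour of Create Associated PTR Record together with the fact that deleting an A record does not delete its PTR. The `ZonePair` class and its `orphaned_ptrs` check are constructed for the example; host names and addresses follow the chapter’s eng.foretell.ca example.

```python
"""Trailing-period and associated-PTR handling (added example, not from the
book).  `qualify` applies the zone-file rule that a name without a trailing
period is relative to the origin; `reverse_zone_name` and `ptr_name` derive
in-addr.arpa names; `ZonePair` keeps forward and reverse records the way DNS
Manager does: adding an A record can create its PTR, deleting an A record
leaves the PTR behind, and `orphaned_ptrs` finds what was left behind."""
import ipaddress


def qualify(name: str, origin: str) -> str:
    """Return `name` as an absolute name ending in '.'."""
    if not origin.endswith("."):
        raise ValueError("origin must be absolute (end with a period)")
    if name == "@":
        return origin
    if name.endswith("."):
        return name                      # already absolute: used as typed
    return f"{name}.{origin}"            # relative: the origin is appended


def reverse_zone_name(network: str) -> str:
    """in-addr.arpa zone for a whole-octet IPv4 network (/8, /16 or /24)."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 IPv4 networks are supported")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_name(address: str) -> str:
    """Owner name of the PTR record for one IPv4 address."""
    return ipaddress.ip_address(address).reverse_pointer + "."


class ZonePair:
    """A forward zone and its reverse zone, kept in step as DNS Manager does."""

    def __init__(self, origin: str, network: str):
        self.origin = origin
        self.reverse = reverse_zone_name(network)
        self.a_records = {}      # fqdn -> address
        self.ptr_records = {}    # PTR owner name -> fqdn

    def add_a(self, host: str, address: str, create_ptr: bool = True) -> str:
        """Add an A record; with create_ptr the matching PTR is added too."""
        fqdn = qualify(host, self.origin)
        self.a_records[fqdn] = address
        if create_ptr:
            owner = ptr_name(address)
            if not owner.endswith("." + self.reverse):
                raise ValueError(f"{address} lies outside {self.reverse}")
            self.ptr_records[owner] = fqdn
        return fqdn

    def delete_a(self, host: str) -> None:
        """Delete the A record only; the PTR stays, as on NT 4.0."""
        del self.a_records[qualify(host, self.origin)]

    def orphaned_ptrs(self) -> list:
        """PTR records whose target no longer has an A record: the stale
        entries to clean up by hand after deleting address records."""
        return sorted(o for o, f in self.ptr_records.items()
                      if f not in self.a_records)

    def zone_lines(self) -> list:
        """Both zones as resource-record lines in master-file form."""
        lines = [f"{n} IN A {a}" for n, a in sorted(self.a_records.items())]
        lines += [f"{o} IN PTR {f}" for o, f in sorted(self.ptr_records.items())]
        return lines


if __name__ == "__main__":
    print(qualify("activeX4.eng.foretell.ca", "eng.foretell.ca."))  # wizard mistake
    z = ZonePair("eng.foretell.ca.", "204.112.23.0/24")
    z.add_a("activex8", "204.112.23.8")
    z.delete_a("activex8")
    print("\n".join(z.zone_lines()))
    print("orphaned:", z.orphaned_ptrs())
```

Running `orphaned_ptrs` over a reverse zone after a round of deletions is the quickest way to find the stale pointer records that the deletion behaviour described above leaves behind.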

Special Note: Before Service Pack 3 in NT 4.0, we experienced difficulties creating pointer records at the same time as Hosts (or address (A)) records. Sometimes the reverse zone was updated, sometimes it wasn’t. Sometimes the cache directory instead of the reverse zone was updated and sometimes neither was updated! The performance was capricious at best. Therefore, it’s best to apply Service Pack 3 (or later), unless you want to enter the pointer records manually.

Another important DNS entry is the MX record, shown in Figure 6.15, which specifies the name of the mail server. MX records are used to resolve queries about individual mail recipients. If you have more than one mail server and prefer mail delivery through one particular server — perhaps for security reasons — you can enter a preference value on the preferred mail server that is higher than the preference value for any other mail server. Using the same preference value on all servers distributes incoming mail more or less equally across different mail servers.

In Figure 6.15, we are assigning a Preference Number of 20 to mail.eng.foretell.ca. We’ve assigned another mail server, privatemail.eng.foretell.ca, a preference number of 10. The host privatemail.eng.foretell.ca can be set up so that it communicates only with mail.eng.foretell.ca. This can be done by setting up restrictions on your enterprise router or through your firewall. This configuration forces the other mail servers to use mail.eng.foretell.ca, which in turn will exchange the mail with privatemail.eng.foretell.ca, setting up a more secure configuration.

Once these preference and record changes are updated, the DNS Manager looks like that shown in Figure 6.16.

You should consider two more points when configuring DNS:
  • If you delete a record, the associated pointer record is not deleted.
  • Unless you use the Update Server Data Files menu item from the DNS Manager, the files don’t get updated immediately. They are written to disk only when a DNS server is stopped and restarted or if the DNS Manager is shut down.

Migration from Unix-based Name Servers
In some ways, using a Unix-based name server is easier than using NT’s DNS because the entries are made in text files and the process is controlled manually. However, the problems of integrating with Windows NT Directory Services and remote management make it worthwhile to consider migrating to NT-based DNS.

To use zone files from a Unix server, you must first install DNS. By default, DNS on NT uses the Registry to boot. To use the named.boot file used in Unix, delete the value EnableRegistryBoot from the Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters.

You also need to copy the Unix files to %systemroot%\system32\DNS. Rename the named.boot file to a file called boot to let NT’s DNS server use the named.boot file and related zone files. Then restart DNS.

Integration with Unix-based DNS Servers
Older versions of BIND (before version 4.9.4) may not copy zone information from NT’s DNS properly. As a result, you may not be able to have a Unix-based DNS server as a secondary server. To allow this, consider adding the value BindSecondaries (type REG_DWORD) to the Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters, and setting the value to 1.

If you are using boot files copied from a Unix computer, add the directive BindSecondaries to the Boot file. This entry allows a single resource record to be copied per message.
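As an added example (not code from the book or from NT), the Python below performs the checks worth running on a Unix named.boot file before it is copied over as NT’s boot file, covering both the migration steps and the BindSecondaries directive above: it parses the BIND 4 boot directives, lists the zone files they reference, reports which are missing from the directory about to be copied to %systemroot%\system32\DNS, and renders the boot file text with BindSecondaries appended when it is absent. The sample named.boot, the staging directory and the zone file names are constructed for the example, and the assumption that every directive is copied through unchanged (including the Unix `directory` line, which you should review for the NT path) is the example’s own.

```python
"""Pre-migration check of a Unix named.boot file (added example, not from
the book).  Parses BIND 4 boot directives, finds the zone files they name,
reports which are missing from the staging directory, and renders NT's
`boot` file with the BindSecondaries directive added when it is absent.
The sample boot file and staging directory are constructed here."""
import ipaddress
import os
import tempfile

SAMPLE_NAMED_BOOT = """\
; constructed sample, BIND 4 named.boot syntax
directory   /var/named
cache       .                         db.cache
primary     eng.foretell.ca           db.eng.foretell.ca
primary     23.112.204.in-addr.arpa   db.204.112.23
secondary   foretell.ca  204.112.23.1 db.foretell.ca
"""


def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_named_boot(text: str):
    """Return (directives, zone_files): directives as token lists, and the
    file names that primary, secondary and cache directives refer to."""
    directives, files = [], []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()       # ';' starts a comment
        if not line:
            continue
        tokens = line.split()
        directives.append(tokens)
        if tokens[0] in ("primary", "cache") and len(tokens) >= 3:
            files.append(tokens[2])
        elif (tokens[0] == "secondary" and len(tokens) >= 3
              and not _is_ip(tokens[-1])):
            files.append(tokens[-1])              # backup file, if one is named
    return directives, files


def missing_zone_files(files, staging_dir: str):
    """Zone files the boot file references that are not in staging_dir."""
    return [f for f in files if not os.path.isfile(os.path.join(staging_dir, f))]


def nt_boot_text(directives, add_bind_secondaries: bool = True) -> str:
    """Render NT's `boot` file; BindSecondaries is appended when requested and
    not already present (needed for pre-4.9.4 BIND secondaries, per the text)."""
    lines = [" ".join(d) for d in directives]
    if add_bind_secondaries and not any(d[0] == "BindSecondaries" for d in directives):
        lines.append("BindSecondaries")
    return "\n".join(lines) + "\n"


def check_migration(staging_dir: str, boot_text: str = SAMPLE_NAMED_BOOT):
    """One-shot check: returns (missing zone files, rendered boot text)."""
    directives, files = parse_named_boot(boot_text)
    return missing_zone_files(files, staging_dir), nt_boot_text(directives)


def demo():
    """Staging directory holding only two of the four referenced zone files."""
    staging = tempfile.mkdtemp()
    for name in ("db.cache", "db.eng.foretell.ca"):
        with open(os.path.join(staging, name), "w") as fh:
            fh.write("; placeholder zone file (constructed)\n")
    return check_migration(staging)


if __name__ == "__main__":
    missing, boot = demo()
    print("missing zone files:", missing)
    print(boot)
```

Run `check_migration` against the real directory you intend to copy; an empty `missing` list means the renamed boot file will find every zone it refers to after the Registry value is removed and the service restarted.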

Enabling WINS Lookup
Even if you don’t have Windows 2000 Server’s dynamic DNS, you can make name resolution easier using DNS and WINS servers together. The main point here is that your DHCP servers may be configuring client computers with IP addresses that are not guaranteed to be in sequence (computer1 will not necessarily receive 10.0.0.1 and computer2 10.0.0.2), so it is difficult to enter them manually in a DNS server.

At the same time, because WINS servers automatically get the names and IP addresses of all WINS clients, a WINS server can be used to provide information to the DNS server. As a result, host names can be resolved automatically through DNS servers, and NetBIOS names can be resolved through the WINS server.

This setup is called WINS lookup; you can configure it by right-clicking the zone, selecting Properties, switching to the WINS Lookup tab, and checking Use WINS Resolution (Figure 6.17).

Setting the zone properties as shown in Figure 6.18 results in the following sequence of events:
  1. The DNS server looks at its resource record for a name.
  2. If the name is not found, the WINS server is queried. If more than one WINS server is specified, they will be queried in the order listed.
  3. The response from the WINS server is cached, and the answer provided to the DNS client.

A reverse WINS lookup is also possible to provide names for given IP addresses. Right-click the reverse zone, select Properties, switch to the WINS Lookup tab, and check Use WINS Resolution. If you perform a reverse lookup using WINS, you also have an additional record of type WINS-R in the reverse zone, as shown in Figure 6.18.

To configure the Cache Timeout Value and the Lookup Timeout Value, click Advanced on the WINS Lookup tab (Figure 6.17) to bring up the dialog box shown in Figure 6.19.

With the settings shown in Figure 6.19, the DNS server will keep the address obtained from a WINS server for 10 minutes. It also will wait for one second before giving up on a WINS server that is not responding.
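The Python below is an added example (not code from the book or from NT’s DNS) that simulates the three-step WINS lookup sequence listed above together with the two timeouts from Figure 6.19: the zone’s own records are consulted first, then each listed WINS server in order with a one-second lookup timeout, and a WINS answer is cached for 10 minutes. The WINS servers and the clock are constructed fakes so the sequence can be stepped through offline; the names are from the chapter’s examples.

```python
"""Simulation of NT DNS's WINS-lookup sequence (added example, not from the
book): (1) the zone's own resource records, (2) the listed WINS servers in
order, each given the lookup timeout, (3) a WINS answer cached for the cache
timeout.  WINS servers and the clock are constructed fakes."""
import time


class ManualClock:
    """A clock the caller advances by hand (seconds)."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class FakeWinsServer:
    """Stand-in for a WINS server: answers from a table after `delay` seconds."""
    def __init__(self, names, delay=0.0):
        self.names = {k.upper(): v for k, v in names.items()}
        self.delay = delay
        self.queries = 0

    def query(self, netbios_name, timeout):
        self.queries += 1
        if self.delay > timeout:
            return None               # no reply within the lookup timeout
        return self.names.get(netbios_name.upper())


class WinsLookupZone:
    """A DNS zone with WINS resolution enabled (Use WINS Resolution checked)."""
    def __init__(self, origin, records, wins_servers,
                 cache_timeout=600, lookup_timeout=1, clock=time.monotonic):
        self.origin = origin.lower()
        self.records = {k.lower(): v for k, v in records.items()}
        self.wins_servers = list(wins_servers)    # queried in listed order
        self.cache_timeout = cache_timeout        # Figure 6.19: 10 minutes
        self.lookup_timeout = lookup_timeout      # Figure 6.19: 1 second
        self.clock = clock
        self.cache = {}                           # fqdn -> (address, expiry)

    def resolve(self, fqdn):
        """Return (address, source); source is 'zone', 'cache', 'wins' or None."""
        name = fqdn.lower()
        if not name.endswith("." + self.origin):
            return None, None                     # not a name in this zone
        if name in self.records:                  # step 1: own resource records
            return self.records[name], "zone"
        cached = self.cache.get(name)
        if cached and cached[1] > self.clock():   # cached WINS answer still valid
            return cached[0], "cache"
        host = name[: -len(self.origin) - 1]      # the leftmost label only
        if "." in host:
            return None, None                     # WINS names are single labels
        for server in self.wins_servers:          # step 2: WINS servers in order
            address = server.query(host, self.lookup_timeout)
            if address:
                self.cache[name] = (address, self.clock() + self.cache_timeout)
                return address, "wins"            # step 3: cached and answered
        return None, None


if __name__ == "__main__":
    clock = ManualClock()
    slow = FakeWinsServer({}, delay=5)            # never answers in time
    good = FakeWinsServer({"computer2": "10.0.0.2"})
    zone = WinsLookupZone("eng.foretell.ca.",
                          {"alphadev.eng.foretell.ca.": "204.112.23.1"},
                          [slow, good], clock=clock)
    print(zone.resolve("computer2.eng.foretell.ca."))   # ('10.0.0.2', 'wins')
    print(zone.resolve("computer2.eng.foretell.ca."))   # ('10.0.0.2', 'cache')
    clock.now = 601
    print(zone.resolve("computer2.eng.foretell.ca."))   # ('10.0.0.2', 'wins')
```

The simulation makes the cost of the settings visible: every unresponsive WINS server listed ahead of a working one adds the full lookup timeout to each uncached query, and a long cache timeout keeps a WINS answer in DNS after the DHCP client has moved to another address.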
