Naturally, the preceding example will vary: the IP address and DNS name of the default DNS server will be your own. The > symbol is your command prompt; you are free to enter any of the parameters listed for noninteractive mode. However, you do not preface the parameters with a hyphen (-); instead, most of them are set with the set command. For example, to turn on the debug option and perform a lookup for www.microsoft.com and www.netscape.com, use the following commands:
NSLOOKUP
set debug
www.microsoft.com
www.netscape.com
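The debug option makes NSLOOKUP print the raw DNS message it sends and receives: the header (ID, flags such as qr/rd/ra, rcode) followed by the question and answer sections. The following added example (not from the book or from Microsoft's NSLOOKUP) builds such a query and parses a response in the same wire format, so you can see exactly what those debug fields mean. The response bytes are hand-constructed for www.example.com and the address 192.0.2.10 so that the code runs offline; no server is contacted.

```python
import struct

# Constructed sample: the query NSLOOKUP would send for an A record, and the
# response a recursive resolver might return (hand-assembled, runs offline).

def encode_name(name):
    """Encode a dotted hostname as DNS labels: length byte + label, zero-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def build_query(qname, qtype=1, txid=0x1234):
    """Standard query: 12-byte header with RD (recursion desired) set, one question."""
    flags = 0x0100  # QR=0 (query), OPCODE=0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QD=1, AN/NS/AR=0
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN

def decode_name(msg, offset):
    """Decode a name at offset, following compression pointers (0xC0xx).
    Returns (name, offset just past the name as written in the message)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # pointer to an earlier occurrence of the name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset

def parse_response(msg):
    """Split a DNS response into the fields NSLOOKUP shows under 'set debug'."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    result = {
        "id": txid,
        "qr": (flags >> 15) & 1,   # 1 = response
        "aa": (flags >> 10) & 1,   # authoritative answer
        "rd": (flags >> 8) & 1,    # recursion desired
        "ra": (flags >> 7) & 1,    # recursion available
        "rcode": flags & 0xF,      # 0 = NOERROR, 3 = NXDOMAIN
        "questions": [], "answers": [],
    }
    offset = 12
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        result["questions"].append((name, qtype, qclass))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        result["answers"].append((name, rtype, ttl, value))
    return result

# Constructed response: same ID, flags 0x8180 (QR=1, RD=1, RA=1), 1 question,
# 1 answer whose owner name is a pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    print(build_query("www.example.com").hex())
    print(parse_response(SAMPLE_RESPONSE))
```

Reading the parsed header is the same exercise as reading the debug output: a response with qr set but ra clear, or an unexpected ID, is exactly the kind of detail that explains a failed lookup.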
EXAMPLE: FUN WITH NSLOOKUP
Have some extra disk space? Try retrieving a list of hostnames within a specific domain with the ls command. To do this, type these commands, where ispname.net is a domain name:
NSLOOKUP
ls ispname.net
Chances are good you will get an error message returned, indicating that the name servers have restricted that type of query. However, if you are successful in retrieving a list (hint: try dialing into your ISP and using its domain name), you will get some insight into the mind of a systems administrator.
LOOKING AT THE FUTURE OF DNS
DNS, unlike WINS, is here to stay. Long after we have all forgotten what a NetBIOS name is, we will still be working with domains and DNS records. In fact, chances are good that it will not change much over the next ten years, though it will be improved.
Microsoft has resisted DNS as long as it can. If you can't beat 'em, join 'em, though, and Microsoft is doing just that. With the release of Windows NT 5.0, you will have the ability to rely entirely on DNS for all directory services and name resolution, removing the burden NetBIOS names placed on administrators. If you are designing the DNS architecture for your domain now, you will save yourself headaches in the future if you design it specifically for the Enhanced Directory Services. For those of you simply administering an existing domain structure, it is a good idea to look ahead and find out what Microsoft has in mind, so you can be sure you won't be left behind.
Dynamic DNS
I am not a fan of Dynamic Host Configuration Protocol (DHCP), but many in the industry are. In fact, a good number of the Microsoft networks in existence are based on a DHCP infrastructure. I really blame Microsoft for this odd phenomenon: much of their documentation touts DHCP as being the be-all and end-all of IP address assignment. In the future, I feel (hope?) that DHCP will go the way of NetBEUI and WINS: dropped from common use in favor of something that makes sense.
Now, DNS and DHCP do not traditionally mix well, because DNS is a static, manually updated method of name resolution. DHCP dynamically assigns IP addresses to systems, so without some sort of communication between the two protocols, it would be impossible for DNS servers to resolve IP addresses to DHCP clients.
To resolve this problem, Microsoft stepped in and integrated WINS and DNS together. Because the WINS database is built dynamically as computers start up and claim their DHCP-assigned IP addresses, it has no problem with name resolution of dynamic hosts. Microsoft's modifications simply allow the DNS server to query the WINS server if it cannot resolve a particular name.
There are a few problems with their implementation. First, they just thought up the whole idea and stuck it into the software, without bothering to wait for any kind of official standard to be put into place. In Microsoft's defense, they did write a proposal for a standard, but the IETF is still working on finalizing a method for allowing DNS servers to resolve names and IP addresses using a WINS server.
Second, it allows only Windows-based systems to register with the WINS server (and in turn, to be resolved by the DNS server). UNIX boxes that may use DHCP do not speak NetBIOS and so will not bother to register themselves with a WINS server.
Third, it works only with Windows NT-based DNS servers. Naturally, one or two organizations out there have to rebel against Microsoft's homogeneous Windows model and throw a UNIX box in as a DNS server. Those wild enough to try this will find that the dynamic DNS updates provided for by Windows NT 4.0 just won't work.
Now that I've told you some great reasons not to use WINS and DNS together, what can we do about it? Microsoft has submitted some suggestions to the IETF, but for now we will just have to wait. The fact of the matter is that most organizations will never have to worry about it, because the NT domain model will disappear before any viable method of dynamic DNS updates happens.
IPng/IPv6
Everyone is talking about version 6 of the Internet Protocol, otherwise known as IP: The Next Generation. I've mentioned it here and there throughout this book; it's a new version of the network-layer protocol used on the Internet that has been designed to reduce many of the problems users currently experience.
Because the IP address format changes for IPng, DNS is going to have to adjust as well. Already, an RFC has been written on the topic. This RFC can be found at http://ds2.internic.net/rfc/rfc1886.txt. It defines several changes to the existing DNS structure.
First, a new record type is added to accommodate the 128-bit addresses in IPng. This record type is AAAA, which, by definition, stores a single IPng address encoded from most-significant bit to least-significant bit.
To allow clients to look up this new record type, a AAAA query is defined as well. It works in the same way a normal lookup does, returning all records associated with a particular name.
Finally, a domain is added to facilitate reverse-DNS lookups of IPng addresses. While the reverse-lookup domain for version 4 of IP was called .IN-ADDR.ARPA, the newer version is referred to as .IP6.INT, which makes only slightly more sense. The RFC gives the following reverse-lookup records as an example:
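To make the two changes concrete, here is an added example (my own code, not from the book or RFC 1886) that produces the AAAA RDATA for an address and builds the matching reverse-lookup name under IP6.INT, alongside the familiar IN-ADDR.ARPA form for IPv4. It also goes the other way, recovering the address from an IP6.INT name, which is what you need when checking that a PTR record really belongs to the address it claims. The addresses used are constructed documentation addresses (2001:db8::1 and 192.0.2.10). One caveat: the .IP6.INT domain described here was later replaced by .IP6.ARPA (RFC 3152); the nibble layout is identical, so only the suffix differs.

```python
import ipaddress

# Added example: AAAA RDATA encoding and IP6.INT / IN-ADDR.ARPA reverse names.

def aaaa_rdata(addr):
    """RDATA of an AAAA record: the 128-bit address as 16 bytes,
    most significant byte first (network order), as RFC 1886 specifies."""
    return ipaddress.IPv6Address(addr).packed

def ip6_int_name(addr, suffix="ip6.int"):
    """Reverse-lookup name: all 32 hex nibbles of the address, one per label,
    least significant nibble first, under the given suffix."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")  # 32 hex digits
    return ".".join(reversed(nibbles)) + "." + suffix

def address_from_ip6_int(name, suffix="ip6.int"):
    """Inverse of ip6_int_name: rebuild the address from a nibble-reversed name.
    Raises ValueError if the name is not a well-formed reverse name."""
    name = name.rstrip(".")
    if not name.lower().endswith("." + suffix):
        raise ValueError("not an %s name: %s" % (suffix, name))
    labels = name[: -len(suffix) - 1].split(".")
    if len(labels) != 32 or any(len(l) != 1 for l in labels):
        raise ValueError("expected 32 single-nibble labels")
    nibbles = "".join(reversed(labels))
    groups = [nibbles[i:i + 4] for i in range(0, 32, 4)]
    return str(ipaddress.IPv6Address(":".join(groups)))  # compressed form

def in_addr_arpa_name(addr):
    """IPv4 equivalent: octets in reverse order under IN-ADDR.ARPA."""
    octets = str(ipaddress.IPv4Address(addr)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def ptr_matches(addr, ptr_owner_name):
    """True if a PTR record's owner name is the reverse name of addr.
    Useful when validating that a reverse zone entry corresponds to the
    forward record it is supposed to describe."""
    try:
        return address_from_ip6_int(ptr_owner_name) == str(ipaddress.IPv6Address(addr))
    except ValueError:
        return False

if __name__ == "__main__":
    print(aaaa_rdata("2001:db8::1").hex())
    print(ip6_int_name("2001:db8::1"))
    print(in_addr_arpa_name("192.0.2.10"))
```

Note that every IPv6 reverse name has exactly 32 nibble labels regardless of how the address was written; the "::" compression is purely a textual convenience and never appears in the zone.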
Not to be too pessimistic, we are still several years away from implementing version 6 of the IP network protocol. Fortunately, it will not be too difficult to migrate DNS when the time comes.
Security
DNS servers have always been a popular point for malicious attackers to begin an assault on an organization. The fact is, DNS has very little security built into the protocol itself. As we look to the increased usage of DNS on the public Internet, one of the items on our wish list has to be security.
A couple of standards have been proposed with the intent of providing an increased level of security for DNS. The most popular area of focus seems to be name server-to-name server communications, providing functionality such as authentication of zone transfers. Until these standards are given the stamp of approval by the IETF, refrain from implementing a vendor-specific solution unless absolutely necessary. Otherwise, it is likely that you will end up redoing all of your work in a year to conform to more widely accepted standards of DNS security.
Migration
It is hard to predict the future, but this one is for sure: It will involve a lot of migrating. As new standards develop, administrators and engineers will spend many hours playing catch-up. However, there are some things you can do that will save you time and headaches in the future.
The first DNS-related migration we are all looking forward to is adopting Microsoft's Enhanced Directory Services. This will be a blessing in the long run, but the initial migration will be painful for most. The first guideline to ease future migrations is to latch onto Internet standards, not vendor standards. If you are still using IPX and/or NetBEUI somewhere on your network, immediately get rid of it! This is so important that I have to recommend putting a sniffer such as Network Monitor on each subnet and monitoring the traffic for any occurrence of these protocols. Any reliance on these archaic standards will cause you tons of problems in the future!
Another rule of thumb that Microsoft recommends is to place a secondary DNS server at each remote site. If you do not make heavy use of DNS servers now, you sure will when they replace all of your WINS servers! Enhanced DS will use DNS servers to locate domain controllers, whereas for most tasks NetBIOS name resolution has traditionally handled that by broadcast or by WINS.
SUMMARY
This chapter has given you the framework to implement, expand, and fix DNS services within your internetwork. It has provided a detailed description of the current implementation of DNS, as well as its history and future.
You have learned the following:
DNS services are used to provide resolution of IP addresses to hostnames from a central server. DNS will continue to evolve as the Internet grows, and it is already being adapted for IPv6.
Windows NT natively supports both client- and server-side DNS functions. Though Windows NT is not yet commonly used for name services, it provides advantages that are not available from more traditional UNIX-based DNS servers, such as WINS integration.
DNS is managed by the InterNIC. Domain names that are used on the public Internet must be registered for a fee, which ensures that no two organizations can claim the same name.
DNS is very hierarchical. Primary servers hold the definitive zone files, listings of DNS records with names and IP addresses. Secondary servers maintain copies of this zone file and can be queried by clients for redundancy and load balancing.
The most useful tool for troubleshooting DNS problems is NSLOOKUP. NSLOOKUP allows you to query a DNS server in many different ways, allowing you to quickly pinpoint errors.
In the next chapter, you'll learn about Routing and Remote Access Service, Microsoft's add-on for Windows NT that replaces RAS and supplements routing capabilities.