Resource Page   CIS 2153 Syllabus    Chapter Lesson Notes: 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11

Chapter 3 Lesson Notes

Installing, Configuring, and Troubleshooting DNS

1. How Host Names are Resolved
1. Winsock requires the IP address of the destination host to establish a session.
1. Numbers are harder to remember than names, so people use host name resolution to match up IP addresses to known host names.
2. Resolver software on the DNS client issues query statements sent to the DNS server.
1. Programs that use resolver software include:

• Like knowing someone’s telephone number but not knowing his name

1. Reverse lookups query reverse lookup zones.
2. The primary index for the Domain Name System is the domain name.

• The DNS is rather like the phone book, which is organized by last name, not by the telephone number.

1. The in-addr-arpa Domain uses Network IDs as the index value.

• allows you to search by IDs

1. Reverse lookup zones go from specific to general when moving from left to right, just as forward lookup zones do.

• A Network ID of 21.18.189.0’s entry in the in-addr.arpa subdomain is 189.18.21.in-addr.arpa.

1. The iterative and recursive query process works the same when performing reverse lookups as it does when performing forward lookups.
2. Perform Exercise 3-2 on page 130 in your main text: Looking up a host name from an IP address.

II.  Windows 2000 DNS Server Roles

1. Primary DNS Server
1. Characteristics:
1. Contains the only copy of the zone database that can be changed
2. Is authoritative for the domain(s) contained in its zone files
1. Those domains respond directly to DNS queries
2. Characteristics shared with all DNS servers:
1. The zone database information is stored in the %systemroot%>\system32\dns directory.
2. They have the ability to boot from either the registry or a boot file
3. They have the ability to cache resolved queries.
4. They have a cache.dns file (or "root hints" file) that contains host name to IP address mappings for the Internet DNS Root servers.
3. Configuring the DNS Server via the Boot File and DNS Management Console
1. Server configuration is done through the DNS Management console, which is the default and preferred setting.
2. You may also configure the DNS server through the BOOT file, which UNIX Administrators are accustomed to.
3. You can choose to boot from the Registry, the BOOT file, or Active Directory.
4. Microsoft recommends that you "pick your poison" and stick with it.

• Do not switch between the use of the BOOT file and the DNS Management Console.

                4.   DNS Server Caching

1. The cache.dns file (the "root hints" file) contains host name and IP address mappings for the Root Internet DNS servers.

• If a DNS server receives a recursive query for a domain for which it is not authoritative, it must complete recursion by issuing iterative queries.

1. The cache.dns file is located in the same directory as the zone files.
2. Internet Root server mappings change periodically.

• Download the most recent mappings from ftp://ftp.rs.internic.net/domain/root.zone.gz    

                5.   DNS servers can be authoritative for multiple domains.

1. A Primary DNS server can be a Secondary DNS server for another zone.
2. A Primary DNS server that receives zone transfers from another Primary server acts in the role of Secondary for that zone.
3. Any DNS server can contain either or both Primary or Secondary zone files.
4. The Primary zone file is read/write and the Secondary zone file is read-only.

        B.  Secondary DNS Servers

                1.   Functions:

1. Fault tolerance: if the Primary DNS server is disabled, the Secondary can answer requests for the zone
2. Load balancing: by distributing the query load, the Primary server is not as affected by large volumes of query traffic

        2.  Bandwidth conservation: Secondary servers can be placed in remote locations, reducing the need to traverse a WAN for name resolution

C.  Caching-Only Servers

1. All DNS servers have a cache.dns file that contains the IP addresses of all Internet Root servers. The caching-only server uses this list to begin building its cache. It then adds to the cache as it issues iterative queries when responding to client requests. (See Figure 3-4 on page 137)
2. Traits of caching-only servers:

• Do not generate zone transfer traffic
• Can be placed on the far side of a slow WAN link and provide name resolution services for remote offices that do not require a high level of host name resolution support
• Can be configured as secure DNS forwarders
• Do not require expert administration, so they can be placed in off-site locations where there is no DNS administrator
• Are secure because there is no risk of an intruder obtaining zone information from a caching-only server

D.  DNS Forwarders and Slave Servers

1. DNS Forwarding and Forwarder Servers
1. The DNS server receiving the forwarding server’s query is the forwarder.
2. The process of forwarding a DNS query involves both a forwarding DNS server and a forwarder DNS server.
2. Host Name Lookup Using Forwarders
1. The forwarder begins to resolve the host name in the query by doing one of the following:

• retrieving the information from its cache
• retrieving the information from a zone file
• issuing a series of iterative queries

See Figure 3-5 on page 139.

1. If the forwarder cannot resolve the host name to an IP address, it will return to the forwarding DNS server a "host not found" error.
2. The Preferred DNS server (the forwarding server) will then attempt to resolve the host name itself.
1. Forwarders and Firewalls
1. The slave server/caching-only forwarder duo protects your intranet zone data from Internet intruders.
2. Firewalls keep users on the outside from accessing information on internal DNS servers

Figure 3-6 on page 141 illustrates the forwarder and slave setup and how it protects internal zone records.

E.  Dynamic DNS Servers (DDNS)

• Windows 2000 server has the ability to dynamically update the information contained in its zone databases.
• This is the one main difference between the Windows 2000 DNS server and previous versions of Microsoft DNS.
• Note: Because DNS zone database files were designed to be static, any updates that need to be made to the zone contents must be done manually by the DNS administrator.

1. DNS Update Protocol
1. Windows 2000 DNS server supports the Dynamic DNS update protocol.
1. Windows 2000 clients use the DHCP client service to update a Dynamic DNS server with their host name and IP address information.
2. The DNS client information is dynamically updated on a Primary DNS server, regardless of whether Active Directory or Standard zone types has been employed.
1. If the Preferred DNS server is a Secondary, then the client will query the Secondary for the Start Of Authority (SOA) record for the zone.
1. When the Windows 2000 client obtains the name of a Primary server for the zone, it will attempt to update its Host (A) and Pointer (PTR) records, depending on how you have configured dynamic updates to occur.
2. A Windows 2000 machine with a static IP address always updates both its A and PTR records itself.
3. By default, a Windows 2000 DHCP client updates its own A record, and the DHCP server updates the PTR record; however, this behavior can be altered.
4. A downlevel client cannot directly update its own information directly with a Dynamic DNS server but can do so using a Windows 2000 DHCP server as a "proxy."
5. RAS clients and dynamic update
1. RAS clients always register their own information directly with the DNS server and never interact with a DHCP server.
2. The RAS client registers both its A and PTR records itself.
1. Name Collisions
1. A name collision occurs when a machine tries to update its name in the zone database and finds that its name already exists with a different IP address.
2. By default, the DNS client will overwrite the existing record with its own information, which can pose security risks. To avoid this, you can:

• Disable the client’s ability to overwrite the existing record by adding the DisableReplaceAddressesInConflicts entry with a value of 1 to the following registry subkey:

|HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters

• Enable secure dynamic updates, which can only be done with Active Directory integrated zones

1. Perform Exercise 3-3 on page 144: Enabling Dynamic Updates on a Windows 2000 DNS Server.

 

III. Integrating Windows 2000 DNS Server with Active Directory

1. Advantages
• Active Directory integrated zones use the Active Directory replication engine, so there is no need to create separate DNS and Active Directory replication topologies.
• Rather than transferring the entire record, per property zone transfers are available when the zone is Active Directory integrated.
• All Active Directory integrated DNS zones are Primary zones, which offer more fault tolerance when DNS clients need to dynamically update their records on a Dynamic DNS server.
• Secure dynamic updates of the DNS zone database prevents rogue machines from taking over another machine’s mapping.
1. Active Directory domain names are also DNS domain names.
1. Secure Dynamic Updates
1. Dynamic updates are made through the Generic Security Service API (GSS-API).
• Windows 2000 does not support other common update methods such as System Security Extensions and Secure Domain Name System Dynamic Update.
1. The GSS-API uses Kerberos to establish a secure connection. Two types of resource records are used to establish the secure context:
• TKEY: Used to transfer security tokens between the DNS client and server. It establishes the secret key that will be used with the TSIG resource record.
• TSIG: Used to send and verify messages that have been signed with a hash algorithm.

 

Insider Information

Why do they call it Kerberos?

In Greek mythology, Kerberos was the name of the three-headed dog that guarded the entrance to Hades. Those who know their Greek mythology may remember that the dog who guarded the entrance was called Cerberus, not Kerberos. Cerberus is the Latin spelling of the Greek Kerberos. In Latin, the letter 'c' is always hard, and the letter ‘u’ in Cerberus is also different—instead of being a long ‘u’ sound, it is something between 'oos' and 'ous,' so Cerberus is pronounced 'Ker-ber-ous.' I find it interesting that the industry chose Kerberos (who guards hell) instead of the Angel Gabriel (who guards heaven). I suppose it’s all a matter of perspective.



1. Negotiating a Secure Context
1. Through the exchange of Keys (short for Public Key Infrastructure [PKI]), DNS clients can send update requests to the DNS server. This prevents machines from pirating the name of another legitimate machine on the network.
2. Figure 3-7 on page 149 shows the Secure dynamic update negotiation in progress.
1. DnsUpdateProxy
1. Only the owner of the record can update a resource record, and this can cause problems.
2. Examine the problem given on page 149 and discuss the solution provided on page 150, using Figure 3-8 on page 151 as a reference.
2. Domain Controllers in the DnsUpdateProxy Group
1. Because of potential security problems, Microsoft recommends that you not implement DHCP servers on domain controllers.
2. Perform Exercise 3-4 on page 152: Adding a DHCP Server to the DnsUpdateProxy Group.
1. Active Directory Integrated Zone Replication
1. All Active Directory integrated zones are Primary.
1. No single point of failure
2. The Active Directory allows for multimaster replication using the Active Directory replication engine.
1. Because of this, a single "downed" Primary DNS Server will not prevent zone transfers and zone updates.
2. SRV Records in Windows 2000 DNS
1. SRV Records replace the "hidden" 16^th character.
1. For WINS clients, the client could query the WINS database for the desired service by examining the 16^th character service identifiers recorded in the WINS database.
2. Manually Adding SRV Records
1. To view the SRV resource records created by a domain controller, open and view the netlogon.dns file (created when Active Directory was installed).

• netlogon.dns file can be found in %systemroot%\System32\Config\Netlogon.dns

1. When creating a new SRV record for a domain controller, be sure that the record is placed in the correct container object in the Active Directory as specified by the path in the netlogon.dns file.
2. Perform Exercise 3-5 on page 155: Adding a SRV Record Manually to the DNS.

IV. Integrating Windows 2000 DNS Server with DHCP

1. The Windows 2000 DHCP server can deliver host name and IP addressing information to a Windows 2000 DNS Server so downlevel clients can take advantage of the services available via a Dynamic DNS Server.
2. After assigning a DHCP client an IP address, the Windows 2000 DHCP server interacts with a Windows 2000 DNS Server in one of three ways:
• It will update the DNS server by providing information to create a Host (A) resource record and PTR (Pointer) record.
• The DHCP server will update both the Address and the Pointer record, regardless of the client request.
• The DHCP server will never register information about the DHCP client, but the client itself may contact the Dynamic DNS server directly with this information. Figure 3-9 on page 161 shows these interactions.
1. Perform the Exercise 3-6 on Page 162: Enabling Dynamic Updates for Downlevel DNS/DHCP Clients.
5. Managing the Windows 2000 DNS Server
1. Configuring Server Properties
1. Open the DNS console and right-click the name of the server you wish to configure. You should see what appears in Figure 3-10 on page 164.
2. Discuss the options on the various tabs:
1. The DNS Server Properties Interfaces tab (page 163; Figure 3-10, page 164)
2. The DNS Server Properties Forwarders tab (page 164; Figure 3-11, page 165)
3. The DNS Server Properties Advanced tab (page 164; Figure 3-12, page 165)
4. The Root Hints tab (page 167; Figure 3-13, page 167)
2. Configuring Zone Properties
1. Once the server is configured, you need to configure the zones you have created on the server. Each zone is configured separately. Right-click the zone of choice and then click the Properties command on the context menu. (See Figure 3-14 on page 169)
2. Discuss the options on the various tabs:
1. The Start of Authority (SOA) tab (page 169; Figure 3-15, page 170)
2. The Name Servers tab (page 171; Figure 3-16, page 171)
3. The WINS tab (page 171; Figure 3-17; page 172)

• The WINS TAB looks different for reverse lookup zones. Right-click one of your reverse lookup zones and click Properties. Now click the WINS-R tab, and you will see Figure 3-18 on page 173.

1. Configuring Windows 2000 DNS Clients
1. Manually Configuring DNS Client Settings:
1. You must be sitting at the local machine to perform manual configuration. Right-click the My Network Places icon on the desktop and select Properties. Now double-click Local Area Connection and then click Properties to bring up the Local Area Connection Properties dialog box.
2. Scroll down the list of network components, find the Internet Protocol (TCP/IP) option, and click Properties.
3. Go to the General Tab. This will bring you to the Advanced TCP/IP Settings dialog box. Click the DNS tab and you will see what appears in Figure 3-19 on page 174.
2. Configuring DNS Clients Using DHCP

To avoid unnecessary administrative tasks, you can use a DHCP server to assign DNS configuration and information to your Windows 2000 DHCP clients.

1. Create a scope on the DHCP server.
1. Define the 006 DNS Servers option for the scope.
2. Figure 3-21 on page 176 shows the Scope Options dialog box on a DHCP server.
3. Perform Exercise 3-7 on page 177: Disabling Replication of WINS-Specific Resource Record Data.

VI.  Monitoring and Troubleshooting DNS

1. IPCONFIG

IPConfig has been improved in Windows 2000 over Windows NT 4.0. It includes new switches that help with DNS management.

• Ipconfig /flushdns: Allows you to clear the local machine’s DNS cache
• Ipconfig /displaydns: Prints out the local DNS cache
• Ipconfig /registerdns: Renews a DHCP client’s lease and re-registers the DNS client’s address information with a DNS server
1. NSLookup
1. Command-line utility used to test and query your DNS server’s zone databases
2. Works in two modes: interactive and command
3. Table 3-1 on page 180 shows a list of "set" commands used in Interactive mode.
4. Perform Exercise 3-8 on page 180: Using the Nslookup Utility.
1. Using the System Monitor
1. Windows 2000 DNS Server has a large number of DNS-related counters that are placed into the System Monitor application upon installation.
2. New counters have been added to the Windows 2000 DNS Object counter list, as shown in Table 3-2 on pages 182 through 185.
2. Using Event Viewer
1. The Event Viewer provides information:
1. when zone transfers have occurred
2. on whether there was a problem with a zone transfer
3. when changes have taken place within the zone
4. on excessive numbers of changes that have been made to the zone for a specific period of time
2. You can install a help file (from the Windows 2000 Server Resource Kit), which has a list of event codes and their meanings.
3. Using Trace Logs
1. To get extremely detailed information about the DNS server’s activities, enable trace logging through the graphical user interface.
1. To enable trace logging, right-click the server name in the DNS Management Console and click Properties. You will see a box similar to that shown in Figure 3-22 on Page 186.
2. The log file can be found at %system_root%\system32\dns\dns.log
4. Network Monitor
1. Out-of-box version of Network Monitor for Windows 2000 Server allows you to analyze packets coming to or leaving the server.
1. If you want a full-featured version of Network Monitor, you can purchase Microsoft Systems Management Server 2.0, which lets you listen to all traffic on the segment.
2. Figure 3-23 on page 187 shows the Network Monitor.
5. The Monitoring Tab
1. After completing configuration of DNS server, check to see if the server can successfully perform simple and recursive queries.
2. Right-click the name of the server, select Properties, then click the Monitoring Tab. You can perform the following:
• A simple query against the DNS server
• A recursive query to other DNS servers