DNS Server - Microsoft


Windows Server 2003
DNS Installation, Configuration, Management and Maintenance
林寶森
What Is a Domain Namespace?
[Diagram: the DNS tree from the root domain down through the top-level domains (com, net, org), the second-level domain nwtraders and its subdomains (east, west, south, sales) to the host server1. The FQDN server1.sales.south.nwtraders.com names the full path from the host up to the root.]
Overview of the DNS Query Process
Query Types
Iterative Query
The DNS server returns the best answer that it can
provide without help from other servers
Recursive Query
The DNS server returns a complete answer to the
query, not a pointer to another DNS server
Lookup Types
Forward Lookup
Requires name-to-address resolution
Reverse Lookup
Requires address-to-name resolution
How Recursive Queries Work
A recursive query is a query made to a DNS server, in which the DNS
client asks the DNS server to provide a complete answer to the query.
[Diagram: Computer1 sends a recursive query for mail1.nwtraders.com to the local DNS server, which checks its forward lookup zone and cache for an answer and returns the complete answer, 172.16.64.11, to the client.]
How Iterative Queries Work
An iterative query is a query made to a DNS server in which the DNS client
requests the best answer that the DNS server can provide without seeking
further help from other DNS servers. The result of an iterative query is often a
referral to another DNS server lower in the DNS tree.
[Diagram: the local DNS server, resolving on behalf of Computer1, sends iterative queries: the root hint (.) server answers "Ask .com", the .com server refers it to the nwtraders.com server, which returns the answer.]
How Root Hint Works
Root hints are DNS resource records stored on a DNS server that list
the IP addresses for the DNS root servers.
[Diagram: the local DNS server, queried by Computer1, uses its root hints to reach the root (.) servers (maintained by InterNIC), which refer it on to com and then to microsoft; corporate or ISP DNS servers hold the same root hints.]
How Forwarders Work
A forwarder is a DNS server designated by other internal DNS servers to
forward queries for resolving external or offsite DNS domain names.
[Diagram: the local DNS server passes Computer1's query for nwtraders.com to the forwarder, which performs the iterative queries (root hint (.), "Ask .com", .com) on its behalf.]
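The recursive, iterative, root-hint and forwarder behaviour described above, as an added example that is not part of the original course material. Server labels stand in for IP addresses and all zone data is constructed; the model covers the forward-only role mentioned later in the deck as well.

```python
# Added example (not from the course slides): a toy model of recursive and iterative
# queries. Server labels stand in for real IP addresses; all data is constructed.
ROOT_HINTS = ["root-server"]
SERVERS = {  # what each authoritative server can answer by itself
    "root-server": {"refer": {"com.": "com-tld-server"}},
    "com-tld-server": {"refer": {"nwtraders.com.": "ns1.nwtraders.com"}},
    "ns1.nwtraders.com": {"answer": {"mail1.nwtraders.com.": "172.16.64.11"}},
}

def iterative_query(server, name):
    """One iterative query: the best answer this server can give without asking
    anyone else. Returns ("answer", ip), ("referral", next_server) or ("nxdomain", None)."""
    data = SERVERS[server]
    if name in data.get("answer", {}):
        return "answer", data["answer"][name]
    # referral to the closest enclosing zone this server has delegated
    zones = [z for z in data.get("refer", {}) if name == z or name.endswith("." + z)]
    if zones:
        return "referral", data["refer"][max(zones, key=len)]
    return "nxdomain", None

def recursive_resolve(name, cache, start=ROOT_HINTS):
    """What the local DNS server does for a recursive client query: answer from cache,
    otherwise walk referrals from the root hints and return a complete answer together
    with the list of servers it had to ask."""
    if name in cache:
        return cache[name], ["cache"]
    asked, server = [], start[0]
    for _ in range(8):  # bound the chain so a delegation loop cannot spin forever
        asked.append(server)
        kind, value = iterative_query(server, name)
        if kind == "answer":
            cache[name] = value
            return value, asked
        if kind == "nxdomain":
            return None, asked
        server = value
    return None, asked

def forward_only_resolve(name, cache, forwarder_cache):
    """A forward-only server hands the whole recursive query to its forwarder and never
    touches the root hints itself; the forwarder does the iterative work."""
    if name in cache:
        return cache[name], ["cache"]
    ip, asked = recursive_resolve(name, forwarder_cache)
    if ip:
        cache[name] = ip
    return ip, ["forwarder"] + asked
```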
What Is a DNS Zone?
[Diagram: the nwtraders domain tree with the subdomains North, South, West, Sales, Support and Training, grouped into zones.]
What Are DNS Zone Types?
• Primary: read/write copy of a DNS database
• Secondary: read-only copy of a DNS database
• Stub: copy of a zone containing only a limited set of records
Selecting Zone Data Location
[Diagram: with standard zones, changes are made on the primary zone and reach the secondary zone by zone transfer; with Active Directory integrated zones, changes can be made on any of the servers.]
Configuring Standard Zones
• You can configure a DNS server to host standard primary zones,
standard secondary zones, or any combination of zones
• You can designate a primary server or a secondary server as a
master server for a standard secondary zone
[Diagram: DNS Server A hosts the primary zone; DNS Server B and DNS Server C each host a secondary zone whose master DNS server is DNS Server A.]
What Are Resource Records and Record Types?
Record type: description
• A: resolves a host name to an IP address
• PTR: resolves an IP address to a host name
• SOA: the first record in any zone file
• SRV: resolves the names of servers providing a given service
• NS: identifies the DNS servers for a zone
• MX: identifies the mail server for a domain
• CNAME: maps an alias host name to another host name
Zone Transfer Process
A Zone Transfer is Initiated When
– A master DNS server sends notification of zone changes to
the secondary server or servers
– The secondary server queries a master DNS server for
changes to the zone file
[Diagram: the master DNS server holds the primary zone database file for nwtraders; the secondary DNS server holds the secondary zone database file with the training and support records, both copies making up Zone 1.]
Configuring Zone Transfers
• Zone Transfer Types
– Full zone transfer (AXFR)
– Incremental zone transfer (IXFR)
• Configuring Zone Transfer Properties
– Serial number: 2 (Increment)
– Refresh interval: 15 minutes
– Retry interval: 10 minutes
– Expires after: 1 day
– Minimum (default) TTL: 0:1:0:0 (days:hours:minutes:seconds)
• Configuring DNS Notify
Configuring Zone Transfers
[Screenshot: nwtraders.msft Properties, Start of Authority (SOA) tab: serial number 28 (with an Increment button), primary server london.contoso.com, responsible person admin.contoso.com, refresh interval 15 minutes, retry interval 10 minutes, expires after 1 day, minimum (default) TTL 0:1:0:0, TTL for this record 0:1:0:0. The other tabs are General, Name Servers, WINS, Zone Transfers and Security.]
[Screenshot: nwtraders.msft Properties, Zone Transfers tab: "A zone transfer sends a copy of the zone to requesting servers." The Allow zone transfers check box offers "To any server", "Only to servers listed on the Name Servers tab" or "Only to the following servers" (an IP address list with Add and Remove). "To specify secondary servers to be notified of zone updates, click Notify."]
How DNS Notify Works
A DNS notify is an update to the original DNS protocol specification
that permits notification to secondary servers when zone changes
occur.
[Diagram: source server (the primary and master server) to destination server (the secondary server)]
1 A resource record is updated on the source server
2 The SOA serial number is updated
3 The source server sends a DNS notify to the secondary server
4 The secondary server requests a zone transfer
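The zone transfer timers, the DNS notify step and the "Allow zone transfers" policy from the tabs above, as an added example that is not part of the original course material. It uses the SOA values shown (refresh 15 minutes, retry 10 minutes, expire 1 day); server addresses are constructed and serial numbers are compared as plain integers.

```python
# Added example (not from the course slides): the secondary server's SOA timer logic
# (refresh, retry, expire), DNS Notify handling, and the master's "Allow zone transfers"
# policy, using the SOA values shown (refresh 15 min, retry 10 min, expire 1 day).
# Server addresses are constructed; serials are compared as plain integers.
MIN, DAY = 60, 86400

def allow_transfer(requester_ip, policy, name_servers=(), listed=()):
    """Master side: the three 'Allow zone transfers' options from the dialog."""
    if policy == "any":               # sends the whole zone to anyone who asks for it
        return True
    if policy == "name-servers":      # only the hosts on the Name Servers tab
        return requester_ip in name_servers
    if policy == "list":              # only the explicit IP address list
        return requester_ip in listed
    return False

class SecondaryZone:
    def __init__(self, masters, refresh=15 * MIN, retry=10 * MIN, expire=1 * DAY):
        self.masters, self.refresh, self.retry, self.expire = set(masters), refresh, retry, expire
        self.serial = 0        # serial of the copy we hold (0 = no copy yet)
        self.last_ok = 0       # last successful contact with the master
        self.next_check = 0    # when the refresh or retry timer fires

    def notify(self, from_ip, now):
        """DNS Notify: only a configured master may pull the next SOA check forward."""
        if from_ip not in self.masters:
            return False
        self.next_check = now
        return True

    def check(self, now, master_serial=None):
        """Called when a timer fires. master_serial=None means the master did not reply.
        Returns the action the secondary takes."""
        if now < self.next_check:
            return "wait"
        if master_serial is None:                 # unreachable: back off by retry
            self.next_check = now + self.retry
            if now - self.last_ok >= self.expire: # expire: stop answering for the zone
                return "expired"
            return "retry"
        self.last_ok, self.next_check = now, now + self.refresh
        if master_serial > self.serial:           # higher serial: pull the changes
            action = "ixfr" if self.serial else "axfr"   # no copy yet: full transfer
            self.serial = master_serial
            return action
        return "up-to-date"
```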
Configuring AD Integrated Zones
• Active Directory Integrated Zone Data Is
– Stored as an Active Directory object
– Replicated as part of domain replication
[Diagram: the DNS server for contoso.com stores its Active Directory integrated zone in Active Directory.]
What Are Directory Partitions?
The Active Directory database is divided into partitions, each with its own replication scope:
• Schema (replicated forest-wide): definitions and rules for creating and manipulating objects and attributes
• Configuration (replicated forest-wide): information about the Active Directory structure
• Domain (<Domain>): information about domain-specific objects
• Application (<Application>, configurable replication): information about applications
Selecting a Partition
[Diagram: the replication scopes available for an Active Directory integrated zone: a forest-wide application partition, a domain-wide application partition, or the domain partition.]
Configuring Dynamic Updates
• DNS Dynamic Update Protocol
– Allows clients to automatically update DNS servers
– Can be used in conjunction with DHCP
1 Computer1 requests an IP address from the DHCP server
2 The DHCP server assigns the IP address 192.168.120.133
Then: a Windows 2000, XP or 2003 client updates its own forward resource record on the DNS server, and the DHCP server updates the reverse resource record; for other clients the DHCP server updates both resource records in the zone database.
Securing Dynamic Updates
[Screenshot: nwtraders.msft. Properties, General tab, for an Active Directory integrated zone: status Running (Pause button); type Active Directory-integrated (Change button), "Data is stored in Active Directory."; "Allow dynamic updates?" set to "Only secure updates"; "To set aging/scavenging properties, click Aging." The other tabs are Start of Authority (SOA), Name Servers, WINS, Zone Transfers and Security.]
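The dynamic update flow from the DHCP diagram together with the "Only secure updates" setting, as an added example that is not part of the original course material. Secure update is simplified to "only the authenticated principal that created a record may change it"; host names, addresses and principal names are constructed.

```python
# Added example (not from the course slides): a toy model of the dynamic-update flow in
# the diagram (the client registers its forward record, DHCP registers the reverse
# record, or both for older clients) and of the "Only secure updates" setting, here
# simplified to "only the authenticated principal that created a record may change it".
# Host names, addresses and principal names are constructed.
class Zone:
    def __init__(self, secure_only):
        self.secure_only = secure_only
        self.records = {}   # name -> (value, owner principal or None)

    def update(self, name, value, requester, authenticated):
        """Apply one dynamic update. With secure updates only, unauthenticated updates
        are refused and an existing record cannot be overwritten by another principal."""
        if self.secure_only and not authenticated:
            return "refused"
        existing = self.records.get(name)
        if self.secure_only and existing and existing[1] != requester:
            return "refused"
        self.records[name] = (value, requester if authenticated else None)
        return "updated"

def reverse_name(ip):
    """PTR owner name for an IPv4 address, e.g. 133.120.168.192.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."

def dhcp_lease(fwd, rev, host, ip, client_os, authenticated=True):
    """Step 2 of the diagram, after the DHCP server assigns the lease: a Windows 2000,
    XP or 2003 client updates its own forward record; the DHCP server updates the
    reverse record, and both records for any other client."""
    if client_os in ("win2000", "winxp", "win2003"):
        a = fwd.update(host, ip, requester=host, authenticated=authenticated)
    else:
        a = fwd.update(host, ip, requester="dhcp-server", authenticated=authenticated)
    ptr = rev.update(reverse_name(ip), host, requester="dhcp-server", authenticated=authenticated)
    return {"A": a, "PTR": ptr}
```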
Creating a Subdomain
• Create a Subdomain to Better Organize Your Namespace
• Delegate Authority of a Subdomain To
– Delegate management of portions of the namespace
– Delegate administrative tasks of maintaining one large DNS
database
[Diagram: the root "." with the top-level domains com., org., edu. and tw.; the second-level domain microsoft.com.; and the subdomain training.microsoft.com.]
DNS Server Roles
Role: situation
• Caching-only servers: a remote office has a limited amount of available bandwidth
• Non-recursive servers: you have Internet-facing DNS servers that are authoritative for one or more zones
• Forward-only servers: you want to manage the DNS traffic between your network and the Internet
• Conditional forwarders: you want DNS clients in separate networks to resolve each other's names without having to query the DNS servers on the Internet
How the Time-to-Live Value Works
The Time-to-Live (TTL) value is a time-out value expressed in seconds that
is included with DNS records that are returned in a DNS query.
[Diagram: the authoritative DNS Server2 holds the zone, where the TTL is set; DNS Server1 and the DNS client each keep a resource record cache.]
1 The records in the zone are sent to other DNS servers and clients in response to queries
2 DNS servers and DNS clients that store the record in their cache hold the record for the TTL period supplied in the record
3 When the TTL expires, the record is removed from the cache
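The three TTL steps above carried through the chain authoritative server, DNS Server1 and DNS client, as an added example that is not part of the original course material. The zone data is constructed and the clock is passed in explicitly; the point it shows is that a caching server hands on the remaining TTL, so every cache drops the record at the same moment.

```python
# Added example (not from the course slides): a resource record cache that enforces the
# TTL supplied in the record, and the chain authoritative server -> DNS Server1 -> client
# from the diagram. The clock is passed in explicitly so the expiry can be tested.
class RecordCache:
    def __init__(self):
        self.entries = {}  # name -> (value, absolute expiry time)

    def put(self, name, value, ttl, now):
        self.entries[name] = (value, now + ttl)

    def get(self, name, now):
        """Return (value, remaining_ttl) or None. Step 3: an expired record is removed,
        so it will be fetched again (and any change at the authority picked up)."""
        hit = self.entries.get(name)
        if hit is None:
            return None
        value, expires = hit
        if now >= expires:
            del self.entries[name]
            return None
        return value, expires - now

AUTHORITATIVE = {"www.nwtraders.com.": ("172.16.64.20", 3600)}  # constructed zone, TTL 1 h

def server1_lookup(cache, name, now):
    """DNS Server1 answers from its cache with the *remaining* TTL, otherwise asks the
    authoritative server and caches the full TTL from the record."""
    hit = cache.get(name, now)
    if hit:
        return hit
    value, ttl = AUTHORITATIVE[name]
    cache.put(name, value, ttl, now)
    return value, ttl

def client_lookup(client_cache, server_cache, name, now):
    """The DNS client caches whatever TTL the server returned; because that TTL was
    already counted down on the server, every cache drops the record at the same time."""
    hit = client_cache.get(name, now)
    if hit:
        return hit
    value, ttl = server1_lookup(server_cache, name, now)
    client_cache.put(name, value, ttl, now)
    return value, ttl
```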
Reducing Network Traffic by Using Caching-Only Servers
Caching-Only Servers
– Perform name resolution on behalf of client computers and cache
the results
– Can be used to reduce DNS-related traffic across a WAN
[Diagram: clients in a remote office query a local caching-only DNS server, which reaches the DNS server at corporate headquarters over a slow WAN link.]
How Aging and Scavenging Works
[Diagram: a record is time stamped on Jan 1. During the 7-day no-refresh interval (Jan 1 to Jan 8) the time stamp is not updated; during the following 7-day refresh interval (Jan 8 to Jan 15) a client refresh updates it. A record whose time stamp has aged past both intervals by Jan 15 is scavenged.]
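The no-refresh, refresh and scavenge rule from the diagram as an added example that is not part of the original course material. The dates are constructed to match the Jan 1, Jan 8 and Jan 15 marks; the block also carries the caveat that static records have no time stamp and are never scavenged.

```python
from datetime import datetime, timedelta

# Added example (not from the course slides): the time-stamp rule behind aging and
# scavenging, using the 7-day no-refresh and refresh intervals from the diagram.
# Static records carry no time stamp (None here) and are never scavenged.
NO_REFRESH = timedelta(days=7)
REFRESH = timedelta(days=7)
JAN1 = datetime(2004, 1, 1)   # constructed date matching the diagram's "Jan 1"

def on_refresh_attempt(stamp, now):
    """A client re-registers its record. Inside the no-refresh interval the time stamp
    is left alone (this is what keeps refresh traffic off the replicas); after it, the
    stamp is moved forward. Returns the (possibly unchanged) time stamp."""
    if stamp is None:                   # static record: nothing to age
        return None
    if now < stamp + NO_REFRESH:
        return stamp
    return now

def is_scavengeable(stamp, now):
    """Scavenging removes a dynamic record whose stamp has not moved through a whole
    no-refresh + refresh period, i.e. no client refreshed it during the refresh window."""
    if stamp is None:
        return False
    return now >= stamp + NO_REFRESH + REFRESH

def scavenge(records, now):
    """Return the records that survive a scavenging pass.
    records: name -> time stamp (None for static records)."""
    return {n: s for n, s in records.items() if not is_scavengeable(s, now)}
```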
What Is DNS Debug Logging?
DNS debug logging is an optional logging tool for DNS that stores
the DNS information that you select.
Planning a DNS Implementation
• Small Companies
– Can use ISP DNS servers for queries and to
store company domain names
• Larger Companies
– Maintain their own DNS servers
• Two DNS Servers Recommended
– Primary name server
– Secondary name server
DNS Namespace Options
• Same namespace: existing DNS namespace nwtraders.com, internal namespace nwtraders.com
• Delegated namespace: existing DNS namespace nwtraders.com, internal namespace ad.nwtraders.com
• Unique namespace: existing DNS namespace nwtraders.com, internal namespace nwtraders.local
Connecting DNS to the Internet
[Diagram: the internal DNS server sits on the private network behind a firewall; the external DNS server sits in the screened subnet between that firewall and a second firewall facing the Internet DNS servers.]
• Forwarding DNS Queries to Internet DNS Servers
• Responding to DNS Queries from the Internet
Integrating DNS into Screened Subnets
[Diagram: the primary DNS zone for public.contoso.msft is on the private network; a secondary DNS zone for public.contoso.msft is in the screened subnet between the inner firewall and the outer firewall facing the Internet.]
• Zones in the Screened Subnet Contain Records for Public Resources Only
• Configure Firewalls to Permit Appropriate DNS Traffic
• Place Only Secondary Zones in the Screened Subnet
• Encrypt Replication Traffic with IPSec