Transcript 6435A_07

Module 7: Designing Advanced Name Resolution
Module Overview
• Optimizing DNS Servers
• Designing DNS for High Availability and Security
• Designing a WINS Name Resolution Strategy
• Designing WINS Replication
Lesson 1: Optimizing DNS Servers
• Disabling Recursion
• Deleting and Modifying Root Hints
• Optimizing DNS Server Response
• Optimizing DNS Server Functionality
• Optimizing Active Directory Integrated Zones
• DNS Troubleshooting Tools
Disabling Recursion
• Disable recursion to limit name resolution to a specific
server, or as a failover for another DNS server
• Benefit: You will reduce the load on the DNS server
• Consequence: You will not be able to resolve names
outside of your own zone
Deleting and Modifying Root Hints
• Delete root hints on servers that do not need to
communicate with DNS servers that are authoritative
for the root domain
• Modify root hints if the root domain is internal
• Update root hints when DNS servers that are
authoritative for the root domain change
Optimizing DNS Server Response
To improve DNS server response time:
• Disable Local Subnet Prioritization
  - Used when multiple records match a request
  - Arranges the query response so that the records closest to the client subnet are listed first
• Disable Round-robin rotation
  - Used when multiple records match a request
  - Rotates the order of responses for load balancing
• Install sufficient memory to cache all DNS zones in memory
Optimizing DNS Server Functionality
To optimize zone transfer:
• Adjust the zone transfer interval to match how often your DNS data changes
• Lengthen the interval if more frequent updates are not required
• Use incremental zone transfers
To reduce network traffic, use caching-only servers:
• Use caching-only servers if you have a slow WAN link
• Configure caching-only servers to perform
recursive queries
Optimizing Active Directory Integrated Zones
Select an appropriate application partition:
• ForestDNSZones replicates to all domains
• DomainDNSZones replicates within a domain
• _msdcs subdomain is in ForestDNSZones by default
To optimize AD integrated zones:
• Optimize Active Directory performance
• Use Active Directory sites
• Place logs and the Active Directory database on
dedicated partitions
DNS Troubleshooting Tools
DNS troubleshooting tools are:
• NSLookup
• DNScmd
• DNSLint
Lesson 2: Designing DNS for High Availability and Security
• Using Load Balancing for DNS Servers
• DNS Security Risks
• DNS Security Policies
Using Load Balancing for DNS Servers
Load Balancing:
• Provides availability and scalability for DNS resolution
• Requires all DNS servers on the same subnet
• Does not protect against failed network links
• Is suitable for a centralized implementation of DNS
DNS Security Risks
DNS Attack: Description
Footprinting: Building a diagram of the DNS infrastructure by capturing data such as computer names and IP addresses
Denial-of-service: Flooding a DNS server with queries to make it unavailable for normal use
Data modification: Falsifying records in DNS to impersonate servers or redirect email messages
Redirection: Supplying false responses to external queries made by a DNS server, corrupting its cache with false information
DNS Security Policies
Security level: Description
Low:
• Default configuration
• Use when there is no concern about DNS data
• Typically used when there is no external connectivity
Medium:
• Disables dynamic update and limits zone transfers
• Available without running on domain controllers
• Internet resolution is performed through a proxy
High:
• Includes the medium level security measures
• Must run on domain controllers to use AD-integrated zones and secure dynamic updates
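The following script is an added example, not part of the course material: it audits a Windows DNS server against the medium-level settings above (dynamic update disabled or secure-only, zone transfers limited, recursion off where the server only needs to be authoritative) and optionally remediates. It assumes the DnsServer PowerShell module (Windows Server 2012 or later) and DNS administrator rights; the parameter names $ComputerName and $Remediate are this example's own.

```powershell
# Added example: audit a DNS server against the slide's "Medium" policy.
# Assumes the DnsServer module (Windows Server 2012+); run as a DNS admin.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [switch]$Remediate   # report only unless this switch is given
)
Import-Module DnsServer

$findings = @()

# Recursion: an authoritative-only server should not answer recursive queries
$recursion = Get-DnsServerRecursion -ComputerName $ComputerName
if ($recursion.Enable) {
    $findings += 'Recursion is enabled (disable it on authoritative-only servers)'
    if ($Remediate) { Set-DnsServerRecursion -ComputerName $ComputerName -Enable $false }
}

# Check every primary zone the administrator created (skip auto-created ones)
$zones = Get-DnsServerZone -ComputerName $ComputerName |
         Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

foreach ($zone in $zones) {
    # Dynamic update: NonsecureAndSecure lets any host overwrite records
    if ($zone.DynamicUpdate -eq 'NonsecureAndSecure') {
        $findings += "$($zone.ZoneName): nonsecure dynamic updates allowed"
        if ($Remediate) {
            # Secure updates need an AD-integrated zone; file-backed zones get None
            $mode = if ($zone.IsDsIntegrated) { 'Secure' } else { 'None' }
            Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $zone.ZoneName -DynamicUpdate $mode
        }
    }

    # Zone transfers: TransferAnyServer hands the whole zone to anyone (footprinting)
    if ($zone.SecureSecondaries -eq 'TransferAnyServer') {
        $findings += "$($zone.ZoneName): zone transfer allowed to any server"
        if ($Remediate) {
            Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $zone.ZoneName `
                -SecureSecondaries TransferToZoneNameServer
        }
    }
}

if ($findings.Count -eq 0) { 'No findings: server meets the medium policy' } else { $findings }
```

Run it without -Remediate first to see the findings; high-level policy additionally requires the zones to be AD-integrated with secure-only updates, which the script only applies when the zone is already DS-integrated.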
Lesson 3: Designing a WINS Name Resolution Strategy
• Options for NetBIOS Name Resolution
• Scenarios Requiring Multiple WINS Servers
• WINS Fault Tolerance
• DNS GlobalNames Zone
Options for NetBIOS Name Resolution
Broadcast
  - Suitable only for a single subnet
LMHOSTS
  - Suitable for small environments
  - Reduces broadcast traffic
  - Requires static IP addresses
WINS
  - Suitable for organizations of all sizes
  - Reduces broadcast traffic
  - Does not require static IP addresses
WINS Fault Tolerance
Plan for fault tolerance:
• Determine the maximum allowable downtime of the
WINS server
• Use a secondary WINS server for redundancy
Configure clients for fault tolerance:
• Clients should point to the local WINS server
• Clients should point to the secondary WINS hub for
redundancy
Lesson 4: Designing WINS Replication and Integration
• Selecting a WINS Replication Type
• Selecting a Partner Replication Method
Selecting a WINS Replication Type
Push replication:
• Replicates after a specified number of changes
• Batching reduces network traffic
Pull replication:
• Replicates after a specified period of time
• Ensures that all changes are replicated
Selecting a Partner Replication Method
Automatic partner configuration:
• Uses multicasts to automatically configure replication
partners
• Is best suited to three WINS servers or fewer
Manual partner configuration:
• Allows complete flexibility in design
• Results in better scalability