Transcript 6435A_07
Module 7:
Designing Advanced
Name Resolution
Module Overview
• Optimizing DNS Servers
• Designing DNS for High Availability and Security
• Designing a WINS Name Resolution Strategy
• Designing WINS Replication
Lesson 1: Optimizing DNS Servers
• Disabling Recursion
• Deleting and Modifying Root Hints
• Optimizing DNS Server Response
• Optimizing DNS Server Functionality
• Optimizing Active Directory Integrated Zones
• DNS Troubleshooting Tools
Disabling Recursion
• Disable recursion on servers that should answer only for the zones
they host (for example an Internet-facing authoritative server), or on
a server that exists only as a failover for another DNS server; clients
can then not use it as a general-purpose (open) resolver
• Benefit: You will reduce the load on the DNS server, and it no longer
performs external lookups whose answers could poison its cache
• Consequence: Clients that use the server will not be able to resolve
names outside of its own zones (on a Windows DNS server, disabling
recursion also disables forwarders)
Deleting and Modifying Root Hints
• Delete root hints on servers that do not need to communicate with
the DNS servers that are authoritative for the root domain (for
example internal servers that only forward to a central resolver)
• Modify root hints to point at your own root servers if the root
domain is internal (a private root zone)
• Update root hints when the DNS servers that are authoritative for
the root domain change, otherwise recursive lookups start from
stale addresses
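The following PowerShell is an added example, not part of the course material: it turns a server into an authoritative-only server by applying both of the settings above and then checks the effect. It assumes the DnsServer module (Windows Server 2012 or later; the Windows Server 2008 dnscmd equivalent is shown in a comment), a server named dns1.corp.example.com hosting the zone corp.example.com, and an external name to probe with; all three names are placeholders.

```powershell
# Added example: harden an authoritative-only DNS server by disabling recursion
# and removing its root hints, then verify it answers only for its own zones.
# Assumptions: DnsServer module (Windows Server 2012+); all names are placeholders.
param(
    [string]$Server       = 'dns1.corp.example.com',  # server being hardened
    [string]$HostedName   = 'www.corp.example.com',   # name inside a zone it hosts
    [string]$ExternalName = 'www.microsoft.com'       # name it is not authoritative for
)

Import-Module DnsServer

# 1. Disable recursion. On Windows DNS this also disables forwarders, so the
#    server answers only from the zones it hosts.
#    Windows Server 2008 equivalent: dnscmd $Server /Config /NoRecursion 1
Set-DnsServerRecursion -ComputerName $Server -Enable $false

# 2. Remove the root hints so the server never contacts the Internet root
#    servers. (With an internal root, add your own root NS records instead.)
Get-DnsServerRootHint -ComputerName $Server |
    Remove-DnsServerRootHint -ComputerName $Server -Force

# 3. Verify: an in-zone name still resolves, an out-of-zone name does not.
function Test-DnsAnswer {
    param([string]$Name, [string]$DnsServer)
    try {
        # -DnsOnly skips the local cache, LLMNR and NetBIOS so only $DnsServer is asked
        $null = Resolve-DnsName -Name $Name -Server $DnsServer -Type A -DnsOnly -ErrorAction Stop
        return $true
    } catch {
        # Query refused or otherwise unanswered by this server
        return $false
    }
}

$inZone  = Test-DnsAnswer -Name $HostedName   -DnsServer $Server
$offZone = Test-DnsAnswer -Name $ExternalName -DnsServer $Server

"Recursion enabled : $((Get-DnsServerRecursion -ComputerName $Server).Enable)"
"Root hints left   : $((Get-DnsServerRootHint -ComputerName $Server | Measure-Object).Count)"
"Hosted name OK    : $inZone  (expected True)"
"External name OK  : $offZone  (expected False: server no longer resolves outside its zones)"
```

Run the verification step again from a client that still points at this server: any client that relied on it for Internet names must be moved to a recursive resolver before the change goes live.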
Optimizing DNS Server Response
To improve DNS server response time:
• Disable local subnet prioritization
  - Used when multiple records match a request
  - Arranges the query response so that the records closest to the
    client subnet are listed first
  - Disabling it saves the sort, but clients are no longer steered to
    the nearest host
• Disable round-robin rotation
  - Used when multiple records match a request
  - Rotates the order of responses for load balancing
  - Disabling it means every client receives the same order, so load
    is no longer spread across the matching hosts
• Install sufficient memory to cache all DNS zones in memory
Optimizing DNS Server Functionality
To optimize zone transfer:
• Adjust the SOA refresh interval (how often secondary servers poll
the primary) to match how often your DNS data changes
• Lengthen the interval if more frequent updates are not required,
and use DNS notify so that urgent changes still reach the
secondaries promptly
• Use incremental zone transfers (IXFR) so that only changed records
are sent instead of the whole zone
To reduce network traffic, use caching-only servers:
• Use caching-only servers at sites behind a slow WAN link; they host
no zones, so no zone transfer traffic crosses the link
• Configure caching-only servers to perform recursive queries (or to
forward to a central resolver) so that local clients are answered
from the local cache after the first lookup
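As an added example (not part of the course material), the PowerShell below tunes zone transfer for a zone whose data changes rarely: it lengthens the SOA timers, keeps transfers incremental and notify-driven, and limits which secondaries may pull the zone. It assumes the DnsServer module (Windows Server 2012 or later), the zone name corp.example.com and the two secondary addresses, all of which are placeholders.

```powershell
# Added example: tune zone transfer timers for a rarely changing zone and limit
# transfers to the listed secondaries. Assumptions: DnsServer module
# (Windows Server 2012+); zone name and secondary addresses are placeholders.
param(
    [string]$Zone          = 'corp.example.com',
    [string[]]$Secondaries = @('10.0.2.10', '10.0.3.10')   # secondaries behind slow WAN links
)
Import-Module DnsServer

# 1. SOA timers drive how often secondaries poll (Refresh), how soon they retry
#    a failed poll (Retry) and how long they keep serving without contact
#    (Expire). Rarely changing data can use a long Refresh because NOTIFY
#    (step 2) still pushes changes immediately and IXFR keeps transfers small.
$old = Get-DnsServerResourceRecord -ZoneName $Zone -RRType Soa
$new = $old.Clone()
$new.RecordData.RefreshInterval = [TimeSpan]::FromHours(4)     # Windows default: 15 minutes
$new.RecordData.RetryInterval   = [TimeSpan]::FromMinutes(30)  # Windows default: 10 minutes
$new.RecordData.ExpireInterval  = [TimeSpan]::FromDays(7)      # Windows default: 1 day
# Secondaries only transfer when the serial rises, so raise it with the change
$new.RecordData.SerialNumber    = $old.RecordData.SerialNumber + 1
Set-DnsServerResourceRecord -ZoneName $Zone -OldInputObject $old -NewInputObject $new

# 2. Only the listed secondaries may pull the zone, and they are notified on
#    change so they do not depend solely on the long Refresh interval.
Set-DnsServerPrimaryZone -Name $Zone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $Secondaries `
    -Notify NotifyServers -NotifyServers $Secondaries

# 3. Show the effective settings for review.
Get-DnsServerZone -Name $Zone |
    Select-Object ZoneName, SecureSecondaries, SecondaryServers, Notify, NotifyServers
(Get-DnsServerResourceRecord -ZoneName $Zone -RRType Soa).RecordData |
    Select-Object SerialNumber, RefreshInterval, RetryInterval, ExpireInterval
```

Incremental transfers are the default between Windows DNS servers; the script does not have to enable them, but a secondary from another vendor that does not support IXFR will fall back to a full AXFR, so the size of each transfer is worth checking in the DNS event log after the change.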
Optimizing Active Directory Integrated Zones
Select an appropriate application partition:
• ForestDNSZones replicates to every DNS server that is a domain
controller in the forest
• DomainDNSZones replicates only to DNS servers that are domain
controllers in that domain
• The _msdcs.<forest root> zone, which holds the records domain
controllers use to locate each other, is stored in ForestDNSZones
by default
To optimize AD integrated zones:
• Optimize Active Directory performance, because zone data now
replicates as part of the directory
• Use Active Directory sites so that zone replication follows the
site link schedule instead of crossing slow links on every change
• Place logs and the Active Directory database on dedicated disk
partitions
DNS Troubleshooting Tools
DNS troubleshooting tools are:
• NSLookup: queries a chosen DNS server interactively and shows the
raw answer
• DNScmd: administers a DNS server from the command line (server
settings, zones, records)
• DNSLint: produces a report on DNS configuration, including the
records domain controllers depend on
Lesson 2: Designing DNS for High Availability and
Security
• Using Load Balancing for DNS Servers
• DNS Security Risks
• DNS Security Policies
Using Load Balancing for DNS Servers
Load Balancing (for example Network Load Balancing):
• Provides availability and scalability for DNS resolution behind a
single virtual IP address
• Requires all DNS servers in the cluster to be on the same subnet
• Does not protect against failed network links, because the whole
cluster sits behind the same link
• Is therefore suitable for a centralized implementation of DNS
DNS Security Risks
DNS Attack        Description
Footprinting      Building a diagram of the DNS infrastructure by
                  capturing data such as computer names and IP
                  addresses (for example by obtaining a zone transfer)
Denial-of-service Flooding a DNS server with queries to make it
                  unavailable for normal use
Data modification Falsifying records in DNS (for example through
                  unsecured dynamic updates) to impersonate servers
                  or redirect email messages
Redirection       Supplying false responses to the external queries
                  made by a DNS server, so that its cache is corrupted
                  with false information (cache poisoning)
DNS Security Policies
Security level   Description
Low              • Default configuration
                 • Use when there is no concern about DNS data
                 • Typically used when there is no external
                   connectivity
Medium           • Disables dynamic update and limits zone transfers
                 • Available without running on domain controllers
                 • Internet resolution is performed through a proxy
High             • Includes medium level security measures
                 • Must run on domain controllers to use AD-integrated
                   zones and secure dynamic updates
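The PowerShell below is an added example, not part of the course material, that ties the attack table to the medium-level policy: it audits every primary zone on a server for the two settings that enable footprinting (unrestricted zone transfers) and data modification (unsecured dynamic updates), fixes them, and then enables the cache setting that counters redirection. It assumes the DnsServer module (Windows Server 2012 or later; dnscmd equivalents are shown in comments) and a placeholder server name; run it with -WhatIf first.

```powershell
# Added example: audit primary zones against the "medium" policy and remediate,
# then enable cache-pollution protection. Assumptions: DnsServer module
# (Windows Server 2012+); server name is a placeholder; supports -WhatIf.
[CmdletBinding(SupportsShouldProcess)]
param([string]$Server = 'dns1.corp.example.com')
Import-Module DnsServer

function Get-ZonePolicyFindings {
    param([string]$ComputerName)
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            [pscustomobject]@{
                Zone         = $_.ZoneName
                OpenTransfer = $_.SecureSecondaries -eq 'TransferAnyServer'  # footprinting risk
                OpenUpdate   = $_.DynamicUpdate -eq 'NonsecureAndSecure'     # data modification risk
                AdIntegrated = $_.IsDsIntegrated
            }
        }
}

$findings = Get-ZonePolicyFindings -ComputerName $Server
$findings | Format-Table -AutoSize

foreach ($f in $findings) {
    if ($f.OpenTransfer -and $PSCmdlet.ShouldProcess($f.Zone, 'restrict zone transfers to the zone NS')) {
        # Medium level: only servers listed in the zone's NS records may pull it.
        # dnscmd equivalent: dnscmd $Server /ZoneResetSecondaries <zone> /SecureNs
        Set-DnsServerPrimaryZone -ComputerName $Server -Name $f.Zone -SecureSecondaries TransferToZoneNameServer
    }
    if ($f.OpenUpdate -and $PSCmdlet.ShouldProcess($f.Zone, 'disable unsecured dynamic update')) {
        # Secure update needs an AD-integrated zone (the high level); a
        # file-backed zone has dynamic update switched off instead.
        $mode = if ($f.AdIntegrated) { 'Secure' } else { 'None' }
        Set-DnsServerPrimaryZone -ComputerName $Server -Name $f.Zone -DynamicUpdate $mode
    }
}

# Redirection: discard records in a response that are outside the domain that
# was queried ("secure cache against pollution").
# dnscmd equivalent: dnscmd $Server /Config /SecureResponses 1
if ($PSCmdlet.ShouldProcess($Server, 'enable cache pollution protection')) {
    Set-DnsServerCache -ComputerName $Server -PollutionProtection $true
}
Get-DnsServerCache -ComputerName $Server | Select-Object PollutionProtection
```

The audit function is deliberately separate from the remediation loop so it can be scheduled on its own and its output compared over time; a zone that drifts back to TransferAnyServer or NonsecureAndSecure is then visible before it is exploited.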
Lesson 3: Designing a WINS Name Resolution
Strategy
• Options for NetBIOS Name Resolution
• Scenarios Requiring Multiple WINS Servers
• WINS Fault Tolerance
• DNS GlobalNames Zone
Options for NetBIOS Name Resolution
Broadcast
  • Suitable only for a single subnet
LMHOSTS
  • Suitable for small environments
  • Reduces broadcast traffic
  • Requires static IP addresses
WINS
  • Suitable for organizations of all sizes
  • Reduces broadcast traffic
  • Does not require static IP addresses
WINS Fault Tolerance
Plan for fault tolerance:
• Determine the maximum allowable downtime of the WINS server
• Use a secondary WINS server for redundancy
Configure clients for fault tolerance:
• Clients should point to the local WINS server as their primary
• Clients should point to the hub WINS server as their secondary, so
that name resolution continues when the local server is down
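As an added example (not part of the course material), the PowerShell below configures a client the way the last two bullets describe, with the local WINS server first and the hub second, and then reads back what the adapter is using. The adapter name and both addresses are placeholders; the netsh form used is the long-standing `interface ip` syntax.

```powershell
# Added example: give a client a local primary WINS server and the hub as
# secondary, then confirm the setting. Assumptions: adapter name and WINS
# addresses are placeholders.
$Adapter   = 'Ethernet'
$LocalWins = '10.0.2.5'   # WINS server in the client's own site
$HubWins   = '10.0.1.5'   # central hub WINS server, used only if the local one fails

# Primary (index 1) and secondary (index 2) WINS servers for the adapter
netsh interface ip set wins name="$Adapter" source=static addr=$LocalWins
netsh interface ip add wins name="$Adapter" addr=$HubWins index=2

# Verify: WMI exposes the primary and secondary WINS server per adapter
Get-CimInstance Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled -and $_.WINSPrimaryServer } |
    Select-Object Description, WINSPrimaryServer, WINSSecondaryServer

# Release and re-register this client's NetBIOS names with the new primary,
# so the local WINS server owns them instead of whatever server was used before
nbtstat -RR
```

The order matters: a client only falls back to the secondary after the primary fails to answer, so putting the hub first would send every query across the WAN link even while the local server is healthy.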
Lesson 4: Designing WINS Replication and
Integration
• Selecting a WINS Replication Type
• Selecting a Partner Replication Method
Selecting a WINS Replication Type
Push replication:
• Replicates after a specified number of changes has accumulated
• Batching changes reduces network traffic
Pull replication:
• Replicates after a specified period of time
• Ensures that all changes are replicated, even on a quiet server
that never reaches its push threshold
Selecting a Partner Replication Method
Automatic partner configuration:
• Uses multicasts to automatically configure replication partners;
partners are discovered from their announcements, so use it only on
a network where an unauthorized WINS server cannot announce itself
• Is best suited to three WINS servers or fewer
Manual partner configuration:
• Allows complete flexibility in design
• Results in better scalability
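The PowerShell below is an added example, not part of the course material, of manual partner configuration that uses both replication types: each server pushes after a batch of changes and pulls on a timer so that nothing is missed. The two addresses are placeholders, and the parameter names passed to `netsh wins server set pushpartnerconfig` and `set pullpartnerconfig` are an assumption to check against the `/?` help on your server version.

```powershell
# Added example: make a hub and a branch WINS server push/pull partners of each
# other with explicit thresholds, then trigger and verify replication.
# Assumptions: addresses are placeholders; check the set push/pullpartnerconfig
# parameter names against `netsh wins server set pushpartnerconfig /?` first.
$Hub    = '10.0.1.5'   # hub WINS server
$Branch = '10.0.2.5'   # branch WINS server behind a WAN link

# type=2 makes the partner both push and pull (0 = pull only, 1 = push only)
netsh wins server \\$Hub    add partner server=$Branch type=2
netsh wins server \\$Branch add partner server=$Hub    type=2

# Push: replicate once this many changes have accumulated (batching saves WAN traffic)
netsh wins server \\$Hub    set pushpartnerconfig server=$Branch update=50
netsh wins server \\$Branch set pushpartnerconfig server=$Hub    update=50

# Pull: poll the partner every 30 minutes (interval is in seconds) so that a
# quiet server that never reaches the push threshold still converges
netsh wins server \\$Hub    set pullpartnerconfig server=$Branch interval=1800
netsh wins server \\$Branch set pullpartnerconfig server=$Hub    interval=1800

# Start an immediate replication and list the partners on each server to verify
netsh wins server \\$Hub    init replicate
netsh wins server \\$Hub    show partner
netsh wins server \\$Branch show partner
```

Configuring each server explicitly, rather than relying on multicast discovery, is what makes the partner list auditable: the output of `show partner` on every server should match the design, and any server that appears there without having been added by this script is worth investigating.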