When you install the DNS server role on a Windows Server 2008 or Windows Server 2008 R2 computer, the DNS Manager Microsoft Management Console (MMC) snap-in is automatically installed, providing you with all the tools required to manage and administer DNS. When you install AD DS, the DNS zones needed for administering DNS in the AD DS domain are added to your DNS installation. This section introduces you to server-specific settings that you can configure from the DNS server’s Properties dialog box.
From the DNS Manager snap-in, right-click the DNS server and choose Properties to display the dialog box shown in the image below. This dialog box enables you to configure a comprehensive range of server-specific properties. The more important properties are discussed in this section.
Forwarding
The act of forwarding refers to the relaying of a DNS request from one server to another one when the first server is unable to process the request. This is especially useful in resolving Internet names to their associated IP addresses. By using a forwarder, the internal DNS server passes off the act of locating an external resource, thereby reducing its processing load and network bandwidth. The use of forwarding is also helpful for protecting internal DNS servers from access by unauthorized Internet users. It works in the following manner:
Step 1. A client issues a request for a fully qualified domain name (FQDN) in a zone for which its preferred DNS server is not authoritative (for example, an Internet domain such as http://www.google.com).
Step 2. The local DNS server receives this request but has zone information only for the internal local domain and checks its list of forwarders.
Step 3. Finding the IP address of an external DNS server (such as one hosted by the company’s ISP), it forwards the request to the external server (forwarder).
Step 4. The forwarder attempts to resolve the required FQDN. Should it not be able to resolve this FQDN, it forwards the request to another forwarder.
Step 5. When the forwarder is able to resolve the FQDN, it returns the result to the internal DNS server by way of any intermediate forwarders, which then returns the result to the requesting client.
You can specify forwarders from the Forwarders tab of the DNS server’s Properties dialog box, as shown in Figure 4-2. Click Edit to open the Edit Forwarders dialog box shown in Figure 4-3. In the space provided, specify the IP address of a forwarder and click OK or press Enter. The server will resolve this IP address to its FQDN and display these in the Forwarders tab. You can also modify the sequence in which the forwarding servers are contacted by using the Up and Down command buttons, or you can remove a forwarding server by selecting it and clicking Delete.
You can also specify forwarders from the command line by using the dnscmd command. Open an administrative command prompt and use the following command syntax:
dnscmd ServerName /ResetForwarders MasterIPaddress … [/TimeOut Time] [/Slave]
The parameters of this command are as follows:
■ ServerName: Specifies the DNS hostname of the DNS server. You must include this parameter; use a period to specify the local computer.
■ /ResetForwarders: Indicates that you are configuring a forwarder.
■ MasterIPaddress …: Specifies a space-separated list of one or more IP addresses of DNS servers to which queries are forwarded.
■ /TimeOut: Specifies a timeout setting in seconds.
■ /Slave: Determines whether the DNS server uses recursion when querying for the domain name specified by ZoneName.
Conditional Forwarders
You can configure a DNS server as a conditional forwarder. This is a DNS server that handles name resolution for specified domains only. In other words, the local DNS server will forward all the queries that it receives for names ending with a specific domain name to the conditional forwarder. This is especially useful in situations where users in your company need access to resources in another company with a separate AD DS forest and DNS zones, such as a partner company. In such a case, specify a conditional forwarder that directs such queries to the DNS server in the partner company while other queries are forwarded to the Internet. Doing so reduces the need for adding secondary zones for partner companies on your DNS servers.
The DNS snap-in provides a Conditional Forwarders node where you can specify forwarding information. Use the following procedure to specify conditional forwarders:
Step 1. Right-click the Conditional Forwarders node and choose New Conditional Forwarder.
Step 2. Type the DNS domain that the conditional forwarder will resolve and the IP address of the server that will handle queries for the specified domain.
Step 3. If you want to store the conditional forwarder information in AD DS, select the check box provided and choose an option in the drop-down list that specifies the DNS servers in your domain or forest that will receive the conditional forwarder information. Then click OK.
Information for the conditional forwarder you have configured is added beneath the Conditional Forwarders node in the DNS Manager snap-in. Name queries for the specified DNS domain will now be forwarded directly to this server.
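The forwarding sequence above and the conditional-forwarder rule can be modelled in a few lines. This is an added example, not code from the original text or from Windows; the zone names, partner domains and forwarder addresses (RFC 5737 documentation ranges) are constructed, and the "most specific domain wins" tie-break between overlapping conditional forwarders is an assumption of the model.

```python
# Added example, not from the original text: a model of where a Windows DNS
# server sends a query it is not authoritative for. Zone names, domains and
# forwarder addresses (RFC 5737 documentation ranges) are constructed.

def name_in_domain(name: str, domain: str) -> bool:
    """True when `name` equals `domain` or lies beneath it (case-insensitive)."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)

def resolution_plan(name, local_zones, conditional, forwarders, forward_only):
    """Return the ordered list of (step, targets) the server would try for `name`.

    local_zones  - zones this server is authoritative for
    conditional  - {domain: [forwarder IPs]} entries under Conditional Forwarders
    forwarders   - the general Forwarders tab list, in contact order
    forward_only - True when set with /Slave: never fall back to root hints
    """
    if any(name_in_domain(name, z) for z in local_zones):
        return [("authoritative", None)]
    # Conditional forwarders win over general forwarders; the most specific
    # (longest) matching domain is chosen, so hr.partner.example beats partner.example.
    matches = [d for d in conditional if name_in_domain(name, d)]
    if matches:
        return [("conditional", list(conditional[max(matches, key=len)]))]
    plan = []
    if forwarders:
        # Step 3 of the text: forwarders are contacted in the order listed.
        plan.append(("forwarders", list(forwarders)))
    if not forward_only:
        # Without /Slave the server recurses from the root hints if every forwarder fails.
        plan.append(("root-hints", None))
    return plan

# Constructed configuration for an internal server
LOCAL_ZONES = ["corp.example"]
CONDITIONAL = {"partner.example": ["192.0.2.10"], "hr.partner.example": ["192.0.2.20"]}
FORWARDERS = ["198.51.100.1", "198.51.100.2"]   # e.g. the ISP's resolvers

if __name__ == "__main__":
    for q in ["fs01.corp.example", "intranet.hr.partner.example", "www.google.com"]:
        print(q, "->", resolution_plan(q, LOCAL_ZONES, CONDITIONAL, FORWARDERS, True))
```

The last case shows the security value of /Slave: with forward-only set, an internal server whose forwarders are unreachable fails the query instead of contacting Internet root servers itself.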
Root Hints
Whenever a DNS server is unable to resolve a name directly from its own database or with the aid of a forwarder, it sends the query to a server that is authoritative for the DNS root zone. Recall from Chapter 2 that the root is the topmost level in the DNS hierarchy. The server must have the names and addresses of these root servers stored in its database to perform such a query. These names and addresses are known as root hints, and they are stored in the cache.dns file, which is found at %systemroot%\system32\dns. This is a text file that contains NS and A records for every available root server.
When you first install DNS on a server connected to the Internet, it should download the latest set of root hints automatically. You can verify that this has occurred by checking the Root Hints tab of the server’s Properties dialog box. You should see a series of FQDNs with their corresponding IP addresses.
If your internal DNS server does not provide access to Internet name resolution, you can improve network security by configuring the root hints of the internal DNS servers to point to the DNS servers that host your root domain and not to Internet root domain DNS servers. To modify the configuration on this tab, perform one or more of the following actions:
■ Click Add to display the New Name Server Record dialog box, from which you can manually type the FQDNs and IP addresses of one or more authoritative name servers.
■ Select an entry and click Edit to display the Edit Name Server Record dialog box, which enables you to modify it or add an additional IP address to an existing record.
■ Select an entry and click Remove to remove a record.
■ Click Copy from Server to copy a list of root hints from another DNS server. Type the DNS name or IP address in the dialog box that appears. This action is useful if your server was not connected to the Internet at the time DNS was installed.
■ Although this is not a recommended action, you can also edit the cache.dns file using a text editor such as Notepad.
NOTE: You can also use the Configure a DNS Server Wizard to configure root hints for your server. Right-click your server in the console tree of the DNS Manager snap-in and choose Configure a DNS Server. Then select the Configure root hints only (recommended for advanced users only) option from the Select Configuration Action page of the wizard.
Configuring Zone Delegation
As you have seen, you can divide your DNS namespace into a series of zones. By delegating a zone, you can hand its management to another location or workgroup within your company. Configuring zone delegation involves creating delegation records in the parent zone that point to the authoritative DNS servers for the zone being delegated. Doing so transfers authority and also provides correct referrals to other DNS servers and to clients that use these servers for name resolution.
Zone delegation offers the following benefits:
■ You can delegate the administration of a portion of your DNS namespace to another office or department in your company.
■ You can subdivide your zone into smaller zones for load balancing of DNS traffic among multiple servers. This also enables improved DNS name resolution performance and fault tolerance.
■ You can extend the namespace by adding additional subdomains for purposes such as adding new branch offices or sites.
You can use the New Delegation Wizard to create a zone delegation. The wizard uses the information you supply to create name server (NS) and host (A or AAAA) resource records for the delegated subdomain. Perform the following procedure:
Step 1. Right-click the parent zone in the console tree of DNS Manager and choose New Delegation. This starts the New Delegation Wizard.
Step 2. Click Next and then enter the name of the delegated subdomain.
Step 3. As shown in the next screenshot, the wizard appends the parent zone name to form the FQDN of the domain being delegated. Click Next and then click Add.
Step 4. In the New Name Server Record dialog box, type the FQDN and IP address of the DNS server that is authoritative for the subdomain and then click OK. Repeat if necessary to add additional authoritative DNS servers.
Step 5. The servers you’ve added are displayed on the Name Servers page of the wizard. When finished, click Next and then click Finish.
You can also use the dnscmd utility to perform zone delegation from the command line. Open an administrative command prompt and use the following command:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] NS {HostName|FQDN}
Debug Logging
The DNS server also supports debug logging of packets sent to and from the DNS server to a text file named dns.log. This file is stored in the %systemroot%\system32\dns folder. To configure logging, right-click the server in the DNS Manager snap-in and choose Properties. Click the Debug Logging tab to display the logging options.
By default, no logging is configured. Select the Log packets for debugging check box, which makes all other check boxes available.
To view the DNS log, first stop the DNS service by right-clicking the DNS server in DNS Manager and choosing All Tasks > Stop. Then open the log in either Notepad or WordPad. When you are finished, restart the DNS service by right-clicking the DNS server and choosing All Tasks > Start.
Event Logging
The Event Logging tab of the DNS server’s Properties dialog box enables you to control how much information is logged to the DNS log, which appears in Event Viewer. You can choose from one of the following options:
■ No events: Suppresses all event logging (not recommended).
■ Errors only: Logs error events only.
■ Errors and warnings: Logs errors and warnings only.
■ All events: Logs informational events, errors, and warnings. This is the default. Choosing either the Errors only or Errors and warnings option might be useful to reduce the amount of information recorded to the DNS event log.
DNS Security Extensions
DNS in itself is vulnerable to certain types of intrusions such as spoofing, man-in-the-middle, and cache-poisoning attacks. Because of this, DNS Security Extensions (DNSSEC) was developed to add additional security to the DNS protocol. Outlined in Requests for Comments (RFCs) 4033, 4034, and 4035, DNSSEC is a suite of DNS extensions that adds security to the DNS protocol by providing origin authority, data integrity, and authenticated denial of existence. Although an older form of DNSSEC was used in Windows Server 2003 and the first iteration of Windows Server 2008, DNSSEC has been updated completely according to the specifications in the just-mentioned RFCs. The newest form of DNSSEC is available for Windows Server 2008 R2 and Windows 7 only.
DNSSEC enables DNS servers to use digital signatures to validate responses from other servers and resolvers. Signatures are stored in a new type of resource record called DNSKEY within the DNS zone. On resolving a name query, the DNS server includes the appropriate digital signature with the response, and the signature is validated by means of a preconfigured trust anchor. A trust anchor is a preconfigured public key associated with a specific zone. The validating server is configured with one or more trust anchors. Besides DNSKEY, DNSSEC adds RRSIG, NSEC, and DS resource records to DNS. You can view zones that are signed with DNSSEC in the DNS Manager tool, and you can view the trust anchors from the Trust Anchors tab of the DNS server’s Properties dialog box.
To specify a trust anchor, click Add. Provide the information requested in the New Trust Anchor dialog box, including its name and public key value, and then click OK. The public key value must be a Base64-encoded value; for more information on the public key format, refer to http://www.rfc-archive.org/getrfc.php?rfc=4034. Doing so adds the trust anchor to the Trust Anchors tab and enables its use for validating DNS query responses.
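Before pasting a Base64 public key into the New Trust Anchor dialog box it is worth checking what the key actually is. The following added example (not code from the original text or from Windows) decodes a DNSKEY's Base64 value, reports the flags (a trust anchor is normally a zone key with the Secure Entry Point bit set, flags value 257) and computes the key tag from RFC 4034 Appendix B, which is the number that DS records and most DNSSEC tooling use to refer to the key. The sample key bytes are a constructed placeholder, not a real key.

```python
# Added example, not from the original text: inspect a DNSKEY record's Base64
# public key value and compute its RFC 4034 Appendix B key tag.
import base64
import struct

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (flags, protocol, algorithm, public key).
    This is the RFC 4034 Appendix B algorithm for every algorithm except 1 (RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # even offsets are the high byte of a 16-bit word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(flags: int, protocol: int, algorithm: int, public_key_b64: str) -> dict:
    """Return the DNSKEY fields plus the derived facts an administrator checks
    when adding the key as a trust anchor."""
    key = base64.b64decode(public_key_b64, validate=True)
    if protocol != 3:
        # RFC 4034 section 2.1.2: any other value makes the record unusable for DNSSEC.
        raise ValueError("DNSKEY protocol field must be 3")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + key
    return {
        "flags": flags,
        "zone_key": bool(flags & 0x0100),  # bit 7 set: key may sign zone data
        "sep": bool(flags & 0x0001),       # bit 15 set: Secure Entry Point (KSK)
        "algorithm": algorithm,
        "key_bytes": len(key),
        "key_tag": key_tag(rdata),
    }

# Constructed sample: KSK flags 257, protocol 3, algorithm 8 (RSA/SHA-256) with a
# 4-byte placeholder key "AQIDBA==" (bytes 01 02 03 04). Real keys are far longer.
SAMPLE = parse_dnskey(257, 3, 8, "AQIDBA==")

if __name__ == "__main__":
    print(SAMPLE)
```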
Advanced Server Options
The Advanced tab of the DNS server’s Properties dialog box contains a series of options that you should be familiar with.
Server Options
The Server options section of this dialog box contains the following six options, the last three of which are selected by default:
■ Disable recursion: Prevents the DNS server from forwarding queries to other DNS servers, as described later in this section. Select this check box on a DNS server that provides resolution services only to other DNS servers because unauthorized users can use recursion to overload a DNS server’s resources and thereby deny the DNS Server service to legitimate users.
■ BIND secondaries: During zone transfer, DNS servers normally utilize a fast transfer method that involves compression. If UNIX servers running a version of Berkeley Internet Name Domain (BIND) prior to 4.9.4 are present, zone transfers will not work. These servers use a slower uncompressed data transfer method. To enable zone transfer to these servers, select this check box.
■ Fail on load if bad zone data: When selected, DNS servers will not load zone data that contains certain types of errors. The DNS service checks name data using the method selected in the Name Checking drop-down list on this tab.
■ Enable round robin: Enables round robin, as described later in this section.
■ Enable netmask ordering: Prioritizes local subnets so that when a client queries for a hostname mapped to multiple IP addresses, the DNS server preferentially returns an IP address located on the same subnet as the requesting client.
■ Secure cache against pollution: Cache pollution takes place when DNS query responses contain malicious items received from nonauthoritative servers. This option prevents attackers from adding such resource records to the DNS cache. The DNS servers ignore resource records for domain names outside the domain to which the query was originally directed. For example, if you sent a query for que.com and a referral provided a name such as windows-scripting.info, the latter name would not be cached when this option is enabled.
Round Robin
Round robin is a load-balancing mechanism used by DNS servers to distribute name resolution activity among all available DNS servers. If multiple A or AAAA resource records are found in a DNS query (for example, on a multihomed computer), round robin sequences these resource records randomly in repeated queries for the same computer. An example in which round robin is useful is a situation where you have multiple terminal servers in a server farm that users access for running applications. DNS uses round robin to randomize the sequence in which users accessing the terminal servers reach given servers.
By default, round robin is enabled on Windows Server 2008 R2 DNS servers. You can verify or modify this setting from the Advanced tab of the DNS server’s Properties dialog box already shown in Figure 4-10. Select or clear the check box labeled Enable round robin as required.
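The three Advanced-tab behaviours that shape what a client receives (secure cache against pollution, netmask ordering and round robin) can be shown together on one constructed response. This is an added example, not code from the original text or from Windows: the response records are invented, the bailiwick rule is modelled as "owner name must lie within the domain the query was directed to", and round robin is modelled as a per-name rotation so the result is checkable, where the text describes it as randomized sequencing.

```python
# Added example, not from the original text: a model of the "Secure cache against
# pollution", "Enable netmask ordering" and "Enable round robin" options applied
# to one constructed response. Addresses and names are invented.
import ipaddress

def in_bailiwick(owner: str, queried_domain: str) -> bool:
    """True when `owner` is `queried_domain` or lies beneath it."""
    owner, queried_domain = owner.lower().rstrip("."), queried_domain.lower().rstrip(".")
    return owner == queried_domain or owner.endswith("." + queried_domain)

def secure_cache(records, queried_domain):
    """records are (owner, rrtype, data) tuples. Drop anything outside the domain
    the query was directed to, as the page's que.com / windows-scripting.info example describes."""
    return [r for r in records if in_bailiwick(r[0], queried_domain)]

def order_addresses(addrs, client_ip, rotation, netmask_ordering=True, round_robin=True, prefix=24):
    """Order the A record data as the server would hand it to `client_ip`.
    `rotation` stands in for the server's per-name counter that advances on every query."""
    addrs = list(addrs)
    if round_robin and addrs:
        k = rotation % len(addrs)
        addrs = addrs[k:] + addrs[:k]      # rotate the list instead of shuffling it
    if netmask_ordering:
        # Netmask ordering is applied after round robin: same-subnet addresses move to the front.
        client_net = ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False)
        local = [a for a in addrs if ipaddress.ip_address(a) in client_net]
        addrs = local + [a for a in addrs if a not in local]
    return addrs

# Constructed response to a query for www.que.com that was directed at que.com.
RESPONSE = [
    ("www.que.com", "A", "10.1.1.10"),
    ("www.que.com", "A", "10.1.2.10"),
    ("www.que.com", "A", "10.1.1.11"),
    ("que.com", "NS", "ns1.que.com"),
    ("ns1.que.com", "A", "10.1.1.53"),
    ("windows-scripting.info", "A", "203.0.113.9"),   # out of bailiwick: must not be cached
]

def answer(query_name, queried_domain, client_ip, rotation, **opts):
    """Filter the response, then order the A records for this client and query number."""
    kept = secure_cache(RESPONSE, queried_domain)
    addrs = [d for o, t, d in kept if o == query_name and t == "A"]
    return order_addresses(addrs, client_ip, rotation, **opts)

if __name__ == "__main__":
    for n in range(3):
        print(n, answer("www.que.com", "que.com", "10.1.2.77", n))
```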