Planning a DNS Name Resolution Strategy
© 2006 IIHT Limited
Module – Planning a DNS Name Resolution Strategy
Introduction
DNS is the most commonly used name resolution method. Internet names are assigned based on the DNS. A DNS plan involves various stages that include determining requirements for DNS servers, zones and security. The module covers the following 8 lessons:
• Lesson 1 Determining Name Resolution Requirements – explains the different names that can be resolved. It also explains the DNS requirements for a network.
• Lesson 2 Planning a DNS Server Implementation – explains the activities involved in creating a plan for installing DNS servers in the network.
• Lesson 3 Planning a Server Implementation – explains the components of a namespace plan and the best practices and guidelines for creating the namespace plan.
• Lesson 4 Planning Zones – explains the different types of zones and zone locations. It also explains the zone security considerations and guidelines for planning a zone.
Overview (contd.)
• Lesson 5 Planning Zone Replication and Delegation – explains the reasons for creating secondary zones and the principles involved in planning a zone transfer and delegation.
• Lesson 6 Integrating DNS and WINS – explains the principles of integrating WINS and DNS and the best practices that are used for WINS integration.
• Lesson 7 Planning DNS Security – explains the threats that can affect DNS and the tools provided by Windows Server 2003 to secure the DNS service.
• Lesson 8 Troubleshooting Name Resolution – explains the methods to optimize DNS performance. It also explains troubleshooting name resolution problems in DNS.
Lesson 1 – Determining Name Resolution Requirements
Introduction
Name resolution is a very important function for Internet communications. When you are planning your network infrastructure, you should plan the name resolution methods for the network. In this lesson, you will learn about:
• Defining Name Resolution
• Types of Names to be Resolved
• Determining DNS Requirements
• NetBIOS Names
• Local Host Name Resolution
Topic 1 – Defining Name Resolution
Name resolution is a process of converting a computer name to an address.
Example of a name resolution
• IIHT Web site address is www.iiht.com and its IP address is 172.68.1.1.
Topic 2 – Types of Names to be Resolved
Before planning a name resolution strategy, the types of names that are to be installed should be determined. This topic explains the types of names to be resolved.
Name types that require resolution
• Network Basic Input/Output System (NetBIOS) names
• Domain Name System (DNS) names
Topic 3 – Determining DNS Requirements
DNS requirements depend on the applications and domains hosted on a network. The following are the rules of thumb for determining DNS requirements:
• Either use DNS servers provided by the ISP or install your own DNS servers for the network.
• If you host an Internet domain on the network, you will have to configure the domain with a second-level name.
• If you host a Web server on the network, you will have to register a first-level name.
• If you are running Active Directory services on the network, you will have to install a DNS server on the network.
Topic 4 – NetBIOS Names
NetBIOS names are used by computers that run on Windows operating systems released before Windows 2000. The following are traits of NetBIOS names:
• Used by computers that run on Windows operating systems released before Windows 2000.
• Not hierarchical in its design.
• Intended for private networks and not for the Internet.
Topic 5 – Local Host Name Resolution
The Lmhosts and Hosts files are a standby method for resolving local host names.
• The Lmhosts and Hosts files are created on a computer to store important name resolution information.
• This method is rarely used.
Lesson 2 – Planning a DNS Server Implementation
Introduction
After determining the DNS requirements, you must plan the DNS server requirements. Planning a DNS server involves a list of activities. In this lesson, you will learn about:
• Planning DNS Server Capacity
• DNS Server Requirements
• Placing DNS Servers in the Network
• Determining the Number of DNS Servers
Topic 1 – Planning DNS Server Capacity
This topic lists the factors to be considered in planning DNS server capacity. These are:
• Number of zones in the network
• Size of the zone. The size of the zone can be computed based on the size of the zone file or the number of resource records that are used in the zone
• Number of IP addresses assigned to the DNS server
• Number of clients that have to be serviced by a DNS server
Topic 2 – DNS Server Requirements
This topic explains methods of arriving at DNS server requirements. These are:
• Review sample DNS server performance test results. The development and testing teams for Windows Server 2003 DNS provide these results.
• Use Windows Server 2003 monitoring tools. DNS server-related counters provide performance measurements for the DNS servers.
Topic 3 – Placing DNS Servers in the Network
This topic explains the factors to be considered in placing DNS servers in the network. These factors are:
• Client access
• Number of subnets in the network
• Making available an alternate DNS server as a backup
• Ensuring that if DNS servers on a particular subnet fail, DNS requests of the subnet clients are routed to a DNS server on a different subnet
• Ensuring that a DNS server installed to support Active Directory can also service other DNS functions of the network
Topic 4 – Determining the Number of DNS Servers
This topic explains the factors to be considered in determining the number of DNS servers to be placed on the network. These factors include:
• Traffic load on the DNS server
• Number of subdomains in the network namespace
• Use of Active Directory Service
• Requirement for backup servers
• Balancing network traffic
Lesson 3 – Planning a Namespace Strategy
Introduction
A namespace plan includes selecting names for the computers on the network. The functioning of the internal and external network must be taken into account when creating the namespace plan. In this lesson, you will learn about:
• Selecting a domain name
• Options available for DNS Namespace
• Best practices for namespace planning
• Guidelines for planning a namespace
Topic 1 – Selecting a Domain Name
This topic explains the types of domains and the factors to be considered in creating a domain.
Domain Types
• External Domain
• Internal Domain
Thumb rules for setting up external domain names
• Register multiple second level domains
• Register a single second level domain and create multiple sub-domains under it
Thumb rules for setting up internal domain names
• Keep domain names short, avoid names that are difficult to spell
• Do not have too many domain levels
• Avoid abbreviations that cannot be easily understood
• Design a proper DNS name that you do not have to change. Replacing existing DNS names is a difficult task.
Topic 2 – Options Available for DNS Namespace
There are different ways by which you can create a DNS namespace for your internal and external networks. This topic explains the following options which are available for creating a DNS namespace:
• Using the same DNS namespace
• Using separate domain names
• Using a subdomain for the internal network
Topic 3 – Best Practices for Namespace Planning
This topic explains the best practices for planning a namespace. These include:
• Use unique names throughout the organization namespace
• Do not overlap internal and external domains
• Create an Active Directory–compatible namespace if the network uses Active Directory features or plans to use them in the future
Topic 4 – Guidelines for Planning a Namespace
This topic provides the guidelines for planning a namespace for a network. These are:
• Select a DNS namespace for your domain
• Create separate namespaces for internal and external use
• Install separate servers for internal and external namespace
Lesson 4 – Planning Zones
Introduction
In a DNS plan, you must decide which zones to create in the environment. Decisions have to be taken on the type of zones and also their storage locations. These decisions will influence the placement of DNS servers in the network. In this lesson, you will learn about:
• Selecting Zone Types
• Selecting a Zone Data Location
• Considerations for Zone Security
• Guidelines for Zone Planning
Topic 1 – Selecting Zone Types
This topic explains the different zone types that are used to synchronize zone information located in different servers.
Zone types:
• Primary Zone – this is the first zone created by the user to store DNS records.
• Secondary Zone – this is the second zone which copies records from the primary zone.
• Stub Zone – this zone is created to store the name server records, that is, the IP address of the DNS server.
Topic 2 – Selecting a Zone Data Location
This topic explains the factors to be considered in selecting a zone data location. Location options and their advantages are:
• Active Directory-integrated DNS server – allows you to make updates in the DNS records on any server. Changes are reflected in all servers.
• Traditional DNS server – mainly used to integrate with an already existing system.
Topic 3 – Considerations for Zone Security
After planning zone type and storage location for the network, you will have to plan the security for the zones. This topic explains the measures to be adopted for zone security. To ensure security, you can:
• Allow only DHCP servers to update DNS server records
• Secure dynamic updates by using the Active Directory security features
• Assign zone permissions to users or groups in the Active Directory
Topic 4 – Guidelines for Zone Planning
This topic explains the guidelines to be followed when planning zones for DNS service on the network. Before zone planning, determine:
• Type of zone for the DNS
• Storage location for the zone data
• Integration process of DNS with WINS, if required
• Security requirements for the zone
Lesson 5 – Planning Zone Replication and Delegation
Introduction
DNS is a service that is required by almost all network users. To make the service available to all network users, you have to install multiple servers on the network. The DNS namespace is then managed by creating zones. In this lesson, you will learn about:
• Creating a secondary zone
• Transfer and replication of zones
• Security measures for zone transfers
• Delegating zones
• Guidelines for zone replication and delegation
Topic 1 – Creating a Secondary Zone
This topic explains reasons for creating a secondary zone in the network. Reasons for creating a secondary zone:
• Providing a backup for the DNS service
• Reducing network traffic
Topic 2 – Transferring and Replication of Zones
This topic explains the difference between zone transfer and zone replication. The differences are:
• Zone transfers occur in traditional DNS zones.
• In zone transfers, only the primary zone can enable changes to the DNS database.
• Zone replication occurs in Active Directory-integrated zones.
• In zone replication, any DNS server can make changes to the DNS database.
Topic 3 – Security Measures for Zone Transfer
This topic explains how to secure data during zone transfers. The following guidelines apply:
• Restrict zone transfers to only specific servers. The servers should be specified by their IP addresses
• Use IPSec protocol for protecting the data
• Use a VPN tunnel for transferring the data from one server to another
• Use Active Directory for transferring the data
Topic 4 – Delegating Zones
This topic explains the concept of delegating zones and its advantages.
Definition of zone delegation
• Zone delegation is the process of assigning responsibility of a sub-domain to a zone
Advantages
• Delegation helps in better management of the namespace
• Enlarges the namespace by adding more subdomains
• Helps distribute network traffic among different zones
Topic 5 – Guidelines for Zone Replication and Delegation
This topic provides the guidelines for zone replication and delegation. The guidelines are:
• Decide when to create additional zones
• Decide whether to use zone transfers or zone replication
• Decide security requirements for the DNS environment
• Decide whether you need zone delegation in your environment
Lesson 6 – Integrating DNS and WINS
Introduction
Before DNS was used as a communications standard, Microsoft networks relied on WINS for name resolution. WINS operated on NetBIOS names. Even at present, there are computers that use NetBIOS names and as a result require WINS. In this lesson, you will learn about:
• WINS Integration
• Modification of Cache Timeout Settings
• Best Practices of WINS Integration
Topic 1 – WINS Integration
This topic explains the need for integrating DNS with WINS and the process of WINS integration. WINS integration is required when a network has clients with NetBIOS names and a standard DNS server.
Integration requirements
• Standard DNS servers cannot process NetBIOS names.
• The network should contain both DNS and WINS servers.
• A DNS zone that includes WINS must be created.
Integration options
Integrating WINS on DNS server
• Disadvantages: A request is processed by both services, leading to more processor utilization and system degradation
Separate DNS and WINS Servers
• Disadvantages: Increase in network traffic between both servers
Integrating DNS on WINS
• Request is first processed by DNS. If the name does not match the database record for WINS, it is forwarded to WINS for resolution.
Topic 2 – Modification of Cache Timeout Settings
This topic explains the DNS server cache and the procedure to modify the cache timeout value for a DNS zone.
Characteristics of DNS cache
• Information received by a DNS server is stored in its cache
• Time for which the information is stored is called Time To Live (TTL)
• When WINS server data does not change frequently, data stored in the cache can remain for a longer time
• Results in a faster response and also lesser traffic exchanged between the DNS server and the WINS server
Setting cache timeout value in the DNS console
Topic 3 – Best Practices of WINS Integration
There are many best practices for integrating WINS with DNS. The most important of these are:
• Create a subdomain for the WINS server
• Transfer unresolved DNS queries to a WINS server on the network
• Configure WINS in the DNS zone
Lesson 7 – Planning DNS Security
Introduction
Providing security to the DNS service is a component of the DNS name resolution strategy. There is a risk involved if the data from the DNS server is intercepted by unauthorized users. The functioning of the enterprise will be affected if the DNS service fails. In this lesson, you will learn about:
• Identifying DNS Security Threats
• Securing the DNS Server
Topic 1 – Identifying DNS Security Threats
This topic explains the threats against which the DNS system should be protected.
Critical DNS threats include:
DNS service interruption
• Denial-of-Service (DoS)
• IP Spoofing
Unauthorized access to DNS data
• Redirection
• Footprinting
Topic 2 – Securing the DNS Server
A DNS server has to be protected against all possible threats. The following measures help to protect your DNS server and prevent service interruptions:
• Installing backup DNS servers
• Using Active Directory-integrated DNS
• Securing DNS server cache
• Securing Dynamic Updates
• Limiting DNS network interfaces
Lesson 8 – Troubleshooting Name Resolution
Introduction
It is important that the DNS server that is installed performs to optimum capacity and problems in name resolution are effectively resolved. In this lesson, you will learn about:
• Optimization of DNS Servers
• Troubleshooting Name Resolution
Topic 1 – Optimization of DNS Servers
There are several methods to optimize DNS Servers. These include:
• Disabling recursion option in Windows Server 2003
• Update to the root hints
• Disabling round robin DNS
• Disabling priority based IP addresses
• Modifying cache timeout settings
• Using caching-only servers
• Using Extension Mechanisms for DNS (EDNS0) protocol
Topic 2 – Troubleshooting Name Resolution
Troubleshooting name resolution requires problem identification. The steps in troubleshooting such problems are:
First, isolate the problem to the DNS server. Problems with connectivity could also arise due to other causes such as network connectivity.
Check if the client is able to ping the server.
Check whether the DNS Service is activated.
If the client computer is able to connect to the DNS server for name resolution, but the resolved names are incorrect, problems could be:
• Incorrect resource records
• Failed Dynamic Updates
• Failed Zone transfers
If the DNS server is able to resolve names in its domain and cannot resolve names outside the domain, the problem could be recursion failure.
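The last two steps can be checked from the DNS reply header itself. The following is an added example, not part of the original course material: it decodes the header flags of two replies (one for a name inside the server's zone, one outside) and maps them to the causes listed above. The function names, host names, 192.0.2.x addresses and the replies are constructed for illustration, and the external name is assumed to have an A record.

```python
import struct

RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1A2B):
    """Standard A query with RD (recursion desired) set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(msg):
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "ancount": an}

def fake_response(query, *, aa=False, ra=True, rcode=0, address=None):
    """Constructed server reply for the demo; not captured traffic."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = 0x8100 | (0x0400 if aa else 0) | (0x0080 if ra else 0) | rcode
    answer = b""
    if address:
        rdata = bytes(int(octet) for octet in address.split("."))
        # Compressed name pointer to the question, then TYPE, CLASS, TTL, RDLENGTH
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + rdata
    header = struct.pack("!HHHHHH", qid, flags, 1, 1 if address else 0, 0, 0)
    return header + query[12:] + answer

def resolved(h):
    return h is not None and h["rcode"] == 0 and h["ancount"] > 0

def diagnose(internal, external):
    """internal/external: raw replies (None on timeout) for a name inside the
    server's own zone and for a name outside it."""
    if internal is None and external is None:
        return "no reply: check connectivity (ping) and that the DNS service is started"
    hi = parse_header(internal) if internal else None
    he = parse_header(external) if external else None
    if not resolved(hi):
        code = RCODE.get(hi["rcode"], str(hi["rcode"])) if hi else "timeout"
        return (f"own-zone lookup failed ({code}): check resource records, "
                "dynamic updates, zone transfers")
    if resolved(he):
        return "ok"
    if he is None:
        return "recursion failure: external lookup timed out, check root hints"
    if not he["ra"]:
        return "recursion failure: server reports recursion not available (RA=0)"
    return f"recursion failure: {RCODE.get(he['rcode'], he['rcode'])} on external name"

if __name__ == "__main__":
    q_in, q_out = build_query("host1.corp.example"), build_query("www.example.org")
    good = fake_response(q_in, aa=True, address="192.0.2.10")
    print(diagnose(good, fake_response(q_out, ra=False, rcode=5)))
    print(diagnose(good, fake_response(q_out, rcode=2)))
    print(diagnose(fake_response(q_in, aa=True, rcode=3), None))
```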
Conclusion
Summary of the module
• NetBIOS and DNS are the two types of names that are to be resolved
• DNS server capacity depends on the number of clients, zones and IP addresses assigned to the DNS server
• Domains are categorized as internal and external domains
• Types of zone: Primary zone, Secondary zone and Stub zone
• Active Directory-integrated DNS service offers a more efficient and secure zone than a traditional DNS server
• Secondary zones provide zone redundancy and lesser network traffic
• DNS server is secured by providing DNS server redundancy; using Active Directory services; securing DNS server cache; securing dynamic updates; limiting network interface
• Possible errors of the DNS server are: Incorrect TCP/IP configurations, problems with the resource records and recursion failures
Question and Answer Session