Zone in Windows Server 2012

Ayman B. (أ. ابراهيم العديني)

Posted on 17-Jul-2015

When you install the DNS service on a Windows Server 2012 server, a list of the Internet root servers is preloaded by default. These servers are known as the root hints; I will talk more about them later.

Let’s follow the process of how this DNS server would handle name resolution queries from client computers and other devices.

1. A user types something like www.google.com or clicks on a hyperlink for google.com in a browser.

2. If the local DNS server does not know the IP address of www.google.com, it queries a root DNS server asking for the location of the .com DNS servers.

3. After getting a response from a root DNS server, the local DNS server queries a .com DNS server requesting the location of the google.com DNS servers.

4. Once the .com DNS server has responded, the local DNS server contacts the google.com DNS server asking for the IP address of www.google.com.

5. After the google.com DNS server provides that information, the local DNS server returns www.google.com’s IP address to the user’s computer, making it possible for that computer to complete a connection to www.google.com.

Not every name resolution query to a DNS server will follow the preceding steps. Caching and forwarding configuration can change how DNS servers handle the process.

Caching – Let’s say that a local DNS server goes through these 5 steps to resolve a new name to an IP address. Once the local DNS server learns that information, it caches the results for a few hours. From that point on, any new name resolution query for the same name will be served off the DNS server cache. This speeds up the name resolution process.

Forwarding – When forwarding is configured, a DNS server will forward name resolution requests to another DNS server instead of querying the root servers on the Internet. It is possible to configure conditional forwarding; a conditional forwarder is a DNS server that forwards DNS queries according to the domain name included in the query.
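As an added example (not part of the original slides), the forwarding and caching behaviour described above expressed with the Windows Server 2012 DnsServer module; the server addresses, the partner.example name and the cache limits are assumed values chosen for illustration:

```powershell
# Added example: configure forwarding and inspect/protect the cache on a
# Windows Server 2012 DNS server. Addresses and zone names are assumed values.
Import-Module DnsServer

# 1. Forwarding: send every query the server is not authoritative for to two
#    internal resolvers instead of walking the Internet root hints; fall back
#    to the root hints only if the forwarders do not answer within 3 seconds.
Set-DnsServerForwarder -IPAddress 10.0.0.10, 10.0.0.11 -UseRootHint $true -Timeout 3
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint, Timeout

# 2. Conditional forwarding: queries for partner.example go only to that
#    partner's DNS server; everything else follows the normal path. Omit
#    -ReplicationScope to keep the forwarder in a local file instead of AD.
Add-DnsServerConditionalForwarderZone -Name "partner.example" `
    -MasterServers 192.0.2.53 -ReplicationScope "Forest"

# 3. Caching: resolve a name through this server, then look at what it cached.
Resolve-DnsName -Name "www.google.com" -Server 127.0.0.1 -Type A |
    Format-Table Name, Type, TTL, IPAddress
Show-DnsServerCache | Where-Object { $_.HostName -like "*google*" } |
    Format-Table HostName, RecordType, TimeToLive, RecordData

# 4. Defensive cache settings: cap how long any record may stay cached and
#    lock cached entries so an unsolicited response cannot overwrite them
#    before their TTL expires (LockingPercent 100 = protected for the full TTL).
Set-DnsServerCache -MaxTtl ([TimeSpan]::FromHours(4)) `
    -MaxNegativeTtl ([TimeSpan]::FromMinutes(15)) -LockingPercent 100

# 5. Flush the cache (for example after a record changed upstream) so the next
#    query for that name goes through the full resolution path again.
Clear-DnsServerCache -Force
```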

The DNS data is kept in a database that can be stored in a text file or in the Active Directory database when the DNS service is configured on a domain controller.

The DNS data is organized into zones; each zone is a specific portion of the DNS namespace that is stored in a separate file or as a unit of replication when stored in Active Directory. DNS servers can host one or more zones of a particular domain. When creating an Active Directory domain, a corresponding DNS zone with the same name as the new domain must exist or be created during the process to ensure proper functionality of the directory services.

DNS zones contain different resource records. Resource records specify a resource type and the IP address used to locate the resource. DNS zones can resolve names to IP addresses or IP addresses to names for devices running the TCP/IP protocol, such as workstations, servers, routers, switches, etc.

Forward lookup zones resolve host names to IP addresses, and they answer to name queries by replying with the corresponding IP addresses that match the names in those queries.

Forward lookup zones host common resource records including IPv4 host (A), IPv6 host (AAAA), alias (CNAME), service (SRV), mail exchanger (MX), start of authority (SOA), and name server (NS) resource records. Both IPv4 and IPv6 host names can be included in the same forward lookup zone on Windows Server 2012.

Reverse lookup zones resolve IP addresses to domain names. When an IP address is part of the query, the reverse lookup zone returns the corresponding host name. Reverse lookup zones host SOA, NS, and pointer (PTR) resource records. Separate reverse lookup zones must be created for IPv4 and IPv6 on Windows Server 2012. It is possible to run a DNS infrastructure without configuring reverse lookup zones, but some important functionalities will be missing as a result and the service will generate numerous warnings and error messages.

Reverse lookup zones can be used to fight spam. Spammers use open relays (SMTP servers) on the internet to send their massive unsolicited emails and hide their identity. A mail server can perform reverse lookups to try to detect open relays; this would allow the application of traffic filtering from those open relays which can prevent or minimize unwelcome spam.

Earlier I mentioned that when installing DNS on Windows Server 2012 a list of Internet root server addresses (root hints) is preloaded by default. These root hints point to the top-level DNS servers on the Internet. These servers hold information about the top-level domains like .com, .org, .net, .edu, etc. When installing the DNS service, this information is copied from the cache.dns file, which by default is located in the %windir%\system32\dns directory.

Besides the forward and reverse lookup zones that we reviewed in our previous DNS article, there are four different zone types that can be configured on a Windows Server 2012 DNS server.

Primary zone. A DNS server can read and write data on a primary zone. This is possible because the DNS server stores the master copy of the zone data either in a text file or in the Active Directory database if DNS is installed on a domain controller. If a local file is used, the file is named after the zone with a .dns extension, like zone_name.dns, and is saved to the %windir%\system32\dns directory by default. When a file is used, the primary DNS server is the only one that has a writable copy of the database. A DNS server is authoritative for the records that it holds in a primary zone. That means that if the DNS server receives a name resolution query for a name in the domain of the primary zone, it responds with a definitive yes or no answer; the authoritative DNS server will not forward that query to any other DNS server.

Secondary zone. A DNS server can read, but not write, data on a secondary zone. A secondary zone is a copy of a primary zone hosted by another DNS server. The information in the secondary zone is obtained and updated via zone transfers from that server. A read-only text file is used to store the information locally; secondary zones cannot be stored in the Active Directory database. A DNS server is authoritative for the records that it holds in a secondary zone.

Stub zone. A stub zone is a limited copy of a zone that consists of the following records: start of authority (SOA) resource records, name server (NS) records, and host name (A) records. These records are used to identify the zone’s authoritative DNS servers. The DNS server holding the stub zone is not authoritative for that zone. When this DNS server receives a name resolution query for the zone, it must ask one of the authoritative DNS servers listed in the stub zone.
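As an added example (not part of the original slides), the three standard zone types created with the Windows Server 2012 DnsServer module, with the primary restricted so that only its named secondary may pull a zone transfer; the zone name corp.example and the 10.0.0.x addresses are assumed values, and each section is meant to run on the server named in its comment:

```powershell
# Added example: file-backed primary, secondary and stub zones. Zone name and
# addresses are assumed values; run each section on the indicated server.
Import-Module DnsServer
$Zone = "corp.example"

# --- On the primary server (10.0.0.5): the only writable copy, stored in a file ---
Add-DnsServerPrimaryZone -Name $Zone -ZoneFile "$Zone.dns" -DynamicUpdate None
Add-DnsServerResourceRecordA     -ZoneName $Zone -Name "www"  -IPv4Address 10.0.0.80
Add-DnsServerResourceRecordCName -ZoneName $Zone -Name "mail" -HostNameAlias "www.$Zone"

# Zone transfers: allow them only to the listed secondary and notify it of
# changes. TransferAnyServer would hand the complete zone to any client that
# asks for it, so it is the setting to avoid on an exposed server.
Set-DnsServerPrimaryZone -Name $Zone -SecureSecondaries TransferToSecureServers `
    -SecondaryServers 10.0.0.6 -Notify NotifyServers -NotifyServers 10.0.0.6

# --- On the secondary server (10.0.0.6): read-only copy fed by zone transfer ---
Add-DnsServerSecondaryZone -Name $Zone -ZoneFile "$Zone.dns" -MasterServers 10.0.0.5
# Pull the zone now rather than waiting for the SOA refresh interval.
Start-DnsServerZoneTransfer -Name $Zone -FullTransfer

# --- On a server elsewhere in the organisation: stub zone, not authoritative ---
Add-DnsServerStubZone -Name $Zone -MasterServers 10.0.0.5 -ZoneFile "$Zone.dns"

# --- On any of them: confirm which role this server holds for the zone ---
Get-DnsServerZone -Name $Zone |
    Format-List ZoneName, ZoneType, IsDsIntegrated, SecureSecondaries, SecondaryServers

# A primary or secondary lists every record; a stub zone shows only the
# SOA, NS and the A records of the name servers it must refer queries to.
Get-DnsServerResourceRecord -ZoneName $Zone | Format-Table HostName, RecordType, RecordData
```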

There are several benefits of using Active Directory integrated zones, among them:

Secure dynamic updates. Dynamic updates allow DNS clients to register their resource records in the DNS database automatically, without manual intervention. This feature is available on standard primary zones; however, only Active Directory integrated DNS zones can be configured for secure dynamic updates. This means that you can set permissions on the zone to allow only authorized computers to register in the DNS database.

Secure replication topology. There is no need to configure zone transfers on Active Directory integrated zones the way you have to with standard primary and secondary zones. With Active Directory integrated zones, the DNS data is transferred automatically as part of Active Directory replication. All AD replication is encrypted by default.

Increased resilience. There is no single point of failure when you have multiple domain controllers holding Active Directory integrated zones. Each domain controller has a read/write copy of the DNS zone; this allows changes and automatic updates performed on any domain controller to be replicated across the domain or the forest using the powerful Active Directory replication engine.

Security permissions. Like any other Active Directory object, you can delegate administration and apply individual permissions to zones and resource records by modifying the access control list (ACL) on the zone. See below the Security tab on the properties of an Active Directory integrated zone:
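As an added example (not part of the original slides), creating Active Directory integrated forward and reverse zones that accept only secure dynamic updates, finding zones still set to the looser policy, and reading the ACL behind the Security tab from PowerShell; the zone name corp.example, the 10.0.0.0/24 subnet and the ForestDnsZones distinguished name are assumed values, and the ACL check assumes the ActiveDirectory module (RSAT) is present:

```powershell
# Added example: AD-integrated zones with secure dynamic updates. Zone name,
# subnet and the distinguished name of the zone object are assumed values.
Import-Module DnsServer
Import-Module ActiveDirectory    # provides the AD: drive used to read the zone ACL

$Zone = "corp.example"

# Forward zone stored in the forest-wide DNS application partition. It is
# replicated by AD replication, so no zone-transfer configuration is needed.
# -DynamicUpdate Secure: only authenticated domain members may register records.
Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope Forest -DynamicUpdate Secure

# Matching reverse lookup zone for 10.0.0.0/24 (Windows Server 2012 needs
# separate reverse zones for IPv4 and IPv6 ranges).
Add-DnsServerPrimaryZone -NetworkId "10.0.0.0/24" -ReplicationScope Domain -DynamicUpdate Secure

# Tighten any AD-integrated zone left at NonsecureAndSecure, the setting that
# lets an unauthenticated host overwrite another host's record.
Get-DnsServerZone |
    Where-Object { $_.IsDsIntegrated -and $_.DynamicUpdate -ne "Secure" } |
    ForEach-Object { Set-DnsServerPrimaryZone -Name $_.ZoneName -DynamicUpdate Secure }

# Review: every AD-integrated zone with its replication scope and update policy.
Get-DnsServerZone | Where-Object IsDsIntegrated |
    Format-Table ZoneName, ReplicationScope, DynamicUpdate, IsReverseLookupZone

# The ACL shown on the Security tab is the ACL of the dnsZone object in the
# DNS application partition. DN assumes the forest root domain is corp.example.
$ZoneDN = "DC=$Zone,CN=MicrosoftDNS,DC=ForestDnsZones,DC=corp,DC=example"
(Get-Acl -Path "AD:\$ZoneDN").Access |
    Where-Object { $_.AccessControlType -eq "Allow" -and
                   $_.ActiveDirectoryRights -match "Write|GenericAll|CreateChild" } |
    Format-Table IdentityReference, ActiveDirectoryRights, IsInherited
```

The last query lists only the principals that can change the zone, which is the set worth reviewing against the intended delegation.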

Now, let’s sign a DNS zone with DNSSEC to verify how this output changes. Here are the steps to sign the zone:

1. Open the DNS Manager, right-click on the DNS zone and select DNSSEC – Sign the Zone.

2. On the DNS Security Extensions (DNSSEC) page, click Next.

3. On the Signing Options page, select Use default settings to sign the zone, and click Next.

4. On the DNS Security Extensions (DNSSEC) page, click Next.

5. On the Signing the Zone page, click Finish.
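As an added example (not part of the original slides), the same signing with default settings done from PowerShell, followed by the checks that show how the output changes once a zone is signed; the zone name corp.example and the server address 10.0.0.5 are assumed values:

```powershell
# Added example: sign a zone with default settings and verify the result.
# Zone name and server address are assumed values.
Import-Module DnsServer
$Zone = "corp.example"

# Equivalent of the wizard's "Use default settings to sign the zone": generates
# the KSK and ZSK and adds DNSKEY, RRSIG and NSEC3 records to the zone.
Invoke-DnsServerZoneSign -ZoneName $Zone -SignWithDefault -Force

# Which keys were generated and how often they roll over.
Get-DnsServerSigningKey -ZoneName $Zone |
    Format-Table KeyType, CryptoAlgorithm, KeyLength, RolloverPeriod

# The zone is now flagged as signed and carries DNSKEY records; an unsigned
# zone reports IsSigned False and has none.
Get-DnsServerZone -Name $Zone | Format-List ZoneName, IsSigned
Get-DnsServerResourceRecord -ZoneName $Zone -RRType DnsKey |
    Format-Table HostName, RecordType, TimeToLive

# From a client: ask with the DNSSEC OK bit so the RRSIG records come back
# alongside the A record. This is the output change the signing introduces.
$Answer = Resolve-DnsName -Name "www.$Zone" -Server 10.0.0.5 -Type A -DnssecOk
$Answer | Format-Table Name, Type, TTL, Section

# Scriptable check: a signed answer contains at least one RRSIG record.
function Test-AnswerSigned {
    param([Parameter(Mandatory)] $Records)
    return [bool]($Records | Where-Object { $_.Type -eq "RRSIG" })
}
Test-AnswerSigned -Records $Answer    # True once the zone is signed

# To undo (the wizard's DNSSEC - Unsign the Zone action):
# Invoke-DnsServerZoneUnsign -ZoneName $Zone -Force
```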

Thanks for watching