DNS server & Client, part one of two


1 DNS server & Client, part one of two

Objective: to learn how to set up DNS servers.

Contents:
• The history of DNS
• An introduction to the DNS system
• Forward and reverse name lookup
• Zonefiles
• Cache, primary & secondary DNS
• Stub and delegation DNS
• DNS security
• Installing a cache-only DNS
• Installing a primary DNS
• Microsoft dnsmgmt console

What is DNS? As explained in the introduction to networking concepts chapter, the Domain Name System (DNS) is the way in which a website's name is converted to an IP address.

What's a domain? Everyone in the world has a first name and a last or "family" name; DNS is similar. A domain can be simply described as the name given to a family of websites. For example, the domain my-site.com has a number of children such as mail.my-site.com and ns.my-site.com.

What is BIND? BIND is an acronym for the "Berkeley Internet Name Domain" project, which maintains the DNS software suite that runs under Linux. The best known program in BIND is "named", the daemon that responds to DNS queries from remote machines.

What's a DNS client? A DNS client doesn't store DNS information; it always has to refer to a DNS server to get it.

What's an authoritative DNS server? These are the servers that provide the definitive information for your DNS domain, such as the names of servers and websites in it.

How do DNS servers find out your site information? There are ~thirteen "root" (super duper) authoritative DNS servers, which all DNS servers query first. These servers know all the authoritative DNS servers for the main domains such as ".com", ".net" etc. Those servers in turn keep track of all the sub-domains beneath them.

When to use a DNS caching name server? Most servers don't ask authoritative servers for DNS directly; they usually ask a caching DNS server to do it on their behalf. The caching DNS servers then store (cache) the most frequently requested information to reduce the lookup overhead of subsequent queries.

If you want to advertise your website to the rest of the world, then a regular DNS server is what you require. Setting up a caching DNS server is fairly straightforward and will work whether your ISP provides you with a static or a dynamic Internet IP address. Once you have set up your caching DNS server you will then have to configure each of your home network PCs to use it as their DNS server. If your home PCs get their IP addresses using DHCP, then you will have to configure your DHCP server to make it aware of the IP address of your new DNS server so that it can advertise it to its PC clients. Off-the-shelf router/firewall appliances used in most home networks will usually act as both the caching DNS and the DHCP server. In this case a separate DNS server is unnecessary.

When to use a static DNS server? If your ISP provides you with a "fixed" or "static" IP address, and you want to host your own website, then a regular authoritative DNS server would be the way to go. A caching DNS name server is only used as a reference; regular name servers are used as the authoritative source of information for your website's domain. Note: regular name servers are also caching name servers by default.

2 DNS history: the HOSTS.TXT file

• Through the 1970s ARPAnet was a community of some 200 to 300 computers.
• A single file contained the name-to-address mapping for all computers connected to ARPAnet.
• SRI-NIC maintained the single file.
• All computers needed to download the file once a week, then twice a week.
• The hosts.txt file is still used locally in all computers, for important servers only.
• Finally, maintaining the hosts.txt file broke down: the load, and the inconsistency of a constantly changing hosts.txt file, forced another solution, a distributed one.
• In 1984 the DNS was born, described in RFC 882/883. Today's DNS RFCs are 1034 and 1035.

SRI is the Stanford Research Institute in Menlo Park. RFC stands for "request for comments"; RFCs are used by developers to build DNS systems and by engineers for high-level troubleshooting.

3 What is DNS good for?

• IP addresses are hard to remember.
• To build the logical, name-based infrastructure: logical name to IP address, and IP address to logical name.
• To form logical name spheres, so-called domains. Logical name spheres are essential for practical delivery.
• To form the Windows Active Directory domain tree.
• To announce server resource locations: tell others where the mail servers for domains sit, where the name servers for domains sit, where the domain controllers sit, and many other resource records.

The DNS of today is the world's most common distributed database.

Public DNSes do not permit all server resource locators; only these are allowed:
• SOA: Start of Authority
• MX: Mail Exchanger (any mail system that talks SMTP or ESMTP)
• NS: Name Server
• A: Address (IN A, Internet Address)
• CNAME: Canonical name (also known as)

Trying others can cause big problems for outside name servers, and they are often stripped off when leaving your local site.

4 DNS structure

DNS tree (simplified). The namespace is organized like this:
• The single dot "." equals the root name. It represents the root name server.
• com, edu, se, biz, eu, uk, ro represent top-level domain names.
• Domain-level names are my-site, ing-steen, microsoft.
• Delegations or sub-domains are like admin.my-site, masters.ing-steen, sales.microsoft.

It is impractical to have more than four levels. Root name servers work like caching name servers; they don't have any regular zonefiles!

5 Server 2003 static hosts file

The file C:\Windows\System32\Drivers\Etc\hosts is important for the name server at startup, to find itself and other important servers. You can manage with only localhost, but it is practical to have one or two important servers here.
• The hosts file has higher priority than DNS. Beware of differences between the hosts file and DNS!
• More than 40 names in the hosts file is not practical.
• It can be replicated in small isolated communities.

localhost
router router.my-site.com
ns ns.my-site.com
mail mail.my-site.com

The hosts file is practical for the computer's private local name resolution before DNS is activated, or if DNS is unreachable.

6 NetBIOS names: Windows classic networking

• Used to locate resources in Windows domains and workgroups: printers, shared folders, computers, RPC.
• Based on broadcast.
• Limited to 15 characters.
• Stored in C:\Windows\System32\Drivers\Etc\lmhosts; can be shared.
• WINS server for NetBIOS name resolution. WINS is now replaced with DNS. It works almost like DNS, but has problems with routers.
• The DNS can act as a WINS resolver if names are shorter than 15 characters.

Try to migrate your networks to DNS.

7 DNS name resolution

Name resolution with DNS is a client/server activity. These are the steps in name resolution (simplified):
1. The client application searches for a name (forward name resolution question).
2. The client first looks in its local name cache; if the name is there, it tries to make contact.
3. The client looks in its hosts file; if the name is there, it updates the local cache and tries to make contact.
4. The client looks in the registry for the default DNS and sends a query to its IP address.
5. The name server tries to recognize my-site.com in its local zonefiles; if it is found, an answer is sent to the client. If not, the first result found is sent to the client:
   5a. The name server looks in its name resolution cache; if the name is there, an answer is sent to the client.
   5b. The name server consults the root name servers, trying to find who has the name.
   5c. The name server sends a recursive question, if allowed, to many other name servers.
   5d. The name server updates its name resolution cache.

How a DNS query works: when a DNS client needs to look up a name used in a program, it queries DNS servers to resolve the name. Each query message the client sends contains three pieces of information, specifying a question for the server to answer:
• A specified DNS domain name, stated as a fully qualified domain name (FQDN)
• A specified query type, which can either specify a resource record by type or a specialized type of query operation
• A specified class for the DNS domain name

In general, the DNS query process occurs in two parts:
• A name query begins at a client computer and is passed to a resolver, the DNS Client service, for resolution.
• When the query cannot be resolved locally, DNS servers can be queried as needed to resolve the name.

8 The local resolver

Resolving an FQDN, forward lookup: I have a name and want the IP address.
Q1: The browser asks the DNS client service for the IP address; the DNS client service consults the local HOSTS file for the name.
A1: Reply back from the DNS client service: the IP address is…
Q2: The DNS client service consults the locally registered domain name server for the IP address.
A2: The DNS server service checks its zonefiles and DNS server cache; if found, the answer is sent to the client.
Q3: The DNS server service asks the root name servers for the IP address.
A3: The root servers send back the IP address.
Q4: The DNS server service updates the local DNS server cache (RAM memory).
A4: Next time a client asks for the name, the answer will come from the DNS server cache.
Q5: If the DNS server service is allowed, it can use recursion trying to find the name.
A5: The reply comes from some recursion to other name servers.

9 Querying a DNS server: recursion

Client query (recursive): the preferred DNS server performs the recursive query on the client's behalf.
• The first DNS server doesn't know the com zone: "Sorry, I don't know the zone, but I know who can…"
• The next one has com but doesn't know the microsoft zone, but it knows who does…
• The next one has microsoft but doesn't know the example zone, but it knows who does…
• The next one has example.microsoft.com. Congratulations, found the IP address of example.microsoft.com…

10 DNS alternate query responses

When querying a name server, different replies can come back:
• An authoritative answer indicates that the answer was obtained from a server with direct authority for the queried name.
• A positive answer: the query matches the DNS domain name and record type specified in the query message (for example, finding the mail server in a domain).
• A referral answer contains additional data.
• A negative answer indicates one of two possible results:
  A) An authoritative server reported that the queried name does not exist in the DNS namespace.
  B) An authoritative server reported that the queried name exists, but no records of the specified type exist for that name.

Often you will get a non-authoritative answer!
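The lookup order of slides 5 and 7 to 10 as a small runnable model, added here and not part of the presentation: the hosts file is consulted first, then a caching server follows referrals from a root server down to the authoritative server, caches the result, and returns the slide-10 answer kinds (authoritative, referral, the two negative cases, non-authoritative from cache). The server names, the microsoft.com records and the 192.0.2.x addresses are constructed.

```python
# Added example (not from the presentation): a toy model of the lookup order on
# slides 5 and 7-10 (hosts file first, then a caching server that walks referrals
# from the root). Server names and the 192.0.2.x addresses are constructed.
ROOT = "root-server"

# Constructed authoritative servers: the child zones each one delegates (with the
# server to refer to) and the records it holds itself.
SERVERS = {
    "root-server": {"delegations": {"com.": "com-server"}, "records": {}},
    "com-server": {"delegations": {"microsoft.com.": "ns.microsoft.com."}, "records": {}},
    "ns.microsoft.com.": {"delegations": {}, "records": {
        "example.microsoft.com.": {"A": "192.0.2.10"},
        "mail.microsoft.com.": {"A": "192.0.2.25", "MX": "10 mail.microsoft.com."},
    }},
}

def query(server, qname, qtype):
    """One iterative query to one server; returns (kind, data) as on slide 10."""
    srv = SERVERS[server]
    for child, next_server in srv["delegations"].items():
        if qname == child or qname.endswith("." + child):
            return "referral", next_server           # referral answer
    rrset = srv["records"].get(qname)
    if rrset is None:
        return "nxdomain", None                      # negative (A): name does not exist
    if qtype not in rrset:
        return "nodata", None                        # negative (B): no record of that type
    return "answer", rrset[qtype]                    # authoritative positive answer

class CachingServer:
    """The client's preferred DNS server (slides 8-9): follows referrals from the
    root and caches every final answer, including negative ones."""
    def __init__(self):
        self.cache, self.upstream_queries = {}, 0

    def resolve(self, qname, qtype="A"):
        """Return (kind, data, source, servers_asked)."""
        key = (qname, qtype)
        if key in self.cache:                        # non-authoritative answer
            return self.cache[key] + ("cache", [])
        server, trail = ROOT, []
        while True:
            self.upstream_queries += 1
            trail.append(server)
            kind, data = query(server, qname, qtype)
            if kind != "referral":
                self.cache[key] = (kind, data)
                return kind, data, "authoritative", trail
            server = data

def client_lookup(name, hosts, server):
    """Slide 7 client side: the hosts file beats DNS, so a stale entry there
    silently overrides whatever the name server would have answered."""
    if name in hosts:
        return "answer", hosts[name], "hosts", []
    return server.resolve(name, "A")
```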

11 DNS server types

Primary
• Is authoritative for all locally stored domain info (zone files).
• Can alter domain info (zone files).
• Also known as master DNS.
• Must have hostname ns.
• Replicates its zonefiles out to the secondary.
Secondary
• Receives replicated zonefiles from the primary.
• Cannot alter domain info.
Caching only / root hint
• Does not keep any zonefiles.
• Just stores resolved names in RAM memory (100 bytes per resolved name).
Forwarder
• Just forwards all queries to another DNS.
Stub zone DNS
• Limited forwarder; forwards only specific queries for selected domains.

A primary can be a secondary and the reverse; it is all configured down at zonefile level. All DNSes are also caching DNSes: they store all names resolved outside their own zonefiles in RAM memory.

12 Zone and domain

The zone can be a part of a domain or the whole domain. The zone is the collection of hosts in a specific zonefile. All hosts in a zone belong to the same domain, but not necessarily to the same subnet or even the same IP address class. Zones are commonly distributed organizationally. Domains commonly cover the whole organization together.

13 Zonefiles

Each zone needs two zonefiles:

Forward name resolution: my.site.com. This file contains the main resource records:
• NS: name servers of the zone
• MX: mail servers of the zone
• A: host address for a client or server in the zone (IN A, Internet Address)
• CNAME: alias name

Reverse name resolution: in-addr.arpa.
• PTR: reverse record

Resource Records (RR) tell us what is inside this zone and the domain name of the zone. It is practical to name the file after the domain.

ing-steen.se. IN SOA ns.ing-steen.se. root.ing-steen.se. ( 10800 3600 604800 86400 )
IN NS ns.ing-steen.se.
IN NS ns2.navab.net.
IN MX ns.ing-steen.se.
IN MX lina.ing-steen.se.
localhost IN A
router IN A
balder IN A
ns IN A
lina IN A
smile1 IN A
salomon IN A

14 Name servers need to be two!

In order to keep a stable name service:
• Have one PRIMARY name server at a central administration point.
• Set up at least one SECONDARY name server close to customers. The secondary will not only offload the primary for name resolution, it will also secure name resolution for you.

Two name servers are essential if you run public domain hosting services; you will in fact not be allowed to do "pointing" without at least two name servers. You also need an RP, a responsible person, one who receives mail for your zones. If this is not working, you will not get NIC acceptance.

15 Replicating zonefiles

Whenever one zonefile at the PRIMARY is modified, or a zone/domain is added or removed, the server PUSHes. To keep the infrastructure intact, the SECONDARY uses the zonefile's SOA header. SOA means start of authority and is first in the zonefile:
• Time to live
• Serial number

Securing the infrastructure: allow only selected name servers to access and replicate zonefiles. This is configured inside the Windows dnsmgmt console, per zonefile or globally.

A zone transfer might occur during any of the following scenarios:
• When the refresh interval expires for the zone
• When a secondary server is notified of zone changes by its master server
• When the DNS Server service is started at a secondary server for the zone
• When the DNS console is used at a secondary server for the zone to manually initiate a transfer from its master server

16 Zonefile update process

• Incremental zone transfer (IXFR)
• Full (AXFR) transfer of the zone

For servers running Windows 2000 and Windows Server 2003, incremental zone transfer through an IXFR query is supported. For earlier versions of the DNS service and for many other DNS server implementations, incremental zone transfer is not available and only full-zone (AXFR) queries and transfers are used to replicate zones.
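The replication decisions of slides 15 and 16 as a runnable model, added here and not part of the presentation: the secondary compares SOA serial numbers, the primary refuses transfers to servers outside its allowed list, and an IXFR delta is used when the secondary's serial is known, falling back to a full AXFR otherwise. Server names, serial numbers and the record sets are constructed.

```python
# Added example (not from the presentation): how a SECONDARY decides whether to pull
# a zone and which transfer type to use (slides 15-16). Server names, serials and the
# record sets are constructed.
def serial_newer(primary_serial, secondary_serial):
    """SOA serial comparison that survives 32-bit wraparound (RFC 1982)."""
    return 0 < (primary_serial - secondary_serial) % 2**32 < 2**31

class Primary:
    """Keeps every published version so it can answer IXFR from a known serial."""
    def __init__(self, allow_transfer):
        self.allow_transfer = set(allow_transfer)    # slide 15: only selected servers
        self.serial, self.versions = None, {}

    def publish(self, serial, records):
        self.serial, self.versions[serial] = serial, dict(records)

    def transfer(self, requester, have_serial, mode):
        if requester not in self.allow_transfer:
            return "refused", None
        current = self.versions[self.serial]
        if mode == "IXFR" and have_serial in self.versions:
            old = self.versions[have_serial]         # only the changed owners travel
            delta = {"del": [k for k in old if current.get(k) != old[k]],
                     "add": {k: v for k, v in current.items() if old.get(k) != v}}
            return "IXFR", (self.serial, delta)
        return "AXFR", (self.serial, dict(current))  # slide 16: full-zone fallback

class Secondary:
    def __init__(self, name, serial, records, supports_ixfr=True):
        self.name, self.serial = name, serial
        self.records, self.supports_ixfr = dict(records), supports_ixfr

    def refresh(self, primary):
        """Run when the refresh interval expires, on NOTIFY, or at service start."""
        if not serial_newer(primary.serial, self.serial):
            return "in-sync"                         # SOA serial unchanged: no transfer
        mode = "IXFR" if self.supports_ixfr else "AXFR"
        kind, payload = primary.transfer(self.name, self.serial, mode)
        if kind == "refused":
            return kind
        new_serial, data = payload
        if kind == "AXFR":
            self.records = data
        else:
            for owner in data["del"]:
                self.records.pop(owner, None)
            self.records.update(data["add"])
        self.serial = new_serial
        return kind
```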

17 Reverse lookup

The client query is for PTR records, found in the file "in-addr.arpa.". Most services do not use reverse lookup; however, some do, to prevent spoofing of domain names and hostnames.

In most DNS lookups, clients typically perform a forward lookup, which is a search based on the DNS name of another computer as stored in an address (A) resource record. This type of query expects an IP address as the resource data for the answered response. DNS also provides a reverse lookup process, enabling clients to use a known IP address during a name query and look up a computer name based on its address. A reverse lookup takes the form of a question such as "Can you tell me the DNS name of the computer that uses the IP address ?" DNS was not originally designed to support this type of query. One problem in supporting the reverse query process is the difference between how the DNS namespace organizes and indexes names and how IP addresses are assigned. If the only method to answer the previous question were to search all domains in the DNS namespace, a reverse query would take too long and require too much processing to be useful.

18 Understanding stub zones

The STUB zone can speed up name resolution because it bypasses the root name servers and goes directly to the selected zone's name servers. A stub zone consists of:
• The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
• The IP address of one or more master servers that can be used to update the stub zone.

Stub zones are often used to improve name resolution. It can take up to 4 hours for a name to be registered worldwide.

A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

19 Dynamic update

Dynamic update enables DNS client computers to register and dynamically update their resource records with a DNS server whenever changes occur. This reduces the need for manual administration of zone records, especially for clients that frequently move or change locations and use DHCP to obtain an IP address.

Dynamic updates can be sent for any of the following reasons or events:
• An IP address is added, removed, or modified in the TCP/IP properties configuration for any one of the installed network connections.
• An IP address lease changes or renews with the DHCP server for any one of the installed network connections, for example when the computer is started or if the ipconfig /renew command is used.
• The ipconfig /registerdns command is used to manually force a refresh of the client name registration in DNS.
• At startup time, when the computer is turned on.
• A member server is promoted to a domain controller.

20 Host header lookups (commonly known as virtual web server)

• Practically, you bind a hostname to a specific directory in IIS.
• Practical to use if you don't have enough IP addresses.
• Does not work with SSL: the host header is encrypted when it arrives at IIS.
• The DNS resource record CNAME is used to share the same IP address among several virtual web servers in sub-domains. Use resource record IN A in the zonefiles.

When starting your hosting service, remember that each registered domain will need:
• Two NS records
• At least one MX record and one RP in the SOA
• At least one IN A or A record for the web server
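A checker for the zonefile layout of slide 13 against the requirements stated on slides 14 and 20 and the reverse-lookup consistency of slide 17, added here and not part of the presentation: it parses a forward and a reverse zone (including the parenthesised multi-line SOA), counts NS, MX and A records, checks that the SOA carries a responsible-person mailbox, and verifies that each A record's PTR points back to the same name. The zone contents reuse the slide's ing-steen.se names, but the serial and the 192.0.2.0/24 addresses are constructed placeholders.

```python
# Added example (not from the presentation): checks the slide-13 zonefile layout
# against the rules of slides 14, 17 and 20. Zone data and 192.0.2.x addresses are constructed.
from collections import defaultdict
FORWARD_ZONE = """\
$ORIGIN ing-steen.se.
@    IN SOA ns.ing-steen.se. root.ing-steen.se. (
         2024010101 10800 3600 604800 86400 )
     IN NS  ns.ing-steen.se.
     IN NS  ns2.navab.net.
     IN MX  10 lina.ing-steen.se.
ns   IN A   192.0.2.1
lina IN A   192.0.2.2
"""
REVERSE_ZONE = """\
$ORIGIN 2.0.192.in-addr.arpa.
1    IN PTR ns.ing-steen.se.
2    IN PTR mail.ing-steen.se.
"""
def absolute(name, origin):
    return name if name.endswith(".") else name + "." + origin   # relative -> FQDN
def parse_zone(text):
    """Return [(owner, type, rdata_fields)] with every name made absolute."""
    origin, owner, buf, records = "", "", "", []
    for raw in text.splitlines():
        buf += raw + " "
        if buf.count("(") != buf.count(")"):
            continue                             # record continues (SOA parentheses)
        line, buf = buf.replace("(", " ").replace(")", " "), ""
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if not line[0].isspace():                # blank owner column = previous owner
            tok = fields.pop(0)
            owner = origin if tok == "@" else absolute(tok, origin)
        if fields[0] == "IN":
            fields.pop(0)
        rdata = [f if f.replace(".", "").isdigit() else absolute(f, origin) for f in fields[1:]]
        records.append((owner, fields[0], rdata))
    return records
def check_zone(forward, reverse):
    """Return findings; an empty list means the zone meets the slides' rules."""
    by_type = defaultdict(list)
    for owner, rtype, rdata in forward:
        by_type[rtype].append((owner, rdata))
    findings = []
    for rtype, minimum in (("NS", 2), ("MX", 1), ("A", 1)):   # slides 14 and 20
        if len(by_type[rtype]) < minimum:
            findings.append(f"need at least {minimum} {rtype} record(s)")
    if not by_type["SOA"] or len(by_type["SOA"][0][1]) < 2:
        findings.append("SOA lacks a responsible-person (RNAME) mailbox")
    ptr = {o: r[0] for o, t, r in reverse if t == "PTR"}
    for name, (ip,) in by_type["A"]:            # slide 17: reverse must confirm forward
        rev_name = ".".join(reversed(ip.split("."))) + ".in-addr.arpa."
        if ptr.get(rev_name) != name:
            findings.append(f"{ip} PTR is {ptr.get(rev_name)} but A name is {name}")
    return findings
```

With the constructed data, the only finding is the mismatched PTR for 192.0.2.2, the kind of forward/reverse disagreement that slide 17's anti-spoofing checks would reject.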

21 Install a DNS server: server installation

To install a DNS server (don't install any DNS yet):
1. Install one Win2k3 SE with default and typical settings. This is the PRIMARY name server; its hostname is "ns".
2. Open Control Panel and select the System icon.
3. Select Computer Name and click on Change.
4. Verify Computer name: ns.
5. Click on More… and enter the Primary DNS suffix of this computer: "my-site.com", or whatever this name server's domain is.
6. Click on OK to accept everything.
7. Go back to Control Panel and click on Network Connections.
8. Click on Properties, select TCP/IP and click on Properties again.
9. The PRIMARY name server must not receive a DHCP IP address: enter its IP address, subnet mask and default gateway.
10. At Preferred DNS server: remove the Alternate!
11. Go to Advanced, WINS, and disable NetBIOS over TCP/IP!
12. Accept everything.

22 Install a DNS server: DNS installation

1. Open the Windows Components Wizard.
2. In Components, select the Networking Services check box, and then click Details.
3. In Subcomponents of Networking Services, select the Domain Name System (DNS) check box, click OK, and then click Next.
4. If prompted, in Copy files from, type the full path to the distribution files, and then click OK. Required files are copied to your hard disk.

You now have a CACHING ONLY DNS.

If you do not follow these steps, it will be more difficult for you to administer your PRIMARY name server. Also remember that it MUST have the name ns; nothing else will do! A SECONDARY name server is set up in a similar way, but its name does not need to be ns. Avoid running other services on the PRIMARY name server!

23 Configure a new DNS server

To configure a new DNS server, you can use:
• the Windows interface (preferred method)
• a command line

Using the Windows interface:
1. Open DNS. To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.
2. If needed, add and connect to the applicable server in the console.
3. In the console tree, click the applicable DNS server. Where? DNS/Applicable DNS server.
4. On the Action menu, click Configure a DNS Server.
5. Follow the instructions in the Configure a DNS Server Wizard.

24 Summary

• A DNS server is used to resolve names and IP addresses.
• Configuration sits in /etc/named.conf.
• Zonefiles are in /var/named/.
• Zone transfer goes from primary to secondary.
• Stub zones speed up name resolution.
• Cache-only name server is the default setting.
• You have two files for each zone.
• Hosts can share the same IP with CNAME or in zones.
• Stop the DNS server with the dnsmgmt MMC GUI.
• Reload the DNS server with the dnsmgmt MMC GUI.
• You can restrict and set policy for queries.
• It takes time for names to update globally.
• The DNS server has a default name server.
• The primary DNS must have the name ns.

