Exploring DNS Server properties


   Until now we have learned how to install and configure a DNS Server (either DC or Stand-alone) and we’ve familiarized ourselves with the theoretical concepts of this service. In today’s article we will discover and learn about DNS properties.
   Before proceeding to explore the DNS properties I want to talk a little about what a Caching-only DNS Server is. If you’ve never heard this term it might sound a little confusing. The term “caching” refers to information that is kept in the Server’s memory once a query is resolved. Every DNS Server contains a local cache in which responses to queries are stored until the TTL value is reached, the machine is rebooted or the cache is emptied manually. TTL (time-to-live) is a value that determines how long a record is kept in memory before it is flushed. You can view the cached information of your DNS Server by typing ipconfig /displaydns in a command prompt. When a query is sent to the DNS resolver, it will first check its local cache for the desired resource. If the record is found, then the response is sent directly to the client. A Caching-only server does not need any maintenance after its first installation, so it’s a good option for serving DNS queries where there is no technical representative present. Another aspect of such a Server is that resources found in the local cache are resolved immediately. To enable a Caching-only DNS server you need to add the DNS service and ensure that the root hints are configured properly.
   The DNS properties can be accessed from the DNS console. Note that settings configured here are applied to all zones on the server. Open the console, navigate to the Server’s name, right click on it and select Properties:
DNS server properties
We will talk about each of the tabs available in this pane:
Interfaces – here you can specify which interfaces will be used to respond to queries. This feature applies to DNS Servers with multiple network interfaces (each interface will have a different IP address). By selecting the interfaces on which the Server listens for requests, you can isolate queries to a certain portion of your network. By default, the DNS Server will respond to requests on all its interfaces; you can change this behavior by selecting the “Only the following IP addresses” option.
DNS interfaces
In the Forwarders section we can configure one or more DNS Servers that will be used by the present server to respond to DNS queries that cannot be resolved locally:
DNS forwarders
When a query is received by a DNS server and cannot be resolved, it will forward the request to another server specified in this section. Forwarders can be used in many situations: to provide faster response times by placing a caching server in front of multiple DNS servers, to resolve names between different domains in an Active Directory infrastructure, or to resolve requests through a secure channel. To add a forwarder to your DNS server, press the Edit button and add the IP address or the name of the forwarder. You can also set the number of seconds before the queries time out:
DNS forwarders
There is another type of DNS forwarder called a conditional forwarder. These are DNS Servers to which queries for certain domains are sent to be resolved. There is a dedicated section in the DNS console for conditional forwarders. Right click the section and select New Conditional Forwarder:
Conditional forwarder
But why should you use conditional forwarders? Often, in large enterprises there are trusts between multiple domains. Such a company would have multiple AD sites for each domain and each domain would have its own DNS infrastructure. To facilitate communications between different domains, you can set up Conditional Forwarders for each domain.
Advanced section – is used to enable or disable multiple features that can change the Server’s behavior. I will try to briefly describe each of these options:
DNS advanced properties
  • Disable Recursion – if you enable this feature the DNS server will not perform any recursive queries to resolve names.
  • BIND Secondaries – this option enables the DNS Server to perform zone transfers with BIND servers that use a version earlier than 4.9.4. The DNS server uses compression for sending multiple records in a single TCP packet to increase transfer speed. If you are using BIND servers to communicate with your Windows Server, ensure that this option is enabled to perform slower and uncompressed zone transfers.
  • Fail on Load if Bad Zone Data – the server will stop loading a zone once errors are detected in the zone data.
  • Enable Round Robin – if there are multiple IP addresses pointing to the same host record the DNS server will respond to queries using each IP in turn. By disabling this feature the server will always respond with the first match in the zone.
  • Enable Netmask Ordering – a DNS zone may contain host records that point to multiple IP addresses. By default, Windows Server 2008 will compare the DNS client’s subnet with the IP addresses of host records hosted in the zone. If a host record that is part of the same subnet as the client is found, the server will order the records based on the subnet. By enabling this option, the response speed will be increased.
  • Secure Cache Against Pollution – if you enable this feature the DNS server will not cache records from servers that are not authoritative for those particular resources. This ensures that the server will not cache spoofed records.
  • In the name checking section you specify what standard will be used to read names. There are four options available: Strict RFC (ANSI), Non RFC (ANSI), Multibyte (UTF8), or All names.
  • Load Zone Data on Startup – this feature specifies the location from where the zone data is loaded. By default, the zone is loaded from Active Directory and registry but you can change the settings to load data from DNS files or registry.
  • Enable Automatic Scavenging of Stale Records – you can enable this feature to automatically delete records that do not exist anymore. Remember that aging and scavenging apply to records that are dynamically added on the server using DDNS.
  • Reset to Default – this option will load the default settings for the advanced section.
Root Hints – this section is used to add, change or remove root DNS Servers. “Root hints resolve queries for zones that do not exist on the local DNS server. They are only used if forwarders are not configured or fail to respond”:  
Root Hints
The root servers database is stored in C:\Windows\System32\dns in the Cache.dns file. If you modify entries here they will be visible in the DNS console:
DNS Root Hints
Monitoring – you can verify the configuration of the server by performing certain tests available in this section:
DNS Monitoring
You can run either a simple or a recursive query in a specified time interval. The results can be viewed in the bottom section.
Trust Anchors – “are used to validate secure DNS (DNSSEC) responses from remote DNS servers. Configure Trust Anchors in the form of public keys in the DNSKEY format to validate signed DNS responses”:
Trust Anchors
Event Logging – you can select what events are logged by the DNS Server. You have several options available, but it is recommended that you set the server to log all events:
DNS event logging
Debug Logging – from this tab you can configure the server to log network packets for debugging. In certain cases you can enable this feature to debug problems regarding requests or problems with the Server. There are multiple check-boxes that can be enabled to save certain data from network packets. All data is saved in a log file specified in the bottom section:
DNS debug logging
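The settings on the Interfaces, Advanced, Event Logging and Debug Logging tabs can also be read from PowerShell and checked in one pass. The following is an added example, not part of the original article; it assumes the DnsServer module is available, and the function names, the -AuthoritativeOnly switch and the sample values are made up for illustration.

```powershell
# Added example, not from the original article.
# Assumes the DnsServer PowerShell module (Windows Server 2012 or later).

function Get-DnsSecuritySnapshot {
    # Reads the live values behind the tabs described above.
    $recursion = Get-DnsServerRecursion
    $diag      = Get-DnsServerDiagnostics
    [pscustomobject]@{
        RecursionEnabled    = $recursion.Enable
        SecureResponse      = $recursion.SecureResponse
        PollutionProtection = (Get-DnsServerCache).EnablePollutionProtection
        ListeningAddresses  = @((Get-DnsServerSetting -All).ListeningIPAddress)
        EventLogLevel       = $diag.EventLogLevel
        DebugLogToFile      = $diag.EnableLoggingToFile
    }
}

function Test-DnsSecuritySnapshot {
    param(
        [Parameter(Mandatory)] $Snapshot,
        [switch] $AuthoritativeOnly   # hypothetical switch: server should not recurse
    )
    $findings = @()
    if (-not ($Snapshot.SecureResponse -and $Snapshot.PollutionProtection)) {
        $findings += 'Cache pollution protection is off; non-authoritative records may be cached.'
    }
    if ($AuthoritativeOnly -and $Snapshot.RecursionEnabled) {
        $findings += 'Recursion is enabled on a server that should only answer for its own zones.'
    }
    if ($Snapshot.ListeningAddresses.Count -gt 1) {
        $findings += "Listening on $($Snapshot.ListeningAddresses.Count) addresses; confirm each interface should answer queries."
    }
    # Assumption: level 4 or higher means "all events", the setting the article recommends.
    if ($Snapshot.EventLogLevel -lt 4) {
        $findings += "Event log level is $($Snapshot.EventLogLevel); not all events are logged."
    }
    if ($Snapshot.DebugLogToFile) {
        $findings += 'Debug logging to file is on; turn it off once troubleshooting is finished.'
    }
    $findings
}

# Constructed sample so the checks can be tried without a DNS server.
$sample = [pscustomobject]@{
    RecursionEnabled = $true; SecureResponse = $false; PollutionProtection = $true
    ListeningAddresses = @('10.0.0.10', '192.0.2.10')
    EventLogLevel = 2; DebugLogToFile = $true
}
Test-DnsSecuritySnapshot -Snapshot $sample -AuthoritativeOnly
```

On a DNS server, replace the sample with live data: Test-DnsSecuritySnapshot -Snapshot (Get-DnsSecuritySnapshot).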
That’s it for this post folks, hope you will find it useful. Please share your thoughts about this topic and if you think there are other things that need to be mentioned here, don’t hesitate to leave a comment. Have a great day and stay tuned for the following articles from IT training day.