Hello dear readers,
In this article we will continue discussing about the DNS service. Until now we have learned about all the important aspects and settings of this protocol and we have seen how to install and configure a DNS server. In this lesson we will learn how to create and configure DNS zones, we will talk about different zone types and replication scopes and discover more interesting feature of this service.
By now we know that except when installing and configuring the DNS service on a Domain Controller, zones must be added manually. A zone is nothing more than a database that contains records for a portion of the DNS namespace. Because there can be only one authoritative DNS server for a particular resource, it is important that you understand the different types of zones and how they influence the naming resolution mechanism.
We will start by configuring a new zone on our DNS server. If you haven’t followed the articles until this point please read those before proceeding to this lesson. Open the DNS console, navigate to your server’s name, right click it and select New Zone:
The welcome screen will appear, read the information written here and press Next. In the next window you will have to select what DNS zone type will be installed on the server. Before going any further let’s talk a little about each of the DNS zones shown here:
Primary Zone – this is the main and most important zone type that can be installed on a DNS server. A primary zone is authoritative for a certain domain so requests for resolving this particular domain will be sent to this server. Another aspect of this zone type is that it supports read and write operations. This means that records stored in a primary zone can be added and deleted either manually or through automatic updates. Because the server will host a primary zone for a domain it will also store the master copy of the zone in either Active Directory or local database (Windows/System32/Dns/zone.dns).
Secondary Zone – a secondary zone is a copy of a primary zone. This zone supports only read operations. In a secondary zone you cannot add or delete records manually, they will be replicated from the primary zone or from another secondary zone, this operation is called a zone transfer. Secondary zones are used in remote locations where the DNS service is required but there is no local technical support. You can also use secondary zones in a heavily used portion where there are many requests. By using multiple secondary zones that basically store a copy of the primary zone, you decrease the number of requests send to the primary server and thus offloading the DNS traffic. Another benefit is that in case the primarily server becomes unavailable for whatever reason, the secondary zones can carry out the requests and so you create a fault tolerant DNS infrastructure. A secondary zone cannot be stored in AD, it can only be stored in a local database.
Stub zone – the zone will store only records for Name Servers for the master zone. It will not be authoritative for the zone and is used to store an updated list of DNS servers. Using such zones throughout your domain, you increase the naming resolution speed and just like a secondary zone, you can deploy it in a location where there is not technical support available. Requests will be sent to servers stored on the stub zones and from there they will be forwarded to the primary DNS server.
The option storing the Zone in Active Directory will enable all DNS data to be integrated in Active Directory. Active Directory-integrated zones are read-write DNS zones so records can be easily modified. If you are configuring an AD-integrated zone on a RODC, the zone will support only read operations just like a secondary zone.
This option can be enabled on a Domain Controller and offers a lot of advantages:
- DNS information is replicated from one server to another using the Active Directory zone replication scope settings. Because you are using AD replication, DNS zone transfers are not needed anymore
- Records changes are automatically propagated throughout the primarily servers so entire zone transfers are not required. By eliminating this extra DNS zone transfers you eliminate extra undesired network traffic.
- Active Directory-integrated zones can offer secured zone replication.
- Because there are multiple primarily DNS servers for a particular domain and information is replicated between these servers, the infrastructure becomes fault tolerant.
If you install the DNS service on a server that is not a DC, this option cannot be enabled. This type of zone is called a Standard zone. It is a bit different than AD-integrated zones because the DNS information is stored in a local DNS database. Standard zones supports read-write operations but, there will be only one master copy of the zone. Other copies of the zone will support only read operations (secondary zones). With standard zones you don’t have fault tolerance mechanisms and zone transfers must be configured.
For now, select the primary zone and click Next. If the zone is configured on a Domain Controller and the storing the Zone in Active Directory option has been enabled then, in the next page, the Active Directory Zone Replication Scope must be configured. In this section you practically select what Domain Controllers will host the zone. The servers added in the scope will participate in the Active Directory zone replication mechanism:
From the four options available select the one that suits your needs better and then click Next.
In the next page you have to select if the zone will be either a Forward lookup zone or a Reverse lookup zone:
But what are these two types of DNS zones and which one should we install? A forward lookup zone maps names to IP addresses and a reverse lookup zone maps IP addresses to names. Basically, if a query for a certain name is made, the forward lookup zone will return the IP address of that resource and if a query is made for an IP address, the reverse lookup zone will return the name that corresponds with that address. A forward lookup zone will adopt the domain name for which the zone is configured and a reverse lookup zone will adopt for its name the last three octets (written in reverse) of the network IP address plus in-addr.arpa. We will discover in a future article the different types of DNS records available, for now, you’ll need to know that DNS records from a reverse lookup zone are named PTR records and records stored in a forward lookup zone are named Host records.
For our example, we will configure a forward lookup zone, select it and then press Next. In the next pane we have to enter the domain name for which the server will be authoritative:
Type in the domain name and then press Next. In the Dynamic Updates page you have to select what type of dynamic updates the zone will accept. There are three options available:
By default, the wizard will select the Allow only secure dynamic updates. This is recommended because updates will be received only from devices that are part of the domain. This is a protection mechanism for DNS information because data cannot be altered by unknown computers. If you select the “Allow both nonsecure and secure dynamic updates” option, the server will accept DNS updates by any computer. If the last option is selected then the DNS server will not accept any updates so DNS information will be modified manually.
Select the first option and then click Next. The last window will display a short brief of the zone, if you click Finish the zone will be created:
After creating the zone, some DNS records will be added automatically. We will discuss about DNS records types in the next article. If You’ve enjoyed this article don’t forget to rate and share it. If you think there are more things that needs to be mentioned on this topic don’t hesitate to leave a comment. Enjoy your day and stay tuned for the next article from IT training day.