Domain Name System

  • Slides: 32

Domain Name System
• DNS is a client/server protocol which provides Name to IP Address Resolution.

DNS Terms And Concepts
• Domain Name Space
  – Fully Qualified Domain Name (FQDN)
• DNS Server
• DNS Client (Resolver)
• Query
  – Recursive
  – Iterative
• DNS Zone Types
• DNS Record Types
• DNS Forwarder
• Client Configuration

DNS Name Space
• A DNS Namespace is a hierarchical tree in which each node represents a named domain
• Each level of the domain namespace is separated by a period
• The first level of the tree is where you’ll find the top-level domains which form the base of the DNS namespace.

DNS Name Space
[Diagram: namespace tree with the example name SRV01.SALES.SOUTH.CONTOSO.COM.]

DNS Name Space
[Diagram: host DC01.Sales.South.Contoso.com; FQDN = DC01.Sales.South.Contoso.COM.]

Server
• DNS Server
  – A computer running the Domain Naming System (DNS) Service
  – Hosts a namespace or portion of a namespace (Domain)
  – Is “authoritative” for a namespace or Domain
  – Resolves name resolution requests submitted by DNS Clients (DNS Client=Resolver)

[Diagram: a DNS server that “owns” the contoso.com name space and is therefore authoritative for that space.]

[Diagram: query for Mail2 – the server that “owns” the contoso.com name space is authoritative for that space and answers with an authoritative “NO”: “I own this space and there is no such record.”]

[Diagram: a DNS server that “owns” the microsoft.com namespace is not authoritative for contoso.com and therefore sends the query to another DNS server.]

Recursive Query
• Client Side
  – The DNS Client typically issues a Recursive Query to its configured name server
  – This says, in effect, “don’t return until you have an answer or have failed to find an answer” to the query.
• Server Side
  – When the Server receives a Recursive Query, unless Recursion is disabled, the server “goes to work” for the client.
  – Queries other name servers until it resolves the client’s query, or fails to do so.
  – Responds to the client with the resolved address or a “failure” message.

Iterative Query
• Asks for “Final Answer” or “Closer Server”
• Typically used between servers during resolution of client requests:
  – Lower-level server will issue Iterative queries to top-level servers
  – Reduces workload on top-level servers
• Response to an Iterative Query:
  – Requested address
  – Authoritative “No”
  – A Referral, if the server recognizes the domain name being queried and knows a server address for that domain.
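The recursive/iterative split on the two slides above, as an added example that is not part of the original deck: a toy root / com / contoso.com namespace (constructed, as are the server names and the 10.0.0.5 address) in which each server answers an iterative query with an address, an authoritative “No” or a referral, and the client’s configured server walks the referrals on the client’s behalf after checking its own cache.

```python
# Constructed toy namespace: one authoritative server per zone. Each zone holds
# A records for names it owns and NS delegations for child zones it hands off.
ROOT = {"records": {}, "delegations": {"com.": "com-server"}}
COM = {"records": {}, "delegations": {"contoso.com.": "contoso-server"}}
CONTOSO = {"records": {"srv01.contoso.com.": "10.0.0.5"}, "delegations": {}}
SERVERS = {"root-server": ROOT, "com-server": COM, "contoso-server": CONTOSO}


def in_zone(qname, zone):
    """True if the fully qualified qname lies at or below zone."""
    return qname == zone or qname.endswith("." + zone)


def iterative_query(server_name, qname):
    """One iterative query: the server answers only from what it holds and
    never asks another server. Returns (kind, value) with kind one of
    'answer' (requested address), 'nxdomain' (authoritative "No") or
    'referral' (name of a closer server)."""
    server = SERVERS[server_name]
    if qname in server["records"]:
        return "answer", server["records"][qname]
    # Prefer the most specific (longest) delegated child zone that covers qname.
    for child, ns in sorted(server["delegations"].items(), key=lambda kv: -len(kv[0])):
        if in_zone(qname, child):
            return "referral", ns
    return "nxdomain", None


def recursive_resolve(qname, cache, recursion_enabled=True, max_hops=10):
    """What the client's configured server does with a recursive query: check
    its cache, then start at the root and follow referrals until it has the
    address or an authoritative "No". Returns (ip_or_None, hops_taken)."""
    if qname in cache:
        return cache[qname], 0
    if not recursion_enabled:
        return None, 0            # recursion disabled: server does no work for the client
    server, hops = "root-server", 0
    while hops < max_hops:
        hops += 1
        kind, value = iterative_query(server, qname)
        if kind == "answer":
            cache[qname] = value  # remembered for the next client asking the same name
            return value, hops
        if kind == "nxdomain":
            return None, hops     # "failure" message goes back to the client
        server = value            # follow the referral to the "closer server"
    return None, hops
```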

DNS Zone Terminology
• Zone – A collection of name/address mappings for hosts within a contiguous portion of the DNS namespace
• Zone Data is maintained on a DNS Server:
  – Flat “zone file” containing lists of mappings
  – Stored in Active Directory database
• A server is “authoritative” for a zone if it can resolve names and addresses requested by clients
  – In most cases a zone corresponds to a domain, subdomain, or contiguous series of domains and subdomains

DNS Zone Types
• Forward Lookup Zone – Resolves Names to IP Address
  – A (Host) Record
  – SRV
  – CNAME
  – Etc.
• Reverse Lookup Zone – Resolves IP Addresses to Host Names
  – PTR (Pointer) Records

The Root or “dot” (.) Zone
• The DNS server that is authoritative for the Root Zone “owns” the entire namespace.
• It is the “top” of the hierarchy and does not refer to or forward queries to any other server.
• This would be a zone defined within a root hint DNS server in the top-level domains

Record Types:
– A (Host)
– PTR (Pointer)
– NS (Name Server)
– SOA (Start of Authority)
– SRV (Service Record)
– CNAME (Alias)
– MX (Mail Exchanger)
– Etc.

Record Types Defined
• A (Host)
  – Primary entry for any computer or device on the network
  – Resolves host name to IP address
• PTR (Pointer)
  – Reverse lookup entry, resolves IP Address to host name
• NS (Name Server)
  – Identifies a named host as a DNS Server for a zone
• SOA (Start of Authority)
  – Identifies primary DNS name server with “authority” to resolve names for a given zone

Additional Record Types Defined
• SRV (Service Record)
  – Indicates availability of a given service on a given host
  – Example: Windows® Domain Controllers register SRV Records which are used to direct client logon requests…
• CNAME (Alias)
  – Typically relates a well known “common name” to a specific host name.
  – Example: “WWW” is commonly registered as a CNAME record for Web servers
• MX (Mail Exchanger)
  – Identifies E-Mail Servers
  – Example: MS Exchange registers an MX record

DNS Forwarder
• DNS Servers can be configured to forward queries to designated “Forwarders”
• Forwarders
  – Handle all non-local queries
  – Enabling forwarders allocates the burden of resolving unknown names to designated server(s)

DNS Client Configuration
• Client Configuration is Critical
  – Server Addresses
  – DNS Suffix Configuration
  – Dynamic updates
• Windows clients rely on DNS Name Resolution to perform key functions:
  – Locate/Connect to DCs for authentication
  – Locate/Connect to Servers
  – Locate/Connect to Web Servers

Client Configuration – DNS Server Addresses
• Server Addresses
  – Preferred DNS Server Address
  – Alternate DNS Server Address(es)
• Sends query to Preferred DNS server
• Alternate DNS Server used ONLY if Preferred is not available.

Preferred & Alternate DNS Server Configuration: static config
• The Preferred DNS Server is the one the client tries first…
• If the Preferred Server is not available, the client tries the Alternate DNS Server (if so configured)…

Preferred & Alternate DNS Server Configuration: static config
• Optionally, you can enter a whole list of Alternate DNS Servers
• The Preferred and Alternate Servers specified on the previous Properties page automatically appear at the top of this list, and Preferred and Alternates are queried in order listed…

Preferred & Alternate DNS Server Configuration: dynamic config

Name Query Resolution
• When a host name is submitted to DNS:
  – Resolver first checks the cache (if caching enabled)
  – If the name is in the cache, the data is returned to the user
  – If the name is not in the cache, the resolver queries the DNS servers listed in the TCP/IP properties.

Client Configuration - DNS Suffixes
• If the query cannot be resolved as is, then suffixes are systematically appended to the name in the query
  – Primary DNS Suffix
  – Connection-specific DNS Suffix
  – Domain Suffix Search List
• Client is configured to use either Primary and Connection-Specific or Suffix Search List

Configuring Domain Suffixes
• Primary DNS Suffix: System Properties > Computer Name > Change > More

Configuring Domain Suffixes
• Suffix Selection Option
• Domain Suffix Search List
• Connection-specific Suffix
• Client uses either Primary and Connection-specific or Suffix Search List, not both!

Nitpicking DNS Naming Terminology
• Fully Qualified Domain Name – Srv1.Sales.Contoso.Com.
  – Terminating period makes it Fully Qualified!
• Unqualified Multi-label Name – Srv1.Sales.Contoso.Com
  – No Period!
• Single-label Unqualified Name – Srv1
  – No domain suffix!
  – No info to “qualify” name or indicate where in the namespace to look for this host

How Suffixes are Applied
• If client submits FQDN (including period)
  – Resolver uses FQDN submitted
• If client submits multi-label unqualified name (no period)
  – Resolver adds terminating period and uses that name
• If multi-label name submitted with period fails to resolve, or if client submits single-label unqualified name (no suffix)
  – Resolver appends specified Suffixes, adds period, and keeps trying!
  – The suffixes it appends depend on how the DNS Suffix property is configured

Example: Primary & Connection-specific setting
• Resolver appends Primary and Connection-specific suffixes
  – Resolver appends Primary Domain Name from System Properties > Computer Name > Change > More
  – Resolver “devolves” domain name from left to right
  – Tries Parent of specified domain
  – If that fails, tries “Parent of Parent”
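The suffix rules from “How Suffixes are Applied” and the devolution example above, as an added example that is not part of the original deck: given the name a user typed and the client’s suffix settings, it returns the fully qualified names the resolver would submit, in order. The domain names are constructed, and the point at which devolution stops (once a two-label parent is reached) is an assumption the slides do not state.

```python
def devolve(domain, min_labels=2):
    """Parents of domain from left to right: 'sales.south.contoso.com' gives
    ['south.contoso.com', 'contoso.com']. Stopping once min_labels remain is
    an assumption; the slides do not say where devolution ends."""
    labels = domain.split(".")
    parents = []
    while len(labels) > min_labels:
        labels = labels[1:]                 # drop the leftmost label
        parents.append(".".join(labels))
    return parents


def candidate_names(name, primary_suffix=None, connection_suffix=None,
                    search_list=None, use_devolution=True):
    """Ordered list of fully qualified names the resolver submits for `name`.
    Either the Primary/Connection-specific pair or the Suffix Search List is
    in effect, never both; a non-empty search_list selects the list."""
    if name.endswith("."):
        return [name]                       # FQDN: used exactly as submitted
    candidates = []
    if "." in name:                         # multi-label unqualified name:
        candidates.append(name + ".")       # terminating period added, tried first
    if search_list:
        suffixes = list(search_list)        # search list used as given, in order
    else:
        suffixes = [s for s in (primary_suffix, connection_suffix) if s]
        if use_devolution and primary_suffix:
            suffixes += devolve(primary_suffix)   # parent, then parent of parent
    for suffix in suffixes:                 # suffixes appended, period added, keep trying
        fq = f"{name}.{suffix}."
        if fq not in candidates:
            candidates.append(fq)
    return candidates
```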