DNS Zones
• DNS records kept in zones
• DNS server is authoritative for a domain if it hosts the zone for that domain
• Sub-domains can be kept in same zone as long as they are contiguous
  – Example: west.Company.com can be kept in the same zone as Company.com.
DNS Zones Continued
• Zones are either “Forward Lookup” or “Reverse Lookup”
  – “Forward Lookup” zones resolve FQDNs to IP addresses
  – “Reverse Lookup” zones resolve IP addresses to FQDNs
FQDNs vs IP Addresses
• FQDN: Client1.company.com
• IP address: 192.168.1.10/24
Tips
• “Reverse Lookup” zones are written backwards.
  – The zone for the 192.168.1.0 network is named 1.168.192.in-addr.arpa; it provides IP to FQDN name resolution for that network.
Tips Continued
• The DNS server in an nslookup command is listed as “UnKnown” unless you create a reverse lookup zone.
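The two tips above in working form, as an added example that is not part of the slides: it creates the reverse lookup zone for the 192.168.1.0/24 network on a Windows DNS server and registers a PTR record for the DNS server itself, which is what lets nslookup print the server's name instead of “UnKnown”. The DNS server name dns1.company.com and its address 192.168.1.10 are assumptions; the DnsServer PowerShell module (DNS Server role or RSAT) is required.

```powershell
# Added example (not from the slides). Assumed values: 192.168.1.0/24 network,
# DNS server dns1.company.com at 192.168.1.10. Requires the DnsServer module.

$Network   = '192.168.1.0/24'         # assumed network
$ZoneName  = '1.168.192.in-addr.arpa' # the network written backwards
$DnsHost   = 'dns1.company.com'       # assumed DNS server FQDN
$DnsHostIp = '192.168.1.10'           # assumed DNS server address

# Create the reverse lookup zone as a standard (file-backed) primary zone
# if it does not already exist. -NetworkId derives the backwards zone name.
if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $Network -ZoneFile "$ZoneName.dns"
}

# In a /24 reverse zone the PTR record name is the last octet of the address.
$PtrName = ($DnsHostIp -split '\.')[-1]   # "10"

# Add the PTR record for the DNS server unless it is already present.
$existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $PtrName `
    -RRType Ptr -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordPtr -ZoneName $ZoneName -Name $PtrName -PtrDomainName $DnsHost
}

# Verify: ask the server to resolve its own address back to a name.
Resolve-DnsName -Name $DnsHostIp -Type PTR -Server $DnsHostIp |
    Select-Object Name, NameHost
```

After this, `nslookup` run against 192.168.1.10 shows dns1.company.com as the server, because the resolver's first step is a reverse lookup of the server address.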
DNS Zones Continued
• There are two main types of zones that can be created:
  – Standard zones
  – Active Directory Integrated zones
Recap
• DNS records kept in zones
• “Forward lookup:” Name to IP
• “Reverse lookup:” IP to name
  – Written backwards
• Each can be either a Standard or an Active Directory Integrated (ADI) zone
Standard Zones
• Standard zones are kept in text files in %systemroot%\system32\dns, named <domain name>.dns (for example, Company.com.dns).
Standard Zones Continued
• Two types of Standard zones:
  – Standard Primary: the only read/write copy of the zone
  – Standard Secondary: read-only, used for fault tolerance and load balancing.
Standard Zones Continued
• Modifications to Standard zones must be made on the Primary
• Clients can only update records by contacting the Primary
• Updates to the Primary are sent to the Secondary using zone transfers
Zone Transfers
• Two triggers for zone transfers:
  – Refresh Interval
  – DNS Notify
• Zone transfers:
  – Require permission
  – Always initiated by the Secondary zone
Zone Transfers Continued
• Best security: “Allow zone transfers:” “Only to the following servers”
• Second choice: “Allow zone transfers:” “Only to servers listed on the Name Servers tab”
• Avoid “Allow zone transfers:” “To any server”
Zone Transfers Continued
• The “Name Servers” tab lists authoritative DNS servers
Zone Transfers Continued
1. Secondary requests a copy of Primary’s “Start of Authority” (SOA) record
   – “Serial number:” starts at 1 and increments to infinity
2. If “Serial number:” on Primary is higher than Secondary’s, Secondary initiates zone transfer
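The serial comparison in steps 1 and 2, reproduced from the administrator's side as an added example (not from the slides): it fetches the SOA record of a zone from the primary and from a secondary with `Resolve-DnsName` and reports whether the secondary is behind, which is the same test the secondary itself makes before it starts a transfer. A secondary that stays behind across refresh intervals is the usual sign that transfers are being refused or blocked. The zone company.com and the addresses 192.168.1.10 (primary) and 192.168.1.11 (secondary) are assumptions.

```powershell
# Added example (not from the slides). Assumed values: zone company.com,
# primary 192.168.1.10, secondary 192.168.1.11. Uses the built-in DnsClient module.

function Get-ZoneSerial {
    param(
        [Parameter(Mandatory)] [string] $ZoneName,
        [Parameter(Mandatory)] [string] $Server
    )
    # -Server queries the given DNS server directly instead of the client's resolver.
    $soa = Resolve-DnsName -Name $ZoneName -Type SOA -Server $Server -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
    if (-not $soa) { throw "No SOA record for $ZoneName returned by $Server" }
    return [uint32] $soa.SerialNumber
}

function Test-SecondaryCurrent {
    param(
        [Parameter(Mandatory)] [string] $ZoneName,
        [Parameter(Mandatory)] [string] $PrimaryServer,
        [Parameter(Mandatory)] [string] $SecondaryServer
    )
    $primarySerial   = Get-ZoneSerial -ZoneName $ZoneName -Server $PrimaryServer
    $secondarySerial = Get-ZoneSerial -ZoneName $ZoneName -Server $SecondaryServer

    [pscustomobject]@{
        Zone            = $ZoneName
        PrimarySerial   = $primarySerial
        SecondarySerial = $secondarySerial
        # A higher serial on the primary is exactly what triggers a zone transfer.
        TransferNeeded  = ($primarySerial -gt $secondarySerial)
        # A secondary ahead of the primary means someone edited the wrong copy
        # or the primary's zone was recreated; worth investigating either way.
        SecondaryAhead  = ($secondarySerial -gt $primarySerial)
    }
}

# Usage with the assumed addresses:
Test-SecondaryCurrent -ZoneName 'company.com' `
    -PrimaryServer '192.168.1.10' -SecondaryServer '192.168.1.11'
```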
Zone Transfers Continued
• Zone transfers are in clear text.
• The only way to secure them would be a “Connection Security Rule” (IPSec)
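An added example (not from the slides) that covers both the “Allow zone transfers” settings above and the IPSec point: it audits every standard primary zone on the local server for the “To any server” setting, switches the offenders to “Only to the following servers” with an explicit secondary list, turns on DNS Notify for those servers, and adds a Connection Security Rule that requires IPsec for TCP 53 traffic from the secondaries. The secondary address 192.168.1.11 is an assumption, as is that both servers are domain-joined so the rule's default (Kerberos) authentication applies. Requires the DnsServer and NetSecurity modules on Windows Server.

```powershell
# Added example (not from the slides). Assumed values: authorized secondary
# 192.168.1.11; zone names are read from the server. Domain-joined servers assumed.

$Secondaries = @('192.168.1.11')   # assumed list of authorized secondary servers

function Get-ZoneTransferRisk {
    # One row per standard (non-ADI) primary zone. SecureSecondaries values:
    # NoTransfer, TransferAnyServer ("To any server"),
    # TransferToZoneNameServer ("Only to servers listed on the Name Servers tab"),
    # TransferToSecureServers ("Only to the following servers").
    Get-DnsServerZone |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsDsIntegrated -and -not $_.IsAutoCreated } |
        ForEach-Object {
            [pscustomobject]@{
                Zone    = $_.ZoneName
                Setting = $_.SecureSecondaries
                Servers = ($_.SecondaryServers -join ',')
                AtRisk  = ($_.SecureSecondaries -eq 'TransferAnyServer')
            }
        }
}

function Set-ZoneTransferRestricted {
    param(
        [Parameter(Mandatory)] [string] $ZoneName,
        [string[]] $Servers = $Secondaries
    )
    # "Only to the following servers": transfers go only to the listed addresses.
    Set-DnsServerPrimaryZone -Name $ZoneName -SecureSecondaries TransferToSecureServers `
        -SecondaryServers $Servers
    # DNS Notify: tell those secondaries as soon as the serial number changes.
    Set-DnsServerPrimaryZone -Name $ZoneName -Notify NotifyServers -NotifyServers $Servers
}

# Report first, then fix only the zones that allow transfers to any server.
$risk = Get-ZoneTransferRisk
$risk | Format-Table -AutoSize
$risk | Where-Object AtRisk | ForEach-Object { Set-ZoneTransferRestricted -ZoneName $_.Zone }

# Zone transfers run over TCP 53 in clear text. This Connection Security Rule
# requires IPsec for that traffic, but only with the authorized secondaries,
# so ordinary client queries are unaffected.
$ruleName = 'DNS zone transfers - require IPsec'
if (-not (Get-NetIPsecRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetIPsecRule -DisplayName $ruleName -Protocol TCP -LocalPort 53 `
        -RemoteAddress $Secondaries -InboundSecurity Require -OutboundSecurity Require
}
```

The same rule has to exist on the secondaries (with the primary as the remote address), otherwise their transfer requests are dropped once the primary requires IPsec.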
Recap
• Standard Primary – the only read/write copy
• Standard Secondary – read only
• Primary transfers changes to Secondary using zone transfers:
  – Need permission for copy of zone
  – Initiated by Secondary server
  – Not secure
Active Directory Integrated Zones (ADI)
• ADI zones store DNS in Active Directory
  – Only created on Domain Controllers
  – Changes exchanged through AD replication
  – No permission needed
• Three main benefits:
  – Multi-master
  – Secure “zone transfers”
  – Secure dynamic updates
Tips
• Active Directory is a multi-master database: all copies of the zone accept updates
• Any time clients must be able to update records at more than one location, ADI zones are required
ADI Continued
• DNS info is transferred using AD replication, which is encrypted.
• “Zone transfers” are therefore automatically secure
ADI Continued
• Dynamic updates allow clients to update DNS records
• Secure Dynamic Updates record the SID of the client on the DNS record
  – Only that client can update the record
• Secure Dynamic Updates can only be enforced on ADI zones
• To limit Dynamic Updates to domain members, allow only Secure Dynamic Updates
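The dynamic update rules above as an added example (not from the slides): it audits the dynamic update setting of every primary zone on the local DNS server, switches ADI zones that still accept nonsecure updates to “Secure only”, reports standard zones instead of changing them (Secure cannot be enforced there), and shows the client SID that a secure update records as the owner of the record's AD object. Zone names come from the server; the domain company.com and the record name Client1 used by the owner lookup are assumptions, and that lookup assumes the zone lives in the DomainDnsZones partition and that the ActiveDirectory module is installed.

```powershell
# Added example (not from the slides). Zone names are read from the server.
# Assumed values for the owner lookup only: domain company.com, record Client1.

function Get-DynamicUpdateRisk {
    # DynamicUpdate values: None, NonsecureAndSecure, Secure.
    Get-DnsServerZone |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            [pscustomobject]@{
                Zone          = $_.ZoneName
                AdIntegrated  = $_.IsDsIntegrated
                DynamicUpdate = $_.DynamicUpdate
                # Nonsecure updates let any host on the network overwrite records.
                AtRisk        = ($_.DynamicUpdate -eq 'NonsecureAndSecure')
                # Secure can only be enforced on ADI zones.
                CanFix        = [bool] $_.IsDsIntegrated
            }
        }
}

function Set-SecureDynamicUpdate {
    param([Parameter(Mandatory)] [string] $ZoneName)
    # Allow only secure dynamic updates, which limits updates to domain members.
    Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate Secure
}

function Get-DnsRecordOwner {
    # Returns the owner of the record's dnsNode object in AD. After a secure
    # dynamic update this is the SID (resolved to a name) of the registering client.
    # Assumes the zone is stored in the DomainDnsZones partition of company.com.
    param(
        [Parameter(Mandatory)] [string] $RecordName,
        [string] $ZoneName = 'company.com'                      # assumed
    )
    Import-Module ActiveDirectory -ErrorAction Stop               # provides the AD: drive
    $zoneDn = "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,DC=company,DC=com"
    (Get-Acl -Path "AD:\DC=$RecordName,$zoneDn").Owner
}

$risk = Get-DynamicUpdateRisk
$risk | Format-Table -AutoSize

foreach ($z in $risk | Where-Object AtRisk) {
    if ($z.CanFix) {
        Set-SecureDynamicUpdate -ZoneName $z.Zone
    } else {
        # A standard zone cannot enforce Secure: the choices are to convert it to
        # ADI (Set-DnsServerPrimaryZone -ReplicationScope ...) or to set
        # -DynamicUpdate None. Both are design decisions, so only warn here.
        Write-Warning "$($z.Zone) is a standard zone that accepts nonsecure updates."
    }
}

# Which client registered Client1? (assumed record name)
Get-DnsRecordOwner -RecordName 'Client1'
```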
ADI Continued
• Four replication scopes:
  – “To all DNS servers running on domain controllers in this forest.”
  – “To all DNS servers running on domain controllers in this domain.”
  – “To all domain controllers in this domain.”
  – “To all domain controllers in the scope of this directory partition.”
Tips
• If DNS info must be stored on fewer than all DCs in the domain, create a directory partition
  – Can also be created using ntdsutil
ADI Continued
• The replication scope “To all domain controllers in the scope of this directory partition” requires you to first create a new partition in AD
• Then, select which Domain Controllers receive a copy
ADI Continued
• Create partition:
  dnscmd /createdirectorypartition
• Specify which DCs have a copy:
  dnscmd /enlistdirectorypartition
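The custom replication scope, from partition creation through zone creation, as an added example (not from the slides) using the DnsServer PowerShell cmdlets that correspond to the two dnscmd commands above: it creates an application directory partition, enlists only the chosen domain controllers, and then creates an ADI zone whose replication scope is that partition, so the zone reaches fewer than all DCs in the domain. The partition name DnsWest.company.com, the DCs dc1.company.com and dc2.company.com, and the zone west.company.com are assumptions; run it on a domain controller that hosts DNS.

```powershell
# Added example (not from the slides). Assumed values: partition
# DnsWest.company.com, DCs dc1/dc2.company.com, zone west.company.com.

$Partition = 'DnsWest.company.com'                    # assumed partition FQDN
$Holders   = @('dc1.company.com', 'dc2.company.com')  # assumed subset of DCs
$ZoneName  = 'west.company.com'                       # assumed zone

# 1. Create the application directory partition (dnscmd /createdirectorypartition).
if (-not (Get-DnsServerDirectoryPartition -Name $Partition -ErrorAction SilentlyContinue)) {
    Add-DnsServerDirectoryPartition -Name $Partition
}

# 2. Enlist only the chosen DCs (dnscmd /enlistdirectorypartition), one call per DC.
#    Any DC not enlisted here never receives a replica of the zone.
foreach ($dc in $Holders) {
    Register-DnsServerDirectoryPartition -Name $Partition -ComputerName $dc
}

# 3. Create the zone with the custom scope ("To all domain controllers in the
#    scope of this directory partition") and secure dynamic updates only.
if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Custom `
        -DirectoryPartitionName $Partition -DynamicUpdate Secure
}

# Verify: which DCs hold the partition, and what scope the zone ended up with.
Get-DnsServerDirectoryPartition -Name $Partition |
    Select-Object DirectoryPartitionName, Replica
Get-DnsServerZone -Name $ZoneName |
    Select-Object ZoneName, IsDsIntegrated, ReplicationScope, DirectoryPartitionName
```

Re-running the script is safe: each step checks for an existing object before creating it, and enlisting a DC that already holds the partition is a no-op.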
Recap
• ADI zones store DNS in Active Directory
  – Only created on Domain Controllers
  – Changes exchanged through AD replication
  – No permission needed
• Three main benefits:
  – Multi-master
  – Secure “zone transfers”
  – Secure dynamic updates
Recap Continued
• Four replication scopes:
  – “To all DNS servers running on domain controllers in this forest.”
  – “To all DNS servers running on domain controllers in this domain.”
  – “To all domain controllers in this domain.”
  – “To all domain controllers in the scope of this directory partition.”
• To reach fewer than all DCs in the domain, use a directory partition