The Domain Name System (DNS) is a system used in TCP/IP networks for naming computers and network services; it is organized into a hierarchy of domains. It translates domain names meaningful to humans into the numerical identifiers associated with networking equipment for the purpose of locating and addressing these devices worldwide. When a user enters a DNS name in an application, DNS services can resolve the name to other information that is associated with the name, such as an IP address. For example, the domain name www.google.com translates to the addresses 220.127.116.11 (IPv4) and 2001:4860:a002::68 (IPv6).
The Domain Name System makes it possible to assign domain names to groups of Internet resources and users in a meaningful way, independent of each entity's physical location. Because of this, World Wide Web (WWW) hyperlinks and Internet contact information can remain consistent and constant even if the current Internet routing arrangements change or the participant uses a mobile device. Internet domain names like www.google.com are easier to remember than IP addresses such as 18.104.22.168 (IPv4) and 2001:4860:a002::68 (IPv6). Users take advantage of this when they recite meaningful Uniform Resource Locators (URLs) and e-mail addresses without having to know how the computer actually locates them.
The Domain Name System distributes the responsibility of assigning domain names and mapping those names to IP addresses by designatingÂ authoritative name serversÂ for each domain. Authoritative name servers are assigned to be responsible for their particular domains, and in turn can assign other authoritative name servers for their sub-domains. This mechanism has made the DNS distributed and fault tolerant and has helped avoid the need for a single central register to be continually consulted and updated.
In general, the Domain Name System also stores other types of information, such as the list of mail servers that accept email for a given Internet domain. By providing a worldwide, distributed keyword-based redirection service, the Domain Name System is an essential component of the functionality of the Internet.
The Domain Name System also specifies the technical functionality of this database service. It defines the DNS protocol, a detailed definition of the data structures and communication exchanges used in DNS, as part of the Internet Protocol Suite.
The Internet maintains two principal namespaces, the domain name hierarchy and the Internet Protocol (IP) address system. The Domain Name System maintains the domain namespace and provides translation services between these two namespaces. Internet name servers and communication protocols implement the Domain Name System. A DNS name server is a server that stores the DNS records for a domain name, such as address records, name server records, and mail exchanger records. A DNS name server responds with answers to queries against its database.
The DNS Server role in Windows Server 2008 contains several features that improve the performance of the DNS Server service. It combines support for standard DNS protocols with the benefits of integration with Active Directory Domain Services (AD DS) and other Windows networking and security features, including advanced capabilities such as secure dynamic update of DNS resource records.
The DNS Server role provides the following:
Support for Active Directory Domain Services (AD DS)
DNS is required for support of AD DS to give network computers the ability to locate domain controllers and to support AD DS replication. If you install the AD DS server role on a server, you should install and configure the DNS Server service on the new domain controller at the same time. DNS zones can be stored in the domain or application directory partitions of AD DS. A partition is a data container in AD DS that distinguishes data for different replication purposes. You can specify in which Active Directory partition to store the zone and, consequently, the set of domain controllers among which that zone's data will be replicated. The Windows Server 2008 DNS Server service ensures the best possible integration and support of AD DS and enhanced DNS server features.
Conditional forwarders
The DNS Server service extends the functionality of standard forwarders by providing conditional forwarders. A conditional forwarder is a DNS server on a network that forwards DNS queries according to the DNS domain name in the query. For example, you can configure a DNS server to forward all the queries it receives for names ending with corp.contoso.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.
Stub zones
DNS supports a zone type called a stub zone. A stub zone is a copy of a zone that contains only those resource records that are necessary to identify the authoritative DNS servers for that zone. A stub zone keeps a DNS server hosting a parent zone aware of the authoritative DNS servers for its child zone. This helps maintain DNS name resolution efficiency.
Enhanced DNS security features
DNS provides enhanced security administration for the DNS Server service, the DNS Client service, and DNS data.
Integration with other Microsoft networking services
The DNS Server service offers integration with other services and contains features beyond the features that are specified in the DNS RFCs. These features include integration with AD DS, Windows Internet Name Service (WINS), and Dynamic Host Configuration Protocol (DHCP) services.
Improved ease of administration
DNS Manager, the DNS snap-in in Microsoft Management Console (MMC) offers an improved graphical user interface (GUI) for managing the DNS Server service. Also, there are several configuration wizards for performing common server administration tasks. In addition to the DNS snap-in, other tools are provided to help you better manage and support DNS servers and clients on your network.
RFC-compliant dynamic update protocol support
The DNS Server service enables clients to dynamically update resource records, based on the dynamic update protocol (RFC 2136). This improves DNS administration by reducing the time needed to manage these records manually. Computers running the DNS Client service can register their DNS names and IP addresses dynamically.
Support for incremental zone transfer between servers
DNS servers that store DNS data in files use zone transfers to replicate information about a portion of the DNS namespace. When it transfers zones that are not integrated with AD DS, the DNS Server service uses incremental zone transfer to replicate only the changed portions of a zone, which conserves network bandwidth.
DNS is a hierarchically distributed database. In other words, its layers are arranged in a definite order, and its data is distributed across a wide range of machines, each of which can exert control over a portion of the database. DNS is a standard set of protocols defining the following:
A mechanism for querying and updating address information in the database
A mechanism for replicating the information in the database among servers
A schema of the database
DNS domain names
The Domain Name System is implemented as a hierarchical and distributed database containing various types of data, including host names and domain names. The names in a DNS database form a hierarchical tree structure called the domain namespace. Domain names consist of individual labels separated by dots, for example: mydomain.microsoft.com.
DNS Domain Name Hierarchy
DNS is able to delegate control over portions of the DNS namespace to multiple organizations. For example, when you register a domain name (example.com), you control the DNS for the portion of the DNS namespace within "example.com". The registrar controlling ".com" has delegated control over the "example.com" node in the DNS tree. No other node can be named "example" directly below ".com" within the DNS database.
Within the portion of the domain namespace that you control (example.com), you can create host records and other records. You can also further subdivide "example.com" and delegate control over those divisions to other organizations or departments. These divisions are called sub domains. For example, you can create sub domains named for the cities in which your company has branch offices and delegate control over those sub domains to the branch offices. The sub domains might be named "penang.example.com", "kl.example.com" and so on.
Each domain or delegated sub domain is associated with DNS name servers. In other words, for every node in the DNS, one or more servers can give an authoritative answer to queries about that domain. At the root of the domain namespace are the root servers.
DNS servers work together to resolve hierarchical names. If a server already has information about the name, it simply fulfills the query for the client. Otherwise it queries other DNS servers for the appropriate information. The system works well because it distributes authority over separate parts of the DNS structure to specific servers. A DNS zone is a portion of the DNS namespace over which a specific DNS server has authority.
Within a given DNS zone, resource records (RRs) contain the hosts and other database information that make up the data for the zone. For example, an RR might contain the host entry for www.example.com, pointing it to the IP address 192.168.1.10.
Distributing the DNS database: zone files and delegation
A DNS database can be partitioned into multiple zones. A zone is a portion of the DNS database that contains the resource records with the owner names that belong to the contiguous portion of the DNS namespace. Zone files are maintained on DNS servers. A single DNS server can be configured to host zero, one, or multiple zones.
Each zone is anchored at a specific domain name referred to as the zone's root domain. A zone contains information about all names that end with the zone's root domain name. A DNS server is considered authoritative for a name if it loads the zone containing that name. The first record in any zone file is a Start of Authority (SOA) RR. The SOA RR identifies a primary DNS name server for the zone as the best source of information for the data within that zone and as an entity processing the updates for the zone.
A name within a zone can also be delegated to a different zone that is hosted on a different DNS server. Delegation is a process of assigning responsibility for a portion of a DNS namespace to a DNS server owned by a separate entity. This separate entity can be another organization, department, or workgroup within your company. Such delegation is represented by the NS resource record that specifies the delegated zone and the DNS name of the server authoritative for that zone. Delegating across multiple zones was part of the original design goal of DNS.
The primary reasons to delegate a DNS namespace include:
A need to delegate management of a DNS domain to a number of organizations or departments within an organization.
A need to distribute the load of maintaining one large DNS database among multiple DNS servers to improve the name resolution performance as well as create a DNS fault-tolerant environment.
A need to allow for a host's organizational affiliation by including the host in appropriate domains.
The name server (NS) RRs facilitate delegation by identifying DNS servers for each zone and the NS RRs appear in all zones. Whenever a DNS server needs to cross a delegation in order to resolve a name, it will refer to the NS RRs for DNS servers in the target zone.
In the following figure, the management of the microsoft.com. domain is delegated across two zones, microsoft.com. and mydomain.microsoft.com.
DNS Database Zone
DNS zone is a portion of the DNS namespace over which a specific DNS server has authority. Within a given DNS zone, certain resource records define the hosts and other types of record that make up the database for the zone.
A DNS server can be configured to host three types of zone:
A primary zone
A secondary zone
A stub zone
The primary zone is responsible for maintaining all the records for the DNS zone. It contains the primary copy of the DNS database. This is the only zone type that can be edited or updated, because the data in the zone is the original source of the data for all domains in the zone. All record updates that occur on the primary zone are made by the DNS server that is authoritative for that primary zone. When the zone is stored in a file, by default the primary zone file is named zone_name.dns and it is located in the %windir%\System32\Dns folder on the server. There are two types of primary zone:
Standard primary zone, stored in a zone file on the server
Primary zone with Active Directory integration (Active Directory DNS)
Secondary zones are non-editable copies of the DNS database that can be used for load balancing, which is a way of managing network overloads on a single server. A secondary zone contains a database with all the same information as the primary zone and can be used to resolve requests. Secondary zones have the following advantages:
It provides fault tolerance, so if the primary zone server becomes unavailable, name resolution can still occur using the secondary zone server.
It can increase network performance by offloading some of the traffic that would otherwise go to the primary server.
Secondary servers are often placed within the parts of an organization that have high speed network access. This prevents DNS queries from having to run across slow wide area network connections. For example, if there are two remote offices within the "example.com" organization, you may want to place a secondary DNS server in each remote office. This way, when clients require name resolution, they will contact the nearest server for this IP address information, thus preventing unnecessary WAN traffic. However, too many secondary zone servers can actually cause an increase in network traffic because of replication.
Stub zones work a lot like secondary zones, in that their database is a non-editable copy of the primary zone. The difference is that the stub zone's database contains only the information necessary (three record types: name server (NS), start of authority (SOA), and glue host (A) records) to identify the authoritative DNS servers for a zone. Stub zones have the following advantages and features:
Keep delegated zone information current. By updating a stub zone for one of its child zones regularly, the DNS server that hosts both the parent zone and the stub zone will maintain a current list of authoritative DNS servers for the child zone.
Improve name resolution. Stub zones enable a DNS server to perform recursion using the stub zone's list of name servers, without having to query the Internet or an internal root server for the DNS namespace.
Simplify DNS administration. By using stub zones throughout your DNS infrastructure, you can distribute a list of the authoritative DNS servers for a zone without using secondary zones. However, stub zones and secondary zones serve different purposes; a stub zone should not be used to replace a secondary zone for redundancy and load balancing.
Active Directory Domain Services Integration
In Windows Server 2000, Active Directory-integrated DNS was introduced. This was a unique zone type, and it was a separate choice during setup. In Windows Server 2003 and 2008, this zone type becomes an add-on to a primary DNS zone.
By integrating your zones with AD DS, you can take advantage of DNS features, such as AD DS replication, secure dynamic updates, and record aging and scavenging.
Advantages of AD DS integration
The Active Directory replication topology is used for Active Directory replication, and for Active Directory-integrated zone replication. There is no longer a need for DNS replication when DNS and Active Directory are integrated.
Directory-integrated replication is faster and more efficient than standard DNS replication
AD DS replication processing is performed on a per-property basis, so only relevant changes are propagated. Less data is used and submitted in updates for directory-stored zones.
No additional network traffic
An Active Directory-integrated zone is stored in Active Directory. Since all records are now stored in Active Directory, when a resolver needs the TCP/IP address for the host User, any Active Directory DNS server can access User's address and respond to the resolver.
When you choose an Active Directory-integrated zone, DNS zone data can be replicated automatically to other DNS servers during the normal Active Directory replication process.
An Active Directory-integrated zone can use secure dynamic updates
The dynamic DNS standard allows secure-only updates or dynamic updates, but not both. If you choose secure updates, then only machines with an account in Active Directory can register with DNS. Before DNS registers any account in its database, it checks Active Directory to make sure it is an authorized domain computer.
An Active Directory-integrated zone stores and replicates its database through Active Directory replication. Because of this, the data is encrypted as it is sent from one DNS server to another.
Background zone loading
It allows a DNS Active Directory-integrated zone to load in the background. As a result, a DNS server can service the client requests while the zone is still loading into memory
Only primary zones can be stored in the directory. A DNS server cannot store secondary zones in the directory. It must store them in standard text files. The multimaster replication model of AD DS removes the need for secondary zones when all zones are stored in AD DS.
Zone Transfer and Replication
DNS is such an important part of the network that you should not use just a single DNS server. With a single DNS server, you also have a single point of failure, and in fact many domain registrars encourage the use of more than two name servers for a domain. Secondary servers or multiple primary Active Directory-integrated servers play an integral role in providing DNS information for an entire domain.
As previously stated, secondary DNS servers receive their zone database through zone transfers. When you configure a secondary server for the first time, you must specify the primary server that is authoritative for the zone and that will send the zone transfer. The primary server must also permit the secondary server to request the zone transfer.
Zone transfers occur in one of two ways: full zone transfers (AXFR) and incremental zone transfers (IXFR).
When a new secondary server is configured for the first time, it receives a full zone transfer from the primary DNS server. The full zone transfer contains all the information in the DNS database. Some DNS implementations always receive full zone transfers.
After the secondary server receives its first full zone transfer, subsequent zone transfers are incremental. The primary name server compares its zone version number with that on the secondary server and sends only the changes that have been made in the interim. This significantly reduces the network traffic generated by zone transfers.
Zone transfers are typically initiated by the secondary server when the refresh interval for the zone expires or when the secondary or stub server boots. Alternatively, you can configure a notify list on the primary server that notifies the secondary or stub servers whenever any changes to the zone database occur.
Active Directory-integrated zones do away with traditional zone transfers altogether. Instead, they replicate across Active Directory with all other AD information. This replication is secure since it uses Active Directory security.
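The refresh exchange described above, as an added example that is not part of the original text: a primary server compares its SOA serial with the secondary's, answers with nothing, an incremental transfer (IXFR) or a full transfer (AXFR), and the secondary applies the result. The records are constructed (name, type, rdata) tuples, the per-serial journal is an assumption about how a primary remembers changes, and the serial comparison uses RFC 1982 serial arithmetic, which the page does not cover.

```python
"""Added example (not from the page): primary/secondary zone transfer decision."""

SERIAL_MOD = 1 << 32

def serial_gt(a, b):
    """RFC 1982 serial-number arithmetic (assumed, beyond the page): is a newer
    than b, even when the 32-bit SOA serial has wrapped around?"""
    diff = (a - b) % SERIAL_MOD
    return 0 < diff < SERIAL_MOD // 2

class Primary:
    """Primary DNS server: current record set, SOA serial, and a journal of changes."""
    def __init__(self, serial, records):
        self.serial = serial % SERIAL_MOD
        self.records = set(records)
        self.journal = []          # (old_serial, new_serial, removed, added)

    def update(self, removed=(), added=()):
        """Apply a (dynamic) update: change the data and bump the serial."""
        new_serial = (self.serial + 1) % SERIAL_MOD
        self.records -= set(removed)
        self.records |= set(added)
        self.journal.append((self.serial, new_serial, frozenset(removed), frozenset(added)))
        self.serial = new_serial

    def transfer(self, secondary_serial):
        """Answer a refresh: ('none', None), ('IXFR', deltas) or ('AXFR', records)."""
        if secondary_serial is None:
            return "AXFR", set(self.records)          # first configuration: full copy
        if not serial_gt(self.serial, secondary_serial):
            return "none", None                       # secondary is already current
        deltas, cur = [], secondary_serial
        for old, new, removed, added in self.journal:
            if old == cur:                            # follow the chain of changes
                deltas.append((removed, added))
                cur = new
        if cur == self.serial:
            return "IXFR", deltas                     # only the changes in the interim
        return "AXFR", set(self.records)              # journal gap: must send everything

class Secondary:
    """Secondary DNS server: a non-editable copy plus the serial it reflects."""
    def __init__(self):
        self.serial, self.records = None, set()

    def refresh(self, primary):
        """Run at the refresh interval, on boot, or when the primary notifies."""
        kind, payload = primary.transfer(self.serial)
        if kind == "IXFR":
            for removed, added in payload:
                self.records -= removed
                self.records |= added
        elif kind == "AXFR":
            self.records = set(payload)
        if kind != "none":
            self.serial = primary.serial
        return kind
```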
Delegating Zone for DNS
DNS provides the ability to divide up the namespace into one or more zones, which can then be stored, distributed, and replicated to other DNS servers. When deciding whether to divide your DNS namespace to make additional zones, consider the following reasons to use additional zones:
A need to delegate the management of part of your DNS namespace to another location or department within your organization
A need to divide one large zone into smaller zones for distributing traffic loads among multiple servers for improving DNS name resolution performance or for creating a more fault-tolerant DNS environment
A need to extend the namespace by adding numerous sub domains at once, such as to accommodate the opening of a new branch or site
Each new delegated zone requires a primary DNS server just like a regular DNS zone. When delegating zones within your namespace, be aware that for each new zone you create, you need to place delegation records in other zones that point to the authoritative DNS servers for the new zone. This is necessary both to transfer authority and to provide correct referrals to other DNS servers and clients of the new servers being made authoritative for the new zone.
Example: Delegating a sub domain to a new zone
As shown in the following illustration, when a new zone for a sub domain (example.microsoft.com) is created, delegation from the parent zone (microsoft.com) is needed.
In this example, the authoritative DNS server computer for the newly delegated example.microsoft.com subdomain is named based on a derivative subdomain that is included in the new zone (ns1.na.example.microsoft.com). To make this server known to other servers outside the new delegated zone, two resource records are necessary in the microsoft.com zone to complete delegation to the new zone.
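The delegation just described, and the stub zone contents covered earlier (SOA, NS and glue A records), as an added example that is not part of the original text: the parent zone microsoft.com needs both an NS record for example.microsoft.com and a glue A record for ns1.na.example.microsoft.com, because that server's name lies inside the zone it serves. The zone-file-like line format, the addresses and the serials are constructed for this example.

```python
"""Added example (not from the page): check a delegation in a parent zone and derive
the records a stub zone would hold. The record format and all data are constructed."""
from collections import namedtuple

# Names are fully qualified with a trailing dot, as in a zone file.
RR = namedtuple("RR", "name ttl rtype rdata")

def parse_zone(text):
    """Parse a minimal 'name ttl type rdata' line format; the first record must be the SOA."""
    records = []
    for line in text.strip().splitlines():
        line = line.split(";")[0].strip()          # drop ';' comments and blank lines
        if not line:
            continue
        name, ttl, rtype, rdata = line.split(None, 3)
        records.append(RR(name.lower(), int(ttl), rtype.upper(), rdata))
    if not records or records[0].rtype != "SOA":
        raise ValueError("a zone must start with its SOA record")
    return records

def in_zone(name, zone_root):
    """True if name is zone_root itself or lies below it."""
    return name == zone_root or name.endswith("." + zone_root)

def check_delegation(parent_records, child_root):
    """List problems with the delegation of child_root from the parent zone. A delegation
    needs NS records at child_root plus a glue address record in the parent for every name
    server named inside the delegated zone; otherwise resolvers cannot find that server."""
    problems = []
    ns_targets = [r.rdata.lower() for r in parent_records
                  if r.name == child_root and r.rtype == "NS"]
    if not ns_targets:
        problems.append("no NS records for " + child_root)
    glue_names = {r.name for r in parent_records if r.rtype in ("A", "AAAA")}
    for ns in ns_targets:
        if in_zone(ns, child_root) and ns not in glue_names:
            problems.append("missing glue address record for " + ns)
    return problems

def stub_zone_records(child_records, child_root):
    """Select what a stub zone keeps: the child's SOA, its NS records, and glue A/AAAA
    records for name servers whose names are inside the child zone."""
    soa = [r for r in child_records if r.name == child_root and r.rtype == "SOA"]
    ns = [r for r in child_records if r.name == child_root and r.rtype == "NS"]
    ns_names = {r.rdata.lower() for r in ns}
    glue = [r for r in child_records if r.rtype in ("A", "AAAA")
            and r.name in ns_names and in_zone(r.name, child_root)]
    return soa + ns + glue

# Constructed parent zone: microsoft.com. delegates example.microsoft.com. (made-up addresses)
PARENT_ZONE = """
microsoft.com. 3600 SOA ns1.microsoft.com. hostmaster.microsoft.com. 2024010101 3600 600 86400 300
microsoft.com. 3600 NS ns1.microsoft.com.
ns1.microsoft.com. 3600 A 192.168.1.1
example.microsoft.com. 3600 NS ns1.na.example.microsoft.com.   ; delegation (NS) record
ns1.na.example.microsoft.com. 3600 A 192.168.1.10                ; glue (A) record
"""
# Constructed child zone as loaded on ns1.na.example.microsoft.com.
CHILD_ZONE = """
example.microsoft.com. 3600 SOA ns1.na.example.microsoft.com. hostmaster.example.microsoft.com. 2024010105 3600 600 86400 300
example.microsoft.com. 3600 NS ns1.na.example.microsoft.com.
ns1.na.example.microsoft.com. 3600 A 192.168.1.10
www.example.microsoft.com. 3600 A 192.168.1.20
"""
```

Dropping the glue line from PARENT_ZONE makes check_delegation report the missing address record, which is the lame-delegation symptom to watch for when a new zone is cut out of an existing one.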