Notes: source ITFreetraining
Hierarchical, distributed database, created in 1983.
Maps names to IP addresses (and other data, such as mail servers and service locations).
Previously hosts files were used, local to each machine. It is difficult to keep the same file in sync across many systems, and the file kept growing as the Internet grew, so central administration was required, i.e. DNS.
Requirements:
BIND (Berkeley Internet Name Domain) compliant.
A UNIX/BIND DNS server can be used, but:
Integration with AD is harder, and
DDNS (dynamic DNS) is not set up automatically. With Windows DNS a domain client registers its own record when it starts up and updates it when its address changes; with a non-integrated server those changes must be made manually, or secure dynamic update has to be configured separately.
Windows DNS is therefore recommended for AD.
The server on which you install the DNS role should have a static IP address (IPv4 and/or IPv6); a DNS server whose address changes breaks every client and forwarder that points at it.
Install: Server Manager -> Add Roles and Features -> DNS Server.
Features:
DNSSEC:
Domain Name System Security Extensions.
Plain DNS traffic is neither encrypted nor authenticated, so responses can be modified in transit or spoofed (e.g. a client's query to its DNS server, or data on its way from an authoritative server to a resolver). DNSSEC does not add encryption; it adds digital signatures so the receiving party can prove the data was published by the zone owner and has not changed.
DNSSEC proves data has not changed: the receiving party gets the records together with a signature (RRSIG) and the zone's public key (DNSKEY) to verify it.
Zone transfers between primary and secondary servers are a separate concern: DNSSEC signs the records themselves, while the transfer is protected by restricting which servers may pull the zone.
If DNSSEC is supported on the DNS servers then:
Trust Anchors:
A name is validated from right to left along the chain of trust, e.g. example.com.au: root -> au -> com.au -> example.com.au.
The root zone's key is the starting trust anchor. The root zone publishes a DS record (a hash of the child's key) for 'au', the 'au' zone publishes a DS record for 'com.au', and so on down to 'example.com.au'. Each DS record lets the validating server trust the key of the next zone down.
If a zone in the middle of the chain (say 'com.au') is not signed, there is no DS record for the zones below it, so a validating server cannot tell whether 'example.com.au' data has been altered even though that zone is signed. In that case a trust anchor for 'example.com.au' is configured directly on the validating DNS server (an island of trust); clients that query through that server then get validated answers.
In Windows Server 2012 trust anchors can be viewed in DNS Manager under Trust Points; on a domain controller they are stored in AD DS and replicated.
Key Management:
Keys can be stored in AD, so that they are replicated like other directory data.
Automated key rollover in AD: when keys expire, new keys are generated and published and the old ones retired, without manual intervention.
Key Master: works per primary zone. The server given the role generates and manages all signing keys for that zone. The role can be transferred to another server, but only one server holds it at a time.
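The signing, trust-anchor and validation steps above, as an added PowerShell example (not from the ITFreetraining notes). It uses the DnsServer module cmdlets shipped with Windows Server 2012 and later; the zone name, the two server names and the export directory are assumptions, and the parent zone is assumed to be unsigned so the second server needs an island-of-trust anchor.

```powershell
# Added example (not part of the original notes): sign an AD-integrated zone on the
# server that becomes its Key Master, export the public key set, import it as a trust
# anchor on a second (non-authoritative) server, and confirm signed answers come back.
$zone      = 'itfreetraining.local'   # assumption
$signer    = 'DC1'                    # assumption: holds the primary zone, becomes Key Master
$validator = 'DNS2'                   # assumption: caching server that must validate the zone
$exportDir = 'C:\dnssec'              # assumption: local path on $signer

# 1. Sign the zone with default parameters (KSK + ZSK, NSEC3, automatic rollover).
Invoke-DnsServerZoneSign -ZoneName $zone -SignWithDefault -ComputerName $signer -Force -PassThru

# 2. Export the zone's public keys. This writes keyset-<zone> and dsset-<zone> into
#    $exportDir on the signer; the DS set is what a signed parent zone would publish.
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
Export-DnsServerDnsSecPublicKey -ZoneName $zone -Path $exportDir -ComputerName $signer -Force

# 3. The parent of itfreetraining.local is not signed, so there is no DS chain from the
#    root. Make the validator trust the zone directly (an island of trust). Copy the
#    dsset file to a path the validator can read if this script runs elsewhere.
Import-DnsServerTrustAnchor -DSSetFile (Join-Path $exportDir "dsset-$zone") -ComputerName $validator
Get-DnsServerTrustAnchor -Name $zone -ComputerName $validator

# 4. Query the validator with the DO bit set. RRSIG records in the answer show the data
#    is signed; a tampered or unsigned answer fails validation and the server returns
#    SERVFAIL instead of the forged data.
$answer = Resolve-DnsName -Name "www.$zone" -Type A -Server $validator -DnssecOk
$answer | Format-Table Name, Type, TTL, Section -AutoSize
if (-not ($answer | Where-Object Type -eq 'RRSIG')) {
    Write-Warning 'No RRSIG returned: zone not signed, or the validator is not using the trust anchor.'
}
```

Key rollover and the Key Master role are then handled by the signer; moving the role to another server is done with Reset-DnsServerZoneKeyMasterRole, and the trust anchor on the validator has to be refreshed if the KSK is rolled.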
Namespace:
It is decentralised: each zone is administered by its own organisation.
Hierarchy:
Root: '.'. Every fully qualified name ends with '.', even if you do not type it.
Top level domain: com, au, org, edu, net
Second level domain: e.g. itfreetraining (the organisation's administrators control the namespace from here; they can create child domains and change IP addresses as required)
Third level domain: e.g. east, west, sales, marketing
Fourth level domain: e.g. www, ftp (hosts)
Process, resolving example.com.:
The client sends the request to its DNS server, which checks its cache. If the name is not found it contacts a root server; the addresses of the root servers (the root hints) are stored on every local DNS server.
The root server replies with the addresses of the .com DNS servers.
The client's DNS server contacts a .com DNS server, which replies with the address of the DNS server authoritative for example.com.
The client's DNS server contacts the example.com DNS server, gets the answer and returns it to the client.
The results are cached on the local DNS server, including the addresses of the .com servers, so the next lookup under .com skips the root.
Root Hint Server:
Configured by default.
Normally there is no need to change them.
In rare cases administrators will disable them.
Most companies forward DNS requests to their ISP's DNS servers: the ISP handles far more queries, so the address is more likely to be resolved and cached there already.
A server configured to forward to another DNS server uses the forwarder first; the root hints are used only if forwarding fails (or not at all, if that fallback option is turned off).
Recursive and Iterative Queries: At every step the cache is checked first, and results are cached for future resolutions. For example, instead of contacting a root server again, the local server can go straight to a .com server because it has cached the .com server addresses.
Recursion:
The DNS server takes responsibility for the complete resolution.
It will contact other DNS servers as required and returns a final answer (or an error).
Iterative: used between servers to avoid load.
The queried server responds with the best information it has: an answer from its cache or zones, or a referral to another server that can help.
It does not contact other DNS servers on the querier's behalf.
In the above example of resolving example.com.:
The desktop first checks its own cache. If the name is not found it sends a recursive query to its DNS server, i.e. that server takes responsibility for contacting other DNS servers as required.
The local DNS server checks its cache. If not found it sends an iterative query to a root server, which either answers or refers it to the .com servers.
The local DNS server sends an iterative query to a .com server, which refers it to the DNS server that can resolve example.com.
The local DNS server sends an iterative query to the example.com server and returns the resolved address to the desktop.
https://www.lifewire.com/what-is-a-dns-cache-817514
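The root -> TLD -> authoritative walk described in the resolution process and in the recursive/iterative section above, done by hand with Resolve-DnsName. This is an added example, not from the ITFreetraining notes; it needs Internet access, starts from a.root-servers.net (198.41.0.4, one of the root hints) and uses www.example.com as the name, both of which are choices made here.

```powershell
# Added example (not part of the original notes): follow referrals the way a local DNS
# server does when it resolves iteratively. Each hop sends a query with recursion
# disabled, so the queried server returns either an answer or a referral.
function Resolve-Iteratively {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $Type        = 'A',
        [string] $StartServer = '198.41.0.4',   # a.root-servers.net, from the root hints
        [int]    $MaxHops     = 10
    )
    $server = $StartServer
    for ($hop = 1; $hop -le $MaxHops; $hop++) {
        # -NoRecursion clears the RD bit: the server answers from its own data only.
        # -DnsOnly skips LLMNR/NetBIOS so we see pure DNS behaviour.
        $records = Resolve-DnsName -Name $Name -Type $Type -Server $server -NoRecursion -DnsOnly -ErrorAction Stop
        $answer  = $records | Where-Object { $_.Section -eq 'Answer' }
        if ($answer) {
            Write-Host "[$hop] $server answered (authoritative for the name)"
            return $answer
        }
        # A referral: NS records in the Authority section name the next servers down,
        # and the Additional section carries glue addresses when the server has them.
        $ns   = $records | Where-Object { $_.Section -eq 'Authority' -and $_.Type -eq 'NS' }
        $glue = $records | Where-Object { $_.Section -eq 'Additional' -and $_.Type -eq 'A' }
        if (-not $ns) { throw "$server returned neither an answer nor a referral for $Name" }
        $zone = ($ns | Select-Object -First 1).Name
        Write-Host "[$hop] $server referred us to the name servers for '$zone'"
        if ($glue) {
            $server = ($glue | Select-Object -First 1).IPAddress
        } else {
            # No glue (the NS name lives in another TLD): look the NS host up normally first.
            $nsHost = ($ns | Select-Object -First 1).NameHost
            $server = (Resolve-DnsName -Name $nsHost -Type A -DnsOnly | Select-Object -First 1).IPAddress
        }
    }
    throw "Gave up after $MaxHops referrals"
}

Resolve-Iteratively -Name 'www.example.com' | Format-Table Name, Type, IPAddress -AutoSize
```

Run it twice against a real recursive server's cache and the difference becomes visible: the walk above always does three hops, while a caching server that already knows the .com servers goes straight to hop two.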
Configuring forwarders and root hints:
Open dnsmgmt.msc -> right-click the DNS server -> Properties -> Forwarders.
Option: Use root hints if no forwarders are available.
This option keeps resolution working if the forwarders are unavailable or offline.
Open dnsmgmt.msc -> right-click the DNS server -> Properties -> Advanced.
Option: Disable recursion (also disables forwarders).
If this is ticked the server will never contact another DNS server when it does not know the answer; it answers only from its own zones and cache.
Use it on secure, isolated networks, or on an Internet-facing authoritative server so that it cannot be abused as an open resolver.
Or use it when you have a set of DNS servers and do not want this one to take on resolution work it cannot answer from its cache or zones.
Open dnsmgmt.msc -> right-click the DNS server -> Properties -> Root Hints.
The number of root servers is limited to 13 because the list (with their addresses) had to fit in a single 512-byte UDP DNS response when DNS was first developed.
The root hints are stored in C:\Windows\System32\dns\cache.dns.
You can click 'Remove' and then 'Copy from Server' and give another DNS server's name or IP address to refresh the list.
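The same Forwarders, Advanced and Root Hints settings applied from PowerShell, as an added example that is not part of the ITFreetraining notes. The server name, the forwarder addresses and the second server used to refresh the root hints are assumptions.

```powershell
# Added example (not part of the original notes): forwarders with root-hint fallback,
# the recursion switch, and refreshing root hints from another server.
$server = 'DC1'   # assumption

# Forwarders tab: forward to the ISP resolvers (addresses assumed) and keep root hints
# as the fallback. -UseRootHint $true is "Use root hints if no forwarders are available".
Set-DnsServerForwarder -ComputerName $server -IPAddress 203.0.113.53, 203.0.113.54 -UseRootHint $true -Timeout 3
Get-DnsServerForwarder -ComputerName $server

# Advanced tab: "Disable recursion (also disables forwarders)". Keep recursion on for an
# internal resolver; set -Enable $false on an isolated network or an Internet-facing
# authoritative-only server so it cannot be used as an open resolver.
Set-DnsServerRecursion -ComputerName $server -Enable $true
Get-DnsServerRecursion -ComputerName $server | Select-Object Enable, Timeout, RetryInterval

# Root Hints tab: list the entries loaded from cache.dns, then refresh them from another
# DNS server (the "Copy from Server" button; DNS2 is an assumption).
Get-DnsServerRootHint -ComputerName $server
Import-DnsServerRootHint -ComputerName $server -NameServer 'DNS2'
```

A quick sanity check after changing these is Resolve-DnsName for an external name against $server: it should succeed with forwarders up, still succeed with the forwarders unreachable (root hints fallback), and fail once recursion is disabled.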
DNS Zones:
A zone is a portion of the DNS namespace delegated to a server for administration. The zone stores the DNS records.
Primary zone:
Contains the read/write copy of the zone data.
In a standard primary zone the data is stored in a text file (BIND format), so changes can be made only on the one DNS server that holds the primary zone.
A change requested from any other server goes to the server holding the primary zone; if that server is unavailable no changes can be made until it comes back. - problem
Problem solved by:
Active Directory Integrated Zone:
A primary zone stored in AD.
The text file that held the zone data is moved into the AD database.
Hence AD replication (multi-master) is used and changes can be made on any DNS server that hosts the zone.
DNS must be installed on a domain controller.
Allows secure dynamic updates: when a computer that is a member of the domain starts up it tries to register its host name in DNS. With 'secure only' updates the client must authenticate (Kerberos via GSS-TSIG), and only the account that created a record is allowed to change it.
Dynamic updates can be allowed without an AD integrated zone (nonsecure), but then any host on the network can add or overwrite records in the zone, so an attacker can hijack a name.
Secondary Zone: the advantage is redundancy: a complete read-only copy of the zone. If the primary is unavailable, queries can still be answered from the copy.
Read-only copy of a primary (or of another secondary) zone; can also be a copy of an AD integrated zone.
Change requests are passed on to the primary zone.
Advantage: works on a DNS server that is not part of the domain, including Linux/UNIX BIND servers.
Case:
If the zone file is large and changes a lot, a secondary means a lot of zone-transfer traffic.
A branch office with few users would receive every change even though it rarely queries those records. - problem
Problem solved by:
Stub Zone:
Contains only partial data from the other zone: the SOA, NS and glue A records needed to find an authoritative server (a DNS server that holds the primary or secondary zone).
A DNS server that holds a stub zone sends queries on to a server that can answer (primary or secondary).
You can also do this with conditional forwarding, but that is static: if DNS servers on the other network are added or removed, the forwarder list must be updated by hand. A stub zone is dynamic; it refreshes its NS list from the master automatically.
One more advantage of a stub over a secondary: a secondary that loses access to the master, or misses updates, keeps serving stale data, while a stub only ever points at the authoritative servers.
Reverse lookup zone:
Contains IP address to host name mappings (PTR records).
Used mostly for troubleshooting and logging.
Administrator's choice whether to create it.
Not required for day-to-day name resolution.
Services like AD work without a single reverse lookup record.
DNS Zone demonstration:
Dynamic updates through a secure channel (the 'Secure only' option) are available only for AD integrated zones.
Secondary zone:
For a secondary server to function, zone transfers must be allowed from the primary server: zone Properties -> Zone Transfers.
Option: for security, allow zone transfers only to the servers listed on the Name Servers tab (or to a specific list of IP addresses) instead of to any server; otherwise anyone on the network can pull a full copy of the zone with a transfer request.
In that case add the secondary server you configured to the list of name servers.
Name Servers:
Considered to be the authority for the zone.
The servers that are considered the best source of information for that zone.
After the zone transfer setting is in place, use 'Transfer from Master' to force replication: right-click the secondary zone -> 'Transfer from Master', then press F5 to refresh.
Start of Authority:
Replication can be observed through the Start of Authority record: primary zone -> Properties -> Start of Authority (SOA). Refresh interval: how often the secondary contacts the primary to check for changes.
Retry interval: if that contact fails, how long to wait before trying again.
Serial number: incremented whenever the zone changes. The secondary compares its serial number with the primary's to know whether a transfer is needed.
A stub zone can also be stored in AD.
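The zone types from the DNS Zones section and the transfer restriction, forced transfer and SOA serial check from the demonstration above, created from PowerShell. This is an added example, not from the ITFreetraining notes; the zone name, the three server names and all addresses are assumptions.

```powershell
# Added example (not part of the original notes): AD-integrated primary with secure
# updates, transfers restricted to listed name servers, a secondary on a non-domain
# server, a stub zone for a branch office, and a serial-number comparison.
$zone    = 'itfreetraining.local'   # assumption
$dc1Ip   = '192.0.2.10'             # assumption: DC1 holds the primary zone
$dns2Ip  = '192.0.2.20'             # assumption: standalone server holding the secondary

# AD-integrated primary zone, replicated to every DNS server in the forest; dynamic
# updates only from authenticated domain members (the 'Secure only' option).
Add-DnsServerPrimaryZone -ComputerName 'DC1' -Name $zone -ReplicationScope Forest -DynamicUpdate Secure

# Zone Transfers tab: only servers on the Name Servers tab may pull the zone.
# TransferAnyServer is the insecure setting that lets anyone dump the zone.
Set-DnsServerPrimaryZone -ComputerName 'DC1' -Name $zone -SecureSecondaries TransferToZoneNameServer
# Add the secondary as a name server ('.' is the zone root in these cmdlets) plus its A record.
Add-DnsServerResourceRecordA -ComputerName 'DC1' -ZoneName $zone -Name 'dns2' -IPv4Address $dns2Ip
Add-DnsServerResourceRecord  -ComputerName 'DC1' -ZoneName $zone -NS -Name '.' -NameServer "dns2.$zone"

# Secondary (file-backed, read-only) copy on the non-domain server, then a forced transfer
# (the 'Transfer from Master' menu item).
Add-DnsServerSecondaryZone -ComputerName 'DNS2' -Name $zone -ZoneFile "$zone.dns" -MasterServers $dc1Ip
Start-DnsServerZoneTransfer -ComputerName 'DNS2' -Name $zone -FullTransfer

# Stub zone in a branch office: only SOA/NS/glue, refreshed from the master automatically.
Add-DnsServerStubZone -ComputerName 'BRANCH-DNS' -Name $zone -MasterServers $dc1Ip -ZoneFile "$zone.dns"

# Compare SOA serial numbers: equal means the secondary is up to date.
foreach ($srv in 'DC1', 'DNS2') {
    $soa = Get-DnsServerResourceRecord -ComputerName $srv -ZoneName $zone -RRType Soa
    '{0,-10} serial {1}' -f $srv, $soa.RecordData.SerialNumber
}
```

To confirm the transfer restriction actually bites, run Start-DnsServerZoneTransfer from a server that is not on the Name Servers tab; it should fail, and the primary logs the refused request.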
Records:
A record: IPv4 address
AAAA record: IPv6 address
When creating a host record the console picks the record type from the address you enter.
Alias (CNAME):
Enter the alias name and select the target host record it points to.
Mail Exchanger record (MX record):
Has a priority (preference). The lowest value is tried first, e.g. the priority 5 server is contacted first and the priority 10 server only if that one is unavailable.
While creating the mail record, select an existing host (A/AAAA) record; an MX must not point at a CNAME.
Other record types can be created from the zone's context menu (Other New Records).
Time to live:
Time to live (TTL) is a parameter on each DNS record that specifies how long the record may be kept in the cache of a client or DNS server. After it expires the client or DNS server must query the authoritative server again.
For example, mail records are often given a shorter TTL, so that if the server is down or its IP changes, clients re-query the authoritative server instead of the service being unreachable for a long time.
The cost is more queries to the authoritative server, i.e. more network traffic.
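The record types and TTL choices above, created from PowerShell and followed by a check that every MX target is a real host record. Added example, not from the ITFreetraining notes; the zone, host names and addresses are assumptions, and the script is meant to run on the DNS server itself.

```powershell
# Added example (not part of the original notes): A/AAAA hosts, a CNAME alias, two MX
# records with different preferences and a short TTL, then a validity check.
$zone = 'itfreetraining.local'   # assumption

Add-DnsServerResourceRecordA     -ZoneName $zone -Name 'mail1' -IPv4Address 192.0.2.25   -TimeToLive 01:00:00
Add-DnsServerResourceRecordAAAA  -ZoneName $zone -Name 'mail1' -IPv6Address 2001:db8::25 -TimeToLive 01:00:00
Add-DnsServerResourceRecordA     -ZoneName $zone -Name 'mail2' -IPv4Address 192.0.2.26   -TimeToLive 01:00:00
Add-DnsServerResourceRecordA     -ZoneName $zone -Name 'web'   -IPv4Address 192.0.2.80   -TimeToLive 1.00:00:00
Add-DnsServerResourceRecordCName -ZoneName $zone -Name 'www'   -HostNameAlias "web.$zone" -TimeToLive 1.00:00:00

# MX at the zone root ('.' in these cmdlets). Lower preference is tried first; the
# 5-minute TTL means a changed address is picked up quickly at the cost of more queries.
Add-DnsServerResourceRecordMX -ZoneName $zone -Name '.' -MailExchange "mail1.$zone" -Preference 5  -TimeToLive 00:05:00
Add-DnsServerResourceRecordMX -ZoneName $zone -Name '.' -MailExchange "mail2.$zone" -Preference 10 -TimeToLive 00:05:00

# Check: every MX target must have an A (or AAAA) record in the zone and must not be a CNAME.
Get-DnsServerResourceRecord -ZoneName $zone -RRType MX | ForEach-Object {
    $target   = $_.RecordData.MailExchange.TrimEnd('.')
    $relative = $target -replace ('\.' + [regex]::Escape($zone) + '$'), ''
    $isCname  = [bool](Get-DnsServerResourceRecord -ZoneName $zone -Name $relative -RRType CName -ErrorAction SilentlyContinue)
    $hasA     = [bool](Get-DnsServerResourceRecord -ZoneName $zone -Name $relative -RRType A     -ErrorAction SilentlyContinue)
    $hasAAAA  = [bool](Get-DnsServerResourceRecord -ZoneName $zone -Name $relative -RRType AAAA  -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Preference = $_.RecordData.Preference
        Target     = $target
        TTL        = $_.TimeToLive
        Valid      = (($hasA -or $hasAAAA) -and -not $isCname)
    }
} | Sort-Object Preference | Format-Table -AutoSize
```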
DNS record Aging:
Each dynamically registered record carries a timestamp. By default static records have no timestamp (so are never scavenged), but they can be configured to age as well. Each time a computer starts up (and periodically while running) it re-registers its record, which may update the timestamp.
To avoid the traffic of every computer rewriting its timestamp at every start-up, and the replication of those writes to other DNS servers, two intervals are defined: the no-refresh interval and the refresh interval.
No-refresh interval: by default 7 days. A timestamp-only refresh is rejected (no write, no replication); other changes, such as a new IP address, are still allowed.
Refresh interval: by default 7 days. All changes, including timestamp refreshes, are allowed. So a computer has 7 days in which to refresh its timestamp.
In total a record lives at least 14 days (no-refresh + refresh) after its timestamp before it can be removed.
Scavenging:
Removal of outdated (stale) DNS records.
A record is stale when its timestamp plus the no-refresh and refresh intervals (14 days by default) lies in the past.
When scavenging, the timestamp is checked and then the record setting 'Delete this record when it becomes stale' must be ticked; by default it is ticked on dynamic records and unticked on static records.
On the server, 'Set Aging/Scavenging for All Zones' -> 'Scavenge stale resource records' sets the defaults; for existing zones it applies only to AD integrated zones, and only if the box to apply it to existing zones is ticked.
Per-zone setting: zone Properties -> General -> Aging -> Scavenge stale resource records.
The server decides when it actually runs scavenging (Properties -> Advanced -> 'Enable automatic scavenging of stale records' and its period). To force it now, right-click the server -> 'Scavenge Stale Resource Records'; it only removes records from zones where scavenging is enabled and only records with 'Delete this record when it becomes stale' set.
Caveat: a machine that is switched off for longer than no-refresh + refresh (e.g. a laptop on leave) loses its record, and the intervals should be kept in step with the DHCP lease duration (see the askpfe link in the Scavenging section below), otherwise records of valid clients are removed.
DNS Delegation:
Creating sub-domains in order to:
Delegate administrative authority: the sub-domain's administrators get rights on the sub-domain without being given rights on the parent.
Improve performance: load is spread, as each sub-domain is hosted on separate DNS servers.
Expand the namespace.
Demonstration:
On the management machine: Server Manager -> right-click All Servers -> Add Servers -> DNS -> add the child DNS server by IP address.
In the left pane right-click DNS -> DNS Manager.
DNS Manager -> right-click DNS -> Connect to DNS Server -> enter the IP address -> create a zone named subdomain.parentdomain, e.g. west.itfreetraining.local, where itfreetraining.local is the parent domain and west is the sub-domain.
Then create a host record for that server in the new zone.
At this point pinging the server's FQDN will not resolve, because the itfreetraining.local zone knows nothing about 'west'.
Option 1: right-click the parent zone -> New Domain. This creates the sub-domain inside the parent zone, stored on the same server (no delegation).
Option 2: New Delegation, which creates the delegation relationship between the parent and the sub-domain hosted on the other server.
New Delegation -> give the sub-domain name (west) -> give the authoritative server for that sub-domain (since its name does not resolve yet, give its IP address).
The 'west' domain is now visible under the parent but greyed out, indicating it is not stored on this server.
Now the FQDN west.itfreetraining.local resolves, though the ping itself may time out because the firewall on that server may block ICMP echo requests.
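The delegation demonstration above from PowerShell, as an added example that is not part of the ITFreetraining notes. The parent zone, the child server name and its address are assumptions; the check at the end uses a DNS query rather than ping, so a firewall that drops ICMP does not confuse the result.

```powershell
# Added example (not part of the original notes): create west.itfreetraining.local on its
# own server, delegate it from the parent zone, and verify the referral works.
$parent        = 'itfreetraining.local'   # assumption
$child         = 'west'                   # assumption
$childServerFq = "ns1.$child.$parent"     # assumption
$childServerIp = '192.0.2.50'             # assumption
$parentServer  = 'DC1'                    # assumption: hosts the parent zone

# On the child server: the zone and its own host record (the "create zone, then host
# record" steps). Managed by IP because its name cannot resolve yet.
Add-DnsServerPrimaryZone     -ComputerName $childServerIp -Name "$child.$parent" -ZoneFile "$child.$parent.dns"
Add-DnsServerResourceRecordA -ComputerName $childServerIp -ZoneName "$child.$parent" -Name 'ns1' -IPv4Address $childServerIp

# On the parent: "New Delegation". This writes the NS record for 'west' into the parent
# zone plus the glue A record, which is why the IP address is required here.
Add-DnsServerZoneDelegation -ComputerName $parentServer -Name $parent -ChildZoneName $child `
    -NameServer $childServerFq -IPAddress $childServerIp
Get-DnsServerZoneDelegation -ComputerName $parentServer -Name $parent

# Verify without ping: the parent refers the query on and the child answers.
Resolve-DnsName -Name $childServerFq -Type A -Server $parentServer -DnsOnly
```

Administrators of the west zone can now be given rights on the child server (or on the child zone) without any rights on itfreetraining.local, which is the delegation point the section is making.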
Windows DNS server settings:
Properties of server -> Advanced
Disable recursion (also disables forwarders): prevents the DNS server from contacting other servers for answers.
Helps prevent the server being used in denial of service (DoS) attacks, e.g. as an open resolver in amplification attacks, and, since it no longer caches answers from outside, removes it as a cache-poisoning target.
Enable BIND secondaries: for zone transfers to BIND versions below 4.9.4 (released in the late 1990s), which cannot handle the fast transfer format (compressed, several records per message).
This option slows down zone transfers. As it is only for very old versions that are no longer in use, leave it unchecked.
Fail on load if bad zone data: if enabled, a zone whose file contains data errors (e.g. illegal characters in a record) is not loaded and its queries are not answered; if disabled, the server logs the errors and loads what it can.
Enable round robin: when multiple records exist for the same name, return them in rotating order.
DNS allows more than one record with the same name but different IP addresses.
Example: two records with the same name and different addresses. If 4 computers query the name, the 1st computer gets the 1st record first, the 2nd computer the 2nd record first, the 3rd the 1st again and the 4th the 2nd. This gives crude load balancing.
If it is not enabled, every request gets the records in the same order, so all clients use the first one in the zone file.
Enable netmask ordering: returns the record whose address is on the same subnet as the client first.
Enable both round robin and netmask ordering.
Secure cache against pollution: prevents false records from being added to the cache. Enabled by default. Without it, an attacker who can get the server to send a query (or who races a legitimate response) can include extra records in the response for names outside the zone being queried, e.g. a bogus A record for a bank's name alongside the answer for the attacker's own domain. The server would cache those records and hand the fake address to clients. With the option on, the server ignores records that are not within the queried domain.
Enable DNSSEC validation for remote responses: available from Server 2012.
Lets the server validate signed records on behalf of clients (to make sure the record returned is not tampered with) and validate signed denial of existence, so an attacker cannot forge a 'record does not exist' answer to deny service. Enabled by default.
Round Robin and Netmask Ordering:
When the client address is IPv4 and the DNS records are IPv4, round robin and netmask ordering work normally.
When the client is IPv6 and the records are IPv4, netmask ordering cannot work, as the DNS server cannot tell which IPv4 network the client is on. Round robin works normally.
When it is IPv6 to IPv6, address selection is performed by the client (IPv6 default address selection, RFC 6724), so the server's netmask ordering setting is ignored. Round robin works normally.
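The Advanced-tab settings above read back from PowerShell and compared with the values a hardened server should have. Added example, not from the ITFreetraining notes. The property names are taken from Get-DnsServerSetting -All, Get-DnsServerCache and Get-DnsServerRecursion on Windows Server 2012 R2 and are an assumption for other versions; the server name and the InternetFacing flag are assumptions too.

```powershell
# Added example (not part of the original notes): audit the Advanced-tab options and
# return one row per setting with the expected value, so the output can be compared
# across servers. Property names assumed from the 2012 R2 DnsServer module.
function Test-DnsServerHardening {
    param(
        [string] $Server = 'DC1',          # assumption
        [bool]   $InternetFacing = $false  # assumption: authoritative-only servers should not recurse
    )
    $settings  = Get-DnsServerSetting   -ComputerName $Server -All
    $cache     = Get-DnsServerCache     -ComputerName $Server
    $recursion = Get-DnsServerRecursion -ComputerName $Server

    $checks = @(
        @{ Name = 'Round robin';                    Value = $settings.RoundRobin;              Want = $true  }
        @{ Name = 'Netmask ordering';               Value = $settings.LocalNetPriority;        Want = $true  }
        @{ Name = 'BIND secondaries (slow xfr)';    Value = $settings.BindSecondaries;         Want = $false }
        @{ Name = 'Fail on load if bad zone data';  Value = $settings.StrictFileParsing;       Want = $true  }
        @{ Name = 'Secure cache against pollution'; Value = $cache.EnablePollutionProtection;  Want = $true  }
        @{ Name = 'DNSSEC validation';              Value = $settings.EnableDnsSec;            Want = $true  }
        @{ Name = 'Recursion enabled';              Value = $recursion.Enable;                 Want = (-not $InternetFacing) }
    )
    foreach ($c in $checks) {
        [pscustomobject]@{
            Server   = $Server
            Setting  = $c.Name
            Current  = $c.Value
            Expected = $c.Want
            Status   = if ($c.Value -eq $c.Want) { 'OK' } else { 'FIX' }
        }
    }
}

Test-DnsServerHardening | Format-Table -AutoSize

# Remediation for the two findings that matter most for security:
# Set-DnsServerCache     -ComputerName DC1 -PollutionProtection $true
# Set-DnsServerRecursion -ComputerName DC1 -Enable $false   # Internet-facing, authoritative-only
```

Run it against every DNS server in the domain (Get-ADDomainController piped into the function) and diff the tables; the IPv6 netmask-ordering behaviour described above means a 'FIX' on LocalNetPriority only matters for IPv4 clients.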
Scavenging (further reading):
https://social.technet.microsoft.com/wiki/contents/articles/21724.how-dns-aging-and-scavenging-works.aspx
DNS scavenging and the DHCP lease duration relation:
https://blogs.technet.microsoft.com/askpfe/2011/06/03/how-dns-scavenging-and-the-dhcp-lease-duration-relate/
Scavenging is set in three places on a Windows Server: 1. On the individual resource record to be scavenged ('Delete this record when it becomes stale'). 2. On the zone to be scavenged (aging enabled, with the two intervals). 3. On one or more servers performing scavenging (the scavenging period). It must be set in all three places or nothing happens.
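Aging and scavenging configured in the three places named above, covering both the DNS record Aging / Scavenging section earlier and the summary here, with a dry run that lists what would be removed before anything is deleted. Added example, not from the ITFreetraining notes; the zone, server name and address are assumptions, and the 7-day intervals are the defaults the notes describe.

```powershell
# Added example (not part of the original notes): enable aging on the zone, enable
# scavenging on exactly one server, inspect per-record timestamps, and only then
# scavenge. Scavenging on several servers at once is a common way to lose records.
$zone     = 'itfreetraining.local'   # assumption
$server   = 'DC1'                    # assumption
$serverIp = '192.0.2.10'             # assumption: the one server allowed to scavenge this zone

# 1. Zone: aging on, 7-day no-refresh + 7-day refresh, and which server may scavenge it.
Set-DnsServerZoneAging -ComputerName $server -Name $zone -Aging $true `
    -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00 -ScavengeServers $serverIp

# 2. Server: automatic scavenging every 7 days, and the same defaults for new zones.
Set-DnsServerScavenging -ComputerName $server -ScavengingState $true -ScavengingInterval 7.00:00:00 `
    -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00 -ApplyOnAllZones

# 3. Record: static records have no Timestamp and are never scavenged; dynamic ones do.
#    List the records that are already past no-refresh + refresh, i.e. what scavenging
#    would delete right now.
function Get-StaleDnsRecord {
    param(
        [string]   $ZoneName,
        [string]   $ComputerName,
        [timespan] $NoRefresh = '7.00:00:00',
        [timespan] $Refresh   = '7.00:00:00'
    )
    $cutoff = (Get-Date) - ($NoRefresh + $Refresh)
    Get-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $ZoneName |
        Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
        Select-Object HostName, RecordType, Timestamp,
                      @{ Name = 'Data'; Expression = { $_.RecordData.IPv4Address } }
}

Get-StaleDnsRecord -ZoneName $zone -ComputerName $server | Format-Table -AutoSize

# Only after reviewing that list: run scavenging now instead of waiting for the interval.
# Start-DnsServerScavenging -ComputerName $server -Force
```

Compare the stale list against the DHCP lease table before uncommenting the last line; a record whose owner still holds a lease but has not refreshed is the symptom the askpfe article above describes.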
Value adds (further reading):
1. How DNS Works
2. DNS Client Resolver Behavior
3. Name Resolution
4. Network Ports Used by DNS
5. Optimizing your network to keep your DNS squeaky clean
6. Creating a Pinpoint DNS Zone
7. DNS Round Robin and Destination IP address selection
8. Tracking DNS Record Deletion
9. Auditing a DNS Zone
10. How DNS Scavenging and the DHCP Lease Duration Relate
11. Aging and Scavenging of Stale Records
12. Don't be afraid of DNS Scavenging. Just be patient.
13. How DNS Support for Active Directory Works
14. Domain Name System
15. Troubleshooting DNS Clients
16. Troubleshooting DNS Servers
17. Troubleshooting Dynamic Updates
18. Troubleshooting zone problems
19. Event ID 4515 is logged in the DNS Server log in Windows Server 2003
20. Event 5504 is logged when a Windows Server 2003-based DNS server receives a packet that contains a DNAME resource record
21. Best Practices for Administering DNS Server
22. Auditing a DNS Zone
23. Auditing DNS Record Entries (or deletions)
24. Deploying DNS Security Extensions (DNSSEC)
25. Windows client and server operating system compatibility with DNSSEC enabled root servers
26. Checklist: Deploying DNSSEC and IPsec on the DNS client
27. DNS Registry Entries
28. Determine DNS requirements for Lync Server 2013
29. Communicator Automatic Configuration and Split-Brain DNS
30. DNS requirements for mobility with Lync Server 2013
DNS audit:
Audit Directory Service Access must be enabled, and a SACL set on the zone container in AD, for changes to AD integrated zones to be logged.
Event ID 566 (Windows Server 2003; the same event is ID 4662 on Server 2008 and later).
https://blogs.msdn.microsoft.com/anthonw/2006/08/23/auditing-dns-record-entries-or-deletions/
https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c02027857
ADSI Edit settings:
https://www.eventsentry.com/blog/2017/11/auditing-dns-server-changes-on-windows-20082008r22012-with-eventsentry.html
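Turning the audit requirement above into something that produces events, and reading them back. Added example, not from the ITFreetraining notes; it assumes the ActiveDirectory module is available, that the zone is AD-integrated in the DomainDnsZones partition, and the zone DN below is an assumption to adjust to your forest. The event ID used is 4662 (Server 2008 and later); on Server 2003 it is 566, as the notes say.

```powershell
# Added example (not part of the original notes): enable Directory Service Access
# auditing, add a SACL to the zone container so record creations, changes and
# deletions are audited, then summarise who changed which dnsNode.
$zoneDn = 'DC=itfreetraining.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=itfreetraining,DC=local'  # assumption

# 1. Audit policy (run on the DC). Without this nothing is logged regardless of SACLs.
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable

# 2. SACL on the zone object, inherited by every dnsNode under it: audit Everyone for
#    property writes, child creation and deletion. -Audit is required to read the SACL.
Import-Module ActiveDirectory
$acl  = Get-Acl -Path "AD:\$zoneDn" -Audit
$sid  = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'   # Everyone
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, CreateChild, DeleteChild, Delete',
            [System.Security.AccessControl.AuditFlags]'Success, Failure',
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]'All')
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$zoneDn" -AclObject $acl

# 3. Read the resulting 4662 events and keep only those touching DNS objects
#    (their Object Name DN always contains CN=MicrosoftDNS).
function Get-DnsChangeEvent {
    param([datetime] $Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'CN=MicrosoftDNS' } |
        ForEach-Object {
            $m = $_.Message
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = if ($m -match 'Account Name:\s+(\S+)') { $Matches[1] }
                Object  = if ($m -match 'Object Name:\s+(.+)')   { $Matches[1].Trim() }
                Access  = if ($m -match 'Accesses:\s+(.+)')      { $Matches[1].Trim() }
            }
        }
}

Get-DnsChangeEvent | Sort-Object Time | Format-Table -AutoSize
```

Scavenging deletions show up here too, attributed to the DNS server's own computer account; the dnsTombstoned link below explains why a scavenged record first turns into a tombstone rather than disappearing.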
dnsTombstoned:
https://blogs.technet.microsoft.com/isrpfeplat/2010/09/23/dns-scavenging-internals-or-what-is-the-dnstombstoned-attribute-for-ad-integrated-zones/
Other info:
http://clintboessen.blogspot.com/2010/02/active-directory-dns-zone-locations.html
https://blogs.msmvps.com/acefekay/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones/