Module 5: Planning a DNS Name Resolution Strategy

Upload: mayank-kothawade

Post on 22-Feb-2015

Planning a DNS Name Resolution Strategy

© 2006 IIHT Limited

Module – Planning a DNS Name Resolution Strategy

Introduction

DNS is the most commonly used name resolution method. Internet names are assigned based on the DNS. A DNS plan involves various stages that include determining requirements for DNS servers, zones and security. The module covers the following 8 lessons:

Lesson 1 Determining Name Resolution Requirements – explains the different names that can be resolved. It also explains the DNS requirements for a network.
Lesson 2 Planning a DNS Server Implementation – explains the activities involved in creating a plan for installing DNS servers in the network.
Lesson 3 Planning a Server Implementation – explains the components of a namespace plan and the best practices and guidelines for creating the namespace plan.
Lesson 4 Planning Zones – explains the different types of zones and zone locations. It also explains the zone security considerations and guidelines for planning a zone.

Overview (contd.)

Lesson 5 Planning Zone Replication and Delegation – explains the reasons for creating secondary zones and the principles involved in planning a zone transfer and delegation.
Lesson 6 Integrating DNS and WINS – explains the principles of integrating WINS and DNS and the best practices that are used for WINS integration.
Lesson 7 Planning DNS Security – explains the threats that can affect DNS and the tools provided by Windows Server 2003 to secure the DNS service.
Lesson 8 Troubleshooting Name Resolution – explains the methods to optimize DNS performance. It also explains troubleshooting name resolution problems in DNS.

Lesson 1 – Determining Name Resolution Requirements

Introduction

Name resolution is a very important function for Internet communications. When you are planning your network infrastructure, you should plan the name resolution methods for the network. In this lesson, you will learn about:

• Defining Name Resolution
• Types of Names to be Resolved
• Determining DNS Requirements
• NetBIOS Names
• Local Host Name Resolution

Topic 1 – Defining Name Resolution

Name resolution is a process of converting a computer name to an address.

Example of a name resolution
• IIHT Web site address is www.iiht.com and its IP address is 172.68.1.1.

Topic 2 – Types of Names to be Resolved

Before planning a name resolution strategy, the types of names that are to be installed should be determined. This topic explains the types of names to be resolved.

Name types that require resolution
• Network Basic Input/Output (NetBIOS) names
• Domain Name System (DNS) names

Topic 3 – Determining DNS Requirements

DNS requirements depend on the applications and domains hosted on a network. The following are the thumb rules for determining DNS requirements:

• Either use DNS servers provided by the ISP or install your own DNS servers for the network.
• If you host an Internet domain on the network, you will have to configure the domain with a second-level name.
• If you host a Web server on the network, you will have to register a first-level name.
• If you are running Active Directory services on the network, you will have to install a DNS server on the network.

Topic 4 – NetBIOS Names

NetBIOS names are used by computers that run on Windows operating systems released before Windows 2000. The following are traits of NetBIOS names:

• Used by computers that run on Windows operating systems released before Windows 2000.
• Not hierarchical in design.
• Intended for private networks and not for the Internet.

Topic 5 – Local Host Name Resolution

The Lmhosts and Hosts files are a standby method for resolving local host names.

• The Lmhosts and Hosts files are created on a computer to store important name resolution information.
• This method is rarely used.

Lesson 2 – Planning a DNS Server Implementation

Introduction

After determining the DNS requirements, you must plan the DNS server requirements. Planning a DNS server involves a list of activities. In this lesson, you will learn about:

• Planning DNS Server Capacity
• DNS Server Requirements
• Placing DNS Servers in the Network
• Determining the Number of DNS Servers

Topic 1 – Planning DNS Server Capacity

This topic lists the factors to be considered in planning DNS server capacity. These are:

• Number of zones in the network
• Size of the zone. The size of the zone can be computed based on the size of the zone file or the number of resource records that are used in the zone
• Number of IP addresses assigned for the DNS server
• Number of clients that have to be serviced by a DNS server

Topic 2 – DNS Server Requirements

This topic explains methods of arriving at DNS server requirements. These are:

• Review sample DNS server performance test results. The development and testing teams for Windows Server 2003 DNS provide these results.
• Use Windows Server 2003 monitoring tools. DNS server-related counters provide performance measurements for the DNS servers.

Topic 3 – Placing DNS Servers in the Network

This topic explains the factors to be considered in placing DNS servers in the network. These factors are:

• Client access
• Number of subnets in the network
• Making available an alternate DNS server as a backup
• Ensuring that if DNS servers on a particular subnet fail, DNS requests of the subnet clients are routed to a DNS server on a different subnet
• Ensuring that a DNS server installed to support Active Directory can also service other DNS functions of the network

Topic 4 – Determining the Number of DNS Servers

This topic explains the factors to be considered in determining the number of DNS servers to be placed on the network. These factors include:

• Traffic load on the DNS server
• Number of subdomains in the network namespace
• Use of Active Directory Service
• Requirement for backup servers
• Balancing network traffic

Lesson 3 – Planning a Namespace Strategy

Introduction

A namespace plan includes selecting names for the computers on the network. The functioning of the internal and external network must be taken into account when creating the namespace plan. In this lesson, you will learn about:

• Selecting a domain name
• Options available for DNS Namespace
• Best practices for namespace planning
• Guidelines for planning a namespace

Topic 1 – Selecting a Domain Name

This topic explains the types of domains and the factors to be considered in creating a domain.

Domain Types
• External Domain
• Internal Domain

Thumb rules for setting up external domain names
• Register multiple second level domains
• Register a single second level domain and create multiple sub-domains under it

Thumb rules for setting up internal domain names
• Keep domain names short, avoid names that are difficult to spell
• Do not have a number of domain levels
• Avoid abbreviations that cannot be easily understood
• Design a proper DNS name that you do not have to change. Replacing existing DNS names is a difficult task.

Topic 2 – Options Available for DNS Namespace

There are different ways by which you can create a DNS namespace for your internal and external networks. This topic explains the following options which are available for creating a DNS namespace:

• Using the same DNS namespace
• Using separate domain names
• Using a subdomain for the internal network

Topic 3 – Best Practices for Namespace Planning

This topic explains the best practices for planning a namespace. These include:

• Use unique names throughout the organization namespace
• Do not overlap internal and external domains
• Create an Active Directory–compatible namespace, if the network uses Active Directory features or plans to use them in the future

Topic 4 – Guidelines for Planning a Namespace

This topic provides the guidelines for planning a namespace for a network. These are:

• Select a DNS namespace for your domain
• Create separate namespaces for internal and external use
• Install separate servers for internal and external namespace

Lesson 4 – Planning Zones

Introduction

In a DNS plan, it is necessary that you decide on the creation of zones in the environment. Decisions have to be taken for the type of zones and also their storage locations. These decisions will influence the placement of DNS servers in the network. In this lesson, you will learn about:

• Selecting Zone Types
• Selecting a Zone Data Location
• Considerations for Zone Security
• Guidelines for Zone Planning

Topic 1 – Selecting Zone Types

This topic explains the different zone types that are used to synchronize zone information located in different servers.

Zone types:
• Primary Zone – this is the first zone created by the user to store DNS records.
• Secondary Zone – this is the second zone which copies records from the primary zone.
• Stub Zone – this zone is created to store the name server records, that is, the IP address of the DNS server.

Topic 2 – Selecting a Zone Data Location

This topic explains the factors to be considered in selecting a zone data location. Location options and their advantages are:

• Active Directory-integrated DNS server – allows you to make updates in the DNS records on any server. Changes are reflected in all servers.
• Traditional DNS server – mainly used to integrate with an already existing system.

Topic 3 – Considerations for Zone Security

After planning zone type and storage location for the network, you will have to plan the security for the zones. This topic explains the measures to be adopted for zone security. To ensure security, you can:

• Allow only DHCP servers to update DNS server records
• Secure dynamic updates by using the Active Directory security features
• Assign zone permissions to users or groups in the Active Directory

Topic 4 – Guidelines for Zone Planning

This topic explains the guidelines to be followed when planning zones for DNS service on the network. Before zone planning, determine:

• Type of zone for the DNS
• Storage location for the zone data
• Integration process of DNS with WINS, if required
• Security requirements for the zone

Lesson 5 – Planning Zone Replication and Delegation

Introduction

DNS is a service that is mostly required by all network users. To make the service available to all network users, you have to install multiple servers on the network. The DNS namespace is then managed by creating zones. In this lesson, you will learn about:

• Creating a secondary zone
• Transfer and replication of zones
• Security measures for zone transfers
• Delegating zones
• Guidelines for zone replication and delegation

Topic 1 – Creating a Secondary Zone

This topic explains reasons for creating a secondary zone in the network. Reasons for creating a secondary zone:

• Providing a backup for the DNS service
• Reducing network traffic

Topic 2 – Transferring and Replication of Zones

This topic explains the difference between zone transfer and zone replication. The differences are:

• Zone transfers occur in traditional DNS zones.
• In zone transfers, only the primary zone can enable changes to the DNS database.
• Zone replication occurs in Active Directory-integrated zones.
• In zone replication, any DNS server can make changes to the DNS database.

Topic 3 – Security Measures for Zone Transfer

This topic explains how to secure data during zone transfers. The following guidelines apply:

• Restrict zone transfers to only specific servers. The servers should be specified by their IP addresses.
• Use IPSec protocol for protecting the data.
• Use a VPN tunnel for transferring the data from one server to another.
• Use Active Directory for transferring the data.
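
The first guideline can be verified from a host that is not on the approved transfer list: an AXFR request sent from it should be refused. The Python sketch below is an added example, not part of the original slides; the function names and the header-only replies are constructed for illustration, and it assumes it is run against DNS servers you administer.

```python
import socket
import struct

QTYPE_AXFR, QCLASS_IN = 252, 1   # AXFR query type (RFC 5936), class IN


def encode_name(name):
    """Encode a domain name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_axfr_query(zone, txid=0x4158):
    """Return an AXFR query framed for TCP (2-byte length prefix)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    msg = header + question
    return struct.pack("!H", len(msg)) + msg


def classify_response(framed):
    """Classify the first TCP-framed reply to an AXFR query.
    'refused': non-zero RCODE, or the server closed without replying.
    'allowed': RCODE 0 with answer records, so zone data was released.
    'unknown': truncated reply, or NOERROR with no answers.
    """
    if not framed:
        return "refused"
    if len(framed) < 14:
        return "unknown"
    (length,) = struct.unpack("!H", framed[:2])
    msg = framed[2:2 + length]
    if len(msg) < 12:
        return "unknown"
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                      # low 4 bits of flags = RCODE
        return "refused"
    return "allowed" if ancount > 0 else "unknown"


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe(server_ip, zone, timeout=5.0):
    """Request a transfer of zone from server_ip and classify the reply."""
    try:
        with socket.create_connection((server_ip, 53), timeout=timeout) as s:
            s.sendall(build_axfr_query(zone))
            prefix = _recv_exact(s, 2)
            length = struct.unpack("!H", prefix)[0] if len(prefix) == 2 else 0
            return classify_response(prefix + _recv_exact(s, length))
    except ConnectionResetError:
        return "refused"
    except OSError:                         # timeout, TCP/53 filtered, host down
        return "unknown"


def leaking_servers(verdicts):
    """From {server_ip: verdict} gathered on an unapproved host, list leaks."""
    return sorted(ip for ip, v in verdicts.items() if v == "allowed")


if __name__ == "__main__":
    # Constructed replies (header only): REFUSED, then NOERROR with 1 answer.
    refused = b"\x00\x0c" + bytes.fromhex("415880050001000000000000")
    allowed = b"\x00\x0c" + bytes.fromhex("415884000001000100000000")
    print(classify_response(refused), classify_response(allowed))
```

Any server that `leaking_servers` reports is releasing zone data to a host outside the approved list, so its zone transfer settings need review.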

Topic 4 – Delegating Zones

This topic explains the concept of delegating zones and its advantages.

Definition of zone delegation
• Zone delegation is the process of assigning responsibility of a sub-domain to a zone

Advantages
• Delegation helps in better management of the namespace
• Enlarges the namespace by adding more subdomains
• Helps distribute network traffic among different zones

Topic 5 – Guidelines for Zone Replication and Delegation

This topic provides the guidelines for zone replication and delegation. The guidelines are:

• Decide when to create additional zones
• Decide whether to use zone transfers or zone replication
• Decide security requirements for the DNS environment
• Decide whether you need zone delegation in your environment

Lesson 6 – Integrating DNS and WINS

Introduction

Before DNS was used as a communications standard, Microsoft networks relied on WINS for name resolution. WINS operated on NetBIOS names. Even at present, there are computers that use NetBIOS names and as a result require WINS. In this lesson, you will learn about:

• WINS Integration
• Modification of Cache Timeout Settings
• Best Practices of WINS Integration

Topic 1 – WINS Integration

This topic explains the need for integrating DNS with WINS and the process of WINS integration. WINS integration is required when a network has clients with NetBIOS names and a standard DNS server.

Integration requirements
• Standard DNS servers cannot process NetBIOS names.
• The network should contain both DNS and WINS servers.
• A DNS zone that includes WINS must be created.

Topic 1 – WINS Integration (contd.)

Integration options

Integrating WINS on DNS server
• Disadvantages: A request is processed by both services leading to more processor utilization and system degradation

Separate DNS and WINS Servers
• Disadvantages: Increase in network traffic between both servers

Integrating DNS on WINS
• Request is first processed by DNS. If the name does not match the database record for WINS, it is forwarded to WINS for resolution.

Topic 2 – Modification of Cache Timeout Settings

This topic explains the DNS server cache and the procedure to modify the cache timeout value for a DNS zone.

Characteristics of DNS cache
• Information received by a DNS server is stored in its cache
• Time for which the information is stored is called Time To Live (TTL)
• When WINS server data does not change frequently, data stored in the cache can remain for a longer time
• Results in a faster response and also lesser traffic exchanged between the DNS server and the WINS server

Setting cache timeout value in the DNS console

Topic 3 – Best Practices of WINS Integration

There are many best practices for integrating WINS with DNS. The most important of these are:

• Create a subdomain for the WINS server
• Transfer unresolved DNS queries to a WINS server on the network
• Configure WINS in the DNS zone

Lesson 7 – Planning DNS Security

Introduction

Providing security to the DNS service is a component of the DNS name resolution strategy. There is a risk involved if the data from the DNS server is intercepted by unauthorized users. The functioning of the enterprise will be affected if the DNS service fails. In this lesson, you will learn about:

• Identifying DNS Security Threats
• Securing the DNS Server

Topic 1 – Identifying DNS Security Threats

This topic explains the threats against which the DNS system should be protected. Critical DNS threats include:

DNS service interruption
• Denial-of-Service (DoS)
• IP Spoofing

Unauthorized access to DNS data
• Redirection
• Footprinting

Topic 2 – Securing the DNS Server

A DNS server has to be protected against all possible threats. The following measures help to protect your DNS server and prevent service interruptions:

• Installing backup DNS servers
• Using Active Directory-integrated DNS
• Securing DNS server cache
• Securing Dynamic Updates
• Limiting DNS network interfaces

Lesson 8 – Troubleshooting Name Resolution

Introduction

It is important that the DNS server that is installed performs to optimum capacity and problems in name resolution are effectively resolved. In this lesson, you will learn about:

• Optimization of DNS Servers
• Troubleshooting Name Resolution

Topic 1 – Optimization of DNS Servers

There are several methods to optimize DNS Servers. These include:

• Disabling recursion option in Windows Server 2003
• Update to the root hints
• Disabling round robin DNS
• Disabling priority based IP addresses
• Modifying cache timeout settings
• Using caching-only servers
• Using Extension Mechanisms for DNS (EDNS0) protocol

Topic 2 – Troubleshooting Name Resolution

Troubleshooting name resolution requires problem identification. The steps in troubleshooting such problems:

• First, isolate the problem to the DNS Server. Problems with connectivity could also arise due to other causes such as network connectivity.
• Check if the client is able to ping the server.
• Check whether the DNS Service is activated.
• If the client computer is able to connect to the DNS server for name resolution, but the resolved names are incorrect, problems could be:
  • Incorrect resource records
  • Failed Dynamic Updates
  • Failed Zone transfers
• If the DNS server is able to resolve names in its domain and cannot resolve names outside the domain, the problem could be recursion failure.

Conclusion

Summary of the module
• NetBIOS and DNS are the two types of names that are to be resolved
• DNS server capacity depends on the number of clients, zones and IP addresses assigned to the DNS server
• Domains are categorized as internal and external domains
• Types of zone: Primary zone, Secondary zone and Stub zone
• Active Directory-integrated DNS service offers a more efficient and secure zone than a traditional DNS server
• Secondary zones provide zone redundancy and lesser network traffic
• DNS server is secured by providing DNS server redundancy; using Active Directory services; securing DNS server cache; securing dynamic updates; limiting network interface
• Possible errors of the DNS server are: Incorrect TCP/IP configurations, problems with the resource records and recursion failures

Question and Answer Session