As previously mentioned, name servers, or DNS
servers, are systems that store information about the domain namespace.
Name servers can have either the entire domain namespace or just a
portion of the namespace. When a name server only has a part of the
domain namespace, the portion of the namespace is called a zone.
DNS Zones
There is a
subtle difference between zones and domains. All top-level domains, and
many domains at the second and lower levels, are broken into
zones—smaller, more manageable units created by delegation. A zone is
the unit of delegation in DNS: the portion of the namespace for which a
particular server answers requests. Any server that hosts a zone is said
to be authoritative for that zone, with the exception of stub zones.
A name server can have
authority over more than one zone. Different portions of the DNS
namespace can be divided into zones, each of which can be hosted on a
DNS server or group of servers.
Forward Lookup Zones
A forward lookup zone
is created to do forward lookups on the DNS database, resolving names to
IP addresses and resource information.
Reverse Lookup Zones
A reverse lookup
zone performs the opposite operation to the forward lookup zone: IP
addresses are matched up with a name in a reverse lookup zone.
This is similar to knowing the phone number but not knowing the name
associated with it. Reverse lookup zones must be manually created, and
do not exist in every implementation. Reverse lookup zones are primarily
populated with PTR records, which serve to point the reverse lookup
query to the appropriate name.
Tip
It is good
practice for the Simple Mail Transfer Protocol (SMTP) mail server to
have a record in the reverse lookup zone. Spam control sites check for
the existence of this record. It is possible to be placed on a spammer
list if the site does not have a PTR record for the MX entry in the DNS
reverse lookup zone.
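The Tip above describes the check that spam-control services perform: the address of each mail host should have a PTR record in the reverse lookup zone, and that PTR should name the same host the forward zone does. The following is an added example, not code from the book: it models a forward lookup zone and a reverse lookup zone as constructed in-memory record sets and checks every MX target of companyabc.com for an A record, a PTR record at the corresponding in-addr.arpa name, and agreement between the two. The zone contents, addresses and function names are assumptions made for the example; it uses the standard library's reverse_pointer so it also handles IPv6 (ip6.arpa), which goes beyond the IPv4 case in the text.

```python
"""Check that a domain's mail hosts have matching forward (A) and reverse (PTR) records.

The two zones below are constructed sample data for this example, not records
from a real server. Each zone is modelled as {(owner, type): [rdata, ...]}.
"""
import ipaddress

# Constructed forward lookup zone for companyabc.com
FORWARD_ZONE = {
    ("companyabc.com.", "MX"): ["10 mail.companyabc.com.",
                                "20 mail2.companyabc.com.",
                                "30 mail3.companyabc.com.",
                                "40 mail4.companyabc.com."],
    ("mail.companyabc.com.", "A"): ["192.0.2.25"],
    ("mail2.companyabc.com.", "A"): ["192.0.2.26"],
    ("mail3.companyabc.com.", "A"): ["192.0.2.27"],
    # mail4 is listed in the MX set but has no address record at all
}

# Constructed reverse lookup zone 2.0.192.in-addr.arpa
REVERSE_ZONE = {
    ("25.2.0.192.in-addr.arpa.", "PTR"): ["mail.companyabc.com."],
    # .26 has no PTR record; .27 has one that names a different host
    ("27.2.0.192.in-addr.arpa.", "PTR"): ["host27.example.net."],
}


def reverse_name(ip):
    """Owner name to query in the reverse zone for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def lookup(zone, owner, rtype):
    """Record data for (owner, type) in a zone, or an empty list."""
    return zone.get((owner, rtype), [])


def check_mail_hosts(forward, reverse, domain):
    """Return {(host, ip): status} for every address of every MX target of domain.

    status is one of: ok, missing-ptr, ptr-mismatch, no-a-record.
    """
    results = {}
    for rdata in lookup(forward, domain, "MX"):
        _preference, host = rdata.split()
        addresses = lookup(forward, host, "A")
        if not addresses:
            results[(host, None)] = "no-a-record"
            continue
        for ip in addresses:
            ptrs = lookup(reverse, reverse_name(ip), "PTR")
            if not ptrs:
                results[(host, ip)] = "missing-ptr"
            elif host in ptrs:
                results[(host, ip)] = "ok"           # forward-confirmed reverse DNS
            else:
                results[(host, ip)] = "ptr-mismatch"
    return results


if __name__ == "__main__":
    report = check_mail_hosts(FORWARD_ZONE, REVERSE_ZONE, "companyabc.com.")
    for (host, ip), status in report.items():
        print(f"{host:<25} {ip or '-':<15} {status}")
```

Only the first host passes; the other three show the failure modes an administrator would want to catch before a spam-control site does, and the same check can be run against any domain whose forward and reverse zones are loaded into the two dictionaries.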
Active Directory–Integrated Zones
A
Windows 2003 or Windows 2008 DNS server can store zone information in
two distinct formats: Active Directory–integrated or standard text file.
An Active Directory–integrated zone is an available option when the DNS
server is installed on an Active Directory domain controller. When a
DNS zone is installed as an Active Directory zone, the DNS information
is automatically updated on the other Active Directory domain controllers
that run DNS by using Active Directory's multimaster update techniques. Zone
information stored in the Active Directory allows DNS zone transfers to
be part of the Active Directory replication process secured by Kerberos
authentication.
Primary Zones
In traditional
(non-Active Directory–integrated) DNS, a single server serves as the
master DNS server for a zone, and all changes made to that particular
zone are done on that particular server. A single DNS server can host
multiple zones, and can be primary for one and secondary for another. If
a zone is primary, however, all requested changes for that particular
zone must be done on the server that holds the master copy of the zone.
As illustrated in Figure 1, companyabc.com is set up on DC1 as an Active Directory–integrated primary zone. However, DC1 also holds a secondary zone copy of the amaris.org zone.
Creating a new primary
zone manually is a fairly straightforward process. The following
procedure outlines the creation of a standard zone for the companyabc.com DNS namespace:
1. Open the Server Manager.
2. Navigate to Roles\DNS Server\DNS\<Servername>\Forward Lookup Zones.
3. Right-click Forward Lookup Zones, and choose New Zone.
4. Click Next on the welcome screen.
5. Select Primary Zone from the list of zone types available. Also, determine if the zone will be stored in Active Directory. If not, uncheck the Store the Zone in Active Directory check box. Click Next to continue.
6. If the zone is Active Directory–integrated, the replication scope needs to be selected. The replication can be to all DNS servers in the forest, all DNS servers in the domain, or just to the domain controllers in the domain for Windows 2000 compatibility.
7. Type the name of the primary zone to be created, and click Next.
8. Determine whether dynamic updates will be allowed in this zone. By default, Allow Only Secure Dynamic Updates is selected. Click Next to continue.
9. Click Finish on the Summary page to create the zone.
Secondary Zones
A secondary zone
is established to provide redundancy and load balancing for the primary
zone. Secondary zones are not necessary if the zone has been set up as
the Active Directory–integrated zone because the zone will be replicated
to all domain controllers in the domain. With secondary zones, each
copy of the DNS zone database is read-only, however, because all
recordkeeping is done on the primary zone copy. A single DNS server can
contain several zones that are primary and several that are secondary.
The zone creation process is similar to the one outlined in the
preceding section on primary zones, the difference being that the zone
is transferred from an existing primary server rather than created empty.
Stub Zones (Delegated Zones)
A stub zone is a zone that
contains no information about the members in a domain but simply serves
to forward queries to a list of designated name servers for different
domains. A stub zone contains only NS, SOA, and glue records. Glue
records are A records that work in conjunction with a particular NS
record to resolve the IP address of a particular name server. A server
that hosts a stub zone for a namespace is not authoritative for that
zone.
A stub zone effectively
serves as a placeholder for a zone that is authoritative on another
server. It allows a server to forward queries that are made to a
specific zone to the list of name servers in that zone.
DNS Queries
The primary function of DNS
is to provide name resolution for requesting clients, so the query
mechanism is one of the most important elements in the system. Two types
of queries are commonly made to a DNS database: recursive and
iterative.
Recursive Queries
Recursive queries
are most often performed by resolvers, or clients that need to have a
specific name resolved by a DNS server. Recursive queries are also
accomplished by a DNS server if forwarders are configured to be used on a
particular name server. A recursive query asks whether a particular
record can be resolved by a particular name server. The response to a
recursive query is either negative or positive.
Iterative Queries
Iterative
queries ask a DNS server to either resolve the query or make a
best-guess referral to a DNS server that might contain more accurate
information about where the query can be resolved. Another iterative
query is then performed to the referred server and so on until a result,
positive or negative, is obtained.
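The sections on stub zones and on iterative queries describe one mechanism from two sides: an authoritative server answers from its own zone data or hands back a referral (a stub zone only ever hands back referrals), and an iterative resolver follows those referrals until it reaches an answer or a negative response. A recursive query simply asks a server to run that loop on the client's behalf and return the final positive or negative result. The following is an added example, not code from the book: it builds a constructed topology of a root server, a com server, DC1 holding the companyabc.com primary zone plus a stub zone for amaris.org (as in Figure 1), and the authoritative amaris.org server, then resolves names iteratively through it. All zone contents, addresses and names are sample data invented for the example, and the referral-following logic is a simplified model (no caching, no SOA handling, one address tried per hop).

```python
"""Iterative resolution across a constructed DNS topology.

Everything below (zones, server addresses, names) is sample data built for
this example; it is not real DNS data. Record sets are {(owner, type): [rdata]}.
"""
from dataclasses import dataclass


@dataclass
class Zone:
    origin: str          # zone apex, fully qualified with a trailing dot
    records: dict        # {(owner, type): [rdata, ...]}
    stub: bool = False   # a stub zone holds only NS/SOA/glue and is not authoritative


def in_zone(name, origin):
    return origin == "." or name == origin or name.endswith("." + origin)


def delegation_point(zone, qname):
    """Closest NS cut between qname and the zone apex (apex excluded), or None."""
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate == zone.origin:
            break
        if (candidate, "NS") in zone.records:
            return candidate
    return None


@dataclass
class Server:
    ip: str
    zones: list

    def query(self, qname, qtype):
        """Answer one query from local zone data: answer, referral, negative or refused."""
        hosted = [z for z in self.zones if in_zone(qname, z.origin)]
        if not hosted:
            return "refused", None
        zone = max(hosted, key=lambda z: len(z.origin))   # closest enclosing zone
        cut = zone.origin if zone.stub else delegation_point(zone, qname)
        if cut is not None:
            # referral: the NS names at the cut plus whatever glue A records we hold
            ns_names = zone.records[(cut, "NS")]
            return "referral", {ns: zone.records.get((ns, "A"), []) for ns in ns_names}
        rdata = zone.records.get((qname, qtype))
        return ("answer", rdata) if rdata else ("negative", None)


def iterative_resolve(network, qname, qtype, start_ips, depth=0):
    """Follow referrals from start_ips until an answer or a negative response.

    Returns (rdata or None, trail), where trail lists (server_ip, status) per hop.
    """
    next_ips, trail = list(start_ips), []
    for _ in range(8):                      # hop limit guards against referral loops
        ip = next_ips[0]
        status, data = network[ip].query(qname, qtype)
        trail.append((ip, status))
        if status != "referral":
            return (data if status == "answer" else None), trail
        next_ips = [a for addrs in data.values() for a in addrs]
        if not next_ips:
            # no glue: resolve the first NS name's address in a separate walk from the root
            if depth > 2:
                return None, trail
            ns_addr, _ = iterative_resolve(network, next(iter(data)), "A", ROOT_IPS, depth + 1)
            if not ns_addr:
                return None, trail
            next_ips = ns_addr
    return None, trail


ROOT = Zone(".", {
    ("com.", "NS"): ["a.ns.com."],
    ("a.ns.com.", "A"): ["192.0.2.1"],               # glue for the com delegation
})
COM = Zone("com.", {
    ("companyabc.com.", "NS"): ["ns1.companyabc.com."],
    ("ns1.companyabc.com.", "A"): ["192.0.2.10"],    # glue: ns1 lives inside the delegated zone
})
COMPANYABC = Zone("companyabc.com.", {               # primary zone held on DC1
    ("companyabc.com.", "NS"): ["ns1.companyabc.com."],
    ("ns1.companyabc.com.", "A"): ["192.0.2.10"],
    ("www.companyabc.com.", "A"): ["192.0.2.80"],
})
AMARIS_STUB = Zone("amaris.org.", {                  # stub zone on DC1: NS and glue only
    ("amaris.org.", "NS"): ["ns.amaris.org."],
    ("ns.amaris.org.", "A"): ["198.51.100.5"],
}, stub=True)
AMARIS = Zone("amaris.org.", {                       # the authoritative copy, elsewhere
    ("amaris.org.", "NS"): ["ns.amaris.org."],
    ("ns.amaris.org.", "A"): ["198.51.100.5"],
    ("mail.amaris.org.", "A"): ["198.51.100.25"],
})

ROOT_IPS = ["192.0.2.2"]
NETWORK = {
    "192.0.2.2": Server("192.0.2.2", [ROOT]),
    "192.0.2.1": Server("192.0.2.1", [COM]),
    "192.0.2.10": Server("192.0.2.10", [COMPANYABC, AMARIS_STUB]),   # DC1
    "198.51.100.5": Server("198.51.100.5", [AMARIS]),
}

if __name__ == "__main__":
    for name, start in [("www.companyabc.com.", ROOT_IPS), ("mail.amaris.org.", ["192.0.2.10"])]:
        rdata, trail = iterative_resolve(NETWORK, name, "A", start)
        print(name, rdata, trail)
```

Resolving www.companyabc.com from the root takes three hops (two referrals, then the answer from DC1), while a query for mail.amaris.org sent to DC1 is answered by a referral out of the stub zone and completes at the authoritative amaris.org server. A name that does not exist ends in a negative response from the authoritative server rather than a referral, which is the distinction the text draws between positive and negative results.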