Table of Contents
Aging and Scavenging
Aging is a feature that allows identifying stale DNS records. It actually uses two intervals and the DNS record is considered stale once both are elapsed. These intervals are:
Non-refresh Interval: It is a period of time during which a resource record could be refreshed.
A resource record refresh is a DNS dynamic update where the hostname and IP do not change. A DNS dynamic update to change the registered IP for a resource record is not considered as a refresh and is exempt from the Non-Refresh Interval. A client will attempt to refresh its DNS record at startup, and every 24 hours while the system is running.
Scavenging is a feature that allows the cleanup and removal of stale resource records in DNS zones.
A stale resource record will be removed only if scavenging is enabled on,
- The resource record
- The DNS zone where the resource record exist
- At least one DNS hosting a primary copy of the DNS zone where the resource record exist
Scavenging occurs at recurring intervals when enabled on a DNS server. A stale resource record can then till exist until the next cycle of DNS scavenging. Aging and scavenging are disabled by default.
Configuring advance DNS name resolution
When devices communicate with each other by using TCP/IP they begin the process by creating packets of data that will go out of the network adapter to other devices over the configured media. These packets must contain the specific IP address of the device for which the message is intended. To find that address, devices use DNS name resolution queries based on the FQDN of the device. The FQDN contains the zone name or if the client resolver does not have the zone name, appends its own to the name resolution packet.
DNS round-robin: Round Robin DNS is a technique of load distribution, load balancing, or fault-tolerance by managing the Domain Name System (DNS) responses to address requests from client computers according to an appropriate statistical model. Round robin works on a rotating basis in that one server IP address is handed out, then moves to the back of the list; the next server IP address is handed out, and then it moves to the end of the list; and so on, depending on the number of servers being used. This works in a looping fashion. Round robin DNS is usually used for balancing the load of geographically distributed Web servers. Although very easy to implement, round-robin DNS has important drawbacks, such as those inherited from the DNS hierarchy itself and TTL times, which causes undesired address caching to be very difficult to manage.
Netmask reordering: Enable netmask ordering it is also termed as LocalNetPriority and is similar to the Round-robin function. However, Its main job is to re-order and give preference to client’s queries using the addresses assigned to DNS server multiple network interface cards. Assume that a client generates a DNS query and sends it to the DNS server. If its IP address is in the same subnet of the client and Netmask Ordering is enabled; then the server will re-order its IP addresses and facilitate it to the top of the list to greatly improve its response to the client’s queries.
Recursion: By default, the DNS server performs recursive queries on behalf of its DNS clients and DNS servers that have forwarded DNS client queries to it. Recursion is a name-resolution technique in which a DNS server queries other DNS servers on behalf of the requesting client to fully resolve the name and then sends an answer back to the client. Attackers can use recursion to deny the DNS Server service. When a DNS server communicates with a root hints server, it only uses an iterative query. If you select the Do Not Use Recursion For This Domain option in the DNS Server Properties window, the server will not be able to perform queries on the root hints. You might set this option if you want to restrict all name resolutions to a particular network for security purposes.
Zone Transfer and Replication
Because the zone is an important aspect of DNS, zones must be available from more than one DNS server on the network to provide availability and fault tolerance when resolving name queries. Zone transfer occurs in a traditional DNS zone. Zone replication occurs in an Active Directory-integrated zone.
Zone transfer
Zone transfers are used to transfer zone records from a master server to a secondary server. A master server can be any other DNS server that loads the zone, such as the primary server for the zone or another secondary server. When the master server receives the request for the zone, it can reply with either a partial or a full transfer of the zone to the secondary server. The types of zone transfers include,
Full zone transfer: A full zone transfer occurs when you copy the entire zone from one DNS server to another. A full zone transfer is known as an all zone transfer (AXFR).
Incremental zone transfer: An incremental zone transfer occurs when there is an update to the DNS server and only the resource records that were changed are replicated to the other server. This is known as an incremental zone transfer (IXFR).
Fast zone transfer: Windows DNS servers perform fast transfers, which are a type of zone transfer that uses compression and sends multiple resource records in each transmission. Not all DNS server implementations support incremental and fast zone transfers.
Zone replication
You can store DNS zones in the domain or application directory partitions of Active Directory Domain Services (AD DS). A partition is a data structure in AD DS that distinguishes data for different replication purposes. With AD DS replication, all domain controllers for the domain can modify the zone and then replicate the changes to other domain controllers. This replication process is known as multi-master replication because multiple domain controllers, or masters, can update the zone. this means that any standard domain controller that also holds the DNS role can update the DNS zone information, which then replicates to all DNS servers that host the DNS zone.
Configuring Secondary DNS Zone
We are having two server machines for configuring the Secondary DNS Zone. We have computer champ with the DNS zone eihstore.in will hold Secondary DNS zone.
DNS Forwarders and Conditional Forwarders
DNS Forwarding improves performance, load balance and makes your network more resilient. It provides a way to pass on queries of namespaces or resource records that are not contained in a local Domain Name System (DNS) server’s zone to a remote DNS server for resolution. There are two methods, forwarding, and Conditional Forwarding.
DNS Forwarders: A DNS server configured to use a forwarder will forward the query to the DNS server designated as a forwarder outside of its local network. The original DNS server that received the initial query will wait briefly for an answer from the forwarder. If that fails, it will attempt to contact the DNS servers specified in this root hints as a last resort.
Conditional Forwarders: Conditional forwarders are DNS servers that only forward queries for specific domain names. Instead of forwarding all queries, it cannot resolve locally to a forwarder, a conditional forwarder is configured to forward a query to specific forwarders based on the domain name contained in the query. Forwarding according to domain names improves conventional forwarding by adding a name-based condition to the forwarding process. This allows you to create a direct point of contact between two network’s DNS servers, which reduces the need for recursion.
DNS Delegation
DNS is a hierarchical system, and zone delegation connects the DNS layers. A zone delegation points to the next hierarchical level down and then identifies the name servers that are responsible for the lower-level domain. When deciding whether to divide a DNS namespace to make additional zones, consider the following scenarios in which you might use additional zones,
You need to delegate management of a part of the DNS namespace to another organizational location or department.
You need to divide one large zone into smaller zones so you can distribute traffic loads among multiple servers. this improves DNS name-resolution performance, and it creates a more fault-tolerant DNS environment.
You need to extend the namespace by adding numerous subdomains immediately to accommodate the opening of a new branch or site.
Configuration DNS Forwarders
We have to have two server 2016 machines for this. champ (172.30.10.1) and champ2 (172.30.20.1) We already configured DNS on the champ with the domain name eihtech.com. And champ2 is having DNS with domain zone eihstore.in