N&SA-2025-S1-Wk3-4

DNS Server Functionality

  • DNS servers translate hostnames to IP addresses and vice versa.
  • They locate service records, such as MX records for mail servers and SRV records for domain controllers.
  • Configuration options include:
    • Integrating DNS into Active Directory.
    • Using a standalone primary DNS server with a secondary server.

Active Directory Integrated Zones

  • Can only be created on domain controllers.
  • Offer scalability and redundancy.
  • Replicate zone data to the other domain controllers in the replication scope through Active Directory replication (multi-master, so any of them can accept updates).
  • Improve network performance by allowing multiple domain controllers to serve requests.
  • Three dynamic update configuration options:
    • Secure dynamic updates only: Available only for Active Directory integrated zones; only authenticated domain members can register or update records, and each record's ACL limits who may later modify it.
    • Non-secure and secure dynamic updates: Allows both types of updates.
    • No dynamic updates: Disables dynamic updates.
  • Can replicate to read-only domain controllers, but these zones are read-only.
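An added example, not part of the lecture notes: creating an Active Directory integrated zone that accepts only secure dynamic updates, then auditing and fixing every zone whose update policy is weaker. The zone name is an assumption; the cmdlets are the Windows DnsServer module's own, run on a domain controller.

```powershell
# Added example (not from the lecture notes). Run on a domain controller with the
# DnsServer module. The zone name is an assumption for illustration.
Import-Module DnsServer

$zone = 'corp.example.com'   # assumed zone name

# Create an Active Directory integrated primary zone that replicates to every DC in
# the domain and accepts only secure (Kerberos-authenticated) dynamic updates.
if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $zone -ReplicationScope Domain -DynamicUpdate Secure
}

# Audit: list every AD-integrated primary zone whose update policy is weaker than Secure.
# 'NonsecureAndSecure' lets any unauthenticated host on the network overwrite records,
# so an attacker can take over a hostname (and the Kerberos SPNs tied to it) by squatting.
function Get-WeakDynamicUpdateZone {
    Get-DnsServerZone |
        Where-Object {
            $_.ZoneType -eq 'Primary' -and $_.IsDsIntegrated -and
            -not $_.IsAutoCreated -and $_.DynamicUpdate -ne 'Secure'
        } |
        Select-Object ZoneName, ReplicationScope, DynamicUpdate
}

$weak = Get-WeakDynamicUpdateZone
$weak | Format-Table -AutoSize

# Remediate: tighten each offending zone to secure updates only.
foreach ($z in $weak) {
    Set-DnsServerPrimaryZone -Name $z.ZoneName -DynamicUpdate Secure
}
```

Hosts that currently register with non-secure updates (non-domain devices, some appliances) will stop updating after this change; give them static records or DHCP-based registration before tightening.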

Primary and Secondary Zones

  • In traditional DNS, a standalone primary server handles updates.
  • Secondary servers update their records from the primary server.
  • If the primary server fails, updates stop.
  • Two types of primary zones:
    • Active Directory integrated zones: Hosted on domain controllers and stored in Active Directory.
    • Standard primary zones: Stored in a zone file on the server's disk; can be hosted on any DNS server, including non-domain controllers (member or standalone servers).
  • DNS server service on a domain controller supports all zone types.
  • Secondary zones are read-only copies and cannot process updates.
  • Prior to configuring a secondary zone, configure the primary zone.

Reverse Lookup Zones

  • Translate IP addresses into fully qualified domain names (FQDNs).
  • Support IPv4 and IPv6.
  • Can be Active Directory integrated, standard primary, or secondary zones.
  • The domain controller promotion process creates the forward lookup zone for the domain but not a reverse lookup zone; reverse zones must be created manually.
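An added example (not from the lecture notes) covering the primary/secondary and reverse lookup sections above: a file-backed standard primary on a non-domain controller, a read-only secondary pulling from it, zone transfers restricted to that secondary, and a reverse zone with a PTR record. Server names, addresses and the zone name are assumptions.

```powershell
# Added example (not from the lecture notes). Names and addresses are assumptions:
# ns1 (10.0.0.10) is a standalone primary, ns2 (10.0.0.11) a secondary.
Import-Module DnsServer

$zone      = 'lab.example.com'
$primary   = '10.0.0.10'
$secondary = '10.0.0.11'

# --- On ns1: file-backed standard primary zone (works on a non-domain controller).
# File-backed zones cannot use secure-only dynamic updates; disable updates instead.
Add-DnsServerPrimaryZone -Name $zone -ZoneFile "$zone.dns" -DynamicUpdate None

# If a zone allows transfers to any server, one AXFR hands an attacker the whole zone.
# Restrict transfers to the known secondary and notify only it of changes.
Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $secondary -Notify NotifyServers -NotifyServers $secondary

# Reverse lookup zone for the subnet (promotion does not create one); the PTR pairs with the A record.
Add-DnsServerPrimaryZone -NetworkId '10.0.0.0/24' -ZoneFile '0.0.10.in-addr.arpa.dns' -DynamicUpdate None
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'web01' -IPv4Address '10.0.0.50' -CreatePtr
# -CreatePtr needs the reverse zone to exist first; the explicit equivalent is:
# Add-DnsServerResourceRecordPtr -ZoneName '0.0.10.in-addr.arpa' -Name '50' -PtrDomainName "web01.$zone"

# --- On ns2: read-only secondary that pulls the zone from ns1 and cannot accept updates.
Add-DnsServerSecondaryZone -Name $zone -ZoneFile "$zone.dns" -MasterServers $primary

# --- Audit (either server): primary zones that still allow transfers to any host.
function Get-OpenTransferZone {
    Get-DnsServerZone |
        Where-Object {
            $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and
            $_.SecureSecondaries -eq 'TransferAnyServer'
        } |
        Select-Object ZoneName, SecureSecondaries, SecondaryServers
}
Get-OpenTransferZone | Format-Table -AutoSize
```

Run the ns1 and ns2 sections on their respective servers; the secondary cannot load until the primary exists and permits the transfer.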

Forwarders and Conditional Forwarders

  • Enable a DNS server to forward queries it cannot answer from its own zones or cache to another DNS server.
  • If no forwarder is configured, or none of the configured forwarders respond, the server falls back to iterative resolution from its root hints unless "Use root hints if no forwarders are available" is disabled.
  • Forwarders are typically used to send all external queries to a designated set of resolvers (for example the ISP's or a filtering resolver) so that internal servers do not query the Internet directly.
  • Conditional forwarders forward queries for names in a specific domain to specified servers.
  • Conditional forwarders take precedence over standard forwarders.
  • Useful for organizations with trust relationships or partnerships.

Stub Zones

  • Contain only the SOA, NS and glue A/AAAA records of another zone, typically a delegated child zone.
  • Keep that list of authoritative servers current by refreshing it from the master servers, so delegation data does not go stale when those servers' addresses change.
  • Do not hold the zone's ordinary host records; queries are referred to the authoritative servers the stub zone lists.
  • If created on a writable domain controller, can be stored in Active Directory and replicated.
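An added example (not from the lecture notes) for the forwarder, conditional forwarder and stub zone sections above: forwarders with root-hint fallback disabled, a conditional forwarder for a partner domain, a stub zone for a delegated child, and checks that show what each holds. All addresses and names are assumptions.

```powershell
# Added example (not from the lecture notes). All addresses and names are assumptions:
# 10.0.0.53/54 are internal resolvers, partner.example.net a partner's domain,
# eu.corp.example.com a delegated child zone.
Import-Module DnsServer

# Standard forwarders: every query not answerable from our zones or cache goes to these
# resolvers. Disabling root-hint fallback makes resolution fail closed when the forwarders
# are down instead of letting this server bypass the egress control and query the Internet.
Set-DnsServerForwarder -IPAddress '10.0.0.53','10.0.0.54' -UseRootHint $false -Timeout 3

# Conditional forwarder: queries for names under partner.example.net go to the partner's
# servers and take precedence over the standard forwarders. Stored in AD so every DC in
# the forest receives it.
Add-DnsServerConditionalForwarderZone -Name 'partner.example.net' `
    -MasterServers '192.0.2.53','192.0.2.54' -ReplicationScope Forest

# Stub zone for a delegated child: only SOA, NS and glue records, refreshed from the masters.
Add-DnsServerStubZone -Name 'eu.corp.example.com' -MasterServers '10.1.0.10' -ReplicationScope Domain

# Verify: forwarder settings, the forwarder/stub zones, and the stub zone's record types
# (expect only SOA, NS and A, never the child's ordinary host records).
Get-DnsServerForwarder
Get-DnsServerZone | Where-Object { $_.ZoneType -in 'Forwarder','Stub' } |
    Select-Object ZoneName, ZoneType, MasterServers, ReplicationScope
Get-DnsServerResourceRecord -ZoneName 'eu.corp.example.com' |
    Group-Object RecordType | Select-Object Name, Count
Resolve-DnsName -Name 'www.partner.example.net' -Server localhost
```

The stub zone and the conditional forwarder solve different problems: the stub zone tracks who is authoritative for a child and still resolves iteratively, while the conditional forwarder hands the whole query to the partner's servers.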

Global Name Zones

  • Require DNS servers running Windows Server 2008 or later.
  • Provide single-label (NetBIOS-style) name resolution without WINS; the zone must be named GlobalNames and GlobalNames support must be enabled on each DNS server.
  • Entries are CNAME records populated manually; the zone does not accept dynamic updates.

DNS Record Types

  • A Records: Map fully qualified domain names to IPv4 addresses.
  • AAAA Records: Map FQDNs to IPv6 addresses.
  • CNAME (Alias) Records: Provide alternate names for existing host records.
    • Point to an existing host record.
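An added example (not from the lecture notes) for the Global Name Zones and DNS Record Types sections: A, AAAA and CNAME records in a forward zone, then a GlobalNames zone created, enabled and populated with a CNAME. Zone name, host names and addresses are assumptions.

```powershell
# Added example (not from the lecture notes). Names and addresses are assumptions; the
# forward zone is assumed to exist as an AD-integrated zone on this domain controller.
Import-Module DnsServer
$zone = 'corp.example.com'

# Host records: A for IPv4, AAAA for IPv6, both under the same owner name.
Add-DnsServerResourceRecordA    -ZoneName $zone -Name 'web01' -IPv4Address '10.0.0.50'
Add-DnsServerResourceRecordAAAA -ZoneName $zone -Name 'web01' -IPv6Address '2001:db8::50'

# Alias: a CNAME must point at an existing host record, and no other record type
# may share the alias's own name.
Add-DnsServerResourceRecordCName -ZoneName $zone -Name 'intranet' -HostNameAlias "web01.$zone"

# GlobalNames zone in three steps: create a zone with exactly this name, enable
# GlobalNames support on the server (repeat on every DNS server that should answer
# single-label queries), then add CNAMEs by hand since dynamic updates are not supported.
Add-DnsServerPrimaryZone -Name 'GlobalNames' -ReplicationScope Forest -DynamicUpdate None
Set-DnsServerGlobalNameZone -Enable $true
Add-DnsServerResourceRecordCName -ZoneName 'GlobalNames' -Name 'intranet' -HostNameAlias "web01.$zone"

# A client that asks for the bare label now receives the CNAME and the web01 addresses.
Resolve-DnsName -Name 'intranet' -Server localhost
```

Because GlobalNames entries are maintained by hand, review them when hosts are decommissioned; a stale alias pointing at a reusable name is a classic hijack path.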

DNS Security (DNSSEC)

  • DNSSEC adds origin authentication and integrity protection to DNS data; it does not encrypt queries or responses.
  • Enables resolving DNS servers to validate that responses from other DNS servers are authentic and unmodified.
  • Uses digital signatures (RRSIG records) over resource record sets, verified with the zone's public keys (DNSKEY records) chained to a configured trust anchor.
  • When a resolver queries a signed zone with the DNSSEC OK (DO) bit set, the authoritative DNS server returns both the records and their signatures.
  • Configuration steps:
    • Right-click on the zone in DNS Manager.
    • Click DNSSEC, then Sign the Zone.
    • Select Use Default Settings.
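An added example, not part of the lecture notes: signing the zone from PowerShell with the same default parameters the wizard applies, checking that DNSKEY and RRSIG records exist, querying with the DO bit set to see the signature, and the client-side NRPT rule without which Windows clients do not require validation. The zone and host names are assumptions.

```powershell
# Added example (not from the lecture notes). Zone and host names are assumptions.
# Server-side parts run on the DNS server; the last step runs on a domain client.
Import-Module DnsServer
$zone = 'corp.example.com'

# Sign the zone with default parameters (equivalent to the wizard's default option).
# On an AD-integrated zone the keys and signatures replicate to the other DCs.
Invoke-DnsServerZoneSign -ZoneName $zone -SignWithDefault -Force

# Check signing state: the zone should report IsSigned and hold DNSKEY and RRSIG records.
function Test-ZoneSigned {
    param([string]$ZoneName)
    $z     = Get-DnsServerZone -Name $ZoneName
    $sigs  = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType RRSig  -ErrorAction SilentlyContinue
    $keys  = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType DnsKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ZoneName   = $ZoneName
        IsSigned   = $z.IsSigned
        DnskeyCount = @($keys).Count
        RrsigCount = @($sigs).Count
    }
}
Test-ZoneSigned -ZoneName $zone

# What a validating resolver sees: with the DO bit set the answer carries the A record
# plus its RRSIG. Without the DO bit the signature is omitted, so a non-validating
# stub resolver gains nothing from the zone being signed.
Resolve-DnsName -Name "web01.$zone" -Type A -Server localhost -DnssecOk |
    Select-Object Name, Type, TTL, IPAddress, Signer, KeyTag

# Client side: Windows clients only demand validated answers for namespaces covered by
# an NRPT rule with DnsSecEnable; signing alone does not protect them.
Add-DnsClientNrptRule -Namespace ".$zone" -DnsSecEnable
```

Validation also depends on the resolver holding a trust anchor for the zone (or a chain of DS records up to one), so export the zone's DS set to the resolvers that are expected to validate it; without that, signatures are returned but never checked.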