N&SA-2025-S1-Wk3-4

DNS Server Functionality

• DNS servers translate hostnames to IP addresses and vice versa.
• They locate special records, including mail servers and domain controllers.
• Configuration options include:
  • Integrating DNS into Active Directory.
  • Using a standalone primary DNS server with a secondary server.

Active Directory Integrated Zones

• Can only be created on domain controllers.
• Offer scalability and redundancy.
• Replicate zone information to secondary domain controllers.
• Improve network performance by allowing multiple domain controllers to serve requests.
• Three dynamic update configuration options:
  • Secure dynamic updates only: For Active Directory integrated zones, only authenticated clients can update.
  • Non-secure and secure dynamic updates: Allows both types of updates.
  • No dynamic updates: Disables dynamic updates.
• Can replicate to read-only domain controllers, but these zones are read-only.

Primary and Secondary Zones

• In traditional DNS, a standalone primary server handles updates.
• Secondary servers update their records from the primary server.
• If the primary server fails, updates stop.
• Two types of primary zones:
  • Active Directory integrated zones: Hosted on domain controllers.
  • Standard primary zones: Cannot be hosted on non-domain controllers.
• DNS server service on a domain controller supports all zone types.
• Secondary zones are read-only copies and cannot process updates.
• Prior to configuring a secondary zone, configure the primary zone.

Reverse Lookup Zones

• Translate IP addresses into fully qualified domain names (FQDNs).
• Support IPv4 and IPv6.
• Can be Active Directory integrated, standard primary, or secondary zones.
• The domain controller promotion process automatically creates a reverse lookup zone.

Forwarders and Conditional Forwarders

• Enable DNS servers to forward traffic when they cannot resolve requests locally.
• If no forwarder is configured, or the configured forwarder cannot be contacted, the request is sent to a DNS root server.
• DNS forwarders are typically used to have a specific DNS server on the Internet handle an organization's DNS resolution and traffic.
• Conditional forwarders forward requests only from a specific domain.
• Conditional forwarders take precedence over standard forwarders.
• Useful for organizations with trust relationships or partnerships.

Stub Zones

• Store authoritative name server records for a delegated zone.
• Advantageous when target authoritative DNS server addresses change regularly.
• Often host records for authoritative DNS servers in dedicated zones.
• If created on a writable domain controller, can be stored in Active Directory and replicated.

Global Name Zones

• Can be used if DNS servers are on Windows 2008 or later.
• Deploy global names instead of WINS.
• Entries must be populated manually.

DNS Record Types

• A Records: Map fully qualified domain names to IPv4 addresses.
• AAAA Records: Map FQDNs to IPv6 addresses.
• CNAME (Alias) Records: Provide alternate names for existing host records.
  • Point to an existing host record.

DNS Security (DNSSEC)

• DNSSEC secures DNS records in modern network environments.
• Enables DNS servers to validate responses from other DNS services.
• Uses digital signatures for authentication.
• When a DNS resolver queries a signed zone, the authoritative DNS server provides both the record and a digital signature.
• Configuration steps:
  • Right-click on the zone in DNS Manager.
  • Click DNS Security, then Sign the Zone.
  • Select Use Default Settings.