DNS 3 Flashcards

1
Q

A secondary zone cannot be loaded by DNS. How do you configure the secondary zone to replicate with the primary?

A
  1. On the primary zone, navigate to “Properties”, then the “Zone Transfers” tab and check the box to allow zone transfers (copying of the zone).
  2. Set the secondary zone as an authoritative name server by inputting the IP address of the server hosting the secondary zone.
2
Q

What integration service with DNS allows a multi-master model within a zone?

A

Active Directory Integration

3
Q

Along with the output of nslookup, which record, if configured correctly, displays the FQDN of the DNS server you're using?

A

The PTR (pointer) record.

4
Q

What different methods can you use to get information and help about commands in PowerShell?

A

Get-Command (gcm), Get-Help, Get-Member, and the command add-on utility in PowerShell.

5
Q

What can you do to force a replication between a primary and secondary DNS zone?

A

R-click on secondary zone and then “Transfer new copy of zone from Master”. Lastly, after a few moments, hit Refresh and the secondary zone should replicate.

6
Q

What is the purpose of DNS Round Robin?

A

To distribute load across servers providing the same service.

7
Q

What are the steps to configure DNS Delegation?

A

After creation of a sub-domain primary zone, you would:

  1. Within DNS Manager, select the server hosting the parent domain primary zone, r-click on the parent domain and choose “New Delegation” to go through the New Delegation Wizard.
  2. Specify the authoritative name server of the sub-domain.

Or use the Add-DnsServerZoneDelegation command in PowerShell.

8
Q

What is the main difference between conditional forwarding and stub zones?

A

With conditional forwarding, IP addresses are manually maintained, while stub zones are maintained automatically. Security-wise, conditional forwarding is more secure since it only requires the IP address of the DNS server, versus a stub zone containing SoA, NS, and A records.

9
Q

What PowerShell command is used to create an Active-Directory integrated primary zone?

A

Add-DnsServerPrimaryZone -Name “Domain.com” -ReplicationScope “Domain”

10
Q

How would you convert an existing standard primary zone to an AD DS-integrated zone?

A
  1. Through DNS Manager, r-click on the zone and then Properties.
  2. On the General tab, click Change and select the “Store The Zone In Active Directory” checkbox.

11
Q

What two records are automatically created when you create a new forward lookup zone?

A

An SoA and NS record.

12
Q

Within a stub zone, what record is defined as a glue record?

A

An A (host) record.

13
Q

When creating a stub zone, what setting configures the stub zone to be dynamically updated?

A

By checking the box for “Use the above servers to create a local list of master servers” in the Master DNS Servers screen.

14
Q

What PowerShell commands are used to configure GlobalNames in PowerShell?

A

Set-DnsServerGlobalNameZone -AlwaysQueryServer $True
Set-DnsServerGlobalNameZone -Enable $True
Add-DnsServerPrimaryZone -Name GlobalNames -ReplicationScope Domain

15
Q

If GlobalZones wasn’t configured and you had to use the Windows Internet Naming Service, what would be the disadvantages?

A
  1. Increased administrative overhead from maintaining two name services.
  2. Potential name resolution delay from clients using both DNS and WINS.
16
Q

Where can DNS clients obtain the public key for DNSSEC?

A

In the Trust Anchor

17
Q

How does a DNS client know whether or not to expect or request a signed DNS response?

A

Through the Name Resolution Policy Table

18
Q

What is the difference between the Zone Signing Key and the Key Signing Key?

A

The ZSK’s private key is used by the DNS server to sign DNS messages, while the client uses the ZSK’s public key to verify the authenticity of the signatures. The private KSK signs both the private and public ZSKs, while the public KSK is used by the resolvers to verify the public ZSK.

19
Q

What two keys are created as part of the implementation of DNSSEC?

A

The Zone Signing Key and the Key Signing Key.

20
Q

What PowerShell command can be used to check the cache locking percentage?

A

Get-DnsServerCache

21
Q

What PowerShell command can be used to change the cache locking percentage?

A

Set-DnsServerCache -LockingPercent (90)

22
Q

Using the dnscmd utility, what command can be used to view the socket pool size?

A

Dnscmd /info /socketpoolsize

23
Q

Using the dnscmd utility, what command is used to change the socket pool size?

A

Dnscmd /config /socketpoolsize (6783)

24
Q

What PowerShell command can be used to view the DNSSEC zone settings?

A

Get-DnsServerDnsSecZoneSettings -ZoneName Domain.com

25
Q

What PowerShell command can be used to create a new zone scope?

A

Add-DnsServerZoneScope -ZoneName “example.com” -Name “examplescope”

26
Q

What is Cache Locking?

A

When enabled, cache locking prevents updates to cached records until the TTL expires, potentially mitigating malicious efforts to overwrite cached records.

27
Q

What is the socket pool size?

A

When enabled, the DNS server randomly selects a source port from a pool of ports specified in the configuration.

28
Q

What is WINS?

A

The Windows Internet Name Service is an older name resolution protocol that uses NetBIOS over TCP/IP (NetBT). WINS and NetBT do not support IPv6.

29
Q

What is Tracelog.exe?

A

Tracelog is an event tracing controller that runs in a command prompt window.

30
Q

What is the dnscmd utility equivalent of the PowerShell command Set-DnsServerGlobalNameZone -Enable $True?

A

Dnscmd /config /enableglobalnamessupport 1

31
Q

In which version of Windows Server was DNSSEC introduced?

A

Windows Server 2008R2

32
Q

Using the dnscmd utility, what command enables DNS cache locking for 100%?

A

dnscmd /Config /CacheLockingPercent 100