DNS 3

Question 1

A secondary zone is not able to be loaded by DNS. How do you configure the secondary zone to replicate with the primary?

Answer 1

1. On the primary zone, navigate to “Properties”, then the “Zone Transfers” tab and check the box to allow zone transfers (copying of the zone).
2. Set the secondary zone as an authoritative name server by inputting the IP address of the server hosting the secondary zone.

Question 2

What integration service with DNS allows a multi-master model within a zone?

Answer 2

Active Directory Integration

Question 3

Along with the output of nslookup, which record, if configured correctly, displays the FQDN of the DNS server your using?

Answer 3

The PTR (pointer) record.

Question 4

What different methods can you use to get information and help about commands in PowerShell?

Answer 4

Get-Command (gcm), Get-Help, Get-Member, and the command add-on utility in PowerShell.

Question 5

What can you do to force a replication between a primary and secondary DNS zone?

Answer 5

R-click on secondary zone and then “Transfer new copy of zone from Master”. Lastly, after a few moments, hit Refresh and the secondary zone should replicate.

Question 6

What is the purpose of DNS Round Robin?

Answer 6

To distribute load across servers providing the same service.

Question 7

What are the steps to configure DNS Delegation?

Answer 7

After creation of a sub-domain primary zone, you would:

1. Within DNS Manager, select the server hosting the parent domain primary zone and r-click on the parent domain and choose “New Delegation” to go through the New Delegation Wizard
2. Specify the authoritative name server of the sub-domain

Or use the Add-DnsServerZoneDelegation command in PowerShell.

Question 8

What is the main difference between conditional forwarding and stub zones?

Answer 8

With conditional forwarding, ip addresses are manually maintained while stub zones are maintained automatically. Security-wise, conditional forwarding is more secure since it only requires the IP address of the DNS server versus a stub zone containing SoA, NS, and A records.

Question 9

What PowerShell command is used to create an Active-Directory integrated primary zone?

Answer 9

Add-DnsServerPrimaryZone -Name “Domain.com” -ReplicationScope “Domain”

Question 10

How would you convert an existing standard primary zone to an AD DS-integrated zone?

Answer 10

1. Through DNS Manager, r-click on zone and then Properties.

2. On the General tab, click Change and select the “Store The Zone In Active Directory checkbox

Question 11

What two records are automatically created when you create a new forward lookup zone?

Answer 11

An SoA and NS record.

Question 12

Within a stub zone, what record is defined as a glue record?

Answer 12

An A (host) record.

Question 13

When creating a stub zone, what setting configures the stub zone to be dynamically updated?

Answer 13

By checking the box for “Use the above servers to create a local list of master servers” in the Master DNS Servers screen.

Question 14

What PowerShell commands are used to configure GlobalNames in PowerShell?

Answer 14

Set-DnsServerGlobalNameZone -AlwaysQueryServer $True
Set-DnsServerGlobalNameZone -Enable $True
Add-DnsServerPrimaryZone -Name GlobalNames -ReplicationScope Domain

Question 15

If GlobalZones wasn’t configured and you had to use the Windows Internet Naming Service, what would be the disadvantages?

Answer 15

1. Increased administrative overhead from maintaining two name services.
2. Potential name resolution delay from clients using both DNS and WINS.

Question 16

Where can DNS clients obtain the public key for DNSSEC?

Answer 16

In the Trust Anchor

Question 17

How does a DNS client know whether or not to expect or request a signed DNS response?

Answer 17

Through the Name Resolution Policy Table

Question 18

What is the difference between the Zone Signing Key and the Key Signing Key?

Answer 18

The ZSK’s private key is used by the DNS server to sign DNS messages while the client uses the ZSK’s public key to verify authenticity of the signatures. The private KSK signs both the private and public ZSKs while the public KSK is used by the resolvers verify the public ZSK.

Question 19

What two keys are created as part of the implementation of DNSSEC?

Answer 19

The Zone Signing Key and the Key Signing Key.

Question 20

What PowerShell command can be used to check the cache locking percentage?

Answer 20

Get-DnsServerCache

Question 21

What PowerShell command can be used to change the cache locking percentage?

Answer 21

Set-DnsServerCache -LockingPercent (90)

Question 22

Using the dnscmd utility, what command can be used to view the socket pool size?

Answer 22

Dnscmd /info /socketpoolsize

Question 23

Using the dnscmd utility, what command is used to change the socket pool size?

Answer 23

Dnscmd /config /socketpoolsize (6783)

Question 24

What PowerShell command can be used to view the DNSSEC zone settings?

Answer 24

Get-DnsServerDnsSecZoneSettings -ZoneName Domain.com

Question 25

What PowerShell command can be used to create a new zone scope?

Answer 25

Add-DnsServerZoneScope -ZoneName “example.com” -Name “examplescope”

Question 26

What is Cache Locking?

Answer 26

When enabled, cache locking prevents updates to cached records until the TTL expires, potentially mitigating malicious efforts to overwrite cached records.

Question 27

What is the socket pool size?

Answer 27

When enabled, the DNS server randomly selects a source port from a pool of ports specified in the configuration.

Question 28

What is WINS?

Answer 28

The Windows Internet Name Service is an older name resolution protocol that uses NetBIOS over TCP/IP(NetBT). WINS and NetBT do not support IPv6.

Question 29

What is Tracelog.exe

Answer 29

Tracelog is an event tracing controller that runs in a command prompt window.

Question 30

What is the dnscmd utility equivalent of the PowerShell command Set-DnsServerGlobalNameZone -Enable $True

Answer 30

Dnscmd /config /enableglobalnamessupport 1

Question 31

Which version of Windows Server was DNSSEC introduced?

Answer 31

Windows Server 2008R2

Question 32

Using the dnscmd utility, what command enables DNS cache locking for 100%?

Answer 32

dnscmd /Config /CacheLockingPercent 100