DNS Server Configuration Flashcards

1
Q

DNS Server

A
  • Essential to the function of the internet, Windows Active Directory and Linux networks
  • Usually configured to listen for queries on UDP port 53
  • Some allow TCP connections over port 53
  • Maintains DNS namespace in zones
  • May be configured to manage multiple zones
2
Q

Primary Zone

A
  • Zone records on server are editable
  • Zone can be hosted by multiple primary servers for redundancy
  • Changes must be carefully replicated and synced between servers
  • Serial number must be updated for each change
3
Q

Secondary Zone

A
  • Server can hold read-only copies of the zone
  • Maintained through a replication process called zone transfer from the primary name server
  • Typically provided on two or more separate servers to provide fault tolerance and load balancing
  • Serial number is a critical part of the zone transfer process
4
Q

Authoritative server

A
  • Name server that holds complete records for a domain
  • Record in zone identifies server as a name server for that namespace
  • Both primary and secondary name servers are authoritative
5
Q

Cache only servers

A
  • Don’t maintain a zone (primary or secondary)
  • Non-authoritative answer is one that derives from a cached record, rather than from zone records

6
Q

TTL

A
  • Configured on resource record, measured in seconds
  • Instructs resolvers how long a query result can be kept in cache
  • Lower allows records to be updated more quickly, but increases load on servers
7
Q

DNS Caching

A
  • Performed by both servers and client computers
  • Each application on a client computer could be configured to manage its own DNS cache
  • If there is a change to a resource record, caching means the update can take time to propagate
  • Planning for a change involves reducing the TTL before the change and waiting for that change to propagate before updating the record, then reverting to the original TTL afterwards
8
Q

Internal DNS Zones

A
  • Domains used on private networks only
  • Name records should only be available to internal clients
  • Name servers hosting internal subdomains should not be accessible from the internet
9
Q

External DNS Zones

A
  • Records that internet clients must be able to access
10
Q

Resolver

A
  • Performs recursive queries in response to requests from client systems (stub resolvers)
  • If the name server is not authoritative for the requested domain, it can perform a recursive query to locate an authoritative name server or forward the request to another server
  • Might be configured with root hints file so it can query whole DNS hierarchy from root servers down
  • Must allow recursive lookups from authorized internal clients only
  • Usually separate from servers that house zone records
11
Q

Forwarding

A
  • Alternative to recursive lookups
  • Name server can be configured to resolve queries via forwarding
  • Forwards query to another DNS server and routes reply back to client
  • A conditional forwarder performs this task for certain domains only
  • Example might be a server that is authoritative for local networks (internal DNS) but forwards requests for internet domains to an external resolver run by the ISP
12
Q

nslookup

A
  • Command used to troubleshoot DNS name resolution

nslookup -option host DNSServer

  • Host can be a host name, domain name, FQDN or IP address
  • DNSServer is the IP address of the server used to resolve the query (the default is used if the argument is omitted)
  • Option specifies an nslookup subcommand
13
Q

Resolve-DNSName

A
  • PowerShell cmdlet
  • Allows flexible testing of name resolution

14
Q

DIG

A

Domain Information Groper

  • Command line tool for querying DNS servers
  • Can be run pointing at specific DNS server, otherwise it uses default resolver
  • You can add parameters like +nocomments and +nostats which reduce output