
Managing DNS Server Configuration and Security

from Chapter 19, Microsoft Windows 2000 Administrator's Pocket Consultant by William R. Stanek.

You use the Server Properties dialog box to manage the general configuration of DNS servers. Through it, you can enable and disable IP addresses for the server and control access to DNS servers outside the organization. You can also configure monitoring, logging, and advanced options.

Enabling and Disabling IP Addresses for a DNS Server

By default, multihomed DNS servers respond to DNS requests on all available network adapters and the IP addresses they're configured to use.

Through the DNS console, you can specify that the server can only answer requests on specific IP addresses. To do this, follow these steps:

  1. In the DNS console, right-click the server you want to configure and then from the pop-up menu, choose Properties.

  2. In the Interfaces tab, shown in Figure 19-14, select Only The Following IP Addresses and then type the IP addresses that should respond to DNS requests. Only these IP addresses will be used for DNS. All other IP addresses on the server will be disabled for DNS.

Controlling Access to DNS Servers Outside the Organization

Restricting access to zone information allows you to specify which internal and external servers can access the primary server. For external servers, this controls which servers can get in from the outside world. You can also control which DNS servers within your organization can access servers outside it. To do this, you need to set up DNS forwarding within the domain.

Figure 19-14: Use the Interfaces tab to set the IP addresses that should handle DNS requests and responses.

With DNS forwarding, you configure DNS servers within the domain as

  • Nonforwarders: Servers that must pass DNS queries they can't resolve on to designated forwarding servers. These servers essentially act like DNS clients to their forwarding servers.

  • Forwarding-only: Servers that can only cache responses and pass requests on to forwarders. This is also known as a caching-only DNS server.

  • Forwarders: Servers that receive requests from nonforwarders and forwarding-only servers. Forwarders use normal DNS communication methods to resolve queries and to send responses back to other DNS servers.

Note: The root server for a domain can't be configured for forwarding, but all other servers can be.

Creating Nonforwarding DNS Servers

To create a nonforwarding DNS server, follow these steps:

  1. In the DNS console, right-click the server you want to configure and then from the pop-up menu, choose Properties.

  2. In the Forwarders tab, select Enable Forwarders.

  3. Enter the IP addresses of the network's forwarders.

  4. Set the Forward Time Out. This value controls how long the server waits for a response from a forwarder before giving up on it. When the Forward Time Out interval passes, the server tries the next forwarder on the list. The default is 0 seconds. Click OK.

Creating Forwarding-Only Servers

To create a forwarding-only server, follow these steps:

  1. In the DNS console, right-click the server you want to configure and then from the pop-up menu, choose Properties.

  2. In the Forwarders tab, select Enable Forwarders and then select Operate As Slave Server.

  3. Enter the IP addresses of the network's forwarders.

  4. Set the Forward Time Out. This value controls how long the server waits for a response from a forwarder before giving up on it. When the Forward Time Out interval passes, the server tries the next forwarder on the list. The default is 0 seconds. Click OK.

Creating Forwarders Servers

Any DNS server that isn't designated as a nonforwarder or a forwarding-only server will act as a forwarder. Thus, on the network's designated forwarders, you should make sure that Enable Forwarders and Operate As Slave Server are not selected.
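The three roles above, modelled as an added Python example (not code from the book or from the Windows DNS service): the forwarder list, Forward Time Out and Operate As Slave Server are plain values, the forwarder answers and latencies are constructed sample data, and a non-slave server whose forwarders fail falls back to normal resolution, as the definitions above describe.

```python
from dataclasses import dataclass, field

@dataclass
class Forwarder:
    ip: str
    answers: dict    # constructed: name -> address this forwarder can resolve
    latency: float   # constructed: seconds before it replies

@dataclass
class DnsServer:
    forwarders: list = field(default_factory=list)  # Enable Forwarders list
    forward_timeout: float = 5.0                    # Forward Time Out, in seconds
    slave: bool = False                             # Operate As Slave Server
    recursion: dict = field(default_factory=dict)   # what normal DNS resolution finds
    cache: dict = field(default_factory=dict)

    def resolve(self, name):
        if name in self.cache:
            return self.cache[name]
        # Ask the forwarders in list order; when one gives no response within
        # the Forward Time Out, move on to the next forwarder on the list.
        for fw in self.forwarders:
            if fw.latency > self.forward_timeout:
                continue
            if name in fw.answers:
                self.cache[name] = fw.answers[name]   # cache the response
                return self.cache[name]
        # A forwarding-only (slave) server only caches and passes on requests,
        # so it gives up here; any other server falls back to normal resolution.
        if self.slave:
            return None
        return self.recursion.get(name)

def demo():
    # Resolve the same name from each role (all addresses are constructed).
    slow = Forwarder("10.0.0.2", {"www.example.com": "192.0.2.10"}, latency=9.0)
    fast = Forwarder("10.0.0.3", {"mail.example.com": "192.0.2.25"}, latency=0.2)
    known = {"www.example.com": "192.0.2.10"}
    nonforwarder = DnsServer([slow, fast], 5.0, slave=False, recursion=known)
    forwarding_only = DnsServer([slow, fast], 5.0, slave=True)
    forwarder = DnsServer(recursion=known)   # no forwarders: resolves directly
    return {
        "nonforwarder": nonforwarder.resolve("www.example.com"),
        "forwarding_only": forwarding_only.resolve("www.example.com"),
        "forwarding_only_mail": forwarding_only.resolve("mail.example.com"),
        "forwarder": forwarder.resolve("www.example.com"),
    }
```

The slow forwarder exceeds the time-out, so the nonforwarder resolves the name itself while the forwarding-only server returns nothing for it.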

Logging DNS Activity

You normally use the DNS Server event log to track DNS activity on a server. This log records all applicable DNS events and is accessible through the Event Viewer node in Computer Management. If you're trying to troubleshoot DNS problems, it's sometimes useful to configure a temporary debug log to track certain types of DNS events. To do this, follow these steps:

  1. In the DNS console, right-click the server you want to configure and then from the pop-up menu, choose Properties.

  2. In the Logging tab, shown in Figure 19-15, select the events you want to track temporarily. These events are logged in %SystemRoot%\System32\Dns\Dns.log by default.

  3. Click OK. When you're finished debugging, turn off logging by clearing any of the selected check boxes in the Logging tab.

Monitoring a DNS Server

Windows 2000 has built-in functionality for monitoring a DNS server. You can configure monitoring to occur manually or automatically by completing the following steps:

  1. In the DNS console, right-click the server you want to configure and then from the pop-up menu, choose Properties.

  2. Select the Monitoring tab, shown in Figure 19-16. You can perform two types of tests. To test DNS resolution on the current server, select A Simple Query Against This DNS Server. To test DNS resolution in the domain, select A Recursive Query To Other DNS Servers.

    Figure 19-15: Select the events you want to log, and then click OK. Don't forget to clear these events after you've finished debugging.

  3. You can perform a manual test by clicking Test Now or schedule the server for automatic monitoring by selecting Perform Automatic Testing At The Following Interval and then setting a time interval in seconds, minutes, or hours.

    Figure 19-16: You can configure a DNS server for manual or automatic monitoring. Monitoring is useful to ensure that DNS resolution is configured properly.

    Real World: If you're actively troubleshooting a DNS problem, you may want to configure testing to occur every 10–15 seconds. This will provide a rapid succession of test results. If you're monitoring DNS for problems as part of your daily administrative duties, you'll want a longer time interval, such as two or three hours.

  4. The results of testing are shown in the Test Results area. You'll see a date and time stamp indicating when the test was performed and a result, such as Pass or Fail. While a single failure may be the result of a temporary outage, multiple failures normally indicate a DNS resolution problem.

Integrating WINS with DNS

You can integrate DNS with WINS. WINS integration allows the server to act as a WINS server or to forward WINS requests to specific WINS servers. When you configure WINS and DNS to work together, you can configure forward lookups using NetBIOS computer names, reverse lookups using NetBIOS computer names, caching and time-out values for WINS resolution, and full integration with NetBIOS scopes.

Configuring WINS Lookups in DNS

When you configure WINS lookups in DNS, the leftmost portion of the fully qualified domain name can be resolved using WINS. The procedure works like this: The DNS server looks for an address record for the fully qualified domain name. If a record is found, the server uses the record to resolve the name using only DNS. If a record isn't found, the server extracts the leftmost portion of the name and uses WINS to try to resolve the name (as a NetBIOS computer name). You configure WINS lookups in DNS by doing the following:

  1. In the DNS console, right-click the domain you want to update and then from the pop-up menu, choose Properties.

  2. Click the WINS tab, shown in Figure 19-17.

  3. Select Use WINS Forward Lookup and then type the IP addresses of the network's WINS servers. You must specify at least one WINS server.

  4. If you want to ensure that the WINS record on this server isn't replicated to other DNS servers in zone transfers, select Do Not Replicate This Record. Selecting this option is useful to prevent errors and transfer failures to non-Microsoft DNS servers. Click OK.

Configuring Reverse WINS Lookups in DNS

When you configure reverse WINS lookups in DNS, the IP address of the host can be resolved to a NetBIOS computer name. The procedure works like this: The DNS server looks for a pointer record for the specified IP address. If a record is found, the server uses the record to resolve the fully qualified domain name. If a record isn't found, the server sends a request to WINS, and, if possible, WINS returns the NetBIOS computer name for the IP address and the host domain is appended to this computer name.

Figure 19-17: Use the WINS tab to configure WINS lookups in DNS.

You configure reverse WINS lookups in DNS by doing the following:

  1. In the DNS console, right-click the subnet you want to update and then from the pop-up menu, choose Properties.

  2. Click the WINS-R tab, shown in Figure 19-18.

    Figure 19-18: Use the WINS-R tab to configure WINS reverse lookups in DNS.

  3. Select Use WINS-R Lookup, and then, if you wish, select Do Not Replicate This Record. As with forward lookups, you usually don't want to replicate the WINS-R record to non-Microsoft DNS servers.

  4. In the Domain To Append To Returned Name field, type the host domain information. The domain is appended to the computer name returned by WINS. For example, if you type seattle.domain.com and WINS returns the NetBIOS computer name gamma, the DNS server will combine the two values and return gamma.seattle.domain.com.

  5. Click OK.

Setting Caching and Time-Out Values for WINS in DNS

When you integrate WINS and DNS, you should also set WINS caching and time-out values. The caching value determines how long records returned from WINS are valid. The time-out value determines how long DNS should wait for a response from WINS before timing out and returning an error. These values are set for both forward and reverse WINS lookups.

You set caching and time-out values for WINS in DNS by doing the following:

  1. In the DNS console, right-click the domain or subnet you want to update and then from the pop-up menu, choose Properties.

  2. Select the WINS or WINS-R tab, as appropriate, and then click Advanced. This opens the dialog box shown in Figure 19-19.

  3. Set the caching and time-out values using the Cache Time-Out field and the Lookup Time-Out field. By default, DNS caches WINS records for 15 minutes and times out after 2 seconds. For most networks, you should increase these values. Sixty minutes for caching and three seconds for time-outs may be better choices.

  4. Click OK. Repeat this process for other domains and subnets, as necessary.

    Figure 19-19: In the Advanced dialog box, set caching and time-out values for DNS.

Configuring Full Integration with NetBIOS Scopes

When you configure full integration, lookups can be resolved using NetBIOS computer names and NetBIOS scopes. Here, a forward lookup works like this: The DNS server looks for an address record for the fully qualified domain name. If it finds a record, the server uses the record to resolve the name using only DNS. If it doesn't find a record, the server extracts the leftmost portion of the name as the NetBIOS computer name and the remainder of the name as the NetBIOS scope. These values are then passed to WINS for resolution.

You configure full integration of WINS and DNS by doing the following:

  1. In the DNS console, right-click the domain or subnet you want to update, and then from the pop-up menu, choose Properties.

  2. Select the WINS or WINS-R tab, as appropriate, and then click Advanced.

  3. In the Advanced dialog box, select Submit DNS Domain As NetBIOS Scope.

  4. Click OK. Repeat this process for other domains and subnets, as necessary.

Before you use this technique, make sure that the NetBIOS scope is properly configured on the network. You should also make sure that a consistent naming scheme is used for all network computers. Because NetBIOS is case-sensitive, queries resolve only if the case matches exactly. Note also that if the domain has subdomains, the subdomains must be delegated the authority for name services in order for WINS and DNS integration to work properly.
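The forward, reverse and NetBIOS-scope lookup rules from the sections above, together with the Cache Time-Out, as an added Python model (not code from the book or from the Windows DNS service); the zone records and the WINS database are constructed sample data, and the clock is supplied by the caller so that cache expiry can be exercised offline.

```python
ZONE_A = {"alpha.seattle.domain.com": "10.1.1.1"}    # constructed A records
ZONE_PTR = {"10.1.1.1": "alpha.seattle.domain.com"}  # constructed PTR records
WINS = {                                             # constructed WINS database:
    ("gamma", ""): "10.1.1.5",                       # (NetBIOS name, scope) -> address
    ("gamma", "seattle.domain.com"): "10.1.1.6",
}
CACHE_TIMEOUT = 15 * 60      # default Cache Time-Out for WINS records, in seconds
WINS_CACHE = {}              # (NetBIOS name, scope) -> (address, expiry time)

def wins_forward(fqdn, now=0, submit_scope=False):
    """Forward lookup: use the A record if there is one; otherwise ask WINS for
    the leftmost label. With Submit DNS Domain As NetBIOS Scope, the rest of
    the name is passed to WINS as the NetBIOS scope."""
    if fqdn in ZONE_A:
        return ZONE_A[fqdn]                 # resolved using only DNS
    host, _, remainder = fqdn.partition(".")
    key = (host, remainder if submit_scope else "")
    cached = WINS_CACHE.get(key)
    if cached and cached[1] > now:
        return cached[0]                    # WINS answer still within Cache Time-Out
    answer = WINS.get(key)                  # exact-case match, per the NetBIOS note above
    if answer is not None:
        WINS_CACHE[key] = (answer, now + CACHE_TIMEOUT)
    return answer

def wins_reverse(ip, append_domain):
    """Reverse lookup: use the PTR record if there is one; otherwise ask WINS and
    append the Domain To Append To Returned Name to the NetBIOS name it returns."""
    if ip in ZONE_PTR:
        return ZONE_PTR[ip]
    for (name, _scope), addr in WINS.items():
        if addr == ip:
            return f"{name}.{append_domain}"
    return None
```

With seattle.domain.com as the domain to append, the address registered for gamma resolves back to gamma.seattle.domain.com, the example given in the reverse-lookup steps.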

from Microsoft Windows 2000 Administrator's Pocket Consultant by William R. Stanek. Copyright © 1999 Microsoft Corporation.

© 2014 Microsoft. All rights reserved.