The Domain Name System (DNS) provides name-to-IP mapping by a distributed database. A Windows 2000 Professional based client configured for DNS name resolution can query one or more DNS servers for name resolution services. This section describes the procedures for performing the following tasks:
- Configuring DNS Host and Domain Names
- Configuring DNS Query Settings
- Specifying DNS Servers
- DNS Performance and Security
Configure DNS Host and Domain Names
Table 22.4 summarizes the differences between each kind of name used in TCP/IP under Windows 2000, using the example fully qualified domain name (FQDN) client1.reskit.com.
Table 22.4 DNS and NetBIOS Names

| Name Type | Description |
| --- | --- |
| NetBIOS name | A NetBIOS name is used to uniquely identify a NetBIOS service listening on the first IP address that is bound to an adapter. This unique NetBIOS name is resolved to the IP address of the server through broadcast, WINS, or the Lmhosts file. By default, it is the same as the host name up to 15 characters, plus any spaces necessary to make the name 15 characters long, plus the service identifier. The NetBIOS name is also known as a NetBIOS computer name. For example, a NetBIOS name might be Client1. |
| Host name | The term host name can mean either the FQDN or the first label of an FQDN. In this chapter, host name refers to the first label of an FQDN. For example, the first label of the FQDN client1.reskit.com is client1. |
| Primary DNS suffix | Every Windows 2000-based computer can be assigned a primary DNS suffix to be used in name resolution and name registration. The primary DNS suffix is specified on the Network Identification tab of the properties page for My Computer. The primary DNS suffix is also known as the primary domain name and the domain name. For example, the FQDN client1.reskit.com has the primary DNS suffix reskit.com. |
| Connection-specific DNS suffix | The connection-specific DNS suffix is a DNS suffix that is assigned to an adapter. It is also known as an adapter DNS suffix. For example, a connection-specific DNS suffix might be reskit.com. |
| Fully qualified domain name (FQDN) | The FQDN is a DNS name that uniquely identifies the computer on the network. By default, it is a concatenation of the host name, the primary DNS suffix, and a period. The fully qualified domain name is also known as the full computer name. For example, an FQDN might be client1.reskit.com. |
Computer and NetBIOS Names
The DNS host name is taken from the computer name assigned to it during Windows 2000 Professional installation. The host name can be 63 characters long, and uses the character set specified in RFC 2181, as shown in Table 22.5. The host name is used in combination with the primary domain name to form the fully qualified domain name (FQDN).
The NetBIOS computer name is used to identify the local computer for authentication by hosts and tools that use NetBIOS over TCP/IP (NetBT) for name resolution. NetBIOS names contain 15 characters, with an additional character used as the service descriptor. In a new Windows 2000 Professional installation, the NetBIOS name is initially taken from the assigned DNS host name. If the DNS host name exceeds 15 characters, the host name is truncated to form the NetBIOS computer name. Figure 22.3 shows the naming restrictions for NetBIOS names.
Figure 22.3 shows an example of a computer that has a DNS host name of serverislongerthan15bytes. Note that the NetBIOS name is truncated to 15 characters.
Figure 22.3 NetBIOS and DNS Domain Names
The DNS host name can be changed after installation by means of the Network Identification tab in the System control panel. The NetBIOS computer name changes also, based on the restrictions of NetBIOS.
To change the host name for DNS
1. In Control Panel, double-click System.
2. Select the Network Identification tab.
3. Click Properties.
4. Type the new host name in the Computer name text box and click OK.
5. When prompted, click OK.
6. Click OK.
7. When prompted, click Yes to restart the computer.
Note
If you enter a DNS name that includes characters not listed in RFC 1123 during the setup for Windows 2000 DNS, a warning message appears suggesting that you use characters specified by RFC 1123.
Computer names in previous versions of Windows are based on NetBIOS names. If a Windows 2000 Professional based computer has been migrated from a previous version of Windows, its DNS host name is taken from the previous NetBIOS-based computer name. In a network that contains non-Windows 2000 based hosts, this might present problems.
Primary DNS Suffix
The primary DNS suffix is the name of the domain in which the host resides. If a Windows 2000 Professional based computer is a member of a Windows 2000 domain, its primary DNS domain name is identical to its Windows 2000 domain. This information is provided during Windows 2000 Professional installation, migration, or when the computer joins a Windows 2000 domain.
If a computer is a member of a workgroup, or a member of a Windows NT domain, the primary domain name is manually specified by using the Network Identification tab in the System control panel.
To set or change the primary DNS suffix
1. In Control Panel, double-click System.
2. Select the Network Identification tab.
3. Click Properties.
4. Click More.
5. In the Primary DNS suffix of this computer text box, type the primary DNS suffix, and then click OK.
When a Windows 2000 Professional based computer changes Windows 2000 domains, its DNS domain membership can be changed as well. To allow Windows 2000 to automatically change the primary DNS domain name when its Windows 2000 domain membership changes, select Change DNS domain name when domain membership changes.
Connection-Specific DNS Suffix
Windows 2000 also permits each adapter to have a unique domain name, known as the connection-specific domain name.
For example, suppose the computer Client1 has the primary DNS domain name reskit.com, and it is connected to both the Internet and the corporate intranet. For each connection, you can specify a connection-specific domain name. For the connection to the corporate intranet, you specify the name reskit.com, and the FQDN is then Client1.reskit.com. For the connection to the Internet, you specify the name isp01.com, and the FQDN is then Client1.isp01.com.
Figure 22.4 shows this configuration.
Figure 22.4 Connection-Specific Domain Names
Connection-specific domain names for each adapter are specified on the DNS tab of the Advanced TCP/IP Settings page. From that page, you can also specify whether a dynamic update client registers the computer's fully qualified domain name or the adapter-specific name. For more information, see Configure Dynamic Update later in this chapter.
To set or change the connection-specific DNS suffix
1. In Control Panel, double-click Network and Dial-up Connections.
2. Right-click the local area connection you want to modify, and then select Properties.
3. Select Internet Protocol (TCP/IP), and then click Properties.
4. Click Advanced.
5. Select the DNS tab.
6. In the DNS suffix for this connection text box, type the domain name for the connection.
Fully Qualified Domain Name
By default, the DNS domain name is used with the primary host name to create a fully qualified domain name (FQDN) for the computer. During DNS queries, the local domain name is appended to short names. A short name consists of only a host name, such as client1. When querying the DNS server for the IP address of client1, the domain name is appended to the short name, and the DNS server is actually asked to resolve the FQDN of client1.reskit.com.
Note
If an entry is specified in the Search these DNS domains (in order) box in the DNS section of the Advanced TCP/IP Settings dialog box, that entry is used instead of the domain and host name to create an FQDN.
For detailed information about how the FQDN is used to perform name-to-IP address resolution, refer to Configure DNS Name Resolution earlier in this chapter.
DNS Naming Restrictions
Different DNS implementations impose different character and length restrictions. Table 22.5 shows the restrictions for each implementation.
Table 22.5 Naming Restrictions

| Restriction | Standard DNS (including Windows NT 4.0) | DNS in Windows 2000 | NetBIOS |
| --- | --- | --- | --- |
| Characters | Supports RFC 1123, which permits A-Z, a-z, 0-9, and the hyphen (-). | Supports RFC 2044, which permits more characters than RFC 1123, but it is best to use only the characters permitted by RFC 1123. | Unicode characters, numbers, white space, symbols: ! @ # $ % ^ & ' ) ( . - _ { } ~ |
| Computer/host name length | 63 bytes per label and 255 bytes for FQDN | 63 bytes per label and 255 bytes for FQDN; domain controllers are limited to 155 bytes for FQDN. | 15 characters |
According to RFC 1123, the only characters that can be used in DNS labels are A-Z, a-z, 0-9, and the hyphen (-). (The . character is also used in DNS names, but only between DNS labels and at the end of a FQDN.) Many DNS servers, including Windows NT 4.0 DNS servers, follow RFC 1123.
However, adherence to RFC 1123 can present a problem on Windows 2000 networks that still use NetBIOS names. NetBIOS names can use additional characters, and it can be time-consuming to convert all the NetBIOS names to standard DNS names.
To simplify the migration process from Windows NT 4.0, Windows 2000 supports a wider character set. RFC 2181, Clarifications to the DNS Specification, extends the character set allowed in DNS names. Based on this definition, the Windows 2000 DNS service has been adjusted to accommodate a larger character set: UTF-8 character encoding, as described in RFC 2044. UTF-8 character encoding is a superset of ASCII and a translation of the UCS-2 (also known as Unicode) character encoding. The UTF-8 character set includes characters from most of the world's written languages, allowing a far greater range of possible names.
However, before using the extended character set, consider the following issues:
- If a client name containing UTF-8 characters is to be used, all DNS servers to which the client is to be registered must support RFC 2181. Avoid using UTF-8-compliant host names if your network includes servers that do not comply with this standard.
- Some third-party resolver software supports only the characters listed in RFC 1123. If there are any computers in your network that use third-party resolver software, that software probably cannot look up Windows 2000 based clients with names that have nonstandard characters.
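The naming rules in Table 22.5 (RFC 1123 characters, 63-byte labels, 255-byte FQDNs, 15-character NetBIOS names) are easy to check before a computer is renamed, so that a name which works on a Windows 2000 DNS server but not on an RFC 1123 resolver, or one whose NetBIOS form collides after truncation, is caught early. The following is an added example, not code from the Resource Kit; the rule that a label may not begin or end with a hyphen is taken from RFC 952/1123, and the NetBIOS truncation follows Figure 22.3.

```python
import re

# Rules from Table 22.5 and the surrounding text: RFC 1123 labels use
# A-Z, a-z, 0-9 and "-"; labels are at most 63 bytes, an FQDN at most
# 255 bytes; a NetBIOS name is the host name cut to 15 characters.
# Hyphen placement (not leading/trailing) comes from RFC 952/1123.
RFC1123_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")
MAX_LABEL_BYTES = 63
MAX_FQDN_BYTES = 255
NETBIOS_NAME_LEN = 15


def is_rfc1123_label(label: str) -> bool:
    """True if a single label would be accepted by a strict RFC 1123 resolver."""
    return (bool(RFC1123_LABEL.match(label))
            and len(label.encode("utf-8")) <= MAX_LABEL_BYTES)


def netbios_name(host_name: str) -> str:
    """NetBIOS computer name derived from a DNS host name (Figure 22.3):
    the first 15 characters of the host name."""
    return host_name[:NETBIOS_NAME_LEN]


def check_host_name(host_name: str, primary_suffix: str) -> list:
    """Return a list of findings for a proposed host name; an empty list
    means the name is safe for a mixed RFC 1123 / NetBIOS network."""
    findings = []
    fqdn = f"{host_name}.{primary_suffix}" if primary_suffix else host_name
    for label in fqdn.split("."):
        if not label:
            findings.append(f"empty label in {fqdn!r}")
        elif len(label.encode("utf-8")) > MAX_LABEL_BYTES:
            findings.append(f"label {label!r} exceeds {MAX_LABEL_BYTES} bytes")
        elif not RFC1123_LABEL.match(label):
            # UTF-8 (RFC 2044) names fall in here: fine for Windows 2000 DNS,
            # not for third-party resolvers or Windows NT 4.0 DNS servers.
            findings.append(f"label {label!r} uses characters outside RFC 1123")
    if len(fqdn.encode("utf-8")) > MAX_FQDN_BYTES:
        findings.append(f"FQDN {fqdn!r} exceeds {MAX_FQDN_BYTES} bytes")
    if len(host_name) > NETBIOS_NAME_LEN:
        findings.append(f"host name truncates to NetBIOS name {netbios_name(host_name)!r}")
    return findings


if __name__ == "__main__":
    for name in ("client1", "serverislongerthan15bytes", "client_1"):
        print(name, "->", check_host_name(name, "reskit.com") or "ok")
```

Run it against the list of computer names before a migration: any finding that mentions truncation is a candidate for a NetBIOS name collision, and any finding about characters marks a name that RFC 1123-only resolvers will not look up.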
Configuring DNS Query Settings
The DNS resolver adds a domain name suffix to a name specified in a query that meets either of the following conditions:
The query process is shown in Figures 22.5 and 22.6.
Note
The flowcharts in Figures 22.5 and 22.6 direct you to other flowcharts in other figures. To locate the correct flow chart, see the figure captions.
Figure 22.5 DNS Name Resolution, Part 1
Figure 22.6 DNS Name Resolution, Part 2
You can configure how suffixes are added to queries from the Advanced TCP/IP Settings page, in Network and Dial-up Connections in Control Panel. Figure 22.7 shows the Advanced TCP/IP Settings page:
Figure 22.7 DNS Query Settings
By default, the option Append primary and connection specific DNS suffixes is selected. This option causes the resolver to append the client name to the primary domain name, as defined in the Network Identification tab of the system properties, as well as the domain name defined in the DNS domain name field of each network connection. For example, if your primary DNS suffix is dom1.acquired01-int.com, the resolver queries for the following FQDN:
client1.dom1.acquired01-int.com
Next, if that query fails and if you have specified a connection-specific DNS suffix in the DNS suffix for this connection box, it appends that name. For example, if you entered the name acquired01-ext.com in the DNS suffix for this connection box and then queried for the unqualified, single-label name client1, the resolver queries for the following FQDN:
client1.acquired01-ext.com.
Next, if you select the check box Append parent suffixes of the primary DNS suffix, the resolver performs name devolution on the primary DNS suffix, stripping off the leftmost label and attempting the resulting domain name until only two labels remain. For example, if your primary DNS suffix is dom1.acquired01-int.com, and you selected the check box Append parent suffixes of the primary DNS suffix and then queried for the unqualified, single-label name client1, the resolver queries in order the following FQDNs:
client1.dom1.acquired01-int.com.
client1.acquired01-int.com.
To disable name devolution
1. In Control Panel, double-click Network and Dial-up Connections.
2. Right-click the local area connection you want to change, and then select Properties.
3. Select Internet Protocol (TCP/IP), and then click Properties.
4. Click Advanced.
5. Click the DNS tab.
6. Clear the check box Append parent suffixes of the primary DNS suffix, and then click OK.
The box labeled Append these DNS suffixes (in order) allows you to specify a list of domains to try, called a domain suffix search list. If you enter a domain suffix search list, the resolver adds those domain name suffixes in order and does not try any other domain names. For example, if the Append these DNS suffixes (in order) box includes the names listed in Figure 22.7 and you enter the unqualified, single-label query coffee, the resolver queries in order for the following fully qualified domain names:
coffee.com.
coffee.reskit.com.
coffee.redmond.reskit.com.
To add entries to the domain suffix search list
1. In Control Panel, double-click Network and Dial-up Connections.
2. Right-click the local area connection you want to change, and then select Properties.
3. Select Internet Protocol (TCP/IP), and then click Properties.
4. Click Advanced.
5. Click the DNS tab.
6. Select Append these DNS suffixes (in order).
7. Click Add, and then type the domain suffix you want to include.
8. Click Add.
9. To remove a domain suffix from the list, select it, and then click Remove.
10. To change the domain suffix search order, select it, then click the up or down arrows.
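The suffix rules above decide which FQDNs actually leave the computer when a user types a single-label name, which matters when a search list or devolution causes a query for an internal name to be sent under a suffix someone else controls. The function below is an added example (not the Resource Kit's code) that produces the ordered candidate list exactly as the section describes: a search list is used exclusively; otherwise the primary suffix, then each connection-specific suffix, then (with devolution enabled) the parents of the primary suffix down to two labels. Two details are assumptions: a name that already ends in a period is sent as-is, and a suffix that repeats an earlier one is not queried twice. The search list used in the test reconstructs the one implied by the coffee example.

```python
def candidate_fqdns(name, primary_suffix="", connection_suffixes=(),
                    append_parent_suffixes=False, search_list=()):
    """Ordered FQDNs the resolver tries for an unqualified, single-label name.

    - search_list, if non-empty, is used in order and nothing else is tried;
    - otherwise: primary suffix, then connection-specific suffixes, then
      (if append_parent_suffixes) devolution of the primary suffix, stripping
      the leftmost label until two labels remain.
    Assumptions beyond the chapter: a trailing "." means already qualified,
    and duplicate suffixes are queried only once.
    """
    if name.endswith("."):
        return [name]
    if search_list:
        return [f"{name}.{s.strip('.')}." for s in search_list]

    candidates = []

    def add(suffix):
        suffix = suffix.strip(".")
        if suffix:
            fqdn = f"{name}.{suffix}."
            if fqdn not in candidates:
                candidates.append(fqdn)

    add(primary_suffix)                       # Append primary ... DNS suffixes
    for suffix in connection_suffixes:        # ... and connection specific DNS suffixes
        add(suffix)
    if append_parent_suffixes and primary_suffix:   # name devolution
        labels = primary_suffix.strip(".").split(".")
        while len(labels) > 2:
            labels = labels[1:]
            add(".".join(labels))
    return candidates


if __name__ == "__main__":
    for fqdn in candidate_fqdns("client1", "dom1.acquired01-int.com",
                                ["acquired01-ext.com"], append_parent_suffixes=True):
        print(fqdn)
```

Feeding a workstation's actual primary suffix, connection suffixes and search list through this function shows every suffix under which an unqualified name will be tried, which is the list to review when deciding whether devolution should be left enabled.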
Specifying DNS Servers
When a name is submitted to DNS, if the resolver is caching names, the resolver first checks the cache. If the name is in the cache, the data is returned to the user. If the name is not in the cache, the resolver queries the DNS servers that are listed in the TCP/IP properties for each adapter.
The resolver can query through all adapters in the computer, including remote access adapters. In Windows NT 4.0, the resolver queried all servers through all adapters. In Windows 2000, however, you can specify a list of DNS servers to query for each adapter.
Figures 22.8, 22.9, and 22.10 illustrate the process by which the resolver queries the servers on each adapter.
Note
The flowcharts in Figures 22.8, 22.9, and 22.10 direct you to other flowcharts in other figures. To locate the correct flow chart, see the figure captions.
Figure 22.8 Querying the DNS Server, Part 1
Figure 22.9 Querying the DNS Server, Part 2
Figure 22.10 Querying the DNS Server, Part 3
Windows 2000 Professional allows multiple DNS servers to be specified. The first DNS server, known as the preferred DNS server, can be followed by an unlimited number of alternate DNS servers. The resolver queries the DNS servers in the following order:
1. The resolver sends the query to the first server on the preferred adapter's search list and waits for one second for a response.
2. If the resolver does not receive a response from the first server within one second, it sends the query to the first DNS servers on all adapters still under consideration and waits two seconds for a response.
3. If the resolver does not receive a response from any server within two seconds, the resolver sends the query to all DNS servers on all adapters still under consideration and waits another two seconds for a response.
4. If the resolver still does not receive a response from any server, it sends the query to all DNS servers on all adapters still under consideration and waits four seconds for a response.
5. If it still does not receive a response from any server, the resolver sends the query to all DNS servers on all adapters still under consideration and waits eight seconds for a response.
If the resolver receives a positive response, it stops querying for the name, adds the response to the cache and returns the response to the client.
If it has not received a response from any server by the end of the eight-second time period, the resolver responds with a time-out. Also, if it has not received a response from any server on a specified adapter, then for the next 30 seconds, the resolver responds to all queries destined for servers on that adapter with a time-out and does not query those servers.
If at any point the resolver receives a negative response from a server, it removes every server on that adapter from consideration during this search. For example, if in step 2, the first server on Alternate Adapter A gave a negative response, the resolver would not send the query to any other server on the list for Alternate Adapter A.
The resolver keeps track of which servers answer queries more quickly, and might move servers up or down on the list based on how quickly they reply to queries.
Figure 22.11 shows how the resolver queries each server on each adapter.
Figure 22.11 Multihomed Name Resolution
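The five-round schedule and the rule that a negative answer removes an adapter's servers from the search explain why a lookup on a multihomed computer can take up to 17 seconds to time out, and why a VPN or remote-access adapter can end up answering queries the LAN servers never saw. The simulation below is an added example, not the Resource Kit's code, and models that behaviour with constructed adapters and a responder callback standing in for the network. It assumes the first adapter in the dictionary is the preferred one, and that a search in which every remaining adapter has answered negatively ends with a negative result (the chapter does not spell out that last case).

```python
# Adapters in preference order: adapter name -> list of DNS server addresses.
# A responder(adapter, server) returns "positive", "negative" or None (no reply).

def query_rounds(adapters):
    """Yield (targets, timeout_seconds) for each round of the search:
    1) first server on the preferred adapter, wait 1 s;
    2) first server on every adapter, wait 2 s;
    3) to 5) every server on every adapter, waiting 2 s, 4 s, then 8 s."""
    names = [a for a in adapters if adapters[a]]    # adapters that have servers
    if not names:
        return
    yield [(names[0], adapters[names[0]][0])], 1
    yield [(a, adapters[a][0]) for a in names], 2
    for timeout in (2, 4, 8):
        yield [(a, s) for a in names for s in adapters[a]], timeout


def resolve(adapters, responder):
    """Simulate one lookup; return (result, adapter, server, seconds_waited).

    result is "positive" (first positive reply wins), "negative" (every adapter
    that could be asked answered negatively; assumption, see lead-in) or
    "timeout" (no reply after the 8 s round). An adapter whose server answers
    negatively is excluded for the rest of this search, as the chapter says.
    Waiting is modelled as the full round timeout for each round that
    produced no positive reply."""
    excluded = set()
    waited = 0
    for targets, timeout in query_rounds(adapters):
        for adapter, server in targets:
            if adapter in excluded:
                continue
            answer = responder(adapter, server)
            if answer == "positive":
                return ("positive", adapter, server, waited)
            if answer == "negative":
                excluded.add(adapter)
        waited += timeout
        if all(a in excluded for a in adapters if adapters[a]):
            return ("negative", None, None, waited)
    return ("timeout", None, None, waited)


# Constructed sample: a LAN adapter (preferred) with two servers and a
# remote-access adapter with one server.
SAMPLE_ADAPTERS = {"LAN": ["10.0.0.1", "10.0.0.2"], "RAS": ["10.8.0.1"]}


def lan_silent_ras_answers(adapter, server):
    """LAN servers never reply; the RAS server answers positively."""
    return "positive" if adapter == "RAS" else None


def lan_negative_ras_silent(adapter, server):
    """LAN answers negatively (adapter dropped); RAS never replies."""
    return "negative" if adapter == "LAN" else None


def everyone_negative(adapter, server):
    return "negative"


if __name__ == "__main__":
    print(resolve(SAMPLE_ADAPTERS, lan_silent_ras_answers))
    print(resolve(SAMPLE_ADAPTERS, lan_negative_ras_silent))
    print(resolve(SAMPLE_ADAPTERS, everyone_negative))
```

The first scenario is the one to watch on multihomed clients: when the LAN servers are unreachable the remote-access adapter's server answers from round 2 onward, so the answer source depends on which adapter replied, not on the adapter order alone.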
To specify a preferred and alternate DNS server
1. In Control Panel, double-click Network and Dial-up Connections.
2. Right-click the local area network connection you want to change, and then click Properties.
3. Select Internet Protocol (TCP/IP), and then click Properties.
4. In the General page, select the method to be used to access the DNS servers for your network:
   - If a DHCP server is available for automatic IP addressing and is configured to provide parameters for automatic DNS server configuration, select Obtain DNS server address automatically.
   - If the IP addresses for the DNS servers are to be manually configured, select the Use the following DNS server addresses option button. Type the IP addresses of the preferred and alternate DNS servers in the appropriate boxes.
To specify additional alternate DNS servers
1. In the General section of the Network and Dial-up Connections properties sheet, click Advanced.
2. Click the DNS tab.
3. Under DNS server addresses, in order of use, click Add.
4. Type the IP address of the DNS server you want to add.
5. Click Add.
To remove an IP address from the list, select it, and then click Remove.
The order of the IP addresses can be rearranged as needed to reflect changes in name server availability, performance, or to implement load balancing.
To set the DNS server search order
1. In Control Panel, double-click Network and Dial-up Connections.
2. Double-click Local Area Connections.
3. In the General dialog box, click Advanced.
4. Click the DNS tab.
5. In the DNS Server Search Order box, select the IP address of the DNS server you want to reposition.
6. Click the up or down buttons to reposition the selected IP address within the list of DNS servers.
DNS Performance and Security
The default settings of DNS might need to be changed in order to optimize the performance and security of the Windows 2000 Professional DNS client. The following sections describe the configuration changes that can be made to:
- Configure caching and negative caching
- Configure subnet prioritization
- Prevent the resolver from receiving responses from nonqueried servers
Configuring Caching and Negative Caching
When the Windows 2000 resolver receives a positive or negative response to a query, it adds that positive or negative response to its cache. The resolver always checks the cache before querying any DNS servers, so if a name is in the cache, the resolver uses the name from the cache rather than querying a server. This expedites queries and decreases network traffic for DNS queries.
You can use the Ipconfig tool to view and flush the cache.
To view the resolver cache
Ipconfig displays the contents of the DNS resolver cache, including names preloaded from the Hosts file and any recently queried names resolved by the system.
After a certain amount of time, specified in the Time to Live (TTL) associated with the name, the resolver discards the name from the cache. You can also flush the cache manually. After you flush the cache, the computer must query DNS servers again for any names previously resolved by the computer.
To flush the cache manually by using Ipconfig
The local Hosts file is preloaded into the resolver's cache and reloaded into the cache whenever Hosts is updated.
The length of time for which a positive or negative response is cached depends on the values of entries in the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSCache\Parameters
Positive responses are cached for the number of seconds specified in the query response the resolver received, but never for longer than the value of the entry MaxCacheEntryTtlLimit (REG_DWORD data type). The default value is 86,400 seconds (1 day).
Negative responses are cached for the number of seconds specified in the NegativeCacheTime entry (REG_DWORD data type). The default value is 300 seconds. If you do not want negative responses to be cached at all, set the value of this entry to 0.
If all DNS servers on an adapter are queried and none reply, either positively or negatively, all subsequent name queries to any server listed on that adapter fail instantly and continue to fail for a default of 30 seconds. This feature decreases network traffic.
Configuring Subnet Prioritization
If the resolver receives multiple IP address mappings (A resource records) from a DNS server, and some have IP addresses from networks to which the computer is directly connected, the resolver orders those resource records first. This reduces network traffic across subnets by forcing computers to connect to network resources that are closer to them.
For example, suppose there are three Web servers that all host the Web page for www.reskit.com, and they are all located on different subnets. The DNS name server for the network contains the following resource records:
www.reskit.com.    IN    A    172.16.64.11
www.reskit.com.    IN    A    172.17.64.22
www.reskit.com.    IN    A    172.18.64.33
When a Windows 2000 Professional based computer queries www.reskit.com, its resolver puts IP addresses from subnets to which the computer is directly connected first in the list. For example, if a computer with the IP address 172.17.64.93 queried for www.reskit.com, the resolver returns the resource records in the following order:
www.reskit.com.    IN    A    172.17.64.22
www.reskit.com.    IN    A    172.16.64.11
www.reskit.com.    IN    A    172.18.64.33
Subnet prioritization prevents the resolver from choosing the first IP address returned in the DNS query and using the DNS server round robin feature defined in RFC 1794. With round robin, the server rotates the order of resource record data returned in a query answer in which multiple resource records of the same type exist for a queried DNS domain name. Thus, in the example described earlier, if a user queried for www.reskit.com, the name server replies to the first client request by ordering the addresses as the following:
172.16.64.11
172.17.64.22
172.18.64.33
It replies to the second client response by ordering the addresses as the following:
172.17.64.22
172.18.64.33
172.16.64.11
If clients are configured to use the first IP address in the list they receive, then different clients use different IP addresses, balancing the load among multiple network resources with the same name. However, if the resolvers are configured for subnet prioritization, the resolvers reorder the list to favor IP addresses from networks to which they are directly connected, reducing the effectiveness of the round robin feature.
Although subnet prioritization does reduce network traffic across subnets, in some cases you might prefer to have the round robin feature work as described in RFC 1794. If so, you can disable the subnet prioritization feature on your clients by adding the PrioritizeRecordData entry with a value of 0 (REG_DWORD data type) in the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DnsCache\Parameters
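The interaction between server-side round robin and client-side subnet prioritization is easiest to see by running both over the three www.reskit.com records from the example. The code below is an added illustration, not the Resource Kit's code: `prioritize_records` implements the client reordering (on-link addresses first, server order otherwise preserved), `round_robin` the server rotation described for RFC 1794, and `address_used` the address a first-entry client ends up with. The client's subnet mask is not given in the chapter; a /24 is assumed.

```python
from ipaddress import ip_address, ip_network

# The three A records from the chapter's www.reskit.com example.
RECORDS = ["172.16.64.11", "172.17.64.22", "172.18.64.33"]


def prioritize_records(addresses, local_interfaces):
    """Client-side subnet prioritization (PrioritizeRecordData=1): addresses
    on a subnet the computer is directly connected to move to the front; the
    relative order of the rest is the order the server returned."""
    networks = [ip_network(iface, strict=False) for iface in local_interfaces]

    def directly_connected(addr):
        return any(ip_address(addr) in net for net in networks)

    on_link = [a for a in addresses if directly_connected(a)]
    off_link = [a for a in addresses if not directly_connected(a)]
    return on_link + off_link


def round_robin(records, request_number):
    """Server-side round robin as the chapter describes it: reply number n
    (counting from 0) is the record set rotated left n positions."""
    k = request_number % len(records)
    return records[k:] + records[:k]


def address_used(records, request_number, local_interfaces, subnet_prioritization=True):
    """The address a client that always takes the first entry connects to,
    with or without subnet prioritization applied to the rotated reply."""
    answer = round_robin(records, request_number)
    if subnet_prioritization:
        answer = prioritize_records(answer, local_interfaces)
    return answer[0]


if __name__ == "__main__":
    # Assumed /24 mask for the 172.17.64.93 client in the chapter's example.
    print(prioritize_records(RECORDS, ["172.17.64.93/24"]))
    for n in range(3):
        print(n, address_used(RECORDS, n, ["172.16.64.5/24"]),
              address_used(RECORDS, n, ["172.16.64.5/24"], subnet_prioritization=False))
```

With prioritization on, every request from a client on 172.16.64.0/24 lands on 172.16.64.11 no matter how the server rotates, which is the loss of load balancing the chapter warns about; a client on a subnet that holds none of the addresses still follows the server's rotation.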
Preventing the Resolver from Accepting Responses from Nonqueried Servers
By default, the resolver accepts responses from servers it did not query. This presents a possible security liability, as unauthorized DNS servers might pass along invalid A resource records to misdirect DNS queries. If you want to disable this feature, add the registry entry QueryIpMatching with a value of 1 (REG_DWORD data type) to the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DnsCache\Parameters
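The three registry entries in this part of the chapter (MaxCacheEntryTtlLimit, NegativeCacheTime, QueryIpMatching) and the 30-second per-adapter back-off all describe policy applied by the resolver cache. The class below is an added model of that policy, written for this page and not taken from Windows 2000; it is useful for reasoning about how long a bad or spoofed answer would persist once accepted, and for seeing what QueryIpMatching actually rejects. The clock is injected so expiry can be exercised without waiting.

```python
import time

# Defaults from the chapter's entries under
# HKLM\SYSTEM\CurrentControlSet\Services\DnsCache\Parameters
MAX_CACHE_ENTRY_TTL_LIMIT = 86400   # MaxCacheEntryTtlLimit, seconds (1 day)
NEGATIVE_CACHE_TIME = 300           # NegativeCacheTime, seconds; 0 disables negative caching
ADAPTER_FAILURE_BACKOFF = 30        # seconds an unresponsive adapter's servers are skipped


class FakeClock:
    """Deterministic clock so cache expiry can be tested without sleeping."""
    def __init__(self, start=0.0):
        self.t = float(start)

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class ResolverCache:
    def __init__(self, max_ttl=MAX_CACHE_ENTRY_TTL_LIMIT,
                 negative_time=NEGATIVE_CACHE_TIME,
                 query_ip_matching=False, clock=time.monotonic):
        self.max_ttl = max_ttl
        self.negative_time = negative_time
        self.query_ip_matching = query_ip_matching   # models QueryIpMatching=1
        self.clock = clock
        self._entries = {}        # lowercased name -> (expires_at, addresses or None)
        self._dead_until = {}     # adapter -> time until which its servers are skipped

    def accept_response(self, queried_servers, source_ip):
        """Whether a reply may populate the cache. With QueryIpMatching enabled,
        replies from servers that were not asked are discarded; by default
        (the chapter's security liability) any source is accepted."""
        return (not self.query_ip_matching) or source_ip in set(queried_servers)

    def add_positive(self, name, addresses, ttl):
        """Cache a positive answer for min(ttl, MaxCacheEntryTtlLimit) seconds."""
        expires = self.clock() + min(ttl, self.max_ttl)
        self._entries[name.lower()] = (expires, list(addresses))

    def add_negative(self, name):
        """Cache a negative answer for NegativeCacheTime seconds (not at all if 0)."""
        if self.negative_time <= 0:
            return
        self._entries[name.lower()] = (self.clock() + self.negative_time, None)

    def lookup(self, name):
        """Return ("miss", None), ("positive", addresses) or ("negative", None)."""
        key = name.lower()
        entry = self._entries.get(key)
        if entry is None or entry[0] <= self.clock():
            self._entries.pop(key, None)      # TTL has run out: discard the entry
            return ("miss", None)
        addresses = entry[1]
        return ("negative", None) if addresses is None else ("positive", list(addresses))

    def flush(self):
        """Equivalent of flushing the resolver cache by hand."""
        self._entries.clear()

    def mark_adapter_unresponsive(self, adapter):
        """No server on the adapter replied: fail its queries for 30 seconds."""
        self._dead_until[adapter] = self.clock() + ADAPTER_FAILURE_BACKOFF

    def adapter_usable(self, adapter):
        return self._dead_until.get(adapter, 0) <= self.clock()
```

Two points the model makes concrete: a positive answer carrying a week-long TTL still expires after one day because of MaxCacheEntryTtlLimit, and setting NegativeCacheTime to 0 means a negative answer is never stored, so the next query for the name goes back to the servers.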