Managing DNS Server Configuration and Security

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

By William R. Stanek

from Chapter 16, Windows NT Administrator's Pocket Consultant.

The general configuration of a DNS server is managed through the Server Properties dialog box. Through it you can enable and disable the IP addresses on which the server answers queries, and control which of your DNS servers contact DNS servers outside the organization.

Enabling and Disabling IP Addresses for a DNS Server

By default, multihomed DNS servers respond to DNS requests on all available network adapters and the IP addresses they're configured to use.

Figure 16-14: Set the IP addresses that should handle DNS requests and responses by using the Interfaces tab.

Through DNS Manager, you can restrict the server to answering requests on specific IP addresses only. To do this, follow these steps:

  1. In DNS Manager, right-click on the server you want to configure and then choose Properties from the pop-up menu.

  2. In the Interfaces tab shown in Figure 16-14, enter the IP addresses that should respond to DNS requests.

  3. Click OK. Only the addresses you listed will be used for DNS; the server stops answering DNS requests on all its other IP addresses.

On a multihomed server that also has an adapter on an untrusted network, list only the internal addresses so that the service does not accept queries on the outside interface.

Controlling Access to DNS Servers Outside the Organization

Two separate controls are involved here. Restricting access to the primary zone database determines which servers, inside or outside the organization, can pull the zone from the primary server; for external servers, this is what controls which of them can get in from the outside world. Controlling which of your own DNS servers may send queries to servers outside the organization is done differently: you set up DNS forwarding within the domain so that only designated servers resolve outside names.

With DNS forwarding, you configure DNS servers within the domain as

  • Nonforwarders Servers configured with a list of forwarders. A nonforwarder sends any query it can't answer from its own zones or cache to the forwarders first; if no forwarder answers, it falls back to resolving the query itself, contacting outside servers directly.

  • Forwarding-only Servers that send every query they can't answer locally to the forwarders and never contact other DNS servers themselves; if no forwarder answers, the query fails. In DNS Manager this is the Operate As Slave Server setting. Such a server is sometimes loosely called a caching-only DNS server, although strictly that term means a server that hosts no zones, which is a separate property. Because a slave never talks to outside servers, it is the configuration to use on servers a firewall does not let out.

  • Forwarders Servers that receive requests from nonforwarders and forwarding-only servers. Forwarders resolve queries using normal recursive DNS communication and send the responses back to the other DNS servers, so they are the only servers that need to reach DNS servers outside the organization.

    Figure 16-15: Use the Forwarders tab to enter the IP addresses of the network's forwarders.

Creating Nonforwarding DNS Servers

To create a nonforwarding DNS server, follow these steps:

  1. In DNS Manager, right-click on the server you want to configure and then choose Properties from the pop-up menu.

  2. In the Forwarders tab shown in Figure 16-15, select Use Forwarder(s).

  3. Enter the IP addresses of the network's forwarders.

  4. Set the Forward Time Out. This value is the number of seconds the server waits for a reply from one forwarder before giving up on it and trying the next forwarder on the list. The default is 0 seconds.

  5. Click OK.

Creating Forwarding-Only Servers

To create a forwarding-only server, follow these steps:

  1. In DNS Manager, right-click on the server you want to configure and then choose Properties from the pop-up menu.

  2. In the Forwarders tab, select Use Forwarder(s) and then select Operate As Slave Server.

  3. Enter the IP addresses of the network's forwarders.

  4. Set the Forward Time Out. As for a nonforwarding server, this is the number of seconds the server waits for a reply from one forwarder before trying the next forwarder on the list. The default is 0 seconds.

  5. Click OK.

Creating Forwarders

There is no separate forwarder setting. Any DNS server on which Use Forwarder(s) is not selected resolves queries itself by recursion, so the network's designated forwarders are simply servers configured this way and listed on the Forwarders tab of the other servers. On them, make sure that Use Forwarder(s) and Operate As Slave Server are not selected, and make sure that they, and only they, are permitted by the firewall to reach DNS servers outside the organization.
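The following Python script is an added example written for this page, not code from the book or from the NT DNS service; it uses only the standard library. It builds a raw DNS query and uses it for two checks: probe_interfaces sends the query to each of a multihomed server's addresses to confirm that only the addresses listed on the Interfaces tab answer, and forward emulates the Forwarders-tab behaviour just described (forwarders tried in list order, each given the Forward Time Out, with a slave server giving up and a nonforwarder falling back to its own recursion). The IP addresses and host names are assumptions.

```python
"""Added example for this page (not from the book or the NT DNS service).

Builds a raw DNS query with the standard library and uses it for two checks:
probe_interfaces (Interfaces tab) and forward (Forwarders tab). The IP
addresses and names used in __main__ are assumptions.
"""
import socket
import struct
from typing import Callable, Dict, List, Optional, Tuple

DNS_PORT = 53
Header = Dict[str, int]
AskFn = Callable[[str, bytes, float], Optional[Header]]


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Wire-format DNS query for an A record of `name`, with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_header(packet: bytes) -> Header:
    """Decode the 12-byte DNS header; enough to tell a real reply from silence."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "is_response": (flags >> 15) & 1,
        "recursion_available": (flags >> 7) & 1,
        "rcode": flags & 0x000F,
        "answers": an,
    }


def ask(server_ip: str, query: bytes, timeout: float) -> Optional[Header]:
    """Send one UDP query and wait `timeout` seconds; None means no usable reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server_ip, DNS_PORT))
            data, _ = sock.recvfrom(512)
        except OSError:          # socket.timeout is a subclass of OSError
            return None
    hdr = parse_header(data)
    if hdr["id"] != parse_header(query)["id"] or not hdr["is_response"]:
        return None              # stray packet, not an answer to our query
    return hdr


def probe_interfaces(addresses: List[str], name: str, timeout: float = 2.0,
                     ask_fn: AskFn = ask) -> Dict[str, bool]:
    """Interfaces-tab check: which of a multihomed server's addresses answer DNS.

    Probe every address the server has, not only the ones you expect to be
    enabled. False can also mean a firewall dropped the packet.
    """
    query = build_query(name)
    return {ip: ask_fn(ip, query, timeout) is not None for ip in addresses}


def forward(name: str, forwarders: List[str], forward_timeout: float,
            slave: bool, ask_fn: AskFn = ask) -> Tuple[Optional[str], Optional[Header]]:
    """Emulate the Forwarders-tab behaviour for one query.

    Forwarders are tried in list order and each gets `forward_timeout`
    seconds (the Forward Time Out). Returns (who_answered, header). When no
    forwarder answers, a slave server gives up, (None, None); a nonforwarder
    would fall back to resolving the name itself, which is reported as
    "local-recursion" rather than performed.
    """
    query = build_query(name)
    for ip in forwarders:
        hdr = ask_fn(ip, query, forward_timeout)
        if hdr is not None:
            return ip, hdr
    return (None, None) if slave else ("local-recursion", None)


if __name__ == "__main__":
    # Assumed addresses: one internal, one external interface; two forwarders.
    print(probe_interfaces(["192.168.1.10", "203.0.113.10"], "www.tvpress.com"))
    print(forward("www.tvpress.com", ["192.168.1.2", "192.168.1.3"], 5.0, slave=True))
```

Run the probe from a host that can reach all of the server's addresses. An address that does not answer may also be blocked by a firewall, so treat a False result as "not reachable for DNS" rather than as proof that the interface is disabled. forward only reports which forwarder would have answered; the fallback recursion a nonforwarder performs is reported, not carried out.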

Integrating WINS with DNS

A Windows NT DNS server can be integrated with WINS. With WINS integration, the DNS server acts as a WINS client: names it cannot resolve from its own zone data are passed on to specific WINS servers, so computers registered only in WINS can still be resolved through DNS without static records. When you configure WINS and DNS to work together, you can configure

  • Partial integration with forward lookups using NetBIOS computer names.

  • Partial integration with reverse lookups using NetBIOS computer names.

  • Caching and timeout values for WINS resolution.

  • Full integration with lookups resolved using NetBIOS computer names and NetBIOS scopes.

Configuring WINS Lookups in DNS

When you configure WINS lookups in DNS, the leftmost portion of the fully qualified domain name can be resolved using WINS. The procedure works like this:

The DNS server looks for an address record for the fully qualified domain name. If a record is found, the server uses the record to resolve the name using only DNS. If a record is not found, the server extracts the leftmost portion of the name and uses WINS to try to resolve the name (as a NetBIOS computer name).

You configure WINS lookups in DNS by doing the following:

  1. In DNS Manager, right-click on the zone you want to update and then choose Properties from the pop-up menu.

  2. Click on the WINS Lookup tab shown in Figure 16-16.

  3. Select Use WINS Resolution and then enter the IP addresses of the network's WINS servers. At least one WINS server must be specified.

  4. Click OK.

Configuring Reverse WINS Lookups in DNS

When you configure reverse WINS lookups in DNS, the IP address of the host can be resolved to a NetBIOS computer name. The procedure works like this:

The DNS server looks for a pointer record for the specified IP address. If a record is found, the server returns the fully qualified domain name from that record. If no record is found, the server sends the address to WINS; if WINS knows the address, it returns the NetBIOS computer name, and the DNS server appends the configured host domain to that name to form the answer.

Figure 16-16: Use the WINS Lookup tab to configure WINS lookups in DNS.

You configure reverse WINS lookups in DNS by doing the following:

  1. In DNS Manager, right-click on the in-addr.arpa zone for the domain and then choose Properties from the pop-up menu.

  2. Click on the WINS Reverse Lookup tab shown in Figure 16-17.

  3. Select Use WINS Reverse Lookup and then enter the IP addresses of the network's WINS servers.

  4. In the DNS Host Domain field, enter the host domain information. The domain is appended to the computer name returned by WINS. For example, if you enter tvpress.com and WINS returns the NetBIOS computer name gamma, the DNS server will combine the two values and return gamma.tvpress.com.

  5. Click OK.

    Figure 16-17: Use the WINS Reverse Lookup tab to configure WINS reverse lookups in DNS.

    Figure 16-18: In the Advanced Zone Properties dialog box, set caching and timeout values for WINS in DNS.

Setting Caching and Timeout Values for WINS in DNS

When you integrate WINS and DNS, you should also set WINS caching and timeout values. The caching value determines how long records returned from WINS are valid. The timeout value determines how long DNS should wait for a response from WINS before timing out and returning an error. These values are set for both forward and reverse WINS lookups.

You set caching and timeout values for WINS in DNS by doing the following:

  1. In DNS Manager, right-click on the zone you want to update and then choose Properties from the pop-up menu.

  2. Select the WINS Lookup tab and then choose the Advanced button. This opens the dialog box shown in Figure 16-18.

  3. Set the caching and timeout values using the Cache Timeout Value field and the Lookup Timeout Value field. By default, DNS caches WINS records for 10 minutes and gives up on a WINS lookup after 1 second. For most networks, you should increase these values; sixty minutes for caching and three seconds for the timeout are better choices. A timeout that is too short makes DNS report names as nonexistent whenever WINS is slow to answer, while a long cache value means a changed address is not noticed until the cached entry expires.

  4. Repeat this process for the in-addr.arpa zone for the domain.

Configuring Full WINS and DNS Integration

When you configure full WINS and DNS integration, lookups can be resolved using NetBIOS computer names and NetBIOS scopes. Here, a forward lookup works like this:

The DNS server looks for an address record for the fully qualified domain name. If a record is found, the server uses the record to resolve the name using only DNS. If a record is not found, the server extracts the leftmost portion of the name as the NetBIOS computer name and the remainder of the name as the NetBIOS scope. These values are then passed to WINS for resolution.

You configure full integration of WINS and DNS by doing the following:

  1. In DNS Manager, right-click on the zone you want to update and then choose Properties from the pop-up menu.

  2. Select the WINS Lookup tab and then choose the Advanced button.

  3. In the Advanced Zone Properties dialog box, select Submit DNS Domain As NetBIOS Scope.

  4. Click OK.

Before you fully integrate WINS and DNS, make sure that the NetBIOS scope is configured consistently across the network and that a consistent naming scheme is used for all network computers. DNS names are not case-sensitive, but NetBIOS names and scope IDs are: the scope passed to WINS must match the configured scope exactly, character for character, or the query fails. Note also that if the domain has subdomains, each subdomain must be delegated the authority for name services in order for WINS and DNS integration to work properly.
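The forward lookup, reverse lookup, caching and timeout, and full-integration behaviour described in the preceding sections, collected into one runnable Python model. This is an added example written for this page, not the NT DNS service's code; the zone records, WINS entries, reply latencies and the tvpress.com domain are constructed assumptions. It shows the zone-then-WINS order, the leftmost label becoming the NetBIOS name (and the remainder the scope once Submit DNS Domain As NetBIOS Scope is on), the Cache Timeout and Lookup Timeout values in action, and why a scope that does not match character for character fails.

```python
"""Model of the WINS fallback the sections above describe, as an added example
(not the NT DNS service's code). Zone data, WINS records, reply latencies and
the tvpress.com domain are constructed assumptions."""
from typing import Dict, Optional, Tuple

# --- constructed sample data ---
ZONE_A = {"www.tvpress.com": "10.1.1.10"}           # A records in the forward zone
ZONE_PTR = {"10.1.1.10": "www.tvpress.com"}         # PTR records in the in-addr.arpa zone
# WINS database: (NetBIOS name, NetBIOS scope) -> (IP, seconds WINS takes to reply)
WINS_DB = {
    ("GAMMA", ""): ("10.1.1.20", 0.2),
    ("DELTA", "tvpress.com"): ("10.1.1.30", 0.2),    # registered with a scope ID
    ("SLOWBOX", ""): ("10.1.1.40", 5.0),             # WINS answers slowly for this one
}


class WinsConfig:
    """Settings from the WINS Lookup / WINS Reverse Lookup tabs and the Advanced dialog."""

    def __init__(self, use_wins: bool = True, host_domain: str = "tvpress.com",
                 cache_timeout: int = 600, lookup_timeout: float = 1.0,
                 submit_domain_as_scope: bool = False) -> None:
        self.use_wins = use_wins
        self.host_domain = host_domain                   # DNS Host Domain (reverse lookups)
        self.cache_timeout = cache_timeout               # Cache Timeout Value, default 10 min
        self.lookup_timeout = lookup_timeout             # Lookup Timeout Value, default 1 s
        self.submit_domain_as_scope = submit_domain_as_scope   # full integration


def wins_query(netbios_name: str, scope: str, cfg: WinsConfig) -> Optional[str]:
    """Simulated WINS name query. Windows registers computer names in uppercase,
    so the name is uppercased; the scope ID is compared byte for byte (this is
    where the case-sensitivity caveat bites). None means no record or timed out."""
    entry = WINS_DB.get((netbios_name.upper(), scope))
    if entry is None:
        return None
    ip, latency = entry
    return ip if latency <= cfg.lookup_timeout else None   # DNS stops waiting


def wins_reverse_query(ip: str, cfg: WinsConfig) -> Optional[str]:
    """Simulated WINS reverse query: IP -> NetBIOS computer name."""
    for (name, _scope), (addr, latency) in WINS_DB.items():
        if addr == ip:
            return name if latency <= cfg.lookup_timeout else None
    return None


def forward_lookup(fqdn: str, cfg: WinsConfig, cache: Dict[str, Tuple[str, float]],
                   now: float) -> Tuple[Optional[str], str]:
    """Resolve an FQDN as the article describes: zone first, then WINS.
    Returns (ip_or_None, source) with source dns / wins / wins-cache / nxdomain."""
    fqdn = fqdn.rstrip(".")
    key = fqdn.lower()                                  # DNS names are case-insensitive
    if key in ZONE_A:
        return ZONE_A[key], "dns"
    if not cfg.use_wins:
        return None, "nxdomain"
    hit = cache.get(key)
    if hit is not None and hit[1] > now:
        return hit[0], "wins-cache"
    label, _, rest = fqdn.partition(".")                # leftmost label = NetBIOS name
    scope = rest if cfg.submit_domain_as_scope else ""  # remainder = scope (full integration);
    ip = wins_query(label, scope, cfg)                  # passed as typed, so case matters
    if ip is None:
        return None, "nxdomain"
    cache[key] = (ip, now + cfg.cache_timeout)          # honour Cache Timeout Value
    return ip, "wins"


def reverse_lookup(ip: str, cfg: WinsConfig) -> Tuple[Optional[str], str]:
    """Resolve an IP: PTR record first, then WINS with the DNS Host Domain appended."""
    if ip in ZONE_PTR:
        return ZONE_PTR[ip], "dns"
    if not cfg.use_wins:
        return None, "nxdomain"
    name = wins_reverse_query(ip, cfg)
    if name is None:
        return None, "nxdomain"
    return f"{name.lower()}.{cfg.host_domain}", "wins"  # gamma + tvpress.com -> gamma.tvpress.com


if __name__ == "__main__":
    cfg, cache = WinsConfig(), {}
    for n in ("www.tvpress.com", "gamma.tvpress.com", "delta.tvpress.com", "slowbox.tvpress.com"):
        print(n, forward_lookup(n, cfg, cache, now=0))
    print(forward_lookup("delta.tvpress.com", WinsConfig(submit_domain_as_scope=True), {}, now=0))
    print(reverse_lookup("10.1.1.20", cfg))
```

With the defaults, delta.tvpress.com fails because DELTA is registered under a scope and partial integration sends an empty scope; with Submit DNS Domain As NetBIOS Scope turned on it resolves, while gamma.tvpress.com, registered without a scope, then fails instead. That is the reason the text insists on a consistent scope configuration before enabling full integration.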

from Windows NT Administrator's Pocket Consultant by William R. Stanek. Copyright © 1999 Microsoft Corporation.
