What's New in DNS Server

 

Applies To: Windows Server 2012 R2, Windows Server 2012

This topic describes the DNS Server functionality that is new or changed in Windows Server 2012 R2 and Windows Server 2012. For information about the DNS Client service, see What's New in DNS Client.

In this topic:

What’s new in DNS Server in Windows Server 2012 R2

In Windows Server 2012 R2, DNS Server offers enhanced support in the following areas.

Functionality

New or improved

Description

DNS Logging and Diagnostics

New

Enhanced DNS logging and diagnostics in Windows Server 2012 R2 and later includes DNS Audit events and DNS Analytic events. Enhanced logging enables monitoring of all DNS query, response, and operational transactions.

Zone-level statistics

Improved

Zone level statistics are available for different resource record types, zone transfers, and dynamic updates.

DNSSEC support

Improved

DNSSSEC key management and support for signed file-backed zones is improved.

Windows PowerShell support

Improved

New Windows PowerShell parameters are available for DNS Server.

Dynamic DNS Forwarders

New

DNS now maintains a list of DNS Forwarders ordered by response time, to ensure queries are sent to forwarders with quicker response time.

Zone-level statistics

DNS server statistics available in Windows Server® 2012 using the Get-DnsServerStatistics Windows PowerShell cmdlet are: CacheStatistics, DatabaseStatistics, DnssecStatistics, DsStatistics, ErrorStatistics, MasterStatistics, MemoryStatistics, NetBiosStatistics, PacketStatistics, PrivateStatistics, Query2Statistics, QueryStatistics, RecordStatistics, RecursionStatistics, SecondaryStatistics, SecurityStatistics, TimeoutStatistics, TimeStatistics, UpdateStatistics, and WinsStatistics.

In Windows Server 2012 R2, the following additional statistics are available:

  • ZoneQueryStatistics: Zone query statistics provide the information about:

    • QueriesFailure: The number of queries that did not result in a successful response, for example when the response is DNS SERVER FAILURE.

    • QueriesNameError: The number of queries that resulted in an NXDOMAIN or EMPTY AUTH response.

    • QueriesReceived: The total number of queries received for the specified record type.

    • QueriesResponded: The total number of queries that resulted in a valid DNS response.

    Query information is provided for the following resource record types: A, AAAA, PTR, CNAME, MX, AFSDB, ATMA, DHCID, DNAME, HINFO, ISDN, MG (Mail Group), MB (Mail Box), MINFO (Mail Box Information), NAPTR (Naming Authority Pointer), NXT (Next Domain), KEY (Public Key), MR (Renamed Mailbox), RP (Responsible Person), RT (Route Through), SRV (Service Location), SIG (Signature), TXT (Text), WKS (Well Known Services), X.25, DNSKEY, DS, NS, SOA.

  • ZoneTransferStatistics: Zone transfer statistics provide the information about AXFR and IXFR transations, including:

    • RequestReceived: The total number of zone transfer requests received by the DNS Serverservice when operating as a primary server for a specific zone.

    • RequestSent: The total number of zone transfer requests sent by the DNS Serverservice when operating as a secondary server for a specific zone.

    • ResponseReceived: The total number of zone transfer requests received by the DNS Serverservice when operating as a secondary server for a specific zone.

    • SuccessReceived: The total number of zone transfers received by the DNS Server servicewhen operating as a secondary server for a specific zone.

    • SuccessSent: The total number of zone transfers successfully sent by the DNS Serverservice when operating as a primary server for a specific zone.

  • ZoneUpdateStatistics: Zone update statistics provide the information about:

    • DynamicUpdateReceived: The total number of dynamic update requests received by theDNS server.

    • DynamicUpdateRejected: The total number of dynamic updates rejected by the DNSserver.

To get zone level statistics, type the following commands at an elevated Windows PowerShell prompt.

PS C:\> $statistics = Get-DnsServerStatistics –ZoneName contoso.com
$statistics.ZoneQueryStatistics
$statistics.ZoneTransferStatistics
$statistics.ZoneUpdateStatistics

DNSSEC support

Enhanced support for DNSSEC includes changes to online signing for file-backed zones, and enhanced signing key management support:

  • In Windows Server 2012 R2, the Key Master role is introduced for file-backed multi-master zones.

    Note

    The Key Master is an authoritative DNS server that generates and manages signing keys for a zone that is protected with DNSSEC. The Key Master role was introduced in Windows Server 2012 for Active Directory-integrated zones. For more information, see Overview of DNSSEC.

  • DNSSEC is enhanced to enable isolation of the key management process from primary DNS servers which are not the key masters of a zone. The entire process of signing key generation, storage, rollover, retirement, and deletion can be initiated only from the Key Master while the other primary servers can continue the zone signing by accessing these keys.

    DNSSEC key separation is accomplished by enabling generation and storage of keys on a cryptographic next-generation (CNG) compliant offline storage module.

Windows PowerShell support

The following new Windows PowerShell cmdlets and parameters are introduced in Windows Server 2012 R2:

  • Step-DnsServerSigningKeyRollover: This cmdlet forces a KSK rollover when waiting for a parent delegation signer (DS) update. If a server hosting a securely delegated zone is unable to check if the DS record in parent is updated, this parameter enables you to force a rollover. It is expected that the DS record has been manually updated in the parent.

  • Add-DnsServerTrustAnchor -Root: The Root parameter set enables you to retrieve trust anchors from the URL specified in RootTrustAnchorsURL property of the DNS server. This cmdlet has the following alias: Retrieve-DnsServerRootTrustAnchor.

  • RootTrustAnchorsURL: The Get-DnsServerSetting and Set-DnsServerSetting cmdlets are extended to add a new output string of RootTrustAnchorURL.

Dynamic DNS Forwarders

When you add more than one forwarder in the settings for a DNS Server in Windows Server 2012 R2, the DNS service reorders the list of servers in the list of forwarders based on response time of each server in the list. The reordering and response checking operations are enabled by default in Windows Server 2012 R2. If you wish to disable this feature, you need to change the following registry DWORD value to 0:

HKLM\System\CurrentControlSet\Services\DNS\Parameters\EnableForwarderReordering

What’s new in DNS Server in Windows Server 2012

In Windows Server 2012, DNS Server offers enhanced support in the following areas:

DNSSEC support

In Windows Server 2012, DNS Security Extensions (DNSSEC) support is extended to include online signing and automated key management. Other enhancements to DNSSEC include:

  • Support for Active Directory-integrated DNS scenarios including DNS dynamic updates in DNSSEC signed zones.

  • Support for updated DNSSEC standards, including NSEC3 and RSA/SHA-2.

  • Automated trust anchor distribution through Active Directory.

  • Automated trust anchor rollover support per RFC 5011.

  • Updated user interface with deployment and management wizards.

  • Validation of records signed with updated DNSSEC standards (NSEC3, RSA/SHA-2).

  • Easy extraction of the root trust anchor.

For more information about DNSSEC, see Overview of DNSSEC and Step-by-Step: Demonstrate DNSSEC in a Test Lab.

Windows PowerShell support

DNS configuration and management is greatly enhanced with Windows PowerShell, including:

  • Parity with the user interface and dnscmd.exe.

  • DNS Server role installation/removal using Windows PowerShell.

  • Windows PowerShell client query with DNSSEC validation results.

  • Server configuration is enabled for computers running older operating systems.

See also