
Domain Naming Service

Consider this article on DNS a prequel to the upcoming ADDS series. After all, any Active Directory implementation requires DNS integration.

So what is DNS?

DNS is a highly reliable, hierarchical, distributed and scalable database used for name resolution and service location. Basically, it translates friendly names into IP addresses, allowing clients to connect to resources in the infrastructure without memorising pesky IP numbers.

History of DNS

When the DoD initially started up the “internet” in its early days, host files, which were replicated between the hosts, were used for name resolution. As the number of hosts started to grow, the traffic generated by these replications grew exponentially, not to mention the size of the host file!

In 1984 the domain name system was introduced to the infrastructure. This system allowed host names to reside in a database that could be distributed amongst multiple servers, decreasing the load on individual servers and allowing administration on a per-partition basis. Theoretically the size of a DNS database is unlimited and performance does not degrade as more and more servers are added.

Hierarchical DNS

The system is set up as a hierarchy in which a fully qualified domain name (FQDN) is separated by dots (.) and the highest level of the hierarchy is at the end of the FQDN. So for a three-label name the hierarchy would look as follows:

1. COM
   a. Contoso
      I. Hosting

How is DNS structured?

As discussed before, DNS is a hierarchical system. Moreover, each zone in the hierarchy has a number of “default” kinds of “resource records”, each with a time to live (TTL) and the data it contains:

· Start of Authority: TTL 60 minutes by default; contains the owner name, primary DNS name, refresh/retry interval, expire time and minimum TTL.

· Host (A): TTL same as zone; contains the host DNS name and IP address.

· Name server: TTL same as zone; contains the owner name and the name server DNS name.

· Mail Exchange: TTL same as zone; contains the owner name and the mail exchange DNS name.

· Alias (CNAME): TTL same as zone; contains the owner name and the host DNS name.

Replication and zone types

To allow a distributed system to be accurate and fast for every local user, replication is needed, as well as the ability to have different replication types. A DNS server can host the following zone types:

· Primary

· Secondary

· Stub

A primary zone is the zone in which all updates for the records belonging to that zone are made.
A secondary zone is a read-only copy of a primary zone. A stub zone is a read-only copy of a primary zone that contains only the name server records of that zone.


Time To Live

The TTL value is, quite literally, the time a record lives in a resolver's cache. It makes sure a DNS server does not keep information for so long that it becomes outdated. It also means that when a change is made to a record, it may take up to the time specified in the TTL before that change is “up to date” on every other DNS server.

Care has to be taken: a TTL which is too high will cause cached entries to become outdated, while a TTL which is too low will increase network traffic and server utilization.
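To make the TTL trade-off concrete, here is an added example (not code from the original post) of a tiny resolver cache with an injectable clock; the zone data, the hosting.contoso.com record and its addresses are constructed sample values. It shows a record that was changed at the authority still being served from cache until the TTL runs out.

```python
import time

class ResolverCache:
    """Minimal positive cache: an entry is served for at most its TTL, then discarded."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be exercised without waiting
        self._entries = {}           # (name, rtype) -> (expires_at, rdata)

    def store(self, name, rtype, rdata, ttl):
        if ttl <= 0:                 # TTL 0 means "do not cache": answer once, never reuse
            return
        self._entries[(name.lower(), rtype)] = (self._clock() + ttl, rdata)

    def lookup(self, name, rtype):
        """Return (rdata, seconds_left) or None when absent or expired."""
        key = (name.lower(), rtype)
        if key not in self._entries:
            return None
        expires_at, rdata = self._entries[key]
        seconds_left = int(expires_at - self._clock())
        if seconds_left <= 0:        # expired: drop it so the next query goes back to the authority
            del self._entries[key]
            return None
        return rdata, seconds_left

def resolve(cache, name, rtype, zone):
    """Answer from cache if possible, otherwise from the (simulated) authoritative zone, then cache it."""
    hit = cache.lookup(name, rtype)
    if hit is not None:
        return hit[0], "cache"
    rdata, ttl = zone[(name.lower(), rtype)]
    cache.store(name, rtype, rdata, ttl)
    return rdata, "authoritative"

def staleness_demo():
    """Change a record at the authority and show the old answer surviving until the TTL runs out."""
    now = [1000.0]                                                 # simulated clock, seconds
    cache = ResolverCache(clock=lambda: now[0])
    zone = {("hosting.contoso.com", "A"): ("192.0.2.10", 3600)}   # constructed sample zone, TTL 1 hour
    first, _ = resolve(cache, "hosting.contoso.com", "A", zone)
    zone[("hosting.contoso.com", "A")] = ("192.0.2.20", 3600)     # admin moves the host to a new address
    now[0] += 3599                                                 # one second before expiry: old answer
    stale, stale_src = resolve(cache, "hosting.contoso.com", "A", zone)
    now[0] += 2                                                    # past expiry: the change becomes visible
    fresh, fresh_src = resolve(cache, "hosting.contoso.com", "A", zone)
    return first, stale, stale_src, fresh, fresh_src
```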


Recursion

Recursion is enabled by default on the DNS Server service. Simply put, recursion is the action of a DNS server sending queries to other DNS servers on behalf of the client until an authoritative answer has been received. That answer is then returned to the requesting client.

If recursion is disabled, no forwarders can be set on the DNS server and lookups will only be performed internally.

Round Robin

Round robin is a slightly outdated but still widely used method of managing server congestion by distributing connection load across multiple servers that hold identical content. In this setup multiple A records are created for the same host name, each with a different IP address. When queried, the DNS server hands out the first record; on the next query the second, and so on until the end of the list is reached, at which point it loops back to the first record.

Root hints

Root hints allow a server to look up information for zones it is not authoritative for, so that it can learn about and discover those zones. Best practice is to disable root hints altogether if your DNS servers are on a private network.


Forwarders

A forwarder is a DNS server on a network that is used to forward DNS queries for external DNS names to DNS servers outside that network. Forwarders can also be used to forward queries for specific domain names to specific DNS servers (conditional forwarders).

Ports used by DNS

· Queries from local DNS: source port any port above 1023, destination port 53.

· Responses to local DNS: source port 53, destination port any port above 1023.

· Queries from remote DNS: source port any port above 1023, destination port 53.

· Responses to remote DNS: source port 53, destination port any port above 1023.


All traffic is initially sent over UDP, but the sender can reissue the DNS request over TCP if the message is too long for UDP.
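As an added example (not code from the original post), the following builds a DNS query in wire format, parses a reply including compressed names and multiple A records (the round-robin case from above), and applies the rule just described: if the server flagged the UDP reply as truncated (TC bit), the same query is re-sent over TCP with its 2-byte length prefix. The query id, the hosting.contoso.com name and the 192.0.2.x addresses are constructed sample values.

```python
import struct
def build_query(qid, name, qtype=1):
    # 12-byte header with RD set, then one question: length-prefixed labels, type (1 = A), class IN
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def decode_name(msg, off):
    # Decode a name at off, following 0xC0xx compression pointers; returns (name, offset after the field)
    labels, end = [], None
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:                    # pointer: note where this field ends, then jump back
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def parse_response(msg):
    # Returns (id, flags, [(name, ttl, ip) for each A record in the answer section])
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, answers = 12, []
    for _ in range(qd):                           # skip the echoed question (name + type + class)
        off = decode_name(msg, off)[1] + 4
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rclass == 1:
            answers.append((name, ttl, ".".join(map(str, rdata))))
    return qid, flags, answers

def next_step(query, udp_response):
    # What a resolver does with a UDP reply: discard it, accept its answers, or resend over TCP
    rid, flags, answers = parse_response(udp_response)
    if rid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:   # id or QR bit mismatch
        return "discard", None
    if flags & 0x0200:                            # TC bit: the server could not fit the answer in UDP
        return "retry-tcp", struct.pack("!H", len(query)) + query   # same bytes, 2-byte length prefix
    return "accept", answers

# Constructed sample messages (not captured traffic): one query and two possible replies to it
QUERY = build_query(0x1234, "hosting.contoso.com")
def a_rr(ip):   # answer RR whose name is a pointer (0xC00C) back to the question name, TTL 3600
    return b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes(int(o) for o in ip.split("."))
FULL = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0) + QUERY[12:] + a_rr("192.0.2.10") + a_rr("192.0.2.11")
TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUERY[12:]
```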



DNS tools

· Used to view the properties of DNS servers, zones and resource records, and to modify all aspects of the DNS Server service. Scriptable.

· Helps diagnose common DNS name resolution issues. It can be targeted at specific DNS record sets to check that they are consistent across multiple DNS servers.

· The default DNS console.

· A tool which can capture and log data about the packets on a network.

· Used to query DNS servers and to obtain detailed responses.

· A network connectivity tester that lets you isolate networking and connectivity problems by performing a series of tests to determine the state of your network client.

Active directory integration


Active Directory integration for DNS gives us a distinct set of benefits, namely the following:

· Replication is performed by Active Directory, removing the need for a separate replication topology.

· Active Directory offers “per-property” replication.

· Replication is secure when the zone is integrated into Active Directory.

· Active Directory eliminates the primary DNS server as a single point of failure. AD replication is multi-master, and updates can be made on any domain controller, which then propagates the change to the other domain controllers.

Active Directory-integrated zones store their information in an application directory partition, where each directory-integrated zone is stored under its own dnsZone container object.


Active Directory is highly dependent on DNS as a domain controller location mechanism and uses DNS naming conventions in the architecture of Active Directory domains (aka DNS breaks = AD breaks).


· Domain controller locator: this record enables clients to locate domain controllers.

· AD domain names in DNS: a separate namespace for AD domains in DNS.

· AD DNS objects: when stored in AD, each DNS zone becomes an object of the dnsZone class and receives its own attributes.

posted on Tuesday, December 6, 2011 7:48 PM | Filed Under [ Platforms ]
