—Recursive lookup

The DNS server resolves the query (for example one from nslookup) on behalf of the client, one label at a time:

Resolve .

Resolve .com

Resolve google.com.

Resolve www.google.com.

—Authoritative zone

DNS server hosting that domain name

—Conditional Forwarders

For specific domain namespaces we can say: hosts using this DNS server resolve that namespace via DNS server x.x.x.x directly. Manual method.

Conditional forwarders are used over forwarders and forwarders over root hints.

—Stub zone

Automatically updates if additional servers become available, unlike conditional forwarders, which are updated manually.

Read only. If we do not want all zone information sent to partner companies, a stub zone can be created and only that shared with the partner.

Contains the A (glue) records that point to the exact servers performing the resolution.
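Added example, not from the original notes: the two choices above done with the DnsServer PowerShell module instead of DNS Manager. The partner zone names and the master address 10.0.0.50 are placeholders I chose; the script assumes AD-integrated DNS (hence the replication scope) and a server that already has the DNS Server role.

```powershell
# Added example (not from the original notes). Assumes the DnsServer module on a
# Windows DNS server; partner.example, partnerstub.example and 10.0.0.50 are made up.
Import-Module DnsServer

# Conditional forwarder: "for partner.example, ask 10.0.0.50 directly".
# The master list is static: if the partner adds name servers we edit this by hand.
Add-DnsServerConditionalForwarderZone -Name "partner.example" `
    -MasterServers "10.0.0.50" -ReplicationScope "Forest"

# Stub zone: pulls only the SOA, NS and glue A records from the master and
# refreshes them itself, so new partner name servers show up automatically.
Add-DnsServerStubZone -Name "partnerstub.example" `
    -MasterServers "10.0.0.50" -ReplicationScope "Forest"

# Compare the two: ZoneType is "Forwarder" for one and "Stub" for the other,
# and the stub zone holds nothing but the delegation records.
"partner.example", "partnerstub.example" |
    ForEach-Object { Get-DnsServerZone -Name $_ } |
    Format-Table ZoneName, ZoneType, IsDsIntegrated, MasterServers -AutoSize
Get-DnsServerResourceRecord -ZoneName "partnerstub.example" |
    Format-Table HostName, RecordType, RecordData -AutoSize
```

Both zones answer for the partner namespace without holding its full data, which is the point of preferring them over a secondary zone when the partner should not hand over everything.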

—Caching server

Not authoritative, can't be hacked, cannot do zone transfer updates.

Very fast. Remembers DNS entries from the next hop that resolved the name.

Only the DNS Server role + forwarders are added. Every DNS server is a cache server by default.

//Viewing the cache

DNS Manager Tools -> View -> Advanced

//Clearing the cache

1. DNS Manager Tools -> View -> Advanced

2. DNS -> Cache lookups -> CLEAR CACHE

On the DNS Server

-dnscmd /clearcache
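Added example, not from the original notes: viewing and clearing the server cache from PowerShell, which is what the DNS Manager "Cached Lookups" view and dnscmd /clearcache do. It assumes the DnsServer module on the caching server; www.example.com is just a name to populate the cache with.

```powershell
# Added example (not from the original notes). Run on the caching DNS server itself;
# www.example.com is only there to put an entry into the cache.
Import-Module DnsServer

# Ask the local server once so it resolves the name via its forwarder and caches it.
Resolve-DnsName -Name "www.example.com" -Type A -Server "127.0.0.1" -DnsOnly | Out-Null

# Equivalent of DNS Manager -> View -> Advanced -> Cached Lookups.
# TimeToLive counts down; when it reaches zero the entry is dropped.
Show-DnsServerCache |
    Where-Object RecordType -eq "A" |
    Format-Table HostName, RecordType, TimeToLive, RecordData -AutoSize

# Equivalent of "Clear Cache" / dnscmd /clearcache. Nothing authoritative is lost,
# only remembered answers, so the server simply re-resolves on the next query.
Clear-DnsServerCache -Force

# Confirm the entry is gone (the query returns nothing).
Show-DnsServerCache | Where-Object HostName -like "*example.com*"
```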

—Primary Zone

Read/write zone; entries can be added and edited.

To have two primary DNS servers, join the Active Directory domain controller's domain.

—Secondary Zone

A read-only copy pulled from a primary or another secondary zone.

Must point at another domain, named in the format "cisco.com".

A red X on the zone is normal until it replicates.

Stored in C:\Windows\System32\DNS\Domain.local.dns

//configuration

1. Right click forward/reverse lookup zone -> New zone

2. Must be pointed to another domain format = “cisco.com”

3. On the authoritative primary zone, under Zone Transfers / Name Servers, add the client as an allowed host.

4. Right click zone -> Transfer from Master.

—Store the zone in active directory

Replicates throughout the domain, required for HA
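Added example, not from the original notes: the primary/secondary setup and the AD-integrated conversion from the three sections above, scripted with the DnsServer module. The zone name cisco.com comes from the notes; the addresses 10.0.0.5 (primary) and 10.0.0.6 (secondary) are placeholders I chose. Transfers are restricted to the named secondary rather than "any server".

```powershell
# Added example (not from the original notes). Primary = 10.0.0.5, secondary = 10.0.0.6
# (made-up addresses). Each section notes which server it runs on.
Import-Module DnsServer

# --- on the primary ---
# File-backed primary zone, stored as C:\Windows\System32\dns\cisco.com.dns
Add-DnsServerPrimaryZone -Name "cisco.com" -ZoneFile "cisco.com.dns" -DynamicUpdate "None"

# Zone transfers only to the listed secondary, and notify it when the zone changes.
Set-DnsServerPrimaryZone -Name "cisco.com" `
    -SecureSecondaries "TransferToSecureServers" -SecondaryServers "10.0.0.6" `
    -Notify "NotifyServers" -NotifyServers "10.0.0.6"

# --- on the secondary ---
# Transfers run over TCP 53, so check that path before pulling the zone.
Test-NetConnection -ComputerName "10.0.0.5" -Port 53 | Select-Object TcpTestSucceeded

Add-DnsServerSecondaryZone -Name "cisco.com" -ZoneFile "cisco.com.dns" -MasterServers "10.0.0.5"
Start-DnsServerZoneTransfer -Name "cisco.com" -FullTransfer      # "Transfer from Master"
Get-DnsServerZone -Name "cisco.com" |
    Format-List ZoneType, MasterServers, LastZoneTransferAttempt, LastSuccessfulZoneTransfer

# --- back on the primary: store the zone in AD so every DC replicates it (multi-master) ---
ConvertTo-DnsServerPrimaryZone -Name "cisco.com" -ReplicationScope "Domain" -Force
Get-DnsServerZone -Name "cisco.com" | Format-List ZoneType, IsDsIntegrated, ReplicationScope
```

Until the first transfer succeeds the secondary shows the red X the notes mention; LastSuccessfulZoneTransfer is the scripted way to see it clear.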

—-Hostmaster

hostname.cisco.com in the SOA is the hostname@cisco.com email address.

—-Start of Authority

//Refresh interval – Check every 15 minutes for DNS updates from other servers

//Retry Interval – Wait 10 minutes if the neighbour is offline and try again

//Expires After – If the neighbour stays offline for 1 day (default), give a red X

//Minimum (Default) TTL – Exists for 1 hour in the client cache before expiring.
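Added example, not from the original notes: setting the four SOA timers listed above (15 min / 10 min / 1 day / 1 hour) on the notes' cisco.com zone with the DnsServer module, using the documented Get/Clone/Set pattern for editing a record in place.

```powershell
# Added example (not from the original notes). Assumes the DnsServer module on the
# primary for cisco.com; the timer values are the ones from the notes.
Import-Module DnsServer

$old = Get-DnsServerResourceRecord -ZoneName "cisco.com" -RRType Soa
$new = $old.Clone()

$new.RecordData.RefreshInterval   = [TimeSpan]::FromMinutes(15)  # secondaries poll every 15 min
$new.RecordData.RetryDelay        = [TimeSpan]::FromMinutes(10)  # wait 10 min after a failed poll
$new.RecordData.ExpireLimit       = [TimeSpan]::FromDays(1)      # stop answering after 1 day unreachable
$new.RecordData.MinimumTimeToLive = [TimeSpan]::FromHours(1)     # default / negative-cache TTL of 1 hour

# Replace the old SOA with the edited copy
Set-DnsServerResourceRecord -ZoneName "cisco.com" -OldInputObject $old -NewInputObject $new

# Read it back; ResponsiblePerson is the hostmaster mailbox in "hostname.cisco.com." form
(Get-DnsServerResourceRecord -ZoneName "cisco.com" -RRType Soa).RecordData |
    Format-List PrimaryServer, ResponsiblePerson, SerialNumber,
                RefreshInterval, RetryDelay, ExpireLimit, MinimumTimeToLive
```

A short ExpireLimit is the safety valve: a secondary that has lost contact with its master for longer than this stops serving stale data instead of answering with it indefinitely.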

—-Reverse lookup zone

Good for resolving an IP to a hostname.

PTR (pointer) records map an IP back to its hostname.

//Configuration to populate entries

-Update PTR Record (forward lookup zone)

-ipconfig /registerdns

//Resolve an IP to a Hostname

ping -a 10.0.0.10
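Added example, not from the original notes: creating the reverse zone, populating PTR records both ways (automatically from the forward record, and by hand) and performing the IP-to-hostname lookup that ping -a does. The network 10.0.0.0/24 and the hosts srv1/srv2 are placeholders I chose; the cisco.com zone name is from the notes.

```powershell
# Added example (not from the original notes). Assumes the DnsServer module on the
# primary; 10.0.0.0/24, srv1 and srv2 are made-up values.
Import-Module DnsServer

# Reverse zone for 10.0.0.x, which the server names 0.0.10.in-addr.arpa
Add-DnsServerPrimaryZone -NetworkId "10.0.0.0/24" -ZoneFile "0.0.10.in-addr.arpa.dns"

# Forward record plus its PTR in one step (the "Update associated PTR record" checkbox)
Add-DnsServerResourceRecordA -Name "srv1" -ZoneName "cisco.com" -IPv4Address "10.0.0.10" -CreatePtr

# Or add a PTR by hand: the record name is the host part of the address (10.0.0.11 -> "11")
Add-DnsServerResourceRecordPtr -Name "11" -ZoneName "0.0.10.in-addr.arpa" -PtrDomainName "srv2.cisco.com"

# What the reverse zone now contains
Get-DnsServerResourceRecord -ZoneName "0.0.10.in-addr.arpa" -RRType Ptr |
    Format-Table HostName, RecordData -AutoSize

# IP -> hostname, the same query "ping -a 10.0.0.10" issues
Resolve-DnsName -Name "10.0.0.10" -Type PTR -Server "127.0.0.1" -DnsOnly

# On a client, re-register its own A and PTR records (same as ipconfig /registerdns)
Register-DnsClient
```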

—Local Client Cache

ipconfig /displaydns

—CNAME

Masks the server's real hostname to reduce its exposure to attacks.

Clients use the new (alias) hostname.

CNAMES point to A records.

—Mail MX Records

mail.domain.com.au was the example record in the video

Priority: a lower value means a higher preference (that mail server is tried first).

—DNS Load Balancing

To load balance between multiple servers for the same hostname, in round-robin fashion.

//Configuration

1. Create CNAME “www” point to webserverfarm

2. Create A record webserverfarm 10.1.1.1

3. Create A Record webserverfarm 10.1.1.2
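Added example, not from the original notes: the CNAME, MX and round-robin sections above done with the DnsServer module. The record names and addresses (webserverfarm, 10.1.1.1, 10.1.1.2) are the ones from the notes; mail.cisco.com, mail2.cisco.com and the zone cisco.com are placeholders I chose.

```powershell
# Added example (not from the original notes). Assumes the DnsServer module on the
# primary for cisco.com; mail.cisco.com / mail2.cisco.com are made-up names.
Import-Module DnsServer

# Two A records with the same name form the pool; the CNAME is the public name,
# so the real host names never appear in what clients ask for.
Add-DnsServerResourceRecordA -Name "webserverfarm" -ZoneName "cisco.com" -IPv4Address "10.1.1.1"
Add-DnsServerResourceRecordA -Name "webserverfarm" -ZoneName "cisco.com" -IPv4Address "10.1.1.2"
Add-DnsServerResourceRecordCName -Name "www" -ZoneName "cisco.com" -HostNameAlias "webserverfarm.cisco.com"

# Mail: the lower preference value wins, so 10 is tried before 20.
Add-DnsServerResourceRecordMX -Name "." -ZoneName "cisco.com" -MailExchange "mail.cisco.com"  -Preference 10
Add-DnsServerResourceRecordMX -Name "." -ZoneName "cisco.com" -MailExchange "mail2.cisco.com" -Preference 20

# Round robin is on by default; this shows the setting and forces it on
# (dnscmd /config /RoundRobin 1 does the same thing).
Get-DnsServerSetting -All | Select-Object RoundRobin
dnscmd /config /RoundRobin 1

# Each query rotates the answer order: run it a few times and watch 10.1.1.1/10.1.1.2 swap.
1..3 | ForEach-Object {
    (Resolve-DnsName -Name "www.cisco.com" -Type A -Server "127.0.0.1" -DnsOnly |
        Where-Object Type -eq "A").IPAddress -join ", "
}

# Mail servers as a sender would see them, ordered by preference
Resolve-DnsName -Name "cisco.com" -Type MX -Server "127.0.0.1" -DnsOnly |
    Sort-Object Preference | Format-Table Name, Preference, NameExchange -AutoSize
```

Round robin only rotates the list; it does not notice a dead server, so a host that is down keeps being handed out until its A record is removed.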

—Forward Lookup Zones

If you have child domains, point their forward lookup zones to the parent DNS server.

Point the root domain's DNS server to the public DNS server.

Conditional forwarders take precedence over forwarders.

Forwarders take precedence over root hints and are used instead of them.

Root hints are only used if the forwarder does not respond or no forwarder is configured.
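Added example, not from the original notes: the forwarder and root-hint settings behind the precedence rules above, using the DnsServer module. The parent address 10.0.0.5 is a placeholder I chose; 9.9.9.9 / 149.112.112.112 are the public Quad9 resolvers, used here only as an example of "the public DNS server".

```powershell
# Added example (not from the original notes). Assumes the DnsServer module;
# 10.0.0.5 (parent DNS server) is made up, the public resolvers are Quad9.
Import-Module DnsServer

# Child-domain DNS server: send everything it is not authoritative for to the parent,
# and never fall back to root hints (so resolution stays inside the organisation).
Set-DnsServerForwarder -IPAddress "10.0.0.5" -UseRootHint $false

# Root-domain DNS server: forward to the public resolvers; root hints are used only
# if no forwarder answers within the timeout.
Set-DnsServerForwarder -IPAddress "9.9.9.9", "149.112.112.112" -UseRootHint $true -Timeout 3

# What this server consults, in order:
# 1. conditional forwarders (zones of type "Forwarder")
Get-DnsServerZone | Where-Object ZoneType -eq "Forwarder" |
    Format-Table ZoneName, MasterServers -AutoSize
# 2. the forwarder list
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint, Timeout
# 3. root hints, last resort
Get-DnsServerRootHint | Select-Object -First 3
```

Turning off UseRootHint on internal servers is the setting worth checking in a review: with it on, a failed forwarder silently turns the server into a full recursive resolver talking to the Internet.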

—Delegation Zones

We can break out different sub-domain spaces over multiple DNS servers.

Good for load balancing.

//Configuration

  1. Create the primary zone (non-AD-integrated) on the secondary DNS server: "melbourne.cloud2tech.com.au"
  2. Create the primary zone on the primary DNS server: "cloud2tech.com.au"
  3. Right click "cloud2tech.com.au" -> Delegate zone "melbourne.cloud2tech.com.au"
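Added example, not from the original notes: the three delegation steps above with the DnsServer module, using the cloud2tech.com.au names from the notes. The name server ns1, its address 10.2.0.5 and the parent server's address 10.1.0.5 are placeholders I chose.

```powershell
# Added example (not from the original notes). Zone names are from the notes;
# ns1, 10.2.0.5 (Melbourne server) and 10.1.0.5 (parent server) are made up.
Import-Module DnsServer

# 1. On the Melbourne server: primary zone for the sub-domain and its own name server record
Add-DnsServerPrimaryZone -Name "melbourne.cloud2tech.com.au" -ZoneFile "melbourne.cloud2tech.com.au.dns"
Add-DnsServerResourceRecordA -Name "ns1" -ZoneName "melbourne.cloud2tech.com.au" -IPv4Address "10.2.0.5"

# 2. On the parent server: the parent zone
Add-DnsServerPrimaryZone -Name "cloud2tech.com.au" -ZoneFile "cloud2tech.com.au.dns"

# 3. On the parent server: hand the sub-domain to the Melbourne name server.
#    This writes an NS record for "melbourne" plus a glue A record for ns1.
Add-DnsServerZoneDelegation -Name "cloud2tech.com.au" -ChildZoneName "melbourne" `
    -NameServer "ns1.melbourne.cloud2tech.com.au" -IPAddress "10.2.0.5"

# Inspect the delegation
Get-DnsServerZoneDelegation -Name "cloud2tech.com.au" |
    Format-List ChildZoneName, NameServer, IPAddress

# A query to the parent for a Melbourne name now follows the referral to ns1
Resolve-DnsName -Name "ns1.melbourne.cloud2tech.com.au" -Server "10.1.0.5" -DnsOnly
```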

—Ports

Zone transfers take place over TCP 53.

Normal DNS queries take place over UDP 53.

—SRV Records

SRV records are the domain controller locator records used to find the closest domain controller (by site) to the user.

They are stored under _msdcs.nuggetlab.com -> _tcp.

//Help! Someone has messed with my SRV records and they are missing

1. nltest /dsregdns
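Added example, not from the original notes: listing the domain controller SRV records, issuing the lookup a client performs, and re-registering the records when they are missing. It uses the nuggetlab.com name from the notes and assumes the DnsServer module on a domain controller that also runs DNS.

```powershell
# Added example (not from the original notes). Assumes the DnsServer module on a
# DC/DNS server for nuggetlab.com.
Import-Module DnsServer

# Every SRV record the domain zone holds: LDAP, Kerberos, global catalog, etc.
Get-DnsServerResourceRecord -ZoneName "nuggetlab.com" -RRType Srv |
    Select-Object HostName,
        @{ n = "Target";   e = { $_.RecordData.DomainName } },
        @{ n = "Port";     e = { $_.RecordData.Port } },
        @{ n = "Priority"; e = { $_.RecordData.Priority } } |
    Format-Table -AutoSize

# The lookup a client issues to find an LDAP-capable DC for the domain
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.nuggetlab.com" -Type SRV -DnsOnly

# Records missing or tampered with: have Netlogon re-register them, then re-check.
nltest /dsregdns
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.nuggetlab.com" -Type SRV -DnsOnly

# Fallback if nltest reports an error: Netlogon registers the records when it starts.
Restart-Service Netlogon
```

Missing or altered SRV records send clients to the wrong DC (or none at all), so a periodic comparison of this list against the known DC set is a cheap integrity check.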

—–Two Way Trust between domains

DNS Setup

Open the DNS manager on the first server

Expand the Forward Lookup Zones, right click on the primary zone (e.g. domain1.local) and click properties.

Go to the Zone Transfers tab and allow zone transfers either to all servers (unsecure) or only to the IP of the second server (type it in and allow access to that server).

Expand the Reverse Lookup Zones, right click on the primary zone (e.g. 10.10.10.in-addr.arpa) and click properties.

Go to the Zone Transfers tab and allow zone transfers either to all servers (unsecure) or only to the IP of the second server (type it in and allow access to that server).

Open the DNS manager on the second server.

Expand the Forward Lookup Zones, right click on the primary zone (e.g. domain2.local) and click properties.

Go to the Zone Transfers tab and allow zone transfers either to all servers (unsecure) or only to the IP of the first server (type it in and allow access to that server).

Expand the Reverse Lookup Zones, right click on the primary zone (e.g. 11.11.11.in-addr.arpa) and click properties.

Go to the Zone Transfers tab and allow zone transfers either to all servers (unsecure) or only to the IP of the first server (type it in and allow access to that server).

On the first server, create a secondary zone in the Forward Lookup Zones naming it after the domain on the second server (e.g. domain2.local).

When asked, set the master server as the IP of the second server.

In the Reverse Lookup Zone, create a secondary zone named after the primary zone of the second server (e.g. 11.11.11.in-addr.arpa).

When asked, set the master server as the IP of the second server.

On the second server, create a secondary zone in the Forward Lookup Zones naming it after the domain on the first server (e.g. domain1.local).

When asked, set the master server as the IP of the first server.

In the Reverse Lookup Zone, create a secondary zone named after the primary zone of the first server (e.g. 10.10.10.in-addr.arpa).

When asked, set the master server as the IP of the first server.

DNS should now be replicated across both domains. You can test it by pinging a FQDN computer name, (e.g. ping server.domain1.local). If you receive a response then it’s working correctly.
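Added example, not from the original notes: the whole DNS part of the procedure above as one script, applied symmetrically to both servers. It uses the zone names from the notes (domain1.local, domain2.local, 10.10.10.in-addr.arpa, 11.11.11.in-addr.arpa); the server addresses 10.10.10.1 and 11.11.11.1 are placeholders I chose. It assumes the DnsServer module and admin rights on both servers from the machine running it, and it takes the secure option (transfers only to the peer's IP) rather than "all servers".

```powershell
# Added example (not from the original notes). Server addresses are made up; zone
# names are the ones used in the notes. Runs remotely via -ComputerName on both servers.
Import-Module DnsServer

$a = @{ Ip = "10.10.10.1"; Zones = @("domain1.local", "10.10.10.in-addr.arpa") }
$b = @{ Ip = "11.11.11.1"; Zones = @("domain2.local", "11.11.11.in-addr.arpa") }

function Set-PeerTransfer($local, $peer) {
    # On $local: allow only $peer to pull our primary zones, and notify it of changes.
    foreach ($z in $local.Zones) {
        Set-DnsServerPrimaryZone -ComputerName $local.Ip -Name $z `
            -SecureSecondaries "TransferToSecureServers" -SecondaryServers $peer.Ip `
            -Notify "NotifyServers" -NotifyServers $peer.Ip
    }
}

function Add-PeerSecondaryZone($local, $peer) {
    # On $local: read-only copies of $peer's zones, pulled from $peer over TCP 53.
    foreach ($z in $peer.Zones) {
        Add-DnsServerSecondaryZone -ComputerName $local.Ip -Name $z `
            -ZoneFile "$z.dns" -MasterServers $peer.Ip
        Start-DnsServerZoneTransfer -ComputerName $local.Ip -Name $z -FullTransfer
    }
}

# Permissions first on both sides, then the secondary zones, so the first transfer is not refused.
Set-PeerTransfer $a $b
Set-PeerTransfer $b $a
Add-PeerSecondaryZone $a $b
Add-PeerSecondaryZone $b $a

# Verify: each server answers for the other's names (the "ping server.domain1.local" test)
Resolve-DnsName -Name "server.domain1.local" -Server $b.Ip -DnsOnly
Resolve-DnsName -Name "server.domain2.local" -Server $a.Ip -DnsOnly
```

Ordering matters: the transfer permission on the master must exist before the secondary's first pull, which is why the script applies Set-PeerTransfer to both servers before creating any secondary zone.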

Two Way Trust Set Up

On the first server, open Active Directory Domains and Trusts from the Administrative Tools area in Control Panel.

Right click on the domain name and click Properties.

Navigate to the Trusts tab and click New Trust at the bottom.

The Trust wizard will appear; press Next, type in the FQDN address of the second server (e.g. server.domain2.local) and press Next.

Choose Realm Trust and press Next.

For Trust Transitivity choose Nontransitive.

For the direction choose Two-way and press Next.

Type a password for the trust twice and press Next and Next again on the next tab.

Press Finish.

On the second server, open Active Directory Domains and Trusts from the Administrative Tools area in Control Panel.

Right click on the domain name and click Properties.

Navigate to the Trusts tab and click New Trust at the bottom.

The Trust wizard will appear; press Next, type in the FQDN address of the first server (e.g. server.domain1.local) and press Next.

Choose Realm Trust and press Next.

For Trust Transitivity choose Nontransitive.

For the direction choose Two-way and press Next.

Type a password for the trust twice (not sure if this needs to be the same as the password on the other server, I usually set it the same) and press Next and Next again on the next tab.

Press Finish.

All done, you now have a two way trust set up!
