Windows Server DNS Settings Notes
This article is based on the notes I have taken during a course I have completed on configuring and troubleshooting Windows Server DNS. I wanted to take better notes so I promised myself to publish them once I completed the course. The course where this was taken from is: Advanced DNS name resolution | LinkedIn Learning
Shout out to Ed Liberman, great teacher and content!
DNS Zones
DNS Zone: A zone can be a domain or a subdomain; each is its own zone (landonhotel.local is one zone, child.landonhotel.local is another zone).
Primary Zone: Holds the authority over a zone (an SOA record, the Start of Authority record, is created in the primary zone).
Secondary Zone: Only receives information from the primary zone. Used for redundancy (the primary zone must allow zone transfers to it).
Zone Transfer: Transfers the records of a DNS zone to other DNS servers. Newer versions of Windows Server (2016+) send only the records that were updated to the secondary servers, instead of the whole database as before.
Authoritative DNS: The server holds the official records and can respond with definitive answers for that domain.
DNS Type Settings and Replication
It is recommended to use an Active Directory integrated zone.
AD Integrated Zone (DNS Type): The database is stored in a DNS partition within Active Directory. An integrated zone also replicates through Active Directory across the domain.
Local DNS (DNS Type): This is the least secure option.
DNS records are saved locally in a file located at C:\Windows\System32\DNS
Dynamic updates
Secure Dynamic Updates: Only authorized domain-joined computers and users can update DNS records (A records). The secure option is only available on an AD integrated zone.
Non-Secure Dynamic Updates: Any device can update DNS records without authentication.
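An added example (not from the course notes) that audits the two settings above on a Windows DNS server: which primary zones still accept non-secure dynamic updates, and which hand their database to any server that asks for a zone transfer. It assumes the DnsServer PowerShell module; the secondary server IP is a constructed placeholder.

```powershell
# Added example: find primary zones with weak update/transfer settings and fix them.
# Assumes the DnsServer module (Windows Server with the DNS Server role).
Import-Module DnsServer

function Get-WeakDnsZone {
    # Returns zones that allow non-secure dynamic updates or unrestricted zone transfers.
    Get-DnsServerZone |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            [pscustomobject]@{
                ZoneName          = $_.ZoneName
                IsDsIntegrated    = $_.IsDsIntegrated
                DynamicUpdate     = $_.DynamicUpdate      # None | NonsecureAndSecure | Secure
                SecureSecondaries = $_.SecureSecondaries  # NoTransfer | TransferAnyServer | TransferToZoneNameServer | TransferToSecureServers
                SecondaryServers  = ($_.SecondaryServers -join ',')
                NonSecureUpdates  = ($_.DynamicUpdate -eq 'NonsecureAndSecure')
                OpenTransfer      = ($_.SecureSecondaries -eq 'TransferAnyServer')
            }
        } |
        Where-Object { $_.NonSecureUpdates -or $_.OpenTransfer }
}

function Repair-WeakDnsZone {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        # Constructed placeholder: replace with the IPs of your real secondary servers.
        [string[]]$AllowedSecondaries = @('10.0.0.2')
    )
    $zone = Get-DnsServerZone -Name $ZoneName
    if ($zone.IsDsIntegrated) {
        # 'Secure' is only offered for AD-integrated zones, as the notes say.
        Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate Secure
    } else {
        Write-Warning "$ZoneName is file-backed; secure updates require an AD-integrated zone."
    }
    # Only the listed servers may pull the zone database.
    Set-DnsServerPrimaryZone -Name $ZoneName -SecureSecondaries TransferToSecureServers -SecondaryServers $AllowedSecondaries
}

# Report first; uncomment the second line to apply the fixes.
Get-WeakDnsZone | Format-Table -AutoSize
# Get-WeakDnsZone | ForEach-Object { Repair-WeakDnsZone -ZoneName $_.ZoneName }
```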
Zone Replication
It is mostly used for redundancy and to reduce query latency. Zone replication can keep the DNS database within Active Directory or within a file in C:\Windows\System32\DNS
Stub Zones
Useful when a client queries the primary DNS server for child.domain.local, but domain.local does not hold records for child.domain.local.
e.g. a stub zone can be added that points to DNS server XYZ and pulls only the SOA and NS records for child.domain.local; these are stored in the cache. DNS server XYZ needs zone transfers enabled and the querying server on its allowed list.
DNS Query
Simple Query: A few types of queries exist within the DNS module for Windows Server. The DNS server answers if it knows the answer; otherwise it can give the client a referral instead (check this other place instead).
Recursive Query: The server goes out and does the research on behalf of the client.
ROOT DNS
There are a total of 13 root DNS servers distributed globally, which serve as the foundation of the internet’s DNS system by handling queries for top-level domains and directing traffic efficiently.
You can look more into the Root Servers at this link.
Order DNS Query
DNS Forward
DNS Forwarding: When a DNS server receives a request for a zone it is not authoritative for, it forwards the request to its forwarder servers, or we can tick the box to pass it to the root DNS servers instead.
Conditional DNS Forwarder: We can create custom forwarding policies, e.g. whenever you receive a DNS request for a particular zone, forward it to this other DNS server instead. These rules are triggered based on the request being received.
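An added example (not from the course notes) that sets up the two mechanisms described in the Stub Zones and DNS Forward sections on a Windows DNS server and then verifies what each zone holds. The zone names and IP addresses are constructed placeholders; it assumes the DnsServer module and an AD-integrated server.

```powershell
# Added example: stub zone for a child domain plus a conditional forwarder.
Import-Module DnsServer

$childZone   = 'child.landonhotel.local'   # zone this server is NOT authoritative for
$childMaster = '10.0.1.10'                 # "DNS server XYZ", authoritative for the child (placeholder)
$partnerZone = 'partner.example'           # zone whose queries should go to a specific resolver (placeholder)
$partnerDns  = '192.0.2.53'                # that resolver (placeholder)

# Stub zone: keeps only the SOA/NS (and glue) records for the child, pulled from
# the master. The master must allow zone transfers to this server.
if (-not (Get-DnsServerZone -Name $childZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerStubZone -Name $childZone -MasterServers $childMaster -ReplicationScope Domain
}

# Conditional forwarder: "whenever you receive a request for this zone, send it
# to this other DNS server" instead of the general forwarders or root hints.
if (-not (Get-DnsServerZone -Name $partnerZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $partnerZone -MasterServers $partnerDns -ReplicationScope Domain
}

# Verify: the stub zone should now contain NS records for the child, and the
# forwarder zone should appear with ZoneType 'Forwarder' pointing at $partnerDns.
Get-DnsServerResourceRecord -ZoneName $childZone -RRType Ns
Get-DnsServerZone -Name $childZone, $partnerZone | Select-Object ZoneName, ZoneType, MasterServers
```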
DNS Cache
Before it sends the answer to the client, the server stores the answer in its cache. Anything the server has to research beyond what exists in its own zones gets cached. If another server queries the server for the same name, the DNS server does not have to process that query again.
If needed we can [Right click on the Server > Clear Cache] - There is no harm in clearing the cache.
DOS Commands:
Common useful commands that we can use when troubleshooting DNS on a client:
ipconfig /displaydns
ipconfig /flushdns
DNS Advanced Properties
DNS Round Robin: Gives the ability to have more than one server act as a single resource for a client. It acts like a load balancer and helps create a "web farm" for resilience.
Enable Netmask Ordering: Similar to round robin, but the client receives the result that is most relevant to its location (fewer hops).
Disable Recursion (also disables forwarders): The server will only answer from the records within the DNS server itself.
DNS Security
DNS Cache Locking (enabled by default: 100%): Prevents entries in the cache from being overwritten until a percentage of the TTL has expired. When a DNS server queries a resource outside its zone it caches the result for a certain time, controlled by the TTL on the record. Until the cache entry has 100% expired, it cannot be overwritten.
Change this percentage with:
dnscmd /Config /CacheLockingPercent <percent>
Set-DnsServerCache -LockingPercent <value>
DNS Socket Pool (enabled by default): Enables DNS to use randomized source ports when issuing DNS queries. This makes DNS tampering attacks much more difficult, as an attacker has to guess both the source port and the transaction ID to succeed.
dnscmd /Config /SocketPoolSize <value>
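An added example (not from the course notes) that reads the settings from this section and the recursion setting above on a Windows DNS server, warns when they are weaker than the defaults, and tightens them. It assumes the DnsServer module; reading SocketPoolSize from `Get-DnsServerSetting -All` is an assumption about that cmdlet's output, and the socket pool default of 2500 is taken from Microsoft's documentation, not from the notes.

```powershell
# Added example: audit and harden cache locking, socket pool size and recursion.
Import-Module DnsServer

function Get-DnsHardeningState {
    $cache     = Get-DnsServerCache
    $setting   = Get-DnsServerSetting -All      # assumption: exposes SocketPoolSize
    $recursion = Get-DnsServerRecursion
    [pscustomobject]@{
        CacheLockingPercent = $cache.LockingPercent    # 100 = cached RR cannot be replaced before its TTL expires
        SocketPoolSize      = $setting.SocketPoolSize  # randomized UDP source ports kept for outbound queries
        RecursionEnabled    = $recursion.Enable        # $false = answer only from own zones and cache
    }
}

function Set-DnsHardening {
    param(
        [int]$LockingPercent = 100,
        [int]$SocketPoolSize = 2500,
        [bool]$AllowRecursion = $true
    )
    Set-DnsServerCache -LockingPercent $LockingPercent
    # Socket pool size uses the dnscmd form quoted in the notes; it takes
    # effect after the DNS Server service restarts.
    & dnscmd.exe /Config /SocketPoolSize $SocketPoolSize | Out-Null
    # Turning recursion off also stops the server using its forwarders.
    Set-DnsServerRecursion -Enable $AllowRecursion
}

$state = Get-DnsHardeningState
$state
if ($state.CacheLockingPercent -lt 100) {
    Write-Warning 'Cache locking below 100%: cached records can be replaced before their TTL expires.'
}
if ($state.SocketPoolSize -lt 2500) {
    Write-Warning 'Socket pool smaller than the 2500 default: less source-port entropy per query.'
}
# Set-DnsHardening -LockingPercent 100 -SocketPoolSize 2500 -AllowRecursion $true
```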
DANE
DANE (DNS-based Authentication of Named Entities)
Uses TLSA (TLS Authentication) records that state the CA from which clients should expect a certificate. Helps prevent MitM attacks, where someone might corrupt the DNS cache, point clients to their own website and present a certificate from a different CA.
Scenario: real certificate for site.local.com signed by CA West | fake certificate for site.local.com signed by CA East.
DANE will check whether the certificate presented matches the real record in DNS, and if it is not from CA West, the connection is terminated.
DNSSEC
DNS Security Extensions
Enables a DNS zone and all records in the zone to be cryptographically signed, so that client computers can validate the response.
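An added example (not from the course notes) that signs a zone on a Windows DNS server with the default key settings, checks that the signing records exist, and performs a lookup with the DNSSEC OK bit so the signatures come back with the answer. The zone name is the course's constructed example; it assumes the DnsServer module and a www A record in that zone.

```powershell
# Added example: sign a zone with DNSSEC and confirm the signatures are served.
Import-Module DnsServer

$zone = 'landonhotel.local'   # constructed example zone from the notes

# Server side: sign the zone with default key settings (creates KSK/ZSK,
# DNSKEY, RRSIG and NSEC3 records). -Force skips the confirmation prompt.
if (-not (Get-DnsServerZone -Name $zone).IsSigned) {
    Invoke-DnsServerZoneSign -ZoneName $zone -SignWithDefault -Force
}

# Every record set in a signed zone carries an RRSIG; list them next to the keys.
$rrsig  = Get-DnsServerResourceRecord -ZoneName $zone -RRType Rrsig
$dnskey = Get-DnsServerResourceRecord -ZoneName $zone -RRType DnsKey
"RRSIG records: $(@($rrsig).Count)   DNSKEY records: $(@($dnskey).Count)"

# Client side: query with the DO bit set so the server returns the RRSIG
# alongside the A record; a validating resolver rejects answers whose
# signature does not verify against the zone's DNSKEY.
$answer = Resolve-DnsName -Name "www.$zone" -Type A -DnssecOk -Server 127.0.0.1
$answer | Format-Table Name, Type, TTL -AutoSize
if (-not ($answer | Where-Object Type -eq 'RRSIG')) {
    Write-Warning "No RRSIG returned for www.$zone; the zone may not be signed or the server ignored the DO bit."
}
```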
Resource Record
Let me know any other important aspects of DNS config I have missed, we learn more when we share.