
Microsoft Windows Server 2003 DNS Stub Zones and Conditional Forwarding

Tim Rains, Technical Lead, Networking Team, EPS Server Platforms, PSS, Microsoft Corporation

DNS Stub Zones and Conditional Forwarding


Presentation Content

- Stub Zones
- Conditional Forwarding

Stub Zones: Background Information

DNS clients send two types of queries

Iterative queries:

- The client expects the best answer the server already has
- The DNS server does not query other DNS servers
- The server may refer the client to another DNS server
- Typically sent by DNS servers, not by Microsoft Windows clients

Stub Zones: Background Information

Iterative Queries (diagram): DNS Server A is authoritative for .local, DNS Server B for reskit.local, and DNS Server C for ad.reskit.local.

1. The DNS server/client sends an iterative query for ad.reskit.local to DNS Server A (.local).
2. Response from Server A: referral, ask DNS Server B.
3. Iterative query for ad.reskit.local to DNS Server B (reskit.local).
4. Response from Server B: referral, ask DNS Server C.
5. Iterative query for ad.reskit.local to DNS Server C (ad.reskit.local).
6. Response from Server C: the answer.

Stub Zones: Background Information

DNS clients send two types of queries

Recursive queries:

- The client expects the answer or an error
- The DNS server may query other DNS servers
- The server should not refer the client to another DNS server
- Can be sent by both DNS servers and Windows clients

Stub Zones: Background Information

Recursive Queries (diagram): the client hands the query to Local DNS, which does the iterative work.

1. The DNS server/client sends a recursive query for ad.reskit.local to Local DNS.
2. Local DNS sends iterative queries for ad.reskit.local to DNS Server A (.local), then DNS Server B (reskit.local), then DNS Server C (ad.reskit.local), following each referral.
3. Response from Server C to Local DNS: the answer.
4. Response from Local DNS to the client: the answer.

Stub Zones

A stub zone is:

- Used to maintain or improve the efficiency of DNS name resolution
- A read-only copy of a zone containing only specific resource records
- A zone whose records identify the authoritative DNS servers for the domain

Stub Zones (2)

Stub zones contain only:

- The Start of Authority (SOA) record
- Name Server (NS) records
- Glue (A) records

The administrator of a stub zone cannot modify its resource records; changes must be made in the original primary zone.

Stub Zones (3)


- The client sends a recursive query to the DNS server hosting the stub zone
- The DNS server uses the stub zone's resource records to help resolve the query
- The stub zone identifies the authoritative DNS servers for the original zone
- The DNS server queries those authoritative servers without having to find them first

Stub Zones

Iterative Query with Stub Zone (diagram): DNS Server A (.local) hosts a stub zone for ad.reskit.local containing the SOA record, an NS record for Server C, and an A (glue) record with the IP of Server C.

1. The DNS server/client sends an iterative query for ad.reskit.local to DNS Server A.
2. Response from Server A: referral, ask DNS Server C (taken from the stub zone rather than from the delegation chain).
3. Iterative query for ad.reskit.local to DNS Server C (ad.reskit.local).
4. Response from Server C: the answer.

DNS Server B (reskit.local) is not used.

Stub Zones: Background Information

Recursive Query with Stub Zone (diagram): Local DNS hosts a stub zone for ad.reskit.local containing the SOA record, an NS record for Server C, and an A (glue) record with the IP of Server C.

1. The DNS server/client sends a recursive query for ad.reskit.local to Local DNS.
2. Local DNS sends an iterative query for ad.reskit.local directly to DNS Server C (ad.reskit.local).
3. Response from Server C to Local DNS: the answer.
4. Response from Local DNS to the client: the answer.

DNS Server A (.local) and DNS Server B (reskit.local) are not used.

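To make the two diagrams concrete, here is a small Python simulation, added for this page and not part of the original WebCast or of Microsoft's DNS server code, of how a resolver walks the referral chain with and without a stub zone. The server labels and zone layout follow the slides; the IP addresses, the record contents and the referral-handling logic are constructed assumptions. resolve() returns the answer together with the list of servers contacted, so the hop the stub zone saves is visible directly.

```python
"""Toy resolver: referral chain with and without a stub zone.

Added example for this page; not Microsoft DNS code. Server labels and
zone layout (.local -> Server A, reskit.local -> Server B,
ad.reskit.local -> Server C) follow the slide diagrams. The IP addresses
and record contents are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class AuthServer:
    name: str
    zone: str                                  # zone this server is authoritative for
    records: Dict[str, str]                    # fqdn -> IPv4 for names in that zone
    delegations: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # child zone -> (server, glue IP)


# Constructed authoritative servers, labelled as in the slides.
SERVERS = {
    "A": AuthServer("A", "local", {}, {"reskit.local": ("B", "10.0.0.2")}),
    "B": AuthServer("B", "reskit.local", {"www.reskit.local": "10.0.0.20"},
                    {"ad.reskit.local": ("C", "10.0.0.3")}),
    "C": AuthServer("C", "ad.reskit.local", {"dc1.ad.reskit.local": "10.0.0.30"}),
}
ROOT_HINT = ("A", "10.0.0.1")   # where a lookup starts when nothing better is known


def in_zone(qname: str, zone: str) -> bool:
    return qname == zone or qname.endswith("." + zone)


def iterative_query(server: AuthServer, qname: str):
    """One iterative query: the server answers, refers, or says no, but never recurses."""
    if qname in server.records:
        return "answer", server.records[qname]
    # Refer to the longest delegated child zone that contains qname.
    matches = [(len(z), t) for z, t in server.delegations.items() if in_zone(qname, z)]
    if matches:
        return "referral", max(matches)[1]
    return "nxdomain", None


def resolve(qname: str, stub_zones: Optional[Dict[str, Tuple[str, str]]] = None):
    """Recursive resolution from the local DNS server's point of view.

    stub_zones maps a zone name to (NS server, glue IP), i.e. the content
    of a stub zone (SOA + NS + glue A). Returns (answer, servers contacted).
    """
    stub_zones = stub_zones or {}
    # A stub zone names the authoritative server, so the walk starts there
    # instead of at the root hints. Pick the most specific stub zone.
    start = ROOT_HINT
    best = -1
    for zone, target in stub_zones.items():
        if in_zone(qname, zone) and len(zone) > best:
            start, best = target, len(zone)
    contacted: List[str] = []
    current = start
    for _ in range(10):                  # bound the walk in case of a referral loop
        server = SERVERS[current[0]]
        contacted.append(server.name)
        kind, data = iterative_query(server, qname)
        if kind == "answer":
            return data, contacted
        if kind == "referral":
            current = data
            continue
        return None, contacted
    raise RuntimeError("referral loop")


if __name__ == "__main__":
    stub = {"ad.reskit.local": ("C", "10.0.0.3")}   # SOA/NS/A content of the stub zone
    print(resolve("dc1.ad.reskit.local"))           # walks A -> B -> C
    print(resolve("dc1.ad.reskit.local", stub))     # goes straight to C
```

Note that a query for a name under reskit.local but outside ad.reskit.local still takes the normal path: the stub zone only shortcuts names that fall inside the zone it describes.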
Stub Zones: When to Use Them

Using Windows 2000 DNS

- Delegate responsibility for a child domain from the parent domain's DNS server to the child domain's DNS server
- The server hosting the child domain can use root hints to locate names in the parent domain
- The delegation must be updated manually on the parent DNS server as DNS servers are added to the child domain

Stub Zones: When to Use Them (2)

Using Windows Server 2003 DNS

Stub zones do not remove the requirement for delegations:

- Stub zone data doesn't transfer during zone transfers the way delegation information does
- It can be dangerous to use a stub zone instead of a delegation
- If the parent zone is transferred without delegation information, how will the server find the child zones?

Stub Zones: When to Use Them (3)

Using Windows Server 2003 DNS

In most cases do not use stub zones and delegations together:

- Using stub zones where typical delegations are enough is overkill
- The name server will use the stub zone first and ignore the delegation
- Can cause confusion when administering DNS

Stub Zones: When to Use Them (4)

Using Windows Server 2003 DNS

- Use stub zones when the problem cannot be solved by using delegation
- Environments with disjoint namespaces may benefit from stub zones
- Contiguous namespaces typically will not benefit from stub zones

Stub Zones: Updates

Stub zones are updated automatically. There are also three manual update options when you right-click a stub zone in the DNS MMC:

- Reload
- Transfer from Master
- Reload from Master

Stub Zones: Updates (2)

Reload

- Reloads the stub zone from the local DNS server's own storage
- For a standard zone it loads the .dns file in the Windows\system32\dns directory
- For an Active Directory-integrated zone it loads from Active Directory

Stub Zones: Updates (3)

Transfer from Master

- Checks whether the stub zone has expired by examining the local SOA record
- If the SOA has expired, performs a zone transfer from the stub zone's master DNS server
- Queries the master for the SOA, NS, and A resource records

Stub Zones: Updates (4)

Reload from Master

- Performs a zone transfer from the stub zone's master DNS server
- Local SOA record expiration is not considered

Stub Zones: Updates (5)

Can also update a stub zone using dnscmd.exe:

- dnscmd /ZoneReload = Reload
- dnscmd /ZoneUpdateFromDS = Reload (Active Directory-integrated stub zones)
- dnscmd /ZoneRefresh = Transfer from Master

There is no dnscmd command for Reload from Master.

Stub Zones: Masters


- Same concept as the primary/secondary distributed zone model
- The DNS server hosting the stub zone contacts the zone master for a zone transfer
- A master server may be a primary or a secondary server for the actual zone

Stub Zones: Masters (2)

- Can configure a list of masters for a single stub zone
- Use of master servers is prioritized according to their position in the list

Stub Zones: Masters (3)

Active Directory-integrated stub zones have an additional option:

Use the list above as local list of masters

- Permits admins to specify which master servers this server transfers the stub zone from
- Example: DNS servers in the same site

Stub Zones: Masters (4)


- Stub zones potentially have two lists of masters
- The default list is stored in Active Directory
- Administrators can also specify a local master list:
  - Stored in the registry only on the server where it is set
  - Overrides the list stored in Active Directory
  - Permits a server to have a list of masters different from all other servers hosting the same Active Directory-integrated stub zone

Stub Zones: Masters (5)


- The check box in the GUI toggles a registry value
- The DNS server first checks for LocalMasterServers in the registry
- If that value is missing or empty it uses the MasterServers value instead
- Both values are located in this key (one subkey, shown on one line):

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones\<zonename>

Stub Zones: Masters (6)

- The MasterServers value contains the list of masters used by all DNS servers hosting the stub zone
- Only on servers where a LocalMasterServers list is set does it override the MasterServers list
- Can also configure using dnscmd.exe:

dnscmd /ZoneResetMasters <zonename> [/Local] [MasterIPAddress ...]

With /Local the command sets the local master list on that server only; without it, the shared MasterServers list is changed.

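The refresh behaviour from the Updates slides (Transfer from Master honouring SOA expiry, Reload from Master ignoring it, masters tried in list order) and the master-list precedence from the Masters slides, as one Python model added for this page. It is not Microsoft DNS code: the two lists are modelled on the registry values the slides name (MasterServers and LocalMasterServers), while the IP addresses, SOA timers, serial numbers, clock values and the "reachable" set are constructed assumptions.

```python
"""Simulated stub-zone refresh and master-list selection.

Added example for this page; not Microsoft DNS code. The two master
lists are modelled on the registry values the slides name (MasterServers
in Active Directory, LocalMasterServers in the local registry); the IP
addresses, SOA timers, serial numbers and clock values are constructed.
"""
from typing import Dict, List, Optional, Set


def effective_masters(cfg: Dict[str, List[str]]) -> List[str]:
    """LocalMasterServers wins when present and non-empty, else MasterServers."""
    local = cfg.get("LocalMasterServers") or []
    return list(local) if local else list(cfg.get("MasterServers") or [])


class StubZone:
    def __init__(self, name: str, soa_serial: int, expire: int, loaded_at: int):
        self.name = name
        self.soa_serial = soa_serial
        self.expire = expire          # SOA expire interval, seconds
        self.loaded_at = loaded_at    # when the local copy was last transferred
        self.ns: List[str] = []
        self.glue: Dict[str, str] = {}

    def expired(self, now: int) -> bool:
        """What 'Transfer from Master' checks: has the local SOA run past expire?"""
        return now - self.loaded_at > self.expire


# Constructed: the SOA/NS/A set any master (primary or secondary) would return.
MASTER_DATA = {"serial": 2003101502,
               "ns": ["dc1.ad.reskit.local"],
               "glue": {"dc1.ad.reskit.local": "10.0.0.30"}}


def zone_transfer(zone: StubZone, masters: List[str], reachable: Set[str], now: int) -> Optional[str]:
    """Try masters in list order; the first reachable one supplies SOA, NS and glue."""
    for ip in masters:
        if ip in reachable:
            zone.soa_serial = MASTER_DATA["serial"]
            zone.ns = list(MASTER_DATA["ns"])
            zone.glue = dict(MASTER_DATA["glue"])
            zone.loaded_at = now
            return ip
    return None


def transfer_from_master(zone: StubZone, cfg, reachable: Set[str], now: int) -> str:
    """Transfer only if the local SOA says the copy has expired."""
    if not zone.expired(now):
        return "fresh"
    return zone_transfer(zone, effective_masters(cfg), reachable, now) or "failed"


def reload_from_master(zone: StubZone, cfg, reachable: Set[str], now: int) -> str:
    """Unconditional transfer; SOA expiry is not considered."""
    return zone_transfer(zone, effective_masters(cfg), reachable, now) or "failed"


if __name__ == "__main__":
    cfg = {"MasterServers": ["10.0.0.3", "10.0.0.4"], "LocalMasterServers": []}
    z = StubZone("ad.reskit.local", soa_serial=1, expire=3600, loaded_at=0)
    print(transfer_from_master(z, cfg, {"10.0.0.3"}, now=100))    # fresh: nothing transferred
    print(transfer_from_master(z, cfg, {"10.0.0.4"}, now=5000))   # 10.0.0.4: first master down, second used
    cfg["LocalMasterServers"] = ["10.0.0.9"]                       # local override on this server only
    print(reload_from_master(z, cfg, {"10.0.0.3"}, now=5001))     # failed: only 10.0.0.9 is consulted now
```

The last call is the point of the local list: once LocalMasterServers is set on a server, the shared Active Directory list is not consulted there at all, so a stale or empty local list silently stops that one server from refreshing the stub zone.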


Conditional Forwarding: Background Information

DNS can be configured to forward queries to other DNS servers

- The DNS server forwards any query it can't answer itself
- It checks its zone data and cache first, then forwards

Conditional Forwarding: Background Information (2)

- Windows 2000 has a configurable forwarder list
- The list is global: it applies to all queries sent to the DNS server

Conditional Forwarding: Background Information (3)

Several drawbacks to conventional DNS forwarding:

- Forwarders are a single point of failure
- High load and heavy lifting on the forwarders
- Forwarders receive recursive queries
- The implementation is inflexible in many scenarios
- Good for small networks and simple namespaces

Conditional Forwarding

- New feature in Windows Server 2003 DNS
- Allows forwarding to DNS servers based on the queried domain name
- Examples, forward queries for:
  - reskit.local to 10.0.0.1
  - ad.reskit.local to 169.254.33.9, 169.254.8.22 and 169.254.8.77

Conditional Forwarding (2)

- Each domain name used for forwarding is associated with a forwarders list
- If the DNS server can't resolve the name itself, it uses that forwarders list:
  - Checks zone data and cache for an answer
  - Then uses the forwarders list to resolve

Conditional Forwarding: Background Information


(Screenshot: the conditional forwarders list, with domain names associated with forwarders lists.) Queries for reskit.local are forwarded to 10.0.0.1.

Conditional Forwarding: Background Information (2)

(Screenshot.) Queries for ad.reskit.local are forwarded to different servers; the query time-out period is set per domain name, in seconds; the server list can be re-ordered manually.

Conditional Forwarding: Background Information (3)

(Screenshot.) Queries for all other domains are forwarded to 192.168.1.100.

Conditional Forwarding

- The DNS server compares the queried name to the list of domain name conditions
- It uses the longest domain name condition that matches the queried name

Conditional Forwarding (2)

Example query: host.na.ad.reskit.local. Compare to:

- reskit.local
- ad.reskit.local

The longest matching domain name condition is ad.reskit.local, so the query is forwarded to that domain's forwarders list, starting with 169.254.33.9 (the first server in the list; the remaining servers are tried in order if it does not respond within the time-out).

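The longest-match rule and the resolution order the slides give (zone data, then cache, then the forwarders list for the matching condition), as a Python model added for this page; it is not Microsoft DNS code. The domain conditions and forwarder addresses are the ones on the slides; the time-outs, the per-domain "do not use recursion" (ForwarderSlave) settings, the zone and cache contents and which forwarders respond are constructed. It goes slightly beyond the slide by also showing what happens when every forwarder for a condition fails, with and without recursion disabled for that domain.

```python
"""Conditional forwarder selection as the slides describe it.

Added example for this page; not Microsoft DNS code. Conditions and
forwarder IPs come from the slides; time-outs, slave flags, zone/cache
contents and the set of responding forwarders are constructed.
"""
from typing import Dict, Optional, Tuple

# condition -> (ordered forwarders, time-out in seconds, slave)
# "" is the unconditional entry (all other domains). slave=True models the
# per-domain "do not use recursion" setting (ForwarderSlave in the registry).
FORWARDERS = {
    "reskit.local":    (["10.0.0.1"], 5, False),
    "ad.reskit.local": (["169.254.33.9", "169.254.8.22", "169.254.8.77"], 5, True),
    "":                (["192.168.1.100"], 5, False),
}


def match_condition(qname: str, table=FORWARDERS) -> str:
    """Return the longest domain condition that qname equals or falls under.

    Matching is on whole labels: 'adreskit.local' does not match 'reskit.local'.
    An empty string means no specific condition matched, so the
    unconditional forwarders apply.
    """
    q = qname.lower().rstrip(".")
    best = ""
    for cond in table:
        if cond and (q == cond or q.endswith("." + cond)) and len(cond) > len(best):
            best = cond
    return best


def resolve(qname: str, zone_data: Dict[str, str], cache: Dict[str, str],
            responding: Dict[str, Dict[str, str]], table=FORWARDERS) -> Tuple[Optional[str], str]:
    """Order from the slides: zone data, then cache, then forwarders.

    responding maps a forwarder IP to the answers it would return; a
    forwarder absent from it is treated as timing out. Returns
    (answer, source) where source says which step produced the result.
    """
    q = qname.lower().rstrip(".")
    if q in zone_data:
        return zone_data[q], "zone"
    if q in cache:
        return cache[q], "cache"
    cond = match_condition(q, table)
    fwd_list, timeout, slave = table[cond]
    for ip in fwd_list:                  # tried in configured order
        if ip in responding:             # each would get `timeout` seconds in the real server
            return responding[ip].get(q), "forwarder %s (%s)" % (ip, cond or "all other domains")
    if slave:
        return None, "failed (recursion disabled for this domain)"
    return None, "fallback to recursion via root hints"


if __name__ == "__main__":
    # Constructed: 169.254.33.9 is down, so the second forwarder answers.
    responding = {"169.254.8.22": {"host.na.ad.reskit.local": "10.1.1.5"},
                  "192.168.1.100": {"www.example.com": "203.0.113.10"}}
    print(match_condition("host.na.ad.reskit.local"))        # ad.reskit.local
    print(resolve("host.na.ad.reskit.local", {}, {}, responding))
    print(resolve("www.example.com", {}, {}, responding))     # unconditional forwarder
    print(resolve("www.reskit.local", {}, {}, {}))            # all forwarders down, recursion allowed
```

The slave flag is the security-relevant knob: with it set, a domain whose forwarders are unreachable simply fails instead of the server quietly resolving it itself via root hints, which is usually what you want for an internal namespace that must never be looked up on the Internet.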

Conditional Forwarding Background Information

- Query time-out period set per domain name, in seconds
- Re-order the server list manually
- Can disable recursion on each domain in the forwarders list

Conditional Forwarding: Background Information (2)

- Disabling recursion on the server disables forwarders
- The option is under the Advanced tab of the server properties

Conditional Forwarding

Related registry values, all located under this key (one subkey, shown on one line):

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones\<zonename>

- ForwarderSlave: toggles recursion for a domain (when set, the server does not fall back to recursion if the forwarders for that domain fail)
- ForwarderTimeout: sets the forwarder time-out for a domain, in seconds
- MasterServers: the ordered list of forwarders for a domain

Conditional Forwarding: When to Use

Use conditional forwarding when the problem cannot be solved using:

- A shared root
- Secondary zones
- Standard forwarding

Environments with disjoint namespaces may benefit. Environments with namespace issues caused by perimeter network (DMZ) implementations, for example, may also benefit.

Thank you for joining today's Microsoft Support WebCast.

For information about all upcoming Support WebCasts, and access to the archived content (streaming media files, PowerPoint slides, and transcripts), visit: http://support.microsoft.com/webcasts/ Your feedback is sincerely appreciated. Please send any comments or suggestions about the Support WebCasts to supweb@microsoft.com.
