Chapter 4 PLANNING A NAME RESOLUTION STRATEGY

CHAPTER OVERVIEW
• Describe the structure of the DNS architecture.
• Explain the DNS name resolution process.
• Create an effective DNS domain hierarchy.
• Install and configure a Windows Server 2003 DNS server.
• Install and configure a WINS server.

WHAT IS NAME RESOLUTION?
• Name resolution is the process of translating easy-to-remember host names, such as www.microsoft.com, into the IP addresses that are used by network protocols.
• Without name resolution, you would have to remember the IP address of every host that you wanted to communicate with.
• Name resolution requests can be embedded within applications and services, such as those that locate a server that can authenticate a logon.

WHAT TYPES OF NAMES NEED TO BE RESOLVED?
• Domain Name System (DNS) names
• Network Basic Input/Output System (NetBIOS) names

WHAT IS A HOST NAME?
• A friendly name used to identify a host on a TCP/IP network
• Can be assigned to a server, printer, client workstation, router, or any other device that is connected to the network
• Must be unique within its domain, but can be duplicated in different domains

RESOLVING HOST NAMES
• Host names can be resolved through a text file called hosts.
• On a Windows Server 2003 system, the hosts file is located in the %systemroot%\system32\drivers\etc folder.
• Entries can be made in the file using a text editor like Notepad, Edit, or WordPad.
• Basic formatting rules make adding entries simple.

INTRODUCING THE DOMAIN NAME SYSTEM
• The Domain Name System (DNS) was designed to ease the administrative burden of maintaining host name resolution records.
• DNS consists of three main elements:
  • The DNS namespace
  • Name servers
  • Resolvers

WHAT IS A DOMAIN?
• In DNS, a domain is an administrative entity that contains hosts.
• A domain hierarchy has been created to allow for logical divisions of administrative entities.
• Each domain has one or more servers nominated as name servers. These name servers provide resolution services to clients (resolvers).
• DNS domains are not always directly related to Active Directory domains, although a group of computers can be in the same Active Directory and DNS domain.

UNDERSTANDING RESOURCE RECORDS
• A resource record is an entry in the zone database that specifies a host and provides information about that host.
• A single host may have multiple records assigned to it, for example, Host, Alias, and MX records.
• Each type of record has certain classifications of information that can be stored in it.
• Records can be replicated between DNS servers.

UNDERSTANDING THE STRUCTURE OF A DNS NAME

UNDERSTANDING THE DOMAIN HIERARCHY LEVELS
• Under the DNS root, which is referred to as ‘.’, a number of top-level domains have been created to designate location and type of organization. Some examples are: .com, .org, .co.uk.
• Anyone can apply for and purchase a second-level domain name.
• Each domain name can be no more than 63 characters long.
• The total fully qualified domain name, including the trailing period, can be no more than 255 characters long.

UNDERSTANDING THE DNS NAME RESOLUTION PROCESS

SPEEDING UP THE DNS
• Combined DNS servers
• Name caching

REFERRALS AND QUERIES
• DNS servers can perform two types of query:
  • Recursive query
  • Iterative query
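The two query types and the name caching mentioned on the preceding slides, as an added illustration that is not part of the course material: each constructed server answers an iterative query from its own zone data only (an answer, a referral to the child zone's server, or a negative reply), while the resolver performs the recursion by walking the referrals from the root and caching what it learns. Server names, zone contents and the address are made up for the example.

```python
# Constructed in-memory name servers (not real infrastructure). Each server is
# authoritative for one zone: it answers names it holds records for and refers
# the asker to the child zone's server for everything it has delegated.
SERVERS = {
    "root":         {"records": {}, "delegations": {"com.": "tld-com"}},
    "tld-com":      {"records": {}, "delegations": {"example.com.": "auth-example"}},
    "auth-example": {"records": {"www.example.com.": "192.0.2.10"}, "delegations": {}},
}

def iterative_query(server, name):
    """One iterative query: the server replies with what it knows and never asks
    anyone else. Returns ('answer', ip), ('referral', next_server) or ('nxdomain', None)."""
    s = SERVERS[server]
    if name in s["records"]:
        return "answer", s["records"][name]
    best = None
    for zone, ns in s["delegations"].items():          # closest enclosing delegation wins
        if name.endswith("." + zone) and (best is None or len(zone) > len(best[0])):
            best = (zone, ns)
    return ("referral", best[1]) if best else ("nxdomain", None)

def recursive_resolve(name, cache, trace, max_hops=8):
    """Recursive query as a resolver or recursive server performs it: follow referrals
    from the root until an answer or a negative reply, caching positive answers so a
    repeat lookup is served without any iterative queries (name caching)."""
    if name in cache:
        trace.append(("cache", "hit"))
        return cache[name]
    server = "root"
    for _ in range(max_hops):                           # bound the referral chain
        kind, data = iterative_query(server, name)
        trace.append((server, kind))
        if kind == "answer":
            cache[name] = data
            return data
        if kind != "referral":
            return None
        server = data
    return None

if __name__ == "__main__":
    cache, trace = {}, []
    print(recursive_resolve("www.example.com.", cache, trace), trace)
```

Running the resolution twice shows the point of the caching slide: the first lookup costs three iterative queries, the second none.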

REVERSE NAME RESOLUTION

DETERMINING DNS REQUIREMENTS
• On a TCP/IP network, DNS is used to:
  • Resolve the names of Internet servers
  • Host Internet domains
  • Host Active Directory domains

RESOLVING INTERNET NAMES
• Internal DNS servers can be used to resolve internal host names.
• ISP DNS servers are used to resolve host names for Internet-based hosts.
• Clients can be configured to send resolution requests for Internet names to the internal DNS server, which in turn forwards them to the Internet, or to send those requests directly to the ISP DNS servers.

HOSTING AN INTERNET DOMAIN
• If you have an Internet domain, you can host the DNS zones for the domain on your own DNS server or on an ISP’s DNS server.
• If you are hosting an Internet domain on your own DNS server, the server must have a registered IP address and be accessible at all times.
• If you use an ISP DNS server to host the domain, you should be aware of their policy regarding resource record additions and changes.

HOSTING INTERNET SERVERS
• Hosted servers on your network must have a registered IP address.
• The domain information for the host can be hosted internally or on your ISP’s DNS servers.
• Resource records for the Internet-accessible server must exist in the domain.

USING ACTIVE DIRECTORY
• Active Directory requires that at least one DNS server that supports SRV records be implemented on the network.
• Best practice dictates that more than one DNS server be provided for fault tolerance.
• If the DNS server is unavailable, users may not be able to log on to the system, Active Directory replication may fail, and users already logged on may not be able to access resources.

COMBINING DNS FUNCTIONS

DESIGNING A DNS NAMESPACE
• Using an existing namespace
• Creating Internet domains
• Creating internal domains

USING AN EXISTING NAMESPACE
• Use the existing domain name, and if necessary expand it to include internal subdomains.
• If replacing existing DNS servers which host a domain, inform the ISP of the change, so that the appropriate changes can be made to resource records.
• If you are creating a subdomain, you do not need to inform the ISP.

CREATING INTERNET DOMAINS
• Registering a domain
• Using multiple domains

CREATING INTERNAL DOMAINS
• Create domains and subdomains as needed.
• Keep domain names short and adhere to any naming policies.
• Adhere to general geographic or functional boundaries.

COMBINING INTERNAL AND EXTERNAL DOMAINS
• Use the same domain name internally and externally.
• Create separate and unrelated internal and external domains.
• Make the internal domain a subdomain of the external domain.

CREATING AN INTERNAL ROOT
• Create your own internal root zone on one of your Windows Server 2003 DNS servers.
• Creation of the internal root zone causes DNS servers in the organization to consider your DNS server as the root server.
• Creation of the internal root zone can speed up resolutions for clients in the enterprise.

CREATING HOST NAMES
• Use short, descriptive names
• Follow a predefined naming convention
• Keep names unique throughout the organization

USING MICROSOFT DNS SERVER
• How many DNS servers?
• Understanding DNS server types
• Creating zones

HOW MANY DNS SERVERS?
• A single DNS server can perform a very large number of resolutions per second.
• The DNS server service does not place a heavy burden on the underlying hardware.
• Best practice dictates that more than one DNS server be available for fault tolerance.

UNDERSTANDING DNS SERVER TYPES
• In addition to the standard DNS server types, there are also:
  • Caching-only servers
  • Forwarders

USING CACHING-ONLY SERVERS
• A caching-only server contains no zone information and hosts no domains.
• It forwards all resolution requests as iterative queries to another DNS server.
• It caches the results of successful resolutions to prevent repetitive queries.

USING FORWARDERS

CREATING ZONES
• Zones are created to devolve administrative responsibility or to distribute the namespace across multiple DNS servers.
• A zone must consist of an entire domain or subdomain.
• Zones must be contiguous in the DNS namespace.

UNDERSTANDING ZONE TYPES
Primary zone
• Contains the master copy of the zone database, where administrators make all changes to the zone’s resource records
Secondary zone
• A duplicate of a primary zone held on another server
Stub zone
• A copy of a primary zone that contains only SOA and NS resource records, plus the Host (A) resource records that identify the authoritative servers for the zone

USING FILE-BASED ZONES
• Resource records are held in a file on the server’s hard drive.
• Primary servers perform zone transfers to ensure that secondary zones are up to date.
• Zone transfers can be configured to occur when changes are made or at a specified interval.

USING ACTIVE DIRECTORY-INTEGRATED ZONES

DELEGATING ZONES
• Enables another DNS server to become authoritative for a domain
• Can be used to manage DNS traffic by placing authoritative name servers in geographical locations that relate to the zone
• Enables resource record administration to be delegated to another administrator

PLANNING DNS SECURITY
• Determining DNS security threats
• Securing DNS

DETERMINING DNS SECURITY THREATS
Denial of Service (DoS) attacks
• Can disable a DNS server, rendering it unable to process resolution requests
Footprinting
• Allows a hacker to determine the layout of the network and the host names and IP addresses of the systems on the network
IP spoofing
• Uses open IP ports on firewalls designated for DNS traffic to send harmful packets to a system on the network, which accepts them as DNS traffic
Redirection
• Causes DNS resolution requests to be forwarded to a hacker, who in this way obtains information about the hosts on the network

SECURING DNS
• Providing redundant DNS services
• Limiting DNS interface access
• Securing zone replication
• Preventing cache corruption
• Using secure dynamic update
• Using standard security measures

RESOLVING NETBIOS NAMES
• Like host names, NetBIOS names must be resolved to IP addresses to enable communication.
• As with host names, resolution can be achieved via a text file or through a resolution service. Results are cached to prevent repetitive queries.
• NetBIOS names are provided in Windows Server 2003 for backward compatibility with pre-Windows 2000 client systems.

WHAT IS A NETBIOS NAME?
• Identifies a system for the purpose of addressing with the NetBIOS protocol.
• Can be up to 16 characters long, but the last character is reserved, which means that a usable NetBIOS name can be up to 15 characters long.
• Has no positional element like DNS; in other words, NetBIOS names are nonhierarchical.

NETBIOS NAME RESOLUTION METHODS
• WINS
• Broadcasts
• LMHOSTS
• NetBIOS name cache

NETBIOS NODE TYPES
• Standard NetBT node types are:
  • B node (broadcast node)
  • P node (point-to-point node)
  • M node (mixed mode node)
• Microsoft node types are:
  • Modified B node
  • H node (hybrid node)
  • Microsoft-enhanced H node

DETERMINING NETBIOS NAME RESOLUTION REQUIREMENTS
• NetBIOS broadcasts require no configuration, but can create a great deal of traffic on a LAN with a large number of systems.
• Broadcasts are not forwarded by routers, so unless a resolution method other than broadcasts is configured, resolution will be confined to the LAN.
• WINS servers reduce the amount of broadcast traffic and enable NetBIOS name resolution across routers.

USING LMHOSTS
• Text file similar in format and function to the hosts file used for IP address to host name resolution
• Rarely used as the primary NetBIOS name resolution method

USING BROADCASTS WITH LMHOSTS
• Use broadcasts to resolve NetBIOS names on the local network segment.
• Use lmhosts to specify NetBIOS name to IP address resolution of frequently accessed systems or systems on other network segments.
• lmhosts works best when access to only a small number of systems on another network segment is needed, since the file must be updated manually.

CREATING AN LMHOSTS FILE
• Can be created with any text editor (for example, Edit or WordPad)
• Must be placed in the %systemroot%\system32\drivers\etc folder
• Can be configured to preload entries into the NetBIOS name cache or include an LMHOSTS file from another system.
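Added example, not from the course material: a small parser for the hosts and LMHOSTS formats covered on the RESOLVING HOST NAMES, DOMAIN HIERARCHY LEVELS, WHAT IS A NETBIOS NAME? and LMHOSTS slides. It applies the 63-character and 255-character DNS name limits and the 15-character NetBIOS limit, recognises the LMHOSTS #PRE (preload into the name cache) and #INCLUDE (pull in another file) directives, and reports a name that is mapped to two addresses, which is what an administrator auditing a machine's name files for unexpected overrides wants flagged. The file contents and addresses are constructed.

```python
import ipaddress, re

LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def valid_dns_name(name):
    """Slide rules: each label at most 63 chars, whole FQDN with trailing period at most 255."""
    fqdn = name if name.endswith(".") else name + "."
    return len(fqdn) <= 255 and all(LABEL_RE.match(l) for l in fqdn[:-1].split("."))

def valid_netbios_name(name):
    """The 16th character is reserved, so a usable NetBIOS name is 1 to 15 characters."""
    return 1 <= len(name) <= 15

def parse_name_file(text, lmhosts=False):
    """Parse hosts ('<ip> <name> [alias ...] [# comment]') or, with lmhosts=True,
    LMHOSTS, where '#PRE' after the name preloads the NetBIOS name cache and
    '#INCLUDE <path>' pulls in another file. Returns (entries, problems)."""
    entries, problems, seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0].startswith("#"):                       # comment line or LMHOSTS directive
            if lmhosts and tokens[0].upper() == "#INCLUDE" and len(tokens) > 1:
                entries.append({"include": tokens[1], "line": lineno})
            continue
        try:
            ip = str(ipaddress.ip_address(tokens[0]))
        except ValueError:
            problems.append((lineno, f"bad address {tokens[0]!r}"))
            continue
        names, preload = [], False
        for tok in tokens[1:]:
            if tok.startswith("#"):
                if lmhosts and tok.upper() == "#PRE":
                    preload = True
                    continue
                break                                       # a plain comment ends the entry
            names.append(tok)
        check = valid_netbios_name if lmhosts else valid_dns_name
        for n in names:
            if not check(n):
                problems.append((lineno, f"invalid name {n!r}"))
            elif seen.setdefault(n.lower(), ip) != ip:      # a silent override is worth a look
                problems.append((lineno, f"{n!r} already mapped to {seen[n.lower()]}"))
        if names:
            entries.append({"ip": ip, "names": names, "preload": preload, "line": lineno})
    return entries, problems

# Constructed sample files (not real): a hosts file with an alias and a conflicting
# second mapping, and an LMHOSTS file with an include, a preloaded entry and an over-long name.
SAMPLE_HOSTS = "127.0.0.1 localhost\n192.0.2.10 fileserver fs # primary\n198.51.100.7 fileserver\n"
SAMPLE_LMHOSTS = "#INCLUDE \\\\fs\\public\\lmhosts\n192.0.2.20 DC01 #PRE\n192.0.2.21 thisnameistoolongforwins\n"
```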

USING WINS
• Any Windows 2000 Server or Windows Server 2003 server can be a WINS server by installing the WINS server software.
• A single WINS server can provide name registration and resolution services for up to 10,000 clients.
• You should install more than one WINS server for fault tolerance.
• Client registration and de-registration is automatic, but you must configure replication when using more than one WINS server.