DNS overview
What is a domain name?
Typically, a domain name consists of words separated by periods, such as "Microsoft.com". The rear part of the domain name (such as "com") is called the top-level domain (TLD), and the preceding part is usually the name of a company or organization.
A fully qualified domain name (FQDN) typically includes a host name that uniquely identifies a specific server or device on the network, such as "Server1.Microsoft.com", where the host name is prepended to the domain name (also called the parent domain name).
As shown in Figure 1, DNS domain names are managed in a hierarchical tree (called the "domain name space") whose top-level domains are maintained by the Internet name registries.
Figure 1 Hierarchical tree structure of DNS namespace
The most common top-level domains are:
COM: commercial organizations
EDU: educational institutions
ORG: non-profit organizations
NET: computer network organizations
GOV: US government organizations
Two- or three-letter country codes, such as JP for Japan
The domain names of the various organizations are added under each top-level domain. Within an organization, further domains (called subdomains) can be subdivided along the tree structure. Finally, a host name is added to the front of the name, as in "Server2.msdn.microsoft.com". In fact, "msdn.microsoft.com" is itself a FQDN that refers to a cluster of web servers within Microsoft.com.
DNS working principle
DNS is a distributed database system that provides the information needed to convert domain names into their corresponding IP addresses. This conversion of a name into an IP address is called name resolution.
In general, each organization has its own DNS server, which maintains a database of domain name mappings known as resource records. When name resolution is requested, the DNS server checks whether it has a corresponding IP address in its own records. If not, it asks other DNS servers for the information.
For example, when a web browser needs to access the "msdn.microsoft.com" site, the IP address of the domain name is resolved through the following steps:
1. The web browser calls the DNS client (called the resolver), which first tries to resolve the query locally using information cached from previous queries.
2. If the query cannot be resolved locally, the client asks a known DNS server for the answer. If that DNS server has handled a request for the same domain name ("msdn.microsoft.com") within a certain period, it retrieves the corresponding IP address from its cache and returns it to the client.
3. If the DNS server does not find a suitable address, the client asks a global root DNS server, which returns a pointer to the authoritative DNS server of the top-level domain. In this case, the IP address of the authoritative server for the "com" domain is returned to the client.
4. Similarly, the client asks the "com" server for the address of the "Microsoft.com" server.
5. The client then passes the original query to the "Microsoft.com" server. Because that server maintains the authoritative records for "msdn.microsoft.com" locally, it returns the final result to the client, completing the query for the IP address.
Note that DNS resource records can be cached on any number of DNS servers on the network. The DNS server in step 2 may not have a cached record for "msdn.microsoft.com", but it may have one for "Microsoft.com", and it is even more likely to have one for the "com" domain. This saves the client several steps in obtaining the final result and speeds up the whole lookup. To keep cached information current, each cached record has a "time to live" (TTL) setting (similar to the expiry date on milk). When a record expires, it must be looked up again.
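The lookup steps and the TTL-bounded cache described above, as an added model that is not part of the original article. The authoritative data for the root, "com" and "Microsoft.com" servers, the server names and the 192.0.2.x addresses (a documentation range) are all constructed; a second lookup under the same domain starts from the cached referral instead of the root.

```python
"""Model of the iterative lookup and the TTL-bounded caching described above.

Added example, not part of the original article. The authoritative data for
the root, "com" and "Microsoft.com" servers, the server names and the
192.0.2.x addresses (a documentation range) are all constructed.
"""
import time

# Each server knows either the final address (A) or a referral (NS), which is
# the "pointer" to the authoritative server one level down the tree.
SERVERS = {
    "root": {"com": ("NS", "a.gtld-servers.example", 3600)},
    "a.gtld-servers.example": {"microsoft.com": ("NS", "ns1.microsoft.example", 3600)},
    "ns1.microsoft.example": {
        "msdn.microsoft.com": ("A", "192.0.2.10", 300),
        "www.microsoft.com": ("A", "192.0.2.20", 300),
    },
}


class Resolver:
    """DNS client (resolver) with a cache in which every entry carries a TTL."""

    def __init__(self):
        self.cache = {}  # name -> (rtype, value, expires_at)

    def _cached(self, name, now):
        """Return a live cache entry, dropping it if its TTL has run out."""
        hit = self.cache.get(name)
        if hit and hit[2] > now:
            return hit
        self.cache.pop(name, None)  # expired: must be looked up again
        return None

    def resolve(self, name, now=None):
        """Return (ip, servers_asked); servers_asked is empty on a cache hit."""
        now = time.time() if now is None else now
        name = name.lower().rstrip(".")
        hit = self._cached(name, now)
        if hit and hit[0] == "A":
            return hit[1], []
        labels = name.split(".")
        # Start from the closest cached referral ("microsoft.com" before
        # "com" before the root): this is what saves the client steps.
        server, asked = "root", []
        for i in range(1, len(labels)):
            ref = self._cached(".".join(labels[i:]), now)
            if ref and ref[0] == "NS":
                server = ref[1]
                break
        while True:
            asked.append(server)
            zone_data = SERVERS[server]
            # The server answers for the longest suffix of the name it holds.
            key = next((".".join(labels[i:]) for i in range(len(labels))
                        if ".".join(labels[i:]) in zone_data), None)
            if key is None:
                raise LookupError("no data for %s at %s" % (name, server))
            rtype, value, ttl = zone_data[key]
            self.cache[key] = (rtype, value, now + ttl)
            if rtype == "A":
                return value, asked
            server = value  # follow the referral to the next server
```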
DNS resource records
As mentioned earlier, each DNS database consists of resource records. In general, a resource record contains information about a particular host, such as its IP address, the owner of the host, or the type of service it provides.
Table 1 Common resource record types

Type   Name                Description
SOA    Start of Authority  This record marks the starting point of a zone. It contains the zone name, the e-mail address of the zone administrator, and information on how secondary DNS servers are to refresh the zone data file.
A      Address             This record lists the IP address of a particular host name. It is the key record for name resolution.
CNAME  Canonical Name      This record specifies an alias for a canonical host name.
MX     Mail Exchanger      This record lists the hosts responsible for receiving e-mail sent to the domain.
NS     Name Server         This record specifies the name servers responsible for a given zone.
DNS zones
Typically, a DNS database is divided into sets of resource records; each set is called a zone. A zone can contain the resource records of an entire domain, part of a domain, or one or several subdomains.
A DNS server that manages a zone (or record set) is called the authoritative name server for that zone. Each name server can be the authoritative name server for one or more zones.
The main purpose of dividing a domain into multiple zones is to simplify DNS administration, that is, to assign a set of authoritative name servers to manage each zone. With this distributed structure, as the domain namespace keeps expanding, the administrators of each domain can effectively manage their respective subdomains.
Sometimes zones and domains are difficult to distinguish.
A zone is a subset of a domain; it can be thought of as a branch (or child) of the domain namespace. For example, the Microsoft name server can be the authoritative name server for the "Microsoft.com" zone, the "msdn.microsoft.com" zone, and the "Marketing.Microsoft.com" zone. However, the zone of a subdomain (such as "msdn.microsoft.com") can also be delegated to other dedicated name servers to manage. If a zone is set up to contain the resource records of an entire domain, the zone and the domain cover the same range.
In Windows 2000, zone information is stored either in the traditional text file format or integrated into the Active Directory database. How DNS and Active Directory work together is explained later.
Primary DNS server and secondary DNS server
To ensure high availability of the service, DNS requires multiple name servers to provide redundancy for each zone.
The resource records of a zone are updated, manually or automatically, on a single primary name server (called the primary DNS server). The primary DNS server can be the authoritative name server for one or several zones.
Other redundant name servers (called secondary DNS servers) serve as backups for the primary server of the same zone when it is inaccessible or down. A secondary DNS server communicates regularly with the primary DNS server to ensure that its zone information stays current. If its information is not the latest, the secondary DNS server obtains a copy of the latest zone data file from the primary server. This process of copying the zone file to multiple name servers is called zone transfer (zone replication).
The relationship between Active Directory and DNS
Active Directory is the new directory service in Windows 2000. It stores information about all network resources, such as computers, shared folders, and users, and makes that information available to users and applications through a standard Internet protocol, the Lightweight Directory Access Protocol (LDAP). For more information on Active Directory, see the TechNet article Setting up an Active Directory domain. Compared with the domain controllers in Microsoft Windows NT® 4.0, the relationship between Active Directory and DNS is much closer: DNS is required to support Active Directory. Typically, when you install an Active Directory server and no DNS server can be found on your network, a DNS server is installed during the installation process.
Supporting the domain controller locator service
One of the most important new concepts in Windows 2000 is that computers are no longer identified by their Network Basic Input/Output System (NetBIOS) name but by their DNS fully qualified domain name (FQDN), such as "Server1.duwamishonline.com".
Therefore, to log on and access resources in a Windows NT domain, a Windows 2000 computer must find a DNS server, which helps it locate an Active Directory domain controller. In other words, DNS serves as the locator service for domain controllers.
Integration with Active Directory
Another important feature of the Windows 2000 DNS server is that DNS zones can be integrated into Active Directory to provide enhanced fault tolerance and security. Each Active Directory-integrated zone is automatically replicated to all domain controllers in the Active Directory domain.
However, you can still configure the Windows 2000 DNS server as a traditional file-based DNS server. In that case, to provide fault tolerance for the DNS service, you must manually install a secondary DNS server in addition to the primary DNS server.
Configuring Duwamish Online DNS services
Duwamish Online requires both external and internal domain name resolution.
Externally, the DNS service resolves "www.duwamishonline.com" to the IP address of the web server. The Duwamish Online application uses internal name resolution to resolve the names of its servers. Accessing Message Queuing (MSMQ) public queues from COM+ Queued Components (QC) requires Active Directory, which in turn requires DNS. For more information on MSMQ and the network architecture, see the article on Duwamish Online Message Queuing Configuration.
Installing the DNS service in Windows 2000 is relatively simple. However, the security requirements for external and internal DNS information differ. In this section we discuss these security issues and possible solutions, as well as the relationship between the Active Directory service and DNS in the Duwamish Online web group. We also explain how to register the domain name and how to install a DNS server with Windows 2000.
Security issues for public and dedicated DNS information
Initially, we installed two DNS servers: a primary DNS server and a secondary DNS server for redundancy. Two zones were set up on these DNS servers: one for the external Internet domain "duwamishonline.com" and another for the internal domain "internaldomain.com". As mentioned earlier, a DNS server for the internal domain is a new requirement of the Windows 2000 Active Directory domain. In this original configuration, the DNS servers were also multihomed across the internal and external networks; for example, the IP address of the external network interface card (NIC) was 192.168.100.1 and the IP address of the internal NIC was 10.10.10.1.
Internet users are allowed to query the server for the external zone. However, because the same DNS server manages both the external and internal zones, external users can also query the server for the internal zone. Internet users can retrieve all DNS information for the internal domain using basic network tools such as the name service lookup utility, nslookup.
In theory, no network packet can be routed into the internal domain, so the internal servers cannot be attacked directly. However, the less internal information leaks to the outside, the better the security. This prevents others from exploiting potential vulnerabilities in the back-end servers (where important business information is stored) to steal confidential information.
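To make the leak concrete, here is an added model (not from the original article) of the original one-server configuration beside a separated configuration that answers the internal zone only to the internal network. The zone contents, the 10.10.10.0/24 internal network and the client addresses are constructed from the addresses given above; 203.0.113.5 stands in for an Internet client.

```python
"""Added model (not from the original article) of the two-zone DNS server.

ZONES, the internal network 10.10.10.0/24 and the client addresses are
constructed from the addresses given above; 203.0.113.5 stands in for an
Internet client. The "original" server answers any zone to any client;
the "separated" server answers the internal zone only to internal clients.
"""
import ipaddress

# Constructed zone data for the two zones hosted by the original servers.
ZONES = {
    "duwamishonline.com": {"www": "192.168.100.10"},
    "internaldomain.com": {"sql1": "10.10.10.20", "dc1": "10.10.10.5"},
}
INTERNAL_ZONES = {"internaldomain.com"}
INTERNAL_NET = ipaddress.ip_network("10.10.10.0/24")


def split_name(qname):
    """'www.duwamishonline.com' -> ('www', 'duwamishonline.com')."""
    host, _, zone = qname.lower().rstrip(".").partition(".")
    return host, zone


def answer_original(client_ip, qname):
    """Original configuration: one server, both zones, any client is answered."""
    host, zone = split_name(qname)
    return ZONES.get(zone, {}).get(host, "NXDOMAIN")


def answer_separated(client_ip, qname):
    """Internal zones are answered only for clients inside INTERNAL_NET,
    as when the internal DNS server is reachable only from the internal network."""
    host, zone = split_name(qname)
    if zone in INTERNAL_ZONES and ipaddress.ip_address(client_ip) not in INTERNAL_NET:
        return "REFUSED"
    return ZONES.get(zone, {}).get(host, "NXDOMAIN")


def leaked_names(answer, outside_client="203.0.113.5"):
    """Internal host names an Internet client could learn through `answer`."""
    names = ("%s.%s" % (host, zone) for zone in INTERNAL_ZONES for host in ZONES[zone])
    return sorted(q for q in names
                  if answer(outside_client, q) not in ("REFUSED", "NXDOMAIN"))
```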
DNS deployment solution
The following are some solutions to the security problem of the original configuration:
Use separate DNS servers for the two domains/zones.
Have the external DNS hosted by the Internet service provider (ISP).
Place the two zones on one server and configure Active Directory with the correct access control.
Using separate DNS servers
One way to solve the security issue is to separate the DNS operations of the two zones using two separate DNS servers: one on the public network segment, and another used only for internal DNS queries.
However, a small web operation will not want to manage one more server. In fact, the general recommendation is to configure at least two authoritative name servers for each zone, so four DNS servers (a primary and a secondary DNS server for each of the two domains) would be needed to provide sufficient fault tolerance. That way, if one of the servers fails, the site still works.
In a large web group this may be the preferred approach, because it gives complete control over the entire operating environment and minimizes dependence on third-party systems.
Hosting external DNS at the ISP
Another common approach is to have the Internet service provider maintain the external domain while we continue to manage the DNS server for the internal domain. In this configuration, our DNS server is connected only to the internal network and cannot be reached from the Internet.
This is probably the easiest way to isolate the two domains, and it minimizes the overhead of managing additional DNS servers. At the same time, an ISP provides better network and system redundancy for its DNS servers. We can then install a secondary DNS server on the internal network to provide fault tolerance for internal name lookups.
Configuring Active Directory Access Control
The two zones can be placed on one server and integrated with the Active Directory security features. By setting the correct access control on the DNS objects in Active Directory, internal DNS queries can be limited to authenticated users.
However, we have not verified this solution yet. Because the scheme is quite complicated, extensive testing would be required to ensure that the settings are correct and that no internal information is exposed to the Internet.
Domain name registration
To avoid namespace conflicts with other organizations, the chosen name of the external domain, "duwamishonline.com", must be registered with the appropriate domain name authority (called a "registrar"). In the past there was only one registrar for the entire domain space. However, with the US government's continued privatization and globalization of the Internet infrastructure, there are now many registrars.
On the Web site of the Internet Corporation for Assigned Names and Numbers (ICANN) (http://www.icann.org/), you can find a list of accredited registrars around the world. ICANN is the sole non-profit organization, designated by the US government, that oversees the allocation of IP addresses and the management of the DNS infrastructure.
Although the registration process differs from one registrar to another, it is substantially the same. You log on to the registrar's Web site and search for the domain name you want to use to see whether it is already taken. If the domain name is not in use, you are asked to provide contract and billing information. In addition, you need to provide the IP addresses and FQDNs of two DNS servers, the primary DNS server and the secondary DNS server.
If your ISP manages the DNS servers for your Internet domain, consult them before starting the registration process. In fact, most providers now also submit the registration request for you, in addition to providing DNS service for your domain.
Because the DNS server for the internal domain is installed automatically by the Active Directory Installation Wizard, this article does not discuss that straightforward process further. For more information, see the article Setting up an Active Directory domain.
External domain DNS server configuration
If you choose to manage a separate set of DNS servers for the external domain, the following steps give you a basic external DNS server configuration.
Install DNS in Windows 2000
In Windows 2000 Server, Advanced Server, and Datacenter Server, DNS is provided as part of the operating system. However, it is not part of the default installation and must be added before the DNS server can be set up.
To install DNS
1. From the Start menu, point to Settings / Control Panel.
2. Double-click Add/Remove Programs, click Add/Remove Windows Components, and then click the Components button.
3. In the Windows Components Wizard, select Networking Services and then click Details.
4. Select the Domain Name System (DNS) component and click OK.
Install the primary DNS server
The primary DNS server holds the resource records for the external zone duwamishonline.com. The secondary DNS server acts as a backup for it.
To install the primary DNS server
1. From the Start menu, point to Programs / Administrative Tools.
2. Click DNS to start the DNS console.
3. In the left pane, select the server to be configured.
4. If no DNS server has been configured yet, click Configure the Server on the Action menu to start the Configure DNS Server Wizard. The wizard guides you through setting up a "forward lookup zone" and a "reverse lookup zone".
   Note: If the DNS server is already configured for other zones, this menu option is not available. Instead, right-click the "Forward Lookup Zones" or "Reverse Lookup Zones" folder, point to New Zone, and start the New Zone Wizard. The setup process is similar to the following steps.
5. Set up the forward lookup zone following the wizard's instructions. A "forward lookup zone" is the set of resource records that converts domain names into IP addresses; it is undoubtedly the most important data file on the DNS server.
6. In the New Zone Wizard dialog box, click the option button to specify the zone type as a standard primary zone, which stores the zone data in the traditional text file format.
   Note: If you use Active Directory servers on your network, you can select the Active Directory-integrated zone option button instead. This option stores the zone data in the Active Directory database and automatically replicates it to other Active Directory servers.
7. Enter the fully qualified domain name ("duwamishonline.com" in this example).
8. Accept the default file name for the new zone file.
9. If required, create a reverse lookup zone. A "reverse lookup zone" is the set of resource records that converts IP addresses back into the corresponding domain names. Many Internet services use this information for security verification.
10. To set the name of the reverse lookup zone, you are asked to enter the network ID of the external network. For example, if the DNS server is on a full Class C network, enter the first three octets of the server's IP address. You should, however, obtain this information from your ISP. (For more information on IP address classes, see http://msdn.microsoft.com/library/wcedoc/wcecomm/tcpip_11.htm.)
11. Use the zone name as the file name of the "reverse lookup zone" data file.
At this point you have completed the installation of the primary DNS server and are ready to configure the other resource records in the zone.
Configure the primary DNS server
The Windows 2000 DNS server has many useful features. The minimum requirements for the primary DNS server of a web group such as duwamishonline.com are described below. It is assumed that you have created the new forward and reverse lookup zones as described above.
To modify the SOA and name server records
1. In the left pane of the DNS console, expand the tree under the selected computer name.
2. Point to the FQDN under the Forward Lookup Zones folder (in this case, the FQDN is "duwamishonline.com"); right-click it and select Properties.
3. In the Properties dialog box, click the Start of Authority (SOA) tab.
4. Modify the Primary server field as needed. This field should contain the FQDN of the primary DNS server.
5. Modify the Responsible person field as needed. This field should contain the e-mail address of the DNS administrator, but according to the DNS standard "." is used instead of "@". For example, if the administrator's e-mail address is "admin@duwamishonline.com", the field should contain "admin.duwamishonline.com".
6. Click the Name Servers tab. If the Primary server field on the SOA tab was modified, the first server entry is changed accordingly.
7. Add a second entry specifying the FQDN and IP address of the secondary DNS server.
8. Click the Zone Transfers tab. Click the option button that allows zone transfers only to the servers listed on the Name Servers tab.
9. Click OK. A new "name server" record containing the secondary DNS server information appears.
Note: You can press F5 to refresh the screen and view the modifications you made.
To create a new host address record
1. In the left pane of the DNS console, expand the tree under the selected computer name.
2. Point to the FQDN under the Forward Lookup Zones folder (in this case, the FQDN is "duwamishonline.com"); right-click it and select New Host.
3. In the Name field, enter the host name of the web server, "WWW" in this example.
4. In the IP address field, enter the IP address of the web server.
5. Select the check box to create an associated pointer (PTR) record. The corresponding pointer record for the host is then created automatically in the "reverse lookup zone".
6. Click the Add Host button, then click Finish to apply the changes. The new resource record appears in the "forward lookup zone".
Note: You can press F5 to refresh the screen and view the modifications you made.
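The records produced by the two procedures above (the SOA and name server records, and the new host record with its PTR record) in their text zone-file form, as an added example that is not part of the original article and not what the DNS console itself writes. The server names ns1/ns2.duwamishonline.com and the host address 192.168.100.10 are constructed; the network ID 192.168.100 is the external network used earlier in this article. Beyond the page's "admin@" case, it also handles a dot inside the mailbox part of the responsible-person address.

```python
"""Text form of the SOA, NS, A and PTR records set up in the procedures above.

Added example, not part of the original article and not the console's own
output. Server names (ns1/ns2.duwamishonline.com) and the host address
192.168.100.10 are constructed; 192.168.100 is the external network ID
used earlier in the article.
"""
import ipaddress
import re


def soa_rname(email):
    """Convert the administrator's e-mail address to the SOA responsible-person form.

    '@' becomes '.', and a '.' inside the mailbox part is escaped as '\\.'
    (RFC 1035) so that it is not mistaken for a label separator.
    """
    if not re.fullmatch(r"[^@\s]+@[^@\s]+", email):
        raise ValueError("not an e-mail address: %r" % email)
    mailbox, domain = email.split("@")
    return mailbox.replace(".", "\\.") + "." + domain.rstrip(".") + "."


def reverse_zone_name(network_id):
    """Reverse lookup zone name for a Class C network ID such as '192.168.100'."""
    octets = network_id.split(".")
    if len(octets) != 3 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError("expected the first three octets, e.g. '192.168.100'")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_name(ip):
    """Owner name of the PTR record for an IPv4 address."""
    return ipaddress.IPv4Address(ip).reverse_pointer + "."


def forward_zone(domain, primary, secondary, admin_email, hosts, serial=1):
    """Render the forward lookup zone in master-file (text zone file) format."""
    origin = domain.rstrip(".") + "."
    lines = [
        "$ORIGIN " + origin,
        "$TTL 3600",
        # refresh, retry, expire and minimum TTL are constructed defaults
        "@ IN SOA %s %s (%d 900 600 86400 3600)"
        % (primary, soa_rname(admin_email), serial),
        "@ IN NS " + primary,
        "@ IN NS " + secondary,
    ]
    for host, ip in sorted(hosts.items()):
        lines.append("%s IN A %s" % (host, ipaddress.IPv4Address(ip)))
    return "\n".join(lines) + "\n"


def reverse_zone(hosts, domain):
    """PTR records added when 'Create associated pointer (PTR) record' is checked."""
    origin = domain.rstrip(".") + "."
    return ["%s IN PTR %s.%s" % (ptr_name(ip), host, origin)
            for host, ip in sorted(hosts.items())]
```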
Install the secondary DNS server
Installing a secondary DNS server is as easy as installing the primary server.
Note that the secondary DNS server must not be installed on the same computer as the primary DNS server; otherwise there is no redundancy in the DNS service.
To install the secondary DNS server
Perform steps 1 and 2 of the "To install DNS" section. Then complete the same steps as for installing the primary DNS server, but specify the zone type as a standard secondary zone. You are asked to add the IP address of the primary DNS server to the list of master DNS servers.
Summary
We chose to have the ISP host the external DNS information in order to speed up deployment and minimize site operation and maintenance. Because this is a common service offered by many ISPs, we think it will be the configuration used by most web groups.