Chapter 9 Design DNS Server

This chapter includes:
• The capabilities of a DNS server. Explains the factors that affect what a DNS server can handle.
• Deciding the number of domains and zones. Helps you consider how to divide a domain into subdomains, where to place them, and what they serve.
• Deciding the number of DNS servers. Describes the role of a DNS server when it serves a single domain and when it serves several, to help you decide how many DNS servers a given deployment needs.
• Design examples. Provides a number of DNS design examples that can be realized with Windows 2000 DNS.
• Windows 2000 and Active Directory. Gives an overview of the issues raised by a Windows 2000 domain environment, and of the features of Windows 2000 Server that can be used as design elements.

The information in this chapter helps you make critical decisions such as how many DNS servers and how many domains are required. Once an Active Directory domain environment is in use, many decisions about domains are no longer a DNS management problem. Whether those domains are placed on different servers, or divided into zones, still is. The "Design Examples" section provides several examples to show what the problems are and how different design choices affect the decisions. Because the Windows 2000 DNS implementation is also useful outside the scope of Active Directory support, and is an alternative to any RFC-compliant DNS server, it can be used in many different environments: in NT 4.0 domains, on an isolated server, on a server in a Windows 2000 domain, or on a domain controller integrated with Active Directory. This makes the design problem a complex one when there is no single set of specific targets the design must meet.
In the following sections, therefore, you will first see a discussion of the server selection criteria, then the design options common to many small offices, or to DNS designed as part of a large company. Most of this discussion applies to traditional networks, that is UNIX, NT 4.0 or other standard TCP/IP environments, without the considerations of a mixed environment. In the middle of the chapter some specific advice is given on the Windows 2000 DNS server and domain environment, but most of it is held back until the design elements have been covered.

9.1 Capabilities of the DNS Server

The ability of a server to handle the queries it receives (internal or external) depends on the following factors:
• The number of domains the server is responsible for.
• The number and speed of the subnets directly connected to the server, whether through virtual IP addresses or through separate physical network interfaces.
• The number of client requests the server actually services.
• The amount of dynamic update activity and the number of zone transfers it triggers.
• The hardware the server runs on.

The best way to determine server capacity is to use System Monitor (called Performance Monitor, if you prefer the NT 4.0 name). System Monitor gives the overall performance of the server as well as measurements of many specific aspects. The most important areas to monitor are network performance, disk performance, memory allocation and CPU utilization, which tell you how the hardware is being driven. For a DNS server you can watch more than 60 counters in real time (see Table 11-3); some are rates, such as updates or queries per second, and some are cumulative values. System Monitor can also record a period of activity for later analysis, though this takes up some disk space.
This work should be repeated periodically so that usage can be tracked against the baseline established at the start. Although the DNS service itself is not a heavy process, a large number of requests does load a DNS server. If the DNS server is also used for other services, you should watch the DNS response time. In general a single DNS server can handle a significant number of zones and the corresponding requests. If a DNS server has a long response time, the client or the recursing server that issued the request will give up, which reduces the value of the DNS server.
You can configure the DNS server to refuse recursive queries when appropriate, which extends its capacity. In a large environment, where dynamic updates and notify-driven transfers become important factors, one solution is to separate the role of primary from that of serving clients, and let secondaries do the latter. So when many clients are served by a domain controller that hosts Active Directory-integrated DNS, it is best to provide a local secondary server for those clients. In short, a low-end system should not be left short of resources when updates alone generate a large amount of disk activity. Another issue is managing many domains' information on a single server: for an ISP that hosts domains, processor performance is very important. If network bandwidth at the interface is the limit, Windows 2000 supports ATM and Gigabit Ethernet. The DNS server should have ample memory, but only a modest amount of disk is needed: enough to hold the operating system and the zone files of each zone. Since zone files are text files, they are generally not very large. Similarly, when Active Directory is used the data lives in Ntds.dit, and the space it needs does not put much pressure on the disk subsystem. Often several IP addresses are placed on one interface card, but sometimes this is unnecessary: every virtual presence on the network that is not really needed adds overhead to the TCP/IP protocol stack. Memory capacity is an important factor because the name server's cache occupies system memory. More memory ensures good name-server performance and also allows a larger cache.
A typical company only needs to handle its own domain information, so its server requirements are modest. In most cases having enough memory is the biggest concern, and it is also the key factor in improving name-server performance.

Resource Record and Zone Limits

If you use the NT 4.0 DNS server, you should be aware of the following: 6553 resource records in each of 1000 zones can support 65 million records! However, there are still some limits: if a zone has more than 65,553 records, DNS Manager will hang. These limits are described in Microsoft Knowledge Base articles Q1724777 and Q170518; the latter is included in NT 4.0 Service Pack 4, the former was issued with the NT 4.0 DNS Manager. A system configuration can now be proposed from the DNS server resource requirements recommended above. Start with at least the minimum hardware required for your Windows 2000 server, then add 8 MB of RAM for every 64 KB of resource records, counting both zone and host records. This assumes that no other service runs on the same computer and competes for resources. Starting from the minimum CPU, how much more is needed depends on the number of client requests and the required speed of service. If the system also provides other services, add the resources the corresponding software needs. Of course, consider the speed of the network interface and the network bandwidth as well. If there is enough memory, hard disk speed is not particularly important.

Part II Using Windows 2000 DNS Server

9.2 Deciding the Number of Domains and Zones

The number of domains and zones is really only a management problem. In theory a server can handle an almost unlimited number of domains, but in practice that is impossible; handling thousands (or tens of thousands) of domains is no easy matter. Remember that one DNS server can handle many domains, and one domain can be served by many DNS servers. If a company has thousands of computers in one location or one metropolitan area, it is easy to use a single domain. If a business is geographically dispersed, it can have one domain at the top of its name tree and a subdomain in each city or region. In fact, if you use Active Directory, its architecture will often dictate the division of DNS domains. In that case the domain structure can be divided into zones in different ways, and the flexibility of DNS management comes from placing those zones on different servers. Zones define the unit of DNS data transfer: a zone is the part of the domain space assigned to a particular server. For smaller environments this can shrink to a single zone; for large companies the distribution is a balance between many demands, not just geography. As Windows 2000 matures, it will become easier to decouple DNS domain boundaries from Active Directory domain boundaries. Most initial implementations will keep the two sets of boundaries consistent, often because the previous configuration leaves no freedom. Early experience shows that although separating them is possible, it still causes problems and requires some flexibility and manual work. An ISP hosting a domain has significant responsibility to the clients who rely on it for e-mail and Web service.
Even a single day's ISP outage is serious for a company: the company may be waiting for important e-mail to settle accounts, or its customers may be unable to buy products through its Web site. For a DNS administrator or IS manager, the number of domains is often determined by company policy or by geography. This is clearer when a Windows 2000 domain environment is used. In a technology company, the engineering department usually has its own domain, because it does not want unrelated staff to have access to its domain and modify it. Engineers testing new products usually move faster than other groups. Responsibility for maintaining these domains is also spread among the individual departments, which avoids conflicting demands arising from their different tasks. Geographically, many companies arrange their offices by region. A sensible arrangement lets a local administrator manage the local department in a subdomain without having to e-mail someone half-way round the world to change a host record. In Windows 2000, besides the number of clients and the type and speed of the connection, the placement of servers other than the primary for a zone also depends on whether dynamic DNS is used, whether Active Directory storage is used, and on the Active Directory design that decides where the domain controllers are located. These arrangements and decisions aim to increase efficiency, but they also affect mail delivery. When a mail system that does not depend on Active Directory is used, you must consider the transport problem. Because e-mail addresses are tied to domain names, the mail service is best kept consistent with the domain structure.
DNS is divided for political, corporate or geographic reasons, and usually this division is consistent with the structure that IT supports. When a potential mail recipient works for a company in the United States but lives and works somewhere else in the world, problems arise. Rather than delivering all mail to one large server, it is better to set up some subdomains and mail aliases and redirect mail to mail servers in each locality; this gives mail better service and also relieves the load on a single computer.

9.3 Deciding the Number of DNS Servers

The number of name servers an enterprise needs can be judged by many factors. There is no universal rule for every situation, and the recommendations given here are not necessarily the best. Even so, this chapter gives some guiding rules. If you need to set up several subdomains to match the company's hierarchy, you will certainly need a primary server for the domain, and each subdomain also needs a secondary server. This is not to say that two machines cannot do all the work; two servers are a start, but always take accessibility, reliability and redundancy into account. In practice, two machines are not enough.

9.3.1 Accessibility, Reliability and Redundancy

Accessibility refers to whether the service can be reached from the client's location; a client's access is really a network connectivity problem. Reliability means that access is stable, that is, always available. A single server handling all queries for a domain is easily saturated by a heavy query load, and saturation readily leads to denial of service, meaning that name resolution cannot complete before the timeout. Spreading a domain over several machines lets at least some of the queries be shared by the other hosts. Reliability and redundancy matter: if there is only one name server, what does its failure (a damaged disk, a memory error, and so on) mean? If the domain is lost, everything that depends on it is lost until service is restored. If several hosts serve a domain, the administrator can ensure that at least part of the queries get an answer. You might also consider hardware load balancing to improve update speed and reliability. Deploying several machines also means the load can be spread across them. If one machine fails, the result may be a delay or timeout in name resolution; if stale cached information points at the failed machine, that too causes a brief period of failed resolution, but at a reduced level operation continues.
Sometimes you may need to move an IP address from the failed server to one that is still working, reducing the trouble while the failed server is repaired. Redundancy is the easiest way to improve reliability. Reliability is not just about the cost of interrupted operation; for example, it also requires avoiding possible errors in managing all the machines. Another redundancy issue is redundancy of location. If all the name servers are in the same place and the connection to the ISP goes down, the domain is unreachable. In general, the more servers provide name service for a domain and the more sensibly they are distributed geographically, the more reliable the name service. A server with several addresses on completely different networks can look like two servers from outside, but it does not provide redundancy in every respect: if one network path fails the other can be used, but if the machine fails both are unavailable. Issues to consider when deciding the name-server architecture include: the number of locations required, the type of network traffic at each location, the number of clients at each location, the characteristics of the links between locations, and the way the company connects to the Internet and the properties of that connection.

9.3.2 Selecting the Number of DNS Servers

The general rule is that every company needs two DNS servers. However, if your name service is handled by an ISP, you do not need to set up and manage such servers. A small business often lets the ISP handle everything, while others run only one server, either a primary or a secondary, and let the ISP run the other. This is better and safer, for the reasons discussed earlier.
Small enterprises that use Active Directory internally often implement an internal, private name space, while using one of the arrangements above with an ISP for the public domain name. When choosing an ISP service, use accessibility, reliability and redundancy to judge its quality. Mid-sized companies need only two DNS servers, and can deploy a server at each site (possibly just a caching server) to improve the performance of outbound queries. Another approach is to make these geographically dispersed servers secondaries, to increase redundancy for internal queries. If a dynamic update mechanism is used, the local server at a site is also a live server that passes updates on to the primary; sometimes this is undesirable, and sometimes the need depends on the distribution of Windows 2000 domain controllers and other factors. A large business can have a complex DNS setup with many domains and subdomains. The next section describes many of the options for building a large, complex system. There are no simple rules for designing DNS service for a large enterprise; you must compromise among capacity, availability, reliability and so on to solve the problem.

9.4 Design Examples

This section gives a number of examples, in the hope of helping you decide which design is best for you.

9.4.1 Setting Up a Domain with One or More Subdomains

The engineering department is a sector whose experiments make its environment dynamic. Its machine configuration changes a great deal, so it is best to separate this sector from the company's main domain. The design objective, then, is to let the engineering department control its own subdomain and handle changes independently of the other departments of the company. Figure 9-1 shows the configuration used for the xyz.com domain. The company's main domain is xyz.com; the engineering department's domain is eng.xyz.com, and its DNS servers are delegated authority for the subdomain. In this case changes made in eng.xyz.com do not affect xyz.com, and the engineering department can modify all of its hosts without bothering the company's system administrators. The only time the engineering department needs to contact the company's service is when the IP addresses of its name servers change.
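As an added example (not from the book), the following Python checks the one coupling point described above between xyz.com and the delegated eng.xyz.com: the NS and glue records the parent publishes must agree with the child zone's own servers. The zone contents and addresses are constructed for illustration.

```python
# Added example: verify that a parent zone's delegation agrees with the
# delegated child zone. Zone contents and addresses are constructed.

# The company's zone: it delegates eng.xyz.com to the engineering
# department's two name servers and carries glue A records for them.
PARENT_ZONE = """
$ORIGIN xyz.com.
@        IN SOA  ns1.xyz.com. hostmaster.xyz.com. (2024010101 3600 900 604800 86400)
@        IN NS   ns1.xyz.com.
@        IN NS   ns2.xyz.com.
ns1      IN A    192.0.2.1
ns2      IN A    192.0.2.2
www      IN A    192.0.2.10
; delegation of the engineering subdomain, plus glue for its servers
eng      IN NS   ns1.eng.xyz.com.
eng      IN NS   ns2.eng.xyz.com.
ns1.eng  IN A    192.0.2.33
ns2.eng  IN A    192.0.2.34
"""

# The engineering department's zone. ns2 has moved to .35, but the parent's
# glue above still says .34: this is the one change the department must
# report to the company's DNS administrators.
CHILD_ZONE = """
$ORIGIN eng.xyz.com.
@        IN SOA  ns1.eng.xyz.com. hostmaster.eng.xyz.com. (2024010105 3600 900 604800 86400)
@        IN NS   ns1.eng.xyz.com.
@        IN NS   ns2.eng.xyz.com.
ns1      IN A    192.0.2.33
ns2      IN A    192.0.2.35
build    IN A    192.0.2.40
"""


def absolute(name, origin):
    """Turn a zone-file owner name into a fully qualified, lower-case name."""
    if name == "@":
        return origin.lower()
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text):
    """Parse a minimal RFC 1035 zone file into (owner, type, rdata_fields) triples.

    Handles $ORIGIN, '@', relative owner names and ';' comments. Records are
    assumed to be one per line, which is all the sample zones use.
    """
    origin = "."
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        owner, rest = line.split(None, 1)
        fields = rest.split()
        if fields[0].upper() == "IN":      # the class is optional in the samples
            fields = fields[1:]
        records.append((absolute(owner, origin), fields[0].upper(), fields[1:]))
    return records


def check_delegation(parent, child, apex):
    """Return the problems with the delegation of `apex` from parent to child.

    1. The NS set the parent advertises must equal the NS set at the child's apex.
    2. Every NS host inside the child zone needs a glue A record in the parent;
       without glue a resolver cannot find the child's servers at all.
    3. Each glue address must match the address the child itself publishes,
       which is exactly the value that changes when a server is re-addressed.
    """
    problems = []
    parent_ns = {r[2][0].lower() for r in parent if r[0] == apex and r[1] == "NS"}
    child_ns = {r[2][0].lower() for r in child if r[0] == apex and r[1] == "NS"}
    if parent_ns != child_ns:
        problems.append(f"NS set mismatch: parent {sorted(parent_ns)}, child {sorted(child_ns)}")
    glue = {r[0]: r[2][0] for r in parent if r[1] == "A" and r[0].endswith("." + apex)}
    child_a = {r[0]: r[2][0] for r in child if r[1] == "A"}
    for ns in sorted(parent_ns):
        if not ns.endswith("." + apex):
            continue   # out-of-zone server: found by normal resolution, no glue needed
        if ns not in glue:
            problems.append(f"missing glue A record for {ns}")
        elif child_a.get(ns) != glue[ns]:
            problems.append(f"stale glue for {ns}: parent says {glue[ns]}, child says {child_a.get(ns)}")
    return problems


if __name__ == "__main__":
    for p in check_delegation(parse_zone(PARENT_ZONE), parse_zone(CHILD_ZONE), "eng.xyz.com."):
        print("delegation problem:", p)
```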
Figure 9-1 The company's primary and secondary DNS servers, with a delegated subdomain

9.4.2 Having an ISP Provide the Primary DNS Service

For a small company or a home, it is usually recommended that the ISP provide the primary DNS service, as shown in Figure 9-2.

Figure 9-2 The ISP provides primary DNS service for the domain

A caching server can also be used to improve performance, or a secondary server to provide redundancy. If you do not have a secondary server, the ISP can easily provide one. In this case DNS is managed by the ISP, and the company itself need not be involved unless the ISP changes some of its information. For internal use, if Active Directory is used, configuring a single DNS server is sufficient. With this design every change requires communicating with the ISP, and the ISP must edit the zone file accordingly. One disadvantage is that a change sometimes takes a long time to take effect; the delay can reach 72 hours or more, depending on whether it is a holiday. Internal name resolution can simply be forwarded to the DNS server provided by the ISP. For small companies, installing Active Directory can provide a default template DNS service with this name and IP address. This design can be used when routed access to the ISP is configured. If the connection to the ISP is permanent, a caching server is very good; if the connection is dial-up or similar, installing a secondary DNS server is better, because local lookups can be done through the secondary without establishing a connection to the ISP.
Using a secondary server also makes it easy to verify that file changes are correct by checking the local copy of the zone file, which is updated from the ISP's primary server.

9.4.3 Having an ISP Provide Secondary DNS

In Figure 9-3 the company runs the primary DNS server, but the secondary is provided by an ISP or another company.

Figure 9-3 The ISP provides secondary DNS service

Remember that two servers are required for the domain: a primary and a secondary, or two secondaries, and they must be registered with the InterNIC. This arrangement helps improve the performance of the whole system, since DNS queries can go to several machines at different locations. It also provides redundancy: for example, if xyz.com's connection is down, its hosts can still be resolved by outside systems. It is important that DNS for the domain stays available, which is one reason why the primary and secondary servers cannot all sit behind a non-dedicated link (such as a dial-up link). If the primary server is used only internally, the public secondary is likely to stop resolving your domain: when the network is interrupted the public secondary cannot receive transfers from the primary, and eventually it has to expire the zone. So there should be a good connection, and you can selectively adjust the zone's timeout values.

9.4.4 Protecting the Primary Server from Unauthorized Access

To improve security you can register two secondary servers with the InterNIC instead of registering the primary, as shown in Figure 9-4.

Figure 9-4 Secondary servers answer external queries while the primary is hidden

The primary server is hidden from the host records of the zone file to keep hackers away from it. It still holds the zone data and passes the authoritative data to the secondaries by zone transfer. Although all the servers give authoritative answers, only the secondaries answer queries from outside. In addition, this configuration can allow zone transfers only to the secondaries, to prevent unauthorized parties from seeing the contents of the zone file.
This configuration keeps hackers from reaching hosts through the zone's resources. A router can also be used to block access to the primary server from outside.

9.4.5 Setting Up a Large Query Cache for a Large Site

If you want to reduce the queries that must be resolved by servers outside the enterprise (such as the ISP's DNS servers), you can set up a caching server for the whole site, as shown in Figure 9-5.

Figure 9-5 A site-wide caching server

A caching server answers queries faster than separate lookups would. Installing one or several caching servers for the site lets all the name servers forward to them, so that all requests and answers pass through one host, which in turn queries the company's other domain servers. The result is that queries for cached information can be answered without going to an outside name server.

9.4.6 Setting Up an Internal Private Primary and an External Primary

This arrangement, sometimes called split DNS, uses multiple primary servers to improve the security of the domain, as shown in Figure 9-6. Normally part of the name space is outside the firewall and the other part inside it, and the primary for the public name space is usually placed outside, in the demilitarized zone (DMZ). The real value of this arrangement is obvious to large enterprises.
Figure 9-6 Split DNS improves the security of zone data

Split DNS provides internal clients with a DNS server for querying internal addresses, so you do not have to publish all internal addresses for external clients to learn. The administrator decides which internal hosts are listed on the external DNS server and which only on the internal DNS server. The external primary's zone contains only the host records intended to be seen from outside, while the internal primary contains records for all hosts in the domain. The internal primary forwards any query it cannot answer directly to the external server and caches the result. This internal primary is in effect a slave of the external server, so it is not registered separately. Hiding the internal servers also reduces the targets available to outside hackers. Typically the internal network is connected to the external network through a firewall, and the firewall is a screening router rather than the router shown here. For large companies security is a big topic, and the DNS server holds extremely important data: access to every host in the domain! For this reason it is best to take appropriate measures to prevent access to the primary DNS server, since the primary holds the authoritative data that is transferred to the secondaries. Hackers know this well, and know how to mine that data for their purposes. This design is discussed further in the treatment of firewalls in Chapter 10.

9.5 Windows 2000 and Active Directory

Windows 2000 brings many more design requirements and options to the table.
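As an added example, not from the book, this Python derives the externally visible zone from the full internal zone as the split-DNS design requires, and audits it for the hidden-primary conditions of sections 9.4.4 and 9.4.6: the primary is neither advertised nor resolvable externally, no private address leaks, and zone transfers are allowed only to the public secondaries. All records, addresses and the transfer list are constructed sample data.

```python
# Added example: derive the external (public) view of a zone from the full
# internal zone, then audit it for the hidden-primary conditions. Records,
# addresses and the transfer list are constructed sample data, not the book's.

# Full internal zone for xyz.com as (owner, type, rdata) triples. The primary
# is "master.xyz.com." on a private address; ns1/ns2 are the public secondaries.
INTERNAL_ZONE = [
    ("xyz.com.",           "SOA", "master.xyz.com. hostmaster.xyz.com. 2024010101"),
    ("xyz.com.",           "NS",  "ns1.xyz.com."),
    ("xyz.com.",           "NS",  "ns2.xyz.com."),
    ("xyz.com.",           "NS",  "master.xyz.com."),
    ("xyz.com.",           "MX",  "10 mail.xyz.com."),
    ("master.xyz.com.",    "A",   "10.0.0.5"),
    ("ns1.xyz.com.",       "A",   "192.0.2.1"),
    ("ns2.xyz.com.",       "A",   "192.0.2.2"),
    ("www.xyz.com.",       "A",   "192.0.2.10"),
    ("mail.xyz.com.",      "A",   "192.0.2.11"),
    ("payroll.xyz.com.",   "A",   "10.0.1.20"),
    ("build.eng.xyz.com.", "A",   "10.0.2.40"),
]

# The administrator's decisions: which hosts may be seen from outside, which
# servers are registered as the domain's public name servers (the primary is
# deliberately absent), and which addresses the primary will transfer the zone to.
PUBLIC_HOSTS = {"www.xyz.com.", "mail.xyz.com.", "ns1.xyz.com.", "ns2.xyz.com."}
PUBLIC_NS = {"ns1.xyz.com.", "ns2.xyz.com."}
TRANSFER_ACL = {"192.0.2.1", "192.0.2.2", "10.0.0.9"}   # 10.0.0.9 is a stale entry


def build_external_zone(zone, public_hosts, public_ns):
    """Keep only what an outside resolver is meant to see: the SOA, NS records
    for the public secondaries, and A/MX records that point at public hosts."""
    external = []
    for owner, rtype, rdata in zone:
        if rtype == "SOA":
            external.append((owner, rtype, rdata))
        elif rtype == "NS":
            if rdata in public_ns:
                external.append((owner, rtype, rdata))
        elif rtype == "MX":
            if rdata.split()[1] in public_hosts:
                external.append((owner, rtype, rdata))
        elif owner in public_hosts:
            external.append((owner, rtype, rdata))
    return external


def is_private(ip):
    """True for RFC 1918 addresses, which must never appear in the external zone."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def audit_external_zone(external, transfer_acl):
    """Return the findings a reviewer would raise against the external view."""
    findings = []
    mname = next(r[2].split()[0] for r in external if r[1] == "SOA")
    ns_set = {r[2] for r in external if r[1] == "NS"}
    addr = {r[0]: r[2] for r in external if r[1] == "A"}
    if mname in ns_set:
        findings.append(f"primary {mname} is advertised in the public NS set")
    if mname in addr:
        findings.append(f"primary {mname} is resolvable from the external zone")
    for ns in sorted(ns_set):
        if ns not in addr:
            findings.append(f"public name server {ns} has no address in the external zone")
    for owner, ip in sorted(addr.items()):
        if is_private(ip):
            findings.append(f"{owner} leaks private address {ip}")
    # Zone transfers should go to exactly the public secondaries and nobody else.
    secondary_ips = {addr[ns] for ns in ns_set if ns in addr}
    extra = sorted(transfer_acl - secondary_ips)
    missing = sorted(secondary_ips - transfer_acl)
    if extra:
        findings.append(f"zone transfer permitted to non-secondary addresses {extra}")
    if missing:
        findings.append(f"public secondaries not permitted to transfer: {missing}")
    return findings


if __name__ == "__main__":
    public_view = build_external_zone(INTERNAL_ZONE, PUBLIC_HOSTS, PUBLIC_NS)
    for rec in public_view:
        print(*rec)
    for f in audit_external_zone(public_view, TRANSFER_ACL):
        print("finding:", f)
```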
Here the features covered are part of the operating system rather than of DNS itself, but they can effectively meet DNS design requirements.

9.5.1 Private Networks

For a well-connected network, the services Windows 2000 Server provides are very broad. The Routing and Remote Access service can provide intelligent control of the first hop for multi-homed machines. Moreover, TCP/IP can filter packets by IP protocol, TCP port and UDP port to restrict access to a machine to specific ports. As shown in Figure 9-7, by default all TCP/IP connections are permitted.

Figure 9-7 The security options of the Windows 2000 TCP/IP Properties dialog box

If you look at the Options tab of the Advanced TCP/IP Properties, you will find that Windows 2000 includes an IPSec implementation. To use this feature you need to specify a security policy for the domain, and you need a good deal of preparation for public keys. When extranet-type applications or high security are involved, you are likely to consider this option carefully. IPSec can be implemented in software, or better in hardware on the interface card, which reduces the burden on the CPU; this matters more for DNS and other servers.

9.5.2 Protection and Sharing of the Name Space

Once Active Directory is used, the essential information obtainable from DNS queries for SRV and other record types can be used by most system administrators. For this reason, and out of habit, it is recommended to put Active Directory behind the firewall, or outside the public name space on the Internet. A variant of the split design connects the two name spaces through forwarding and by updating the root hints. The public domain name and the internal domain name need not be the same: the internal name can be a subset of the formally registered name, a separate private name, or even an unregistered name. In the last case it is assumed that the chosen name is not disclosed; if that assumption is inconvenient, treat the internal domain name as if it were a controlled public domain name. Sometimes, after a while, the number of domain names is likely to grow, requiring Active Directory technology on the public network. For example, companies that provide services to their customers through directory services need a public Windows 2000 domain structure. In that case the company is likely to make that domain a "public use only" structure and keep other, internal Active Directories as discussed earlier.
In time, meta-directory services, which give users unified access to multiple directory services and sometimes give administrators a unified way to manage them, will make this situation more convenient and workable. The various virtual private network (VPN) types supported by Windows 2000 can support intranet-style enterprise networks, and together with the Remote Access Service can use the Internet to support distant small offices. Although your company's extranet and its communication with outside companies are beyond the scope of DNS design and service, DNS can support additional zones for them. Your company may have a separate Active Directory used purely internally and another for business communication, and the latter is likely to sit in the DMZ. Of course it has a separate domain name, but the DNS considerations are the same as before.

9.5.3 Placement of DNS Servers

When Active Directory is used across multiple sites, much of the design work involves the layout of domain controllers. This design work affects DNS. The effect exists when standard zones are used, and is especially obvious when Active Directory-integrated DNS zones are used. If the zone is a standard one, the location of the domain controllers indicates where local DNS resolution is required. Issues such as connectivity, bandwidth and the continuity of the domain controllers are all related to supporting DNS. The number of clients, and the need to operate independently across the network, indicate where domain controllers and DNS service should be. Because the zones are integrated, their data is automatically propagated to all domain controllers in the domain, whether or not the data is used there. Therefore, making use of the zone data at a site is done by installing another DNS server on the local domain controller. Because sites on a secure internal network prefer to use the dynamic update mechanism, with Microsoft's secure dynamic update the primary zone on the domain controller will record the registrations and updates. If you use a dynamic update system without the Active Directory integration mechanism, registrations and refreshes will be managed by a separate zone.

Placement of primary zones