Chapter 9 - Windows Support for DNS

Published: June 27, 2005 | Updated: April 18, 2006

Writer: Joe Davies

Abstract

This chapter describes the details of Domain Name System (DNS) support in Windows, which consists of the DNS Client and DNS Server services. The Microsoft® Windows® XP operating systems include the DNS Client service, and the Microsoft Windows Server™ 2003 operating systems include both the DNS Client and the DNS Server services. A network administrator must understand the capabilities and configuration of both the DNS Client and DNS Server services to effectively manage and troubleshoot a DNS name infrastructure and DNS name resolution behavior on a Windows network.

The entire "TCP/IP Fundamentals for Microsoft Windows" online book, which contains a version of this chapter that has been updated for Windows Vista and Windows Server 2008, is available as a download from Microsoft.

On This Page

Chapter Objectives
The DNS Client Service
The DNS Server Service
DNS Server Service Configuration
Using the Nslookup Tool
Chapter Summary
Chapter Glossary

Chapter Objectives

After completing this chapter, you will be able to:

  • Describe the capabilities and configuration of the DNS Client service.

  • Describe the name resolution process of the DNS Client service.

  • List and describe the features of the DNS Server service.

  • Install the DNS Server service, and configure its properties.

  • Configure DNS zones and zone transfers.

  • Delegate authority for zones.

  • Configure DNS dynamic update behavior for both the DNS Client service and the DNS Server service.

  • Configure Windows Internet Name Service (WINS) lookup and WINS reverse lookup.

  • Describe how to use the Nslookup tool.

The DNS Client Service

The DNS Client service in Windows Server 2003 and Windows XP is responsible for name resolution, caching of name resolution attempts (including negative caching), tracking connection-specific domain names, and prioritizing multiple resource records of the same type based on their IP addresses.

The following sections describe how to configure the DNS Client service and how it resolves names.

DNS Client Configuration

You can configure the DNS Client service in the following ways:

  • Automatically, using Dynamic Host Configuration Protocol (DHCP) and DHCP options.

  • Manually, using either the Netsh tool or the properties of the Internet Protocol (TCP/IP) component in the Network Connections folder.

  • Automatically, for Point-to-Point Protocol (PPP) connections.

  • Automatically, using Computer Configuration Group Policy.

To determine the IP addresses of the DNS servers and the DNS domain name assigned to the connections of your computer running Windows Server 2003 or Windows XP, do one of the following:

  • Use the ipconfig /all command.

  • Use the netsh interface ip show dns command.

  • Open the Network Connections folder, right-click a connection, and click Status. Click the Support tab, and then click Details.

The following sections describe how to configure the DNS Client service.

DHCP Configuration of the DNS Client Service

As described in Chapter 6, "Dynamic Host Configuration Protocol," DHCP provides IP configuration information to DHCP clients. You can assign the IPv4 addresses of DNS servers to DHCP clients by configuring the DNS Servers DHCP option (option 6). You can assign a DNS domain name to DHCP clients by configuring the DNS Domain Name DHCP option (option 15). If DNS servers or the connection-specific domain name are manually configured in the properties of the Internet Protocol (TCP/IP) component, the DNS Client service ignores the DHCP-based DNS settings.

Manual Configuration of the DNS Client Service Using Network Connections

To manually configure the DNS Client service on a specific connection using the Network Connections folder, obtain the properties of the Internet Protocol (TCP/IP) component for the network connection. You can configure the following DNS Client service settings from the properties of the Internet Protocol (TCP/IP) component:

  • Primary and alternate DNS server addresses for the connection.

  • Primary and alternate DNS server addresses for the alternate configuration for the connection.

  • Advanced DNS server properties.

Figure 9-1 shows the configuration of primary and alternate DNS server addresses on the General tab.

Figure 9-1  Primary and alternate DNS servers on the General tab

In this example, IPv4 addresses for primary and alternate DNS servers are configured for a connection with a static IPv4 address configuration. You can also configure addresses for primary and alternate DNS servers even when the connection is configured to obtain an IPv4 address automatically (using DHCP).

As Figure 9-2 shows, you can also specify the IPv4 addresses of a primary and an alternate DNS server when you configure an alternate configuration (for example, so that you can seamlessly operate your laptop computer on a work network that uses DHCP and on a home network that uses static IPv4 configuration).

Figure 9-2  Primary and alternate DNS servers on the Alternate Configuration tab

The example in Figure 9-2 shows the configuration of a primary DNS server corresponding to an Internet gateway device (IGD) on a home network. The IGD is acting as a DNS server for all of the computers on the home network.

To manually configure the IPv4 addresses of more than two DNS servers or to configure additional DNS Client service settings for a connection, open the Network Connections folder, right-click the connection, and click Properties. Then click Internet Protocol (TCP/IP) without clearing its check box, click Properties, click Advanced, and then click the DNS tab. Figure 9-3 shows an example of the DNS tab.

Figure 9-3  The DNS tab from the advanced configuration of Internet Protocol (TCP/IP)

From the DNS tab, you can configure the following:

  • DNS server addresses, in order of use  Lists one or more DNS servers that the computer queries, in order. If you want to manually configure more than two DNS servers, you must add them to this list and configure their order.

  • Append primary and connection-specific DNS suffixes  Specifies whether you want to use the primary and connection-specific DNS suffixes to attempt to resolve unqualified names. An unqualified name has no trailing period, such as "dev.example". In contrast, a fully qualified name has a trailing period, such as "dev.example.com." The primary DNS suffix is assigned to the computer and configured from the Computer Name tab of the System item in Control Panel. Connection-specific DNS suffixes are assigned to each connection, either manually or through the DNS Domain Name DHCP option. For more information about the name resolution process, see the “Name Resolution Behavior” section of this chapter.

  • Append parent suffixes of the primary DNS suffix  Specifies that during name resolution, the DNS Client service uses the parent suffixes of the primary DNS suffix, up to the second-level domain, in an attempt to resolve unqualified host names.

  • Append these DNS suffixes  Specifies a list of DNS suffixes to try during name resolution, instead of the primary and connection-specific DNS suffixes.

  • DNS suffix for this connection  Specifies a DNS suffix for this specific connection. The DNS Client service uses the connection-specific suffix to identify this connection on the computer, whereas the DNS Client service uses the primary suffix to identify the computer regardless of the connection. If you specify a DNS suffix, the DNS Client service ignores the DNS suffix obtained through the DNS Domain Name DHCP option.

  • Register this connection's addresses in DNS  Specifies that the DNS Client service uses DNS dynamic update to register the IP addresses of this connection with the primary name of the computer, which consists of the computer name combined with the primary suffix.

  • Use this connection's DNS suffix in DNS registration  Specifies that the DNS Client service uses DNS dynamic update to register the IP addresses of this connection with the name of the connection—the computer name combined with the connection-specific suffix—in addition to the primary name of the computer.

Manual Configuration Using Netsh

You can also configure DNS server settings for the DNS Client service from the command line. To configure these settings for the local computer or a remote computer, use the Netsh tool and the following command:

netsh interface ip set dns [name=]String [source=]dhcp|static [addr=]IPAddress|none  [[register=]none|primary|both]

The netsh interface ip set dns parameters are the following:

  • name is the name of the connection as it appears in the Network Connections folder.

  • source is either dhcp, which sets DHCP as the source for configuring DNS servers for the specific interface, or static, which sets the source for configuring DNS servers to local static configuration.

  • addr is either an IPv4 address for a DNS server or none, which clears the list of DNS servers.

  • For the register parameter, specify none, to disable DNS dynamic update registration; primary, to register using the primary DNS suffix only; both, to register using both the primary DNS suffix and the connection-specific suffix.

To configure a remote computer, use the –r RemoteComputer parameter as the last parameter in the command line.

By default, the DNS Client service uses IPv4 for all DNS messages. If you have installed the Microsoft TCP/IP version 6 component and you have IPv6-capable DNS servers, you can configure the DNS Client service with the IPv6 addresses of DNS servers so that it uses IPv6 for all DNS messages. Use the following command:

netsh interface ipv6 add dns interface=NameOrIndex address=IPv6Address index=PreferenceLevel

The netsh interface ipv6 add dns parameters are the following:

  • interface is the name of the connection as it appears in the Network Connections folder or its IPv6 interface index.

  • address is the IPv6 address of a DNS server.

  • index is a number indicating the preference level of a specific DNS server. You use the index number to specify an order to the DNS servers. The DNS server with the highest preference level is used first.

Configuration for Remote Access Clients

Dial-up or virtual private network-based remote access clients running Windows XP or Windows Server 2003 obtain the initial configuration of a primary and alternate DNS server during the negotiation of the Point-to-Point Protocol (PPP) connection. The PPP negotiation includes the Primary DNS Server Address and Secondary DNS Server Address options in the Internet Protocol Control Protocol (IPCP) as specified in RFC 1877.

Remote access clients running Windows XP or Windows Server 2003 also use a DHCPInform message to obtain an updated list of DNS servers and the DNS domain name. If the remote access server running Windows Server 2003 is correctly configured with the DHCP Relay Agent routing protocol component, it forwards the DHCPInform message to a DHCP server and forwards the response (a DHCPAck message) back to the remote access client. For more information about remote access servers and connections, see Chapter 14, "Virtual Private Networking."

If the remote access client receives a response to the DHCPInform message, the DNS servers contained in the DHCPAck message replace the DNS servers configured during the PPP connection negotiation.

Configuration of DNS Settings Using Group Policy

You can also configure DNS settings using Computer Configuration Group Policy and the Group Policy Object Editor snap-in. By using this snap-in, you can modify Group Policy objects for system containers (such as sites, domains, or organizational units) within the Active Directory® directory system. To configure DNS settings, open the Group Policy Object Editor snap-in, and click the Computer Configuration\Administrative Templates\Network\DNS Client node in the tree, as Figure 9-4 shows.

Figure 9-4  DNS settings in Computer Configuration Group Policy

Group Policy-based DNS settings override the equivalent settings configured on the local computer or through DHCP.
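The following Python example (added here; it is not part of the chapter and not Microsoft code) decodes the two DHCP options the chapter names, DNS Servers (option 6) and DNS Domain Name (option 15), from the raw DHCP options field, and then applies the precedence the chapter describes: manually configured settings override DHCP-supplied ones, and Group Policy settings override both. The DHCP options blob is constructed for the example. A per-setting "source" is returned so that, when auditing a host, you can tell whether a DHCP-supplied server list is actually the one being honoured.

```python
import struct

# DHCP option codes from the chapter; 0 and 255 are the standard pad and end markers.
OPT_PAD, OPT_DNS_SERVERS, OPT_DOMAIN_NAME, OPT_END = 0, 6, 15, 255


def parse_dhcp_options(blob: bytes) -> dict:
    """Decode a DHCP options field (code, length, value triples) into {code: value}."""
    opts, off = {}, 0
    while off < len(blob):
        code = blob[off]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            off += 1
            continue
        length = blob[off + 1]
        value = blob[off + 2: off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        off += 2 + length
    return opts


def dns_servers_from_option(value: bytes) -> list:
    """Option 6 carries one or more 4-byte IPv4 addresses, in order of preference."""
    if len(value) == 0 or len(value) % 4:
        raise ValueError("option 6 length must be a non-zero multiple of 4")
    return [".".join(str(b) for b in value[i:i + 4]) for i in range(0, len(value), 4)]


def effective_dns_settings(dhcp_options=b"", manual_servers=(), manual_suffix="",
                           policy_servers=None, policy_suffix=None) -> dict:
    """Apply the chapter's precedence: Group Policy > manual configuration > DHCP.

    policy_* are None when no Group Policy setting is applied; an empty manual
    value means "not configured" and lets the DHCP value through.
    """
    opts = parse_dhcp_options(dhcp_options)
    servers = dns_servers_from_option(opts[OPT_DNS_SERVERS]) if OPT_DNS_SERVERS in opts else []
    suffix = opts[OPT_DOMAIN_NAME].decode("ascii").rstrip("\x00") if OPT_DOMAIN_NAME in opts else ""
    sources = {"servers": "dhcp" if servers else "none", "suffix": "dhcp" if suffix else "none"}
    if manual_servers:
        servers, sources["servers"] = list(manual_servers), "manual"
    if manual_suffix:
        suffix, sources["suffix"] = manual_suffix, "manual"
    if policy_servers is not None:
        servers, sources["servers"] = list(policy_servers), "group policy"
    if policy_suffix is not None:
        suffix, sources["suffix"] = policy_suffix, "group policy"
    return {"servers": servers, "suffix": suffix, "sources": sources}


# Constructed sample: option 6 with two servers, option 15 "corp.example.com", then END.
SAMPLE_OPTIONS = (bytes([OPT_DNS_SERVERS, 8, 10, 0, 0, 53, 10, 0, 1, 53])
                  + bytes([OPT_DOMAIN_NAME, 16]) + b"corp.example.com"
                  + bytes([OPT_END]))

if __name__ == "__main__":
    print(effective_dns_settings(SAMPLE_OPTIONS))
    print(effective_dns_settings(SAMPLE_OPTIONS, manual_servers=["192.0.2.1"]))
    print(effective_dns_settings(SAMPLE_OPTIONS, manual_servers=["192.0.2.1"],
                                 policy_servers=["198.51.100.1"]))
```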

Name Resolution Behavior

When an application uses the getaddrinfo() or gethostbyname() Windows Sockets functions, the resolver component of the DNS Client service performs name resolution as described in Chapter 7, “Host Name Resolution.” The DNS Client service checks the local host name and the local DNS client resolver cache, and then the service sends out DNS Name Query Request messages.

If DNS name resolution fails, the resolver checks the length of the name. If the name is longer than 15 bytes, name resolution fails and TCP/IP for Windows indicates the error condition to the application. If the name is 15 bytes or shorter, the resolver checks whether NetBIOS over TCP/IP is enabled. If it is not enabled, name resolution fails. If NetBIOS is enabled, the resolver converts the name to a NetBIOS name and attempts NetBIOS name resolution. For more information about NetBIOS name resolution, see Chapter 11, "NetBIOS Over TCP/IP."

Before the resolver sends any DNS Name Query Request messages, it determines the type of name to resolve. An application can submit one of the following types of names:

  • Fully qualified domain name (FQDN)

    Names that are terminated with a period, indicating the name relative to the root domain of the DNS. For example, host7.example.com. is an FQDN.

  • Single-label, unqualified domain names

    Names that consist of a single label and contain no periods. For example, host7 is a single-label, unqualified domain name.

  • Multiple-label, unqualified domain names

    Names that contain more than one label and one or more periods but are not terminated with a period. For example, host7.example or example.com are multiple-label, unqualified domain names.

Name Resolution for FQDNs

When the application specifies an FQDN, the resolver queries DNS using that name. No other combinations are tried.

Name Resolution for Single-Label, Unqualified Domain Names

When the application specifies a single-label, unqualified domain name, the resolver systematically appends different DNS suffixes to the single-label, unqualified domain name; adds periods to make them FQDNs; and submits them to DNS for name resolution. The resolver appends the DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes or Append these suffixes check boxes on the DNS tab in the Advanced TCP/IP Settings dialog box of the Internet Protocol (TCP/IP) component.

If the Append primary and connection specific DNS suffixes check box is selected, the resolver appends the following names and sends separate queries:

  • The primary DNS suffix, as specified on the Computer Name tab of the System item of Control Panel.

  • Each connection-specific DNS suffix, assigned either through DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP Settings dialog box for each connection.

If resolution is still not successful and the Append parent suffixes of the primary DNS suffix check box is selected, the resolver creates new FQDNs by appending the single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping at the second-level domain name. This process is known as name devolution. For example, if the application specified the name emailsrv7 and the primary DNS suffix is central.example.com., the resolver tries to resolve the FQDNs of emailsrv7.central.example.com. and emailsrv7.example.com.

If resolution is still not successful and the Append these suffixes check box is selected, the resolver appends each suffix from the search list in order and submits the FQDN to the DNS server until the resolver finds a match or reaches the end of the list. For example, if the application specified the name filesrv11 and the DNS suffix list consists of admin.wcoast.example.com., admin.ecoast.example.com., and admin.central.example.com., the resolver tries the FQDNs of filesrv11.admin.wcoast.example.com., filesrv11.admin.ecoast.example.com., and filesrv11.admin.central.example.com.

Name Resolution for Multiple-Label, Unqualified Domain Names

When an application specifies a multiple-label, unqualified domain name, the DNS resolver uses the same process as that for a single-label, unqualified domain name to resolve the name.
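The following Python example (added here; not from the chapter and not the Windows resolver's code) models the order in which the resolver builds FQDNs for an unqualified name from the settings described above, and the NetBIOS fallback check that applies once DNS has failed. Two behaviours are assumptions of the model, not statements from the chapter: a suffix that would produce the same FQDN twice is queried once, and the NetBIOS name is rendered as the name in uppercase padded to 15 characters. The list this returns is what to look at when reviewing a suffix search list: every entry is a separate query, so a mistyped single-label name is offered to each of those zones in turn, and if none of them answers and NetBT is enabled the name goes out as a NetBIOS query on the local segment.

```python
def _join(name: str, suffix: str) -> str:
    """Append a suffix and terminate with a period so the result is an FQDN."""
    return f"{name}.{suffix.strip('.')}."


def devolved_suffixes(primary_suffix: str) -> list:
    """Name devolution: the parents of the primary suffix, stopping at the second-level domain."""
    labels = primary_suffix.strip(".").split(".")[1:]
    parents = []
    while len(labels) >= 2:
        parents.append(".".join(labels) + ".")
        labels = labels[1:]
    return parents


def candidate_fqdns(name, primary_suffix="", connection_suffixes=(), search_list=(),
                    append_primary_and_connection=True, append_parent_suffixes=True):
    """Return, in order, the FQDNs the resolver submits to DNS for NAME.

    search_list models "Append these DNS suffixes": when non-empty it is used
    instead of the primary and connection-specific suffixes (and no devolution).
    """
    if name.endswith("."):
        return [name]            # FQDN: queried as given, no other combinations tried
    suffixes = []
    if search_list:
        suffixes = list(search_list)
    elif append_primary_and_connection:
        if primary_suffix:
            suffixes.append(primary_suffix)
        suffixes.extend(connection_suffixes)
        if append_parent_suffixes and primary_suffix:
            suffixes.extend(devolved_suffixes(primary_suffix))
    seen, candidates = set(), []
    for suffix in suffixes:
        fqdn = _join(name, suffix)
        if fqdn not in seen:     # assumption: an FQDN is not queried twice
            seen.add(fqdn)
            candidates.append(fqdn)
    return candidates


def netbios_fallback(name: str, netbt_enabled: bool):
    """After DNS fails: the 15-character, space-padded NetBIOS name that will be
    tried (the 16th byte is the service suffix), or None when the name is longer
    than 15 bytes or NetBIOS over TCP/IP is disabled."""
    if not netbt_enabled or len(name.encode("ascii", "ignore")) > 15:
        return None
    return name.upper().ljust(15)


if __name__ == "__main__":
    # The chapter's own examples, reproduced through the model.
    print(candidate_fqdns("emailsrv7", primary_suffix="central.example.com."))
    print(candidate_fqdns("filesrv11", search_list=("admin.wcoast.example.com.",
                                                   "admin.ecoast.example.com.",
                                                   "admin.central.example.com.")))
    print(repr(netbios_fallback("emailsrv7", netbt_enabled=True)))
```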

IPv6 Addresses Used First  

When a DNS server replies with a DNS Name Query Response message that contains both IPv4 addresses and IPv6 addresses and the IPv6 protocol is installed on the DNS client, the resolver returns IPv6 addresses to the application before IPv4 addresses.

The DNS Server Service

The DNS Server service in Windows Server 2003 supports the following features:

  • An Internet standards-compliant DNS server

    DNS is an open protocol and is standardized by a set of Internet Engineering Task Force (IETF) RFCs. The DNS Server service in Windows Server 2003 supports and complies with these standard specifications.

  • Interoperability with other DNS server implementations

    Because the DNS Server service is RFC-compliant and uses standard DNS data file and resource record formats, it can successfully work with most other DNS server implementations, such as those that use the Berkeley Internet Name Domain (BIND) software.

  • Support for Active Directory

    DNS is required to support Active Directory. If you make a server an Active Directory domain controller, you can automatically install and configure the DNS Server service on that server.

  • Enhancements to DNS zone storage in Active Directory

    DNS zones can be stored in the domain or application directory partitions of Active Directory. A partition is a data structure stored in Active Directory that is used for different replication purposes. You can specify in which Active Directory partition to store the zone and, consequently, the set of domain controllers among which the zone's data is replicated.

  • Conditional forwarding

    The DNS Server service extends standard forwarder support with additional capability as a conditional forwarder. A conditional forwarder is a DNS server that forwards DNS queries according to the DNS domain name in the query. For example, you can configure a DNS server to forward all the queries it receives for names ending with wcoast.example.com to one or multiple DNS servers.

  • Stub zones

    DNS supports a new zone type called a stub zone, which is a copy of a zone that contains only the resource records required to identify the authoritative DNS servers for that zone. A DNS server that hosts a parent zone and a stub zone for one of the parent zone's delegated child zones can receive updates from the authoritative DNS servers for the child zone.

  • Integration with other Microsoft networking services

    The DNS Server service offers integration with other services and contains features beyond those specified in the DNS RFCs. These include integration with Active Directory, WINS, and DHCP.

  • Improved ease of administration

    The DNS snap-in offers a graphical user interface for managing the DNS Server service. Also, you can use several configuration wizards to perform common tasks for administering servers.

    You can also use the Dnscmd command-line tool to perform most of the tasks that you can perform from the DNS snap-in. You can also use Dnscmd to write scripts and administer remote DNS servers. Dnscmd is one of the Windows Support Tools installed from the \Support\Tools folder on the Windows Server 2003 product CD.

  • RFC-compliant support for the DNS dynamic update protocol

    The DNS Server service allows clients to dynamically update address and pointer resource records, based on the DNS dynamic update protocol that RFC 2136 defines. DNS dynamic update eliminates the administration associated with manually managing DNS address and pointer records. Computers running Windows Server 2003 or Windows XP can dynamically register their DNS names and IP addresses.

  • Support for secure dynamic updates in zones that are integrated with Active Directory

    You can configure zones that are integrated with Active Directory for secure dynamic update. With secure dynamic update, only authorized computers can make changes to a resource record.

  • Support for incremental zone transfer between servers

    DNS servers use zone transfers to replicate information about a portion of the DNS namespace. The DNS Server service uses incremental zone transfers to replicate only the changed portions of a zone, conserving network bandwidth.

  • Support for new resource record types

    The DNS Server service includes support for several new resource record (RR) types, such as service location (SRV) and Asynchronous Transfer Mode address (ATMA) resource records. These types expand the use of DNS as a name database service.

  • Support for aging and scavenging of records

    The DNS service is capable of aging and scavenging records. When enabled, this feature can remove stale records from DNS.

Support for Active Directory and DNS integration is not included on computers running the Microsoft Windows Server 2003, Web Edition, operating system.

Installing the DNS Server Service

You can install the DNS Server service in Windows Server 2003 in the following ways:

  • As a Windows component using the Add or Remove Programs item of Control Panel.

  • Using the Active Directory Installation Wizard (Dcpromo.exe).

  • Using the Manage Your Server Wizard.

To install the DNS Server service with Add or Remove Programs, do the following:

  1. Click Start, click Control Panel, double-click Add or Remove Programs, and then click Add/Remove Windows Components.

  2. In Components, select the Networking Services check box, and then click Details.

  3. In Subcomponents of Networking Services, select the Domain Name System (DNS) check box, click OK, and then click Next.

  4. If prompted, in Copy files from, type the full path to the distribution files for Windows Server 2003, and then click OK.

To perform this procedure, you must be logged on as a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure.

After you install the DNS Server service, you can decide how to configure it and its zones. Local text files contain information about zones and the boot process for the DNS Server service, and you can use a text editor to update that information. However, this method is not described in this chapter. The DNS snap-in and the Dnscmd command-line tool simplify maintenance of the DNS Server service, and you should use them whenever possible. After you begin to use snap-in-based or command-line management of the DNS Server service, manually editing the text files is not recommended.

DNS and Active Directory

DNS and Active Directory are integrated to provide a location service for Active Directory operations and to store DNS zones in Active Directory, taking advantage of Active Directory security and replication.

A directory is a hierarchical structure that stores information about objects on the network. A directory service, such as Active Directory, provides the methods for storing directory data and making this data available to network users and administrators. For example, Active Directory stores information about user accounts such as names, locations, phone numbers, and so on, and Active Directory enables authorized users on the same network to access this information.

Active Directory Location Service

Active Directory requires the use of DNS to store various types of DNS resource records so that Active Directory clients and domain controllers can locate one another and perform various types of domain operations.

For example, an Active Directory client that starts up uses DNS queries to locate the nearest Active Directory domain controller in its site to perform logon and authentication functions. To facilitate this location service for Active Directory clients, the following records must exist in the DNS servers that the Active Directory clients use:

  • The _ldap._tcp.dc._msdcs.DNSDomainName service (SRV) resource record

  • The address (A) resource records for the DNS names of the domain controllers specified in the data field of the _ldap._tcp.dc._msdcs.DNSDomainName SRV resource records

These records are automatically added when you install a DNS server using the Active Directory Installation Wizard.
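The following Python example (added here; it is not code from the chapter or from Windows) shows the wire-level side of that location step: it builds the SRV query for _ldap._tcp.dc._msdcs.DNSDomainName, then parses a DNS response into the (priority, weight, port, target) tuples of the SRV records plus the A records returned for the targets, following name-compression pointers as a real answer would contain. The response is constructed inline for the example, so the code runs offline; on a live network the client follows whatever SRV and A records the DNS server hands back, which is why the chapter's later point about secure dynamic update applies to these records in particular.

```python
import struct

QTYPE_A, QTYPE_SRV, QCLASS_IN = 1, 33, 1


def dc_locator_name(dns_domain_name: str) -> str:
    """The SRV owner name the DNS Client queries to find domain controllers."""
    return f"_ldap._tcp.dc._msdcs.{dns_domain_name.strip('.')}."


def encode_name(name: str) -> bytes:
    """Wire format: length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split(".")) + b"\x00"


def build_srv_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard query, recursion desired, one question for NAME/SRV/IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_SRV, QCLASS_IN)


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name at OFF; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2                           # resume after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg: bytes):
    """Return (sorted SRV records, {target name: IPv4}) from a DNS response."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                 # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    srv, addrs = [], {}
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = decode_name(msg, off + 6)      # target may be compressed
            srv.append((prio, weight, port, target))
        elif rtype == QTYPE_A and rdlen == 4:
            addrs[name] = ".".join(str(b) for b in msg[off:off + 4])
        off += rdlen
    srv.sort(key=lambda r: (r[0], -r[1]))               # lowest priority first, then highest weight
    return srv, addrs


def build_sample_response(query: bytes) -> bytes:
    """Constructed answer for the example: one SRV for dc1 plus its A record.

    Offset 12 is the question name; offset 33 is the "example.com" part of it,
    so both the answer owner and the SRV target use compression pointers.
    """
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    target = b"\x03dc1\xC0\x21"
    answer = (b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_SRV, QCLASS_IN, 600, 6 + len(target))
              + struct.pack("!HHH", 0, 100, 389) + target)
    additional = target + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 600, 4) + bytes([10, 0, 0, 5])
    return header + query[12:] + answer + additional


if __name__ == "__main__":
    q = build_srv_query(dc_locator_name("example.com"))
    print(parse_response(build_sample_response(q)))
```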

Storage of Zones Integrated with Active Directory

After you have installed Active Directory, you have two options for storing and replicating your zones when the DNS Server service is running on a domain controller:

  • Standard zone storage, using a text-based file.

    Zones are located in .Dns files that are stored in the systemroot\System32\Dns folder. Zone file names correspond to the zone root name. For example, the wcoast.example.com. domain uses the wcoast.example.com.dns file.

  • Directory-integrated zone storage, using the Active Directory database.

    Zones are located in the Active Directory tree under the domain or application directory partition. Each directory-integrated zone is stored in a dnsZone container object that corresponds to the zone root name.

For networks deploying DNS to support Active Directory, directory-integrated primary zones are strongly recommended and provide the following benefits:

  • Zones have multimaster update and enhanced security based on the capabilities of Active Directory.

    In a standard zone storage model, DNS updates are conducted based on a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary server for the zone, and that server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone.

    With directory-integrated storage, updates to DNS are conducted based on a multimaster update model. In this model, any authoritative DNS server, such as a domain controller running a DNS server, is designated as a primary source for the zone. Because the master copy of the zone is maintained in the Active Directory database, which is fully replicated to all domain controllers, the DNS servers operating on any domain controller for the domain can update the zone.

  • Zones are replicated and synchronized to new domain controllers automatically whenever a zone is added to an Active Directory domain.

    Although you can selectively remove the DNS Server service from a domain controller, directory-integrated zones are already stored at each domain controller, so zone storage and management is not an additional resource. Also, the methods used to synchronize directory-stored information offer performance improvement over standard zone update methods, which can potentially require transfer of the entire zone.

  • By integrating storage of your DNS zone databases in Active Directory, you can streamline database replication planning for your network.

    When your DNS namespace and Active Directory domains are stored and replicated separately, you need to plan and potentially administer each separately. For example, when using standard DNS zone storage and Active Directory together, you would need to design, implement, test, and maintain two different database replication topologies. You need one replication topology for replicating directory data between domain controllers, and you need another topology for replicating zone databases between DNS servers. With integrated DNS zone storage in Active Directory, you must design and maintain only an Active Directory replication.

  • Directory replication is faster and more efficient than standard DNS replication.

    Because Active Directory replication processing is performed on a per-property basis, only relevant changes are propagated. Therefore, directory-stored zones require less traffic to synchronize changes across the replication topology.

Only primary zones can be stored in the directory. A DNS server cannot store secondary zones in Active Directory. It must store them in standard text files. The multimaster replication model of Active Directory removes the need for secondary zones when all the zones are stored in Active Directory. When all of the DNS servers in your organization are also domain controllers, all of your DNS servers are primary servers for all of your zones.

DNS Server Service Configuration

The configuration of the DNS Server service consists of a set of properties for the DNS server and forward and reverse lookup zone files.

Properties of the DNS Server

To modify the properties of a DNS server, open the DNS snap-in, right-click the name of the server in the tree, and then click Properties. Figure 9-5 shows an example of the resulting ServerName Properties dialog box.

Figure 9-5  The properties dialog box for a DNS server

From this dialog box, you can configure properties on the following tabs:

  • Interfaces  You can specify the IPv4 addresses on which the DNS Server service is listening for incoming DNS messages. You can specify all the IPv4 addresses assigned to the DNS server, or you can specify individual addresses (and, therefore interfaces) on which you want to receive DNS traffic as a DNS server.

  • Forwarders  You can specify the forwarding behavior of this DNS server including the ability to forward based on a specific domain name (conditional forwarding), the list of IP addresses to which the server should forward DNS traffic, timeout behavior, and whether to use recursive queries for each domain.

  • Advanced  You can enable various options (such as round robin and subnet prioritization), the data format for checking names, the location of zone data (Active Directory or local files), and scavenging settings.

  • Root Hints  You can configure the set of root domain servers that this DNS server uses during iterative queries. Changes that you make on the Root Hints tab are updated in the Cache.dns file, which is stored in the systemroot\System32\Dns folder. Using the Root Hints tab is the recommended method of maintaining the list of root domain servers, rather than using a text editor to modify the Cache.dns file.

  • Debug Logging  You can enable and configure various options for the DNS debug log file, which you can use when troubleshooting DNS issues. The DNS debug log file is stored in systemroot\System32\Dns\Dns.log. By default, debug logging is disabled.

  • Event Logging  You can specify the level of logging for information stored in the DNS event log, which you can view with the Event Viewer snap-in. By default, logging is enabled for all events.

  • Monitoring  You can perform simple diagnostic functions to ensure the correct configuration and operation of the DNS server, such as performing recursive and iterative queries and electing to run them as needed or at a specified interval.

  • Security  You can specify access control lists (ACLs) for DNS server administration. For more information about ACLs, see Help and Support for Windows Server 2003.

Maintaining Zones

You can use the DNS snap-in to administer two main types of zones:

  • Forward lookup zones

  • Reverse lookup zones

Forward Lookup Zones

To create a forward lookup zone by using the DNS snap-in, open the snap-in, right-click the Forward Lookup Zones node in the tree, and click New Zone. The New Zone Wizard launches and guides you through creating a forward lookup zone. In the New Zone Wizard, you must specify the following:

  • Whether to create a primary, secondary, or stub zone

  • Whether to store the zone in Active Directory

  • For Active Directory storage, whether to replicate the zone to all DNS servers in the forest, to all DNS servers in the domain, or to all domain controllers in the domain

  • What the FQDN of the zone should be

  • Whether to allow both nonsecure and secure dynamic updates, only secure dynamic updates (available only for zones stored in Active Directory), or no dynamic updates

  • For secondary and stub zones, from which master name servers (as specified by IPv4 address) the DNS Server service obtains the zone data

To modify the properties of a forward lookup zone, open the DNS snap-in, right-click the zone under the Forward Lookup Zones folder in the tree, and click Properties. Figure 9-6 shows an example of the resulting ForwardZoneName Properties dialog box.


Figure 9-6  The properties dialog box for a forward lookup zone

From this dialog box, you can configure properties on the following tabs:

  • General  You can specify the zone's state (running or paused), the type of zone (primary, secondary, or stub), its replication scope, and behaviors for dynamic update and aging/scavenging.

  • Start of Authority (SOA) You can view or specify all of the parameters of the SOA resource record for the zone.

  • Name Servers  You can view and change all of the Name Server (NS) resource records for the zone.

  • WINS  You can specify the WINS lookup behavior. For more information, see "DNS and WINS Integration" in this chapter.

  • Zone Transfers  You can specify the zone transfer behavior for the zone (whether to allow zone transfers, to which servers, and the notify list).

  • Security  You can specify ACLs for zone administration.

Reverse Lookup Zones

To create a reverse lookup zone in the DNS snap-in, open the snap-in, right-click the Reverse Lookup Zones node in the tree, and click New Zone. The New Zone Wizard launches and guides you through creating a reverse lookup zone. In the New Zone Wizard, you must specify the following:

  • Whether to create a primary, secondary, or stub zone

  • Whether to store the zone in Active Directory

  • For Active Directory storage, whether to replicate the zone to all DNS servers in the forest, to all DNS servers in the domain, or to all domain controllers in the domain

  • Either the IPv4 address prefix (up to the third octet) or the reverse lookup zone name

  • Whether to allow both nonsecure and secure dynamic updates, only secure dynamic updates (available only for zones stored in Active Directory), or no dynamic updates

  • For secondary and stub zones, from which master name servers (as specified by IPv4 address) the DNS Server service obtains the zone data

To modify the properties of a reverse lookup zone, open the DNS snap-in, right-click the zone under the Reverse Lookup Zones folder in the tree, and click Properties. Figure 9-7 shows an example of the resulting ReverseZoneName Properties dialog box.


Figure 9-7  The properties dialog box for a reverse lookup zone

From this dialog box, you can configure properties on the following tabs:

  • General  You can specify the zone's state (running or paused), the type of zone (primary, secondary, or stub), its replication scope, and behaviors for dynamic update and aging/scavenging.

  • Start of Authority (SOA)  You can view or specify all of the parameters of the SOA resource record for the zone.

  • Name Servers  You can view and change all of the Name Server (NS) resource records for the zone.

  • WINS-R  You can specify the WINS reverse lookup behavior. For more information, see "DNS and WINS Integration" in this chapter.

  • Zone Transfers  You can specify the zone transfer behavior for the zone (whether to allow zone transfers, to which servers, and the notify list).

  • Security  You can specify ACLs for zone administration.

Delegation

To perform a delegation, open the DNS snap-in, right-click the parent zone in the tree, and then click New Delegation. The New Delegation Wizard launches and guides you through creating delegation and glue records for a subdomain of an existing domain. In the New Delegation Wizard, you must specify:

  • The name of the domain to delegate.

  • The FQDN and IPv4 addresses of the DNS servers to which the domain is being delegated.

To complete the delegation, you create the delegated domain zones on the servers specified in the New Delegation Wizard.

Zone Transfers

You can configure zone transfers from the Zone Transfers tab in the properties dialog box for the zone. Figure 9-8 shows an example of the Zone Transfers tab for a forward lookup zone.


Figure 9-8  The Zone Transfers tab for a forward lookup zone

From the Zone Transfers tab, you can configure the following:

  • Whether zone transfers for the zone are allowed.

  • The servers to which zone transfers are allowed. You can specify any server, only the servers listed on the Name Servers tab, or specific servers listed by IPv4 address. Allowing transfers to any server lets anyone who can reach the DNS server download the complete zone contents, so restrict transfers to your secondary servers.

  • The notify list (click Notify), from which you can specify the servers on the Name Servers tab or specific servers listed by IPv4 address.

Resource Records

The DNS Server service stores resource records in their respective containers in a zone. You might manually configure the following typical resource records:

  • IPv4 address records

  • IPv6 address records

  • Pointer records

IPv4 Address Records

To manually add an IPv4 address record (also known as an Address [A] record), open the DNS snap-in, right-click the appropriate forward lookup zone in the tree, and then click New Host (A). In the New Host dialog box, type the host portion of the domain name and its IPv4 address. You can also automatically create the associated PTR record, allow an unauthenticated update to the record, and specify the Time-to-Live (TTL) for the A and PTR records.

Computers running Windows Server 2003 or Windows XP automatically add their IPv4 host address resource records using dynamic update. For more information, see "Dynamic Update and Secure Dynamic Update" in this chapter.

IPv6 Address Records

To manually add an IPv6 address record (also known as a AAAA record), open the DNS snap-in, right-click the appropriate forward lookup zone in the tree, and then click Other New Records. In the Resource Record Type dialog box, click IPv6 Host (AAAA), and then click Create Record.

In the New Host dialog box, type the host portion of the domain name and its IPv6 address. You can also automatically delete the record if it becomes stale and specify its TTL.

When you install the IPv6 protocol on a computer running Windows Server 2003 or Windows XP, the IPv6 protocol automatically adds AAAA resource records for site-local and global IPv6 addresses using dynamic update. For more information, see "Dynamic Update and Secure Dynamic Update" in this chapter. The IPv6 protocol does not register link-local addresses or global addresses with temporary interface identifiers using dynamic update.

Pointer Records

To manually add a Pointer (PTR) resource record for an IPv4 address, open the DNS snap-in, right-click the appropriate reverse lookup zone in the tree, and then click New Pointer (PTR). In the New Resource Record dialog box, type the host IPv4 address (in reverse order, if needed) and the host's FQDN. You can also automatically delete the record if it becomes stale, allow an unauthenticated update to the record, and specify its TTL.

Computers running Windows Server 2003 or Windows XP automatically add their PTR records using dynamic update. For more information, see "Dynamic Update and Secure Dynamic Update" in this chapter.

DNS Traffic Over IPv6

By default, the DNS Server service in Windows Server 2003 does not listen for DNS traffic sent over IPv6. You can configure DNS servers running Windows Server 2003 and DNS clients running Windows XP or Windows Server 2003 to use DNS traffic over IPv6 through either locally configured or well-known unicast addresses of DNS servers.

Using Locally Configured Unicast Addresses

In this method, DNS clients and servers send DNS traffic over IPv6 to a unicast address locally assigned to the DNS server, such as a site-local or global address of the DNS server configured through IPv6 address autoconfiguration. This method requires the following steps:

  1. On each DNS server running Windows Server 2003, enable the DNS Server service for DNS traffic over IPv6 by using the dnscmd /config /EnableIPv6 1 command at a command prompt and then restarting the DNS Server service.

  2. Obtain the site-local or global addresses of each DNS server by using the ipconfig command.

  3. Configure each DNS client computer with the unicast IPv6 addresses of your DNS servers by using the netsh interface ipv6 add dns interface=NameOrIndex address=IPv6Address index=PreferenceLevel command.

Using Well-Known Unicast Addresses

In this method, DNS clients and servers send DNS traffic over IPv6 to a set of well-known unicast addresses that have been manually configured on the DNS server. Computers running Windows Server 2003, Windows XP with Service Pack 1 (SP1), and Windows XP with Service Pack 2 (SP2) and the IPv6 protocol automatically attempt to use DNS servers at the well-known unicast addresses FEC0:0:0:FFFF::1, FEC0:0:0:FFFF::2, and FEC0:0:0:FFFF::3. These addresses are in the site-local prefix (FEC0::/10), which RFC 3879 deprecated, so they are meaningful only inside your own routing domain and must not be advertised beyond it. This method requires the following steps:

  1. On each DNS server running Windows Server 2003, enable the DNS Server service for DNS traffic over IPv6 by using the dnscmd /config /EnableIPv6 1 command at a command prompt and then restarting the DNS Server service.

  2. Determine which well-known unicast addresses to assign to which DNS servers.

  3. On each DNS server, add one or more of the well-known unicast addresses by using the netsh interface ipv6 add address interface=NameOrIndex address=IPv6Address command.

  4. Add host routes for the well-known unicast addresses to your routing infrastructure so that the DNS servers are reachable from all of your IPv6-based DNS client computers. First, you must add host routes for the DNS server addresses to the neighboring routers of the DNS servers. If you are using an IPv6 routing protocol, configure it to propagate host routes to the non-neighboring IPv6 routers. If you are using static IPv6 routers, add host routes with the appropriate next-hop and metric information to all the non-neighboring routers.

Dynamic Update and Secure Dynamic Update

DHCP servers assign IPv4 addresses and other configuration settings to DHCP client computers. These addresses are valid for a specific lease time. If the DHCP client computer cannot renew the current lease or moves to another subnet, the DHCP server assigns a new IPv4 address configuration to the client computer. This variability of IPv4 address configuration for DHCP client computers complicates DNS administration because you must update A and PTR resource records.

RFC 2136 describes the DNS dynamic update protocol, which keeps DNS current in a DHCP environment. DNS dynamic update allows DNS client computers to both register and dynamically update their resource records with a DNS server whenever the client computers’ IP addresses or names change. This process reduces the need for you to administer zone records manually, especially for computers that use DHCP.

Windows supports DNS dynamic update for both the DNS clients and servers. For DNS servers, you can use the DNS Server service to enable dynamic updates on a per-zone basis for either standard primary zones or zones that are integrated with Active Directory.

DNS clients running Windows Server 2003 or Windows XP register A and PTR resource records for IPv4 addresses and AAAA records for IPv6 addresses in DNS by default. Additionally, domain controllers and other service-providing computers register service (SRV) resource records in DNS. Because SRV resource records provide a way to resolve service names to IP addresses, registering them with DNS allows client computers running Windows to locate domain controllers and other types of servers.

DNS clients that are running Windows send dynamic updates in the following circumstances:

  • For statically assigned IP addresses, when the computer is started or an IP address on any of the computer’s network connections is added, removed, or modified.

  • For dynamically assigned IP addresses, when an IP address lease on any of the computers’ network connections changes or is renewed with the DHCP server (for example, when the computer is started or the ipconfig /renew command is used).

  • When the Net Logon service is started on domain controllers.

  • When a member server is promoted to a domain controller.

  • When the user runs the ipconfig /registerdns command to manually force a refresh of name registration in DNS.

  • Periodically after the initial dynamic update (by default, every seven days).

When one of these events triggers a dynamic update, the DHCP Client service on the computer running Windows Server 2003 or Windows XP sends the update. For IPv4-based addresses, the DHCP Client service sends the updates, rather than the DNS Client service, because the DHCP Client service provides IP address configuration, whether static or dynamic, to the Internet Protocol (TCP/IP) component and monitors changes in IP address configuration.

For IPv6-based addresses, the IPv6 protocol component sends the updates when the computer is started or an IPv6 address on any of the computer’s network connections is added, removed, or modified.

How Computers Running Windows Update their DNS Names

The specific mechanism and types of records registered by a computer running Windows Server 2003 or Windows XP depends on whether its IPv4 configuration is static (configured manually) or automatic (configured using DHCP):

  • By default, computers running Windows Server 2003 or Windows XP that are manually configured with static IPv4 addresses attempt to dynamically register A and PTR resource records for all configured DNS names.

  • By default, computers running Windows Server 2003 or Windows XP that are automatically configured with IPv4 addresses allocated by a DHCP server attempt to dynamically register A resource records. The DHCP server attempts to dynamically register the PTR resource records on the DHCP client's behalf. This behavior is controlled by:

    • The inclusion of the Client FQDN DHCP option (option 81) in the DHCPRequest message sent by the DHCP client.

    • In the DHCP snap-in, the settings on the DNS tab (see Figure 9-9) for the properties of a DHCP server or the properties of a DHCP scope.

For DHCP clients that do not send the Client FQDN option, the DHCP server does not automatically register the A or PTR resource records on the DHCP client's behalf. To enable this support, you can select the Dynamically update DNS A and PTR records for DHCP clients that do not request updates check box on the DNS tab.

Figure 9-9 shows the DNS tab in the properties dialog box of a DHCP server.


Figure 9-9  The DNS tab on the properties of a DHCP server

DNS Dynamic Update Process

A DNS client computer running Windows Server 2003 or Windows XP uses the following process to perform a DNS dynamic update:

  1. The client queries its configured DNS server to find the Start of Authority (SOA) resource record for the DNS zone of the DNS name that is being updated.

  2. The DNS client's configured DNS server performs the standard name resolution process and returns the SOA record, whose MNAME field names the primary name server for the queried DNS zone. The client then resolves that name to obtain the IP address of the primary name server.

  3. The client sends a dynamic update request to the primary name server for the zone of the DNS name that is being updated.

    This request might include a list of prerequisites that must be fulfilled before the update can be completed. Types of prerequisites include the following:

    • The resource record set exists.

    • The resource record set does not exist.

    • The name is in use.

    • The name is not in use.

  4. The primary name server determines whether the prerequisites have been fulfilled. If they have, the primary DNS server performs the requested update. If they have not, the update fails. In either case, the primary DNS server replies to the client, indicating whether the update succeeded.

If the DNS dynamic update is not successful, the DNS client records the event in the system event log.
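
The four-step exchange above, as an added Python example that is not part of the chapter: it encodes an UPDATE message the way RFC 2136 specifies, expresses the prerequisite types listed in step 3 through the CLASS and TYPE fields of the prerequisite section, and reads the RCODE of the primary server's reply. The zone, host name and address are the chapter's own example values; the two replies are constructed byte strings, and nothing is sent on the network. Windows secure dynamic update wraps this same message with a GSS-TSIG signature, which the example does not implement, so an unsigned message like this one is what a zone set to Secure only refuses.

```python
"""Added example (not from the chapter): an RFC 2136 DNS UPDATE message built
by hand, plus a check of the server's reply. Names, addresses and the replies
are example data; nothing is sent on the network."""
import struct

OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA, TYPE_PTR, TYPE_ANY = 1, 6, 12, 255
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED",
          6: "YXDOMAIN", 7: "YXRRSET", 8: "NXRRSET", 9: "NOTAUTH", 10: "NOTZONE"}


def encode_name(name: str) -> bytes:
    """FQDN -> uncompressed DNS wire-format labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def rr(name: str, rtype: int, rclass: int, ttl: int = 0, rdata: bytes = b"") -> bytes:
    """One resource record in wire format. Prerequisites and deletions use TTL 0."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


# Prerequisites (RFC 2136 section 2.4): the condition is carried by CLASS and TYPE.
def name_not_in_use(name: str) -> bytes:
    return rr(name, TYPE_ANY, CLASS_NONE)


def name_in_use(name: str) -> bytes:
    return rr(name, TYPE_ANY, CLASS_ANY)


def rrset_exists(name: str, rtype: int) -> bytes:
    return rr(name, rtype, CLASS_ANY)


def rrset_does_not_exist(name: str, rtype: int) -> bytes:
    return rr(name, rtype, CLASS_NONE)


# Update operations (section 2.5).
def add_a(name: str, ipv4: str, ttl: int = 1200) -> bytes:
    return rr(name, TYPE_A, CLASS_IN, ttl, bytes(int(o) for o in ipv4.split(".")))


def delete_rrset(name: str, rtype: int) -> bytes:
    return rr(name, rtype, CLASS_ANY)


def build_update(msg_id: int, zone: str, prereqs: list, updates: list) -> bytes:
    """Header with opcode 5, zone section (the zone's SOA), prerequisites, updates."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11,
                         1, len(prereqs), len(updates), 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return header + zone_section + b"".join(prereqs) + b"".join(updates)


def parse_update_reply(data: bytes, expected_id: int) -> str:
    """Return the RCODE name from the primary server's reply to our UPDATE."""
    msg_id, flags = struct.unpack("!HH", data[:4])
    if msg_id != expected_id:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000 or (flags >> 11) & 0xF != OPCODE_UPDATE:
        raise ValueError("not an UPDATE response")
    rcode = flags & 0xF
    return RCODES.get(rcode, f"RCODE {rcode}")


def register_host(msg_id: int, zone: str, fqdn: str, ipv4: str) -> bytes:
    """A first registration: claim the name only if nobody holds it, then add the A record.
    To replace a record it already owns, a client would instead send
    delete_rrset(fqdn, TYPE_A) followed by add_a(...) in one message."""
    return build_update(msg_id, zone, [name_not_in_use(fqdn)], [add_a(fqdn, ipv4)])


if __name__ == "__main__":
    msg = register_host(0x1234, "example.com", "filesrv17.example.com", "131.107.21.19")
    print(len(msg), "bytes:", msg.hex())
    # Constructed replies: an accepted update, and the refusal an unsigned update
    # receives from a zone that allows only secure dynamic updates.
    print(parse_update_reply(b"\x12\x34\xa8\x00" + b"\x00" * 8, 0x1234))
    print(parse_update_reply(b"\x12\x34\xa8\x05" + b"\x00" * 8, 0x1234))
```

The transaction ID check in parse_update_reply is the minimal protection a client has against a spoofed reply; it does not authenticate the server, which is what the GSS-TSIG signature of secure dynamic update adds.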

Configuring DNS Dynamic Update

You configure DNS dynamic update behavior on DNS client computers running Windows, DNS servers running Windows Server 2003, and DHCP servers running Windows Server 2003.

To configure DNS dynamic update on a DNS client computer running Windows Server 2003 or Windows XP, do the following:

  1. Click Start, point to Settings, and then click Network Connections.

  2. Right-click the network connection that you want to configure, and then click Properties.

  3. On the General tab (for a local area connection) or the Networking tab (for any other connection), click Internet Protocol (TCP/IP), and then click Properties.

  4. Click Advanced, and then click the DNS tab.

  5. Do one or more of the following:

    • To use DNS dynamic update to register the IP addresses for this connection and the full computer name of the computer, select the Register this connection's addresses in DNS check box. This check box is selected by default.

    • To configure a DNS suffix for the specific connection, type the DNS suffix in DNS suffix for this connection.

    • To use DNS dynamic update to register the IP addresses and the domain name that is specific for this connection, select the Use this connection's DNS suffix in DNS registration check box. This check box is not selected by default.

To enable DNS dynamic update on a DNS server that is running Windows Server 2003, do the following:

  1. Click Start, point to Programs, point to Administrative Tools, and then click DNS.

  2. In the tree, click the appropriate zone in the Forward Lookup Zones or Reverse Lookup Zones node.

  3. On the Action menu, click Properties.

  4. On the General tab, verify that the zone type is either Primary or Active Directory-integrated.

  5. If the zone type is Primary, in the Dynamic Updates list, click either Nonsecure and secure or Secure only.

To configure DNS dynamic update for a DHCP server that is running Windows Server 2003, do the following:

  1. Click Start, point to Programs, point to Administrative Tools, and then click DHCP.

  2. In the tree, click the appropriate DHCP server or a scope on the appropriate DHCP server.

  3. On the Action menu, click Properties.

  4. Click the DNS tab.

  5. Do one of the following:

    • To enable DNS dynamic update for DHCP clients that support it, select the Enable DNS dynamic updates according to the settings below check box and either the Dynamically update DNS A and PTR only if requested by the DNS clients check box (selected by default) or the Always dynamically update DNS A and PTR records check box.

    • To enable DNS dynamic update for DHCP clients that do not support it, select the Dynamically update DNS A And PTR records for DHCP clients that do not request updates check box. This check box is cleared by default.

Secure Dynamic Update

Secure DNS dynamic update is available only for zones that are integrated into Active Directory. After you integrate a zone, you can add or remove users or groups from the ACL for a specified zone or resource record using the DNS snap-in.

After a zone becomes integrated with Active Directory, DNS servers running Windows Server 2003 allow only secure dynamic updates by default. When configured for standard zone storage, the DNS Server service by default does not allow dynamic updates on its zones. For zones that are either integrated with Active Directory or that use standard file-based storage, you can change the zone to allow both secure and nonsecure dynamic updates. A zone that accepts nonsecure updates lets any host that can reach the server add, overwrite, or delete records in it without authentication, so keep production zones at Secure only unless clients that cannot perform secure updates require otherwise.

By default, DNS clients attempt a nonsecure dynamic update first and, if the server refuses it, retry with secure dynamic update. This order is controlled by the UpdateSecurityLevel registry value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters: 0 (the default) tries nonsecure and then secure update, 16 uses only nonsecure update, and 256 uses only secure update. Setting 256 on domain members prevents them from ever sending an unauthenticated update.

DNS and WINS Integration

If DNS and Windows Internet Name Service (WINS) are integrated, the DNS Server service can look up names in WINS when it cannot resolve them by querying DNS. To perform WINS lookup, the DNS Server service uses two resource record types that you can enable on any zone:

  • The WINS resource record, which you enable to integrate WINS lookup into forward lookup zones

    The WINS resource record is specific to DNS servers that are running Windows, and you can attach it only to the root domain of a forward lookup zone by placing the record in the zone file. The presence of a WINS record instructs the DNS Server service to use WINS to look up any requests for hosts in the zone root that do not have an A resource record. This functionality is particularly useful for DNS clients that are not running Windows and that need to resolve the names of NetBIOS-based, DHCP-enabled hosts that do not perform DNS dynamic update, such as computers running older versions of Windows.

  • The WINS-R resource record, which you enable to perform IPv4 address-to-NetBIOS name lookups for reverse lookup zones

    The WINS-R resource record is also specific to DNS servers that are running Windows, and you can attach it only to the root domain of a reverse lookup zone by placing the record in the zone file. The presence of a WINS-R record instructs the DNS Server service to use WINS reverse lookup for any requests for IPv4 addresses in the zone root that do not have a PTR resource record.

How WINS Lookup Works

When a DNS client sends a recursive or iterative query to a DNS server that is authoritative for the domain portion of an FQDN, the DNS server first attempts to find a matching A record in its zone files. If the DNS server does not find a matching A record and is configured for WINS lookup, the server does the following:

  1. The DNS server separates the host part of the FQDN contained in the DNS query and converts the host part to a 16-byte NetBIOS name. The NetBIOS name consists of the host name, padded with spaces up to 15 bytes, and 0x00 as the last byte.

  2. The DNS server sends a NetBIOS Name Query Request message to the WINS server.

  3. If the WINS server can resolve the constructed NetBIOS name, it returns the IPv4 address to the DNS server using a NetBIOS Name Query Response message.

  4. The DNS server constructs an A resource record using the IPv4 address resolved through the WINS server and sends a DNS Name Query Response message containing the A record to the requesting DNS resolver.

The DNS Server service performs all of the steps for WINS lookup. The DNS resolver is not aware that WINS lookup is being used—it sent a DNS Name Query Request message and received a DNS Name Query Response message. The WINS server is not aware a DNS server is using WINS lookup—it received a NetBIOS Name Query Request message and replied with a NetBIOS Name Query Response message.
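
The four WINS lookup steps above, as an added Python example that is not part of the chapter. It builds the 16-byte NetBIOS name from the host part of the queried FQDN, applies the first-level encoding that RFC 1001 and RFC 1002 require on the wire, forms the NetBIOS Name Query Request, parses the response, and produces the A record handed back to the resolver; names that are not directly under the zone root are not looked up. The WINS server is a constructed stand-in function that answers with an example address, so nothing is sent on the network. Upper-casing the host part is an assumption taken from NetBIOS names being case-insensitive and registered in upper case; the chapter does not state it.

```python
"""Added example (not from the chapter): the WINS lookup a Windows DNS server
performs, reproduced in Python against a constructed WINS server."""
import struct

QTYPE_NB, CLASS_IN = 0x0020, 0x0001
NB_SUFFIX_WORKSTATION = 0x00          # 16th byte of a workstation-service name


def netbios_name(host: str) -> bytes:
    """Host label -> 16-byte NetBIOS name: upper case (assumption), space padded
    to 15 bytes, 0x00 as the last byte."""
    raw = host.upper().encode("ascii")
    if not 0 < len(raw) <= 15:
        raise ValueError("NetBIOS host part must be 1..15 bytes")
    return raw.ljust(15, b" ") + bytes([NB_SUFFIX_WORKSTATION])


def first_level_encode(name16: bytes) -> bytes:
    """RFC 1001 section 14.1: each nibble becomes one letter 'A'..'P' (32 bytes)."""
    return bytes(b for c in name16 for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))


def first_level_decode(enc: bytes) -> bytes:
    return bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41)
                 for i in range(0, len(enc), 2))


def build_name_query_request(trn_id: int, host: str) -> bytes:
    """RFC 1002 section 4.2.12, unicast to a WINS server: opcode 0, RD=1, B=0."""
    header = struct.pack("!HHHHHH", trn_id, 0x0100, 1, 0, 0, 0)
    qname = b"\x20" + first_level_encode(netbios_name(host)) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_NB, CLASS_IN)


def parse_name_query_response(data: bytes, trn_id: int):
    """IPv4 address from a positive Name Query Response, or None if WINS said no."""
    rid, flags = struct.unpack("!HH", data[:4])
    if rid != trn_id or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:                 # RCODE set: negative response
        return None
    pos = 12 + 1 + data[12] + 1        # skip length byte, encoded name, terminator
    _rtype, _rclass, _ttl, _rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
    pos += 10
    _nb_flags, ip = struct.unpack("!H4s", data[pos:pos + 6])   # first address entry
    return ".".join(str(b) for b in ip)


def wins_lookup(fqdn: str, zone: str, wins_ttl: int, send, trn_id: int = 0x4242):
    """Steps 1-4 of the chapter. `send` stands in for the UDP exchange with WINS.
    Returns a zone-file style A record, or None when the name is not directly
    under the zone root or WINS does not know it."""
    host, _, domain = fqdn.rstrip(".").partition(".")
    if domain.lower() != zone.rstrip(".").lower():
        return None
    reply = send(build_name_query_request(trn_id, host))
    ipv4 = parse_name_query_response(reply, trn_id)
    return None if ipv4 is None else f"{fqdn.rstrip('.')}. {wins_ttl} IN A {ipv4}"


def fake_wins(request: bytes) -> bytes:
    """Constructed WINS server: answers every query with 131.107.21.19 (example data)."""
    trn_id = struct.unpack("!H", request[:2])[0]
    qname = request[12:12 + 1 + 32 + 1]
    header = struct.pack("!HHHHHH", trn_id, 0x8580, 0, 1, 0, 0)    # R, AA, RD, RA, RCODE 0
    rdata = struct.pack("!H", 0x6000) + bytes([131, 107, 21, 19])  # NB_FLAGS + IPv4
    answer = qname + struct.pack("!HHIH", QTYPE_NB, CLASS_IN, 300000, len(rdata)) + rdata
    return header + answer


if __name__ == "__main__":
    print(wins_lookup("newssrv1.example.com", "example.com", 600, fake_wins))
    print(wins_lookup("newssrv1.dev.example.com", "example.com", 600, fake_wins))
```

The NetBIOS transaction ID is the only thing tying a WINS reply to the request, and the exchange is unauthenticated UDP, so an answer obtained this way carries no more assurance than the WINS server itself; that is worth remembering when a DNS server is allowed to fall back to WINS for a zone.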

When you enable WINS lookup on a DNS zone, it is performed for only those names in the zone root domain. For example, if a zone file contained names for the example.com domain and the dev.example.com subdomain and WINS lookup was configured for that zone, then WINS lookup could be performed on the name newssrv1.example.com but not for the name newssrv1.dev.example.com.

You can configure WINS lookup from the WINS tab for the properties of a forward lookup zone. To enable WINS lookup, select the Use WINS forward lookup check box, and type the IPv4 addresses of your WINS servers.

The TTL for a DNS name that is resolved through WINS lookup is not the default timeout value from the SOA record for the zone. You configure the TTL for a name resolved through WINS lookup on the WINS tab for the properties of a forward lookup zone.

WINS Reverse Lookup

Although WINS was not constructed to provide reverse lookup capabilities, this functionality can be accomplished using a special NetBIOS message. The presence of a WINS-R record at the zone root instructs the DNS Server service to send a NetBIOS Adapter Status message for any reverse lookup requests for IPv4 addresses in the zone root domain for which PTR records were not found. The response to the NetBIOS Adapter Status message contains the NetBIOS computer name of the queried host.

You can configure WINS reverse lookup on the WINS-R tab for the properties of a reverse lookup zone. Select the Use WINS-R lookup check box, and type the domain name to be appended to the computer name when the DNS Server service returns the response to the DNS resolver.

If a reverse query for a host name based on an IPv4 address is sent to a DNS server running Windows Server 2003 for a zone in which WINS reverse lookup is enabled, the server will first attempt to perform a reverse resolution using the local reverse lookup zone files. If the DNS server does not find a PTR record, it sends a NetBIOS Adapter Status message to the IPv4 address in the reverse query. The response to the NetBIOS Adapter Status message includes the NetBIOS name table of the responder, from which the DNS server determines the computer name. The DNS Server service appends the domain name configured on the WINS-R tab to the computer name and returns the result to the requesting client.

Using the Nslookup Tool

The Nslookup diagnostic tool allows you to interact with a DNS server using either individual command-line queries or an interactive session, sending the same kinds of queries that a resolver or another DNS server would send. The Nslookup tool is the primary troubleshooting tool for DNS. You can use Nslookup to display any resource record on any DNS server, including DNS servers that are not running Windows.

Nslookup Modes

Nslookup has two modes: interactive and noninteractive. If you need a single resource record, use noninteractive (command-line) mode. If you need more than one resource record, you can use interactive mode, in which you issue successive commands from an Nslookup prompt. For interactive mode:

  • To interrupt interactive commands at any time, press CTRL+C.

  • To exit, use the exit command.

  • The command line must be less than 256 characters long.

  • To treat a built-in command as a computer name, precede it with the "\" character.

  • An unrecognized command is interpreted as a computer name.

Nslookup Syntax

Nslookup has the following syntax:

nslookup [-Option ...] [ComputerToFind | -] [Server]

The Nslookup command line can include the following parameters:

  • -Option  Specifies one or more Nslookup commands as command-line options. For a list of commands, use the help command inside Nslookup. Each option consists of a hyphen (-) followed immediately by the command name; in some cases, an equal sign (=); and then a value.

  • ComputerToFind  Look up information for ComputerToFind using the current default server or using Server if specified. If ComputerToFind is an IP address and the query type is A or PTR, the name of the computer is returned. If ComputerToFind is a name and does not have a trailing period, the default DNS domain name is appended to the name.     

    If you type a hyphen (-) instead of ComputerToFind, the command prompt changes to Nslookup interactive mode with the ">" character as the command prompt.

  • Server  Use this server as the DNS name server. If the server is omitted, Nslookup uses the currently configured default DNS server.

Examples of Nslookup Usage

The following are usage examples for the Nslookup tool.

Example 1: Nslookup in Interactive Mode

The following is a usage example for Nslookup in interactive mode with the default DNS server:

C:\USERS\DEFAULT>nslookup 
Default Server:  dnssrv1 
Address:  157.54.9.193 
>

Nslookup performs a reverse query on the IPv4 address of the default DNS server and displays its name (dnssrv1 above). If the query fails, Nslookup displays the error message "*** Default servers are not available" and shows the default server as "Unknown." From the ">" prompt, you can enter names to be queried, IP addresses to be reverse queried, or commands to modify the behavior of Nslookup. To exit the Nslookup command prompt, use the exit command.

Example 2: Nslookup and Forward Queries

The following is an example of how to use Nslookup to obtain the IP address of a host name using the default DNS server:

C:\USERS\DEFAULT>nslookup filesrv17 
server =   dnssrv1 
Address:  157.54.9.193 
 
Name:    filesrv17.example.com 
Address:  131.107.21.19

Example 3: Nslookup Forward Query Using Another DNS Server

The following is an example of how to use Nslookup to obtain the IP address of a host name using another DNS server:

C:\USERS\DEFAULT>nslookup msgsrv3 dnssrv9 
server =   dnssrv9 
Address:  157.60.10.41 
 
Name:    msgsrv3.central.example.com 
Address:  157.60.10.201

Example 4: Nslookup Debug Information

The following is an example of how to use Nslookup to obtain the IP address of a host name using the default DNS server. The example also shows how to modify the display option to include detailed information about the contents of the DNS messages being exchanged between the DNS client and the DNS server:

C:\USERS\DEFAULT>nslookup -debug=on emailsrv1 
------------ 
Got answer: 
    HEADER: 
        opcode = QUERY, id = 1, rcode = NOERROR 
        header flags:  response, auth. answer, want recursion, recursion avail. 
        questions = 1,  answers = 1,  authority records = 0,  additional = 0 
 
    QUESTIONS: 
        193.9.60.157.in-addr.arpa, type = PTR, class = IN 
    ANSWERS: 
    ->  193.9.60.157.in-addr.arpa 
        name = dnssrv1 
        ttl = 3600 (1 hour) 
 
------------ 
server =   dnssrv1 
Address:  157.60.9.193 
 
------------ 
Got answer: 
    HEADER: 
        opcode = QUERY, id = 2, rcode = NOERROR 
        header flags:  response, auth. answer, want recursion, recursion avail. 
        questions = 1,  answers = 1,  authority records = 0,  additional = 0 
 
    QUESTIONS: 
        emailsrv1.example.com, type = A, class = IN 
    ANSWERS: 
    ->  emailsrv1.example.com 
        internet address = 157.54.9.193 
        ttl = 3600 (1 hour) 
 
------------ 
Name:    emailsrv1.example.com 
Address:  157.54.9.193

Example 5: Nslookup Reverse Query

The following is an example of using Nslookup to perform a reverse query:

C:\USERS\DEFAULT>nslookup 157.60.13.46 
server =   dnssrv1 
Address:  157.60.9.193 
 
Name:    emailsrv18.wcoast.example.com 
Address:  157.60.13.46

Chapter Summary

The chapter includes the following pieces of key information:

  • You can configure the DNS Client service manually using Network Connections or automatically using DHCP, PPP, or Computer Configuration Group Policy.

  • To help resolve an unqualified name, the DNS Client service uses the primary or connection-specific DNS suffixes (with name devolution on the primary suffix) or a configured list of DNS suffixes.

  • You can install the DNS Server service in Windows Server 2003 as a Windows component using the Add or Remove Programs item in Control Panel, the Active Directory Installation Wizard (Dcpromo.exe), or the Manage Your Server Wizard.

  • Active Directory requires DNS to locate domain resources for domain operations.

  • Storage of DNS zones in Active Directory can take advantage of multi-master administration, Active Directory security, and the existing Active Directory replication topology.

  • To administer a DNS server that is running Windows Server 2003, you must configure server properties, forward lookup zones, reverse lookup zones, delegation, and zone transfers.

  • Typical resource records to manually add to a DNS server running Windows are A, AAAA, and PTR.

  • To enable DNS traffic over IPv6, you must configure the DNS server to listen for DNS traffic over IPv6. Then, you must either configure the DNS clients with the unicast IPv6 addresses of the DNS servers or configure the DNS server and the routing infrastructure for the well-known unicast addresses assigned to IPv6 DNS servers.

  • With DNS dynamic update, DNS client computers that are running Windows dynamically register and update their A, AAAA, and PTR (for IPv4 addresses) records with the primary name server for the zone. For zones that are integrated with Active Directory, DNS clients can use secure dynamic update, so that only the authenticated account that created a record can modify it.

  • WINS lookup allows a DNS server running Windows to use WINS for name resolution when no A record for the host is found. WINS reverse lookup uses NetBIOS Adapter Status messages to perform reverse lookups when no PTR record is found.

Chapter Glossary

DNS – See Domain Name System.

DNS dynamic update – A DNS standard that permits DNS clients to dynamically register and update their resource records in the zones of the primary name server.

DNS server – A server that maintains a database of mappings of DNS domain names to various types of data, such as IP addresses.

domain – Any tree or subtree within the DNS namespace.

Domain Name System (DNS) – A hierarchical, distributed database that contains mappings of DNS domain names to various types of data, such as IP addresses. DNS enables the location of computers and services by user-friendly names, and it also enables the discovery of other information stored in the database.

forward lookup – A DNS query that maps an FQDN to an IP address.

FQDN – See fully qualified domain name (FQDN).

fully qualified domain name (FQDN) – A DNS name that has been stated to indicate its absolute location in the domain namespace tree. An FQDN has a trailing period (.) to qualify its position to the root of the namespace (for example, host.example.microsoft.com.).

host name – The DNS name of a device on a network. Host names are used to locate computers on the network. To find another computer, its host name must either appear in the Hosts file or be known by a DNS server. For most computers running Windows, the host name and the computer name are the same.

host name resolution – The process of resolving a host name to a destination IP address.

iterative query – A query made to a DNS server for the best answer the server can provide without seeking further help from other DNS servers.

master server – An authoritative DNS server for a zone. Master servers are either primary or secondary master servers, depending on how the server obtains its zone data.

primary server – An authoritative DNS server for a zone that serves as the point of update for the zone. Only a primary server accepts zone updates directly, that is, the addition, removal, or modification of the resource records stored as zone data.

recursive query – A query made to a DNS server in which the requester asks the server to assume the full workload and responsibility for providing a complete answer to the query. The DNS server then uses separate iterative queries to other DNS servers on behalf of the requester to assist in finding a complete answer for the recursive query.

reverse lookup – A DNS query that maps an IP address to an FQDN.

root domain – The beginning of the DNS namespace.

secondary server – An authoritative DNS server for a zone that obtains its zone information from a master server.

second-level domain – A DNS domain name that is rooted hierarchically at the second tier of the domain namespace, directly beneath the top-level domain names. Top-level domain names include .com and .org. When DNS is used on the Internet, second-level domains are names that are registered and delegated to individual organizations and businesses.

stub zone – A copy of a zone that contains only the resource records required to identify the authoritative DNS servers for that zone: the zone's SOA record, its NS records, and the glue A records for those name servers. A DNS server that hosts a parent zone and a stub zone for one of the parent zone's delegated child zones keeps its delegation current by periodically refreshing those records from the child zone's authoritative servers, so the delegation does not go stale when the child zone's name servers change.

top-level domains – Domain names that are rooted hierarchically at the first tier of the domain namespace directly beneath the root (.) of the DNS namespace. On the Internet, top-level domain names such as .com and .org are used to classify and assign second-level domain names (such as microsoft.com) to individual organizations and businesses according to their organizational purpose.

zone – A manageable unit of the DNS database that is stored on a DNS server. A zone contains the domain names and data of the domain with a corresponding name, except for domain names stored in delegated subdomains.