DNS
a. History
Naming was a problem from the very beginning of the ARPANET, the ancestor of today's Internet. In the 1970s the network was tiny compared with today, a few hundred hosts at most, and naming was solved with a single file that every site kept a copy of and periodically refreshed.
That address-to-name file, HOSTS.TXT, was kept on a computer at SRI-NIC (Stanford Research Institute - Network Information Center). Each line of the file paired one address with one name. New names and changes were sent to SRI by e-mail, and every site on the ARPANET fetched a fresh copy of HOSTS.TXT with FTP.
With the explosion in the use of TCP/IP links this no longer scaled. Keeping every name unique across the whole network became hard, distributing the file to every server consumed a large amount of bandwidth, and the copies at different sites were never consistent with each other at the same moment.
After this situation emerged, research began on a more scalable name resolution structure for the ARPANET, and Paul Mockapetris was given the job. He defined the Domain Name System (DNS) in RFC 882 and RFC 883, published in November 1983. These were later superseded by RFC 1034 and RFC 1035 (1987), which are still the base specifications of DNS today.
Source: http://tr.wikipedia.org/wiki/DNS
b. What is the purpose of the DNS service?
Every object on the Internet has a unique address, and objects reach each other through these addresses. People find such numbers hard to keep in mind, so the DNS server was designed to solve that problem: it maps human-readable names to IP addresses and answers queries with the address that belongs to a name (or, in the reverse direction, the name that belongs to an address), and communication can then take place.
http://www.alperyazgan.com/wp-content/uploads/resim/1.jpg
c. Uses of DNS Services
Wherever communication has to work (installation, configuration, troubleshooting and so on), DNS is involved. The name space is organised in the following hierarchy.
Root Servers : the starting point of name resolution worldwide; they are the source from which the Top Level Domain servers are found. There are 13 root server names (a through m.root-servers.net); each of them is served today by many anycast instances spread around the world.
TLD Servers : the servers for the top-level domains. Generic TLDs (gTLD) such as com and org serve commercial and other organisations; country-code TLDs (ccTLD) are the two-letter country codes. The major extensions are :
Com = Commercial Organizations
Org = Non-Commercial Organizations
Mil = Military Organizations
Net = Network Organizations
EDU = Educational Institutions
Gov = Government Institutions
Int = International Organizations
Info = Information Services Institutions
Tel = Communication, Telecommunication Institutions
Country Codes
TR = Turkey
US = United States
GB = United Kingdom
DE = Germany
AU = Australia
FR = France
RU = Russia
CA = Canada
SLDs, Second Level Domains (Second Level Domain Servers)
These are the names registered under a TLD by a private person or an organisation. When a company registers its name, resolution of everything under that name is done by the name servers the registrant delegates it to.
Example: alperyazgan.com
This is also the level at which we, as IT professionals, publish our web servers and mail servers.
http://www.alperyazgan.com/wp-content/uploads/resim/2.jpg
Name Resolution
Name resolution on the Internet means finding the record that someone is asking for. One of the common examples explains it well. Every one of us, as a Turkish citizen, has a TC identification number. How is it known which number belongs to whom? Simple: the Directorate of Population keeps a register in which the identification number 1234567891122 is stored next to the citizen's name, Alper YAZGAN. Map this onto a network: the identification number is the IP address, and the Directorate of Population is the DNS service. We phone the directorate, give it the identification number, and it returns the citizen's first and last name. In DNS terms :
Question: Who is 127.0.0.1?
http://www.alperyazgan.com/wp-content/uploads/resim/3.JPG
Answer: 127.0.0.1 = ALPERYAZGAN
http://www.alperyazgan.com/wp-content/uploads/resim/4.JPG
The DNS service has a database in which names and the IP addresses that belong to them are stored side by side. When a query arrives, the server looks up the matching number or name and returns the answer. (Asking "who is 127.0.0.1" is a reverse lookup; 127.0.0.1 is the loopback address, so the answer is the querying machine's own name.) Another example: when technet.microsoft.com is typed into the browser, DNS answers with the IP address for that name and the browser fetches the page from it.
Records
A record is the unit in which DNS keeps its information. This will become clearer when the record types are described; in short, the answer the server returns depends on the type of record that was asked for and on the data that record carries, and the type determines what the record is used for. The host record (A) and the mail exchanger record (MX) are the most common examples.
Zones
The part of the DNS name space that a DNS server is authoritative for and manages is called a zone. It contains the computer names, the IP addresses belonging to those names, and the other resource record data of that domain.
Forward Lookup Zone
The function of this zone is to resolve names to IP addresses.
- Primary Zone: the authoritative, writable copy of the zone. It is the only zone type in which records can be created and changed.
- Secondary Zone: a read-only copy; it has no authority to write to the database. At the refresh interval defined in the zone's SOA record it pulls the records from the primary zone (a zone transfer) and serves them, acting as a backup for the primary and sharing its load.
- Stub Zone: contains only the NS (Name Server), SOA (Start Of Authority) and glue A (Address) records of another zone and is not authoritative for it. Its purpose is that this server always knows which name servers are responsible for the other domain and can send queries straight to them.
- Reverse Lookup Zone: the exact opposite of the Forward Lookup Zone; it resolves IP addresses to names (PTR records under in-addr.arpa).
Record Types and Functions
Host (A) : maps a name to an IPv4 address (AAAA does the same for IPv6).
Name Server (NS) : names the DNS servers that are authoritative for a zone. Clients and other servers use these records to decide which server a request should go to.
SRV (Service Locator) : advertises a service (for example LDAP or Kerberos in Active Directory) together with the host that provides it, the TCP/UDP port, a priority and a weight.
PTR (Pointer Record) : resolves an IP address to a name; also called the reverse DNS record. For a fixed public (WAN) IP address the reverse zone belongs to the ISP (Internet service provider), so the PTR record has to be opened by them on request.
CNAME (Canonical Name) : an alias that points at an existing host (A) record, so that the same host can be resolved under different names. It is commonly used for web sites (www).
SPF (Sender Policy Framework) : used by receiving mail servers to fight spam. It lists the mail servers that are permitted to send e-mail for the domain, so that other mail servers can reject mail from anyone else. It is published as a TXT record. Advanced use: https://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
SOA (Start of Authority) : identifies the primary name server of the zone, the e-mail address of the zone administrator, and the serial number and the refresh, retry, expire and minimum TTL counters that secondary servers use to decide when to copy the zone.
MX (Mail Exchanger) : points at the host (A) record of a mail server and carries a priority (preference) value. Its first task is to let other mail servers find where mail for the domain should be delivered. On the priority side, the sending server tries the MX record with the lowest preference value first and only falls back to the others if that server does not answer.
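The record types above, created and then resolved on a Windows DNS server with the DnsServer PowerShell module. This is an added example and not code from the original article; the zone lab.example, the 192.168.10.0/24 network and the host names are assumptions for a lab.

```powershell
# Added example (not from the original article): populate a lab zone with the record
# types discussed above and read them back. Assumes the DnsServer module (Windows Server
# 2012 or later with the DNS Server role) and a hypothetical zone lab.example.
$Zone    = 'lab.example'                    # hypothetical forward zone
$Network = '192.168.10.0/24'                # hypothetical subnet; reverse zone 10.168.192.in-addr.arpa

Add-DnsServerPrimaryZone -Name $Zone -ZoneFile "$Zone.dns" -DynamicUpdate None
Add-DnsServerPrimaryZone -NetworkId $Network -ZoneFile '10.168.192.in-addr.arpa.dns'

# Host (A) records: name -> IPv4. -CreatePtr writes the matching PTR into the reverse zone.
Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'web01'  -IPv4Address '192.168.10.21' -CreatePtr
Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'mail01' -IPv4Address '192.168.10.25' -CreatePtr
Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'mail02' -IPv4Address '192.168.10.26' -CreatePtr

# CNAME: an alias that points at an existing A record, the usual pattern for a web site.
Add-DnsServerResourceRecordCName -ZoneName $Zone -Name 'www' -HostNameAlias "web01.$Zone"

# MX at the zone apex ("."): the lowest preference is tried first, mail02 only if mail01 fails.
Add-DnsServerResourceRecordMX -ZoneName $Zone -Name '.' -MailExchange "mail01.$Zone" -Preference 10
Add-DnsServerResourceRecordMX -ZoneName $Zone -Name '.' -MailExchange "mail02.$Zone" -Preference 20

# SPF is carried in a TXT record: only the hosts named in the MX records may send mail for the zone.
Add-DnsServerResourceRecord -ZoneName $Zone -Name '.' -Txt -DescriptiveText 'v=spf1 mx -all'

# SRV: advertise an LDAP service on TCP/389 at web01 (illustrative only).
Add-DnsServerResourceRecord -ZoneName $Zone -Name '_ldap._tcp' -Srv -DomainName "web01.$Zone" `
    -Priority 0 -Weight 100 -Port 389

# Read the zone back, then resolve through this server to see each type answered.
Get-DnsServerResourceRecord -ZoneName $Zone | Format-Table HostName, RecordType, RecordData -AutoSize
Resolve-DnsName -Name "www.$Zone"       -Type A   -Server localhost   # CNAME chain ending in 192.168.10.21
Resolve-DnsName -Name $Zone             -Type MX  -Server localhost   # both MX, preference 10 before 20
Resolve-DnsName -Name $Zone             -Type TXT -Server localhost   # the SPF text
Resolve-DnsName -Name '192.168.10.21'   -Type PTR -Server localhost   # reverse lookup -> web01.lab.example
```

Resolve-DnsName turns the dotted address into the in-addr.arpa name itself, so the last call shows the PTR that -CreatePtr wrote into the reverse zone.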
d. Query Types
There are two types of query:
- Recursive: the query a client (or a forwarding server) sends when it wants the DNS server to obtain the complete answer on its behalf, typically to get the IP address of a network resource it wants to reach. The server must come back with either the requested record or a negative answer (no such name, or no such record); it may not hand the client a referral. The workflow is as follows:
The client asks the recursive DNS server. If the server finds the name in its own zones or cache, it responds to the client, positively or negatively.
If it does not, the server itself asks other DNS servers (its forwarders, or the root and TLD servers through its root hints) until it has an answer, and then responds to the client, positively or negatively.
- Iterative: the type of query DNS servers use among themselves. The server that is asked answers only from what it already has: the record itself, a referral naming the servers that are closer to the answer, or an error; it does not go and ask anyone else. The querying server follows the referrals step by step (root, then TLD, then the authoritative server) until it finds the record or learns that it does not exist, and keeps the result in its cache for as long as the record's TTL allows.
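The iterative walk described above, done by hand from a root server so that each referral is visible. This is an added example, not part of the original article; it assumes outbound UDP/53 is allowed and uses a.root-servers.net (198.41.0.4) as the starting point.

```powershell
# Added example (not from the original article): follow referrals the way a recursive
# server does, one iterative query at a time, and print every hop.
function Resolve-Iteratively {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Type        = 'A',
        [string]$StartServer = '198.41.0.4',   # a.root-servers.net
        [int]$MaxHops        = 10
    )
    $server = $StartServer
    for ($hop = 1; $hop -le $MaxHops; $hop++) {
        # -NoRecursion clears the RD bit: the server may only answer from its own data,
        # so we get either an authoritative answer or a referral (NS records in Authority).
        $r = Resolve-DnsName -Name $Name -Type $Type -Server $server -DnsOnly -NoRecursion -ErrorAction Stop

        $answer = $r | Where-Object { $_.Section -eq 'Answer' }
        if ($answer) {
            Write-Host ("hop {0}: {1} answered (authoritative)" -f $hop, $server)
            return $answer        # may be a CNAME; the caller follows it if needed
        }

        $nsNames = $r | Where-Object { $_.Section -eq 'Authority' -and $_.Type -eq 'NS' } |
                   ForEach-Object { $_.NameHost }
        if (-not $nsNames) { throw "No answer and no referral from $server" }

        # Prefer glue from the Additional section; otherwise the NS name is out of zone
        # (for example a .net name server for a .com domain) and must be resolved separately.
        $glue = $r | Where-Object { $_.Section -eq 'Additional' -and $_.Type -eq 'A' -and $nsNames -contains $_.Name } |
                Select-Object -First 1
        $next = if ($glue) { $glue.IPAddress } else {
            (Resolve-DnsName -Name $nsNames[0] -Type A -DnsOnly | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
        }
        Write-Host ("hop {0}: {1} referred to [{2}] -> next {3}" -f $hop, $server, ($nsNames -join ', '), $next)
        $server = $next
    }
    throw "Gave up after $MaxHops hops"
}

# Three hops are typical: root -> com TLD servers -> the zone's own name servers.
Resolve-Iteratively -Name 'example.com' -Type A
```

Run it against a name whose NS servers live in a different TLD and you will see the fallback branch fire, because the TLD servers cannot supply glue for a name server outside their zone.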
Microsoft Windows Server DNS
Microsoft first shipped DNS support with Windows NT and has developed it ever since. Domain-joined computers use dynamic DNS to register their own records in the Microsoft DNS database; this is called client registration.
On the server side the DNS Server service handles all communication over TCP/IP (UDP and TCP port 53). On the client side the DNS Client service (DNSCache) sends the queries and caches the answers the server returns. Windows clients always send a query to the first (primary) DNS server in their list first. Let us start with the installation.
a. Installation and Configuration
DNS for Windows NT installation: http://www.digitalissues.co.uk/html/os/ms/dns_on_nt4.html
DNS Setup for Windows 2000: http://support.microsoft.com/kb/300202
On Windows Server 2003, DNS is installed together with the Domain Controller: during DC promotion the Windows Server 2003 CD must be in the drive. The setup can also be done separately later if desired.
For installation: http://support.microsoft.com/kb/814591
With Windows Server 2008 Microsoft changed our management console. The setup methodology is the same, but the screens changed, and so the DNS setup screens differ as well. On Windows Server 2008, Windows Server 2008 SBS, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2 the role is installed almost entirely from the Server Manager console.
On Windows Server 2008 and later, as on 2003, the architecture is the same: DNS is installed together with the DC.
DC (Domain Controller) for installation: http://social.technet.microsoft.com/wiki/contents/articles/25364.windows-server-2012-r2-install-domain-controller-role-video-tr-tr.aspx
In the following diagram, taken from Microsoft's documentation, the full DNS server architecture and its operation are described:
http://www.alperyazgan.com/wp-content/uploads/resim/5.jpg
DNS Management Console Review
In this section we go through the screens of the DNS console and what each of them does.
http://www.alperyazgan.com/wp-content/uploads/resim/6.JPG
http://www.alperyazgan.com/wp-content/uploads/resim/7.JPG
Configure a DNS server: a wizard for creating primary, secondary and reverse lookup zones on this server.
Create Default Application Directory Partition: creates the DNS application directory partitions in Active Directory (DomainDnsZones and ForestDnsZones) in which AD-integrated zones are stored.
New Zone: creates a new zone (domain name) to manage.
Set Aging/Scavenging for All Zones: sets, for every zone, the no-refresh and refresh intervals after which a dynamically registered record counts as stale and may be removed.
http://www.alperyazgan.com/wp-content/uploads/resim/8.JPG
Update Server Data Files: writes the changes held in memory for the Forward and Reverse Lookup Zones to their zone files on disk.
Clear Cache: the server keeps answers in its cache so that a repeated query does not generate new traffic upstream; when a client sends the same query again, the server answers from the cache instead of resolving the name a second time. Clicking here empties the cache, so the next query is resolved afresh and the client sees a new address immediately. Do this after an IP address or a name has changed on the other side. Otherwise cached entries expire when their TTL runs out, which the server's maximum cache TTL caps at one day by default.
Launch nslookup: opens nslookup connected to this server; on start it does a reverse lookup of the server's address and shows the name it finds.
Scavenge Stale Resource Records: runs immediately the scavenging that otherwise happens automatically according to the aging settings.
DNS Management Console Properties
Interfaces: the network cards (IP addresses) on which the DNS server listens for client queries; the server's own host records are registered from these addresses. By default "All IP addresses" is selected. If the DC has more than one Ethernet card, choose "Only the following IP addresses" and select the card on which clients should be answered.
DNS Response Hierarchy
- DC interface IP address (the client sends its query here)
- DNS host records in the server's own zones and cache
- If no host record answers, the Forwarders
- If the Forwarders return no answer, the Root Hints
Forwarders: the first address a DNS server turns to for a query it cannot answer from its own zones; they are tried before the root hints.
http://www.alperyazgan.com/wp-content/uploads/resim/9.JPG
- Advanced
http://www.alperyazgan.com/wp-content/uploads/resim/10.JPG
Disable Recursion: determines whether this server will go to other DNS servers on behalf of clients. If the box is ticked, the server answers only from its own zones and cache and returns a positive or negative answer without asking anyone else. If it is not ticked, a name that is not found locally is looked up through the forwarders and root hints hierarchy. Ticking it is recommended on DNS servers that are opened to the public and only need to serve their own zones: an open recursive server can be abused by anyone on the Internet.
Enable BIND secondaries: concerns zone transfers to secondary servers. When ticked, transfers are sent in the uncompressed, one-record-per-message format that old BIND versions understand instead of the faster compressed format Windows uses between Windows servers.
Fail on Load If Bad Zone Data: available on the server versions after the Windows 2000 family. When ticked, a zone whose file contains erroneous records is not loaded at all and becomes unavailable; when not ticked, the errors are logged and the rest of the zone is loaded.
Enable Round Robin: when one name has several host (A) records, and that CNAME/host receives many requests, the server rotates the order of the addresses in successive answers, so that the load is spread across the hosts behind the name. This is load sharing between the hosts in the records, not between DNS servers. When round robin is off, the addresses are returned in a fixed order and netmask ordering (below) decides which comes first.
Enable Netmask Ordering: when a name has several addresses, the server looks at the client's source IP address in the incoming packet and puts the address that is on the same subnet as the client first in the answer, so the client reaches the nearest host.
Secure cache against pollution: when ticked, records in a response that do not belong to the domain that was queried (for example an extra A record for some other domain slipped into the additional section) are discarded instead of being cached. When not ticked, everything in the response is cached and the server can be fed false records by whoever answers a query. Leave it on.
Enable DNSSEC validation for remote responses: when ticked, the server validates the DNSSEC signatures on the responses it receives from other servers, using the trust anchors it holds, before handing the answer to the client. If both sides have signed zones and matching trust anchors, name resolution succeeds only when the signatures verify.
Name checking: determines which characters are accepted in names. Multibyte (UTF-8), the default, accepts the characters of every language; changing it is not recommended.
Load zone data on startup: from file, from registry, or from Active Directory and registry; the last is the default. The zone files live in C:\Windows\System32\dns. Leave the setting on Active Directory and registry.
Enable automatic scavenging of stale records: sets the period after which the server automatically scans its zones and removes records that were not refreshed. It is not selected by default; selecting it with a weekly period is recommended.
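The Advanced-tab settings that matter most on a server reachable from untrusted networks, audited and set with the DnsServer cmdlets and then verified from a client. This is an added example and not the article's own code; the server name dns01, the zone lab.example and the secondary at 192.168.10.3 are assumptions.

```powershell
# Added example (not from the original article): audit the Advanced-tab options, harden an
# authoritative-only server, and confirm the effect. Assumes the DnsServer module; the
# server dns01, zone lab.example and secondary 192.168.10.3 are hypothetical.
$Server = 'dns01'

# 1. Current state: recursion, cache pollution protection, round robin, netmask ordering, BIND format.
Get-DnsServerRecursion -ComputerName $Server | Select-Object Enable, Timeout
Get-DnsServerCache     -ComputerName $Server | Select-Object PollutionProtection, MaxTtl, MaxNegativeTtl
Get-DnsServerSetting   -ComputerName $Server -All | Select-Object RoundRobin, LocalNetPriority, BindSecondaries

# 2. A server that only publishes its own zones to the Internet must not recurse for anyone:
#    an open recursive resolver is an amplification source and its cache is a poisoning target.
Set-DnsServerRecursion -ComputerName $Server -Enable $false

# 3. "Secure cache against pollution": out-of-bailiwick records in a response are dropped, not cached.
Set-DnsServerCache -ComputerName $Server -PollutionProtection $true

# 4. A zone transfer (AXFR) hands out the whole zone; allow it only to the listed secondary
#    and notify only that server of changes.
Set-DnsServerPrimaryZone -ComputerName $Server -Name 'lab.example' `
    -SecureSecondaries TransferToSecureServers -SecondaryServers '192.168.10.3' `
    -Notify NotifyServers -NotifyServers '192.168.10.3'

# 5. Verify from a client. With recursion off, a name outside the server's zones must fail
#    (REFUSED or SERVFAIL), while the server's own zone still answers.
Resolve-DnsName -Name 'www.example.com' -Server $Server -DnsOnly -ErrorAction Continue
Resolve-DnsName -Name 'www.lab.example' -Server $Server -DnsOnly

# 6. A zone transfer from a host that is not on the list must be refused. nslookup's "ls -d"
#    issues an AXFR; run it from a machine other than 192.168.10.3 and expect "Can't list domain".
'server dns01', 'ls -d lab.example', 'exit' | nslookup
```

Step 4 is the cmdlet form of the zone's Zone Transfers tab; the "Enable BIND secondaries" box only changes the transfer format and does nothing to restrict who may pull the zone.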
Root Hints: the root servers this server turns to when it cannot find a record in its own zones and has no forwarder for it. They are the public root servers and the list is pre-filled.
Monitoring: a simple query (against this server) and a recursive query (through another server) can be tested here.
Event Logging: DNS events are collected under the Event Viewer automatically. On this tab we set which events are to be recorded.
http://www.alperyazgan.com/wp-content/uploads/resim/11.JPG
No events: nothing is logged.
Errors only: only errors are recorded.
Errors and warnings: errors and warnings are recorded (a warning that is not dealt with tends to come back later as an error).
All events: every event is recorded.
Debug Logging: records the DNS requests and responses exchanged with clients over TCP/IP. It is off by default, since it costs disk space and CPU. If you want detailed DNS management, tick it and you can examine the communication between client and DNS server packet by packet.
http://www.alperyazgan.com/wp-content/uploads/resim/13.JPG
Packet direction: Outgoing and Incoming; tick both to watch traffic in both directions.
Packet content: which packets are logged: Queries/Transfers, Updates and Notifications.
Transport protocol: UDP and/or TCP, the two transports DNS uses on port 53.
Other options
Log unmatched incoming response packets: by default only the clients' queries and the positive/negative answers to them are logged. Tick this to also record responses that do not match any query this server sent (a spoofed reply aimed at the cache, for instance).
Details: log the full packet details: where the packet came from, where it went, whether the answer was positive or negative and, if negative, why.
Filter packets by IP address: restrict logging to the IP addresses you list; only requests from and responses to those addresses are recorded.
http://www.alperyazgan.com/wp-content/uploads/resim/15.JPG
Log file path and name: the folder and the file name the log is written to.
Maximum size (bytes): the maximum size of the log file in bytes. The console proposes 500,000,000 bytes (about 500 MB) by default and the file wraps when it is full; change it as you see fit.
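The cmdlet equivalent of the Debug Logging tab, followed by a parser that turns the log into objects and pulls out two things a security team looks for first: clients receiving bursts of NXDOMAIN for random-looking names, and zone transfer attempts. This is an added example, not code from the original article; the log lines below are constructed in the format the Windows DNS debug log uses, and the path, names and addresses are hypothetical.

```powershell
# Added example (not from the original article): enable packet logging and parse the file.
Set-DnsServerDiagnostics -Queries $true -Answers $true -ReceivePackets $true -SendPackets $true `
    -UdpPackets $true -TcpPackets $true -QuestionTransactions $true `
    -EnableLoggingToFile $true -LogFilePath 'C:\DnsLogs\dns.log' -MaxMBFileSize 500

# One packet line: date time threadId PACKET ptr proto Snd|Rcv remoteIp xid [R] opcode [flags RCODE] qtype qname
# The name is written in length-prefixed labels, e.g. (3)www(3)lab(7)example(0).
# Constructed sample (hypothetical clients 192.168.10.50/.77 and an outside host 203.0.113.9):
$sample = @'
3/13/2015 10:51:10 AM 0F7C PACKET  00000000037E9B00 UDP Rcv 192.168.10.50   0002   Q [0001   D   NOERROR] A      (3)www(3)lab(7)example(0)
3/13/2015 10:51:10 AM 0F7C PACKET  00000000037E9B00 UDP Snd 192.168.10.50   0002 R Q [8081   DR  NOERROR] A      (3)www(3)lab(7)example(0)
3/13/2015 10:51:11 AM 0F7C PACKET  00000000037EA100 UDP Rcv 192.168.10.77   0003   Q [0001   D   NOERROR] A      (4)pc7s(6)a9f2k1(7)exfil99(3)net(0)
3/13/2015 10:51:11 AM 0F7C PACKET  00000000037EA100 UDP Snd 192.168.10.77   0003 R Q [8385   A DR NXDOMAIN] A      (4)pc7s(6)a9f2k1(7)exfil99(3)net(0)
3/13/2015 10:51:12 AM 0F7C PACKET  00000000037EA300 UDP Rcv 192.168.10.77   0004   Q [0001   D   NOERROR] TXT    (8)zz81kq0m(6)b7c0d4(7)exfil99(3)net(0)
3/13/2015 10:51:12 AM 0F7C PACKET  00000000037EA300 UDP Snd 192.168.10.77   0004 R Q [8385   A DR NXDOMAIN] TXT    (8)zz81kq0m(6)b7c0d4(7)exfil99(3)net(0)
3/13/2015 10:51:13 AM 0F7C PACKET  00000000037EA500 TCP Rcv 203.0.113.9     0005   Q [0001   D   NOERROR] AXFR   (3)lab(7)example(0)
3/13/2015 10:51:13 AM 0F7C PACKET  00000000037EA500 TCP Snd 203.0.113.9     0005 R Q [8085   A DR REFUSED] AXFR   (3)lab(7)example(0)
'@ -split "`r?`n"

$pattern = '^(?<ts>\S+ \S+ \S+)\s+(?<tid>[0-9A-F]+)\s+PACKET\s+(?<pkt>[0-9A-F]+)\s+(?<proto>UDP|TCP)\s+' +
           '(?<dir>Snd|Rcv)\s+(?<ip>\S+)\s+(?<xid>[0-9a-fA-F]{4})\s+(?<resp>R)?\s*(?<op>[A-Z])\s+' +
           '\[(?<flags>[^\]]+)\]\s+(?<qtype>\S+)\s+(?<qname>\S+)\s*$'

function ConvertFrom-DnsDebugLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }         # header, blank and non-packet lines
        $flags = $Matches.flags -split '\s+'
        [pscustomobject]@{
            Time     = $Matches.ts
            Protocol = $Matches.proto
            Dir      = $Matches.dir
            Client   = $Matches.ip
            IsReply  = [bool]$Matches.resp                  # "R" present only on responses
            Rcode    = $flags[-1]                           # last token inside the brackets
            QType    = $Matches.qtype
            QName    = ($Matches.qname -replace '\(\d+\)', '.').Trim('.')   # labels -> dotted name
        }
    }
}

$log = ConvertFrom-DnsDebugLog -Lines $sample
# For a real run: $log = ConvertFrom-DnsDebugLog -Lines (Get-Content 'C:\DnsLogs\dns.log')

# NXDOMAIN replies grouped by client. Many unique, long, random-looking names from one host
# is the classic signature of DNS tunnelling or a DGA, so it is surfaced first.
$log | Where-Object { $_.IsReply -and $_.Rcode -eq 'NXDOMAIN' } |
    Group-Object Client | Sort-Object Count -Descending |
    Select-Object Name, Count, @{n='Names'; e={ ($_.Group.QName | Sort-Object -Unique) -join ' ' }}

# Zone transfer attempts and how the server answered them (REFUSED here, as it should be).
$log | Where-Object { $_.QType -eq 'AXFR' } | Format-Table Time, Client, Dir, Rcode -AutoSize
```

With the sample, the first report lists 192.168.10.77 with two NXDOMAIN names under exfil99.net and the second shows the AXFR from 203.0.113.9 refused; the same two queries are what to feed into a SIEM rule once the log is real.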
Security: who can do what in the DNS management console, and therefore who may manage this DNS server. The default permissions are as follows:
SYSTEM : Full Control
DnsAdmins : Full Control
Organization Management : Read
Domain Admins : Full Control
Enterprise Admins : Full Control
ENTERPRISE DOMAIN CONTROLLERS : Full Control
Treat membership of DnsAdmins as administrative access to the DNS server itself: Full Control on the service includes changing its configuration, so keep that group as small as the Domain Admins group.
- Conditional Forwarders
A conditional forwarder sends queries for one specific domain name to the servers you list, regardless of the server's general forwarders, which is useful for delivering requests for a partner's or another site's domain to the right place. For instance, my normal forwarders resolve google.com through the Internet; if I define a conditional forwarder for google.com with a specific IP address, every google.com query from my clients goes only to the server I entered in the conditional forwarder.
http://www.alperyazgan.com/wp-content/uploads/resim/16.JPG
In the figure above ayazgan.com is defined as the DNS domain and no IP address has been entered yet. When a client asks me for ayazgan.com, the DNS server at the IP address I enter here will be the one that answers.
Store this conditional forwarder in Active Directory, and replicate it as follows: when this option is ticked, the forwarder is stored in Active Directory and replicated to the other DNS servers within the selected scope.
http://www.alperyazgan.com/wp-content/uploads/resim/17.JPG
All DNS servers in this forest: replicated to every DNS server in the forest.
All DNS servers in this domain: replicated to every DNS server in the domain.
All domain controllers in this domain: replicated to every DC in the domain (the Windows 2000-compatible scope).
a. Backup & Restore
A service this important must of course be backed up and must never go down. Microsoft has taken systematic measures for this, and as system administrators we trust them, but we also have our own methods that keep DNS alive through redundancy. The first of these is replication, described in the previous paragraph. Now for some other methods.
b. System State Backup
Of all the methods for backing up DNS together with the Directory Service objects, I consider this the most suitable. It is short, and the restore is easy, which is why it is preferred in the IT industry. In the background it also takes a copy of the "C:\Windows\system32\dns" folder, where file-backed zones are stored as zonename.dns together with their records, so after a crash the return is quick. A system state restore brings the DNS service back up without any further step.
c. Bare-Metal Recovery
This method applies to all Windows components. In short, a full image of the operating system is taken as a precaution against the operating system collapsing completely, and when the image is restored DNS comes back with it. It can be done with the operating system's own tools or with various third-party backup products; no product names are given here.
d. DNS Replication
We saw this when defining conditional forwarders: the replication scope chosen there (forest, domain, or the domain controllers) determines on which servers the zone data is kept.
http://www.alperyazgan.com/wp-content/uploads/resim/18.jpg
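A scripted counterpart of the three backup methods above: server settings, each primary zone as a zone file plus a record listing, and a System State backup. This is an added example rather than the article's own procedure; the backup paths and the drive letter are assumptions.

```powershell
# Added example (not from the original article): file-level DNS backup and single-zone
# restore with the DnsServer module. Paths, drive letters and zone names are hypothetical.
$BackupRoot = Join-Path 'D:\DnsBackup' (Get-Date -Format 'yyyyMMdd-HHmm')
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# 1. Server-level settings that no zone file carries (forwarders, recursion, scavenging, ...).
Get-DnsServer | Export-Clixml -Path (Join-Path $BackupRoot 'server-config.xml')

# 2. Every primary zone, AD-integrated or file-backed, as a standard zone file.
#    Export-DnsServerZone writes into %SystemRoot%\System32\dns, so copy the file out afterwards.
$zones = Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }
foreach ($z in $zones) {
    $file = "$($z.ZoneName).bak.dns"
    Export-DnsServerZone -Name $z.ZoneName -FileName $file
    Copy-Item -Path (Join-Path $env:SystemRoot "System32\dns\$file") -Destination $BackupRoot

    # A CSV of the records makes "what changed between two backups?" a simple diff.
    Get-DnsServerResourceRecord -ZoneName $z.ZoneName |
        Select-Object HostName, RecordType, TimeToLive,
            @{n='Data'; e={ ($_.RecordData.CimInstanceProperties | ForEach-Object { $_.Value }) -join ' ' }} |
        Export-Csv -Path (Join-Path $BackupRoot "$($z.ZoneName).csv") -NoTypeInformation
}

# 3. System State: covers AD-integrated zones together with the directory they live in.
wbadmin start systemstatebackup -backupTarget:E: -quiet

# Restore of one file-backed zone from its exported file (the zone must not exist yet):
# copy the .bak.dns file back into %SystemRoot%\System32\dns, then
# Add-DnsServerPrimaryZone -Name 'lab.example' -ZoneFile 'lab.example.bak.dns' -LoadExisting
```

Keep the exported zone files under the same access control as the server: a zone file is exactly what an attacker gets from an unrestricted zone transfer.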
DNS Server Cmdlets
Everything in this booklet so far has been shown through the interface. Now let us see the same configuration with cmdlets. The table below lists the cmdlets of Microsoft's DnsServer PowerShell module with their descriptions:
Cmdlet | Description
Add-DnsServerConditionalForwarderZone | Adds a conditional forwarder to a DNS server.
Add-DnsServerDirectoryPartition | Creates a DNS application directory partition.
Add-DnsServerForwarder | Adds server level forwarders to a DNS server.
Add-DnsServerPrimaryZone | Adds a primary zone to a DNS server.
Add-DnsServerResourceRecord | Adds a resource record of a specified type to a specified DNS zone.
Add-DnsServerResourceRecordA | Adds a type A resource record to a DNS zone.
Add-DnsServerResourceRecordAAAA | Adds a type AAAA resource record to a DNS server.
Add-DnsServerResourceRecordCName | Adds a type CNAME resource record to a DNS zone.
Add-DnsServerResourceRecordDnsKey | Adds a type DNSKEY resource record to a DNS zone.
Add-DnsServerResourceRecordDS | Adds a type DS resource record to a DNS zone.
Add-DnsServerResourceRecordMX | Adds an MX resource record to a DNS zone.
Add-DnsServerResourceRecordPtr | Adds a type PTR resource record to a DNS zone.
Add-DnsServerRootHint | Adds root hints on a DNS server.
Add-DnsServerSecondaryZone | Adds a DNS server secondary zone.
Add-DnsServerSigningKey | Adds a KSK or ZSK to a signed zone.
Add-DnsServerStubZone | Adds a DNS stub zone.
Add-DnsServerTrustAnchor | Adds a trust anchor to a DNS server.
Add-DnsServerZoneDelegation | Adds a new delegated DNS zone to an existing zone.
Clear-DnsServerCache | Clears resource records from a cache on the DNS server.
Clear-DnsServerStatistics | Clears all DNS server statistics or statistics for zones.
ConvertTo-DnsServerPrimaryZone | Converts a zone to a DNS primary zone.
ConvertTo-DnsServerSecondaryZone | Converts a primary zone or stub zone to a secondary zone.
Disable-DnsServerSigningKeyRollover | Disables key rollover on an input key.
Enable-DnsServerSigningKeyRollover | Enables rollover on the input key.
Export-DnsServerDnsSecPublicKey | Exports DS and DNSKEY information for a DNSSEC-signed zone.
Export-DnsServerZone | Exports contents of a zone to a file.
Get-DnsServer | Retrieves a DNS server configuration.
Get-DnsServerCache | Gets DNS server cache settings.
Get-DnsServerDiagnostics | Retrieves DNS event logging details.
Get-DnsServerDirectoryPartition | Gets a DNS application directory partition.
Get-DnsServerDnsSecZoneSetting | Gets DNSSEC settings for a zone.
Get-DnsServerDsSetting | Retrieves DNS Server Active Directory settings.
Get-DnsServerEDns | Gets EDNS configuration settings on a DNS server.
Get-DnsServerForwarder | Gets forwarder configuration settings on a DNS server.
Get-DnsServerGlobalNameZone | Retrieves DNS server GlobalNames zone configuration details.
Get-DnsServerGlobalQueryBlockList | Gets a global query block list.
Get-DnsServerRecursion | Retrieves DNS server recursion settings.
Get-DnsServerResourceRecord | Gets resource records from a specified DNS zone.
Get-DnsServerRootHint | Gets root hints on a DNS server.
Get-DnsServerScavenging | Gets DNS aging and scavenging settings.
Get-DnsServerSetting | Retrieves DNS server settings.
Get-DnsServerSigningKey | Gets zone signing keys.
Get-DnsServerStatistics | Retrieves DNS server statistics or statistics for zones.
Get-DnsServerTrustAnchor | Gets trust anchors on a DNS server.
Get-DnsServerTrustPoint | Gets trust points on a DNS server.
Get-DnsServerZone | Gets details of DNS zones on a DNS server.
Get-DnsServerZoneAging | Gets DNS aging settings for a zone.
Get-DnsServerZoneDelegation | Gets the zone delegations of a DNS server zone.
Import-DnsServerResourceRecordDS | Imports DS resource record information from a file.
Import-DnsServerRootHint | Copies root hints from a DNS server.
Import-DnsServerTrustAnchor | Imports a trust anchor for a DNS server.
Invoke-DnsServerSigningKeyRollover | Initiates rollover of signing keys for the zone.
Invoke-DnsServerZoneSign | Signs a DNS server zone.
Invoke-DnsServerZoneUnsign | Unsigns a DNS server zone.
Register-DnsServerDirectoryPartition | Registers a DNS server in a DNS application directory partition.
Remove-DnsServerDirectoryPartition | Removes a DNS application directory partition.
Remove-DnsServerForwarder | Removes server level forwarders from a DNS server.
Remove-DnsServerResourceRecord | Removes specified DNS server resource records from a zone.
Remove-DnsServerRootHint | Removes root hints from a DNS server.
Remove-DnsServerSigningKey | Removes signing keys.
Remove-DnsServerTrustAnchor | Removes a trust anchor from a DNS server.
Remove-DnsServerZone | Removes a zone from a DNS server.
Remove-DnsServerZoneDelegation | Removes a name server or delegation from a DNS zone.
Reset-DnsServerZoneKeyMasterRole | Transfers the role of Key Master for a DNS zone.
Restore-DnsServerPrimaryZone | Restores primary DNS zone contents from Active Directory or from a file.
Restore-DnsServerSecondaryZone | Restores secondary zone information from its source.
Resume-DnsServerZone | Resumes name resolution on a suspended zone.
Set-DnsServer | Overwrites a DNS server configuration.
Set-DnsServerCache | Modifies cache settings for a DNS server.
Set-DnsServerConditionalForwarderZone | Changes settings for a DNS conditional forwarder.
Set-DnsServerDiagnostics | Sets debugging and logging parameters.
Set-DnsServerDnsSecZoneSetting | Changes settings for DNSSEC for a zone.
Set-DnsServerDsSetting | Modifies DNS Active Directory settings.
Set-DnsServerEDns | Changes EDNS settings on a DNS server.
Set-DnsServerForwarder | Changes forwarder settings on a DNS server.
Set-DnsServerGlobalNameZone | Changes configuration settings for a GlobalNames zone.
Set-DnsServerGlobalQueryBlockList | Changes settings of a global query block list.
Set-DnsServerPrimaryZone | Changes settings for a DNS primary zone.
Set-DnsServerRecursion | Modifies recursion settings for a DNS server.
Set-DnsServerResourceRecord | Changes a resource record in a DNS zone.
Set-DnsServerResourceRecordAging | Begins aging of resource records in a specified DNS zone.
Set-DnsServerRootHint | Replaces a list of root hints.
Set-DnsServerScavenging | Changes DNS server scavenging settings.
Set-DnsServerSecondaryZone | Changes settings for a DNS secondary zone.
Set-DnsServerSetting | Modifies DNS server settings.
Set-DnsServerSigningKey | Changes settings of a signing key.
Set-DnsServerStubZone | Changes settings for a DNS server stub zone.
Set-DnsServerZoneAging | Configures DNS aging settings for a zone.
Set-DnsServerZoneDelegation | Changes delegation settings for a child zone.
Show-DnsServerCache | Shows the records in a DNS server cache.
Show-DnsServerKeyStorageProvider | Returns a list of key storage providers.
Start-DnsServerScavenging | Notifies a DNS server to attempt a search for stale resource records.
Start-DnsServerZoneTransfer | Starts a zone transfer for a secondary DNS zone from master servers.
Step-DnsServerSigningKeyRollover | Rolls over a KSK that is waiting for a parent DS update.
Suspend-DnsServerZone | Suspends a zone on a DNS server.
Sync-DnsServerZone | Checks the DNS server memory for changes, and writes them to persistent storage.
Test-DnsServer | Tests that a specified computer is a functioning DNS server.
Test-DnsServerDnsSecZoneSetting | Validates DNSSEC settings for a zone.
Unregister-DnsServerDirectoryPartition | Deregisters a DNS server from a DNS application directory partition.
Update-DnsServerTrustPoint | Updates all trust points in a DNS trust anchor zone.
The syntax of each cmdlet is documented in the DnsServer module reference on Microsoft's web site.
DNS Server Delegations
The main purpose of a delegation is to hand responsibility for a child zone (for example the DNS of a different site or location) to another DNS server, while the parent zone keeps a pointer to it. A query for a name in the child domain that arrives at the parent is referred to the server we assigned in the delegation; the child's records live on that server, and the parent's DNS still knows how to reach them. On Server 2012 this can be done in the UI while creating the secondary or stub zone, and it can equally be done from the command line.
Method – 1 : UI ( User Interface )
http://www.alperyazgan.com/wp-content/uploads/resim/19.JPG
http://www.alperyazgan.com/wp-content/uploads/resim/20.JPG
Method - 2: Command Line
Command : dnscmd SERVER_NAME /RecordAdd ZONE_NAME NODE_NAME NS HOSTNAME_FQDN
Breaking this command down: dnscmd is the name of the command. SERVER_NAME is the DNS server the record is added on. /RecordAdd is the parameter; it means "I am adding a record". ZONE_NAME is the parent zone under which the stub or secondary zone is being delegated. NODE_NAME is the label of the child being delegated. NS is the record type, and the final hostname or FQDN names the name server that will be the master of the child (stub) zone.
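The same delegation done with the DnsServer cmdlets, together with the check that proves the parent really hands the child off. This is an added example, not the article's own code; the parent zone lab.example on dns01, the child branch.lab.example on dns-branch (192.168.20.10) and the host fs01 are assumptions.

```powershell
# Added example (not from the original article): delegate a child zone and verify the referral.
# All names and addresses are hypothetical.

# On the child's server: the child zone must exist (with its own SOA/NS) before it is delegated.
Add-DnsServerPrimaryZone -ComputerName 'dns-branch' -Name 'branch.lab.example' -ZoneFile 'branch.lab.example.dns'
Add-DnsServerResourceRecordA -ComputerName 'dns-branch' -ZoneName 'branch.lab.example' `
    -Name 'fs01' -IPv4Address '192.168.20.15'

# On the parent's server: the NS record for the child label plus the glue A record. This is
# exactly what "dnscmd dns01 /RecordAdd lab.example branch NS dns-branch.lab.example." creates,
# with the glue added alongside.
Add-DnsServerZoneDelegation -ComputerName 'dns01' -Name 'lab.example' -ChildZoneName 'branch' `
    -NameServer 'dns-branch.lab.example' -IPAddress '192.168.20.10'
Get-DnsServerZoneDelegation -ComputerName 'dns01' -Name 'lab.example'

# Verify. Without recursion the parent must answer with a referral (Authority section: NS
# dns-branch.lab.example, Additional: its A record), not with fs01's address.
Resolve-DnsName -Name 'fs01.branch.lab.example' -Server 'dns01' -DnsOnly -NoRecursion |
    Format-Table Name, Type, Section, NameHost, IPAddress -AutoSize
# The child's server answers authoritatively with 192.168.20.15.
Resolve-DnsName -Name 'fs01.branch.lab.example' -Server '192.168.20.10' -DnsOnly

# Optional: a stub zone on the parent keeps the child's NS list current automatically
# instead of relying on the static glue in the delegation.
Add-DnsServerStubZone -ComputerName 'dns01' -Name 'branch.lab.example' `
    -MasterServers '192.168.20.10' -ZoneFile 'branch.lab.example.dns'
```

If the first Resolve-DnsName returns the A record directly, the parent still holds fs01 in its own zone and the delegation is being shadowed; remove the stale record from lab.example before trusting the child.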
So far we have studied the general features of the DNS service in detail, with examples from the Microsoft infrastructure. As the last heading I want to talk about DNSSEC, the feature that stands out in MS Windows Server 2012.
DNS by itself contains no security methodology: nothing in a plain response proves where it came from or that it was not altered. DNSSEC adds exactly that. It is based on digitally signing the records in a zone; with these signatures the resolver confirms that the answer really originates from the zone's owner and has not been changed on the way, and only then is the name resolution accepted. In short, DNSSEC lets the client, or the resolver working for it, prove the accuracy of what it receives from the target. It does not encrypt the traffic; it only proves its authenticity and integrity.
http://www.alperyazgan.com/wp-content/uploads/resim/21.jpg
The structure works as shown above. When the client sends a query, the DNS server contacts the other DNS servers, performs DNSSEC validation on the response it gets, and sends the validated answer to the client. An attacker who intervenes early and captures the traffic cannot substitute a response of his own, because a valid signature needs the zone's private key; the matching public key is published in the zone as a DNSKEY record and is anchored through the parent zone (DS record) or a trust anchor configured on the resolver.
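A worked run of the exchange above on Windows Server 2012 or later: sign the zone on the authoritative server, install its key signing key as a trust anchor on a separate validating resolver, then query through the resolver with and without validation. This is an added example and not code from the original article; the zone lab.example, the servers dns01 and dns-res, and the use of a local trust anchor instead of a DS record in the parent are assumptions for a lab.

```powershell
# Added example (not from the original article): sign, anchor, validate. Zone and server
# names are hypothetical; assumes the DnsServer module on both machines.

# 1. Authoritative side: sign with the default settings (one KSK, one ZSK, NSEC3 denial of existence).
Invoke-DnsServerZoneSign -ComputerName 'dns01' -ZoneName 'lab.example' -SignWithDefaultSettings -Force
Get-DnsServerDnsSecZoneSetting -ComputerName 'dns01' -ZoneName 'lab.example' |
    Select-Object DenialOfExistence, NSec3Iterations, SignatureInceptionOffset

# 2. Take the key signing key (KeyFlags 257) out of the zone's DNSKEY set. On the public
#    Internet the corresponding DS record would be submitted to the parent zone; in a private
#    lab the KSK itself is installed as the trust anchor on the validating resolver.
$ksk = Get-DnsServerResourceRecord -ComputerName 'dns01' -ZoneName 'lab.example' -RRType DnsKey |
       Where-Object { $_.RecordData.KeyFlags -eq 257 } | Select-Object -First 1

# 3. Resolver side: install the anchor and confirm the trust point came up as valid.
#    The "Enable DNSSEC validation for remote responses" box on the Advanced tab must be on
#    (its 2008 R2 command-line equivalent is: dnscmd dns-res /Config /EnableDnsSec 1).
Add-DnsServerTrustAnchor -ComputerName 'dns-res' -Name 'lab.example' `
    -CryptoAlgorithm $ksk.RecordData.CryptoAlgorithm -KeyProtocol $ksk.RecordData.KeyProtocol `
    -Base64Data $ksk.RecordData.Base64Data
Get-DnsServerTrustAnchor -ComputerName 'dns-res' -Name 'lab.example' |
    Select-Object TrustAnchorName, TrustAnchorState

# 4. Query through the resolver. -DnssecOk sets the DO bit, so the RRSIG records are returned
#    with the answer and the resolver validates them against the anchor. -DnssecCd sets the CD
#    bit: data comes back even if validation fails, which is how you tell "the name does not
#    exist" apart from "the signature did not verify" when a query suddenly returns SERVFAIL.
Resolve-DnsName -Name 'www.lab.example' -Type A -Server 'dns-res' -DnssecOk |
    Format-Table Name, Type, Section, TTL -AutoSize
Resolve-DnsName -Name 'www.lab.example' -Type A -Server 'dns-res' -DnssecCd
```

A quick negative test is to re-sign the zone with new keys on dns01 without updating the anchor on dns-res: the -DnssecOk query then fails while the -DnssecCd query still returns the data, which is the validation step from the diagram rejecting a signature it cannot trust.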
Dear IT volunteers and employees, I have studied DNS in detail as an IT volunteer, and I wanted to share this subject with you together with the areas in which it is used most in the field.
Best Regards,
Alper