Chapter 9: DNS in Name Resolution Designs

Slides: 30
Provided by: higheredM

Transcript and Presenter's Notes

1
Chapter 9: DNS in Name Resolution Designs
  • Designs That Include DNS
  • Essential DNS Design Concepts
  • Name Resolution Protection in DNS Designs
  • DNS Design Optimization

2
DNS and Microsoft Windows 2000
3
DNS Design Review
  • Amount of data transmitted
  • Segments requiring name resolution
  • Network growth plans
  • WAN connections in use
  • Current domain namespace design
  • Existing DNS servers

4
DNS Design Decisions
  • Integration into existing design
  • Existing domain namespace design
  • OSs in use and versions of DNS and Berkeley
    Internet Name Domain (BIND)
  • Location of existing DNS servers
  • Existing Windows Internet Name Service (WINS)
    servers
  • DNS zones
  • Availability to DNS clients
  • Optimization of DNS traffic

5
DNS and Active Directory Designs
  • Support for SRV resource records
  • Dynamic and incremental zone updating
  • Storage of zone databases in the Active Directory
    directory service
  • Active Directory replication
  • Automatic management of DNS resource records
  • Integration with WINS servers

6
Traditional DNS Designs
  • For interoperability, servers must support:
    • A common character set
    • The same DNS zone transfer method
    • The same zone transfer compression method
    • The correct DNS resource record type
    • Dynamic DNS zone update protocol

7
Evaluating a Domain Namespace
  • Domain namespace and Internet naming conventions
  • External and internal namespaces
  • Active Directory and domain namespace
  • Namespace and subdomains within the namespace
  • Domain namespace and DNS zones

8
Domain Namespace Structure
9
Domain Namespace Structure (Cont.)
  • Domain root
  • Top-level domain
  • Second-level domain
  • Subdomains
  • Host or resource name

10
External and Internal Domain Namespace
  • External: visible to Internet computers
  • Internal: visible within organization only
  • Internal namespace:
    • Can be part of external namespace
    • Must be different from other organizations'
      external namespace

11
Combined Domain Namespace
12
Domain Namespace and Subdomains
13
Domain Namespace and Active Directory
  • Active Directory domains correspond to DNS
    domains.
  • All domains must be in internal namespace.
  • DNS zone dynamic updating should be enabled, if
    possible.

14
Domain Namespace and DNS Zones
  • Use a single DNS zone when:
    • The namespace is small
    • Administration is centralized
    • The namespace is exclusively internal or external
    • The namespace is exclusively dynamic or manual

15
Domain Namespace and DNS Zones (Cont.)
  • Use multiple DNS zones when:
    • The namespace is large
    • Administration is decentralized
    • The namespace is internal or external
    • The namespace is dynamic or manual

16
Zone Types
  • Traditional DNS zones
  • Active Directory integrated zones
  • A combination of both zone types

17
Traditional DNS Zones
  • The operating system stores zone information.
  • The primary zone has one read-write copy of the
    zone information.
  • Secondary zones have read-only copies of the zone
    information.
  • Zone information is replicated similarly to BIND
    DNS.

18
When to Use Traditional DNS Zones
  • For interoperability with BIND DNS servers
  • When the organization doesn't use Active
    Directory
  • When the staff is familiar with BIND DNS servers
  • When secured dynamic updates are not required
  • When zone information on unsecured segments is
    needed

19
Active Directory Integrated Zones
  • Store:
    • Zone information in Active Directory
    • Multimaster, read-write copy of zone information
  • Use when:
    • The design includes dynamically updated zones
    • Secured dynamic zone updates are required
    • You want to reduce replication administration

20
Combining Zone Types
  • Both zone types can be used in the design.
  • An Active Directory integrated zone can be
    substituted for the primary zone.
  • Active Directory integrated zones can replicate
    zone information using traditional zones.

21
DNS Server Placement Objectives
  • Reduce network traffic.
  • Support Active Directory domain controllers.
  • Locally administer DNS servers.
  • Improve query response time.
  • Use load balancing.
  • Use multiple servers for redundancy.

22
Integrating Other DNS Versions
  • Can integrate with BIND and Microsoft Windows NT
    4.0 DNS
  • Involves the following issues:
    • Dynamically updated DNS zones
    • The character set supported in zones
    • The resource records supported in zones

23
Integrating DNS and WINS: An Example
24
Integrating DNS and WINS
  • Is necessary for Windows NT networks
  • Requires you to specify:
    • Subdomain for WINS resolution
    • Order for name resolution
    • IP addresses for WINS servers

25
Preventing Unauthorized Dynamic Updates
  • Choose the method for dynamic zone updates:
    • Dynamic Host Configuration Protocol (DHCP) Server
      in Windows 2000
    • Windows 2000 DNS Client
  • Secure dynamic zone updates by specifying:
    • The Active Directory integrated zone required
    • The permissions to update zones in Active
      Directory

26
Preventing Unauthorized DNS Server Access
  • Restrict DNS administrators.
  • Isolate read-write copies of DNS zones.
  • Isolate zones managing internal namespaces.
  • Require Active Directory integrated zones.

27
Enhancing DNS Availability
  • Replicate DNS zones across servers.
  • Use Windows Clustering.
  • Dedicate a computer to DNS.

28
Improving DNS Performance
  • Reduce DNS query resolution time.
  • Place DNS servers at remote locations.
  • Load balance queries across multiple DNS servers.
  • Divide domains into subdomains.
  • Include caching-only servers.
  • Reduce DNS zone replication traffic.
  • Dedicate a computer to DNS.

29
Chapter Summary
  • Use DNS to:
    • Resolve resource names to IP addresses
    • Integrate WINS and other DNS versions
  • Determine support for Active Directory integrated
    zones.
  • Consider domain namespace for placement.
  • Choose among several methods to:
    • Secure DNS
    • Optimize DNS design