Contents
Overview 1

Introducing DNS 2
Designing a Functional DNS Solution 7
Discussion: Designing DNS Solutions 20
Securing DNS 22
Enhancing a DNS Design for Availability 28
Optimizing a DNS Design for Performance 31
Discussion: Enhancing DNS Solutions 35
Lab A: Designing a DNS Solution 37
Review 49

Module 4: DNS as a Solution for Name Resolution


Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.



Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

© 2000 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting,
PowerPoint, Visual Basic, Visual C++, Visual Studio, Win32, Windows, Windows Media,
Windows NT, are either registered trademarks or trademarks of Microsoft Corporation in the
U.S.A. and/or other countries/regions.

Project Lead: Don Thompson (Volt Technical)
Instructional Designers: Patrice Lewis (S&T OnSite), Renu Bhatt NIIT (USA) Inc.
Instructional Design Consultants: Paul Howard, Susan Greenberg
Program Managers: Jack Creasey, Doug Steen (Independent Contractor)
Technical Contributors: Thomas Lee, Bernie Kilshaw, Joe Davies
Graphic Artist: Kirsten Larson (S&T OnSite)
Editing Manager: Lynette Skinner
Editor: Kristen Heller (Wasser)
Copy Editor: Kaarin Dolliver (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aditi)
Online Support: Eric Brandt (S&T Consulting)
Multimedia Development: Kelly Renner (Entex)
Test Leads: Sid Benevente, Keith Cotton
Test Developer: Greg Stemp (S&T OnSite)
Production Support: Lori Walker (S&T Consulting)
Manufacturing Manager: Rick Terek (S&T OnSite)

Manufacturing Support: Laura King (S&T OnSite)
Lead Product Manager, Development Services: Bo Galford
Lead Product Manager: Ken Rosen
Group Product Manager: Robert Stewart

Other product and company names mentioned herein may be the trademarks of their respective
owners.



Module 4: DNS as a Solution for Name Resolution iii


Instructor Notes
This module provides students with the knowledge and decision-making skills
that are necessary to design a functional name resolution service by using DNS
within a Microsoft® Windows® 2000 networking infrastructure. In the module,
students will make DNS technology decisions to enhance the design’s security,
availability, and performance based on the organization’s requirements.
At the end of this module, students will be able to:
• Recognize DNS as a solution for name resolution.
• Evaluate and create a DNS solution to support an organization's namespace requirement.
• Select appropriate strategies to secure DNS.
• Select appropriate strategies to improve the availability of DNS.
• Select appropriate strategies to improve DNS performance.

Upon completion of the design lab, students will be able to design DNS solutions that meet the name resolution requirements of a variety of organizations.
Materials and Preparation
This section provides you with the materials and preparation needed to teach
this module.
Materials
To teach this module, you need the following materials:
• Microsoft PowerPoint® file 1562B_04.ppt

Preparation Tasks
To prepare for this module:
• Review the contents of this module.
• Read any relevant information in the Windows 2000 Help files, the Windows 2000 Resource Kit, or in documents provided on the Instructor CD.
• Read the relevant RFCs in the Windows 2000 Help files.
• Review discussion material and be prepared to lead class discussions on the topics.
• Complete the lab and be prepared to elaborate beyond the solutions found there.
• Read the review questions and be prepared to elaborate beyond the answers provided in the text.

Presentation: 75 minutes
Lab: 45 minutes
Module Strategy
Use the following strategy to present this module:
• Introducing DNS
  Emphasize the importance of name resolution in a network. Give some examples of user-friendly addresses and numerical Internet Protocol (IP) addresses. After the students understand the importance of name resolution, give a brief overview of Windows 2000 DNS. Explain how DNS resolves names. For an overview of DNS, you can ask the students to view the DNS video on the Student CD.
  In this section:
  • Emphasize that the first step in designing a DNS solution is to identify the design decisions that influence the design. Point out that it is essential to determine the network configuration and the number of hosts, locations, subnets, and routers before starting the design.
  • Describe the solutions provided by DNS. Emphasize that DNS can integrate with other products. Discuss the impact of DNS on network management.
  • Emphasize that integrating DNS with WINS, DHCP, and the Active Directory directory service extends name resolution: DHCP registers the IP configuration it assigns in DNS, WINS resolves NetBIOS names that DNS does not hold, and Active Directory provides secured updates and authenticated replication of zone data.
• Designing a Functional DNS Solution
  Explain that DNS functionality can be established by selecting appropriate zone types, determining server placement, and integrating DNS with other Windows 2000 services. Provide an overview of the decisions involved in establishing a functional design.
  In this section:
  • Explain what a zone is and how zones work. Give a brief overview of Active Directory integrated zones, traditional DNS zones, and the combination of both, in terms of how to select an appropriate zone.
  • Tell the students that the structure of the DNS namespace and the DNS zone type influence the placement of DNS servers in a network design. Discuss how to determine server placement based on namespace design and zone type.
  • Introduce reverse lookup zones. Tell the students that if applications or network security require the conversion of IP addresses to domain names, they can include reverse lookup zones in their network design. Explain that reverse lookup zones can be Active Directory integrated zones, traditional primary zones, or traditional secondary zones.
  • Point out that DNS servers interact with servers on the Internet to resolve names. Explain how DNS integrates with the Internet.
  • Explain that the Windows 2000 DNS service can be combined with BIND and Microsoft Windows NT® version 4.0 DNS servers if you cannot replace the existing DNS servers.
  • Point out that the host names found in WINS can be resolved by forwarding unresolved DNS queries to a WINS server. Forwarding of unresolved DNS queries to WINS can be enabled on a zone-by-zone basis.
  • Explain that the DNS zones provided by Windows 2000 can be integrated into the existing namespace of an organization. Tell students that they need to integrate the DNS zones into the existing namespace if they are unable to make a computer running Windows 2000 the DNS root server for the organization.
  • Ensure that students understand the scenario description and directions for the Discussion. Direct them to read through the scenario and answer the questions. Be prepared to clarify if necessary. Lead a class discussion on the students' responses.
• Securing DNS
  Because DNS servers are exposed to the network, you need to secure DNS access from private and public networks. In this section, explain the use of restricted updates, Internet Protocol Security (IPSec), virtual private network (VPN) tunnels, Active Directory, and screened subnets to secure DNS.
  In this section:
  • Emphasize that dynamic updates must be restricted to authorized computers, groups, or users; otherwise any host on the network can add or overwrite records and redirect clients to an impersonated server.
  • Point out that names and IP addresses replicated over public networks can be protected against unauthorized access by using IPSec, VPN tunnels, and Active Directory replication.
  • Point out that when integrating DNS into screened subnets, you must restrict Internet-based user access and encrypt any zone replication between the screened subnet and the private network. Describe the placement and interaction of DNS services within screened subnets.
• Enhancing a DNS Design for Availability
  Describe the use of replicated DNS zones and server clusters to enhance the availability of a DNS design.
  In this section:
  • Emphasize that implementing multiple DNS servers with replicated zones at local and remote locations enhances the availability of DNS. Adding DNS servers at remote locations keeps name resolution available when a wide area network (WAN) link or router fails.
  • Explain that server clusters can also enhance DNS availability, but only against failures at a single location.
• Optimizing a DNS Design for Performance
  Explain the methods of improving the performance of a DNS design. Reducing query resolution time and reducing the impact of replication on network traffic maximize the performance of the DNS service.
  In this section:
  • Emphasize that caching-only servers, delegated zones, and load balancing can reduce query resolution time.
  • Point out that reducing DNS replication traffic frees bandwidth for other network traffic. Explain that replication can be made cheaper by using fast zone transfers, modifying the replication schedule, and performing incremental zone transfers.
  • Make sure that students understand the scenario description and directions for the Discussion. Direct them to read through the scenario and answer the questions. Be prepared to clarify if necessary. Lead a class discussion on the students' responses.

Lab Strategy
Use the following strategy to present this lab.
Lab A: Designing a DNS Solution
In this lab, students will design a DNS solution based on specific requirements

outlined in the given scenario.
Students will review the scenario and the design requirements, and read any
supporting materials. They will use this information, and the knowledge gained
from the module, to develop a detailed design that uses DNS as the solution.
To conduct the lab:
• Read through the lab carefully, paying close attention to the instructions and to the details of the scenario.
• Divide the class into teams of two or more students.
• Present the lab and make sure students understand the instructions and the purpose of the lab.
• Explain that the planning worksheet is to be used to develop the design of their solution.
• Remind students to consider any functionality, security, availability, and performance criteria that are provided in the scenario, and how they will incorporate strategies to meet these criteria in their design.
• Take the opportunity to assess each student's comprehension of the design strategies presented in the module while students are completing the lab.
• Allow some time to discuss the solutions after the lab is completed. A solution is provided on the Instructor CD to help you review the lab results. Encourage students to critique each other's solutions and to discuss any ideas for improving the designs.



Overview
• Introducing DNS
• Designing a Functional DNS Solution
• Securing DNS
• Enhancing a DNS Design for Availability
• Optimizing a DNS Design for Performance


Name resolution lets users refer to network resources by name rather than by the numerical Internet Protocol (IP) addresses that computers use to identify themselves on the network.
DNS in Microsoft® Windows® 2000 allows users to refer to network resources with easy-to-remember names by resolving those names to IP addresses. In this module, you will evaluate and design a DNS solution for name resolution.
At the end of this module, you will be able to:
• Recognize DNS as a solution for name resolution.
• Evaluate and create a DNS solution to support an organization's name resolution requirement.
• Select appropriate strategies to secure DNS.
• Select appropriate strategies to enhance the availability of DNS.
• Select appropriate strategies to improve DNS performance.

Slide Objective: To provide an overview of the module topics and objectives.
Lead-in: While designing a network, you must identify name resolution solutions to locate computers and services on the network. In this module, you will evaluate and design a DNS solution for name resolution.
Introducing DNS
• Design Decisions for a DNS Solution
• Microsoft DNS Features
• Integrating DNS with Other Windows 2000 Services


While designing a network, you must identify solutions for name resolution to
locate computers and services on the network. The large number of available
network resources creates the need for meaningful resource names to simplify
the user’s access to resources.
Windows 2000 DNS allows users to refer to network resources with names
complying with the DNS standard. You can use DNS to resolve names to IP
addresses. DNS can also integrate with other Windows 2000 services to extend
the name resolution capabilities.
To design a strategy for locating network resources by using DNS, you must:
• Collect information about network and host configuration, and the number of locations.
• Identify the features provided by DNS and how these features support the design requirements.
• Identify the benefits provided by integrating DNS with other services in Windows 2000.


Slide Objective: To introduce DNS as a solution for name resolution in a Windows 2000 network.
Lead-in: While designing a network, you must identify solutions for name resolution to locate computers and services on the network.
Remind students that in this module, DNS always refers to the DNS services provided by Windows 2000 unless otherwise specified.
Design Decisions for a DNS Solution
• Number of Locations?
• Number of Hosts at Each Location?
• Existing DNS Servers?
• Active Directory Infrastructure?

[Figure: a private network containing Windows 2000 DNS, Active Directory, and a UNIX DNS server, separated by a firewall from DNS servers on the Internet.]

The design of your DNS solution is based on criteria that you collect during the design process. After you have collected the criteria, you can begin designing your DNS solution.
Some of the criteria that affect your DNS design include the:
• Number of locations. The number of locations determines the minimum number of DNS servers, because each location typically has at least one DNS server.
• Number of hosts at each location. The number of hosts at each location determines the number of DNS clients that must be supported within the location.
• Existence of any prior DNS servers, such as UNIX or Microsoft Windows NT® version 4.0 DNS servers. Existing DNS servers may limit the use of DNS features such as incremental zone transfers.
• Existence of, or plans to include, an Active Directory directory service infrastructure. Active Directory provides the option of including Active Directory integrated zones in your DNS design.

Slide Objective: To identify the design decisions that influence a DNS solution.
Lead-in: To design a DNS solution, you must determine the number of locations and hosts, the existing DNS servers, and the Active Directory infrastructure.
Discuss the bulleted points with students. Tell them that these are the questions they need to answer before designing a DNS solution. Explain the relevance of these decisions with reference to the graphic.
Microsoft DNS Features
• Resolving Domain Names
• Integrating with Active Directory
• Integrating into Existing Network Designs


To determine how Windows 2000 DNS integrates into an existing infrastructure, you need to define the features provided by DNS, its compliance with the existing standards, and the scope for extending the existing services.
Resolving Domain Names
The solutions provided by DNS include:
• Resolving traditional fully qualified domain names (FQDNs).
• Resolving network basic input/output system (NetBIOS) names by forwarding queries to WINS.

Integrating with Active Directory
The integration of the DNS service with Active Directory enhances a DNS design by:
• Reducing network management. Network management is reduced because DNS uses Active Directory replication to replicate DNS zone databases.
• Providing secured and automatic maintenance of DNS zone databases by using dynamically updated DNS.

Slide Objective: To introduce the key features of DNS.
Lead-in: When designing a DNS name resolution service, you must understand the features available to support the needs of your infrastructure.
Integrating into Existing Network Designs
The DNS service in Windows 2000 is a superset of the Internet Engineering Task Force (IETF) standards. You can integrate DNS with other products that are based on the IETF standards. DNS provides compatibility with DNS servers on other operating systems by complying with Berkeley Internet Name Domain (BIND) version 8.2.2. Crucial BIND compatibility includes:
• Incremental zone transfers, supported by BIND version 8.2.1 and later.
• Dynamically updated DNS zone databases, supported by BIND version 8.1.2 and later.
• The SRV (service) resource record, supported by BIND version 4.9.6 and later.

Note: Although other versions of BIND can integrate with the DNS services in Windows 2000, BIND version 8.2.2 is recommended. At the time of writing, BIND version 8.2.2 is the latest version and supports all of the features listed above.
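SRV record handling, as an added example that is not part of the module: Active Directory clients locate domain controllers through SRV records such as _ldap._tcp.<domain>, and RFC 2782 defines how a client orders the targets it receives (lowest priority value first; within one priority, weighted random choice, with weight-0 entries placed first in the pool so they are picked only when nothing else has weight). The Python below parses zone-file SRV lines and implements that ordering with an injectable random source so the result can be checked. The zone lines, host names and ports are constructed.

```python
import random
from typing import Callable, Dict, List, NamedTuple, Tuple


class SRV(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(line: str) -> Tuple[str, SRV]:
    """Parse one zone-file SRV line into (owner, SRV).

    Accepts the usual 'owner [ttl] [class] SRV priority weight port target' layout.
    """
    fields = line.split()
    idx = fields.index("SRV")
    priority, weight, port, target = fields[idx + 1:idx + 5]
    return fields[0], SRV(int(priority), int(weight), int(port), target)


def order_targets(records: List[SRV],
                  rand: Callable[[int], int] = lambda n: random.randint(0, n)) -> List[SRV]:
    """Order SRV records for connection attempts as RFC 2782 describes.

    Lower priority values are tried first. Within one priority, entries are chosen
    by weighted random selection: zero-weight entries go to the front of the pool,
    a number in [0, sum of weights] is drawn, and the first entry whose running
    weight sum reaches it is selected and removed; repeat until the pool is empty.
    rand(n) must return an integer in [0, n]; it is injectable so tests are deterministic.
    """
    by_priority: Dict[int, List[SRV]] = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)

    ordered: List[SRV] = []
    for priority in sorted(by_priority):
        # sorted() is stable, so zero-weight entries move to the front and keep their order
        pool = sorted(by_priority[priority], key=lambda r: r.weight != 0)
        while pool:
            total = sum(r.weight for r in pool)
            pick = min(rand(total), total)      # clamp a misbehaving rand() so the loop always ends
            running = 0
            for i, rec in enumerate(pool):
                running += rec.weight
                if running >= pick:
                    ordered.append(pool.pop(i))
                    break
    return ordered


# Constructed records in the shape domain controllers register for LDAP.
SAMPLE_ZONE_LINES = [
    "_ldap._tcp.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.",
    "_ldap._tcp.corp.example.com. 600 IN SRV 0 0 389 dc2.corp.example.com.",
    "_ldap._tcp.corp.example.com. 600 IN SRV 10 50 389 dc3.corp.example.com.",
]


def sample_records() -> List[SRV]:
    return [parse_srv(line)[1] for line in SAMPLE_ZONE_LINES]


if __name__ == "__main__":
    for rec in order_targets(sample_records()):
        print(rec.priority, rec.weight, rec.port, rec.target)
```

With the constructed records, dc3 (priority 10) is always tried last; dc1 (weight 100) is chosen before dc2 (weight 0) on every draw except a draw of exactly 0, which is the rare fallback behaviour RFC 2782 intends for weight-0 entries.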
Integrating DNS with Other Windows 2000 Services

[Figure: a DNS server exchanging name registration, name resolution, authentication, and replication with a WINS server, a DHCP server, and Active Directory.]

DNS integrates with other networking services to take advantage of their
features. These features require you to include additional specifications in the
design, such as forwarding name resolution queries to a WINS server.
The following table describes the benefits of integrating DNS with other networking services.

DNS integrates with DHCP to: Automatically update DNS entries when DHCP addresses are assigned to DHCP client computers.
DNS integrates with WINS to: Resolve DNS queries by forwarding the queries to a WINS server and resolving the queries from the WINS database entries.
DNS integrates with Active Directory to: Provide multiple-master DNS zones, secured zone updates, and encrypted DNS replication.

Slide Objective: To describe how DNS integrates with other Windows 2000 networking services.
Lead-in: DNS integrates with other Windows 2000 networking services such as DHCP and WINS.
Designing a Functional DNS Solution
• Selecting the Appropriate Zone Types
• Server Placement by Zone Type
• Reverse Lookup Zone Design
• Connecting DNS to the Internet
• Integrating with BIND and DNS Servers in Windows NT 4.0
• Integrating DNS and WINS
• Strategies for Integrating into the Existing Namespace


There are a few essential design decisions that you need to make for a DNS
solution. After these essential design decisions are established, you can
optimize the DNS solution by adding security, availability, and performance
enhancements to your design.
The essential design decisions for your DNS solution must include:
• Which zone types to include in your design.
• Where to place DNS servers based upon the zone types.
• How to create designs that include reverse lookup zones.
• How to create designs if the DNS servers in the private network interact with the DNS servers on the Internet.
• How the DNS services in Windows 2000 integrate with UNIX BIND and Windows NT 4.0 DNS servers.
• How to create designs that include WINS servers as part of the solution.
• How the DNS services in Windows 2000 integrate into an organization's existing namespace.

Slide Objective: To provide an overview of the decisions involved in establishing a functional DNS design.
Lead-in: To establish DNS functionality, you must consider a number of configuration and design issues.
Selecting the Appropriate Zone Types
• Active Directory integrated zone: chosen when integrating into an existing Active Directory; a single point of support for DNS and Active Directory.
• Traditional DNS zone: chosen for integration into an existing infrastructure; separate support for DNS and Active Directory.
• Combination of both zone types: chosen when the root server is traditional DNS; supports Active Directory integrated zones as a delegated domain.

You can base DNS services on Active Directory integrated zones, on traditional DNS zones, or on a combination of both. If your organization uses Active Directory as the directory service, you can choose either traditional DNS zones or Active Directory integrated zones.
Choose Active Directory integrated zones if an Active Directory infrastructure exists or is part of the long-term strategy of the organization. Choose traditional DNS zones if DNS is being integrated with existing DNS servers running UNIX or some other operating system.
Active Directory Integrated Zones
Active Directory integrated zones store DNS zone information in Active Directory. Active Directory integrated zones are:
• Multi-master, read/write copies of the zone information. Every domain controller that hosts the zone holds a writable copy, so updates can be made on any of them, and the failure of one server never blocks updates to the zone.

Note: As a best practice, select Active Directory integrated zones if your DNS design includes dynamic updates to DNS. Traditional DNS zones are not multi-master, so the failure of the DNS server that hosts the primary zone prevents dynamic updates until that server is restored.

• Replicated by Active Directory. Because Active Directory integrated zones store the zone information in Active Directory, the zone information is replicated along with other Active Directory data.
• Required for secured, dynamically updated DNS zones. Because the zone information is stored in Active Directory, you can set permissions on it that control which computers, groups, or users can update DNS records.
Slide Objective: To describe the various zone types that you can select for DNS services.
Lead-in: There are three approaches to zone types. You can base DNS services on Active Directory integrated zones, on traditional DNS zones, or on a combination of both.
• Replicated only within an Active Directory domain. However, you can replicate Active Directory integrated zone information outside the domain to traditional secondary zones.
• Treated as a traditional primary zone by a BIND-based DNS server. To a BIND-based DNS server, an Active Directory integrated zone appears as a traditional primary zone. You can replicate to other Active Directory integrated zones or to traditional secondary zones.


Traditional DNS Zones
Traditional DNS zones store the zone information in a file on the computer running Windows 2000 and DNS. Traditional DNS zones:
• Follow a single-master model for storing and replicating zone information. The primary zone is the only zone type that holds a read/write copy of the zone information. Each zone has exactly one primary, but you can replicate read-only copies of the zone information to any number of secondary zones.
• Replicate incrementally or by transferring the entire zone. The replication between primary and secondary zones can occur incrementally or by transferring the entire zone contents. The DNS service in Windows 2000 supports both incremental and complete zone transfers.
• Function identically to BIND-based DNS zones. Traditional DNS zones have the same benefits and constraints as BIND-based DNS zones. Use traditional DNS zones if high interoperability with BIND-based DNS servers is a design requirement.

Combination of Both Zone Types
The following table compares Active Directory integrated zones with traditional DNS zones (Active Directory integrated zones / Traditional DNS zones).

• Adheres to current IETF specifications: Yes / Yes
• Uses a zone information replication method based on Active Directory replication: Yes / No
• Improves availability because each DNS server contains a read/write copy of the zone information: Yes / No
• Allows updates to the zone information, even with the failure of a single DNS server: Yes / No
• Supports incremental zone transfers: Yes / Yes
Server Placement by Zone Type

Zone type: Active Directory integrated zone
  Requirement: one Active Directory integrated zone.
  Improvement procedure: add DNS servers for availability and performance.
  Recommendation: one DNS server at each remote location.
Zone type: Traditional DNS zone
  Requirement: one primary zone.
  Improvement procedure: add secondary or delegated zones for availability and performance.
  Recommendation: one DNS server at each remote location.

The DNS zone type influences the placement of DNS servers in a name
resolution design. Each zone type solves a specific requirement within a design.
For example, you would add a secondary zone server at a remote location to
improve performance.
When placing servers within a DNS design, you need to consider the DNS zone type. The following table lists the DNS zone types and when you must select them.

Choose this zone when you need to create a DNS server that:
Active Directory integrated
  • Is any server in a design based on Active Directory.
Primary
  • Is the first DNS server in a design based on traditional DNS.
  • Has a read/write copy of the zone information.
  • Can administer zone information separately.
Secondary
  • Improves the availability of primary zones by providing a complete copy of the primary zone.
  • Has a read-only copy of the zone information.
  • Improves performance at local and remote locations by providing a local copy of a primary zone.
  • Is placed in screened subnets and accessed by Internet-based users.
Delegated domain
  • Contains a subset of the domain namespace in an Active Directory integrated zone or a primary zone.
  • Improves performance by reducing the number of records to be searched to a subset of the namespace.
Slide Objective: To describe when to use certain zone types in creating a DNS design.
Lead-in: To define namespace design, you need to determine the server placement in a network design.
Reverse Lookup Zone Design
• Reverse Lookup Zone Types
• Dynamic Updates and Reverse Lookup Zones

[Figure: reverse lookup zone placement: 172.168.in-addr.arpa hosted as a primary zone and a secondary zone, and 10.in-addr.arpa hosted as Active Directory integrated zones on two servers, with the Internet at the top.]


If applications or network security requires the conversion of IP addresses to
domain names, you can include reverse lookup zones in your design. The
design decisions that you must make for reverse lookup zones are very similar
to those of forward lookup zones. Only the contents of the DNS zone records
are different between forward and reverse lookup zones.
Reverse Lookup Zone Types
You can include the same zone types for reverse lookup zones that you include
for forward lookup zones. The reverse lookup zones can be Active Directory
integrated zones, traditional primary zones, or traditional secondary zones. You
can apply the same decision process discussed earlier in this module to reverse
lookup zones.
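Reverse zone naming as an added worked example (not part of the module): an in-addr.arpa zone is named by the network's octets in reverse order, so the 10.0.0.0/8 network on the slide maps to 10.in-addr.arpa, and 172.16.0.0/16 would map to 16.172.in-addr.arpa. The Python below derives the zone names for a prefix (several zones when the prefix does not fall on an octet boundary, a case the module does not cover), the owner name of an address's PTR record, and which configured reverse zone is authoritative for an address. The networks and zone lists are constructed.

```python
import ipaddress
from typing import Iterable, List, Optional


def reverse_zone_name(network: str) -> str:
    """Return the single in-addr.arpa zone for an IPv4 /8, /16 or /24 network.

    The zone name is the network octets in reverse order, e.g. 10.0.0.0/8 -> 10.in-addr.arpa.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only an IPv4 /8, /16 or /24 maps to one in-addr.arpa zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def reverse_zones_for(network: str) -> List[str]:
    """Return every classful reverse zone needed to cover an IPv4 prefix of /24 or shorter.

    A /22, for example, needs four /24 zones. Prefixes longer than /24 would need
    RFC 2317 classless delegation, which this helper deliberately does not attempt.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 only")
    if net.prefixlen > 24:
        raise ValueError("prefixes longer than /24 need RFC 2317 classless delegation")
    zone_len = max(8, -(-net.prefixlen // 8) * 8)          # round up to an octet boundary
    subnets = [net] if zone_len == net.prefixlen else list(net.subnets(new_prefix=zone_len))
    return [reverse_zone_name(str(sub)) for sub in subnets]


def ptr_owner_name(address: str) -> str:
    """Return the owner name of the PTR record for an IPv4 address (all four octets reversed)."""
    addr = ipaddress.ip_address(address)
    if addr.version != 4:
        raise ValueError("IPv4 only")
    return addr.reverse_pointer                              # e.g. 5.0.0.10.in-addr.arpa


def zone_for_address(address: str, zones: Iterable[str]) -> Optional[str]:
    """Return the most specific configured reverse zone that is authoritative for the address.

    Returns None when no configured zone covers it, which means the PTR query would
    leave the private network and be answered (or refused) by someone else.
    """
    owner = ptr_owner_name(address)
    best: Optional[str] = None
    for zone in zones:
        z = zone.rstrip(".").lower()
        if owner.endswith("." + z) and (best is None or len(z) > len(best)):
            best = z
    return best


if __name__ == "__main__":
    # Constructed design inputs: two private networks and the zones a design might configure.
    for net in ("10.0.0.0/8", "172.16.0.0/16", "192.168.4.0/22"):
        print(net, "->", reverse_zones_for(net))
    configured = ["10.in-addr.arpa", "0.0.10.in-addr.arpa", "16.172.in-addr.arpa"]
    for ip in ("10.0.0.5", "172.16.9.1", "192.0.2.1"):
        print(ip, ptr_owner_name(ip), "->", zone_for_address(ip, configured))
```

The design question the module raises (which server should host which reverse zone) starts with knowing how many zones a network actually needs; reverse_zones_for answers that for any prefix up to /24, and zone_for_address is the check to run against a proposed zone list to make sure every address range the organization uses has an authoritative reverse zone.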
Dynamic Updates and Reverse Lookup Zones
You can enable dynamic updates to DNS by:
• Enabling DNS clients running Windows 2000 to update DNS directly.
• Allowing DHCP to update the DNS records.

Slide Objective: To introduce the design decisions that are required when including reverse lookup zones.
Lead-in: If applications or network security requires the ability to convert an IP address to a domain name, you can include reverse lookup zones in your design.
The following table lists the approaches to dynamically updating DNS and when to select each.

Windows 2000–based DNS clients directly updating DNS: creates forward lookup records (host (A) records) and reverse lookup records (pointer (PTR) records).
DHCP updating DNS on behalf of the DNS clients: by default creates only the reverse lookup (PTR) record for a Windows 2000 client, which registers its own A record; creates both the A and PTR records when the DHCP server is configured to always update DNS, or for clients that cannot update DNS themselves.

Note: If you enable DNS clients running Windows 2000 to dynamically update DNS directly, establishing permissions for secured updates to DNS becomes more complex because you must assign permissions for each DNS client.
Connecting DNS to the Internet
• Forwarding DNS Queries to Internet-based DNS Servers
• Responding to DNS Queries from the Internet

[Figure: a DNS server in the secured private network forwards queries through a firewall to a DNS server in a screened subnet, which forwards queries to, and responds to queries from, the Internet through a second firewall.]


The DNS servers within a private network must interact with servers on the Internet to resolve names. To do this, the DNS servers in the private network forward queries to, and respond to queries from, Internet-based DNS servers.
Forwarding DNS Queries to Internet-based DNS Servers
The DNS servers within the organization may forward requests to:
• DNS servers provided by the Internet Service Provider (ISP) that the organization uses.
• The Internet root DNS servers, by resolving iteratively from the root hints instead of using a forwarder.

Responding to DNS Queries from the Internet
When organizations expose resources, such as www.microsoft.com, to the Internet, the names and IP addresses of the servers hosting these resources must be listed in a DNS server that is accessible from the Internet. You can provide name resolution for these requests by:
• Placing a DNS server in a screened subnet that contains the DNS entries for the resources. Use this method if the resource names may change frequently and the organization wants to make the changes itself.
• Arranging for the organization's ISP to host the DNS entries on a DNS server that the ISP supports. Use this method if the resource names change infrequently and the organization does not need to make the changes itself.

Slide Objective: To describe the interaction between DNS servers within the organization and Internet-based DNS servers.
Lead-in: DNS servers in a private network need to forward queries to and respond to queries from Internet-based DNS servers.
Integrating with BIND and DNS Servers in Windows NT 4.0
• Dynamic DNS Zone Updates
• Unicode Characters
• Non-RFC Compliant Records
• SRV Record Types
• WINS and WINS-R Record Types

[Figure: a private network containing BIND DNS, DNS in Windows NT 4.0, and Windows 2000 DNS servers.]


You can integrate the DNS service in Windows 2000 with existing BIND and
Windows NT 4.0 DNS servers if the organization is unable or unwilling to
replace them.
The Windows 2000 DNS service treats BIND and Windows NT 4.0 DNS servers as
traditional DNS servers. BIND and Windows NT 4.0 DNS servers support:
 Standard primary zones.
 Standard secondary zones.
 Delegated domains.

If your network designs include BIND and Windows NT 4.0 DNS servers, you
can make the same design decisions as you would with a Windows 2000 DNS
server with the same zone type.
Dynamic DNS Zone Updates

Dynamic DNS zone updates allow DNS client computers or DHCP servers to
dynamically update DNS zone entries. Dynamic DNS zone updates reduce the
administration of DNS zones and eliminate errors that manually updating DNS
zones introduce.
The most common reason for including dynamic DNS zone updates in your
network design is to support Active Directory. Although not required, dynamic
DNS zone updates are recommended if your DNS solution must support Active
Directory.
Slide Objective: To describe the decisions involved in integrating DNS with BIND and Windows NT 4.0 DNS servers.
Lead-in: You can integrate DNS services in Windows 2000 with BIND and Windows NT 4.0 DNS servers if you cannot replace the DNS servers.



If your design includes dynamic DNS zone updates, remember:
 BIND versions 8.1.2 and later support dynamic DNS zone updates.
 Windows NT 4.0 DNS servers do not support dynamic DNS zone updates.

Note: RFC 2136 documents dynamic DNS zone update support.
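The following Python example is added here and is not part of the course text or of the Windows 2000 DNS service. It builds an RFC 2136 UPDATE message in wire format and decodes it again, so that the header counts and the zone, prerequisite and update sections that a dynamic update consists of can be inspected. The zone name, host name and address are constructed placeholders in the course's nwtraders.msft namespace.

```python
"""Build and decode an RFC 2136 DNS UPDATE message in wire format.

Added example; not part of the course text or the Windows 2000 DNS code.
The zone and host names are constructed placeholders in the course's
nwtraders.msft namespace, and the address is a constructed sample.
"""
import struct

OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA = 1, 6
CLASS_IN, CLASS_ANY = 1, 255


def encode_name(name):
    """Encode a dotted name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")           # only RFC-compliant characters
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, off):
    """Decode uncompressed labels starting at off; return (name, next offset)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0:
            raise ValueError("compression pointer not supported in this example")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def encode_rr(name, rtype, rclass, ttl, rdata):
    """One resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def decode_rr(msg, off):
    """Decode one resource record at off; return (record tuple, next offset)."""
    name, off = decode_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    return (name, rtype, rclass, ttl, msg[off:off + rdlen]), off + rdlen


def build_update(msg_id, zone, host, ip, ttl=1200):
    """UPDATE that replaces host's A records with one address (RFC 2136 section 2.5).

    Header counts are ZOCOUNT=1, PRCOUNT=0, UPCOUNT=2, ADCOUNT=0: the update
    section first deletes the existing A RRset (class ANY, TTL 0, empty RDATA)
    and then adds the new A record.
    """
    flags = OPCODE_UPDATE << 11                      # QR=0, opcode 5, no other bits
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 2, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    delete_rrset = encode_rr(host, TYPE_A, CLASS_ANY, 0, b"")
    add_a = encode_rr(host, TYPE_A, CLASS_IN, ttl, bytes(int(o) for o in ip.split(".")))
    return header + zone_section + delete_rrset + add_a


def parse_update(msg):
    """Decode header, zone, prerequisite and update sections of an UPDATE."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    result = {"id": msg_id, "opcode": (flags >> 11) & 0xF,
              "counts": (zo, pr, up, ad), "zones": [], "prereqs": [], "updates": []}
    for _ in range(zo):
        name, off = decode_name(msg, off)
        rtype, rclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        result["zones"].append((name, rtype, rclass))
    for section, count in (("prereqs", pr), ("updates", up)):
        for _ in range(count):
            record, off = decode_rr(msg, off)
            result[section].append(record)
    return result


if __name__ == "__main__":
    # Constructed sample: host1 in the private zone moves to 10.1.2.3
    wire = build_update(0x1234, "private.nwtraders.msft",
                        "host1.private.nwtraders.msft", "10.1.2.3")
    print(len(wire), "bytes:", parse_update(wire))
```

Run the file directly to print the decoded message. Nothing in the message itself identifies or authenticates the sender; which clients a zone accepts updates from is a separate server-side decision.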


Unicode Characters
The DNS service in Windows 2000 supports the use of Unicode characters in
DNS zones. BIND DNS and Windows NT 4.0 servers support only RFC-
compliant (ANSI) characters.
If your network design includes BIND or Windows NT 4.0 DNS servers, you must
enforce RFC-compliant characters on the DNS service in Windows 2000. This
enables the replication of zone information to the BIND or Windows NT 4.0
DNS servers.
Non-RFC-Compliant Resource Records
Many vendors who implement BIND include vendor-specific, non-RFC-compliant
resource records in the DNS zone. Normally, when the DNS service receives one
of these resource records, the zone replication process stops. If the BIND
DNS zone includes non-RFC-compliant resource records, you can specify that
the DNS service in Windows 2000 ignore the records.
SRV Record Types
SRV record types allow you to designate several servers as primary and backup
servers. SRV records are a special type of DNS round robin entries that are
similar to mail exchange (MX) records used by Simple Mail Transfer Protocol
(SMTP).
The most common reason for including SRV record types in your design is to
support Active Directory.
If your design includes SRV record types, remember:
 BIND versions 4.9.6 and later support SRV record types.
 Windows NT 4.0 DNS servers do not support dynamic DNS zone updates.

Note: RFC 2052 documents SRV record type support.
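The following Python example is added here and is not part of the course text. It shows how a client turns a set of SRV records into a primary-and-backup order: targets are grouped by priority, the lowest priority group is tried first, and within a group the order is drawn at random in proportion to the weights, as RFC 2052 describes. The records are constructed; the _ldap._tcp owner name follows the Active Directory convention and the host names are placeholders in nwtraders.msft.

```python
"""Order SRV targets by priority and weight (RFC 2052 semantics).

Added example; not part of the course text. The records below are
constructed: the _ldap._tcp owner name follows the Active Directory
convention, and the host names are placeholders in nwtraders.msft.
"""
import random
from collections import defaultdict

# Constructed zone-file lines: owner TTL class SRV priority weight port target
SRV_RECORDS = """
_ldap._tcp.nwtraders.msft. 600 IN SRV 0 100 389 dc1.nwtraders.msft.
_ldap._tcp.nwtraders.msft. 600 IN SRV 0  50 389 dc2.nwtraders.msft.
_ldap._tcp.nwtraders.msft. 600 IN SRV 10  0 389 dc-backup.nwtraders.msft.
"""


def parse_srv(text):
    """Return (priority, weight, port, target) tuples from zone-file lines."""
    records = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[2:4] != ["IN", "SRV"]:
            raise ValueError("not an SRV record: %r" % line)
        records.append((int(fields[4]), int(fields[5]), int(fields[6]), fields[7]))
    return records


def order_targets(records, rng=random):
    """Primary servers (lowest priority number) first, backups after.

    Within one priority the order is a weighted random draw, so a target with
    weight 100 is tried first about twice as often as one with weight 50.
    Targets with weight 0 are drawn only after all weighted ones.
    """
    by_priority = defaultdict(list)
    for priority, weight, port, target in records:
        by_priority[priority].append((weight, port, target))
    ordered = []
    for priority in sorted(by_priority):
        pool = by_priority[priority]
        while pool:
            total = sum(w for w, _, _ in pool)
            if total == 0:                      # only zero-weight targets left
                index = rng.randrange(len(pool))
            else:
                draw, running = rng.randrange(total), 0
                for index, (w, _, _) in enumerate(pool):
                    running += w
                    if draw < running:
                        break
            _, port, target = pool.pop(index)
            ordered.append((priority, port, target))
    return ordered


def first_choice_counts(records, trials=3000, seed=1):
    """How often each target is tried first over many draws (seeded for repeatability)."""
    rng = random.Random(seed)
    counts = defaultdict(int)
    for _ in range(trials):
        counts[order_targets(records, rng)[0][2]] += 1
    return dict(counts)


if __name__ == "__main__":
    records = parse_srv(SRV_RECORDS)
    print("one client's try order:", order_targets(records))
    print("first choice over 3000 draws:", first_choice_counts(records))
```

The backup with priority 10 is never tried first while a priority 0 target is listed; the weights only affect the order among the two priority 0 domain controllers.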

WINS and WINS-R Record Types

The DNS service in Windows 2000 and Windows NT 4.0 supports WINS
forward lookup and reverse lookup record types (WINS and WINS-R). WINS
and WINS-R record types enable the DNS server to submit queries to a WINS
server and attempt resolution through WINS. Normally, when you replicate
these records to BIND DNS servers, they see the WINS and WINS-R records as
invalid, non-RFC-compliant records.
If your design includes the DNS service in Windows 2000 or Windows NT 4.0
that replicates to a BIND DNS server, you can specify that the WINS and
WINS-R records are not replicated to the BIND DNS server.
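The following Python example is added here and is not part of the course text or of any DNS product. It checks a set of zone records against the three compatibility points above before they are replicated to a BIND or Windows NT 4.0 server: owner names must use only RFC-compliant characters, non-RFC-compliant vendor record types are ignored, and WINS and WINS-R records are withheld unless the replication target understands them. The records are constructed in the course's private.nwtraders.msft namespace; the type mnemonics WINS and WINSR stand for the Windows WINS and WINS-R lookup records, and VENDORX stands for a vendor-specific record type (both assumptions for illustration).

```python
"""Flag zone records that cannot replicate to BIND or Windows NT 4.0 DNS.

Added example; not part of the course text or any DNS product. The zone
records are constructed in the course's private.nwtraders.msft namespace.
The record-type mnemonics WINS and WINSR are used here as labels for the
Windows WINS and WINS-R lookup records, and VENDORX stands in for a
vendor-specific non-RFC record type (both assumptions for illustration).
"""
import re

# RFC 1035/1123 host-name label: ASCII letters, digits and hyphen, no leading
# or trailing hyphen. A leading underscore is allowed so that service owner
# names such as _ldap._tcp (RFC 2052) pass.
_LABEL = re.compile(r"^_?[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

STANDARD_TYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "PTR", "MX", "TXT", "SRV", "HINFO"}
WINS_TYPES = {"WINS", "WINSR"}

# Constructed records: (owner name, record type, record data)
ZONE = [
    ("private.nwtraders.msft.", "SOA",
     "dns1.private.nwtraders.msft. hostmaster.nwtraders.msft. 1 3600 600 86400 3600"),
    ("private.nwtraders.msft.", "NS", "dns1.private.nwtraders.msft."),
    ("dns1.private.nwtraders.msft.", "A", "10.0.0.53"),
    ("_ldap._tcp.private.nwtraders.msft.", "SRV", "0 100 389 dc1.private.nwtraders.msft."),
    ("wins.private.nwtraders.msft.", "WINS", "10.0.0.10 10.0.0.11"),   # WINS forward lookup
    ("0.0.10.in-addr.arpa.", "WINSR", "private.nwtraders.msft."),       # WINS-R reverse lookup
    ("caf\u00e9.private.nwtraders.msft.", "A", "10.0.0.77"),            # Unicode owner name
    ("printer_1.private.nwtraders.msft.", "A", "10.0.0.78"),           # underscore in a host label
    ("dns1.private.nwtraders.msft.", "VENDORX", "opaque"),              # non-RFC vendor record
]


def rfc_compliant_name(name):
    """True if every label of name uses only RFC-compliant ASCII characters."""
    if not name.isascii():
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


def check_zone_for_replication(records, replicate_wins=False):
    """Split records into those that replicate cleanly and those to fix or omit.

    Returns (kept, problems); each problem is (record, reason). The three
    checks mirror the design decisions in the text: enforce RFC-compliant
    names, ignore non-RFC record types, and keep WINS/WINS-R records out of
    zones replicated to BIND.
    """
    kept, problems = [], []
    for record in records:
        owner, rtype, _ = record
        if not rfc_compliant_name(owner):
            problems.append((record, "owner name uses non-RFC-compliant characters"))
        elif rtype in WINS_TYPES and not replicate_wins:
            problems.append((record, "WINS/WINS-R record withheld from BIND replication"))
        elif rtype not in STANDARD_TYPES | WINS_TYPES:
            problems.append((record, "non-RFC-compliant record type ignored"))
        else:
            kept.append(record)
    return kept, problems


if __name__ == "__main__":
    kept, problems = check_zone_for_replication(ZONE)
    print("replicate:", [r[0] + " " + r[1] for r in kept])
    for record, reason in problems:
        print("hold back:", record[0], record[1], "->", reason)
```

Set replicate_wins=True when the replication target is another Windows DNS server, which understands the WINS and WINS-R records; leave the default for BIND.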



[Slide: Integrating DNS and WINS. Bullets: Designate a Subdomain for WINS Resolution; Delegate Unresolved DNS Queries to a Subdomain; Specify WINS Server in Zone Configuration. Figure: the namespace nwtraders.msft with the subdomains public.nwtraders.msft and private.nwtraders.msft, and wins.private.nwtraders.msft designated as the subdomain for WINS resolution.]


In your network design, you can allow DNS clients to resolve host names found
in WINS, so that you do not need to create DNS zone entries for all of the
computers in the organization. In existing Windows NT 4.0 networks, resolving
DNS queries by using WINS does not require many changes to the existing
network infrastructure.
You can resolve host names found in WINS by forwarding unresolved DNS
queries to a WINS server. You can establish the forwarding of unresolved DNS
queries to WINS on a zone-by-zone basis.
Designating a Subdomain for WINS Resolution
To integrate a WINS resolution within your DNS design, designate a
subdomain within the organization’s namespace that you will use as a
placeholder for the WINS names. Specify that the subdomain contains no
entries, except for the WINS and WINS-R records.
For organizations that have a separate private and public namespace, create the
subdomain for WINS under the private namespace. For organizations that have
the same namespace for private and public name resolution, create the
subdomain for WINS at a level beneath the root of the organization.
Delegating Unresolved DNS Queries to a Subdomain
For domain names that are within the organization’s namespace, if you want to:
 Resolve names within WINS prior to other domains, specify that the DNS
queries be forwarded to a delegated subdomain for WINS first.
 Resolve names within other domains prior to WINS, specify that the DNS
queries be forwarded to a delegated subdomain for WINS last.

Slide Objective: To describe how to include DNS and WINS integration in the design.
Lead-in: If the existing network includes WINS, your network design can allow DNS clients to resolve host names found in WINS.



Specifying WINS Server in Zone Configuration
To forward unresolved DNS queries to a WINS server, you enable WINS
resolution on a zone. A zone can resolve queries by using more than one WINS
server. You can specify the IP addresses of the WINS servers in the order that the
servers are to be contacted. To improve the availability of your DNS solution,
include more than one WINS server in the list.
Your organization may not replicate all WINS records between all WINS
servers. If your organization’s WINS database is divided across multiple WINS
servers, you can create a unique DNS zone for each WINS server.
For example, consider an organization that has a WINS server that includes
WINS records only for Paris and another WINS server that includes WINS
records only for London. You can create a DNS zone for Paris and a DNS zone
for London so that you can create different subdomain names for the Paris
WINS server versus the London WINS server. Alternatively, you can create one
DNS zone that lists both WINS servers so that WINS resolution occurs beneath
a single subdomain name.
