Originally reposted from http://hi.baidu.com/shyoung/blog/item/b0ccff03fd462481d43f7c5a.html
DNS components: a complete DNS system consists of DNS servers, zones, resolvers (DNS clients) and resource records, all of which must be configured correctly. The DNS protocol communicates over UDP and TCP port 53: the DNS server listens on both ports, and the DNS client connects to either of them to exchange DNS messages. UDP port 53 is used mainly to answer DNS client resolution requests, while TCP port 53 is used for zone transfers.
DNS Server
A DNS server is a computer running DNS server software; common examples are the Windows DNS Server service and BIND on Unix. A DNS server holds data for part of the DNS namespace. When a DNS client sends a resolution request, the server either answers it, refers the client to another server that can help resolve the name, or replies that no matching record exists.
When a DNS server hosts a zone, it is the authoritative DNS server for that zone, whether the zone is a primary or a secondary zone. A DNS server can be authoritative for one level or for several levels of the DNS namespace. For example, the root servers of the Internet are authoritative only for top-level domains such as .org; the authoritative servers of the .org top-level domain are authoritative only for second-level names such as winsvr.org; and for the third-level name www.winsvr.org only the DNS servers of the winsvr.org domain are authoritative.
DNS Zone
A DNS zone is a contiguous portion of the namespace for which a DNS server is authoritative. A DNS server can be authoritative for one or more zones, and a zone can contain one or more contiguous domains. For example, a DNS server can be authoritative for winsvr.org and isacn.org, and each zone can contain several domains. Using zone delegation, however, contiguous domains such as winsvr.org and tech.winsvr.org can be stored in different zones.
The zone file contains all resource records of the zones for which the DNS server is authoritative. Zone data is normally stored in a text file, but a DNS server running on a Windows 2000 or Windows Server 2003 domain controller can store the zone data in Active Directory instead.
DNS Resolver (DNS Client)
The DNS resolver is the service on a client computer that queries DNS servers using the DNS protocol. On Windows 2000 and later it is implemented by the DNS Client service, which also caches resolution results. The DNS server to use is configured in the client computer's TCP/IP properties, and the DNS Client service sends its resolution requests to that server.
Resource Record
A resource record is a DNS database record used to answer DNS client requests. Each DNS server holds all resource records of the DNS namespace it hosts. Resource records contain information about a particular host, such as its IP address or the services it provides. Common resource record types are:
Start of Authority (SOA): marks the starting point of the zone this record belongs to. It contains the zone name, the e-mail address of the zone administrator, and the parameters that control how secondary DNS servers refresh their copy of the zone data.
Host (A): the key record for name resolution; it maps a host name to the IP address of that host. It can be created manually on the DNS server or registered dynamically by the DNS client.
Canonical name (CNAME): points an alias at a host (A) record, so that a host that needs an additional name does not need an additional A record.
Mail exchanger (MX): lists the hosts responsible for receiving mail sent to the domain; used for sending and receiving e-mail.
Name server (NS): specifies the authoritative name servers for this DNS zone.
Understanding how DNS servers work
When an application on a DNS client needs a name resolved, the client contacts its own DNS server. The client's resolution request carries three pieces of information:
The domain name to query. If the application did not supply a fully qualified domain name (FQDN), the DNS client appends a DNS suffix to form one;
The query type, that is, the type of resource record requested, such as an A record or an MX record;
The query class. For the DNS Client service this is always Internet (IN).
The complete resolution process on the DNS client is as follows:
1. Check the local DNS name cache
When the DNS client needs to resolve an FQDN, it first checks its local DNS name cache, which has two parts:
The host-name-to-IP-address mappings defined in the hosts file;
The results of earlier DNS queries that are still valid (their TTL has not expired);
If the DNS client finds the answer in its local cache, the resolution is complete.
2. Contact the DNS server
If the DNS client does not find a matching record in its local cache, it contacts its DNS server. The DNS server used by the DNS Client service must be configured in advance.
When the DNS server receives the client's resolution request, it first checks whether it can answer authoritatively, that is, whether it hosts the DNS zone the requested record belongs to. If it does, the server is authoritative for that zone: if a matching resource record exists in the zone, the server answers with that record (an authoritative positive reply); if no such record exists, the server returns an authoritative negative reply telling the client that no such record exists.
If no zone on the server matches the client's request, the DNS server checks its local cache. If a match is found there, the server answers from the cache; such an answer, whether positive or negative, is not authoritative. Resolution is then complete.
If the DNS server finds no match in its local cache either, it proceeds according to its configuration:
By default the DNS server resolves the name by recursion. In recursive mode the DNS server itself acts as a DNS client and queries other DNS servers until it obtains a result, while the original DNS client waits for the reply.
If recursion is disabled on the DNS server, it works in iterative mode: it returns a referral to the original DNS client containing information that may help the client resolve the request (such as the root hints), and does nothing further. The original DNS client then decides how to proceed based on the referral. In practice, however, disabling recursion usually means that for requests it cannot resolve locally the server returns a referral or a server failure, and the client treats the resolution as failed.
The difference between recursive and iterative mode is therefore who plays the DNS client role and queries other DNS servers when the server cannot answer the request locally. Recursive mode is normally used, since it is easier to manage and to secure. Recursive mode costs the DNS server more resources than iterative mode, but in general this overhead is insignificant.
The root hints are the IP addresses of the root DNS servers of the Internet namespace. For normal recursive resolution the DNS server must know where to begin searching for a DNS name, and the root hints provide that starting point. There are 13 root DNS servers worldwide; their names and IP addresses are stored in the file %SystemRoot%\system32\dns\cache.dns, which the DNS server reads each time it starts. You normally do not need to modify this file. If your DNS server is deployed on an internal network and does not need the Internet root servers, you can edit it to point at an internal root DNS server.
For example, when a DNS client asks for www.winsvr.org and its DNS server works in recursive mode, the complete resolution proceeds as follows:
The DNS client checks its local name cache and finds no matching record;
The DNS client contacts its DNS server, nameserver1, to query www.winsvr.org;
Nameserver1 checks its authoritative zones and its local cache and finds nothing, so it contacts one of the root servers listed in its root hints to query www.winsvr.org;
The root server does not know the answer for www.winsvr.org, so it returns a referral to nameserver1 naming the authoritative DNS servers of the .org top-level domain;
Nameserver1 contacts an authoritative DNS server of the .org top-level domain to query www.winsvr.org;
The .org server does not know the answer either, so it returns a referral to nameserver1 naming the authoritative DNS servers of the winsvr.org domain;
Nameserver1 contacts an authoritative DNS server of the winsvr.org domain to query www.winsvr.org;
The authoritative DNS server of winsvr.org knows the answer and returns it to nameserver1;
Nameserver1 returns the answer for www.winsvr.org to the original DNS client, and resolution is complete.
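The walk above, as an added example that is not part of the original post: an offline simulation in which nameserver1 starts from a root hint and follows each referral down to the winsvr.org server. The server names, zone contents and addresses are constructed for the illustration.

```python
# Added example, not from the original post: an offline simulation of the
# recursive resolution of www.winsvr.org by "nameserver1", following referrals
# from a root server to a .org server to the winsvr.org authoritative server.
# Every server name, zone and address below is constructed for the illustration.

# Each simulated server knows only its own zone: it answers for names it holds
# and otherwise refers the asker to the closest delegation it knows about.
SERVERS = {
    "root-server.example.": {
        "zone": ".", "ns": {"org.": "tld-server.org-servers.example."}, "a": {}},
    "tld-server.org-servers.example.": {
        "zone": "org.", "ns": {"winsvr.org.": "ns1.winsvr.org."}, "a": {}},
    "ns1.winsvr.org.": {
        "zone": "winsvr.org.", "ns": {}, "a": {"www.winsvr.org.": "192.0.2.10"}},
}
ROOT_HINTS = ["root-server.example."]   # what cache.dns provides in real life


def in_zone(name, zone):
    """True if `name` lies at or below `zone` (both written with a trailing dot)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def query_server(server, qname):
    """One iterative query to `server`.
    Returns ("answer", ip), ("referral", next_server) or ("nxdomain", None)."""
    data = SERVERS[server]
    if qname in data["a"]:
        return "answer", data["a"][qname]          # authoritative positive reply
    delegations = [z for z in data["ns"] if in_zone(qname, z)]
    if delegations:
        closest = max(delegations, key=len)        # longest matching subzone
        return "referral", data["ns"][closest]     # referral, AA bit clear
    if in_zone(qname, data["zone"]):
        return "nxdomain", None                    # authoritative negative reply
    return "referral", None                        # asked outside its authority


def resolve_recursively(qname, max_steps=10):
    """What nameserver1 does on the client's behalf: start at a root hint,
    follow each referral, and return (ip_or_None, trace_of_steps)."""
    trace = []
    server = ROOT_HINTS[0]
    for _ in range(max_steps):
        kind, value = query_server(server, qname)
        trace.append((server, kind, value))
        if kind == "answer":
            return value, trace
        if kind == "nxdomain" or value is None:
            return None, trace
        server = value                             # go and ask the referred server
    raise RuntimeError("too many referrals for %s" % qname)


if __name__ == "__main__":
    ip, steps = resolve_recursively("www.winsvr.org.")
    for server, kind, value in steps:
        print("%-34s %-9s %s" % (server, kind, value))
    print("result:", ip)
```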
Query response types
A DNS server can return several types of response to client requests. The common ones are:
Authoritative answer: a positive answer returned to the client with the Authoritative Answer (AA) bit set in the DNS message; it comes from a DNS server that is authoritative for the zone;
Positive answer: an answer containing resource records that match the client's request;
Referral: used only when the DNS server works in iterative mode. It contains other information that helps the client resolve the request: when the DNS server cannot find a match for the client's query, it sends the client a referral carrying information that may help it resolve the name;
Negative answer: indicates that the authoritative server found one of two situations when handling the client's request:
the authoritative DNS server reports that the queried name does not exist;
the authoritative DNS server reports that the name exists but has no resource record of the requested type.
The DNS client stores the result in its local cache whether the answer is positive or negative.
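To tie the query fields listed earlier (name, type, class IN) to the answer types just described, here is an added example, not from the original post, that builds a DNS query in wire format and classifies constructed responses by their AA bit, RCODE and section contents. The message layout follows the DNS wire format; the sample messages themselves are built inline and parsed offline.

```python
import struct

# Added example, not from the original post: build a DNS query carrying the three
# fields the text lists (name, query type, class IN) and classify a response as
# authoritative / positive / referral / negative from its header flags and the
# records in its sections. All messages are constructed here and parsed offline.

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15}
CLASS_IN, RCODE_NXDOMAIN = 1, 3
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080


def encode_name(fqdn):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    labels = fqdn.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def build_query(txid, fqdn, qtype="A"):
    """Header: id, flags (RD set: the client asks for recursion), QDCOUNT=1."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(fqdn) + struct.pack("!HH", QTYPE[qtype], CLASS_IN)


def rr(rtype, rdata=b"", ttl=3600):
    """A resource record whose owner is a pointer (0xC00C) back to the question name."""
    return b"\xc0\x0c" + struct.pack("!HHIH", QTYPE[rtype], CLASS_IN, ttl, len(rdata)) + rdata


def build_response(query, aa, rcode=0, answers=(), authority=()):
    """Echo the question; set QR and RA, and AA only when answering from an own zone."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AA if aa else 0) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), len(authority), 0)
    return header + query[12:] + b"".join(answers) + b"".join(authority)


def parse_response(msg):
    """Return (flags, rcode, answer_types, authority_types) from a wire message."""
    _txid, flags, qdcount, ancount, nscount, _arcount = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qdcount):              # skip each question: labels, then QTYPE+QCLASS
        while msg[pos] != 0:
            pos += msg[pos] + 1
        pos += 1 + 4
    sections = []
    for count in (ancount, nscount):      # records here always use a 2-byte owner pointer
        types = []
        for _ in range(count):
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos + 2:pos + 12])
            types.append(rtype)
            pos += 12 + rdlen
        sections.append(types)
    return flags, flags & 0xF, sections[0], sections[1]


def classify_response(msg):
    """Map a response to the reply types the text lists."""
    flags, rcode, answer_types, authority_types = parse_response(msg)
    if not flags & FLAG_QR:
        raise ValueError("not a response message")
    aa = bool(flags & FLAG_AA)
    cached = "" if aa else " (cached, non-authoritative)"
    if rcode == RCODE_NXDOMAIN:
        return "negative: name does not exist" + cached
    if rcode != 0:
        return "error, rcode %d" % rcode
    if answer_types:
        return "positive, authoritative" if aa else "positive, non-authoritative (cached)"
    if QTYPE["NS"] in authority_types and not aa:
        return "referral"                 # no answer, NS records in the authority section
    return "negative: name exists but no record of that type" + cached
```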
Understanding how the cache works
Both the DNS client and the DNS server cache the resolution results they obtain, which improves DNS performance and reduces DNS-related network traffic.
DNS Client Cache
When the DNS Client service starts, it reads all host-name-to-IP-address mappings from the hosts file into its cache. The hosts file is located in the %SystemRoot%\system32\drivers\etc directory. When the hosts file is modified, the DNS Client service immediately re-reads it and updates the local cache.
The DNS client also caches the results of earlier queries. When the DNS Client service is stopped, the local cache is cleared.
DNS Server Cache
Like the DNS client, the DNS server caches name resolution results and can use the cached information to answer requests from other clients. The server cache can be cleared manually from the DNS management console or with the dnscmd command-line tool. When the DNS server service is stopped, its cache is cleared as well.
The TTL of a resource record specifies how long it may be cached, in the DNS client cache and in the DNS server cache alike. The default TTL is 3600 seconds (1 hour). Note that, because of caching, a change to a resource record on the DNS server may not take effect immediately. For Internet domain names, it may take more than 24 hours for a change to propagate to all DNS servers.
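The delayed-visibility effect described above, as an added example that is not part of the original post: a resolver cache that honours the TTL on positive and negative answers alike, with an injectable clock so the behaviour can be reproduced offline. The zone contents, names and timings are constructed.

```python
# Added example, not from the original post: a resolver cache that honours the
# TTL on both positive and negative answers, with an injectable clock so the
# "change is not visible until the TTL expires" effect can be reproduced offline.
# Zone contents, names and timings are constructed for the illustration.

DEFAULT_TTL = 3600  # seconds; the default the text gives (1 hour)


class TtlCache:
    def __init__(self, clock):
        self._clock = clock      # callable returning the current time in seconds
        self._entries = {}       # (name, rtype) -> (value_or_None, expires_at)

    def get(self, name, rtype):
        """Return (hit, value). value None on a hit means a cached negative answer."""
        entry = self._entries.get((name, rtype))
        if entry is None:
            return False, None
        value, expires_at = entry
        if self._clock() >= expires_at:
            del self._entries[(name, rtype)]     # stale: treat as a miss
            return False, None
        return True, value

    def put(self, name, rtype, value, ttl):
        self._entries[(name, rtype)] = (value, self._clock() + ttl)


class CachingResolver:
    """Looks in the cache first, then asks the authoritative zone (a dict here)."""

    def __init__(self, zone, clock):
        self.zone, self.cache = zone, TtlCache(clock)
        self.upstream_queries = 0

    def lookup(self, name, rtype="A"):
        hit, value = self.cache.get(name, rtype)
        if hit:
            return value
        self.upstream_queries += 1
        record = self.zone.get((name, rtype))     # (value, ttl) or None
        if record is None:
            # negative answers are cached too, as the text says
            self.cache.put(name, rtype, None, DEFAULT_TTL)
            return None
        value, ttl = record
        self.cache.put(name, rtype, value, ttl)
        return value


def demo():
    """Change the record after a lookup; the old value is served until the TTL elapses."""
    now = [0]
    zone = {("www.winsvr.org.", "A"): ("192.0.2.10", DEFAULT_TTL)}
    r = CachingResolver(zone, lambda: now[0])
    first = r.lookup("www.winsvr.org.")                            # upstream query, cached 1h
    zone[("www.winsvr.org.", "A")] = ("192.0.2.20", DEFAULT_TTL)  # admin changes the record
    now[0] = 1800
    still_old = r.lookup("www.winsvr.org.")                        # served from cache
    now[0] = 3600
    fresh = r.lookup("www.winsvr.org.")                            # TTL expired: re-fetched
    return first, still_old, fresh, r.upstream_queries
```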
Dynamic Update
When an update event occurs on a DNS client computer, the DHCP Client service on that computer updates its A record on the corresponding DNS server for every network connection of the local computer, keeping the DNS name record and the IP address consistent. The DNS server must be configured to allow dynamic updates for the client computer to complete the update.
The DHCP Client service performs a dynamic update when one of the following events occurs on the DNS client computer:
An IP address is added, deleted or modified in the TCP/IP properties of any network connection of the local computer;
Any network connection of the local computer obtains or renews an IP address lease from a DHCP server;
The ipconfig /registerdns command is run on the DNS client;
The DNS client computer starts;
A member server in the DNS zone is promoted to a domain controller.
For a standard primary zone you can choose either to disallow dynamic updates or to allow both nonsecure and secure dynamic updates. Allowing nonsecure and secure dynamic updates is a security risk: because the DNS server does not authenticate the client computer performing the update, any client computer can update any A record, whether or not it owns that record. In general you should not use this option.
An Active Directory-integrated zone offers a third option, secure dynamic updates only. With this setting, when a client computer updates its own records, the DNS server requires the client to authenticate, so that only the owner of a resource record can update it.
Only client computers running Windows 2000 or later can perform dynamic updates; earlier versions of Windows (NT 4, 9x/ME) cannot. A DHCP server can, however, register records on behalf of these older clients by acting as their proxy. When the DHCP server registers an A record for a down-level client, it makes itself the owner of that record. With secure dynamic updates only the owner can modify the record, so another DHCP server that later tries to register a record for the same down-level client is denied access. To avoid this, add the DHCP servers to the DnsUpdateProxy security group: records registered by members of this group are created without owner information, so other DHCP servers can modify them.
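The three update settings and the DnsUpdateProxy behaviour described above, as an added example that is not part of the original post: a small policy simulation showing why "nonsecure and secure" lets any client overwrite any A record while "secure only" ties a record to its owner. The principal names (PC1$, DHCP1$, and so on), host names and addresses are constructed.

```python
# Added example, not from the original post: a simulation of the three dynamic
# update settings the text describes (none / nonsecure and secure / secure only)
# and of the DnsUpdateProxy behaviour, showing why "nonsecure and secure" lets
# any client overwrite any A record. Principals, names and addresses are constructed.

NONE, NONSECURE_AND_SECURE, SECURE_ONLY = "none", "nonsecure_and_secure", "secure_only"


class Zone:
    def __init__(self, policy):
        self.policy = policy
        self.records = {}   # name -> {"ip": str, "owner": principal or None}

    def dynamic_update(self, name, ip, principal=None, proxy=False):
        """Apply one dynamic update and return (accepted, reason).
        principal is the authenticated identity, or None for an unauthenticated client.
        proxy=True models a DHCP server in the DnsUpdateProxy group: the record it
        registers gets no owner, so another DHCP server may later modify it."""
        if self.policy == NONE:
            return False, "dynamic updates disabled"
        if self.policy == NONSECURE_AND_SECURE:
            # No identity check at all: the last writer wins, whoever it is.
            self.records[name] = {"ip": ip, "owner": None}
            return True, "accepted without authentication"
        # SECURE_ONLY: the client must authenticate and may only touch its own record.
        if principal is None:
            return False, "authentication required"
        existing = self.records.get(name)
        if existing and existing["owner"] not in (None, principal):
            return False, "access denied: record owned by %s" % existing["owner"]
        self.records[name] = {"ip": ip, "owner": None if proxy else principal}
        return True, "accepted"


def demo_nonsecure_overwrite():
    """PC1 registers itself; an unauthenticated client then replaces its address."""
    z = Zone(NONSECURE_AND_SECURE)
    z.dynamic_update("pc1.winsvr.org.", "192.0.2.11", principal="PC1$")
    ok, _ = z.dynamic_update("pc1.winsvr.org.", "192.0.2.99")
    return ok, z.records["pc1.winsvr.org."]["ip"]


def demo_secure_only():
    """The same attempt against a secure-only zone, by another authenticated host."""
    z = Zone(SECURE_ONLY)
    z.dynamic_update("pc1.winsvr.org.", "192.0.2.11", principal="PC1$")
    ok, reason = z.dynamic_update("pc1.winsvr.org.", "192.0.2.99", principal="PC2$")
    return ok, reason, z.records["pc1.winsvr.org."]["ip"]


def demo_dhcp_proxy():
    """Two DHCP servers registering one down-level client, without and with DnsUpdateProxy."""
    plain, proxied = Zone(SECURE_ONLY), Zone(SECURE_ONLY)
    plain.dynamic_update("old.winsvr.org.", "192.0.2.50", principal="DHCP1$")
    blocked, _ = plain.dynamic_update("old.winsvr.org.", "192.0.2.51", principal="DHCP2$")
    proxied.dynamic_update("old.winsvr.org.", "192.0.2.50", principal="DHCP1$", proxy=True)
    allowed, _ = proxied.dynamic_update("old.winsvr.org.", "192.0.2.51", principal="DHCP2$", proxy=True)
    return blocked, allowed
```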
Zone Delegation
A complete DNS zone contains information about the entire DNS namespace below its domain name. A DNS zone created for a subdomain of that namespace is called a child zone. For example, the complete winsvr.org zone contains all names under winsvr.org, and tech.winsvr.org is a child zone of winsvr.org.
By default a DNS zone manages its own subdomains, and they are replicated and updated together with the zone. You can, however, delegate a subdomain to another DNS server, which then becomes responsible for that child zone; the parent zone keeps only the delegation records for the child.
Zone delegation suits many environments. Common scenarios include:
delegating a child zone to the DNS server of the department it belongs to;
load balancing between DNS servers, by splitting a large zone into several smaller zones delegated to different DNS servers;
delegating a child zone to a branch office or remote site.
Delegation can only be performed in a primary zone. For a delegated child zone, the parent zone holds only the A and NS records pointing at the authoritative DNS servers of the child zone; the actual resolution is done by those authoritative servers. In other words, the delegated DNS server must host a primary zone named after the delegated subdomain.
The DNS management console of Windows Server 2003 provides a wizard that makes zone delegation straightforward.
DNS zone types
When deploying a DNS server you must decide the zone types in advance, since they determine the server type. DNS zones fall into two categories: forward lookup zones and reverse lookup zones.
A forward lookup zone maps FQDNs to IP addresses. When a DNS client asks for an FQDN to be resolved, the DNS server searches the forward lookup zone and returns the corresponding IP address to the client;
A reverse lookup zone maps IP addresses to FQDNs. When a DNS client asks for an IP address to be resolved, the DNS server searches the reverse lookup zone and returns the corresponding FQDN to the client.
Each category comes in three kinds: primary zone, secondary zone and stub zone:
Primary zone: contains all resource records of the corresponding DNS namespace and is authoritative for every DNS domain in the zone. All resource records in the zone are readable and writable, that is, the DNS server can modify the zone data. By default the zone data is stored in a text file. The data of a primary zone can instead be stored in Active Directory and replicated with Active Directory replication; the zone is then called an Active Directory-integrated primary zone. In that case every DNS server running on a domain controller can read and write the primary zone, which avoids the single point of failure of a standard primary zone.
Secondary zone: a copy of the primary zone, obtained directly from it by zone transfer. It also contains all resource records of the corresponding DNS namespace and is authoritative for every DNS domain in the zone. Unlike the primary zone, the DNS server cannot modify the secondary zone: it is read-only. Secondary zone data can only be stored in text files.
Stub zone: a new feature of Windows Server 2003. It contains only the records needed to identify the authoritative DNS servers of the primary zone. There are three record types:
SOA (start of authority of the delegated zone): identifies the primary source DNS server and other properties of the zone;
NS (name server): lists the authoritative DNS servers of the zone;
Glue A records: the IP addresses of the authoritative DNS servers of the zone.
By default the zone data is stored in a text file, but like a primary zone, a stub zone can be stored in Active Directory and replicated with it.
When a DNS client sends a resolution request, the DNS server answers authoritatively for the primary and secondary zones it hosts. If the client sends a recursive query for a name in a stub zone the server hosts, the server uses the stub zone's resource records to resolve it: it sends iterative queries to the authoritative DNS servers listed in the stub zone's NS records, just as it would use NS records from its cache; if it cannot find an authoritative server through its stub zone, it falls back to standard recursion using the root hints. If the client sends an iterative query, the server returns a referral containing the servers listed in the stub zone and does nothing further.
When an authoritative DNS server of the stub zone answers a query from the local DNS server, the local server stores the returned resource records in its cache, not in the stub zone; the only exception is returned glue A records, which are stored in the stub zone. Records in the cache expire according to the TTL of each record; the SOA, NS and glue A records in the stub zone expire at the expire interval given in the SOA record (set when the stub zone is created and updated on each transfer from the original primary zone).
When a DNS server (the parent) delegates a child zone to another DNS server, it does not learn of authoritative DNS servers added to the child zone later unless they are added on the parent server by hand. Stub zones exist mainly to solve this problem: by creating a stub zone for the delegated child zone on the parent DNS server, the parent picks up changes to the child zone's authoritative servers automatically, with no manual work.
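The contrast between a static delegation and a stub zone, as an added example that is not part of the original post: the parent's delegation keeps only NS and glue A records and never refreshes them, whereas the stub zone pulls SOA, NS and glue A from the child's master whenever the SOA serial advances, and discards them after the SOA expire interval. The zone tech.winsvr.org, its server names, addresses and SOA values are constructed.

```python
# Added example, not from the original post: what a parent zone keeps for a
# delegated child (NS plus glue A only) versus what a stub zone pulls from the
# child's master (SOA, NS, glue A), and why the stub notices a new authoritative
# server while the static delegation does not. Names, addresses and SOA values
# are constructed for the illustration.

# SOA tuple layout: (mname, rname, serial, refresh, retry, expire, minimum)
SERIAL, EXPIRE = 2, 5


def child_zone(ns_hosts, serial):
    """Full authoritative data for tech.winsvr.org, as held on its own master."""
    zone = {"SOA": ("ns1.tech.winsvr.org.", "admin.tech.winsvr.org.",
                    serial, 900, 600, 86400, 3600),
            "NS": list(ns_hosts), "A": dict(ns_hosts)}
    zone["A"]["www.tech.winsvr.org."] = "192.0.2.80"   # ordinary data, not delegation info
    return zone


def delegation_records(child):
    """What the parent stores when the delegation is created: NS and glue A, nothing
    else. The parent never refreshes these by itself."""
    return {"NS": list(child["NS"]), "A": {h: child["A"][h] for h in child["NS"]}}


def refresh_stub(stub, master, now):
    """Refresh like a secondary: compare the SOA serial first and copy only
    SOA, NS and glue A when the master's copy is newer."""
    if stub is not None and stub["SOA"][SERIAL] >= master["SOA"][SERIAL]:
        return dict(stub, last_refresh=now)
    return {"SOA": master["SOA"], "NS": list(master["NS"]),
            "A": {h: master["A"][h] for h in master["NS"]}, "last_refresh": now}


def stub_expired(stub, now):
    """Stub records are discarded once the SOA expire interval passes without a refresh."""
    return now - stub["last_refresh"] > stub["SOA"][EXPIRE]


def demo():
    child = child_zone({"ns1.tech.winsvr.org.": "192.0.2.53"}, serial=2024010101)
    parent = delegation_records(child)               # created once, by hand
    stub = refresh_stub(None, child, now=0)
    # The child administrator later adds a second authoritative server.
    child["NS"].append("ns2.tech.winsvr.org.")
    child["A"]["ns2.tech.winsvr.org."] = "192.0.2.54"
    child["SOA"] = child["SOA"][:SERIAL] + (2024010102,) + child["SOA"][SERIAL + 1:]
    stub = refresh_stub(stub, child, now=900)        # next scheduled refresh
    return (sorted(parent["NS"]), sorted(stub["NS"]),
            "www.tech.winsvr.org." in stub["A"], stub_expired(stub, now=900 + 86401))
```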
DNS server types
DNS servers are also classified by the zones they host. Since a DNS server can host several zones at once, it can belong to several server types at the same time.
Primary DNS server
A DNS server hosting a primary zone is called a primary DNS server; it is the central update source for the primary zone. A primary zone can be deployed in two ways:
Standard primary zone: the zone data is stored in local files, and only the primary DNS server can manage the zone (single-point update). If the primary DNS server fails, the zone can no longer be modified, although servers hosting a secondary copy of the zone can still answer client requests. Standard zones support only nonsecure dynamic updates.
Active Directory-integrated primary zone: available only when the DNS server runs on a domain controller. The zone data is stored in Active Directory and replicated with it. By default every DNS server running on a domain controller becomes a primary DNS server and can modify the zone data (multi-point update), which avoids the single point of failure of a standard primary zone. Active Directory-integrated primary zones support secure dynamic updates.
Secondary DNS Server
Good DNS design always uses at least two DNS servers for each zone: one primary DNS server and one secondary DNS server.
A DNS server hosting a secondary zone is a secondary DNS server. Secondary DNS servers provide load balancing and avoid a single point of failure. The server from which a secondary DNS server obtains its zone data is called the master server; the master can be the primary DNS server or another secondary DNS server. When creating a secondary zone you must specify the master server. Zone transfers between the secondary DNS server and its master keep the zone data up to date.
Note: "secondary DNS server" here refers to the zone it hosts, not to the server list on the client. When configuring the DNS servers a client uses, a server hosting the secondary zone can be the client's preferred DNS server, and a server hosting the primary zone can be the client's alternate DNS server.
Stub DNS Server
A DNS server hosting a stub zone is a stub DNS server. A stub DNS server is rarely deployed on its own; it is normally combined with the other server types. Zone transfers also take place between a stub DNS server and its master server.
Caching-only DNS server
A caching-only DNS server hosts no zones and performs no zone transfers; it only caches DNS names and uses the cached information to answer DNS client requests. A freshly installed DNS server is a caching-only server. By caching, it reduces the network traffic generated by clients querying external DNS servers and shortens the time clients wait for name resolution, so it is widely used. For example, a typical small or medium-sized business network connected to the Internet uses no domain names internally and therefore has no DNS server of its own; clients use the ISP's DNS server to resolve Internet names. In that case you can deploy a caching-only DNS server, configure it to forward queries for all other DNS domains to the ISP's DNS server, and point the clients at it, reducing both the time needed to resolve client requests and the traffic to external DNS servers.