DNS (itself an acronym for Domain Name Service) servers are used to resolve human-readable names into machine-readable IP addresses, or vice versa. Today, a DNS server, especially in a Windows environment, provides more than name-to-IP-address resolution. For instance, it can support Domain Keys, Sender Policy Framework (SPF), DKIM and Active Directory container records, among other things. In this article, we walk through the process of configuring a DNS server from scratch.
The first thing to know and remember about DNS servers is that they are hierarchical. One server does not have to contain the records of everything on the network or the Internet; if you try to, it will probably crash. At the top of the hierarchy are the “Root Servers”. These are simply DNS servers that resolve a single letter of the English alphabet. For 26 letters, there are 26 resolvers. However, they are all paired and shared, because the net load on any one of them is so small that it is pointless to run dedicated machines for them. The DNS names for the root servers start with the letter, followed by “root-servers.net”. So the resolver for the root name “a” would be “a.root-servers.net”. During a query, if the resolution request reaches all the way to the root server, it means the domain does not exist. For this purpose, most DNS implementations will detect that the next up-chain query would hit the root server and return a “Not found” result.
Recursion
Recursion is the feature with which DNS servers implement chaining. Each DNS server is configured with a list of “upstream” servers that it can contact if it cannot resolve a particular request by itself. If a server is not configured with these upstream addresses, it can only resolve the name/IP pairs it is directly configured with, and resolution requests for any other resource will fail. If you are creating a DNS server purely for internal purposes, and it is probably not the only DNS system your resources will contact, then this is fine.
Secure Updates – With Windows Active Directory
When used in a Windows Active Directory setup, the Windows DNS Server can perform its data transfers and inter-server replication using Active Directory’s secure and redundant transport mechanisms. This mechanism offers a very high degree of data security and integrity. DNS servers can then be enabled to perform something called “Secure Updates”, which latch on to this Active Directory feature. This feature will be unavailable to configure on your DNS server if it is not part of an Active Directory domain.
Forward and Reverse Lookup Zones
A forward lookup zone contains the information to resolve a name to an IP address. A reverse lookup zone converts an IP address to a name. If one is present and the other is not, DNS will still work, but some applications that require both to be present (modern e-mail anti-spam systems, for example) may not.
Step by Step
Let us take a DNS server and configure it for use with both your internal resources and for resolving Internet-based requests. For our purpose, we will need a root domain (or “zone”) name to which all internal resources will attach. We will use “foobar.com” as this name. You will also need to know the DNS server IP addresses of your ISP — alternately, you can use the OpenDNS DNS servers, which are free to use. If you are using OpenDNS, go to http://www.opendns.com/business-solutions/premium-dns/benefits/ and you will see two IP addresses listed on the page (208.67.222.222 and 208.67.220.220).
- Ensure that you have the DNS role installed. If not, open Server Manager and add the DNS role from the Add Roles wizard. For this exercise, leave all the installation settings at defaults. You do not need to reboot after this.
- After the installation is complete, from Administrative Tools, open the DNS management console (dnsmgmt.msc).
- If your local system has not been populated, right-click on the “DNS” root entry and select “Connect to DNS Server”, select “This computer”, ensure the “Connect to this computer now” checkbox is checked and click OK.
- After your computer appears with some folder-like items under it, right-click on your computer’s name and select “Configure a DNS Server”. This opens a wizard.
- Select Configure Root Hints only option and finish the wizard.
- Once you have returned to the main console, right click on the computer name and select Properties.
- If you have more than one network card, and you want the DNS server to respond only on one of those networks, go to the Interfaces tab and select only those IP addresses that you want the DNS to bind to.
- Now go to the Forwarders tab and click on the Edit button. The first row is an input field; you can enter either a DNS name (www.example.com) or an IP address here. For now, type in the IP addresses of your upstream DNS servers.
IMPORTANT: If you miss or skip the step to configure forwarders, upstream chaining will not occur and the DNS will not be able to resolve any names it does not know about directly.
- Now it's time to create zones.
- Right click on the “Forward Lookup Zones” folder and select “New Zone” to bring up the New Zone wizard.
- Select to create a new Primary zone.
- Enter “foobar.com” as the zone name (if you are creating zones for proper domain names like on the Internet, you would enter the appropriate domain name here).
- Leave everything else as is and finish the wizard.
- Now right-click on the “Reverse Lookup Zones” folder and select “New Zone”.
- Again, create a Primary zone.
- Select IPv4 Reverse Lookup Zone (if you are already into IPv6, then hold off for now).
- Enter the Network ID (the first three octets of your IP address).
- Leave everything else again as is and finish the wizard.
- Now it is time to populate the zones with records. The Windows DNS management console automatically creates matching reverse records (PTR records) when you add or edit records in the forward zones, so we will not be visiting the reverse zone folder any more in this exercise.
- If you click on the “foobar.com” zone inside the Forward Lookup Zones folder, you will see both an SOA record and a NS record already in there. To edit these, right click on the “foobar.com” zone and select Properties. You can make changes on the various fields on this properties box.
- Right-click in a blank area with the foobar.com zone selected and select “New Host (A or AAAA)”. Type in “www” and enter any IP address, leave “Create associated pointer (PTR) record” checked and click OK. You have now created a record called “www.foobar.com” that will resolve to the IP address you entered.
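The same configuration done from PowerShell, as an added example that is not part of the original article: it uses the DnsServer module cmdlets instead of the console, covers the forwarders, both zones and the www host with its PTR, and creates AD-integrated zones with “Secure” dynamic updates only when the server is a domain controller (the case the Secure Updates section describes). The network (192.168.10.0/24), the www address (192.168.10.20) and the DC check are constructed placeholders; foobar.com and the OpenDNS addresses come from the article.

```powershell
# Added example (not the article's own steps): configure the DNS server with the
# DnsServer PowerShell module. Run in an elevated PowerShell on the DNS server.
Import-Module DnsServer

$Forwarders = @('208.67.222.222', '208.67.220.220')   # OpenDNS, as named in the article
$ZoneName   = 'foobar.com'                            # the article's sample zone
$NetworkId  = '192.168.10.0/24'                       # constructed: your internal network
$WwwAddress = '192.168.10.20'                         # constructed: address for www.foobar.com

# Forwarders (the IMPORTANT step): without them, names the server does not hold directly
# cannot be resolved at all.
Add-DnsServerForwarder -IPAddress $Forwarders -PassThru

# Win32_ComputerSystem.DomainRole is 4 (backup DC) or 5 (primary DC) on a domain controller.
$IsDomainController = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

if ($IsDomainController) {
    # AD-integrated zones: replicated over Active Directory, which is what makes
    # "Secure" dynamic updates available.
    Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Domain -DynamicUpdate Secure
    Add-DnsServerPrimaryZone -NetworkId $NetworkId -ReplicationScope Domain -DynamicUpdate Secure
} else {
    # Standalone server: file-backed primary zones. Secure updates are not available here,
    # so dynamic updates are left off rather than allowed from anyone.
    Add-DnsServerPrimaryZone -Name $ZoneName -ZoneFile "$ZoneName.dns" -DynamicUpdate None
    Add-DnsServerPrimaryZone -NetworkId $NetworkId -ZoneFile '10.168.192.in-addr.arpa.dns' -DynamicUpdate None
}

# Host record plus its matching PTR, exactly what "Create associated pointer (PTR) record" does.
Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name 'www' -IPv4Address $WwwAddress -CreatePtr

# Review what was created.
Get-DnsServerForwarder | Select-Object -ExpandProperty IPAddress
Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated } |
    Select-Object ZoneName, ZoneType, IsReverseLookupZone, IsDsIntegrated, DynamicUpdate
Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A
```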
Let’s test —
- Open a command prompt window and type in “nslookup” to launch the interactive DNS lookup tool.
- At the “>” prompt, type in “server <your server name>” and press enter. Alternately, you can provide your system’s IP address instead of the name.
- If you get a response with the name and IP address of your local DNS system, all is good so far. Otherwise, check for typos and try again.
- Now type in “set q=any”, press enter, then type in “foobar.com” and press enter. You should get back a whole bunch of information.
- Now type in “www.google.com”. Since you enabled forwarders, you should see a list of IP addresses for Google come up. Since your local DNS did not know the answer, it routed the request to the upstream DNS server (OpenDNS) and got the answer from there.
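The same three checks scripted with Resolve-DnsName, as an added example that is not part of the original article: it confirms the server answers for the zone, that the A record and its PTR agree (the forward/reverse pairing the anti-spam note above depends on), and that a name the server is not authoritative for comes back through the forwarders. The server address and the www address are constructed placeholders.

```powershell
# Added example (not the article's own): verify the new DNS server from any Windows client.
$DnsServer  = '192.168.10.5'        # constructed: name or IP of your new DNS server
$WwwAddress = '192.168.10.20'       # constructed: the address you gave www.foobar.com

# 1. The zone itself: the equivalent of "set q=any" / "foobar.com" in nslookup.
#    -DnsOnly skips the hosts file and cached answers so only the server is asked.
$zone = Resolve-DnsName -Name 'foobar.com' -Type ANY -Server $DnsServer -DnsOnly
$zone | Format-Table Name, Type, IPAddress, NameHost -AutoSize

# 2. Forward and reverse records must agree; a missing or stale PTR breaks the
#    applications that check both, even though plain name resolution still works.
$fwd = Resolve-DnsName -Name 'www.foobar.com' -Type A -Server $DnsServer -DnsOnly
$rev = Resolve-DnsName -Name $WwwAddress -Type PTR -Server $DnsServer -DnsOnly
if (($fwd.IPAddress -contains $WwwAddress) -and ($rev.NameHost -contains 'www.foobar.com')) {
    'Forward and reverse records match'
} else {
    "Mismatch: A -> $($fwd.IPAddress -join ', '); PTR -> $($rev.NameHost -join ', ')"
}

# 3. Forwarding: a name this server does not hold must be answered via the forwarders.
#    A failure here almost always means the Forwarders tab was skipped.
try {
    $ext = Resolve-DnsName -Name 'www.google.com' -Type A -Server $DnsServer -DnsOnly -ErrorAction Stop
    "Forwarding OK: www.google.com -> $($ext.IPAddress -join ', ')"
} catch {
    "Forwarding failed ($($_.Exception.Message)); check the Forwarders tab on the server"
}
```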