In this chapter, we will install the DNS server role onto a server. This role is essential for various other roles (Active Directory being the most commonly used). It is used for associating a qualified name with an IP address. In fact, the internet as we know it today depends upon this protocol!
Review the DNS Basics
A client (often the web browser) sends a request to find out the IP address of the web server corresponding to the address that you entered.
Let’s say you’re accessing www.example.com. Your browser must ask for the server’s IP address named www in the DNS zone example.com.
It will send a request to the DNS server configured on your computer and make a type A request for www.example.com. If your DNS server doesn’t know the answer, it will turn to another DNS server (this will often be one of the Root Servers managing records in the “.” zone).
The name servers for .com, .org and, more generally, every top-level domain extension are listed in this root zone.
Your server then queries a name server of the .com zone, and the process starts again for the example.com zone, whose name server finally returns the A record corresponding to the www field of its zone: you should get the IP 107.180.40.145.
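To make the chain above concrete, here is an added example (not code from the course) that walks the delegation by hand with Resolve-DnsName: it asks for the name servers of ".", then "com", then "example.com", and finally asks one of example.com's own servers for the A record with recursion switched off, so the last answer is authoritative. The only value taken from the course is the lab server 10.0.2.15; every other name and address is looked up live, so the lab server must be able to reach the internet.

```powershell
# Added example, not part of the original course: trace the delegation chain for a
# name step by step, the way the chapter says a recursive server does it.
# 10.0.2.15 is the lab DNS server from this course; everything else is looked up live.
$Name     = 'www.example.com'
$Resolver = '10.0.2.15'

# Zones to visit, from the root down: ".", "com", "example.com"
$labels = $Name.TrimEnd('.').Split('.')
$zones  = @('.')
for ($i = $labels.Length - 1; $i -ge 1; $i--) {
    $zones += ($labels[$i..($labels.Length - 1)] -join '.')
}

$lastNs = $null
foreach ($zone in $zones) {
    # NS records name the servers that hold this zone; for "." these are the root servers
    $lastNs = Resolve-DnsName -Name $zone -Type NS -Server $Resolver -ErrorAction Stop |
              Where-Object Type -eq 'NS'
    '{0,-14} served by: {1}' -f $zone, (($lastNs.NameHost | Sort-Object) -join ', ')
}

# Final step: ask one of example.com's own servers directly, with recursion switched
# off, so the answer is authoritative rather than a copy from our resolver's cache.
$authHost = ($lastNs | Select-Object -First 1).NameHost
$authIp   = (Resolve-DnsName -Name $authHost -Type A -Server $Resolver |
             Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress
$answer   = Resolve-DnsName -Name $Name -Type A -Server $authIp -NoRecursion |
            Where-Object Type -eq 'A'
'{0} A {1} (authoritative answer from {2})' -f $Name, ($answer.IPAddress -join ', '), $authHost
```

The NS lookups go through your own server, which is exactly what a client would do; only the last query bypasses it, which is why that answer comes back without the "non-authoritative" qualifier you will see from nslookup later in this chapter.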
Install the DNS Server Role
Now let’s install the DNS role on Windows Server. First, go to Server Manager and add a role. When selecting the role, just like for DHCP, Microsoft will prompt you to add any required features:
Next, you’ll receive some information about this role, which will give a general overview of how it works (with the link to the DHCP) and optional Microsoft recommended configuration (integration with Active Directory). This optional configuration gives you the AD replication mechanism, which simplifies zone replication on AD servers (which must have the DNS server role to operate):
Confirm the final bit of information and launch installation by clicking Install. You must be pretty familiar with this wizard by now, right?
You’ll see your newly installed DNS role appear in Server Manager:
You’ll see why naming is so important if you head to your server dashboard! I’ve deliberately left the name that I used for the server while installing the DHCP role so you can see how confusing this could potentially be for the administrator:
Now that you’ve installed this role, let’s work on managing it!
Manage the DNS Service
Just like the DHCP Manager, you have the DNS Manager. This console is designed for administering the DNS role and lets you create the different zones necessary for DNS to work.
Before creating your first forward zone, you need to know how a DNS server operates.
Whenever a client makes a request, the response will be put into a local cache. This cache lets your server (after retrieving the www.example.com server IP address) respond more quickly without having to send another recursive query to the root servers and to the server for the example.com zone. You must manage this cache.
Why do I have to manage this cache?
Quite simply, so that the association between www.example.com and the IP 107.180.40.145 is not remembered forever.
If that site’s administrator needed to change its IP address, it would be a shame to no longer be able to access www.example.com.
The default value is a day (24 hours) for positive responses (an IP address that at least exists for a qualified name) and 15 minutes for negative responses. To display this information, open PowerShell and type in the command Get-DnsServerCache:
We’ll come back to PowerShell in the final part of this course. Use Microsoft’s online help to change these values.
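As an added example (not code from the course), the following DnsServer-module commands show what managing that cache looks like in practice: reading the current limits, looking at what one lookup stored, lowering the limits, and flushing a stale entry. The defaults it reads back are the one-day and 15-minute values quoted above; the shorter limits set below are an illustrative choice for a lab, not a Microsoft recommendation. Run it on the DNS server itself.

```powershell
# Added example, not from the original course: inspect and tune the resolver cache.
# MaxTtl / MaxNegativeTtl are the two limits the chapter describes. LockingPercent is
# cache locking (default 100): cached records cannot be overwritten by unsolicited
# answers until they expire, which limits cache-poisoning attempts.
Get-DnsServerCache | Select-Object MaxTtl, MaxNegativeTtl, LockingPercent

# Put one answer into the cache, then look at what was stored and for how long
Resolve-DnsName -Name 'www.example.com' -Type A -Server 127.0.0.1 | Out-Null
Show-DnsServerCache |
    Where-Object { $_.HostName -like '*example.com*' } |
    Format-Table HostName, RecordType, TimeToLive, RecordData -AutoSize

# Cap the lifetime of cached answers below what the upstream TTL allows:
# positive answers at most 1 hour, negative ("no such name") answers at most 5 minutes
# (illustrative lab values)
Set-DnsServerCache -MaxTtl (New-TimeSpan -Hours 1) -MaxNegativeTtl (New-TimeSpan -Minutes 5)

# When a site you depend on has just changed address, drop the stale copy instead of
# waiting for it to expire
Clear-DnsServerCache -Force

# Re-read the settings to confirm the change
Get-DnsServerCache | Select-Object MaxTtl, MaxNegativeTtl
```

A shorter MaxTtl means your server asks upstream more often, so pick a value that balances the traffic you are willing to generate against how quickly you need to notice an address change.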
Finally, check that the DNS role is correctly configured. In the DNS Manager, right-click on the server name, then select Properties:
This is exactly what you need to check.
What interface is the DNS service listening on?
By default, it will listen to DNS queries on all interfaces. If you have an administration network, it might be a good idea not to listen to queries on this network. Instead, selecting the fixed IP that you configured in the first chapter is better.
Head to the Root Hints tab and check that your server knows the root servers. These servers will be contacted to identify a response to www.example.com (for example!).
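The same two checks, scripted as an added example (not code from the course): read and restrict the listening addresses, then list the root hints and have the server test them. 10.0.2.15 is the fixed address assigned to the server earlier in the course. Run it on the DNS server.

```powershell
# Added example, not from the original course: the listening-interface and root-hint
# checks from the server's Properties dialog, done with the DnsServer module.
$settings = Get-DnsServerSetting -All
"Listening on: $($settings.ListeningIPAddress -join ', ')"

# Listen only on the fixed address; an administration network should not receive queries
$settings.ListeningIPAddress = @('10.0.2.15')
Set-DnsServerSetting -InputObject $settings
# Precaution: restart the service so the new listening address is certainly in effect
Restart-Service -Name DNS

# Root hints: the servers the role contacts first when a name is neither local nor cached
$hints = Get-DnsServerRootHint
"$($hints.Count) root hints known, for example: " +
    (($hints | Select-Object -First 3).NameServer.RecordData.NameServer -join ', ')

# Collect the IPv4 addresses of the root servers and let the role test them
$rootIps = foreach ($h in $hints) {
    $h.IPAddress | Where-Object RecordType -eq 'A' |
        ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString }
}
Test-DnsServer -IPAddress $rootIps -Context RootHints
```

If the test reports no response from any root server, the server cannot reach the internet on port 53 and recursive queries such as the www.example.com test below will fail, even though local zones will still work.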
I know what you’re thinking – how can you test your DNS server? Should it be able to respond to any query with these servers?
Open a shell on your server and type in the command nslookup - 10.0.2.15 (where 10.0.2.15 is the IP address of your server’s network interface). This starts an interactive DNS client linked to your server. Try out www.example.com:
nslookup - 10.0.2.15
Default Server: UnKnown
> www.example.com
Server: UnKnown
Non-authoritative answer:
Name: www.example.com
Addresses: 2606:2800:220:1:248:1893:25c8:1946
107.180.40.145
Since your server doesn’t own the example.com zone, it recursively queries the root servers and then the DNS server in the example.com zone. Therefore, your server’s response is non-authoritative, as your server gets it from another one!
How do we get authoritative responses?
By having a DNS zone, and luckily enough, that’s what we’re just about to set up!
Set Up Your First Forward Zone
First, you need to choose a domain name. I suggest taking a private zone.
Let’s imagine that after configuring DHCP, the managers at Gift Ltd. ask you to find a way to name the different devices and services on the network. The manager is tired of typing in the IP address 10.0.2.10 to access the intranet. Therefore, you’re going to create a forward zone for the gift.ltd domain and put an A record there that points intranet.gift.ltd to 10.0.2.10. Now your manager can type in https://intranet.gift.ltd instead of the IP address. Mission accomplished!
There’s another wizard to help with this. Click on Action at the top of your screen, then select New Zone.
You’ll see the following after the welcome screen:
You want the first option, so confirm by clicking Next until you get to the Zone Name page (in this case, gift.ltd). Next is the zone file creation (and its location on your server), and then the issue of Dynamic Updates.
Now that you’ve created your zone, let’s look at its contents by clicking Finish and then Forward Lookup Zones:
Your zone only contains two records identifying the start of authority (SOA) server and the name server (NS). To create the intranet record your managers requested, right-click in the right-hand window (or on the zone name), and select New Host (A or AAAA). The A records are for the IPv4 and the AAAA for IPv6. Next, enter the host name within the zone (i.e., intranet), and the associated IP address:
You now have the option of creating a PTR, which you’ll see in the next section, so leave this box unticked for now and confirm by clicking Add a Host. You’ll see the (non-modifiable) field of the fully-qualified domain name (FQDN), which has a “dot” at the end representing the root zone, followed by the extension “ltd,” then the domain “gift.” Therefore, the qualified name of the intranet is “intranet.gift.ltd”.
Restart a command prompt and type in the command nslookup intranet.gift.ltd 10.0.2.15 to check that you created your record correctly and ask what IP address the host intranet.gift.ltd has on the server 10.0.2.15:
>nslookup intranet.gift.ltd 10.0.2.15
Server : UnKnown
Address: 10.0.2.15

Name : intranet.gift.ltd
Address : 10.0.2.10
Super! You know how to create A records in a forward zone! You can now give all your devices or servers names without using the IP addresses.
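Here is the same zone and record built without the wizard, as an added example (not code from the course) using the DnsServer module, followed by the same check nslookup performed above. The names and addresses (gift.ltd, intranet, 10.0.2.10, 10.0.2.15) are the course's own lab values.

```powershell
# Added example, not from the original course: create the forward zone and the A record
# the chapter builds in the New Zone / New Host wizards. Run on the DNS server.
# DynamicUpdate None matches the choice the chapter makes: refuse dynamic updates.
Add-DnsServerPrimaryZone -Name 'gift.ltd' -ZoneFile 'gift.ltd.dns' -DynamicUpdate None

# Host record intranet.gift.ltd -> 10.0.2.10. The wizard's "create PTR" box corresponds
# to the -CreatePtr switch; it is left out here, the reverse zone comes in the next section.
Add-DnsServerResourceRecordA -ZoneName 'gift.ltd' -Name 'intranet' -IPv4Address '10.0.2.10'

# The zone now holds the two default records (SOA and NS) plus the new A record
Get-DnsServerResourceRecord -ZoneName 'gift.ltd' |
    Format-Table HostName, RecordType, TimeToLive, RecordData -AutoSize

# Same check as "nslookup intranet.gift.ltd 10.0.2.15"
$answer = Resolve-DnsName -Name 'intranet.gift.ltd' -Type A -Server 10.0.2.15 |
          Where-Object Type -eq 'A'
if ($answer.IPAddress -contains '10.0.2.10') {
    'OK: intranet.gift.ltd resolves to 10.0.2.10'
} else {
    'Unexpected answer: ' + ($answer.IPAddress -join ', ')
}
```

Scripting the zone this way also gives you a reproducible record of what was created, which is easier to review than a sequence of wizard screenshots.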
Discover Other Record Types
Let’s look at a few more things before moving on to the reverse zone. DNS responds to client queries, and type A requests an IP address from a name. However, many other types are available, such as NS for finding out the name server. With Windows, you can query different types with the option set type=XXX, where XXX is the type requested.
Another type is SOA (start of authority), which you can use to determine which server has authority in a zone.
>nslookup - 10.0.2.15
Default server : UnKnown
Address: 10.0.2.15
>set type=SOA
>gift.ltd
Server : UnKnown
Address: 10.0.2.15

gift.ltd
        primary name server = srvdhcpny01
        responsible mail addr = hostmaster
        serial = 2
        refresh = 900 (15 mins)
        retry = 600 (10 mins)
        expire = 86400 (1 day)
        default TTL = 3600 (1 hour)
>set type=NS
>gift.ltd
Server : UnKnown
Address: 10.0.2.15

gift.ltd        nameserver = srvdhcpny01
Another type is CNAME, which you use to associate a name to a name.
This is practical for giving a name to a server by pointing to the service name. For example, it can be useful to have a different name for administering the intranet, but it can be time-consuming to type “intranet.gift.ltd” when administering this service. So a CNAME “int.gift.ltd” pointing to intranet.gift.ltd solves this problem:
>set type=CNAME
>int.gift.ltd
Server : UnKnown
Address: 10.0.2.15

int.gift.ltd    canonical name = intranet
There are lots of types, but the best known are NS, SOA, A, AAAA, CNAME, TXT, and MX (Mail eXchange for mail servers). The implementation method is the same, though, regardless of the type.
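As an added example (not code from the course), the following creates the int.gift.ltd alias with the DnsServer module and then runs the SOA, NS, A and CNAME queries shown above with Resolve-DnsName instead of nslookup's set type. It assumes the gift.ltd zone and the intranet A record from the previous section already exist on 10.0.2.15.

```powershell
# Added example, not from the original course: the CNAME from the chapter, then one
# query per record type. Assumes the gift.ltd zone and intranet A record exist.
Add-DnsServerResourceRecordCName -ZoneName 'gift.ltd' -Name 'int' -HostNameAlias 'intranet.gift.ltd'

# Which name to ask for each type: zone-level types use the zone apex
$queries = @{ SOA = 'gift.ltd'; NS = 'gift.ltd'; A = 'intranet.gift.ltd'; CNAME = 'int.gift.ltd' }

foreach ($type in 'SOA', 'NS', 'A', 'CNAME') {
    $q = $queries[$type]
    # A CNAME query also returns the A record it points to, so keep only the requested type
    Resolve-DnsName -Name $q -Type $type -Server 10.0.2.15 |
        Where-Object Type -eq $type |
        ForEach-Object {
            switch ($type) {
                'SOA'   { 'SOA   {0}: primary={1} serial={2} refresh={3}s default TTL={4}s' -f
                              $q, $_.PrimaryServer, $_.SerialNumber, $_.TimeToZoneRefresh, $_.DefaultTTL }
                'NS'    { 'NS    {0} -> {1}' -f $q, $_.NameHost }
                'A'     { 'A     {0} -> {1}' -f $q, $_.IPAddress }
                'CNAME' { 'CNAME {0} -> {1}' -f $q, $_.NameHost }
            }
        }
}
```

The SOA serial number is worth watching: every change you make to the zone increments it, and secondary servers use it to decide whether they need a fresh copy, which ties in with the zone-transfer setting at the end of this chapter.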
Set Up Your First Reverse Zone
Now that you have a forward zone, wouldn’t it be nice to create a reverse zone? This associates an IP address to a name, so it’s the opposite of a forward zone. It allows you to confirm that the name chosen in a forward zone is indeed associated with the IP address, and to query a DNS server about an IP address. To test it, change the address of the DNS server configured on your DNS server’s network interface so that it points to itself, here in the Preferred DNS server field:
All name queries will now be sent to your server. Open a command prompt and type in ping intranet.gift.ltd :
C:\Users\Administrator>ping intranet.gift.ltd

Send a 'ping' request on intranet.gift.ltd [10.0.2.10] with 32 bytes of data :
Ctrl+C
^C
C:\Users\Administrator>ping 10.0.2.10

Send a 'ping' request 10.0.2.10 with 32 bytes of data :
Ctrl+C
^C
The name intranet.gift.ltd is correctly resolved (through the forward zone) into 10.0.2.10, but the opposite is not true! You need to create a reverse zone.
To create a reverse zone, head to your DNS manager, right-click reverse zone, and select New Zone. You should end up here after the welcome screen:
Here again, you have different zones depending on the level of control you want. We’ll only look at the main one. On the next screen, you can choose between IPv4 and v6.
Stick with IPv4. Next, enter your network ID. These are the octets from the IP address that represents your network, and finally, the suggested zone file name and dynamic updates (same applies: we’ll refuse dynamic updates):
You only have two default records (just like for a forward zone):
Add a PTR record for intranet.gift.ltd (look over your forward zone with the PTR record creation wizard to be sure to point towards the right name!). Enter the IP address (the final octet), and you’ll get your first record:
Add -a to your command line to test resolution with a ping.
C:\Users\Administrator>ping -a 10.0.2.10

Send a 'ping' request on intranet.gift.ltd [10.0.2.10] with 32 bytes of data :
Ctrl+C
^C
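The reverse zone and PTR record done with the DnsServer module, as an added example (not code from the course), plus a check the wizard does not give you: it goes through every A record in gift.ltd and verifies that the address maps back to the same name. The network 10.0.2.0/24, the host 10.0.2.10 and the server 10.0.2.15 are the course's lab values. It assumes the gift.ltd forward zone from the earlier section exists.

```powershell
# Added example, not from the original course: reverse zone, PTR record and a
# forward/reverse consistency check. Run on the DNS server 10.0.2.15.
$server = '10.0.2.15'

# Reverse zone for 10.0.2.0/24, named 2.0.10.in-addr.arpa (octets reversed), no dynamic updates
Add-DnsServerPrimaryZone -NetworkId '10.0.2.0/24' -ZoneFile '2.0.10.in-addr.arpa.dns' -DynamicUpdate None

# PTR for 10.0.2.10: inside the reverse zone the record name is just the final octet
Add-DnsServerResourceRecordPtr -ZoneName '2.0.10.in-addr.arpa' -Name '10' -PtrDomainName 'intranet.gift.ltd'

# Same question "ping -a" asks: which name belongs to this address?
Resolve-DnsName -Name '10.0.2.10' -Type PTR -Server $server | Select-Object Name, NameHost

# Consistency check: every A record in the forward zone should have a matching PTR.
# A mismatch usually means a host was renamed or re-addressed in one zone only.
Get-DnsServerResourceRecord -ZoneName 'gift.ltd' -RRType A | ForEach-Object {
    $fqdn = '{0}.gift.ltd' -f $_.HostName
    $ip   = $_.RecordData.IPv4Address.IPAddressToString
    $ptr  = Resolve-DnsName -Name $ip -Type PTR -Server $server -ErrorAction SilentlyContinue |
            Where-Object Type -eq 'PTR'
    if (-not $ptr) {
        'MISSING  {0} has no PTR (forward zone says {1})' -f $ip, $fqdn
    } elseif ($ptr.NameHost -ne $fqdn) {
        'MISMATCH {0} -> {1}, forward zone says {2}' -f $ip, $ptr.NameHost, $fqdn
    } else {
        'OK       {0} <-> {1}' -f $ip, $fqdn
    }
}
```

Run the last loop again whenever you add or rename hosts; services that log client addresses, and many mail servers, rely on forward and reverse records agreeing.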
Great work! You have a configured DNS server to simplify network management for Gift Ltd. If you want to run diagnostics, go back to the methods and tools covered in the previous chapter – they apply to all roles and features.
One Last Thing
Before configuring other roles, there is another bit of configuration we need to do together. First, zone transfer. This feature is handy if you have several servers for a single zone (which is a good thing) but can be dangerous if you publicly expose your DNS server.
For this, right-click the name of your zone, head to the Zone Transfers tab, and either refuse transfers or list the trusted servers you approve to receive your records. It’s also good practice to log all DNS transactions.
Finally, you can launch Microsoft BPA for this role to check that your configuration aligns with Microsoft’s best practices.
Don’t forget to allow UDP port 53 on your firewall; otherwise, your DNS server will no longer be accessible on the network.
Remember, activate your firewall to block all streams not covered by an incoming traffic rule!
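The closing steps of this chapter (restrict zone transfers, log DNS activity, run the BPA, open port 53) as an added example in PowerShell, not code from the course. The zone names are the ones created earlier; 10.0.2.16 is an assumed address for a hypothetical secondary server and C:\DnsLogs is an arbitrary log location. DNS uses UDP 53 for ordinary queries and TCP 53 for zone transfers and answers too large for UDP, so both rules are created.

```powershell
# Added example, not from the original course. Run on the DNS server.
# 10.0.2.16 is an assumed, hypothetical secondary server; C:\DnsLogs is an arbitrary path.

# 1. Zone transfers: only to the listed server(s). Use NoTransfer for zones that have no secondary.
Set-DnsServerPrimaryZone -Name 'gift.ltd' -SecureSecondaries TransferToSecureServers `
    -SecondaryServers 10.0.2.16 -Notify NotifyServers -NotifyServers 10.0.2.16
Set-DnsServerPrimaryZone -Name '2.0.10.in-addr.arpa' -SecureSecondaries NoTransfer

# 2. Logging: write queries, answers and the packets behind them to a file
New-Item -ItemType Directory -Path 'C:\DnsLogs' -Force | Out-Null
Set-DnsServerDiagnostics -Queries $true -Answers $true -SendPackets $true -ReceivePackets $true `
    -UdpPackets $true -TcpPackets $true -EnableLoggingToFile $true -LogFilePath 'C:\DnsLogs\dns.log'

# 3. Best Practices Analyzer for the DNS role: run it, then show only what is not compliant
Invoke-BpaModel -ModelId 'Microsoft/Windows/DNSServer' | Out-Null
Get-BpaResult -ModelId 'Microsoft/Windows/DNSServer' -Filter Noncompliant |
    Format-Table Title, Severity -AutoSize

# 4. Firewall: port 53 inbound. Installing the role normally adds its own rules, so list
# what already exists before adding any, and only add a rule that is missing.
Get-NetFirewallRule -DisplayName 'DNS*' | Format-Table DisplayName, Enabled, Direction, Action -AutoSize
foreach ($proto in 'UDP', 'TCP') {
    $ruleName = "DNS Server ($proto-In)"
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol $proto `
            -LocalPort 53 -Action Allow -Profile Domain, Private | Out-Null
    }
}
```

The packet log grows quickly on a busy server; on a production system keep it on a disk with room to spare or restrict it to queries and answers only.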
Additional Resources
RFCs governing the DNS.
Part 3 of Set Up TCP/IP Networks deals with DNS.
List of different types of DNS records.
Managing the Microsoft DNS cache.
Let’s Recap!
The DNS role in Windows Server lets you create forward and reverse zones.
A DNS server resolves domain names to IP addresses and IP addresses to domain names.
Zone transfers should be restricted to trusted servers only.
A DNS server is queried using the nslookup command or via web browsers (among other things).
Let’s continue your learning by setting up a file server in Windows Server – we’ll take a look at how to do this in the next chapter!