Updated on 01/06/2022

Install a DNS Server

In this chapter, we will install the DNS server role onto a server. This role is essential for various other roles (Active Directory being the most commonly used). It is used for associating a qualified name with an IP address. In fact, the internet as we know it today depends upon this protocol!

Review the DNS Basics

A client (often the web browser) sends a request to find out the IP address of the web server corresponding to the address that you entered.

Let’s say you’re accessing www.example.com. Your browser must ask for the server’s IP address named www in the DNS zone example.com.

It will send a request to the DNS server configured on your computer and make a type A request for www.example.com. If your DNS server doesn’t know the answer, it will turn to another DNS server (this will often be one of the Root Servers managing records in the “.” zone).

The name servers for .com, .org and, more generally, every domain name extension are listed in this root zone.

Your server then asks a root server for the name server of the .com zone, queries that name server in turn, and the process repeats for the example.com zone, whose name server finally returns the A record for the www name in its zone: you should get the IP 107.180.40.145.
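Here is an added example, not part of the course, that follows the delegation just described one referral at a time with Resolve-DnsName. It assumes internet access, that 198.41.0.4 (a.root-servers.net) is reachable, and that Resolve-DnsName returns the Authority and Additional sections of a referral when recursion is disabled.

```powershell
# Added example, not from the course: walk the delegation chain by hand,
# starting from a root server, the way the diagram above describes it.
# Assumes Resolve-DnsName exposes the referral's Authority/Additional sections.
function Trace-DnsDelegation {
    param(
        [string]$Name   = 'www.example.com',
        [string]$Server = '198.41.0.4'      # a.root-servers.net
    )
    for ($hop = 1; $hop -le 10; $hop++) {
        # Ask without recursion: an authoritative server either answers or refers us.
        $resp = Resolve-DnsName -Name $Name -Type A -Server $Server -NoRecursion -DnsOnly -ErrorAction Stop

        $answer = $resp | Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq 'A' }
        if ($answer) {
            "$Name -> $($answer.IPAddress -join ', ') (answered by $Server)"
            return
        }

        # No answer: the Authority section names the servers of the next zone down.
        $ns = $resp | Where-Object { $_.Section -eq 'Authority' -and $_.Type -eq 'NS' } | Select-Object -First 1
        if (-not $ns) { throw "No answer and no referral from $Server" }
        "hop $hop : $Server refers $Name to zone $($ns.Name) via $($ns.NameHost)"

        # Use the glue address from the Additional section if present (as for the
        # .com servers); otherwise resolve the name server's address normally.
        $glue = $resp | Where-Object { $_.Section -eq 'Additional' -and $_.Type -eq 'A' -and $_.Name -eq $ns.NameHost } |
                Select-Object -First 1
        $Server = if ($glue) { $glue.IPAddress }
                  else { (Resolve-DnsName -Name $ns.NameHost -Type A | Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress }
    }
    throw "Gave up after 10 referrals"
}

Trace-DnsDelegation -Name 'www.example.com'
```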

Diagram of how the DNS works

Install the DNS Server Role

Now let’s install the DNS role on Windows Server. First, go to Server Manager and add a role. When selecting the role, just like for DHCP, Microsoft will prompt you to add any required features:

Required features for the DNS Server role

Next, you’ll receive some information about this role, which gives a general overview of how it works (including how it relates to DHCP) and the optional configuration Microsoft recommends (integration with Active Directory). This optional configuration gives you the AD replication mechanism, which simplifies zone replication between AD servers (which must have the DNS server role to operate):

Information on the DNS server role from the installation wizard

Confirm the final bit of information and launch installation by clicking Install. You must be pretty familiar with this wizard by now, right?

You’ll see your newly installed DNS role appear in Server Manager:

Server Manager after installing the DNS server role

You’ll see why naming is so important if you head to your server dashboard! I’ve deliberately left the name that I used for the server while installing the DHCP role so you can see how confusing this could potentially be for the administrator:

DNS role installed on SRVDHCPNY01

Now that you’ve installed this role, let’s work on managing it!

Manage the DNS Service

Just like the DHCP Manager, you have the DNS Manager. This console is designed for administering the DNS role and lets you create the different zones necessary for DNS to work.

DNS Manager

Before creating your first forward zone, you need to know how a DNS server operates.

Whenever a client makes a request, the response is put into a local cache. This cache lets your server (once it has retrieved the IP address of www.example.com) respond more quickly, without sending another recursive query to the root servers and to the name server of the example.com zone. You must manage this cache.

Why do I have to manage this cache?

Quite simply so that the association between www.example.com and the IP 107.180.40.145 is not remembered forever.

If that site’s administrator changed its IP address, it would be a shame to no longer be able to reach www.example.com.

The default value is a day (24 hours) for positive responses (a qualified name for which an IP address does exist) and 15 minutes for negative responses. To display this information, open PowerShell and type in the command Get-DnsServerCache:

Cache configuration for the DNS server

We’ll come back to PowerShell in the final part of this course. Use Microsoft’s online help to change these values.

Finally, check that the DNS role is correctly configured. In the DNS Manager, right-click on the server name, then select Properties:

DNS server properties

Here is what you need to check.

What interface is the DNS service listening on?

By default, it listens for DNS queries on all interfaces. If you have an administration network, it is a good idea not to listen for queries on that network: select instead only the fixed IP that you configured in the first chapter.

Head to the Root Hints tab and check that your server knows the root servers. These servers will be contacted to identify a response to www.example.com (for example!).

Root servers known by your DNS server

I know what you’re thinking – how can you test your DNS server? Should it be able to respond to any query with these servers?

Open a shell on your server. Type in the command nslookup - 10.0.2.15 (where 10.0.2.15 is the IP address of your server’s network interface). You are now in an interactive DNS client session bound to your server. Try out www.example.com:

nslookup - 10.0.2.15

Default Server: UnKnown
> www.example.com

Server: UnKnown
Non-authoritative answer:
Name: www.example.com
Addresses: 2606:2800:220:1:248:1893:25c8:1946
           107.180.40.145

Since your server doesn’t own the example.com zone, it recursively queries the root servers and then the DNS server in the example.com zone. Therefore, your server’s response is non-authoritative, as your server gets it from another one!
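The cache settings and the properties checks from the sections above can also be done from PowerShell. This added example is not part of the course; it assumes the role is installed on the local server and that 10.0.2.15 is the server’s fixed IP, as throughout this chapter.

```powershell
# Added example, not from the course: inspect and adjust the settings discussed
# above with the DnsServer module. Assumes the role is installed locally and
# that 10.0.2.15 is the server's fixed IP (the address used in this chapter).
Import-Module DnsServer

# 1. Cache: the defaults are MaxTtl = 1 day and MaxNegativeTtl = 15 minutes.
Get-DnsServerCache | Select-Object MaxTtl, MaxNegativeTtl, EnablePollutionProtection

# Shorter lifetimes mean an address change (the www.example.com case above) is
# noticed sooner; pollution protection discards records outside the queried zone.
Set-DnsServerCache -MaxTtl (New-TimeSpan -Hours 4) `
                   -MaxNegativeTtl (New-TimeSpan -Minutes 5) `
                   -PollutionProtection $true

# Or drop everything cached right away after a known address change.
Clear-DnsServerCache -Force

# 2. Listening interface: only the fixed IP, not every interface.
#    The address must exist on the server, or the DNS service will not start.
$settings = Get-DnsServerSetting -All
$settings.ListeningIPAddress = @('10.0.2.15')
Set-DnsServerSetting -InputObject $settings

# 3. Root hints: the servers consulted for zones this server does not host.
Get-DnsServerRootHint | Format-Table -AutoSize

# 4. The same test as the nslookup session above. The answer comes from the
#    example.com name servers, so it is non-authoritative for this server.
Resolve-DnsName -Name 'www.example.com' -Type A -Server 10.0.2.15 -DnsOnly
```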

How do we get authoritative responses?

By having a DNS zone, and luckily enough, that’s what we’re just about to set up!

Set Up Your First Forward Zone

First, you need to choose a domain name. I suggest taking a private zone.

Let’s imagine that after configuring DHCP, the managers at Gift Ltd. ask you to find a way to name the different devices and services on the network. The manager is tired of typing in the IP address 10.0.2.10 to access the intranet. Therefore, you’re going to create a forward zone for the gift.ltd domain and put an A record there that points intranet.gift.ltd to 10.0.2.10. Now your manager can type in https://intranet.gift.ltd instead of the IP address. Mission accomplished!

There’s another wizard to help with this. Click on Action at the top of your screen, then select New Zone.

You’ll see the following after the welcome screen:

DNS server Configuration Wizard

You want the first option, so confirm by clicking Next until you get to the Zone Name page (in this case, gift.ltd). Next is the zone file creation (and its location on your server), and then the issue of Dynamic Updates.

Managing dynamic updates for DNS records

Now that you’ve created your zone, let’s look at its contents by clicking Finish and then Forward Lookup Zones:

Forward Lookup Zone gift.ltd

Your zone only contains two records identifying the start of authority (SOA) server and the name server (NS). To create the intranet record your managers requested, right-click in the right-hand window (or on the zone name), and select New Host (A or AAAA). The A records are for the IPv4 and the AAAA for IPv6. Next, enter the host name within the zone (i.e., intranet), and the associated IP address:

Creating an A record

You now have the option of creating a PTR, which you’ll see in the next section, so leave this box unticked for now and confirm by clicking Add Host. You’ll see the (non-modifiable) fully-qualified domain name (FQDN) field; read from right to left, it ends with a “dot” representing the root zone, preceded by the extension “ltd”, then the domain “gift”. Therefore, the qualified name of the intranet is “intranet.gift.ltd”.

Open a command prompt again and type in the command nslookup intranet.gift.ltd 10.0.2.15 to check that you created your record correctly: it asks the server 10.0.2.15 what IP address the host intranet.gift.ltd has:

>nslookup intranet.gift.ltd 10.0.2.15 
Server : UnKnown 
Address: 10.0.2.15
 
Name : intranet.gift.ltd 
Address : 10.0.2.10

Super! You know how to create A records in a forward zone! You can now give all your devices or servers names without using the IP addresses.

Discover Other Record Types

Let’s look at a few more things before moving on to the reverse zone. DNS responds to client queries, and a type A query asks for the IP address of a name. However, many other types are available, such as NS for finding out the name server. With Windows, you can query different types in nslookup with the option set type=XXX, where XXX is the type requested.

Another type is SOA (start of authority), which you can use to determine which server has authority in a zone.

>nslookup - 10.0.2.15
Default server : UnKnown
Address: 10.0.2.15

>set type=SOA
>gift.ltd
Server : UnKnown
Address: 10.0.2.15

gift.ltd
 primary name server = srvdhcpny01
 responsible mail addr = hostmaster
 serial = 2
 refresh = 900 (15 mins)
 retry = 600 (10 mins)
 expire = 86400 (1 day)
 default TTL = 3600 (1 hour)

>set type=NS
>gift.ltd
Server : UnKnown
Address: 10.0.2.15

gift.ltd nameserver = srvdhcpny01

Another type is CNAME, which you use to alias one name to another.

This is practical for giving a service a name that points to the server’s name. For example, it can be useful to have a shorter name for administering the intranet, because typing “intranet.gift.ltd” every time is time-consuming. A CNAME “int.gift.ltd” pointing to intranet.gift.ltd solves this problem:

>set type=CNAME
>int.gift.ltd
Server : UnKnown
Address: 10.0.2.15

int.gift.ltd canonical name = intranet

There are lots of types, but the best known are NS, SOA, A, AAAA, CNAME, TXT, and MX (Mail eXchange for mail servers). The implementation method is the same, though, regardless of the type.
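The forward zone, the A record and the CNAME from the two sections above, created and queried from PowerShell. This is an added example, not the course’s own material; it assumes the DNS role is installed on this server, reachable at 10.0.2.15.

```powershell
# Added example, not from the course: create the gift.ltd zone and its records
# from PowerShell, then query each record type as nslookup's "set type=XXX" does.
# Assumes the DNS role is installed on this server, reachable at 10.0.2.15.
Import-Module DnsServer

# Primary, file-backed zone with dynamic updates refused (the wizard's choices above).
Add-DnsServerPrimaryZone -Name 'gift.ltd' -ZoneFile 'gift.ltd.dns' -DynamicUpdate None

# A record: intranet.gift.ltd -> 10.0.2.10. Add -CreatePtr once a reverse zone exists.
Add-DnsServerResourceRecordA -ZoneName 'gift.ltd' -Name 'intranet' -IPv4Address '10.0.2.10' `
    -TimeToLive (New-TimeSpan -Hours 1)

# CNAME alias: int.gift.ltd -> intranet.gift.ltd
Add-DnsServerResourceRecordCName -ZoneName 'gift.ltd' -Name 'int' -HostNameAlias 'intranet.gift.ltd'

# SOA and NS were created with the zone; the SOA serial rises with each change,
# which is how secondaries later know a transfer is needed.
Get-DnsServerResourceRecord -ZoneName 'gift.ltd' | Format-Table HostName, RecordType, RecordData -AutoSize
(Get-DnsServerResourceRecord -ZoneName 'gift.ltd' -RRType Soa).RecordData.SerialNumber

# Query by type against the server itself, like "set type=SOA / NS / A / CNAME".
$checks = @(
    @{ Name = 'gift.ltd';          Type = 'SOA'   },
    @{ Name = 'gift.ltd';          Type = 'NS'    },
    @{ Name = 'intranet.gift.ltd'; Type = 'A'     },
    @{ Name = 'int.gift.ltd';      Type = 'CNAME' }
)
foreach ($c in $checks) {
    # -DnsOnly skips LLMNR/NetBIOS so the answer can only come from 10.0.2.15.
    Resolve-DnsName -Name $c.Name -Type $c.Type -Server 10.0.2.15 -DnsOnly
}
```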

Set Up Your First Reverse Zone

Now that you have a forward zone, wouldn’t it be nice to create a reverse zone? This associates an IP address to a name, so it’s the opposite of a forward zone. It lets you confirm that the name chosen in a forward zone really is associated with the IP address, and query DNS by IP address. Before testing, point your server at itself by changing the DNS server configured in its network settings, in the Preferred DNS server field:

Configuring your DNS server as the DNS server of your server

All name queries will now be sent to your server. Open a command prompt and type in ping intranet.gift.ltd :

C:\Users\Administrator>ping intranet.gift.ltd

Send a 'ping' request on intranet.gift.ltd [10.0.2.10] with 32 bytes of data : 
Ctrl+C
^C
C:\Users\Administrator>ping 10.0.2.10 
Send a 'ping' request 10.0.2.10 with 32 bytes of data :
Ctrl+C
^C

The name intranet.gift.ltd is correctly resolved (through the forward zone) into 10.0.2.10, but the opposite is not true! You need to create a reverse zone.

To create a reverse zone, head to DNS Manager, right-click Reverse Lookup Zones, and select New Zone. You should end up here after the welcome screen:

Creating a reverse zone

Here again, there are different zone types depending on the level of control you want. We’ll only look at the main one (primary zone). On the next screen, you can choose between IPv4 and IPv6.

Stick with IPv4. Next, enter your network ID: these are the octets of the IP address that represent your network. Finally, accept the suggested zone file name and choose the dynamic updates setting (same as before: we’ll refuse dynamic updates):

Network ID
Finishing the reverse zone setup

You only have two default records (just like for a forward zone):

Reverse zone

Add a PTR record for intranet.gift.ltd (look over your forward zone with the PTR record creation wizard to be sure to point towards the right name!). Enter the IP address (the final octet), and you’ll get your first record:

PTR record

Add the -a option to your ping command to test reverse resolution.

C:\Users\Administrator>ping -a 10.0.2.10

Send a 'ping' request on intranet.gift.ltd [10.0.2.10] with 32 bytes of data : 
Ctrl+C
^C
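The reverse zone and PTR record from this section in PowerShell, plus a check that every A record in the forward zone has a matching PTR (the mistake the wizard advice above guards against). This is an added example, not the course’s own code; it assumes the gift.ltd forward zone already exists on this server (10.0.2.15).

```powershell
# Added example, not from the course: create the reverse zone for 10.0.2.0/24,
# add the PTR for intranet, and check that forward and reverse records agree.
# Assumes the gift.ltd forward zone exists on this server (10.0.2.15).
Import-Module DnsServer

# Network ID 10.0.2 gives the zone 2.0.10.in-addr.arpa; -NetworkId derives the name.
Add-DnsServerPrimaryZone -NetworkId '10.0.2.0/24' -ZoneFile '2.0.10.in-addr.arpa.dns' -DynamicUpdate None

# PTR record: the record name is the host part of the address (the final octet here).
Add-DnsServerResourceRecordPtr -ZoneName '2.0.10.in-addr.arpa' -Name '10' -PtrDomainName 'intranet.gift.ltd'

# Reverse lookup, the same thing "ping -a" does.
Resolve-DnsName -Name '10.0.2.10' -Type PTR -Server 10.0.2.15 -DnsOnly

# A PTR pointing at a name whose A record points elsewhere is a common mistake.
# Walk every A record of the forward zone and compare it with its PTR.
function Test-ReverseConsistency {
    param([string]$ZoneName = 'gift.ltd', [string]$Server = '10.0.2.15')
    Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A | ForEach-Object {
        $fqdn = if ($_.HostName -eq '@') { $ZoneName } else { "$($_.HostName).$ZoneName" }
        $ip   = $_.RecordData.IPv4Address.IPAddressToString
        $ptr  = Resolve-DnsName -Name $ip -Type PTR -Server $Server -DnsOnly -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name       = $fqdn
            IPAddress  = $ip
            PtrTarget  = ($ptr.NameHost -join ', ')
            Consistent = [bool]($ptr.NameHost -eq $fqdn)   # $false when no PTR or wrong target
        }
    }
}

Test-ReverseConsistency | Format-Table -AutoSize
```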

Great work! You have a configured DNS server to simplify network management for Gift Ltd. If you want to run diagnostics, go back to the methods and tools covered in the previous chapter – they apply to all roles and features.

One Last Thing

Before configuring other roles, there is another bit of configuration we need to do together. First, zone transfer. This feature is handy if you have several servers for a single zone (which is a good thing) but can be dangerous if you publicly expose your DNS server.

For this, right-click the name of your zone, open Properties, head to the Zone Transfers tab, and either refuse transfers or list only the trusted servers you approve to receive your records. It’s also good practice to log all DNS transactions.

Zone transfer settings

Finally, you can run the Microsoft Best Practices Analyzer (BPA) for this role to check that your configuration aligns with Microsoft’s best practices.

Don’t forget to allow UDP port 53 on your firewall; otherwise, your DNS server will no longer be reachable on the network.

Remember, keep your firewall enabled so that it blocks all traffic not covered by an inbound rule!
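The zone transfer restriction, logging, firewall and BPA steps from this section, done from PowerShell. This is an added example, not part of the course; it assumes a hypothetical secondary DNS server at 10.0.2.16, which the course does not have.

```powershell
# Added example, not from the course: the hardening steps of this section.
# Assumes a hypothetical secondary DNS server at 10.0.2.16 (not in the course).
Import-Module DnsServer

# Zone transfers: only to the listed secondary, and notify it of changes.
# With a single server, use -SecureSecondaries NoTransfer instead.
Set-DnsServerPrimaryZone -Name 'gift.ltd' `
    -SecureSecondaries TransferToSecureServers -SecondaryServers '10.0.2.16' `
    -Notify NotifyServers -NotifyServers '10.0.2.16'
Set-DnsServerPrimaryZone -Name '2.0.10.in-addr.arpa' -SecureSecondaries NoTransfer

# Verify the setting on every primary zone the server hosts.
Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' } |
    Select-Object ZoneName, SecureSecondaries, SecondaryServers

# Logging: write queries, answers, notifications and updates to a file.
# The debug log records nothing unless packet direction and transport are selected too.
Set-DnsServerDiagnostics -Queries $true -Answers $true -Notifications $true -Update $true `
    -SendPackets $true -ReceivePackets $true -UdpPackets $true -TcpPackets $true `
    -EnableLoggingToFile $true -LogFilePath 'C:\DnsLogs\dns.log' -MaxMBFileSize 500

# Firewall: keep every profile on with inbound blocked by default, then allow
# port 53. UDP carries queries; TCP carries zone transfers and large responses.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block
New-NetFirewallRule -DisplayName 'DNS Server (UDP 53 in)' -Direction Inbound -Protocol UDP -LocalPort 53 -Action Allow
New-NetFirewallRule -DisplayName 'DNS Server (TCP 53 in)' -Direction Inbound -Protocol TCP -LocalPort 53 -Action Allow
Test-NetConnection -ComputerName 10.0.2.15 -Port 53   # TCP reachability check

# Best Practices Analyzer for the DNS role: run it, then list anything non-informational.
Invoke-BpaModel -ModelId 'Microsoft/Windows/DNSServer'
Get-BpaResult -ModelId 'Microsoft/Windows/DNSServer' | Where-Object Severity -ne 'Information' |
    Select-Object Severity, Title, Problem, Resolution
```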


Let’s Recap!

  • The DNS role in Windows Server lets you create forward and reverse zones.

  • A DNS server resolves domain names to IP addresses and IP addresses to domain names.

  • Zone transfers should be restricted to trusted servers only.

  • A DNS server is queried using the nslookup command or via web browsers (among other things). 

Let’s continue your learning by setting up a file server in Windows Server – we’ll take a look at how to do this in the next chapter!
