DNS
DNS server role requirements:
- Statically assigned IP
- Signed-in user must be member of local Administrators group
There are several recommended DNS deployment scenarios, all of which involve installing DNS on a Server Core or Nano Server instance. This is because these installation options offer a reduced attack surface, a reduced resource footprint, and reduced patching requirements.
- DNS on a DC: All DNS features are available, including AD-integrated, primary, secondary, and stub zones.
- DNS on an RODC: Passes DNS zone updates on to a writeable DC.
- DNS on a standalone member server: Supports file-based primary, secondary, and stub zones, but keeping copies in sync requires zone transfers because there is no AD integration.
Installing DNS on a running Nano Server image requires running `Install-NanoServerPackage` as well as enabling the "DNS-Server-Full-Role" optional feature using `Enable-WindowsOptionalFeature`.
As of early 2017, Nano Server supported only a few roles, including DNS, and did so with some limitations:
- Nano Server can only host file-based DNS zones and cannot host AD-integrated zones.
- Nano Server only supports the Semi-Annual servicing channel license.
- Nano Server is not suitable for primary zones; it is intended for caching-only, forwarder, or secondary zone DNS servers.
Zones can be thought of as one or more DNS domains or subdomains, each associated with a zone file. The zone files make up the DNS database itself and contain two types of entries:
- Parser commands (directives), which provide shorthand ways to enter records: `$ORIGIN`, `$INCLUDE`, and `$TTL`.
- Resource records, one per line, written as whitespace-delimited fields for name, time to live, class, type, and data.
The copies of zone files local to individual DNS servers can be primary (read/write) or secondary (read-only).
A primary zone is a writable copy of a DNS zone that exists on a DNS server.
A secondary zone is a read-only replica of a primary zone and requires a primary zone to exist for the same namespace.
Defining a secondary zone via PowerShell requires specifying that zone's `MasterServers`.
In Windows Server, zone files can also be integrated with Active Directory, making what is called an Active Directory Integrated Zone. These allow multi-master zones, meaning any DC can process zone updates and the zone can be replicated to any DC in the domain or forest.
An AD-integrated zone is created by passing the `ReplicationScope` parameter to the `Add-DnsServerPrimaryZone` cmdlet.
Stub zones contain only the name server (NS) records of another zone; unlike a forwarder, a stub zone updates itself automatically when the name servers in the target zone change.
Reverse lookup zones are used to resolve IP addresses to FQDNs. Reverse lookup zones for public IP address space are usually administered by ISPs, and they are useful in spam filtering for cross-checking a sending host's domain name against its IP address.
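The zone types described above, deployed with the DnsServer module (an added example, not the original notes' own commands; the zone names, file name and IP addresses are placeholders):

```powershell
# Added example: create one zone of each kind on a Windows Server 2016 DNS server.
# Run in an elevated session on a server that already has the DNS role installed.
# 'corp.example', 'partner.example', 'branch.corp.example' and 192.0.2.x are placeholders.
Import-Module DnsServer

# AD-integrated primary zone: multi-master, replicated to every DC in the forest.
# -DynamicUpdate Secure accepts dynamic updates only from authenticated domain members.
Add-DnsServerPrimaryZone -Name 'corp.example' -ReplicationScope 'Forest' -DynamicUpdate 'Secure'

# File-based secondary (read-only) zone. MasterServers is mandatory and names the
# primary server(s) this secondary pulls zone transfers from.
Add-DnsServerSecondaryZone -Name 'partner.example' -ZoneFile 'partner.example.dns' -MasterServers 192.0.2.10

# Stub zone: holds only the NS (plus SOA and glue) records of the target zone and
# refreshes them from the master automatically when that zone's name servers change.
Add-DnsServerStubZone -Name 'branch.corp.example' -MasterServers 192.0.2.20 -ReplicationScope 'Domain'

# AD-integrated reverse lookup zone for 192.0.2.0/24 (IP address -> FQDN).
Add-DnsServerPrimaryZone -NetworkId '192.0.2.0/24' -ReplicationScope 'Forest'

# Verify: zone name, type, AD integration and direction, ignoring auto-created zones.
Get-DnsServerZone |
    Where-Object { -not $_.IsAutoCreated } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, IsReverseLookupZone |
    Format-Table -AutoSize
```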
GlobalNames zones provide "single label name resolution" (as opposed to a FQDN) and are intended to replace WINS servers.
The process of resolving a query by querying other DNS servers is called recursion. Recursion can be disabled outright but Windows Server 2016 supports recursion scopes which will allow recursion to be disabled unless certain conditions are met (such as receiving the request on a particular interface).
There are two types of query in the context of recursion:
- Recursive query sent by the client: the original query that starts the recursion.
- Iterative query: individual queries sent out to authoritative name servers in order to resolve a recursive query.
Root hints are the preconfigured root server addresses needed to begin the recursion process.
The DNS Server service stores root hints in `%systemroot%\System32\dns\CACHE.DNS`.
They can be edited through the GUI or with the PowerShell cmdlets `Add-DnsServerRootHint`, `Import-DnsServerRootHint`, `Remove-DnsServerRootHint`, and `Set-DnsServerRootHint`.
Forwarding occurs when the queried DNS server cannot resolve a query itself because it is both:
- Non-authoritative for the zone in question, and
- Does not have the response cached.
Two forwarding configurations are possible:
- Configure the DNS server to answer only queries it can satisfy from locally stored zone information, forwarding everything else to a designated forwarder.
- Configure forwarding for specific zones through conditional forwarding.
A secondary zone is not to be confused with delegation, where a DNS server delegates authority over part of its namespace (i.e. a subdomain) to one or more other servers.
Windows Server 2016 supports a DNS GlobalNames zone meant to supersede WINS, which served a role similar to DNS for the old NetBIOS naming standard. NetBIOS names use a nonhierarchical structure (i.e. a single name, not divisible into sub-domains) of up to 16 characters (the 16th character identifies a particular service running on the host named by the first 15). An organization must share a single GlobalNames zone, which must be created manually in PowerShell.
Zone scavenging allows servers with stale records to remove them. This feature is disabled by default, but can be set at the server or zone level.
Type | Description |
---|---|
A | IPv4 address record |
AAAA | IPv6 address record |
CNAME | Hostname or alias for hosts in the domain |
MX | Where mail for the domain should be delivered |
NS | Name servers |
PTR | Reverse lookup |
SOA | Each zone contains a single SOA record |
SRV | Generalized service location record, used for newer protocols instead of protocol-specific records |
TXT | Typically holds machine-readable data |
- DNSSEC adds origin authentication and integrity checking to DNS responses by signing zone records with public-key cryptography.
- A socket pool configures the DNS server to use a random source port when issuing DNS queries, making spoofed responses (cache poisoning) harder to match.
- Response rate limiting defends against DNS DoS and amplification attacks by ignoring potentially malicious, repetitive requests.
- DNS-based Authentication of Named Entities (DANE) is supported by Windows Server 2016 to reduce man-in-the-middle attacks. DANE publishes TLSA records that tell DNS clients which Certification Authority they must expect a domain's digital certificates to be issued from.
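The server-side hardening measures just listed, plus the scavenging setting from earlier, applied with the DnsServer module and dnscmd (an added example, not from the original notes; the zone name and subnet name are placeholders, and the numeric limits are starting values to tune per environment):

```powershell
# Added example: apply the defensive settings described above to a Windows
# Server 2016 DNS server. 'corp.example' and 'Internal' are placeholders.
Import-Module DnsServer

# Scavenging is off by default. Turn it on server-wide, run it every 7 days,
# and enable ageing on the zone so its dynamic records actually become stale.
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00 -ApplyOnAllZones
Set-DnsServerZoneAging -Name 'corp.example' -Aging $true `
    -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00

# Socket pool: randomise the source port of outgoing queries across 5000 sockets
# (default is 2500). Requires a restart of the DNS Server service to take effect.
dnscmd.exe /Config /SocketPoolSize 5000

# Response rate limiting: start in LogOnly mode so you can see what would be
# dropped (event log) before switching -Mode to Enable.
Set-DnsServerResponseRateLimiting -Mode LogOnly -ResponsesPerSec 5 -ErrorsPerSec 5 `
    -WindowInSec 5 -LeakRate 3 -TruncateRate 2 -Force

# Exempt trusted internal clients so RRL only throttles external repetitive queries.
# Assumes a client subnet named 'Internal' was created with Add-DnsServerClientSubnet.
Add-DnsServerResponseRateLimitingExceptionlist -Name 'InternalClients' -ClientSubnet 'EQ,Internal'

# DNSSEC: sign the zone with the default key settings (KSK/ZSK) so validating
# resolvers can verify the origin and integrity of its records.
Invoke-DnsServerZoneSign -ZoneName 'corp.example' -SignWithDefault -Force

# Verify the resulting state.
Get-DnsServerScavenging
Get-DnsServerResponseRateLimiting
Get-DnsServerDnsSecZoneSetting -ZoneName 'corp.example' | Select-Object ZoneName, DenialOfExistence
```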
Zone transfer policies can prevent or allow zone transfers to any server, to name servers, or to servers specified by FQDN or IP address. DNS Policy is a new feature in Windows Server 2016 that can control DNS server behavior depending on certain criteria. These criteria include:
- Client subnet
- Recursion scope
- Zone scope
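Recursion scopes, a client-subnet DNS policy with a zone scope, and a zone transfer policy, as described in the two passages above (an added example, not from the original notes; subnet ranges, zone and record names, and IP addresses are placeholders):

```powershell
# Added example: restrict recursion to internal clients, serve a split-brain
# answer via a zone scope, and limit zone transfers to known secondaries.
# All names and addresses below are placeholders.
Import-Module DnsServer

# 1. Client subnets used as policy criteria.
Add-DnsServerClientSubnet -Name 'Internal' -IPv4Subnet '10.0.0.0/8','192.168.0.0/16'
Add-DnsServerClientSubnet -Name 'Secondaries' -IPv4Subnet '192.0.2.11/32','192.0.2.12/32'

# 2. Recursion scopes: disable recursion in the default scope ('.'), then create
#    a scope with recursion enabled and route only Internal clients to it.
Set-DnsServerRecursionScope -Name '.' -EnableRecursion $false
Add-DnsServerRecursionScope -Name 'InternalRecursion' -EnableRecursion $true
Add-DnsServerQueryResolutionPolicy -Name 'RecursionForInternalOnly' -Action ALLOW `
    -ApplyOnRecursion -RecursionScope 'InternalRecursion' -ClientSubnet 'EQ,Internal'

# 3. Zone scope (split-brain): internal clients get the private address for
#    www.corp.example, everyone else gets the record from the default scope.
Add-DnsServerZoneScope -ZoneName 'corp.example' -Name 'InternalView'
Add-DnsServerResourceRecord -ZoneName 'corp.example' -ZoneScope 'InternalView' `
    -A -Name 'www' -IPv4Address 10.0.0.80
Add-DnsServerResourceRecord -ZoneName 'corp.example' -A -Name 'www' -IPv4Address 203.0.113.80
Add-DnsServerQueryResolutionPolicy -Name 'InternalViewPolicy' -Action ALLOW `
    -ClientSubnet 'EQ,Internal' -ZoneScope 'InternalView,1' -ZoneName 'corp.example'

# 4. Zone transfer policy: silently ignore AXFR/IXFR requests for the zone from
#    any source that is not one of the listed secondaries.
Add-DnsServerZoneTransferPolicy -Name 'OnlyKnownSecondaries' -Action IGNORE `
    -ClientSubnet 'NE,Secondaries' -ZoneName 'corp.example'

# Verify what is in place.
Get-DnsServerRecursionScope
Get-DnsServerQueryResolutionPolicy
Get-DnsServerQueryResolutionPolicy -ZoneName 'corp.example'
Get-DnsServerZoneTransferPolicy -ZoneName 'corp.example'
```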