DNS Policies Background Information
Understanding the Terminology
- What is meant by a server that is authoritative?
An authoritative DNS server is the one that holds the original copy of a zone's resource records (the A, CNAME, PTR and other records) and answers queries for that zone from that data rather than from a cache. For example, none of the DNS servers on the internet hold the original records for serveracademy.com except the DNS server SADC01. Other servers may know about serveracademy.com from cached answers, but those servers are NOT authoritative for serveracademy.com.
- What is Recursive DNS? Authoritative DNS and recursive DNS are complementary services: authoritative DNS lets other people find your domain, while recursive DNS lets you resolve other people's domains. A recursive server holds no zone data for the name being asked about; it finds the answer on the client's behalf.
- What is a Recursive Resolver? Recursive name servers are the middlemen between authoritative servers and end users. They recurse, following the same sequence of referrals from the root down the DNS tree (root servers, then the top-level domain servers, then the domain's own servers) until they reach the name servers that own, or are authoritative for, the requested records, and they cache the answer for later clients.
- What is a DNS forwarder? A DNS forwarder is a DNS server to which another DNS server sends the queries it cannot answer from its own zones or cache, typically queries for external names outside the local network. The forwarder resolves the query on the local server's behalf, and because it serves many clients its cache is usually warm, which makes name resolution more efficient.
- What is the function of the Root Hints file? Windows Servers with the DNS Server role installed ship with a root hints file (cache.dns under %SystemRoot%\System32\dns). This file lists the names and IP addresses of the 13 root name servers on the internet. With these entries and an internet connection, the DNS server can resolve any public internet name on its own by starting recursion at the root.
- Should I use my ISP DNS as my forwarder, or should I use Root Hints?
It is recommended to use your ISP DNS as your forwarder. Performance is generally better: the ISP resolver already has a large, warm cache, so most queries are answered in one hop instead of walking the tree from root servers that may be halfway across the world. Two caveats apply. The forwarder sees every external name your network looks up and you depend on it answering correctly, so use a resolver you trust. And leave the server's "Use root hints if no forwarders are available" option enabled so that resolution continues if the forwarder is down.
DNS Policy Scenarios
Here is a list of five possible scenarios for which policies can be configured. At work you may encounter several of these situations, and you can configure policies that will enable you to meet these challenges.
- Application High Availability – DNS clients are directed to the systems that are most likely to keep operating without failure for a long period of time.
- Geo-Location based Traffic Management – DNS clients are directed to the closest resource, based upon the location of the client and the location of the resource.
- Network Location / Split-Brain DNS – the same domain name answers differently depending on where the client is. Traditionally this was done by creating two separate zones for the same domain, one on the internal DNS servers and one on the external (internet-facing) servers. With DNS policies, a single zone carries both sets of records in separate zone scopes, and a policy picks the scope based on the client's subnet or the server interface the query arrived on.
- Block a Malicious Zone – you create a query filter, which is a policy that drops or refuses queries for names in a known malicious DNS zone, so clients of this server cannot resolve them.
- Time of Day Based Redirection – you create a policy that distributes application traffic to different servers based upon the time of day at which the query arrives.
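The "Block a Malicious Zone" scenario above as a worked example. This is an added example, not code from the original lesson; it uses the DnsServer PowerShell module on a Windows Server 2016 DNS server. The zone name malicious.example, the policy name BlockMaliciousZone and the server name dns01.corp.example are placeholders chosen for this example.

```powershell
# Added example (not part of the original lesson): a DNS query filter policy that
# blocks a malicious zone. malicious.example, BlockMaliciousZone and
# dns01.corp.example are placeholder names for this example.

$DnsServer = "dns01.corp.example"   # placeholder: the DNS server being configured

# Drop every query for names beneath the malicious zone. IGNORE drops the query
# silently so the client times out; DENY would answer with an error instead.
# Policies are server-local, so run this on every DNS server that should enforce it.
Add-DnsServerQueryResolutionPolicy -ComputerName $DnsServer `
    -Name "BlockMaliciousZone" `
    -Action IGNORE `
    -Fqdn "EQ,*.malicious.example" `
    -PassThru

# Confirm the policy exists, is enabled, and carries the expected criteria.
Get-DnsServerQueryResolutionPolicy -ComputerName $DnsServer -Name "BlockMaliciousZone" |
    Select-Object Name, Action, IsEnabled, ProcessingOrder, Criteria

# Check from a client that uses this server: the lookup should time out rather
# than return an address. An unblocked name still resolves normally.
Resolve-DnsName -Name "www.malicious.example" -Server $DnsServer -ErrorAction SilentlyContinue
Resolve-DnsName -Name "www.microsoft.com"    -Server $DnsServer -Type A

# To suspend or remove the block later:
# Disable-DnsServerPolicy -ComputerName $DnsServer -Name "BlockMaliciousZone"
# Remove-DnsServerQueryResolutionPolicy -ComputerName $DnsServer -Name "BlockMaliciousZone" -Force
```

The filter only affects queries that reach this server. Clients that point at a different resolver, or that use DNS over HTTPS to a public provider, bypass it, so a block like this is a defence-in-depth control and should be paired with egress firewall rules that force all DNS traffic through your own servers.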
New DNS Objects for Windows Server 2016
- Client Subnet – A client subnet is a named object that represents an IPv4 or IPv6 subnet. Policies refer to client subnets by name when matching on the source address of a query. You use the PowerShell cmdlet Add-DnsServerClientSubnet to create a client subnet.
- Zone Scopes – A zone scope is a method of partitioning a DNS zone. You can have multiple zone scopes within a DNS zone, and each scope holds its own set of resource records for the same names. For example, you could have one zone scope that holds the records internal clients should receive and another (or the zone's default scope) that holds the records external clients on the internet should receive. A query resolution policy then selects which scope answers a query, typically based on the client's IP subnet. Use the PowerShell cmdlet Add-DnsServerZoneScope to define a zone scope.
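The split-brain scenario and the two new objects, client subnet and zone scope, brought together as one worked example. This is an added example, not code from the original lesson; it uses the DnsServer PowerShell module on a Windows Server 2016 DNS server. The zone name corp.example, the server name dns01.corp.example, the internal subnet 10.0.0.0/8, the object and policy names and the IP addresses are all placeholders chosen for this example.

```powershell
# Added example (not part of the original lesson): split-brain DNS for a single
# zone using a client subnet, a zone scope and a query resolution policy.
# corp.example, dns01.corp.example, 10.0.0.0/8, the object names and the
# addresses are placeholders for this example.

$Zone   = "corp.example"
$Server = "dns01.corp.example"   # placeholder: the DNS server being configured

# 1. Describe the internal network as a client subnet object that policies can reference.
Add-DnsServerClientSubnet -ComputerName $Server -Name "InternalSubnet" -IPv4Subnet "10.0.0.0/8"

# 2. Create a zone scope for internal answers. The zone's default scope keeps the
#    records that everyone else (the internet) should see, so no second zone is needed.
Add-DnsServerZoneScope -ComputerName $Server -ZoneName $Zone -Name "internal"

# 3. Same name, two answers: a private address in the internal scope and a public
#    address in the default scope.
Add-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone -ZoneScope "internal" `
    -A -Name "www" -IPv4Address "10.10.20.30"
Add-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone `
    -A -Name "www" -IPv4Address "203.0.113.30"

# 4. Policy: queries whose source address is in InternalSubnet are answered from the
#    internal scope. Queries that match no policy fall through to the default scope.
#    Policies are server-local, so repeat this on every DNS server hosting the zone.
Add-DnsServerQueryResolutionPolicy -ComputerName $Server -Name "SplitBrainInternal" `
    -Action ALLOW -ClientSubnet "EQ,InternalSubnet" -ZoneScope "internal,1" -ZoneName $Zone

# 5. Verify the objects, the records in each scope and the policy.
Get-DnsServerClientSubnet -ComputerName $Server
Get-DnsServerZoneScope   -ComputerName $Server -ZoneName $Zone
Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone -Name "www"
Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone -Name "www" -ZoneScope "internal"
Get-DnsServerQueryResolutionPolicy -ComputerName $Server -ZoneName $Zone

# 6. Test from a client inside 10.0.0.0/8 (expect 10.10.20.30) and from a client
#    outside it (expect 203.0.113.30).
Resolve-DnsName -Name "www.$Zone" -Server $Server -Type A
```

The policy matches on the source IP address of the query as the DNS server sees it. If internal clients reach the server through a NAT device or through another resolver that forwards to it, the server sees the NAT or forwarder address rather than the client's, and the policy will not match; test from real clients on both sides before relying on it. The "internal,1" value is the scope name and its weight; several scopes with different weights can share one policy to spread answers across them.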