
Post on 31-Dec-2015


Fully Qualified Domain Names

FQDNs

DNS Database

• A distributed, hierarchical database
• Resolves Fully Qualified Domain Names (FQDNs) to IP addresses
– Distributed: Each DNS server is responsible (authoritative) for only part of the DNS database
– Hierarchical: Organized in levels

FQDNs (diagram): Client1.tech.sales.Company.com.

Labelled right to left: .(root), Top Level (com), 2nd Level (Company), Sub-domain (tech.sales), Host (Client1)

• FQDNs: The name of the host (the device assigned an IP address) and its location in the DNS “tree”

• Includes the name of the host and all DNS domains back to the .(root)

FQDNs Continued (same diagram: Client1.tech.sales.Company.com.)

• Name on the far left is the host
• The period (.) on the far right represents the .(root) of the DNS “tree”

Tips

• A DNS domain is a section of the DNS “tree.”
• Do not confuse it with an Active Directory domain, which is a container in AD.
• Example: Company.com might be one AD domain, but it spans two DNS domains (com and Company.com).

Recap

• FQDN is the name of the host and its position in the DNS tree
• Host name on the far left
• .(root) on the far right, written as the trailing period
• Every time you cross a period, it’s a different DNS domain

Client Name Resolution

Client Name Resolution (diagram): a client resolving www.yahoo.com checks 1. its Cache, then 2. its DNS Server

Name Resolution Continued

• Client checks to see if there is an entry in its DNS cache
– View the DNS cache: ipconfig /displaydns
– Clear the DNS cache: ipconfig /flushdns

DNS Cache (two screenshot slides; images not included in the transcript)

Hosts File

• All Windows clients have a Hosts file.
• Located in the “c:\windows\system32\drivers\etc” folder (the file has no extension)
• Should only be edited with a plain-text editor such as Notepad
• Entries in the Hosts file pre-populate the client DNS cache

Hosts File Continued (two screenshot slides; images not included in the transcript)

Tips

• To save changes to the Hosts file, open it in an elevated copy of Notepad (run as administrator)

• If you flush the DNS cache and an entry remains, check the Hosts file; it is also the first place to look when a name resolves to an address nobody configured in DNS

Tips Continued

• Any time a client needs a different IP for a host than all other clients, use the Hosts file.

Diagram: the DNS server answers Intranet.Company.com with 192.168.1.10 (Production Network); a client on the Development Network uses a Hosts entry to reach Intranet.Company.com at 192.168.2.10 instead.

Name Resolution Continued

• If the FQDN is not in the client cache, the client sends the query to its primary DNS server

• The client only contacts the secondary DNS server if it gets no response from the primary; a negative answer (“no such name”) from the primary is final and is not retried against the secondary

Recap

• Clients check their cache before querying DNS
• If a client needs a different “answer” than the one contained in DNS, use the Hosts file
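The client-side order above (Hosts entries pre-populating the cache, cache before DNS, secondary server only when the primary does not answer) as an added Python model. This is example code written for this page, not from the original slides; the hosts-file contents, server names and addresses in it are constructed, and the DnsServer class is a stand-in, not a real resolver.

```python
"""Added example (not the slides' own code): a model of the Windows client
resolution order: Hosts entries pre-populate the cache, the cache is checked
first, then the primary DNS server, and the secondary only when the primary
gives no response. Hosts text and server data below are constructed."""


# Constructed hosts file: comments, a tab, several names on one line and a
# development-box override of a corporate name.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# 127.0.0.1       localhost
192.168.2.10\tIntranet.Company.com   intranet   # dev box override
10.0.0.5 printserver.company.com
"""


def parse_hosts(text):
    """Hosts text -> {name (lowercase): ip}. Text after '#' is a comment and
    one line may list several names for one address."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries[name.lower().rstrip(".")] = ip
    return entries


class DnsServer:
    """Constructed stand-in for a DNS server. query() returns None when the
    server does not answer at all, otherwise ('answer', ip-or-None)."""

    def __init__(self, records, reachable=True):
        self.records = {k.lower(): v for k, v in records.items()}
        self.reachable = reachable

    def query(self, name):
        if not self.reachable:
            return None
        return ("answer", self.records.get(name))   # None data = negative answer


class DnsClient:
    def __init__(self, hosts_text, primary, secondary):
        self.hosts = parse_hosts(hosts_text)
        self.cache = dict(self.hosts)        # hosts entries pre-populate the cache
        self.primary, self.secondary = primary, secondary
        self.log = []

    def flushdns(self):
        """ipconfig /flushdns: learned entries go, hosts entries come straight back."""
        self.cache = dict(self.hosts)

    def resolve(self, fqdn):
        name = fqdn.lower().rstrip(".")
        if name in self.cache:                                   # 1. cache
            self.log.append("cache")
            return self.cache[name]
        for label, server in (("primary", self.primary),         # 2. DNS servers
                              ("secondary", self.secondary)):
            reply = server.query(name)
            if reply is None:
                self.log.append(f"{label}: no response")
                continue                  # only now is the next server tried
            self.log.append(f"{label}: answered")
            ip = reply[1]
            if ip is not None:
                self.cache[name] = ip
            return ip                     # a negative answer is final
        return None


def hosts_overrides(hosts_text, server):
    """Names whose Hosts entry differs from what the DNS server says:
    {name: (hosts ip, dns ip or None)}. This is the 'flushed the cache but
    the answer is still wrong' case, and also what a hijacked Hosts file
    looks like."""
    out = {}
    for name, ip in parse_hosts(hosts_text).items():
        reply = server.query(name)
        dns_ip = reply[1] if reply else None
        if dns_ip != ip:
            out[name] = (ip, dns_ip)
    return out
```

On a real client the same check is ipconfig /flushdns followed by ipconfig /displaydns: whatever is still listed came from the Hosts file. hosts_overrides() does the equivalent comparison offline, which is the check to run when a machine resolves a corporate name to an address nobody put in DNS.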

Server Name Resolution

Name Resolution Continued (diagram): the client checks 1. Cache, 2. DNS Server for www.yahoo.com; the DNS server in turn checks 1. its Cache, 2. whether it is Authoritative

DNS Server Name Resolution

1. DNS server checks its cache
– To clear the DNS server cache use dnscmd /clearcache
2. DNS server determines if it is authoritative for the DNS domain
– Authoritative servers host the records for the domain


Name Resolution Continued

3. DNS server checks for Conditional Forwarding
– DNS forwards the request if it matches a condition, i.e. a particular domain name
– Example: forward all queries for Microsoft.com to IP address 12.34.56.78

Note: Conditional Forwarding will be covered more in-depth later.

Conditional Forwarding


Name Resolution Continued

4. DNS server checks for Forwarding
– Forwards all requests for which the server is not authoritative to another DNS server
– This may be done for:
• Security: only the forwarder needs to send queries out to the Internet; the internal servers never contact outside hosts directly
• Server is a caching-only server: not authoritative for any domains

Forwarding Continued (diagram): a DNS server on the Internal Network forwards to a DNS server in the DMZ, which resolves names on the Internet


Name Resolution Continued

5. DNS server uses Root Hints
– “Root Hints” tab contains names and IP addresses of all .(root) servers

Note: Visit www.root-servers.org for a list and map of all .(root) servers.

Root Hints

.(root) Servers

• .(root) servers are authoritative for the .(root) domain.

Tips

• When a DNS server hosts a .(root) zone, “Forwarders” and “Root Hints” are disabled.

Tips Continued

• If the server hosts a .(root) zone:
– “Forwarders” and “Root Hints” are disabled
– The server will not be able to resolve Internet names; it considers itself the root and answers that they do not exist
– Delete the .(root) zone to resolve names on the Internet


Name Resolution Continued

• .(root) servers have delegations for top level domains

• Delegations identify name and IP address of authoritative DNS server for sub-domain

Name Resolution Continued (diagram, built up over several slides): resolving www.yahoo.com through Root Hints

Client: 1. Cache, 2. DNS Server. Server: 1. Cache, 2. Authoritative, 3. Conditional Forwarding, 4. Forwarding, 5. Root Hints

Step 1: the DNS server asks a .(root) server for www.yahoo.com. The root is not authoritative for the name but holds the delegation for the top-level domain and replies with:
.com IN NS dns.com
dns.com IN A 34.56.78.90

Step 2: the DNS server asks dns.com (34.56.78.90), which replies with the delegation for yahoo.com:
yahoo.com IN NS dns.yahoo.com
dns.yahoo.com IN A 56.12.34.78

Step 3: the DNS server asks dns.yahoo.com (56.12.34.78), the authoritative server, and receives the answer:
www.yahoo.com IN A 56.12.34.78

Step 4: the client receives 56.12.34.78.

Name Resolution Continued

• DNS server obtains the IP address and stores it in the server cache
• Forwards the IP to the client
• Client stores it in the client cache
• Client initiates contact using the IP address

Tips

• Hosts only communicate using IP addresses
• DNS only matches host names to IP addresses; it is not used in the actual communication
• If you can ping a computer by IP address but not by name, the problem is name resolution: DNS, or a stale cache or Hosts entry

Recap

• Servers resolve names by:
1. Cache
2. Authoritative
3. Conditional Forwarding
4. Forwarding
5. Root Hints

Recap Continued

• For Internet resolution: use Forwarding or Root Hints
– If Internet name resolution is not working, check for and delete a .(root) zone
• DNS servers have delegations used to locate authoritative servers lower in the database
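An added Python model, not part of the original slides, that serves two passages: the FQDN breakdown from the first section (every period crossed is another DNS domain, the trailing dot is the root) and the five-step server order recapped above, including the .(root)-zone failure mode. It runs against constructed zone data that reuses the slides' delegation chain (.com delegated to dns.com at 34.56.78.90, yahoo.com delegated to dns.yahoo.com at 56.12.34.78). The root server address 198.41.0.4 is the real a.root-servers.net address, but the records it serves here are the slides' made-up ones; AuthServer and DnsServer are simplified stand-ins and send nothing on the network.

```python
"""Added example (not the slides' own code): the five-step server resolution
order, 1. cache, 2. authoritative zone, 3. conditional forwarding,
4. forwarding, 5. root hints + delegations, over constructed zone data that
reuses the slides' names and addresses. Nothing is sent on the network."""


def domains_crossed(fqdn):
    """DNS domains from the host's own domain up to the root, leftmost first:
    'Client1.tech.sales.Company.com.' -> ['tech.sales.company.com',
    'sales.company.com', 'company.com', 'com', '.']. Each period crossed is
    another DNS domain; the trailing '.' is the root; names are case-insensitive."""
    ls = [l for l in fqdn.lower().rstrip(".").split(".") if l]
    return [".".join(ls[i:]) for i in range(1, len(ls))] + ["."]


class AuthServer:
    """Constructed authoritative server built from (owner, type, data) records.
    Answers with an A record it holds, else with a delegation (NS name + glue
    address) for the closest enclosing domain it has delegated, else nxdomain."""

    def __init__(self, records):
        self.rr = {}
        for owner, rtype, data in records:
            self.rr.setdefault(owner.lower(), {}).setdefault(rtype, []).append(data)

    def query(self, name):
        name = name.lower().rstrip(".")
        if "A" in self.rr.get(name, {}):
            return ("answer", self.rr[name]["A"][0], None)
        for dom in [name] + domains_crossed(name)[:-1]:
            ns = self.rr.get(dom, {}).get("NS")
            if ns:
                glue = self.rr.get(ns[0].lower(), {}).get("A", [None])[0]
                return ("referral", ns[0], glue)
        return ("nxdomain", None, None)


class DnsServer:
    """zones: {zone name: records}; conditional: {domain: DnsServer};
    forwarder: DnsServer or None; root_hints: root server addresses;
    internet: {address: AuthServer} reachable when iterating from the root."""

    def __init__(self, internet, zones=None, conditional=None, forwarder=None, root_hints=()):
        self.internet = internet
        self.zones = {z.lower().rstrip(".") or ".": AuthServer(r) for z, r in (zones or {}).items()}
        self.conditional, self.forwarder = conditional or {}, forwarder
        self.root_hints = list(root_hints)
        self.cache, self.trace = {}, []

    @staticmethod
    def _under(name, zone):
        return zone != "." and (name == zone or name.endswith("." + zone))

    def resolve(self, name):
        name = name.lower().rstrip(".")
        if name in self.cache:                                     # 1. cache
            self.trace.append("cache")
            return self.cache[name]
        for zone, auth in self.zones.items():                      # 2. authoritative
            if self._under(name, zone):
                self.trace.append(f"authoritative for {zone}")
                kind, data, _ = auth.query(name)
                return data if kind == "answer" else None          # an authoritative 'no' is final
        for dom, target in self.conditional.items():               # 3. conditional forwarding
            if self._under(name, dom):
                self.trace.append(f"conditional forward {dom}")
                return self._remember(name, target.resolve(name))
        if "." in self.zones:   # a hosted "." zone disables forwarders and root hints:
            self.trace.append("root zone hosted: forwarders/root hints disabled, NXDOMAIN")
            return None         # the server believes it is the root and denies the name
        if self.forwarder is not None:                             # 4. forwarding
            self.trace.append("forwarder")
            return self._remember(name, self.forwarder.resolve(name))
        return self._remember(name, self._iterate(name))           # 5. root hints

    def _iterate(self, name):
        """Follow delegations from a root server down to the authoritative one."""
        ip = self.root_hints[0] if self.root_hints else None
        for _ in range(8):                                         # bound the referral chain
            srv = self.internet.get(ip)
            kind, data, glue = srv.query(name) if srv else ("unreachable", None, None)
            self.trace.append(f"{ip}: {kind} {data or ''} {glue or ''}".rstrip())
            if kind == "answer":
                return data
            if kind != "referral" or glue is None:
                return None
            ip = glue
        return None

    def _remember(self, name, ip):
        if ip is not None:
            self.cache[name] = ip
        return ip


# Constructed "Internet": the slides' delegation chain. 198.41.0.4 is the real
# a.root-servers.net address, but the records served here are the slides' examples.
INTERNET = {
    "198.41.0.4": AuthServer([("com", "NS", "dns.com"), ("dns.com", "A", "34.56.78.90")]),
    "34.56.78.90": AuthServer([("yahoo.com", "NS", "dns.yahoo.com"),
                               ("dns.yahoo.com", "A", "56.12.34.78")]),
    "56.12.34.78": AuthServer([("www.yahoo.com", "A", "56.12.34.78")]),
}
```

The trace list is the part worth reading: for a server with zones={".": []} it stops at step 3 with the root-zone message, which is exactly the symptom the tips describe (internal names fine, Internet names fail), and the fix is to remove that zone rather than to add forwarders, which the server would ignore.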

Conditional Forwarding and Stub Zones

Name Resolution Continued

Diagram: Corp.Company.com and Int.Partner.com (two forests)

Corp.Company.com and Int.Partner.com are not resolvable from the Internet.

After a company merger, clients in each forest must be able to resolve names in the other forest.

Name Resolution Continued


Since the domains are not resolvable using Root Hints, the DNS servers in each forest must be configured to directly contact the DNS servers in the other forest.

Name Resolution Continued

In a complicated forest, DNS resolution can become challenging. Suppose clients in C.B.A needed to resolve names for resources in E.D.A.

Diagram (built up over several slides): forest root domain A with child domains B.A and D.A; C.B.A under B.A and E.D.A under D.A. A query from C.B.A for a name in E.D.A is referred up to B.A, then to A, then down to D.A and finally to E.D.A.

It would be faster if DNS servers in C.B.A could send requests right to the DNS servers in E.D.A.

Stub Zone

• Copy of the zone that contains only the records identifying the zone’s DNS servers (SOA, NS and the glue A records), kept up to date from the master servers

Conditional Forwarding

• Pro: does not require permission from the other side.
• Pro: no transfer of records.
• Con: static; the list of target server addresses is typed in and does not follow changes in the other domain.

Stub Zones

• Con: does require permission.
• Con: some transfer of records.
• Pro: dynamic; the NS records are refreshed from the master, so changes to the other domain’s servers are picked up.

Recap

• Conditional Forwarding/Stub Zones are used to:
– Resolve domains not available through .(root)
– Speed up internal name resolution in a complex AD forest
• Conditional Forwarding (+no permission, +no transfer of records, -static)
• Stub zones (-needs permission, -minimal transfer of records, +dynamic)
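The static/dynamic distinction in the recap, as an added Python model that is not part of the original slides: the partner renumbers its name servers, and the conditional forwarder (fixed address list) stops working while the stub zone (refreshed NS and glue records) follows the change. The permission the slides mention is modelled as a flag on the partner zone. All names and addresses are constructed, and PartnerZone, ConditionalForwarder and StubZone are simplified stand-ins for the real components.

```python
"""Added example (not the slides' own code): why a conditional forwarder is
'static' and a stub zone 'dynamic'. The partner zone renumbers its name
servers; the forwarder keeps the address list typed in at configuration time,
while the stub zone re-reads the zone's NS and glue records from a master.
Names, addresses and the permission flag are constructed."""


class PartnerZone:
    """int.partner.com as its owners run it: current NS names -> addresses,
    host records, and whether outsiders may pull the NS set (the permission
    the slides say a stub zone needs)."""

    def __init__(self):
        self.ns = {"ns1.int.partner.com": "10.1.1.1"}
        self.hosts = {"app.int.partner.com": "10.1.5.20"}
        self.refresh_allowed = True

    def answer(self, server_ip, name):
        """Ordinary query to one server address; None if nothing listens there."""
        if server_ip not in self.ns.values():
            return None
        return ("answer", self.hosts.get(name))

    def ns_and_glue(self, server_ip):
        """Stub-zone refresh: the zone's NS records plus their addresses."""
        if server_ip not in self.ns.values() or not self.refresh_allowed:
            return None
        return dict(self.ns)


class ConditionalForwarder:
    """Forward everything under `domain` to a fixed list of addresses."""

    def __init__(self, domain, server_ips):
        self.domain, self.server_ips = domain, list(server_ips)

    def resolve(self, zone, name):
        for ip in self.server_ips:
            reply = zone.answer(ip, name)
            if reply is not None:
                return reply[1]
        return None


class StubZone:
    """Keeps only the zone's NS/glue records, learned from the masters and
    re-learned on each refresh; queries go to whichever NS is current."""

    def __init__(self, domain, master_ips):
        self.domain, self.masters = domain, list(master_ips)
        self.ns = {}

    def refresh(self, zone):
        for ip in self.masters + list(self.ns.values()):
            got = zone.ns_and_glue(ip)
            if got is not None:
                self.ns = got
                return True
        return False

    def resolve(self, zone, name):
        for ip in self.ns.values():
            reply = zone.answer(ip, name)
            if reply is not None:
                return reply[1]
        return None


def renumbering_scenario():
    """Partner adds ns2, then retires ns1 (the only address the forwarder knows).
    Returns ((forwarder, stub) before, (forwarder, stub) after)."""
    zone = PartnerZone()
    fwd = ConditionalForwarder("int.partner.com", ["10.1.1.1"])
    stub = StubZone("int.partner.com", ["10.1.1.1"])
    stub.refresh(zone)
    before = (fwd.resolve(zone, "app.int.partner.com"), stub.resolve(zone, "app.int.partner.com"))
    zone.ns["ns2.int.partner.com"] = "10.1.1.2"
    stub.refresh(zone)                      # scheduled refresh picks up ns2
    del zone.ns["ns1.int.partner.com"]      # ns1 retired
    after = (fwd.resolve(zone, "app.int.partner.com"), stub.resolve(zone, "app.int.partner.com"))
    return before, after


def permission_scenario():
    """Partner refuses stub refreshes: the stub learns nothing, the forwarder
    (plain queries only) still works. Returns (stub refreshed?, forwarder answer)."""
    zone = PartnerZone()
    zone.refresh_allowed = False
    stub = StubZone("int.partner.com", ["10.1.1.1"])
    fwd = ConditionalForwarder("int.partner.com", ["10.1.1.1"])
    return stub.refresh(zone), fwd.resolve(zone, "app.int.partner.com")
```

The two scenarios are the trade-off in the recap in runnable form: the forwarder needs nothing from the partner but silently breaks the day the partner changes its servers, while the stub zone needs the partner to allow the refresh and in return keeps working through the change.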
