1 CHAPTER 4 PLANNING A NAME RESOLUTION STRATEGY

2 Determining Name Resolution Requirement What is name resolution? ◦ The conversion of a name into an IP address (32 bits for IPv4, 128 bits for IPv6). ◦ Names exist for people; TCP/IP communication between computers uses only IP addresses and is not affected by the names. ◦ When you type a name into a URL, the first thing your computer does is resolve that name into an IP address; only then does it know where to send the message.

3 Determining Name Resolution Requirement What types of names need to be resolved?  DNS names  Network Basic Input/Output System (NetBIOS) names ◦ The names you associate with the Internet and type into URLs are resolved by DNS name servers. ◦ All ISPs have DNS servers which they make available to their clients. ◦ Windows operating systems prior to Windows 2000 used NetBIOS names to identify computers on the network; you assign the NetBIOS name during operating system installation.

4 Determining Name Resolution Requirement Using the DNS At its core, DNS is still a list of names and their IP addresses, but the list is distributed among servers all over the Internet. When a DNS server gets a request from a resolver, it first checks its own records (the zones it hosts and its cache) for the IP address that belongs to the name. If it does not have it, it queries other DNS servers, following the referrals they return, until it reaches the server that is authoritative for that name. The authoritative server supplies the IP address to the requesting server, which relays it back to the resolver.

5 Determining Name Resolution Requirement ◦ A domain is an administrative entity that consists of a group of hosts. When a DNS server is the authoritative source for a domain, it possesses information about the hosts in that domain in the form of resource records. ◦ The full name of a computer in DNS consists of 2 parts, a host name and a domain name, just as an IP address consists of a host part and a network part. [Figure: the Resolver sends its Request to a DNS server, which queries the Authoritative DNS server; the Reply returns along the same path.]

6 Determining Name Resolution Requirement A DNS name consists of 2 or more words separated by periods (.). The complete name of a particular computer is called a fully qualified domain name (FQDN). ◦ Ex: www.adatum.com  The DNS server first queries a root name server, which returns resource records containing the IP addresses of the servers authoritative for the top-level domain com  It then queries one of the com servers, which returns the resource records identifying the servers authoritative for the second-level domain adatum.com  Finally it queries the adatum.com server, which returns the host (A) record for www; now the client can send its request directly to that address

7 Determining Name Resolution Requirement Speeding up the DNS  Top level domains such as com, org and net are not themselves hosted on the root name servers; the root servers hold only the resource records that delegate each top-level domain to its own set of servers, so the root is consulted once per top-level domain rather than once per query.  DNS servers cache the information they receive, so repeat queries for the same name are answered locally until the record's time to live (TTL) expires. Understanding domain hierarchy levels  Root servers do nothing but respond to millions of requests by sending out the addresses of the servers authoritative for the top-level domains.  Each top level domain has its own collection of 2nd level domains. Organizations & individuals may lease these domains for their own use.
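The walk described on slides 6 and 7, as an added example that is not part of the original presentation: a toy iterative resolver that follows the delegation from the root to the com servers to adatum.com, then answers the second query from its cache until the TTL runs out. The three "servers" are constructed in-memory record sets and the addresses are RFC 5737 documentation ranges, not real name servers.

```python
"""Walk the DNS delegation chain for www.adatum.com and cache the answer.

Added example, not from the original presentation. The three "servers" below
are constructed in-memory data; the addresses are RFC 5737 documentation
ranges, not real name servers.
"""
import time

TTL = 300  # seconds a cached answer stays valid in this toy resolver

# What each server knows. NS records delegate a subdomain to another server;
# A records for the delegated server names are the "glue" that lets the
# resolver actually reach them.
ROOT = {
    "com.": [("NS", "a.gtld-servers.example.")],
    "a.gtld-servers.example.": [("A", "192.0.2.1")],
}
COM_TLD = {
    "adatum.com.": [("NS", "ns1.adatum.com.")],
    "ns1.adatum.com.": [("A", "198.51.100.53")],
}
ADATUM = {
    "www.adatum.com.": [("A", "203.0.113.80")],
}
SERVERS = {"root": ROOT, "192.0.2.1": COM_TLD, "198.51.100.53": ADATUM}


def suffixes(name):
    """'www.adatum.com.' -> ['www.adatum.com.', 'adatum.com.', 'com.'] (longest first)."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]


def ask(server_data, name):
    """One query to one server: an answer, a referral to the closest
    delegation the server knows about, or nothing."""
    for rtype, rdata in server_data.get(name, []):
        if rtype == "A":
            return "answer", rdata
    for zone in suffixes(name):
        for rtype, ns_name in server_data.get(zone, []):
            if rtype == "NS":
                glue = [v for t, v in server_data.get(ns_name, []) if t == "A"]
                if not glue:  # a real resolver would resolve the NS name separately
                    raise LookupError(f"no glue for {ns_name}")
                return "referral", (zone, glue[0])
    return "nxdomain", None


def resolve(name, cache, now=None):
    """Resolve `name` to an address.

    Returns (address, chain): `chain` is the list of zones that referred us
    onward, so an empty chain means the answer came from the cache.
    """
    now = time.time() if now is None else now
    cached = cache.get(name)
    if cached and cached[1] > now:
        return cached[0], []

    chain, server = [], "root"
    for _ in range(8):  # bound the walk so a delegation loop cannot spin forever
        kind, payload = ask(SERVERS[server], name)
        if kind == "answer":
            cache[name] = (payload, now + TTL)
            return payload, chain
        if kind == "nxdomain":
            return None, chain
        zone, server = payload
        chain.append(zone)
    raise RuntimeError("too many referrals")


if __name__ == "__main__":
    cache = {}
    print(resolve("www.adatum.com.", cache))   # full walk: root -> com -> adatum.com
    print(resolve("www.adatum.com.", cache))   # served from cache, no referrals
```

The first call returns the address together with the chain `["com.", "adatum.com."]`; the second returns the same address with an empty chain, which is the cache hit slide 7 is talking about. Passing a later `now` past the TTL forces the walk again.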

8 Determining DNS Requirements Hosting an Internet Domain  First you must register a second level domain name & give the IP addresses of your authoritative DNS servers to your domain registrar.  Each of those servers must have a registered (public) IP address & be reachable from the Internet at all times.  You may instead use your ISP's DNS servers, usually for a fee! Hosting Internet Servers  To host Internet servers on your network, you must have access to a registered domain on the Internet with authoritative DNS servers.

9 Using NetBIOS Names Computers running versions of Windows earlier than Windows 2000 use NetBIOS names, which consist of a single flat name of 16 bytes: 15 characters of name plus a 16th byte that identifies the service. The namespace is not hierarchical, hence it is not as scalable as DNS & is only suitable for private networks. Several name resolution mechanisms are used for NetBIOS names:  WINS  Broadcast transmission  Lmhosts file  NetBIOS name cache (consulted before any of the others)

10 Designing a DNS Namespace Using an existing namespace When to use an existing name  The organization you are designing the network for already has a domain name in use.  Or it has a computer naming strategy already in place. What is possible when using an existing name?  Use the existing domain name as is, or expand it to include internal subdomains.  Continue using the existing DNS servers, or migrate the DNS services to the new network you are designing.

11 Designing a DNS Namespace Creating an Internet Domain ◦ Selection of a 2nd level domain name depends on what is available; in case the name you want to use is already taken:  Choose a different domain name  Register the name in a different top-level domain  Attempt to buy the domain name from its current owner. ◦ Organizations maintain multiple sites on the Internet for various reasons:  Involvement in several separate businesses  Independent divisions with different sites  Different sites for customers, suppliers etc.

12 Designing a DNS Namespace 2 basic ways to implement multiple sites on the Internet: ◦ Register a single 2nd level domain & then create multiple subdomains beneath it.  For the price of a single domain registration you can create as many third level domains as you need  Maintains a single brand across all sites  Ex: contoso.com = patients.contoso.com, staff.contoso.com etc. ◦ Register multiple 2nd level domains  Suitable for a company that operates various unrelated businesses.  Register each domain separately & maintain a separate DNS namespace for each domain.

13 Designing a DNS Namespace Creating internal domains ◦ If the company consists of an HQ & branches, create a single Active Directory domain, assign it a name, and create the branch names as subdomains under the main domain. ◦ Ex: adatum.com, miami.adatum.com, ny.adatum.com ◦ Rules when selecting internal domain names:  Keep domain names short  Avoid an excessive number of domain levels  Create a naming convention & stick to it  Avoid obscure abbreviations  Avoid names that are difficult to spell

14 Designing a DNS Namespace Rules when designing an internal DNS namespace for a network that connects to the Internet:  Use registered domain names  Do not use top level domain names or names of commonly known products or companies.  Use only characters that are compliant with Internet standards (letters, digits and hyphens). The primary reason for creating subdomains beneath the domain is to delegate administrative authority for parts of the namespace.  A second reason is to prevent one large zone from becoming a bottleneck that affects name resolution performance.

15 Designing a DNS Namespace Combining Internal & External domains ◦ When combining internal & external domains, there are 3 strategies to use: a) Use the same domain name internally & externally  Creates havoc in the resolution process due to the duplication: the internal and the Internet-facing servers each hold their own copy of the zone, and the two copies must be kept consistent by hand b) Create separate & unrelated internal & external domains  You need to maintain 2 different DNS namespaces, which causes confusion. c) Make the internal domain a subdomain of the external domain.  Register 1 domain & use it for external names, then create subdomains under it for internal use.

16 Designing a DNS Namespace Creating host names ◦ Create host names the same way you create domain names, by choosing a naming rule & sticking to it. ◦ Rules are usually based on users, geographical locations or the functions of the computer. ◦ Guidelines to follow:  Create easily remembered names  Use unique names throughout the organization  Do not use case to distinguish names (DNS treats names as case-insensitive)  Use only characters supported by all of your DNS servers.

17 How Many DNS Servers Private networks use multiple DNS servers for reasons other than heavy client load, which are:  Providing redundancy  Improving performance  Balancing traffic load  Reducing WAN traffic  Delegating authority  Supporting Active Directory

18 Understanding DNS server types Caching-only servers ◦ A DNS server that contains no zones & hosts no domain is called a caching-only server; it resolves queries on behalf of clients and keeps the results in its cache. Using forwarders ◦ A forwarder is a DNS server that receives queries from other DNS servers that are explicitly configured to send it every query they cannot answer from their own zones or cache. Chaining forwarders ◦ A DNS server that is functioning as a forwarder can itself forward its queries to another forwarder.

19 Creating Zones Zone – an administrative entity that you create on a DNS server to represent a discrete portion of the namespace. A valid zone must consist of contiguous domains. Understanding zone types ◦ Every zone consists of a zone database that contains the records for that zone. The 3 zone types are as follows:  Primary zone – contains the master copy of the zone's database  Secondary zone – contains a read-only backup copy of the primary zone database, kept up to date by zone transfers  Stub zone – a copy of a primary zone that contains only the Start of Authority (SOA) and Name Server (NS) resource records plus the Host (A) records that identify the authoritative servers for the zone.
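Two points on this slide are easier to see in code: exactly which records a stub zone keeps, and what "contiguous" rules out. The following is an added example, not part of the original presentation; the adatum.com primary zone, its delegated sales subdomain and all addresses are constructed (RFC 5737 ranges).

```python
"""What a stub zone keeps from a primary zone, and which names a zone may hold.

Added example, not from the original presentation; the adatum.com records and
addresses are constructed (RFC 5737 documentation ranges).
"""

# (owner, type, rdata) records of a constructed primary zone for adatum.com
PRIMARY_ZONE = [
    ("adatum.com.", "SOA", "ns1.adatum.com. hostmaster.adatum.com. 2024010101 3600 900 604800 300"),
    ("adatum.com.", "NS", "ns1.adatum.com."),
    ("adatum.com.", "NS", "ns2.adatum.com."),
    ("ns1.adatum.com.", "A", "198.51.100.53"),
    ("ns2.adatum.com.", "A", "198.51.100.54"),
    ("www.adatum.com.", "A", "203.0.113.80"),
    ("adatum.com.", "MX", "10 mx1.adatum.com."),
    ("mx1.adatum.com.", "A", "203.0.113.25"),
]


def stub_zone(records):
    """Keep only what a stub zone holds: the SOA, the apex NS records and the
    glue A records that locate those name servers. Everything else stays in
    the primary zone and is fetched by ordinary queries."""
    apex = next(owner for owner, rtype, _ in records if rtype == "SOA")
    ns_targets = {rdata for owner, rtype, rdata in records
                  if owner == apex and rtype == "NS"}
    return [(owner, rtype, rdata) for owner, rtype, rdata in records
            if (owner == apex and rtype in ("SOA", "NS"))
            or (rtype == "A" and owner in ns_targets)]


def zone_violations(apex, owners, delegated=()):
    """Names that cannot be placed in the zone rooted at `apex`: names outside
    the apex, and names below a subdomain that has been delegated to its own
    zone. (Glue A records for the delegated name servers are the one permitted
    exception and are not modelled here.)"""
    bad = []
    for name in owners:
        if name != apex and not name.endswith("." + apex):
            bad.append(name)
        elif any(name != cut and name.endswith("." + cut) for cut in delegated):
            bad.append(name)
    return bad


if __name__ == "__main__":
    for rr in stub_zone(PRIMARY_ZONE):
        print(rr)
    print(zone_violations("adatum.com.",
                          ["www.adatum.com.", "contoso.com.", "west.sales.adatum.com."],
                          delegated=["sales.adatum.com."]))
```

The stub zone comes out as five records (SOA, two NS, two glue A); the www and mail records are not copied. The second call flags contoso.com (outside the apex) and west.sales.adatum.com (below a delegation cut), the two ways a zone stops being contiguous.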

20 Determining DNS security threats Primary security threats in DNS: ◦ Denial-of-service (DoS) attacks  Flooding a DNS server with a huge number of queries can force it to 100% utilization, after which it drops any further queries. ◦ Footprinting  Intruders capture DNS traffic (or obtain a full zone transfer from a server that allows it) & learn the domain names, host names & IP addresses they need to plan an attack! ◦ IP spoofing  Intruders use legitimate IP addresses learned through footprinting as the source of damaging packets; spoofing lets the packets get through filters that trust those addresses. ◦ Redirection  Intruders cause the DNS server to forward name resolution request messages to an incorrect server under the intruder's control.

21 Securing DNS Providing redundant DNS services ◦ When you register domain names, your DNS server must be accessible from the Internet and is therefore exposed to attacks. ◦ To overcome this, use multiple DNS servers so that one server being taken down does not stop resolution. Limiting DNS interfaces ◦ Limit the network interfaces over which the server can receive name resolution requests. ◦ If the server has multiple IP addresses, specify the 1 IP address that DNS clients may use to contact the server.

22 Securing DNS Securing Zone Replication ◦ Deploy all your DNS servers on your domain controllers & store all your zones in Active Directory, which then performs all zone replication. ◦ The domain controllers perform a mutual authentication procedure before they exchange data (standard primary/secondary zones use unauthenticated zone transfers, so if you keep any, restrict transfers to the listed secondary servers). Preventing Cache Corruption ◦ Select the 'Secure cache against pollution' check box in the DNS server's properties dialog box. ◦ Prevents the server from caching unrelated resource records included in reply messages. ◦ Ignores all records for names outside the domain the responding server is authoritative for, e.g. an A record for www.adatum.com that appears in a reply from a contoso.com server.
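The check behind 'Secure cache against pollution' is a bailiwick test: a record is only cached if its owner name lies inside the zone the answering server is authoritative for. The following is an added example, not part of the original presentation or of the Windows DNS implementation. The reply is constructed: it is what an attacker-run authoritative server for evil.example could return when asked about its own host, with a record for someone else's name appended.

```python
"""Bailiwick check behind "secure cache against pollution".

Added example, not from the original presentation. The reply below is
constructed: what an attacker-run authoritative server for evil.example could
send back when asked about its own host, padded with a record for a name it
has no authority over.
"""


def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or lies beneath it. Comparison is
    case-insensitive, and the boundary is a whole label, so 'xadatum.com.'
    is not inside 'adatum.com.'."""
    name, zone = name.lower(), zone.lower()
    if zone == ".":            # the root zone covers every name
        return True
    return name == zone or name.endswith("." + zone)


def split_reply(records, authoritative_zone):
    """Partition a reply into records safe to cache (owner names inside the
    zone the answering server is authoritative for) and records to discard."""
    keep, drop = [], []
    for rr in records:
        owner = rr[0]
        (keep if in_bailiwick(owner, authoritative_zone) else drop).append(rr)
    return keep, drop


# Constructed reply to "www.evil.example. A?" from evil.example's own server.
POISONED_REPLY = [
    ("www.evil.example.", "A", "203.0.113.7"),       # the legitimate answer
    ("evil.example.", "NS", "ns1.evil.example."),     # its own name server
    ("ns1.evil.example.", "A", "203.0.113.8"),        # glue for that server
    ("www.adatum.com.", "A", "203.0.113.66"),         # unrelated: a poison attempt
]


if __name__ == "__main__":
    keep, drop = split_reply(POISONED_REPLY, "evil.example.")
    print("cached:", keep)
    print("ignored:", drop)
```

Only the three evil.example records are cached; the www.adatum.com record is dropped, so a later client query for www.adatum.com still walks to adatum.com's real servers. This check stops gratuitous out-of-zone records; it does not by itself stop a forged answer to the resolver's own outstanding query, which is why transaction ID and source port randomization (and ultimately DNSSEC) are also needed.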

23 Securing DNS Using secure dynamic update  The dynamic update feature causes DNS clients to send a message to the DNS server at start-up.  The message contains the IP address that DHCP has assigned to the client, & the server uses this information to update its resource records; without authentication it is possible for an intruder to send a fake message saying that the IP address of your Internet web server has changed.  This forces your DNS server to add a counterfeit address to the resource records, redirecting the traffic to a server under the intruder's control.  Solution: create Active Directory-integrated zones & configure them to accept only secure dynamic updates, which the server authenticates before applying.  Zone properties dialog box, General tab, Dynamic updates drop-down list: select Secure only!
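The redirection attack and the effect of the three Dynamic updates settings, as an added example that is not part of the original presentation. Active Directory authenticates updates with GSS-TSIG (Kerberos); this stand-in signs the update with a TSIG-style HMAC under a constructed shared key so that the accept/reject logic can run offline. The zone, hosts and addresses are constructed (RFC 5737 ranges), and `Zone`, `encode_update` and `sign` are names invented for the example.

```python
"""Why "Secure only" dynamic updates matter.

Added example, not from the original presentation. Active Directory secures
updates with GSS-TSIG (Kerberos); this stand-in uses a TSIG-style HMAC over the
update with a constructed shared key so the check can run offline. The zone,
hosts and addresses are constructed (RFC 5737 ranges).
"""
import hashlib
import hmac

KEY = b"constructed-shared-secret"   # stands in for the client's Kerberos credential


def encode_update(owner, rtype, rdata):
    """Serialize the one-record update a client sends (a DNS UPDATE message in
    real life) so that it can be signed and parsed."""
    return f"{owner} {rtype} {rdata}".encode()


def sign(update, key=KEY):
    return hmac.new(key, update, hashlib.sha256).digest()


class Zone:
    """A zone holding one record per owner name, with the same three
    dynamic-update settings the Windows DNS zone properties offer."""

    def __init__(self, records, dynamic_update):
        assert dynamic_update in ("none", "nonsecure_and_secure", "secure_only")
        self.records = dict(records)          # owner -> (type, rdata)
        self.dynamic_update = dynamic_update

    def apply_update(self, update, mac=None, key=KEY):
        """Return True if the update was accepted and applied."""
        if self.dynamic_update == "none":
            return False
        signed = mac is not None and hmac.compare_digest(mac, sign(update, key))
        if self.dynamic_update == "secure_only" and not signed:
            return False                      # unsigned or forged: rejected
        owner, rtype, rdata = update.decode().split(" ", 2)
        self.records[owner] = (rtype, rdata)
        return True


def forged_update_result(dynamic_update):
    """An intruder on the LAN sends an unsigned update moving the web server's
    name to a host they control. Returns the address the zone serves afterwards."""
    zone = Zone({"www.adatum.com.": ("A", "203.0.113.80")}, dynamic_update)
    zone.apply_update(encode_update("www.adatum.com.", "A", "198.51.100.66"))
    return zone.records["www.adatum.com."][1]


def legitimate_update_result():
    """A client holding the key renumbers its own record under 'secure_only'."""
    zone = Zone({"www.adatum.com.": ("A", "203.0.113.80")}, "secure_only")
    update = encode_update("www.adatum.com.", "A", "203.0.113.81")
    accepted = zone.apply_update(update, mac=sign(update))
    return accepted, zone.records["www.adatum.com."][1]


if __name__ == "__main__":
    print("nonsecure_and_secure ->", forged_update_result("nonsecure_and_secure"))
    print("secure_only          ->", forged_update_result("secure_only"))
    print("signed, secure_only  ->", legitimate_update_result())
```

With "Nonsecure and secure" the forged update lands and www.adatum.com now points at the intruder's 198.51.100.66; with "Secure only" the unsigned update is rejected and the original address survives, while a properly signed update from a key holder is still applied. The real feature adds one more control this example omits: the security principal that registered a record owns it, so even an authenticated client cannot overwrite another computer's record.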

24 Troubleshooting DNS server problems Non-functioning DNS server ◦ If the client can ping the DNS server but receives no replies to name resolution requests, the DNS Server service is probably not running (or is not listening on the interface the client uses).  Open the Services console & check whether the status of the DNS Server service is Started.  Check the logs in the Event Viewer console Troubleshooting DNS server health  dcdiag /test:DNS and dcdiag /test:CheckSecurityError  Test your DNS & return a summary of the results.

25 Troubleshooting DNS server problems Troubleshooting incorrect name resolution, 3 possibilities: ◦ Incorrect resource records – for records entered manually by the administrator, the possibility of typographical errors exists. ◦ Dynamic updates failed to occur – sometimes the update is not received or is rejected. ◦ Zone transfers fail to occur – if a secondary server is resolving names incorrectly, the problem may be with the zone transfers.

26 Troubleshooting DNS server problems Troubleshooting outside name resolution failures The server can resolve names for which it is authoritative but fails to resolve names in other domains. The problem arises when the server is not forwarding queries correctly (or cannot reach its forwarders or the root servers).

