Tony Piltzecker, Brien Posey, in The finest Damn home windows Server 2008 Book period (Second Edition), 2008

Reverse Lookup Zones

As stated earlier, a reverse lookup ar is an authoritative DNS zone the is used mainly to deal with IP addresses come network source names. This zone type can be primary, secondary, or active Directory—integrated. Turning back lookups traverse the DNS hierarchy in exactly the same way as the an ext common front lookups.

You are watching: What resource records appear in the new zone you created by default?

To handle reverse lookups, a unique root domain referred to as in-addr.arpa was created. Subdomains in ~ the in-addr.arpa domain are created using the reverse ordering the the octets that kind an IP address. Because that example, the reverse lookup domain because that the 192.168.100.0/24 network would certainly be 100.168.192.in-addr.arpa. The factor the IP addresses are inverted is the IP addresses, once read indigenous left come right, get more specific; the IP resolve starts with the much more general information first. FQDNs, in contrast, get much more general when read indigenous left to right; the FQDN starts with a details host name.

In order for reverse lookup zones to job-related properly, they usage a one-of-a-kind RR dubbed a PTR record that provides the mapping of the IP address in the zone come the FQDN.


Reverse lookup zones are supplied by details applications, such as NSLookup (an necessary diagnostic tool that need to be part of every DNS administrator's arsenal). If a reverse lookup zone is not configured ~ above the server come which NSLookup is pointing, you will acquire an error message when you invoke the nslookup command.


Configuring & Implementing…

Security Considerations because that the existence of a turning back Lookup Zone

Being may be to do NSLookup work against your DNS servers is no the only, or most important, reason why you need to configure reverse lookup zones. Applications ~ above your internal network, such together DNS client that room trying to register PTR documents in a reverse lookup zone, can “leak” information about your internal network out to the net if castle cannot find a reverse lookup zone ~ above the intranet. To avoid this details from leaking from her network, you should configure reverse lookup area for the addresses in usage on your network.


Configuring turning back Lookup Zones

Now, we need to create a corresponding reverse lookup zone. This will manage reverse resolution for our subnet. In this case, the is 192.168.1.x.

1

Choose Start | governmental Tools | DNS.

2

In the console tree, click Reverse Lookup Zones.

3

Right-click Reverse Lookup Zones, and also then click New Zone.

4

When the New zone Wizard appears, click Next.

5

On the Zone Type page, pick Primary Zone, and then click Next.

6

On the Reverse Lookup ar Name page, make sure IPv4 is selected, and then click Next.

7

On the Reverse Lookup ar Name web page (Figure 1.11), in the Network ID field, type the start of the subnet variety of your network (in this case, 192.168.1.x), and then click Next.


*

First, we require to set an IPv6 deal with for our server. To perform so, perform the following steps:

1

Choose Start and also right-click Network.

2

Select Properties native the drop-down menu.

3

Click Manage Network Connections.

4

Right-click the Network connection and also choose Properties.

5

Double-click internet Protocol variation 6 (TCP/IPv6).

6

Click the radio button for Use The complying with IPv6 Address. If you room not acquainted with IP addressing, you deserve to use 2001:0db8:29cd:1a0f:857b:455b:b4ec:7403.

7

Enter a Subnet prefix length of 64.

8

Your preferred DNS server would be the very same as that mentioned earlier (your IPv6 address).

9

Close the Network Connections window and re-open the DNS administrator console.

10

In the console tree, click Reverse Lookup Zones.

11

Right-click Reverse Lookup Zones, and also then click New Zone.

12

When the New region Wizard appears, click Next.

13

On the Zone Type page, choose Primary Zone, and then click Next.

14

On the Reverse Lookup region Name page, make certain IPv6 is selected, and also then click Next.

15

In the Reverse Lookup ar Name field, form in the prefix 2001:0db8:29cd:1a0f::/64, and also then click Next.

16

On the Dynamic Update page, pick Allow Both Nonsecure and Secure Dynamic Updates (for experimentation purposes in this book only—normally, you must use certain Only), and also click Next.

17

Click Finish to produce the new Zone.

18

To develop an IPv6 record, right-click the major Lookup zone for your domain (in our lab, it is uccentral.ads), and then click New Host.

19

In the Name field, go into the name of her server. Ours server name is dc1.

20

In the IP address field, enter the IPv6 resolve we set for the server.

21

Verify that Create connected Pointer (PTR) Record is checked, and also click Add Host.


You need to now check out a brand-new AAAA document for the server, and also a new PTR record in the reverse Lookup Zone we created.


Configuring & Implementing…

Developing the DNS design for her Network

There are few limitations to emerging DNS designs and also deploying the company thereafter. You should take into consideration the complying with points throughout your style process:▪Each domain includes a set of source records. Source records map names come IP addresses or vice versa depending upon which kind of document it is. Special source records exist to identify varieties of servers ~ above the networks. For example, an MX resource record identifies a letter server.

If the organization has a huge number the hosts, use subdomains to speed up the DNS response.

The only limitation to utilizing subdomains top top a single DNS server is the server's very own memory and also disk capacity.

A zone contains one or an ext domains and also their resource records. Zones deserve to contain multiple domains if they have actually a parent and child relationship.

A DNS server v a main zone is authoritative because that the zone, and updates can be do on the server. There can only be one major zone for each region defined.

A DNS server with a an additional zone includes a read-only copy the the zone. Secondary zones provide redundancy and speed increase query responses by being placed near the computer systems that location DNS queries.

DNS servers deserve to use main and second zones whether they are running windows Server 2008 or space a third-party DNS server.


Now you deserve to double-click the Forward Lookup Zones and also Reverse Lookup Zones and view the area you have actually created. The zones will certainly be displayed in the console pane under the proper zone type. Native here, girlfriend can add records by right-clicking the zone and also selecting the type of record you want to create. Likewise, you deserve to right-click the zone and also select Properties to modify the properties of the zone. Several of the nature you deserve to modify include:

Dynamic Updates: The capacity for client to automatically update DNS records.

Zone Type: girlfriend can adjust a zone type from Primary, to Secondary, or come Stub Zone. If energetic Directory is installed, girlfriend can additionally make the zone active Directory—integrated.

WINS integration: we will talk about this later in the chapter, yet this is wherein you deserve to involve WINS resolution through DNS resolution.

Name Servers: you can include the names and IP addresses the servers that have actually the civil liberties to create duplicates of the DNS zone.

Zone Transfer: Here, you deserve to specify whether the zone can be moved to another DNS server. Friend can likewise specify even if it is it deserve to be moved to any type of server, just the servers in the name Servers tab (discussed earlier), or to only certain DNS servers by IP resolve or FQDN.


Follow these measures to develop a reverse lookup zone:

1

Open DNS Manager by clicking Start | governmental Tools | DNS

2

In the left pane, increase the node representing the server you want to configure, right-click Reverse Lookup Zones, and click New Zone…

3

Read the welcome web page of the New zone Wizard dialog box and also click Next

4

On the Zone Type wizard page, choose Secondary zone and also click Next. See number 5.11.

5

On the Reverse Lookup zone Name wizard page, select the proper zone type:▪IPv4 turning back Lookup Zone. choose this option if you want the region to track IPv4 attend to information. This choice is the default.

IPv6 reverse Lookup Zone. select this alternative if you want the region to track IPv6 deal with information. This is a new option in windows Server 2008.

6

Click Next

7

On the 2nd Reverse Lookup Zone name wizard page, select and also configure the suitable option (See figure 5.20):▪Network ID. This alternative helps you to appropriately name the zone. Enter the network section of the IP address selection you desire the zone come service. A suitable zone surname will instantly be filled in under Reverse lookup region name: for you. This must enhance the configuration information used when producing the main reverse lookup zone.

Reverse lookup ar name. If friend would favor to get in the zone surname manually, you can do so making use of this option. You must follow the encourage DNS naming criter for reverse lookup file names.

8

Click Next

9

On the Master DNS Servers magician page, enter the name of one or an ext DNS servers that this second zone will certainly take transfers from. Get in the master server's IP attend to or FQDN by click secondary zones can be transferred from conventional primary, ad Integrated, and also other an additional zones. For fault tolerance, more than one grasp server can be specified. All servers space not provided by default. If the first server ~ above the list is effectively contacted, for example, the rest of the list will be ignored. Servers have the right to be ordered utilizing the Up and also Down buttons, and removed native the list making use of the Delete button. See figure 5.16.

10

Click Next

11

On the Completing the new Zone Wizard page, evaluation the information noted and click Finish


Forward lookup zones solve names come IP addresses and also Reverse lookup zones deal with IP addresses to names.

Forwarders deserve to be supplied on her DNS server to forward requests for which her DNS server does not have actually an decisive answer. You deserve to also set up your forwarders come conditionally front requests to different forwarders based on domain names.

Scavenging that stale records have to be set up ~ above both the server and also the ar to occupational correctly.

By default, region transfers space not allowed. Microsoft recommends permitting zone transfers only to details server IP addresses; best practice is come use energetic Directory combined zones, i m sorry use active Directory replication come copy zone data.


DNS Servers host zones which in turn organize records that settle a name to an IP address. The zone is the authoritative resource for information about the domain name regulated by that zone. A DNS zone is typically the very same as the domain surname being held on the DNS Server. For example, if the DNS Server will be hosting the domain syngress.com, climate the ar syngress.com should be produced on the DNS Server. There room two primary zone species that deserve to be collection up on a DNS Server—Forward Lookup Zones and Reverse Lookup Zones.

Forward Lookup Zones—Forward Lookup Zones permit the DNS Server to solve queries whereby the client sends a surname to the DNS Server to inquiry the IP address of the asked for host.

Reverse Lookup Zones—Reverse DNS zones do the opposite task as forward Lookup Zones. Lock return the fully qualified domain name (FQDN) of a offered IP address. Because that example, a client could send the IP deal with of 69.163.177.2 come a DNS Server. If the server hosted a reverse zone that included that IP address, it would certainly return the FQDN for the address, such as www.syngress.com.


In addition to the traditional zone types, DNS zones deserve to be further damaged down right into the adhering to zone types:

Primary zone (stored in AD)—These zones are stored in ad and replicated via normal ad replication. This offers an optimized way to replicate the zones within your corporate network. Major zones save on computer in ad follow the exact same multimaster rules as other advertisement services. This means that you deserve to perform updates on any advertisement Domain Controller and they will certainly replicate come the other Domain Controllers.

Primary zone (standard)—Standard major zones room stored in a flat file on the DNS Server. The main zone is considered the master copy the the ar database file. Every updates to the zone should be carry out on the major zone server.

Secondary zone—Secondary zones room read-only copies of the major zones. An additional zones replicate a copy of the zone from the primary zone server to carry out redundancy. Any updates to the zone must be perform on the primary zone server.

Stub zone—Stub area are similar to secondary zones in the they space read-only copies of the zone database file. Stub zones, however, contain only the name Server (NS), start of authority (SOA), and also host (A) documents for the name Servers.


Best practices

Create turning back Lookup Zones

Some applications call for the capability to execute Reverse DNS Lookups. Together a ideal practice, you should set up turning back Lookup area for IP subnets on your network.


Global naming Zones

Before home windows networks relied so heavily on DNS, they offered the Windows web Naming company (WINS) to provide name resolution. WINS provides the capability to resolve a NETBIOS name to one IP address. If friend support legacy applications that count on NETBIOS names, the is highly possible that you space still sustaining WINS on her network. To assist organizations move away indigenous WINS, Microsoft developed global Naming area (GNZs). GNZs, in windows Server 2008 R2, allow companies come decommission WINS if still sustaining NETBIOS names. GNZs require that her domain controllers be at home windows Server 2008 or later. Home windows Server 2003 DCs execute not assistance GNZs.


View chapterPurchase book

Windows Server 2003 provides three command-line utilities for maintaining and monitoring DNS servers:

NSLookup This is a typical tool offered for monitoring and also troubleshooting DNS servers. It offers a method to attain detailed outcomes for queries performed versus a DNS server. NSLookup has actually two modes: interactive and also noninteractive. Interactive mode permits you enter much more than one command in ~ an NSLookup prompt. Noninteractive setting is invoked as a solitary command with alternatives from a command prompt. For NSLookup to work properly, the DNS server the NSLookup is pointing come must have a PTR document for that in a turning back lookup zone.

Dnscmd This utility is discovered in the \Support\Tools folder ~ above the home windows Server 2003 installation CD. The Dnscmd tool deserve to be used as an alternative to the DNS MMC. V DNScmd, you have the right to create and delete zones, view records, update zone records, and perform other administrative tasks the you would typically perform making use of the DNS console. Dnscmd have the right to be used to script batch operations and also perform remote administration, providing an efficient means to regulate multiple, far DNS servers.

DNSLint This energy is found in the \Support\Tools folder ~ above the windows Server 2003 installation CD. DNSLint is brand-new to windows Server 2003. Its main purpose is to aid in troubleshooting problems emerging from lame (incorrect) delegations and common ad DNS problems, such together verifying documents for ad replication. A vital advantage that the device is that it have the right to examine many servers in a single operation and also display the calculation as an HTML file. For example, if you to be trying to troubleshoot a problem with delegation, friend would have to traverse the DNS namespace in lot of steps. Through DNSLint, you can diagnose the problem in a solitary operation. Girlfriend can likewise use DNSLint v the /c move to test popular e-mail harbor on all e-mail servers that it find in the zone records of the DNS servers it check in the domain.


These tools deserve to be used for a range of purposes, such together verifying the presence of RRs, checking for lame delegations, checking for lacking AD replication records, configuring DNS server setups on multiple servers, and also so on.


View chapterPurchase book

Deborah Littlejohn Shinder, ... Laura Hunter, in MCSA/MCSE (Exam 70-291) research Guide, 2003

Exam Objectives generally Asked Questions

The following commonly Asked Questions, reply by the authors of this book, are designed come both measure up your knowledge of the Exam missions presented in this chapter, and to help you with real-life implementation of these concepts. You will also gain access to thousands of various other FAQs at ITFAQnet.com.

Q: Aren’t hold names and NetBIOS name the same thing in home windows Server 2003?

A: through default, the hold name assigned to the computer is used as the NetBIOS surname in windows Server 2003. However, an alternate NetBIOS name deserve to be assigned come the computer, if desired. Also if the host name and NetBIOS name are the same, your functions and also the methods whereby they are solved is different.

Q: on the exam, am ns going come be meant to recognize all the different top level domains?

A: No. It’s vital that you understand what the top level domain designations are and how they’re supplied on the Internet. However, questions on the test will emphasis on applying knowledge around top level domain names to scenarios. In those cases, you’ll require to understand that the root is unnamed and also is designated with the dot (.).You’ll additionally need to understand that top level domains as well as the second level domains are regulated so that each mix is guarantee to be unique worldwide.

Q: those the relationship in between recursive and also iterative queries and forward and also reverse lookups?

A: Recursive and iterative queries point out what outcomes are acceptable. A recursive query needs that one of two people the info or an error it is in returned. An iterative query requires that one of two people the info or a tip be returned. Once a DNS server is attempting to solve a query, even if it is recursive or iterative, it will certainly query its very own cache and zone fries first. There might be forward and also reverse lookup defined. Front lookup zones provide information required to deal with names within the domain and reverse lookup zones administer information on reverse lookups, resolving an IP address to a name.

Q: What specifically is a stub zone?

A: A stub ar is a copy of a region that consists of only three source records: SOA, NS, and glue A because that the delegated zone. The stub zone commonly is supplied to save a parental zone conscious of the decisive DNS servers for kid zones to maintain DNS surname resolution efficiency. Just as a an additional zone is a copy of the major zone, a stub zone is a copy together well, however it does not contain every the RRs, just those used to define authoritative DNS servers for son zones.

Q: will I be meant to recognize BIND because that the exam?

A: Microsoft exams focus on Microsoft innovations and, in particular, what’s new in the technology. In the regard, you would certainly not mean to watch questions around BIND. However, Microsoft technologies frequently are provided in conjunction through non-Microsoft technologies. Where these 2 overlap or interact, you’ll be intended to have a basic knowledge. What’s important to understand about the BIND format is the although Microsoft does not use it, UNIX and also Linux DNS servers do. If you room importing files, you’ll must understand just how these interact and also relate come the Microsoft convention.

Q: how much carry out I should know about the varieties of resource records supported in home windows Server 2003?

A: It’s essential to understand the standard zone RRs such as A, PTR, CNAME, SOA, NS, MX, and also SRV. Table 5.5 lists the an ext commonly provided RRs. Understanding what every of this does and what information is included in them will aid you not only on the exam but on the job as well. You could be referred to as upon to include manual RRs and also you’ll need to recognize what impact they will have. The DNS administration Console provides the parameters because that each RRs type, so you won’t have to memorize that data. You’ll need to have the ability to recognize and also understand the typical RRs offered in home windows Server 2003.

See more: 22 Christian Missionaries Sentenced, The Sommerfeld Mennonite Church

Q: execute I need to understand much about Internet Protocol version 6 because that this exam?

A: internet Protocol variation 6 (IPv6) is the latest IP protocol version that gives support because that 128-bit IP addresses, therefore you’ll require to know this protocol and how it’s enforced in home windows Server 2003. That topic is exterior the limit of this chapter. In ~ the scope, you’ll require to recognize the RR varieties used to support IPv6 and additionally how IPv6 addresses are addressed (using one of two people AAAA for name lookups or IP6.ARPA for reverse lookups). For more information around IPv6, you have the right to visit the IETF web site for information around the IPv6 criter or visit the Microsoft home windows Server 2003 net site for information around IPv6 and how come install and also route IPv6.