Contents
Overview 1
Introducing DNS 2
Designing a Functional DNS Solution 7
Discussion: Designing DNS Solutions 20
Securing DNS 22
Enhancing a DNS Design for Availability 28
Optimizing a DNS Design for Performance 31
Discussion: Enhancing DNS Solutions 35
Lab A: Designing a DNS Solution 37
Review 49
Module 4: DNS as a Solution for Name Resolution

Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.
Manufacturing Support: Laura King (S&T OnSite)
Lead Product Manager, Development Services: Bo Galford
Lead Product Manager: Ken Rosen
Group Product Manager: Robert Stewart
Other product and company names mentioned herein may be the trademarks of their respective
owners.
Instructor Notes
This module provides students with the knowledge and decision-making skills that are necessary to design a functional name resolution service by using DNS within a Microsoft® Windows® 2000 networking infrastructure. In the module, students will make DNS technology decisions to enhance the design’s security, availability, and performance based on the organization’s requirements.
At the end of this module, students will be able to:
• Recognize DNS as a solution for name resolution.
• Evaluate and create a DNS solution to support an organization’s namespace requirement.
• Select appropriate strategies to secure DNS.
• Select appropriate strategies to improve the availability of DNS.
• Select appropriate strategies to improve DNS performance.
Upon completion of the design lab, students will be able to design DNS
solutions that meet the name resolution requirements of a variety of
Module Strategy
Use the following strategy to present this module:
Introducing DNS
Emphasize the importance of name resolution in a network. Give some
examples of user-friendly addresses and numerical Internet Protocol (IP)
addresses. After the students understand the importance of name resolution,
give a brief overview of Windows 2000 DNS. Explain how DNS resolves
names. For an overview of DNS, you can ask the students to view the DNS
video on the Student CD.
In this section:
• Emphasize that the first step in designing a DNS solution is to identify
the design decisions that influence the design. Point out that it is
essential to determine the network configuration and the number of
hosts, locations, subnets, and routers, before starting the design.
• Describe the solutions provided by DNS. Emphasize that DNS can
integrate with other products. Discuss the impact of DNS on network
management.
• Emphasize that integration of DNS with WINS, DHCP, and the Active Directory™ directory service helps in name resolution by obtaining IP configuration and DNS server authentication.
Designing a Functional DNS Solution
Explain that DNS functionality can be established by selecting appropriate
zone types, determining server placements, and integrating DNS with other
Windows 2000 services. Provide an overview of the decisions involved in
establishing a functional design.
In this section:
• Explain what a zone is and how zones work. Give a brief overview of
that they need to integrate the DNS zones into the existing namespace if
they are unable to specify a computer running Windows 2000 as the
DNS root server for the organization.
• Ensure that students understand the scenario description and directions
for the Discussion. Direct them to read through the scenario and answer
the questions. Be prepared to clarify if necessary. Lead a class
discussion on the students’ responses.
Securing DNS
Because DNS servers are exposed to the network, you need to secure DNS
access from private and public networks. In this section, explain the use of
restricted updates, Internet Protocol Security (IPSec), virtual private
network (VPN) tunnels, Active Directory, and screened subnets to secure
DNS.
In this section:
• Emphasize that unauthorized updates to the dynamically updated DNS
servers are prevented to avoid impersonation of DNS servers.
• Point out that names and IP addresses replicated over public networks
can be protected against unauthorized access by using IPSec, VPN
tunnels, and Active Directory.
• Point out that when integrating DNS into screened subnets, you must
restrict Internet-based user access and encrypt any zone replication
within the private network. Describe the placement and interaction of
DNS services within screened subnets.
Enhancing a DNS Design for Availability
Describe the usage of replicated DNS zones and server clusters to enhance
the availability of a DNS design.
In this section:
• Emphasize that implementing multiple DNS servers that have replicated
zones at local and remote locations can enhance the availability of DNS.
By adding additional DNS servers at remote locations, DNS availability
outlined in the given scenario.
Students will review the scenario and the design requirements, and read any
supporting materials. They will use this information, and the knowledge gained
from the module, to develop a detailed design that uses DNS as the solution.
To conduct the lab:
Read through the lab carefully, paying close attention to the instructions and
to the details of the scenario.
Divide the class into teams of two or more students.
Present the lab and make sure students understand the instructions and the
purpose of the lab.
Explain that the planning worksheet is to be used to develop the design of
their solution.
Remind students to consider any functionality, security, availability, and
performance criteria that are provided in the scenario, and how they will
incorporate strategies to meet these criteria in their design.
Take the opportunity to assess each student’s comprehension of the design
strategies presented in the module while students are completing the lab.
Allow some time to discuss the solutions after the lab is completed. A
solution is provided on the Instructor CD to help you review the lab results.
Encourage students to critique each other’s solutions and to discuss any
ideas for improving the designs.
Overview

[Slide: Overview. Topics: Introducing DNS; Designing a Functional DNS Solution.]

Lead-in: (partially extracted) you will evaluate and design a DNS solution for name resolution.
Introducing DNS

[Slide: Introducing DNS. Topics: Design Decisions for a DNS Solution; Microsoft DNS Features; Integrating DNS with Other Windows 2000 Services.]

While designing a network, you must identify solutions for name resolution to locate computers and services on the network. The large number of available network resources creates the need for meaningful resource names to simplify the user’s access to resources.
Windows 2000 DNS allows users to refer to network resources with names
complying with the DNS standard. You can use DNS to resolve names to IP
addresses. DNS can also integrate with other Windows 2000 services to extend
the name resolution capabilities.
To design a strategy for locating network resources by using DNS, you must:
• Collect information about network and host configuration, and the number of locations.
• Identify the features provided by DNS and how these features support the design requirements.
• Identify the benefits provided by integrating DNS with other services in Windows 2000.
Design Decisions for a DNS Solution

[Figure: a UNIX DNS server, a firewall, the Internet, and a DNS server.]

The design of your DNS solution is based on criteria that you collect during the design process. After you have collected the criteria, you can begin designing your DNS solution.
Some of the criteria that affect your DNS design include the:
• Number of locations. The number of locations determines the minimum number of DNS servers because each location typically has at least one DNS server.
• Number of users at each location. The number of users at each location determines the number of DNS clients that must be supported within the location.
• Existence of any prior DNS servers, such as UNIX or DNS servers in Microsoft Windows NT® version 4.0. Existing DNS servers may limit the use of DNS features such as incremental zone transfers.
• Existence or plans to include an Active Directory™ directory service infrastructure. Active Directory provides the option of including Active Directory integrated zones in your DNS design.
Slide Objective: (partially extracted) To identify the design decisions that influence a

Microsoft DNS Features

The solutions provided by DNS include:
• Resolving traditional fully qualified domain names (FQDNs).
• Resolving network basic input/output system (NetBIOS) names by forwarding queries to WINS.
• Integrating with Active Directory.

The integration of the DNS service with Active Directory enhances a DNS design by:
• Reducing network management. Network management is reduced because DNS uses Active Directory replication to replicate DNS zone databases.
• Providing secured and automatic maintenance of DNS zone databases by using dynamically updated DNS.

Slide Objective: To introduce the key features of DNS.
Lead-in: When designing a DNS name resolution service, you must understand the features available to support the needs of your infrastructure.
Integrating into Existing Network Designs

The DNS service in Windows 2000 is a superset of the Internet Engineering Task Force (IETF) standards. You can integrate DNS with other products that

[Figure: DNS with Active Directory and DHCP Server.]

DNS integrates with other networking services to take advantage of their features. These features require you to include additional specifications in the design, such as forwarding name resolution queries to a WINS server.
The following table describes the benefits of integrating DNS with other networking services.

DNS integrates with    To
DHCP                   Automatically update DNS entries when DHCP addresses are assigned to DHCP client computers.
WINS                   Resolve DNS queries by forwarding the queries to a WINS server and resolving the queries from the WINS database entries.
Active Directory       Provide multiple master DNS zones, secured zone updates, and encrypted DNS replication.
Slide Objective: To describe how DNS integrates with other Windows 2000 networking services.
Lead-in: DNS integrates with other Windows 2000 networking services such as DHCP and

Designing a Functional DNS Solution

[Slide topic, partially extracted:] How the DNS services in Windows 2000 integrate into an organization’s existing namespace.

Slide Objective: To provide an overview of the decisions involved in establishing a functional DNS design.
Lead-in: To establish DNS functionality, you must consider a number of configuration and design issues.
Selecting the Appropriate Zone Types

[Slide: Selecting the Appropriate Zone Types. Slide text, as extracted: Chosen When Integrating into Existing Active Directory; Single Point of Support for DNS and Active Directory; Chosen for Integration into Existing Infrastructure; Separate Support for DNS and Active Directory; Chosen When Root Server is Traditional DNS; Supports Active Directory Integrated.]

Active Directory integrated zones are:
• Replicated by Active Directory. Because Active Directory integrated zones store the zone information in Active Directory, the zone information is replicated along with other Active Directory data.
• Required for secured, dynamically updated DNS zones. Because Active Directory integrated zones store the zone information, you can establish permissions for the computer, group, or user who can update the DNS zone information.
• Replicated only within an Active Directory domain. However, you can replicate Active Directory integrated zone information outside the domain to traditional secondary zones.
• Treated as a traditional primary zone from another BIND-based DNS server. To a BIND-based DNS server, Active Directory integrated zones appear as traditional primary zones. You can replicate to other Active Directory integrated zones or to traditional secondary zones.

Slide Objective: To describe the various zone types that you can select for DNS services.
Lead-in: There are three approaches to zone types. You can base DNS services on Active Directory integrated zones, on traditional DNS zones, or on a combination of both.

The following table compares the two zone types (column headings were not extracted and are inferred from the lead-in):

Characteristic                                                                                       Active Directory integrated   Traditional
(row label partially extracted) on Active Directory replication                                      Yes                           No
Improves availability because each DNS server contains a read/write copy of the zone information     Yes                           No
Allows updates to the zone information, even with the failure of a single DNS server                 Yes                           No
Supports incremental zone transfers                                                                  Yes                           Yes
Server Placement by Zone Type

[Slide: Server Placement by Zone Type. Slide text, as extracted: Recommend one DNS server at each remote location; Add secondary or delegated zones for availability and performance; Requires one primary zone; Traditional DNS zone; Recommend one DNS server at each remote (truncated).]

Secondary
• Improves the availability of primary zones by providing a complete copy of the primary zone.
• Has a read-only copy of the zone information.
• Improves performance at local and remote locations by providing a local copy of a primary zone.
• Is placed in screened subnets and accessed by Internet-based users.

Delegated domain
• Contains a subset of the domain namespace in an Active Directory integrated zone or a primary zone.
• Improves performance by reducing the number of records to be searched to a subset of the namespace.

Slide Objective: To describe when to use certain zone types in creating a DNS design.
Lead-in: To define namespace design, you need to determine the server placement in a network design.
Reverse Lookup Zone Design

[Slide: Reverse Lookup Zone Design. Topics: Reverse Lookup Zone Types; Dynamic Updates and Reverse Lookup Zones.]

Slide Objective: (partially extracted) when including reverse lookup zones.
Lead-in: If applications or network security requires the ability to convert an IP address to a domain name, you can include reverse lookup zones in your design.
The following table lists the approaches to dynamically updating DNS and when to select which approach.

Select this approach                                       When you want to dynamically create
Windows 2000–based DNS clients directly updating DNS       Forward lookup records, host (A) records. Reverse lookup records, pointer (PTR) records.
DHCP directly updates DNS on behalf of the DNS clients     Only forward lookup records, host (A) records.

If you enable DNS clients running Windows 2000 to dynamically update DNS directly, establishing permissions for secured updates to DNS becomes more complex because you must assign permissions for each DNS client.
The DNS servers within the organization may forward requests to:
• DNS servers provided by the Internet Service Provider (ISP) that the organization uses.
• Internet root DNS servers provided by the Internet.
Responding to DNS Queries from the Internet
When organizations expose resources, such as www.microsoft.com, to the
Internet, the names and IP addresses of the servers hosting these resources must
be listed in a DNS server that is accessible from the Internet. You can provide
name resolution to these requests by:
• Placing a DNS server in a screened subnet that contains the DNS entries for the resources. Use this method if the resource names may change frequently and the organization wants to make the changes itself.
• Demanding that the ISP for the organization place the DNS entries in a DNS server that the ISP supports. Use this method if the resource names change infrequently and the organization does not need to make the changes itself.
Slide Objective: To describe the interaction between DNS servers within the organization and between Internet-based DNS servers.
Lead-in: DNS servers in a private network need to forward queries to and respond to queries from Internet-based DNS servers.
Dynamic DNS zone updates allow DNS client computers or DHCP servers to
dynamically update DNS zone entries. Dynamic DNS zone updates reduce the
administration of DNS zones and eliminate errors that manually updating DNS
zones introduce.
The most common reason for including dynamic DNS zone updates in your
network design is to support Active Directory. Although not required, dynamic
DNS zone updates are recommended if your DNS solution must support Active
Directory.
Slide Objective: To describe the decisions involved in integrating DNS with BIND and Windows NT 4.0 DNS servers.
Lead-in: You can integrate DNS services in Windows 2000 with BIND and Windows NT 4.0 DNS servers if you cannot replace the DNS servers.

If your design includes dynamic DNS zone update, remember:
• BIND versions 8.1.2 and later support dynamic DNS zone updates.
• Windows NT 4.0 DNS servers do not support dynamic DNS zone updates.

Note: RFC 2136 documents dynamic DNS zone update support.
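As an added example (not part of the course material), the following Python builds and decodes the RFC 2136 UPDATE messages that a Windows 2000 client registering its own host (A) and pointer (PTR) records would send, which is the first approach in the dynamic update table above. The host name host1.private.nwtraders.msft, the address 10.0.0.5 and the /24 reverse lookup zone are constructed for the example.

```python
import socket
import struct
OPCODE_UPDATE = 5                            # RFC 2136 UPDATE opcode
TYPE_A, TYPE_SOA, TYPE_PTR, CLASS_IN = 1, 6, 12, 1

def encode_name(fqdn):
    """Dotted name -> uncompressed DNS wire-format name."""
    labels = fqdn.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, pos):
    """Uncompressed wire-format name at msg[pos:] -> (dotted name, next position)."""
    labels = []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels), pos + 1

def ptr_name(ip):
    """PTR owner name for an IPv4 address: 10.0.0.5 -> 5.0.0.10.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def build_update(zone, rrs, msg_id=0x2136, ttl=1200):
    """RFC 2136 UPDATE adding (owner, type, rdata) records to zone. The prerequisite
    section is empty and there is no TSIG, so nothing in the message proves who sent it."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, len(rrs), 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    body = b""
    for owner, rtype, rdata in rrs:
        body += encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_section + body

def parse_update(msg):
    """Decode the header, zone section and update section of an UPDATE message."""
    msg_id, flags, _zo, _pr, upcount, _ad = struct.unpack("!HHHHHH", msg[:12])
    zone, pos = decode_name(msg, 12)
    pos += 4                                 # skip ZTYPE and ZCLASS
    records = []
    for _ in range(upcount):
        owner, pos = decode_name(msg, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        rdata, pos = msg[pos + 10:pos + 10 + rdlen], pos + 10 + rdlen
        if rtype == TYPE_A:
            value = socket.inet_ntoa(rdata)
        elif rtype == TYPE_PTR:
            value = decode_name(rdata, 0)[0]
        else:
            value = rdata
        records.append((owner, rtype, ttl, value))
    return {"id": msg_id, "opcode": (flags >> 11) & 0xF, "zone": zone, "records": records}

def client_registration(host, ip, ttl=1200):
    """The two UPDATEs a Windows 2000 client registering itself sends: an A record into its
    forward zone, a PTR record into the reverse zone (assumed here: parent domain, /24)."""
    forward_zone = host.split(".", 1)[1]
    reverse_zone = ptr_name(ip).split(".", 1)[1]
    a_msg = build_update(forward_zone, [(host, TYPE_A, socket.inet_aton(ip))], ttl=ttl)
    ptr_msg = build_update(reverse_zone, [(ptr_name(ip), TYPE_PTR, encode_name(host))], ttl=ttl)
    return a_msg, ptr_msg
```

The message itself carries no proof of who sent it; the secured, dynamically updated zones described earlier depend on the server checking update permissions before it applies such a message.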
The DNS service in Windows 2000 and Windows NT 4.0 supports WINS
forward lookup and reverse lookup record types (WINS and WINS-R). WINS
and WINS-R record types enable the DNS server to submit queries to a WINS
server and attempt resolution through WINS. Normally, when you replicate
these records to BIND DNS servers, they see the WINS and WINS-R records as
invalid, non-RFC-compliant records.
If your design includes the DNS service in Windows 2000 or Windows NT 4.0
that replicates to a BIND DNS server, you can specify that the WINS and
WINS-R records are not replicated to the BIND DNS server.
Integrating DNS and WINS

[Slide: Integrating DNS and WINS. Figure shows the nwtraders.msft namespace with public.nwtraders.msft, private.nwtraders.msft, wins.private.nwtraders.msft and a WINS server. Topics: Designate a Subdomain for WINS Resolution; Delegate Unresolved DNS Queries to a Subdomain; Specify WINS Server in Zone Configuration.]

In your network design, you can allow DNS clients to resolve host names found

Lead-in: (partially extracted) network design can allow DNS clients to resolve host names found in WINS.
Specifying WINS Server in Zone Configuration
To forward unresolved DNS queries to a WINS server, you enable WINS
resolution on a zone. A zone can resolve queries by using more than one WINS
server. You can specify the IP address of the WINS servers in the order that the
servers are to be contacted. To improve the availability of your DNS solution,
include more than one WINS server in the list.
Your organization may not replicate all WINS records between all WINS
servers. If your organization’s WINS database is divided across multiple WINS
servers, you can create a unique DNS zone for each WINS server.
For example, consider an organization that has a WINS server that includes
WINS records only for Paris and another WINS server that includes WINS
records only for London. You can create a DNS zone for Paris and a DNS zone
for London so that you can create different subdomain names for the Paris
WINS server versus the London WINS server. Conversely, you can create one
DNS zone that could list both WINS servers so that the WINS resolution occurs
beneath a single subdomain name.