Design the DNS namespace - PowerPoint PPT Presentation

Slides: 34
Provided by: cltAs

Transcript and Presenter's Notes

1
Goals
  • Design the DNS namespace
  • Design the DNS zone and replication models
  • Plan DNS interoperability
  • Specify DNS features
  • Design the physical DNS structure
  • Design the WINS infrastructure

2
(Skill 1)
Designing the DNS Namespace
  • Domain Name System (DNS) namespace design
  • Critically important in Active Directory design
    because Active Directory domain names are DNS
    names and clients locate domain controllers
    through DNS
  • Examine the organization's need for public name
    resolution
  • Determine if the organization has any public or
    private resources that need to be resolved by
    external clients
  • If so, choose a strategy for separating internal
    and external resources

3
(Skill 1)
Designing the DNS Namespace (2)
  • Strategies for separating internal and external
    resources
  • Use one zone for both internal and external
    resources
  • Use the same namespace for both internal and
    external resources, but separate them into
    different zones
  • Use completely separate DNS namespaces for
    internal and external resources
  • Use a subdomain for internal resources

4
(Skill 1)
Designing the DNS Namespace (3)
  • Use one zone for both internal and external
    resources (single zone)
  • Advantages
  • Users do not have to make a distinction between
    internal and external resources
  • Administrators do not need to maintain separate
    public and private DNS infrastructures
  • Possible reduction in the number of domain names
    that must be registered
  • Disadvantages
  • Decreased security: every internal host name and
    private address in the zone is visible to anyone
    who can query it, which hands an attacker a map of
    the internal network
  • Rarely recommended

5
(Skill 1)
Figure 4-1 Using a single DNS zone
6
(Skill 1)
Designing the DNS Namespace (4)
  • Use the same namespace for both internal and
    external resources, but separate them into
    different zones (split DNS)
  • Advantages
  • Simplicity of resource resolution (one name for a
    resource, wherever the user is)
  • Reduction of the number of registered names
  • Increased security: the internal zone, with the
    private names and addresses, is served only to
    internal clients; the external zone lists only the
    public resources
  • Disadvantages
  • Additional administrative overhead, since two
    separate copies of the zone on two separate DNS
    infrastructures must be maintained
  • Duplication of effort when adding or changing
    external resources, which must be entered in both
    zones
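The single-zone and split-DNS designs above differ in what an outside client can learn. The following is an added example, not code from the slides: it models the same namespace served as two zone copies (an internal view and an external view) and selects the view by client source address, the way split DNS is deployed with an internal server and a separate Internet-facing server. The names, addresses and client networks are constructed for illustration.

```python
"""Split DNS modelled as two views of one namespace (added example)."""
import ipaddress

# Constructed zone data. The internal copy holds everything; the external
# copy holds only the resources that must be reachable from the Internet.
INTERNAL_ZONE = {
    "www.example.com.": "203.0.113.10",    # public web server, same answer in both views
    "mail.example.com.": "203.0.113.25",   # public mail server, same answer in both views
    "dc1.example.com.": "10.0.0.5",        # domain controller: internal only
    "intranet.example.com.": "10.0.0.40",  # intranet server: internal only
}
EXTERNAL_ZONE = {
    "www.example.com.": "203.0.113.10",
    "mail.example.com.": "203.0.113.25",
}

# Constructed: address ranges that reach the internal DNS servers.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def select_view(client_ip):
    """Pick the zone copy that would answer this client under split DNS."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in INTERNAL_NETS):
        return INTERNAL_ZONE
    return EXTERNAL_ZONE


def resolve(name, client_ip, split=True):
    """Return the A record for name, or None for NXDOMAIN.

    split=True  models the split DNS design (same namespace, different zones).
    split=False models the single-zone design: one zone answers everybody.
    """
    if not name.endswith("."):
        name += "."
    zone = select_view(client_ip) if split else INTERNAL_ZONE
    return zone.get(name.lower())


def leaked_names(split, internet_client="198.51.100.7"):
    """Internal-only names an Internet client can still resolve under a design."""
    internal_only = set(INTERNAL_ZONE) - set(EXTERNAL_ZONE)
    return sorted(n for n in internal_only
                  if resolve(n, internet_client, split) is not None)


if __name__ == "__main__":
    print("single zone leaks:", leaked_names(split=False))
    print("split DNS leaks:  ", leaked_names(split=True))
```

The two public names appear in both tables, which is the "duplication of effort" disadvantage in concrete form: every change to a public resource has to be made in the internal and the external zone.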

7
(Skill 1)
Figure 4-2 Using the same namespace but different
zones
8
(Skill 1)
Designing the DNS Namespace (5)
  • Use completely separate DNS namespaces for
    internal and external resources
  • Advantage
  • Provides complete separation of internal and
    external resources
  • Disadvantages
  • Requires maintenance of two separate DNS
    infrastructures
  • Users must make distinction between public and
    private resources
  • May need to register additional domain names

9
(Skill 1)
Figure 4-3 Using completely separate namespaces
10
(Skill 1)
Figure 4-5 An example domain model
11
(Skill 1)
Figure 4-6 An example of using the same
namespaces but different zones for the domain
model
12
(Skill 1)
Figure 4-7 An example of using completely
separate namespaces for the domain model
13
(Skill 2)
Designing the DNS Zone and Replication Models
  • Placement of zones
  • Place a copy of the zone for each domain on at
    least one DNS server within that domain
  • Place additional copies of each zone on other
    servers, for example in remote sites, to reduce
    query traffic across WAN links and provide
    redundancy

14
(Skill 2)
Designing the DNS Zone and Replication Models (3)
  • Standard primary zone
  • A writeable copy of the zone stored in a text
    file (the zone file)
  • Supported by all DNS servers
  • Only one server hosts the standard primary zone;
    it is the single master to which all updates go

15
(Skill 2)
Designing the DNS Zone and Replication Models (4)
  • Standard secondary zone
  • A read-only copy of the zone stored in a text
    file, updated from the primary by zone transfer
  • Typically used to resolve the majority of queries
    and provide redundancy
  • No limit on the number of servers that can host a
    standard secondary zone
  • Supported by all DNS servers

16
(Skill 2)
Designing the DNS Zone and Replication Models (5)
  • Active Directory integrated zone
  • A writeable copy of the zone stored in Active
    Directory and replicated by Active Directory
    replication; every copy is writeable (multimaster)
  • In Windows Server 2003, can be hosted in an
    application directory partition (DomainDnsZones
    or ForestDnsZones) or in the domain partition
  • No limit on the number of Active Directory
    integrated zones in a network, but each copy must
    be hosted on a domain controller
  • Available only in Windows Server 2003 and Windows
    2000 Server

17
(Skill 2)
Designing the DNS Zone and Replication Models (8)
  • Factors of zone and replication topology
    affecting the design choice
  • Server hardware resources available
  • Server operating systems in use
  • Level of redundancy required
  • Available WAN bandwidth between sites
  • Estimated query volume from each site to each
    zone
  • Estimated number of record modifications that
    must be replicated across WAN links

18
(Skill 2)
Figure 4-9 Scenario for DNS replication topology
design
19
(Skill 3)
Planning DNS Interoperability
  • Integration with other services
  • Dynamic Host Configuration Protocol (DHCP)
  • Windows Internet Name Service (WINS)
  • Active Directory
  • Berkeley Internet Name Daemon (BIND) DNS servers

20
(Skill 3)
Planning DNS Interoperability (2)
  • Dynamic Host Configuration Protocol (DHCP)/DNS
    integration provides Dynamic DNS (DDNS), a
    mechanism for registering and updating DNS records
    automatically as clients obtain leases
  • WINS/DNS integration
  • Can configure DNS to perform WINS lookups for
    names it cannot resolve from the zone
  • Useful when the network primarily uses legacy
    systems that rely on NetBIOS as the primary name
    resolution mechanism
  • Active Directory/DNS integration
  • Enables all zone information to be stored in the
    Active Directory database
  • Highly recommended by Microsoft

21
(Skill 3)
Planning DNS Interoperability (3)
  • Features of Active Directory/DNS integration
    (Active Directory integrated zones)
  • Multimaster update model and enhanced security
  • Automatic replication and synchronization of
    zones as part of Active Directory replication, so
    no separate zone transfer topology is needed
  • Simplification of DNS and Active Directory
    maintenance
  • Zone data replicates more efficiently and more
    securely than with standard zone transfers, over
    the authenticated Active Directory replication
    channel between domain controllers
  • Secure dynamic updates, which restrict who may
    create or change a record to authenticated
    computers and users with the corresponding
    permissions

22
(Skill 3)
Planning DNS Interoperability (4)
  • BIND/DNS integration
  • BIND version 4.9.7 is the minimum version that
    includes support for SRV records, which Active
    Directory clients need to locate domain
    controllers
  • Use BIND version 8.1.2 or later if you want to use
    a BIND DNS server as the primary server for a zone
    and take advantage of dynamic updates
  • BIND does not support
  • WINS lookup record types (if a zone containing a
    WINS record is transferred to a BIND secondary,
    mark the record "Do not replicate this record" so
    it is left out of the zone transfer)
  • Active Directory integrated zones

23
(Skill 3)
Figure 4-13 An example of WINS lookups in DNS
24
(Skill 3)
Figure 4-14 The features of Active Directory
integration
25
(Skill 4)
Specifying DNS Features (2)
  • Disable recursion
  • Recursion occurs when a DNS server resolves a
    name it is not authoritative for on the client's
    behalf: it queries the other servers itself (root,
    top-level and finally the authoritative servers)
    and returns the final answer to the client
  • The Disable recursion option is unchecked by
    default, so recursion is on; disabling it also
    disables the use of forwarders
  • Normally want to leave recursion enabled on the
    servers that internal clients use for general
    name resolution
  • Disable it on servers that should only answer for
    their own zones, such as the Internet-facing
    servers hosting the external zone in a split DNS
    design; an authoritative server that also recurses
    for anyone on the Internet is an open resolver,
    and its cache is exposed to whatever responses
    those queries bring back

26
(Skill 4)
Specifying DNS Features (6)
  • Secure cache against pollution
  • Determines whether referral and additional
    records for domain trees not related to the
    original query are retained in the cache or
    discarded
  • Enabled by default
  • When enabled, records for hosts outside the domain
    tree of the original query are not cached; for
    example, an answer to a query for
    www.example.com that also carries an address for
    a host under an unrelated domain has that address
    discarded
  • Helps to secure against rogue DNS referrals to a
    slight degree
  • Can also increase traffic, because the discarded
    records have to be looked up with additional DNS
    queries when they are needed
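The check behind "Secure cache against pollution" is a bailiwick rule: a record piggybacked on a response is only trusted if its name lies within the domain tree the responding server is answering for. The following is an added example, not code from the slides or from the Windows DNS service; it implements that rule over a constructed referral response and also shows why the protection is only partial. The zone names, record data and the `cacheable_records` function are assumptions made for illustration.

```python
"""Bailiwick filtering of piggybacked records (added example)."""


def _labels(name):
    """Split a domain name into lower-cased labels; the root is [""]."""
    return name.rstrip(".").lower().split(".")


def in_bailiwick(record_name, zone):
    """True if record_name is zone itself or lies somewhere beneath it.

    The comparison is label-aligned: "example.com" is NOT under "ample.com",
    which a naive string endswith() check would get wrong.
    """
    rec, zn = _labels(record_name), _labels(zone)
    if zn == [""]:            # the root zone contains every name
        return True
    return len(rec) >= len(zn) and rec[-len(zn):] == zn


def cacheable_records(response_zone, records, secure=True):
    """Return the records a resolver should keep from a referral.

    response_zone: the zone the responding server is authoritative for
                   (what the resolver asked it about).
    records:       (name, rtype, rdata) tuples from the authority and
                   additional sections of the response.
    secure=False models the option switched off: everything is cached.
    """
    if not secure:
        return list(records)
    return [rec for rec in records if in_bailiwick(rec[0], response_zone)]


# Constructed response: a server for example.com answers a query for
# www.example.com and tacks on three extra address records.
SAMPLE_RESPONSE = [
    ("ns1.example.com.", "A", "203.0.113.53"),   # legitimate glue for the zone
    ("ns2.example.net.", "A", "203.0.113.54"),   # different tree: discarded
    ("www.victim.example.", "A", "192.0.2.66"),  # attempt to plant a bogus address
]


if __name__ == "__main__":
    for rec in cacheable_records("example.com", SAMPLE_RESPONSE):
        print("cached:", rec)
```

The second assertion in the usage below is the "slight degree" caveat: a record for any `.com` host is in bailiwick for a response from the `.com` servers, so the rule only discards records that are obviously unrelated. It does nothing against a forged response that stays inside the expected tree, which is why this setting is no substitute for limiting who can make the server recurse at all.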

27
(Skill 4)
Specifying DNS Features (7)
  • Round robin
  • Allows the DNS server to rotate the order of
    multiple host (A) records for the same name, so
    successive responses return the records in
    rotated order, going from first to last, and
    clients are spread across the hosts
  • Enabled by default
  • Should generally be left enabled to make use of
    its load balancing abilities; note that it does
    not check whether the hosts it hands out are up

28
(Skill 4)
Specifying DNS Features (8)
  • Automatic scavenging
  • Automatically removes stale resource records from
    a zone
  • Applies only to dynamically created records, which
    carry a timestamp; manually created entries have
    no timestamp and must be removed manually
  • Disabled by default, and it must be turned on in
    two places: aging on the zone and scavenging on
    the server
  • Enabling it is typically a good idea for
    dynamically created records, so that stale
    addresses do not linger after machines are
    removed or renumbered
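Scavenging decisions depend on two per-zone intervals: a no-refresh interval, during which a repeated dynamic registration of an unchanged record leaves its timestamp alone, and a refresh interval after that, during which a registration does move the timestamp forward. A record whose timestamp is older than the two intervals combined is stale. The following is an added example, not code from the slides or from the Windows DNS service: it models those rules with the Windows Server 2003 default of 7 days for each interval, over a constructed set of records. The record and zone classes and the `demo` scenario are assumptions made for illustration.

```python
"""Model of DNS aging and scavenging decisions (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Record:
    name: str
    rtype: str
    rdata: str
    # None stands for a static record (timestamp 0 in Windows): never aged.
    timestamp: Optional[datetime]


@dataclass
class Zone:
    aging_enabled: bool = False
    no_refresh: timedelta = timedelta(days=7)   # Windows Server 2003 default
    refresh: timedelta = timedelta(days=7)      # Windows Server 2003 default


def dynamic_update(rec: Record, zone: Zone, now: datetime) -> bool:
    """Apply a dynamic re-registration of an unchanged record.

    Returns True if the timestamp was moved. Inside the no-refresh interval
    it is left alone, which keeps routine refreshes from causing replication.
    """
    if rec.timestamp is None:
        return False                      # static records keep timestamp 0
    if now < rec.timestamp + zone.no_refresh:
        return False                      # still in the no-refresh window
    rec.timestamp = now
    return True


def is_stale(rec: Record, zone: Zone, now: datetime) -> bool:
    """A dynamic record is stale once both intervals have elapsed."""
    if not zone.aging_enabled or rec.timestamp is None:
        return False
    return now >= rec.timestamp + zone.no_refresh + zone.refresh


def scavenge(records: List[Record], zone: Zone, now: datetime,
             server_scavenging: bool = True):
    """Return (kept, removed) as one scavenging pass would leave them.

    Nothing is removed unless scavenging is on at the server AND aging is on
    for the zone; both are off by default.
    """
    if not server_scavenging or not zone.aging_enabled:
        return list(records), []
    removed = [r for r in records if is_stale(r, zone, now)]
    kept = [r for r in records if r not in removed]
    return kept, removed


def demo(aging_enabled: bool = True) -> dict:
    """Constructed scenario: two workstations and one static printer record."""
    zone = Zone(aging_enabled=aging_enabled)
    t0 = datetime(2024, 1, 1)
    ws1 = Record("ws1.example.com.", "A", "10.0.0.21", t0)
    ws2 = Record("ws2.example.com.", "A", "10.0.0.22", t0)
    printer = Record("printer.example.com.", "A", "10.0.0.9", None)
    # Day 3: ws1 re-registers inside the no-refresh window, timestamp unchanged.
    refreshed_day3 = dynamic_update(ws1, zone, t0 + timedelta(days=3))
    # Day 10: ws1 re-registers again, past the no-refresh window, timestamp moves.
    refreshed_day10 = dynamic_update(ws1, zone, t0 + timedelta(days=10))
    # Day 15: scavenging runs. ws2 was last seen on day 0 and is past 7 + 7 days.
    kept, removed = scavenge([ws1, ws2, printer], zone, t0 + timedelta(days=15))
    return {
        "refreshed_day3": refreshed_day3,
        "refreshed_day10": refreshed_day10,
        "removed": [r.name for r in removed],
        "kept": [r.name for r in kept],
    }


if __name__ == "__main__":
    print(demo())
```

A practical consequence of the model: a machine that is switched off for longer than the two intervals combined loses its record, so the refresh interval must be longer than the longest expected absence, and the no-refresh interval must be shorter than the DHCP lease so that a client renewing its lease still gets to refresh before it goes stale.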

29
(Skill 4)
Figure 4-15 The default DNS options in Windows
Server 2003
30
(Skill 4)
Figure 4-16 Round robin functionality
31
(Skill 5)
Designing the Physical DNS Structure
  • Considerations for the physical DNS structure
  • DNS servers themselves
  • Server placement
  • Hardware configuration

32
(Skill 5)
Designing the Physical DNS Structure (2)
  • Caching-only DNS server
  • DNS server without a zone database
  • Entire function is to resolve names for clients
    and cache those resolutions
  • Useful when client resolution traffic impacts the
    performance of a WAN link, but traffic from zone
    transfers would impact the WAN link even more
    severely, making installing a secondary or Active
    Directory integrated server unreasonable

33
(Skill 5)
Designing the Physical DNS Structure (3)
  • Hardware configuration
  • A pilot deployment is the best way to accurately
    determine hardware needs
  • DNS is not typically a processor-intensive service
  • Disk and networking subsystems are the most
    important
  • Disk subsystem should use some form of disk
    striping
  • RAID 5 array ideally suited to the needs of most
    DNS servers
  • RAM is also an important consideration, since the
    zone data and cache are held in memory