This tutorial covers the installation of DNS on a Windows 2003 system. By reading through it you will learn about the caveats that need to be noted when installing one of the most important services on a Windows network.
Key points will be highlighted that will help to make the installation of DNS on Windows 2003 effective. This article has a security slant, as security is a compelling part of any well-built network. Planning of the DNS installation is beyond the scope of this article and will be covered in later articles.
The installation of DNS is not in itself complicated, but mitigating aspects and considerations need to be addressed so that security is taken into account, and so that planning and redundancy have been factored in to allow for normal operational downtime without disruption to the clients. Specific rules, such as where to place such a server and how to secure it, need to be taken into consideration; adequate planning will result in a successful rollout of the service.
TCP/IP uses IP addresses to locate and connect to hosts. People are not partial to remembering numbers and prefer friendly names, hence the need for DNS (Domain Name Service). For example, users prefer the friendly name www.windowsecurity.com to its IP address, 69.20.*.*. DNS, defined in RFCs 1034 and 1035, provides a standard naming convention for locating IP-based computers.
Historically, files located on the local machine were used for name resolution. These files, known as hosts files, had to be maintained and updated by an administrator on every machine so that names could be resolved. Imagine maintaining a hosts file for all of the internet domain names and subdomains of today. Hence the birth of the distributed database that is around today, called DNS: a wonderful service run by a myriad of ISPs and internet authorities that resolves the friendly names users type into their browsers, or use to connect to resources, into IP addresses. For more information on the process, refer to RFCs 1034 and 1035.
If you are running Windows 2003 you will soon realize that DNS is a vital service that Active Directory cannot function without. The reason is that, instead of alternate methods like WINS (Windows Internet Naming Service), DNS is used because it is more versatile and platform independent. DNS is necessary, as you already know, to resolve names, and Active Directory and the other services and applications that interoperate with it have come to rely on DNS, if not take it for granted.
DNS is useful and necessary in all functional Active Directory networks; for this reason it is recommended that the server on which DNS is installed is secured and isolated from radical change. To ensure that the server is always available, be certain that no one makes changes to it without testing and backing up the configuration. In most cases a successful backup strategy ensures that in the event of a minor mishap or disaster the configuration can be restored on an alternate system. Do not overlook DNS here: complex configurations can be difficult to restore without documentation and prior knowledge of the destroyed system. It is always a good idea to mitigate your risk by splitting the DNS function onto two servers, one primary and one secondary, so that if one goes down DNS does not lose availability.
In terms of integrity, you need to ensure that no one but authorized users has access to and control over the DNS server. This is important, as you do not want your resources abused and misconfigured by intruders who have other plans for your vital naming service. If you are in a high-security environment it is essential that this server be locked down, as it is an easy target for intruders who want to cause a denial of service on your Active Directory.
It may be a good idea to only let LAN users that are part of the domain query your DNS server, to ensure the confidentiality of your naming conventions and other sensitive information. By adding these additional layers to your DNS server you can be assured of.
DNS uses TCP and UDP port 53 for lookups and zone transfers. These ports need to be opened on the firewall if lookups must cross the firewall to reach your internal DNS server. Note: this decision will be made in the planning phase and should be carefully calculated. From a security perspective, only publish services to the public domain if it is necessary. If you would like to administer the DNS server remotely you will need to open RPC port 135; only do this if it is necessary and if you have secured the server. If you are using ISA Server there are predefined protocol filters that you can enable.
Most network professionals use DHCP to assign IP addresses dynamically. In this exercise, use DHCP only to hand the DNS server's address to the clients; do not give the server itself a DHCP address. Doing so will not only break your DNS configuration but will also render your DNS server non-functional, as the clients will be confused and will not know where to find the DNS server when its address keeps changing.
Please make sure that all of the Windows updates have been applied and that the latest drivers and ROM packs (firmware) have been loaded on the server and applied to the hardware. This is essential, as you do not want to be applying these changes at a later stage when the machine is in production; skipping this step will cause unnecessary downtime in the future. Please also make sure that a static IP address is assigned to the server before beginning the installation process.
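The recommendations above (a primary plus a secondary, control over who may pull the zone, LAN-only queries and a tightly scoped RPC port) can be applied from the command line once the DNS service is installed. The script below is an added example written for this article, not code from the original or from Microsoft; it assumes the zone corp.example.com, a server at 192.168.1.10, a secondary at 192.168.1.11, the LAN subnet 192.168.1.0/24 and an administrator workstation at 192.168.1.50, all of which are placeholders. It uses dnscmd (from the Windows Server 2003 Support Tools) and the netsh firewall context that Windows Server 2003 SP1 provides.

```batch
@echo off
rem Hypothetical hardening script for a Windows Server 2003 DNS server.
rem Assumed values (not from the article); adjust to your environment.
set DNSSRV=192.168.1.10
set SECONDARY=192.168.1.11
set LANSUBNET=192.168.1.0/255.255.255.0
set ADMINPC=192.168.1.50
set ZONE=corp.example.com

rem --- Availability: a primary plus a secondary so one server can go down ---
rem Create the zone as a standard primary here; on the second server run
rem   dnscmd /ZoneAdd %ZONE% /Secondary %DNSSRV%
dnscmd %DNSSRV% /ZoneAdd %ZONE% /Primary /file %ZONE%.dns

rem --- Integrity: only the named secondary may pull a zone transfer, and it is
rem notified of changes so the two copies stay in step ---
dnscmd %DNSSRV% /ZoneResetSecondaries %ZONE% /SecureList %SECONDARY% /NotifyList %SECONDARY%

rem Discard answers that do not belong to the queried domain (cache pollution protection)
dnscmd %DNSSRV% /Config /SecureResponses 1

rem Answer only on the LAN-facing address rather than on every interface
dnscmd %DNSSRV% /ResetListenAddresses %DNSSRV%

rem --- Confidentiality: port 53 reachable from the LAN only; RPC 135 for remote
rem administration only from the admin workstation (Windows Firewall, 2003 SP1) ---
netsh firewall add portopening protocol=UDP port=53 name="DNS (UDP)" mode=ENABLE scope=CUSTOM addresses=%LANSUBNET%
netsh firewall add portopening protocol=TCP port=53 name="DNS (TCP)" mode=ENABLE scope=CUSTOM addresses=%LANSUBNET%
netsh firewall add portopening protocol=TCP port=135 name="RPC endpoint mapper (DNS admin)" mode=ENABLE scope=CUSTOM addresses=%ADMINPC%

rem Print the resulting server and zone settings so they can be recorded
rem in the change documentation the article asks you to keep
dnscmd %DNSSRV% /Info
dnscmd %DNSSRV% /ZoneInfo %ZONE%
```

The /SecureList option is the piece that enforces the integrity point: with it, a zone transfer request from any address other than the listed secondary is refused, so an outsider cannot download the whole zone. The firewall scopes do the rest; if the server must also answer queries from the Internet, widen the port 53 scope deliberately as part of the planning phase rather than by default.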
After all that preamble we are now ready to start installing DNS on our newly configured and prepared server.
Ensure that Windows Server 2003 Standard is installed and that a static IP address has been assigned. Figure 1.1 depicts how DNS should be configured under the advanced TCP/IP settings. In the DNS settings you must point the server to itself for DNS resolution. If external internet names need to be resolved you can configure a forwarder so that the requests are sent to the DNS server of the ISP or to another external DNS server. Selecting a DNS server that is consistently up is paramount, as external name resolution rests on this resource.
Figure 1.1
Click Start, Control Panel, Add or Remove Programs, and then Add or Remove Windows Components. In the Components list, click Networking Services and then click Details; select the Domain Name System (DNS) check box and then click OK. Follow figure 1.2 below for guidance.
Figure 1.2
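The preparation and installation steps above (static address, the server pointing to itself, the DNS component, a forwarder for external names and DHCP handing the server address to clients) can also be scripted for a repeatable build. The script below is an added example for this article, not code from the original or from Microsoft; the interface name, addresses and the ISP resolver 203.0.113.53 are placeholders, and the DHCP step assumes the DHCP Server service runs on the same machine. The unattended install uses sysocmgr with a [NetOptionalComponents] answer file, which installs the same component as the Add or Remove Windows Components dialog.

```batch
@echo off
rem Hypothetical build script for a new Windows Server 2003 DNS server.
rem Assumed values (not from the article); adjust to your environment.
set NIC=Local Area Connection
set DNSSRV=192.168.1.10
set MASK=255.255.255.0
set GATEWAY=192.168.1.1
set ISPDNS=203.0.113.53
set DHCPSCOPE=192.168.1.0

rem 1. Static address first: a DNS server must never take its address from DHCP.
netsh interface ip set address name="%NIC%" source=static addr=%DNSSRV% mask=%MASK% gateway=%GATEWAY% gwmetric=1

rem 2. The server points to itself for name resolution (as in Figure 1.1).
netsh interface ip set dns name="%NIC%" source=static addr=%DNSSRV% register=primary

rem 3. Install the DNS component unattended. The redirection is written before
rem    the echo so that "1>>" is not mistaken for a handle redirect by cmd.exe.
>%TEMP%\dns-install.txt echo [NetOptionalComponents]
>>%TEMP%\dns-install.txt echo DNS=1
sysocmgr /i:%windir%\inf\sysoc.inf /u:%TEMP%\dns-install.txt /q

rem 4. Forward names this server is not authoritative for to the ISP resolver.
rem    Without /Slave the server still falls back to the root hints if the
rem    forwarder does not answer within the timeout.
dnscmd %DNSSRV% /ResetForwarders %ISPDNS% /Timeout 5

rem 5. Hand the DNS server address to clients through DHCP option 006
rem    (assumes the DHCP Server service is on this machine; otherwise run it there).
netsh dhcp server scope %DHCPSCOPE% set optionvalue 006 IPADDRESS %DNSSRV%

rem 6. Confirm the service is running and show its settings before testing.
sc query DNS
dnscmd %DNSSRV% /Info
```

Step 1 is deliberately first: if the address were changed after DNS was installed and handed out to clients, every client would lose its resolver, which is exactly the failure the article warns about when a DNS server is given a DHCP lease.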
After installing DNS you will need to test whether the installation was successful and whether you are able to resolve names. Nslookup is a built-in utility that can be used to test whether the service has been installed and configured correctly. Remember to test both internal and external names before concluding your tests. After you type nslookup, it connects to the server configured in your TCP/IP properties or, if you run the command from a client, to the DNS server handed out by DHCP. You can then type in the name you want to look up, e.g. www.google.com or machine.localdomain.net, and it will resolve the name to an IP address. If this happens you have installed and configured DNS correctly.
C:\>nslookup
*** Default servers are not available
Default Server:  UnKnown
Address:  127.0.0.1

> help
Commands:   (identifiers are shown in uppercase, [] means optional)
NAME            - print info about the host/domain NAME using default server
NAME1 NAME2     - as above, but use NAME2 as server
help or ?       - print info on common commands
set OPTION      - set an option
    All                 - print options, current server and host
    [no]debug           - print debugging information
    [no]d2              - print exhaustive debugging information
    [no]defname         - append domain name to each query
    [no]recurse         - ask for recursive answer to query
    [no]search          - use domain search list
    [no]vc              - always use a virtual circuit
    domain=NAME         - set default domain name to NAME
    srchlist=N1[/N2/.../N6] - set domain to N1 and search list to N1,N2, etc.
    root=NAME           - set root server to NAME
    retry=X             - set number of retries to X
    timeout=X           - set initial time-out interval to X seconds
    type=X              - set query type (ex. A,ANY,CNAME,MX,NS,PTR,SOA,SRV)
    querytype=X         - same as type
    class=X             - set query class (ex. IN (Internet), ANY)
    [no]msxfr           - use MS fast zone transfer
    ixfrver=X           - current version to use in IXFR transfer request
server NAME     - set default server to NAME, using current default server
lserver NAME    - set default server to NAME, using initial server
finger [USER]   - finger the optional NAME at the current default host
root            - set current default server to the root
ls [opt] DOMAIN [> FILE] - list addresses in DOMAIN (optional: output to FILE)
    -a          - list canonical names and aliases
    -d          - list all records
    -t TYPE     - list records of the given type (e.g. A,CNAME,MX,NS,PTR etc.)
view FILE       - sort an 'ls' output file and view it with pg
exit            - exit the program.
If all is well, when you type nslookup at a command prompt you will be connected to the DNS server configured either by DHCP or statically.
In this article I covered the important stages of a DNS installation and basic recommendations relating to security and architecture. It is important to understand these processes and to take the security recommendations into consideration before installing DNS. Remember that DNS is your central point of failure, as it is the naming system that Windows uses.
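The interactive session above is fine for a one-off check, but the article's advice to test both internal and external names is easier to repeat after every change if it is scripted. The script below is an added example for this article, not part of the original; the server address and the test names are placeholders. It runs nslookup non-interactively against the new server and flags a lookup as failed when nslookup prints one of its error strings, which on Windows go to standard output.

```batch
@echo off
setlocal enabledelayedexpansion
rem Hypothetical post-install check; the address and names are assumptions.
set DNSSRV=192.168.1.10
rem One internal name (answered from the local zone) and one external name
rem (answered through the forwarder), as the article recommends testing both.
set NAMES=machine.corp.example.com www.google.com

set FAILED=0
for %%N in (%NAMES%) do (
    rem "nslookup NAME SERVER" queries SERVER directly instead of the default.
    rem findstr succeeds (errorlevel 0) only if an nslookup error string is present.
    nslookup %%N %DNSSRV% 2>&1 | findstr /i /c:"can't find" /c:"Non-existent domain" /c:"timed out" /c:"timed-out" >nul
    if !errorlevel! equ 0 (
        echo FAIL  %%N
        set /a FAILED+=1
    ) else (
        echo OK    %%N
    )
)

rem A clean run means the server answers for its own zone and forwards the rest.
if %FAILED% gtr 0 (
    echo %FAILED% lookups failed - check the forwarder, the zone and port 53 access
    exit /b 1
)
echo All lookups resolved through %DNSSRV%
exit /b 0
```

Running this from a domain client as well as on the server itself exercises the two paths the article describes: the statically configured resolver on the server, and the address the clients received from DHCP. An internal name that fails while the external one succeeds points at the zone; the reverse points at the forwarder or at port 53 being blocked on the way out.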
writer: Ricky M. Magalhaes