Sunday, April 13, 2008

DNS QUERIES & TYPES IN ACTIVE DIRECTORY



Most DNS clients send one of two types of query when they resolve names and IP addresses. A short summary follows. The two most common query types, iterative and recursive, are explained in the article below. Stub zones were introduced with Windows Server 2003 Active Directory, and they are not a replacement for forwarding.

Common DNS Queries

  • Iterative query: DNS servers use this type of query, and some applications may use it too; all the heavy lifting is handled by the client.
  • Recursive query: Windows clients use this type of query and expect a definitive answer; this time all the heavy lifting is done by the DNS server, unlike the iterative query.
  • Forward lookup zone (standard primary DNS zone): when DCPromo runs with the DNS installation option, the forward lookup zone is created. It contains the DNS records that support Active Directory operations; Active Directory works closely with DNS, the forward lookup zone and its records. In most DNS lookups a client performs a forward lookup, which is a search based on the DNS name of another computer as stored in an address (A) resource record. This type of query expects an IP address as the resource data in the answer.
  • Reverse lookup zone: created per subnet. The records created in a reverse lookup zone are called PTR (pointer) records. DNS also provides a reverse lookup process, enabling clients to use a known IP address during a name query and look up a computer name based on its address. A reverse lookup takes the form of a question such as "Can you tell me the DNS name of the computer that uses the IP address 192.168.1.2?" DNS was not originally designed to support reverse lookup queries. AD does not rely on the reverse lookup zone; this zone is optional, but it is strongly recommended by me and by anyone out there who works with Active Directory.
  • Stub zone: a read-only zone that holds just enough information to locate the authoritative DNS servers for a zone; it is a little zone.


Iterative query (DNS servers use this)


The client expects the best answer the server has. The DNS server does not query other DNS servers on the client's behalf; it may instead refer the client to another DNS server.


The client asks its configured DNS server (the client knows its DNS server because, most likely, it was simply handed out with the DHCP lease).

Let's say the client sends a query to its configured DNS servers, trying to locate the web server resource hosted in the name space "Sales.Smtp25.org".

Example Query:

Client DNS name space: "fabrikam.local"

The client's DNS server is authoritative for the DNS name space "fabrikam.local".


The client asks its configured DNS servers:


  • Who is Sales.Smtp25.org? (I need to know the IP address of this resource so that I can open a direct TCP/IP connection to the server.)
  • The client's DNS server ("fabrikam.local") is not authoritative for Sales.Smtp25.org, so the client's DNS server tells the client:
  • Hey, I am not authoritative for this DNS name space, don't ask me, go ask the .ORG domain. It advises the client to go talk to the .ORG DNS servers (it gives the client the IP address of a .ORG DNS server).
  • The client goes out, finds the .ORG DNS server and asks the same question:
  • Hey, I need to access the resources on Sales.Smtp25.org; I was given your IP by my local DNS server.
  • Do you know the IP address of Sales.Smtp25.org?
  • The .ORG server says to the client: sorry buddy, I do not know the answer to your question, but I know the IP address of the SMTP25.org server, do you want it?
  • The client says sure, and this time goes and asks the server that owns "SMTP25.org":
  • Hey, I really need to get to sales.SMTP25.org; I am tired, everyone is referring me one step at a time. Do you know the IP address of the "sales.SMTP25.org" resource?
  • This time the server says sure, here is the IP address of the resource you have been trying to access: X.X.X.X
  • Finally the client gets the IP address of the resource it has been trying to access, opens a direct TCP/IP connection and starts seeing the website for the requested name space.

As you can see, the client had to do a lot of work to get to sales.SMTP25.org. It was not easy, was it?

Recursive queries (Windows clients typically send recursive queries)

The same story holds for recursive queries, except that this time the heavy lifting is done by the DNS server instead of the client; the client gets a definitive answer about the resource it is trying to access. The DNS server performs all the iteration on behalf of the client.

Let's imagine for a second (iterative imagination):

  • This is much like staying at a very expensive hotel, and you are from Kolkata. As nature calls, right in the middle of the night you need to smoke and find out you are out of cigarettes. You ring the bell for the bellboy and ask him to get you a pack.
  • The bellboy tells you: hey, the store is down the street, go get it yourself, I am busy, and don't bother me next time.
  • You walk down the street and the store attendant tells you: we don't sell it here, but here is the address of the next store that sells it, and it is within walking distance. Now you have another address; you take another 15 minutes and finally get there, and the store attendant says again: sorry buddy, we don't sell it here, but I am sure this other store has it, and directs you to another store. Again you are on your way; you finally get there, get your pack, go back to the hotel and you are finally happy. You light one up, thinking: that was hard to get.

PS: One of my best friends is from Kolkata (Pushpendu Biswas, smart as hell). I know one thing about Kolkata for sure: if he cannot smoke, the air will poison him and he would die, therefore smoking is the most important thing for him (-:

Let's imagine for a second (recursive imagination):

  • This time, surprisingly, the bellboy has done all the hard work for you, and you got your pack without any hassle.

Stub zone (enhances delegation; it is not a replacement)

  • A stub zone contains specific information about a specific zone; it is a little zone. It holds the NS records, the SOA record and the A records (known as glue records) for that zone's name servers. The stub zone is read-only; changes must be made on the authoritative server.
  • In a disjoint name space scenario stub zones can be very effective, because stub zones get updated automatically, unlike delegations.
  • Stub zones may increase efficiency: they reduce traffic and improve DNS performance. A stub zone can reduce recursion and give a direct answer to the requester.
  • Stub zones get updated automatically, unlike delegations (delegations are static: the name servers for the delegated domain must be updated manually).

Forwarding in DNS

  • When a query comes to your DNS server and your server does not know the answer, the forwarder setting tells your DNS server where to forward the query.
  • Forwarders are a single point of failure and they carry a high, heavy load; most likely the forwarder is your ISP's DNS server, which might make you say, so who cares?

Conditional forwarding (new feature in Windows 2003)

The DNS server knows about a specific DNS name space and the IP addresses of the destination DNS servers for that name space. When a query comes in for that name space, the DNS server looks at its conditional forwarders and knows where to forward the query. This is very useful in complicated DNS scenarios.
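To make the two walks concrete, here is a small Python model added for this post (it is not part of the original article, and the server names, host names and addresses are constructed). It plays through the iterative chain above, where the client follows each referral itself; the recursive variant, where the server walks the chain and caches the answer; and the conditional-forwarder case, where the local server sends the query straight to the SMTP25.org server and skips the .ORG hop.

```python
# Toy model of the referral chain in this post. All servers, names and
# addresses are constructed for the example. Each server answers only for
# names it holds; otherwise it refers the asker one step closer to the answer
# (the real-world root-hint step is collapsed into the "org" referral).
SERVERS = {
    "dns.fabrikam.local": {"records": {"dc1.fabrikam.local": "10.0.0.10"},
                           "refer": {"org": "ns.org"}},        # "go ask .ORG"
    "ns.org": {"records": {}, "refer": {"smtp25.org": "ns.smtp25.org"}},
    "ns.smtp25.org": {"records": {"sales.smtp25.org": "203.0.113.25"}},
}
CACHE = {}   # the recursive server's cache, keyed by name


def ask(server, name):
    """One non-recursive question to one server.
    Returns ("answer", ip), ("referral", next_server) or ("nxdomain", None)."""
    s = SERVERS[server]
    if name in s["records"]:
        return "answer", s["records"][name]
    # Longest matching suffix wins, so a "smtp25.org" entry beats "org".
    for suffix, nxt in sorted(s.get("refer", {}).items(), key=lambda kv: -len(kv[0])):
        if name == suffix or name.endswith("." + suffix):
            return "referral", nxt
    return "nxdomain", None


def iterative(name, start="dns.fabrikam.local"):
    """Iterative resolution: the asker follows every referral itself.
    Returns (ip_or_None, list of servers visited in order)."""
    trail, server = [], start
    while True:
        trail.append(server)
        kind, data = ask(server, name)
        if kind != "referral":
            return data, trail
        server = data


def recursive(name, server="dns.fabrikam.local"):
    """Recursive resolution: the client asks once; the server walks the chain
    on its behalf and caches the result for the next client."""
    if name not in CACHE:
        CACHE[name] = iterative(name, server)[0]
    return CACHE[name]


def with_conditional_forwarder(name, forwarders, start="dns.fabrikam.local"):
    """Conditional forwarding: queries for a configured name space go straight
    to the named server, so the .ORG hop is skipped."""
    for suffix, target in forwarders.items():
        if name == suffix or name.endswith("." + suffix):
            ip, trail = iterative(name, target)
            return ip, [start] + trail
    return iterative(name, start)
```

Compare the trail returned by `iterative("sales.smtp25.org")` (three servers) with the one from `with_conditional_forwarder("sales.smtp25.org", {"smtp25.org": "ns.smtp25.org"})` (two servers) to see the hop the conditional forwarder removes.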

Some of the best practices

  • Most of the time the recommended settings are defined by the needs of the business.
  • DO NOT turn on scavenging on multiple domain controllers.
  • Configure scavenging on one DC only.
  • Turn recursion off if you are sure you know how your DNS traffic flows.
  • Use a forwarder for Internet name resolution; let the ISP DNS servers handle the heavy lifting.
  • On the Interfaces tab of the DNS server properties, make sure you select the option "Only the following IP addresses"; in most cases more than one interface is no good for domain controllers.
  • Enable "Fail on load if bad zone data".
  • Enable round robin.
  • Enable "Secure cache against pollution".
  • Name checking: "Multibyte (UTF8)".
  • Enable netmask ordering.
  • Load zone data on startup: "From Active Directory and registry".
  • Use the Monitoring tab to test queries (simple and recursive).

Oz ozugurlu,

Systems Engineer

MCITP (EMA), MCITP (SA),

MCSE 2003 M+ S+ MCDST

Security Project+ Server+

oz@SMTp25.org

http://smtp25.blogspot.com
