DNS zones are a central concept in DNS infrastructure: they let DNS domains be logically separated and managed in parts. This lesson provides a foundation for understanding how zones relate to DNS domains and describes the different types of DNS zones available in the Windows Server 2008 DNS role.
What is a DNS zone?
A DNS zone hosts all of a domain and its subdomains, or only part of them. The illustration accompanying this lesson shows how a subdomain can belong to the same zone as its parent or be delegated to a separate zone. The microsoft.com domain is divided into two zones. The first zone hosts www.microsoft.com and ftp.microsoft.com. example.microsoft.com is delegated to a second zone, which hosts example.microsoft.com and its subdomains ftp.example.microsoft.com and www.example.microsoft.com.

Important: the zone hosting the parent domain (microsoft.com) must explicitly delegate example.microsoft.com to the second zone, with NS records (and glue A records for the child's name servers) at the delegation point. If this is not done, names under example.microsoft.com are treated as part of the parent zone: the parent zone answers authoritatively for them, so a query for www.example.microsoft.com gets a negative answer (NXDOMAIN) instead of being referred to the child zone.
Zone data can be replicated to more than one server, which adds redundancy: the information needed to locate resources in the zone then exists on several servers. Redundancy requirements alone can justify creating separate zones. A zone in which critical servers are defined will most likely be given a higher level of redundancy than a zone that holds no critical servers.
A zone can hold records for a single domain or for several domains. A zone can host more than one domain only if the domains stand in a direct parent-child relationship, that is, they form a contiguous part of the namespace.
A zone is also the physical representation of one or more DNS domains. For example, for the DNS domain prodaja.linkgroup.com we can create a zone named prodaja.linkgroup.com on the DNS server, and that zone then holds all the resource records for that domain.
DNS allows the DNS address space to be divided into zones. For each DNS domain name that is included in a zone, the zone becomes the authoritative source for information related to that domain.
Zone data is maintained on DNS servers. A single DNS server can host no zones, one zone or many zones, and each zone can be authoritative for one or more DNS domains. Zone data is stored either in text files or in the Active Directory database.
Zone characteristics include the following:
- A zone holds the records (host name to IP address translations and other resource records) for the part of the DNS namespace that the zone covers.
- Zone data is maintained on a DNS server and is stored in one of two ways: as a zone text file containing the records, or in the Active Directory database.
- A DNS server is authoritative for a zone if it hosts a complete copy of that zone (primary or secondary) and can answer queries for names in the zone from its own data, without asking another server.
By using different zone types, we can configure our DNS solution to best meet the needs of our organization. For example, it is recommended to configure the primary zone and a secondary zone on different servers, so that name resolution keeps working if one of the two servers fails. A stub zone is appropriate when the full zone is maintained on other DNS servers and our server only needs to know which servers are authoritative for it.
Primary zone: the primary zone is the authoritative, writable copy of the DNS zone, in which resource records are created and maintained. When we set up DNS servers to host a zone for a domain, the primary server is normally online and accessible for zone administration.
Secondary zone: the secondary zone is a read-only copy of the zone, obtained from the primary (or from another secondary) by zone transfer. Records in a secondary zone cannot be changed or deleted; administrators modify and delete records only in the primary zone, and the change is then transferred to the secondaries. At least one secondary zone is configured when we want fault tolerance, and additional secondary servers can be placed at other locations so that clients there can resolve zone records without crossing expensive WAN links.
Stub zone: a stub zone is a copy that contains only the records needed to identify the authoritative DNS servers for the zone: the SOA record, the NS records and the A (glue) records of those name servers. A stub zone is like a pointer that simply shows which DNS servers are authoritative for the zone. Stub zones are also useful when the root hints point at an internal DNS server rather than at the Internet root servers, for example on a server that, for security reasons, is meant to resolve only selected zones.
AD-integrated zone: AD-integrated zones have two main advantages: multimaster replication (the zone can be written on any domain controller that hosts it), and a dynamic DNS (DDNS) registration process whose load is spread across those domain controllers and which can be restricted to secure, authenticated updates. These zones also have drawbacks: zone replication through Active Directory deviates from the zone-transfer mechanism that the DNS RFCs prescribe, and every server that is to hold an AD-integrated copy must be a domain controller running the DNS Server role. Active Directory itself depends on DNS, and the domain controller promotion wizard offers to install the DNS Server role. A zone created on a DNS server that is also a domain controller can be stored as an AD-integrated zone.
AD-integrated DNS zones have several advantages compared to standard zones (primary, secondary and stub). AD-integrated zones use Active Directory:
- to store the zone data in the Active Directory database instead of in a zone file
- to replicate the zone through Active Directory replication instead of zone transfer
- to offer secure-only dynamic updates, an option a standard primary zone does not have (a standard primary zone allows either no dynamic updates or both secure and non-secure updates)
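As an added example (not part of the original lesson), the following PowerShell session creates each of the zone types described above with dnscmd.exe, the command-line tool that ships with the Windows Server 2008 DNS role, and sets the two settings that matter most for security: who may pull the zone by transfer, and who may update it dynamically. The server names (DNS1, DNS2, DC1), zone names and IP addresses are assumptions; run it from an account that is a DNS administrator on those servers.

```powershell
# Added example, not from the lesson: create each zone type with dnscmd.exe.
# DNS1, DNS2, DC1, the zone names and the IP addresses are assumptions.
$primaryServer   = "DNS1"            # hosts the file-backed primary zone
$secondaryServer = "DNS2"            # hosts a read-only copy pulled by zone transfer
$dc              = "DC1"             # domain controller running the DNS Server role
$fileZone        = "corp.example"    # standard (file-backed) zone
$adZone          = "ad.corp.example" # AD-integrated zone

# 1. Standard primary zone, stored as %SystemRoot%\System32\dns\corp.example.dns
dnscmd $primaryServer /ZoneAdd $fileZone /Primary /file "$($fileZone).dns"

# 2. Secondary zone on DNS2, transferring the zone from the primary at 10.0.0.1
dnscmd $secondaryServer /ZoneAdd $fileZone /Secondary 10.0.0.1

# Allow transfers of the primary only to the listed secondary (10.0.0.2).
# Other choices: /NonSecure (any host may pull the whole zone), /SecureNs (only
# servers named in the zone's NS records), /NoXfr (no transfers at all).
dnscmd $primaryServer /ZoneResetSecondaries $fileZone /SecureList 10.0.0.2

# 3. Stub zone for a partner namespace: keeps only SOA, NS and glue A records,
# refreshed from the partner's master server at 192.0.2.53
dnscmd $primaryServer /ZoneAdd partner.example /Stub 192.0.2.53

# 4. AD-integrated primary zone: stored in Active Directory and replicated by
# AD replication, so no zone-transfer relationship is needed between DCs
dnscmd $dc /ZoneAdd $adZone /DsPrimary

# Dynamic update policy: 0 = none, 1 = non-secure and secure, 2 = secure only.
# Value 2 is accepted only for AD-integrated zones.
dnscmd $dc /Config $adZone /AllowUpdate 2

# Review the result: zone type, storage (file or DS), update and transfer settings
dnscmd $primaryServer /ZoneInfo $fileZone
dnscmd $dc /ZoneInfo $adZone
dnscmd $primaryServer /EnumZones
```

In the /ZoneInfo output, the zone-transfer setting appears as a "secure secondaries" value (0 = any server, 1 = NS-listed servers only, 2 = the listed servers only, 3 = no transfers) and the update setting as the AllowUpdate value above. A zone left at "any server" hands its complete record set to anyone who can reach TCP port 53, which is why the secondary list is set explicitly here.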
What are Forward and Reverse Lookup Zones?
After deciding whether our zone will be a primary, secondary or stub zone, we need to decide which type of lookup zone the records will be placed in: a forward lookup zone or a reverse lookup zone. Forward lookup zones resolve host names to IP addresses and most often host A, CNAME, SRV, MX, SOA and NS records. Reverse lookup zones resolve IP addresses to domain names and host SOA, NS and PTR records.
Administrators can host translations in either direction, host name to IP address or IP address to host name. The type of translation we need for a zone depends on how our clients and services will query for the zone's records.
Forward lookup zone: in DNS, a forward lookup is a query in which a host's DNS name is looked up to find the corresponding IP address. In DNS Manager, forward lookup zones are named after DNS domain names and typically contain host address (A) records.
Reverse lookup zone: in DNS, a reverse lookup is a query in which a host's IP address is looked up to find the corresponding DNS name. In DNS Manager, reverse lookup zones are named under the in-addr.arpa domain (for IPv4; ip6.arpa is used for IPv6) and typically contain PTR records.
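The in-addr.arpa name of a reverse lookup zone is the network part of the address with its octets reversed, which is easy to get wrong by hand. As an added example (not from the original lesson), this PowerShell function derives the zone name from an IPv4 network and prefix length, then uses dnscmd.exe to create the zone and add the PTR record that matches an A record in the forward zone. The server name DNS1, the addresses and the host names are assumptions.

```powershell
# Added example, not from the lesson. DNS1, 192.168.10.0/24 and the host names are assumptions.
function Get-ReverseZoneName {
    param(
        [string]$Network,      # network address, e.g. 192.168.10.0
        [int]$PrefixLength     # 8, 16 or 24
    )
    # in-addr.arpa zones are delegated on octet boundaries; a /24 keeps three
    # octets, a /16 two, a /8 one. Other prefix lengths need classless delegation
    # (RFC 2317), which this helper does not handle.
    if ($PrefixLength % 8 -ne 0 -or $PrefixLength -lt 8 -or $PrefixLength -gt 24) {
        throw "PrefixLength must be 8, 16 or 24"
    }
    $keep   = $PrefixLength / 8
    $octets = $Network.Split('.')[0..($keep - 1)]
    [array]::Reverse($octets)            # most specific octet first
    return ($octets -join '.') + ".in-addr.arpa"
}

$dnsServer   = "DNS1"
$forwardZone = "corp.example"
$reverseZone = Get-ReverseZoneName -Network "192.168.10.0" -PrefixLength 24

# Reverse zone as a file-backed primary zone
dnscmd $dnsServer /ZoneAdd $reverseZone /Primary /file "$($reverseZone).dns"

# A record in the forward zone and the matching PTR in the reverse zone.
# The PTR node name is the host part of the address; the trailing dot marks the
# target as an absolute name so the zone name is not appended to it.
dnscmd $dnsServer /RecordAdd $forwardZone www A 192.168.10.25
dnscmd $dnsServer /RecordAdd $reverseZone 25 PTR www.corp.example.

# Check both directions against that server
nslookup www.corp.example $dnsServer
nslookup 192.168.10.25 $dnsServer
```

For 192.168.10.0/24 the function yields 10.168.192.in-addr.arpa, and the PTR record for 192.168.10.25 lives at node 25 of that zone. Forward and reverse records are independent; nothing in DNS keeps them in sync, so a host renamed only in the forward zone will keep resolving to its old name in reverse until the PTR is updated as well.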
In the picture below we see what Reverse and Forward Lookup zones are:

What are stub zones?
A stub zone is a copy of a zone that contains only the resource records needed to identify the authoritative DNS servers for that zone. A stub zone allows names to be resolved across separate DNS namespaces, which may be necessary when two companies that are merging need the DNS servers of two separate namespaces to resolve names for clients in both of them.
DNS Zone Delegation
DNS is a hierarchical system, and zone delegation links the levels of the hierarchy together. A delegation marks the next level down in the hierarchy and identifies the name servers (NS records) responsible for the lower-level domain. DNS lets us divide the namespace into one or more zones, which we can then place, distribute and replicate across DNS servers.
When deciding whether to split the DNS namespace and create additional zones, we should consider the following reasons for using additional zones:
- The need to delegate the management of part of the DNS address space to another location or another department within the organization.
- The need to divide one large zone into smaller zones to distribute the traffic load between multiple servers, which improves DNS name-resolution performance and creates a fault-tolerant DNS environment.
- The need to extend the namespace by adding many subdomains at once, for example to support a new branch office or site.
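The delegation warned about earlier (the parent zone must delegate the subdomain, or it will answer for it itself) and the NS records described in this section come down to two records in the parent zone. As an added example (not from the original lesson), the following PowerShell session uses dnscmd.exe to create a child zone on a second server and delegate it from the parent zone. The server names DNS1 and DNS3, the zone names corp.example and sales.corp.example, and the IP addresses are assumptions.

```powershell
# Added example, not from the lesson. DNS1, DNS3, the zone names and addresses are assumptions.
$parentServer = "DNS1"              # authoritative for corp.example
$childServer  = "DNS3"              # will be authoritative for sales.corp.example
$childNsIP    = "10.0.0.3"          # address of DNS3
$parentZone   = "corp.example"
$childZone    = "sales.corp.example"

# 1. Child zone on the server that will own it. The zone's own NS record names a
#    server inside the delegated subdomain, so it needs an A record there too.
dnscmd $childServer /ZoneAdd $childZone /Primary /file "$($childZone).dns"
dnscmd $childServer /RecordAdd $childZone ns1 A $childNsIP
dnscmd $childServer /RecordAdd $childZone @ NS ns1.sales.corp.example.
dnscmd $childServer /RecordAdd $childZone www A 10.0.0.30

# 2. Delegation in the PARENT zone: an NS record at the delegation point "sales",
#    plus a glue A record for ns1.sales, because that name lies inside the
#    delegated subdomain and the parent could not otherwise resolve it.
dnscmd $parentServer /RecordAdd $parentZone sales NS ns1.sales.corp.example.
dnscmd $parentServer /RecordAdd $parentZone ns1.sales A $childNsIP

# 3. Check from the parent's side. Without step 2 the parent server treats
#    sales.corp.example as part of its own zone and answers that
#    www.sales.corp.example does not exist; with it, the query is referred to
#    (and, if recursion is enabled on DNS1, resolved through) DNS3.
nslookup www.sales.corp.example $parentServer
nslookup -type=NS sales.corp.example $parentServer
```

The NS record in the parent and the NS record at the apex of the child zone should name the same servers; when they drift apart (for example after the child's name server is replaced), resolution still appears to work from inside the child but fails for everyone who arrives through the parent, which is the case the second nslookup is meant to catch.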

