DNS zones

Hi all,

DNS is one thing i'm just not ever going to get a grasp of...

Two situations

1)

If you have the zone ABC.com to which there is 123.ABC.com, for 123.ABC.com to resolve records in ABC.com something has to be done i..e stub zone, delegation..etc correct?

2)

This is my my sticking point; If you have another setup with ABC.com, which also has Wales.abc.com. England.abc.com, Sales.Wales.abc.com, and sales.England.abc.com

Server config  = Server1 hosting secondary zones for abc.com, wales.abc.com and england.abc.com

Server2 hosts secondary zone for sales.wales.abc.com

server3 hosts secondary zone for sales.england.abc.com

there are no delegate records in abc.com, wales.abc.com or engalnd.abc.com and the other servers in sales.wales.abc.com only use server2 as the DNS server

Where I get lost is, when configuring forwarding for sales.wales.abc.com you only forward to wales.abc.com, engalnd.abc.com and sales.england.abc.com. Why wouldn't abc.com need forwarding to? How would it resolve names in there?

Been told "To configure the forest with forwarding makes no sense. It's not practical. To who would forwarding occur".....I dont get it. My argument was it's forwarding to abc.com  so it can resolve names in there

Please can someone explain
LFC1980Asked:
Who is Participating?
 
ChiefITConnect With a Mentor Commented:
This is how it works:

Client sends out a DNS query. It looks at it's own records (cache and the host file). If it can't find anything there, it goes to YOUR server. The server looks through the host files. If the server can't find it, it will send a request to the FORWARDING server.

This process passes the buck until DNS resolution is provided. How your client gets ABC.com is your server send out a request to a server that is outside your domain. So, if you are in a forest, your forwarding server might be the forest server. EXAMPLE

mydomain.forest.com>>forest.com
yourdomain.forest.com>>forest.com

you see forest.com is the top-level domain controller for mydomain and your domain.
0
 
ChiefITCommented:
There is one thing I found out about IT that is consistent with any other job. To learn things all you have to do is put things into a persepective that you can understand. DNS is really one of the easiest services to grasp, if you can follow the path a DNS query takes. The path is drawn out and all functions of DNS are described on this thread I wrote.

http://www.experts-exchange.com/Networking/Protocols/DNS/A_323-DNS-Troubleshooting-made-easy.html

Since it seems like you have a firm grasp on all that information, let's move into the delgation records.

Upon setting up a domain, the first domain server within the Forest will set up a delegation record. Now, that record points to an MSDCS zone. It's just a pointer. The MSDCS zone that is set up, is used to easily transfer that zone to other DCs on the forest. So, it is hanging out there to be easily replicated.

The only problem with that delegation record that points to the MSDCS zone is, that delegation record doesn't dynamically update itself. So, all of a sudden, you loose track of the SeRVice (SRV) recrods in that MSDCS zone. What happens when the delegation record expires is, you loose track or pointers to domain SeRVices.

This is what it looks like, when this happens:
http://www.experts-exchange.com/Networking/Protocols/DNS/Q_24349599.html

Yep, I ran into this issue, too.

Delegation records only point to the MSDCS zone where your SRV records reside.
0
 
LFC1980Author Commented:
Thanks for those articles. First one as you say reinforces, what little I do know. But I'm still non the wiser to my question :(

Why is it impracticable to forward requests to ABC.com from Sales.wales.abc.com. Without doing so, how would the Sales.wales.abc.com resolve anything in ABC.com
0
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

 
ChiefITCommented:
First off, let's separate your domain, from any outside domain. What you want is your local machines to look towards your DNS server first. Then, the server forwarders will look outside the domain for any other resolution.

For instructive purposes, let's call your domain (yourdomain.com). Let's call an outside server (outside.com)

Upon logging on, All clients on yourdomain.com will go to a preferred DNS server. That server is passed down by DHCP or manually configured by you for fixed IP clients. So, let's say you have two DNS servers on yourdomain.com. their IPs will be 192.168.1.5 and 192.168.1.6. As clients perform a DNS query, it will check within their DNS cache first, then any configured host record. If the clients can not resolve the query themselves, they will look towards those two servers to resolve for yourdomain.com. So, you are looking at the top level domain servers for your domain. If your server can not provide DNS resolution. It will start looking outside your network, to forwarded servers. This is the only place that outside.com comes into play.

outside.com could be public servers, like google. Google's IPs are 8.8.8.8 and 4.4.8.8, (or something like this). These are public DNS servers that resolve DNS and can be used as forwarding servers.

A delegation record is a pointer to the forest server's SRV record. THESE records are very important to the domain. They point to DOMAIN services. So, if you point your clients to outside.com to find these SRV records, they can not be found. In other words, if your client computers are pointed to outside.com to find services for yourdomain.com, you will not be able to find domain services.

On a home computer, domain services are NOT NEEDED, unless you VPN into your domain for domain services. So, you can point your home clients to an outside DNS server for DNS resolution.

The differences between going to an outside server and an inside server is DOMAIN SERVICES. This is why you have to point your clients to an inside server for Domain services and DNS.  
0
 
LFC1980Author Commented:
Everything you say makes sense. But I can't put that together to make sense of what i'm stuck on. Let me break it down into questions to see where I'm not getting it

Look to internal DNS servers then external (should that be configured) - This i get

Lets say I have yourdomain.com then there is another zone XXX.yourdomain.com So, to let youdomain.com users resolve in XXX there needs to be a delgation or stub zone in yourdomain.com for XXX

Q1) Is my statement above correct?

2nd scenario

This has nothing to do with above domain. so consider I have

ABC.com, which also has Wales.abc.com. England.abc.com, Sales.Wales.abc.com, and sales.England.abc.com

In this network

DNS01 hosts secondary zones for abc.com, wales.abc.com and england.abc.com
DNS02 hosts secondary zone for  sales.wales.abc.com
DNS03 hosts secondary zone for sales.england.abc.com

so for sales.wales.abc.com to resolve names in others you need to configure forwarding to for the following domains wales.abc.com, engalnd.abc.com and sales.england.abc.com

Q2) how would sales.wales.abc.com resolve names in abc.com if there is no seting that references it to forward to abc.com
0
 
LFC1980Author Commented:
Q3)
I was told "abc.com is the forest, to configure the forest with forwarding makes no sense. It's not practical. To who would forwarding occur".....I just do not get it.

My argument was it's forwarding to abc.com  so it can resolve names in there. Why is this incorrect. how would sales.wales.abc.com resolve in abc.com without that forwarding

:(
0
 
ChiefITCommented:
I think you are interchanging terms. A forwarding server is a server that can not provide DNS resolution on the local domain. So, the server points in the direction of a forwarding server or a root hints server. SOOOO. If the local domain controller can't resolve, the next best step is your forest server. From there, your ISP's server for outside the forest resolution.

Client>>>Domain Server>>>Forest Server>>>ISP's server

A forwarding server is just a referal to another server to get DNS resolution. In other words, it's passing the buck to resolve a DNS query. EXAMPLE  yourdomain.com server can't resolve, so let's go to the forest server to see if it can resolve for somewhere within the forest.

A forwarding server is NOT forwarding all of its records to lower level domain controllers within the forest. That's up to your ZONE TRANSFERS. EXAMPLE: I have a list of DNS zones, that I would like to see on many of my servers. So, let's zone transfer those zones to all DNS servers within the Forest.

Don't mix up the terms 'Zone Transfers' and 'Forwarding'.
0
 
LFC1980Author Commented:
hmmmmmmm

so what process would sales.wales.abc.com use to resolve in abc.com?
0
 
LFC1980Author Commented:
Think it makes sense. Will have to come back to this as i've been side tracked
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.