Types of DNS Zones
When you sit down to plan your DNS server you need to know all the zone types you can use, so you can take full advantage of this tool.
For example, you can use zone transfers to populate your secondary name servers, or you can use Active Directory Integrated Zones if you want every zone to replicate automatically to each DNS server in your environment.
First, before we begin you must understand how a DNS server works: DNS always resolves queries hierarchically, so you must decide how many levels your zones will have.
Here is a simple example of the DNS hierarchy:
1. ‘ . ‘ – the root, reached through the DNS server's default root hints.
2. .COM – this is called a Top Level Domain (TLD).
3. Planning-tech.com – Planning-tech will be my main zone.
4. Creative.Planning-tech.com – Creative will be our subzone.
DNS Zone Direction Possibilities
Actually it's very simple and I already explained it in my first post, but for those of you who still don't understand, here it goes.
One thing you always need to remember when you configure your DNS server is that there are only two zone directions you can use for each zone.
Forward Lookup Zone
In this case you already know the hostname and the DNS server tells you the IP address of the host you requested. In a forward lookup zone we find records such as Hosts (A) and Name Servers (NS).
Reverse Lookup Zone
Here we have the opposite: we know the IP address and the DNS server resolves it to a hostname. You also need to know that a reverse zone can be a security concern (anyone who can query it can map your address ranges back to hostnames), so create it only for particular assignments, for example when you need to establish a connection to an SMTP mail relay or you want to use nslookup.
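The two directions side by side, as an added example that is not code from the original post: it creates a forward lookup zone and the matching reverse lookup zone on a Windows DNS server with the DnsServer PowerShell module, adds one host record with its PTR, and resolves in both directions. The zone name corp.example, the subnet 10.10.20.0/24, the host srv01 at 10.10.20.15 and the server address 10.10.20.5 are assumed values; run it in an elevated PowerShell session on the DNS server.

```powershell
# Added example (not from the original post). Assumed values: zone corp.example,
# subnet 10.10.20.0/24, host srv01 at 10.10.20.15, DNS server 10.10.20.5.
Import-Module DnsServer

$ZoneName  = 'corp.example'     # assumed forward zone
$NetworkId = '10.10.20.0/24'    # assumed subnet for the reverse zone
$DnsServer = '10.10.20.5'       # assumed DNS server address

# Forward lookup zone: hostname -> IP address. AD-integrated, secure dynamic updates only.
Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope 'Domain' -DynamicUpdate 'Secure'

# Reverse lookup zone: IP address -> hostname. Create it only for subnets that need it
# (mail relays, nslookup troubleshooting); the in-addr.arpa name is derived from the network id.
Add-DnsServerPrimaryZone -NetworkId $NetworkId -ReplicationScope 'Domain' -DynamicUpdate 'Secure'

# One A record; -CreatePtr writes the matching PTR into the reverse zone in the same step,
# so the forward and reverse answers cannot drift apart.
Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name 'srv01' -IPv4Address '10.10.20.15' -CreatePtr

# Forward lookup: name to address
Resolve-DnsName -Name "srv01.$ZoneName" -Type A -Server $DnsServer

# Reverse lookup: address to name (Resolve-DnsName builds the in-addr.arpa query for you)
Resolve-DnsName -Name '10.10.20.15' -Type PTR -Server $DnsServer

# Inventory check: which reverse zones exist on this server and how many hostnames each exposes
Get-DnsServerZone |
    Where-Object { $_.IsReverseLookupZone -and -not $_.IsAutoCreated } |
    ForEach-Object {
        $ptr = Get-DnsServerResourceRecord -ZoneName $_.ZoneName -RRType Ptr
        [pscustomobject]@{ Zone = $_.ZoneName; PtrRecords = @($ptr).Count }
    }
```

The inventory at the end is the part worth keeping in a scheduled job: a reverse zone that nobody remembers creating is exactly the one that leaks an internal naming scheme, and the PTR count per zone shows how much it discloses.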
Now that you have the basics, let's see what kinds of zones you can use.
Active Directory – Integrated Zone
This is the most relevant option for most organizations. It is recommended when you have only Windows DNS servers and no UNIX DNS servers in your environment; if that is your case, this is the best solution to use.
The main reason to use an Active Directory – Integrated Zone is the replication benefit you get from it. I will explain it in a few words so you can understand.
If you have a DNS1 server that holds your DNS zones and you install a second DNS2 server for redundancy, all the changes you make on either server replicate automatically to the other DNS server (remember that Active Directory Sites determine how that replication is configured).
In other words, an Active Directory – Integrated Zone is a special kind of primary zone that can exist only on servers that are Domain Controllers.
Primary Zone
The primary zone is the main authoritative zone (the master copy of our DNS zone); this is where all records are created and managed by the server and the administrator. In this zone type you can create, change or delete any record, because a primary zone is a writable zone.
Secondary Zone
Unlike the primary zone, the secondary zone is a read-only copy and record changes are not possible on this zone type. Because we cannot change the records directly, every record change arrives through replication (zone transfer) from the primary zone.
For me, the only time I want to use this option is when I want to create domain trusts or when I want to create redundancy.
Stub Zone
The stub zone is a copy of your zone, but it is unique because the only records it supplies are the ones needed to locate the authoritative DNS servers for that zone. A stub zone contains only SOA, NS and A (glue) records for those name servers.
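The zone types above, created side by side, as an added example that is not code from the original post: an Active Directory integrated primary zone, a file-backed primary zone with zone transfers restricted to named secondaries, a secondary zone pulled from a master, and a stub zone, followed by a listing that shows how the server sees each one. The names corp.example, legacy.example, partner.example and supplier.example, the master addresses 192.0.2.10 and 198.51.100.10, and the secondary server 10.10.20.6 are assumed values; the cmdlets are from the DnsServer module on Windows Server.

```powershell
# Added example (not from the original post). Assumed values: our zones corp.example and
# legacy.example, a partner zone partner.example with primary at 192.0.2.10, a supplier
# zone supplier.example with primary at 198.51.100.10, and our second DNS server 10.10.20.6.
Import-Module DnsServer

# 1. Active Directory - Integrated zone: a primary zone stored in AD, so every Domain
#    Controller running DNS inside the replication scope gets a writable copy via AD replication.
Add-DnsServerPrimaryZone -Name 'corp.example' -ReplicationScope 'Domain' -DynamicUpdate 'Secure'

# 2. Standard (file-backed) primary zone: writable, but it lives only on this server, so
#    redundancy means feeding secondaries by zone transfer. Restrict transfers to the servers
#    we name; without this, any host allowed by the default policy could pull the whole zone.
Add-DnsServerPrimaryZone -Name 'legacy.example' -ZoneFile 'legacy.example.dns' -DynamicUpdate 'None'
Set-DnsServerPrimaryZone -Name 'legacy.example' -SecureSecondaries 'TransferToSecureServers' -SecondaryServers '10.10.20.6'

# 3. Secondary zone: a read-only copy pulled from the master by zone transfer. Records are
#    edited only on the primary; here they can only be refreshed.
Add-DnsServerSecondaryZone -Name 'partner.example' -ZoneFile 'partner.example.dns' -MasterServers '192.0.2.10'

# 4. Stub zone: holds just the SOA, NS and glue A records of the supplier's authoritative
#    servers, so this server knows whom to ask without holding or transferring the whole zone.
Add-DnsServerStubZone -Name 'supplier.example' -MasterServers '198.51.100.10' -ReplicationScope 'Domain'

# How the server classifies each zone: type, AD storage, update policy and masters (if any)
Get-DnsServerZone |
    Where-Object { -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate,
                  @{ Name = 'Masters'; Expression = { $_.MasterServers -join ',' } }
```

In the listing, the integrated zone and the file-backed zone both report ZoneType Primary and differ only in IsDsIntegrated; the secondary and stub zones are the only ones with a Masters column filled in, which is the quick way to see which zones depend on another server for their content.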
Secure and Non-Secure Dynamic Updates
Dynamic updates have been available since Windows 2000; as you already know, we are talking about a huge advantage and a real benefit for the IT staff. Just imagine the times before Windows 2000, in the “Stone Age”, when you had to update all your DNS records manually.
Secure updates make our DNS server much more secure than before: with secure updates, only computers that have an object created in Active Directory can update or add their record in the organization's DNS server (we are talking about the A record, in case you missed it …).
Microsoft recommends that when you use Active Directory Integrated Zones you enable “Secure only” for dynamic updates.
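A check for that recommendation, as an added example that is not code from the original post: it reports the dynamic update setting of every primary zone on the local DNS server, then sets AD-integrated zones to Secure only. File-backed primary zones cannot use the Secure setting (it needs AD storage), so they are reported, and converted first only when the switch is given. Nothing is assumed beyond the DnsServer module; the zones examined are whatever the server already holds.

```powershell
# Added example (not from the original post): audit and enforce "Secure only" dynamic updates.
Import-Module DnsServer

function Get-DynamicUpdateReport {
    # One row per primary zone (forward and reverse), with a verdict for each.
    Get-DnsServerZone |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            $zone = $_
            if ($zone.DynamicUpdate -eq 'Secure') {
                $verdict = 'OK'
            } elseif ($zone.DynamicUpdate -eq 'None') {
                $verdict = 'OK (dynamic updates disabled)'
            } elseif ($zone.IsDsIntegrated) {
                # NonsecureAndSecure on an AD zone: any host can overwrite records, just set Secure
                $verdict = 'FIX: set to Secure'
            } else {
                # NonsecureAndSecure on a file zone: Secure is unavailable until it is AD-integrated
                $verdict = 'FIX: convert to AD-integrated, then set Secure'
            }
            [pscustomobject]@{
                Zone          = $zone.ZoneName
                DsIntegrated  = $zone.IsDsIntegrated
                DynamicUpdate = $zone.DynamicUpdate
                Verdict       = $verdict
            }
        }
}

function Repair-DynamicUpdate {
    param([switch]$ConvertFileZones)   # also move file-backed zones into AD storage
    foreach ($row in (Get-DynamicUpdateReport | Where-Object Verdict -like 'FIX*')) {
        if (-not $row.DsIntegrated) {
            if (-not $ConvertFileZones) {
                Write-Warning "$($row.Zone): file-backed zone skipped (re-run with -ConvertFileZones)"
                continue
            }
            # Store the zone in AD (domain-wide scope) so that Secure becomes a valid setting
            ConvertTo-DnsServerPrimaryZone -Name $row.Zone -ReplicationScope 'Domain' -Force
        }
        Set-DnsServerPrimaryZone -Name $row.Zone -DynamicUpdate 'Secure'
        Write-Output "$($row.Zone): dynamic updates now Secure"
    }
}

Get-DynamicUpdateReport | Format-Table -AutoSize
# Repair-DynamicUpdate -ConvertFileZones   # uncomment to enforce on this server
```

Run the report first on every DNS server, not just one: a zone that is integrated on one Domain Controller can still exist as a file-backed copy on an old member server, and that copy is the one accepting unauthenticated updates.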