Jan 21, 2020, 02:18 AM
Server 2016: Networking: DNS Configuration
Discover Domain Name System (DNS), which is used to resolve names to IP addresses. Explore the options for DNS deployments in Windows Server 2016 to provide name resolution on a network.

Prerequisites for DNS
[Video description begins] Topic title: Prerequisites for DNS. The presenter is Jacob Moran. [Video description ends]

Let's talk a little bit about understanding the prerequisites for working with DNS. So really, what's going on behind the scenes in DNS?

[Video description begins] A diagram explaining the working of DNS is displayed. A DNS Server and a client on the left-hand side are connected to a Web Server on the right-hand side through the Internet. [Video description ends]

How does it work? Clients are going to connect to servers and services by name, but unfortunately names are not routable. We need IP addresses instead. So the client will query this central,

[Video description begins] He writes name and IP on the screen. [Video description ends]

almost phone book, if you will, of a DNS server, using its name, the name of the server they would like to retrieve, and receiving in return the IP address, the numeric value that I can use to connect. And that is how TCP/IP packets are built, when an application knows a name but routing and delivery require an IP address. So, this is important. And it is so important that, in fact, Active Directory domain controllers rely upon having an infrastructure of DNS in order for clients to find a logon server using the Kerberos protocol, or to be able to find a server to list the users that might be put in a group using LDAP services. And so they will use specific records to track those down. It's so important that DNS is automatically installed whenever you set up a new server to function as a domain services domain controller. By default, unless you choose

[Video description begins] He encircles AD DS domain controllers. [Video description ends]

otherwise, they're all running DNS too, to be able to facilitate that. The clients are going to look up, in many cases, service locator records and A records to track down what they need. And if they have to do that by going across a wide area network link, it's gonna slow the whole process down. So it's gonna be important that clients access a local DNS server to try and facilitate a record lookup whenever possible, whether that's for web services, Active Directory services, file and print services, mail, whatever it might be.

[Video description begins] A diagram displaying a Web1 server and a SQL1 server on one side and a Mail1 server, a single server and a DNS1 server on the other side is displayed. Both sides are connected to two laptops. [Video description ends]

So there are different records, different pieces of information that are held in the DNS database,

[Video description begins] He encircles DNS1. [Video description ends]

which is called a zone of authority that DNS keeps track of. So something like earthfarm.com is the name of a domain that would be a zone, that would have records like www, or Web1, or Mail1, or whatever, SQL1, as you see here. So name to IP address: let's say 10.0.0.1 was SQL's address; that would be what is stored in an A record, or if it was IPv6, an AAAA record.

[Video description begins] He writes A, AAAA. [Video description ends]

However, when I send email to jacob@earthfarm.com, although there will need to be an A record for Mail1, which is the mail server for earthfarm.com in my case, I would also need an MX record,

[Video description begins] He connects A, AAAA and the Mail1 server. [Video description ends]

which basically says mail exchange is available at Mail1.earthfarm.com. Then I need to look up, well, where's Mail1? Mail1 is at... and look up the A record that would identify the IP address, like 10.0.0.2, for example, for Mail1. Domain controllers are found using a more indirect method, so if we have a DC, maybe it's DC1.earthfarm.com.

[Video description begins] He labels the unnamed server in the diagram as DC1. [Video description ends]

And it has its IP address identified once again by an A record.

[Video description begins] He draws a line connecting AAAA to DC1. [Video description ends]

I'm going to find a generic service locator record for Kerberos, for LDAP, for Global Catalog services, and all that sort of thing. You're gonna use something called the SRV record. And like the mail exchange record, though, it's simply gonna say LDAP, that's located at DC1; Kerberos, that's located at DC1. To actually get the IP address, I then need to get the facilitating record, the host record that says DC1 is at 10.0.0.3. Sometimes we use aliases. That's where a name points to another name. A lot of times, for example, when we connect to www., let's say, earthfarm.com,

[Video description begins] He writes www near the Web1 server. [Video description ends]

that's not actually the name of the server; that's just a name that points to another server like Web1.earthfarm.com. So I don't actually have to maintain separate A records for every possible name. Just maintain the actual A record for the true name itself, and then aliases that point to that for alternative names. Also, DNS servers maintain some records in their zone file, in addition to all these A

[Video description begins] He draws a line connecting SOA, NS to the DNS1 server. [Video description ends]

and MX and SRV and CNAME records, to reference the authoritative servers. So who's supposed to be in charge of this? And that's important because we will usually have multiple DNS servers.

[Video description begins] Two diagrams denoting two methods of storage and replication of DNS zone data are displayed. The first diagram displays the Active Directory Integrated DNS. The second diagram displays the classic method. [Video description ends]

We want to have the potential for failover, for load balancing the workload across multiple servers. The classic method of doing that is for a particular zone to be replicated from a read/write text file, called the primary zone copy, to a read-only secondary zone copy through a replication process called zone transfer.

[Video description begins] He draws the flow from a primary server to a secondary server. [Video description ends]

That's great, and it's interoperable with every version of DNS, but there's also a method available on Windows 2016 and other Microsoft servers called Active Directory Integrated DNS. And so, we store the zone records inside the Active Directory database. And so, it just piggybacks along the way for replication, and it's multi-master in that case; it can be edited in all locations. That's going to give you high availability and better performance, which is exactly what we're looking for.
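
The record types and the two replication models covered in this topic, as an added example that is not part of the course or the presenter's demo. It assumes the DnsServer PowerShell module on DC1 (10.0.0.3), the Active Directory domain controller for earthfarm.com, where the zone already exists as an AD-integrated zone and Netlogon has registered the SRV records. The SQL1, Mail1 and DC1 addresses are the presenter's sample values; Web1's address 10.0.0.5, SQL1's IPv6 address, the secondary server 10.0.0.4 and the brocadero.com zone file name are assumptions.

```powershell
# Added example (not from the course): populate the earthfarm.com zone from the
# Prerequisites topic with the record types it names, resolve a domain controller the
# way a client does, and lock down the classic primary/secondary zone transfer.
# Assumes it runs on DC1 (10.0.0.3), the AD DS domain controller for earthfarm.com,
# where the zone already exists AD-integrated and Netlogon has registered the SRV
# records. Web1 = 10.0.0.5, SQL1's IPv6 address, the secondary 10.0.0.4 and the zone
# file name are assumptions, not course values.
Import-Module DnsServer
$zone = 'earthfarm.com'
$dc   = '10.0.0.3'

# How the zone is stored: IsDsIntegrated = True means the records live in the AD
# database and replicate with it (multi-master), with secure dynamic update.
Get-DnsServerZone -Name $zone | Format-List ZoneName, IsDsIntegrated, ReplicationScope, DynamicUpdate

# A / AAAA: name -> IPv4 / IPv6 address.
Add-DnsServerResourceRecordA    -ZoneName $zone -Name 'SQL1'  -IPv4Address '10.0.0.1'
Add-DnsServerResourceRecordAAAA -ZoneName $zone -Name 'SQL1'  -IPv6Address 'fd00:10::1'   # assumed
Add-DnsServerResourceRecordA    -ZoneName $zone -Name 'Mail1' -IPv4Address '10.0.0.2'
Add-DnsServerResourceRecordA    -ZoneName $zone -Name 'Web1'  -IPv4Address '10.0.0.5'     # assumed

# CNAME: www is an alias for Web1's real name; only Web1's A record carries the address.
Add-DnsServerResourceRecordCName -ZoneName $zone -Name 'www' -HostNameAlias "Web1.$zone"

# MX at the zone apex ('.'): names the mail host, never an IP; Mail1's A record supplies it.
Add-DnsServerResourceRecordMX -ZoneName $zone -Name '.' -MailExchange "Mail1.$zone" -Preference 10

# Follow an alias and an MX the way a mail sender would: the answer chain ends in an A record.
Resolve-DnsName -Name "www.$zone" -Server $dc -DnsOnly
Resolve-DnsName -Name $zone -Type MX -Server $dc -DnsOnly

# SRV -> host -> A: the indirect lookup used for domain controllers. Windows clients
# locate a DC via _ldap._tcp.dc._msdcs.<domain> and _kerberos._tcp.<domain>.
function Resolve-ServiceLocator {
    param([string]$Service, [string]$Domain, [string]$Server)
    $srv = Resolve-DnsName -Name "$Service.$Domain" -Type SRV -Server $Server -DnsOnly
    foreach ($rec in ($srv | Where-Object Type -eq 'SRV')) {
        $a = Resolve-DnsName -Name $rec.NameTarget -Type A -Server $Server -DnsOnly
        [pscustomobject]@{
            Service  = "$Service.$Domain"
            Target   = $rec.NameTarget
            Port     = $rec.Port
            Priority = $rec.Priority
            IPv4     = ($a | Where-Object Type -eq 'A').IPAddress
        }
    }
}
Resolve-ServiceLocator -Service '_ldap._tcp.dc._msdcs' -Domain $zone -Server $dc
Resolve-ServiceLocator -Service '_kerberos._tcp'       -Domain $zone -Server $dc

# Classic file-backed primary zone, replicated to a read-only secondary by zone transfer.
# Restrict transfers to the named secondary: an unrestricted AXFR hands the whole zone
# (every host and address) to anyone who asks, which is routine attacker reconnaissance.
Add-DnsServerPrimaryZone -Name 'brocadero.com' -ZoneFile 'brocadero.com.dns' -DynamicUpdate None
Set-DnsServerPrimaryZone -Name 'brocadero.com' -SecureSecondaries TransferToSecureServers `
    -SecondaryServers '10.0.0.4'
Get-DnsServerZone -Name 'brocadero.com' | Format-List ZoneName, IsDsIntegrated, SecureSecondaries, SecondaryServers
```

The AD-integrated zone needs no transfer restriction because its replication rides on AD DS between domain controllers; the file-backed zone does, and TransferToSecureServers limits AXFR to the listed secondaries rather than to any host that asks.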

DNS and Nano Server
[Video description begins] Topic title: DNS and Nano Server. The presenter is Jacob Moran. [Video description ends]

If you're a Windows Server 2016 administrator, one of the things you might be looking forward to is deploying yourself some Nano Servers: typically VMs that are super low footprint and are useful for things like DNS. Because every Nano Server is using fewer resources, less disk space, less processing. It's simply running fewer services and components. It doesn't have a local sign-in, which makes it less vulnerable. It only runs 64-bit apps, tools, and agents, which makes it, again, a little more resilient, secure, and dependable. And again, it is designed to be made more functional with the installation of various packages. And there's a package for DNS that we can install to allow you to have a Nano DNS server, just like IIS and some other services. So again, once there, we'll manage it remotely, typically starting off our configuration with PowerShell and then fleshing it out with other WMI connections like we would for a standard DNS server.

Now we're going to build a VHD, a Nano VHD, just like we would in any other Nano Server installation. But we're going to specifically add the DNS package to put the DNS binaries in there. Then that image is actually derived from a Nano WIM file that then gets turned into a VHD file; the VHD needs to be brought into Hyper-V. We build a new VM around it. Once we've done that, we can configure it and specifically turn on the DNS service. But remember, we can't connect to there locally; there's no Remote Desktop. So we'll be using remote PowerShell in order to enable the WindowsOptionalFeature of the DNS-Server-Full-Role. Let's take a look at this process here, gang. Got a server here,

[Video description begins] Code starts: Enable-WindowsOptionalFeature -Online -FeatureName DNS-Server-Full-Role. Code ends. He opens the Windows File Explorer. [Video description ends]

and on this server, if we navigate, I want you to see the ISO

[Video description begins] He clicks This PC. [Video description ends]

for Windows Server 2016 has been mounted as a G drive.

[Video description begins] The second section displays two subsections. The first subsection is titled Folders and the second subsection is titled Devices and drives. He double-clicks the DVD Drive (G:). [Video description ends]

We just double-clicked that and mounted it up. And there's actually a directory here called NanoServer. If we open that up, we can see the image generator, which we're going to use to build the VHD, and the packages, including the one for DNS, are all right here.

[Video description begins] The Microsoft-NanoServer-DNS-Package.cab and Microsoft-NanoServer-DSC-Package.cab. [Video description ends]

So that's already in place. So what I'm going to need is, I copy that, this whole directory here, to my D drive. So I've got some working editable directory that has all the same content. And then I'm going to open up PowerShell, so let's go ahead and open up the PowerShell ISE. And I've got a script here to speed this process. So the first thing we're going to want to do is import the module that lets us run Nano commands. If I run get-command that has Nano in the name,

[Video description begins] He clicks the Run selected button to execute the command get-command *Nano*. [Video description ends]

you notice there are no results here. Well, let's go ahead and first go to the D drive, then to the image generator directory, and run import-module against the NanoServerImageGenerator.psd1 file. And let's run that get-command again after we've imported the module.

[Video description begins] The module is, code starts: d:, cd D:\NanoServer\NanoServerImageGenerator, import-module .\NanoServerImageGenerator.psd1 -Verbose. Code ends. [Video description ends]

And voila, you see we have a new image. We can Edit a NanoServerImage and we can Get the NanoServerPackages that we might apply to that image. All very useful. So now that we've done that, let's take out the New-NanoServer cmdlet that we would apply.

[Video description begins] Code starts: New-NanoServerImage -ComputerName DNSNANO2 -DeploymentType Guest -MediaPath G:\ -Edition Standard -TargetPath d:\vhD\DNSNANO2.vhdx -BasePath .\base -DomainName earthfarm.com -Ipv4Address 192.168.5.116 -Ipv4Dns 192.168.5.254 -Ipv4Gateway 192.168.5.1 -Ipv4SubnetMask 255.255.255.0 -InterfaceNameOrIndex Ethernet -Package Microsoft-NanoServer-DNS-Package. Code ends. [Video description ends]

So some key things here: we're going to reference the computer name with the name of the server that we're going to build out. Deployment type is Guest rather than Host, meaning it's being deployed to a VM, not a VM booting directly on a host. Where is the Windows Server 2016 media? Might be in a directory, a network path; mine's on the G drive. Standard edition of Windows Nano Server will be installed, not Enterprise. The target path: we're going to build a VHDX file, so we put in that path. There's a base path; this is optional. This is pointing to a working directory that'll be used for WIM and package installation. Then, we optionally can provide all of this information if we want ahead of time, rather than having to use DHCP or manual configuration after the fact. So again, we have access to setting the IP address, DNS server, and all of that and apply it to the Ethernet interface. Then lastly, we have the ability to reference the package. And this is where we install DNS as binaries that we'd like to have available. All right, so let's execute that chunk of code. We'll put in the AdministratorPassword that we'd like for the server. So it'll put that in there as well. And essentially, this is going to now build a VHDX image with the operating system already pre-configured on it, including DNS installation. And again, it's a Nano Server installation. So once that process is done, we'll bring the file

[Video description begins] He switches to the Hyper-V Manager window. [Video description ends]

that it generates over into a Hyper-V server and generate a new virtual machine.

[Video description begins] He launches the New Virtual Machine Wizard. [Video description ends]

We'll call this, again, DNSNano2, in this case. And the key thing would be here to reference, again, give it a network interface to be able to support that. And reference that hard drive file that I copied

[Video description begins] He selects External in the Connection drop-down list box. [Video description ends]

over here. So let's see, that's over in my C drive. This was copied, vhd. There it is, DNSNANO2. All right, so we're going to create this and this will now give us our Nano Server.
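
The whole Nano Server build from this topic as one script, added here as an example that is not the presenter's own script. It uses the names, addresses and paths from the demo (DNSNANO2, 192.168.5.116, D:\NanoServer, G: media) and assumes the build machine is joined to earthfarm.com with rights to create the computer account, since -DomainName performs an offline domain join. The Hyper-V cmdlets, the Generation 2 VM and the 1 GB memory size stand in for the wizard clicks in the video and are assumptions.

```powershell
# Added example (not from the course): build, boot and enable the Nano DNS server
# described above. Assumes the Windows Server 2016 ISO is mounted at G:, the
# NanoServer folder was copied to D:\NanoServer, and this runs on a domain member of
# earthfarm.com with rights to pre-create the DNSNANO2 computer account.
Import-Module D:\NanoServer\NanoServerImageGenerator\NanoServerImageGenerator.psd1 -Verbose

# The DNS package ships on the media; confirm it is there before building.
Get-ChildItem 'D:\NanoServer\Packages' -Filter '*DNS*'

# Read the local Administrator password interactively; never hard-code it in the script.
$adminPassword = Read-Host -Prompt 'Nano Administrator password' -AsSecureString

New-NanoServerImage -ComputerName 'DNSNANO2' -DeploymentType Guest -Edition Standard `
    -MediaPath 'G:\' -BasePath 'D:\NanoServer\base' -TargetPath 'D:\vhd\DNSNANO2.vhdx' `
    -DomainName 'earthfarm.com' `
    -InterfaceNameOrIndex 'Ethernet' -Ipv4Address '192.168.5.116' -Ipv4SubnetMask '255.255.255.0' `
    -Ipv4Gateway '192.168.5.1' -Ipv4Dns '192.168.5.254' `
    -Package 'Microsoft-NanoServer-DNS-Package' `
    -AdministratorPassword $adminPassword

# Copy the VHDX to the Hyper-V host (C:\vhd in the demo) and create the VM. The course
# does this in Hyper-V Manager; these cmdlets are the equivalent and are an assumption.
New-VM -Name 'DNSNANO2' -MemoryStartupBytes 1GB -Generation 2 `
    -VHDPath 'C:\vhd\DNSNANO2.vhdx' -SwitchName 'External'
Start-VM -Name 'DNSNANO2'

# The package only lays the binaries down; the role is enabled over remote PowerShell.
# Because the image was domain-joined, WinRM authenticates with Kerberos and no
# TrustedHosts entry is needed. For a workgroup Nano host you would first run:
#   Set-Item WSMan:\localhost\Client\TrustedHosts -Value '192.168.5.116' -Concatenate
$session = New-PSSession -ComputerName 'DNSNANO2.earthfarm.com'
Invoke-Command -Session $session -ScriptBlock {
    Enable-WindowsOptionalFeature -Online -FeatureName 'DNS-Server-Full-Role'
    Start-Service -Name DNS
    Get-Service -Name DNS | Select-Object Name, Status, StartType
}
Remove-PSSession $session

# From here it is managed like any other DNS server, from the management workstation.
Import-Module DnsServer
Get-DnsServer -ComputerName 'DNSNANO2.earthfarm.com' | Select-Object -ExpandProperty ServerSetting
```

Keeping the password out of the script matters because New-NanoServerImage writes it into the image's unattend data; read it at run time and do not commit the build script with a literal in it.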

Install DNS Server Role
[Video description begins] Topic title: Install DNS Server Role. The presenter is Jacob Moran. [Video description ends]

If you'd like to install the DNS Server role onto a Windows Server 2016 environment, you can launch the PowerShell ISE or

[Video description begins] The Windows PowerShell ISE is open. [Video description ends]

PowerShell as an administrator. Use the cmdlet Install-WindowsFeature and reference the feature name of DNS. And if you're going to be managing it locally, of course, use IncludeManagementTools. Now, in addition to installing this way,

[Video description begins] He clicks the Run selected button. [Video description ends]

of course, we also could use Server Manager. And in Server Manager,

[Video description begins] He switches to the Server Manager window. The window includes buttons for Manage, Tools, View, and Help. Below this, the window is divided into two sections. The first section displays nodes such as Dashboard, Local Server, All Servers, and DHCP. The second section displays information relating to the selection made in the first section. Dashboard is selected by default in the first section and the ROLES AND SERVER GROUPS section is displayed in the second section. [Video description ends]

go to Add Roles and Features, Next, Next, and reference

[Video description begins] He launches the Add Roles and Features Wizard. [Video description ends]

the server you want to install it onto, and add a check mark to DNS. Again, DNS itself does not have any required sub-services or features that go along with it. And if you go through the graphical environment, it just tells you that if you are also running DNS on a domain controller, there's some default synchronization that occurs. So you may see some population of DNS happening automatically if, as we said, you're running DNS on an Active Directory domain controller. But if you're not, then you'll be starting with just the bare-bones minimum installation. And again, it does not require a restart. All right, that's been successful. So if we do a get-command and reference DNS, you'll see that we have quite a few different functions here that are available. Again, look for the key reference of DnsServer. In fact, let me go ahead and run that cmdlet that I just ran again, this time using the catchphrase of dnsserver. That'll filter it down to really the key scripts that we want to see here,

[Video description begins] He executes the command get-command *dnsserver*. [Video description ends]

that allow us to define root hints, zones, forwarding, the cache, and all the key properties that we'd like to set. Again, that's how DNS is mostly going to function: with set commands. We also do have get commands. We can import and export some of our content. And we'll, of course, have some add commands to add records, to add zones, to be able to manage some of those top-level components. We also, of course, now have access to the management tool of the DNS console.

[Video description begins] He clicks the Tools button. [Video description ends]

So we can access that now through Tools, a standard MMC-style console.

[Video description begins] He opens the DNS Manager window. [Video description ends]

And in here we'll have Forward Lookup Zones, to look up name to IP,

[Video description begins] The STORAGE205 node displays four subnodes: Forward Lookup Zones, Reverse Lookup Zones, Trust Points, and Conditional Forwarders. [Video description ends]

Reverse Lookup Zones, to look up IPs and find the names, Trust Points that are associated with security, Conditional Forwarders, and of course various properties and resource records within all of that.

DNS Forwarders
[Video description begins] Topic title: DNS Forwarders. The presenter is Jacob Moran. [Video description ends]

One of the main tools available to DNS server administrators to help control the flow of traffic is the use of DNS forwarders. DNS forwarders allow a DNS server to pass requests to another DNS server for resolution. Passing the buck very effectively and centrally in your environment, so as to ensure that you are able to actually get more expedient results down the road. So what we'll do is we'll designate a particular DNS server as another DNS server's forwarder, its helper to handle DNS queries, rather than requiring every DNS server to go up to the root Internet servers to answer their issues for things that they cannot resolve themselves. Again, that can handle your external name resolution, possibly your parent-to-child domain namespace resolution. But remember, it's always for namespaces that you do not already own. So for example, let's look down here. I've got a local DNS server.

[Video description begins] A diagram displaying central forwarding is displayed. The following servers are displayed: Forwarder, Root hint (.), Earthfarm.com, and Local DNS Server. The client and a .com server are also displayed. A recursive query exists between the client and the Local DNS Server and between the Local DNS Server and Forwarder. The iterative query is between Forwarder and Root Hint (.). [Video description ends]

And that DNS server might be authoritative for a domain called brocadero.com, all right? So we've got brocadero.com, right, life is good there.

[Video description begins] He writes brocadero.com. [Video description ends]

But unfortunately, although we have brocadero.com and we've got that built in with a local DNS server, that's not what my query is for, right? So although I've got a local zone file, my client is making a query for mail1.earthfarm.com and so my local DNS server doesn't know. Now normally, each and every DNS server, without configuration, will have to manually contact the root hint servers of the Internet for anything it is not authoritative for, unless we override that property.

[Video description begins] He draws a line connecting Local DNS Server and Root Hint (.). [Video description ends]

One way to override that property is with a forwarder, where I'd specify: go contact this DNS server. This might be a DNS server in my DMZ or any one

[Video description begins] The Forwarder. [Video description ends]

particular DNS server that I'd like to use to have this extra responsibility. So now, instead of my DNS server asking the root server, my forwarder does that on my behalf. So as you can see, the forwarder contacts root hints, gets the address of a com server. We ask the com server our query for mail1.earthfarm.com again, and we are told go contact an earthfarm.com server. We contact the earthfarm.com server, and hopefully we get the IP address of Mail1.earthfarm.com. Because at this point, we're contacting a server that owns the exact zone for the namespace we're querying, so we can't get any closer than that. That information will now be held in this cache, here on the forwarder, and then returned back to the local DNS server, who can then return that to the client. Remember, technically, the client issues what's called a recursive query. That recursive query means that only a positive or negative response can be given. Either you found the IP address or you did not. When my local DNS server uses a forwarder, it also uses a recursive query, meaning it's waiting for the forwarder to give it either the IP address it was looking for or to be told that that IP address cannot be found. My forwarder issues what are called iterative queries.

Whenever we contact the root hints and work our way down through the DNS hierarchy, we're using iterative queries. Iterative queries allow for a response other than an IP address or failure; they allow for a redirection. The forwarder can contact the root hints, which redirect it to a com server, which redirects it to an earthfarm.com server, which gives it the answer, which is cached and forwarded on. This also means there's a central cache: if I have, let's say, 20 local DNS servers, then once one DNS server has found the record that a client might query for, the next client that queries for that same record will find it right out of cache instead of requiring all of these iterative queries to be redone. So it's found on the LAN locally, in a centrally cached location; that's going to give us better performance over time for all of our processes. It also helps to simplify troubleshooting if things are cached incorrectly. Again, we can work our way down from the forwarder and clean up those processes. And it can help to ensure security, because not all DNS servers need to be given access to the Internet and to the Internet DNS servers. We can say that DNS queries from here to here can cross this firewall, but that DNS queries from here out to the Internet are not available. So the forwarder's available but not root hints. And so, we can secure our internal resources. The configuration, if we look at the

[Video description begins] He switches to the Server Manager window. The SERVERA node is displayed. It includes subnodes such as Forward Lookup Zones, Reverse Lookup Zones, Trust Points, and Conditional Forwarders. [Video description ends]

DNS console, is just as simple as looking at the Server Properties, heading to the Forwarders tab and editing the list of forwarders, and adding the DNS name of a particular server that you'd like to function as the standard forwarder. And once that is in there,

[Video description begins] He enters dc0.earthfarm.com. [Video description ends]

okay, we've got an entry in place, OK. And okay, we didn't find an IPv6,

[Video description begins] 192.168.5.254. [Video description ends]

so we'll delete that extra reference. So there we go, so there's a valid forwarder. We could have multiple forwarders for failover if necessary.

DNS Root Hints
[Video description begins] Topic title: DNS Root Hints. The presenter is Jacob Moran. [Video description ends]

Every DNS server, Windows Server 2016 or any other flavor of DNS, is going to start off with something called Root Hints. Root Hints is how every DNS

[Video description begins] A diagram is displayed. It includes a DNS server in the center connected to other DNS Servers, the Root (.) Servers and a client. The global com is connected to Microsoft. [Video description ends]

server knows how to look up the information found on the Internet.

[Video description begins] He draws a line between the central DNS Server and the Root (.) Servers. [Video description ends]

And that's because the IP addresses of the clusters of the Root DNS Servers are automatically prebuilt into each and every DNS server. So when a DNS server does not have a forwarder configured, the default behavior is for it to say, well, if you're asking me for something that I don't know, I'll go ask the Root Server for that information. The Root Server is authoritative for the entire Internet. If the Root Server doesn't know it, it can't be found. Now, what a Root Server is actually configured with is just a list of delegations for the top-level domains,

[Video description begins] He encircles the com domain. [Video description ends]

like com, gov, edu, net, the country codes, and so forth. And the iterative query that will be performed by a DNS server allows for the Root Server to respond back, not with here's the address of, let's say,

[Video description begins] He draws the two-way flow between the DNS Server and the Root (.) Servers. [Video description ends]

www.Microsoft.com, but here's the address of a com server that's responsible for anything that ends in .com.

[Video description begins] He draws a line between Root (.) Servers and com. [Video description ends]

So now my DNS server can send the query to the .com server saying, I'm looking for www.Microsoft.com, can you help me? And the com server can likewise reply with an iterative response. It says, well, no, but I'll tell you who can; you need to go contact one of these Microsoft DNS servers, where this domain has been delegated. So now my DNS server can go through the process of finding the Microsoft.com DNS server, asking for the record www, and getting the resource records that are associated with that. And then caching it locally and then providing the answer back to the recursive query sent by the client.

[Video description begins] He draws a cloud connected to the DNS server. [Video description ends]

So there are 13 Root Servers to find by default. They're identified by a period and they are loaded into our DNS servers by default. They're actually copied out of a local cache.dns text file, and so we can see that and potentially edit that ourselves. Though typically what we'll do is actually, whatever we need to work with our process, we can actually upgrade those if needed. The DNS server uses an iterative query when querying a root hint server; remember, that means that it can look up another server as necessary. You can disable iterative queries; use root hints if no forwarders are available. And again, Recursion is the overall process of DNS using DNS to answer DNS queries. It includes root hints. It includes forwarders. Recursive queries are specifically used by clients and forwarders when they require a complete answer to a query and cannot handle a redirection. A client is never redirected to another DNS server, for example, because they only issue recursive queries. But the recursive query may trigger recursion, which simply means the DNS server doesn't know it; it's got to go find it out on your behalf. That's Recursion. If we take a look at our DNS Manager here, and we head

[Video description begins] He switches to the DNS Manager window. [Video description ends]

to our root of the server, you can see there's a Root Hints node here,

[Video description begins] He right-clicks Root Hints. [Video description ends]

which actually brings up SERVERA properties. And we can see the fully qualified domain name of each of the ROOT-SERVERS. They're identified by letter, to represent the fully qualified domain name of the root server itself. But they are represented, of course, in DNS namespace, because these servers host a namespace of just dot, all right, a period represents their namespace. So, these IP addresses actually represent clusters, and when we update our DNS properties and/or go through Windows updates, these will be updated automatically. If you right-click on the server and choose Configure a DNS Server to launch this wizard, one of the tools we can use is Configure root hints only, which will automatically update those with the latest identifiers from the Internet. So if there's been any change, we will now have those changes immediately.
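
The forwarder chain from the DNS Forwarders topic and the root-hint handling from this topic, configured and checked from PowerShell, as an added example that is not part of the course. It assumes the DnsServer module on the local server SERVERA and the forwarder 192.168.5.254 (dc0.earthfarm.com) from the demo; the second forwarder 192.168.5.253, the DMZ host dmz-dns.earthfarm.com and the firewall rule that only the forwarder may reach the Internet on port 53 are assumptions. The "Use root hints if no forwarders are available" checkbox in the console corresponds to the -UseRootHint switch below.

```powershell
# Added example (not from the course): configure the forwarder on the local server,
# verify each hop, refresh root hints on the forwarder, and make sure only the hosts
# that should recurse do. Assumes the DnsServer module on SERVERA, forwarder
# 192.168.5.254 from the course; the second forwarder and the DMZ host are assumptions.
Import-Module DnsServer

# Local server: send everything it is not authoritative for to the central forwarder.
# A short timeout makes a dead forwarder fail fast. -UseRootHint $false keeps this host
# from ever going to the root servers itself, matching the firewall rule that only the
# forwarder may reach the Internet on UDP/TCP 53.
Set-DnsServerForwarder -IPAddress '192.168.5.254' -Timeout 3 -UseRootHint $false -PassThru

# A second forwarder for failover; they are tried in list order.
Add-DnsServerForwarder -IPAddress '192.168.5.253' -PassThru   # assumed

# Verify the forwarder: does it answer recursive queries, and can it still reach the roots?
Test-DnsServer -IPAddress '192.168.5.254' -Context Forwarder
Test-DnsServer -IPAddress '192.168.5.254' -Context RootHints

# Root hints on the forwarder (the cache.dns list the course describes): inspect, then
# refresh from a live source. Import-DnsServerRootHint asks the named server for the
# root NS set, which is what "Configure root hints only" does in the wizard.
Get-DnsServerRootHint -ComputerName '192.168.5.254' |
    Select-Object -ExpandProperty NameServer | Select-Object HostName
Import-DnsServerRootHint -ComputerName '192.168.5.254' -NameServer 'a.root-servers.net' -PassThru

# The forwarder holds the shared cache for every downstream server, so protect it:
# with cache locking at 100% a cached record cannot be overwritten until its TTL expires,
# which blunts cache-poisoning attempts that race the real answer.
Set-DnsServerCache -ComputerName '192.168.5.254' -LockingPercent 100

# A server that is only authoritative (a DMZ box hosting earthfarm.com for the outside
# world) should not recurse at all: an open recursive resolver is a reflection and
# amplification source and the classic target for cache poisoning.
Set-DnsServerRecursion -ComputerName 'dmz-dns.earthfarm.com' -Enable $false   # assumed host

# End-to-end check from the local server, bypassing the client cache and hosts file.
Resolve-DnsName -Name 'mail1.earthfarm.com' -Server 'SERVERA' -DnsOnly -NoHostsFile
Get-DnsServerForwarder | Format-List IPAddress, Timeout, UseRootHint
```

Test-DnsServer returns Success when the target behaves as the chosen Context requires; a forwarder that reports failure on the RootHints context can still answer from cache for a while, which is why both contexts are checked.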
216
217DNS Delegation
218[Video description begins] Topic title: DNS Delegation. The presenter is Jacob Moran. [Video description ends]
219
220As a DNS administrator, it's important to get really comfortable with the idea of the fact that DNS is a hierarchical namespace system.
221
222[Video description begins] A diagram depicting the hierarchy of DNS is displayed. The parent node Earthfarm.com is connected to two nodes Sales and Marketing. Sales is labeled DNS Subdomain and Marketing is labeled DNS Zone. The marketing node also includes a DNS Server. [Video description ends]
223
224That we have a domain, such as Earthfarm.com, and that underneath that there can be child domains, such as Sales.Earthfarm.com, and Marketing.Earthfarm.com. And, of course, that means that the computers in the parent domain might be things like computer1.Earthfarm.com, right, www.Earthfarm.com, but in a child domain the names will be even longer. It could be desktop5.Sales.Earthfarm.com, right? The names just keep extending out further and further. So that gives us the ability, though, to reference different definitions, right? To say, okay, there's different parts of my namespace that are used and a parent-child relationship between them. Sales doesn't exist outside of Earthfarm.com. It is a subsidiary of Earthfarm.com in some way, shape, or form, logically. And I want to illustrate that by using a namespace that makes that obvious, and pairs it with all of the other devices that work in that same namespace. The idea of delegation is regarding the fact that sometimes what we'll want to do is actually have child namespaces be managed by the same DNS Server. One DNS Server with a zone could manage all of this.
225
226[Video description begins] He encircles earthfarm.com and Sales. [Video description ends]
227
Or I may want to say, okay, well, here's Marketing. And Marketing is so big and involves so many resources, that I want to have a separate DNS Server to keep track of all the resource records for everything in that domain. So even though Marketing.Earthfarm.com ends in earthfarm.com, and it is therefore under the domain and the authority of this Earthfarm.com DNS Server, we can create a delegation where this Server, that is normally in charge of that domain, gives up that authority and says, you know what? Authority for everything in Marketing, I don't have to keep track of it anymore. This other DNS Server is doing it instead. And then in the iterative process, where a client might query the DNS Server, or another server might query this server, we can hand off the responsibility and track those records in the child Server location.

[Video description begins] He points to DNS Server. [Video description ends]

We don't have to put all of our eggs in one basket. So why do that, again? Remember it's all about putting somebody else in charge of those records. Maybe there's security reasons, or administrative reasons, why we want to create this separation of management. Performance and fault tolerance, maybe we don't want to have to replicate these over in a poorly performing link. And so if you keep track of your records, and I keep track of my records, if Marketing's over in Asia and I'm in North America, well then I only have to deal with those Asia records when I make a specific query for those records. We don't need to replicate those back and forth between multiple DNS Servers. And of course, just to extend the namespace, to be able to have different portions of the namespace. For example, in Active Directory, we might build a new child domain that needs a new namespace, and we want to facilitate that with its own separate delegation, so that the separate servers could keep track of all of those records. Again, the process is very straightforward, as we look at it in a Windows Server 2016 environment. If we have a domain like brocadero.com

[Video description begins] He switches to the DNS Manager window. Nodes such as SERVERA, Reverse Lookup Zones, Trust Points, and Conditional Forwarders are displayed. The SERVERA node includes subnodes such as Forward Lookup Zones and brocadero.com. [Video description ends]

and we want to have a subdomain that is managed in the same zone file, I can simply create a new domain. And this allows me to create resource records right in there.

[Video description begins] He right-clicks the subnode brocadero.com and the New DNS Domain dialog box opens. [Video description ends]

But if you notice in the icon, this is the only icon with a piece of paper indicating it's a zone. Child is a subdomain within the same zone file. So all the resource records

[Video description begins] Under the brocadero.com subnode. [Video description ends]

in child will replicate and be managed by the same server in the same file as everything else. But if I right-click and say New Delegation,

[Video description begins] He opens the New Delegation Wizard. [Video description ends]

that means I'm pointing to another domain. We'll call this sibling, just for our parent-child namespace relationships here. And we'll add the IP address, or a fully qualified domain name of a server in charge of that domain. So let's say it was dc0.earthfarm.com. I'll resolve that, and it'll validate the IP addresses. But what it'll tell me is the fact that those addresses do not actually have that zone in place. Now, again, all I'm saying is it's up to the administrator of dc0.earthfarm.com to build a zone for sibling.brocadero.com. Delegating doesn't create anything, it only releases responsibility from one server and points to where that responsibility is on another server.
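The same delegation done from PowerShell, as an added example that is not part of the course: brocadero.com, sibling and dc0.earthfarm.com are the course's sample names, while the two IP addresses are constructed placeholders.

```powershell
# Added example, not part of the course: the New Delegation wizard's result
# done with the DnsServer module. Zone and host names are the course's samples;
# the IP addresses are constructed placeholders.

$ParentServer = '10.0.0.1'   # constructed: the server authoritative for brocadero.com
$ChildServer  = '10.0.0.5'   # constructed: dc0.earthfarm.com

# --- On the PARENT server (authoritative for brocadero.com) ---
# This writes only NS (plus glue A) records for "sibling" into brocadero.com.
# It does not create the child zone anywhere, which is what the wizard's
# "zone not found" validation message is telling you.
Add-DnsServerZoneDelegation -Name 'brocadero.com' -ChildZoneName 'sibling' `
    -NameServer 'dc0.earthfarm.com' -IPAddress $ChildServer

# Confirm the parent now holds a referral, nothing more.
Get-DnsServerZoneDelegation -Name 'brocadero.com' -ChildZoneName 'sibling'

# --- On the CHILD server (dc0.earthfarm.com) ---
# The delegated-to administrator has to build the zone before the referral
# leads anywhere; until then dc0 has no answer for sibling.brocadero.com.
Add-DnsServerPrimaryZone -Name 'sibling.brocadero.com' -ZoneFile 'sibling.brocadero.com.dns'
Add-DnsServerResourceRecordA -ZoneName 'sibling.brocadero.com' -Name 'www' -IPv4Address '10.0.0.20'

# --- From a client: see the hand-off happen ---
# The parent answers the NS question with the referral to dc0 ...
Resolve-DnsName -Name 'sibling.brocadero.com' -Type NS -Server $ParentServer
# ... and dc0 answers for the records that live in the child zone.
Resolve-DnsName -Name 'www.sibling.brocadero.com' -Type A -Server $ChildServer
```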
249
DNS Policies
[Video description begins] Topic title: DNS Policies. The presenter is Jacob Moran. [Video description ends]

If you've ever been frustrated by trying to put some intelligence behind DNS processing, congratulations, you've stepped up to Windows Server 2016. And you now have access to something new called DNS Policies. DNS Policies are going to filter the processing of DNS responses based upon certain conditions. It's an if-then statement, and that means you've got controls. We're going to be able to build out certain Policy Objects which will be used to facilitate those controls, like Client subnets so we can see certain subnets are defined in DNS. And then those can be used, if you will, as the IF portion of a statement. There's other things that can be used, but this is a part of the IF. If you're a particular client from a certain subnet, then, then what? The THEN side of our policy processing would be on the side of Recursion scopes or Zone scopes potentially being applied. So a Recursion scope indicates how we perform Recursion. If I'm not authoritative for something, if I don't have a Zone, who should I forward the request on to? And so, you can create a list of forwarders that are used only for certain clients. Or we could set up for where I am authoritative, we could take our Zone and partition it so that we've got our default answers.

[Video description begins] He draws a diagram of a zone partitioned in two zones. [Video description ends]

But then we have our Zone scoped answers, resource records that are only given if, for example, you come from a particular Client subnet and therefore those particular resource records, those addresses, should apply. So this gives us some great controls. We can use this for high availability, find the healthy client, find the best, not client, find the best server to direct clients to. We can use this for Traffic management because of those client references we could actually specifically forward clients to a server. Give them the resource records, in other words, give them the IP address of a server that is close to them. Now we've been able to do that with site-aware applications through Active Directory, but this will work regardless of the intelligence of the application, because we're adding the intelligence to DNS itself. Split-brain DNS, which is where I have an external, typically Internet-facing Zone for a domain, and I have an internal Zone that has the exact same name for my enterprise data center. And so, in that environment,

[Video description begins] He draws a cloud and a data center. [Video description ends]

I traditionally have had to maintain two separate Zone files. And manually make sure that certain records that are on the Internet that I want my internal clients to find are added to both locations. Now, I could potentially create a single Zone that is stored in both places but external clients only get to see external resource records. Internal clients get to see all of the records. So we can filter, all right.

[Video description begins] He draws a data center which overlaps both the cloud and the internal data center. [Video description ends]

Queries can be blocked based upon the client that's requesting that, so I could totally filter the client out entirely and say you don't have access to anything or only access to a certain set of records. I could change the address, that maybe my external clients are looking for or maybe some internal clients. I could have a client reference that's specific to a particular IP address and send it to a sinkhole. Send it to a server that is logging access without actually giving them access to the resource. And we can do Time-of-day restrictions, so that certain clients are sent to a particular server during the day. And maybe there's a backup during the day and a secondary server that's used at night and you could swap the two. So again, changing which resource record you get based upon time of day. Now the processing for all of this is based upon standard kind of policy workflow.

[Video description begins] A flowchart depicting the DNS Server policy processing is displayed. [Video description ends]

We first check to see if there are any server level policies, so high level,

[Video description begins] The process object is: Server Policies checked one by one until a match is found. [Video description ends]

server level policies that will affect all queries and if so, we'll apply those. But if not, then we go to asking the question,

[Video description begins] The decision object is: Is server Authoritative? [Video description ends]

are we Authoritative for a particular Zone? If the answer is yes, we are Authoritative, we have, you know, you're asking about earthfarm.com, I've got a Zone for earthfarm.com. Then we see are there any Policies on earthfarm.com records that apply to you because of a time of day, because of a Client subnet. So I am Authoritative,

[Video description begins] The process object is: Check Recursion Policies one by one looking for a match. [Video description ends]

so we check the Zone level policies for that Zone and if they do apply,

[Video description begins] The process object is: Check Zone level policies one by one looking for a match. The decision object is: A Zone Policy is Matched? [Video description ends]

then you get the Zone based policies. If not, then you just get normal lookup, right? Brainless processing, standard processing,

[Video description begins] The terminal object is: Do not apply a policy. [Video description ends]

default processing as we might call it. But if I'm not Authoritative for the Zone, it's in that case that we say well you're asking for www.brockadear.com, my server only is Authoritative for earthfarm.com,

[Video description begins] Check Recursion Policies one by one looking for a match. [Video description ends]

so therefore let's see if any Recursion Policies apply. If you're connecting at a time of day or if it's a particular subnet or whatever it might be, then I'll send you to this forwarder, right? That's the Recursion policy. So if there is a matching policy, we will apply that type of policy here.

[Video description begins] The decision object is: A Recursion Policy is Matched? [Video description ends]

If not, that's the last of our policies that we have the potential to apply. So these are DNS Server policies that we configure here in our Windows 2016 DNS.
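The IF and THEN pieces described in this topic, built with the DnsServer module as an added example that is not part of the course: earthfarm.com is the course's sample zone, and the subnets, addresses, scope and policy names are constructed.

```powershell
# Added example, not part of the course: client subnets (IF), zone scopes and
# recursion scopes (THEN), and the query resolution policies that tie them
# together on a Windows Server 2016 DNS server. earthfarm.com is the course's
# sample zone; subnets, addresses and names are constructed.

$Zone = 'earthfarm.com'

# --- IF: the client subnets the policy conditions refer to ---
Add-DnsServerClientSubnet -Name 'AsiaClients'         -IPv4Subnet '172.21.0.0/16'
Add-DnsServerClientSubnet -Name 'NorthAmericaClients' -IPv4Subnet '10.20.0.0/16'

# --- THEN (authoritative side): partition the zone with a zone scope ---
# The default scope keeps the "default answers"; the new scope holds the
# record that only Asian clients should receive for the same name.
Add-DnsServerZoneScope -ZoneName $Zone -Name 'AsiaScope'
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name 'www' -IPv4Address '10.20.1.50'
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name 'www' -IPv4Address '172.21.1.50' -ZoneScope 'AsiaScope'

# Zone-level policy (traffic management): Asia subnet => answers from AsiaScope.
Add-DnsServerQueryResolutionPolicy -Name 'AsiaTrafficPolicy' -Action ALLOW `
    -ZoneName $Zone -ClientSubnet 'EQ,AsiaClients' -ZoneScope 'AsiaScope,1'

# Time-of-day variant: business hours hand out DaytimeScope; outside that
# window no policy matches and the default scope answers (the "swap" case).
Add-DnsServerZoneScope -ZoneName $Zone -Name 'DaytimeScope'
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name 'app' -IPv4Address '10.20.1.60' -ZoneScope 'DaytimeScope'
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name 'app' -IPv4Address '10.20.1.61'
Add-DnsServerQueryResolutionPolicy -Name 'DaytimePolicy' -Action ALLOW `
    -ZoneName $Zone -TimeOfDay 'EQ,08:00-18:00' -ZoneScope 'DaytimeScope,1'

# Filtering: deny one name to every client that is NOT in the North America subnet.
Add-DnsServerQueryResolutionPolicy -Name 'BlockFinanceExternal' -Action DENY `
    -ZoneName $Zone -Fqdn 'EQ,finance.earthfarm.com' -ClientSubnet 'NE,NorthAmericaClients'

# --- THEN (non-authoritative side): a recursion scope with its own forwarder ---
# Server-level policy: North America clients recurse through the internal
# forwarder; the default recursion scope "." is left as it was.
Add-DnsServerRecursionScope -Name 'InternalRecursion' -EnableRecursion $true -Forwarder '10.20.1.86'
Add-DnsServerQueryResolutionPolicy -Name 'InternalForwarding' -Action ALLOW `
    -ApplyOnRecursion -RecursionScope 'InternalRecursion' -ClientSubnet 'EQ,NorthAmericaClients'

# --- Review what the server evaluates, in the order of the flowchart ---
Get-DnsServerQueryResolutionPolicy                   # server-level policies (checked first)
Get-DnsServerQueryResolutionPolicy -ZoneName $Zone   # zone-level policies, by ProcessingOrder
```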
298
Configure DNS: Windows PowerShell
[Video description begins] Topic Title: Configure DNS: Windows PowerShell. Your host for this session is Michael Murphy. [Video description ends]

In this demonstration, we want to take a look at configuring DNS using PowerShell.

[Video description begins] A command prompt window appears. The directory name is: PS C:\Users\mlmurphy>. [Video description ends]

And I think it's important to look at both the client configuration and the server configuration. And the reason for that is because there's a whole separate set of DNS cmdlets available for server management than there are for client management. And so for example, if I'm here on this Windows 10 machine, I can open a PowerShell window. Which means, of course, that if I've set a PowerShell script execution policy, then as part of my group policy objects, I can run a PowerShell script against a client machine at startup, and it'll get these settings, right? And so I can write PowerShell scripts, import them into group policy, and then automate the DNS configuration across all the clients. Now, of course, that can happen too with DHCP and commonly does. So you might ask the question, when would I prefer to do this kind of thing for my clients? Well, I think about my remote client. My remote clients, very much like the clients you're looking at here, start up. And I can call, in the PowerShell window, you can call the commands that we all know, right? So I could call ipconfig, for example.

[Video description begins] The presenter enters the following command: ipconfig. A result is displayed with the following 3 sections: Ethernet adapter vEthernet (DockerNAT), Ethernet adapter Ethernet 2 and Ethernet adapter vEthernet (Default Switch). [Video description ends]

And I can see right off the bat that there's a locally assigned IP address from my router here in the house that's connected to the public Internet. As a remote client, that's the world that I live in. And then I can see other addresses, and I see a 172.18 address.

[Video description begins] Under the Ethernet adapter vEthernet (Default Switch) section, he cursors over the IPv4 Address 172.18.186.129. [Video description ends]

And that's in that private IP range, right, 172.16 through 172.31 is a private IP address range, class B. And if I do an ipconfig /all, I get all the classic IP configuration information.

[Video description begins] The presenter enters the following command: ipconfig /all. All the IP configuration information appears. [Video description ends]

I can see the DNS servers that are assigned here.

[Video description begins] He highlights the following DNS servers: 23.235.16.2 and 23.235.16.3. [Video description ends]

And then up here, I see these other DNS servers with internal private IP addresses, right?

[Video description begins] The presenter highlights the DNS servers with the following IP addresses: 10.20.1.86 and 10.20.116.54, 10.20.1.86 and 10.20.116.54. [Video description ends]

Non-routable on the public Internet class A addresses. And so I can see the remote client configuration, and I can see the configuration that's assigned from the local router.

[Video description begins] The presenter highlights the following text: Cisco AnyConnect Secure Mobility Client Virtual Miniport. [Video description ends]

And for those remote clients, there's a whole host of things that I might want to configure in a script. We'll automate those remote client configurations, right? Now, I do want to point out, there's a couple of other cmdlets that you should know in here just before we get to the DNS command. get-netipconfiguration on your client machine gives you essentially an ipconfig report.

[Video description begins] The presenter enters the following command: get-netipconfiguration. An IP configuration report appears in the result. [Video description ends]

Now, there's also the get-dnsclient, and that's where we really want to start. If I run the get-netadapter cmdlet,

[Video description begins] The presenter enters the following command: get-netadapter. A table is displayed with the following columns: Name, InterfaceDescription, ifIndex, Status and MacAddress. The following items are listed under the Name column: vEthernet (DockerNAT), vEthernet (Default Switch), Ethernet 2, and Ethernet. [Video description ends]

you will note that its output is very similar to the get-dnsclient cmdlet.

[Video description begins] He enters the following command: get-dnsclient. A table is displayed with the following columns: InterfaceAlias, InterfaceIndex, ConnectionSpecificSuffix, ConnectionSpecificSuffixSearchList, and RegisterThisConnectionsAddress. The following items are listed under the InterfaceAlias column: Ethernet, vEthernet (DockerNAT), Ethernet 2, Loopback Pseudo-Interface 1, and vEthernet (Default Switch). [Video description ends]

And so I see the interfaces, their aliases, right, which I can call the interface aliases part of a command line. The Internet connection specific suffix, and the interface index. Now, the index number is going to be important. If I wanted to set the DNS client configuration, I would need to reference the interface index number. So before running a set-dnsclient command, you'd want to call, or in the case of a script, set a variable that calls a get-dnsclient command. And then pipes the appropriate interface into your set-dnsclient configuration cmdlet. Now, before running any set-dnsclient cmdlet, then, I would want to call the get-dnsclient. Or I would want to call the get-netadapter so that I could get the index, the interface index that I see there. And now we can, of course, in addition to getting the DNS client configuration, I can get the DNS client cache. And then this will give me a list of everywhere that I've been lately, right? Everything that's currently in the DNS cache I see here.

[Video description begins] The presenter enters the following command: get-dnsclientcache. A table is displayed with the following columns: Entry, RecordName, RecordType, Status, Section, TimeToLive, DataLength and Data. [Video description ends]

You can see later today I'm planning on going mushroom hunting.

[Video description begins] He highlights the following text in the table: themushroomforager.com. [Video description ends]

And I wanted information on lion's mane and sheep's head, which should be coming into season around here, and are delicious. And chicken of the woods, and a bunch of other ones, and of the woods we get here too. And so on the client side, I can also, of course, do a get-command. And then I want to see all the DNS cmdlets that are available to me on this client machine.

[Video description begins] The presenter enters the following command: get-command *dns*. A table is displayed with the following columns: CommandType, Name, Version and Source. [Video description ends]

And we can see here, for example, is the clear DNS client cache.

[Video description begins] He cursors over the following text in the table: Clear-DnsClientCache. [Video description ends]

So if I ran clear-dnsclientcache, this is the same

[Video description begins] The presenter enters the following commands: clear-dnsclientcache and get-dnsclientcache. A table is displayed with the following columns: Entry, RecordName, RecordType, Status, Section, TimeToLive, DataLength and Data. [Video description ends]

as an ipconfig /flushdns, right? Same as an ipconfig /flushdns. Now, let's just take a look at the server side configuration. So I'm just going to switch over to my server that I'm RDP'd into.

[Video description begins] The presenter opens a window titled: Administrator: Windows PowerShell. The following command has been entered: get-command *dns*. A table is displayed with the following columns: CommandType, Name, Version and Source. [Video description ends]

And you can see I've already run the get-command *dns*, which gives me all the cmdlets that include this text string. So I also get this for

[Video description begins] He cursors over the following item in the table: dnsn -> Disconnect-PSSession. [Video description ends]

disconnecting this alias name, for disconnecting a PSSession. Not particularly related to what we're doing here, but the text string appears there, right? So you do want to be able to differentiate between the outputs that you'll get in these get commands. Now, if I look over here at the source, I can clearly see which ones are DNS server cmdlets, right? Which ones are DNS client cmdlets, like we just looked at on the Windows 10 machine.

[Video description begins] He mouses over the items listed under the Source column. [Video description ends]

Now, in here what you'll find is you can script the server configuration. If you're managing a DNS server farm, and you've got 24 load balanced DNS servers that service the needs of your 30,000 remote employees. And your 30,000 on-campus employees, right? I can script configuration to add resource records, right? Reverse look-up records in this example here. Mail exchanger records, right? Whatever record type you need to add. You can do an Add-DnsServerResourceRecord and then specify the type of record you want to add. You're managing your own root hints, or there is an unprecedented update to the root hints file. Or the cache.dns file that you find on every DNS server down there in the Windows installation directory, system32 DNS, there's the cache.dns file. And that cache.dns file, of course, contains the IP addresses of the root servers on the public Internet. Addresses and server names that haven't really changed much in 40 years. There were some recent name updates, as well as the addition of IPv6 addresses to that file, which was very exciting. But at any rate, I can see in here everything that I want to do from setting up DNSSEC, adding trust anchors. Adding stub zones, adding Active Directory integrated zones, primary zones. Or setting zone transfers, can all be accomplished in a scripted form using PowerShell.

[Video description begins] He highlights the following lines of text under the Name column: Add-DnsServerResourceRecordPtr, Add-DnsServerResourceRecordMX, Add-DnsServerResourceRecordDnsKey, Add-DnsServerRootHint, Add-DnsServerTrustAnchor, Add-DnsServerStubZone. [Video description ends]

And this is a look at configuring DNS settings, both on the clients and on your DNS servers using PowerShell.
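The client-side and server-side cmdlets walked through in this demonstration, collected into one script as an added example that is not part of the course: the adapter name, the reverse zone and the host records are constructed, while earthfarm.com and the 10.20.1.86 / 10.20.116.54 resolvers are the course's sample values.

```powershell
# Added example, not part of the course: the DnsClient cmdlets from the
# Windows 10 demo followed by the DnsServer cmdlets from the server demo.
# Adapter name, reverse zone and host records are constructed.

# ----- Client side (DnsClient module, e.g. run from a group policy startup script) -----
# Resolve the adapter to its interface index first; the Set-* cmdlets key on it.
$IfIndex = (Get-NetAdapter -Name 'Ethernet 2').ifIndex

# Point the adapter at the internal resolvers seen in ipconfig /all.
Set-DnsClientServerAddress -InterfaceIndex $IfIndex -ServerAddresses ('10.20.1.86', '10.20.116.54')

# Connection-specific suffix and dynamic registration are per interface.
Set-DnsClient -InterfaceIndex $IfIndex -ConnectionSpecificSuffix 'earthfarm.com' -RegisterThisConnectionsAddress $true

# Read back what the client now has (the get-dnsclient view).
Get-DnsClient -InterfaceIndex $IfIndex
Get-DnsClientServerAddress -InterfaceIndex $IfIndex -AddressFamily IPv4

# Cache inspection and flush (ipconfig /displaydns and /flushdns equivalents).
Get-DnsClientCache | Where-Object RecordType -eq 'A' | Select-Object Entry, Data, TimeToLive
Clear-DnsClientCache

# ----- Server side (DnsServer module, run on or against a DNS server) -----
$Zone = 'earthfarm.com'
$Rev  = '1.20.10.in-addr.arpa'   # reverse zone for 10.20.1.0/24, constructed

# Create the reverse zone so PTR records have somewhere to live.
Add-DnsServerPrimaryZone -NetworkId '10.20.1.0/24' -ZoneFile "$Rev.dns"

# A record with its PTR created in one step ...
Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'mail' -IPv4Address '10.20.1.25' -CreatePtr
# ... or the PTR added explicitly; the name is just the host octet inside the reverse zone.
Add-DnsServerResourceRecordA   -ZoneName $Zone -Name 'www' -IPv4Address '10.20.1.50'
Add-DnsServerResourceRecordPtr -ZoneName $Rev  -Name '50'  -PtrDomainName 'www.earthfarm.com'

# Mail exchanger at the zone apex ("." is the apex); lower preference wins.
Add-DnsServerResourceRecordMX -ZoneName $Zone -Name '.' -MailExchange 'mail.earthfarm.com' -Preference 10

# Generic form: the record type is a switch on Add-DnsServerResourceRecord.
Add-DnsServerResourceRecord -ZoneName $Zone -CName -Name 'webmail' -HostNameAlias 'mail.earthfarm.com'

# Tell DnsServer from DnsClient commands by their Source, and drop unrelated
# matches such as the dnsn alias for Disconnect-PSSession.
Get-Command -Name '*dns*' | Where-Object Source -in 'DnsClient', 'DnsServer' |
    Sort-Object Source, Name | Format-Table Name, Source
```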
379
Configure DNS Global Settings
[Video description begins] Topic Title: Configure DNS Global Settings. Your Host for this session is Michael Murphy. A command prompt window appears. The directory name is: PS C:\Users\mlmurphy>. The following command has been entered: get-command *dnsclient*. A table is displayed with the following columns: CommandType, Name, Version and Source. [Video description ends]

In this demonstration, I want to take a look at the DNS global setting. And the DNS global setting is primarily of concern for those of us in a multi-domain environment. And so the first thing to be aware of, if I'm looking at this property in here, this DNS global setting, what I'm interested in is the suffix search list. Now, think about this with me. How often do you name a server server1, let's say? Or DNSServer1, or ActiveDirectoryServer1, or whatever it is you do. You have some convention, and you reuse these names all the time. And when you're living in a single-domain environment, that's no big deal. When you address it by its UNC path name, or you use any kind of single label addressing, it can find it because there's only one repository to look in, agreed? But if we take a look at, say, the network configuration for this machine, for example.

[Video description begins] The presenter opens the Network Configuration window. The following options are displayed in the navigation pane: Status, Ethernet, Dial-up, VPN, Data usage and Proxy. Under network status, he clicks the Change Connection Properties option. The Ethernet tab opens. He clicks the Change adapter options. [Video description ends]

And then if I were to look here on the Properties for this, and here we are on the client machine, right?

[Video description begins] The Network Connections window opens. He right-clicks Ethernet 2. He clicks the Properties option. The Ethernet 2 Properties window opens. He clicks the Internet Protocol Version 4 (TCP/IPv4). The Internet Protocol Version 4 (TCP/IPv4) window opens. It has 2 tabs: General and Alternate Configuration. He clicks the Advanced button at the bottom of the window. The Advanced TCP/IP Settings window opens. It has 3 tabs: IP Settings, DNS and WINS. He clicks on the DNS tab. It has 2 radio buttons: Append primary and connection specific DNS suffixes, and Append these DNS suffixes (in order). [Video description ends]

These are your client's settings. If I look in the Advanced tab down here under DNS, there is this choice to append these DNS suffixes.

[Video description begins] He mouses over the following DNS suffixes: skillsoft.com, amr.smtf.ds, norwood.books24x7.com, etc. [Video description ends]

And then I see a list of the DNS suffixes there. And I'm laughing a little bit, because I went to a great deal of trouble,

[Video description begins] The command window is open. The directory name is: PS C:\Users\mlmurphy>. [Video description ends]

not thinking that they would be exposed in that interface, of making this picture in paint, where I had wiped them all out and given the phony one. And if I look here, the get-dnsclientglobalsetting returns to me the list of the suffix searches, right?

[Video description begins] The following command is entered: get-dnsclientglobalsetting. In the result, the following text is highlighted: EarthFarm.com, UnitoGames.com, NA.UnitoGames.com, EMEA.Unito...} [Video description ends]

So we start out in the EarthFarm.com domain looking for server1. And then if we don't find it there, then we go to the UnitoGames.com domain, do you see, and we look for server1. And then if we can't find it there, we go etc., we keep looking through the various domains. So when I evolve the network from single domain to a multi-domain or multi-label environment, to support those single label searches where I'm just calling it by the server name, not giving the fully qualified domain, I want to use the suffix search list, and I want to define that search list with the order preference. Look, if all of the machines that everybody's going to need are housed in a single infrastructure as a service domain, probably in the cloud somewhere today, then I give that label as the second entry and I'm done, right? Or maybe as the first entry if that's where they go most of the time. They don't even look in their home domain, and so I can manipulate that search order on the client in this fashion. Now, of course, we can do that as well for the server. Just before we do that, I do want to highlight for everybody. In the previous, if you watched the last demonstration, around writing scripts to support remote clients with your local office configuration information to support those clients. One of the things that I did not mention was NRPT, the DnsClientNrptGlobal settings.

[Video description begins] The command get-command *dnsclient* is entered. In the displayed result, the presenter highlights the following text: Set-DnsClientNrptGlobal. [Video description ends]

Now, the NRPT is the name resolution policy table that your remote clients get directed to, so that they can make decisions. That name resolution policy table is what the remote clients use to determine: should they send a DNS request to the internal servers? Or should they send the DNS lookup request to external servers? So that I get intelligent use out of my machine, right? If I'm connected to my work domain as a remote client, and I need firewood here at the house. I don't want to go to Craigslist for where my office is located. I want to go to the Craigslist locally. So when I open the browser and I type in there Craigslist, I want to know that I'm going to go to the local one. And with the name resolution policy table, we can prefer for particular names when they go to www.mycompany.com. Well, does that take them to the intranet site or does it take them to the world wide website? And I can set those settings in that name resolution policy table.

[Video description begins] The presenter opens a new Administrator: Windows PowerShell window. The command get-command *dnsserver* is entered. In the result, a table is displayed with the following 4 columns: CommandType, Name, Version and Source. [Video description ends]

Now, coming over to the DNS server side of things, here you can see I've run a get-command for the dnsServer so that I can see those. And then if I come down here to the gets, I've got, so these are the two here.

[Video description begins] He highlights the following text: Set-DnsServerGlobalNameZone and Set-DnsServerGlobalQueryBlockList. [Video description ends]

These should not be confused with the global setting. That global setting gives me a search preference order for a multi-domain environment. Here we're creating a GlobalNameZone, completely different thing, and then GlobalQueryBlockList. So if I want to subscribe to a blacklist kind of service, that gives me the names of the domains that the bad guys are using this week and their IP addresses. I can add that as a GlobalQueryBlockList. But those are separate and distinct from the global setting. And this is a look at setting that global setting using PowerShell.
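The three settings this demonstration distinguishes, as an added example that is not part of the course: the client suffix search list, an NRPT rule that routes one namespace to internal resolvers, and the server-side GlobalQueryBlockList. EarthFarm.com and UnitoGames.com are the course's sample domains; the cloud domain, the corp namespace, the resolver addresses and the blocked label are constructed.

```powershell
# Added example, not part of the course: suffix search order (client global
# setting), an NRPT routing rule (client), and the GlobalQueryBlockList (server).
# cloud.unitogames.com, .corp.earthfarm.com, the resolver addresses and the
# extra blocked label are constructed placeholders.

# ----- Client: the suffix search list is global, not per interface -----
$Current = (Get-DnsClientGlobalSetting).SuffixSearchList

# Put the IaaS domain first so a single-label "server1" is tried there before
# the home domain; keep the rest of the existing order behind it.
$Cloud     = 'cloud.unitogames.com'
$Preferred = @($Cloud) + @($Current | Where-Object { $_ -ne $Cloud })
Set-DnsClientGlobalSetting -SuffixSearchList $Preferred

# Verify the order the resolver will walk for unqualified names.
(Get-DnsClientGlobalSetting).SuffixSearchList

# ----- Client: Name Resolution Policy Table for remote / VPN clients -----
# Names under .corp.earthfarm.com go to the internal resolvers; every other
# name (the local craigslist, etc.) keeps using the adapter's own servers.
Add-DnsClientNrptRule -Namespace '.corp.earthfarm.com' `
    -NameServers '10.20.1.86', '10.20.116.54' `
    -Comment 'Internal namespace reachable over VPN'
Get-DnsClientNrptRule | Format-Table Namespace, NameServers, Comment

# ----- Server: GlobalQueryBlockList, unrelated to the client global setting -----
# The list holds single labels that the server refuses to answer in every zone
# it hosts (wpad and isatap are blocked by default to stop rogue registrations).
Get-DnsServerGlobalQueryBlockList
Set-DnsServerGlobalQueryBlockList -List 'wpad', 'isatap', 'blocked-label-placeholder' -Enable $true
```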
416
Secure DNS (DNSSEC)
[Video description begins] Topic title: Secure DNS (DNSSEC). The presenter is Jacob Moran. The DNS Manager window is open. [Video description ends]

One of the concerns for any DNS administrator is the inherent lack of security with regard to DNS. In other words, I query for a DNS record, but how do I know that record really is the one that I'm looking for, that I asked for, that it hasn't been altered in transit? Is there any kind of way to get a signature or a validation mechanism that's associated with this connection to DNS? The answer is yes, we can use the protocol called DNSSEC,

[Video description begins] He right-clicks the subnode earthfarm.com and clicks DNSSEC from the shortcut menu. [Video description ends]

which allows us to sign zones. And in particular, we're going to want to sign

[Video description begins] The Zone Signing Wizard opens. [Video description ends]

those zones that are used with secure information. And when we do that, we can create a key signing key which will sign other keys.

[Video description begins] In the Key Signing Key (KSK) page in the wizard. [Video description ends]

We can Add here, generate a new key, come up with a unique Guid for it. We will then have zone signing keys to sign this particular zone on this server. We'll create one of those as well. And then we'll use the default NSEC protocol. All right, and let's go ahead and use the default values for our record, polling and properties and things of this nature. So it says it signed this. Watch what happens to my resource records when I refresh. Now for all of these records, not only do I have the A and the AAAA records here, for example, for this server. But now I have signatures on those records, and even values to indicate the next secure value. So in other words, ways to track the overall connection process that'll be used when working with these different services. Very, very cool stuff. So the way this is gonna function, DNSSEC as a protocol, is by cryptographically signing. You saw there were these zone signing keys and key signing key that are created. This helps to protect the integrity of the records, to ensure that what I send, because it has been signed, if it is modified in transit, the signature will be considered invalid. We can recognize, hey, if I add up all the ones and zeroes, the bits that were sent, they don't add up to the signature. And therefore, since that signature is based upon a unique key from its source and can be validated, we know the data's been modified. So spoofing and cache tampering are protected against. That's good news, those are some of the major ways that DNSSEC works. Now the components of this include the trust anchors, all right, the authoritative entity represented by that public key. So we actually have resource records that are associated with that. And then we can build trust chains to be able to work with the individual records that are within that particular zone. We also have the NRPT, all right? So the NRPT, the Name Resolution Policy Table, is used to know when we should require these signatures out of DNSSEC. Let me show you that. I've jumped over to a domain controller.

[Video description begins] He switches to the Group Policy Management Editor. [Video description ends]

We're editing group policy. And in a group policy for a set of clients, for example, I can configure a policy here under Computer, Windows Settings, Name Resolution Policy, to indicate when DNSSEC should be used. So in other words, if we're querying about something in earthfarm.com,

[Video description begins] He enters earthfarm.com in the text box. [Video description ends]

then that is the trigger that I want to enable DNSSEC. Require DNS clients check that name and address data has been validated by the DNS server. And that would apply, by the way, to my querying a DNS server and making sure that the DNS server goes out to another DNS server and requires the DNSSEC process to be in place. We don't have to add IPsec to this, that's all that's needed in order to create and

[Video description begins] He clicks the Create button. [Video description ends]

define this Name Resolution Policy Table entry right here.

[Video description begins] In the Group Policy Management Editor. [Video description ends]

So that's defined through group policy in Windows. So a query response contains the signatures if the zone was signed. Anchors keep track of the keys associated with those signatures that are used to validate the signature and ensure that it's true. Resolvers use the trust anchors to build the trust chain. If you trust the anchor, then you will trust everything created by that anchor, which is essentially the root of the site, typically. All DNS servers participating in DNSSEC have a configured trust anchor, all right? So each one of them has that key signing key, the root key for all of the signatures. And then clients sending queries are required to follow rules from the Name Resolution Policy Table for DNSSEC. Otherwise, they do not require any validation, the assumption is, don't worry about it. So these are some of the steps that you'll go through for configuring secure DNS. It's extra work, it's extra network traffic. Only do it when you need the extra security.
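The Zone Signing Wizard steps and the NRPT entry from this topic, done from PowerShell as an added example that is not part of the course: earthfarm.com is the course's sample zone, while the key lengths, the export path and the resolver address are constructed.

```powershell
# Added example, not part of the course: sign earthfarm.com with a KSK and a
# ZSK, look at the DNSSEC records that appear, export the public key material
# that other servers use as a trust anchor, and add the NRPT rule that makes
# a client require validated answers for the zone. Key lengths, the export
# path and the resolver address are constructed.

$Zone = 'earthfarm.com'

# Key Signing Key (signs the DNSKEY set) and Zone Signing Key (signs the records).
Add-DnsServerSigningKey -ZoneName $Zone -Type KeySigningKey -CryptoAlgorithm RsaSha256 -KeyLength 2048
Add-DnsServerSigningKey -ZoneName $Zone -Type ZoneSigningKey -CryptoAlgorithm RsaSha256 -KeyLength 1024

# Sign using the keys just added (omit the keys and pass -SignWithDefault to
# let the server generate them with its defaults, as the wizard does).
Invoke-DnsServerZoneSign -ZoneName $Zone -Force

# What the refresh in DNS Manager showed: signatures and "next secure"
# records now sit beside the A and AAAA records.
Get-DnsServerResourceRecord -ZoneName $Zone |
    Where-Object RecordType -in 'RRSIG', 'NSEC', 'NSEC3', 'DNSKEY' |
    Group-Object RecordType | Select-Object Name, Count

# The public KSK (DNSKEY/DS form) is what a validating server imports as the
# trust anchor for this zone.
Export-DnsServerDnsSecPublicKey -ZoneName $Zone -Path 'C:\DnsSecExport\' -DigestType Sha256 -Force

# Client check: set the DO bit so the server returns RRSIG data with the answer.
Resolve-DnsName -Name "www.$Zone" -Type A -DnssecOk -Server '10.20.1.86' | Format-Table Name, Type, TTL

# Local NRPT rule equivalent to the group-policy entry: for earthfarm.com the
# client requires that the DNS server validated the name and address data.
Add-DnsClientNrptRule -Namespace ".$Zone" -DnsSecEnable -DnsSecValidationRequired `
    -Comment 'Require DNSSEC validation for earthfarm.com'
Get-DnsClientNrptRule | Where-Object Namespace -eq ".$Zone" |
    Format-Table Namespace, DnsSecEnabled, DnsSecValidationRequired
```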
449
DNS-based Authentication of Named Entities (DANE)
[Video description begins] Topic title: DNS-based Authentication of Named Entities (DANE). The presenter is Jacob Moran. [Video description ends]

In this day and age, most of our security over the Internet, and even in our local environments, is based upon the ability to validate connections by use of certificates. All right, there's our little certificate icon there. We use certificates in order to validate everything we do.

[Video description begins] He draws a certificate on the screen. [Video description ends]

To provide authentication, integrity, encryption. But what if the certificate that I'm receiving from a particular server, although it says it came from a trusted authority, what if that

[Video description begins] He draws an icon for a Certificate Authority. [Video description ends]

authority is an impostor? We could have a man-in-the-middle attack, where someone presents themselves as the valid, say, web server, providing a certificate to allow a client-to-server web connection, but it's really an impostor. And so in order to ensure that impostor

[Video description begins] He draws an icon for an impostor connected to a client and then joins the impostor with the certificate. [Video description ends]

situation doesn't happen, we could go to DNS. And DNS, using a new feature in Server 2016 called DNS-based Authentication of Named Entities, can validate this: when I connect to this server, which says its Certificate Authority is from here, I can double check that with DNS, which holds the valid entry indicating where the Certificate Authority is for a particular domain name. If it's in this domain,

[Video description begins] He draws an icon for the DANE and connects it to the impostor icon. A diagram explaining how DANE protects from a man-in-the-middle attack is displayed. A desktop is shown checking the certificate credentials of many certificates and finally selecting one genuine one and discarding the remaining. [Video description ends]

then the Certificate Authority that we should be using is X, all right? So think of it this way. You connect to a secure website, it's using SSL/TLS, www.earthfarm.com. You receive a certificate, and that certificate is signed by ca.earthfarm.com, right? So that's good. Someone could get a certificate that says it's for www.earthfarm.com from another Certificate Authority, all right? We'll call it CA2. Then the entity that is trying to mount a man-in-the-middle attack, by hosting a fake www site, could corrupt the DNS cache of the client to point to the new IP address, right? So your clients are redirected to the false server. The false server has a certificate. The certificate says it's valid, so you get a secure connection. Remember, everyone feels good when they get a secure connection. They get presented with a certificate from the other authority. It might mention, hey, do you trust this or not, but users will usually just click OK and move on. And then you end up connecting to the fake site. With the use of DNS-based Authentication of Named Entities, when the client makes a request to DNS it asks for a special kind of record: the TLSA record. The TLSA record indicates what you should trust; essentially, the client finds out in advance which Certificate Authority to expect.

And so when they connect to the spoofed site, which is signed by a different Certificate Authority, it'll actually break the connection, right? When you get a certificate presented to you on this site that you think is good, but it came from a cached address that is false, you don't actually connect, because it seems to have come from an incorrect location. By the way, TLSA is for Transport Layer Security, what we use in our standard X.509 certificate base, what we use for SSL connections, right? We're using TLSA for authority. It's indicating, here's the record where the Certificate Authority should be found. If you get a certificate for a particular name in a particular domain and it comes from a different authority, don't allow the connection. Very cool security feature, now found in DNS in Server 2016.
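The TLSA publication and check described above, as an added PowerShell example that is not part of the course. It assumes the DnsServer module on a Server 2016 host authoritative for earthfarm.com, a copy of the web server's certificate at C:\certs\www-earthfarm.cer (a placeholder path), and uses the "full certificate, SHA-256" form of the record; the function names are my own.

```powershell
# Added example, not course material. Assumes the DnsServer module on a Server 2016 DNS host
# that is authoritative for earthfarm.com, and a DER or PEM copy of the web server's
# certificate at C:\certs\www-earthfarm.cer (placeholder path).
Import-Module DnsServer

function Get-TlsaAssociationData {
    # Selector FullCertificate + MatchingType Sha256Hash: SHA-256 over the DER-encoded
    # certificate, rendered as lowercase hex, which is the value published in the TLSA record.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try     { $digest = $sha.ComputeHash($Certificate.RawData) }
    finally { $sha.Dispose() }
    return (($digest | ForEach-Object { $_.ToString('x2') }) -join '')
}

function Publish-TlsaRecord {
    # Publishes _<port>._tcp.<host>.<zone>: "the certificate presented on this port must hash to this value".
    param([string]$ZoneName, [string]$HostLabel, [int]$Port, [string]$AssociationData)
    Add-DnsServerResourceRecord -TLSA -ZoneName $ZoneName -Name ("_{0}._tcp.{1}" -f $Port, $HostLabel) `
        -CertificateUsage DomainIssuedCertificate -Selector FullCertificate -MatchingType Sha256Hash `
        -CertificateAssociationData $AssociationData
}

function Test-PresentedCertificate {
    # Defender-side check: fetch the certificate a live TLS endpoint presents and compare it
    # with the published association data. A mismatch is the "other CA" case from the lecture.
    param([string]$HostName, [int]$Port, [string]$ExpectedAssociationData)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback accepts any chain here only so that the presented certificate can be read;
        # the trust decision is made by the TLSA comparison below, not by the CA chain.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $presented = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        return ((Get-TlsaAssociationData -Certificate $presented) -eq $ExpectedAssociationData.ToLower())
    } finally { $tcp.Close() }
}

# 1. Derive the association data from the genuine certificate and publish it in the zone.
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new('C:\certs\www-earthfarm.cer')
$assoc = Get-TlsaAssociationData -Certificate $cert
Publish-TlsaRecord -ZoneName 'earthfarm.com' -HostLabel 'www' -Port 443 -AssociationData $assoc
Get-DnsServerResourceRecord -ZoneName 'earthfarm.com' -Name '_443._tcp.www' -RRType TLSA

# 2. Compare what the endpoint actually presents with what DNS says it should present.
if (Test-PresentedCertificate -HostName 'www.earthfarm.com' -Port 443 -ExpectedAssociationData $assoc) {
    'Presented certificate matches the TLSA record'
} else {
    'MISMATCH: the endpoint presented a certificate that is not the one published in DNS'
}
```

The record only helps if the zone is DNSSEC-signed and the client validates it; otherwise the same cache poisoning that redirected www could also replace the TLSA answer.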
472
DNS Socket Pool, Cache Locking, RRL, and Logging
[Video description begins] Topic title: DNS Socket Pool, Cache Locking, RRL, and Logging. The presenter is Jacob Moran. [Video description ends]

I want to look at several different security tools that you have to protect your DNS server in Server 2016. The first of those is the DNS socket pool. That is a pool of addresses, or really ports, that are available when DNS goes out to the Internet, for example, to make recursive queries on behalf of clients that contact this server.

[Video description begins] He draws a diagram depicting a client connected to a DNS, which in turn, is connected to the Internet. [Video description ends]

In other words, I'm connecting to port 53 to pull information, just like my client connected to my port 53. But what is the source port that my server is going to use to establish that connection? The answer is, it varies. We have a port pool that we use to keep it variable, so that we can't have any kind of cache attack made by targeting a predictable source port alongside the known port 53 and trying to inject information there. To manage that we use dnscmd, since there's no PowerShell cmdlet to directly configure it: dnscmd /config /socketpoolsize. By default there's a pool of 2500 ports, but you could change that to, for example, 5000. We also can use dnscmd /config /socketpoolexcludedportranges, maybe in my case 50000-50001, and say those are ports to never use. So I've got 5000 ports but don't use those two, because typically the expectation is that I've got a particular service running there.

Now the next DNS protection we can implement is the cache locking mechanism. Cache locking concerns information that my local DNS server has learned from DNS sources on the Internet. I will cache that information on my server based upon a value called the time to live; that's just standard operating procedure. So I've got an A record, a host record, there. I'll cache it maybe for 24 hours because that's the time to live, and so I'll be able to provide that information to my clients without having to go look it up again. But here's the real question. Could there be an update to that cached information without my having to purge the cache? The answer is, by default, no. But if new information comes to my DNS server and I would like to be able to overwrite the cached entry, then I need to support that change: an update arriving at my DNS server that changes the record to a new IP address, right? If I want to allow that during the time to live period, I need to make a security exception and change my default properties. So let me show you: dnscmd /config /cachelockingpercent. The default value is 100, which means I will keep the record in cache and not allow it to be overwritten until the time to live has expired. But if you want it to be more flexible, you could set it to 50% of the caching interval.

So if it was 24 hours, you can start overwriting that with a new value after only 12 hours, or even 0: at any point, you could overwrite those records. Notice that I have to set this holistically, though; I cannot set it for a particular domain. And for good security it is recommended you leave it at 100, because you can always manually purge the cache if necessary. Next, let's talk about response rate limiting. Response rate limiting is used for the case where a malicious person out there configures a botnet attack, where they have multiple networks in place, maybe 30,000 clients, all contacting your DNS server, but forging their source IP addresses so that your DNS

[Video description begins] He draws a diagram to depict a botnet client connected to the DNS server. [Video description ends]

server thinks that the source of those requests was an internal device. Maybe it was your internal web server. So what happens? Instead of 30,000 individual responses going back to 30,000 clients, one server gets hit with all 30,000 responses simultaneously, which overwhelms it: a distributed denial of service attack. The Spamhaus attack was a very famous example of this. This is not enabled by default, but we can use Set-DnsServerRRL to enable the feature and stop responding to clients if we see the key thing, a flurry of similar requests, right?

[Video description begins] The warning message is: Response rate limiting can lead to denial of service to clients if a flurry of similar requests are found to be originating from a common source. [Video description ends]

This looks like a denial of service attack, so don't respond. If necessary, you have a cmdlet called Add-DnsServerResponseRateLimitingExceptionlist that you can use to create exceptions: lists of safe domain names or interfaces that you want to trust. Finally gang, the last thing to look at is in your server properties,

[Video description begins] He switches to the DNS Manager window. [Video description ends]

one of the things you can do that can help with security is to go to the Debug Logging tab, where by default logging is disabled. You can enable debug logging,

[Video description begins] He selects the Log packets for debugging checkbox. [Video description ends]

specify a file path and a size, and potentially enable details.

[Video description begins] The file path chosen is c:\windows\system32\DNS\debuglog.txt and the size is 500000000. [Video description ends]

And you will get, essentially, a Wireshark level of information in a text file that shows you everything coming in and out of the DNS server that is a DNS related query or response. So this is a great way to really get the lowdown on what's going on on your DNS servers.
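The four hardening steps above, collected into one script as an added example that is not part of the course. It assumes the DnsServer module on a Server 2016 DNS host, the port values and log path used in the lecture, a client subnet object named InternalSubnet covering 192.168.5.0/24 (my assumption), and the rate limiting thresholds shown are placeholders to tune for your own query volume.

```powershell
# Added example, not course material. Assumes the DnsServer module on a Server 2016 DNS host.
# Port numbers and the log path come from the lecture; InternalSubnet and the RRL thresholds
# are assumptions for illustration.
Import-Module DnsServer

# 1. Socket pool: 5000 ephemeral source ports for outbound queries, never 50000-50001.
#    dnscmd is used here because the lecture notes there is no direct cmdlet for these keys.
dnscmd /Config /SocketPoolSize 5000
dnscmd /Config /SocketPoolExcludedPortRanges 50000-50001
dnscmd /Info /SocketPoolSize          # read the setting back
Restart-Service DNS                   # socket pool changes apply on service restart

# 2. Cache locking: cached records stay read-only for the whole TTL (100 is the recommended default).
Set-DnsServerCache -LockingPercent 100
(Get-DnsServerCache).LockingPercent

# 3. Response rate limiting: enable, then keep an exception list for names and clients you trust,
#    so legitimate bursts from inside the network are not mistaken for a reflection flood.
Set-DnsServerRRL -Mode Enable -ResponsesPerSec 5 -ErrorsPerSec 5 -WindowInSec 5 `
    -LeakRate 3 -TruncateRate 2 -Force
Add-DnsServerClientSubnet -Name 'InternalSubnet' -IPv4Subnet '192.168.5.0/24'
Add-DnsServerResponseRateLimitingExceptionlist -Name 'TrustedClients' `
    -Fqdn 'EQ,*.earthfarm.com' -ClientSubnet 'EQ,InternalSubnet'
Get-DnsServerRRL

# 4. Debug logging: packet-level log of queries and answers in both directions, capped at 500 MB
#    (the 500000000 byte figure from the Debug Logging tab, expressed in MB for the cmdlet).
Set-DnsServerDiagnostics -Queries $true -Answers $true -Send $true -Receive $true `
    -UdpPackets $true -TcpPackets $true -EnableLoggingToFile $true `
    -LogFilePath 'C:\Windows\System32\DNS\debuglog.txt' -MaxMBFileSize 500
Get-DnsServerDiagnostics
```

Start response rate limiting with -Mode LogOnly on a busy resolver and review what would have been dropped before switching to Enable; that is the cheapest way to avoid the self-inflicted denial of service the warning dialog describes.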
505
DNS Recursion Settings
[Video description begins] Topic title: DNS Recursion Settings. The presenter is Jacob Moran. The DNS Manager window is open. [Video description ends]

I want to talk about recursion for just a minute. Sometimes people get a little confused about what recursion is and how it functions in our network, so let's make sure it is as clear as possible as we discuss this. The basic idea of recursion is that you're going to have clients issuing queries to your DNS server, all right? So there's DNS here in the middle. If your DNS server does not have a zone

[Video description begins] He draws a diagram of a client connected to a DNS server. [Video description ends]

of authority for the domain that they're querying, then DNS doesn't have the answer locally. So it must perform recursion, which in this case just means it's going to use DNS to answer your DNS query. It's using the same service, but it's going out in this direction. Now, what is this direction? That could be a stub zone. That could be conditional forwarding. That could be just wildcard standard forwarding that doesn't reference a particular domain, where I simply say, okay, I don't know the answer, so I forward it on to this server. Or you can use what DNS servers have always classically used, and is kind of the baseline behind the scenes: calling upon the root servers. Root gets you in contact with the top-level domains like com and edu, and those servers get you in contact with the particular domain names that you're looking for. You get the answer, hopefully, and then you cache it, right? All of these processes aggregate together, and they're called recursion. Now, two specific places where we can manage recursion are at the server level, managing it for all of DNS, and at the standard forwarder level. So let me show you what this looks like. Here in the DNS server properties (bring up properties on the server), I can go to Forwarders.

[Video description begins] He right-clicks the subnode STORAGE205. [Video description ends]

And I want you to see that we have a forwarder already configured here, 192.168.5.254. Now, this property right here used to be called "Do not use recursion". However, this has changed; we no longer use that phrase. Instead, it simply says "Use root hints if no forwarders are available". So if I try to forward to 192.168.5.254 but it's offline, can I still use the root hints that I have here?

[Video description begins] He selects the Root Hints tab. [Video description ends]

Can I try to look up whatever DNS query has come my way using root hints? And you'll notice that the default is yes.

[Video description begins] He selects the Forwarders tab. [Video description ends]

But if there's no point, because maybe you have firewalls in place that would prevent you from reaching these root hint servers, then you could disable recursion here by not using root hints.

[Video description begins] He deselects the Use root hints if no forwarders are available checkbox. [Video description ends]

Saying, if I can't reach 5.254, I'm not going to reach anything anyway, so I can limit it in that way. We can even do a more complete form of disabling recursion by going to the Advanced tab. And you see the name of the check box right here,

[Video description begins] In the Advanced tab. [Video description ends]

Disable recursion (also disables forwarders). So if you disable recursion here, that means all of the tools you would normally use for recursion are going to be unavailable to you; they're no longer on the hit list. Forwarders are out, conditional forwarders are out, root hints are out. The only thing that works is going to be something that is stored as a zone. That means your forward lookup zones and reverse lookup zones are of course there, whether they are primary, secondary, Active Directory integrated, or stub. Just so you know, stub zones are not affected by disabling recursion because, again, a stub zone actually gives you a zone file, and therefore is a bypass around this process of looking up another server to track it down. Gang, why would I want to do this? Well, it's pretty straightforward. I have a server, for example, that maybe is hosted in a DMZ. It's being used to support Internet-based queries that reach my DNS server in order to find out about the server that's right next door in that DMZ, my web server.

[Video description begins] He draws a diagram depicting a server hosted in the DMZ receiving internet queries along with a webserver. [Video description ends]

So if that's the case, should my server be used by some client out there that finds my server and then uses it to go look up other things on the Internet? No, that's not what my DNS server was ever intended for.

[Video description begins] He encircles the Server options subsection in the Advanced tab. [Video description ends]

So especially on Internet-facing DNS servers, you're going to want to disable recursion, because they're not intended for clients to use as a stepping stone for finding other DNS servers on the Internet and working the DNS hierarchy. They're designed to be the end result of using that hierarchy: getting access to a particular record.
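The two recursion controls from this topic, scripted as an added example that is not part of the course. It assumes the DnsServer module on a Server 2016 host that is authoritative for earthfarm.com and already forwards to 192.168.5.254 (the address from the lecture); the Show-RecursionState helper is my own, and the final lookups are run on the server itself against 127.0.0.1.

```powershell
# Added example, not course material. Assumes the DnsServer module on a Server 2016 DNS host
# that hosts earthfarm.com and forwards to 192.168.5.254 (address from the lecture).
Import-Module DnsServer

function Show-RecursionState {
    # Summarise the three settings the lecture walks through: forwarder list, root-hint
    # fallback ("Use root hints if no forwarders are available"), and the Advanced-tab switch.
    $fwd = Get-DnsServerForwarder
    [pscustomobject]@{
        Forwarders       = ($fwd.IPAddress -join ', ')
        UseRootHint      = $fwd.UseRootHint
        RecursionEnabled = (Get-DnsServerRecursion).Enable
    }
}

'Before:'; Show-RecursionState

# Forwarders tab: keep the forwarder, but stop falling back to root hints when it is unreachable.
Set-DnsServerForwarder -IPAddress 192.168.5.254 -UseRootHint $false

# Advanced tab, DMZ case: disable recursion entirely. Forwarders, conditional forwarders and
# root hints are all out; only hosted zones (primary, secondary, AD-integrated, stub) still answer.
Set-DnsServerRecursion -Enable $false

'After:'; Show-RecursionState

# Verification: a name in a hosted zone still resolves, a name outside it no longer does.
Resolve-DnsName -Name 'www.earthfarm.com' -Server 127.0.0.1 -Type A
try {
    Resolve-DnsName -Name 'www.example.com' -Server 127.0.0.1 -Type A -ErrorAction Stop
    'Unexpected: the server still answered for a zone it does not host'
} catch {
    'Expected: lookup outside hosted zones failed, recursion is off'
}
```

If the DMZ server also needs to resolve names for itself (for example, to reach Windows Update), point its own client-side DNS settings at an internal resolver rather than re-enabling recursion on the Internet-facing service.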
542
DNS Performance Tuning
[Video description begins] Topic title: DNS Performance Tuning. The presenter is Jacob Moran. The DNS Manager window is open. [Video description ends]

I want to open up the DNS server advanced properties and talk about some of the settings that we can manage that can help us get the best performance and availability out of our DNS servers. So in Windows Server 2016,

[Video description begins] The STORAGE205 Properties dialog box is open and the Advanced tab is selected. [Video description ends]

we see the Advanced tab starts off with our disabling of recursion. Again, that's the ability to avoid dealing with any type of external server. Essentially, whatever is in the box we can respond to queries with, but anything outside the box that we might learn through root hints or forwarders is off the table if we disable recursion. That can be good if, for example, firewalls would prevent that in any case, and we're keeping this a localized and isolated environment. What about BIND secondaries? This determines whether or not to disable the fast transfer format of DNS zones. Enabling BIND secondaries lets legacy BIND servers, those older than version 4.9.4, function correctly without changing anything on their side. In other words, fast zone transfer is the more efficient way to communicate; we can reduce performance but enable support for those legacy BIND servers if we want. But, again, it takes a hit on performance, because we can't deliver multiple records per TCP message. All right, but wait, there's more.

Fail on load if bad zone data. If you have a particular zone file and you find there are some records in there that are corrupt for whatever reason, maybe through disk corruption or maybe because somebody actually opened up the DNS file and made a change, should we go ahead and reject the whole file, or should we just skip the one invalid record and not load it? For better, more stable performance we may want strict parsing of that file, and rather than ignoring errors, go ahead and say, no, we're going to fail it if there's bad data. Round robin and netmask ordering are very important to know about. They govern how a response is put together when we have multiple records for the same name. So let's go over here and take a look at our zone. Here's www.

[Video description begins] He clicks the brocadero.com subnode. He right-clicks in the second section and clicks New Host (A or AAAA) in the shortcut menu to open the New Host dialog box. [Video description ends]

And let's put another record for www in there at a different IP address. Let's say this one was 192.168.5.254, okay.

[Video description begins] He clicks the Add host button. [Video description ends]

So now if we look, the same name, www.brocadero.com, has two different possible IP addresses that it can be resolved to, the assumption being that there really are web servers at both of those locations. So how does the response work? Well, when DNS is queried for www.brocadero.com, all of the IP addresses are going

[Video description begins] The IP addresses listed are: 192.0.2.1 and 192.168.5.254 [Video description ends]

to be supplied in the response back to the client. But how will that list be organized: which address will be on top, if you will? Two properties manage that. The round robin property says that the first client who makes this request will get the records in this order: here's record one, here's record two. The next client that makes a request goes through the same process, but they will get the second record first and the first record second. Because of that, when the records are retrieved out of the DNS cache on the client and presented to the application, it will initiate an attempt against a different host. So round robin does a type of load balancing. More specifically, netmask ordering ensures that if, for example, this client had the IP address 192.168.5.10, then when it makes a request, because that client belongs to one of these IP subnets, this address will always be first.

[Video description begins] He encircles the IP address 192.168.5.254. [Video description ends]

So even if they come in later, that's not going to be the second record. It'll always be the first record for this client, no matter what. It overrides round robin to ensure that we contact the local network. So again, here we see Enable round robin. That's enabled by default.

[Video description begins] He opens the STORAGE205 Properties dialog box. [Video description ends]

You can disable that. You can disable netmask ordering. That changes the processing on the DNS server: it's faster in the sense that it doesn't have to do any ordering, but it is not going to provide load balancing or localized resource accessibility. So those are a couple of things to be aware of with regard to managing performance and getting the best processing out of our servers.
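The Advanced-tab settings and the two-record www demonstration above, as an added PowerShell example that is not part of the course. It assumes the DnsServer module on a Server 2016 host that hosts brocadero.com, the two addresses from the lecture (192.0.2.1 and 192.168.5.254), and a placeholder server address of 192.168.5.1 for the queries; the Get-FirstAnswer helper is my own.

```powershell
# Added example, not course material. Assumes the DnsServer module on a Server 2016 host that
# hosts brocadero.com; 192.168.5.1 below is a placeholder for the DNS server's own address.
Import-Module DnsServer
$DnsServer = '192.168.5.1'

# Advanced-tab settings via their dnscmd /Config keys: fast zone transfer kept (BIND secondaries
# off), strict zone-file parsing on, round robin on, netmask ordering (LocalNetPriority) on.
dnscmd /Config /BindSecondaries 0
dnscmd /Config /StrictFileParsing 1
dnscmd /Config /RoundRobin 1
dnscmd /Config /LocalNetPriority 1

# Two A records for the same name, as created in the DNS Manager walkthrough.
Add-DnsServerResourceRecordA -ZoneName 'brocadero.com' -Name 'www' -IPv4Address '192.0.2.1'
Add-DnsServerResourceRecordA -ZoneName 'brocadero.com' -Name 'www' -IPv4Address '192.168.5.254'

function Get-FirstAnswer {
    # Return the address that lands on top of the answer section for one direct query,
    # bypassing the local resolver cache so every call reaches the server.
    param([string]$Name, [string]$Server)
    $answer = Resolve-DnsName -Name $Name -Server $Server -Type A -DnsOnly
    return ($answer | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
}

# With round robin on, the top address alternates between the two records from one query to the
# next. Run the same loop from a client on 192.168.5.0/24 with netmask ordering on and
# 192.168.5.254 is returned first every time instead.
1..4 | ForEach-Object { Get-FirstAnswer -Name 'www.brocadero.com' -Server $DnsServer }

# To see pure round robin without the subnet preference, turn netmask ordering off and repeat.
dnscmd /Config /LocalNetPriority 0
1..4 | ForEach-Object { Get-FirstAnswer -Name 'www.brocadero.com' -Server $DnsServer }
dnscmd /Config /LocalNetPriority 1
```

Netmask ordering is only as good as the addressing plan: it compares the client's address with each A record at the class-C boundary by default, so the preference takes effect when the server and the querying client share the same /24.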
573
Exercise: Configure DNS Settings to Secure DNS
[Video description begins] Topic title: Exercise: Configure DNS Settings to Secure DNS. The presenter is Jacob Moran. [Video description ends]

In this DNS exercise for Server 2016, you're going to configure and deploy a secure DNS server. That's going to mean installing a DNS server and setting up a forward lookup zone. Then you're going to configure a DNS record for a web server, a standard host record for a web server entry of your choice. Then you're going to implement a DNSSEC record configuration, including setting up the trust anchor. And you're going to set up the NRPT for a client computer, so that it knows it should reference and require a validated lookup of the DNS record. And then validate that you are in fact getting that DNS record from the client. Why don't you go ahead and pause the video, do those tasks, and then we will review the process together. All right, so let's take a look at this process together. We're on Server 2016 and our first step is to install a DNS server. Let's do this with PowerShell. We'll run it as an administrator and simply say that we would like to install the DNS feature. For that, we'll just use Install-WindowsFeature with a name of DNS, and of course we'll want to include all management tools. All right, so that will get us installed. Now that we've got that installed, let's go ahead and run Add-DnsServerPrimaryZone. For the name, let's do exercise.earthfarm.com. We'll make that a subdomain. Hopefully, we'll get a delegation from earthfarm.com to this server.

And for our type, we're going to put that in a zone file: -ZoneFile 'exercise.earthfarm.com.dns'. All right, so let's go ahead and execute that. Why didn't that work? Hold on. Here we go, just re-entered it all on one line. Took it like a champ. Next let's add a resource record for the web server. We'll do Add-DnsServerResourceRecordA. Rather than being ambiguous about the resource record type, Add-DnsServerResourceRecordA is a cmdlet that already knows we're talking about an IPv4 record. So we'll name it, put it in that zone, and reference the IP address. All right, so those steps are done. Now that we've installed and configured a DNS record for a web server, we're ready to implement a DNSSEC record and configuration for that web server. Let's take a look at the process of signing our DNS environment then. Here's our DNS management console. If we go to Forward Lookup Zones, we have exercise.earthfarm.com, currently Not Signed, and we see the records that are in it. So we want to sign it, right? Let's take a look. Right-click on our zone and under DNSSEC, we can say that we would like to Sign the Zone, creating those records. That'll add the appropriate DNS extension records for

[Video description begins] The Zone Signing Wizard opens. [Video description ends]

security. Let's just use the default settings to sign the zone in this case. So standard cryptographic key properties are going to be used, no need to customize those currently. And it signs the zone. All right, so let's refresh. And we have all of our signature records, including specifically the RRSIG record on webserver1. Now, as other servers need to trust this server's signatures, what they're going to need access to is the keyset file,

[Video description begins] He opens the dns folder in File Explorer. [Video description ends]

which is associated with the DNSKEY file type, to be able to trust this record. So we could copy this particular file out of our server and bring it to those servers that need a trustworthy environment. Then, on those other servers that need to trust my server's signed records, we can right-click and say Import > DNSKEY. We could add it manually, but it's much easier if we can just import the file directly because we will have all the properties in place. So, for example, here we bring in the exercise.earthfarm.com trust point, or trust anchor, based upon the DNSKEY file. And we have the RSA/SHA keys in place here. These are going to enable remote authenticity checks of the records that I'm signing right here,

so that they can be validated when they are pulled into the cache on a remote server. But what triggers a client getting it in the first place? That takes us to the next step of our process: we need to set up the NRPT. To configure the Name Resolution Policy Table, we're going to use Group Policy. So on a client machine, you could run gpmc.msc and that will take us into the Group Policy Management environment. If we take a look at our domain, we can see our ability to start configuring our environment. Let's just do it domain-wide. We'll Create a GPO, call it DNSSEC NRPT. Why be coy, right? And we'll Edit that policy and get into our configuration. So we drill down to Computer Configuration > Policies > Windows Settings > Name Resolution Policy.

Then we can come in here and say, when we see the suffix exercise.earthfarm.com, we want to Enable DNSSEC and require that clients check that the name and address data has been validated by the DNS server. That is the key DNSSEC policy that we've just created. Now, to validate this on a Windows client, we can use the PowerShell cmdlet Resolve-DnsName for our resource record in question, webserver1.exercise.earthfarm.com in my case. And what I want you to notice is that we have both the A record and the signature record right there. Now if you're wondering, okay, but is it always going to use that? Does it actually require that? We can validate also that we are required to use a particular name resolution policy table entry. For that we'll use Get-DnsClientNrptPolicy, and we can look specifically at the effective policy.

[Video description begins] -Effective. [Video description ends]

And there it is: for exercise.earthfarm.com, this client system is required to perform DnsSecValidation. So we would have gotten an error message when we did our Resolve-DnsName earlier if we did not have our policy in place and our signed records in place. Great job working through that exercise. Hopefully that helps clarify some of the steps involved in secure DNS management for you.
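The whole exercise as one script, and also the NRPT rule from the earlier DNSSEC topic (the group policy entry that enables DNSSEC and requires validation for a suffix), as an added example that is not part of the course. It assumes the DnsServer module on a Server 2016 DNS server, the DnsClient module on a domain-joined client where the GPO "DNSSEC NRPT" from the exercise exists, an export folder C:\DnsKeys, and the address 192.0.2.10 for webserver1 (a placeholder); the trust anchor import on the validating server is left to the DNS Manager step the course shows, and Test-DnssecRequired is my own helper.

```powershell
# Added example, not course material. Assumes a Server 2016 DNS server (DnsServer module) and a
# domain-joined client (DnsClient module). 192.0.2.10 and C:\DnsKeys are placeholders.
$Zone = 'exercise.earthfarm.com'

# --- On the DNS server: role, zone, host record ----------------------------------------------
Install-WindowsFeature -Name DNS -IncludeManagementTools
Add-DnsServerPrimaryZone -Name $Zone -ZoneFile "$Zone.dns"
Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'webserver1' -IPv4Address '192.0.2.10'

# Sign the zone with the default key settings (the same choice as the Zone Signing Wizard),
# then confirm that an RRSIG now accompanies the webserver1 record.
Invoke-DnsServerZoneSign -ZoneName $Zone -SignWithDefault -Force
Get-DnsServerResourceRecord -ZoneName $Zone -Name 'webserver1' -RRType RRSig

# Export the zone's public key set. This is the keyset file the course copies to other servers
# and imports under Trust Points > Import > DNSKEY to create the trust anchor.
New-Item -ItemType Directory -Path 'C:\DnsKeys' -Force | Out-Null
Export-DnsServerDnsSecPublicKey -ZoneName $Zone -Path 'C:\DnsKeys' -Force
Get-ChildItem 'C:\DnsKeys'

# --- On a client (or written into the GPO): the NRPT rule -------------------------------------
# The same entry the lecture creates in the Name Resolution Policy node: for this suffix,
# enable DNSSEC and require that the resolver has validated name and address data.
# Omit -GpoName to write a local rule on a test machine instead of the domain GPO.
Add-DnsClientNrptRule -Namespace ".$Zone" -DnsSecEnable -DnsSecValidationRequired -GpoName 'DNSSEC NRPT'
gpupdate /target:computer /force

function Test-DnssecRequired {
    # True when the effective NRPT carries a rule for the namespace that requires validation.
    param([string]$Namespace)
    $rule = Get-DnsClientNrptPolicy -Effective | Where-Object { $_.Namespace -eq $Namespace }
    return ($null -ne $rule -and [bool]$rule.DnsSecValidationRequired)
}

# --- Validation from the client ---------------------------------------------------------------
Test-DnssecRequired -Namespace ".$Zone"
# -DnssecOk asks for the signatures, so both the A record and its RRSIG come back; with the
# rule in place, an unsigned or unvalidated answer for this suffix is an error rather than a result.
Resolve-DnsName -Name "webserver1.$Zone" -Type A -DnssecOk
```

The validating resolver the client points at must hold the trust anchor for exercise.earthfarm.com (the imported keyset) or a chain from a parent anchor; without it, the required-validation rule turns every lookup under that suffix into a failure, which is the error the lecture mentions.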