Thursday, April 24, 2014

3. Configure network services and access
3.2 Configure DNS records

3.2.1 Create and configure DNS Resource Records (RR) including A, AAAA, PTR, SOA, NS, SRV, CNAME, and MX records
SOA - Start of Authority - specifies the primary name server, the e-mail address of the domain admin, the zone serial number and the zone timers
NS - identifies an authoritative name server for the zone
A - IPv4 host record
AAAA - IPv6 host record
CNAME - alias (canonical name)
PTR - maps an IP address to a domain or host name (reverse lookup)
MX - mail exchanger host for the domain
SRV - service record, used by AD clients to locate domain controllers and other services.

Fields of an SOA record:
Serial number - version of the zone; secondary servers compare it with their copy to decide whether a zone transfer is needed
Primary authoritative server
Responsible person - zone admin (e-mail address)
Refresh interval - how often secondary servers check the primary for updates
Retry interval - how long a secondary server waits before retrying after a failed refresh
Expires after - how long a secondary server keeps answering from its last transferred copy of the zone if it cannot reach the primary to renew it
Minimum TTL - default time an RR remains in a DNS cache after a query. An RR's own TTL overrides this setting.

MX records - specify a preference value (priority) when you have multiple records. The MX record with the lowest value is preferred.

dnscmd /recordadd contoso.com myworkstation A 192.168.134.30
dnscmd /recordadd contoso.com myworkstation AAAA fc00::199:45
dnscmd /recordadd contoso.com myalias CNAME myworkstation.contoso.com
dnscmd /recordadd contoso.com . MX 10 mymailserver.contoso.com
dnscmd /recordadd contoso.com . NS nameserver.contoso.com
dnscmd /recordadd 134.168.192.in-addr.arpa 30 PTR myworkstation.contoso.com

dnscmd /recorddelete contoso.com myworkstation A

Add-DnsServerResourceRecordA -name "myworkstation" -zonename "contoso.com" -IPv4Address "192.168.134.30"
Add-DnsServerResourceRecordAAAA -name "myworkstation" -zonename "contoso.com" -IPv6Address "fc00::199:45"
Add-DnsServerResourceRecordCNAME -name "myalias" -hostnamealias "myworkstation.contoso.com" -zonename "contoso.com"
Add-DnsServerResourceRecordMX -name "." -MailExchange "mymailserver.contoso.com" -Zonename "contoso.com" -preference 20
Add-DnsServerResourceRecordPTR -name "30" -zonename "134.168.192.in-addr.arpa" -ptrdomainname "myworkstation.contoso.com"

Remove-DnsServerResourceRecord -zonename "contoso.com" -RRtype "A" -name "myworkstation"

Get-DnsServerResourceRecord -zonename "contoso.com" -rrtype "A"
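Forward (A) and reverse (PTR) records are maintained separately, so they drift apart when hosts are renumbered or PTRs are forgotten. The following is an added example, not code from the original post: it walks the A records of a forward zone and reports which ones have no PTR, or a PTR that points at a different name. It assumes the DnsServer module (RSAT), rights on the DNS server, and that reverse zones are per /24 (x.y.z.in-addr.arpa); the zone name and `-ComputerName` value are placeholders.

```powershell
# Added example (not from the original post): audit A records in a forward zone
# against the matching PTR records in the /24 reverse zone.
# Assumes: DnsServer module, rights on the DNS server, reverse zones per /24.
function Test-ForwardReverseConsistency {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$ComputerName = 'localhost'      # placeholder; use the DNS server name
    )

    $aRecords = Get-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $ZoneName -RRType A

    foreach ($rec in $aRecords) {
        # The zone apex ("@") normally has no PTR of its own; skip it
        if ($rec.HostName -eq '@') { continue }

        $ip          = [string]$rec.RecordData.IPv4Address
        $octets      = $ip.Split('.')
        $reverseZone = '{0}.{1}.{2}.in-addr.arpa' -f $octets[2], $octets[1], $octets[0]
        $ptrName     = $octets[3]
        # PTR data is returned with a trailing dot; compare without it
        $expectedFqdn = ('{0}.{1}' -f $rec.HostName, $ZoneName).TrimEnd('.')

        # Missing reverse zone or missing node both yield $null here
        $ptr = Get-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $reverseZone `
                   -Name $ptrName -RRType Ptr -ErrorAction SilentlyContinue

        # Several PTRs may exist for one address; accept the node if any of them matches
        $matching = @($ptr | Where-Object {
            ([string]$_.RecordData.PtrDomainName).TrimEnd('.') -eq $expectedFqdn })

        $status = if (-not $ptr)              { 'MissingPTR' }
                  elseif ($matching.Count -eq 0) { 'PTRMismatch' }
                  else                        { 'OK' }

        [pscustomobject]@{
            Host        = $rec.HostName
            IPv4Address = $ip
            ReverseZone = $reverseZone
            PtrData     = @($ptr | ForEach-Object { [string]$_.RecordData.PtrDomainName }) -join ','
            Status      = $status
        }
    }
}

# Usage: list only the records that need attention
Test-ForwardReverseConsistency -ZoneName 'contoso.com' | Where-Object Status -ne 'OK'
```

The function only reports; fixing a mismatch is a separate, deliberate step (for new A records, `Add-DnsServerResourceRecordA -CreatePtr` creates the PTR at the same time, provided the reverse zone exists).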

3.2.2 configure zone scavenging
Zone scavenging removes stale (old) records. Aging is the process by which records time out.
Scavenging is disabled by default, so it must be enabled to work.
RRs must have been added dynamically, or manually marked for aging, in order to be scavenged.

To manually mark a record for aging, go to View and select Advanced in DNS Manager. Now you can right click a record, open its properties and check "Delete this record when it becomes stale". Hitting Apply adds a timestamp, rounded to the current hour, which scavenging uses.

Dynamic records attempt to update (refresh) themselves every 24 hours by default. These records are automatically set to be scavenged.

Scavenging settings on a zone:
Right click the zone, select Properties and hit the Aging button. Check "Scavenge stale resource records".
No-refresh interval & refresh interval - both must expire before a record will be scavenged.
No-refresh - the record cannot be "refreshed". A refresh is a dynamic update that does not change the host/IP data but only tries to update the timestamp. A client changing its IP address is exempt from this interval (that is an update, not a refresh).
After a record goes beyond "record timestamp + no-refresh interval", it enters the refresh interval. During this time, timestamp refreshes are allowed. If the timestamp is updated by a client, the no-refresh interval begins again. If it is not updated before the refresh interval ends, the record is eligible for scavenging.

You can also create default scavenging settings, for any zone created on this DNS server, by right clicking the DNS server and selecting "Set Aging/Scavenging for All Zones". Note that this will not update existing zones, only zones created on this specific server in future. However, after you click OK there is an option, "Apply these settings to the existing AD-integrated zones", which updates the current AD-integrated zones with these settings.

The final step in setting up scavenging is to enable it on the DNS server, under Properties/Advanced: check "Enable automatic scavenging of stale records". This controls when scavenging runs. Note that a record still within its no-refresh/refresh intervals will not be scavenged when the process runs. When scavenging runs it creates event IDs 2501/2502 in the DNS Server event log.


Set-DnsServerResourceRecordAging -nodename myserver.contoso.com. -zonename contoso.com 
Get-DnsServerResourceRecord -zonename contoso.com -name myserver
Get-DnsServerZoneAging contoso.com
Set-DnsServerZoneAging contoso.com -aging $true -norefreshinterval (New-TimeSpan -days 3) -refreshinterval (New-TimeSpan -days 3)

Set default scavenging settings on a DNS server:

Set-DnsServerScavenging -scavengingstate $true -norefreshinterval (New-TimeSpan -days 3) -refreshinterval (New-TimeSpan -days 3)
(Note that -ScavengingState $true only applies to zones created on this server in future. Use -ApplyOnAllZones to update all current zones as well.)

To only enable scavenging on a DNS server and set the interval between scavenging runs (unlike the previous command, this leaves the server's other default scavenging settings unchanged):
Set-DnsServerScavenging -scavenginginterval (New-TimeSpan -days 3)

Get-DnsServerScavenging
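Because scavenging deletes records, it is worth knowing what a run would remove before turning on "Enable automatic scavenging of stale records". The following is an added example, not code from the original post: it reads the zone's no-refresh and refresh intervals, lists the timestamped records whose timestamp is older than the sum of the two (the point at which a record becomes eligible, as described above), and then pulls the 2501/2502 events from the DNS Server log so a run can be reviewed afterwards. It assumes the DnsServer module, that aging is already configured on the zone, and a placeholder zone name.

```powershell
# Added example (not from the original post): preview scavenging candidates for a zone
# and review past scavenging runs. Assumes the DnsServer module; zone name is a placeholder.
function Get-ScavengeCandidate {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$ComputerName = 'localhost'      # placeholder; use the DNS server name
    )

    $aging = Get-DnsServerZoneAging -ComputerName $ComputerName -Name $ZoneName
    if (-not $aging.AgingEnabled) {
        Write-Warning "Aging is not enabled on zone '$ZoneName'; nothing in it will be scavenged."
    }

    # A record is eligible once BOTH intervals have elapsed since its timestamp
    $staleAfter = $aging.NoRefreshInterval + $aging.RefreshInterval
    $cutoff     = (Get-Date) - $staleAfter

    Get-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $ZoneName |
        # Static records have no timestamp and are never scavenged
        Where-Object { $_.Timestamp } |
        Where-Object { $_.Timestamp -lt $cutoff } |
        Select-Object HostName, RecordType, Timestamp,
            @{ n = 'EligibleSince'; e = { $_.Timestamp + $staleAfter } },
            @{ n = 'NoRefresh';     e = { $aging.NoRefreshInterval } },
            @{ n = 'Refresh';       e = { $aging.RefreshInterval } }
}

function Get-ScavengingRunEvent {
    param([string]$ComputerName = 'localhost', [int]$Days = 7)
    # Event IDs 2501/2502 are written by the DNS Server service when a scavenging cycle runs
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'DNS Server'
        Id        = 2501, 2502
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage: what would go on the next run, and what happened on recent runs
Get-ScavengeCandidate -ZoneName 'contoso.com' | Format-Table -AutoSize
Get-ScavengingRunEvent -Days 7 | Format-Table -AutoSize -Wrap
```

If a candidate is a record you rely on (a manually created record that someone marked for aging, or a host whose dynamic updates are failing), either clear its "Delete this record when it becomes stale" flag or fix the client's registration before the scavenging period elapses.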

3.2.3 configure record options including Time To Live (TTL) and weight
To see and change the TTL in the GUI, go to View/Advanced. Now you can double-click an RR and change the TTL in its properties.

Weight can mean several things. MX records carry a preference (priority) that determines which mail server is preferred; lower is preferred.
SRV records have a weight in addition to a priority. Lower priorities are preferred. However, when multiple SRV records have equal priority, the weight determines how often (as a percentage) each SRV target is used relative to the others with the same priority. This is a basic form of load balancing.
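To make the priority/weight rule concrete, here is an added example that is not part of the original post: it creates three SRV records for one service name (two at the same priority with weights 75 and 25, one at a higher priority as a fallback) and then computes, from what the server actually holds, the share of clients each target should receive. It assumes the DnsServer module; the zone, service name, hosts, ports and weights are placeholders.

```powershell
# Added example (not from the original post): SRV priority vs. weight.
# Assumes the DnsServer module; zone, hosts, port and weights are placeholders.
$zone = 'contoso.com'

# Same priority, different weights: both are "active", traffic split 75/25
Add-DnsServerResourceRecord -Srv -ZoneName $zone -Name '_sip._tcp' -DomainName 'sip1.contoso.com' -Priority 10 -Weight 75 -Port 5060
Add-DnsServerResourceRecord -Srv -ZoneName $zone -Name '_sip._tcp' -DomainName 'sip2.contoso.com' -Priority 10 -Weight 25 -Port 5060
# Higher priority value: only used when no priority-10 target answers
Add-DnsServerResourceRecord -Srv -ZoneName $zone -Name '_sip._tcp' -DomainName 'sip-backup.contoso.com' -Priority 20 -Weight 0 -Port 5060

function Get-SrvSelectionShare {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][string]$Name
    )
    $srv = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $Name -RRType Srv
    $lowest = ($srv | ForEach-Object { $_.RecordData.Priority } | Measure-Object -Minimum).Minimum

    # Records are grouped by priority; weight only matters inside a group
    foreach ($group in ($srv | Group-Object { $_.RecordData.Priority } | Sort-Object { [int]$_.Name })) {
        $total = ($group.Group | ForEach-Object { $_.RecordData.Weight } | Measure-Object -Sum).Sum
        foreach ($r in $group.Group) {
            [pscustomobject]@{
                Target   = $r.RecordData.DomainName
                Port     = $r.RecordData.Port
                Priority = $r.RecordData.Priority
                Weight   = $r.RecordData.Weight
                # Weight / sum of weights in the same priority; all-zero weights mean equal shares
                SharePct = if ($total -gt 0) { [math]::Round(100 * $r.RecordData.Weight / $total, 1) }
                           else              { [math]::Round(100 / $group.Count, 1) }
                Role     = if ($r.RecordData.Priority -eq $lowest) { 'active' } else { 'fallback' }
            }
        }
    }
}

Get-SrvSelectionShare -ZoneName $zone -Name '_sip._tcp' | Format-Table -AutoSize
```

The share column is what RFC 2782's weighted selection converges to over many clients; a single client still picks one target per lookup, so small populations will not see an exact 75/25 split.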

Powershell/dnscmd

3.2.4 configure round robin
DNS uses round robin by default to rotate the order of resource records that have the same name and type in its responses. Round robin can be disabled on a server by right clicking the DNS server, selecting Properties, clicking the Advanced tab and unchecking the "Enable round robin" option.

Get-DnsServerSetting -all | select roundrobin | ft -auto


3.2.5 configure secure dynamic updates
Secure dynamic updates are set per zone. Right click the zone and select Properties. On the General tab there is a dropdown with None, Nonsecure and secure, and Secure only. You can also set up secure updates when creating a new zone.

By default in an AD domain, authenticated users and computers can create new dnsNode objects in AD-integrated zones. You can alter the permissions on the Security tab of a zone's properties. You can also set security on individual dnsNode records. ACLs are set per name (dnsNode), so two records under the same FQDN share one ACL.
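A zone left on "Nonsecure and secure" accepts updates from anyone who can reach the server, so the setting is worth auditing across all zones rather than one at a time. The following is an added example, not code from the original post: the first function lists primary zones that still allow nonsecure updates, the second switches one zone to secure-only after confirming it is AD-integrated (secure updates require that), and the third shows the ACL of a single dnsNode so the per-record permissions mentioned above can be inspected. It assumes the DnsServer and ActiveDirectory modules; the domain, zone and record names, and the DomainDnsZones partition used to build the node's distinguished name, are placeholders and depend on the zone's replication scope.

```powershell
# Added example (not from the original post): audit and harden dynamic-update settings.
# Assumes the DnsServer module (and ActiveDirectory for the ACL part); names are placeholders.
function Get-NonsecureUpdateZone {
    param([string]$ComputerName = 'localhost')
    Get-DnsServerZone -ComputerName $ComputerName |
        # Skip the built-in auto-created zones and anything that is not a primary
        Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' } |
        Where-Object { $_.DynamicUpdate -eq 'NonsecureAndSecure' } |
        Select-Object ZoneName, IsDsIntegrated, IsReverseLookupZone, DynamicUpdate
}

function Set-SecureUpdateOnly {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$ComputerName = 'localhost'
    )
    $zone = Get-DnsServerZone -ComputerName $ComputerName -Name $ZoneName
    # "Secure" is only offered for AD-integrated zones; a file-backed zone must be converted first
    if (-not $zone.IsDsIntegrated) {
        throw "Zone '$ZoneName' is not AD-integrated; secure-only updates are not available."
    }
    Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $ZoneName -DynamicUpdate Secure -PassThru |
        Select-Object ZoneName, DynamicUpdate
}

function Get-DnsNodeAcl {
    param(
        [Parameter(Mandatory)][string]$ZoneName,   # e.g. contoso.com
        [Parameter(Mandatory)][string]$NodeName,   # e.g. myworkstation
        [Parameter(Mandatory)][string]$DomainDN    # e.g. DC=contoso,DC=com
    )
    Import-Module ActiveDirectory
    # Assumption: zone replicated to all DNS servers in the domain (DomainDnsZones partition).
    # Zones with forest-wide scope live under DC=ForestDnsZones instead.
    $dn = "DC=$NodeName,DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN"
    (Get-Acl -Path "AD:\$dn").Access |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
}

# Usage
Get-NonsecureUpdateZone | Format-Table -AutoSize
# Set-SecureUpdateOnly -ZoneName 'contoso.com'
Get-DnsNodeAcl -ZoneName 'contoso.com' -NodeName 'myworkstation' -DomainDN 'DC=contoso,DC=com' | Format-Table -AutoSize
```

The ACL output is where to look when a dynamic update is rejected with secure-only enabled: the updating computer account needs write rights on that dnsNode, and, because the ACL is per name, one host that registered a name first will block a different host from taking it over.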
