Welcome to the WindowsNetworking.com newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on the world of Windows Networking. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: firstname.lastname@example.org
1. DNS Forwarding, Forwarders and Slave Servers
DNS Servers provide the core name resolution service for your Microsoft networks. Their job is to resolve host names to IP addresses, so that when an application hands a Fully Qualified Domain Name down to the lower layers of the TCP/IP protocol stack, those layers have an IP address to which to connect.
In this two part series we'll cover two important roles a DNS Server can play on your network. These include:
- DNS Forwarder
- DNS Slave Server
Before getting into the specifics of these types of DNS Servers, let's do a quick review of how DNS queries are answered.
Formulating a DNS Query
When a DNS client sends a query to a DNS Server for resolution, it includes in the request the entire Fully Qualified Domain Name (FQDN) of the host it needs to resolve. For example, if you type in your browser's address bar: www.windowsnetworking.com, a request is sent to the DNS Server to resolve that name to an IP address.
An FQDN consists of two parts: a host name and a domain name. In the example www.windowsnetworking.com, the host name portion is "www" and the domain name portion is "windowsnetworking.com". The host name portion is always the leftmost label, that is, everything up to the first period in the name; everything after that period is the domain name. (DNS itself only sees a sequence of labels; the host/domain split is a convention the resolver applies when it qualifies a name.)
What if you just typed "www" in the address bar instead of the entire FQDN? As I said earlier, the DNS client must send an entire FQDN to the DNS Server for resolution. In this case, where you make a request for an "unqualified" name (a host name without a domain name), the DNS resolver (the DNS Client service) appends a domain suffix to the name before sending the query. It uses the DNS suffix you have configured in your TCP/IP settings (the connection-specific suffix or the DNS suffix search list) if there is one. If you did not configure a suffix there, the resolver uses the computer's primary DNS suffix, which by default is the name of the domain to which the computer belongs.
For example, if the computer sending the request belongs to "fooey.net", the resolver on the computer would formulate a query for www.fooey.net and then send a request to have that FQDN resolved by the DNS Server.
Answering a DNS Query
When the DNS Server receives the request for name resolution, the first thing it does is check whether it hosts a zone that is authoritative for the domain included in the query. If so, the DNS Server looks in that zone for a Host (A) address record for the host and returns the result to the DNS client; if the zone exists but the record does not, the server returns an authoritative "name does not exist" answer.
If the server is not authoritative for the name, it checks its cache to see whether it has recently resolved the same query. If there is a cache entry whose time to live (TTL) has not expired, the DNS Server returns that cached information to the DNS client that made the request without asking any other server.
But what happens when the DNS Server does not contain a record, either in its cache or in a zone file that can resolve the name? Does it just give up? Maybe. It depends on how the DNS Server is configured.
Performing Iterative Queries
If you have not configured your DNS Server to be a root server (that is, it does not host a root "." zone of its own), it will use its root hints file, which contains the names and IP addresses of the root DNS Servers on the Internet. Your DNS Server uses these entries as the starting point for resolving names for which it is not authoritative.
When your DNS Server cannot resolve a host name from its own zones or cache, it sends a query to one of the root DNS Servers. For example, suppose it needs to resolve the FQDN www.windowsnetworking.com. It sends a query for this name to a root DNS Server. The root Server does not contain authoritative entries for the windowsnetworking.com domain. However, it does contain NS (Name Server) records that point to the DNS Servers that are authoritative for the "com" domain, together with the IP addresses of those servers. The root Server returns those IP addresses to your DNS Server. Handing back information about another DNS Server that can "help" with name resolution, instead of an answer, is called a "referral".
Your DNS Server then queries one of the "com" domain DNS Servers for an IP address for www.windowsnetworking.com. The "com" DNS Server is not authoritative for the windowsnetworking.com domain either. However, the "com" DNS Servers contain NS records that point to the DNS Servers that are authoritative for the windowsnetworking.com domain. So the "com" DNS Server returns another referral: the IP address of a DNS Server that is authoritative for the windowsnetworking.com domain.
Your DNS Server now sends a request to the DNS Server that is authoritative for the windowsnetworking.com domain. This server hosts the windowsnetworking.com zone, and that zone contains a resource record for a machine with the host name "www". The windowsnetworking.com domain's DNS Server retrieves the IP address of the host www.windowsnetworking.com and sends it back to your DNS Server.
Now that your DNS Server has the IP address of www.windowsnetworking.com, it puts this information in its cache (for as long as the record's TTL allows) and sends it back to you. You can now begin to establish a session with the machine www.windowsnetworking.com.
These queries, sent to a series of servers that may respond with referrals rather than answers, are known as iterative queries. When your DNS Server sends an iterative query, it is prepared to accept a referral and follow it. The query that your computer sent to its DNS Server is a recursive query, and it must be answered definitively: your computer will not accept a referral; it wants either the answer or a definite "no such name" (or a server failure). It is up to the DNS Server to "complete the recursion", either by answering from its zone data or cache, or by performing the chain of iterative queries to Internet servers on the client's behalf. One practical caveat: a server that completes recursion for anyone who asks is an "open resolver", so on an Internet-facing DNS server you should allow recursion only for the clients you actually serve.
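To make the path described in "Formulating a DNS Query" and "Answering a DNS Query" concrete, here is a small Python model of it. This is an added example for this newsletter, not code from Microsoft's DNS Server; the root, "com" and windowsnetworking.com servers, their records and their IP addresses (RFC 5737 documentation ranges) are constructed sample data, and the zone-then-cache-then-recursion order is the one described above. The client side qualifies the typed name with the configured suffix, and the server side follows referrals from the root hints until it gets an authoritative answer or an authoritative "no such name".

```python
"""Toy model of recursive and iterative DNS resolution (added example).

All servers, records and addresses below are constructed sample data.
"""


def qualify(name: str, dns_suffix: str) -> str:
    """Client side: turn what the user typed into an absolute FQDN.

    An unqualified name ("www") gets the configured DNS suffix appended, as
    the Windows DNS Client service does; a dotted name is treated as already
    qualified (the search-list and devolution rules are left out here).
    """
    if not name.endswith("."):
        if "." not in name:
            name = f"{name}.{dns_suffix}"
        name += "."
    return name.lower()


def split_fqdn(fqdn: str) -> tuple[str, str]:
    """Return (host, domain): the leftmost label and everything after it."""
    host, _, domain = fqdn.rstrip(".").partition(".")
    return host, domain


# Constructed topology: a root server, a "com" TLD server and the server
# authoritative for windowsnetworking.com. Each holds one zone apex plus
# the records (including glue A records for delegated name servers) it knows.
SERVERS = {
    "198.51.100.1": {"zone": ".", "records": {
        "com.": {"NS": ["a.gtld-servers.net."]},
        "a.gtld-servers.net.": {"A": ["198.51.100.2"]},           # glue
    }},
    "198.51.100.2": {"zone": "com.", "records": {
        "windowsnetworking.com.": {"NS": ["ns1.windowsnetworking.com."]},
        "ns1.windowsnetworking.com.": {"A": ["198.51.100.3"]},    # glue
    }},
    "198.51.100.3": {"zone": "windowsnetworking.com.", "records": {
        "www.windowsnetworking.com.": {"A": ["203.0.113.10"]},
    }},
}
ROOT_HINTS = ["198.51.100.1"]   # what the root hints file provides


def in_zone(name: str, zone: str) -> bool:
    return zone == "." or name == zone or name.endswith("." + zone)


def query(server_ip: str, qname: str, qtype: str = "A") -> tuple[str, list[str]]:
    """One non-recursive (iterative) query to one server.

    Returns ("answer", rdata), ("referral", [ip, ...]) or ("nxdomain", []).
    """
    server = SERVERS[server_ip]
    if not in_zone(qname, server["zone"]):
        raise RuntimeError(f"{server_ip} is not authoritative for {qname}")
    recs = server["records"]
    if qtype in recs.get(qname, {}):
        return "answer", recs[qname][qtype]
    # No record here: find the most specific delegation below this zone's apex
    # that covers qname and hand back the glue addresses (a referral).
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate != server["zone"] and "NS" in recs.get(candidate, {}):
            glue = [ip for ns in recs[candidate]["NS"]
                    for ip in recs.get(ns, {}).get("A", [])]
            return "referral", glue
    return "nxdomain", []   # authoritative: the name does not exist


def resolve_iteratively(qname: str, qtype: str = "A",
                        max_hops: int = 8) -> tuple[list[str], list[str]]:
    """Server side: walk the referral chain from the root hints.

    Returns (rdata, list of servers asked). Empty rdata means NXDOMAIN.
    """
    candidates, trail = list(ROOT_HINTS), []
    for _ in range(max_hops):                 # guard against referral loops
        server_ip = candidates[0]
        trail.append(server_ip)
        kind, data = query(server_ip, qname, qtype)
        if kind == "answer":
            return data, trail
        if kind == "nxdomain" or not data:
            return [], trail
        candidates = data                     # referral: ask those servers next
    raise RuntimeError("too many referrals")


class RecursiveResolver:
    """The client-facing DNS server: must answer recursive queries definitively."""

    def __init__(self, own_zones: dict[str, dict[str, list[str]]]):
        self.zones = own_zones          # records this server is authoritative for
        self.cache: dict[tuple[str, str], list[str]] = {}

    def resolve(self, qname: str, qtype: str = "A") -> tuple[list[str], str]:
        key = (qname, qtype)
        if qtype in self.zones.get(qname, {}):              # 1. own zone data
            return self.zones[qname][qtype], "zone"
        if key in self.cache:                                # 2. cached answer
            return self.cache[key], "cache"
        rdata, _trail = resolve_iteratively(qname, qtype)   # 3. recurse for client
        self.cache[key] = rdata                              # TTL handling omitted
        return rdata, "recursion"


if __name__ == "__main__":
    server = RecursiveResolver({"www.fooey.net.": {"A": ["192.0.2.7"]}})
    for typed in ("www.windowsnetworking.com", "www.windowsnetworking.com", "www"):
        fqdn = qualify(typed, "fooey.net")   # done by the client's resolver
        rdata, source = server.resolve(fqdn)
        print(f"{typed:28} -> {fqdn:28} {rdata} (from {source})")
```

Running it shows the first query for www.windowsnetworking.com being answered by recursion (the trail is root, then "com", then the authoritative server), the repeat being served from cache, and the unqualified "www" being qualified to www.fooey.net. and answered from the server's own zone. The model caches negative answers as well, but ignores TTLs and the SOA minimum that a real server uses to expire them.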
Now that we have the basics of DNS queries down, next month I'll get into the details of DNS forwarding, DNS forwarders, and DNS slave servers. See you then! -Tom.
A Gift for Our Faithful Newsletter Subscribers
I have got some great news for you! We at WindowsNetworking.com have partnered up with SolarWinds to make available to you a fully functional, 21-day trial version of their fantastic ipMonitor product. ipMonitor won the WindowsNetworking.com Readers' Choice Award for Network Monitoring this year!
SolarWinds ipMonitor gives you out-of-the-box, entry-level monitoring that is perfect for keeping up with your network devices, servers, and applications. Plus, ipMonitor includes a built-in database and Web server, so you do not need to install anything but ipMonitor - making it fast, affordable, and easy to use in any environment.
ipMonitor's network monitoring highlights include:
- Quickly discovers IP-based network devices and automatically recommends SmartMonitor settings for each device -- a huge time savings as no manual configuration is required
- Performs out-of-the-box monitoring of Active Directory®, DNS, Microsoft® Exchange, FTP, Web, IMAP, MS SQL Server™, SMTP, and more
- Monitors end-user experience with synthetic transactions
- Creates customizable network maps that enable you to visually monitor network data and to drill down to take immediate corrective actions
- Automates recovery and remediation actions to reduce downtime
- Provides a cutting-edge user interface and dashboard that enable you to quickly get a clear view of the health of your network and application infrastructure
- Leverages SNMP, WMI, and RPC for agent-less network monitoring of critical applications and systems
Download your copy of SolarWinds ipMonitor here!
Also, as a newsletter subscriber, you will be able to download a free copy of SolarWinds' new Exchange Monitor! Exchange Monitor works with both Exchange 2000 and Exchange 2003 and enables you to quickly troubleshoot Exchange server problems, spot mail queue problems, prevent potential bottlenecks and more.
Download your free copy of SolarWinds Exchange Monitor here!
Want to know more? We are preparing some great reviews of these products and will post them to the blogs, so make sure you have the WindowsNetworking.com and the MSExchange.org RSS feeds configured in your RSS reader.
If you have any questions about WINS or Windows Networking or Windows Network Services, let me know! My answers will show up in next month's newsletter in the Q&A section. Write me at email@example.com.
Quote of the Month - "Those who are too smart to engage in politics are punished by being governed by those who are dumber"-- Plato (427 BC - 347 BC)
2. ISA Server 2006 Migration Guide - Order Today!
Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you ISA Server 2006 Migration Guide. This book leverages the more than two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA 2006, and they share the Good, the Great, the Bad and the Ugly of ISA 2006 with their no holds barred coverage of Microsoft's state of the art stateful packet and application layer inspection firewall.
Order your copy of ISA Server 2006 Migration Guide. You'll be glad you did.
Click here to order your copy today.
3. WindowsNetworking.com Articles of Interest
4. KB Articles of the Month
5. Windows Networking Tip of the Month
Here's an oldie but goodie. Do you need to hide a shared folder on your network so that you can share the contents of the folder without advertising that share to users who do not know about it? It is easy! All you need to do is put a dollar sign ($) at the end of the share name. For example, if you need access to a share with the name LogFiles, just rename the share to LogFiles$. You can then map a network drive to \\server\LogFiles$ while the share stays out of the browse list that other users see in My Network Places or from "net view". Keep in mind that the $ only hides the share from browsing; it is not access control. Anyone who knows or guesses the name can still connect, and the share itself is still listed by "net share" on the server, so set share and NTFS permissions on LogFiles$ exactly as you would on a visible share.
6. WindowsNetworking Links of the Month
7. Ask Dr. Tom
I need to allow inbound L2TP/IPsec connections through my wireless router. I have a router that connects my network to the Internet and then I have a firewall behind the router. The firewall is also an RRAS L2TP/IPsec VPN server. I thought I had the right settings, but it is not working. Thanks! -Charlie.
Since you have a NAT device in front of your firewall and VPN server, you will need to configure the router to allow IPsec NAT traversal (NAT-T) through it. IPsec NAT-T requires that you allow inbound UDP port 4500 through the router, and you will also need to allow the IKE protocol, which is UDP port 500. Because the router is performing NAT, "allow" here means forwarding both ports to the internal address of the firewall/VPN server. That's all you need to do on the router.
However, the VPN clients need to be configured as well, and this is where a lot of Windows networking admins get caught up. Starting with Windows XP SP2, a "bug" was introduced that broke NAT traversal for Windows clients connecting to an L2TP/IPsec server that sits behind a NAT device. This "bug" was carried over to Windows Vista as well. You can fix the problem by editing a Registry entry on the client, as described in the following articles.
For information related to Vista and Windows Server 2008, see http://support.microsoft.com/kb/926179
For Windows XP SP2 and above, see http://support.microsoft.com/kb/885407/en-us
We have a fairly small network here in my office and since we had a few Windows Server 2003 licenses that we are not using and some old hardware, we decided to see how the Windows Routing and Remote Access service would work as a router. To our pleasant surprise, it seems to work pretty well! We have several GB NICs in the machine and it seems to work almost as well as our dedicated routers, although it doesn't provide any of the sophisticated routing features and port controls that our real routers have.
Anyhow, I was wondering if the RRAS service has anything like BOOTP relay to support DHCP clients on segments remote from the DHCP server? Thanks! - Roberto.
You bet! The Windows Server 2003 RRAS service supports the DHCP Relay Agent, which is one of the routing protocols available with the RRAS server. After you enable the DHCP Relay Agent routing protocol, you configure the hop count you want to support (the default is 4) and the IP address or addresses of your DHCP servers. I commonly use the DHCP Relay Agent on my multihomed ISA firewalls where I have a variety of production and guest network segments connected to the firewall.
Let me know if you have any problems with the DHCP relay agent configuration. Just write to me at firstname.lastname@example.org
Got a question for Dr. Tom? Send it to email@example.com.