DNS on Windows 2000, 2nd Edition

Preface
Versions
What's New in This Edition
Organization
Audience
Obtaining the Example Programs
Conventions Used in This Book
How to Contact Us
Quotations
Acknowledgments
1. Background
1.1 A (Very) Brief History of the Internet
1.2 On the Internet and Internets
1.3 The Domain Name System, in a Nutshell
1.4 The History of the Microsoft DNS Server
1.5 Must I Use DNS?
2. How Does DNS Work?
2.1 The Domain Namespace
2.2 The Internet Domain Namespace
2.3 Delegation
2.4 Name Servers and Zones
2.5 Resolvers
2.6 Resolution
2.7 Caching
3. Where Do I Start?
3.1 Which Name Server?
3.2 Choosing a Domain Name
4. Setting Up the Microsoft DNS Server
4.1 Our Zone
4.2 The DNS Console
4.3 Setting Up DNS Data
4.4 Running a Primary Master Name Server
4.5 Running a Slave Name Server
4.6 Adding More Zones
4.7 DNS Properties
4.8 What Next?
5. DNS and Electronic Mail
5.1 MX Records
5.2 Adding MX Records with the DNS Console
5.3 What's a Mail Exchanger, Again?
5.4 The MX Algorithm
5.5 DNS and Exchange
6. Configuring Hosts
6.1 The Resolver
6.2 Resolver Configuration
6.3 Advanced Resolver Features
6.4 Other Windows Resolvers
6.5 Sample Resolver Configurations
7. Maintaining the Microsoft DNS Server
7.1 What About Signals?
7.2 Logging
7.3 Updating Zone Data
7.4 Zone Data File Controls
8. Growing Your Domain
8.1 How Many Name Servers?
8.2 Adding More Name Servers
8.3 Registering Name Servers
8.4 Changing TTLs
8.5 Planning for Disasters
8.6 Coping with Disaster
9. Parenting
9.1 When to Become a Parent
9.2 How Many Children?
9.3 What to Name Your Children
9.4 How to Become a Parent: Creating Subdomains
9.5 Subdomains of in-addr.arpa Domains
9.6 Good Parenting
9.7 Managing the Transition to Subdomains
9.8 The Life of a Parent
10. Advanced Features and Security
10.1 DNS NOTIFY (Zone Change Notification)
10.2 WINS Linkage
10.3 System Tuning
10.4 Name Server Address Sorting
10.5 Building Up a Large Sitewide Cache with Forwarders
10.6 A More Restricted Name Server
10.7 A Nonrecursive Name Server
10.8 Securing Your Name Server
11. New DNS Features in Windows 2000
11.1 Active Directory
11.2 Dynamic Update
11.3 Aging and Scavenging
11.4 Incremental Zone Transfer
11.5 Unicode Character Support
12. nslookup
12.1 Is nslookup a Good Tool?
12.2 Interactive Versus Noninteractive
12.3 Option Settings
12.4 Avoiding the Search List
12.5 Common Tasks
12.6 Less-Common Tasks
12.7 Troubleshooting nslookup Problems
12.8 Best of the Net
13. Troubleshooting DNS
13.1 Is DNS Really Your Problem?
13.2 Checking the Cache
13.3 Potential Problem List
13.4 Interoperability Problems
13.5 Problem Symptoms
14. Miscellaneous
14.1 Using CNAME Records
14.2 Wildcards
14.3 A Limitation of MX Records
14.4 DNS and Internet Firewalls
14.5 Dial-up Connections
14.6 Network Names and Numbers
14.7 Additional Resource Records
A. DNS Message Format and Resource Records
A.1 Master File Format
A.2 DNS Messages
A.3 Resource Record Data
B. Installing the DNS Server from CD-ROM
C. Converting from BIND to the Microsoft DNS Server
C.1 Step 1: Change the DNS Server Startup Method to File
C.2 Step 2: Stop the Microsoft DNS Server
C.3 Step 3: Change the Zone Data File Naming Convention
C.4 Step 4: Copy the Files
C.5 Step 5: Get a New Root Name Server Cache File
C.6 Step 6: Restart the DNS Server
C.7 Step 7: Change the DNS Server Startup Method to Registry
D. Top-Level Domains
Colophon
Preface

You may not know much about the Domain Name System—yet—but whenever you use the Internet, you use DNS. Every time you send electronic mail or surf the Web, you rely on the Domain Name System.

You see, while you, as a human being, prefer to remember the names of computers, computers like to address each other by number. On an internet, that number is 32 bits long, or between zero and four billion or so.[1] That's easy for a computer to remember because computers have lots of memory ideal for storing numbers, but it isn't nearly as easy for us humans. Pick 10 phone numbers out of the phone book at random, and then try to recall them. Not easy? Now flip to the front of the book and attach random area codes to the phone numbers. That's about how difficult it would be to remember 10 arbitrary internet addresses.

[1] And, with IP Version 6, it's soon to be a whopping 128 bits long, or between zero and a 39-digit decimal number.

This is part of the reason we need the Domain Name System. DNS handles mapping between hostnames, which we humans find convenient, and internet addresses, which computers deal with. In fact, DNS is the standard mechanism on the Internet for advertising and accessing all kinds of information about hosts, not just addresses. And DNS is used by virtually all internetworking software, including electronic mail, remote terminal programs such as telnet, file transfer programs such as ftp, and web browsers such as Netscape Navigator and Microsoft Internet Explorer.

Another important feature of DNS is that it makes host information available all over the Internet. Keeping information about hosts in a formatted file on a single computer helps only users on that computer. DNS provides a means of retrieving information remotely from anywhere on the network.

More than that, DNS lets you distribute the management of host information among many sites and organizations. You don't need to submit your data to some central site or periodically retrieve copies of the "master" database. You simply make sure your section, called a zone, is up to date on your name servers. Your name servers make your zone's data available to all the other name servers on the network.

Because the database is distributed, the system also needs to be able to locate the data you're looking for by searching a number of possible locations. The Domain Name System gives name servers the intelligence to navigate through the database and find data in any zone.

Of course, DNS does have a few problems. For example, the system allows more than one name server to store data about a zone for redundancy's sake, but inconsistencies can crop up between copies of the zone data.

The worst problem with DNS is that despite its widespread use on the Internet, there's really very little documentation about managing and maintaining it. Most administrators on the Internet make do with the documentation their vendors see fit to provide and with whatever they can glean from following the Internet mailing lists and Usenet newsgroups on the subject.

This lack of documentation means that the understanding of an enormously important internet service—one of the linchpins of today's Internet—is either handed down from administrator to administrator like a closely guarded family recipe or relearned repeatedly by isolated programmers and engineers. New zone administrators suffer through the same mistakes made by countless others.

Our aim with this book is to help remedy this situation. We realize that not all of you have the time or the desire to become DNS experts. Most of you, after all, have plenty to do besides managing your zones and name servers: system administration, network engineering, or software development. It takes an awfully big institution to devote a whole person to DNS. We'll try to give you enough information to allow you to do what you need to do, whether that's running a small zone or managing a multinational monstrosity, tending a single name server or shepherding a hundred of them. Read as much as you need to know now, and come back later if you need to know more.

DNS is a big topic—big enough to require two authors, anyway—but we've tried to present it as sensibly and understandably as possible. The first two chapters give you a good theoretical overview and enough practical information to get by, and later chapters fill in the nitty-gritty details. We provide a roadmap up front to suggest a path through the book appropriate for your job or interest.

When we talk about actual DNS software, we'll concentrate on the Microsoft DNS Server, which is a popular implementation of the DNS specs included in Windows 2000 Server (and Windows NT Server 4.0 before it). We've tried to distill our experience in managing and maintaining zones into this book. (One of our zones, incidentally, was once one of the largest on the Internet, but that was a long time ago.)

We hope that this book will help you get acquainted with DNS on Windows 2000 if you're just starting out, refine your understanding if you're already familiar with it, and provide valuable insight and experience even if you know it like the back of your hand.
Versions

This book deals with name servers that run on Windows 2000 Server, particularly the Microsoft DNS Server. We will also occasionally mention other name servers that run on Windows 2000, especially ports of BIND, a popular implementation of the DNS specifications. However, if you need a book on BIND, we suggest this book's sister edition, DNS and BIND by Paul Albitz and Cricket Liu (O'Reilly). This book is essentially a Windows 2000 edition of DNS and BIND.

We use nslookup, a name server utility program, a great deal in our examples. The version of nslookup we use is the one shipped with Windows 2000 Server. Other versions of nslookup provide similar functionality to that in the Windows nslookup. We have tried to use commands common to most nslookups in our examples; when this was not possible, we tried to note it.
What's New in This Edition

The first edition of this book was called DNS on Windows NT and dealt with Microsoft's DNS implementation for that operating system. This new edition has been comprehensively updated to document the many changes to DNS, large and small, found in Windows 2000. The most significant new feature in Windows 2000 is Active Directory, and this edition describes how Active Directory depends on DNS, including the extra DNS resource records required for a domain controller to function properly. Other new DNS features explained are dynamic update, incremental zone transfer, and storing DNS zone information in Active Directory itself rather than in a text file on disk. The new material appears throughout the book, but many features are described in a new chapter for this edition, Chapter 11. The resolver, or client side of DNS, has also changed in Windows 2000, and Chapter 6 has been updated to document the behavior of the Windows 2000 and Windows 98 resolvers.
Organization

This book is organized, more or less, to follow the evolution of a zone and its administrator. Chapter 1 and Chapter 2 discuss Domain Name System theory. Chapter 3 through Chapter 6 help you to decide whether to set up your own zones, then describe how to go about it, should you choose to. The middle chapters, Chapter 7 through Chapter 11, describe how to maintain your zones, configure hosts to use your name servers, plan for the growth of your zones, create subdomains, secure your name servers, and integrate DNS with Active Directory. The last chapters, Chapter 12 through Chapter 14, deal with common problems and troubleshooting tools.

Here's a more detailed, chapter-by-chapter breakdown:

• Chapter 1 provides a little historical perspective and discusses the problems that motivated the development of DNS, then presents an overview of DNS theory.
• Chapter 2 goes over DNS theory in more detail, including the DNS namespace, domains, and name servers. We also introduce important concepts such as name resolution and caching.
• Chapter 3 covers how to choose and acquire your DNS software if you don't already have it and what to do with it once you've got it; that is, how to figure out what your domain name should be and how to contact the organization that can delegate your domain to you.
• Chapter 4 details how to set up your first two name servers, including creating your name server database, starting up your name servers, and checking their operation.
• Chapter 5 deals with DNS's MX record, which allows administrators to specify alternate hosts to handle a given destination's mail. The chapter covers mail-routing strategies for a variety of networks and hosts, including networks with security firewalls and hosts without direct Internet connectivity.
• Chapter 6 explains how to configure a Windows resolver.
• Chapter 7 describes the periodic maintenance administrators must perform to keep their domains running smoothly, such as checking name server health and authority.
• Chapter 8 covers how to plan for the growth and evolution of your domain, including how to get big and how to plan for moves and outages.
• Chapter 9 explores the joys of becoming a parent domain. We explain when to become a parent (i.e., create subdomains), what to call your children, how to create them (!), and how to watch over them.
• Chapter 10 goes over less common name server configuration options that can help you tune your name server's operation, secure your name server, and ease administration.
• Chapter 11 describes the new bells and whistles in Microsoft's DNS implementation for Windows 2000 that weren't present in Windows NT.
• Chapter 12 shows the ins and outs of the most popular tool for doing DNS debugging, including techniques for digging obscure information out of remote name servers.
• Chapter 13 covers many common DNS problems and their solutions and then describes a number of less common, harder-to-diagnose scenarios.
• Chapter 14 ties up all the loose ends. We cover DNS wildcarding; special configurations for networks that connect to the Internet through firewalls; hosts and networks with intermittent Internet connectivity via dial-up; network name encoding; and new, experimental record types.
• Appendix A contains a byte-by-byte breakdown of the formats used in DNS queries and responses as well as a comprehensive list of the currently defined resource record types.
• Appendix B describes how to load the Microsoft DNS Server from the Windows 2000 Server CD-ROM.
• Appendix C covers migrating from an existing BIND 4 name server to the Microsoft DNS Server.
• Appendix D lists the current top-level domains in the Internet domain namespace.
Audience

This book is intended primarily for Windows 2000 system administrators who manage zones and one or more name servers, but it also includes material for network engineers, postmasters, and others. Not all the book's chapters will be equally interesting to a diverse audience, though, and you don't want to wade through 14 chapters to find the information pertinent to your job. We hope this road map will help you plot your way through the book.

System administrators setting up their first zones should read Chapter 1 and Chapter 2 for DNS theory, Chapter 3 for information on getting started and selecting a good domain name, then Chapter 4 and Chapter 5 to learn how to set up a zone for the first time. Chapter 6 explains how to configure hosts to use the new name servers. Soon after, they should read Chapter 7, which explains how to "flesh out" their implementation by setting up additional name servers and adding additional zone data. Chapter 12 and Chapter 13 describe useful troubleshooting tools and techniques.

Experienced administrators may benefit from reading Chapter 6 to learn how to configure DNS resolvers on different hosts and Chapter 7 for information on maintaining their zones. Chapter 8 contains instructions on how to plan for a zone's growth and evolution, which should be especially valuable to administrators of large zones. Chapter 9 explains parenting—creating subdomains—which is essential reading for those considering the big move. Chapter 10 covers security features of the Microsoft DNS Server, many of which may be useful for experienced administrators. The new-to-Windows 2000 features covered in Chapter 11 will be helpful to experienced administrators making the jump from Windows NT. Chapter 12 and Chapter 13 describe tools and techniques for troubleshooting, which even advanced administrators may find worth reading.

System administrators on networks without full Internet connectivity should read Chapter 5 to learn how to configure mail on such networks and Chapter 14 to learn how to set up an independent DNS infrastructure.

Network administrators not directly responsible for any zones should still read Chapter 1 and Chapter 2 for DNS theory, then Chapter 12 to learn how to use nslookup, plus Chapter 13 for troubleshooting tactics.

Postmasters should read Chapter 1 and Chapter 2 for DNS theory, then Chapter 5 to find out how DNS and electronic mail coexist. Chapter 12, which describes nslookup, will also help postmasters dig mail routing information out of the domain namespace.

Interested users can read Chapter 1 and Chapter 2 for DNS theory, and then whatever else they like!

Note that we assume you're familiar with basic Windows 2000 system administration and TCP/IP networking. We don't assume you have any other specialized knowledge, though. When we introduce a new term or concept, we'll do our best to define or explain it. Whenever possible, we'll use analogies from Windows (and from the real world) to help you understand.
Obtaining the Example Programs

The example programs in this book are available from this URL:

    http://www.oreilly.com/catalog/dnswin2/

Extract the files from the archive using WinZip by typing:

    C:\temp> winzip dns.zip

If WinZip is not available on your system, get a copy from http://www.winzip.com/.
Conventions Used in This Book

We use the following font and format conventions:

Italic
    Used for new terms where first defined, Registry values, domain names, filenames, and command lines when they appear in the body of a paragraph exactly as a user would type them (for example: run dir to list the files in a directory). Italic is also used for Windows commands when they are mentioned in passing and not as part of a command line (for example: to find more information on nslookup, a user could consult the Windows help system).

Bold
    Used for menu names and for text appearing in windows and dialog boxes, such as names of fields, buttons, and menu options. For example: enter a domain name in the Server name field and then click the OK button.
Constant width
    Used for excerpts from scripts or configuration files. For example, a snippet of Perl:

        # start the DNS server only if the executable is present
        if ( -x "/winnt/system32/dns.exe" )
        {
            system( "/winnt/system32/dns.exe" );
        }
Sample interactive sessions showing command-line input and corresponding output are also shown in a constant width font, with user-supplied input in constant width bold:

    C:\> more <\winnt\system32\drivers\etc\hosts
    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #

Indicates a tip, suggestion, or general note.

Indicates a warning or caution.
How to Contact Us

Please address comments and questions concerning this book to the publisher:

    O'Reilly & Associates, Inc.
    101 Morris Street
    Sebastopol, CA 95472
    (800) 998-9938 (in the United States or Canada)
    (707) 829-0515 (international/local)
    (707) 829-0104 (fax)

There is a web page for this book, which lists errata, examples, and any additional information. You can access this page at:

    http://www.oreilly.com/catalog/dnswin2/

To comment or ask technical questions about this book, send email to:

    bookquestions@oreilly.com

For more information about books, conferences, software, Resource Centers, and the O'Reilly Network, see the O'Reilly web site at:

    http://www.oreilly.com/
Quotations

The Lewis Carroll quotations that begin each chapter are from the Millennium Fulcrum Edition 2.9 of the Project Gutenberg electronic text of Alice's Adventures in Wonderland and Through the Looking-Glass. Quotations in Chapter 1, Chapter 3, Chapter 5, Chapter 6, Chapter 8, Chapter 11, and Chapter 14 come from Alice's Adventures in Wonderland, and those in Chapter 2, Chapter 4, Chapter 7, Chapter 9, Chapter 10, Chapter 12, and Chapter 13 come from Through the Looking-Glass.
Acknowledgments

The authors would like to thank their technical reviewer for this edition, Levon Esibov, as well as Jon Forrest and David Blank-Edelman, technical reviewers for DNS on Windows NT, for their invaluable contributions to this book. Paul Robichaux provided assistance from his wealth of Exchange knowledge for Chapter 5, and John Peterson offered helpful suggestions based on his production Windows 2000 environment.

Matt would like to thank his wife, Sonja, for her support and unflagging patience, and Cricket for asking him to help with this book. He'd also like to thank his manager at VeriSign Global Registry Services, Aristotle Balogh, for his support.

Cricket would like to thank his wife, Paige, for her support during the writing of this book. Thanks also to Walter B and Dakota and Annie, for providing occasional but much-needed relief from writing.

We would also like to thank the folks at O'Reilly & Associates for their hard work and patience. Credit is especially due to our editors, Mike Loukides and Deb Cameron.
Chapter 1. Background

    The White Rabbit put on his spectacles. "Where shall I begin, please your Majesty?" he asked.
    "Begin at the beginning," the King said, very gravely, "and go on till you come to the end: then stop."

It's important to know a little ARPANET history to understand the Domain Name System (DNS). DNS was developed to address particular problems on the ARPANET, and the Internet—a descendant of the ARPANET—remains its main user.

If you've been using the Internet for years, you can probably skip this chapter. If you haven't, we hope it'll give you enough background to understand what motivated the development of DNS.
1.1 A (Very) Brief History of the Internet

In the late 1960s, the U.S. Department of Defense's Advanced Research Projects Agency, ARPA (later DARPA), began funding an experimental wide area computer network that connected important research organizations in the U.S., called the ARPANET. The original goal of the ARPANET was to allow government contractors to share expensive or scarce computing resources. From the beginning, however, users of the ARPANET also used the network for collaboration. This collaboration ranged from sharing files and software and exchanging electronic mail—now commonplace—to joint development and research using shared remote computers.

The TCP/IP (Transmission Control Protocol/Internet Protocol) protocol suite was developed in the early 1980s and quickly became the standard host-networking protocol on the ARPANET. The inclusion of the protocol suite in the University of California at Berkeley's popular BSD Unix operating system was instrumental in democratizing internetworking. BSD Unix was virtually free to universities. This meant that internetworking—and ARPANET connectivity—were suddenly available cheaply to many more organizations than were previously attached to the ARPANET. Many of the computers being connected to the ARPANET were being connected to local area networks (LANs), too, and very shortly the other computers on the LANs were communicating via the ARPANET as well.

The network grew from a handful of hosts to tens of thousands of hosts. The original ARPANET became the backbone of a confederation of local and regional networks based on TCP/IP, called the Internet.

In 1988, however, DARPA decided the experiment was over. The Department of Defense began dismantling the ARPANET. Another network, funded by the National Science Foundation and called the NSFNET, replaced the ARPANET as the backbone of the Internet.

Even more recently, in the spring of 1995, the Internet made a transition from using the publicly-funded NSFNET as a backbone to using multiple commercial backbones, run by long-distance carriers such as MCI and Sprint, and long-time commercial internetworking players such as PSINet and UUNET.

Today, the Internet connects millions of hosts around the world. In fact, a significant proportion of the non-PC computers in the world are connected to the Internet. Some of the new commercial backbones can carry a volume of several gigabits per second, tens of thousands of times the bandwidth of the original ARPANET. Tens of millions of people use the network for communication and collaboration daily.
1.2 On the Internet and Internets

A word on "the Internet," and on "internets" in general, is in order. In print, the difference between the two seems slight: one is always capitalized, one isn't. The distinction between their meanings, however, is significant. The Internet, with a capital "I," refers to the network that began its life as the ARPANET and continues today as, roughly, the confederation of all TCP/IP networks directly or indirectly connected to commercial U.S. backbones. Seen up close, it's actually quite a few different networks—commercial TCP/IP backbones, corporate and U.S. government TCP/IP networks, and TCP/IP networks in other countries—interconnected by high-speed digital circuits.

A lowercase internet, on the other hand, is simply any network made up of multiple smaller networks using the same internetworking protocols. An internet (little "i") isn't necessarily connected to the Internet (big "I"), nor does it necessarily use TCP/IP as its internetworking protocol. There are isolated corporate internets, and there are Xerox XNS-based internets and DECnet-based internets.

The new term "intranet" is really just a marketing term for a TCP/IP-based "little i" internet, used to emphasize the use of technologies developed and introduced on the Internet within a company's internal corporate network. An "extranet," on the other hand, is a TCP/IP-based internet that connects partner companies, or a company to its distributors, suppliers, and customers.
1.2.1 The History of the Domain Name System

Through the 1970s, the ARPANET was a small, friendly community of a few hundred hosts. A single file, HOSTS.TXT, contained a name-to-address mapping for every host connected to the ARPANET. The familiar Unix host table, /etc/hosts, was compiled from HOSTS.TXT (mostly by deleting fields Unix didn't use).

HOSTS.TXT was maintained by SRI's Network Information Center (dubbed "the NIC") and distributed from a single host, SRI-NIC.[2] ARPANET administrators typically emailed their changes to the NIC and periodically ftped to SRI-NIC and grabbed the current HOSTS.TXT file. Their changes were compiled into a new HOSTS.TXT file once or twice a week. As the ARPANET grew, however, this scheme became unworkable. The size of HOSTS.TXT grew in proportion to the growth in the number of ARPANET hosts. Moreover, the traffic generated by the update process increased even faster: every additional host meant not only another line in HOSTS.TXT, but potentially another host updating from SRI-NIC.

[2] SRI is the former Stanford Research Institute in Menlo Park, California. SRI conducts research into many different areas, including computer networking.

When the ARPANET moved to the TCP/IP protocols, the population of the network exploded. Now there was a host of problems with HOSTS.TXT:

Traffic and load
    The toll on SRI-NIC, in terms of the network traffic and processor load involved in distributing the file, was becoming unbearable.

Name collisions
    No two hosts in HOSTS.TXT could have the same name. However, while the NIC could assign addresses in a way that guaranteed uniqueness, it had no authority over hostnames. There was nothing to prevent someone from adding a host with a conflicting name and breaking the whole scheme. Adding a host with the same name as a major mail hub, for example, could disrupt mail service to much of the ARPANET.

Consistency
    Maintaining consistency of the file across an expanding network became harder and harder. By the time a new HOSTS.TXT file could reach the farthest shores of the enlarged ARPANET, a host across the network may have changed addresses or a new host may have sprung up.

The essential problem was that the HOSTS.TXT mechanism didn't scale well. Ironically, the success of the ARPANET as an experiment led to the failure and obsolescence of HOSTS.TXT.

The ARPANET's governing bodies chartered an investigation into a successor for HOSTS.TXT. Their goal was to create a system that solved the problems inherent in a unified host table system. The new system should allow local administration of data, yet make that data globally available. The decentralization of administration would eliminate the single-host bottleneck and relieve the traffic problem. And local management would make the task of keeping data up-to-date much easier. It should use a hierarchical namespace to name hosts. This would ensure the uniqueness of names.

Paul Mockapetris, then of USC's Information Sciences Institute, was responsible for designing the architecture of the new system. In 1984, he released RFCs 882 and 883, which describe the Domain Name System. These RFCs were superseded by RFCs 1034 and 1035, the current specifications of the Domain Name System.[3] RFCs 1034 and 1035 have since been augmented by many other RFCs, which describe potential DNS security problems, implementation problems, administrative gotchas, mechanisms for dynamically updating name servers and for securing zone data, and more.

[3] RFCs are Request for Comments documents, part of the relatively informal procedure for introducing new technology on the Internet. RFCs are usually freely distributed and contain fairly technical descriptions of the technology, often intended for implementers.
1.3 The Domain Name System, in a Nutshell

The Domain Name System is a distributed database. This structure allows local control of the segments of the overall database, yet data in each segment is available across the entire network through a client/server scheme. Robustness and adequate performance are achieved through replication and caching.

Programs called name servers constitute the server half of DNS's client/server mechanism. Name servers contain information about some segments of the database and make that information available to clients, called resolvers. Resolvers are often just library routines that create queries and send them across a network to a name server.

The structure of the DNS database, shown in Figure 1-1, is similar to the structure of the Windows filesystem. The whole database (or filesystem) is pictured as an inverted tree, with the root node at the top. Each node in the tree has a text label, which identifies the node relative to its parent. This is roughly analogous to a "relative pathname" in a filesystem, like bin. One label—the null label, or ""—is reserved for the root node. In text, the root node is written as a single dot (.). In the Windows filesystem, the root is written as a backslash (\).

Figure 1-1. The DNS database versus a Windows filesystem

Each node is also the root of a new subtree of the overall tree. Each of these subtrees represents a partition of the overall database—a "directory" in the Windows filesystem, or a domain in the Domain Name System. Each domain or directory can be further divided into additional partitions, called subdomains in DNS, like a filesystem's "subdirectories." Subdomains, like subdirectories, are drawn as children of their parent domains.

Every domain has a unique name, like every directory. A domain's domain name identifies its position in the database, much as a directory's "absolute pathname" specifies its place in the filesystem. In DNS, the domain name is the sequence of labels from the node at the root of the domain to the root of the whole tree, with dots (.) separating the labels. In the Windows filesystem, a directory's absolute pathname is the list of relative names read from root to leaf (the opposite direction from DNS, as shown in Figure 1-2), using a slash to separate the names.

Figure 1-2. Reading names in DNS and in a Windows filesystem

In DNS, each domain can be broken into a number of subdomains, and responsibility for those subdomains can be doled out to different organizations. For example, the InterNIC runs the edu (educational) domain, but delegates responsibility for the berkeley.edu subdomain to U.C. Berkeley (Figure 1-3). This is similar to remotely mounting a filesystem: certain directories in a filesystem may actually be filesystems on other hosts, mounted from remote hosts. The administrator on host winken, for example (again, Figure 1-3), is responsible for the filesystem that appears on the local host as the directory /usr/nfs/winken.

Figure 1-3. Remote management of subdomains and of filesystems

Delegating authority for berkeley.edu to U.C. Berkeley creates a new zone, an autonomously administered piece of the namespace. The zone berkeley.edu is now independent from edu, and contains all domain names that end in berkeley.edu. The zone edu, on the other hand, contains only domain names that end in edu but aren't in delegated zones like berkeley.edu. berkeley.edu may be further divided into subdomains, like cs.berkeley.edu, and some of these subdomains may themselves be separate zones, if the berkeley.edu administrators delegate responsibility for them to other organizations. If cs.berkeley.edu is a separate zone, the berkeley.edu zone doesn't contain domain names that end in cs.berkeley.edu (Figure 1-4).
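The tree, domain-name and zone rules just described, worked through in a short program. This is an added example and not code from the book or from the Microsoft DNS Server: it takes the edu, berkeley.edu and cs.berkeley.edu delegations from the text, constructs a few host names (www, mit) purely for illustration, and uses hypothetical class and method names (Node, Namespace, zone_for, names_in_zone) that belong to no real library. It shows why, once cs.berkeley.edu is delegated, a name under it belongs to the cs.berkeley.edu zone and no longer to berkeley.edu.

```python
# Added example (not from the book): a toy model of the DNS namespace as an
# inverted tree with zone cuts. Names edu / berkeley.edu / cs.berkeley.edu
# come from the text; the www and mit hosts are constructed for illustration.


class Node:
    """One node of the inverted tree: a text label plus its children."""

    def __init__(self, label, parent=None):
        self.label = label                 # "" is the null label of the root
        self.parent = parent
        self.children = {}
        # A zone cut marks the top of a separately administered zone.
        # The root node always starts the root zone.
        self.zone_cut = parent is None

    def domain_name(self):
        """Labels from this node up to the root, dot-separated.

        The root itself has no labels, so it is written as a single dot.
        """
        labels = []
        node = self
        while node.parent is not None:
            labels.append(node.label)
            node = node.parent
        return ".".join(labels) + "."


class Namespace:
    """The whole tree, with helpers for delegation and zone lookup."""

    def __init__(self):
        self.root = Node("")

    @staticmethod
    def _labels(name):
        # "www.cs.berkeley.edu." -> ["edu", "berkeley", "cs", "www"]
        # (walking order: from the root down toward the leaf)
        return [lbl for lbl in name.rstrip(".").split(".") if lbl][::-1]

    def add(self, name):
        """Make sure a node exists for name, creating intermediate nodes."""
        node = self.root
        for label in self._labels(name):
            node = node.children.setdefault(label, Node(label, node))
        return node

    def delegate(self, name):
        """Delegate name: it now heads its own zone (a zone cut)."""
        self.add(name).zone_cut = True

    def zone_for(self, name):
        """Return the domain name of the zone that holds name.

        Walk from the root toward the name; the last zone cut crossed is the
        closest enclosing delegation, i.e. the zone the name lives in. A name
        that is not in the tree is still attributed to the enclosing zone.
        """
        node = self.root
        zone = self.root
        for label in self._labels(name):
            node = node.children.get(label)
            if node is None:
                break
            if node.zone_cut:
                zone = node
        return zone.domain_name()

    def names_in_zone(self, zone_name):
        """All domain names inside a zone, stopping at child zone cuts."""
        top = self.add(zone_name)
        found = []

        def walk(node):
            found.append(node.domain_name())
            for child in node.children.values():
                if not child.zone_cut:      # delegated subtrees are not ours
                    walk(child)

        walk(top)
        return sorted(found)


def build_example():
    """Constructed namespace mirroring Figures 1-3 and 1-4 of the text."""
    ns = Namespace()
    ns.delegate("edu.")                # root delegates edu
    ns.delegate("berkeley.edu.")       # edu delegates berkeley.edu to U.C. Berkeley
    ns.delegate("cs.berkeley.edu.")    # berkeley.edu delegates cs.berkeley.edu
    for host in ("www.berkeley.edu.", "www.cs.berkeley.edu.", "mit.edu."):
        ns.add(host)                   # constructed host names, not from the book
    return ns


if __name__ == "__main__":
    ns = build_example()
    for name in ("www.cs.berkeley.edu.", "www.berkeley.edu.", "mit.edu."):
        print(f"{name:25} lives in zone {ns.zone_for(name)}")
    print("berkeley.edu zone holds:", ns.names_in_zone("berkeley.edu."))
```

Running the script shows www.berkeley.edu attributed to the berkeley.edu zone while www.cs.berkeley.edu is attributed to cs.berkeley.edu, and the listing of the berkeley.edu zone omits everything below the cs delegation, which is exactly the "doesn't contain" rule stated above.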
