Enterprise Design for DNS

In an IP-based network, computers and other devices are referred to either by name or by IP address. From a user’s perspective, it is easier if these resources are referred to using simple permanent names rather than the numerical IP addresses that may change over time. A name resolution service provides the mapping between such names and addresses.

This section describes the most common name resolution service, DNS. DNS design consists of the following steps:

During each of these steps, the DNS design needs to meet specific service-level design goals such as availability, security, and scalability.

The following section provides a description of the DNS service and explains the options for each step and each design goal together with the advantages and disadvantages of each option.

On This Page

	Service Definition
	Service Design
	Logical Design
	Hardware Requirements
	Availability
	Security
	Scalability
	Manageability
	Performance
	Consolidation
	Interoperability
	Localization
	Best Practices
	Service Modification List
	Service Dependencies
	Standards and Guidelines

Service Definition

DNS is a hierarchical distributed database used for locating domain names on the Internet and private TCP/IP networks. DNS refers both to the hierarchical namespace and to the Internet service used to resolve domain names to IP addresses. Hence, DNS provides a service for mapping DNS domain names to IP addresses and vice versa. This service allows users, computers, and applications that query DNS to specify remote systems by fully qualified domain names (FQDNs) rather than by IP addresses. Clients and servers use DNS for several purposes including:

In an enterprise organization, clients and servers also use DNS for:

Several additional services can be used to increase the functionality of DNS. These include:

Assigning DNS Names

All nodes on a network that need to be resolved to an IP address must be assigned a DNS name that includes the top-level Internet DNS domain name of the organization or part of the organization. Because DNS is hierarchical, DNS domain names increase in length when subdomains are added to the organization. If possible, you should use short domain names; doing so makes fully qualified computer names easier to remember and facilitates resource access.

A DNS namespace that is connected to the Internet must be a subdomain of a top level or second-level domain of the Internet DNS namespace. If you are deploying a new Windows Server 2003 DNS namespace, you must select a top-level or second-level Internet DNS domain to register your own Internet DNS domain name. For example, you can register your domain as a subdomain of a top-level domain such as .com, .org, or .net, or as a subdomain of the domain name that is assigned to your country or region, such as .au (Australia), .fr (France) or .ca (Canada). Some country registrars, such as the .uk domain, do not allow subdomains to be registered at the top level; instead you are allowed to register the subdomain at the second level, such as .co.uk. When you register your DNS domain name, the Internet registrar creates a delegation in the DNS zone that is authoritative for the high-level domain you selected (for example, the .com domain in the case of .com names). Contact information is also registered in the global WHOIS database.

Once the domain name has been registered with an Internet registrar, at least two authoritative DNS servers must be assigned to host the DNS zone for the domain. These root DNS servers might be located on your network or on your Internet service provider’s (ISP’s) network. This design choice is discussed in more detail later in this blueprint.

Namespace Planning

DNS namespaces should be planned in a flexible, yet logically hierarchical fashion, which will allow a DNS administrator to add new zones to the namespace environment without negatively affecting the existing namespace services. The design must be able to meet the security and naming requirements of all relevant clients and business units in the enterprise.

When starting a DNS namespace design, a good practice is to draw a graphical representation of the base namespace and then define any other zones beneath the root zone to accommodate their varying security and view requirements. This initial view should represent namespace services strictly from a logical perspective; any concerns about actual physical equipment and flow of data should be secondary. The focus here is to ensure that the logic behind the design fulfills the requirements for providing stable, redundant, and secure domain name services to clients in the networking environment. As DNS administrators begin to work out the details of this diagram, they will most likely find that various segments of the drawing need to be modified, moved, or deleted for various reasons. The initial design of a workable DNS namespace plan is often the most difficult part of establishing a DNS environment.

Naming Design Guidelines

Once you have decided on a namespace design, it is necessary to determine DNS names for the internal domains and computer names.

Internal Subdomain Naming Guidelines

When creating names for your internal domains, use the following guidelines:

Computer Naming Design Guidelines

Use the following guidelines when creating names for computers:

The following table lists the different character sets that are supported by standard DNS, Windows Server 2003 DNS, and NetBIOS.

Table 1. Character Set Restrictions

For information on integrating DNS with WINS, refer to the "DNS Interoperability" section in this blueprint.

Top of page

Service Design

The decision to use a specific IP name service such as DNS is one step in the network architecture design process for the enterprise. Generally, DNS will be the most appropriate option for most organizations; however it is not the only one. Therefore, the first step is to decide which name service is the most appropriate.

For more information on design of the network architecture and the decision steps it follows, refer to the Network Architecture Blueprint.

Design Inputs

As the requirement for IP address management is established, a number of additional factors that influence its design should be taken into account. To determine an appropriate configuration for a given situation, the following questions should be asked:

With this information, it is possible to define an appropriate set of options for IP address management.

Design Options for Name Service Technology

Internet name resolution can be provided in one of the following ways:

These name resolution options are described in the following sections.

Option 1—Static HOSTS Files

The simplest method of managing IP device names is through the use of HOSTS files. A HOSTS file is a simple text file installed on every client that contains name-to-address mappings. HOSTS files were the first name resolution technology used on the Internet and in the early days of TCP/IP networking; a single HOSTS file was maintained centrally and was downloaded to each client, either manually or automatically, through technologies such as Network Information Service (Yellow Pages) on UNIX.

Advantages

The advantages of using static HOSTS files include:

Disadvantages

The disadvantages of using static HOSTS files include:

Option 2—DNS Service

DNS replaces the HOSTS file with a distributed database that implements the DNS hierarchical naming system. In a DNS system, host records are held in a zone file. Zones correspond to administrative boundaries within the DNS namespace, and for each zone there is at least one DNS server that holds a copy of the zone file. For example, if the domain wingtiptoys.com has a subdomain corp.wingtiptoys.com, the complete namespace can be hosted on a single DNS server with a single zone file containing all the records. Alternatively, wingtiptoys.com and corp.wingtiptoys.com can be hosted in separate zones, so that different administrators can be responsible for each zone, different settings can be applied to each, and zone files can be hosted on different servers.

Advantages

The advantages of using the DNS service include:

Disadvantages

The disadvantages of using the DNS service include:

Recommendation for Best Practice

For most enterprise environments, Internet name resolution should be provided through DNS, which provides centralized management and control. The use of HOSTS files can be justified in specific situations, such as when resolution of critical network names on key servers or workstations must be ensured even if the DNS service is unavailable.

Top of page

Logical Design

Implementing an effective DNS service requires decisions on the following issues:

Once these issues have been addressed more detailed planning can be done, particularly in the case of more complex namespaces such as those required for an enterprise. Additional design choices include:

Design Options for Namespace Design

The first step in designing a DNS namespace is to determine whether you need a new namespace for your organization or whether you can retain an existing Windows or third-party DNS namespace.

The following table below summarizes the DNS namespace design requirements for each possible scenario.

Table 2. DNS Namespace Design Requirements

When considering namespaces, two key decisions are:

The following options describe how an enterprise can choose to design its namespace. Later sections in the blueprint consider the additional issues of whether to create a subdomain structure and how to name computers and servers.

The cases presented here assume a single public domain name, but the same options work even if the enterprise includes multiple business units with their own domain names. However, the design will become more complex to deploy if there are multiple public or internal namespaces. In particular, it becomes important to plan how to ensure that DNS queries are correctly handled across the domains. For more details, refer to the “Design Options for Optimizing DNS Queries—Server Configuration” section in this blueprint.

Option 1—Single Namespace for the Enterprise

In this design option there is only one namespace, for example wingtiptoys.com. In this namespace, an externally accessible Web server may have the DNS name www.wingtiptoys.com and an internal server may have the DNS name server1.wingtiptoys.com, with both these records defined in the same DNS zone. More details on the design options for DNS zones are provided later in this blueprint. This design is common in smaller organizations where there is limited internal TCP/IP networking and therefore minimal internal DNS requirements. It may also be found in organizations with no current public Internet presence.

Advantages

The advantages of a single namespace for the enterprise include:

Disadvantages

The disadvantages of a single namespace for the enterprise include:

Option 2—Internal Domain as a Subdomain of External Domain

In this design option there are in effect two namespaces, with all internal domains being subdomains of the publicly resolvable external domain name. For example, an organization that has an external namespace domain name of wingtiptoys.com may use corp.wingtiptoys.com as the internal namespace domain name.

You can use your internal subdomain as a parent for the additional child domains that you create to manage divisions within your company. Child domains have DNS names that are immediate subordinates to the DNS domain name of the parent. For example, a child domain for the human resources department that is added to the us.corp.wingtiptoys.com namespace may have the domain name hr.us.corp.contoso.com.

If this configuration is used, computers in the external domain that are accessible from the Internet must be deployed outside the firewall. The computers that you do not want to be accessible from the Internet are deployed within the internal subdomain, behind the firewall.

Advantages

The advantages of having the internal domain as a subdomain of the external domain include:

Disadvantages

The disadvantages of having the internal domain as a subdomain of the external domain include:

Option 3—Unrelated Names for Internal and External Domains

This configuration involves two namespaces. The domain names used for internal and external resources are completely different. For example, an organization uses the domain name wingtiptoys.com for their external namespace but uses the name wingtiptoys.local for their internal namespace. This example uses “.local” as a non-publicly resolvable suffix; such domains are known as internal stand-alone domains. As an alternative to using a non-publicly resolvable suffix, the internal domain could use a variant of the public domain with a slight change to the names, such as adding “-corp” to the domain name as in domain-corp.com.

Advantages

The advantages of using unrelated names for internal and external domains include:

Disadvantages

The disadvantages of using unrelated names for the internal and external domains include:

Option 4—Same Name for Internal and External Domains

In this configuration, the internal private namespace and the external public namespace share the same domain name. However, they are still completely separate and distinct namespaces.

You can use one of the following methods to enable the use of the same domain name for your internal and external DNS namespace:

The method that you choose depends on your client software proxy capabilities. The following table lists the possible methods for enabling the use of the same domain name for internal and external namespaces, and the client software proxy capabilities that are possible for each.

Table 3. Using the Same Name for Internal and External Namespaces and Compatible Proxy Capabilities

Advantages

The advantages of using the same name for the internal and external domains include:

Disadvantages

The disadvantages of using the same name for the internal and external domains include:

Additional Option—Use of Subdomains

Subdomains can be used in any of the four design options, and are fundamental to the option where the internal domain is a subdomain of the external domain (Option 2). The term subdomains refers to child namespaces set up within zones. For example, a subdomain of the corp.wingtiptoys.com namespace might have the domain name us.corp.wingtiptoys.com. This subdomain can contain additional subdomains, such as hr.us.corp.wingtiptoys.com. Subdomains are a level at which many critical DNS decisions are handled. When looking at different subdomain schemas consider the following:

Advantages

The advantages of using subdomains include:

Disadvantages

The disadvantages of using subdomains include:

Recommendation for Best Practice

Consider the following guidelines when using subdomains:

Design Options for DNS Hosting

The DNS root is the topmost level of the DNS that is within your control and ownership. For example, if your domain is wingtiptoys.com the “wingtiptoys” domain root is within your control; whereas the “com” domain root is currently managed and controlled by the domain name registrar, Verisign Global Registry Services.

The following design options are applicable whether your organization has a single domain or multiple top-level domains. Multiple top-level domains are required in cases where the enterprise is made up of business units with their own domain names or where businesses acquired through acquisitions and mergers need to be supported within the enterprise DNS.

Option 1—External Root

An external root is where an external system (such as that run by an ISP or third-party DNS host) is responsible for hosting your DNS, which may include your top-level domain and your internal DNS depending on your namespace design. (ISPs usually provide DNS as part of their services.)

Advantages

The advantages of using an external root include:

Disadvantages

The disadvantages of using an external root include:

Option 2—Internal Root

If you use an internal DNS root, a private DNS root zone is hosted on a DNS server on your internal network. Just as the Internet root zone contains delegations to all the top-level domain names on the Internet, such as .com, .net, and .org, a private root zone contains delegations to all of the top-level domain names on your network. The DNS server that hosts the private root zone is authoritative for all of the names in the internal DNS namespace. Internal clients can query the internal DNS for all private names and can be configured to query a different set of DNS servers for external name resolution. More details on this area of DNS design are provided later in this blueprint.

Advantages

The advantages of using an internal root include:

Disadvantages

The disadvantages of using an internal root include:

Recommendation for Best Practice

Use internal DNS roots isolated from public networks if you have a large distributed network and a complex DNS namespace. Using internal DNS roots streamlines the administration of your DNS namespace by enabling you to administer your DNS infrastructure as if the entire namespace consists of the DNS data within your network. You should also consider enabling your DNS clients and servers to use DNS servers of an ISP to perform name resolution for external hosts. This configuration can improve bandwidth utilization across your network. More details on this type of design are provided in the next section.

Design Options for Hosting Internal and External Namespaces

This set of options and all the remaining design options are applicable if your organization hosts its own DNS and has one or more of the following:

The key decision involves which clients will benefit from the services of this DNS implementation. For example, will the DNS provide enterprise name resolution services for all clients both internal and external, or will it provide services only to one or the other? If a DNS server is restricted to providing DNS services for only a part of the internal or external network, careful attention will need to be focused on the interfaces on the server that need to be enabled for DNS. For example, in the case of a DNS server put in place only to handle the resolving of public Internet names on behalf of internal clients (not advertising), there is no need to enable DNS on the network interface facing the Internet.

The next decision is about how to divide the services between internal and external clients:

Option 1—Complete DNS

The same DNS server can provide services for internal and external clients. Because this DNS server hosts zones for internal private records as well as external public records, it must be accessible from both internal and external networks to be able to provide name resolution for both internal and external clients.

Advantages

The advantages of complete DNS include:

Disadvantages

There are inherent security problems in allowing the same DNS to support both external and internal name resolution. There are no security boundaries within DNS to prevent external access to internal DNS records.

Option 2—Split DNS

Split DNS architecture consists of external-facing DNS servers that provide name resolution for external Internet clients and internal DNS root servers that provide name resolution for internal clients. The internal DNS services may be behind the enterprise firewall, and can be configured to forward all DNS queries to the external DNS servers for resolution. Alternatively, internal clients can be configured to query different DNS servers, depending on whether the request is for an internal or an external name. To be able to do this, clients must have proxy capabilities. The table below lists the types of client proxy capabilities and whether clients can be configured to query an internal DNS root for internal names.

Table 4. Client Proxy Capabilities

Advantage

Zone transfers are not allowed between the internal and external DNS servers. This configuration allows internal DNS namespace information to remain isolated and unavailable to the Internet. Zone transfers are also not allowed between the external DNS servers and any DNS server on the Internet.

Disadvantage

The disadvantage of split DNS is that resolving external names requires computers that support either software proxy or Proxy Local Address Tables (LATs); alternatively, you must configure one or more internal DNS servers to forward queries that cannot be resolved locally to the Internet.

Option 3—Split-Split DNS

This design is similar to the split DNS design in that external DNS servers provide name resolution for public Internet clients, but in this case the external DNS servers are either advertisers or resolvers; they do not act (as is usual) in both roles. As with the split DNS design, there is also a separate set of DNS servers for internal clients.

Advantages

The advantages of split-split DNS include:

Disadvantages

The disadvantages of split-split DNS include:

Recommendation for Best Practice

If possible, avoid the complete DNS design because this allows DNS traffic to pass between internal and external DNS servers. For security reasons a split DNS design is a better choice in most situations because it reduces the risk of external attack on the internal namespace. For large organizations, the security benefits of a split-split DNS design may often outweigh the additional resource requirements.

Design Options for DNS Technology

As DNS technology has evolved, new features have been added that are appropriate for some enterprises and inappropriate for others. The following options categorize DNS technology into four levels; it is important to choose the correct DNS for your enterprise requirements. If your DNS deployment involves DNS implementations from different vendors or uses different service versions, interoperability issues may need to be addressed. For more details on these issues, refer to the "DNS Interoperability" section in this blueprint.

Option 1—Standard DNS

Standard DNS as specified in RFC 1035 is supported by the Windows Server 2003 DNS service as well as previous versions of Windows and other platforms. For more details, refer to the "DNS Interoperability" section in this blueprint.

Advantages

The file-based zone replication method of standard DNS provides interoperability as it allows Windows 2000 and Windows Server 2003 DNS servers to replicate with other DNS servers such as Windows NT 4.0 and Berkeley Internet Name Daemon (BIND). It also allows Windows Server 2003 DNS servers to replicate with stand-alone servers running any DNS.

Disadvantages

The disadvantages of standard DNS include:

Option 2—Dynamic DNS

The DNS dynamic update protocol provides automatic registration of host names into the DNS database. The dynamic update mechanism enables DNS client computers to register and dynamically update their resource records with a DNS server whenever changes occur. This reduces the need for manual administration of zone records, especially for clients that frequently move or change locations or use DHCP to obtain an IP address.

The Windows Server 2003 DNS Server service allows dynamic updates to be enabled or disabled on a per-zone basis at each server configured to load either a standard primary or directory-integrated zone. By default, the DNS Client service dynamically updates host (A) resource records (RRs) in DNS when configured for TCP/IP for clients running Windows 2000 or greater.

If you are using the DNS service on a Windows Server 2003 domain controller, you have the choice of creating standard or Active Directory-integrated zones. If you create standard zones, they will be enabled for dynamic update by default and zone replication will operate in exactly the same way as for standard DNS servers.

Advantages

The advantages of DNS dynamic updates include:

Disadvantages

The disadvantage of DNS dynamic updates is that they do not add any security to the zone replication process; it remains inherently insecure.

Option 3—Active Directory-integrated DNS

Active Directory-integrated DNS adds to the services that DNS dynamic update provides. In particular, it adds support for all Active Directory record types by making use of Active Directory security and replication mechanisms. Active Directory-integrated DNS runs on Windows 2000 and Windows Server 2003 domain controllers, and is not available on computers running Windows Server 2003 Web Edition.

Active Directory-integrated zones are located in the Active Directory tree. In Windows 2000 this means within the domain partition, but in Windows Server 2003 you must decide whether to store it in the application directory partition or in the domain partition. A partition is a data structure within Active Directory that is used to differentiate data for different replication purposes. Each directory-integrated zone is stored in a dnsZone container object identified with the name chosen when it was created. Active Directory-integrated primary zones are replicated with other Active Directory-integrated primary zones in a multimaster topology.

You can use the DNS service running on a Windows Server 2003 domain controller to host both Active Directory-integrated zones and file-based zones. However, you cannot store an Active Directory-integrated as well as a file-based primary copy of a zone on the same domain controller.

In this design, because Active Directory holds all DNS data, Active Directory replication automatically propagates zone changes between domain controllers. If you are using Active Directory-integrated zones in a Windows Server 2003 domain, you can select an Active Directory-integrated zone replication scope using the DNS Microsoft Management Console (MMC). This cannot be done in Windows 2000 domains where the replication scope is always to all domain controllers in a domain.

Advantages

The advantages of Active Directory-integrated DNS include:

Disadvantages

The disadvantages of Active Directory-integrated DNS include:

Option 4—Active Directory-integrated Primary Zones with File-based Secondary Zones

A secondary zone contains a complete read-only copy of a zone. Secondary zones can be used to improve zone availability at remote sites if you do not want zone data to be replicated across a wide area network (WAN) link by means of Active Directory replication. With this option, secondary zones are added for most, if not all, of the Active Directory-integrated primary zones. You would not choose this option if all your DNS servers were running on domain controllers, because in such a case Active Directory would handle the replication and zone transfers.

Advantages

The advantage of this option is its flexible deployment. This design enables secondary zones to be hosted on DNS servers that are not serving as domain controllers, providing fault tolerance, geographical distribution of network hosts, and load balancing without needing to configure all DNS servers as domain controllers.

Disadvantages

The disadvantages of this option include:

Recommendation for Best Practice

Use Windows Server 2003 DNS with Active Directory-integrated zones wherever possible, unless the network is small or involves supporting clients and services that are incompatible with Windows Server 2003 DNS. Windows Server 2003 DNS with Active Directory-integrated zones provides automatic registration of name records in the DNS database along with secure database updates and replication across the enterprise. Use of the Active Directory multimaster replication topology means that administrators do not need to support, manage, and secure separate replication services for DNS and directory services.

If necessary, you can combine Active Directory-integrated zones and file-based zones in the same design. For example, if the DNS server that is authoritative for the private root zone is running on an operating system other than Windows Server 2003 or Windows 2000, it cannot act as an Active Directory domain controller. Therefore, you must use file-based zones on that server. However, you can delegate this zone to any domain controller running either Windows Server 2003 or Windows 2000. For example, if the authoritative DNS server for the name wingtiptoys.com is running on a BIND 4.9.7 server that does not support Active Directory, you can add a delegation from this file-based zone that refers to the authoritative DNS server for the corp.wingtiptoys.com subdomain running on Windows Server 2003 DNS. In this way, the zone, corp.wingtiptoys.com, is now Active Directory-integrated.

Design Options for DNS Zones

Several types of DNS zones can be deployed, but the types you can deploy are dependent on the DNS technology options you select; not all zone types are available for each DNS technology.

Zones are either forward lookup zones or reverse lookup zones. For either type of zone, the zone file can be one of three types; primary, secondary, or stub. The replication between zones can be planned once the zone types have been decided.

Zone Replication

Designing zone replication involves identifying where to use replicated zones for availability and redundancy. After careful analysis, you can partition and delegate your DNS zones based on what is required for providing efficient and fault tolerant name service to each location or site.

Windows Server 2003 and Windows 2000 DNS support both incremental and full zone transfer of file-based zones. Incremental zone transfer is the default method, but if this method is not supported by a non-Microsoft DNS server that is involved in the transfer, Windows Server 2003 and Windows 2000 DNS default to the full zone transfer method.

Incremental zone transfer (described in RFC 1995 "Incremental Zone Transfer in DNS") provides better use of available network bandwidth. Rather than send the entire contents of the zone file, the master server only transfers the incremental changes in the zone. This reduces the effect of DNS zone transfers on network traffic. Without incremental zone transfers, the master server transfers the entire zone file to the secondary server every time a DNS zone is updated.

File-based primary zones can be hosted on any standard DNS server; this makes them interoperable with other platforms and DNS server versions. File-based zone files are simple files that can be easily copied for backup and migration purposes and easily modified with command-line tools, scripts, and text editors. DNS administrators with skills on non-Windows platforms can perform similar management procedures on Windows-based DNS by using zone files.

The following guidelines will help you select the appropriate zone replication method:

Recommendation for Best Practice

Use Active Directory-integrated zones if possible, as Active Directory distributes data using a multimaster replication model that provides more security than the standard DNS. Add secondary zones at remote sites where network bandwidth limitations do not allow Active Directory replication for zone file updates. If you cannot use Active Directory-integrated zones throughout the enterprise, you can also consider:

Design Options for Number of DNS Servers to Deploy

A working DNS requires a single DNS server, but if this server becomes unavailable or overloaded, name resolution will fail. The following design options consider the appropriate number of DNS servers to deploy in an enterprise, and consider the advantages and disadvantages of each.

Option 1—Single DNS Server per Zone

In this design, a single DNS server is deployed for each DNS zone. It is possible to host more than one zone of the same type (such as forward lookup or reverse lookup) on the same server; however, doing so may negate some of the benefits of using DNS zones, such as spreading the load across multiple servers. Tests have shown that one Windows Server 2003 DNS server can easily host 200,000 zones containing six resource records. If you have a routed LAN with reliable and high-speed links, one DNS server may be sufficient even for a large network area that includes multiple subnets. In a common configuration, a single DNS server hosts both forward and reverse lookup zones.

Advantages

The advantages of using a single DNS server per zone include:

Disadvantages

The disadvantage of using a single DNS server per zone is that there is no fault tolerance in this design. If the single DNS becomes unavailable, all name resolution (except from temporary client DNS caches) will fail. There is also no scope for distributing DNS load across the network in this design.

Option 2—Single DNS Server with Network Load Balancing

This design option is a variation of the single DNS server per zone design. In this design a Network Load Balancing cluster is used for the “single” DNS server and clients are configured with the address of the Network Load Balancing cluster.

Advantages

The advantages of using a single DNS with Network Load Balancing include:

Disadvantages

The disadvantages of using a single DNS with Network Load Balancing include:

Option 3—Two DNS Servers per Zone

In this design, a second DNS server is deployed for each DNS zone; this second server can be on the same subnet or placed in another location. If the zones are file-based, the second server will host a secondary zone file that is a read-only copy of the primary zone file. If the zones are Active Directory-integrated, both servers will hold primary copies of the data.

Advantages

The advantages of using two DNS servers per zone include:

Disadvantages

The disadvantages of using two DNS servers per zone include:

Option 4—Multiple DNS Servers per Zone

In this design, more than two DNS servers are deployed for each zone. In the case of file-based zones, there will be two or more secondary zones for each primary zone. If the zones are Active Directory-integrated, all servers hold primary copies of the data. The additional DNS servers can be configured as stand-alone servers to handle large numbers of client queries. A stand-alone server can be set up as a caching only server, which forwards non-cached queries to another DNS server, or as a secondary server for an Active Directory-integrated zone.

Advantages

The advantages of using multiple DNS servers per zone include:

Disadvantages

The disadvantages of using multiple DNS servers per zone include:

Recommendation for Best Practice

To reduce administrative overhead, it is best to use the minimum number of DNS servers; however, the minimum must be at least two DNS servers authoritative for each zone to enable fault tolerance and load sharing. A single DNS server is not recommended because it provides no fault tolerance at all.

If you support a large number of clients, add additional DNS servers. Use expected number of queries and dynamic updates per second to determine the number of DNS servers that you need and whether these additional servers need to be standard servers or caching only.

If you have an Internet presence, DNS must work properly so that clients may access your Web servers, send mail, and locate other services without interruptions; therefore, it is recommended that you run a secondary DNS server offsite. If you have a business relationship with an organization on the Internet such as a business partner or ISP, they might agree to run a secondary server for you; however, ensure that the data on the organization's server is secure against Internet attackers.

Design Options for Optimizing DNS Queries—Client Configuration

The design options involve decisions on how clients are informed of DNS server addresses and how clients are configured for DNS dynamic update support and search suffix lists.

Clients can be configured to use DNS in several ways, including the following:

Clients are mainly configured for DNS dynamic update support and search suffix lists in the following two ways:

Windows Server 2003 includes a new set of Group Policies to simplify the rollout of Windows Server 2003 DNS clients. For more information about these Group Policies, refer to the “Networking Guide” of the Windows Server 2003 Resource Kit at the following URL:

http://www.microsoft.com/windowsserver2003/techinfo/reskit/resourcekit.mspx

Recommendation for Best Practice

Configure your clients' DNS server lists and suffix search lists by including at least two DNS server IP addresses on the clients and domain controllers; the IP address for a preferred server and the IP address for an alternate server. Use a server in the local site as the preferred server. The alternate server may be in a local or remote site.

By default, the DNS suffix search list is populated based on the client's primary DNS suffix and any connection-specific DNS suffixes. You can modify the DNS suffix search list using the DNS manager or Group Policy. You should limit the size of your suffix search list, because a large list increases network traffic.

Design Options for Optimizing DNS Queries—Server Configuration

Large enterprises often have multiple internal namespaces, and your DNS design must be able to provide effective name resolution for any of these namespaces. There are several DNS server configuration options that can be used to provide name resolution across namespaces and efficient name resolution for external names, if required.

Option 1—Delegations

Once you have an internal DNS root you can add delegations within each top-level DNS zone; for example, corp.wingtiptoys.com as the root with a delegation of na.corp.wingtiptoys.com to another primary DNS server. In this way, the corp.wingtiptoys.com zone is aware of the na.corp.wingtiptoys.com zone and specifically knows the name servers responsible for the other zone. Depending on whether queries for the other zone are iterative or recursive, the DNS server can either return information on the relevant authoritative name server or carry out a query on the client's behalf.

Advantages

The advantages of using delegations include:

Disadvantage

The disadvantage of using delegations relates to traceability; in more complex configurations, records of which domains are aware of which others may be difficult to maintain.

Option 2—Forwarding

If a non-root server attempts to resolve a name for which it is neither authoritative nor has a delegation, and which it does not already have in its cache, it can attempt one of the following:

Forwarding can be turned off by either leaving the list of forwarders blank so that there is no information on how to do forwarding or by disabling recursion. If recursion is disabled, the DNS server will only respond directly to a client’s DNS query, either with an authoritative answer or a failure; it will not attempt to query or forward the query to any other server.

Forwarding can be used for offsite or Internet traffic. For example, a branch office DNS server can forward all offsite traffic to a forwarder at the company headquarters, and an internal DNS server can forward all Internet traffic to a forwarder on the Internet. Forwarders also provide additional network security by minimizing the list of DNS servers that can communicate across a firewall.

In the case of multiple internal namespaces, the DNS servers that host the top-level DNS zones of one namespace can forward name resolution queries for a second namespace to the DNS servers that host the top-level DNS zones for that second namespace. Similarly, the DNS servers that host the top-level DNS zones of the second namespace can forward name resolution queries for the first namespace to the DNS servers that host the top-level DNS zones for the first namespace.

This forwarding can be achieved in three ways; by using standard forwarders, conditional forwarders, or stub zones.

Standard Forwarders

A standard forwarder design is where a DNS server is configured to forward all queries that cannot be resolved locally to another designated DNS server or servers. In this case, when the DNS client issues a recursive query (the default type of client query) the DNS server attempts to provide the client with an answer even if it cannot provide an authoritative answer itself.

Advantage

The advantage of standard forwarder design is that it can be configured on all DNS servers regardless of platform or version, which means that a forwarding design can be implemented in any DNS design.

Disadvantage

The disadvantage of standard forwarder design is that it is inefficient. In this design, it is not possible to control the forwarding; either the query is resolved by the local DNS server or it is forwarded to another server. Therefore, standard forwarding can generate additional network traffic. For example, a non-root server in Site A is configured to forward queries to a forwarder in Site B and it needs to resolve a name in a zone hosted by a server in Site C. Because the non-root server in Site A can forward queries only to Site B, it cannot directly query the server in Site C. Instead, it forwards the query to the forwarder in Site B and the forwarder queries the server in Site C. (This is the only forwarding method available if you are not running Windows Server 2003 DNS.)

Conditional Forwarders

With a conditional forwarding design you can control the name resolution process at a more granular level. When configuring the DNS server, you can specify the names of domains for which queries can be forwarded and the DNS servers to which the forwarding is to happen. For example, you can specify that queries for any name in the wingtiptoys.com domain are to be forwarded to DNS server A whereas queries for names in the tailspintoys.com are to be forwarded to DNS server B; all other queries are to be forwarded to DNS server C and so on. DNS servers that are configured to use conditional forwarding can perform name resolution without using recursion.

Advantages

The advantages of using conditional forwarder design include:

Disadvantages

The disadvantages of using conditional forwarder design include:

Forwarding Guidelines

If you are using standard or conditional forwarding, the following guidelines illustrate some examples of best practices:

Stub Zones

You can use Windows Server 2003 DNS stub zones to facilitate DNS data distribution between separate namespaces. A stub zone is a partial copy of a zone that can be hosted by a DNS server and used to resolve recursive or iterative queries. With stub zones, authoritative DNS servers for the parent zones automatically learn about new authoritative DNS servers for the child zones and can perform recursion to them. Stub zones can also be used as an alternative to other forwarding methods to allow DNS servers to be aware of other external namespaces. However, this is not their primary purpose. For more information on stub zones, refer to the Windows 2003 Server DNS Help files.

Advantages

The advantages of using stub zones include:

Disadvantages

The disadvantages of using stub zones include:

Option 3—Secondary Zones

In this configuration, the DNS servers that host the top-level DNS zones in the first and second namespaces also host secondary zones of each other's top-level DNS namespaces. For example, the root name server for wingtiptoys.com would host a secondary zone for tailspintoys.com (if the enterprise has two distinct public namespaces).

Advantages

The advantage of the secondary zones in this configuration is that the DNS servers that host the top-level DNS zones in each namespace are automatically aware of the DNS servers in the other namespace.

Disadvantages

The disadvantages of using secondary zones include:

Recommendation for Best Practice

Use delegation if you can; this is the simplest to manage and configure. If you cannot use delegation and do not run Windows Server 2003 DNS, use standard forwarding. However, if you are using Windows Server 2003 DNS, use stub zones to ensure that the parent zone's authoritative DNS server automatically receives updates about any child zone's authoritative name servers.

Secondary zones are not recommended because they require additional storage space for hosting secondary copies of top-level zones in different namespaces; they also generate increased zone transfer traffic.

Logical Design Example

The following figure illustrates how Active Directory-integrated zones and file-based secondary zones can be deployed together to provide enterprise DNS services.