As a Microsoft Certified Trainer, I’ve been asked numerous times, “What is the most important thing to learn in Windows 2000?” And my answer is always the same: "Learn DNS." In Windows NT 4.0 (and earlier) environments, an administrator could easily "get by" knowing only the bare essentials when it came to DNS. However, the release of Windows 2000 represents a major shift in the DNS paradigm in Windows networks.
With the arrival of Active Directory came a new necessity to understand DNS, because Active Directory relies heavily on DNS. Consequently, a firm foundation in DNS is a must, and an advanced knowledge of its various intricacies is even better.
I am going to look at an extremely important niche of a Windows DNS server: understanding the advanced DNS zone properties. This article assumes that the reader has a fundamental understanding of Windows 2000’s implementation of DNS.
For those readers who wish to refresh their DNS knowledge before reading this article, here are a few links to DNS-related information:
- “The role of DNS in Windows 2000”
- “Installing and configuring a DNS server in Win2K”
- “Solve problems with Windows 2000 DNS servers” (subscription content)
- “Customize your Windows 2000 DNS implementation” (subscription content)
- Windows 2000 DNS Whitepaper
First things first
Before I can get to the meat of this topic, there are a few terms that are worth defining:
- Zone: Microsoft defines a zone as a contiguous portion of the domain namespace for which a DNS server has authority to answer queries.
- Recursion: In DNS vernacular, there are two major types of DNS query: iterative and recursive. With an iterative query, a client issues a request for resolution to its DNS server, and the server returns the best match it can find, or a pointer to a server that is authoritative for the domain name requested. With a recursive query, the client issues a lookup to its server and the server returns the exact answer or nothing at all; it never points the client to another authoritative server.
- BIND: Berkeley Internet Name Domain, or BIND, is a UNIX-based DNS server, and is the most popular DNS software in use on the Internet today. Windows 2000’s DNS and BIND have the ability to play nicely together (much to the chagrin of many UNIX administrators). To learn more about BIND, check out the book “DNS and BIND” by Paul Albitz and Cricket Liu.
Advanced DNS options
If you're following along with a real Windows 2000 DNS server (I’d highly recommend a lab server), open your DNS MMC by going to Start | Programs | Administrative Tools and selecting DNS. From within the DNS console, select and right-click your DNS server. From the menu, choose Properties. From the Properties dialog box, choose the Advanced tab.
These are the settings that allow you to take your DNS server to a higher level, and, depending on your environment and the needs of your network, some of these settings may be very important. Understanding these settings is crucial to becoming a DNS expert.
From the Advanced tab you will notice the following settings:
- Disable Recursion
- BIND Secondaries
- Fail On Load If Bad Zone Data
- Enable Round Robin
- Enable Netmask Ordering
- Secure Cache Against Pollution
In the following sections I have provided a detailed description of each of these settings and where they may be applicable.
Disable Recursion
Selecting this setting disables recursion for all clients that use this DNS server; configure it if you wish to allow only iterative queries. Accepting recursive queries from the Internet can be a bad thing and could lead to hackers learning more about your network than they should, so many IT pros suggest disabling recursion, for security purposes, on servers that are reachable from the Internet.
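After changing this setting it is worth confirming from a client what the server actually does. The following is an added example, not code from the article: it builds a recursive (RD=1) A query by hand, parses the response header, and classifies the server from the RA flag, RCODE and section counts. The server address, the placeholder query name and the two response headers are constructed for the example.

```python
import socket
import struct

# Added example, not from the article: a small probe that asks a DNS server a
# recursive question and reads the answer's header to see whether recursion is
# actually offered. UDP/53 and a constructed placeholder name are assumed.

def build_query(name, txid=0x1234):
    """Build a standard recursive (RD=1) A query for `name` in IN class."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(data):
    """Extract the header fields a recursion audit needs from a DNS response."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # message is a response
        "rd": bool(flags & 0x0100),   # recursion desired (echoed back)
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,      # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "answers": an,
        "authority": ns,
    }

def classify(hdr):
    """Summarise what the server did with a recursive question."""
    if hdr["rcode"] == 5:
        return "refused"
    if hdr["ra"]:
        return "recursion-offered"          # server is willing to recurse for us
    if hdr["answers"] > 0:
        return "answered-without-recursion" # data the server holds itself
    return "referral-only"                  # recursion disabled: we got a pointer

def check_server(server, name="www.example.com", timeout=3.0):
    """Live probe: send the query over UDP and return the classified result."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(512)
    return classify(parse_header(data))

# Constructed headers: QR|RD|RA, NOERROR, one answer (recursion offered) ...
OPEN_RESPONSE = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
# ... and QR|RD with RA clear, no answers, two NS records (a bare referral).
REFERRAL_RESPONSE = struct.pack(">HHHHHH", 0x1234, 0x8100, 1, 0, 2, 0)
```

Run `check_server("<your-dns-server-ip>")` from a host outside the server's own zones; a server with Disable Recursion set should report `referral-only` or `refused`, not `recursion-offered`.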
BIND Secondaries
Microsoft fully supports the use and integration of BIND into its DNS scheme. As with any product integration, however, there are some limitations and configuration issues that must be addressed.
Normally, when two Windows 2000 DNS servers replicate data (more commonly known in DNS circles as performing a zone transfer), the replication occurs in “fast zone transfer” mode, in which the data is compressed. If you are integrating BIND into your network, there may be times when you need to replicate data in uncompressed mode to an older BIND server running a secondary zone. The BIND Secondaries option turns off fast zone transfers. Unless your BIND server runs version 4.9.4 or earlier, leave this check box cleared so that fast zone transfers remain enabled. For more info on BIND interoperability, check out Microsoft’s interoperability page.
Fail On Load If Bad Zone Data
By default, Windows 2000 DNS servers will skip errors or incorrect data in the zone file. If you want the DNS server to fail when loading a zone with bad data, select this check box. Generally, this is a setting you would not enable.
Enable Round Robin
RFC 1794 defines round robin as a sort of “manual” method of load balancing. The round robin feature rotates the order of the resource record data returned in a query answer when multiple resource records of the same type exist for the queried DNS domain name. In other words, if you have more than one “A” (host) record defined for a host name, the server rotates through them as client requests come in, which avoids overloading one of the hosts with all the requests. Occasionally, the round robin technique is used with Exchange servers; however, its one major drawback is that it is not intelligent enough to recognize a server failure on one of the hosts and stop directing clients to it.
Enable Netmask Ordering
According to the Configuring Subnet Prioritization section in this Microsoft link, if the resolver client issuing the query “receives multiple A resource records from a DNS server, and some have IP addresses from networks to which the computer is directly connected, the resolver orders those resource records first. This reduces network traffic across subnets by forcing computers to connect to network resources that are closer to them.”
If you have computers with more than one NIC (multihomed hosts), this setting allows your DNS server to place first in its answer the address that is on the same subnet as the client. This setting is enabled by default; if you disable it, the round robin behavior described above is used instead.
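To make the interaction between the two settings concrete, here is an added example (not from the article) that models how a server orders the A records for one multihomed name under Round Robin and Netmask Ordering, and counts how much traffic round robin keeps sending to a host that has failed. The record set, client addresses and the /24 subnet view are constructed assumptions.

```python
import ipaddress

# Added example, not from the article: a model of answer ordering under the
# Round Robin and Netmask Ordering settings. Records and clients are constructed;
# a fixed /24 prefix stands in for the server's knowledge of local subnets.

class AnswerOrderer:
    def __init__(self, round_robin=True, netmask_ordering=True, prefix=24):
        self.round_robin = round_robin
        self.netmask_ordering = netmask_ordering
        self.prefix = prefix
        self._served = {}  # name -> number of answers served, drives the rotation

    def answer(self, name, records, client_ip):
        """Return `records` (IPv4 strings for one name) in the order the client sees."""
        out = list(records)
        if self.round_robin:
            n = self._served.get(name, 0)
            self._served[name] = n + 1
            shift = n % len(out)
            out = out[shift:] + out[:shift]      # rotate one position per query
        if self.netmask_ordering:
            net = ipaddress.ip_network(f"{client_ip}/{self.prefix}", strict=False)
            local = [ip for ip in out if ipaddress.ip_address(ip) in net]
            remote = [ip for ip in out if ipaddress.ip_address(ip) not in net]
            out = local + remote                 # same-subnet addresses first
        return out

def sent_to_dead_host(orderer, name, records, client_ip, queries, dead_host):
    """Count lookups whose first answer is `dead_host`. The server has no idea the
    host is down, so plain round robin keeps handing out its share of clients."""
    return sum(1 for _ in range(queries)
               if orderer.answer(name, records, client_ip)[0] == dead_host)

# Constructed A records for one multihomed host name on three subnets
RECORDS = ["10.1.1.5", "10.2.2.5", "10.3.3.5"]
```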
Secure Cache Against Pollution
If you review Carnegie Mellon’s Vulnerability Note #109475, you will see that pollution of the DNS cache can be a serious security issue. Essentially, cache pollution occurs when a server caches bad data from responses, which can in turn disrupt your network’s functionality and cause inaccurate name resolution. This option controls how resource records are added to the cache. If it is enabled, the DNS server will not cache resource records that were not answers to the originally issued query. See Microsoft Knowledge Base article Q241352 for more information.
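The acceptance rule is easier to reason about in code. This is an added example, not code from the article or from Microsoft: it takes the records of one response, keeps those related to the queried name, and discards the rest when the secure setting is on. The response records are constructed, and the "related" test (owner name lies within the queried name's zone, approximated as its last two labels) is my reading of the rule, not the server's actual implementation.

```python
# Added example, not from the article: a model of the cache-acceptance check
# behind "Secure cache against pollution". Records are (section, owner, type, data)
# tuples constructed for the example; the zone test is a two-label simplification.

def zone_of(name, labels=2):
    """Approximate a name's zone by its last `labels` labels (e.g. example.com)."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-labels:])

def in_tree(owner, queried):
    """True if `owner` is the queried name's zone apex or lies beneath it."""
    owner = owner.lower().rstrip(".")
    zone = zone_of(queried)
    return owner == zone or owner.endswith("." + zone)

def accept_into_cache(queried_name, response_records, secure=True):
    """Split a response into (cached, discarded). With `secure` off, everything
    is cached, which is how an unrelated record can be planted in the cache."""
    cached, discarded = [], []
    for rec in response_records:
        _section, owner, _rtype, _data = rec
        if secure and not in_tree(owner, queried_name):
            discarded.append(rec)
        else:
            cached.append(rec)
    return cached, discarded

# Constructed response to a query for www.example.com. The last additional record
# has nothing to do with the question and is the kind of data that pollutes a cache.
RESPONSE = [
    ("answer", "www.example.com", "A", "192.0.2.10"),
    ("authority", "example.com", "NS", "ns1.example.com"),
    ("additional", "ns1.example.com", "A", "192.0.2.53"),
    ("additional", "www.bank.example", "A", "198.51.100.66"),
]
```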
In this article, I have touched on some of the advanced configuration parameters that are available in Windows 2000 DNS. Hopefully, you now have a better understanding of the robustness of a Windows 2000 DNS server, and have a few extra tools at your disposal for managing it. Microsoft’s current implementation of DNS is quite powerful and flexible, and is worth a deeper look.
Jeremy L. Smith, CISSP, is a cybersecurity and public safety professional who has worked with a variety of agencies to improve the security of their call centers and execute their public safety initiatives more effectively, including 911 call taking, cyber security, mass notification, and more. As the former chair of the NENA Security Working Group, he helped lead the development and creation of the public safety industry's first cyber security standards, NG-SEC. He is currently the general manager of the Mass Notification Division of Airbus DS Communications, a leader in the public safety market.