What a DNS server is and what its addresses are: from theory to fine tuning. What a DNS server is, how to find out your provider's current DNS address, and how to replace it with Google Public DNS or alternative options.

DNS (the Domain Name System) is a system that matches domain names such as google.com or yandex.ru with the correct IP addresses. It is essentially a database of domain names and IP addresses: it maintains a directory of domain names and resolves them into the right IP addresses.

Domain names are the human-readable addresses we use every day. For example, Yandex's domain name is yandex.ru. If you want to visit the Yandex website, you simply enter yandex.ru into the address bar of your web browser.

But your computer does not know where “yandex.ru” is located. Behind the scenes, your computer will contact the DNS servers and ask what IP address is associated with yandex.ru.

It will then connect to that web server, download the content and display it in your web browser.

In this case, yandex.ru is located at IP address 77.88.55.70 on the Internet. You can enter this IP address in your web browser to visit the Yandex website. However, instead of 77.88.55.70 we use "yandex.ru" because it is easier to remember.

Without DNS, the entire Internet would be inaccessible. We would be back in the days before the Internet, when a computer could only be used to create documents or play offline games.

Of course, this is only a simple explanation; in reality it is a little more complicated. For more information, I recommend reading this article or watching the video below.

Different Internet Service Providers (ISPs) use different DNS servers. By default, unless you have configured specific DNS servers on your computer (or router), the default DNS servers from your ISP will be used.

If these DNS servers are unstable, you may experience problems while using the Internet on your computer: for example, websites do not load completely, or there is no Internet access at all. To avoid such DNS errors, switch to public DNS servers such as Google DNS or OpenDNS.

Here are some common DNS related errors that you can look into:

  • Fixed DNS lookup error in Google Chrome
  • How to fix Err_Connection_Timed_Out error
  • How to fix Err_Connection_Refused error
  • Fix Dns_Probe_Finished_Nxdomain Error
  • Fix DNS Server Not Responding on Windows

You can fix these errors by switching to third-party DNS servers in the list below.

Benefits of using public DNS servers

You may ask: if your ISP already provides default DNS servers, why do you need public DNS servers? Here are the reasons to use these alternative DNS servers:

  • Some default DNS servers are not fast enough and sometimes time out, which makes your Internet connection unstable. Switching to these fast DNS servers will help improve your browsing speed.
  • Using these public DNS servers will help improve stability.
  • Some third-party DNS servers have security and filtering features. These features will help you protect your computer from phishing attacks.
  • This will help you get past geographic content restrictions and web inspections. For example, you can easily watch a YouTube video when it says, “This video is not available in your country.”

List of Top 10 Public DNS Servers

Now that you know what a DNS server is and why third-party DNS servers are useful, check out the list below. This is a list of the top 10 best third-party DNS servers:

1. Google Public DNS Server


This is one of the fastest DNS servers that many users use on their computers. By using Google's DNS servers, you'll enjoy greater security and a better experience on your computer.

To use Google's public DNS servers, configure your network settings with the following IP addresses:

8.8.8.8 as preferred DNS server

8.8.4.4 as your alternate DNS server

2. OpenDNS


Apart from Google's DNS servers, OpenDNS is one of the best cloud DNS services. It helps protect your computer from malicious attacks.

To use OpenDNS, configure your network settings with the following IP addresses:

208.67.222.222

208.67.222.220

OpenDNS also offers two free solutions for private customers: OpenDNS Family Shield and OpenDNS Home.

OpenDNS Family Shield comes pre-configured to block adult content. To use it, configure your network settings with the following DNS server IP addresses instead.

Preferred DNS Server: 208.67.222.123

Alternate DNS server: 208.67.220.123

Meanwhile, OpenDNS Home comes with customizable identity theft and phishing protection.

3. Norton ConnectSafe


Norton offers more than antivirus programs and Internet security software: it also offers a DNS service called Norton ConnectSafe. This cloud DNS service helps protect your computer from phishing sites.

Norton ConnectSafe comes with three predefined content filtering policies: Security; Security + Pornography; and Security + Pornography + Other.

You can take a look at the image below for more information about each predefined policy. Visit for more information.

4. Comodo Secure DNS


Comodo Secure DNS is a domain name server service that resolves your DNS queries through multiple global DNS servers. It provides a much faster and better internet experience than using the standard DNS servers provided by your ISP.

If you want to use Comodo Secure DNS, you do not need to install any hardware or software. Simply change your primary and secondary DNS servers to 8.26.56.26 and 8.20.247.20.

5. Level 3

Level 3 is the next free DNS service on this list; it is run by Level 3 Communications. To take advantage of this free service, simply configure your network settings with the following DNS IP addresses:

209.244.0.3

208.244.0.4

Visit for more details.

6. DNS Advantage

DNS Advantage is one of the fastest DNS servers and provides excellent performance when working on the Internet. It helps you load sites faster and more securely. To use DNS Advantage, configure your preferred and alternate DNS servers as follows:

156.154.70.1

156.154.71.1

7. OpenNIC

Like the other DNS servers above, OpenNIC is a good alternative to your default DNS servers. It aims to protect your computer from government censorship and to protect your privacy. To use this DNS service, configure your preferred and alternate DNS servers as follows:

46.151.208.154

128.199.248.105

For more servers, see the list at https://servers.opennic.org.

8. Dyn

Dyn is the next free third-party DNS server on the list. It provides a great browsing experience and protects your information from most phishing attacks. To use the Dyn DNS servers, configure your network settings with the following DNS IP addresses.

216.146.35.35

216.146.36.36

9. SafeDNS

SafeDNS is another cloud-based DNS service. It helps protect your computer and also provides a better web browsing experience. To use SafeDNS, use the following DNS addresses:

195.46.39.39

195.46.39.40

About free and premium DNS services from SafeDNS.

10. DNS.Watch


DNS.Watch is the last free public DNS service on this list. It provides an uncensored, fast and reliable browsing experience for free. To configure your PC or router to use DNS.Watch, use the two DNS IP addresses below:

84.200.69.80

84.200.70.40

If you are unable to browse the web properly, you can try changing the default DNS servers on your computer or router to one of these. This can give you a better browsing experience and also protect you from possible attacks.

Don't know how to change DNS servers on Windows, Mac or Android? Just read .

Greetings! Today we will discuss all the important points about DNS servers: from what they are to setting them up and choosing an alternative DNS... Take your seats and don't forget to buckle up!

If you have any questions or have anything to add, PLEASE write in the comments to this article. You will greatly help both us and other readers!

What is DNS?

Let's start with some theory from afar. If you are not interested, skip to the chapter you need below; all the settings and choices are there. Here we will talk about the DNS phenomenon itself.

DNS – Domain Name System

Scared? Let's try to confuse it even more... that is, to unravel it. Point by point:

  1. While using the Internet, you type the name of a site into your browser window. For example, GUGL.FU (may they forgive us and also send us traffic).
  2. In networks, all addressing is done via IP addresses. That is, hardware can find routes only by numbers, for example 7.7.7.7. But it is inconvenient for users to remember these numbers (try recalling the numbers of 50 of the contacts in your phone).
  3. Here is the telephone analogy. You don't have to know the numbers, you roughly remember the names. That is, you pick a name in your phone, and the call goes to the number. It's the same on the Internet: you enter a symbolic name (a domain name), and the browser, unseen by you, goes to look for the site by its IP address.

The DNS server is responsible for converting a domain name into an IP address. It receives letters and gives back numbers.

To verify this conversion, you can ping any site:


The ya.ru domain currently has the IP address 87.250.250.242.

Servers - theory

We won't delve too deeply into the architecture of DNS servers, but for a general understanding it's worth knowing:

  1. There are many of them; there is no single correct one. As a rule, you get your provider's DNS server, but this is not always the best solution.
  2. They have a nested structure: root, countries, providers, routers (very roughly). All DNS servers inherit information from each other, and if the current one does not have something, the request is sent higher up.
  3. They have an IP address: you send your query to it, and it gives back the IP addresses of the sites you need.

As a rule, after connecting to the Internet, if you do nothing with the settings, you will receive DNS from your ISP.

How to find out the current one?

Before proceeding with the setup, you may need to find out your current DNS server. To avoid further questions, I'll show you how to do it quickly:

  1. Open the command line (there are other ways to open it, you can Google them): press Win+R (the “Run” utility opens) and enter cmd.


  2. Enter nslookup


In my case, the current DNS is 192.168.0.1. For advanced users: this is the router's address. All requests go to it, and it forwards them onward (Google DNS is currently configured on it).

Provider

You can resolve sites through your provider, but this does not always work as expected. An ordinary home user may never notice anything, but if you work very closely with the Internet, trouble can come unexpectedly. My theses about provider servers:

  1. Stability leaves much to be desired: as the saying goes, even a stick fires once a year, and here once every couple of years their servers fail and sites do not open properly. An unpleasant moment: a home user might think the Internet has gone down, while the problem lies right on the surface. For some, a failure once every couple of years is already more than enough.
  2. Territorial restrictions: a site may be blocked at the DNS level and simply stop opening. In fact, little is blocked this way nowadays, but there have been precedents.
  3. Slow zone updates (for me the most important point). Providers' servers update very slowly. The owner of a site moves it to a new server (wanting more powerful hardware) and changes the DNS settings to the new IP address, but that information may reach a user in the region only after a couple of days. Meanwhile the user keeps knocking on a non-existent address and gets an inaccessible site, a site with a broken security certificate, or a sea of other problems.

In summary, everything works, sometimes for a very long time and well, but there are disadvantages that can easily be avoided by switching to an alternative DNS.

Alternative DNS

In the Windows settings, which we will look at below, there is a field for an alternate DNS. There it simply means the backup DNS server address that is used if the main one is unavailable. In this chapter, “alternative” only means a server that is not the one issued by the provider.

Here is a table of the main current DNSs:

Service             | DNS 1                                   | DNS 2
Google Public DNS   | 8.8.8.8                                 | 8.8.4.4
                    | 2001:4860:4860::8888 (IPv6)             | 2001:4860:4860::8844 (IPv6)
OpenDNS             | 208.67.222.222                          | 208.67.220.220
Yandex              | 77.88.8.8                               | 77.88.8.1
                    | 77.88.8.88 (without scam sites)         | 77.88.8.2 (without scam sites)
                    | 77.88.8.7 (no adult sites)              | 77.88.8.3 (no adult sites)
DNS.Watch           | 82.200.69.80                            | 84.200.70.40
Norton ConnectSafe  | 198.153.192.1                           | 198.153.194.1
                    | 198.153.192.40 (secure sites only)      | 198.153.194.40 (secure sites only)
                    | 198.153.192.50 (no porn)                | 198.153.194.50 (no porn)
                    | 198.153.192.60 (full security)          | 198.153.194.60 (full security)
Level 3 DNS         | 209.244.0.3                             | 209.244.0.4
                    | 4.2.2.1                                 | 4.2.2.2
                    | 4.2.2.3                                 | 4.2.2.4
Comodo Secure DNS   | 8.26.56.26                              | 8.20.247.20
OpenNIC DNS         | Choose from the list at                 | Choose from the list at
                    | https://servers.opennic.org             | https://servers.opennic.org

I'll go through each one briefly:

  • Google Public DNS: I use it myself and recommend it until it gets banned. Works like a charm and updates quickly. The addresses are easy to remember: “eights”. There are also IPv6 versions.
  • OpenDNS is the second most popular service. I used it for a while and didn't notice much difference from Google. It works, and that's fine.
  • Yandex: as a bonus, there are additional servers with site filters, one without known phishing and fraudulent sites and one without adult sites; such sites simply will not open. A kind of parental control.
  • The rest also work. I don't see any point in describing them; it would just be padding. For home use the first one is enough, and the second if necessary. The rest is surplus for technical specialists. Unfortunately or fortunately, our WiFiGid is not for specialists.

Settings

Now I’ll show you where to insert these addresses so that everything works like an expensive Swiss watch.

  1. Go to “Network and Sharing Center” (Windows 7) or “Network and Internet Settings” (Windows 10). You can do this by right-clicking the network icon and selecting this item:


  2. Next, “Change adapter settings” (or “Configure adapter settings”):


  3. Here we look for the adapter through which we are connected to the network, right-click it, choose “Properties” and do everything as in the picture:


Here I entered the Google addresses, first and second (the first and second columns of the table above, respectively). You can do the same, or you can experiment with other services.

These actions are performed identically in Windows 7, Windows 8 and Windows 10.

This can be done on every device, including phones (see the DNS setup instructions for your model). One example:

It's better to do everything at once on the router, in the settings of its DHCP server (which hands out network settings to connected devices). Then all devices connected to it will immediately use the chosen servers. TP-Link is used as an example; look for the settings for your model via the search on our website:


Some programs, applications and mobile devices ask for a DNS Address field in their configuration; the IP addresses from the table above are suitable there too.
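The same client-side check and change from PowerShell, as an added example that is not part of the original article: it lists the DNS servers each active adapter uses (what nslookup showed above), flags any server that is not on a list you trust, and can switch an adapter to the Google addresses from the table. The allow-list, the adapter name 'Ethernet' and the 192.168.0.1 router entry are assumptions for this example; it needs Windows 8 / Server 2012 or later and an elevated prompt to change settings.

```powershell
# Added example, not code from the original article. Requires the DnsClient module
# (Windows 8 / Server 2012 and later); changing servers needs an elevated prompt.

# Servers we expect to see. Built from the table above plus the home router from the
# nslookup step; adjust to your own environment (this list is an assumption).
$KnownGoodDns = @(
    '8.8.8.8', '8.8.4.4',                    # Google Public DNS
    '208.67.222.222', '208.67.220.220',      # OpenDNS
    '77.88.8.8', '77.88.8.1',                # Yandex.DNS (basic)
    '192.168.0.1'                            # our router, which forwards to Google DNS
)

function Get-DnsAudit {
    # One object per adapter that is up: its IPv4 resolvers and any resolver that is
    # not on the allow-list. A resolver nobody configured on purpose is the classic
    # symptom of a rogue DHCP server or "DNS changer" malware, so it deserves a look.
    param([string[]]$AllowList = $KnownGoodDns)

    Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | ForEach-Object {
        $cfg = Get-DnsClientServerAddress -InterfaceIndex $_.ifIndex -AddressFamily IPv4
        $servers = @($cfg.ServerAddresses)
        [pscustomobject]@{
            Adapter = $_.Name
            Servers = $servers -join ', '
            Unknown = ($servers | Where-Object { $_ -notin $AllowList }) -join ', '
        }
    }
}

function Set-PublicDns {
    # Points one adapter at a preferred/alternate pair, flushes the local resolver
    # cache and checks that the new preferred server really answers. To go back to
    # the DHCP-assigned servers later: Set-DnsClientServerAddress -InterfaceAlias X -ResetServerAddresses
    param(
        [Parameter(Mandatory)][string]$InterfaceAlias,
        [string[]]$Servers = @('8.8.8.8', '8.8.4.4'),   # first and second column of the table
        [string]$TestName = 'ya.ru'
    )
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $Servers
    Clear-DnsClientCache
    # -DnsOnly bypasses the hosts file and cache, so the answer comes from $Servers[0].
    Resolve-DnsName -Name $TestName -Type A -Server $Servers[0] -DnsOnly |
        Select-Object Name, IPAddress
}

Get-DnsAudit | Format-Table -AutoSize
# Set-PublicDns -InterfaceAlias 'Ethernet'   # uncomment to apply; take the name from the audit output
```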

Possible mistakes

It is impossible to list every possible DNS-related error here; you can search for them by name on our website, where we have covered the main ones. But the essence of solving any of them is very simple:

  1. Reboot the router and the computer, laptop or phone so that they try to obtain network settings again.
  2. While everything is rebooting, check the cables to make sure nothing is damaged or disconnected.
  3. If that doesn't help, enter the DNS addresses manually as in the section above.
  4. If this doesn't help either, the error is somewhere on the provider's side or on the site itself (that same possible server move). If nothing opens at all, try temporarily disabling antivirus, firewalls, proxies, VPNs and other software that uses the network, just in case.

If everything is really bad and you haven’t found anything, write a comment below!

Want to quickly test your system administrator's knowledge? Ask them for the Google Public DNS IP address. Any self-respecting system administrator will answer “8.8.8.8”, and an advanced one will add “... and 8.8.4.4”.

What is DNS?

DNS is an acronym for Domain Name System: a system that matches a domain name with a host's IP address. Knowing the host name, you can get its address, and vice versa. What is it for? The Internet is designed so that each device (computer, phone, tablet, router) has its own unique address (in fact, addresses can repeat across different LANs, but in this article we are talking about the global network and will not go into the details of NAT, PAT and routing), and you can reach a device only if you know its address on the network. Working on the Internet, we access dozens of sites every day. It would be hard to remember all their addresses as sequences of numbers and dots. Which is easier to remember, 77.222.61.238 or integrus.compumur.ru? Of course the second. The domain name system remembers the address for you.

DNS is available on every computer, on every network and at every provider. In addition, it is hierarchical: when a DNS server cannot determine the address of the requested resource from the domain name, it passes the request to a higher-level DNS server. The request can be passed all the way up to one of the 13 “world's most important” root DNS servers.

How to install a DNS server?

A server can perform various functions: it can act as a global catalog, store files, work with databases and serve several users at once. Depending on the purpose of the server, roles are installed on it: special sets of programs that allow the server to perform the necessary functions.

How do you install the DNS Server role? We will perform the installation on Windows Server 2012 R2.

Most often, the DNS Server role is installed together with a domain controller. But if you cleared the “DNS Server” checkbox during the Active Directory installation, or AD is simply not needed, then you need to install the DNS server on its own. To do this, open Server Manager and click “Add Roles and Features”.

The Add Roles and Features Wizard window opens. Read the wizard's introductory text and click Next.

Make sure Install Roles and Features is selected and click Next.

Select a server from the server pool. In our case there is only one server, you may have more.

Select the DNS Server role.

When you check the box, a window appears offering to add the components required to manage the installed role. If you are going to administer the DNS server from another server, you can skip adding these components.

Back in the window with DNS Server checked, click Next, then Next, and Next again until the Install button becomes active.

Click the "Install" button.

The installation will begin.

After the installation completes (it takes less than 5 minutes), the message “Installation completed on YourServerName” appears. You can click “Close”. A new “DNS” entry now appears in the Server Manager dashboard and in the Start menu. Clicking it launches DNS Manager.

It looks like this.

At this moment no zones are configured on the DNS server. Such a server is called a caching server. Zones are the parts of the namespace for which the server is responsible. Forward lookup zones resolve a name to an IP address. A reverse lookup zone, on the other hand, maps an IP address to a name.

Let's create a forward lookup zone and perform its basic setup.

To do this, right-click “Forward Lookup Zones” and then “New Zone”.

The “New Zone Wizard” window opens; click “Next”. The zone type selection window opens. If you do not have another DNS server, select “Primary zone” and click “Next”.

In the next window you need to specify the zone name. It is recommended to use your domain. In our case, the name would be: . Click “Next”.

In the next window, select the dynamic update type. It is recommended to allow dynamic updates, but only if the DNS server will be used exclusively on your local network. Otherwise this setting carries security risks, which the New Zone Wizard will warn you about.

Click “Next” and “Finish”. The forward lookup zone has been created; let's perform its simple configuration. A lookup zone is configured by adding DNS records to it. There are several types of DNS records. Let's look at the main ones:

  • A record. Maps a host name to an IPv4 address.
  • AAAA record. Maps a host name to an IPv6 address.
  • CNAME record. An alias, used to redirect to another name.
  • MX record. Mail record, points to the mail servers.
  • NS record. Points to the domain's DNS server.

Let's create an A record for our new forward lookup zone. To do this, right-click on the zone and select the appropriate context menu item, as shown in the figure.

In the “New Host” window that opens, enter the host name, for example GateWay, and its IP address, for example 192.168.0.1. Click “Add Host”.

Ready! The entry has been successfully created!
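The same procedure from PowerShell on Windows Server 2012 R2 or later, as an added example that is not from the original article: install the role, create the file-backed forward lookup zone, add the GateWay record and verify it. The zone name lab.example is a placeholder, since the article leaves its own zone name out.

```powershell
# Added example, not code from the original article. Run in an elevated PowerShell
# on Windows Server 2012 R2 or later. 'lab.example' is a placeholder zone name.

# 1. Install the DNS Server role together with the DNS Manager console.
Install-WindowsFeature -Name DNS -IncludeManagementTools
Import-Module DnsServer

$ZoneName = 'lab.example'   # placeholder; the article does not give its own zone name

# 2. Create a standard (file-backed) primary forward lookup zone. The file is written to
#    %systemroot%\System32\Dns. Dynamic updates stay off: on a server that is not a
#    domain controller the only alternative is "nonsecure", which lets any host on the
#    network register or overwrite names, which is the risk the New Zone Wizard warns about.
if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ZoneName -ZoneFile "$ZoneName.dns" -DynamicUpdate None
}

# 3. Add the host (A) record, the equivalent of the "New Host" dialog above.
Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name 'GateWay' -IPv4Address '192.168.0.1'

# 4. Verify. The zone now holds the automatically created SOA and NS records plus our A record...
Get-DnsServerResourceRecord -ZoneName $ZoneName | Format-Table HostName, RecordType, TimeToLive

# ...and the local server answers authoritatively for the new name.
Resolve-DnsName -Name "GateWay.$ZoneName" -Type A -Server 127.0.0.1 | Select-Object Name, IPAddress

# Optional: if this server only needs to answer for its own zones, turn off recursion so it
# cannot be used as an open resolver by anyone who can reach port 53.
# Set-DnsServerRecursion -Enable $false
```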

In this article we tried to explain, in language understandable to an ordinary person without deep IT knowledge, what DNS is and how to install the DNS Server role on Windows Server 2012; we got acquainted with the main record types and showed in pictures how these records are created. And if all of the above seemed difficult to you, our specialists will set up a server for you in less than an hour.

A zone is a database containing authoritative information about a region of the DNS namespace. When you install a DNS server together with a domain controller, a DNS zone is automatically created to support the Active Directory domain. If the DNS server role was installed on its own, on a domain controller, a domain member server or a standalone server, zones must be created and configured manually.

This lesson describes how to create and configure a zone and provides the information needed to configure a zone correctly.

Creating zones

A DNS zone is a database containing records that associate names with addresses in the described region of the DNS namespace. Although a DNS server can use cached information from other servers to answer name queries, it is authoritative only for the locally managed area. For any scope of the DNS namespace represented by a domain name (for example, google.ru), there is only one authoritative source of zone data.

To create a new zone on the DNS server, use the New Zone Wizard in DNS Manager. To launch the wizard, right-click the server icon in the DNS Manager console tree and choose New Zone.

The New Zone Wizard contains the following configuration pages:

  • Zone Type;
  • Active Directory Zone Replication Scope;
  • Forward or Reverse Lookup Zone;
  • Zone Name;
  • Dynamic Update.

The following sections describe the configuration concepts associated with these five wizard pages.

Selecting a zone type

On the Zone Type page of the New Zone Wizard, you can choose to create a primary zone, a secondary zone, or a stub zone. By creating a primary or stub zone on a domain controller, you can store zone data in Active Directory.

* Primary zones

The most common type of DNS zone is the primary zone. It provides the read/write source data that gives the local DNS server authority to answer DNS queries for a scope of the DNS namespace.

The local DNS server that manages the primary zone serves as the primary source of data about that zone. The server stores the master copy of the zone data in a local file or in Active Directory Domain Services (AD DS). If the zone is stored in a file rather than in Active Directory, the default file name is zone_name.dns, and the file is kept in the %systemroot%\System32\Dns folder on the server.

* Secondary zones

A secondary zone provides an authoritative, read-only copy of a primary zone or of another secondary zone.

Secondary zones provide the ability to reduce the amount of DNS query traffic in areas of the network where zone data is heavily queried and used. Additionally, if the server that manages the primary zone is unavailable, the secondary zone can provide name resolution until the primary server becomes available again.

The source zones from which secondary zones receive their information are called master zones, and the copying procedures that keep zone information up to date are called zone transfers. A master zone can be a primary zone or another secondary zone. The master zone is specified for the new secondary zone in the New Zone Wizard. Because a secondary zone is a copy of a zone managed by another server, it cannot be stored in Active Directory.

* Stub zones

A stub zone is similar to a secondary zone, but it contains only the resource records needed to identify the authoritative DNS servers of the master zone. Stub zones are often used so that a parent zone (for example, google.ru) keeps an up-to-date list of the name servers available in a delegated child zone (for example, translate.google.ru). They also improve name resolution and simplify DNS administration.

* Storing zones in Active Directory

When you create a primary zone or a stub zone on a domain controller, the Zone Type page of the wizard lets you choose to store the zone in Active Directory. Active Directory-integrated zone data is replicated automatically by Active Directory according to the settings chosen on the Active Directory Zone Replication Scope page. With this option there is no need to configure zone transfers to secondary servers.

Integrating a DNS zone into Active Directory provides several benefits. First, because Active Directory performs the zone replication, there is no need to configure a separate zone transfer mechanism between primary and secondary servers. Multimaster replication automatically provides fault tolerance and better performance, since several read/write primary servers are available. Second, Active Directory can update and replicate individual resource record properties between DNS servers; because fewer complete resource records have to be transferred, the network load of zone updates is reduced. Finally, Active Directory-integrated zones also offer optional secure dynamic updates, which can be configured on the Dynamic Update page of the New Zone Wizard.

NOTE: Read-only domain controllers and zones integrated with Active Directory

On traditional domain controllers, a copy of the zone is granted read/write permission. On read-only domain controllers (RODCs), the zone copy is assigned read-only permission.

* Standard zones

When you create a zone on a domain controller, the option to save the zone in Active Directory on the Zone Type page is selected by default. However, you can clear this checkbox and create a so-called standard zone. On a server that is not a domain controller, you can only create standard zones, and the checkbox on this page is grayed out.

Unlike an Active Directory-integrated zone, a standard zone stores its data in a text file on the local DNS server. Additionally, with standard zones only one copy, the primary, has read/write permission on the zone data. All other copies of the zone (secondary zones) are read-only.

The standard zone model therefore has a single point of failure for the writable version of the zone. If the primary zone is unavailable on the network, no changes can be made to the zone. However, queries for names in the zone can still be answered as long as secondary zones are available.

Selecting the Active Directory zone replication scope

On the Active Directory Zone Replication Scope page of the New Zone Wizard, you select the domain controllers on your network on which the zone data will be stored. This page appears only when you choose to store the zone in Active Directory. The replication scope options determine the domain controllers among which the zone data is replicated.

This page provides the following options:

  • Store the zone on all domain controllers that are also DNS servers in the entire Active Directory forest;
  • Store the zone on all domain controllers that are also DNS servers in the local Active Directory domain;
  • Store the zone on all domain controllers in the local Active Directory domain (used for compatibility with Windows 2000);
  • Store the zone on all domain controllers specified in the scope of a custom Active Directory directory partition.

These options are described in more detail in the second topic.

Creating Forward and Reverse Lookup Zones

On the Forward or Reverse Lookup Zone page of the New Zone Wizard, you select the type of zone to create: Forward Lookup Zone or Reverse Lookup Zone.

In forward lookup zones, DNS servers map FQDNs to IP addresses. In reverse lookup zones, DNS servers map IP addresses to FQDNs. Thus, forward lookup zones answer requests to resolve FQDNs to IP addresses, and reverse lookup zones answer requests to resolve IP addresses to FQDNs. Note that forward lookup zones are named after the DNS domain names for which they perform name resolution, for example google.com. Reverse lookup zones are named after the first three octets of the address space for which name resolution is provided, written in reverse order, plus the in-addr.arpa suffix. For example, if you resolve names for the 192.168.1.0/24 subnet, the reverse lookup zone is named 1.168.192.in-addr.arpa. In a forward lookup zone, the individual database record that maps a host name to an address is called a host (A) record. In a reverse lookup zone, the individual database record that maps an IP address to a host name is called a pointer or PTR record.

The operating principle of forward and reverse lookups is demonstrated in the figure.

Figure: Forward Lookup Zone; Reverse Lookup Zone

NOTE: DNS Server Setup Wizard

You can use the Configure A DNS Server Wizard to create forward and reverse lookup zones simultaneously. To start the wizard, in the DNS Manager console tree, right-click the server icon and choose Configure A DNS Server.

Selecting a zone name

On the Zone Name page of the New Zone Wizard, you can select a name for the forward lookup zone to be created. Reverse lookup zones are given special names based on the range of IP addresses for which they are authoritative.

If you are creating a zone for name resolution in an Active Directory domain, it is best to specify a zone name that matches the Active Directory domain name. For example, if an organization contains two Active Directory domains named google.ru and translate.google.ru, the name resolution infrastructure must include two zones named after those domain names.

If you are creating a zone for a DNS namespace outside an Active Directory environment, specify the organization's Internet domain name, such as wikipedia.org.

NOTE: Adding a DNS server to a domain controller

When you add a DNS server to an existing domain controller, you typically add a copy of the primary zone to provide name resolution for the local Active Directory domain. To do this, simply create a zone whose name matches the name of an existing zone in the local Active Directory domain. The new zone will be populated with data from the other DNS servers in the domain.

Configuring dynamic update settings

DNS client computers can register and dynamically update their resource records on a DNS server. By default, DNS clients with static IP addresses update both host (A or AAAA) and pointer (PTR) records, while DNS clients that are DHCP clients update only host records. In a workgroup environment, the DHCP server updates pointer records on behalf of the DHCP client whenever the IP configuration is renewed.

For dynamic DNS updates to succeed, the zone in which clients register or update records must be configured to accept dynamic updates. There are two types of dynamic update:

Secure updates

Allows you to perform registration only from computers in the Active Directory domain and update only from the computer that initially performed the registration.

Nonsecure updates

Allows you to update from any computer.

On the Dynamic Update page of the New Zone Wizard, you can allow secure dynamic updates, allow nonsecure dynamic updates, or disable updates altogether for the zone you are creating.

Analyzing Built-in Resource Records

When you create a new zone, two types of records are automatically created. First, such a zone always includes an initial SOA (Start Of Authority) zone record that defines the basic properties of the zone. In addition, new zones contain at least one NS (Name Server) record that specifies the name of the zone's authoritative server(s). The following describes the functions of these two resource records.

Start of Authority (SOA) records

When loading a zone, the DNS server uses the zone's SOA (Start Of Authority) record to determine the basic properties of the zone and the servers that are authoritative for it. These parameters also govern the frequency of zone transfers between the primary and secondary servers. Double-clicking an SOA record opens the Start Of Authority (SOA) tab of the zone properties dialog box.

Serial Number

This text field on the Start Of Authority (SOA) tab contains the revision number of the zone file. The number increases each time the resource records in the zone change. It can also be increased manually using the Increment button.

If zones are configured to perform zone transfers to one or more secondary servers, those secondary servers periodically query the primary server for the zone's serial number. These queries are called SOA queries. If the SOA query returns a primary zone serial number equal to the secondary zone's serial number, no transfer is performed. If the zone serial number on the primary server is greater than the corresponding value on the requesting secondary server, the latter initiates a zone transfer.

NOTE: Triggering a zone transfer from the primary server

Clicking the Increment button initiates zone transfer.

Primary Server

Responsible Person

This field is where you enter the Responsible Person (RP) name that corresponds to the zone administrator's domain mailbox. The name entered in this field must always end with a period. The default name is hostmaster.

Refresh Interval

The value in this field determines how long the secondary DNS server waits before requesting a zone refresh from the primary server. After the refresh interval expires, the secondary DNS server requests a copy of the current SOA record from the primary server. On receiving the response, the secondary DNS server compares the serial number of the primary server's current SOA record (specified in the response) with the serial number of its local SOA record. If these values differ, the secondary DNS server requests a zone transfer from the primary DNS server. The default refresh interval is 15 minutes.

Retry Interval

Expires After

The value in this field determines how long the secondary server continues to answer DNS client queries without successfully contacting the primary server. After this time, the data is considered unreliable. By default, this setting is one day.

Minimum (Default) TTL

TTL values do not apply to resource records within their authoritative zones; instead, the TTL is the time for which non-authoritative servers may keep a resource record in their cache. A DNS server that cached a resource record from a previous query discards that record once its TTL has expired.

TTL For This Record

The value specified in this field determines the lifetime of the current SOA record. This value overrides the default value specified in the previous field.
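How a secondary server acts on these SOA fields, as an added Python example written for this article rather than taken from it or from the Windows DNS server: it compares serial numbers the way the SOA query described above does, classifies the secondary's copy of the zone by the refresh and expire intervals, and computes when the next SOA query is due. The refresh (15 minutes) and expire (1 day) defaults are the ones stated above; the retry value is an assumed sample, and the serial comparison uses RFC 1982 wrap-around arithmetic, which generalises the plain greater-than comparison in the text.

```python
# Added example, not part of the original article or of the Windows DNS server:
# how a secondary DNS server uses the SOA fields (serial, refresh, retry, expire)
# to decide whether its copy of the zone is current and whether to request a
# zone transfer. Refresh and expire defaults are the ones stated on the page;
# the retry value is a constructed sample.
from dataclasses import dataclass
from typing import Optional

SERIAL_MOD = 1 << 32


@dataclass(frozen=True)
class SoaTimers:
    refresh: int  # seconds between SOA checks against the primary
    retry: int    # seconds to wait after a failed check before trying again
    expire: int   # seconds after which an unrefreshed copy must stop answering


# Page defaults for refresh and expire; retry is an assumed sample value.
DEFAULT_TIMERS = SoaTimers(refresh=15 * 60, retry=10 * 60, expire=24 * 60 * 60)


def serial_is_newer(primary_serial: int, local_serial: int) -> bool:
    """True if the primary's serial is 'greater' than the local copy's.

    Uses RFC 1982 serial-number arithmetic (32-bit wrap-around), so a serial
    that wrapped past 2^32 - 1 back to a small value is still seen as newer.
    """
    diff = (primary_serial - local_serial) % SERIAL_MOD
    return 0 < diff < SERIAL_MOD // 2


def needs_transfer(primary_serial: int, local_serial: int) -> bool:
    """Decision taken after an SOA query: equal serials mean no transfer."""
    return serial_is_newer(primary_serial, local_serial)


def zone_state(now: int, last_success: int, timers: SoaTimers = DEFAULT_TIMERS) -> str:
    """Classify the secondary's copy of the zone at time `now` (seconds).

    current     - younger than the refresh interval, no SOA query needed yet
    refresh-due - the secondary keeps answering clients but must query the primary
    expired     - the expire interval passed without a successful refresh; the
                  data is unreliable and the secondary must stop answering
    """
    age = now - last_success
    if age < timers.refresh:
        return "current"
    if age < timers.expire:
        return "refresh-due"
    return "expired"


def next_check(last_success: int, last_failed_attempt: Optional[int],
               timers: SoaTimers = DEFAULT_TIMERS) -> int:
    """When the secondary should next send an SOA query to the primary:
    refresh after a success, retry after a failed attempt."""
    if last_failed_attempt is None:
        return last_success + timers.refresh
    return last_failed_attempt + timers.retry
```

The "expired" state is the security-relevant one: a secondary that has lost contact with its primary for longer than Expires After must stop serving the zone rather than keep handing out data that may be stale.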

Name server (NS) records

The name server (NS) record specifies the authoritative server for the zone. When you create a zone in Windows Server 2008, each server that manages a primary copy of an Active Directory-integrated zone will receive its own NS record in the new zone by default. When you create a standard primary zone, the local server NS record will be added by default.

For servers that host secondary zones, you must manually add NS records to the primary copy of the zone.

NS records are created using a procedure different from that for other resource record types. To add NS records, in DNS Manager, double-click any existing NS record. The Name Servers tab of the zone properties dialog box opens. On the Name Servers tab, click the Add button to add the FQDN and IP address of the server that hosts a secondary copy of the local primary zone. After adding the new server, click OK; a new NS record for that server appears in DNS Manager.

NOTE: Enabling zone transfers to secondary zones

The secondary server is not recognized as a valid name server until it holds a valid copy of the zone data. For the secondary zone to receive this data, zone transfers must be enabled for that server on the Zone Transfers tab of the zone properties dialog box. This tab is described in more detail in the next topic.

Below is an example of an entry created in a standard zone file:

@ NS dns1.lucernepublishing.com.

The @ symbol represents the zone defined by the SOA record in the zone file. The full record therefore maps the zone's domain name to the DNS server dns1.lucernepublishing.com.

Creating Resource Records

In addition to the SOA and NS records, several other resource records are automatically created. For example, during the installation of a new DNS server, when the server is designated as a domain controller, many Active Directory Domain Services (AD DS) SRV records are created automatically in the locally managed zone. In addition, through dynamic updating, many DNS clients automatically register host (A and AAAA) and pointer (PTR) records in the zone by default.

Although many resource records are created automatically, enterprise environments typically require some resource records to be created manually, such as mail exchanger (MX) records for mail servers, alias (CNAME) records for web and application servers, and host records for servers and clients that cannot perform their own updates.

To add a resource record to a zone manually, in the DNS Manager console, right-click the zone icon and, from the context menu, select the type of record to create.

After you select a record type from the context menu, a dialog box opens where you specify the record name and the computer associated with it. Note that only host records associate a computer name with an IP address. Most other record types associate a service name or alias with an existing host record. Thus, for example, an MX record relies on the presence of the host record SRV12.nwtraders.msft in the zone.

Record types

The following are common resource records that are created manually:

host (A or AAAA);

alias (CNAME);

mail exchanger (MX);

pointer (PTR);

service location (SRV).

Host (A or AAAA)

For most networks, the bulk of the resource records in the zone database are host resource records. These records are used in a zone to associate computer names (hostnames) with IP addresses.

Even with dynamic updates enabled for zones, some host record scenarios require you to add records to the zone manually. In the figure below, Contoso, Inc. uses the domain name contoso.com both in the public namespace and for its internal Active Directory domain. In this case, the public web server www.contoso.com is located outside the Active Directory domain and updates only the public authoritative DNS server for contoso.com, whereas internal clients send their DNS queries to internal DNS servers. Because the www.contoso.com A record is not dynamically updated on the internal DNS servers, it is added manually so that internal clients can resolve the name and connect to the public web server.

Host records may also have to be added manually if the network includes a UNIX server. For example, Fabrikam, Inc. has one Active Directory domain in its private network, named fabrikam.com. This network also includes a UNIX server, App1.fabrikam.com, which runs applications critical to the company's daily operations. Since UNIX servers cannot perform dynamic updates, you have to add the host record for the App1 server manually on the DNS server that hosts the fabrikam.com zone. Otherwise, users will not be able to connect to the application server by its FQDN.

Alias (CNAME)

These records are sometimes called canonical name records. They allow multiple names to refer to a single host. For example, well-known server names (ftp, www) are typically registered using CNAME records. These records map the host names corresponding to those services to the actual host (A) record of the computer that hosts the service. CNAME records are useful in the following cases:

When you want to rename a host specified in an A record in the same zone.

When a well-known server's generic name (e.g. www) needs to resolve to a group of individual computers (each with its own A record) that provide the same service (e.g. a group of redundant web servers).

Mail exchanger (MX)

These records are used by e-mail applications to locate the mail server in a zone. They map the domain name specified in an e-mail address to the host (A) record of the computer that hosts the mail server for the domain. Thus, this record type allows the DNS server to handle e-mail addresses that do not name a mail server.

Often MX records are created to provide failover to another mail server in case the preferred server is unavailable.

Multiple servers are assigned preference values. The lower this value, the higher the server's preference order.
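The zone-file text shown with the NS record above ("@ NS dns1.lucernepublishing.com.") and the MX preference ordering just described can both be handled by a small parser. The following Python code is an added example written for this article, not code from the original or from any Microsoft tool: it parses one-record-per-line zone text, expands "@" and relative names against the zone origin, and orders MX targets by preference (lowest value first). The zone contents, the example.test names and the 192.0.2.x addresses are constructed samples.

```python
# Added example, not part of the original article: a minimal parser for the
# text zone-file records shown on the page (NS, A, CNAME, MX, PTR, SRV), plus
# the MX preference ordering described above. Zone content is constructed.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Record:
    owner: str     # fully qualified owner name (with trailing dot)
    rtype: str     # A, AAAA, NS, CNAME, MX, PTR or SRV
    rdata: Tuple   # parsed fields; names inside are fully qualified


# Which rdata positions hold domain names (to qualify) or integers, per type.
NAME_FIELDS = {"NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,), "SRV": (3,)}
INT_FIELDS = {"MX": (0,), "SRV": (0, 1, 2)}


def qualify(name: str, origin: str) -> str:
    """'@' is the zone origin, names ending in '.' are absolute, others are relative."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text: str, origin: str) -> List[Record]:
    if not origin.endswith("."):
        origin += "."
    records: List[Record] = []
    last_owner = origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":                # directive: change the origin
            origin = qualify(fields[1], origin)
            continue
        if line[0].isspace():                     # blank owner column: reuse previous owner
            owner = last_owner
        else:
            owner = qualify(fields.pop(0), origin)
        last_owner = owner
        if fields and fields[0].isdigit():        # optional TTL
            fields.pop(0)
        if fields and fields[0].upper() == "IN":  # optional class
            fields.pop(0)
        rtype = fields.pop(0).upper()
        rdata = []
        for i, f in enumerate(fields):
            if i in NAME_FIELDS.get(rtype, ()):
                rdata.append(qualify(f, origin))
            elif i in INT_FIELDS.get(rtype, ()):
                rdata.append(int(f))
            else:
                rdata.append(f)
        records.append(Record(owner, rtype, tuple(rdata)))
    return records


def mail_exchangers(records: List[Record], domain: str) -> List[Tuple[int, str]]:
    """MX hosts for `domain`, lowest preference value (most preferred) first."""
    mx = [(r.rdata[0], r.rdata[1]) for r in records
          if r.rtype == "MX" and r.owner == domain]
    return sorted(mx)


def lookup(records: List[Record], name: str, rtype: str) -> List[Tuple]:
    return [r.rdata for r in records if r.owner == name and r.rtype == rtype]


# Constructed sample zones (names use the reserved .test TLD).
FORWARD_ZONE = """
@        IN  NS    dns1.example.test.
@        IN  MX    20 mail2
@        IN  MX    10 mail1.example.test.
dns1     IN  A     192.0.2.1
mail1    IN  A     192.0.2.10
mail2    IN  A     192.0.2.11
www      IN  CNAME mail1          ; alias pointing at the host record
_ldap._tcp   SRV   0 100 389 dc1  ; priority 0, weight 100, port 389
dc1      IN  A     192.0.2.5
"""

REVERSE_ZONE = """
$ORIGIN 0.168.192.in-addr.arpa.
@   IN  NS   dns1.example.test.
99  IN  PTR  server1.example.test.
"""

if __name__ == "__main__":
    fwd = parse_zone(FORWARD_ZONE, "example.test")
    print(mail_exchangers(fwd, "example.test."))
    rev = parse_zone(REVERSE_ZONE, "0.168.192.in-addr.arpa")
    print(lookup(rev, "99.0.168.192.in-addr.arpa.", "PTR"))
```

A name that lacks its trailing dot is relative to the origin, which is why a forgotten dot in a zone file silently produces names like dns1.example.test.example.test.; the parser reproduces that behaviour rather than hiding it, so it can be used to audit a zone file for exactly this mistake.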

NOTE: The @ symbol

In this example, the @ symbol represents the local domain name contained in the email address.

Pointer (PTR)

This record is used only in reverse lookup zones to support the reverse lookup that occurs when resolving IP addresses to host names or FQDNs. Reverse lookups are performed in zones rooted in the in-addr.arpa domain. PTR records can be added to zones manually or automatically.

Below is an example of the text representation in a zone file of a PTR record created in DNS Manager that maps the IP address 192.168.0.99 to the host name server1.google.ru:

99 PTR server1.google.ru.

NOTE: The 99 PTR record

In the reverse lookup zone, the last octet of the IPv4 address serves as the host name. Therefore, the number 99 represents the name assigned to the host inside the 0.168.192.in-addr.arpa zone. This zone corresponds to the 192.168.0.0 subnet.
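The naming rule above (reverse the octets, append in-addr.arpa, and use the remaining octet as the owner name inside the zone) is easy to get wrong by hand. The following Python code is an added example written for this article, not code from the original or from the Windows DNS server: it derives the reverse zone name and the PTR owner name with the standard ipaddress module, and also goes beyond the /24 case in the text to other octet-aligned IPv4 prefixes and to the IPv6 ip6.arpa namespace. The host names are constructed samples.

```python
# Added example, not part of the original article: deriving reverse lookup
# zone names and PTR owner names, for IPv4 (in-addr.arpa) and IPv6 (ip6.arpa).
# Host names used in the checks are constructed samples.
import ipaddress
from typing import Tuple, Union


def reverse_zone_and_owner(addr: str, prefix_len: int) -> Tuple[str, str]:
    """Split the reverse-pointer name of `addr` into (zone, owner inside the zone)
    for a reverse lookup zone covering the /prefix_len network containing `addr`.
    IPv4 zones must sit on an octet boundary, IPv6 zones on a nibble boundary."""
    ip = ipaddress.ip_address(addr)
    labels = ip.reverse_pointer.split(".")  # e.g. ['99','0','168','192','in-addr','arpa']
    if ip.version == 4:
        if prefix_len % 8 or not 8 <= prefix_len <= 24:
            raise ValueError("IPv4 reverse zones must be /8, /16 or /24")
        host_labels = 4 - prefix_len // 8
    else:
        if prefix_len % 4 or not 4 <= prefix_len <= 124:
            raise ValueError("IPv6 reverse zones must be on a nibble boundary")
        host_labels = 32 - prefix_len // 4
    owner = ".".join(labels[:host_labels])
    zone = ".".join(labels[host_labels:])
    return zone, owner


def ptr_zone_line(addr: str, prefix_len: int, hostname: str) -> str:
    """Text form of the PTR record as it appears in the reverse zone file."""
    _, owner = reverse_zone_and_owner(addr, prefix_len)
    if not hostname.endswith("."):
        hostname += "."          # rdata must be fully qualified, as in the page's example
    return f"{owner} PTR {hostname}"


def address_from_reverse_name(name: str) -> Union[ipaddress.IPv4Address, ipaddress.IPv6Address]:
    """Inverse operation: turn a full PTR owner name back into an IP address.
    Useful when auditing a reverse zone for records that do not match their owner."""
    labels = name.rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        if len(labels) != 6:
            raise ValueError("in-addr.arpa name must contain four octets")
        return ipaddress.ip_address(".".join(reversed(labels[:-2])))
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = "".join(reversed(labels[:-2]))
        if len(nibbles) != 32:
            raise ValueError("ip6.arpa name must contain 32 nibbles")
        return ipaddress.ip_address(":".join(nibbles[i:i + 4] for i in range(0, 32, 4)))
    raise ValueError("not a reverse-mapping name")


if __name__ == "__main__":
    print(reverse_zone_and_owner("192.168.0.99", 24))   # ('0.168.192.in-addr.arpa', '99')
    print(ptr_zone_line("192.168.0.99", 24, "server1.example.test"))
    print(reverse_zone_and_owner("2001:db8::1", 48))
```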

Service location (SRV)

SRV records are used to indicate the location of services in a domain. Client applications that support SRV can retrieve the SRV records of application servers through DNS.

One application that uses SRV records is Active Directory in Windows Server 2008. The Netlogon service uses SRV records to locate domain controllers by querying for the Lightweight Directory Access Protocol (LDAP) service in the Active Directory domain. DNS to improve fault tolerance or troubleshoot network services.

Enabling WINS lookup in DNS

On the WINS tab of the zone properties dialog box, you can specify the WINS server that the DNS Server service contacts to look up names that are not found by DNS queries. When you specify a WINS server on the WINS tab of the forward lookup zone properties dialog box, a special WINS record that references that WINS server is added to the zone. When you specify a WINS server on the WINS tab of the reverse lookup zone properties dialog box, a special WINS-R record that identifies that WINS server is added to the zone.

For example, if a DNS client queries for the name ClientZ.contoso.com and the preferred DNS server cannot find the answer from its normal sources (cache, local zone data, and querying other servers), the server queries the WINS server specified in the WINS record for the name CLIENTZ. If the WINS server responds to the query, the DNS server returns that answer to the client.

Aging and scavenging of stale records

Timestamps are used in DNS to track the age of dynamically registered resource records. Scavenging is the process of removing stale records based on their timestamps. Scavenging can only be performed if timestamps are used. Timestamps and scavenging work together to remove old records that may have accumulated in a zone over time. By default, timestamps and scavenging are disabled.

Enabling scavenging

To enable scavenging for an individual zone, you must enable the feature at both the server level and the zone level.

To enable server-level scavenging, in the DNS Manager console tree, right-click the server icon and use the Set Aging/Scavenging For All Zones command. Then, in the Server Aging/Scavenging Properties dialog box that opens, select the Scavenge Stale Resource Records check box. Although this setting enables server-level timestamping and scavenging for all new zones, it does not enable timestamping and scavenging for existing Active Directory-integrated zones.

To enable them, click OK, and then in the Server Aging/Scavenging Confirmation dialog box that opens, select the check box to apply these settings to existing Active Directory-integrated zones.

To enable timestamps and scavenging at the zone level, open the zone properties and, on the General tab, click the Aging button. In the Zone Aging/Scavenging Properties dialog box that opens, select the Scavenge Stale Resource Records check box.

Timestamps

The DNS server performs scavenging by using the timestamps set on the resource records in the zone. Active Directory-integrated zones set timestamp values for dynamically registered records by default, even before scavenging is enabled. Standard primary zones, however, set timestamps for dynamically registered records only after scavenging is enabled. Resource records created manually, in all zone types, are assigned a timestamp of 0; this means that they do not age.

Blocking interval (no-refresh interval)

The blocking interval is the time between the latest refresh of a record's timestamp and the earliest moment it can be refreshed again. Blocking prevents the server from processing unnecessary updates and reduces the amount of traffic. The default blocking interval is 7 days.

Refresh interval

The refresh interval is the time between the earliest moment a record's timestamp can be refreshed and the earliest moment the record can be scavenged. Once both the blocking interval and the refresh interval have elapsed, records may be removed from the zone. By default, this interval is 7 days. Therefore, if timestamps are enabled, dynamically registered resource records may be deleted after 14 days.
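The aging arithmetic above (a timestamp that is frozen during the blocking interval, refreshed afterwards, and scavenged once blocking plus refresh have both elapsed) is modelled below. This Python code is an added example written for this article, not code from the original or from the Windows DNS server; it uses the 7-day defaults stated above, models manually created records as having no timestamp so they never age, and uses constructed record names and a constructed timeline.

```python
# Added example, not part of the original article: the aging and scavenging
# arithmetic described above, applied to dynamically registered records.
# Both intervals use the 7-day defaults stated on the page; names and the
# timeline are constructed samples.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

NO_REFRESH_INTERVAL = timedelta(days=7)   # the "blocking" interval in the text
REFRESH_INTERVAL = timedelta(days=7)

BASE_TIME = datetime(2024, 1, 1)          # constructed reference point


def day(n: int) -> datetime:
    """Constructed timeline helper: n days after BASE_TIME."""
    return BASE_TIME + timedelta(days=n)


@dataclass
class ZoneRecord:
    name: str
    rdata: str
    # None models the timestamp of 0 given to manually created records: they never age.
    timestamp: Optional[datetime] = None


def can_refresh(rec: ZoneRecord, now: datetime) -> bool:
    """A dynamic update may advance the timestamp only once the blocking interval
    has passed; earlier updates are accepted but leave the timestamp untouched."""
    return rec.timestamp is not None and now >= rec.timestamp + NO_REFRESH_INTERVAL


def dynamic_update(zone: Dict[str, ZoneRecord], name: str, rdata: str, now: datetime) -> None:
    """Register or refresh a record on behalf of a client; new records get a timestamp."""
    rec = zone.get(name)
    if rec is None:
        zone[name] = ZoneRecord(name, rdata, timestamp=now)
        return
    rec.rdata = rdata
    if can_refresh(rec, now):
        rec.timestamp = now


def add_static_record(zone: Dict[str, ZoneRecord], name: str, rdata: str) -> None:
    """Manually created record: timestamp 0 (None here), never scavenged."""
    zone[name] = ZoneRecord(name, rdata, timestamp=None)


def is_stale(rec: ZoneRecord, now: datetime) -> bool:
    """Eligible for scavenging once blocking + refresh intervals have both elapsed."""
    if rec.timestamp is None:
        return False
    return now >= rec.timestamp + NO_REFRESH_INTERVAL + REFRESH_INTERVAL


def scavenge(zone: Dict[str, ZoneRecord], now: datetime) -> List[str]:
    """Remove stale records from the zone; returns the names removed."""
    stale = [name for name, rec in zone.items() if is_stale(rec, now)]
    for name in stale:
        del zone[name]
    return stale
```

Note the practical consequence for manually created records: because they never age, a forgotten static A record for a decommissioned host stays resolvable indefinitely, which is one reason to review static records separately from the scavenging process.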

Performing scavenging

Scavenging is performed in the zone automatically or manually. To perform scavenging automatically, enable automatic scavenging of stale resource records on the Advanced tab of the DNS server properties dialog box.

If this option is not enabled, you can scavenge zones manually by right-clicking the server icon in the DNS Manager console tree and using the Scavenge Stale Resource Records command.

GlobalNames zone

Windows Server 2008 includes a new feature that allows all DNS clients in an Active Directory forest to use single-label names, such as Mail, to connect to server resources. This feature is useful when the DNS suffix search list of DNS clients does not allow users to connect to a resource by its single-label name quickly (or at all).

The DNS server in Windows Server 2008 allows you to create a GlobalNames zone. By default, the GlobalNames zone does not exist, but by deploying a zone with this name you can provide access to selected resources using single-label names without using WINS. Typically, single-label names are assigned to important and widely used servers that already have static IP addresses. To enable GlobalNames support on a remote server instead of the local one, enter the name of the remote server instead of the dot.

Creating the GlobalNames zone

The next step in deploying the GlobalNames zone is to create the zone on a DNS server that is a Windows Server 2008 domain controller. The GlobalNames zone is not a special zone type; it is an Active Directory-integrated forward lookup zone named GlobalNames. When you create the zone, choose to replicate zone data to all DNS servers in the forest. This option is located on the Active Directory Zone Replication Scope page. To enable single-label name resolution, create an alias (CNAME) resource record in the GlobalNames zone for each resource. The name assigned to each CNAME record is the single-label name that users can use to connect to the resource. Note that each CNAME record points to a host record in another zone.

At one time I discovered a simple truth: if you want to remember something, take notes (even when reading a book), but if you want to consolidate and systematize it, convey it to other people (write an article). Therefore, after two years of working in system integration (an area that I, as a system administrator, considered simply a cornucopia for specialists hungry for leveling up), when I realized that knowledge was gradually being replaced by the skills of editing documentation and configuring according to manuals and instructions, I began writing articles about basic things to keep in shape. For example, here is one about DNS. Back then I did it more for myself, but I thought it might be useful to someone.

The DNS service in modern networks is, if not the key service, then one of them. Those for whom the DNS service is nothing new can safely skip the first part.


1. Basic information

DNS is a database containing mainly information about the mapping of network object names to their IP addresses. “Mainly” because some other information is stored there as well. More precisely, it stores resource records (RR) of the following types:

A - the mapping of a symbolic domain name to its IP address.

AAAA - the same as A, but for IPv6 addresses.

CNAME - Canonical NAME - an alias. If you want a server with an unreadable name, such as nsk-dc2-0704-ibm, on which the corporate portal runs, to also respond to the name portal, you can create another A record for it with the name portal and the same IP address. But then, if the IP address changes (anything can happen), you will have to re-create all such records. If instead you create a CNAME named portal that points to nsk-dc2-0704-ibm, you will not have to change anything.

MX - Mail eXchanger - a pointer to the mail exchanger. Like CNAME, it is a symbolic pointer to an existing A record, but in addition to the name it also contains a priority. There can be several MX records for one mail domain, but mail is first sent to the server with the lowest value in the priority field. If it is unavailable, to the next server, and so on.

NS - Name Server - contains the name of the DNS server responsible for this domain. Naturally, for each NS record there must be a corresponding A record.

SOA - Start of Authority - indicates which of the NS servers stores the reference information about a given domain, the contact information of the person responsible for the zone, and the timings for keeping information in caches.

SRV - a pointer to the server that hosts a service (used for AD services and, for example, Jabber). In addition to the server name, it contains the fields Priority (similar to the MX priority), Weight (used to balance load between servers with the same priority: clients pick a server at random with a probability proportional to its weight) and Port Number (the port on which the service “listens” for requests).

All of the above record types live in the forward lookup zone of DNS. There is also a reverse lookup zone, which holds PTR (PoinTeR) records, the opposite of type A: a PTR record stores the mapping of an IP address to its symbolic name. It is needed to process reverse queries, that is, to determine a host name from its IP address. It is not required for DNS to function, but it is needed by various diagnostic utilities, as well as by some types of anti-spam protection in e-mail services.

In addition, the zones themselves, which store information about a domain, are (classically) of two types:

Primary - a text file containing information about the hosts and services of the domain. The file can be edited.

Secondary - also a text file, but, unlike the primary one, it cannot be edited. It is pulled automatically from the server storing the primary zone. It increases availability and reliability.

To register a domain on the Internet, information about it must be stored on at least two DNS servers.

Windows 2000 introduced another zone type, the AD-integrated zone: the zone is stored not in a text file but in the AD database, which allows it to be replicated to other domain controllers along with AD, using AD's replication mechanisms. The main advantage of this option is the ability to implement secure dynamic registration in DNS, that is, only computers that are members of the domain can create records about themselves.

Windows Server 2003 also introduced the stub zone. It stores information only about the DNS servers that are authoritative for a given domain, that is, NS records. This is similar in meaning to conditional forwarding, which appeared in the same Windows Server version, but the list of servers to which queries are forwarded is updated automatically.

Iterative and recursive queries
It is clear that a single DNS server does not know about all domains on the Internet. Therefore, when it receives a query for a name it does not know, for example metro.yandex.ru, the following sequence of iterations is initiated:

The DNS server contacts one of the Internet root servers, which store information about the authoritative servers for the top-level domains or zones (ru, org, com, etc.). It reports the received address of the authoritative server to the client.

The client contacts the ru zone server with the same query.

The DNS server of the ru zone looks for a corresponding entry in its cache and, if it does not find one, returns to the client the address of the server authoritative for the second-level domain, in our case yandex.ru.

The client contacts the yandex.ru DNS server with the same query.

The yandex.ru DNS server returns the required address.

Such a sequence of events is rare nowadays, because there is such a thing as a recursive query: the DNS server that the client initially contacted performs all the iterations on behalf of the client, returns a ready-made answer to the client, and also stores the received information in its cache. Support for recursive queries can be disabled on the server, but most servers support it.

The client, as a rule, sends a query with the “recursion desired” flag set.
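The referral chain described above can be modelled offline. The following Python code is an added example written for this article, not code from the original or from any DNS implementation: three constructed authoritative servers (a root, the ru zone and yandex.ru) hold either answers or referrals, resolve_iteratively() follows the referrals exactly as the client in the steps above does, and RecursiveResolver does the same work on the client's behalf and caches the result. The server names under .test and the address 192.0.2.44 are constructed samples, not real infrastructure.

```python
# Added example, not part of the original article: a toy model of iterative
# and recursive resolution. Server names and addresses are constructed.
from typing import Dict, List, Optional, Tuple


class AuthServer:
    """A server that is authoritative for some names and delegates others."""

    def __init__(self, answers: Dict[str, str], delegations: Dict[str, str]):
        self.answers = answers          # FQDN -> IPv4 address
        self.delegations = delegations  # zone -> name of the server to ask next

    def query(self, qname: str) -> Tuple[str, Optional[str]]:
        if qname in self.answers:
            return "answer", self.answers[qname]
        # longest matching delegation wins, so "yandex.ru." would beat "ru."
        for zone in sorted(self.delegations, key=len, reverse=True):
            if qname == zone or qname.endswith("." + zone):
                return "referral", self.delegations[zone]
        return "nxdomain", None


# Constructed hierarchy: the root delegates ru., the ru server delegates yandex.ru.
SERVERS: Dict[str, AuthServer] = {
    "root.test.": AuthServer({}, {"ru.": "ns.ru.test."}),
    "ns.ru.test.": AuthServer({}, {"yandex.ru.": "ns.yandex.test."}),
    "ns.yandex.test.": AuthServer({"metro.yandex.ru.": "192.0.2.44"}, {}),
}


def resolve_iteratively(qname: str, servers: Dict[str, AuthServer] = SERVERS,
                        start: str = "root.test.", max_hops: int = 10
                        ) -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Follow referrals from `start`; returns (address or None, servers visited)."""
    path: List[Tuple[str, str]] = []
    current = start
    for _ in range(max_hops):   # bounded: a broken delegation must not spin forever
        kind, value = servers[current].query(qname)
        path.append((current, kind))
        if kind == "answer":
            return value, path
        if kind == "nxdomain":
            return None, path
        if value not in servers:          # lame delegation: referred server unknown
            path.append((value, "unreachable"))
            return None, path
        current = value
    raise RuntimeError(f"referral loop while resolving {qname}")


class RecursiveResolver:
    """The server the client actually talks to: resolves on the client's behalf and caches."""

    def __init__(self, servers: Dict[str, AuthServer] = SERVERS):
        self.servers = servers
        self.cache: Dict[str, Optional[str]] = {}

    def resolve(self, qname: str) -> Tuple[Optional[str], bool]:
        """Returns (address, served_from_cache)."""
        if qname in self.cache:
            return self.cache[qname], True
        address, _ = resolve_iteratively(qname, self.servers)
        self.cache[qname] = address
        return address, False


if __name__ == "__main__":
    print(resolve_iteratively("metro.yandex.ru."))
```

The model deliberately omits TTLs: a real recursive resolver keeps a cached answer only for the TTL from the SOA and record fields described in the first part of this page.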

2. A little about the DNS message format

The message consists of a 12-byte header followed by four variable-length fields.

The header consists of the following fields:

Figure: DNS message format

Identification - the client places an identifier in this field, and the server copies it into the corresponding field of its response, so the client can tell which request a response belongs to.

Flags - a 16-bit field divided into eight parts:

  • QR (message type), 1-bit field: 0 means request, 1 means response.
  • opcode, 4-bit field. The normal value is 0 (standard query). Other values are 1 (inverse query) and 2 (server status request).
  • AA - 1-bit flag meaning “authoritative answer”: the DNS server is authoritative for the domain in the question section.
  • TC - 1-bit field meaning “truncated”. In the case of UDP, this means that the total response size exceeded 512 bytes, but only the first 512 bytes of the response were returned.
  • RD - 1-bit field meaning “recursion desired”. The bit can be set in a request and is then returned in the response. This flag asks the DNS server to process the request itself (that is, the server must determine the required IP address itself rather than return the address of another DNS server), which is called a recursive query. If this bit is not set and the queried DNS server does not have an authoritative answer, the queried server returns a list of other DNS servers that must be contacted to obtain the answer. This is called an iterative query. Examples of both types of queries follow.
  • RA - 1-bit field meaning “recursion available”. This bit is set to 1 in the response if the server supports recursion. We will see in the examples that most DNS servers support recursion, with the exception of some root servers (root servers do not handle recursive queries because of their load).
  • 0 - this 3-bit field must be equal to 0.
  • rcode - a 4-bit return code field. Common values are 0 (no error) and 3 (name error). A name error is returned only by an authoritative DNS server and means that the domain name specified in the request does not exist.

The next four 16-bit fields give the number of items in the four variable-length fields that complete the message. In a request, the number of questions is usually 1 and the remaining three counters are 0. In a response, the number of answers is at least 1, and the remaining two counters may or may not be zero.

Example (obtained using WinDump when executing the ping www.ru command):

IP KKasachev-nb.itcorp.it.ru.51036 > ns1.it.ru.53: 36587+ A? www.ru. (24)
IP ns1.it.ru.53 > KKasachev-nb.itcorp.it.ru.51036: 36587 1/2/5 A 194.87.0.50 (196)

The first line is the request: the name of my PC, 51036 is a randomly chosen source port, 53 is the well-known DNS server port, 36587 is the request ID, + means “recursion desired”, A is a request for an A record, and the question mark means that this is a request, not an answer. In parentheses is the length of the message in bytes.

The second line is the server response: to the specified source port with the specified request ID. The response contains one RR (DNS resource record), which is the response to the request, 2 authority records and 5 additional records. The total length of the response is 196 bytes.

3. TCP and UDP

It is commonly stated that DNS operates over UDP (port 53). This is indeed the case by default: requests and responses are sent via UDP. However, the TC (Truncated) flag in the message header was mentioned above. It is set to 1 if the size of the response exceeded 512 bytes, the limit for a UDP response, which means the response was cut off and only the first 512 bytes were sent to the client. In this case the client repeats the request over TCP, which, by its nature, can safely transfer large amounts of data.

Zone transfers from primary servers to secondary servers are also carried out over TCP, since much more than 512 bytes is transferred in that case.
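The header layout from section 2 and the truncation rule from section 3 can be exercised with a few lines of code. The following Python code is an added example written for this article, not code from the original: it builds the same query the WinDump capture shows (ID 36587, an A query for www.ru, 24 bytes), unpacks the 12-byte header into the flag bits listed above, checks a reply for the TC bit, and frames a message for TCP with the 2-byte length prefix that DNS over TCP requires. The truncated response bytes are constructed here, not captured.

```python
# Added example, not part of the original article: building and parsing the
# 12-byte DNS header with the standard struct module, and applying the rule
# that a truncated (TC=1) UDP answer is retried over TCP. The response bytes
# produced by truncated_response_for() are constructed, not captured.
import struct
from typing import Dict

HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
QTYPE_A, QCLASS_IN = 1, 1
UDP_LIMIT = 512

# Bit positions inside the 16-bit flags field, in the order the text lists them.
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD, FLAG_RA = 1 << 15, 1 << 10, 1 << 9, 1 << 8, 1 << 7
RCODE_NAMES = {0: "NOERROR", 3: "NXDOMAIN"}


def encode_name(name: str) -> bytes:
    """'www.ru' -> b'\\x03www\\x02ru\\x00' (length-prefixed labels, root label last)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qid: int, name: str, qtype: int = QTYPE_A,
                recursion_desired: bool = True) -> bytes:
    flags = FLAG_RD if recursion_desired else 0
    return (HEADER.pack(qid, flags, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN))


def parse_header(msg: bytes) -> Dict[str, int]:
    if len(msg) < HEADER.size:
        raise ValueError("message shorter than the 12-byte DNS header")
    qid, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {
        "id": qid,
        "qr": (flags >> 15) & 1,
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,
        "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "z": (flags >> 4) & 0x7,        # must be zero
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(query: bytes, response: bytes) -> bool:
    """True when the UDP reply was truncated. A reply whose ID does not match
    the query, or that is not marked as a response, is rejected, not trusted."""
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        raise ValueError("response does not belong to this query")
    return bool(r["tc"])


def frame_for_tcp(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with its length in network byte order."""
    return struct.pack("!H", len(msg)) + msg


def truncated_response_for(query: bytes) -> bytes:
    """Constructed sample of what a server sends when the full answer would
    exceed 512 bytes: same ID, QR=1, RD copied back, RA=1, TC=1, question
    section echoed, no answer records."""
    q = parse_header(query)
    flags = FLAG_QR | FLAG_RA | FLAG_TC | (FLAG_RD if q["rd"] else 0)
    return HEADER.pack(q["id"], flags, 1, 0, 0, 0) + query[HEADER.size:]


if __name__ == "__main__":
    query = build_query(36587, "www.ru")      # same ID and name as the WinDump lines
    print(len(query), parse_header(query))
    print(needs_tcp_retry(query, truncated_response_for(query)))
```

The ID check in needs_tcp_retry() is the minimum a client should do before acting on a reply; a 16-bit ID alone is a weak match, which is why real resolvers also randomise the source port (the 51036 in the capture above) and compare the echoed question section.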

4. DNS in Windows Server 2008 and 2012

Windows 2008 introduced the following features:
Background loading of zones
In very large organizations with extremely large zones that use Active Directory Domain Services to store DNS data, restarting the DNS server may take an hour or more while the DNS data is retrieved from the directory service. In this case, the DNS server is unavailable to serve client requests as long as Active Directory Domain Services zones are loading.
The Windows Server 2008 DNS server now loads zone data from Active Directory Domain Services in the background, so it can at the same time answer queries for data from other zones. When the DNS server starts, it performs the following actions:
  • determines all zones that must be loaded;
  • loads root hints from files or from Active Directory Domain Services storage;
  • loads all file-backed zones, that is, zones stored in files rather than in Active Directory Domain Services;
  • starts processing queries and remote procedure calls (RPC);
  • creates one or more threads to load the zones stored in Active Directory Domain Services.

Because the task of loading zones is performed in separate threads, the DNS server can process queries while the zone is loading. If a DNS client requests data for a host in a zone that is already loaded, the DNS server responds with the data (or, if appropriate, a negative response). If a query is made for a host that is not yet loaded into memory, the DNS server reads the host's data from Active Directory Domain Services and updates the host's list of records accordingly.

Support for IPv6 addresses
Internet Protocol version 6 (IPv6) defines addresses that are 128 bits long, as opposed to Internet Protocol version 4 (IPv4) addresses, which are 32 bits long.
DNS servers running Windows Server 2008 now fully support both IPv4 and IPv6 addresses. The dnscmd command-line tool also accepts addresses in both formats. The list of forwarders can contain both IPv4 and IPv6 addresses. DHCP clients can also register IPv6 addresses along with (or instead of) IPv4 addresses. Finally, DNS servers now support the ip6.arpa domain namespace for reverse lookups.
DNS Client Changes
LLMNR Name Resolution
DNS client computers can use LLMNR (Link-local Multicast Name Resolution), also called multicast DNS or mDNS, to resolve names on a local network segment where a DNS server is not available. For example, if a subnet is isolated from all DNS servers on the network due to a router failure, clients on that subnet that support LLMNR name resolution can still resolve names using a peer-to-peer scheme until connectivity to the network is restored.
In addition to resolving names in the event of network failure, LLMNR can also be useful in peer-to-peer network deployments, such as in airport lounges.

The Windows Server 2012 changes to DNS mainly concern DNSSEC (securing DNS by adding digital signatures to DNS records), in particular support for dynamic updates, which were not available when DNSSEC was enabled in Windows Server 2008.

5. DNS and Active Directory

Active Directory relies heavily on DNS for its operation. With its help, domain controllers find each other for replication. With its help (and the Netlogon service), clients find domain controllers for authorization.

To make this search possible, while a server is being promoted to a domain controller, its Netlogon service registers the corresponding A and SRV records in DNS.

SRV records registered by the Net Logon service:

_ldap._tcp.DnsDomainName
_ldap._tcp.SiteName._sites.DnsDomainName
_ldap._tcp.dc._msdcs.DnsDomainName
_ldap._tcp.SiteName._sites.dc._msdcs.DnsDomainName
_ldap._tcp.pdc._msdcs.DnsDomainName
_ldap._tcp.gc._msdcs.DnsForestName
_ldap._tcp.SiteName._sites.gc._msdcs.DnsForestName
_gc._tcp.DnsForestName
_gc._tcp.SiteName._sites.DnsForestName
_ldap._tcp.DomainGuid.domains._msdcs.DnsForestName
_kerberos._tcp.DnsDomainName
_kerberos._udp.DnsDomainName
_kerberos._tcp.SiteName._sites.DnsDomainName
_kerberos._tcp.dc._msdcs.DnsDomainName
_kerberos._tcp.SiteName._sites.dc._msdcs.DnsDomainName
_kpasswd._tcp.DnsDomainName
_kpasswd._udp.DnsDomainName

The first part of the SRV record identifies the service that the SRV record points to. The following services exist:

_ldap - Active Directory is an LDAP compliant directory service with domain controllers functioning as LDAP servers. The _ldap SRV records identify the LDAP servers present on the network. These servers can be Windows Server 2000+ domain controllers or other LDAP servers;

_kerberos - _kerberos SRV records identify all key distribution centers (KDC - Key Distribution Centers) in the network. They may be domain controllers running Windows Server 2003 or other KDC servers;

_kpasswd - identifies Kerberos password change servers on the network;

_gc - An entry related to the global catalog feature in Active Directory.

Only domain controllers running Microsoft Windows Server are registered in the _msdcs subdomain. They register both the basic records and the records in this subdomain. Non-Microsoft services register only the basic records.

DomainGuid - the domain's globally unique identifier. The record containing it is needed in case the domain is renamed.

How does the DC search process work?
During user logon, the Netlogon service on the client starts the DNS locator through a Remote Procedure Call (RPC). The computer name, domain name, and site name are passed to the procedure as input.

The service sends one or more requests using the DsGetDcName() API function.

The DNS server returns the requested list of servers, sorted according to priority and weight. The client then sends an LDAP request using UDP port 389 to each of the entry addresses in the order they were returned.

All available domain controllers respond to this request, reporting their health.

After discovering a domain controller, the client establishes an LDAP connection to it to gain access to Active Directory. During this exchange the domain controller determines, from the client's IP address, which site the client belongs to. If it turns out that the client did not contact the nearest DC (for example, it recently moved to another site and, out of habit, asked for a DC from the old one, because site information is cached on the client from the last successful logon), the controller sends the client the name of its new site. If the client has already tried and failed to find a controller in that site, it continues to use the one it found; otherwise it initiates a new DNS query specifying the new site.

The Netlogon service caches domain controller location information so that it does not have to repeat the entire process every time it needs to contact a DC. However, if a "suboptimal" DC (one located in another site) is in use, the client clears this cache after 15 minutes and initiates the search again in an attempt to find its optimal controller.

If a computer has no information about its site in its cache, it will contact any domain controller. To influence this behavior, you can configure netmask ordering on the DNS server. DNS will then list the DCs in such an order that controllers located on the same network as the client come first.

Example: Dnscmd /Config /LocalNetPriorityNetMask 0x0000003F sets the subnet mask 255.255.255.192 for prioritizing DCs. The default mask is 255.255.255.0 (0x000000FF).
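The following is an added example, not part of the original article, that models the DC locator steps described above (SRV names registered per site, the client's ordering of SRV answers by priority and weight, and netmask ordering with the LocalNetPriorityNetMask value). All host names, site names and addresses are constructed; the hex-to-mask conversion follows the two values given in the text.

```python
# Constructed model of the DC locator steps above; names, sites and addresses are made up.
import ipaddress
import random
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    target: str   # DC host name (constructed)
    address: str  # the target's A record (constructed)

def ldap_srv_names(domain: str, site: str) -> List[str]:
    """The _ldap SRV names Netlogon registers for a DC (from the list above)."""
    return [
        f"_ldap._tcp.{domain}",
        f"_ldap._tcp.{site}._sites.{domain}",
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
    ]

def mask_from_hex(value: int) -> str:
    """LocalNetPriorityNetMask names the host bits to ignore: 0xFF -> 255.255.255.0."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF & ~value))

def order_by_priority_and_weight(records: List[SrvRecord],
                                 rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """RFC 2782 client ordering: lowest priority first, weighted random within a priority."""
    rng = rng or random.Random()
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            # draw in [0, total weight]; the first record whose running sum reaches it wins
            pick = rng.randint(0, sum(r.weight for r in group))
            running = 0
            for rec in group:
                running += rec.weight
                if running >= pick:
                    ordered.append(rec)
                    group.remove(rec)
                    break
    return ordered

def netmask_ordering(records: List[SrvRecord], client_ip: str, mask_hex: int) -> List[SrvRecord]:
    """Netmask ordering: DCs on the client's subnet (under the configured mask) come first."""
    mask = int(ipaddress.IPv4Address(mask_from_hex(mask_hex)))
    client_net = int(ipaddress.IPv4Address(client_ip)) & mask
    local = [r for r in records if int(ipaddress.IPv4Address(r.address)) & mask == client_net]
    return local + [r for r in records if r not in local]
```

Running netmask_ordering for a client at 10.1.2.65 with the default 0x000000FF and the tuned 0x0000003F shows why the mask matters: under /24 both 10.1.2.70 and 10.1.2.10 count as local, under /26 only 10.1.2.70 does.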
