What is a DNS server and what are its addresses: from theory to fine-tuning. What a DNS server is, how to find out your provider's preferred address, and how to replace it with Google Public DNS or alternative options.

DNS (the Domain Name System) is a system that matches domain names such as google.com or yandex.ru with the correct IP addresses. It is a distributed database of domain names and IP addresses, used to maintain a directory of domain names and to resolve those names to the correct IP addresses.

Domain names are human-readable addresses that we use every day. For example, Yandex's domain name is yandex.ru. If you want to visit the Yandex website, simply enter yandex.ru into the address bar of your web browser.

But your computer does not know where "yandex.ru" is located. Behind the scenes, your computer will contact the DNS servers and ask what IP address is associated with yandex.ru.

After that, it will connect to that web server, download the content, and display it in your web browser.

In this case, yandex.ru is located at the IP address 77.88.55.70 on the Internet. You can enter this IP address in your web browser to visit the Yandex website. However, instead of 77.88.55.70 we use "yandex.ru" because it's easier to remember.

Without DNS, the Internet as we know it would not be usable. We would be back in the time before the Internet, when a computer could only be used to create documents or play offline games.

Of course, this is a simplified explanation; in reality it is a bit more complicated. For more information, read this article or watch the video below.

Different Internet Service Providers (ISPs) use different DNS servers. By default, if you haven't set up specific DNS servers on your computer (or router), the default DNS servers from your ISP will be used.

If these DNS servers are unstable, you may experience problems while using the Internet on your computer: for example, websites do not load completely, or you have no Internet access at all. To avoid such DNS errors, switch to public DNS servers such as Google DNS or OpenDNS.

Here are some common DNS related errors you can look into:

  • Fix DNS lookup error in Google Chrome
  • How to fix Err_Connection_Timed_Out error
  • How to fix Err_Connection_Refused error
  • Fix Dns_Probe_Finished_Nxdomain Error
  • Fix DNS Server Not Responding on Windows

You can fix these errors by switching to the third-party DNS servers listed below.

Benefits of Using Public DNS Servers

You may ask if your ISP has default DNS servers, why do you need these public DNS servers? Here are the reasons why you should use these alternative DNS servers:

  • Some default DNS servers are not fast enough, and sometimes they time out, so your Internet connection feels unstable. Switching to faster DNS servers will make browsing feel quicker.
  • Using these public DNS servers will help improve stability.
  • Some third party DNS servers have protection and filtering features. These features will help you protect your computer from phishing attacks.
  • It can help you get around geographic content restrictions and web filtering. For example, you may be able to watch a YouTube video that says "This video is not available in your country."

List of Top 10 Public DNS Servers

Now that you know what a DNS server is and why third-party DNS servers are useful, check out the list below. This is a list of the top 10 third-party DNS servers:

1. Google Public DNS


It is one of the fastest DNS servers and is used by many people on their computers. By using Google's DNS servers, you get better security and a better experience on your computer.

To use Google's public DNS servers, configure your network settings with the following IP addresses:

8.8.8.8 as preferred DNS server

8.8.4.4 as your alternate DNS server

2. OpenDNS


Apart from Google DNS servers, OpenDNS is one of the best cloud DNS servers. This will help protect your computer from malicious attacks.

To use OpenDNS, configure your network settings with the following IP addresses:

208.67.222.222

208.67.222.220

OpenDNS also offers two free solutions for private customers: OpenDNS Family Shield and OpenDNS Home.

OpenDNS FamilyShield comes pre-configured to block adult content. To use it, configure your network settings with the following DNS server IP addresses instead.

Preferred DNS Server: 208.67.222.123

Alternate DNS Server: 208.67.220.123

Meanwhile, OpenDNS Home comes with customizable anti-theft and anti-phishing protection.

3. Norton ConnectSafe


Norton not only offers antivirus programs and Internet security programs. It also offers a DNS server service called Norton ConnectSafe. This cloud-based DNS service will help protect your computer from phishing sites.

Norton ConnectSafe comes with three predefined content filtering policies: Security, Security + Pornography, and Security + Pornography + Other.

You can take a look at the image below for more information on each predefined policy. Visit the Norton site for more information.

4. Comodo Secure DNS


Comodo Secure DNS is a domain name server service that resolves your DNS queries through many global DNS servers. It provides a much faster and better Internet experience than using standard DNS servers provided by your ISP.

If you want to use Comodo Secure DNS, you do not need to install any hardware or software. Just change your primary and secondary DNS servers to 8.26.56.26 and 8.20.247.20.

5. Level 3

Level 3, run by the communications carrier of the same name, is the next free DNS service on this list. To take advantage of it, configure your network settings with the following DNS IP addresses:

209.244.0.3

208.244.0.4

Visit for more details.

6. DNS Advantage

It is one of the fastest DNS servers providing best performance when working on the Internet. This will help you load websites faster and more securely. To use DNS Advantage, set up preferred/alternate DNS servers with the following details:

156.154.70.1

156.154.71.1

7. OpenNIC

Like the other DNS servers above, OpenNIC is a good alternative to your default DNS servers. Its focus is on keeping your lookups private and free from government censorship. To use this DNS service, configure your preferred and alternate DNS servers as follows:

46.151.208.154

128.199.248.105

To find more reliable DNS servers.

8. Dyn

Dyn is the next free third-party DNS server on the list. It provides a good online experience and protects you from most phishing attacks. Configure your network settings with the following DNS IP addresses to use the Dyn DNS servers:

216.146.35.35

216.146.36.36

9. SafeDNS

SafeDNS is another cloud-based DNS service. It helps protect your computer while providing a good web browsing experience. To use SafeDNS, use the following addresses:

195.46.39.39

195.46.39.40

About free and premium DNS services from SafeDNS.

10. DNS.Watch


DNS.Watch is the last free public DNS service on this list. It provides an uncensored, fast and reliable browsing experience for free. To set up your PC or router with DNS.Watch, use the two DNS IP addresses below:

84.200.69.80

84.200.70.40

Sometimes, if you are unable to surf the web properly, you can try changing the default DNS servers on your computer or router to these DNS servers. This will provide you with the best web browsing experience and also protect you from potential attacks.

Don't know how to change DNS servers on Windows, Mac or Android? Just read .

Greetings! Today we will discuss all the important points about DNS servers: what they are, how to set them up, and how to choose an alternative DNS. Take your seats and don't forget to buckle up!

If you have any questions or something to add, BE SURE to write it in the comments to this article. You will help us and other readers a lot!

What is DNS?

We start with some theory. If you are not interested, skip to the chapter you need below; all the settings and choices are there. Here we talk about DNS itself.

DNS - Domain Name System

Sounds scary? Let's untangle it point by point:

  1. While using the Internet, you type the name of a site into the browser window. For example, GUGL.FU (may they forgive us for also sending traffic their way).
  2. In networks, all addressing is based on IP addresses, i.e. the hardware can only find routes by numbers, for example 7.7.7.7. But it is inconvenient for users to remember these numbers (try to recall even 50 of the phone numbers in your contacts).
  3. Think of it by analogy with a phone. You don't have to know the numbers, only the names: you pick a name in the phone, and the call goes to the number. It is the same on the Internet: you enter a symbolic name (the domain name), and the browser, without you seeing it, goes looking for the site by its IP address.

The DNS server does the job of converting a domain name into an IP address. Receives letters - gives numbers.

To verify this transformation, you can "ping" any site:


The current IP of the ya.ru domain is 87.250.250.242

Servers - Theory

We will not delve too deeply into the architecture of DNS servers, but for a general understanding, it is worth knowing:

  1. There are many of them; there is no single correct one. As a rule you get your provider's DNS, but this is not always the best choice.
  2. They have a nested (hierarchical) structure: root, countries, providers, routers (very roughly). All DNS servers inherit information from each other, and if the current one does not have something, the request is sent higher up.
  3. They have an IP address: you query it, and it returns the IP addresses of the sites you need.

As a rule, after connecting to the Internet, while doing nothing with the settings, you will receive DNS from your ISP.

How to find out the current one?

Before changing anything, you may need to find out the current DNS server. So that there are no further questions, here is how to do it quickly:

  1. Open the command line (there are other ways to open it, you can google them). Press Win+R (the "Run" utility opens) and type cmd.


  2. Enter nslookup


In my case, the current DNS is 192.168.0.1. For advanced users: this is the address of the router. All requests go to it, and it forwards them further (at the moment it uses Google's DNS servers).
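What ping and nslookup do behind the scenes, as an added example that is not part of this article: the script builds a DNS query in the RFC 1035 wire format, parses the answer and checks that it really belongs to the query. The sample response is constructed here (modelled on the ya.ru answer quoted above, not a real capture); the optional `resolve` function sends a real query to whichever server address you pass it, such as your router's 192.168.0.1 or 8.8.8.8.

```python
import secrets
import socket
import struct
from typing import List, Optional, Tuple

QTYPE_A = 1
QCLASS_IN = 1


def build_query(name: str, qtype: int = QTYPE_A, txid: Optional[int] = None) -> bytes:
    """Build a recursive DNS query (RFC 1035 wire format) for `name`."""
    if txid is None:
        # A random 16-bit ID is the client's first defence against forged answers.
        txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) domain name; return (name, offset after it)."""
    labels = []
    end = None  # position right after the name in the original stream
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer (RFC 1035 section 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_a_records(response: bytes, expected_txid: int) -> List[str]:
    """Return the IPv4 addresses in the answer section of `response`."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: this answer is not for our query")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"server returned RCODE {rcode} (3 = NXDOMAIN)")
    offset = 12
    for _ in range(qdcount):  # skip the question section echoed by the server
        _, offset = read_name(response, offset)
        offset += 4  # QTYPE + QCLASS
    addresses = []
    for _ in range(ancount):
        _, offset = read_name(response, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        rdata = response[offset:offset + rdlength]
        offset += rdlength
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlength == 4:
            addresses.append(socket.inet_ntoa(rdata))
    return addresses


def resolve(name: str, server: str, timeout: float = 2.0) -> List[str]:
    """Send a real query over UDP/53 to `server` (e.g. your router or 8.8.8.8)."""
    txid = secrets.randbits(16)
    query = build_query(name, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


# Constructed sample exchange (not a real capture): the answer a resolver would
# return for "ya.ru", using the address quoted in the article above.
SAMPLE_TXID = 0x1234
SAMPLE_QUERY = build_query("ya.ru", txid=SAMPLE_TXID)
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", SAMPLE_TXID, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, 1 answer
    + SAMPLE_QUERY[12:]                                       # question echoed back
    + b"\xc0\x0c"                                             # name = pointer to offset 12
    + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 3600, 4)       # A, IN, TTL 3600, 4 bytes
    + socket.inet_aton("87.250.250.242")
)


def parse_sample() -> List[str]:
    return parse_a_records(SAMPLE_RESPONSE, SAMPLE_TXID)


if __name__ == "__main__":
    print("offline sample:", parse_sample())
    # Uncomment to query a live server: print(resolve("ya.ru", "8.8.8.8"))
```

Pointing `resolve` at your provider's server and at a public one lets you compare the answers the two return for the same name.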

Provider

You can resolve sites through your provider's DNS servers, but this does not always work as it should. An ordinary home user may never notice anything for years, but if you work closely with the Internet, trouble can arrive unexpectedly. My theses about provider servers:

  1. Stability leaves much to be desired: once every couple of years their servers go down and sites stop opening entirely. An unpleasant moment, because a home user might think the Internet itself has failed, while the actual cause is right there in the settings. For some people, one failure every couple of years is acceptable.
  2. Territorial restrictions: a site gets blocked at the DNS level, and it's gone. In practice they rarely block anything this way now, but there have been precedents.
  3. Slow updating of zones (for me the most important point). Provider servers update very slowly. The owner of a site moves to a new server (wanting more powerful hardware) and changes his DNS settings to a new IP address, and this information can take a couple of days to reach a user in the regions. Meanwhile that user keeps knocking on an address that no longer exists and gets an inaccessible site, or a site with a security certificate error and a host of other problems.

In short: everything works, often for a long time and well, but there are disadvantages that are easy to avoid by switching to alternative DNS.

Alternative DNS

In the Windows settings, which we will look at below, there is a field for an alternative DNS. There it means the backup DNS server address, used if the main one is unavailable. In this chapter, "alternative" only means a server not issued by your provider.

Here is a table of the main DNS services available now:

Service: Google Public DNS
  DNS 1: 8.8.8.8 (IPv6: 2001:4860:4860::8888)
  DNS 2: 8.8.4.4 (IPv6: 2001:4860:4860::8844)

Service: OpenDNS
  DNS 1: 208.67.222.222
  DNS 2: 208.67.220.220

Service: Yandex
  DNS 1: 77.88.8.8; 77.88.8.88 (no scam sites); 77.88.8.7 (no adult sites)
  DNS 2: 77.88.8.1; 77.88.8.2 (no scam sites); 77.88.8.3 (no adult sites)

Service: DNS.Watch
  DNS 1: 82.200.69.80
  DNS 2: 84.200.70.40

Service: Norton ConnectSafe
  DNS 1: 198.153.192.1; 198.153.192.40 (secure sites only); 198.153.192.50 (no porn); 198.153.192.60 (complete security)
  DNS 2: 198.153.194.1; 198.153.194.40 (secure sites only); 198.153.194.50 (no porn); 198.153.194.60 (complete security)

Service: Level 3 DNS
  DNS 1: 209.244.0.3; 4.2.2.1; 4.2.2.3
  DNS 2: 209.244.0.4; 4.2.2.2; 4.2.2.4

Service: Comodo Secure DNS
  DNS 1: 8.26.56.26
  DNS 2: 8.20.247.20

Service: OpenNIC DNS
  DNS 1 and DNS 2: choose from the list at https://servers.opennic.org

Let me briefly go over each:

  • Google Public DNS - I use it myself and recommend it until it gets banned. Works like clockwork and updates quickly. The addresses are easy to remember: "the eights". There are IPv6 versions too.
  • OpenDNS is the second most popular service. I used it for a while and didn't notice much difference from Google. It works, and that's fine.
  • Yandex - as a bonus, there are additional servers with site filters: without known phishing and fraudulent sites, or without adult sites; they simply will not open. A kind of parental control.
  • The rest also work. I see no point in describing them; it would just be filler. For home use the first is enough, with the second as a fallback. The rest is overkill except for technical specialists, and, fortunately or unfortunately, our WiFiGid is not for specialists.

Setup

And now I'll show you where you need to insert these addresses so that everything works like an expensive Swiss watch.

  1. Go to "Network and Sharing Center" (Windows 7) or "Network and Internet Settings" (Windows 10). To do this, right-click on the network icon and select this item:


  2. Next, "Change adapter settings":


  3. Here look for the adapter through which you are connected to the network, right-click it, choose "Properties" and do everything as in the picture:


Here I set the Google addresses - the first and second (the first and second columns of the table above respectively). You can do the same, or you can experiment with other services.

These steps are performed in the same way in Windows 7, Windows 8 and Windows 10.

This can be done on every device, including phones (see the instructions for setting up DNS on your model). One example of how it may look:

It is better still to do it once on the router, in the DHCP server settings (the DHCP server distributes network settings to connected devices). Then every device connected to it will immediately use the better servers. Here is a TP-Link example; look for the settings for your model through the search on our website:


Some programs, applications and mobile devices ask for a DNS address field in their configuration; the IP addresses from the table above work there too.

Possible errors

There is no way to list all the possible errors associated with DNS; you can search for them by name on our website, where we have covered the main ones. But the essence of solving any of them is very simple:

  1. Reboot the router and the computer, laptop or phone, so that they obtain their network settings again.
  2. While everything is rebooting, check the cables: are they plugged in fully, is anything kinked or broken.
  3. If that does not help, enter the DNS addresses manually as in the section above.
  4. If that does not help either, the error is on the provider's side or on the site itself (for example, the same kind of move to a new server described above). If absolutely nothing opens, just in case, try disabling antiviruses, firewalls, proxies, VPNs and other software that uses the network.

If everything is really bad and did not find anything - write a comment below!

Want to quickly test your system administrator's knowledge? Ask him for the IP address of Google's public DNS. Any self-respecting system administrator will answer: "8.8.8.8", and the advanced one will add "... and 8.8.4.4".

What is DNS?

DNS is an acronym for Domain Name System: a system that matches a domain name to the IP address of a host. Knowing the host name, you can get its address, and vice versa. What is it for? The Internet is designed so that each device (computer, phone, tablet, router) has its own unique address (in fact, addresses can repeat when it comes to different LOCAL networks, but in this article we are talking about the global network and will not go into the details of NAT, PAT and routing), and you can reach a device only by knowing its address on the network. As we work on the Internet, we access dozens of sites every day. It would be difficult to remember all their addresses, consisting of sequences of numbers and dots. Which is easier to remember, 77.222.61.238 or integrus.compumur.ru? Of course, the second. The domain name system remembers the address for you.

DNS is available on any computer, in every network and every provider, in addition, it has a hierarchical form, and in the case when the domain name system cannot determine the address of the requested resource by the domain name, it passes the request to the higher DNS server. The query can be sent up to one of the 13 "world's most important" root DNS servers.

How to install a DNS server?

The server can perform various functions, it can act as a global catalog, store file information, work with databases, work simultaneously with several users. Depending on the purpose of the server, roles are installed on it - a special set of programs that allow the server to perform the necessary functions.

How to install the DNS Server role? We will install it on Windows Server 2012 R2.

Most often, the DNS Server role is installed together with a domain controller. But if you unchecked the "DNS server" checkbox during the Active Directory installation, or AD is simply not needed, then you need to install only the DNS server. To do this, go to Server Manager and click the "Add roles and features" button.

The Add Roles and Features Wizard window opens. Read the introductory text of the wizard and click Next.

Make sure Install Roles and Features is selected and click Next.

Select a server from the server pool. In our case, there is only one server, you may have more.

Select the DNS Server role.

When you tick the required item, an "Add Roles and Features Wizard" dialog appears listing the components required to manage the role being installed. If you are going to administer the DNS server from another server, you can skip adding these components.

Returning to the window with the DNS Server checkbox checked, click the Next button, then Next and Next again until the Install button becomes active.

Click the "Install" button.

Installation will begin.

After the installation is completed (the installation will last less than 5 minutes), the following message will appear: "Installation completed on YourServerName". You can click the "Close" button. Now a new line "DNS" will appear in the Server Monitoring Panel, as well as in the Start Menu. If you click on this line, then the "DNS Manager" will start.

It looks like this.

At the moment no zones are configured on the DNS server. Such a server is called a caching server. Zones are the parts of the namespace that the server is responsible for. Forward lookup zones translate a name into an IP address. A reverse lookup zone, in contrast, maps an IP address to a name.

Let's create a forward lookup zone and perform a simple setup of it.

To do this, right-click on the inscription "Forward lookup zones" and then "Create a new zone."

The "New Zone Wizard" window will open, click "Next". The zone type selection window will open. If you do not have another DNS server, select "Primary zone" and "Next".

In the next window, you need to specify the name of the zone. It is recommended to use your domain name. In our case, the name would be: . Click "Next".

In the next window, select the type of dynamic update. It is recommended to enable dynamic updates, but only if the DNS server will be used exclusively in your local network. Otherwise this setting can carry security risks, about which the New Zone Wizard will warn you.

Click "Next" and "Finish". The forward lookup zone has been successfully created, let's carry out its simple configuration. The browse zone is configured by adding DNS records to the zone. There are several types of DNS records. Consider the main types:

  • A record. Maps a hostname to an IPv4 address.
  • AAAA record. Maps a hostname to an IPv6 address.
  • CNAME record. Alias, used to redirect to another name.
  • MX record. Mail entry, points to mail servers.
  • NS record. Points to the domain's DNS server.

Let's create an A-record for our new forward lookup zone. To do this, right-click on the zone and select the appropriate item from the context menu, as shown in the figure.

In the New Host window that opens, enter the host name, for example GateWay, and its IP address, for example 192.168.0.1. Click the Add Host button.

Ready! Entry created successfully!

In this article, we tried to explain in the plainest language, for someone without deep IT knowledge, what DNS is and how to install the DNS Server role on Windows Server 2012; we got acquainted with the main record types and showed in pictures how these records are created. And if all of the above seemed difficult, our specialists will set up a server for you in less than an hour.

A zone is a database that contains authoritative information about a region of the DNS namespace. When you install a DNS server along with a domain controller, a DNS zone is automatically created to support the Active Directory domain. If the DNS server was installed on a domain controller, a domain member server, or a standalone server, the zones must be created and configured manually.

This lesson explains how to create and configure a zone, and provides the information required to properly configure a zone.

Creating zones

A DNS zone is a database containing records that associate names with addresses in the described region of the DNS namespace. Although a DNS server can use cached information from other servers to answer name queries, it is authoritative to respond to requests only for a locally managed zone. For any scope of the DNS namespace represented by a domain name (for example, google.ru), there is only one authoritative data source for the zone.
If you need to create a new zone on the DNS server, you can use the New Zone Wizard in DNS Manager. To launch the wizard, right-click the server icon in the DNS Manager console tree and use the New Zone command.

The New Zone Wizard contains the following configuration pages:

Zone Type;

Replication scope of a zone integrated in Active Directory (Active Directory Zone Replication Scope);

Forward or reverse lookup zone (Forward or Reverse Lookup Zone);

Zone name (Zone name);

Dynamic update (Dynamic Update).

The following sections describe the configuration concepts associated with these five wizard pages.

Zone type selection

On the Zone Type page of the New Zone Wizard, you can choose to create a primary, secondary, or stub zone. By creating a primary zone or a stub zone on a domain controller, you can store zone data in Active Directory.

* Primary zones

The most common type of DNS zone is the primary zone. It provides the original read/write source of data that gives the local DNS server the authority to respond to DNS queries for that domain of the DNS namespace.

The local DNS server that manages the primary zone serves as the primary source of information about that zone. The server stores the master copy of the zone data in a local file or in Active Directory Domain Services (AD DS). If a zone is stored in a file and not in Active Directory, that file is named zone_name.dns by default and is stored in the %systemroot%\System32\Dns folder on the server.

* Secondary zones

A secondary zone provides a read-only authoritative copy of a primary zone or of another secondary zone.

Secondary zones provide an opportunity to reduce the amount of DNS query traffic in areas of the network where there is heavy request and use of zone data. Also, if the server that manages the primary zone becomes unavailable, the secondary zone can provide name resolution until the primary server becomes available again.

The source zones from which secondary zones receive information are called master zones, and the data copying procedures that keep zone information regularly updated are called zone transfers. The master zone can be the primary zone or another secondary zone. A master zone is assigned to the secondary zone being created in the New Zone Wizard. Because a secondary zone is a copy of a primary zone managed by another server, it cannot be stored in Active Directory.

* Stub zones

Stub zones are similar to secondary zones, but contain only the resource records needed to identify the authoritative DNS servers of the primary zone. Stub zones are often used so that a parent zone (for example, google.ru) can keep an up-to-date list of the name servers available in a delegated child zone (for example, translate.google.ru). They also serve to improve name resolution and simplify DNS administration.

* Storing zones in Active Directory

When creating a primary or stub zone on a domain controller, on the Zone Type page of the wizard, you can select the option to store the zone in Active Directory. Data from Active Directory-integrated zones is automatically replicated to Active Directory according to the settings you select on the Active Directory Zone Replication Scope page. This option eliminates the need to configure zone transfers to additional servers.

Integrating a DNS zone into Active Directory provides several benefits. First, because Active Directory performs zone replication, there is no need to set up a separate DNS zone transfer mechanism between the primary and secondary servers. Multiple network replication automatically provides fault tolerance and improved performance by having multiple read/write master servers available. Second, Active Directory allows you to update and replicate individual properties of resource records on DNS servers. Because many complete resource records are not transferred, the load on network resources during zone transfers is reduced. Finally, Active Directory-integrated zones also provide the option to implement dynamic update security requirements, which are configured on the Dynamic Update page of the New Zone Wizard.

NOTE: Read-Only Domain Controllers and Active Directory Integrated Zones

On traditional domain controllers, the zone copy is granted read/write access. On Read-Only Domain Controllers (RODCs), the zone copy is assigned read-only access.

* Standard zones

When you create a zone on a domain controller, the option to store the zone in Active Directory on the Zone Type page is selected by default. However, you can uncheck this box and create a so-called standard zone. On a server that is not a domain controller, only standard zones can be created, and the check box on this page is disabled.

Unlike an Active Directory-integrated zone, a standard zone stores its data in a text file on the local DNS server. Also, if you use standard zones, only the master copy of the zone data can be configured with read/write access. All other copies of the zone (secondary zones) are assigned read-only access.

The standard zone model therefore has a single point of failure for the writable version of the zone. If the primary zone is not available on the network, no changes can be made to the zone. However, queries for names in the zone can continue uninterrupted as long as secondary zones are available.

Selecting the replication scope of a zone integrated in Active Directory

On the Active Directory Zone Replication Scope page of the New Zone Wizard, you can select the domain controllers on your network that will store the zone data. This page only appears if you selected the "Store the zone in Active Directory" option. The replication scope options determine the domain controllers among which the zone data will be replicated.

This page contains the following options:

Store the zone on all domain controllers that are also DNS servers in the entire Active Directory forest;

Store the zone on all domain controllers that are also DNS servers in the local Active Directory domain;

Store the zone on all domain controllers in the local Active Directory domain (used for compatibility with Windows 2000);

Store the zone on all domain controllers in the scope of a custom Active Directory directory partition.

These options are described in more detail in the second topic.

Creating Forward and Reverse Lookup Zones

On the Forward or Reverse Lookup Zone page of the New Zone Wizard, you must select the type of zone to be created; Forward Lookup Zone or Reverse Lookup Zone.

In forward lookup zones, DNS servers map FQDNs to IP addresses. In reverse lookup zones, DNS servers map IP addresses to FQDNs. Thus, forward lookup zones answer requests to resolve FQDNs to IP addresses, and reverse lookup zones answer requests to resolve IP addresses to FQDNs. Note that forward lookup zones are named after the DNS domain names for which resolution is performed, such as google.com. Reverse lookup zones are named by reversing the first three octets of the address space for which name resolution is provided and appending the in-addr.arpa suffix. For example, if you resolve names for the subnet 192.168.1.0/24, the reverse lookup zone is named 1.168.192.in-addr.arpa. In a forward lookup zone, a single database entry that maps a hostname to an address is called a host (A) record. In a reverse lookup zone, a single database entry that maps an IP address to a hostname is called a pointer (PTR) record.

The principle of forward and reverse lookups is shown in the figure (panels: Forward Lookup Zone, Reverse Lookup Zone).
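The naming rules above, worked through in Python as an added example that is not from this lesson: derive the reverse lookup zone name from a subnet, the PTR owner name from an address, generate matching A and PTR records, and check that every A record is confirmed by a PTR pointing back (the check that reveals stale or missing reverse entries). The zone name example.internal and the host list are constructed placeholders, since the lesson does not name a zone.

```python
import ipaddress
from typing import Dict, List, Tuple


def reverse_zone_name(network: str) -> str:
    """Name of the in-addr.arpa zone authoritative for an IPv4 /8, /16 or /24."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("expected an IPv4 prefix on an octet boundary (/8, /16, /24)")
    kept = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(kept)) + ".in-addr.arpa"


def ptr_owner_name(address: str) -> str:
    """Owner name of the PTR record for one IPv4 address (all four octets reversed)."""
    return ipaddress.IPv4Address(address).reverse_pointer


def build_zone_records(zone: str, hosts: Dict[str, str], network: str,
                       ttl: int = 3600) -> Tuple[List[str], List[str]]:
    """Zone-file lines for the forward zone and the matching reverse zone.

    A host whose address lies outside `network` gets an A record but no PTR here,
    because its PTR belongs in a different reverse lookup zone.
    """
    net = ipaddress.ip_network(network, strict=True)
    forward, reverse = [], []
    for host, ip in hosts.items():
        addr = ipaddress.IPv4Address(ip)
        fqdn = f"{host}.{zone.rstrip('.')}."
        forward.append(f"{fqdn} {ttl} IN A {addr}")
        if addr in net:
            reverse.append(f"{addr.reverse_pointer}. {ttl} IN PTR {fqdn}")
    return forward, reverse


def forward_reverse_mismatches(a_records: Dict[str, str],
                               ptr_records: Dict[str, str]) -> List[str]:
    """FQDNs whose A record is not confirmed by a PTR pointing back to the same name."""
    bad = []
    for fqdn, ip in a_records.items():
        owner = ipaddress.IPv4Address(ip).reverse_pointer + "."
        if ptr_records.get(owner) != fqdn:
            bad.append(fqdn)
    return bad


# Constructed sample: a placeholder zone name (the lesson does not give one)
# with the gateway host from the earlier A-record example.
SAMPLE_ZONE = "example.internal"
SAMPLE_HOSTS = {"gateway": "192.168.0.1", "files": "192.168.0.20", "vpn": "10.0.5.3"}
SAMPLE_NETWORK = "192.168.0.0/24"


def sample_records() -> Tuple[List[str], List[str]]:
    return build_zone_records(SAMPLE_ZONE, SAMPLE_HOSTS, SAMPLE_NETWORK)


if __name__ == "__main__":
    fwd, rev = sample_records()
    print("reverse zone:", reverse_zone_name(SAMPLE_NETWORK))
    print("\n".join(fwd + rev))
```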

NOTE: DNS Server Setup Wizard

You can use the Configure A DNS Server Wizard to create forward and reverse lookup zones at the same time. To start the wizard, right-click the server icon in the DNS Manager console tree and use the Configure A DNS Server command.

Choosing a zone name

On the Zone Name page of the New Zone Wizard, you can select the name of the forward lookup zone to create. Reverse lookup zones are given specific names according to the range of IP addresses for which they are authoritative.

If you are creating a zone to resolve names in an Active Directory domain, it is best to specify a zone name that matches the name of the Active Directory domain. For example, if an organization has two Active Directory domains named google.ru and translate.google.ru, the naming infrastructure must include two zones with names that match those domain names.

If you create a zone for a DNS namespace outside of an Active Directory environment, you must specify the organization's Internet domain name, such as wikipedia.org.

NOTE: Adding DNS servers to a domain controller

To add a DNS server to an existing domain controller, a copy of the primary zone is usually added to provide name resolution in the local Active Directory domain. To do this, simply create a zone whose name matches the name of an existing zone in the local Active Directory domain. The new zone will be populated with data from other DNS servers in the domain.

Configuring Dynamic Update Options

DNS client computers can register and dynamically update their resource records with a DNS server. By default, DNS clients with static IP addresses update host (A or AAAA) and pointer (PTR) records, while DNS clients that are DHCP clients only update host records. In a workgroup environment, the DHCP server updates the pointer entries on behalf of the DHCP client each time the IP configuration is updated.

For dynamic DNS updates to succeed, the zone in which clients register or update records must be configured to accept dynamic updates. There are two types of such an update:

Secure updates (Secure only)

Only computers that are members of the Active Directory domain can register records, and a record can later be updated only by the security principal that originally registered it (the ACL on the record enforces this). This option is available only for Active Directory-integrated zones.

Nonsecure updates (Nonsecure and secure)

Any computer can register or update any record. Because an unauthenticated host on the network can then overwrite the A or PTR record of a server and redirect its clients, this option should be avoided outside isolated lab networks.

On the Dynamic Update page of the New Zone Wizard, you can choose secure only, nonsecure and secure, or no dynamic updates for the zone you are creating.

Examining the built-in resource records

When you create a new zone, two types of records are created automatically. First, every zone includes a Start Of Authority (SOA) record that defines the basic properties of the zone. In addition, a new zone contains at least one name server (NS) record that names the authoritative server(s) for the zone. The functions of these two resource records are described below.

Start of Authority (SOA) records

When a zone is loaded, the DNS server uses the zone's Start Of Authority (SOA) record to determine the basic properties of the zone. These parameters also govern how often zone transfers occur between the primary and secondary servers. Double-clicking the SOA record opens the Start Of Authority (SOA) tab of the zone's properties dialog box.

Serial Number

This text box on the Start Of Authority (SOA) tab contains the revision number of the zone file. The number is incremented each time a resource record in the zone changes. It can also be increased manually with the Increment button.

If the zone is configured to perform zone transfers to one or more secondary servers, those secondary servers periodically request the zone's serial number from the primary server. Such requests are called SOA queries. If the serial number returned by the primary equals the serial number the secondary already holds, no transfer takes place. If the serial number on the primary server is greater than the value on the requesting secondary server, the secondary initiates a zone transfer. Note the direction of the comparison: a zone rebuilt with a smaller serial number is never pulled by the secondaries until the primary's serial exceeds theirs again.

NOTE: Zone transfer from the primary server

Clicking the Increment button raises the serial number, so secondary servers pull a new copy of the zone at their next SOA query, or immediately when the primary notifies them.

Primary Server

This field holds the FQDN of the primary DNS server for the zone (the MNAME field of the SOA record). Secondary servers direct their SOA queries and zone transfer requests to this server.

Responsible Person

In this field, enter the Responsible Person (RP) name corresponding to the zone administrator's domain mailbox. The name entered in this field must always end with a dot, and the first dot stands in for the @ of the mail address, so hostmaster.contoso.com. means hostmaster@contoso.com. The default name is hostmaster.

Refresh Interval

The value in this field determines how long the secondary DNS server waits before requesting a zone update from the primary server. After the refresh interval has elapsed, the secondary DNS server queries the primary server for a copy of the current SOA record. After receiving the response, the secondary DNS server compares the serial number in the primary server's SOA record with the serial number of its local SOA record. If the primary's serial number is newer, the secondary DNS server requests a zone transfer from the primary DNS server. The default refresh interval is 15 minutes.

Retry Interval

The value in this field determines how long the secondary server waits before trying again after a failed refresh attempt (for example, when the primary server did not answer the SOA query). The default retry interval is 10 minutes.

Expires After

The value in this field determines how long the secondary server continues to answer queries from DNS clients without having successfully contacted the primary server. After this time, the secondary's data is considered unreliable and the server stops answering queries for the zone. The default for this setting is one day.

Minimum (Default) TTL

TTL values do not apply to resource records within authoritative zones; they determine how long non-authoritative servers may keep a record in their cache. A DNS server that cached a resource record from an earlier query discards it once the record's TTL expires. The value in this field is the TTL applied to every record in the zone that does not carry an explicit TTL of its own. The default is one hour.

TTL For This Record

The value specified in this field determines the lifetime of the SOA record itself. It overrides the default value specified in the previous field.
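As an added example (not from the original text), the following Python code parses a single-line SOA record such as a standard zone file carries, converts the responsible-person field to a mail address, and decides what a secondary server should do given the SOA values above and the serial number the primary reports. The comparison uses RFC 1982 serial arithmetic, which is what keeps the "greater than" test in the text correct across the 32-bit wraparound. The zone name and serial values are constructed for the example; the interval values (15 min, 10 min, 1 day, 1 hour) are the Windows defaults described in this section.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One-line SOA: owner [ttl] [IN] SOA mname rname serial refresh retry expire minimum
SOA_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)"
    r"\s+(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)"
    r"\s+(?P<expire>\d+)\s+(?P<minimum>\d+)\s*$"
)


@dataclass(frozen=True)
class SOA:
    owner: str
    mname: str      # primary server (the "Primary server" field)
    rname: str      # responsible person mailbox, with '.' in place of '@'
    serial: int
    refresh: int    # all intervals in seconds
    retry: int
    expire: int
    minimum: int    # default TTL for records without their own TTL


def parse_soa(line: str) -> SOA:
    """Parse a one-line SOA record (the multi-line parenthesised form is out of scope)."""
    m = SOA_LINE.match(line.strip())
    if not m:
        raise ValueError("not an SOA record: " + line)
    ints = {k: int(m.group(k)) for k in ("serial", "refresh", "retry", "expire", "minimum")}
    for k, v in ints.items():
        if v > 0xFFFFFFFF:
            raise ValueError(f"{k} exceeds 32 bits")
    return SOA(m.group("owner"), m.group("mname"), m.group("rname"), **ints)


def rname_to_email(rname: str) -> str:
    """hostmaster.lucernepublishing.com. -> hostmaster@lucernepublishing.com
    The first unescaped dot separates mailbox from domain (RFC 1035, 3.3.13)."""
    name = rname.rstrip(".")
    m = re.search(r"(?<!\\)\.", name)
    if not m:
        return name
    return name[:m.start()].replace("\\.", ".") + "@" + name[m.end():]


def serial_newer(candidate: int, current: int) -> bool:
    """RFC 1982: is 'candidate' ahead of 'current' in 32-bit serial space?"""
    if candidate == current:
        return False
    diff = (candidate - current) % (1 << 32)
    return 0 < diff < (1 << 31)


def secondary_decision(local: SOA, seconds_since_refresh: int,
                       primary_serial: Optional[int]) -> str:
    """What the secondary does after the given time since its last good refresh.
    primary_serial=None means the SOA query to the primary got no answer."""
    if seconds_since_refresh < local.refresh:
        return "wait"                       # refresh interval not yet elapsed
    if primary_serial is None:
        if seconds_since_refresh >= local.expire:
            return "expired"                # stop answering for the zone
        return "retry"                      # ask again after the retry interval
    if serial_newer(primary_serial, local.serial):
        return "transfer"                   # primary has a newer zone: AXFR/IXFR
    return "up-to-date"                     # equal or older serial: no transfer
```

Note that an older serial on the primary yields "up-to-date" rather than a transfer, which is exactly the trap described in the note above when a zone file is restored with a smaller serial number.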

Name server entries

The name server (NS) entry specifies the authoritative server for the zone. When you create a zone in Windows Server 2008, each server that manages the master copy of an AD-integrated zone will have its own NS record in the new zone by default. When you create a standard primary zone, the local server's NS record will be added by default.

For servers that manage secondary zones, you must manually add NS records to the master copy of the zone.

NS records are created using a different procedure from other resource record types. To add NS records, in DNS Manager, double-click any existing NS record. The Name Servers tab of the zone properties dialog box opens. On the Name Servers tab, click the Add button and enter the FQDN and IP address of the server that hosts a secondary copy of the local primary zone. After you add the new server and click OK, DNS Manager displays a new NS record for that server.

NOTE: Enabling zone transfers to secondary servers

The secondary server cannot act as a valid name server for the zone until it holds a valid copy of the zone data. For the secondary zone to receive that data, zone transfers must be allowed to that server on the Zone Transfers tab of the zone properties dialog box. Restrict transfers to the servers listed on the Name Servers tab or to specific addresses: a zone that allows transfers to any server lets anyone enumerate every record in it with a single AXFR request. This tab is described in more detail in the next topic.

The following is an example of an entry created in a standard zone file:

@ NS dns1.lucernepublishing.com.

The @ symbol represents the zone defined by the SOA record in the zone file. The complete record therefore declares dns1.lucernepublishing.com as a name server for the lucernepublishing.com zone.

Create resource records

In addition to SOA and NS records, some other resource records are automatically created. For example, during the installation of a new DNS server, when the server is designated as a domain controller, many Active Directory Domain Services (AD DS) SRV records are created automatically in the locally managed zone. In addition, many DNS clients automatically register host (A and AAAA) and pointer (PTR) records in the zone by default through dynamic update.

Although many resource records are created automatically, corporate environments typically require you to create some resource records manually, such as mail exchanger (MX) records for mail servers, alias (CNAME) records for web and application servers, and host records for servers and clients that cannot perform their own updates.

To manually add a resource record to a zone, in the DNS Manager console, right-click the zone icon and select the type of record to create from the context menu.

After you select a record type from the context menu, a dialog box opens in which you specify the name of the record and the computer it refers to. Note that only host records associate a computer name with an IP address. Most other record types associate a service name or alias with an existing host record. For example, an MX record for nwtraders.msft relies on the presence of the host record SRV12.nwtraders.msft in the zone.

Record Types

The following are the most common manually created resource records:

  • host (A or AAAA);
  • alias (CNAME);
  • mail exchanger (MX);
  • pointer (PTR);
  • service location (SRV).

Host (A or AAAA)

For most networks, the bulk of the resource records in the zone database are host resource records. These records associate computer names (host names) with IP addresses.

Even with dynamic updates enabled for a zone, some scenarios require you to add host records manually. In the following scenario, Contoso, Inc. uses the domain name contoso.com both in the public namespace and for its internal Active Directory domain. The public web server www.contoso.com is located outside the Active Directory domain and updates only the public authoritative DNS server for contoso.com. Internal clients, however, send their DNS queries to the internal DNS servers. Because the www.contoso.com A record is never dynamically registered on the internal DNS servers, it must be added there manually so that internal clients can resolve the name and connect to the public web server.

Host records must also be added manually when the network includes servers that do not register themselves. For example, Fabrikam, Inc. has one Active Directory domain on its private network named fabrikam.com. The network also includes the UNIX server App1.fabrikam.com, which runs an application critical to the company's day-to-day operations. Because this UNIX server does not perform dynamic updates against the Windows zone (and, not being a domain member, could not perform secure updates in any case), you must manually add a host record for App1 on the DNS server that hosts the fabrikam.com zone. Otherwise, users will not be able to connect to the application server by its FQDN.

Alias (CNAME)

These records are also called canonical name records. They let several names refer to a single host. For example, well-known service names such as ftp and www are typically registered as CNAME records that map the service name to the A record of the computer that actually provides the service.

CNAME records are useful in the following cases:

  • when you want to rename a host that already has an A record in the same zone, keeping the old name working during the transition;
  • when a well-known service name (for example www) needs to resolve to a generic name behind which a group of individual computers (each with its own A record) provides the same service, such as a set of redundant web servers.

Mail exchanger (MX)

These records are used by e-mail applications to locate the mail server for a domain. They map the domain name used in an e-mail address to the A record of the computer that runs the mail server for that domain. This record type is what allows mail to be delivered to addresses that name only a domain and not a particular server.

Often, several MX records are created to provide failover to another mail server in case the preferred server becomes unavailable.

Each MX record carries a preference value. The lower the value, the more preferred the server; a sending server tries the lowest-preference server first and moves to the next only if it cannot deliver there.

NOTE: The @ symbol

In an e-mail address, the @ symbol separates the mailbox name from the domain name; it is the domain part that the sending mail server looks up with an MX query.

Pointer (PTR)

This record is used only in reverse lookup zones to support reverse lookups, that is, resolving IP addresses to host names or FQDNs. Reverse lookups for IPv4 are performed under the in-addr.arpa domain (and under ip6.arpa for IPv6). PTR records can be added to zones manually or registered automatically.

The following is the textual representation, in a zone file, of a PTR record created in DNS Manager that maps the IP address 192.168.0.99 to the host name server1.google.ru:

99 PTR server1.google.ru.

NOTE: The 99 PTR record

In a reverse lookup zone for a /24 network, the last octet of the IPv4 address serves as the record's owner name. Therefore, the number 99 is the name of the record within the zone 0.168.192.in-addr.arpa, which corresponds to the 192.168.0.0/24 subnet.
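As an added example (not part of the original article), the following Python code derives reverse lookup zone names as described at the start of this section and builds the relative PTR owner name for an address, using only the standard library; it handles ip6.arpa as well as in-addr.arpa. It also adds the check a practitioner wants before trusting a PTR answer: the name must resolve back to the address (forward-confirmed reverse DNS), because the PTR data is controlled by whoever runs the reverse zone. The lookup table and the mail.contoso.com entry are constructed for the example; the 192.168.0.99 / server1.google.ru pair is the one from the text.

```python
import ipaddress
from typing import Callable, List, Tuple


def reverse_zone_name(network: str) -> str:
    """Name of the reverse lookup zone for an octet-aligned IPv4 network
    (/8, /16, /24) or a nibble-aligned IPv6 network.

    192.168.1.0/24 -> 1.168.192.in-addr.arpa
    2001:db8::/32  -> 8.b.d.0.1.0.0.2.ip6.arpa
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            # Classless (e.g. /26) reverse zones need RFC 2317-style delegation.
            raise ValueError("IPv4 reverse zones are cut on octet boundaries")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones are cut on nibble boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_record(address: str, hostname: str, zone: str) -> Tuple[str, str]:
    """Return (owner name relative to the zone, zone-file line) for a PTR record.

    For 192.168.0.99 in 0.168.192.in-addr.arpa the owner name is just '99',
    exactly as the note in the text describes.
    """
    full = ipaddress.ip_address(address).reverse_pointer  # '99.0.168.192.in-addr.arpa'
    suffix = "." + zone.rstrip(".")
    if not full.endswith(suffix):
        raise ValueError(f"{address} does not belong to zone {zone}")
    relative = full[: -len(suffix)]
    fqdn = hostname if hostname.endswith(".") else hostname + "."
    return relative, f"{relative} PTR {fqdn}"


def forward_confirmed(address: str, ptr_name: str,
                      lookup: Callable[[str], List[str]]) -> bool:
    """Forward-confirmed reverse DNS: accept the PTR name only if resolving it
    forward yields the original address. 'lookup' returns the A/AAAA addresses
    for a name; in production it would be a real resolver call."""
    addr = ipaddress.ip_address(address)
    return any(ipaddress.ip_address(a) == addr for a in lookup(ptr_name.rstrip(".")))


# Constructed forward data standing in for a resolver (not real records).
FAKE_FORWARD = {
    "server1.google.ru": ["192.168.0.99"],
    "mail.contoso.com": ["192.0.2.25"],
}


def fake_lookup(name: str) -> List[str]:
    return FAKE_FORWARD.get(name, [])


if __name__ == "__main__":
    print(reverse_zone_name("192.168.1.0/24"))
    print(ptr_record("192.168.0.99", "server1.google.ru", "0.168.192.in-addr.arpa")[1])
    print(forward_confirmed("192.168.0.99", "server1.google.ru.", fake_lookup))
```

The forward-confirmation step is what anti-spam and logging code should do with a PTR answer: a PTR that points at mail.contoso.com for an address that mail.contoso.com does not resolve to is rejected.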

Service location (SRV)

SRV records are used to specify the location of services in a domain. Client applications that are SRV-aware can use DNS to retrieve the SRV records of the servers that provide a service.

The best-known SRV-aware application is Active Directory in Windows Server 2008. The Net Logon service uses SRV records to locate domain controllers that answer Lightweight Directory Access Protocol (LDAP) queries for the domain. SRV records can also be added manually to provide fault tolerance for, or to help troubleshoot, other network services.

Enabling WINS lookup from DNS

On the WINS tab of the zone properties dialog box, you can specify a WINS server that the DNS Server service contacts to look up names it cannot find through DNS. When you specify a WINS server on the WINS tab of a forward lookup zone, a special WINS record pointing to that WINS server is added to the zone. When you specify a WINS server on the WINS tab of a reverse lookup zone, a special WINS-R record identifying that WINS server is added to the zone.

For example, if a DNS client requests the name ClientZ.contoso.com and the preferred DNS server cannot find an answer from its usual sources (cache, local zone data, and queries to other servers), the server looks up the NetBIOS name CLIENTZ on the WINS server specified in the WINS record. If the WINS server answers, the DNS server returns that answer to the client. Keep in mind that WINS name registrations are unauthenticated, so a name resolved this way is only as trustworthy as the hosts allowed to register with the WINS server.

Aging and scavenging of stale records

DNS uses timestamps to track the age of dynamically registered resource records. Scavenging is the process of removing timestamped records that have become stale. Scavenging can be performed only when timestamps (aging) are in use. Aging and scavenging work together to remove old records that would otherwise accumulate in a zone over time, for example records of laptops that registered once and never returned. By default, aging and scavenging are disabled.

Enabling scavenging

To enable scavenging for a particular zone, you must enable the feature at both the server level and the zone level.

To enable server-level scavenging, in the DNS Manager console tree, right-click the server icon and use the Set Aging/Scavenging For All Zones command. Then, in the Server Aging/Scavenging Properties dialog box, select the Scavenge Stale Resource Records check box. Although this setting enables aging and scavenging at the server level for all new zones, it does not enable aging and scavenging for existing Active Directory-integrated zones.

To enable them as well, click OK, and then in the Server Aging/Scavenging Confirmation dialog box that appears, select the check box to apply these settings to existing Active Directory-integrated zones.

To enable aging and scavenging at the zone level, open the zone properties, and on the General tab click the Aging button. In the Zone Aging/Scavenging Properties dialog box, select the Scavenge Stale Resource Records check box.

Timestamps

The DNS server performs scavenging by using the timestamps set on the resource records in the zone. Active Directory-integrated zones timestamp dynamically registered records by default, even before scavenging is enabled. Standard primary zones, however, do not timestamp dynamically registered records until scavenging is enabled. Manually created resource records, in zones of every type, are given a timestamp of 0, which means they never age and are never scavenged.

No-refresh interval

The no-refresh interval is the time between the most recent refresh of a record's timestamp and the earliest moment at which the timestamp may be refreshed again. During this interval the server ignores dynamic updates that would only refresh the timestamp (an update that changes the record's data is still applied). This suppresses unnecessary writes and, for Active Directory-integrated zones, unnecessary replication traffic. By default, the no-refresh interval is 7 days.

Refresh interval

The refresh interval is the time between the earliest moment a timestamp may be refreshed and the earliest moment the record may be scavenged. A record becomes eligible for scavenging only after both the no-refresh and the refresh interval have elapsed since its timestamp. The default refresh interval is also 7 days, so with aging enabled a dynamically registered record that is never refreshed can be removed after 14 days. Choose the intervals to match how often clients re-register (Windows clients refresh their own records every 24 hours by default) and the DHCP lease time; otherwise records of live hosts can be scavenged.
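The aging rules above, as an added Python example that is not part of the original text: a record carries a timestamp or none (modelling the 0 of a manually created record), a dynamic update that only repeats existing data refreshes the timestamp once the no-refresh interval has passed and is ignored before that, an update that changes the data is always applied, and a record is scavenged once both intervals have elapsed. Names, addresses and the reference date are constructed for the example; the 7-day intervals are the defaults described above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

NO_REFRESH = timedelta(days=7)   # default no-refresh interval
REFRESH = timedelta(days=7)      # default refresh interval
EPOCH = datetime(2024, 1, 1)     # constructed reference time for the example


def days_after(n: int) -> datetime:
    """Helper for building timestamps relative to the reference time."""
    return EPOCH + timedelta(days=n)


@dataclass
class Record:
    name: str
    data: str                      # e.g. an IPv4 address for an A record
    timestamp: Optional[datetime]  # None models the timestamp 0 of a static record


def can_refresh(rec: Record, now: datetime, no_refresh: timedelta = NO_REFRESH) -> bool:
    """A timestamp-only refresh is accepted only after the no-refresh interval."""
    return rec.timestamp is not None and now >= rec.timestamp + no_refresh


def is_stale(rec: Record, now: datetime, no_refresh: timedelta = NO_REFRESH,
             refresh: timedelta = REFRESH) -> bool:
    """Eligible for scavenging once no-refresh + refresh has elapsed; static records never are."""
    return rec.timestamp is not None and now >= rec.timestamp + no_refresh + refresh


def apply_dynamic_update(rec: Record, new_data: str, now: datetime) -> str:
    """Outcome of a client's dynamic update against an existing record."""
    if new_data != rec.data:
        rec.data, rec.timestamp = new_data, now   # a real change is always written
        return "changed"
    if can_refresh(rec, now):
        rec.timestamp = now
        return "refreshed"
    return "ignored"                               # still inside the no-refresh interval


def scavenge(zone: List[Record], now: datetime) -> List[str]:
    """Remove stale records in place and return the names that were removed."""
    removed = [r.name for r in zone if is_stale(r, now)]
    zone[:] = [r for r in zone if not is_stale(r, now)]
    return removed
```

Running the functions over a small zone shows the 14-day arithmetic: a record stamped on day 0 and never refreshed survives a scavenging pass on day 13 and is removed on day 14, while the static record is never touched.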

Performing scavenging

Scavenging is performed on a zone either automatically or manually. To have it performed automatically, enable the automatic scavenging of stale resource records on the Advanced tab of the DNS server properties dialog box and set the scavenging period.

If that option is not enabled, you can scavenge the zones manually by right-clicking the server icon in the DNS Manager console tree and using the Scavenge Stale Resource Records command.

GlobalNames zone

Windows Server 2008 introduces a feature that lets all DNS clients in an Active Directory forest use single-label names, such as Mail, to connect to server resources. It is useful when the DNS suffix search list of the clients does not let users connect quickly (or at all) to a resource by such a single-label name.

The Windows Server 2008 DNS server lets you create a zone called GlobalNames. By default no such zone exists, but once you deploy a zone with this name, selected resources become reachable by single-label names without WINS. Typically, single-label names are assigned to important, widely used servers that already have static IP addresses. GlobalNames support must first be enabled on each DNS server with the command dnscmd . /config /enableglobalnamessupport 1; to enable it on a remote server, replace the dot with the name of the remote server.

Creating the GlobalNames zone

The next step in deploying the GlobalNames zone is to create the zone on a DNS server that is also a Windows Server 2008 domain controller. The GlobalNames zone is not a special zone type; it is simply an Active Directory-integrated forward lookup zone named GlobalNames. When creating the zone, choose to replicate the zone data to all DNS servers in the forest (this option is on the Replication Scope page for an Active Directory-integrated zone). To enable single-label name resolution, create an alias (CNAME) resource record in the GlobalNames zone for each resource. The name assigned to each CNAME record is the single-label name that users can use to connect to the resource. Note that each CNAME record points to a host record in another zone.

At one time I discovered a simple truth for myself: if you want to remember something, take notes (even when reading a book), but if you want to consolidate and systematize it, convey it to people (write an article). Therefore, after two years of work in system integration (a field that I, as a system administrator, had considered a cornucopia for specialists thirsty to level up), when I realized that knowledge was gradually being replaced by the skills of editing documentation and configuring according to manuals and instructions, I began writing articles about basic things to keep in shape. For example, this one about DNS. At the time I did it more for myself, but I thought that it might come in handy for someone.

DNS is, if not the key service in modern networks, then one of the key ones. Those for whom the DNS service is nothing new can safely skip the first part.


1. Basic information

DNS is a database containing mainly information about mapping network object names to their IP addresses. “Mostly” - because there is some other information stored there. More specifically, Resource Records (RR) of the following types:

A- the same mapping of the symbolic name of the domain to its IP address.

AAAA- same as A, but for IPv6 addresses.

CNAME- Canonical NAME - alias. If you want a server with an unreadable name, such as nsk-dc2-0704-ibm, on which the corporate portal is running, to also respond to the name portal, you can create another record of type A for it, with the name portal and the same IP address. But then, in case of changing the IP address (anything happens), it will be necessary to recreate all such records again. And if you make a CNAME named portal pointing to nsk-dc2-0704-ibm, then you won't have to change anything.

MX- Mail eXchanger - pointer to the mail exchanger. Like CNAME, it is a symbolic pointer to an already existing record of type A, but in addition to the name it also contains a priority. There can be several MX records for one mail domain, but first of all, mail will be sent to the server for which the lower value is specified in the priority field. If it is unavailable - to the next server, etc.

NS- Name Server - contains the name of the DNS server responsible for this domain. Naturally, for each record of type NS there must be a corresponding record of type A.

SOA- Start of Authority - indicates on which of the NS servers the reference information about this domain is stored, the contact information of the person responsible for the zone, the timings for storing information in the cache.

SRV - a pointer to the server that hosts some service (used by AD services and, for example, by Jabber/XMPP). Besides the server name, it contains the fields Priority (like the MX preference), Weight (used to balance load between servers with the same priority: clients pick a server at random with probability proportional to its weight) and Port, the port on which the service listens for requests.

All of the above record types live in forward lookup zones. There is also the reverse lookup zone, which holds PTR (PoinTeR) records, the opposite of A records: a PTR maps an IP address to its symbolic name. PTR records serve reverse queries, that is, finding a host name from its IP address. They are not required for DNS to function, but various diagnostic utilities need them, as do some kinds of anti-spam checks in mail services.

In addition, the zones themselves, which store information about the domain, are of two types (classically):

Primary: a text file containing information about the hosts and services of the domain. The file can be edited.

Secondary: also a text file, but unlike the primary it cannot be edited. It is pulled automatically from the server that holds the primary zone. It increases availability and reliability.

To register a domain on the Internet, at least two DNS servers must hold information about it.

Windows 2000 introduced the AD-integrated zone type: the zone is stored not in a text file but in the AD database, which lets it replicate to other domain controllers together with AD, using AD's own replication mechanisms. The main advantage of this option is the ability to use secure dynamic registration in DNS, so that only computers that are members of the domain can create records about themselves.

Windows Server 2003 added the stub zone. It stores only information about the DNS servers that are authoritative for a given domain, that is, its NS records (plus the SOA record and the glue A records for those name servers). In purpose it resembles conditional forwarding, which appeared in the same Windows Server version, but the list of servers to which queries are sent is updated automatically.

Iterative and recursive queries

Clearly, a single DNS server cannot know about every domain on the Internet. So when it receives a query for a name it does not know, for example metro.yandex.ru, the following sequence of iterations takes place:

The DNS server refers to one of the Internet root servers that store information about the authorized holders of first-level domains or zones (ru, org, com, etc.). It reports the received address of the authoritative server to the client.

The client addresses the holder of the ru zone with the same request.

The DNS server of the RU zone looks for the corresponding entry in its cache and, if it does not find it, returns to the client the address of the server that is authoritative for the second-level domain - in our case, yandex.ru

The client accesses DNS yandex.ru with the same request.

Yandex DNS returns the desired address.

Such a sequence of events is rare nowadays, because there is such a thing as a recursive query: the DNS server that the client contacted first performs all the iterations on the client's behalf, returns the finished answer to the client, and stores the result in its cache. Support for recursive queries can be disabled on a server, and it should be disabled, or restricted to the server's own clients, on any server reachable from the Internet: an open recursive resolver can be abused for cache poisoning attempts and as a reflector in amplification attacks. Most resolvers nonetheless support recursion for their clients.

The client, as a rule, sends a query with the "recursion desired" flag set.
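The two resolution modes described above, as an added Python simulation that is not part of the original article. A tiny constructed namespace (a root server, the ru server and the yandex.ru server, with made-up addresses from the documentation range 192.0.2.0/24 and a made-up ISP resolver) lets a client walk the referral chain itself, or ask a recursive resolver that walks it on the client's behalf and caches the result. It also shows why recursion should be restricted: a server that does not recurse hands out referrals or refusals only, while an open recursive resolver does the whole walk for anyone who asks.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Server:
    name: str
    zone: str                          # zone this server is authoritative for ("." = root)
    records: Dict[str, str]            # A records: owner name -> address
    delegations: Dict[str, List[str]]  # child zone -> its name servers
    recursion: bool = False            # does it perform recursion for clients?
    cache: Dict[str, str] = field(default_factory=dict)


SERVERS: Dict[str, Server] = {}


def add(server: Server) -> None:
    SERVERS[server.name] = server


# Constructed namespace for the simulation; names and addresses are not real data.
add(Server("a.root-servers.net.", ".", {}, {"ru.": ["ns.ru."]}))
add(Server("ns.ru.", "ru.", {}, {"yandex.ru.": ["ns1.yandex.ru."]}))
add(Server("ns1.yandex.ru.", "yandex.ru.",
           {"metro.yandex.ru.": "192.0.2.10", "www.yandex.ru.": "192.0.2.11"}, {}))
add(Server("resolver.isp.example.", "", {}, {}, recursion=True))


def in_zone(name: str, zone: str) -> bool:
    return zone == "." or name == zone or name.endswith("." + zone)


def authoritative_reply(server: Server, qname: str) -> Tuple[str, Optional[object]]:
    """What a server answers from its own data alone (no recursion)."""
    if qname in server.records:
        return "answer", server.records[qname]
    delegated = [z for z in server.delegations if in_zone(qname, z)]
    if delegated:
        child = max(delegated, key=len)              # closest enclosing delegation
        return "referral", server.delegations[child]
    if server.zone and in_zone(qname, server.zone):
        return "nxdomain", None                      # authoritative: name does not exist
    return "refused", None                           # not our zone and we do not recurse


def iterative_resolve(qname: str, trace: List[str],
                      root: str = "a.root-servers.net.") -> Optional[str]:
    """The client-driven walk from the text: start at the root, follow referrals."""
    server = SERVERS[root]
    for _ in range(16):                              # bound the chain against referral loops
        trace.append(server.name)
        kind, data = authoritative_reply(server, qname)
        if kind == "answer":
            return data
        if kind != "referral":
            return None
        server = SERVERS[data[0]]                    # glue assumed: we know the NS address
    raise RuntimeError("referral loop for " + qname)


def query(server_name: str, qname: str, rd: bool = True) -> Tuple[str, Optional[object], List[str]]:
    """One query as the client sees it: (kind, data, servers contacted on our behalf).
    With RD set and recursion enabled, the server does the walk and caches the answer."""
    server = SERVERS[server_name]
    trace: List[str] = []
    if rd and server.recursion:
        if qname in server.cache:
            return "answer", server.cache[qname], trace   # served from cache, no walk
        addr = iterative_resolve(qname, trace)
        if addr is None:
            return "nxdomain", None, trace
        server.cache[qname] = addr
        return "answer", addr, trace
    kind, data = authoritative_reply(server, qname)
    return kind, data, trace
```

The first query to the resolver returns the answer with a trace of three servers; the second identical query is answered from the cache with an empty trace, which is the behaviour that makes recursive resolvers both fast and, when unprotected, a target for cache poisoning.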

2. A little about the DNS message format

The message consists of a 12-byte header followed by 4 variable length fields.

The header consists of the following fields:

[Figure: DNS message format]

Identification: the client generates an identifier in this field, and the server copies it into the corresponding field of its response, so that the client can tell which query an answer belongs to.

Flags is a 16-bit field divided into 8 parts:

  • QR (message type), a 1-bit field: 0 indicates a query, 1 a response.
  • opcode, a 4-bit field. The usual value is 0 (standard query). Other values are 1 (inverse query, now obsolete) and 2 (server status request).
  • AA, a 1-bit flag meaning "authoritative answer": the responding server is authoritative for the domain named in the question section.
  • TC, a 1-bit flag meaning "truncated". Over UDP it indicates that the full response exceeded 512 bytes and only the first 512 bytes were returned.
  • RD, a 1-bit flag meaning "recursion desired". The bit is set in a query and copied into the response. It asks the DNS server to resolve the name itself (that is, to find the requested IP address rather than return the address of another DNS server), which is called a recursive query. If this bit is not set and the queried server does not have an authoritative answer, it returns a list of other DNS servers that must be contacted to obtain the answer. This is called an iterative query. Examples of both kinds of query follow.
  • RA, a 1-bit flag meaning "recursion available". It is set to 1 in a response if the server offers recursion. Most resolvers set it, with the notable exception of the root servers, which do not offer recursion at all.
  • Z, a 3-bit field that must be 0.
  • rcode, a 4-bit return code. Common values are 0 (no error) and 3 (name error, NXDOMAIN). A name error originates only from an authoritative server (a recursive server relays it) and means that the domain name in the query does not exist.

The next four 16-bit fields indicate the number of items in the four variable length fields that complete the record. In a request, the number of questions is typically 1 and the other three counters are 0. In a response, the number of answers is at least 1, and the remaining two counters can be zero or non-zero.

Example (obtained using WinDump when running the ping www.ru command):

IP KKasachev-nb.itcorp.it.ru.51036 > ns1.it.ru.53: 36587+ A? www.ru. (24)
IP ns1.it.ru.53 > KKasachev-nb.itcorp.it.ru.51036: 36587 1/2/5 A 194.87.0.50 (196)

The first line is the query: my PC name, 51036 is a randomly chosen source port, 53 is the well-known DNS server port, 36587 is the query ID, + means "recursion desired", A is the record type being queried, and the question mark marks this as a query rather than a response. The message length in bytes is shown in brackets.

The second line is the server's response: to the specified source port with the specified request ID. The response contains one RR (DNS Resource Record) which is the response to the query, 2 authority records, and 5 additional records of some kind. The total length of the response is 196 bytes.

3.TCP and UDP

It is commonly said that DNS works over UDP (port 53). That is true by default: queries and responses are sent over UDP. However, the TC (Truncated) flag in the message header was mentioned above. It is set to 1 when the response exceeded 512 bytes, the limit for a classic UDP response, and was therefore cut off, so the client received only the first 512 bytes. In that case the client repeats the query over TCP, which can carry large amounts of data reliably. Modern clients advertise a larger UDP buffer with EDNS(0), which raises the limit, but truncation and the TCP fallback still apply whenever a response exceeds the advertised size, so a firewall that blocks TCP port 53 breaks large responses such as DNSSEC-signed answers.

Also, the transfer of zones from the main servers to additional ones is carried out via TCP, since in this case much more than 512 bytes are transferred.

4. DNS in Windows Server 2008 and 2012

Windows 2008 introduces the following features:
Background loading of zones
In very large organizations with extremely large zones that use Active Directory Domain Services to store DNS data, restarting the DNS server can take an hour or more while the DNS data is retrieved from the directory service. At the same time, the DNS server is unavailable to service client requests for the entire time that AD DS zones are being loaded.
A DNS server running Windows Server 2008 now loads zone data from AD DS in the background, so it can still process queries for data from other zones. When the DNS server starts, the following actions are performed:
  • all zones to be loaded are determined;
  • Root hints are loaded from files or an Active Directory Domain Services store;
  • All file-backed zones are loaded, that is, zones stored in files and not in AD DS;
  • processing of requests and remote procedure calls (RPC) begins;
  • One or more threads are created to load zones stored in Active Directory Domain Services.

Because the task of loading zones is performed by separate threads, the DNS server can process queries while the zone is loading. If a DNS client requests data for a host in a zone that is already loaded, the DNS server responds with data (or, if appropriate, a negative response). If a query is made for a host that is not yet loaded into memory, the DNS server reads the host data from Active Directory Domain Services and updates the list of host records accordingly.

Support for IPv6 addresses
Internet Protocol version 6 (IPv6) defines addresses that are 128 bits long, as opposed to IP version 4 (IPv4) addresses that are 32 bits long.
Windows Server 2008 DNS servers now fully support both IPv4 and IPv6 addresses. The dnscmd command-line tool also accepts addresses in both formats. The list of forwarders can contain both IPv4 and IPv6 addresses. DHCP clients can also register IPv6 addresses along with (or instead of) IPv4 addresses. Finally, DNS servers now support the ip6.arpa domain namespace for reverse mapping.
DNS client changes
LLMNR name resolution
DNS client computers can use Link-Local Multicast Name Resolution (LLMNR, RFC 4795; a protocol distinct from Apple's multicast DNS, mDNS, though both serve the same purpose) to resolve names on the local network segment when no DNS server is available. For example, if a subnet is cut off from all DNS servers on the network by a router failure, LLMNR-capable clients on that subnet can still resolve each other's names peer-to-peer until connectivity is restored.

Besides name resolution during an outage, LLMNR can also be useful in ad hoc peer-to-peer settings such as airport lounges. Note, however, that any host on the segment can answer an LLMNR query and nothing authenticates the answer; LLMNR (and NetBIOS name) poisoning is therefore a standard way to capture credentials on corporate networks, and both are commonly disabled through Group Policy where DNS is available.

The Windows Server 2012 changes to DNS mainly concern DNSSEC (securing DNS by adding digital signatures to DNS records), in particular support for dynamic updates in signed zones, which was not available when DNSSEC was enabled in Windows Server 2008.

5. DNS and Active Directory

Active Directory relies heavily on DNS. Domain controllers use it to find each other for replication, and clients use it (together with the Net Logon service) to find the domain controllers that will authenticate them.

To make this discovery possible, when the domain controller role is installed on a server, its Net Logon service registers the corresponding A and SRV records in DNS.

SRV records registered by the Net Logon service:

_ldap._tcp.DnsDomainName
_ldap._tcp.SiteName._sites.DnsDomainName
_ldap._tcp.dc._msdcs.DnsDomainName
_ldap._tcp.SiteName._sites.dc._msdcs.DnsDomainName
_ldap._tcp.pdc._msdcs.DnsDomainName
_ldap._tcp.gc._msdcs.DnsForestName
_ldap._tcp.SiteName._sites.gc._msdcs.DnsForestName
_gc._tcp.DnsForestName
_gc._tcp.SiteName._sites.DnsForestName
_ldap._tcp.DomainGuid.domains._msdcs.DnsForestName
_kerberos._tcp.DnsDomainName
_kerberos._udp.DnsDomainName
_kerberos._tcp.SiteName._sites.DnsDomainName
_kerberos._tcp.dc._msdcs.DnsDomainName
_kerberos._tcp.SiteName._sites.dc._msdcs.DnsDomainName
_kpasswd._tcp.DnsDomainName
_kpasswd._udp.DnsDomainName

The first label of the SRV record name identifies the service the record points to. The following services exist:

_ldap - Active Directory is an LDAP-compliant directory service, with domain controllers acting as LDAP servers. The _ldap SRV records identify the LDAP servers on the network. These can be Windows Server 2000+ domain controllers or other LDAP servers;

_kerberos - the _kerberos SRV records identify all Key Distribution Centers (KDCs) on the network. These can be Windows Server 2003 domain controllers or other KDC servers;

_kpasswd - identifies the Kerberos password change servers on the network;

_gc - a record related to the global catalog feature of Active Directory.

Only Microsoft Windows Server domain controllers register records in the _msdcs subdomain: they register both the main records and the records in that subdomain. Non-Microsoft services register only the main records.

DomainGuid is the globally unique identifier of the domain. The record containing it is needed in case the domain is renamed.
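One way to verify that a domain controller has actually registered the full set of SRV records listed above (added example, not code from the article; the domain, forest, site, GUID and the "observed" DNS answers are constructed):

```python
# Added example (not from the article): build the SRV owner names a DC's Netlogon
# service is expected to register, then compare them against what DNS actually
# holds. Every name and the "observed" answer set below is constructed.
from typing import Dict, List, Set

def expected_srv_names(dns_domain: str, forest: str, site: str, domain_guid: str) -> Set[str]:
    """Return the _ldap/_gc/_kerberos/_kpasswd SRV owner names from the article's list."""
    d, f, s = dns_domain.lower(), forest.lower(), site
    return {
        f"_ldap._tcp.{d}",
        f"_ldap._tcp.{s}._sites.{d}",
        f"_ldap._tcp.dc._msdcs.{d}",
        f"_ldap._tcp.{s}._sites.dc._msdcs.{d}",
        f"_ldap._tcp.pdc._msdcs.{d}",
        f"_ldap._tcp.gc._msdcs.{f}",
        f"_ldap._tcp.{s}._sites.gc._msdcs.{f}",
        f"_gc._tcp.{f}",
        f"_gc._tcp.{s}._sites.{f}",
        f"_ldap._tcp.{domain_guid}.domains._msdcs.{f}",
        f"_kerberos._tcp.{d}",
        f"_kerberos._udp.{d}",
        f"_kerberos._tcp.{s}._sites.{d}",
        f"_kerberos._tcp.dc._msdcs.{d}",
        f"_kerberos._tcp.{s}._sites.dc._msdcs.{d}",
        f"_kpasswd._tcp.{d}",
        f"_kpasswd._udp.{d}",
    }

def missing_registrations(expected: Set[str], observed: Dict[str, List[str]], dc_host: str) -> List[str]:
    """SRV names under which dc_host does not appear as a target (case-insensitive, trailing dot ignored)."""
    dc = dc_host.lower().rstrip(".")
    return sorted(name for name in expected
                  if dc not in {t.lower().rstrip(".") for t in observed.get(name, [])})

# Constructed sample: DNS holds every record for DC1 except the two site-specific
# Kerberos entries, which is what a DC that lost its site assignment would look like.
GUID = "11111111-2222-3333-4444-555555555555"  # constructed placeholder GUID
OBSERVED = {name: ["dc1.corp.example."]
            for name in expected_srv_names("corp.example", "corp.example", "HQ", GUID)}
del OBSERVED["_kerberos._tcp.HQ._sites.corp.example"]
del OBSERVED["_kerberos._tcp.HQ._sites.dc._msdcs.corp.example"]
```

In a real check, `OBSERVED` would be filled from SRV queries against the AD DNS server; the function then reports exactly which names Netlogon failed to register.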

How does the DC search process work?
During user logon, the client invokes the DC locator through a Remote Procedure Call (RPC) to the Netlogon service, passing the computer name, domain name and site name as input.

The service sends one or more queries using the DsGetDcName() API.

The DNS server returns the requested list of servers, sorted by priority and weight. The client then sends an LDAP query over UDP port 389 to each of the returned addresses, in the order they were returned.

Every available domain controller answers this query with a report of its state.

Once a domain controller has been found, the client establishes an LDAP connection to it to access Active Directory. During this exchange the domain controller determines, from the client's IP address, which site the client is in. If the client did not contact the nearest DC, for example because it recently moved to another site and, out of habit, asked for a DC in the old one (the site is cached on the client from the last successful logon), the controller tells the client the name of its new site. If the client has already tried and failed to find a controller in that site, it keeps using the one it found; otherwise it starts a new DNS query specifying the new site.

The Netlogon service caches information about the location of the domain controller so that it does not initiate the entire procedure every time it needs to contact the DC. However, if a "non-optimal" DC (located in a different site) is used, the client clears this cache after 15 minutes and initiates the search again (in an attempt to find its optimal controller).

If a computer has no site information cached, it will contact any domain controller. To avoid this, netmask ordering can be configured on the DNS server: DNS then returns the list of DCs with the controllers located on the same network as the client listed first.

Example: Dnscmd /Config /LocalNetPriorityNetMask 0x0000003F sets a subnet mask of 255.255.255.192 for prioritising DCs (the value is the inverted mask, i.e. the host bits). The default mask is 255.255.255.0 (0x000000FF).
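The ordering described above, as an added example that is not part of the article: the LocalNetPriorityNetMask value is converted to a dotted mask, DCs on the client's subnet are placed first, and the rest follow by SRV priority and weight (weight is approximated by a deterministic sort here; all hosts and addresses are constructed).

```python
# Added example (not from the article): order a DC list the way the article
# describes: same-subnet DCs first (netmask ordering), then by SRV priority and
# weight. Real resolvers pick among equal-priority targets by weighted random
# choice; this example sorts by weight so the result is deterministic.
import ipaddress
from dataclasses import dataclass
from typing import List

@dataclass
class SrvTarget:
    priority: int
    weight: int
    host: str
    ip: str  # A record of the target, returned alongside the SRV answer

def netmask_from_localnetprioritynetmask(value: int) -> str:
    """Convert the dnscmd /LocalNetPriorityNetMask value (inverted mask, host bits) to dotted form."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("LocalNetPriorityNetMask must be a 32-bit value")
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ value))

def order_dcs(records: List[SrvTarget], client_ip: str, netmask_value: int = 0x000000FF) -> List[str]:
    """Return DC hostnames: client's own subnet first, then lower priority, then higher weight."""
    mask = netmask_from_localnetprioritynetmask(netmask_value)
    client_net = ipaddress.IPv4Network(f"{client_ip}/{mask}", strict=False)

    def sort_key(r: SrvTarget):
        same_subnet = ipaddress.IPv4Address(r.ip) in client_net
        return (not same_subnet, r.priority, -r.weight)

    return [r.host for r in sorted(records, key=sort_key)]

# Constructed answer set for _ldap._tcp.dc._msdcs.corp.example (hosts and IPs are made up)
RECORDS = [
    SrvTarget(0, 100, "dc1.corp.example", "10.1.1.10"),
    SrvTarget(0, 100, "dc2.corp.example", "10.1.1.80"),
    SrvTarget(0, 100, "dc3.corp.example", "10.1.2.10"),
    SrvTarget(10, 50, "dc4.corp.example", "10.1.1.90"),
]
```

With the default mask (0x000000FF) a client at 10.1.1.70 sees dc1, dc2 and dc4 as local; with 0x0000003F only dc2 and dc4 (10.1.1.64/26) are, so the order changes.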
