Configuring Root DNS server

Srinivas Acharya

Hi All,
Assume that you're designing a DNS for the Internet. What
configurations do you make on the root DNS server?
I mean, how many zone files do you create? How many domains
do you create?
There are top-level domains like com, net, au, mil. Do you
create subdomains in the root zone or a separate zone for
each domain? Which is good, and why?


Regards,
Srinivas Acharya
 
Kevin D. Goodknecht Sr. [MVP]

Srinivas Acharya said:
Hi All,
Assume that you're designing a DNS for the Internet. What
configurations do you make on the root DNS server?
I mean, how many zone files do you create? How many domains
do you create?
There are top-level domains like com, net, au, mil. Do you
create subdomains in the root zone or a separate zone for
each domain? Which is good, and why?

It would be much easier to start with a delegated Root.
294906 - How to Delegate All Internet Top-Level Domains on an Internal Root
DNS Server:
http://support.microsoft.com/default.aspx?scid=kb;en-us;294906
 
ObiWan

Assume that you're designing a DNS for the Internet. What
configurations do you make on the root DNS server?
I mean, how many zone files do you create? How many domains
do you create?

Assuming you're talking about the standard root zone, there's
nothing to create (well, almost). Just set up your DNS server as
usual, but then delete the root hints and the "cache.dns" file (if
it exists); if you have AD, be sure to delete the root hints from
AD too. Now stop and restart the DNS server; you should not
have any root hints now. If that's OK, just proceed to create a new
zone, standard secondary, named "." (single dot, no quotes). The
master servers will be 192.5.5.241, 192.228.79.201 and 192.33.4.12.
Now confirm the zone creation and, if your firewall is correctly
configured, in a few seconds your DNS will transfer a copy of
the root zone from one of the master servers. At this point your
DNS will be acting as an "unpublished" root server :)

As a note, you may do the same for the reverse zone. To do that,
just follow the procedure above, but use "in-addr.arpa" as the
zone name and 192.5.5.241 and 192.33.4.12 as the master servers.
This will give you the "reverse root" too ... just in case :)

Regards
 
Srinivas Acharya

Hi,
Thanks for replying. I have a few queries regarding your
comments:
"
delete the root hints and the "cache.dns" file (if
existing); if you have AD be sure to delete the root hints from
AD too, now"

Why do I have to delete this? How do I delete root hints?

Regards,
Srinivas Acharya
 
ObiWan

delete the root hints and the "cache.dns" file (if
existing); if you have AD be sure to delete the root hints from
AD too, now"

Why do I have to delete this? How do I delete root hints?

Well ... if you're going to set up your DNS as a root server
you won't be using root hints, but you'll have a full copy of
the root zone ".". About deleting the root hints:

1) Ensure that the ...\system32\dns folder doesn't contain a
file called "cache.dns"; if it does, rename it to e.g. cache.bak.

2) Open the DNS MMC, right-click on the server and open the
property sheets. Verify that the "Root Hints" sheet doesn't
list any root DNS servers (a.root-servers ...); if it does, delete all the
entries you find there. Close the DNS MMC and stop the
DNS server.

3) If you're using AD-integrated DNS, ensure that AD doesn't
contain a copy of the root hints; if it does, delete them.

4) Start the DNS server and check that it has no root hints (see 2); if
the hints are still there, repeat the checks from 2.

From this point on you'll need to follow the other instructions
to set up your root forward (and, if you like, reverse) zone.
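The two procedures above (removing the root hints, then creating "." as a secondary zone pulling from public root servers) can be scripted with the DnsServer PowerShell module that ships with Windows Server 2012 and later. The following is an added example, not something posted in this thread, and it assumes it is run elevated on the DNS server itself. The zone names and master addresses are the ones quoted in the posts; root server addresses change over time and not every root server permits AXFR, so check the current IANA root server list before relying on them. Two caveats a practitioner would want: a server that hosts "." stops using root hints anyway, so the cleanup is about removing stale data rather than a functional requirement, and a server that is authoritative for "." will answer NXDOMAIN for any TLD missing from its copy, so a failed or stale transfer breaks Internet resolution for everything behind it (the check at the end exists for that reason).

```powershell
# Added example, not from the thread. Assumes the DnsServer module
# (Windows Server 2012+) and an elevated session on the DNS server.
#Requires -RunAsAdministrator
Import-Module DnsServer

# Master addresses as quoted in the post; verify against the current
# IANA root server list before use (assumption: they still permit AXFR).
$RootMasters    = @('192.5.5.241', '192.228.79.201', '192.33.4.12')
$ReverseMasters = @('192.5.5.241', '192.33.4.12')

# 1) On-disk hint file: rename rather than delete so it can be restored.
$hintFile = Join-Path $env:SystemRoot 'System32\dns\cache.dns'
if (Test-Path $hintFile) {
    Rename-Item -Path $hintFile -NewName 'cache.bak' -Force
}

# 2) Root hints the server currently holds (the MMC "Root Hints" sheet).
#    On an AD-integrated server these cmdlets act on the copy in AD as well.
Get-DnsServerRootHint | Remove-DnsServerRootHint -Force

# 3) Restart and confirm nothing survived (step 4 of the post).
Restart-Service -Name DNS
if (Get-DnsServerRootHint) {
    throw 'Root hints are still present after restart; re-check step 2.'
}

# 4) "." as a standard secondary zone, plus the optional reverse root.
Add-DnsServerSecondaryZone -Name '.' -ZoneFile 'root.dns' `
    -MasterServers $RootMasters
Add-DnsServerSecondaryZone -Name 'in-addr.arpa' -ZoneFile 'in-addr.arpa.dns' `
    -MasterServers $ReverseMasters

# 5) Force the first transfer (needs TCP/53 outbound to the masters) and
#    verify the zone actually arrived before pointing any clients here.
Start-DnsServerZoneTransfer -Name '.' -FullTransfer
Get-DnsServerZone -Name '.' | Select-Object ZoneName, ZoneType, MasterServers

$soa = Resolve-DnsName -Name '.' -Type SOA -Server 127.0.0.1 -DnsOnly |
       Where-Object { $_.Type -eq 'SOA' }
if (-not $soa) {
    throw 'Root zone transfer did not complete; check the firewall and masters.'
}
"Local root zone serial: $($soa.SerialNumber)"
```

Run it once per root server; the transfer can be watched in the DNS event log, and the same `Resolve-DnsName` check is what a monitoring job should repeat periodically, since an expired secondary zone silently stops answering.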
 
Ace Fekay [MVP]

Srinivas Acharya said:
Hi,
Thanks for replying. I have a few queries regarding your
comments:
"
delete the root hints and the "cache.dns" file (if
existing); if you have AD be sure to delete the root hints from
AD too, now"

Why do I have to delete this? How do I delete root hints?

Regards,
Srinivas Acharya

Curious, what is the end result of your prospective tasks? Do you want to
just create a .com TLD zone with, say, only two or three second-level zones
that your users will ONLY be able to get to and nothing else on the Internet?
Of course, this will be absolute control over Internet use.

If so, will Internet access be controlled through ISA or a proxy, or do you want
to abolish Internet access?

If you create a .com TLD, you can create the second levels under it, say
microsoft, intel, macromedia and any others you want to be there. That's a
monumental task. But if you follow Obi's suggestion to specify the master
servers under a "." zone, then your server will grab the zones from there.


--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Jonathan de Boyne Pollard

SA> Assume that you're designing a DNS for the Internet.

Assume, instead, that I'm doing your school homework for you.

SA> I mean, how many zone files do you create?

As many as necessary. At minimum one, for ".", will be required.

SA> How many domains do you create?

As many as necessary.

SA> There are top-level domains like com, net, au, mil. Do you
SA> create subdomains in the root zone or a separate zone for
SA> each domain[?]

Yes.

SA> Which is good?

Both.
 
Jeff Teall

I am just reading about delegated root servers. What is the advantage of
configuring the DNS infrastructure this way versus just having internal DNS
servers forward to an ISP's DNS server? The environment I am working in
requires internal DNS resolution and Internet resolution. I currently have a
redundant pair of internal DNS servers that forward to a redundant pair of
external DNS servers (they have Internet access, whereas the internals do
not). The externals don't forward but recursively resolve for the internal
requests. Would a delegated root at the external boundary provide better
performance/functionality/security, or is it just a matter of preference in
deployment models?

Jeff Teall
 
Ace Fekay [MVP]

Jeff Teall said:
I am just reading about delegated root servers. What is the
advantage of configuring the DNS infrastructure this way versus just
having internal DNS servers forward to an ISP's DNS server? The
environment I am working in requires internal DNS resolution and
Internet resolution. I currently have a redundant pair of internal DNS
servers that forward to a redundant pair of external DNS servers
(they have Internet access, whereas the internals do not). The
externals don't forward but recursively resolve for the internal
requests. Would a delegated root at the external boundary provide
better performance/functionality/security, or is it just a matter of
preference in deployment models?

Jeff Teall

I would leave it the way it is. The advantage of an internal root is
security and performance, but your design looks efficient and it secures the
internal machines. I realize the external ones are exposed, but in many cases
forwarding from the internal to the ISP is the norm and secure. By creating your
own root by installing the top-level domain zone files as your cache.dns
file, you control it. If there are any updates, you need to manually
retrieve them.


--
Regards,
Ace

 
Jonathan de Boyne Pollard

JT> I am just reading about delegated [sic] root servers. What is the
JT> advantage of configuring the DNS infrastructure this way [...]?

With one's own private "." content DNS server, a "stealth slave" of a public
"." content DNS server, one is a better neighbour, one uses less bandwidth
over one's borders, and one leaks less information.

Misconfigured Windows systems are, in my experience, exceedingly prone to
causing multiple and oft-repeated DNS lookups on domain names underneath
non-existent TLDs, and thus contributing to the 13% of queries to ICANN's "."
content DNS servers where the TLDs are (as far as ICANN is concerned, at any
rate) non-existent. With a private "." content DNS server of one's own, those
queries hit that server and thus do not cause DNS traffic outside of the
organization, let alone DNS traffic to and from any public "." content DNS
servers. The same goes for eliminating one's contribution to the 7% of
pointless queries to public "." content DNS servers that are the domain name
equivalents of human-readable IP addresses.

Large organizations tend to set up their own private "." content DNS servers
for these very reasons. But the benefits of doing so apply to more than only
large organizations.

Of course, one has to arrange for timely replication of the "." DNS data from
the public content DNS server(s) and for all of one's resolving proxy DNS
servers to be configured to use the private "." content DNS server instead of
public ones.
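The last paragraph names the two operational obligations of running a private "." server: keep its copy of the root zone current, and make sure every internal resolver actually uses it. Ace's earlier reply makes the related point that a hand-installed root falls out of date unless someone retrieves updates. The following added example (not part of any post in this thread) is a check for the first obligation and the configuration step for the second, written for the Windows DnsServer module used elsewhere on this page. It assumes the private root is a secondary "." zone on the local server, that the public root server address quoted earlier in the thread (192.33.4.12) still answers SOA queries, and hypothetical names for the internal root server (`root01.corp.example`, 10.0.0.53) on the resolver side. With a secondary zone the SOA refresh timer normally keeps the copy current on its own; the point of the check is to notice when that silently stops working, which is the failure mode that turns a private root into an outage.

```powershell
# Added example, not from the thread. Assumes the DnsServer module and a
# secondary "." zone already present on the local server.
Import-Module DnsServer

# Return the SOA serial of "." as seen by a given server. The root zone
# uses YYYYMMDDNN serials, so a plain unsigned comparison is safe here.
function Get-RootSerial {
    param([Parameter(Mandatory)][string]$Server)
    $soa = Resolve-DnsName -Name '.' -Type SOA -Server $Server -DnsOnly -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SOA' }
    if (-not $soa) { throw "No SOA for '.' from $Server" }
    [uint32]$soa.SerialNumber
}

# --- Check 1: is the private root keeping up with the public one? ---
$localSerial  = Get-RootSerial -Server '127.0.0.1'
$publicSerial = Get-RootSerial -Server '192.33.4.12'   # address quoted in the thread

if ($localSerial -lt $publicSerial) {
    Write-Warning "Private root serial $localSerial is behind public $publicSerial; forcing transfer."
    Start-DnsServerZoneTransfer -Name '.' -FullTransfer
} else {
    "Private root is current (serial $localSerial)."
}

# --- Check 2: has the zone expired? An expired secondary stops answering
#     and every query behind it fails, so alert well before the SOA expire. ---
$zone = Get-DnsServerZone -Name '.'
if ($zone.IsShutdown) {
    throw "Root zone '.' has expired on this server; clients will get SERVFAIL."
}

# --- Resolver side: run on every OTHER internal DNS server so that its only
#     "root" is the private one. Hypothetical name and address. ---
# Get-DnsServerRootHint | Remove-DnsServerRootHint -Force
# Add-DnsServerRootHint -NameServer 'root01.corp.example' -IPAddress 10.0.0.53
```

Scheduled once an hour this covers Jonathan's "timely replication" requirement with an actual alarm rather than an assumption; the commented resolver-side lines are the step that makes the private root the one internal servers use, and are deliberately not executed on the root server itself.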