News
Seven days of Black Friday madness — great deal from Serverspace!
Serverspace Black Friday
WB
February 14 2020
Updated June 7 2023

Configuring a DNS server on Windows Server 2012 or later

DNS Windows

DNS (Domain Name System) is a system that lets you translate domain names into IP addresses and vice versa.

A DNS server is a network service that provides and maintains the operation of DNS. The DNS server is an easy and light service that can run on most machines. If you don't intend to configure other roles and services on the target machine, the minimum configuration is enough.

How to set up a DNS server:

Configuring the network adapter on the DNS server

Installing a DNS server requires a domain zone. You need to create a private network in your personal account and connect virtual machines to it.

After the machine is connected to both of the networks, it is important to remember which connection needs to be configured. Usually, a network adapter is setup by default from the very beginning with an access to the Internet. At the same time other additional network adapters have no Internet access until the configuration is performed manually:

Screenshot 1: Configuring the network adapter

By hovering the cursor over the network icon in the system tray, you can find a tooltip with brief information about networks. Following the example above, you can see that the joined network is Network 3.

Perform a series of actions:

  • Right-click Start and select Network Connections from the drop-down menu;
  • Right-click on the required network adapter and select Properties from the menu;
  • Select IPv4 In the Properties window, and click on the Properties button;
  • Fill in the appropriate fields with the necessary data:

Screenshot 2: Perform a series of actions

Here, the machine is assigned as the preferred DNS server, and the alternate is assigned as dns.google [8.8.8.8].

Installing the DNS server role

To add new roles to Windows Server, you use Add Roles and Features Wizard in Server Manager.

On the upper navigation bar of the Server Manager click the Manage menu, and then select Add Roles and Features:

Screenshot 3: Installing the DNS server role

Here, the Wizard recommends you to verify if the following tasks have been completed:

1. The Administrator account has a strong password.

2. Network settings, such as static IP addresses, are configured.

3. The most current security updates from Windows Update are installed.

If you are sure that all the conditions are met, click Next;

Select the Role-based or feature-based installation and click Next:

Screenshot 4: Installing the DNS server role

Select a server you want from the server pool and click Next:

Screenshot 5: select a server you want from the server pool

Check off the DNS server role and click Next:

Screenshot 6: check off the DNS server role

Check the list of features to install and confirm by clicking Add Features:

Screenshot 7: check the list of features to install and confirm

Keep the list of features as is and click Next:

Screenshot 8: keep the list of features

Read the information and click Next:

Screenshot 9: read the information about DNS roles

Check the installation configuration once again and confirm your decision by clicking Install:

Screenshot 10: Check the installation configuration

The final confirmation screen lets you know that the installation has been successfully completed, and you can close the installation Wizard:

Screenshot 11: the final confirmation screen

Creating forward and reverse lookup zones

A domain zone — a set of domain names within a specific domain.

Forward lookup zones resolve names to IP addresses.

Reverse lookup zones resolve IP addresses to names.

You have to use the DNS Manager to create and manage the zones.

On the upper navigation bar of the Server Manager click the Tools menu and select DNS in the drop-down list:

Screenshot 12: Creating forward and reverse lookup zones

Creating a forward lookup zone

  • Right-click on the Forward Lookup Zones folder, select New Zone. This will open the New Zone Wizard:

Screenshot 13: creating a forward lookup zone

  • On the Welcome screen of the Wizard, click Next:

Screenshot 14: welcome screen of the DNS Manager Wizard

  • On the Zone Type screen, Select Primary Zone, and click Next:

Screenshot 15: On the Zone Type screen, Select Primary Zone

  • Enter the name, and click Next:

Screenshot 16: enter the name of DNS zone

  • If necessary, change the name of the future zone file and click Next:

Screenshot 17: change the name of the future DNS zone file

  • You must choose whether you want to allow dynamic updates or not. It is not recommended to allow this because of a significant vulnerability. Click Next:

Screenshot 18: allow dynamic updates of DNS zone or not

  • Verify that the selected settings are correct, click Finish:

Screenshot 19: Verify that the selected settings of DNS zone are correct

Creating a reverse lookup zone

  • Open the DNS Manager and right-click on the Reverse Lookup Zones folder, select New Zone. This will open the New Zone Wizard:

Screenshot 20: creating a reverse lookup zone

  • On the Zone Type screen, Select Primary Zone, and click Next:

Screenshot 21: on the Zone Type screen, Select Primary Zone

  • In the first Reverse Lookup Zone Name page, select IPv4, click Next:

Screenshot 22: In the first Reverse Lookup Zone Name page, select IPv4

  • Type the network ID (the first three octets of the IP address) and click Next:

Screenshot 23: type the network ID

  • If necessary, change the name of the future zone file and click Next:

Screenshot 24: change the name of the future zone file

  • You must choose whether you want to allow dynamic updates or not. It is not recommended to allow this because of a significant vulnerability. Click Next:

Screenshot 25: choose whether you want to allow dynamic updates or not

  • Verify that the selected settings are correct, click Finish:

Screenshot 26: Verify the settings of new zone

Creating a host (A) record

This section of the guideline is here to mostly check all the steps you performed earlier.

A Resource Record is the unit of information storage and transmission in DNS. RRs are the basic building blocks of host-name and IP information and are used to resolve all DNS queries.

Record A — a record that lets you map hostnames to an IP address of the host.

Record PTR — is the reverse version of an A Record.

  • Open the Forward Lookup Zones folder in the DNS Manager and find the zone folder. Right-click on the right part of the DNS Manager and select New Host (a or AAA):

Screenshot 27: creating a host (A) record

  • New Host page opens. In Name, type a name of the host (with no domain, it will use the name of the Zone as a domain) and your IP address. Check off the section "Create associated pointer (PTR) record", to verify if both Forward and Reverse Lookup Zones are operating properly:

Screenshot 28: type a name of the host and your IP address.

If the Name field is blank it uses parent domain name.

  • You can also add records for other servers:

Screenshot 29: add records for other servers

  • Once you are finished, click Done.

Making sure everything is correct

  • Check the changes in the folders of the zones (in the example below you can see 2 records appeared in each of them):

Screenshot 30: check the changes in the folders of the zones

Screenshot 31: check the changes in the folders of the zones

  • Open the command line (cmd) or PowerShell and run the nslookup command:

Screenshot 32: run the nslookup command

It shows that the default DNS server is example-2012.com with the address 10.0.1.6.

To make sure that the Forward and Reverse Zones are operating properly, you can send two queries:

  • To query the domain;
  • To query the IP address:

Screenshot 33: make sure that the Forward and Reverse Zones are operating properly

In the example, we have got appropriate responses for both queries.

  • There is an option to send a query to an external resource:

Screenshot 34: send a query to an external resource

We see a new line here "Non-authoritative answer". This means that our DNS server does not contain domain’s original zone files. Although the information displayed below, received from an authoritative server, it is not itself authoritative in this case.

To compare, all the same queries were made on the server where the forward and reverse zones were not configured:

Screenshot 35: comparison with non-configured zones

Here, the machine assigned itself as a default DNS server. The DNS server domain name is displayed as unknown because there are no resource records for the IP address (10.0.1.7). For the same reason, the 2nd query returns an error (Non-existent domain).

Describtion of the Domain Name System (DNS) features which are new or changed in Windows Server 2016.

In Windows Server 2016, DNS Server offers updates in the following areas:

DNS Server Policies

Now you can use these features:

  • DNS Policy for Geo-Location based traffic management
  • Intelligent DNS responses based on the time of day, to manage a single DNS server configured for split-brain deployment
  • Apply filters on DNS queries, and more.

Specific description of these features:

Application Load Balancing
When you have deployed multiple instances of an application at different locations, you can use DNS policy to balance the traffic load between the different application instances, dynamically allocating the traffic load for the application.

Geo-Location Based Traffic Management.
You can use DNS Policy to allow primary and secondary DNS servers to respond to DNS client queries based on the geographical location of both the client and the resource to which the client is attempting to connect, providing the client with the IP address of the closest resource.

Split Brain DNS
With split-brain DNS, DNS records are split into different Zone Scopes on the same DNS server, and DNS clients receive a response based on whether the clients are internal or external clients. You can configure split-brain DNS for Active Directory integrated zones or for zones on standalone DNS servers.

Filtering
You can configure DNS policy to create query filters that are based on criteria that you supply. Query filters in DNS policy allow you to configure the DNS server to respond in a custom manner based on the DNS query and DNS client that sends the DNS query.

Forensics
You can use DNS policy to redirect malicious DNS clients to a non-existent IP address instead of directing them to the computer they are trying to reach.

Time of day based redirection
You can use DNS policy to distribute application traffic across different geographically distributed instances of an application by using DNS policies that are based on the time of day.

You can also use DNS policies for Active Directory integrated DNS zones.

Response Rate Limiting (RRL)

ТYou can configure RRL settings to control how to respond to requests to a DNS client when your server receives several requests targeting the same client.
By doing this, you can prevent someone from sending a Denial of Service (Dos) attack using your DNS servers.
For instance, a bot net can send requests to your DNS server using the IP address of a third computer as the requestor. Without RRL, your DNS servers might respond to all the requests, flooding the third computer.
When you use RRL, you can configure the following settings:

Responses per second This is the maximum number of times the same response is given to a client within one second.

Errors per second This is the maximum number of times an error response is sent to the same client within one second.

Window This is the number of seconds for which responses to a client are suspended if too many requests are made.

Leak rate This is how frequently the DNS server responds to a query during the time responses are suspended. For instance, if the server suspends responses to a client for 10 seconds, and the leak rate is 5, the server still responds to one query for every 5 queries sent. This allows the legitimate clients to get responses even when the DNS server is applying response rate limiting on their subnet or FQDN.

TC rate This is used to tell the client to try connecting with TCP when responses to the client are suspended. For instance, if the TC rate is 3, and the server suspends responses to a given client, the server issues a request for TCP connection for every 3 queries received. Make sure the value for TC rate is lower than the leak rate, to give the client the option to connect via TCP before leaking responses.

Maximum responses This is the maximum number of responses the server issues to a client while responses are suspended.

Allowlist domains This is a list of domains to be excluded from RRL settings.

Allowlist subnets This is a list of subnets to be excluded from RRL settings.

Allowlist server interfaces This is a list of DNS server interfaces to be excluded from RRL settings.

DNS Based Named Entity Authentication (DANE)

You can use DANE support (RFC 6394 and 6698) to specify to your DNS clients what CA they should expect certificates to be issued from for domains names hosted in your DNS server. This prevents a form of man-in-the-middle attack where someone is able to corrupt a DNS cache and point a DNS name to their own IP address.

Unknown record support

An "Unknown Record" is an RR whose RDATA format is not known to the DNS server. The newly added support for unknown record (RFC 3597) types means that you can add the unsupported record types into the Windows DNS server zones in the binary on-wire format. The Windows caching resolver already has the ability to process unknown record types. Windows DNS server does not do any record specific processing for the unknown records, but sends it back in responses if queries are received for it.

IPv6 root hints

The IPV6 root hints, as published by IANA, have been added to the Windows DNS server. The internet name queries can now use IPv6 root servers for performing name resolutions.

Windows PowerShell support

The following new Windows PowerShell cmdlets and parameters are introduced in Windows Server 2016:

Add-DnsServerRecursionScope - This cmdlet creates a new recursion scope on the DNS server. Recursion scopes are used by DNS policies to specify a list of forwarders to be used in a DNS query.

Remove-DnsServerRecursionScope - This cmdlet removes existing recursion scopes.

Set-DnsServerRecursionScope - This cmdlet changes the settings of an existing recursion scope.

Get-DnsServerRecursionScope - This cmdlet retrieves information about existing recursion scopes.

Add-DnsServerClientSubnet - This cmdlet creates a new DNS client subnet. Subnets are used by DNS policies to identify where a DNS client is located.

Remove-DnsServerClientSubnet - This cmdlet removes existing DNS client subnets.

Set-DnsServerClientSubnet - This cmdlet changes the settings of an existing DNS client subnet.

Get-DnsServerClientSubnet - This cmdlet retrieves information about existing DNS client subnets.

Add-DnsServerQueryResolutionPolicy - This cmdlet creates a new DNS query resolution policy. DNS query resolution policies are used to specify how, or if, a query is responded to, based on different criteria.

Remove-DnsServerQueryResolutionPolicy - This cmdlet removes existing DNS policies.

Set-DnsServerQueryResolutionPolicy - This cmdlet changes the settings of an existing DNS policy.

Get-DnsServerQueryResolutionPolicy - This cmdlet retrieves information about existing DNS policies.

Enable-DnsServerPolicy - This cmdlet enables existing DNS policies.

Disable-DnsServerPolicy - This cmdlet disables existing DNS policies.

Add-DnsServerZoneTransferPolicy - This cmdlet creates a new DNS server zone transfer policy. DNS zone transfer policies specify whether to deny or ignore a zone transfer based on different criteria.

Remove-DnsServerZoneTransferPolicy - This cmdlet removes existing DNS server zone transfer policies.

Set-DnsServerZoneTransferPolicy - This cmdlet changes settings of an existing DNS server zone transfer policy.

Get-DnsServerResponseRateLimiting< - This cmdlet retrieves RRL settings.

Set-DnsServerResponseRateLimiting - This cmdlet changes RRL settigns.

Add-DnsServerResponseRateLimitingExceptionlist - This cmdlet creates an RRL exception list on the DNS server.

Get-DnsServerResponseRateLimitingExceptionlist- This cmdlet retrieves RRL excception lists.

Remove-DnsServerResponseRateLimitingExceptionlist - This cmdlet removes an existing RRL exception list.

Set-DnsServerResponseRateLimitingExceptionlist - This cmdlet changes RRL exception lists.

Add-DnsServerResourceRecord - This cmdlet was updated to support unknown record type.

Get-DnsServerResourceRecord - This cmdlet was updated to support unknown record type.

Remove-DnsServerResourceRecord - This cmdlet was updated to support unknown record type.

Set-DnsServerResourceRecord- This cmdlet was updated to support unknown record type

For more information, see the following Windows Server 2016 Windows PowerShell command reference topics.

Powershell DNS Server
Powershell DNS Client

Vote:
5 out of 5
Аverage rating : 5
Rated by: 4
1101 CT Amsterdam The Netherlands, Herikerbergweg 292
+31 20 262-58-98
700 300
ITGLOBAL.COM NL
700 300
We use cookies to make your experience on the Serverspace better. By continuing to browse our website, you agree to our
Use of Cookies and Privacy Policy.