Friday, April 9, 2010

->DNS Zone Transfer

A zone transfer is the process of copying the resource records of a zone from the primary DNS server to secondary DNS servers. Zone transfer enables a secondary DNS server to continue handling queries if the primary DNS server fails. A secondary DNS server can also transfer its zone data to other secondary DNS servers that are beneath it in the DNS hierarchy. In this case, the secondary DNS server is regarded as the master DNS server for the other secondary servers.

The zone transfer methods are:
Full transfer: When you configure a secondary DNS server for a zone, and start the secondary DNS server, the secondary DNS server requests a full copy of the zone from the primary DNS server. A full transfer is performed of all the zone information. Full zone transfers tend to be resource intensive. This disadvantage of full transfers has led to the development of incremental zone transfers.

Incremental zone transfer: With an incremental zone transfer, only the resource records that have changed in a zone since the last transfer are sent to the secondary DNS servers. During zone transfer, the DNS databases on the primary DNS server and the secondary DNS server are compared to determine whether there are differences in the DNS data. If the DNS data of the primary and secondary DNS servers are the same, zone transfer does not take place. If the DNS data of the two servers are different, transfer of the delta resource records starts. This occurs when the serial number of the primary DNS server's zone database is higher than the secondary DNS server's serial number. For incremental zone transfer to occur, the primary DNS server has to record incremental changes to its DNS database. Incremental zone transfers require less bandwidth than full zone transfers.

Active Directory transfers: These zone transfers occur when Active Directory-integrated zones are replicated to the domain controllers in a domain. Replication occurs through Active Directory replication.

DNS Notify is a mechanism that enables a primary DNS server to inform secondary DNS servers when its database has been updated. DNS Notify informs the secondary DNS servers when they need to initiate a zone transfer so that the updates of the primary DNS server can be replicated to them. When a secondary DNS server receives the notification from the primary DNS server, it can start an incremental zone transfer or a full zone transfer to pull zone changes from the primary DNS server.
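The following is an added example, not code from the original post and not how Windows Server 2003 DNS is implemented internally. It is a small Python model of the behaviour described above: a NOTIFY prompts each secondary to compare SOA serials, a matching serial means no transfer, a newer serial triggers an incremental (IXFR) transfer served from the change journal the primary must keep, and a full (AXFR) transfer is the fallback when the journal no longer reaches back to the secondary's serial. The record format, the journal structure and the zone names are this example's own simplifications; serial comparison uses the 32-bit wraparound rules of RFC 1982.

```python
"""Model of primary/secondary zone transfer driven by DNS NOTIFY (added example)."""
from dataclasses import dataclass, field

MASK = 0xFFFFFFFF      # SOA serials are unsigned 32-bit
HALF = 1 << 31


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: True if 32-bit serial a is newer than b."""
    a, b = a & MASK, b & MASK
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


@dataclass
class Primary:
    zone: dict = field(default_factory=dict)       # name -> rdata (simplified)
    serial: int = 1
    max_journal: int = 10                           # how many deltas are retained
    journal: list = field(default_factory=list)     # (from_serial, to_serial, deleted, added)
    secondaries: list = field(default_factory=list)

    def update(self, deleted: dict, added: dict) -> int:
        """Apply a change, bump the SOA serial and journal the delta for IXFR."""
        old = self.serial
        for name in deleted:
            self.zone.pop(name, None)
        self.zone.update(added)
        self.serial = (self.serial + 1) & MASK
        self.journal.append((old, self.serial, dict(deleted), dict(added)))
        del self.journal[:-self.max_journal]        # drop deltas beyond the retention limit
        return self.serial

    def transfer(self, client_serial: int):
        """IXFR if the journal still starts at the client's serial, otherwise AXFR."""
        for i, entry in enumerate(self.journal):
            if entry[0] == client_serial:
                return "ixfr", self.journal[i:]
        return "axfr", {"serial": self.serial, "zone": dict(self.zone)}

    def notify(self) -> list:
        """DNS NOTIFY: tell every secondary the zone changed; each one pulls on its own."""
        return [s.on_notify(self) for s in self.secondaries]


@dataclass
class Secondary:
    zone: dict = field(default_factory=dict)
    serial: int = 0                                  # no copy of the zone yet

    def on_notify(self, primary: Primary) -> str:
        """Compare SOA serials first; transfer only if the primary is newer."""
        if not serial_gt(primary.serial, self.serial):
            return "none"
        kind, payload = primary.transfer(self.serial)
        if kind == "ixfr":
            for _, to_serial, deleted, added in payload:
                for name in deleted:
                    self.zone.pop(name, None)
                self.zone.update(added)
                self.serial = to_serial
        else:
            self.zone = dict(payload["zone"])
            self.serial = payload["serial"]
        return kind


def demo() -> list:
    """Constructed scenario: initial AXFR, IXFR after one change, no-op, AXFR fallback."""
    primary = Primary(zone={"www.example.test.": "192.0.2.10"}, max_journal=2)
    secondary = Secondary()
    primary.secondaries.append(secondary)
    kinds = []
    kinds += primary.notify()                                   # empty journal -> axfr
    primary.update({}, {"mail.example.test.": "192.0.2.20"})
    kinds += primary.notify()                                   # one journaled delta -> ixfr
    kinds += primary.notify()                                   # serials equal -> none
    for i in range(3):                                          # more changes than the journal keeps
        primary.update({}, {f"host{i}.example.test.": f"192.0.2.{30 + i}"})
    kinds += primary.notify()                                   # delta history lost -> axfr
    assert secondary.zone == primary.zone and secondary.serial == primary.serial
    return kinds


if __name__ == "__main__":
    print(demo())  # ['axfr', 'ixfr', 'none', 'axfr']
```

The retention limit is the practical point: a primary that keeps too little change history forces its secondaries back to full transfers, which is exactly the traffic the incremental mechanism was meant to avoid.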
Determining Zone Requirements
When determining how to break up the DNS namespace into zones, keep the following factors in mind:
(i). Transferring zone files between zones increases DNS zone transfer traffic and Active Directory replication traffic.
(ii). You need to determine the traffic patterns that exist between clients and the DNS server. Pay careful attention to queries that are passed over WAN connections. The System Monitor tool can be used to obtain DNS server statistics.
(iii). Consider the network links between your DNS servers, and the speed of these links.
(iv). Determine whether full DNS servers or caching-only DNS servers are required for your different locations.
Determining Zone Placement
DNS forwarding is the process by which a DNS server passes a query it cannot resolve to another DNS server. DNS forwarders are the DNS servers used to forward DNS queries for a different DNS namespace to the DNS servers that can answer the query. Creating DNS forwarders can improve name resolution efficiency.

Windows Server 2003 DNS introduces a feature called conditional forwarding. With conditional forwarding, you create conditional forwarders within your environment that forward DNS queries based on the specific domain names being requested in the query. This differs from standard DNS forwarders, where the standard DNS resolution path to the root is used to resolve the query. A conditional forwarder can only forward queries for domains that are defined in that conditional forwarder's list. The query is passed to the default DNS forwarder if there are no entries in the forwarders list for the specific domain queried.
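As an added example (not code from the original post, and not the Windows DNS service's own logic), here is a Python model of the forwarder selection described above: the queried name is matched against the conditional forwarder list, the most specific matching domain wins, a match only counts on a label boundary, and a name with no entry goes to the default forwarder. The domain names and server addresses are constructed sample values.

```python
"""Conditional forwarder selection with longest-suffix matching (added example)."""

# Constructed sample configuration: domain -> forwarder addresses.
CONDITIONAL_FORWARDERS = {
    "corp.example.test.": ["10.0.0.53"],
    "hq.corp.example.test.": ["10.1.0.53", "10.1.0.54"],
    "partner.test.": ["198.51.100.53"],
}
DEFAULT_FORWARDERS = ["192.0.2.53"]


def normalize(name: str) -> str:
    """Lower-case the name and give it exactly one trailing dot so comparisons are exact."""
    return name.strip().lower().rstrip(".") + "."


def select_forwarders(qname: str, conditional=None, default=None):
    """Return (rule, servers): rule is the matched domain, or 'default' when none matches."""
    conditional = CONDITIONAL_FORWARDERS if conditional is None else conditional
    default = DEFAULT_FORWARDERS if default is None else default
    q = normalize(qname)
    best = None
    for domain, servers in conditional.items():
        d = normalize(domain)
        # Either the exact domain or a subdomain of it; the leading dot in the
        # suffix check stops "notcorp.example.test." matching "corp.example.test.".
        if q == d or q.endswith("." + d):
            if best is None or len(d) > len(best[0]):
                best = (d, list(servers))
    if best is None:
        return "default", list(default)
    return best


if __name__ == "__main__":
    for name in ("www.hq.corp.example.test", "fs.corp.example.test", "notcorp.example.test", "PARTNER.TEST"):
        print(name, "->", select_forwarders(name))
```

Longest match matters when nested domains have different forwarders: a query for a host under hq.corp.example.test must go to the hq forwarders even though it also ends in corp.example.test.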

When planning your DNS environment and it is evident that you need to implement forwarders or conditional forwarders, consider the recommendations for planning forwarders which are summarized below:
(i). Use forwarders to limit the number of DNS servers that have to communicate with each other across firewalls. This strategy enhances DNS security.
(ii).You can also enhance fault tolerance by configuring multiple forwarders, and then enabling recursion for those queries which cannot be forwarded to your specified forwarders.
(iii). You should only implement the number of DNS forwarders that are necessary for your environment. You should refrain from creating large numbers of forwarders for your internal DNS servers.
(iv).You should avoid chaining your DNS servers together in a forwarding configuration.
(v).To avoid the DNS forwarder turning into a bottleneck, do not configure one external DNS forwarder for all your internal DNS servers.
Recommendations for Determining Zone Replication
A number of recommendations for planning for zone replication are noted below:
(i). You should limit the number of zones of authority within your DNS environment. The more zones of authority you have, the greater the administrative effort required to manage your DNS environment.
(ii). Transferring zone files between zones increases DNS zone transfer traffic, and Active Directory replication traffic.
(iii). If you need to minimize zone transfer traffic, your DNS servers run on Windows Server 2003 domain controllers, and you are using Active Directory-integrated zones, consider using the application directory partition for storing zone data.
(iv).If you are using standard DNS zone transfers, it is beneficial to implement the following:
*Incremental zone transfers
*Fast zone transfers
(v). If you need to reduce the bandwidth used by standard DNS zone transfers, consider changing the schedule for zone transfers to your secondary DNS zones.
(vi). Consider implementing stub zones to minimize DNS traffic.
(vii). You should use Active Directory-integrated zones so that you can specify that only secure updates to your zones are allowed.
(viii). To secure zone data of the standard zone types, consider implementing the following:
*Limit the number of hosts that are allowed to receive zone transfers.
*Encrypt zone transfer data by using VPN tunnels or IPSec.
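The first of those two measures, limiting which hosts may receive zone transfers, is shown below as an added example in Python; it is not code from the original post and not the Windows DNS service's own check. It models the decision a primary makes on each request: ordinary queries are answered for anyone, but AXFR/IXFR requests are served only when the requesting address is in the allow-list of known secondaries (single hosts or CIDR ranges), and every refusal is logged so unexpected transfer attempts can be reviewed. The addresses and requests are constructed sample values.

```python
"""Zone transfer allow-list check with refusal logging (added example)."""
import ipaddress

# Constructed sample allow-list: the zone's secondaries, as hosts or CIDR ranges.
ALLOWED_TRANSFER_PEERS = ["10.0.0.54", "10.0.1.0/24"]
TRANSFER_TYPES = {"AXFR", "IXFR"}


def build_acl(entries):
    """Parse allow-list entries into network objects; a bare host becomes a /32 or /128."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def transfer_allowed(client_ip: str, acl) -> bool:
    """True if the client address falls inside any allow-listed network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in acl)


def audit_requests(requests, acl_entries=None):
    """requests: list of (client_ip, qtype). Returns (served, refused_log)."""
    acl = build_acl(ALLOWED_TRANSFER_PEERS if acl_entries is None else acl_entries)
    served, refused = [], []
    for client_ip, qtype in requests:
        # Only transfer requests are subject to the allow-list.
        if qtype in TRANSFER_TYPES and not transfer_allowed(client_ip, acl):
            refused.append(f"REFUSED {qtype} from {client_ip} (not in transfer allow-list)")
            continue
        served.append((client_ip, qtype))
    return served, refused


if __name__ == "__main__":
    # Constructed sample requests against the zone.
    sample = [("10.0.0.54", "AXFR"), ("10.0.1.77", "IXFR"),
              ("203.0.113.9", "AXFR"), ("203.0.113.9", "A")]
    ok, log = audit_requests(sample)
    print(ok)
    print("\n".join(log))
```

The refused log is worth reviewing on its own: a transfer request from an address that is not one of your secondaries is a sign that someone is attempting to enumerate the zone, and the allow-list is what turns that attempt into an event you can see rather than a silent copy of your records.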
