Domain Name Resolution and New DNS Features in Windows Server 2008 R2

Domain Name Resolution

Domain name resolution, that is, resolving a domain name to an IP address, can be achieved in Windows by using NetBIOS over NetBEUI in combination with WINS, as well as by DNS.

While the former two methods are somewhat outdated and are expected to become obsolete, they may still be required by older legacy applications in your company that rely on single-label (flat namespace) name resolution.

DNS resolves host names to IP addresses and includes several new features and enhancements in Windows Server 2008 R2, such as:

Stub Zone Support – A zone that contains only a copy of the records identifying the authoritative servers for a zone (the SOA and NS records, plus the A records of those name servers), without the records for every host registered in that zone.

Stub zones in Active Directory are useful to hold records of child domains and therefore delegate authority to that child domain for any records it is responsible for.

These are called Delegation or Glue Records. Likewise, you can use stub zones in the child domain to hold records pointing to the parent domain.
To create a stub zone you must have administrator privileges on the target DNS server.

Domain Name Resolution – Conditional Forwarding

Without a stub zone, a DNS server forwards a name resolution request to an upstream DNS server when it holds no record for the request in its own database. This is called a recursive query, because the upstream DNS server will in turn contact other DNS servers if it has no record itself.

Conditional forwarding in Windows Server 2008 R2 means that you can configure a DNS server to forward queries for a particular domain namespace to one or more specified DNS servers. If no conditional forwarder is configured, or the forwarder is unable to resolve the name, the DNS server falls back on its root hints in its attempt to resolve the name.

For security purposes it is generally recommended to remove the root hints from a domain controller. If the domain controller used root hints to perform iterative queries itself, it would be exposed to attacks from the Internet. The preferred practice is to use a caching-only forwarder to perform these queries on the public Internet.

DNS Zone Transfers and Replication

As long as the zone is Active Directory-integrated and the DNS service runs on a domain controller, the zone is replicated automatically to all DNS servers that are domain controllers. Any other DNS server that should receive the zone must be explicitly listed as allowed to perform a zone transfer.

Read Only Domain Controllers (RODCs)

RODCs hold a primary read-only zone, which can only be updated by pulling new DNS records from a writeable domain controller that the RODC has access to.

DNS Security Extension (DNSSEC)

Uses digital signatures and certificates to improve the security of domain name resolution.

DNS Cache Locking

Cache poisoning is a popular attack in which a malicious server sends the DNS server a response that writes or overwrites an entry in the cache, replacing it with an entry pointing to the attacker's server. Windows Server 2008 R2 lets you lock down the cache so that a cached record cannot be overwritten until a configured percentage of its TTL has elapsed.
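To make the cache-locking rule concrete, here is an added model of a resolver cache (my own example, not Windows code and not from the original article) that refuses to overwrite a cached record until a configured percentage of its TTL has elapsed, the quantity Windows exposes as CacheLockingPercent. The class names, the injectable clock and the sample records are assumptions for the demonstration.

```python
import time
from dataclasses import dataclass


@dataclass
class CacheEntry:
    rdata: str          # record data, e.g. an IPv4 address for an A record
    ttl: int            # time to live in seconds, as received in the response
    inserted_at: float  # clock value when the entry was cached


class LockingResolverCache:
    """Constructed model of a DNS cache with cache locking.

    On a real Windows Server 2008 R2 DNS server the equivalent setting is
    changed with: dnscmd /Config /CacheLockingPercent <0..100>
    """

    def __init__(self, cache_locking_percent=100, clock=time.time):
        if not 0 <= cache_locking_percent <= 100:
            raise ValueError("CacheLockingPercent must be between 0 and 100")
        self.locking_percent = cache_locking_percent
        self.clock = clock          # injectable so the behaviour can be tested
        self.entries = {}           # (owner name, type) -> CacheEntry

    @staticmethod
    def _key(name, rtype):
        return (name.rstrip(".").lower(), rtype.upper())

    def lookup(self, name, rtype):
        """Return cached rdata, or None if absent or expired."""
        key = self._key(name, rtype)
        entry = self.entries.get(key)
        if entry is None:
            return None
        if self.clock() - entry.inserted_at >= entry.ttl:
            del self.entries[key]   # TTL elapsed: drop the stale record
            return None
        return entry.rdata

    def is_locked(self, name, rtype):
        """True while less than locking_percent of the entry's TTL has passed."""
        entry = self.entries.get(self._key(name, rtype))
        if entry is None:
            return False
        age = self.clock() - entry.inserted_at
        return age < entry.ttl * self.locking_percent / 100

    def store(self, name, rtype, rdata, ttl):
        """Cache a response; return False if cache locking rejected it."""
        if self.is_locked(name, rtype):
            return False            # unsolicited/late data cannot overwrite
        self.entries[self._key(name, rtype)] = CacheEntry(rdata, ttl, self.clock())
        return True
```

With the percentage at 100, a second response for an already cached name is discarded for the full TTL; with a lower value, the record becomes overwritable once that share of its TTL has passed.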

DNS Socket Pool

Allows the server to send queries from a randomized pool of source ports instead of a single well-known DNS port, which makes spoofed responses harder to match to outstanding queries and so reduces the success of poisoning attempts.

DNS Devolution

Provides host name resolution for clients in child domains. When a single-label name is queried, the resolver first appends the namespace of the parent domain and subsequently appends the namespace of each child domain in turn to build the fully qualified name to resolve.

Background Zone Loading

In large organizations it could take a long time for a DNS server to load its zone data before it starts servicing clients; Windows Server 2008 R2 remedies this with background zone loading, which lets the server respond to domain name resolution queries much sooner by answering from the information stored in Active Directory while the remaining zone data is still being loaded.

GlobalNames DNS Zone

Although it is similar to WINS in resolving host names within a single flat namespace, the GlobalNames zone is not supported for peer-to-peer name resolution. Instead, the zone holds a CNAME resource record that maps a single-label name to a FQDN, usually one belonging to a corporate server or website.

WINS Push and Pull

As soon as a specified number of updated records has accumulated in the WINS database, the WINS server pushes the updates to its replication partners.

Pull replication lets an administrator specify that updates are pulled from partners at set intervals.

Windows Server 2008 R2 – New DNS Features in Domain Name Resolution

  • Background zone loading
  • RODC support
  • GlobalNames DNS Zone
  • Full support for IPv6 forward and reverse lookup

Windows Server 2008 R2 DNS Role