DNS Concepts

Internet Domains vs. NT Domains

There is much confusion regarding Internet domains and NT domains. While an Internet domain and an NT domain are logical groupings of computers, that's about all they have in common.

Let's look at the differences in them:

Internet Domains
An Internet domain is used merely to logically group computers together by using the same name, such as www.microsoft.com, ftp.microsoft.com, news.microsoft.com, etc. With Internet domain names, you must use the FQN (Fully Qualified Name). For instance, you can get to "www.microsoft.com" just fine, but you can't get to "www" because it is an ambiguous name. NT does not use the domain the same way. You can have a "www" in every domain on the face of the Earth, but because it is in a different domain, it doesn't matter because everyone uses the FQN and each "www" has a unique domain name which differentiates it from any other domain in the world.	While it is not forbidden to have 2 primary DNS servers, you want to only have one primary DNS server in a given domain with one or more secondary DNS servers for that domain. Some cases may warrant having a second primary DNS server such as if you use the same domain name on your Intranet as you have on the Internet, and you are not connected to the Internet, or you have internal addresses that cannot be allowed to be published on the Internet. If you do set up 2 primary DNS servers you must be prepared for the added administration and possible confusion when resolving names from a client PC that can access both servers simultaneously.
NT Domains
With an NT domain you also have a logical group of computers, but the domain name is not used to differentiate them from other PCs in other NT domains. NT domains use only NetBIOS names, over TCP/IP or other protocol. For instance, if you have a PC named "TampaS1" in your Tampa domain, you cannot have another PC named "TampaS1" in that, or any other domain connected to your organization. Unfortunately NT domains do not use FQN's, as in "NTDomain\TampaS1". If they did, you would have a fully qualified name and could name computers the same thing as long as they existed in a different domain. With an NT domain, the domain structure is used to group computers together in such a way as when you browse the network you will see all of the computer belonging to one domain grouped together. It also used for security authentication. NT has special types of servers called Domain Controllers.	It can have one (1) Primary Domain Controller (PDC) and as many Backup Domain Controllers (BDC) as you want to put in that domain. Note: there can never be more than one PDC in an NT domain. Having the NT domain handle the security with in your domain, and between other domains takes a lot of headaches away from administrators because everyone uses the same security database and has one login Much of what's said here will be much different in Windows NT 5 (Win 2K). They plan to do away with the domain model, trust relationships, and use Internet DNS names to do the same things they are doing with NetBIOS names today, in their current domain model. Therefore what's been said here only applies to Windows NT versions up to 4.0.

Sub-Domains and Third-Level Domains

This is yet another concept there is much confusion over. First of all, the term "sub-domain" seems logical, but is an unrecognized term in DNS even though MS uses it in its documentation. Technically, if we used that terminology it would be ambiguous because any domain that you can control is a "sub-domain" by default, of one of the top-level domains and then if you have a third-level domain that's another "sub-domain" of a "sub-domain" and you must qualify it so others know what your are talking about. The most recognized term for this is "third-level domain", although they are also sometimes referred to as "child" domains. And yes, there can be fourth, fifth, sixth, etc. -level domains. Note: It cannot be distinguished, from a domain name, if a name is an X-level domain name or a fully qualified host name. For example, there is no way to tell if "library.mit.edu" is a host name or a domain name. this could actually be the library, or there could be "science.library.mit.edu", and "law.library.mit.edu". IBM has "AS400.ibm.com". You tell me, is that a host name or a domain name? Wrong, its a domain name. IBM chose to do this and has "www.AS400.IBM.com".

The short of it is, in cases where you control the second-level domain, don't use separate zones for Third-Level domains if possible. There will be less administration hassle.

The long of it is, a third-level domain, in its strictest translation, requires that you maintain zone files for each of your third-level domains. This would mean that Walt.Disney.com, Mickey.Disney.com, and Goofy.Disney.com would all have to have their own zone files for stuff like www.Walt.Disney.com, ftp.Mickey.Disney.com. Instead, try this, and keep one zone file and have less administrative overhead by putting it all in the same file.

How, you ask? See the following. (Bind ONLY)

Example Zone File (BIND ONLY):

www                           IN    A     206.222.198.5
www.Walt                   IN    A    206.222.198.14
ftp.mickey                   IN    A    206.44.3.7
;Fourth-Level Example:
FTP.Mickey.Minnie      IN    A     206.234.98.12
news.Goofy                IN    CNAME    www.Walt.Disney.com.

The key here is the period ("."). As long as your records have no period on the end of the name, it is relative. This means that whatever you put as a name in your record gets the domain name, in this case Disney.com, appended to the end. If you put a period on the end, DNS considers it absolute and will not append anything to it.

Example:
Absolute: "www.Seven.Dwarfs.Disney.com."
Relative: "www.Seven.Dwarfs.Disney.com" (this will end up as "www.Seven.Dwarfs.Disney.com.Disney.com." once DNS interprets it.)

Third-Levels with MS DNS

The period at the end of that line makes the last name in the line absolute. DNS will not append anything to it. Be careful with this because if you were to put "news.Goofy." in your record, the client who queried this would go looking for "news.Goofy" without the "Disney.com" on the end.

Changing DNS Servers Part 1, Changing the primary from one server to another.

You can make a secondary, then make it a primary. There are different ways to do this, depending on your DNS software. I will only explain MS DNS and Bind for NT since those are the predominant DNS software being used, and they are both FREE.

OK, so you have an old 486/66 NT server and you just got your new P450 with 1G of RAM and you want to switch over your DNS to your new server with as little work as possible. The following instructions are general:

Set up DNS server on the new server.

Make this new DNS server secondary for your primary zone.

Once the secondary syncs with the primary, change the secondary to primary and change the primary to secondary, or take it down. Note: if you have clients that depends on the primary DNS server you may want to give the new DNS server the IP address of the old primary once you take the old one down.

With MS DNS you merely look at the properties for the zone and click the option box on the General tab to Primary instead of Secondary. You need not make any other changes.

With Bind for NT you must change the directive in the "Named.Boot" file in the Windows NT directory. Change it from:

secondary mydomain.com 206.22.33.44 mydomain.txt
to
primary mydomain.com mydomain.txt

Bounce the DNS server. And that's all there is to it.

The advantages here are that you do not have to re-enter even one record since your secondary made a copy of the entire zone and all of its attributes before you made it into a primary. Pretty neat, huh?

Changing DNS Servers Part 2, Changing from your ISP's DNS to your own DNS.

Use the method in Changing DNS Servers, Part 1 to make your would-be primary DNS server a secondary for your Internet domain.

Submit a request with Network Solutions to change your primary DNS to your would-be primary DNS server and the current primary DNS server to the secondary.
Note:

What Network Solutions has on record for your primary only means the first server that they point Internet clients, looking for your domain, to, It has nothing to do with whether your DNS server is the Primary DNS server for your domain.

Your ISP will know this because they are listed as technical contact for your domain now. You will need to change this also, to yourself, when you submit the DNS change request.

Once the changes have gone through, talk to your ISP and tell them you want them to be secondary now, and give them the IP address of your primary so they can perform zone transfers.

Notes:

Verify that the changes have gone through with NSLookup. Just because Network Solutions' Whois tells you that the change has taken place does not mean that the Root servers have been updated. I have run into this recently. Network Solutions' service has gone down hill since taking over from Internic, even though Internic has always been a subsidiary of Network Solutions.

If you do not want your ISP to be your secondary, that's OK. You just have to arrange with someone else to be your secondary, or bring up your own secondary server. It is suggested that your have your secondary on some other leg of the network, in case your Internet connection goes down. I know, you're now saying, "Well if my Internet connections goes down no one can get to anything in my domain anyway, so why bother?" Well, consider if you have a mail forwarder on your ISP or your mail records point to your ISP. If your link goes down, and you have secondary DNS somewhere else on the Internet, mail can still be going to, and sitting on your mail forwarder, or your ISP's mail server until your Internet connection comes back up.

Zone Serial Numbers

What's The Serial Number For?

The serial number is equivocally the version of the zone file. The secondaries read the serial number when they check with the primary at the end of the Refresh time limit. If the serial number is higher than the serial number of the information it has for that zone, it does a zone transfer to get the latest records for that zone form the primary.

Serial Number Format:

If you are using MS DNS then it is not that much of an issue for you since MS DNS takes care of the serial numbers (MS DNS uses consecutive numbers, 1, 2, 3, 4, etc.). But if you run Bind, you must remember to increment the serial number on your zones files any time you edit a zone file, including the reverse-lookup zone. This is so that the zone gets transferred when the secondary checks it.

The standard, and most widely used format is as follows:
Year, Month, Date, sequential number
1999 07 02 01

1999070201

The sequential number at the end is for situations where you edit your zone file more than once a day. Using this format you are guaranteed to never use the same number twice, and it also allows you to quickly determine when the last update to that file took place without having to look at file dates.

Zone File Names:

I suggest that when you name your zone files, no matter whether you use MS DNS or Bind, as text files ("txt" extension). Neither DNS program cares what the name is, but when you need to open the files directly, you can just double-click them instead of having to send them to Notepad or associate them with Notepad. This is just one of those things that makes life simpler.

Getting the Cache File:

You can get it from ftp://rs.internic.net/netinfo/root-servers.txt, or here, if that site is not available. Rename as necessary. In NT is is called "CACHE.DNS", hard-coded. In Bind it's usually called "db.cache", but you can name it what you want, provided you change your Boot file to reflect the new file name. MS DNS also has a "feature" which allows it to "Auto Update" the Cache file. this has been known to put erroneous information in the cache file and mess up resolution

Private Cache Files:

If you do not want your DNS server sending queries onto the Internet and want your DNS server or other DNS server on your network to be authoritative for everything, you are looking in the right place. First, make a copy of you cache file so that you can go back later if you want to. Next, open the cache file and modify it. You will see a series of records for the root server. You can delete all of them except for the number of private root servers you have.
The format of the file looks like this:

.    3600000    IN    NS    A.ROOT-SERVERS.NET.

        A.ROOT-SERVERS.NET.    3600000    A    198.41.0.4

; formerly NS1.ISI.EDU

.    3600000    NS    B.ROOT-SERVERS.NET.

        B.ROOT-SERVERS.NET.    3600000    A    128.9.0.107

There are 2 entries in the example above. Where you see the names suffixed by "Root-Servers.net", replace the name with your private root DNS server name. Replace the IP address in the entry(s) with the IP address of the applicable root server you are using. Save the file and you are done. Restart DNS to have it take affect.
Note: if you do this you must disable AutoCacheUpdate on MS DNS servers

Do I Need DNS? (DNS vs. WINS)

DNS is useful, and 2-10 times as fast as WINS, but it cannot do things like resolve addresses for NetBIOS apps, like mapping drives or connecting server/user manager to a domain/server. Another thing DNS does for you is allow you to have multiple virtual servers using one IP address, if you have IIS4. You cannot do this with WINS. If you have hosts that do not use WINS, such as UNIX hosts, mini-computers, or Mainframes that need host name resolution you must have DNS. Otherwise, WINS is perfectly capable of resolving your internal server name for web sites, in addition to resolution for everything else.

You need DNS if:

You obviously need DNS if you make any type of resources available on the Internet and want accessibility by host name.

You have web site(s), or other resources (FTP, Mail), on your internal server(s) that require accessibility, by host name, from hosts that cannot use WINS to resolve the IP address. This includes hosts that come in from the Internet, if you have a server behind a firewall with a web site on it.

You want to host multiple web sites with IIS4 with one IP address.

Otherwise, you'll be fine using just WINS.

The famous error, "the DNS Server Sendto() function failed"

There are 2 possible solutions to this problem.
1. Make sure your cache file is not corrupt. you may need to replace it.
2. Reinstall SP5 or whatever service-pack you are using. This is the most common cause that I have seen. You may have to reinstall the service pack as many as 3 times. This is the most that I have had to reinstall a service pack to get everything to work properly, but I won't rule out installing it more if necessary. Unfortunately the service pack install does not always work as it should, but that's software for you.

Making "mydomain.com" answer the same as "www.mydomain.com"

Sometimes you want your domain name to answer the same as your "www" host. How to do this in:

MS DNS:

Select the domain you want to add the "domain.com" record for and choose "New Record" from the DNS menu. For the Record Type, choose "A". Type in the IP address of the www host. Do not put anything in the host name text box. Leave it blank. Click OK. All done!

Bind:

Open the zone file for the domain you want to add the record to. In the Address record section add a record like the following.
@ IN A 200.200.200.200
Apply your IP addresses where applicable.
Save the file and restart DNS, or reload the database. All done!

MS DNS and Dialup Connections

Its a bug!

MS DNS does not respond well to dialup PPP connections. MS DNS will not resolve once it has been disconnected from a PPP connection and that connection has been re-established. This is a documented bug Q175436. MS has know about this since 1-99 and it isn't fixed. I know of at least 2 service packs since this bug was documented.
The only "fix" is to stop the DNS service and start it again. Note: Bind for NT does not exhibit this behavior.

Context Based Servers Reverse DNS DNS Terms DNS Concepts

Setting-up MS DNS Glossary

Home