Using DNS Server

In most TCP/IP-based networks, name resolution is provided by one or more DNS servers, which are also required for Windows 2000 Server-based networks using Active Directory.

Although Active Directory works with any DNS server that complies with the appropriate standards, such as BIND version 8.2.2 or later, the DNS server provided with Windows 2000 Server is more than good enough. In fact, unless you already have BIND deployed on the network, you should use Microsoft's DNS server for the network. The DNS server in Windows 2000 Server is easy to set up, integrates well with Active Directory, provides full multimaster zone replication when using Active Directory-integrated zones, and generally works as it's supposed to.

If you're using Active Directory-integrated DNS, you can skip the next section, as DNS is automatically set up during the Active Directory Setup Wizard (see Chapter 11).

Installing DNS

To install DNS, set up Active Directory on the server and let Windows install DNS at the same time. This provides domain controller functionality and also lets DNS benefit from Active Directory integration. To set up the server as a domain controller, see Chapter 11.

If DNS wasn't installed on the domain controller when you set up Active Directory, or you don't want to use Active Directory integration with DNS Server, follow these steps to install the DNS service, or use the Configure Your Server Wizard, which is discussed in Chapter 6:

  1. Click Start and choose Settings, and then select Network And Dial-Up Connections. Right-click the connection you want, and choose Properties from the shortcut menu.
  2. Select the Internet Protocol (TCP/IP) entry, and then click Properties. Type the IP address, subnet mask, and default gateway that you're using. Be sure the Use The Following DNS Server Addresses option is selected. In the Preferred DNS Server box, type the computer's own IP address.

    An alternative to using a static IP address is to make a client reservation with the DHCP server so that the DNS server is always guaranteed the same IP address.

  3. Right-click the My Computer icon, and choose Properties from the shortcut menu.
  4. In the Computer Name tab, click Change. In the Identification Changes box, click More (you won't be able to perform this procedure on domain controllers).
  5. In the DNS Suffix And NetBIOS Computer Name dialog box, type the DNS domain name, and click OK. If you changed the DNS suffix, reboot the server for the change to take effect; otherwise no reboot is needed.
  6. Open the Add/Remove Programs Control Panel tool, and then click Add/Remove Windows Components to launch the Windows Components Wizard.
  7. Select Networking Services from the list of components, and then click Details.
  8. Select the check box next to the Domain Name System (DNS) component, as shown in Figure 14-12, and then click OK.

    Figure 14-12. Installing the DNS service.

  9. Click Next to install the service. All the necessary files are copied to the hard disk.

Using the Configure A DNS Server Wizard

Windows 2000 provides a handy wizard to help you set up a DNS server. The following procedure walks you through the wizard, while later sections delve into more detail on individual tasks that the wizard accomplishes:

  1. Launch DNS from the Administrative Tools folder on the Programs menu.
  2. Select the DNS server you want to configure (choose the Connect To Server command from the Action menu if the server isn't displayed in the console tree).
  3. Choose the Configure The Server command from the Action menu.
  4. Click Next in the first page.
  5. Choose the Yes, Create A Forward Lookup Zone option in the Forward Lookup Zone page, shown in Figure 14-13, and then click Next.

    Figure 14-13. Choosing whether to create a forward lookup zone.

  6. Specify whether the DNS server will maintain the zone (Active Directory-Integrated or Standard Primary), recording and handling DNS records for clients on the network, or whether another DNS server (possibly maintained by your ISP) maintains the zone (Standard Secondary), as shown in Figure 14-14. Click Next to continue.

    Figure 14-14. Choosing whether to create a primary or secondary forward lookup zone.

    Real World

    The Need (or Lack Thereof) for Secondary DNS Servers

    Because of the pivotal role DNS plays in any TCP/IP-based network, it's vital for it to be reliable. Small networks can often make do with a single DNS server, but medium and large networks must have fault-tolerant DNS service.

    One way of doing this is to set up secondary DNS servers to provide redundancy if the primary DNS server (of which there can be only one) doesn't respond to client queries. Secondary DNS servers can also be useful in reducing network traffic if placed in a location where the zone is heavily queried.

    Another way of providing DNS redundancy is to add another Active Directory-integrated DNS server. Because Active Directory uses a full multiple-master model, all DNS servers using Active Directory-integrated zones can be primary servers—no secondary zones are required.

    If you are going to use standard primary and secondary DNS servers, set up secondary DNS servers for both forward and reverse lookup zones. Reverse lookup zones are queried less often, so they need fewer secondaries; place at least one of them outside the subnet the reverse zone covers, so that the zone stays resolvable when that subnet is unreachable.

  7. Enter the zone name and then click Next.
  8. If your ISP or another DNS server maintains the zone, enter the IP address of the master DNS server or servers maintaining the zone in the IP Address box, and click Add. The IP address is added to the list box as shown in Figure 14-15. The Windows 2000 DNS server then copies the zone data from those servers by zone transfer.

    Figure 14-15. The Master DNS Servers screen.

  9. If you chose to create a standard primary forward lookup zone, the Zone File page appears. Type a filename for the zone file. To use an existing file, copy the file to the %SystemRoot%\System32\Dns folder, select the Use This Existing File option, type the filename in the box provided, and then click Next.
  10. In the Reverse Lookup Zone page, choose No, Do Not Create A Reverse Lookup Zone to finish the setup process, or click Yes, Create A Reverse Lookup Zone to create a reverse lookup zone.
  11. If you chose to create a reverse lookup zone, choose the type of zone to create and then click Next.
  12. Enter the address of the network in the Network ID box and then click Next as shown in Figure 14-16. The wizard automatically creates the reverse lookup zone name from this information.

    Figure 14-16. Creating a reverse lookup zone.

  13. If you're creating a standard zone, click Next to approve the filename provided.
  14. Review the summary of the DNS server configuration, and then click Finish to complete the initial configuration of the DNS server.

Use the Nslookup command from a command prompt to test the functionality of the DNS server. Nslookup first resolves the server's own IP address to a name, so without a reverse lookup zone it warns that it can't find the server name, and you won't be able to perform reverse lookups to obtain DNS names from IP addresses. Consult online help for command reference information.

Real World

DHCP and Secure Dynamic Updates

With secure dynamic updates, the account that registers a record becomes its owner and is the only one allowed to change it. If multiple DHCP servers register records in the same DNS zone and one of them fails, the surviving servers can't update or remove the records the failed server created, so those records go stale. To prevent this, use the Active Directory Users and Computers MMC snap-in to add all DHCP servers to the DnsUpdateProxy group. Records registered by members of this group carry no owner, which loosens permissions: any authenticated client can then overwrite them. For that reason, don't install DHCP on a domain controller in this scenario, because every record the domain controller registers under its own computer account would get the same loosened permissions, unless DNS resource record security is of low importance to you (in which case it's probably easier to use unsecured dynamic updates).

Creating Zones

A zone is the portion of the DNS namespace for which a server holds authoritative data. Splitting the namespace into zones lets different DNS servers serve different portions of it, and lets a single server serve only the portion it is responsible for.

When setting up the domains, start with the top-level domain. Then create subdomains and delegate control of the domains to other DNS servers as necessary.

The two types of zones concerned are forward lookup zones and reverse lookup zones. Forward lookup zones are the types of zones normally associated with DNS servers; they return an IP address when given a DNS name. Reverse lookups are used less often, but they are still important. They provide the ability to resolve an IP address into a DNS name, something that Internet Information Services (IIS) uses for its log files (troubleshooting tools such as Nslookup rely on reverse lookup zones as well).

Creating a New Forward Lookup Zone

When you first setup a DNS server, you'll probably want to use the Configure A DNS Server Wizard (discussed in the previous section), which walks you through creating the first forward lookup zone. However, if you didn't use the wizard to set up the zones, or you need to create additional forward lookup zones, use the following procedure:

  1. Launch DNS from the Administrative Tools folder on the Programs menu.
  2. Select the DNS server you want to configure (choose the Connect To Server command from the Action menu if the server isn't displayed in the console tree).

    If you select the Forward Lookup Zone container in the console before choosing New Zone from the Action menu, the New Zone Wizard assumes that you intend to create a forward lookup zone and skips step 6.

  3. Choose New Zone from the Action menu to start the New Zone Wizard. Click Next to start using the wizard.
  4. In the Zone Type page (Figure 14-17) choose one of the following options, and then click Next to continue:
    • Active Directory-Integrated Use this option to take advantage of Active Directory-integrated zone storage, which permits multiple-master operation (all servers are primary DNS servers). This option is available only on domain controllers.
    • Standard Primary Use this option if this DNS server is to hold the master copy of the zone and be authoritative for it. Only the primary server can change the zone data; secondary servers hold read-only copies.
    • Standard Secondary Use this option if the zone's primary copy is hosted on another server and this server should hold a read-only copy of it, obtained from that master server by zone transfer.

    Figure 14-17. The Zone Type screen of the New Zone Wizard.

  5. Select the Forward Lookup Zone option, and click Next.
  6. Type the DNS name for the zone in the Name text box, and then click Next. If you chose an Active Directory-integrated zone, it is created now.
  7. If you chose to create a secondary zone, type the IP addresses of the master servers from which you want to copy the zone data, clicking Add after entering each one (shown previously in Figure 14-15). Click Browse to search for servers. Use the Up and Down buttons to arrange the IP addresses in the order in which you want to contact them. Click Next when you're done.
  8. To create a new file to store the zone data for a standard primary zone, select the Create A New File With This File Name option and type the name you want to give the zone file, or use the one provided for you.
  9. To use an existing zone file to store the zone data, copy the file to the %SystemRoot%\System32\Dns folder, select the Use This Existing File option, and type the filename in the box provided. Click Next.
  10. Review the summary of the zone, and then click Finish to complete the creation of the zone.

Creating a New Reverse Lookup Zone

Reverse lookup zones allow clients to resolve a host's DNS name from an IP address, which is useful for troubleshooting tools such as Nslookup. Reverse lookups also permit IIS log files to record DNS names instead of just IP addresses.

To create a new reverse lookup zone, follow these steps:

  1. Launch DNS from the Administrative Tools folder on the Programs menu.
  2. Select the DNS server from the console tree, and then choose New Zone from the Action menu to start the New Zone Wizard. Click Next to start using the wizard.
  3. In the Zone Type screen choose Active Directory-Integrated, Standard Primary, or Standard Secondary, and then click Next to continue.
  4. Select the Reverse Lookup Zone option, and click Next in the Select The Zone Type screen.
  5. Type the network address in the Network ID box, shown previously in Figure 14-16. (See Chapter 13 for more information about network addresses and TCP/IP addressing.) To type the name of the reverse lookup instead of supplying the network ID, select Reverse Lookup Zone Name, and type the name of the reverse lookup zone. Click Next.
  6. If you are creating a lookup zone that is Active Directory-integrated, the wizard creates the zone immediately.
  7. If you are making a standard primary zone, type the name you want to give the zone file, or use the name provided for you. To use an existing zone file to store the data, copy the file into the %SystemRoot%\ System32\Dns folder, choose the Existing File option, and type the filename in the box provided. Click Next to continue.
  8. For a secondary zone, type the IP addresses of the master servers from which you want to copy the zone data in the next screen, clicking Add after entering each one. Click Next to continue.
  9. Review the summary of the zone, and then click Finish to complete the creation of the zone.
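The zone name the wizard derives from the Network ID in step 5, and the check the book recommends below for delegated servers (a host record in the forward zone and a matching pointer record in the reverse zone), can both be scripted. The following Python is an added example and not code from the book or the Windows 2000 DNS console. It assumes the network ID is given in CIDR form (the wizard takes it as octets), and the zone data is constructed: the scribes.com names follow the book's examples and the addresses are made up.

```python
"""Reverse lookup zone naming and forward/reverse consistency checking.
Added example; not code from the book or the Windows 2000 DNS console.
The zone data below is constructed: the scribes.com names follow the book's
examples, the addresses are made up."""
import ipaddress

def reverse_zone_name(network):
    """in-addr.arpa zone for a network ID given in CIDR form (an assumption: the wizard
    takes the ID as octets). A reverse zone covers whole octets, so the prefix must be 8, 16 or 24."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("expected an IPv4 network with a /8, /16 or /24 prefix: " + network)
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def ptr_owner(ip):
    """Owner name of the PTR record for one address, e.g. 10.1.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def ptr_records(forward, network):
    """PTR records the reverse zone for network should contain, derived from the forward zone's
    A records. forward: {fqdn: [ip, ...]}. Returns sorted (owner, target) pairs."""
    net = ipaddress.ip_network(network, strict=True)
    return sorted((ptr_owner(ip), host) for host, ips in forward.items()
                  for ip in ips if ipaddress.ip_address(ip) in net)

def check_forward_reverse(forward, reverse):
    """Report A records without a PTR, PTRs that point at a different name, and PTRs with no
    A record behind them. reverse: {ptr_owner: fqdn}. Returns a list of findings."""
    findings = []
    for host, ips in sorted(forward.items()):
        for ip in ips:
            target = reverse.get(ptr_owner(ip))
            if target is None:
                findings.append(("missing PTR", host, ip))
            elif target != host:
                findings.append(("PTR mismatch", host, ip, target))
    wanted = {ptr_owner(ip) for ips in forward.values() for ip in ips}
    for owner, target in sorted(reverse.items()):
        if owner not in wanted:
            findings.append(("stale PTR", target, owner))
    return findings

# Constructed sample zones (not real zone data).
FORWARD = {"dc1.scribes.com.": ["192.168.1.5"],
           "www.scribes.com.": ["192.168.1.10"],
           "mail.scribes.com.": ["192.168.1.20"]}
REVERSE = {"5.1.168.192.in-addr.arpa.": "dc1.scribes.com.",
           "10.1.168.192.in-addr.arpa.": "old-www.scribes.com.",
           "30.1.168.192.in-addr.arpa.": "printer.scribes.com."}

if __name__ == "__main__":
    print(reverse_zone_name("192.168.1.0/24"))
    for rec in ptr_records(FORWARD, "192.168.1.0/24"):
        print("%s IN PTR %s" % rec)
    for finding in check_forward_reverse(FORWARD, REVERSE):
        print(*finding)
```

Run against the sample data, the check reports the mail server with no PTR, the www record whose PTR still names the old host, and a PTR for a printer that has no A record at all; those are the three ways forward and reverse zones drift apart once hosts are renamed or readdressed by hand.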

Creating Subdomains and Delegating Authority

In most large network environments, you need to create subdomains and delegate their management to other DNS zones hosted by other DNS servers. Doing so eliminates the undesirable situation of having a large namespace hosted in a single zone by a single server. Thus, you might have a zone containing the root domain scribes.com as well as the subdomain marketing.scribes.com; however, you might have the subdomain tech.scribes.com and its subdomains delegated to a separate zone managed by another DNS server, as shown in Figure 14-18.

Figure 14-18. A domain tree with zones identified.

Be sure that you have a host record created for the DNS server in the forward lookup zone and a pointer record for the DNS server in the reverse lookup zone. DNS might not automatically create these (especially the pointer record) so double-check them—otherwise the server might not work.

Zones must have a contiguous namespace, so it isn't possible to combine subdomains from different branches of the namespace and place them in a single zone. Create separate zones for each noncontiguous part of the domain.

To create a new subdomain in an existing zone and then delegate authority over the domain to another DNS server, perform the following steps:

  1. Select the domain in which you want to create a new subdomain, and then choose New Domain from the Action menu.
  2. Type the name of the subdomain in the dialog box that appears, and then click OK. This name must not be fully qualified. For example, if you were creating the subdomain tech.scribes.com under the domain scribes.com, type only tech in this dialog box.

    Subdomains don't have to be delegated to a different DNS server. Subdomains can even be created in new zone files and still be managed by the same server. This is useful if you want to host the domains on the same computer, yet manage them differently.

  3. To delegate authority over the subdomain, select the parent domain of the subdomain, choose New Delegation from the Action menu, and then click Next to start the New Delegation Wizard.
  4. Type the name for the subdomain you want to delegate, as shown in Figure 14-19. Check that the fully qualified name of the subdomain displayed is correct and then click Next.

    Figure 14-19. Delegating a subdomain.

  5. Click Add to specify the servers to which you want to delegate the subdomain.
  6. Type the name of the server to which you want to delegate authority and then click Resolve, or click Browse to locate its resource record in the DNS server's zone files. Alternatively, type the IP address or addresses for the server, clicking Add after typing each one. Click OK when you're done.
  7. Add any other DNS servers that will host the delegated subdomain, as shown in Figure 14-20. Click Next to continue.

    When you delegate control over a subdomain to multiple DNS servers, Windows 2000 Server automatically monitors the round-trip times to the servers and selects the closest (fastest) one.

  8. Review the summary window, and click Finish to complete the delegation process.

    Figure 14-20. The Name Servers screen of the New Delegation Wizard.

Adding Resource Records

After creating zones and subdomains, add resource records (RRs) for the domain server and any other servers with static IP addresses or IP reservations (DHCP servers, WINS servers, routers, and so on). The steps that follow are for adding new host RRs, but the process to add new pointer RRs, Alias (CNAME) RRs, mail exchangers, or other RRs is similar (note that the DNS server doesn't work properly without a host record and a pointer record, which might not be created automatically for you):

  1. Select the zone and domain or subdomain to which the host belongs, and then choose New Host from the Action menu. Alternatively choose New Alias, New Mail Exchanger, or another type of record from the Action menu. Table 14-1 lists the records supported by Windows 2000 DNS server.
  2. In the Name box, type the host name (and only the host name—the name must not contain any periods), or leave the Name box blank to use the name of the parent domain (Figure 14-21). Type the host's IP address.

    Figure 14-21. The New Host dialog box.

  3. Select the Create Associated Pointer (PTR) Record to create an RR for the host in the reverse lookup zone.
  4. Click Add Host, and then fill out the fields for any additional host records you want to create, or click Done.

Real World

Changing DNS Records

When you make a change to the DNS records, choose the Update Server Data Files command from the Action menu after making the changes. This command writes the zone data to the zone files on disk and increments the zone's serial number, which is how secondary servers learn that the zone changed and that they need to transfer the updated records.

If you're using conventional DNS zones, add or change DNS records only from the primary DNS server for a zone. If you're using Active Directory-integrated DNS, you can make the changes to any Active Directory-based DNS and it propagates correctly to the other Active Directory DNS servers and notifies secondary servers that there are updated records.

Table 14-1. Supported DNS record types (record type: common name; function; defining RFC or specification)

A: Address record. Maps a fully qualified domain name (FQDN) to a 32-bit IPv4 address. RFC 1035.

AAAA: IPv6 host record. Maps an FQDN to a 128-bit IPv6 address. RFC 1886.

AFSDB: Andrew File System (AFS) or Distributed Computing Environment (DCE) record. Maps a DNS domain name to a server subtype that is either an AFS version 3 volume location server or an authenticated name server using DCE or Network Computing Architecture (NCA). RFC 1183.

ATMA: Asynchronous Transfer Mode (ATM) address record. Maps a host name to an ATM address. "ATM Name System Specification Version 1.0" (ATM Forum).

CNAME: Canonical name (alias) record. Maps an alias name to the canonical (real) domain name. RFC 1035.

HINFO: Host information record. Specifies the CPU and operating system type for the host. RFC 1035 (the machine and system names are listed in RFC 1700).

ISDN: ISDN information record. Maps an FQDN to an ISDN telephone number. RFC 1183.

KEY: Public key record. Holds a public key for a DNS zone (DNSSEC). RFC 2535.

MB: Mailbox record. Names the host that holds the specified mailbox. RFC 1035 (experimental).

MG: Mail group record. Names a mailbox (MB) that is a member of the mail group given by the owner name. RFC 1035 (experimental).

MINFO: Mailbox information record. Specifies the mailbox responsible for a mailing list or mailbox, and a mailbox that receives related error messages. RFC 1035 (experimental).

MR: Mailbox rename record. Maps an old mailbox name to a new mailbox name for forwarding purposes. RFC 1035 (experimental).

MX: Mail exchanger record. Names a mail server that accepts mail for the domain, with a preference value that orders the candidates. RFC 974 (record format in RFC 1035).

NS: Name server record. Names a server that is authoritative for the zone (or delegated subdomain) whose name is the record's owner. RFC 1035.

NXT: Next record. Asserts the nonexistence of names and record types between two signed names in a zone (DNSSEC). RFC 2535.

OPT: Option pseudo-record. Carries EDNS options with a DNS request or reply. RFC 2671.

PTR: Pointer record. Points to another domain name; in reverse lookup zones it maps an in-addr.arpa name (an IP address) back to a host name. RFC 1035.

RP: Responsible person record. Identifies the person responsible for a host or domain. RFC 1183.

RT: Route-through record. Names an intermediate host through which hosts lacking a direct WAN address can be reached. RFC 1183.

SIG: Signature record. Holds a digital signature over a set of resource records (DNSSEC). RFC 2535.

SOA: Start of authority record. Marks the start of a zone and names the primary server, the responsible mailbox, the zone serial number and the refresh, retry, expire and minimum TTL timers. RFC 1034 and 1035.

SRV: Service locator record. Locates the servers for a named service and protocol, with priority, weight and port; Active Directory clients use SRV records to find domain controllers. RFC 2052 (obsoleted by RFC 2782).

TXT: Text record. Associates a string of descriptive text with a DNS name. RFC 1035.

WKS: Well-known services record. Lists the TCP/IP services supported by a protocol at a specific IP address. RFC 1035.

X25: X.25 information record. Maps a DNS name to a public switched data network (PSDN) address. RFC 1183.

More Info

For more information about each of these record types and what they mean, refer to the related RFC or see Microsoft Windows 2000 Server Resource Kit (2001), available from Microsoft Press.

Configuring Zone Transfers

Because the DNS service is so important to a modern TCP/IP-based network, and because it's essential to the operation of Active Directory, always configure multiple DNS servers in each zone to provide fault tolerance.

Windows 2000 Server supports several ways of keeping the copies of a zone in sync. If the DNS servers store their zone data in Active Directory, Active Directory replication carries the zone data, allowing a full multimaster model in which all servers are peers and any of them can change the zone. That replication is incremental as well: only changed records are sent.

Windows 2000 Server also supports RFC 1995-compliant incremental zone transfers when using standard zone files. This incremental zone transfer method permits a secondary DNS server to pull only the zone changes that it needs to synchronize its copy of the zone data with the primary server's. If the serial number of the primary DNS server's zone file matches that of the secondary DNS server's serial number, no changes were made, so no zone transfer need take place.

Incremental zone transfers occur only if both servers support this feature. When performing zone transfers with Windows NT 4 DNS servers or other DNS servers that don't support this feature, a full zone transfer occurs. In a full zone transfer, the entire contents of the zone file are pulled from the primary DNS server by the secondary server.
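Both the Update Server Data Files note earlier in the chapter and the serial comparison just described rest on the zone's SOA serial number, and the comparison is not plain integer arithmetic: RFC 1982 defines it modulo 2^32 so that a serial can wrap around. The Python below is an added example, not code from the book or the Windows DNS service. It implements that comparison, the secondary's refresh decision, and the YYYYMMDDnn serial convention that makes a serial that went backwards easy to spot; the serial 2003010501 is a made-up value.

```python
"""SOA serial arithmetic (RFC 1982) and the secondary's refresh decision.
Added example; not code from the book or the Windows 2000 DNS service."""
import datetime

MOD = 1 << 32            # serials are unsigned 32-bit values
HALF = 1 << 31

def serial_add(serial, n):
    """Add n (0 <= n < 2**31) to a serial; the result wraps modulo 2**32."""
    if not 0 <= n < HALF:
        raise ValueError("increment must be in [0, 2**31)")
    return (serial + n) % MOD

def serial_gt(a, b):
    """True when a is 'later' than b in serial number space. Equal serials, and serials
    exactly 2**31 apart, are never 'later' (RFC 1982 section 3.2)."""
    a, b = a % MOD, b % MOD
    return (a > b and a - b < HALF) or (a < b and b - a > HALF)

def transfer_needed(primary_serial, secondary_serial):
    """At refresh time the secondary asks the primary for its SOA and pulls the zone only if
    the primary's serial is later. A serial that was lowered by hand counts as 'earlier', so
    the secondary keeps serving its old copy and the change never propagates."""
    return serial_gt(primary_serial, secondary_serial)

def next_dated_serial(current, yyyymmdd=None):
    """YYYYMMDDnn convention: the first edit of a day jumps to today's base value, later edits
    the same day add one. If current is already beyond today's base (clock skew, or a serial
    typed by hand), just add one: the serial must always move forward."""
    if yyyymmdd is None:
        yyyymmdd = int(datetime.date.today().strftime("%Y%m%d"))
    base = yyyymmdd * 100
    return base if serial_gt(base, current) else serial_add(current, 1)

def check_new_serial(old, new):
    """Guard for hand-edited zone files: refuse a serial secondaries would not see as newer."""
    if not serial_gt(new, old):
        raise ValueError("serial %d is not later than %d; secondaries would ignore the change" % (new, old))
    return new

if __name__ == "__main__":
    old = 2003010501                                  # made-up dated serial
    new = next_dated_serial(old, 20030105)
    print(old, "->", new, "transfer needed:", transfer_needed(new, old))
    print("wrapped serial still counts as newer:", serial_gt(serial_add(0xFFFFFFFF, 1), 0xFFFFFFFF))
```

The guard in check_new_serial is the check worth running before you copy an edited zone file into %SystemRoot%\System32\Dns: a serial that didn't move forward is the most common reason secondaries keep serving stale data.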

If the DNS server is a secondary DNS server for a zone, it is already configured to pull zone transfers from the zone's master server. If the server is the primary server for the zone, by default it serves zone transfers to any DNS server that requests them. That is a security problem: anyone who can reach the server on port 53 can set up a rogue secondary, or simply send a transfer query, and pull the complete zone, every host name and address in it, which is exactly the map of the network an attacker wants before probing it. Allow zone transfers only to the servers that actually need them. To modify the way zone transfers occur for a zone, follow these steps:

  1. Select the zone in which you want to enable zone transfers, go to the Action menu, and choose Properties.
  2. Click the Zone Transfers tab, shown in Figure 14-22.

    Figure 14-22. The Zone Transfers tab of the Properties dialog box.

  3. To disable zone transfers for the zone entirely, clear the Allow Zone Transfers check box. Do this for zones that have no secondary servers, such as Active Directory-integrated zones whose copies are all replicated through Active Directory.
  4. To allow any DNS server to perform zone transfers with the DNS server, select To Any Server (this exposes the whole zone to anyone who can query the server; avoid it).
  5. To set up the server to allow only servers that have NS records in the zone file to perform zone transfers with the server, choose Only To Servers Listed On The Name Servers Tab.
  6. To create a list of approved servers with which the DNS server can perform zone transfers, select Only To The Following Servers. Then type each secondary server's IP address in the box provided, clicking Add after typing each one.
  7. To change whether secondary servers in the zone are notified when the zone file has been updated, click Notify.
  8. To disable the notification of secondary servers when changes to the zone file take place, clear the Automatically Notify check box, shown in Figure 14-23.

    Figure 14-23. The Notify dialog box.

  9. To notify only DNS servers with name server records in the zone file, select Servers Listed On The Name Servers Tab.
  10. To create a list of servers that you want to notify about changes to the zone file, select the The Following Servers option. Then type each server's IP address in the box provided, clicking Add after typing each one.

Interoperating with Other DNS Servers

Windows 2000 DNS servers perform fast zone transfers with data compression and multiple resource records sent in each message when transferring zones to other Windows DNS servers. This zone transfer method works with all Windows DNS servers, and BIND DNS servers version 4.9.4 or later (although Windows 2000 DNS servers should run Service Pack 3 or newer if receiving zone information from BIND 9.x servers).

If you are using BIND DNS servers, check whether Windows has fast transfers enabled. To perform zone transfers with BIND servers earlier than version 4.9.4, you need to disable this fast zone transfer method.

Although you can use Windows 2000 DNS servers and Active Directory in conjunction with Windows NT 4 Service Pack 4 DNS servers and BIND servers later than version 4.9.4, for best compatibility use Windows 2000 or BIND 8.2 or newer DNS servers. BIND versions 8.2 and later support incremental zone transfers, and BIND versions 8.1.2 and later support dynamic updates.

The BIND Secondaries option on the server's Advanced tab controls the transfer format. When the check box is selected, the server sends zone transfers in the older uncompressed, one-record-per-message format that BIND versions earlier than 4.9.4 require; when it is cleared, fast transfers are used. To change the setting, use the following procedure:

  1. Select the DNS server from the console tree and choose Properties from the Action menu.
  2. Click the Advanced tab. Select the Bind Secondaries check box to disable fast transfers (required for pre-4.9.4 BIND secondaries), or clear it to enable them.

Enabling Dynamic DNS Updates

The DNS servers in Windows NT 4 and BIND 4.9.x are somewhat of a management headache because of the lack of dynamic updates. Every time a host is given a new IP address, an administrator has to manually update the DNS zone file with the new IP address.

Fortunately, the Windows 2000 DNS server implements RFC 2136-compliant dynamic updates. These dynamic updates allow Windows XP and Windows 2000 clients to update their own forward lookup DNS records, and they allow DHCP servers to update the forward and reverse lookup records of all legacy clients (if this option is enabled in DHCP). They also allow you to scavenge records that haven't been refreshed in a long time, reducing the gradual bloat that happens with DNS databases. (See Chapter 13 for more information about setting up aging and scavenging parameters.)

If you didn't turn on dynamic updates when you configured the DNS server, follow these steps to do so:

  1. Select the zone in which you want to enable dynamic updates.
  2. Choose Properties from the Action menu and click the General tab.
  3. In the Allow Dynamic Updates box, select Yes, or, for an Active Directory-integrated zone, Only Secure Updates. Yes accepts updates from any host that can reach the server, so anyone on the network can register or overwrite a record (pointing a server's name at an attacker's machine, for instance). Only Secure Updates requires the client to authenticate and makes the registering account the owner of the record.

For dynamic DNS to work properly, DHCP servers must be configured to update the DNS server when a client's IP address changes. Windows 2000 Server-based DHCP servers are set up to dynamically update DNS for Windows XP and Windows 2000 clients by default. Dynamic updates for legacy systems must be specifically enabled on the DHCP server.
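The zone transfer restrictions described earlier and the dynamic updates just enabled both concern messages that any host on the network can send; seeing them on the wire makes the risk concrete. The Python below is an added example, not code from the book or the Windows 2000 DNS service. It builds the AXFR and IXFR queries a secondary (legitimate or rogue) sends, builds an RFC 2136 UPDATE that adds an A record with no authentication of the sender, and decodes any of them, which is the classification logic a network sensor would run. Zone names, message IDs and addresses are made up, and the code speaks only the base protocol, with no TSIG or GSS signature.

```python
"""Build and decode the DNS messages behind zone transfers (AXFR/IXFR) and RFC 2136
dynamic updates. Added example; not code from the book or the Windows 2000 DNS service.
Zone names, message IDs and addresses are made up."""
import struct

OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA, TYPE_IXFR, TYPE_AXFR = 1, 6, 251, 252
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255
ACTIONS = {CLASS_IN: "add", CLASS_ANY: "delete", CLASS_NONE: "delete-rr"}  # RFC 2136 2.5

def encode_name(name):
    """Length-prefixed labels ending in a zero byte (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long: " + label)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def decode_name(msg, offset):
    """Read a name at offset, following compression pointers; returns (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # pointer to an earlier copy of the suffix
            if end is None:
                end = offset + 2                   # this name's own bytes stop here
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)

def header(msg_id, opcode, counts):
    """12-byte header; counts are QD/ZO, AN/PR, NS/UP, AR/AD in query/update naming."""
    return struct.pack("!HHHHHH", msg_id, opcode << 11, *counts)

def read_rr(msg, offset):
    """One resource record: (name, type, class, ttl, rdata, rdata offset, next offset)."""
    name, offset = decode_name(msg, offset)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
    start = offset + 10
    return name, rtype, rclass, ttl, msg[start:start + rdlen], start, start + rdlen

def build_axfr_query(zone, msg_id=0x1001):
    """Full transfer request: what any secondary, legitimate or rogue, sends to the primary."""
    return header(msg_id, 0, (1, 0, 0, 0)) + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN)

def build_ixfr_query(zone, serial, msg_id=0x1002):
    """Incremental request (RFC 1995): the secondary's serial rides in an SOA in the authority section."""
    question = encode_name(zone) + struct.pack("!HH", TYPE_IXFR, CLASS_IN)
    rdata = encode_name(zone) + encode_name("hostmaster." + zone) + struct.pack("!IIIII", serial, 0, 0, 0, 0)
    soa = encode_name(zone) + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 0, len(rdata)) + rdata
    return header(msg_id, 0, (1, 0, 1, 0)) + question + soa

def build_update_add_a(zone, owner, ip, ttl=1200, msg_id=0x1003):
    """RFC 2136 UPDATE adding an A record. The message carries no sender authentication;
    with dynamic updates set to Yes (not Only Secure Updates) the server accepts it from any host."""
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(o) for o in ip.split("."))
    rr = encode_name(owner) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header(msg_id, OPCODE_UPDATE, (1, 0, 1, 0)) + zone_section + rr

def classify(msg):
    """Decode a request: QUERY, AXFR, IXFR (with the offered serial) or UPDATE (with its changes)."""
    msg_id, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    name, offset = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
    offset += 4
    info = {"id": msg_id, "name": name}
    if (flags >> 11) & 0xF == OPCODE_UPDATE:
        info["kind"], info["changes"] = "UPDATE", []
        for _ in range(an):                            # prerequisite section: skip
            offset = read_rr(msg, offset)[-1]
        for _ in range(ns):                            # update section
            rr_name, rtype, rclass, _ttl, rdata, _start, offset = read_rr(msg, offset)
            text = ".".join(str(b) for b in rdata) if rtype == TYPE_A and len(rdata) == 4 else rdata.hex()
            info["changes"].append((ACTIONS.get(rclass, "?"), rr_name, rtype, text))
    else:
        info["kind"] = {TYPE_AXFR: "AXFR", TYPE_IXFR: "IXFR"}.get(qtype, "QUERY")
        if qtype == TYPE_IXFR and ns:                  # serial from the SOA the secondary sent
            start = read_rr(msg, offset)[5]
            start = decode_name(msg, decode_name(msg, start)[1])[1]   # skip MNAME and RNAME
            info["serial"] = struct.unpack("!I", msg[start:start + 4])[0]
    return info

if __name__ == "__main__":
    for m in (build_axfr_query("scribes.com"), build_ixfr_query("scribes.com", 2003010501),
              build_update_add_a("scribes.com", "www.scribes.com", "192.168.1.10")):
        print(classify(m))
```

An AXFR or UPDATE arriving from an address that is neither a listed secondary nor a DHCP server is the event worth alerting on; the Only To The Following Servers and Only Secure Updates settings above are what stop the server from honouring such a message in the first place.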

Enabling WINS Resolution

WINS allows NetBIOS names to be resolved into IP addresses. This capability is important for networks that support large numbers of pre-Windows 2000 Microsoft clients. DNS can work with WINS to search the entire combined DNS and NetBIOS namespace, if necessary, when a client attempts to resolve a host name.

In Windows NT 4, enabling WINS resolution within DNS is essential to successfully resolving hosts that might have recently changed IP addresses—the dynamic WINS database provides an up-to-date IP address when the static DNS zone file can't. However, with Windows XP and the Windows 2000 family, dynamic updates to the DNS server eliminate the need to use WINS servers to keep the namespace up to date, and WINS is gradually phased out.

To enable WINS resolution in a zone, follow these steps:

  1. Select the zone in which you want to enable WINS resolution, and then choose Properties from the Action menu.
  2. Click the WINS tab and select the Use WINS Forward Lookup check box.
  3. If you're not using Microsoft DNS servers as secondary servers, select the Do Not Replicate This Record check box to prevent compatibility problems (only Windows DNS servers support WINS records).
  4. Type the IP address of each WINS server you want to query, clicking Add after typing each one.

You will find more about setting up WINS in the section Setting Up a WINS Server, later in this chapter.

Setting Up a Forwarder

No name server can answer every client query from its own data; sometimes a client asks for a name that isn't in any zone the server hosts, say example.microsoft.com. The server then asks one of the Internet root servers, which refers it to the servers for the .com top-level domain. Those servers refer it to the microsoft.com DNS servers, which in turn return the answer or refer it to the DNS server for example.microsoft.com.

This process is called recursion, and it takes time and a number of trips out to the Internet by the DNS server. In a network with multiple DNS servers and domains, it can be advantageous to have DNS servers forward their unresolved queries to another DNS server. This server then either replies with the desired record from its own DNS zone, or hunts down the unresolved query and reports back to the DNS server that forwarded the request. This can reduce WAN link usage in two ways:

  • If the server is authoritative for the zone containing the requested DNS record, the DNS server can reply directly without having to hunt for the appropriate DNS server.
  • If the server isn't hosting the zone with the requested record, it still might be able to answer the query from its cache of recent DNS queries.

For security reasons, a single DNS server typically forwards queries from the internal network to a DNS server on the other side of the firewall. All other internal DNS servers forward their queries to that designated forwarder, which passes them on to the external name server or answers them from its own cache. Only the forwarder needs to be reachable from outside, which keeps the firewall rule set small and the other internal servers off the Internet.

To configure the DNS server to forward unresolved queries to another DNS server, follow these steps:

  1. In the console tree, select the DNS server on which you want to enable forwarding, and then choose Properties from the Action menu.
  2. Click the Forwarders tab and select the Enable Forwarders check box.
  3. To forward all unresolved queries to another DNS server, type the IP addresses of the DNS server or servers to which you want to forward unresolved queries, clicking Add after typing each one, as shown in Figure 14-24.

    Figure 14-24. Setting up DNS forwarders.

  4. In the time-out box, type the number of seconds the server should wait for a reply from one forwarder before trying the next server in the list.
  5. To stop the server from resolving names itself when the forwarders fail, select the Do Not Use Recursion check box. If the forwarders don't respond and this box is selected, the DNS server fails the query and the client fails over to its secondary DNS server, if one is configured. A DNS server that uses forwarders and performs no recursion of its own is called a slave server; in the firewall design described above, that's what you want for the internal servers, so that they never try to reach the Internet directly.

Updating Root Hints

Root hints tell a DNS server where to look to find the DNS servers authoritative for the top level of the domain structure. Root hints for the Internet's root servers are automatically installed in the Cache.dns file located in the %SystemRoot%\System32\Dns folder.

If the DNS server only needs to resolve names in the private network, you must provide the locations of the top-level DNS servers for the network, either through the DNS console (as described next) or by manually editing the Cache.dns file. Alternatively, you can import root hints from another server.

If the server is the root of the network's namespace and doesn't resolve Internet host names, you can delete the Cache.dns file.

To update root hints on the server, use the following procedure:

  1. In the console tree, select the DNS server on which you want to update the root hints, and then choose Properties from the Action menu.
  2. Click the Root Hints tab, and then click Add, as shown in Figure 14-25, to add a name server record for a root DNS server; type the server's name and IP address. If the server must never send queries to the Internet, remove the Internet root servers from the list as well.

Figure 14-25. Updating root hints.

Setting Up a Caching-Only DNS Server

Caching-only servers are DNS servers that don't host any zones and that aren't authoritative for any domains—they simply cache the queries that they perform on behalf of the clients that use the server. Caching-only servers are useful for sites that use a slow WAN link to other DNS servers. By simply caching queries instead of holding its own zone files, a caching-only server reduces network traffic because it never performs any zone transfers. To set up a caching-only server, follow these steps:

  1. Install the DNS service, as described earlier in this chapter.
  2. Configure the caching server with a static IP address.
  3. Launch DNS from the Administrative Tools folder on the Programs menu, and then choose Connect To Computer from the Action menu. Don't configure any zones: a server that hosts no zones is, by definition, caching-only.
  4. In the Select Target Computer dialog box, select The Following Computer, type the name of the caching-only server (Figure 14-26), and click OK.

Figure 14-26. The Select Target Computer dialog box.

The DNS server is added to the DNS console on the caching server. The caching server performs recursive queries on behalf of its clients and over time accumulates resource records for answering future queries. Because it answers recursive queries for anyone who can reach it, don't expose a caching-only server to the Internet; an open resolver is a ready-made amplifier for attacks on third parties. You can clear the cache on a caching server by right-clicking the server's name in the DNS console and selecting Clear Cache from the shortcut menu.



Microsoft Windows 2000 Server Administrator's Companion
ISBN: 0735617856
Year: 2003