Name resolution is an
essential function on all TCP/IP networks, and the network
infrastructure design process includes a determination of what names
your computers will use, and how those names will be resolved into
Internet Protocol (IP) addresses. As with IP addressing itself, the
names you choose for your computers are affected by your network’s
interaction with the Internet and by the applications the computers are
running.
What Types of Names Need To Be Resolved?
As you know, TCP/IP
communications are based on IP addresses. Every IP datagram transmitted
by a TCP/IP computer contains a source IP address, which identifies the
computer sending the datagram, and a destination IP address, which
identifies the computer that is to receive it. Routers use the network
identifiers in the IP addresses to forward the datagrams to the
appropriate locations, eventually getting them to their final
destinations.
Friendly names are only
for use by people; they do not change the way the TCP/IP computers
communicate among themselves. Whenever you use a name instead of an
address in an application, the computer must convert the name into the
proper IP address before initiating communications with the target
computer. This name-to-address conversion is called name resolution.
When you type the name of an Internet server in your Web browser, for
example, the first thing your computer does is resolve that name into an
IP address. Once the computer has the address of the Internet server,
it can send its first message, requesting access to the resource you
specified in the browser.
To design a
name resolution strategy for an enterprise network, you must know the
types of names the computers will have to resolve. Networks running
Microsoft Windows operating systems use two basic types of names for
computers and other resources: Network Basic Input/Output System
(NetBIOS) names and DNS names.
NetBIOS Names
Windows
operating systems prior to Windows 2000 used NetBIOS names to identify
the computers on the network. The NetBIOS name of a Windows system is
the computer name that you assign it during the operating system
installation. Windows includes several name resolution mechanisms for
NetBIOS names, and chief among these is WINS.
While computers
running Windows 2000 and later use a host name to identify themselves on
the network, and use DNS as their primary name resolution mechanism,
they can interoperate with earlier versions of Windows because they
support a second NetBIOS name as well. If all the computers on your
network are running Windows 2000 or later, Active Directory has been
installed, and no applications are using NetBIOS,
it is possible to remove WINS servers and disable the NetBIOS Over
TCP/IP (NetBT) protocol on your computers. You can do this by using the
controls in the NetBIOS Setting box, found in the WINS tab in the
computer’s Advanced TCP/IP Settings dialog box.
Until the time when
each computer on your network meets all three of the requirements
listed above, NetBIOS name resolution will be required in your
environment. NetBIOS name resolution processes and services, such as
WINS, have not changed fundamentally since Windows NT 4.0. Therefore,
NetBIOS name resolution is not an objective of the MCSE Upgrade exams
and is not discussed further in this training kit.
Note
For more information on NetBIOS, refer to the Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference or the Microsoft Windows Server 2003 Resource Kit.
DNS Names
DNS is the name
resolution mechanism that computers running Windows 2000 and later use
to identify hosts and services on the network, and it is the mechanism
used by all computers while running Internet-based applications and
protocols.
Reviewing DNS Concepts, Components, and Processes
DNS consists of a hierarchical namespace, a collection of name servers, and DNS clients called resolvers.
Each name server is the authoritative source for a small part of the
namespace. When DNS servers receive name resolution requests from
resolvers, they check their own records for the IP address associated
with the requested name. If the server does not have the information
needed, it passes the request to other DNS servers until it reaches the
authoritative server for that name. That authoritative server is the
ultimate source for information about that name, so the IP address it
supplies is considered definitive. The authoritative server returns a
reply containing the IP address to the requesting server, which in turn
relays it back to the resolver, as shown in Figure 1.
For
DNS to function in this manner, it was necessary to divide the
namespace in a way that would distribute it among many servers. It was
also necessary to devise a methodology that would enable a server to
systematically locate the authoritative source for a particular name. To
accomplish these goals, the developers of DNS created the concept of
the domain. A domain
is an administrative entity that consists of a group of hosts (which
are usually computers). When a DNS server is the authoritative source
for a domain, it possesses information about the hosts in that domain,
in the form of resource records. The most common resource record is the Host (A) resource record, which consists of the host name and its equivalent IP address.
Therefore, the full name for
a computer in DNS consists of two basic parts: a host name and a domain
name. Note the similarity between the DNS name and an IP address, which
also consists of two parts: a network identifier and a host identifier.
The host name identifies a specific computer and has to be unique in
its domain.
Understanding Domains
The domain name part of a
DNS name is hierarchical and consists of two or more words, separated by
periods. The domain namespace takes the form of a tree that, much like a
file system, has its root at the top. Just beneath the root is a series
of top-level domains, and beneath each top-level domain is a series of
second-level domains. At minimum, the complete DNS name for a computer
on the Internet consists of a host name, a second-level domain name, and
a top-level domain name, written in that order and separated by
periods. The complete DNS name for a particular computer is called its fully qualified domain name (FQDN).
Name Resolution and the Domain Hierarchy
The hierarchical nature
of the DNS domain namespace is designed to make it possible for any DNS
server on the Internet to use a minimum number of queries to locate the
authoritative source for any domain name, as shown in Figure 2.
This efficiency is possible because the domains at each level are
responsible for maintaining information about the domains at the next
lower level. For example, if a DNS server receives a name resolution
request for www.adatum.com from a client resolver, and the server has no
information about the adatum.com domain, it forwards the request to one
of the root name servers on the Internet. This is called a referral.
Note
The root name servers
are the highest-level DNS servers in the namespace, and they maintain
information about the top-level domains. Software developers
preconfigure all DNS server implementations with the IP addresses of
multiple root name servers, so they can send referrals to these servers
at any time.
On receiving the request, the root name server reads the top-level domain in the requested name, in this case com,
and returns a resource record that contains the IP addresses of the
authoritative servers for the com domain to the requesting server. With
this information, the requesting server can now send a duplicate of the
client request to the authoritative server for the top-level, or com,
domain. The top-level domain server reads the requested name and replies
with a resource record that contains the IP addresses of the
authoritative servers for the second-level domain—in this case, adatum.
The requesting server
can now forward its request to the server that is ultimately responsible
for the adatum.com domain. The adatum.com server reads the requested
name and replies by sending the resource record for the host called www
to the requesting server. The requesting server can now relay the
resource record to the client that originally requested the resolution
of the www.adatum.com FQDN. The client reads the IP address for www.adatum.com from the resource record and uses it to send packets to that server.
The
name resolution process described in the previous section is designed
to convert DNS names into IP addresses. However, there are occasions
when it is necessary for a computer to convert an IP address into a DNS
name. This is called reverse name resolution.
Because the domain hierarchy is broken down by names, there is no
apparent way to resolve an IP address into a name using iterative
queries, except by forwarding the reverse name resolution request to
every DNS server on the Internet, which is obviously impractical.
To address this problem, the developers of DNS created a special domain called in-addr.arpa
(described in RFC 1035, “Domain Names - Implementation and
Specification”), specifically designed for reverse name resolution. The
in-addr.arpa second-level domain contains four additional levels of
subdomains. Each of the four levels consists of subdomains that are
named using the numerals 0 to 255. For example, beneath in-addr.arpa,
there are 256 third-level domains, numbered from 0 to 255. Each of those
256 third-level domains has 256 fourth-level domains beneath it, also
numbered from 0 to 255. Each fourth-level domain has 256 fifth-level
domains and the fifth-level domains have 256 sixth-level domains, as
shown in Figure 3.
Using
this hierarchy, it is possible to express an IP address as a domain
name, and to create a resource record in the domain that contains the
name associated with the IP address. For example, to resolve the IP
address 192.168.89.34 into a name, a DNS server would locate a domain
called 34.89.168.192.in-addr.arpa in the usual manner and read the
contents of a special type of resource record called a Pointer (PTR)
resource record to determine the name associated with that IP address.
The IP address is reversed in the domain name because in IP addresses,
the host identifier is on the right and in FQDNs, the host name is on
the left.
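The following is an added example, not code from the training kit. It builds the in-addr.arpa name for the page's example address 192.168.89.34 exactly as the text describes (octets reversed, then the in-addr.arpa suffix), looks the name up in a small set of constructed PTR records, and then adds the check a practitioner wants before trusting a PTR result: the name returned by the PTR record is only accepted if its own Host (A) record maps back to the address. The PTR data for an address block is published by whoever administers that block's in-addr.arpa zone, so a log entry or access decision based on the PTR text alone trusts that party; requiring the forward record to agree means the name's owner confirms the mapping. The PTR and A records, the names host34.adatum.com and www.example.net, and the address 203.0.113.10 are all constructed sample data.

```python
"""Reverse name resolution (in-addr.arpa / ip6.arpa) with a forward-confirmation
check. Added example, not from the training kit; all records are constructed."""
import ipaddress

# Constructed reverse-zone data: in-addr.arpa owner name -> PTR target.
PTR_RECORDS = {
    "34.89.168.192.in-addr.arpa": "host34.adatum.com",
    # This PTR names a host whose A record does NOT point back at the address.
    "35.89.168.192.in-addr.arpa": "www.example.net",
}

# Constructed forward-zone data: host name -> list of A record addresses.
A_RECORDS = {
    "host34.adatum.com": ["192.168.89.34"],
    "www.example.net": ["203.0.113.10"],
}


def reverse_name(ip_text):
    """Return the reverse-lookup owner name for an IP address.

    For IPv4 this is the four octets in reverse order under in-addr.arpa,
    because the host identifier is on the right of an address but the host
    name is on the left of an FQDN. IPv6 addresses get the analogous
    nibble-reversed name under ip6.arpa."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 4:
        octets = str(ip).split(".")
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    # The standard library already knows the ip6.arpa construction.
    return ip.reverse_pointer


def lookup_ptr(ip_text, ptr_records=PTR_RECORDS):
    """Plain reverse lookup: the name the PTR record claims for this address."""
    return ptr_records.get(reverse_name(ip_text))


def forward_confirmed_name(ip_text, ptr_records=PTR_RECORDS, a_records=A_RECORDS):
    """Return the PTR name only if its A record maps back to the same address.

    Returns None when there is no PTR record, or when the forward record of
    the claimed name does not include the address (the claim is unconfirmed)."""
    name = lookup_ptr(ip_text, ptr_records)
    if name is None:
        return None
    if ip_text in a_records.get(name, []):
        return name
    return None


if __name__ == "__main__":
    for addr in ("192.168.89.34", "192.168.89.35", "192.168.89.36"):
        print(addr, reverse_name(addr), lookup_ptr(addr), forward_confirmed_name(addr))
```

Running the block prints the reverse name, the raw PTR result, and the confirmed result for each constructed address; only 192.168.89.34 survives the forward check.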
Caching to Improve DNS Query Performance
Although this might
seem like a long and tedious process, the DNS name resolution procedure
usually occurs in a few seconds or less. Several DNS elements speed up
the process. The first reason for the quick responses is that the most
commonly used top-level domains—such as com, org, and net—are actually hosted by the root name servers, eliminating one iteration from the request referral process.
The second reason is that
most DNS server implementations maintain a cache of information they
receive from other DNS servers. When a server possesses information
about a requested FQDN in its cache, it responds directly using the
cached information, rather than sending another referral to the
authoritative server for the FQDN’s domain. Therefore if you have a DNS
server on your network that has just successfully resolved the name www.adatum.com
by contacting the authoritative adatum.com DNS server, a second user
trying to access the same host a few minutes later would receive an
immediate reply from the local DNS server, rather than having to wait
for the entire referral process to repeat.
DNS servers recognize two types of name resolution requests: recursive queries and iterative queries.
In a recursive query, the DNS server receiving the name resolution
request takes full responsibility for resolving the name. If the server
possesses information about the requested name, it replies immediately
to the requestor. If the server has no information about the name, it
sends referrals to other DNS servers until it obtains the information it
needs. TCP/IP client computers send recursive queries to their
designated DNS servers. In an iterative query, the servers that receive
the name resolution request immediately respond with the best
information they possess at the time, whether that information is a
fully resolved name or a reference to another DNS server. DNS servers
use iterative queries when communicating with each other. It is
considered impolite to configure one DNS server to send a recursive
query to another DNS server, except in the case of a special type of
server called a forwarder, which is specifically configured to interact
with other servers in this way.
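The following added example (not code from the training kit) models three things described above in one small resolver: the referral walk from a root server through the com server to the adatum.com server described under "Name Resolution and the Domain Hierarchy", the cache that lets a second query for www.adatum.com be answered without repeating that walk, and the split between the recursive query a client sends (handled by `CachingResolver.resolve`) and the iterative queries each server answers with the best information it has at the moment (`iterative_query`, which returns an answer, a referral, or nothing). The three "servers" are dictionaries constructed inline; every IP address is a constructed sample value from the RFC 5737 documentation ranges, and, unlike the real root servers described in the text, the model keeps the com data on a separate server so that all three referral steps are visible.

```python
"""Toy model of iterative DNS resolution with referrals, a TTL cache, and a
recursive front end. Added example, not code from the training kit; the
servers and all addresses are constructed sample data."""

# Constructed authoritative data. Zone and host names carry a trailing
# period, as on the wire. "NS" maps a delegated zone to the addresses of
# its authoritative servers; "A" maps a host name to its address.
SERVERS = {
    "192.0.2.1": {                      # root server: knows only the TLD delegations
        "NS": {"com.": ["192.0.2.2"]}, "A": {}, "ttl": 172800},
    "192.0.2.2": {                      # com server: knows the second-level delegations
        "NS": {"adatum.com.": ["198.51.100.53"]}, "A": {}, "ttl": 172800},
    "198.51.100.53": {                  # adatum.com server: holds the Host (A) records
        "NS": {}, "A": {"www.adatum.com.": "198.51.100.80"}, "ttl": 3600},
}
ROOT_HINTS = ["192.0.2.1"]              # addresses preconfigured into every resolver


def _in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def iterative_query(servers, server_ip, qname):
    """One iterative query. The server replies with the best it has right now:
    ("answer", ip, ttl), ("referral", [ns addresses], ttl) or ("unknown", None, ttl)."""
    server = servers[server_ip]
    if qname in server["A"]:
        return "answer", server["A"][qname], server["ttl"]
    for zone, ns_ips in server["NS"].items():
        if _in_zone(qname, zone):
            return "referral", ns_ips, server["ttl"]
    return "unknown", None, server["ttl"]


class CachingResolver:
    """Accepts recursive queries from clients and does the referral walk itself."""

    MAX_REFERRALS = 8   # a delegation loop between misconfigured servers must not spin forever

    def __init__(self, servers, root_hints, clock):
        self.servers = servers
        self.root_hints = root_hints
        self.clock = clock               # callable returning seconds; injected so tests control time
        self.cache = {}                  # qname -> (ip, expiry time)

    def resolve(self, qname):
        """Recursive query as the client sees it: returns (ip, servers contacted).
        An empty contacted list means the answer came from the cache."""
        qname = qname if qname.endswith(".") else qname + "."
        now = self.clock()
        cached = self.cache.get(qname)
        if cached and cached[1] > now:
            return cached[0], []
        candidates = list(self.root_hints)   # start at the root, as on a cold cache
        contacted = []
        for _ in range(self.MAX_REFERRALS):
            server_ip = candidates[0]
            contacted.append(server_ip)
            kind, data, ttl = iterative_query(self.servers, server_ip, qname)
            if kind == "answer":
                self.cache[qname] = (data, now + ttl)   # keep it only as long as the TTL allows
                return data, contacted
            if kind == "referral":
                candidates = data                       # follow the referral one level down
                continue
            raise LookupError(f"{qname}: no authoritative data found")
        raise LookupError(f"{qname}: too many referrals")


def demo():
    """Resolve www.adatum.com cold, again a few minutes later, and after the TTL lapses."""
    clock = [0.0]
    resolver = CachingResolver(SERVERS, ROOT_HINTS, clock=lambda: clock[0])
    ip, cold_path = resolver.resolve("www.adatum.com")
    clock[0] = 300.0                                   # five minutes later: still cached
    _, warm_path = resolver.resolve("www.adatum.com")
    clock[0] = 3601.0                                  # past the 3600 s TTL: walk again
    _, expired_path = resolver.resolve("www.adatum.com")
    return ip, cold_path, warm_path, expired_path


if __name__ == "__main__":
    print(demo())
```

The two details worth noticing from a defender's point of view are the TTL on the cache entry, which bounds how long a stale or wrong record is served, and the cap on the referral chain, which keeps a misconfigured or hostile delegation from consuming the resolver indefinitely.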
Understanding the Domain Hierarchy Levels
The
top two levels of the DNS hierarchy—the root and the top-level
domains—exist primarily to respond to queries for information about
other domains. The root name servers do nothing but respond to millions
of iterative requests by sending out the addresses of the authoritative
servers for the top-level domains.
Note
There are seven primary top-level domains: com, net, org, edu, mil, gov, and int, plus two-letter international domain names representing most of the countries in the world, such as fr for France and de for Deutschland (Germany). There are also a number of newer top-level domains promoted by Internet entrepreneurs, such as biz and info, which have yet to be widely used commercially.
Each top-level domain has
its own collection of second-level domains. Individuals and
organizations can lease these domains for their own use. For example,
the second-level domain adatum.com belongs to a company that purchased
the name from one of the many Internet registrars now in the business of
selling domain names to consumers. For the payment of an annual fee,
you can purchase the rights to a second-level domain.
To use the domain name,
you must supply the registrar with the IP addresses of the DNS servers
that you want to be the authoritative sources for information about this
domain. The administrators of the top-level domain servers then create
resource records pointing to these authoritative sources so that any com
server receiving a request to resolve a name in the adatum.com domain
can reply with the addresses of the adatum.com servers.
Planning
To
create authoritative sources for your domain, you can deploy your own
DNS servers, using Windows Server 2003 or another operating system, or
you can pay to use your ISP’s DNS servers.
Once
you purchase the rights to a second-level domain, you can create as
many hosts as you want in that domain, simply by creating new resource
records on the authoritative servers. You can also create as many
additional domain levels as you want. For example, you can create the
subdomains sales.adatum.com and marketing.adatum.com, and then populate
each of these subdomains with hosts. The only limitations to the
subdomains and hosts you can create in your second-level domain are that
each domain name can be no more than 63 characters long, and that the
total FQDN (including the trailing period) can be no more than 255
characters long. For the convenience of users and administrators, most
domain names do not even approach these limitations.
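As an added example (not code from the training kit), the validator below applies the two limits the passage gives to a name before it is used to create a subdomain or host record: no component between periods longer than 63 characters, and the whole FQDN, counted with its trailing period, no longer than 255 characters. It also rejects empty components (leading or doubled periods), which the limits above do not cover but which would otherwise slip through; that extra check is this example's own addition. The names sales.adatum.com and marketing.adatum.com are the page's own; the over-long names in the usage lines are constructed.

```python
"""Validate a DNS name against the length limits given in the text.
Added example, not from the training kit."""

MAX_LABEL = 63      # longest single component between periods
MAX_FQDN = 255      # longest complete name, counting the trailing period


def validate_fqdn(name):
    """Return a list of problems with `name`; an empty list means it passes.

    The name may be given with or without the trailing period; it is
    normalised to the fully qualified form before the checks run."""
    problems = []
    fqdn = name if name.endswith(".") else name + "."
    if fqdn == ".":
        return problems                     # the root itself has no labels to check
    if len(fqdn) > MAX_FQDN:
        problems.append(f"FQDN is {len(fqdn)} characters; the limit is {MAX_FQDN}")
    for label in fqdn[:-1].split("."):      # drop the trailing period, then split
        if label == "":
            problems.append("empty component (leading or consecutive periods)")
        elif len(label) > MAX_LABEL:
            problems.append(
                f"component {label[:12]!r}... is {len(label)} characters; the limit is {MAX_LABEL}")
    return problems


if __name__ == "__main__":
    # The page's own subdomain names pass; the constructed names below do not.
    for candidate in ("sales.adatum.com", "marketing.adatum.com.",
                      "a" * 64 + ".adatum.com", "www..adatum.com"):
        print(candidate[:40], validate_fqdn(candidate) or "ok")
```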
Determining DNS Requirements
If
you plan to give network users client access to the Internet, they must
have direct access to one or more DNS servers. You can run your own DNS
servers on your network for this purpose, or you can use your ISP’s DNS
servers. You do not need to register a domain name. The clients’ DNS
servers can be caching-only servers,
meaning that they exist only to process name resolution requests sent
by clients, and they can be located on your private network, with
unregistered IP addresses.
Hosting an Internet Domain
If you plan to host an
Internet domain, you must register a second-level domain name and give
the IP addresses of your DNS servers to your domain registrar. These
servers must have registered IP addresses and must be available on the
Internet at all times. The servers do not have to be on your network,
and do not have to be in the domain you have registered. You can use
your ISP’s DNS servers for this purpose (for a fee), but be aware that
to create or modify the resource records stored there, you will
occasionally have to change the server configuration. If you maintain
your own DNS servers, you can manage the resource records yourself and
retain full control over their security. If your ISP hosts your domain,
you might have to have your ISP make the changes, and they might charge
you an additional fee for each modification.
Hosting Internet Servers
If you plan on hosting
Internet servers on your network, you must have access to a registered
domain on the Internet, with authoritative DNS servers on which you can
create resource records that assign host names to your servers. You can
either register your own domain (in which case, you must meet the
requirements described in the previous section, “Hosting an Internet Domain”), or you can use your ISP’s DNS servers (in which case, the ISP must create the necessary resource records for you).
Using Active Directory
If you plan to run Active
Directory directory service on your network, you must have at least one
DNS server on the network that supports the Service Location (SRV)
resource record, such as the DNS Server service in Windows Server 2003.
Computers on the network running Windows 2000 and later versions use
DNS to locate Active Directory domain controllers. To support Active
Directory clients, the DNS server does not have to have a registered IP
address or an Internet domain name.
Combining DNS Functions
In
many cases, a network requires some or all of these DNS functions, and
you must decide which ones you want to implement yourself and which you
want to delegate to your ISP. It is possible to use a single DNS server
to host both Internet and Active Directory domains, as well as to
provide name resolution services for clients. However, when planning a
DNS name resolution strategy for a medium or large network, you should
run at least two DNS servers, to provide fault tolerance.
Note
If
you plan to use your ISP’s DNS servers for any functions other than
client name resolution, be sure that the DNS server implementation the
ISP is using is compatible with the Windows Server 2003 DNS servers you
are using, and that the ISP is able to provide the services you need.
You might also
want to consider splitting up these functions by using several DNS
servers. For example, you can use your ISP’s DNS servers for client name
resolution, even if you are running your own DNS servers for other
purposes. The main advantage of using your ISP’s servers is to conserve
your network’s Internet bandwidth. Remember that the Internet name
resolution requests that DNS servers receive from client resolvers are
recursive queries, giving the first server responsibility for sending
iterative queries to other DNS servers on the Internet to resolve the
name. When the DNS server receiving the recursive queries is on your
private network, all the iterative queries the server generates and
their responses go through your Internet access router, using your
bandwidth. (See Figure 4.)
If your clients use a DNS server on your ISP’s network (which is nearly
always a free service), only one query and one response go through your
router. The ISP’s DNS servers generate all the iterative queries, and
these queries travel directly to the Internet.