DNS Server Deployment Getting Started Guide


One of the most important components of any modern TCP/IP network is the DNS server. DNS servers do many things, such as resolving Internet host names to IP addresses, resolving host names on the local network, and providing the infrastructure on which Windows Active Directory depends. Because of this, deploying a DNS server is not a trivial matter.

To help newcomers understand the DNS server better, this article shares some experience and common sense about deploying DNS servers: the roles a DNS server can play, where in the network it should be placed, and how many DNS servers are the best choice for your network.

How many DNS servers do you need?

In general, for a large network, relying on a single DNS server to satisfy all name resolution needs is not the best approach. So how many DNS servers do you need? Many factors are involved; let's start with the capacity of a DNS server.

Even a medium-sized server can handle a surprising number of name resolution requests. For example, I saw in an old Microsoft article that Windows Server 2003 installed on a Pentium III 700MHz computer as a dedicated DNS server could process more than 10,000 name resolutions per second. If Microsoft's figure is correct, you can estimate the number of DNS servers you need from the number of name resolutions in your network.

Unless you work in a large company, when you see this number you may think that your DNS server will never reach this load, so is one DNS server enough?

There are many reasons why deploying a single DNS server is a bad idea, and I will introduce them throughout the article. One of the most convincing is fault tolerance: if there is only one DNS server in your network and it fails, your network stops working. So for fault tolerance alone you need to deploy at least two DNS servers.

DNS Server Roles

Fault tolerance is only one reason to deploy multiple DNS servers; a DNS server can perform many different tasks, and companies typically decide how many DNS servers to deploy based on the roles these servers play. In terms of raw performance, one DNS server can serve several roles at once, but from a security perspective it is clearly not a good idea to have one DNS server do many other things at the same time, and it is even less safe when that server is exposed to the outside. Even setting security aside, having one DNS server do many things at once will obviously affect its performance.

In the following sections I describe the different roles a DNS server can take and the impact each role has on DNS deployment.

Providing Internet Access

Technically, a DNS server does not itself provide Internet access; it allows users on your network to access the Internet. Everyone should know that each website has a corresponding IP address, and to reach a website the computer must know that IP address. So every computer accessing a website first performs a DNS query to obtain the IP address of the requested site.

If you only want to provide Internet access to users on your network, then technically you do not need to deploy a DNS server at all. Your Internet service provider has its own DNS servers that you can use: just enter the provider's DNS server address as the preferred DNS server in the TCP/IP properties of the network connection.

Although the Internet service provider offers DNS servers and a local DNS server is not required for Internet access, many companies still choose to deploy one. A local DNS server saves bandwidth because it caches addresses that have already been resolved.

For example, suppose someone on your network wants to visit Google's website, www.google.com. After the URL is entered in the browser, the browser asks the local DNS server to resolve the name. Your DNS server then submits this query up to your Internet service provider's DNS server, which sends the resolved address back to the local DNS server, and from there it goes back to the browser that originally made the request.

This process may sound a bit inefficient, but your DNS server now knows the IP address of the Google site. When another user tries to reach the Google site, the local DNS server already knows the IP address, so it no longer forwards the request to your provider's DNS server. You can deploy such a caching-only DNS server without registering its IP address anywhere. In fact, from a security perspective this is also the best option: you can give it a private address, so the server cannot be reached by computers on the public network.

Domain name resolution becomes faster and more efficient through a DNS server that has already cached the IP addresses, because the whole resolution can be completed locally, and you save bandwidth.

Basic Active Directory

If you plan to deploy a Windows network with Active Directory, you have no choice but to install at least one DNS server, because without DNS, Active Directory will not function properly. As I explained earlier, DNS is a very important service, so you will end up deploying multiple DNS servers for fault tolerance.

In an Active Directory environment, the DNS server is used to locate domain controllers. Active Directory requires a DNS server that supports SRV records, and the DNS service included with Windows Server 2003 meets this requirement.

Besides locating domain controllers, computers in an Active Directory network typically also use DNS to resolve the names of network hosts. Windows versions before Windows 2000 used NetBIOS names, and so used WINS as their primary name resolution method. Today WINS is almost never used, and most companies use DNS to resolve network host names.
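The checks below are an added example, not code from the original article: they verify that a Windows DNS server meets the two requirements just described, that it serves the SRV records domain members use to find domain controllers, and that the zone only accepts secure dynamic updates so that no unauthenticated host can overwrite those records. They assume the DnsServer PowerShell module (Windows Server 2012 or later, not the Windows Server 2003 release the article mentions) and a made-up domain corp.example.com served by 10.1.0.10.

```powershell
# Added example (not from the original article): check that a DNS server meets
# Active Directory's requirements before domain controllers are pointed at it.
# Assumes the DnsServer module; corp.example.com and 10.1.0.10 are placeholders.

$Domain = 'corp.example.com'
$Server = '10.1.0.10'

# 1. The zone must exist and should accept only secure (Kerberos-authenticated)
#    dynamic updates, otherwise any host could overwrite the DC locator records.
Get-DnsServerZone -ComputerName $Server -Name $Domain |
    Select-Object ZoneName, IsDsIntegrated, DynamicUpdate

# Harden if needed: an AD-integrated zone can be restricted to secure updates only
Set-DnsServerPrimaryZone -ComputerName $Server -Name $Domain -DynamicUpdate Secure

# 2. Domain members find domain controllers through SRV records. Every DC must be
#    listed under _ldap._tcp.dc._msdcs.<domain>, and every KDC under _kerberos._tcp.
foreach ($svc in "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.$Domain") {
    $srv = Resolve-DnsName -Name $svc -Type SRV -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    if (-not $srv) { Write-Warning "No SRV records for $svc on $Server"; continue }
    # The answer also carries A records for the targets; keep only the SRV entries
    $srv | Where-Object { $_.Type -eq 'SRV' } |
        Select-Object Name, NameTarget, Port, Priority, Weight, TTL
}

# 3. Let the DC locator itself confirm that it can find a domain controller
nltest /dsgetdc:$Domain /force
```

Run it from a domain member whose preferred DNS server is the one under test; a warning from step 2 or a failure from nltest means domain joins and logons will fail against this server even though ordinary name lookups work.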

If you have to deploy DNS because you are using an Active Directory network, you will be happy to know that you automatically get the caching benefits of DNS that we have already discussed. In an Active Directory network you cannot use the Internet service provider's DNS server to resolve host names on your local network, so you need a DNS server on the local network, and the preferred DNS server in the network configuration of every host must point to it.

This configuration has a problem: if the hosts point at the local DNS server instead of the provider's, the local server has no way to resolve Internet domain names on its own. However, you can add your provider's DNS server as a forwarder on your local DNS server. This way you create a caching, forwarding DNS server that meets the needs of Active Directory, still resolves names on your local network, and passes Internet names on to the provider.
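The following is an added example, not code from the original article, covering both the caching behaviour described in the Internet access section and the forwarder setup described just above: it configures a local Windows DNS server to forward to the provider, keeps it on a private address that only internal clients can reach, and then shows that the second lookup of a name is answered from the local cache. It assumes the DnsServer and DnsClient PowerShell modules (Windows Server 2012 or later); the provider addresses 203.0.113.53/54, the local servers 10.1.0.10/11 and the internal ranges are all made up.

```powershell
# Added example (not from the original article): a local caching DNS server that
# forwards to the ISP and is reachable from the internal network only.
# Assumes the DnsServer and DnsClient modules; every address below is a placeholder.

$IspDns       = @('203.0.113.53', '203.0.113.54')  # assumed ISP resolvers
$LocalDns     = '10.1.0.10'                        # assumed private address of this server
$SecondLocal  = '10.1.0.11'                        # assumed second local server (fault tolerance)
$InternalNets = @('10.0.0.0/8', '192.168.0.0/16')  # assumed internal client ranges

# 1. Forward everything we are not authoritative for to the ISP. Do not fall back to
#    root hints when the forwarders are down, so traffic leaves only on the path we chose.
Set-DnsServerForwarder -IPAddress $IspDns -UseRootHint $false -Timeout 3

# 2. The caching server sits on a private address and must not be an open resolver:
#    allow port 53 (UDP and TCP) from the internal ranges only.
New-NetFirewallRule -DisplayName 'DNS UDP (internal clients only)' -Direction Inbound `
    -Protocol UDP -LocalPort 53 -RemoteAddress $InternalNets -Action Allow
New-NetFirewallRule -DisplayName 'DNS TCP (internal clients only)' -Direction Inbound `
    -Protocol TCP -LocalPort 53 -RemoteAddress $InternalNets -Action Allow

# 3. On a client: local server first, second local server as the fallback.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses ($LocalDns, $SecondLocal)

# 4. Show the cache at work: the first query is forwarded, the second answered locally.
Clear-DnsServerCache -Force
$first  = Measure-Command { Resolve-DnsName -Name 'www.google.com' -Server $LocalDns -DnsOnly }
$second = Measure-Command { Resolve-DnsName -Name 'www.google.com' -Server $LocalDns -DnsOnly }
"First lookup : {0:N1} ms (forwarded to ISP)" -f $first.TotalMilliseconds
"Second lookup: {0:N1} ms (served from cache)" -f $second.TotalMilliseconds

# The cached entry and the time it will remain valid
Show-DnsServerCache | Where-Object { $_.HostName -like '*google.com*' } |
    Select-Object HostName, RecordType, TimeToLive
```

The firewall rules are what turn "use a private address" into an enforced property: a resolver that answers recursive queries for anyone on the Internet is usable for reflection attacks and exposes its cache to poisoning attempts, so a caching server should answer only the clients it serves.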

Establishing an Internet Domain

Another situation that requires a DNS server is hosting an Internet domain. When a company owns an Internet domain name, it can set up a website using that name, but it can also set up another server or other type of Internet-accessible resource. For simplicity, in this article we assume the company wants to set up its own website.

As I explained earlier, every site has an IP address. When a user decides to visit the website, they enter its URL, but the browser must obtain the IP address of the website through a DNS query.

This means that if you want to set up your own website, you need a publicly accessible DNS server holding the IP address of the server on which the website runs. The DNS server must also be ready when you register the domain name, because the registrar will ask you for the IP address of the DNS server that is authoritative for the domain. You can change the IP address of this DNS server later, but the change usually takes 24-48 hours to take effect.
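As an added example (not from the original article), here is how a Windows DNS server is set up as the authoritative server that the registrar is given, with the one hardening step an Internet-facing authoritative server needs: recursion turned off, so it answers for its own zone only rather than acting as an open resolver. It assumes the DnsServer PowerShell module (Windows Server 2012 or later); the domain example.com, the server addresses 203.0.113.2/3 and the web server address 203.0.113.10 are placeholders.

```powershell
# Added example (not from the original article): a public authoritative DNS server
# for a newly registered domain. Assumes the DnsServer module; example.com and all
# 203.0.113.x addresses are placeholders.

$Zone  = 'example.com'
$WebIP = '203.0.113.10'   # public address of the web server
$Ns1   = '203.0.113.2'    # this server; its address goes to the registrar
$Ns2   = '203.0.113.3'    # second authoritative server, for fault tolerance

# 1. A file-backed primary zone with dynamic updates disabled: nothing on the
#    Internet should be able to change these records.
Add-DnsServerPrimaryZone -Name $Zone -ZoneFile "$Zone.dns" -DynamicUpdate None

# 2. Records the registrar and visitors need: NS records for both authoritative
#    servers at the zone apex ('@'), glue A records for them, and the web site itself.
Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'ns1' -IPv4Address $Ns1
Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'ns2' -IPv4Address $Ns2
Add-DnsServerResourceRecord  -ZoneName $Zone -Name '@' -NS -NameServer "ns1.$Zone."
Add-DnsServerResourceRecord  -ZoneName $Zone -Name '@' -NS -NameServer "ns2.$Zone."
Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'www' -IPv4Address $WebIP `
    -TimeToLive (New-TimeSpan -Hours 1)   # short TTL so a later address change propagates quickly

# 3. An Internet-facing authoritative server must answer only for its own zones.
#    With recursion left on it becomes an open resolver that can be abused for
#    amplification and exposed to cache poisoning.
Set-DnsServerRecursion -Enable $false

# 4. Zone transfers only to the second authoritative server, and notify it of changes
Set-DnsServerPrimaryZone -Name $Zone -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $Ns2 -Notify NotifyServers -NotifyServers $Ns2

# 5. Verify: our own record is answered, while a name outside the zone is not
Resolve-DnsName -Name "www.$Zone" -Server $Ns1 -DnsOnly
Resolve-DnsName -Name 'www.google.com' -Server $Ns1 -DnsOnly -ErrorAction Continue
```

Hand the registrar the addresses in $Ns1 and $Ns2; the last two commands are the test to repeat after the 24-48 hour propagation window, and the second of them should fail, because a server that resolves foreign names for the whole Internet is exactly the exposure the article warns about.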

When you consider using such a DNS server as the authoritative DNS for your Internet domain, keep in mind that it does not have to be part of your network. In fact, most Internet service providers allow you to use their DNS servers as the authoritative DNS for your domain name, and this service is usually free when you host your website with the provider.

Depending on the level of service your provider offers, the best approach is to have them maintain the DNS records for your website. This spares you from running and securing a public DNS server of your own. It is important to check your provider's service level agreement, because this DNS server must operate 24*7.

Another benefit of having your provider manage your DNS records is that it saves Internet bandwidth. If you run your own public DNS server, recursive DNS queries can consume a lot of bandwidth and put load on your router.

Of course there is also a disadvantage: if the DNS records are handed over to the provider for maintenance, changing the address of the website server is not as convenient as editing it directly on your own DNS server.

Effects of Deployment Locations on Network Performance

We have discussed some common uses of DNS servers and deploying multiple DNS servers for fault tolerance. There is one more important thing to consider when you deploy DNS servers on your network: where they are placed.

As mentioned earlier, even a very old DNS server can handle up to 10,000 name resolutions per second. It is great to have a server that can handle such a large number of name resolutions, but you must consider the impact on other parts of your network. For example, suppose your network has five network segments and you put two DNS servers (for fault tolerance) on one of them.

Then all computers in the other four segments perform their DNS queries across segment boundaries, which increases the load on the routers and may congest the segment where the DNS servers are located. So when you choose the number of DNS servers and where to install them, minimize the impact of DNS queries on the network.

If your network spans one or more WAN connections, I recommend putting a DNS server at each location connected by a WAN link, so that DNS queries do not congest the WAN connections. If you are deploying an Active Directory environment, you can create an Active Directory-integrated zone, placing the primary DNS server at headquarters and secondary DNS servers at the branch offices, which also reduces traffic between the sites. Of course, the computers in each branch must set the nearest DNS server in their network configuration.
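The placement just described, as an added example that is not part of the original article: a headquarters site and one branch office joined by a WAN link, with the zone served locally at the branch either from an Active Directory-integrated copy (when the branch has a domain controller) or from a secondary copy pulled from headquarters (when it only has a member server), and branch clients pointed at their nearest server. It assumes the DnsServer and DnsClient PowerShell modules (Windows Server 2012 or later); the domain corp.example.com and the addresses 10.1.0.10/11 (headquarters) and 10.2.0.10 (branch) are made up.

```powershell
# Added example (not from the original article): DNS placement across a WAN link.
# Assumes the DnsServer and DnsClient modules; the domain and all addresses are placeholders.
#   HQ     : domain controllers / DNS at 10.1.0.10 and 10.1.0.11
#   Branch : DNS at 10.2.0.10 (a DC, or a member server holding a secondary copy)

$Domain      = 'corp.example.com'
$HqDns       = @('10.1.0.10', '10.1.0.11')
$BranchDns   = '10.2.0.10'
$BranchHasDc = $false   # set to $true if the branch office runs its own domain controller

if ($BranchHasDc) {
    # Zone stored in Active Directory and replicated to every DC in the domain: each
    # site serves it from a local copy, and changes travel with AD replication rather
    # than as zone transfers over the WAN.
    Add-DnsServerPrimaryZone -ComputerName $HqDns[0] -Name $Domain `
        -ReplicationScope Domain -DynamicUpdate Secure
} else {
    # Read-only secondary copy at the branch, pulled from HQ. HQ permits transfers to
    # this one server only and notifies it when the zone changes.
    Set-DnsServerPrimaryZone -ComputerName $HqDns[0] -Name $Domain `
        -SecureSecondaries TransferToSecureServers -SecondaryServers $BranchDns `
        -Notify NotifyServers -NotifyServers $BranchDns
    Add-DnsServerSecondaryZone -ComputerName $BranchDns -Name $Domain `
        -ZoneFile "$Domain.dns" -MasterServers $HqDns
}

# Names the branch server is not authoritative for go to HQ, which holds the shared
# cache, instead of each branch resolving the Internet separately over its own link.
Set-DnsServerForwarder -ComputerName $BranchDns -IPAddress $HqDns

# Branch clients: nearest server first, HQ only as a fallback if the branch server is down.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses ($BranchDns, $HqDns[0])

# Check where a branch client's queries go, and that the local copy serves the DC records
Get-DnsClientServerAddress -InterfaceAlias 'Ethernet' -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $BranchDns -DnsOnly |
    Where-Object { $_.Type -eq 'SRV' } | Select-Object Name, NameTarget
```

The two branches of the if/else are the two designs the paragraph names; the secondary-zone path is the one to use when the branch server is not a domain controller, and the transfer restriction on the primary is what keeps a full copy of the zone (every host name in the company) from being pulled by anything other than the intended branch server.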

Overview

As you can see, distributing DNS servers across your enterprise is an important job. To get the best results, consider the roles the DNS servers need to play, and do not neglect security and performance.

Copyright © Windows knowledge All Rights Reserved