Does anyone know the answer to this DNS question?

Robbo777Robbo777 Member Posts: 331 ■■■□□□□□□□
Why is my internet queries working when I have specified my DNS sever to be my barebones domain controller DNS server on a different ip address 192.168.0.150 as opposed to the .1 address for the router/normal DNS server? There are NO conditional forwarders or stub zones on the server and just the default root hints are on it to. The default gateway is still set to the router but that shouldn't matter for name resolutions. I have searched the internet and cant find much as to why its still working? Is the secondary server of the router cached or something?

Is the "zone" in a DNS server classed as that particular domain? In that my domain STARWARS.com has a DNS sever zone saying starwars.com , does that man that when a user in the starwars domain has a DNS query even if there are multiple zones, the query will go into the starwars.com zone because there a member of that domain?

Cheers!

Comments

  • OctalDumpOctalDump Member Posts: 1,722
    I could probably give you an answer if I understood the question.

    Are you using DHCP? Have you configured the client to use 192.168.0.150 for DNS?

    I suspect all that is happening is that the server isn't authoritative for the domain you are querying, so the query recurses out on to the internet.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • Robbo777Robbo777 Member Posts: 331 ■■■□□□□□□□
    OctalDump wrote: »
    I could probably give you an answer if I understood the question.

    Are you using DHCP? Have you configured the client to use 192.168.0.150 for DNS?

    I suspect all that is happening is that the server isn't authoritative for the domain you are querying, so the query recurses out on to the internet.

    Okay, my normal default DNS server is on my normal home router of 192.168.0.1, the router is configured for DHCP but I've assigned static addresses in the 192.168.0.0/24 range for my DC and clients on those domains, along with the address of the DNS server on the DC which has no records on it besides the DC and the client machines, no conditional forwarders, stub zones or secondary zones anywhere else. The static machines and domain controllers all have 192.168.0.1 as their default gateway though.
    In nslookup the DNS server is what it should be (the address of the domain controller that has the DNS server on). So i'm wondering how these machines are still reaching the internet?

    Repeating myself but....(side question)Is the "zone" in a DNS server classed as that particular domain? In that my domain STARWARS.com has a DNS sever zone saying starwars.com , does that man that when a user in the starwars domain has a DNS query even if there are multiple zones, the query will go into the starwars.com zone because there a member of that domain?
  • poolmanjimpoolmanjim Member Posts: 285 ■■■□□□□□□□
    192.168.0.1 is part of the 192.168.0.0 /24 subnet. If you want your clients to be on a separate network than your home network, use a different subnet range. I tend to use 192.168.1.0/24 for my home range and 172.16.100.0/24 for my lab range.

    As far as to why it could be working, do you have your DC configured with an entry in its DNS that points to your router? Did you configure any forwarders (note I said forwarders, not conditional forwarders, they are different). The best way to sort this out is to start pinging around and trying to track your network. I imagine that having the devices on the same subnet is the cause of at least some of your issues.

    In regards to your question about DNS Zones. A DNS Zone is essentially a folder inside of DNS that houses all the records. When you create a new AD Domain a DNS zone is created that uses that domain's DNS context. However, a dns zone doesn't necessarily equal an AD domain but AD does rely on DNS to work. When asking how a query is performed you need to spend some time understanding iterative and recursive queries in DNS. That will clear up how all of this is working. In this case, your clients that are members of your starwars.com domain will look to the DNS servers in that domain first when attempting to resolve any address. If they don't find that the server will then ask its forwarders/root hints for help. They get their info there.

    If you have multiple DNS zones, and really at this point in your study you shouldn't have more than the root zone based on your questions, a secondary zone can be easily contacted provided your server is authoritative for that zone.

    Example:
    DC01.StarWars.com
    Zones - StarWars.com / Child.StarWars.com - DC01 is Authoritiative for both zones

    Client01.StarWars.com asks to visit Server.Child.StarWars.com. Client is configured with its primary DNS server as DC01.StarWars.Com (either static or DHCP doesn't matter here). The server sends the request and DC01 receives the message and replies that it does know of the client (if it exists) from the zone child.starwars.com though neither computer is a member of the child.starwars.com.
    2019 Goals: Security+
    2020 Goals: 70-744, Azure
    Completed: MCSA 2012 (01/2016), MCSE: Cloud Platform and Infrastructure (07/2017), MCSA 2017 (09/2017)
    Future Goals: CISSP, CCENT
  • Robbo777Robbo777 Member Posts: 331 ■■■□□□□□□□
    Nope, I honestly don't have any forwarders or other root hints configured except for what where already pre configured into the setting with these 3 addresses:
    2001:503:ba3e::2:30
    192.228.79.201
    192.203.230.10
    I've googled those addresses and they don't seem to lead to anything significant although I could be wrong.

    Regarding the zone clarification, basically though if a user is a member of the "test" domain and the test zone was created and had records in it, then the users query would go into that zone first.....that's what I'm getting at?

    Thanks
  • TheNewITGuyTheNewITGuy Member Posts: 169 ■■■■□□□□□□
    Those look like your binding addresses. Your dns server using root hints will recursively send queries it is not authoritative for to the root-servers and cache the result and relay that information to you. This is normal operation and forwarders are not necessary.
  • poolmanjimpoolmanjim Member Posts: 285 ■■■□□□□□□□
    Robbo777 wrote: »
    Regarding the zone clarification, basically though if a user is a member of the "test" domain and the test zone was created and had records in it, then the users query would go into that zone first.....that's what I'm getting at?

    Thanks

    You're kind of right. If you use a short name instead of a FQDN, it will attempt to resolve it in the clients local domain as long as a dns suffix is configured correctly.

    When you attempt to hit Google in your browser from a domain environment, your computer doesn't check your domain for the answer necessarily. Your computer's network stack immediately recognizes that google.com is not your computer's dns suffix and instead sends a message to its configured DNS server. If you have already resolved google.com it is likely going to be in the DNS cache and your server immediately sends back the reply and the connection happens. If it doesn't have the answer then your DNS server reaches out to another DNS Server (root hints, forwarders, etc.) to find google.com. In the case of another DNS tree in your environment, your DNS server would respond as authoritative as it has the records needed already. The exception to the domain resolution rules are DNS suffixes and Conditional forwarders.

    If you query a short name your computer and/or DNS server append suffix names in order until a connection is made or you run out of suffixes in attempt to figure out the domain. This is commonly done in corporate environments so that computers in corp.net can talk to the computers in sales.corp.net or research.corp.net or whatever the dns setup is.

    Conditional forwarders are special forwarding rules that work on a condition. If you have a conditional forwarder setup for google.com and you attempt to go to Google your DNS server immediately forwards any requests it receives for the google.com domain to the forwarder.

    Link to a page on how DNS Queries work with Windows: https://technet.microsoft.com/en-us/library/cc775637(v=ws.10).aspx

    All of this is covered in glaring detail throughout the MCSA course. I suggest diving into it and trying to understand these concepts for yourself. Figure out how things are working and why they are working (or not working). Don't forget to google the questions. You would be amazed how much free and readily available information is out there.

    Note, I use examples in here. Please no one actually create a setup in their DNS for google.com unless you just want to not be able to use google.
    2019 Goals: Security+
    2020 Goals: 70-744, Azure
    Completed: MCSA 2012 (01/2016), MCSE: Cloud Platform and Infrastructure (07/2017), MCSA 2017 (09/2017)
    Future Goals: CISSP, CCENT
  • Robbo777Robbo777 Member Posts: 331 ■■■□□□□□□□
    So basically if a user is a member of the "starwars.com" domain and then their DNS query will first go to the zone named "starwars.com". Also, when you say suffix, you're basically referring to the domain name?

    What about if the user where to change the name of the "starwars.com" zone to "starwars" or just "test", what would occur then?

    Cheers
  • poolmanjimpoolmanjim Member Posts: 285 ■■■□□□□□□□
    You really need to read up on some of this more, it would make more sense.

    I suggest looking at the following articles:
    Understanding Zones and Zone Transfer: https://technet.microsoft.com/en-us/library/cc781340(v=ws.10).aspx

    Active Directory Integrated Zones: https://technet.microsoft.com/en-us/library/cc772746(v=ws.10).aspx

    How DNS Support for Active Directory Works: https://technet.microsoft.com/en-us/library/cc759550(v=ws.10).aspx


    Active Directory domains reside in a DNS context. Active Directory uses DNS to perform its functions. An Active Directory domain is, in fact, a DNS Zone by definition of how we configure Active Directory and DNS. That being said a DNS Zone does not necessarily mirror an Active Directory forest, in fact, I would wager to guess that most "domain names" we are used to (e.g. Google.com, Amazon.com, Yahoo.com, etc.) are not even Active Directory domains, they are just simply DNS Zones.

    In short - Active Directory Domains are DNS Zones. DNS Zones aren't necessarily Active Directory domains. They can be standalone from Active Directory entirely.

    A query will not go to Starwars.com unless that query's suffix is for Starwars.com. Try to resolve Computer01.StarWars.com the query for that information will go to Starwars.com to be resolved as the DNS Suffix (Starwars.com) is in the zone Starwars.com. If you need to go to Computer02.MyOtherDomain.com or even Computer02.ChildDomain.StarWars.Com the query will be passed to the forwarder or root hints of the DNS server unless that DNS server has another zone called MyOtherDomain.com or ChildDomain.StarWars.com.

    Servers handle queries and resolutions. The zones themselves are simply databases (or files in the case of non Active Directory Integrated zones). The zones don't do any actual work. They depend on the server itself to do the work.

    I haven't tried changing a zone name in DNS to a single word format like you list. I imagine it wouldn't work well. DNS uses a hiearchy to resolve names going from specific to general. By providing just the name Computer01.starwars the computer has no idea where to go to resolve the name. I'm not even sure you can add a name like that into DNS.

    If you are talking about when you ping a computer named starwars in the Starwars.com domain depending on how your DNS Suffix Appending is configured your computer would append the suffixes it has in order until one of them resolved and it matched.

    If you had the suffixes Starwars.com and child.starwars.com configured in your DNS Suffixes list on the local workstation. When you pinged "starwars" it would attempt to contact starwars.Starwars.com and if that didn't work it would try child.starwars.com.
    2019 Goals: Security+
    2020 Goals: 70-744, Azure
    Completed: MCSA 2012 (01/2016), MCSE: Cloud Platform and Infrastructure (07/2017), MCSA 2017 (09/2017)
    Future Goals: CISSP, CCENT
  • Robbo777Robbo777 Member Posts: 331 ■■■□□□□□□□
    Thanks for the really useful links and great info as well.

    Cheers!!icon_thumright.gif
  • Robbo777Robbo777 Member Posts: 331 ■■■□□□□□□□
    One more question, why would anyone say in the starwars.com need to comtact someone in say example.starwars.com if starwars.com had a delegation for example.starwars.com
    Basically why would a user in starwars.com want to get in contact with user1.example.starwars.com?

    Also with delegation, if user1.example.starwars.com wanted to contact user1.starwars.com then how would that work with delegation or whatever? Since there is delegation or maybe a conditional forwader going to example.starwars.com but nothing going to starwars.com. Does there need to be?
Sign In or Register to comment.