DNS Zone Ques

Hi all,

I have a question on DNS zones. Am I right to say this in simple terms:

1. A conditional forwarder when configured to forward all xyz.com DNS requests, simply forwards them to the IP of a xyz.com DNS server regardless of whether the server is alive of dead.

2. A Stub Zone is like the dynamic version of conditional forwarder. It checks all authoritive DNS servers to see whether they are alive or dead or when IP has changed.

3. A delegation zone is the static version of the Stub Zone, and it only supports child domains.

4. A Secondary Zone simply copy the records in the Primary Zone but is read only.

Thanks.

Find more posts tagged with

SAVE $250 on Your Microsoft Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Microsoft Boot Camps

Comments

theseman

Looks good to me! Though to me a stub zone is more of a delegation/forwarder combo than anything. It is dynamic like you said; if you add a new NS to the zone that it points to, the stub zone will automatically be updated.

bighornsheep

Welcome to the forum first of all.

I dont think you have all the right terminology, but let's see what we can do.

conditional forwarder will forward requests that itself doesnt not resolve.

stub zone is a special type of dns zone where only SOA, NS, and A records are replicated, this is typically done to speed up particular types of dns requests compromising the speed on the link.

delegated zone is simply a portion of the dns namespace that is delegated as a new zone.

and you hace the right understanding of secondary zone.

note that there's no aspect of static, dynamic particular to a zone type, because you can choose to implement dynamic dns with whatever zone type as long as it's active directory environment, and the dns server is also a dc.

hope this helps.

royal

I want to add 2 more things.

1. A delegations only being for child zones is a common misconception. You can add a delegation for another domain AND you can add more delegations under it for child domains for that specific namespace.

2. Lets say you are a client and try to contact microsoft.com. Your dns server has a stub zone for microsoft.com. Your dns server will reply with a referral telling the client to contact an NS server in microsoft.com. Now lets say you have firewalls configured where ONLY your dns server can communicate out of the firewall using port 53. Since the stub zone gives a referral to the client, the client won't be able to get out of the firewall and the query will fail. With conditional forwarding, instead of the client getting a referral, the server will actually proceed with the iterative queries to try and resolve the client's query. So in this case, with those firewall rules in place, conditional forwarding will work.

redred

Hey guys,

Thanks for the speedy replies. I am really having a tough time with 291. These DNS and subnetting stuffs are not as simple as I expected. Moreover, I have to find new resources on studying WSUS instead of SUS. Boy...

redred

icroyal wrote:

I want to add that a delegations only being for child zones is a common misconception. You can add a delegation for another domain AND you can add more delegations under it for child domains for that specific namespace.

Hi icroyal, can you explain a little more on "You can add a delegation for another domain"? I thought when you delegate a zone to another server, you can only append the child name(child.xyz.com) to the parent name(xyz.com).

Sorry and also what difference does it make when I choose to create a child domain(say child.xyz.com) by right-clicking my domain name in the "Forward lookup zone", and selecting "new domain". And entering the name as "child".
As compared to creating a new Primary Zone named the child domain(child.xyz.com).

Thanks again.

royal

Sorry, I should have explained better. Most of the time you only add a delegation for a child domain. If you have a root infrastructure setup internally (.), you could add delegations for other domains under it.

Configure your server will help you configure a primary zone (read/write zone) for your dns. It will allow you to create both a forward lookup and a reverse lookup zone. A reverse lookup zone will allow you to find the dns information specific to an ip address by doing something like ping -a ip address. Going directly to forward lookup zone creates just that. A forward lookup zone where you can create a host record that will point something like www to an ip address. You won't be able to create a reverse lookup zone this way. You would have to go to the reverse lookup zone section and create a reverse lookup zone there manually that matches the information of the forward lookup zone.