Few DNS questions

Essendon

1. Adding a "." zone to a DNS server makes it a root server. Now a root server doesnt resolve external names. Why doesnt it?

2. Let's say I have 10 clients and they use a forwarding DNS server. If the "disable recursion" in the advanced tab on the forwarding server is clicked, the forwarders tab gets dimmed out. So how do the clients resolve external queries? ( I think they can only do internal names once this happens).

3. Question 11 on page 14-22 in the blue book.

You are the network administrator for Contoso, Inc. Contoso manufactures military equipment and security is very important. You have converted the DNS zones on your Windows Server 2003 Active Directory domain to Active Directory-integrated zones. You suspect that Contoso is under attack from a malicious Internet user. In particular, you suspect that redirection is being used to feed incorrect data into the organisation. How can you combat this attack? (Choose all that apply)
A. Disable recursion on all DNS servers
B. Disable round robin on all DNS server
C. Ensure that all server caches are protected against pollution
D. Allow only secure updates on all DNS zones

They reckon it's C and D. I think it is A,C and D. It doesnt say anywhere in the question that resolving internet queries is important for the company or that clients access the internet frequently. So doesnt choice A make the network secure? All they say is the security is very important.

4. This might be a dumb question, but I'll ask anyways. A stub zone contains the NS record of some domain. I know stub zones are great, that your DNS server knows the NS record of a domain which expedites name resolution. But what if that domain changed its DNS server to something completely different, say from 155.156.45.1 to 203.120.26.63. Now your DNS server holds incorrect data. This slows down the query process as the DNS server will then have to recursively resolve the name, right?

Help's appreciated.

royal

1. It's the Root. You can't go higher than the root. The root "should" know how to get to the correct place, and if it doesn't, you're SOL and it stops there. So typically when a regular DNS server that allows recursion (go and resolve queries on the internet) it will attempt to look up its' own zone, cache, then look at a forwarder, and then go look at root servers. The root servers should know how to recurse Internet DNS. So if you were to create your own ., it should know how to recurse everything hence why your root server won't attempt recursion.

2. Through the forwarders. A forwarder will contact the forwarding DNS server. The forwarding DNS server will attempt recursion on behalf of your DNS server. The "disable recursion" is when the forwarding server sends back a negative answer and you want your DNS server to be like, "I don't believe him, I'm going to go check myself."

3. Definitely C and D. Secure updates will prevent non-domain joined clients from registering DNS records. Cache pollution says if the NS record is www.bleh.com but the A record is for a domain that doesn't match the domain of the NS record, it is not cached.

4. Yep, you always have to make sure the SOA record has the correct information.