DNS Generalization

win2k8 · September 2009

In the 70-291 CBT Nugget series in the DNS sections I believe James Conrad the instructor mentions something like in general to resolve down the DNS hierarchy you would use stub zones or delegation. To resolve up the hierarchy and out to the Internet you would use forwarders/conditional forwarding.

Is this an okay generalization to use for the 70-291 exam when dealing with DNS?

Thanks in advance,

win2k8

royal · September 2009

That's fine. Real world, if you use stub zones in 1 place, you're most likely going to use it everywhere else which is what I prefer. Why make something static when it can be dynamic? Only time you'd use a forwarder is if you wanted to force which IPs one server would use to contact another server on the target side if you wanted to do something such as only open up 1 server in your firewall to communicate over 53.

Hyper-Me · September 2009

royal wrote: »

That's fine. Real world, if you use stub zones in 1 place, you're most likely going to use it everywhere else which is what I prefer. Why make something static when it can be dynamic? Only time you'd use a forwarder is if you wanted to force which IPs one server would use to contact another server on the target side if you wanted to do something such as only open up 1 server in your firewall to communicate over 53.

Or also if the security policy of the remote DNS system specifies that no DNS information from those hosts can be stored on another server. In that case, you would need to use conditional forwarders.

Don't shoot me on that reason, thats straight from Microsoft

royal · September 2009

That's false, even if it does come from Microsoft. James Conrad did state this in Nuggets that it's false from MS Conrad is correct. This would prevent you from hosting a Secondary Zone as only allowed servers can pull all zone information unless a server allows a certain IP from pulling information. But a stub zone only pulls in the NS Servers and SOA which any server can pull the NS information which is all a stub zone pulls.

For example, do an nslookup then set type=ns. Then search for any domain you can think of on the internet. You'll get responses from just about all domains. This is why a stub zone would still work. Secondary won't. Heck, you can create a stub zone for microsoft.com, google.com, yahoo.com, etc.. if you want.

Hyper-Me · September 2009

I didnt say a secondary, i said a conditional forwarder.

As in supplying the IP address for the authoritative DNS server for another DNS domain, as opposed to creating an entire (stub) zone.

royal · September 2009

I know what you said. You didn't understand what I was saying. Let me re-explain.

You said a policy in place would be another reason why you'd need to use a conditional forwarder when we were talking about when to use stub zones vs forwarders. I said that's not true. The only time a policy would prevent you from doing that is when trying to use a secondary zone. A policy on DNS would not prevent you from using a stub hence it's incorrect to say that you'd have to use a conditional forwarder of a stub zone due to some policy preventing you from using a stub zone.

Hyper-Me · October 2009

royal wrote: »

I know what you said. You didn't understand what I was saying. Let me re-explain.

You said a policy in place would be another reason why you'd need to use a conditional forwarder when we were talking about when to use stub zones vs forwarders. I said that's not true. The only time a policy would prevent you from doing that is when trying to use a secondary zone. A policy on DNS would not prevent you from using a stub hence it's incorrect to say that you'd have to use a conditional forwarder of a stub zone due to some policy preventing you from using a stub zone.

Ah, ok.

My original post was more of a joke (hence the laughing face) because I thought the suggestion from MS was a little ridiculous myself.

DNS Generalization

Comments