Windows Server 2008 DNS Reverse Lookup Zones
A reverse lookup zone is an authoritative DNS zone that is used
primarily to resolve IP addresses to network resource names. This zone
type can be primary, secondary, or Active Directory–integrated. Reverse
lookups traverse the DNS hierarchy in exactly the same way as the more
common forward lookups. To handle reverse lookups, a special root domain
called in-addr.arpa was created. Subdomains within the in-addr.arpa
domain are created using the reverse ordering of the octets that form an
IP address. For example, the reverse lookup domain for the
192.168.100.0/24 network would be 100.168.192.in-addr.arpa. The reason
the IP addresses are inverted is that IP addresses, when read from left
to right, get more specific; the IP address starts with the more general
information first. FQDNs, in contrast, get more general when read from
left to right; the FQDN starts with a specific host name. In order for
reverse lookup zones to work properly, they use a special RR called a
PTR record that provides the mapping of the IP address in the zone to
the FQDN. Reverse lookup zones are used by certain applications, such as
NSLookup (an important diagnostic tool that should be part of every DNS
administrator’s arsenal). If a reverse lookup zone is not configured on
the server to which NSLookup is pointing, you will get an error message
when you invoke the nslookup command.
Security Considerations for the Presence of a Reverse Lookup Zone
Being able to make NSLookup work against your DNS servers is not the only, or most important, reason why you should configure reverse lookup zones. Applications on your internal network, such as DNS clients that are trying to register PTR records in a reverse lookup zone, can “leak” information about your internal network out to the Internet if they cannot find a reverse lookup zone on the intranet. To prevent this information from leaking from your network, you should configure reverse lookup zones for the addresses in use on your network.
Configuring Reverse Lookup Zones
Now, we need to create a matching reverse lookup zone. This will handle reverse resolution for our subnet. In this case, it is 192.168.1.x.
1. Choose Start Administrative Tools DNS.
2. In the console tree, click Reverse Lookup Zones.
3. Right-click Reverse Lookup Zones, and then click New Zone.
4. When the New Zone Wizard appears, click Next.
5. On the Zone Type page, select Primary Zone, and then click Next.
6. On the Reverse Lookup Zone Name page, make sure IPv4 is selected, and then click Next.
7. On the Reverse Lookup Zone Name page, in the Network ID field, type the start of the subnet range of your network (in this case, 192.168.1.x), and then click Next.
8. On the Zone File page, click Next.
9. On the Dynamic Update page, click Next.
10. On the Completing The New Zone Wizard page, click Finish.
Now we need to enable IPv6 so we can offer domain name resolution for clients who may use IPv6 as opposed to IPv4. We’re also going to need it if we want to enable IPv6 DHCP addressing. First, we need to set an IPv6 address for our server. To do so, perform the following steps:
1. Choose Start and right-click Network.
2. Select Properties from the drop-down menu.
3. Click Manage Network Connections.
4. Right-click the Network connection and choose Properties.
5. Double-click Internet Protocol Version 6 (TCP/IPv6).
6. Click the radio button for Use The Following IPv6 Address. If you are not familiar with IP addressing, you can use 2001:0db8:29cd:1a0f:857b:455b:b4ec:7403.
7. Enter a Subnet prefix length of 64.
8. Your preferred DNS server would be the same as that mentioned earlier (your IPv6 address).
9. Close the Network Connections window and re-open the DNS administrator console.
10. In the console tree, click Reverse Lookup Zones.
11. Right-click Reverse Lookup Zones, and then click New Zone.
12. When the New Zone Wizard appears, click Next.
13. On the Zone Type page, select Primary Zone, and then click Next.
14. On the Reverse Lookup Zone Name page, make sure IPv6 is selected, and then click Next.
15. In the Reverse Lookup Zone Name field, type in the prefix 2001:0db8:29cd:1a0f::/64, and then click Next.
16. On the Dynamic Update page, choose Allow Both Nonsecure And Secure Dynamic Updates, and click Next.
17. Click Finish to create the New Zone.
18. To create an IPv6 record, right-click the Primary Lookup Zone for your domain (in our lab, it is uccentral.ads), and then click New Host.
19. In the Name field, enter the name of your server. Our server name is dc1.
20. In the IP address field, enter the IPv6 address we set for the server.
21. Verify that Create Associated Pointer (PTR) Record is checked, and click Add Host.
You should now see a new AAAA record for the server, as well as a new PTR record in the Reverse Lookup Zone we created.
Now you can double-click the Forward Lookup Zones and Reverse Lookup Zones and view the zones you have created. The zones will be displayed in the console pane under the appropriate zone type. From here, you can add records by right-clicking the zone and selecting the type of record you want to create. Likewise, you can right-click the zone and select Properties to modify the properties of the zone. Some of the properties you can modify include:
• Dynamic Updates: The ability for clients to automatically update DNS records.
• Zone Type: You can change a zone type from Primary, to Secondary, or to Stub Zone. If Active Directory is installed, you can also make the zone Active Directory–integrated.
• WINS integration: This is where you can involve WINS resolution with DNS resolution.
• Name Servers: You can add the names and IP addresses of servers that have the rights to create copies of the DNS zone.
• Zone Transfer: Here, you can specify whether the zone can be transferred to another DNS server. You can also specify whether it can be transferred to any server, only the servers in the Name Servers tab (discussed earlier), or to only specific DNS servers by IP address or FQDN.
Tidak ada komentar:
Posting Komentar