The DNS namespace is far too large to be stored on a single server, so it is divided into zones, from the root DNS servers at the top down to the authoritative DNS servers for individual domains. At each level there is a name server holding a zone file, which contains the trusted, correct DNS records for that zone. A DNS zone is, in effect, a database of DNS records: it holds the data DNS needs to operate.
By using DNS zones, the name space can be divided up for administrative reasons.
A DNS zone contains DNS records. The type of zone that is created determines which kinds of records it stores and whether those records can be modified on that server.
Main Reason for DNS Zones : It allows the domain name space to be divided for administration and for redundancy.
Note : Since DNS allows decentralized administration, DNS records are stored in multiple locations in different zones. This lets an administrator configure DNS for performance and availability while still keeping centralized control over each zone. The zone types covered below are:
- Primary Zone
- Secondary Zone
- Active Directory Integrated Zone
- Stub Zone
- Reverse Look Up Zone
Primary Zone
A Primary Zone contains the read/write copy of the zone data. The first implementation of DNS was on Unix in the 1980s. This system was called BIND (Berkeley Internet Name Domain) and it is still widely used today. Microsoft's DNS server on Windows interoperates with BIND: both use the standard record types, the same zone transfer protocol and, for file-backed zones, the same text zone file format. BIND stores a primary zone in a text file. Because there is exactly one writable copy of that file, changes can be made in only one location at a time.
Note : Changes to a zone can only be made on the Primary Zone. If a server holding another zone type receives a request to change a record, the request is passed on to the server holding the primary zone, which is where the change is actually made.
Problem : If the server holding the primary zone is unavailable, no changes can be made until that DNS server is back online. A single writable copy is a single point of failure for updates.
Active Directory Integrated Zone
It addresses the problem of having only one DNS server holding the writable primary zone. There is often confusion about the difference between a primary zone stored in a text file and a primary zone stored in an Active Directory Integrated Zone.
An Active Directory Integrated Zone is simply a Primary Zone stored in Active Directory. In other words, the zone data that would otherwise live in a text file is held as objects in the Active Directory database instead; when an existing file-backed zone is converted, its records are moved from the file into Active Directory.
Advantages of Active Directory Integrated Zone
- DNS can use the same Active Directory replication system that is used to replicate every other object in Active Directory.
- Changes to DNS records can be made on any domain controller hosting the zone (multi-master), rather than only on a single primary server.
- Redundancy: the zone data is no longer stored on only one DNS server.
- Clients that are members of the domain can use secure dynamic updates to update their DNS records.
Dynamic Updates : When a computer starts up (or its address changes) it attempts to register its host name in DNS. If secure updates are enabled, the client authenticates the update over the secure channel established when it joined the domain (GSS-TSIG using its Kerberos credentials), and the record it creates is owned by that computer account, so other hosts cannot overwrite it.
The DNS server must be a domain controller to access zone data stored in Active Directory. This limits which servers an Active Directory Integrated Zone can be hosted on; in exchange you gain the additional features above. If you do not use Active Directory Integrated Zones, your clients can still use dynamic updates, but only nonsecure ones: nothing stops an attacker on the network from using dynamic updates to add their own records to the zone, or to change existing ones.
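The two kinds of primary zone described above, created with the Windows DnsServer PowerShell module. This is an added example, not code from the original article; the zone names (corp.example.com, lab.example.com), server names, addresses and the sample zone file are assumptions, and the commands are meant to be run in an elevated session on the DNS server. It shows the text file behind a file-backed primary zone, why Secure dynamic updates are only available once the zone lives in Active Directory, the weak update setting beside the corrected one, and an audit query for zones that still accept unauthenticated updates.

```powershell
# Added example (not from the original article). Names, addresses and the
# zone file content are assumptions; run elevated on a Windows DNS server.
Import-Module DnsServer

# --- 1. File-backed primary zone: the zone data is a BIND-style text file ----
# Windows DNS keeps zone files under %SystemRoot%\System32\dns.
$zoneFile = @'
; corp.example.com.dns  (constructed sample zone file)
$TTL 3600
@       IN SOA  dc01.corp.example.com. hostmaster.corp.example.com. (
                2024010101 ; serial  - must be bumped on every change
                900        ; refresh - how often secondaries poll for changes
                600        ; retry
                604800     ; expire  - secondaries stop answering after this
                3600 )     ; minimum / negative-caching TTL
@       IN NS   dc01.corp.example.com.
@       IN MX   10 mail.corp.example.com.
dc01    IN A    10.1.0.10
mail    IN A    10.1.0.25
www     IN AAAA 2001:db8:1::80
'@
Set-Content -Path "$env:SystemRoot\System32\dns\corp.example.com.dns" `
    -Value $zoneFile -Encoding ASCII

# Load the file as a primary zone. "Secure" is NOT a valid DynamicUpdate value
# here: a file-backed zone only offers None or NonsecureAndSecure, and the
# latter lets any host on the network register or overwrite records.
Add-DnsServerPrimaryZone -Name 'corp.example.com' `
    -ZoneFile 'corp.example.com.dns' -LoadExisting -DynamicUpdate None

# Writes land on this one server; a secondary holding a copy would refuse them.
Add-DnsServerResourceRecordA -Name 'web01' -ZoneName 'corp.example.com' `
    -IPv4Address 10.1.0.20

# --- 2. Active Directory integrated primary zone -----------------------------
# Same zone type, but stored in AD and replicated to every DC running DNS in
# the chosen scope. Only this storage supports Secure (authenticated) updates.
Add-DnsServerPrimaryZone -Name 'lab.example.com' `
    -ReplicationScope Forest -DynamicUpdate Secure

# Weak setting: the zone is in AD but still accepts unauthenticated updates.
#   Set-DnsServerPrimaryZone -Name 'lab.example.com' -DynamicUpdate NonsecureAndSecure
# Corrected setting:
Set-DnsServerPrimaryZone -Name 'lab.example.com' -DynamicUpdate Secure

# --- 3. Audit: list every primary zone that accepts unauthenticated updates ---
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and $_.DynamicUpdate -eq 'NonsecureAndSecure' } |
    Select-Object ZoneName, IsDsIntegrated, ReplicationScope, DynamicUpdate

# On a domain-joined client, this re-registers its own A and PTR records over
# the secure channel (the same thing `ipconfig /registerdns` does):
#   Register-DnsClient
```

The audit at the end is the check worth scheduling: a zone that was created file-backed and later converted to Active Directory storage keeps its old NonsecureAndSecure setting until someone changes it.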
Secondary Zone
A Secondary Zone is a read-only copy of another zone, obtained by zone transfer. It can be a copy of a primary zone or of another secondary zone. Remember that an Active Directory Integrated Zone is a primary zone, so a secondary zone can be a copy of an Active Directory Integrated Zone.
Since a secondary zone is read-only, changes cannot be made to the copy held on that DNS server. If the server does receive a request to change a DNS record, the request is passed on to a DNS server that holds the primary zone and thus a writable copy.
Advantages Of Secondary Zone
- They work on member servers and on servers that are not part of the domain.
- They can be hosted on Windows or Unix/Linux based systems.
- Zone transfers use the standard AXFR/IXFR protocol, so a Windows primary zone and a UNIX (BIND) secondary zone can work together.
- By design a secondary zone keeps a complete copy of the zone it replicates from. This is also why the primary should allow zone transfers only to its known secondaries: a zone transfer to anyone else discloses every record in the zone.
- Even if the master copy is unavailable, the secondary can still answer for the zone from its read-only copy (until the expire interval in the SOA record elapses).
Problem : If the zone is large and changes often, a lot of data is replicated. A branch office with a small number of users could receive hundreds or even thousands of records that no client on that network will ever ask for. To get around this problem you can use a Stub Zone.
Stub Zone
A Stub Zone contains partial data copied from another zone: only the records needed to find that zone's authoritative servers, namely the SOA record, the NS records and the glue A/AAAA records for those name servers. It holds no other DNS records. An authoritative server is a DNS server that can answer queries for the zone from its own copy of the data; to put it another way, it is a DNS server that holds a Primary or Secondary Zone.
To understand how a Stub Zone works, suppose one server holds a stub zone and another server holds the primary zone. When a query for a name in that zone reaches the server with the stub zone, it uses the NS records in the stub to send the query on to an authoritative server and returns the answer it receives.
Advantage over Conditional Forwarding : A conditional forwarder is a static list of server addresses, so whenever an authoritative DNS server is added or removed, the conditional forwarder on every server must be edited to reflect the change. A Stub Zone refreshes its NS and glue records from the master automatically.
A Secondary Zone could also be used here, but it would replicate every record in the zone.
A Stub Zone suits a DNS server that receives relatively few queries for the zone and does not need a local copy of its records; it still needs to reach the master server to refresh the SOA, NS and glue records.
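The branch-office scenario from the Secondary Zone and Stub Zone sections above, as an added example that is not part of the original article. It assumes a branch DNS server (10.2.0.10) and two HQ servers (10.1.0.10 and 10.1.0.11) holding the primary copy of corp.example.com; all names and addresses are made up. The three options are alternatives for the same zone name on the same server, so each is removed before the next is created. It also shows the zone-transfer restriction a practitioner would apply on the primary when a secondary is used.

```powershell
# Added example (not from the original article). Server names and addresses
# are assumptions; run elevated on the branch DNS server.
Import-Module DnsServer

$masters = @('10.1.0.10', '10.1.0.11')   # HQ servers holding the primary zone
$branch  = '10.2.0.10'                    # this branch-office DNS server

# --- Option A: secondary zone (full read-only copy pulled by AXFR/IXFR) -------
# Works on any DNS server, domain-joined or not, including BIND.
Add-DnsServerSecondaryZone -Name 'corp.example.com' `
    -ZoneFile 'corp.example.com.dns' -MasterServers $masters

# On the HQ primary: a zone transfer hands out the entire zone. The weak
# setting is TransferAnyServer; restrict transfers to the branch server and
# have the primary notify it when the zone changes.
Set-DnsServerPrimaryZone -Name 'corp.example.com' -ComputerName 'hq-dns01' `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $branch `
    -Notify NotifyServers -NotifyServers $branch

# Every record is now held locally, whether or not any client here needs it.
(Get-DnsServerResourceRecord -ZoneName 'corp.example.com').Count
Remove-DnsServerZone -Name 'corp.example.com' -Force   # tear down before Option B

# --- Option B: stub zone (SOA, NS and glue A records of the masters only) -----
# Queries for anything else are sent to the authoritative servers; the NS list
# is refreshed from the master automatically when HQ adds or removes a server.
Add-DnsServerStubZone -Name 'corp.example.com' `
    -ZoneFile 'corp.example.com.dns' -MasterServers $masters

# What the stub actually holds: name server records, no host records.
Get-DnsServerResourceRecord -ZoneName 'corp.example.com' -RRType NS
Remove-DnsServerZone -Name 'corp.example.com' -Force   # tear down before Option C

# --- Option C: conditional forwarder (static address list, no zone data) -----
# Forwards every query for the name to the listed addresses. If HQ replaces a
# server, this list must be edited by hand on every forwarding server.
Add-DnsServerConditionalForwarderZone -Name 'corp.example.com' -MasterServers $masters

# Whichever option is in place, this shows what the server knows about the zone.
Get-DnsServerZone -Name 'corp.example.com' |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, MasterServers
```

With Option A in place, a zone transfer attempted from any address other than the listed secondary should be refused by the HQ primary; that refusal is the check to run after changing the SecureSecondaries setting.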
Reverse Lookup Zone
This zone maps IP addresses to host names. Its records are PTR records, held in the in-addr.arpa namespace for IPv4 (for example 0.1.10.in-addr.arpa for 10.1.0.0/24) or ip6.arpa for IPv6.
- Given an IP address, you can send a query to a DNS server asking which host name belongs to that IP address.
- If the DNS server has a reverse lookup zone configured and that zone contains a record for the IP address, the server responds with the host name associated with it.
- Reverse Lookup Zones are mainly used in troubleshooting.
- They are useful when you find an IP address in a log file and want to know which host it belongs to. Since the PTR record is controlled by whoever owns the reverse zone for that address, confirm the answer with a forward lookup of the returned name before relying on it.
- Reverse Lookup Zones are not created by default and are not required for day-to-day network activity.
Ex. Services like Active Directory work without issue with no reverse lookup zone configured at all. It is up to the administrator to decide whether to create reverse lookup zones for their network.
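The reverse lookup workflow above, as an added example that is not from the original article: create a reverse zone for 10.1.0.0/24, populate PTR records alongside the forward records, then use it to put host names against the IP addresses found in a log file. The zone names, addresses and the log excerpt are constructed for the example; the forward zone corp.example.com is assumed to exist.

```powershell
# Added example (not from the original article). Zone names, addresses and
# the log lines are constructed; run elevated on a Windows DNS server that is
# a domain controller (the zone is stored in Active Directory).
Import-Module DnsServer

# Reverse zone for 10.1.0.0/24; the cmdlet derives the name 0.1.10.in-addr.arpa.
Add-DnsServerPrimaryZone -NetworkId '10.1.0.0/24' -ReplicationScope Domain `
    -DynamicUpdate Secure

# Forward and reverse records are independent; -CreatePtr writes both at once.
Add-DnsServerResourceRecordA -Name 'web01' -ZoneName 'corp.example.com' `
    -IPv4Address 10.1.0.20 -CreatePtr
# A PTR can also be added on its own; the name is the host part of the reversed address.
Add-DnsServerResourceRecordPtr -Name '25' -ZoneName '0.1.10.in-addr.arpa' `
    -PtrDomainName 'mail.corp.example.com'

# Constructed log excerpt: the kind of file that records only IP addresses.
$log = @'
2024-01-15T08:01:12Z 10.1.0.20 GET /login 200
2024-01-15T08:01:13Z 10.1.0.25 SMTP AUTH failed
2024-01-15T08:01:15Z 10.1.0.20 GET /admin 403
2024-01-15T08:02:40Z 10.1.0.99 SSH connection refused
'@ -split "`n"

# Pull the first IPv4 address from each line, de-duplicate, and look each one up.
$ipPattern = '\b(?:\d{1,3}\.){3}\d{1,3}\b'
$log | ForEach-Object { [regex]::Match($_, $ipPattern).Value } |
    Where-Object { $_ } | Sort-Object -Unique | ForEach-Object {
        $ip = $_
        try {
            # Resolve-DnsName accepts an IP and builds the in-addr.arpa query
            # itself; -DnsOnly skips the hosts file and LLMNR/NetBIOS fallbacks.
            $answer = Resolve-DnsName -Name $ip -Type PTR -DnsOnly -ErrorAction Stop
            $name   = $answer.NameHost -join ', '
        } catch {
            # No PTR record: normal for addresses never registered in the reverse zone.
            $name = '(no PTR record)'
        }
        [pscustomobject]@{ IPAddress = $ip; HostName = $name }
    }
```

For 10.1.0.20 and 10.1.0.25 the table shows the names registered above; 10.1.0.99 has no PTR record, which is the expected result for a host that was never registered rather than an error in the zone.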
Basically, a domain's DNS data is managed as zones. DNS zones make administration easier by dividing the name space into levels, starting from the ROOT DNS servers at the top and working down. The data of a zone is held in a zone file, which is a text file (or, for Active Directory Integrated Zones, in the Active Directory database). A zone file contains directives such as $ORIGIN and $TTL and resource records such as SOA (start of authority, which carries the zone's serial number), NS (name server), A (IPv4 address), AAAA (IPv6 address, "quad A") and MX (mail exchanger). Different zone types hold different sets of resource records, and different zone types are useful in different scenarios.
That's all about DNS Zones. If you have any query, please let us know in the comment section below.