DNS in Microsoft Windows Server 2022 has some great advantages over many other versions of Microsoft DNS. Here are some of the improvements of DNS in Windows Server 2022 (some of these became available in previous versions of Windows Server):
■ Background zone loading
■ Support for TCP/IP version 6 (IPv6)
■ Read-only domain controllers
■ GlobalName zone
■ DNS socket pools
■ DNS cache locking
■ Response Rate Limiting (RRL)
■ Unknown Record support
■ IPv6 root hints
■ DNS Security Extensions (DNSSEC)
■ DNS devolution
■ Record weighting
■ Netmask ordering
■ DnsUpdateProxy group
■ DNS Policies
Background Zone Loading
In the past, if an organization had to restart a DNS server that held an extremely large Active Directory Integrated DNS zone database, it ran into a common problem with Active Directory Integrated zones: after the restart, it could take hours for the DNS data to be retrieved from Active Directory, and during that time the DNS server was unable to service any client requests.
Microsoft Windows Server 2008 DNS addressed this problem by implementing background zone loading, and Windows Server 2022 has taken it a step further. As the DNS restarts, the Active Directory zone data populates the database in the background. This allows the DNS server to service client requests for data from other zones almost immediately after a restart.
Background zone loading accomplishes this task by loading the DNS zone using separate threads. This allows a DNS server to service requests while still loading the rest of the zone. If a client sends a request to the DNS server for a computer that has not yet loaded into memory, the DNS server retrieves the data from Active Directory and updates the record.
Support for IPv6 Addresses
Over the past few years, the Internet has started running into a problem that was not foreseen when it was first created: it started running out of TCP/IP addresses. As you probably know, when the Internet was created, it was used for government and academic purposes only. Then, seemingly overnight, it grew to be the information superhighway. Nowadays, asking someone for their email address is almost more common than asking for their phone number.
Version 4 (IPv4) was the common version of TCP/IP. The release of TCP/IP version 6 (IPv6) has solved the lack-of-IP-addresses problem. IPv4 addresses are 32 bits long, but IPv6 addresses are 128 bits in length. The longer length allows for a much greater number of globally unique TCP/IP addresses.
Microsoft Windows Server 2022 DNS has built-in support to accommodate both IPv4 and IPv6 address records (DNS records are explained later in this chapter). DHCP can also issue IPv6 addresses, which lets administrators allow DHCP to register the client with DNS, or the IPv6 client can register its own address with the DNS server.
Support for Read-Only Domain Controllers
Windows Server 2008 introduced a new type of domain controller called the read-only domain controller (RODC). This is a full copy of the Active Directory database without the ability to write to Active Directory. The RODC gives an organization the ability to install a domain controller in a location (onsite or offsite) where security is a concern.
Microsoft Windows Server 2022 DNS has implemented a type of zone to help support an RODC. A primary read-only zone allows a DNS server to receive a copy of the application partitions (including ForestDNSZones and DomainDNSZones) that DNS uses. This allows DNS to support an RODC because DNS now has a full copy of all DNS zones stored in Active Directory.
A primary read-only zone is just what it says: a read-only zone. To make any changes to it, you have to change the zone on the primary zone's server; no changes can be made directly on the read-only server.
DNS Socket Pools
If your server is running Windows Server 2022, you will be able to take advantage of DNS socket pools. DNS socket pools allow source port randomization to protect against DNS cache-poisoning attacks.
If you choose to use source port randomization, when the DNS service starts, the DNS server will randomly pick a source port from a pool of available sockets. This is an advantage because instead of DNS using a well-known source port when issuing queries, the DNS server uses a random port selected from the socket pool. This helps guard against attacks because a hacker must correctly guess the source port of the DNS query before a forged response will be accepted. The socket pool is automatically enabled in DNS with the default settings.
When using the DNS socket pool, the default size of the DNS socket pool is 2,500. When configuring the socket pool, you have the ability to choose a size value from 0 to 10,000. The larger the value, the greater the protection you will have against DNS spoofing attacks. If you decide to configure your socket pool size with a zero value, only a single socket for remote DNS queries will be used.
DNS Cache Locking
Windows Server 2022 DNS cache locking allows cached DNS records to remain safe for the duration of the record's time to live (TTL) value. This means that the cached DNS records cannot be overwritten or changed. Because of this DNS feature, it's tougher for hackers to perform cache-poisoning attacks against your DNS server.
DNS administrators can set how long a record will remain safe in cache. The configuration is based on a percent value. For example, if you set your cache locking value to 50 percent, then the cached records cannot be overwritten until half of the TTL has been reached. DNS cache locking is set to 100 percent by default. This means that the cached records never get overwritten.
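Added example, not taken from the chapter or from Microsoft: a PowerShell check for the two cache-poisoning defenses described above (socket pool size and cache locking), using the DnsServer module cmdlets and dnscmd. It assumes an elevated session on the DNS server itself; the hypothetical function name and the threshold values are assumptions.

```powershell
# Added example (not from the chapter): audit the socket pool and cache-locking settings
# on the local Windows Server 2022 DNS server and optionally restore hardened values.
# Assumes an elevated session with the DnsServer module (RSAT-DNS-Server) installed.
Import-Module DnsServer

function Test-DnsPoisoningDefenses {
    param(
        [int]$MinSocketPoolSize = 2500,   # the chapter's default pool size (assumed threshold)
        [switch]$Remediate
    )
    # Socket pool: number of randomized UDP source ports available for outbound queries.
    $setting = Get-DnsServerSetting -All
    # Cache locking: percentage of a record's TTL during which it cannot be overwritten.
    $cache   = Get-DnsServerCache

    $findings = @()
    if ($setting.SocketPoolSize -lt $MinSocketPoolSize) {
        $findings += "SocketPoolSize is $($setting.SocketPoolSize); a value of 0 means a single socket is used"
    }
    if ($cache.LockingPercent -lt 100) {
        $findings += "LockingPercent is $($cache.LockingPercent); records can be overwritten before the TTL expires"
    }

    if ($Remediate -and $findings) {
        # The pool size is read only at service start, so the DNS service is restarted afterwards.
        dnscmd /Config /SocketPoolSize $MinSocketPoolSize | Out-Null
        Set-DnsServerCache -LockingPercent 100
        Restart-Service -Name DNS
    }

    [pscustomobject]@{
        SocketPoolSize = $setting.SocketPoolSize
        LockingPercent = $cache.LockingPercent
        Findings       = $findings
    }
}

# Report only; add -Remediate to apply the hardened values.
Test-DnsPoisoningDefenses | Format-List
```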
Response Rate Limiting
Response Rate Limiting (RRL) helps prevent hackers from using your corporate DNS servers to launch a denial-of-service (DoS) attack against your corporate DNS clients.
RRL settings control how your DNS servers respond when they receive multiple requests from the same clients. Configuring these settings helps prevent hackers from mounting a DoS attack through your corporate DNS servers. When configuring RRL, you can manipulate the following settings:
Responses Per Second This setting allows you to set the maximum number of times the same response will be given to a client per second.
Errors Per Second This setting allows you to set the maximum number of times an error response will be sent to the same client per second.
Window This setting sets the number of seconds for which responses to a client will be suspended once that client has made too many requests.
Leak Rate This setting allows you to set how often the DNS server will respond to a query while responses are suspended. For example, if the DNS server suspends responses to a client for 20 seconds and the leak rate is 10, then the server will still respond to one query for every 10 queries sent. This ensures that legitimate clients still get responses even when the DNS server is applying response rate limiting.
TC Rate You can use this setting to inform clients that are trying to connect using TCP when responses to the client are suspended. For example, if the TC rate is 3 and the DNS server suspends responses to a client, the server will issue a request for a TCP connection for every three queries. Set the TC rate lower than the leak rate; this gives clients the option to connect using TCP before the leak rate applies.
Maximum Responses This setting allows you to set the maximum number of responses a DNS server will issue to a client while responses are suspended.
White List Domains You can set the list of domains that are to be excluded from RRL settings.
White List Subnets You can set the list of subnets that are to be excluded from RRL settings.
White List Server Interfaces You can set the list of DNS server interfaces that are to be excluded from RRL settings.
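Added example, not from the chapter or from Microsoft: a PowerShell configuration that maps each RRL setting listed above to its DnsServer module parameter, excludes internal traffic, and enables RRL in log-only mode first so false positives can be reviewed before enforcement. The numbers, zone name, subnet and interface address are assumptions.

```powershell
# Added example (not from the chapter): stage Response Rate Limiting on a Windows Server 2022
# DNS server. Run in an elevated session on the DNS server with the DnsServer module loaded.
Import-Module DnsServer

# Show the current RRL state before changing anything.
Get-DnsServerResponseRateLimiting |
    Format-List Mode, ResponsesPerSec, ErrorsPerSec, WindowInSec, LeakRate, TruncateRate, MaxResponsesPerWindow

# Each parameter corresponds to one of the settings described in the chapter (values are assumptions).
$rrl = @{
    ResponsesPerSec       = 5     # identical responses to one client per second
    ErrorsPerSec          = 5     # error responses to one client per second
    WindowInSec           = 5     # seconds for which a client's responses stay suspended
    LeakRate              = 3     # answer 1 in every 3 queries while suspended
    TruncateRate          = 2     # send a truncated (TC) reply for 1 in 2 queries; kept below LeakRate
    MaxResponsesPerWindow = 1024  # ceiling on responses to a client within one window
}

# White-list internal traffic (subnet, domain and inside interface) so that rate limiting
# applies only to queries that could be reflected at third parties. All names/addresses are assumed.
Add-DnsServerClientSubnet -Name 'InternalResolvers' -IPv4Subnet '10.10.0.0/24' -ErrorAction SilentlyContinue
Add-DnsServerResponseRateLimitingExceptionlist -Name 'InternalTraffic' `
    -Fqdn 'EQ,*.corp.example' `
    -ClientSubnet 'EQ,InternalResolvers' `
    -ServerInterfaceIP 'EQ,10.10.0.5' `
    -Condition 'OR'

# Stage 1: observe. LogOnly answers every query but logs which ones would have been limited.
Set-DnsServerResponseRateLimiting @rrl -Mode LogOnly -Force

# Stage 2: enforce. Run this after reviewing the DNS-Server analytic log for false positives.
# Set-DnsServerResponseRateLimiting -Mode Enable -Force
```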
Unknown Record Support
There are times when a DNS server does not recognize the RDATA format of a resource record. These resource records are known as Unknown Records.
Windows Server 2022 supports Unknown Records (RFC 3597). This means that you can add these otherwise unsupported record types to a Windows DNS server zone, using the binary on-wire format.
Windows caching resolvers already have the ability to support these unknown record types, but DNS servers do not do any processing of them. After you add the unknown record types to the DNS zone, the DNS server simply returns them to clients when queries for them are received.
IPv6 Root Hints
Windows Server 2022 DNS supports IPv6 root hints as published by the IANA, so DNS name queries can use IPv6 root servers to complete name resolution.