Chapter 6: Installing and Configuring a DNS Caching-only DNS Server on the Perimeter Network Segment
DNS servers allow client systems to resolve names to IP addresses. Internet applications need to know the IP address of a destination host before they can connect. A caching-only DNS server is a special type of DNS in that is it not authoritative for any domain. This means the caching-only DNS server does not contain any domain resource records. Instead, the caching-only DNS server accepts DNS queries from DNS client systems, resolves the name in the request, caches the answer and returns the cached answer to the client that made the initial DNS query.
A caching-only DNS server is an optional component. You do not need to use a caching-only DNS server. You can move to the next document in this ISA Server 2004 Configuration Guide if you do not plan to use a perimeter network segment. If you do choose to use a perimeter network segment, you should follow the procedures outlined in this document.
DNS servers located in the perimeter network are used for two primary purposes:
- name resolution for domains under your administrative control
- caching-only DNS services for internal network clients, or as forwarders for internal network DNS servers
A perimeter network DNS server can contain DNS zone information about publicly accessible domains. For example, if you have implemented a split DNS infrastructure, the public records for your domain would be contained on the perimeter network DNS server. Internet-located hosts can query this DNS server and obtain the IP addresses required to connect to resources you have published through the ISA Server 2004 firewall.
The DNS server on the perimeter network can also act as a caching-only DNS server. In this role, the machine contains no DNS resource record information. Instead, the caching-only DNS server resolves Internet host names and caches the results of its queries. It can then return answers from cache if it has already resolved the name. If not, it can query other DNS servers on the Internet and cache the results before returning the answer to the client.
In this document we will discuss the following procedures:
- Installing the DNS server service
- Configuring the DNS server as a secure caching-only DNS server
Installing the DNS Server Service
The first step is to install the DNS server service on the perimeter network host. This machine will act as both a secure caching-only DNS server and a publicly accessible Web and SMTP relay machine.
Perform the following steps to install the DNS server service on the perimeter network host computer, TRIHOMELAN1:
- Click Start; point to Control Panel. Click Add or Remove Programs.
- In the Add or Remove Programs window, click the Add/Remove Windows Components button on the left side of the window.
- On the Windows Components page, scroll through the list of Components and select Networking Services. Click the Details button.
- In the Networking Services dialog box, put a check mark in the Domain Name System (DNS) check box and click OK.
- Click Next on the Windows Components page.
- Click OK in the Insert Disk dialog box. In the Files Needed dialog box, enter the path to the i386 folder in the Copy files from text box and click OK.
- Click Finish on the Completing the Windows Components Wizard page.
The next step is to configure the DNS server as a secure caching-only DNS server.
Configuring the DNS Server as a Secure Caching-only DNS Server
The DNS server on the perimeter network will be in direct contact with Internet hosts. These hosts can be DNS clients that query the perimeter network DNS server for addresses of publicly accessible domain resources. They can also be DNS servers on the Internet that the caching-only DNS server contacts to resolve Internet host names for internal network clients. In this example, the DNS server will act as a caching-only DNS server and will not host public DNS records for the domain.
Perform the following steps on the perimeter network DNS servers to configure it as a secure caching-only DNS server:
- Click Start and point to Administrative Tools. Click DNS.
- In the DNS management console, right-click the server name in the left pane of the console and click Properties.
- In the DNS server’s Properties dialog box, click the Root Hints tab. The entries in the Name servers list are for Internet root name servers that the caching-only DNS server uses to resolve Internet host names. Without this list of root DNS servers, the caching-only DNS server will not be able to resolve the names of machines located on the Internet.
- Click the Forwarders tab. Make sure there is not a check mark in the Do not use recursion for this domain check box. If this option is selected, the caching-only DNS server cannot use the root hints list of the root Internet DNS server to resolve Internet host names. Select this option only if you decide to use a forwarder. In this case, we do not use a forwarder.
- Click the Advanced tab. Confirm that a check mark appears in the Secure cache against pollution check box. This prevents Internet DNS servers and attackers from inserting additional records in a DNS response. These additional records could be used as part of a co-coordinated DNS attack.
- Click the Monitoring tab. Put checkmarks in the A simple query against this DNS server and A recursive query to other DNS servers check boxes. Then click the Test Now button. Note in the Test results frame that the Simple Query shows a Pass, while the Recursive Query displays a Fail. The reason is that an Access Rule has not been created that allows the caching-only DNS server access to the Internet. Later, we will create an Access Rule on the ISA Server 2004 firewall that allows the DNS server outbound access to DNS servers on the Internet.
- Click Apply and then click OK in the DNS server’s Properties dialog box.
- Close the DNS management console.
At this point, the caching-only DNS server is able to resolve Internet host names. Later, we will create Access Rules allowing hosts on the internal network to use the caching-only DNS server to resolve Internet host names.
In this ISA Server 2004 Configuration Guide document we discussed the uses of a caching-only DNS server and how to install and configure the Microsoft DNS server service. Later in this guide we will configure Access Policies that allow hosts on the internal network to use this DNS server and allow the caching-only DNS server to connect to the Internet.