Internal DNS Service (iDNS) for SDN

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

If you work for a Cloud Service Provider (CSP) or an Enterprise that is planning to deploy Software Defined Networking (SDN) in Windows Server 2016, you can provide DNS services to your hosted tenant workloads by using Internal DNS (iDNS), which is integrated with SDN.

Hosted virtual machines (VMs) and applications require DNS to communicate within their own networks and with external resources on the Internet. With iDNS, you can provide tenants with DNS name resolution services for their isolated, local name space and for Internet resources.

Because the iDNS service is not reachable from tenant Virtual Networks except through the iDNS proxy, the iDNS servers are not directly exposed to malicious activity on tenant networks; the proxy is the only tenant-facing surface.

Key Features

Following are the key features of iDNS.

  • Provides shared DNS name resolution services for tenant workloads
  • Authoritative DNS service for name resolution and DNS registration within the tenant name space
  • Recursive DNS service for resolution of Internet names from tenant VMs
  • If desired, you can configure simultaneous hosting of fabric and tenant names
  • A cost-effective DNS solution: tenants do not need to deploy their own DNS infrastructure
  • High availability through Active Directory integration, which is required

In addition to these features, if you are concerned about exposing your AD-integrated DNS servers to the Internet, you can deploy the iDNS servers behind another recursive resolver in the perimeter network.

Because iDNS is a centralized server for all tenant DNS queries, a CSP or Enterprise can also implement tenant DNS firewalls, apply filters, detect malicious activity, and audit transactions at a central location.
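The following is an added example, not code from this page or from SDNExpress.ps1, showing one way to use that central position on the iDNS server itself: a server-level DNS query resolution policy as the tenant DNS firewall, the DNS Server analytical event channel as the audit trail, and a short summary function over that channel as a first detection. The blocked suffix is a placeholder, the zone name contoso.local is taken from this page, and event ID 256 (QUERY_RECEIVED) and the Source=/QNAME= fields are assumed from the analytical channel's message format.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the page or of SDNExpress.ps1. Run on the iDNS server.
# Assumptions: $BlockedSuffix is a placeholder; the iDNS zone is contoso.local as on the page;
# event ID 256 is QUERY_RECEIVED and its message carries "Source=...;" and "QNAME=...;" fields.
param(
    [string]$BlockedSuffix = 'malware.example',   # placeholder: a suffix tenants must never resolve
    [string]$Zone          = 'contoso.local'      # iDNS zone from the page
)
$analyticalLog = 'Microsoft-Windows-DNSServer/Analytical'

# 1. Tenant DNS firewall: a server-level query resolution policy is evaluated before the
#    server answers or recurses. DENY returns an error response; IGNORE would drop the query.
if (-not (Get-DnsServerQueryResolutionPolicy -Name 'Tenant-BlockSuffix' -ErrorAction SilentlyContinue)) {
    Add-DnsServerQueryResolutionPolicy -Name 'Tenant-BlockSuffix' -Action DENY `
        -FQDN "EQ,*.$BlockedSuffix" -ProcessingOrder 1
}

# 2. Audit: the Audit channel (configuration changes) is on by default; the Analytical
#    channel (one event per query and response) is off by default and is what query
#    auditing needs. Events accumulate only from this point on.
wevtutil sl $analyticalLog /e:true /q:true

# 3. Detection: summarise received queries per source address. Analytical channels must be
#    read oldest-first. Returns one object per source with the total, the hits on the blocked
#    suffix and the number of queries inside the tenant zone.
function Get-TenantQuerySummary {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -LogName $analyticalLog -Oldest -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object Id -eq 256 |
        ForEach-Object {
            $src   = if ($_.Message -match 'Source=([^;]+)') { $Matches[1] } else { '?' }
            $qname = if ($_.Message -match 'QNAME=([^;]+)')  { $Matches[1].TrimEnd('.') } else { '?' }
            [pscustomobject]@{ Source = $src; QName = $qname }
        } |
        Group-Object Source |
        ForEach-Object {
            [pscustomobject]@{
                Source      = $_.Name
                Queries     = $_.Count
                BlockedHits = @($_.Group | Where-Object QName -like "*.$BlockedSuffix").Count
                TenantZone  = @($_.Group | Where-Object QName -like "*.$Zone").Count
            }
        } | Sort-Object BlockedHits, Queries -Descending
}

Get-TenantQuerySummary | Format-Table -AutoSize
```

Tenant queries reach the iDNS server through the iDNS proxy rather than directly from the VM, so confirm which address the analytical log records in Source= for a proxied query before keying any policy on -ClientSubnet; the vn-guid label inside QNAME is the reliable per-tenant attribute regardless of source address.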

iDNS Infrastructure

The iDNS infrastructure includes the iDNS servers and the iDNS proxy.

iDNS Servers

iDNS includes a set of DNS servers that host tenant-specific data, such as the DNS resource records of VMs.

The iDNS servers are the authoritative servers for their internal DNS zones, and they also act as a resolver for public names when tenant VMs attempt to connect to external resources.

All of the host names for VMs on Virtual Networks are stored as DNS resource records under the same zone. For example, if you deploy iDNS for a zone named contoso.local, the DNS resource records for the VMs on that network are stored in the contoso.local zone.

Tenant VM fully qualified domain names (FQDNs) consist of the computer name and the DNS suffix string for the Virtual Network, which is in GUID format. For example, if you have a tenant VM named TENANT1 on a Virtual Network in the contoso.local zone, the VM's FQDN is TENANT1.vn-guid.contoso.local, where vn-guid is the DNS suffix string for the Virtual Network.

Note

If you are a fabric administrator, you can use your CSP or Enterprise DNS infrastructure as the iDNS servers instead of deploying new DNS servers specifically for use as iDNS servers. Whether you deploy new servers for iDNS or use your existing infrastructure, iDNS relies on Active Directory to provide high availability. Your iDNS servers must therefore be integrated with Active Directory.

iDNS Proxy

The iDNS proxy is a Windows service that runs on every host and forwards tenant Virtual Network DNS traffic to the iDNS server.

The following illustration depicts the DNS traffic paths from tenant Virtual Networks through the iDNS proxy to the iDNS server and the Internet.

(Illustration: iDNS infrastructure)

How to Deploy iDNS

When you deploy SDN in Windows Server 2016 by using scripts, iDNS is automatically included in your deployment.

For more information, see the following topics.

Understanding iDNS Deployment Steps

You can use this section to gain an understanding of how iDNS is installed and configured when you deploy SDN using scripts.

Following is a summary of the steps needed to deploy iDNS.

Note

If you have deployed SDN by using scripts, you do not need to perform any of these steps. The steps are provided for information and troubleshooting purposes only.

Step 1: Deploy DNS

You can deploy a DNS server by using the following example Windows PowerShell command.

Install-WindowsFeature DNS -IncludeManagementTools

Step 2: Configure iDNS information in Network Controller

This script segment is a REST call made by the administrator to Network Controller, informing it about the iDNS zone configuration, such as the IP address of the iDNS server and the zone that is used to host the iDNS names.

Url: https://<url>/networking/v1/iDnsServer/configuration
Method: PUT
{
  "properties": {
    "connections": [
      {
        "managementAddresses": [
          "10.0.0.9"
        ],
        "credential": {
          "resourceRef": "/credentials/iDnsServer-Credentials"
        },
        "credentialType": "usernamePassword"
      }
    ],
    "zone": "contoso.local"
  }
}

Note

This is an excerpt from the section Configuration ConfigureIDns in SDNExpress.ps1. For more information, see Deploy a Software Defined Network infrastructure using scripts.

Step 3: Configure the iDNS Proxy Service

The iDNS Proxy service runs on each of the Hyper-V hosts, providing the bridge between the virtual networks of tenants and the physical network where the iDNS servers are located. The following registry values must be created on every Hyper-V host.

DNS port: Fixed port 53

  • Registry Key = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\DnsProxyService
  • ValueName = "Port"
  • ValueData = 53
  • ValueType = "Dword"

DNS Proxy Port: Fixed port 53

  • Registry Key = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\DnsProxyService
  • ValueName = "ProxyPort"
  • ValueData = 53
  • ValueType = "Dword"

DNS IP: The fixed IP address that is presented on the tenant network interface as the DNS server, in case the tenant chooses to use the iDNS service.

  • Registry Key = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\DnsProxyService
  • ValueName = "IP"
  • ValueData = "169.254.169.254"
  • ValueType = "String"

MAC Address: Media Access Control address of the DNS server (the value below is a placeholder).

  • Registry Key = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\DnsProxyService
  • ValueName = "MAC"
  • ValueData = "aa-bb-cc-aa-bb-cc"
  • ValueType = "String"

iDNS Server Address: A comma-separated list of iDNS servers.

  • Registry Key = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSProxy\Parameters
  • ValueName = "Forwarders"
  • ValueData = "10.0.0.9"
  • ValueType = "String"

Note

This is an excerpt from the section Configuration ConfigureIDnsProxy in SDNExpress.ps1. For more information, see Deploy a Software Defined Network infrastructure using scripts.

Step 4: Restart the Network Controller Host Agent Service

You can use the following Windows PowerShell command to restart the Network Controller Host Agent service.

Restart-Service nchostagent -Force

For more information, see Restart-Service.

Enable firewall rules for the DNS proxy service

You can use the following Windows PowerShell command to create the firewall rule exceptions that allow the proxy to communicate with the VM and with the iDNS server.

Enable-NetFirewallRule -DisplayGroup 'DNS Proxy Firewall'

For more information, see Enable-NetFirewallRule.
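Steps 2 through 4 and the firewall rule above are one procedure per Hyper-V host. The following is an added example that carries them out end to end from a single script and then reads back what the proxy will see; it is not SDNExpress.ps1 or any other code from this page. The Network Controller REST name nc.contoso.local, Kerberos authentication to Network Controller with a trusted certificate, and the MAC value are assumptions; the iDNS server address 10.0.0.9, the zone contoso.local, the credential resource reference, the proxy address 169.254.169.254 and the registry paths are taken from this page.

```powershell
#Requires -RunAsAdministrator
# Added example, not from SDNExpress.ps1. Run on each Hyper-V host after Step 1 (DNS deployed).
# Assumptions: the Network Controller REST FQDN, Kerberos auth with a trusted NC certificate,
# and the MAC value. Addresses, zone, credential ref and registry paths are from the page.
param(
    [string]$NetworkControllerRestName = 'nc.contoso.local',   # assumption: NC REST endpoint name
    [string]$iDnsServerAddress         = '10.0.0.9',           # comma-separate to list several servers
    [string]$Zone                      = 'contoso.local',
    [string]$ProxyMac                  = 'aa-bb-cc-aa-bb-cc',  # placeholder from the page; supply the real MAC
    [string]$DnsProxyIp                = '169.254.169.254'
)

# --- Step 2: register the iDNS zone configuration with Network Controller (the PUT from the page) ---
$body = @{
    properties = @{
        connections = @(
            @{
                managementAddresses = @($iDnsServerAddress.Split(',')[0])
                credential          = @{ resourceRef = '/credentials/iDnsServer-Credentials' }
                credentialType      = 'usernamePassword'
            }
        )
        zone = $Zone
    }
} | ConvertTo-Json -Depth 6

# Assumption: Kerberos authentication (-UseDefaultCredentials) and an NC certificate the host trusts.
Invoke-RestMethod -Method Put -ContentType 'application/json' -Body $body -UseDefaultCredentials `
    -Uri "https://$NetworkControllerRestName/networking/v1/iDnsServer/configuration" | Out-Null

# --- Step 3: the registry values the iDNS proxy reads on every Hyper-V host ---
$proxyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet\InfraServices\DnsProxyService'
$fwdKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNSProxy\Parameters'
New-Item -Path $proxyKey -Force | Out-Null
New-Item -Path $fwdKey   -Force | Out-Null

$values = @(
    @{ Path = $proxyKey; Name = 'Port';       Value = 53;                 Type = 'DWord'  },
    @{ Path = $proxyKey; Name = 'ProxyPort';  Value = 53;                 Type = 'DWord'  },
    @{ Path = $proxyKey; Name = 'IP';         Value = $DnsProxyIp;        Type = 'String' },
    @{ Path = $proxyKey; Name = 'MAC';        Value = $ProxyMac;          Type = 'String' },
    @{ Path = $fwdKey;   Name = 'Forwarders'; Value = $iDnsServerAddress; Type = 'String' }
)
foreach ($v in $values) {
    New-ItemProperty -Path $v.Path -Name $v.Name -Value $v.Value -PropertyType $v.Type -Force | Out-Null
}

# --- Step 4 and the firewall group: restart the host agent so the proxy plugin picks up the values ---
Restart-Service nchostagent -Force
Enable-NetFirewallRule -DisplayGroup 'DNS Proxy Firewall'

# --- Check: read the configuration back and fail loudly if the host is only half configured ---
$proxyCfg = Get-ItemProperty -Path $proxyKey
$check = [pscustomobject]@{
    HostAgent     = (Get-Service nchostagent).Status
    ProxyPort     = $proxyCfg.ProxyPort
    ProxyIp       = $proxyCfg.IP
    ProxyMac      = $proxyCfg.MAC
    Forwarders    = (Get-ItemProperty -Path $fwdKey).Forwarders
    FirewallRules = @(Get-NetFirewallRule -DisplayGroup 'DNS Proxy Firewall' | Where-Object Enabled -eq 'True').Count
}
$check | Format-List
if ($check.HostAgent -ne 'Running' -or $check.ProxyPort -ne 53 -or $check.FirewallRules -eq 0) {
    throw 'iDNS proxy configuration on this host is incomplete; see the values above'
}
```

The PUT is idempotent, so rerunning the script on every host is safe; only the registry and service steps are per host. Leaving the MAC at the placeholder value is the mistake the final check cannot catch, because any string is accepted, so verify that value against the Virtual Network configuration handed out by Network Controller.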

Validate the iDNS Service

To validate the iDNS service, you must deploy a sample tenant workload.

For more information, see Create a VM and Connect to a Tenant Virtual Network or VLAN.

If you want the tenant VM to use the iDNS service, you must leave the DNS server configuration of the VM's network interfaces blank and allow the interfaces to use DHCP.

After a VM with such a network interface is started, it automatically receives a configuration that allows it to use iDNS, and the VM immediately starts performing name resolution through the iDNS service.

If you configure the tenant VM to use the iDNS service by leaving the network interface's DNS Server and Alternate DNS Server settings blank, Network Controller provides the VM with an IP address and performs a DNS name registration on behalf of the VM with the iDNS server.

Network Controller also informs the iDNS proxy about the VM and the details required to perform name resolution for the VM.

When the VM initiates a DNS query, the proxy forwards the query from the Virtual Network to the iDNS service.

The DNS proxy also ensures that tenant VM queries are isolated. If the iDNS server is authoritative for the queried name, it responds with an authoritative answer. If it is not authoritative, it performs DNS recursion to resolve Internet names.

Note

This information is included in the section Configuration AttachToVirtualNetwork in SDNExpressTenant.ps1. For more information, see Deploy a Software Defined Network infrastructure using scripts.
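The page says what a correctly attached tenant VM should observe but not how to check it. The following is an added example, not code from this page or from SDNExpressTenant.ps1, to run inside a tenant VM whose interface was left without static DNS servers. It checks each claim above in turn: the DHCP-supplied DNS server is the proxy address, the VM's own registration resolves and has the name.vn-guid.zone shape, a peer on the same Virtual Network resolves, a name from another tenant's Virtual Network does not, and a public name still resolves through recursion. The proxy address 169.254.169.254 and the zone contoso.local are from this page; the peer name, the other tenant's FQDN and the public name are placeholders, and the 36-character GUID shape of the vn-guid label is an assumption.

```powershell
# Added example, not from SDNExpressTenant.ps1. Run inside a tenant VM attached to a Virtual
# Network with DHCP-assigned DNS. Assumptions: placeholder peer, other-tenant and public names;
# the vn-guid label is a 36-character GUID; proxy address and zone are from the page.
param(
    [string]$PeerVmName      = 'TENANT1',                                                   # a VM on the same Virtual Network
    [string]$OtherTenantFqdn = 'WEB01.00000000-0000-0000-0000-000000000000.contoso.local',   # placeholder: a name from another VN
    [string]$PublicName      = 'www.microsoft.com',                                         # placeholder public name
    [string]$Zone            = 'contoso.local'
)
$iDnsProxy = '169.254.169.254'
$results   = [ordered]@{}

# Resolve strictly over DNS: skip the hosts file, LLMNR/NetBIOS and the client cache so the
# answers really came through the iDNS proxy.
function Resolve-ViaDns([string]$Name) {
    Resolve-DnsName -Name $Name -Type A -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'A'
}

# 1. The interface must have received the proxy address as its DNS server from DHCP.
$results['ProxyIsDnsServer'] = [bool](Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses -contains $iDnsProxy })

# 2. Own registration: the A record Network Controller created on the VM's behalf must resolve
#    and carry the <computer>.<vn-guid>.<zone> FQDN shape described on the page.
$self = @(Resolve-ViaDns $env:COMPUTERNAME)
$results['SelfResolves'] = ($self.Count -gt 0)
$shape = "^$([regex]::Escape($env:COMPUTERNAME))\.[0-9a-f-]{36}\.$([regex]::Escape($Zone))$"
$results['FqdnShape']    = ($self.Count -gt 0) -and ($self[0].Name -match $shape)

# 3. A peer on the same Virtual Network resolves by short name (the DHCP-supplied suffix completes it).
$results['PeerResolves'] = (@(Resolve-ViaDns $PeerVmName).Count -gt 0)

# 4. Isolation: a name from another tenant's Virtual Network must not resolve through the proxy.
$results['OtherTenantBlocked'] = (@(Resolve-ViaDns $OtherTenantFqdn).Count -eq 0)

# 5. Recursion: a name the iDNS server is not authoritative for must still resolve.
$results['PublicResolves'] = (@(Resolve-ViaDns $PublicName).Count -gt 0)

[pscustomobject]$results | Format-List
if ($results.Values -contains $false) {
    throw 'iDNS validation failed; see the check(s) reported as False above'
}
```

The isolation check is only meaningful when OtherTenantFqdn is a real registered name from a second tenant's Virtual Network; with the placeholder it passes trivially, so deploy two tenant workloads and cross-check each from the other.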