Tuesday, May 6, 2008

Windows Server 2003

Windows Server 2003 (also referred to as Win2K3) is a server operating system produced by Microsoft. Introduced on April 24, 2003 as the successor to Windows 2000 Server, it is considered by Microsoft to be the cornerstone of their Windows Server System line of business server products. An updated version, Windows Server 2003 R2 was released to manufacturing on 6 December 2005. Its successor, Windows Server 2008, was released on February 4, 2008.

Released on April 24, 2003, Windows Server 2003 (which carries the version number 5.2) is the follow-up to Windows 2000 Server, incorporating compatibility and other features from Windows XP. Unlike Windows 2000 Server, Windows Server 2003's default installation has none of the server components enabled, to reduce the attack surface of new machines. Windows Server 2003 includes compatibility modes to allow older applications to run with greater stability. It was made more compatible with Windows NT 4.0 domain-based networking. Incorporating and upgrading a Windows NT 4.0 domain to Windows 2000 was considered difficult and time-consuming, and generally was considered an all-or-nothing upgrade, particularly when dealing with Active Directory. Windows Server 2003 brought in enhanced Active Directory compatibility, and better deployment support, to ease the transition from Windows NT 4.0 to Windows Server 2003 and Windows XP Professional.

Changes to various services include those to the IIS web server, which was almost completely rewritten to improve performance and security, Distributed File System, which now supports hosting multiple DFS roots on a single server, Terminal Server, Active Directory, Print Server, and a number of other areas. Windows Server 2003 was also the first operating system released by Microsoft after the announcement of their Trustworthy Computing initiative, and as a result, contains a number of changes to security defaults and practices.

The product went through several name changes during the course of development. When first announced in 2000, it was known by its codename, "Whistler Server"; it was then named "Windows 2002 Server" for a brief time in mid-2001, before being renamed "Windows .NET Server" as part of Microsoft's effort to promote their new integrated enterprise and development framework, Microsoft .NET. It was later renamed to "Windows .NET Server 2003". Due to fears of confusing the market about what ".NET" represents and responding to criticism, Microsoft removed .NET from the name during the Release Candidate stage in late-2002. This allowed the name .NET to exclusively apply to the .NET Framework, as previously it had appeared that .NET was just a tag for a generation of Microsoft products.

Friday, May 2, 2008

Microsoft Domain Name System (MDNS)

Microsoft DNS is the name given to the implementation of domain name system services provided in Microsoft Windows operating systems.

The Domain Name System support in Microsoft Windows NT, and thus its derivatives Windows 2000, Windows XP, and Windows Server 2003, comprises two clients and a server. Every Microsoft Windows machine has a DNS lookup client, to perform ordinary DNS lookups. Some machines have a Dynamic DNS Update client, to perform Dynamic DNS Update transactions, registering the machines' names and IP addresses. Some machines run a DNS server, to publish DNS data, to service DNS lookup requests from DNS lookup clients, and to service DNS update requests from DNS update clients.

The server software is only supplied with the server versions of Windows. I want to share my experience with DDNS and Computer Help.

Monday, April 28, 2008

DNS hosting service

Dynamic DNS is a service that runs Domain Name System servers. Most, but not all, domain name registrars include DNS hosting service with registration. Free DNS hosting services also exist. Almost all DNS hosting services are "shared"; except for the most popular Internet sites, there is no need to dedicate a server to hosting DNS for a single website. Many third-party DNS hosting services provide Dynamic DNS and Computer Technical Support.

A DNS hosting service is better when the provider has multiple servers in various geographic locations, which minimizes latency for clients around the world.

DNS can also be self-hosted by running DNS software on a generic Internet hosting service.

Free DNS

A number of sites offer free DNS hosting, either for second level domains registered with registrars which do not offer free (or sufficiently flexible) DNS service, or as third level domains (selection.somedomain.com). These services generally also offer Dynamic DNS. In many cases the free services can be upgraded with various premium services.

Sunday, April 20, 2008

Configuring Logging for the DNS Server

There are several categories that log messages fall into. For instance, all queries fall into the "queries" category, all notify messages fall into the "notify" category, and so on. We are interested in the "dnssec", "update" and "security" categories.

The messages for every category are channelled into files or through syslog. The channel phrase specifies which severity level should be logged, how log messages should be formatted, what extra information should be included, where they should be written, how many versions should be kept, and how large the log file may grow before it is rolled over.

For this setup we will log all above categories in one place:

logging {
    category dnssec   { security_log; };
    category update   { security_log; };
    category security { security_log; };
 
    channel security_log {
        file "dns-security.log" versions 5 size 20m;
            // every time the log grows over 20 Mbyte, it will
            // backup and rollover. Maximum 5 backups will be kept.
        print-time yes;
        print-category yes;
        print-severity yes;
        severity info;
    };
};
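With print-time, print-category and print-severity all enabled, every line in dns-security.log has the shape "dd-Mon-yyyy HH:MM:SS.mmm category: severity: message". The following Python is an added example (not part of the original post or of BIND) that parses lines in that layout and summarises them: counts per category, repeated "denied" events per client, and DNSSEC validation failures. The sample log lines are constructed for the example; their message wording is representative, not copied from a real server.

```python
import re
from collections import Counter

# Layout produced by the channel above:
# "dd-Mon-yyyy HH:MM:SS.mmm category: severity: message"
LINE_RE = re.compile(
    r"^(?P<time>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<category>[a-z-]+): (?P<severity>[a-z]+): (?P<message>.*)$"
)
# BIND reports the peer as "client <ip>#<port>" in most security/update messages.
CLIENT_RE = re.compile(r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+")

# Constructed sample lines (not real server output).
SAMPLE_LOG = """\
06-May-2008 10:15:01.120 security: info: client 192.0.2.10#53000: query (cache) 'example.org/A/IN' denied
06-May-2008 10:15:01.455 security: info: client 192.0.2.10#53001: query (cache) 'example.net/A/IN' denied
06-May-2008 10:15:02.002 update: info: client 192.0.2.20#40000: updating zone 'example.com/IN': adding an RR at 'host.example.com' A
06-May-2008 10:15:03.310 security: info: client 198.51.100.7#1053: update 'example.com/IN' denied
06-May-2008 10:15:03.900 dnssec: info: validating example.net/SOA: no valid signature found
06-May-2008 10:15:04.000 security: info: client 192.0.2.10#53002: query (cache) 'example.com/MX/IN' denied
"""


def parse_line(line):
    """Split one log line into time, category, severity, message and client IP (or None)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    c = CLIENT_RE.search(rec["message"])
    rec["client"] = c.group("ip") if c else None
    return rec


def summarize(text):
    """Aggregate a log excerpt into per-category counts and per-client denials."""
    by_category = Counter()
    denied_by_client = Counter()
    dnssec_failures = 0
    unparsed = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # lines in another layout are counted, not dropped silently
            continue
        by_category[rec["category"]] += 1
        if rec["category"] == "security" and "denied" in rec["message"] and rec["client"]:
            denied_by_client[rec["client"]] += 1
        if rec["category"] == "dnssec" and "no valid signature" in rec["message"]:
            dnssec_failures += 1
    return {
        "by_category": by_category,
        "denied_by_client": denied_by_client,
        "dnssec_failures": dnssec_failures,
        "unparsed": unparsed,
    }


def noisy_clients(summary, threshold=3):
    """Clients that hit the deny rules at least `threshold` times in the excerpt."""
    return sorted(ip for ip, n in summary["denied_by_client"].items() if n >= threshold)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(dict(s["by_category"]))
    print(noisy_clients(s))
```

Point the same parser at the rotated files (dns-security.log.0 through .4) to cover the whole retention window the channel keeps.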

This blog helps with working with Dynamic DNS. What I want to share here is my experience of sharing the DNS server configuration and providing computer support assistance. The most common use for this is in allowing an Internet domain name to be assigned to a computer with a varying (dynamic) IP address.


Source: ops.ietf.org

Tuesday, April 15, 2008

What are DNS resolvers?

A resolver looks up the resource record information associated with nodes. A resolver knows how to communicate with name servers by sending DNS queries and heeding DNS responses.

A DNS query may be either a recursive query or a non-recursive query:

  • A non-recursive query is one where the DNS server may provide a partial answer to the query (or give an error). DNS servers must support non-recursive queries.
  • A recursive query is one where the DNS server will fully answer the query (or give an error). DNS servers are not required to support recursive queries.

The resolver (or another DNS server acting recursively on behalf of the resolver) negotiates use of recursive service using bits in the query headers.

Resolving usually entails iterating through several name servers to find the needed information. However, some resolvers function simplistically and can only communicate with a single name server. These simple resolvers rely on a recursive query to a recursive name server to perform the work of finding information for them.
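The "bits in the query headers" are the RD (recursion desired) flag set by the resolver and the RA (recursion available) flag set by the server in its reply. The Python below is an added example, not code from the original post: it builds a minimal query with or without RD, decodes the flag word of a reply, and classifies what the reply says about recursive service. The response headers it checks against are constructed in the block (`fake_response`), since no network is involved.

```python
import struct

# Header flag bits (RFC 1035 section 4.1.1) in the 16-bit flags word.
QR = 0x8000  # message is a response
RD = 0x0100  # recursion desired, set by the resolver
RA = 0x0080  # recursion available, set by the server


def build_query(qname, recursion_desired=True, txid=0x1234):
    """Build a minimal DNS query for an A record, with or without the RD bit."""
    flags = RD if recursion_desired else 0
    # id, flags, qdcount=1, ancount=0, nscount=0, arcount=0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname_wire = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    ) + b"\x00"
    question = qname_wire + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def parse_flags(packet):
    """Decode the transaction id and the header flags of a DNS message."""
    txid, flags = struct.unpack("!HH", packet[:4])
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & 0x000F,
    }


def describe_service(query, response):
    """Classify a reply relative to the query that was sent."""
    q = parse_flags(query)
    r = parse_flags(response)
    if r["id"] != q["id"]:
        return "mismatched-id"        # not an answer to our query; a resolver drops it
    if not r["qr"]:
        return "not-a-response"
    if q["rd"] and r["ra"]:
        return "recursive"            # server did the iteration for us
    if q["rd"] and not r["ra"]:
        return "recursion-refused"    # expect a referral or partial answer instead
    return "non-recursive"            # we never asked for recursion


def fake_response(query, recursion_available):
    """Constructed 12-byte response header (no records) for offline illustration."""
    q = parse_flags(query)
    flags = QR | (RD if q["rd"] else 0) | (RA if recursion_available else 0)
    return struct.pack("!HHHHHH", q["id"], flags, 1, 0, 0, 0)


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(describe_service(q, fake_response(q, True)))   # recursive
    print(describe_service(q, fake_response(q, False)))  # recursion-refused
```

A stub resolver that only talks to one server depends on seeing RA set; when it is clear, the server is behaving as a non-recursive (authoritative or referral-only) server and the client has to iterate itself or pick a different server.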

Thursday, April 10, 2008

Domain Name System Security Extensions (DNSSEC)

The Domain Name System Security Extensions (DNSSEC) are a suite of IETF specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers):

  • Origin authentication of DNS data.
  • Data integrity.
  • Authenticated denial of existence.

It is widely believed that deploying DNSSEC is critically important for securing the Internet as a whole, but deployment has been hampered by the difficulty of:

  1. Devising a backward-compatible standard that can scale to the size of the Internet.
  2. Deploying DNSSEC implementations across a wide variety of DNS servers and resolvers (clients).
  3. Squabbling among key players, none of whom agree on who should own the .com (etc.) root keys.

IP-based networks, including the Internet, route information between computers based on their IP address, a multi-byte number (4 bytes in IP version 4, 16 bytes in IP version 6). Directly using these numbers would cause many problems, so DNS is a critical service of such networks. DNS accepts a domain name (such as www.wikipedia.org) and responds with information about that name, such as its matching IP address. DNS can also perform reverse look-ups (given an IP address, return the corresponding name). DNS is implemented as a distributed system, for scalability. (For more information, see Domain Name System.) Unfortunately, DNS was not designed to be secure.

There are several distinct classes of threats to the DNS, most of which are DNS-related instances of more general problems, but a few of which are specific to peculiarities of the DNS protocol. A Request for Comments document, RFC 3833, attempts to document some of the known threats to the DNS, and, in doing so, attempts to measure to what extent DNSSEC is a useful tool in defending against these threats.

DNSSEC was designed to protect Internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning. All answers in DNSSEC are digitally signed. By checking the digital signature, a DNS resolver is able to check whether the information is identical (correct and complete) to the information on the authoritative DNS server. While protecting IP addresses is the immediate concern for many users, DNSSEC can protect other information such as general-purpose cryptographic certificates stored in DNS. RFC 4398 describes how to distribute certificates via DNS, including those for email, making it possible to use DNSSEC as a world-wide public key infrastructure for email.


DNSSEC does not provide confidentiality of data; in particular, all DNSSEC responses are authenticated but not encrypted. DNSSEC does not protect against DoS attacks directly, though it indirectly provides some benefit (because signature checking allows the use of potentially untrustworthy parties). Other standards (not DNSSEC) are used to secure bulk data (such as a zone transfer) sent between DNS servers. As documented in IETF RFC 4367, some users and developers make false assumptions about DNS names, such as assuming that a company's common name plus ".com" is always its domain name. DNSSEC cannot cure false assumptions; it can only authenticate that the data is truly from, or not available from, the domain owner.
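"Authenticated denial of existence" from the list above is worth seeing concretely. DNSSEC proves a name is absent with signed NSEC records (RFC 4034): each NSEC names an owner and the next owner name in the zone's canonical order, so a name that sorts strictly between the two cannot exist. The Python below is an added example, not code from the original post or from any DNSSEC implementation: it implements the canonical name ordering from RFC 4034 section 6.1 and the interval test a validator applies, including the last NSEC in a zone, whose "next" name wraps back to the apex. The names used are constructed examples.

```python
def canonical_key(name):
    """Sort key for DNSSEC canonical name order (RFC 4034 section 6.1).

    Labels are compared right to left, as lowercase octet strings; a label
    that is a prefix of another sorts first, and a name with fewer labels
    sorts before a longer name that extends it. Python's tuple-of-bytes
    comparison has exactly these properties.
    """
    labels = [lbl.lower().encode("ascii") for lbl in name.rstrip(".").split(".") if lbl]
    return tuple(reversed(labels))


def canonical_sort(names):
    """Order a zone's owner names the way NSEC chains them."""
    return sorted(names, key=canonical_key)


def nsec_covers(owner, next_name, qname):
    """True if an NSEC record (owner -> next_name) proves that qname does not exist.

    If qname equals the owner, the name exists and the NSEC only says which
    types it has, so it is not a denial. For the last NSEC in the zone,
    next_name sorts before owner (it points back at the apex), and the
    interval wraps around.
    """
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if q == o:
        return False
    if o < n:
        return o < q < n          # ordinary interval inside the chain
    return q > o or q < n         # last NSEC: everything after owner or before apex


if __name__ == "__main__":
    # Constructed zone: apex, b, www; the chain is example.com -> b -> www -> example.com
    print(canonical_sort(["www.example.com.", "example.com.", "b.example.com."]))
    print(nsec_covers("example.com.", "b.example.com.", "a.example.com."))    # True
    print(nsec_covers("www.example.com.", "example.com.", "zzz.example.com."))  # True (wrap)
```

A real validator does more than this interval test: it first verifies the RRSIG over the NSEC with a key chained to the trust anchor, and it applies the closest-encloser and wildcard rules before accepting the denial. This block shows only the ordering and covering logic that those steps rest on.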


Source: en.wikipedia.org

Monday, April 7, 2008

Domain Name System Client Behavior in Windows Vista

Microsoft® Windows Vista™ includes both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) protocol stacks that are installed and enabled by default. Domain Name System (DNS) name queries and registrations can now involve both IPv4 address records (A records) and IPv6 address records (AAAA records). This article describes the behavior of the DNS Client service in Windows Vista for DNS queries and registrations and the possible impact on DNS traffic.

Note: This article does not describe changes to DNS client behavior in versions of Windows released after Windows Vista with Service Pack 1 and Windows Server 2008, including additional service packs or other updates.

DNS Query Behavior

Computers running Windows Vista need to perform both A and AAAA queries to determine the best method of connectivity to the desired endpoint. By obtaining both IPv4 and IPv6 addresses, there is an increased chance of being able to access the desired endpoint if one of the addresses is unreachable.

The DNS Client service in Windows Vista has been designed to minimize the impact on DNS servers when performing DNS name queries through the following behavior:

· If the host has only link-local or Teredo IPv6 addresses assigned, the DNS Client service sends a single query for A records.

· If the host has at least one IPv6 address assigned that is not a link-local or Teredo address, the DNS Client service sends a DNS query for A records and then a separate DNS query to the same DNS server for AAAA records. If an A record query times out or has an error (other than name not found), the corresponding AAAA record query is not sent.

This DNS querying behavior will assist enterprises and ISPs in their transition to IPv6. When AAAA records are added to DNS either manually or through DNS dynamic update, computers running Windows Vista will by default use IPv6 over IPv4, providing proof to IT staff that the IPv6 routing and name resolution infrastructure is working properly for IPv6 connectivity. When organizations transition to an IPv6-only infrastructure and disable IPv4, the DNS Client service will send only AAAA queries.

Computers running Windows Vista can increase DNS traffic and the load on DNS servers when the computers have been configured with a global address:

· On intranets that have deployed IPv6 (either native or ISATAP), there will be additional DNS query traffic. However, deployments of Windows Vista in enterprise networks using IPv6 have not resulted in dramatic increases in the loads on intranet DNS servers. Intranets running at or near capacity for DNS might need to provide additional capacity to better support an enterprise deployment of Windows Vista.

· On the Internet, computers running Windows Vista by default will typically not be configured with a global address from their ISPs or from their gateway devices. At this time, typical ISPs do not support native IPv6 connectivity and typical home routers do not support the 6to4 transition technology. If a computer running Windows Vista is located behind a network address translator (NAT), the Teredo client component will automatically configure a global Teredo address, even if it is in an inactive state. However, a computer running Windows Vista will not send AAAA record queries if it only has a Teredo address assigned.

DNS Registration Behavior

The DNS Client service in Windows Vista uses DNS dynamic update and attempts to register the following records:

· A records for all IPv4 addresses assigned to the interfaces that are configured with a DNS server

· Pointer (PTR) records for IPv4 addresses assigned to interfaces that are configured with a DNS server

· AAAA records for all global IPv6 addresses assigned to interfaces that are configured with a DNS server

Teredo addresses are not registered.
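The query rules above (A only, A then AAAA, or AAAA only) and the registration rules (A and PTR for IPv4, AAAA for global IPv6, nothing for Teredo) both hinge on classifying the host's addresses. The Python below is an added example, not Microsoft's code and not part of the original article: it encodes those rules as functions over a list of addresses using the standard `ipaddress` module. It assumes every address given is on an interface configured with a DNS server, and it takes "global IPv6 address" to mean an address in 2000::/3 that is not Teredo (that mapping to 2000::/3 is the example's assumption). The addresses used are constructed test values.

```python
import ipaddress

# Assumption for this example: "global" IPv6 means the 2000::/3 unicast range,
# minus Teredo (2001:0::/32), which the article says is never registered.
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def classify_v6(addr):
    """Bucket an IPv6 address as link-local, teredo, global or other (loopback, ULA, ...)."""
    if addr.is_link_local:
        return "link-local"
    if addr.teredo is not None:        # ipaddress decodes 2001:0::/32 as Teredo
        return "teredo"
    if addr in GLOBAL_UNICAST:
        return "global"
    return "other"


def plan_queries(addresses):
    """Record types the client queries for, in the order it sends them."""
    addrs = [ipaddress.ip_address(a) for a in addresses]
    v4 = [a for a in addrs if a.version == 4]
    v6 = [a for a in addrs if a.version == 6]
    if not addrs:
        return []
    if not v4:
        return ["AAAA"]                # IPv4 disabled: only AAAA queries are sent
    usable_v6 = [a for a in v6 if classify_v6(a) not in ("link-local", "teredo")]
    return ["A", "AAAA"] if usable_v6 else ["A"]


def send_aaaa_after_a(a_outcome):
    """The AAAA query follows the A query unless the A query timed out or errored
    with something other than name-not-found."""
    return a_outcome in ("answer", "nxdomain")


def plan_registrations(addresses):
    """Records the DNS Client service registers via dynamic update, as (type, value)."""
    records = []
    for a in (ipaddress.ip_address(x) for x in addresses):
        if a.version == 4:
            records.append(("A", str(a)))
            records.append(("PTR", a.reverse_pointer))
        elif classify_v6(a) == "global":
            records.append(("AAAA", str(a)))   # link-local and Teredo are skipped
    return records


if __name__ == "__main__":
    host = ["192.0.2.10", "fe80::1", "2001:db8::10", "2001:0:4136:e378:8000:63bf:3fff:fdd2"]
    print(plan_queries(host))          # ['A', 'AAAA']
    print(plan_registrations(host))    # A, PTR and one AAAA; Teredo omitted
```

Because all registrations travel in one dynamic update packet, `plan_registrations` returning an extra AAAA tuple adds a record to that packet, not a packet to the wire, which is the point the article makes about server load.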

For the typical intranet host configured with a global IPv6 address, additional AAAA records for IPv6 global addresses are registered. However, a DNS dynamic update client includes all of the records it is registering in a single packet, so although there are additional records to register, there are no additional packets for AAAA record registration. The impact on intranet DNS servers for AAAA registration is therefore minimal.

Typical Internet-based DNS servers do not support DNS dynamic update. However, if an Internet-based DNS server did support DNS dynamic update, there is typically no additional traffic because the typical Windows Vista-based Internet host does not have a global IPv6 address assigned and Teredo addresses are not registered. Therefore, for typical Windows Vista-based hosts on today's Internet, there is no performance impact on Internet DNS servers for DNS registration.


Source: technet.microsoft.com