Like This Blog 10

Added by Rick Trader April 24, 2013

Stub Zones are a DNS feature introduced in Windows Server 2003. A Stub Zones allows an organization to resolve names to a private namespace or speed up name resolution to a public namespace without the use of Conditional Forwarders or Secondary Zones.

When a DNS server receives a client query request for a host address that is not part of its authoritative namespace, it starts a resolution process beginning with a root name server and continues the process until the name is resolved. When a Stub Zone is configured the local DNS server will forward the request to a DNS authoritative for the domain namespace of the query. Now you are thinking to yourself, sounds a lot like what a Conditional Forward does. Well it is kind of, but the difference is, when a Conditional Forward is configured a single DNS server is used to resolve names in the remote domain. It that DNS server is not available name resolution fails. When a Stub Zone is configured it will contain an entire list of Name Server (NS) records from the other domain. These records are referred to as “Glue A records”. One of the advantages to using a Stub Zone over a Secondary is the transfer of records only includes the glue A record (see Figure 1), where as a Secondary will transfer the entire zone database (see Figure 2). In order to configure a Stub Zone and the zone transfer to of the glue A records the source DNS server must allow zone transfers. In this blog we will look at how to configure a Stub Zone in DNS.

Scenario.

Two organizations, USSHQ and Dulce Base need to be able to share resources. A trust relationship between the two organizations Active Directory Domain Services is desired, but neither organization name space can be resolved through public name resolution. In order to configure the trust relationship name resolution need to be configured. One option for name resolution is to use a DNS Stub Zone. DNS Stub Zones in each domain will be configured to forward request for the other organization name space to a DNS server that is authoritative. All other names needing resolved will use the default name resolution method.

If a computer from Dulce Base attempts to contact a computer in USSHQ it is unable to resolve the name. See figure below, the same result would occur going the other direction.

Configuring the source DNS server to allow for zone transfers (steps will be accomplished on both DNS Servers).

1. Launch the DNS console and secondary click on the Forward Look Zone that you desire so configure Zone Transfers on, click on Properties.
2. Select the Zone Transfers tab.
   
   1. To allow zone transfers, select the Allow zone transfers check box. Then choose one of the following :
      1. To allow zone transfers to any server, click To any server.
      2. To allow zone transfers only to the DNS servers listed on the Name Servers tab, click Only to servers listed on the Name Servers tab. Use this setting if you have configured Authoritative Name Servers for this zone in the Names Servers tab.
      3. To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the IP address of one or more DNS servers. Use this setting if you have not configured Authoritative Name Servers for this zone in the Name Servers tab or you desire to allow zone transfers with Name Servers.
3. In this demonstration we will be using the last option, click Only to the following servers.
   
4. Click Edit, enter the IP Address of the Name Server that will be requesting the zone transfer, press enter. After the FQDN has resolved click OK.
5. Click OK on the DNS Properties sheet, DNS is now configured to allow zone transfers with the Dulce Base DNS serve.

Configuring a Stub Zone (Same steps will be accomplished in both DNS servers).

1. Launch the DNS Console.
   
2. Expand Forward Lookup Zones, secondary click on Forward Lookup Zone and choose New Zone. On the Welcome to the New Zone Wizard, click Next.
3. On the Zone Type page, click Stub Zone then click Next.
   

Note: If you desire the new Stub Zone to be Active Integrated leave the Store the zone in Active Directory checked, if not clear the check box.

4. On the Zone Name page, enter the desired zone to transfer from, click Next.
   
5. Click Next on the Zone File page.
6. On the Master DNS Servers page, Enter the IP Address of the master DNS server to transfer from press enter to resolve, Click Next.
7.  On the Completing the New Zone Wizard, click Finish.
8. Refresh the zone, a transfer should have occurred.

Note: The zone transfer may take a few minutes to occur, keep refreshing the screen and be patient.
Note: When looking at the new Stub Zone notice that only the Start of Authority and NS records were the only records transferred.

Name resolution will now succeed from DulceBase.Local to USSHQ.Local. Once the DNS administrator completes the configuration on the USSHQ.Local DNS server name resolution will succeed from USSHQ.Local to DulceBase.local.

As you can see configuring a Stub Zone is a simple fix to resolving names in a private network when public name resolution fails. But, does require the Administrator of the Master Zone to allow zone transfers with your organization before the zone will actually transfer.

Until next time, RIDE SAFE!

Rick Trader
Windows Server Instructor – Interface Technical Training
Phoenix, AZ