Understanding Primary and Secondary DNS Zones and how to setup Forward and Reverse Lookup Zones



Rick Trader, August 28, 2019

This content is from our CompTIA Network + Video Certification Training Course. Start training today!

Once DNS has been installed, the next step, if we want our DNS server to be an authoritative DNS server that can resolve a user‑friendly name to an IP address, or an IP address to a user‑friendly name, is to start creating and populating what’s referred to as a zone database file.

When we’re looking at DNS, there are two types of zone database files: Primary and Secondary.

We have a Primary Zone Database File, which maps our user‑friendly names to IP addresses. When we have a primary DNS server, or a primary zone, that primary zone is the only writeable copy of the database.

Think of primary and secondary the way you would in any other context: the primary is the only writeable copy.

We also have what’s referred to as the Secondary Zone. The Secondary is also an authoritative DNS server, but it reads its copy of the database file from another DNS server, and that copy is read‑only.

This provides fault tolerance. It provides load balancing, and it also makes DNS what’s referred to as facility‑ or geographically‑aware. When we have users in one location, we don’t want them traveling across the WAN to be able to authenticate to our environment.

Let’s take a look at what this looks like.


Let’s say, for instance, we have a DNS server here in Phoenix.

We’re a single location. All of our users are going to use this primary DNS server.

They’re going to query that DNS server looking for nothing but the records inside of our database, to resolve those user‑friendly names and IP addresses.

Let’s say though we stand up a facility up in New York City.

We don’t want the users in New York City coming all the way across the WAN to Phoenix to query the DNS server to find out that the resource is sitting right down the hall from them in office 201, and they happen to be in office 201.

That would be ridiculous and not optimizing the use of our corporate network, or the wide area network. What we can do is build a DNS server in New York City and make it a secondary.

Now when we make that DNS server a secondary, what’s going to happen is it’s going to come out to the Phoenix DNS server and say, “Hey, Phoenix, can you do a zone transfer of your current database to the secondary?”

Next, we’ll go to all of our computers and DNS clients in New York City and configure them to point to the New York City DNS server as their first DNS server. The second DNS server will be Phoenix.

Over here in Phoenix, we’ll configure this first DNS server to be Phoenix, and the second DNS server to be New York City.

The reason we want to do this is fault tolerance. If the DNS server up in New York City happens to fail, we have a second one: we’ll come over to Phoenix and resolve, or vice versa. If we’re in Phoenix, we can go over to New York City and resolve.

Once the zone transfer’s been made, in order to keep the database up‑to‑date, our primary might notify the secondary on a routine basis, “Hey, I’ve got changes,” and the secondary will come get it.

Or the secondary may be configured to come back to the primary on a routine basis, “Hey, do you have changes for me? If so, what are they?”

The intervals that control this refresh are stored in what’s called the Start of Authority (SOA) record.

We’re going to discuss records in a future lesson, so you will understand those timers in a little bit. This is how primary and secondary DNS servers actually work.

They’re both authoritative. They both have a zone database, and they both answer queries from it.

Now that we’ve got our zone databases built, and we understand what a primary and secondary is, let’s actually look at what type of databases we have.

The first database is called a Forward Lookup Zone.

A Forward Lookup Zone maps your user‑friendly name to an IP address, whether it be an IPv4 address or an IPv6 address. We’ll talk later about the differences between the types of records that we’re going to have. That’s our Forward Lookup Zone.

A Reverse Lookup Zone is our IP address to a user‑friendly name. For example, let’s say we’re getting that proverbial ping of death. We have a machine that’s been compromised. Now it’s pinging, maybe, our mail server, or it’s pinging one of our domain controllers or our file server continuously.

If we were monitoring the network, all we would see is the IP address of this machine, and we may be wondering where that machine is. We can do a reverse lookup on that IP address, and it will tell us the user‑friendly name of that machine.

Let’s take a look inside DNS at how this would actually look.

We come to our DNS environment.

We’ll delete these zones real quick just to show you how to create them.

We’ve already looked at how we install DNS and how we got here through the DNS console. In the console, expand the server, right‑click on Forward Lookup Zones,

and add a new zone.

Next. We’ll create a primary zone.

Next. We’re going to give it a name, myenvironment.local.

If you remember when we did the name resolution earlier, we have our top‑level name spaces. We want to make sure this one doesn’t get out on the Internet. Click next. Then create the zone database file. Next.

We’re not going to do anything with updates right now. Next.

And click finish.

Our DNS server is now an authoritative DNS server for an environment called myenvironment.local.

For the purposes of CompTIA Network +, you don’t have to know what a stub zone is.

For Network +, you have to know what a primary and secondary are, so here we create a primary zone.


The next thing we want to do is create the Reverse Lookup Zone.


Create an IPv4 zone. Next.

Enter the Network ID, 172.16.1.

Notice it’s the first three octets of my IP address. Next.

Notice it does create a Reverse Lookup Zone called 1.16.172.in-addr.arpa.dns. Hit next.

We’ll not select the updates options right now. Finish.

Notice it created my Reverse Lookup Zone.

Now this is going to start populating with IP address to user‑friendly name mappings.

If you have an IPv6 environment, you’re going to want to set up a Reverse Lookup Zone for IPv6. It’s going to look a little bit different than IPv4. First of all, it ends in .ip6.arpa; it doesn’t include the ADDR. If you’re familiar with an IPv6 address, you might have an address of 2002:F461:25B7 and it will continue.

Remember this is 128 bits in total, so we’re not going to write the whole address out. What you’ll see as an IPv6 reverse address is that it takes each hexadecimal digit of the address and writes them out backwards, separated by dots.

Just be familiar with what an IPv6 Reverse Lookup Zone looks like and what the address looks like.
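As an added illustration (not part of the original lesson), the following Python builds the reverse zone names the wizard derives, for the page’s 172.16.1 network ID and for an IPv6 prefix built from the 2002:F461:25B7 example, and cross‑checks the PTR owner names against Python’s standard library; the host addresses are constructed sample values.

```python
import ipaddress

def ipv4_reverse_zone(network_id: str) -> str:
    """Zone name for an IPv4 network ID such as '172.16.1' (one to three octets):
    the octets are written backwards and 'in-addr.arpa' is appended."""
    octets = network_id.strip(".").split(".")
    if not 1 <= len(octets) <= 3 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 network ID: {network_id!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def ipv4_ptr_name(address: str) -> str:
    """Owner name of the PTR record for a full IPv4 host address."""
    ipaddress.IPv4Address(address)  # raises on an invalid address
    return ".".join(reversed(address.split("."))) + ".in-addr.arpa"

def ipv6_reverse_zone(prefix: str) -> str:
    """Zone name for an IPv6 prefix such as '2002:f461:25b7::/48': expand the
    address to 32 hex nibbles, keep the prefix nibbles, reverse them, and
    append 'ip6.arpa'. ip6.arpa is delegated per nibble, so the prefix
    length must be a multiple of 4."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones need a prefix length divisible by 4")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"

def ipv6_ptr_name(address: str) -> str:
    """Owner name of the PTR record for a full IPv6 host address (all 32 nibbles)."""
    nibbles = ipaddress.IPv6Address(address).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"

def ptr_belongs_to_zone(ptr_name: str, zone_name: str) -> bool:
    """True when the PTR owner name sits inside the given reverse zone,
    i.e. the zone name is a label-aligned suffix of the PTR name."""
    return ptr_name == zone_name or ptr_name.endswith("." + zone_name)

def matches_stdlib(address: str) -> bool:
    """Cross-check: the hand-built PTR name must equal the stdlib's reverse_pointer."""
    ip = ipaddress.ip_address(address)
    mine = ipv4_ptr_name(address) if ip.version == 4 else ipv6_ptr_name(address)
    return mine == ip.reverse_pointer

if __name__ == "__main__":
    # Constructed sample values: the lesson's 172.16.1 network and a made-up host.
    zone, ptr = ipv4_reverse_zone("172.16.1"), ipv4_ptr_name("172.16.1.10")
    print(zone, ptr, ptr_belongs_to_zone(ptr, zone), matches_stdlib("172.16.1.10"))
    print(ipv6_reverse_zone("2002:f461:25b7::/48"), ipv6_ptr_name("2002:f461:25b7::1"))
```

`ptr_belongs_to_zone` is the check a reverse zone effectively performs when a PTR record is added: a host whose address lies outside the zone's network ID has no place in that zone.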

Let’s take a quick look at a DNS server that we already built that has some real zones in it.

Next we’ll come into DNS.

Notice I have a Forward Lookup Zone called USSHQ.local. It’s already been populated with records.

We have another lesson that explains what all these different record types are and how we go about creating them manually, or how we dynamically can populate it.

Next we’ll come down to the Reverse Lookup Zone. There we have our Reverse Lookup Zone.

Again, this is what a reverse lookup record would look like. If we had a reverse lookup for IPv6, you’d see the IPv6 address in here.

Here we have the IP address, and it maps to this user‑friendly name.

Back in the Forward Lookup Zone, we have the user‑friendly name mapping to an IP address.

We’ve looked at the different zone types in DNS and why they’re so important to you in your environment.

Until next time….

Rick Trader
CompTIA Network + Instructor – Interface Technical Training
Phoenix, AZ

Video Certification Training: CompTIA Network +
