IST 164 CH3
Configuring Advanced DNS
Term | Definition |
---|---|
Zone Delegation | The transfer of authority for a subdomain to a new zone, which can be on the same server as the parent zone or another server. |
Stale Resource Record | A DNS record that is no longer valid, either because the resource is offline for an extended period or permanently, or because the resource's name or address has changed. |
Scavenging | The process whereby the DNS server periodically checks the zone file for stale records and deletes those meeting the criteria for a stale record. |
Stub Zone | A DNS zone containing a read-only copy of only the zone's SOA and NS records and the necessary A records to resolve NS records. A stub zone forwards queries to a primary DNS server for that zone and is not authoritative for the zone. |
Zone Replication | The transfer of zone changes from the DNS server to another. |
Zone Replication Scope | A scope that determines which Active Directory partition the zone is stored in and which DCs the zone information is replicated to. |
Active Directory Partition | A special file that Active Directory uses to store domain information. |
Unknown Record Support | A new feature of DNS in Windows Server 2016 that allows the DNS server to store and serve resource records of a type unknown to it. |
DNS Policy | A new feature in Windows Server 2016 that allows you to manage DNS traffic, filter queries, and load balance your applications based on a number of criteria. |
Query Resolution Policy | A DNS policy that specifies how DNS queries are handled by the DNS server. |
Zone Transfer Policy | A DNS policy that specifies whether a zone transfer is allowed. For example, you can allow or deny zone transfers to particular subnets. |
Client Subnet | A named subnet that has a value in the format a.b.c.d/y, for example 192.168.0.0/24. |
Zone Scope | A subset of a zone where a zone can contain multiple zone scopes and each zone scope has its own set of resource records. |
Recursion Scope | A scope that defines which queries will use DNS recursion. |
DNS Recursion Scope | A DNS feature that allows you to specify which DNS queries will use recursion and which will not. |
Domain Name System Security Extension (DNSSEC) | A suite of features and protocols for validating DNS server responses. |
Zone Signing | A DNSSEC feature that uses digital signatures contained in DNSSEC-related resource records to verify DNS responses. See also Domain Name System Security Extension (DNSSEC) |
DNSKEY | The public key for the zone that DNS resolvers use to verify the digital signature in Resource Record Signature (RRSIG) records. |
Resource Record Signature (RRSIG) | A key containing the signature for a single resource record, such as an A or MX record. |
Next Secure (NSEC) | A DNSSEC record returned when the requested resource record does not exist. See also Domain Name System Security Extension (DNSSEC). |
Next Secure 3 (NSEC3) | An alternative to NSEC records. NSEC3 can prevent zone walking, a technique of repeating NSEC queries to enumerate all the names in a zone. See also Next Secure (NSEC). |
Next Secure 3 (NSEC3) Parameter | DNSSEC records used to determine which NSEC3 records should be included in responses to queries for nonexistent records. See also Next Secure 3 (NSEC3). |
Delegation Signer (DS) | A DNSSEC record that holds the name of a delegated zone and is used to verify delegated child zones. See also Domain Name System Security Extension (DNSSEC). |
Key-Signing Key (KSK) | A DNSSEC key that has a private and public key associated with it. The private key is used to sign all DNSKEY records and the public key is used as a trust anchor for validating DNS responses. See also Domain Name System Security Extension (DNSSEC). |
Trust Anchor | A DNSKEY that is usually for a zone but can also be a DS key for a delegated zone. Public keys are used as trust anchors for validating DNS responses. |
Zone-Signing Key (ZSK) | A public and private key combination stored in a certificate used to sign the zone. |
DNS socket pool | A pool of port numbers used by a DNS server for DNS queries to protect against DNS cache poisoning. See also DNS cache poisoning. |
DNS cache poisoning | An attack on DNS servers in which false data is introduced into the DNS server cache, causing the server to return incorrect IP addresses. |
DNS cache locking | A DNS security feature that allows you to control whether data in the DNS cache can be overwritten. |
Response Rate Limiting (RRL) | A new DNS Server role feature in Windows Server 2016 that mitigates a type of distributed denial of service (DDoS) attack called a DNS amplification attack. |
DNS amplification attack | A type of DDoS attack that uses public DNS servers to overwhelm a target with DNS responses by sending DNS queries with spoofed IP addresses. |
DNS-based Authentication of Named Entities (DANE) | A new feature in Windows Server 2016 that is used to provide information about the certification authority (CA) used by your domain when a client is requesting DNS information for your domain. |
Zone-Level Statistics | A feature in Windows Server 2016 that provides detailed statistics for each zone to show how a DNS server is used. |