Build a private DNS root

In my ongoing experiments to better understand Windows 2000's (Win2K's) DNS server service, I sometimes need a small intranet that is completely disconnected from the Internet. Building such an intranet is a simple task. In fact, you've probably assigned 10.x.x.x addresses to PCs on an unconnected Ethernet segment to test TCP/IP. You might have set up a DHCP, DNS, and WINS server, and perhaps you installed two NICs on one of the PCs to create a two-segment intranet. Maybe you even configured a DHCP forwarding agent. But one step that you probably skipped—an essential step in building a completely self-sufficient intranet—is creating a private root.

A root is the highest domain in the DNS namespace or name hierarchy. (For specific information about DNS, see "Related Articles in Windows NT Magazine," page 162.) Consider the domain asia.acme.com. This domain is a subdomain of the domain acme.com. You're probably familiar with this concept, but you might not realize that acme.com is a subdomain of the domain called com. Moreover, com is a subdomain of the DNS namespace's root, . (yes, that's a period). An Internet host's complete name ends with a period. For example, my computer's Fully Qualified Domain Name (FQDN) is pc400.minasi.com. (with the period), rather than pc400.minasi.com (without the period).

Roots are important because when a client asks a DNS server to resolve a name outside the server's domain, the DNS server must search the DNS hierarchy to determine which servers are responsible for the requested domain. For example, if a user in acme.com points his or her Web browser to www.microsoft.com, the local acme.com DNS server doesn't know where the www machine exists in the microsoft.com domain. Nor does the server know where to find the microsoft.com domain. Although the acme.com DNS server knows that the microsoft.com DNS server could reveal www's IP address in Microsoft's domain, the acme.com server doesn't know the microsoft.com server's IP address. The machine that does know the microsoft.com server's IP address is the com DNS server, and the machine that knows that server's IP address is the root domain's DNS server (i.e., . ). So, the acme.com DNS server goes to the top of the hierarchy and asks the DNS root server, "What's the com domain's IP address?" After the server obtains the address, the server queries the com domain's DNS server for the IP address of microsoft.com's DNS server. Finally, the acme.com server queries microsoft.com's DNS server to obtain www.microsoft.com's IP address.

Thus, to obtain a DNS server's name, you query the DNS server above it in the hierarchy. But you might wonder how to obtain the top server's (i.e., the root server's) IP address. Because no server exists to query, Win2K and NT's DNS servers have built-in knowledge of 13 root DNS servers. Win2K and NT's Setup procedures give these DNS servers' names to the OS's DNS server, via the root's hints file named cache.dns.
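The walk just described (hints file, root, com, microsoft.com) as an added example, not code from the article: a toy iterative resolver over a constructed set of servers, run once against Internet-style hints and once against a private root at 10.10.10.10 so you can see why a disconnected intranet needs its own root. Only the a.root-servers.net address is from the article; every other name and address (a.gtld.example, ns.ms.example, the 192.0.2.x and 10.x hosts) is a placeholder.

```python
# Added example, not from the article: a toy iterative resolver that walks the
# delegation chain described above (hints -> root -> com -> microsoft.com).
# All server data is constructed; 192.0.2.x and 10.x addresses are placeholders.

# Each "server" is keyed by its IP and holds only the records it knows:
# NS maps a zone to the host that serves it, A maps a host to its address.
INTERNET = {
    "198.41.0.4": {"NS": {"com": "a.gtld.example."},           # a.root-servers.net
                   "A": {"a.gtld.example.": "192.0.2.10"}},
    "192.0.2.10": {"NS": {"microsoft.com": "ns.ms.example."},  # constructed com server
                   "A": {"ns.ms.example.": "192.0.2.20"}},
    "192.0.2.20": {"NS": {}, "A": {"www.microsoft.com.": "192.0.2.30"}},  # microsoft.com
}
INTERNET_HINTS = {"a.root-servers.net.": "198.41.0.4"}  # what cache.dns supplies

# A disconnected intranet with its own root at 10.10.10.10 (a.root.net).
PRIVATE = {
    "10.10.10.10": {"NS": {"acme.com": "dns1.acme.com."},
                    "A": {"dns1.acme.com.": "10.10.10.20"}},
    "10.10.10.20": {"NS": {}, "A": {"www.acme.com.": "10.10.10.30"}},
}
PRIVATE_HINTS = {"a.root.net.": "10.10.10.10"}


def resolve(qname, hints, servers, max_hops=8):
    """Return (ip, path): the answer and the servers consulted, or (None, path)."""
    qname = qname.rstrip(".").lower() + "."
    labels = qname.rstrip(".").split(".")
    path = []
    server_ip = next(iter(hints.values()))  # start at a root from the hints file
    for _ in range(max_hops):
        path.append(server_ip)
        srv = servers.get(server_ip)
        if srv is None:  # hint points at a machine that does not answer
            return None, path
        if qname in srv["A"]:
            return srv["A"][qname], path
        # Otherwise follow the longest delegation this server knows about.
        for i in range(len(labels)):
            zone = ".".join(labels[i:])
            if zone in srv["NS"]:
                glue = srv["A"].get(srv["NS"][zone])
                if glue is None:  # an NS record without an A record is useless
                    return None, path
                server_ip = glue
                break
        else:  # no delegation matches: this hierarchy does not know the name
            return None, path
    return None, path
```

With the private hints, www.microsoft.com stops at the private root because that root knows no com delegation, which is exactly the isolation you want on an unconnected intranet.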

You can modify the root's hints file to redefine the machine at the top of the DNS hierarchy. This process is easiest if you first configure your DNS server to boot from a boot file rather than from the Registry. In NT 4.0, open a Registry editor, go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\BootMethod Registry entry, and change the value from 2 (the default) to 1. According to the Microsoft article "Microsoft DNS Server Registry Parameters, Part 1 of 3" (http://support.microsoft.com/support/kb/articles/q198/4/08.asp), you need to use Service Pack 4 (SP4) or later for this change to work. In Win2K, open the DNS snap-in, right-click the name of the server you're working with, and select Properties. Click the Advanced tab, and select Boot from file. Finally, stop the DNS service.

Look in the \winnt\system32\dns directory for a file named boot, which is a simple ASCII file that you can use Notepad to view. An example boot file looks like

cache . cache.dns
primary acme.com acme.com.dns

The second line of the boot file tells the DNS server which DNS zones it acts as primary or secondary DNS server for. In the case of a primary DNS server, this line has three parts: the word primary, which tells the DNS server that it's the primary authoritative DNS server for a zone; the name of the zone over which the server has authority; and the name of the zone file, which contains all the DNS records for that zone. In my example, the DNS server is the primary DNS server for the zone acme.com, and the \winnt\system32\dns directory contains a file named acme.com.dns that contains the DNS records for the zone.

The first line of the boot file can contain preloaded name-resolution information for any domain. The most common domain you need information about is the root's. Specifically, you need hints for the root domain's name servers. As I discussed previously, DNS servers store the root's hints in a file named cache.dns, and the DNS convention for designating a root is a period. Thus, the cache record in my example points to the root's hints file.

You can put various hints files on your DNS server. Suppose you access Microsoft's Web site frequently and you don't want to wait while your DNS servers search for Microsoft's DNS servers' IP addresses. To store on your DNS server a file (e.g., microsoft.cache) that lists all Microsoft's DNS servers, you need to add the following line to the boot file:

cache microsoft.com microsoft.cache

A cache file consists of name server (NS) and host name (A) records, as the following fragment shows:

@ NS a.root-servers.net.
a.root-servers.net A 198.41.0.4

The first line of the cache file is an NS record: it states that a DNS server named a.root-servers.net serves the root domain (the @). Of course, this information is useless without that server's IP address. Thus, the second line of the cache file is an A record that tells you that a.root-servers.net's IP address is 198.41.0.4.

To configure DNS servers that aren't attached to the Internet, you need to configure one of the servers as the root, with the other DNS servers looking to that server as their root. Suppose your root is at address 10.10.10.10, and the machine's name is a.root.net. (You can name the machine anything you want because your DNS namespace is disconnected from the Internet.) The cache file for all your DNS servers (except the root server) would look like

@ NS a.root.net
a.root.net A 10.10.10.10

To configure the root server, you need to alter the boot file to read

primary . root.dns

This statement simply says that the DNS server is the primary DNS server for the root domain and that the file root.dns contains the root's zone files.

Here's an example root zone file:

@ IN SOA a.root.net. joe.acme.com (1 900 600 86400 3600)
@ NS a.root.net.
a.root.net A 10.10.10.10

The first line is a Start of Authority Resource Record (SOA RR). This record names the primary DNS server for the zone, the email address of the technical contact for the zone (replacing @ with a period), and configuration values for secondary and external servers. The values I used in the example work for almost every zone. The second line in the root zone file states that an NS record exists. This record declares that a machine named a.root.net serves the zone. The last line tells you that a.root.net's IP address is 10.10.10.10.

So, to build a private DNS root, you need to use one DNS server to define the root domain, then build a root zone file with at least an SOA, NS, and A record. The root server doesn't need a cache record in its boot file. Other DNS servers recognize the root as a root because you include a cache record for the root in the servers' boot files and because you give the servers the root's hints file that contains an NS record and an A record that point to the root machine.
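The three files described above (the root server's boot file and root zone file, and the hints file that every other server loads), generated from one root name and address, as an added example that is not the article's own code. The file layouts follow the fragments quoted in the article; the contact address and file names are constructed. The final function checks a hints or zone file for the failure the article warns about: an NS record whose target has no A record, which a server cannot follow.

```python
# Added example, not from the article: generate the boot file, root hints file
# and root zone file for a private root, then check the hints for glue.
# File layouts follow the fragments quoted in the article; all names are constructed.

SOA_TIMERS = "900 600 86400 3600"  # refresh, retry, expire, minimum (article's values)


def fqdn(name):
    """Make a name absolute: 'a.root.net' -> 'a.root.net.'"""
    return name.rstrip(".") + "."


def root_zone_file(root_host, root_ip, contact_email, serial=1):
    """SOA + NS + A, the minimum the article says a root zone needs."""
    mailbox = fqdn(contact_email.replace("@", "."))  # joe@acme.com -> joe.acme.com.
    return "\n".join([
        f"@ IN SOA {fqdn(root_host)} {mailbox} ({serial} {SOA_TIMERS})",
        f"@ NS {fqdn(root_host)}",
        f"{fqdn(root_host)} A {root_ip}",
    ]) + "\n"


def hints_file(root_host, root_ip):
    """cache.dns for every non-root server: NS for '.' plus its A (glue) record."""
    return f"@ NS {fqdn(root_host)}\n{fqdn(root_host)} A {root_ip}\n"


def boot_file(zones, hints="cache.dns"):
    """zones maps zone name -> zone file; pass hints=None on the root server."""
    lines = [f"cache . {hints}"] if hints else []
    lines += [f"primary {zone} {filename}" for zone, filename in zones.items()]
    return "\n".join(lines) + "\n"


def check_hints(text):
    """List NS targets that lack an A record: such a hint cannot be followed."""
    ns_targets, a_names = [], set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(";"):
            continue  # blank or comment line
        name, rtype, rdata = fields[0], fields[-2].upper(), fields[-1]
        if rtype == "NS":
            ns_targets.append(fqdn(rdata).lower())
        elif rtype == "A":
            a_names.add(fqdn(name).lower())
    return [f"NS target {t} has no A record" for t in ns_targets if t not in a_names]
```

Call boot_file({".": "root.dns"}, hints=None) for the root server and boot_file({"acme.com": "acme.com.dns"}) for the others, and run check_hints over the generated cache.dns before copying it to each server.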