
Domain Name System (DNS) is one of the industry-standard suite of protocols that comprise TCP/IP, and together the DNS Client and DNS Server provide computer name-to-IP address mapping name resolution services to computers and users.

Note

In addition to this topic, the following DNS content is available.

• What's New in DNS Client
• What's New in DNS Server

In Windows Server 2016, DNS is a server role that you can install by using Server Manager or Windows PowerShell commands. If you are installing a new Active Directory forest and domain, the DNS Server role is installed automatically together with AD DS on that first domain controller, which also becomes the forest's first global catalog server.

Active Directory Domain Services (AD DS) uses DNS as its domain controller location mechanism.
When any of the principal Active Directory operations is performed, such as authentication,
updating, or searching, computers use DNS to locate Active Directory domain controllers. In
addition, domain controllers use DNS to locate each other.

The DNS Client service is included in all client and server versions of the Windows operating system, and runs by default after operating system installation. When you configure a TCP/IP network connection with the IP address of a DNS server, the DNS Client queries that server to discover domain controllers and to resolve computer names to IP addresses. For example, when a network user with an Active Directory user account logs on to an Active Directory domain, the DNS Client service queries the DNS server (for the domain's SRV records under _msdcs) to locate a domain controller for the domain. When the DNS server responds with the domain controller's IP address, the client contacts the domain controller and the authentication process can begin. Because the locator trusts these answers, whoever controls the responses for those records decides which server a client authenticates to; protecting the DNS zone (secure dynamic updates, restricted zone transfers) is therefore part of protecting the directory.
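The lookups described above can be reproduced from any domain member. The following script is an added example (not code from the Microsoft page); the domain name corp.example.com and the optional site name are assumed, and the cmdlets are the standard DnsClient module ones shipped with Windows 8 / Windows Server 2012 and later.

```powershell
# Added example: replay the DC-location queries the DNS Client performs.
# Domain and site are assumed values; replace them with your own.
param(
    [string]$Domain = 'corp.example.com',   # assumed AD DNS domain
    [string]$Site   = $null                 # optional AD site name
)

# Domain controllers register SRV records under _msdcs.<domain>.
# A site-specific name is tried first when a site is given.
$names = @()
if ($Site) { $names += "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" }
$names += "_ldap._tcp.dc._msdcs.$Domain"

foreach ($srvName in $names) {
    # -DnsOnly skips LLMNR/NetBIOS so the answer really came from DNS.
    $srv = Resolve-DnsName -Name $srvName -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) { Write-Warning "No SRV records for $srvName"; continue }

    # Lower Priority is preferred; higher Weight is favoured among equal priorities.
    $srv | Sort-Object Priority, @{Expression = 'Weight'; Descending = $true} | ForEach-Object {
        $ip = (Resolve-DnsName -Name $_.NameTarget -Type A -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
        [pscustomobject]@{
            Query    = $srvName
            DC       = $_.NameTarget
            Port     = $_.Port
            Priority = $_.Priority
            Weight   = $_.Weight
            IPv4     = $ip
        }
    }
    break   # stop at the first name that produced an answer
}

# Cross-check against the Netlogon locator, which consumes the same records:
#   nltest /dsgetdc:corp.example.com
```

If the DC names or addresses returned here differ from what `nltest /dsgetdc:` reports, or from the domain controllers you expect, the zone (or the resolver path to it) deserves a closer look before trusting any logon that went through it.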

The Windows Server 2016 DNS Server and DNS Client services use the DNS protocol that is
included in the TCP/IP protocol suite. DNS is part of the application layer of the TCP/IP reference
model, as shown in the following illustration.

What's New in DNS Client in Windows Server 2016
Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016


This topic describes the Domain Name System (DNS) client functionality that is new or changed in
Windows 10 and Windows Server 2016 and later versions of these operating systems.

Updates to DNS Client


DNS Client service binding: In Windows 10, the DNS Client service offers enhanced support for computers with more than one network interface. For multi-homed computers, DNS resolution is optimized in the following ways:

• When a DNS server that is configured on a specific interface is used to resolve a DNS query, the DNS Client service binds to that interface before sending the query. Binding to the interface means the query leaves through the interface on which that server was configured, rather than through whichever interface the routing table would otherwise select, so name resolution and the application's subsequent traffic use the same network path.

• If the DNS server that is used is designated by a Group Policy setting from the Name Resolution Policy Table (NRPT), the DNS Client service does not bind to a specific interface.

Note

Changes to the DNS Client service in Windows 10 are also present in computers running Windows
Server 2016 and later versions.
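On a multi-homed host (for example a laptop on both a VPN and a LAN) the practical question is which servers a given name will be sent to, and whether that choice came from the NRPT or from an interface. The following function is an added example, not code from the Microsoft page; the two names it is called with are assumed, and it relies on the Namespace and NameServers properties that Get-DnsClientNrptPolicy reports.

```powershell
# Added example: report where a name will be resolved on a multi-homed
# Windows 10 / Server 2016 host. NRPT rules take precedence over the
# per-interface server list and are not bound to an interface.
function Get-DnsResolutionPath {
    param([Parameter(Mandatory)][string]$Name)

    $fqdn = $Name.TrimEnd('.').ToLowerInvariant()

    # Effective NRPT (local entries plus Group Policy). A Namespace such as
    # ".corp.example.com" is a suffix rule; "host.example.com" is an exact rule.
    $match = Get-DnsClientNrptPolicy -Effective -ErrorAction SilentlyContinue |
        Where-Object { $_.Namespace } |
        Where-Object {
            $ns = $_.Namespace.ToLowerInvariant()
            if ($ns.StartsWith('.')) {
                $fqdn.EndsWith($ns) -or ($fqdn -eq $ns.TrimStart('.'))
            } else {
                $fqdn -eq $ns
            }
        } |
        Sort-Object { $_.Namespace.Length } -Descending |
        Select-Object -First 1          # longest matching namespace wins

    if ($match) {
        return [pscustomobject]@{
            Name      = $fqdn
            Source    = "NRPT ($($match.Namespace))"
            Servers   = ($match.NameServers -join ', ')
            Interface = '(not bound to an interface)'
        }
    }

    # No NRPT rule: the query goes to the servers of a configured interface,
    # and the client binds to that interface when it sends it.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            [pscustomobject]@{
                Name      = $fqdn
                Source    = 'Interface'
                Servers   = ($_.ServerAddresses -join ', ')
                Interface = $_.InterfaceAlias
            }
        }
}

Get-DnsResolutionPath -Name 'intranet.corp.example.com'   # assumed internal name
Get-DnsResolutionPath -Name 'www.example.com'             # assumed public name
```

An NRPT entry that points a namespace at unexpected servers is worth treating as a finding: it silently redirects every query for that suffix regardless of which interface is up, which is exactly what a malicious local policy or a tampered Group Policy would do.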

What's New in DNS Server in Windows Server

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016

This topic describes the Domain Name System (DNS) server functionality that is new or changed in
Windows Server 2016.

In Windows Server 2016, DNS Server offers enhanced support in the following areas.

• DNS Policies (new). You can configure DNS policies to specify how a DNS server responds to DNS queries. Responses can be based on client IP address (location), time of day, and several other parameters. DNS policies enable location-aware DNS, traffic management, load balancing, split-brain DNS, and other scenarios.

• Response Rate Limiting (RRL) (new). You can enable response rate limiting on your DNS servers. This limits how far malicious systems can use your DNS servers as reflectors in a denial-of-service attack against a DNS client whose address they spoof as the source of their queries.

• DNS-based Authentication of Named Entities (DANE) (new). You can use TLSA (Transport Layer Security Authentication) records to tell DNS clients which CA, or which certificate, to expect for a name in your domain. This defends against an attacker who poisons a DNS cache to point clients at their own site and presents a certificate issued by a different CA. TLSA records only provide this protection when the zone is DNSSEC-signed and the client validates the signatures; an unsigned TLSA answer can be spoofed just as easily as the A record it is meant to protect.

• Unknown record support (new). You can add records of types that the Windows DNS server does not explicitly support, using the unknown record functionality.

• IPv6 root hints (new). You can use the native IPv6 root hints support to perform Internet name resolution using the IPv6 root servers.

• Windows PowerShell support (improved). New Windows PowerShell cmdlets are available for DNS Server.
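As an added example of the DANE item above (not code from the Microsoft page), the following script publishes a TLSA record for an assumed host www.example.com in an assumed zone example.com, pinning the server's own certificate (usage 3 DomainIssuedCertificate, selector 0 FullCertificate, matching type 1 SHA-256), and then checks whether the zone is actually signed. The certificate file path is assumed.

```powershell
# Added example: publish a TLSA record on a Windows Server 2016 DNS server
# and confirm the zone is DNSSEC-signed. Zone, host and cert path are assumed.
$zone     = 'example.com'            # assumed zone hosted on this server
$certPath = 'C:\certs\www.cer'       # assumed DER or PEM export of the server cert

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# With selector FullCertificate the association data is SHA-256 over the
# DER-encoded certificate, expressed as hex.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$hash   = ($sha256.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('x2') }) -join ''

# TLSA owner name is _<port>._<proto>.<host>; here it is relative to the zone.
Add-DnsServerResourceRecord -ZoneName $zone -TLSA -Name '_443._tcp.www' `
    -CertificateUsage DomainIssuedCertificate `
    -Selector FullCertificate `
    -MatchingType Sha256Hash `
    -CertificateAssociationData $hash

# Show what was stored.
Get-DnsServerResourceRecord -ZoneName $zone -Name '_443._tcp.www'

# The record is only meaningful to validating clients if the zone is signed;
# an unsigned TLSA answer can be forged along with the A record.
$z = Get-DnsServerZone -Name $zone
if (-not $z.IsSigned) {
    Write-Warning "Zone $zone is not DNSSEC-signed; the TLSA record gives clients no assurance."
}
$z | Select-Object ZoneName, IsSigned
```

When the certificate is renewed the hash changes, so the TLSA record must be updated (or a second record for the new certificate published ahead of the rollover) or validating clients will reject the new certificate.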

DNS Policies
You can use DNS Policy for Geo-Location based traffic management, intelligent DNS responses
based on the time of day, to manage a single DNS server configured for split-brain deployment,
applying filters on DNS queries, and more. The following items provide more detail about these
capabilities.

• Application Load Balancing. When you have deployed multiple instances of an application
at different locations, you can use DNS policy to balance the traffic load between the different
application instances, dynamically allocating the traffic load for the application.
• Geo-Location Based Traffic Management. You can use DNS Policy to allow primary and
secondary DNS servers to respond to DNS client queries based on the geographical location
of both the client and the resource to which the client is attempting to connect, providing the
client with the IP address of the closest resource.
• Split Brain DNS. With split-brain DNS, DNS records are split into different Zone Scopes on
the same DNS server, and DNS clients receive a response based on whether the clients are
internal or external clients. You can configure split-brain DNS for Active Directory integrated
zones or for zones on standalone DNS servers.
• Filtering. You can configure DNS policy to create query filters that are based on criteria that
you supply. Query filters in DNS policy allow you to configure the DNS server to respond in a
custom manner based on the DNS query and DNS client that sends the DNS query.
• Forensics. You can use DNS policy to redirect malicious DNS clients to a non-existent IP
address instead of directing them to the computer they are trying to reach.
• Time of day based redirection. You can use DNS policy to distribute application traffic
across different geographically distributed instances of an application by using DNS policies
that are based on the time of day.

You can also use DNS policies for Active Directory integrated DNS zones.

For more information, see the DNS Policy Scenario Guide.
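The split-brain, filtering and forensics scenarios above map onto a handful of DnsServer cmdlets. The script below is an added example and not taken from the Microsoft page or the DNS Policy Scenario Guide; the zone example.com, the subnets (RFC 5737 test ranges and 10.0.0.0/8), the record addresses and the scope and policy names are all assumed.

```powershell
# Added example: split-brain, query filtering and a sinkhole scope on one
# Windows Server 2016 DNS server. All names and addresses are assumed.
$zone = 'example.com'

# 1. Client subnets give the policies something to match on.
Add-DnsServerClientSubnet -Name 'InternalNet' -IPv4Subnet '10.0.0.0/8'
Add-DnsServerClientSubnet -Name 'Blocked'     -IPv4Subnet '203.0.113.0/24'   # assumed abusive range
Add-DnsServerClientSubnet -Name 'Suspect'     -IPv4Subnet '198.51.100.0/24'  # assumed range to sinkhole

# 2. Split-brain: the default scope keeps the public answer; an extra scope
#    holds the internal one for the same name.
Add-DnsServerZoneScope -ZoneName $zone -Name 'Internal'
Add-DnsServerResourceRecord -ZoneName $zone -A -Name 'www' -IPv4Address '192.0.2.10'
Add-DnsServerResourceRecord -ZoneName $zone -A -Name 'www' -IPv4Address '10.1.2.3' -ZoneScope 'Internal'

Add-DnsServerQueryResolutionPolicy -Name 'SplitBrainInternal' -Action ALLOW `
    -ClientSubnet 'EQ,InternalNet' -ZoneScope 'Internal,1' -ZoneName $zone

# 3. Filtering: a server-level policy, so it applies to every zone.
#    IGNORE sends no response at all; DENY would return SERVFAIL.
Add-DnsServerQueryResolutionPolicy -Name 'DropBlocked' -Action IGNORE `
    -ClientSubnet 'EQ,Blocked'

# 4. Forensics: answer suspect clients from a sinkhole scope whose records
#    point at an address you control (or at nothing), not the real host.
Add-DnsServerZoneScope -ZoneName $zone -Name 'Sinkhole'
Add-DnsServerResourceRecord -ZoneName $zone -A -Name 'www' -IPv4Address '192.0.2.1' -ZoneScope 'Sinkhole'

Add-DnsServerQueryResolutionPolicy -Name 'SinkholeSuspect' -Action ALLOW `
    -ClientSubnet 'EQ,Suspect' -ZoneScope 'Sinkhole,1' -ZoneName $zone

# 5. Time-of-day steering: between 22:00 and 06:00 send all clients to the
#    internal instance (illustrative; any scope with a record for www works).
Add-DnsServerQueryResolutionPolicy -Name 'NightWindow' -Action ALLOW `
    -TimeOfDay 'EQ,22:00-06:00' -ZoneScope 'Internal,1' -ZoneName $zone

# 6. Policies are evaluated in ProcessingOrder and the first match wins,
#    so review the order at both levels after adding rules.
Get-DnsServerQueryResolutionPolicy -ZoneName $zone | Select-Object Name, ProcessingOrder, Action
Get-DnsServerQueryResolutionPolicy                 | Select-Object Name, ProcessingOrder, Action
```

Test the result from a client in each subnet with `Resolve-DnsName www.example.com -Server <this server>`: internal clients should see 10.1.2.3, suspect clients 192.0.2.1, blocked clients a timeout, and everyone else the public address.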

Response Rate Limiting


You can configure RRL settings to control how the server responds when it receives many requests that would produce the same answer for the same apparent client. By doing this, you prevent an attacker from using your DNS servers in a denial-of-service (DoS) attack against a third party. For instance, a botnet can send queries to your DNS server with the source IP address spoofed to that of a third computer. Without RRL, your DNS servers would answer every query, flooding the third computer with responses that are typically much larger than the queries that triggered them (amplification). With RRL, you can configure the following settings:

• Responses per second. This is the maximum number of times the same response will be
given to a client within one second.
• Errors per second. This is the maximum number of times an error response will be sent to the
same client within one second.
• Window. This is the number of seconds for which responses to a client will be suspended if
too many requests are made.
• Leak rate. This is how frequently the DNS server will respond to a query during the time
responses are suspended. For instance, if the server suspends responses to a client for 10
seconds, and the leak rate is 5, the server will still respond to one query for every 5 queries
sent. This allows the legitimate clients to get responses even when the DNS server is applying
response rate limiting on their subnet or FQDN.
• TC rate. This is used to tell the client to try connecting with TCP when responses to the client
are suspended. For instance, if the TC rate is 3, and the server suspends responses to a given
client, the server will issue a request for TCP connection for every 3 queries received. Make
sure the value for TC rate is lower than the leak rate, to give the client the option to connect
via TCP before leaking responses.
• Maximum responses. This is the maximum number of responses the server will issue to a
client while responses are suspended.
• White list domains. This is a list of domains to be excluded from RRL settings.
• White list subnets. This is a list of subnets to be excluded from RRL settings.
• White list server interfaces. This is a list of DNS server interfaces to be excluded from RRL
settings.
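The settings above correspond one-to-one to parameters of Set-DnsServerResponseRateLimiting, and the three white lists to Add-DnsServerResponseRateLimitingExceptionlist. The script below is an added example, not code from the Microsoft page; the numeric values, the zone name, the internal subnet and the interface address are assumed, and the exception list is assumed to accept client subnet names defined with Add-DnsServerClientSubnet, as DNS policies do.

```powershell
# Added example: roll out RRL in stages on a Windows Server 2016 DNS server.
# All values are assumed; tune them against your own query logs.

# Stage 1: LogOnly runs the algorithm and logs what it would have dropped
# without changing a single answer, so you can size the limits safely.
Set-DnsServerResponseRateLimiting -Mode LogOnly `
    -ResponsesPerSec 5 -ErrorsPerSec 5 -WindowInSec 5 `
    -LeakRate 3 -TruncateRate 2 -MaxResponsesPerWindow 1024 -Force

# Stage 2: exempt what must never be throttled.
Add-DnsServerClientSubnet -Name 'InternalNet' -IPv4Subnet '10.0.0.0/8'   # assumed

Add-DnsServerResponseRateLimitingExceptionlist -Name 'InternalClients' `
    -ClientSubnet 'EQ,InternalNet'                 # white list subnets

Add-DnsServerResponseRateLimitingExceptionlist -Name 'ZoneApex' `
    -Fqdn 'EQ,example.com'                         # white list domains (assumed zone)

Add-DnsServerResponseRateLimitingExceptionlist -Name 'LanInterface' `
    -ServerInterfaceIP 'EQ,10.0.0.53'              # white list server interfaces (assumed)

# Stage 3: enforce once the LogOnly events look reasonable.
Set-DnsServerResponseRateLimiting -Mode Enable -Force

# Check: TC rate must stay below the leak rate so a throttled client is told
# to retry over TCP before it is handed a leaked UDP answer.
$rrl = Get-DnsServerResponseRateLimiting
if ($rrl.TruncateRate -ge $rrl.LeakRate) {
    Write-Warning 'TruncateRate should be lower than LeakRate.'
}
$rrl | Select-Object Mode, ResponsesPerSec, ErrorsPerSec, WindowInSec,
                     LeakRate, TruncateRate, MaxResponsesPerWindow
Get-DnsServerResponseRateLimitingExceptionlist
```

Because TCP cannot be source-spoofed the way UDP can, the truncated (TC) responses cost an attacker far more than they cost a legitimate resolver, which is why the TC rate is the setting to favour over the leak rate when clients are being throttled.
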

An Introduction to DNS Terminology, Components, and Concepts

Posted February 18, 2014, by Justin Ellingwood

Introduction
DNS, or the Domain Name System, is often a very difficult part of learning how to configure websites and servers. Understanding how DNS works will help you diagnose problems with configuring access to your websites and will allow you to broaden your understanding of what's going on behind the scenes.

In this guide, we will discuss some fundamental DNS concepts that will help you hit the ground running with your DNS configuration. After tackling this guide, you should be ready to set up your domain name with DigitalOcean or set up your very own DNS server.

Before we jump into setting up your own servers to resolve your domain or setting up our domains in the control panel, let's go over some basic concepts about how all of this actually works.

Domain Terminology
We should start by defining our terms. While some of these topics are familiar from other contexts,
there are many terms used when talking about domain names and DNS that aren’t used too often
in other areas of computing.

Let’s start easy:

Domain Name System


The domain name system, more commonly known as "DNS", is the networking system in place that allows us to resolve human-friendly names to unique addresses.
