DNS & Name Resolution

DNS is the phonebook every other Windows Server service depends on. Nine stops, one foundation block of the WSA Lego kit.

What you'll learn

  • Hierarchy & zones — forward, reverse, primary, secondary
  • AD-Integrated zones ★ — multi-master replicated via AD
  • Record types — A, AAAA, CNAME, MX, PTR, SRV
  • Forwarding — conditional + global
  • Dynamic updates & scavenging — DDNS + stale-record cleanup
Where this fits: Block #8 — name resolution. Maps to CTS1328C Objective #1. AZ-800 domain: Hybrid networking (15-20%). AD-Integrated zones (★) make DNS authoritative + replicated alongside the directory.
Module 08 — your journey 1Name Resolution 2Hierarchy 3Zone Types 4AD-Integrated ★ 5Forward/Reverse 6Record Types 7Forwarding 8Dynamic Updates 9Scavenging → next: M09 — DHCP

DNS Fundamentals

DNS (Domain Name System) translates human-readable names to IP addresses. The right-side diagram shows recursive resolution walking from your client all the way to the authoritative server.

Key Concepts

  • FQDN - Fully Qualified Domain Name (e.g., dc01.hexworth.local)
  • Zone - A portion of the DNS namespace managed by a server
  • Record - An entry mapping a name to data (IP, alias, mail server)
  • TTL - Time To Live, how long to cache a record
Recursive resolution: how a lookup walks the treeClient1Recursive DNS2Root .3TLD .com4Auth corp.comAAnswer ✓1. Query www.corp.com?2. Who handles .com?3. Who handles corp.com?4. What is www.corp.com?

DNS Hierarchy

DNS uses a tree structure with the root at the top:

                    . (Root)
                    │
        ┌───────────┼───────────┐
        │           │           │
       com         org         local
        │                       │
    google                  hexworth
        │                       │
      www                     dc01
                
DNS namespace is a tree, root on topRoot ..com.org.localmicrosoftcontosocorpacmewwwmaildc01apiFQDN reads right-to-left: www.contoso.com.host . subdomain . SLD . TLD . root

Domain Levels

Level Example Description
Root . (dot) Top of hierarchy, 13 root server clusters worldwide
TLD .com, .org, .local Top-Level Domain, managed by registries
Second-Level hexworth.local Your organization's domain
Subdomain dc01.hexworth.local Hosts and child domains
DNS namespace is a tree, root on topRoot ..com.org.localmicrosoftcontosocorpacmewwwmaildc01apiFQDN reads right-to-left: www.contoso.com.host . subdomain . SLD . TLD . root

DNS Zone Types

Primary Zone

  • Read/write copy of zone data
  • Only one primary per zone
  • Source for zone transfers
  • Can be AD-integrated

Secondary Zone

  • Read-only copy of zone data
  • Multiple secondaries allowed
  • Provides redundancy
  • Gets data via zone transfer

AD-Integrated Zones

Zone data lives in AD: multi-master, replicates with AD, secure dynamic updates. Default choice for AD environments.

Four ways to host a DNS zonePrimaryread-write mastercorp.com.dnsflat filewritable✓ updates here✗ single pointBest for: simplesmall orgSecondaryread-only mirrorcorp.com.dnscopy from primaryread-only✓ redundancy⚠ AXFR/IXFRBest for: HA withoutAD integrationAD-Integratedmulti-masterin AD databasereplicates with ADwritable on any DC✓ secure dynamic✓ ACL via ADBest for: AD DSdomainsStubjust NS recordsSOA + NS onlyno recordspointer only✓ tiny footprintdelegation onlyBest for: cross-zonerouting hints

Forward & Reverse Lookup

Forward Lookup Zone

Name → IP Address

Query: dc01.hexworth.local Answer: 192.168.1.10
  • Most common lookup type
  • Users and apps use this
  • Contains A, AAAA, CNAME records

Reverse Lookup Zone

IP Address → Name

Query: 10.1.168.192.in-addr.arpa Answer: dc01.hexworth.local
  • Used for logging, security
  • Email spam checking
  • Contains PTR records
Two directions: name to IP, IP to nameForward LookupA or AAAA recordwww.corp.localresolves to10.0.0.42Zone: corp.localwww IN A 10.0.0.42Reverse LookupPTR record10.0.0.42reverses towww.corp.localZone: 0.0.10.in-addr.arpa42 IN PTR www.corp.local

DNS Record Types

Each record maps a name (or address) to data. The right panel lists every common type with examples.

Type Example
A IPv4 dc01 → 192.168.1.10
AAAA IPv6 dc01 → 2001:db8::1
CNAME alias mail → exchange01.hexworth.local
MX Mail exchanger for domain hexworth.local → mail.hexworth.local (priority 10)
Common record types and what they storeAwww → 10.0.0.42IPv4AAAAwww → 2001:db8::1IPv6CNAMEstore → wwwaliasMXcorp → mail.corpmailSRV_ldap._tcp → dc01serviceTXT"v=spf1 -all"textPTR42 → www.corpreverseNScorp → dc01name srvSOAauthority datazoneCAAletsencrypt.orgcert authDNSKEYDNSSEC pubkeyDNSSECEach record has a TTL

DNS Record Types (cont.)

Type Purpose Example
PTR Reverse lookup (IP to name) 10.1.168.192 → dc01.hexworth.local
SRV Service location _ldap._tcp → dc01.hexworth.local:389
NS Name server for zone hexworth.local → dc01.hexworth.local
SOA Start of Authority (zone info) Serial, refresh, retry, expire, TTL
Active Directory Critical: SRV records are essential for AD. Clients use them to find domain controllers, LDAP servers, Kerberos, and Global Catalogs.
Common record types and what they storeAwww → 10.0.0.42IPv4AAAAwww → 2001:db8::1IPv6CNAMEstore → wwwaliasMXcorp → mail.corpmailSRV_ldap._tcp → dc01serviceTXT"v=spf1 -all"textPTR42 → www.corpreverseNScorp → dc01name srvSOAauthority datazoneCAAletsencrypt.orgcert authDNSKEYDNSSEC pubkeyDNSSECEach record has a TTL

SRV Records & Active Directory

AD uses SRV records for service discovery — clients query _service._protocol.domain, get host+port back.

# Key AD SRV records in _msdcs.hexworth.local _ldap._tcp.dc._msdcs → dc01:389 _kerberos._tcp.dc → dc01:88 _gc._tcp → dc01:3268 _kpasswd._tcp → dc01:464 # Format: _service._proto.name TTL class SRV priority weight port target
Troubleshoot: Can't find DC? Run nslookup -type=srv _ldap._tcp.dc._msdcs.hexworth.local.
SRV records: how clients find servicesWorkstationneeds to log onqueryPS> Resolve-DnsName _ldap._tcp.corp.local -Type SRVName Priority Weight Port Target_ldap._tcp.corp 0 100 389 dc01.corp.localDC01LDAP on 389Key AD SRV records:_ldap._tcpdomain controllers_kerberos._tcpauthentication_gc._tcpglobal catalog_kpasswd._tcppassword changeAD adds these automatically when DCs come onlineDelete them at your peril, no client can find AD

DNS Forwarding

Forwarders send queries upstream instead of using root hints.

Standard

  • ALL external queries
  • ISP or public DNS (8.8.8.8)
PS> Set-DnsServerForwarder -IPAddress "8.8.8.8","8.8.4.4"

Conditional

  • Specific domains only
  • Essential for AD trusts
PS> Add-DnsServerConditionalForwarderZone -Name "partner.com" -MasterServers "10.20.1.10"
Forwarder: send unknown queries upstreamClientgithub.com?Internal DNSauthoritative for corpnot authoritative for .comforward8.8.8.8Google publichandles .com .net etcTwo flavors:Conditional forwarderIf query is for partner.com → ask 10.20.0.5Useful for cross-org or merged AD forestsCatch-all forwarderIf nothing else matches → ask 8.8.8.8Avoids hitting root + TLD servers directly

Dynamic DNS Updates

Dynamic updates allow clients to automatically register their DNS records:

Setting Description When to Use
None No dynamic updates allowed Static-only environments
Nonsecure and Secure Any client can register Non-AD environments only
Secure Only Only authenticated clients Recommended for AD
Dynamic updates: clients register themselvesPC01got 10.0.0.78updateDNS Servercreates A recordcorp.local zonePC01 A 10.0.0.78TTL: 3600 Type: DHCPPC01got 10.0.0.92updateDNS Serveroverwrites A recordcorp.local zonePC01 A 10.0.0.92replaced 10.0.0.78Secure dynamic update (AD-integrated only):Kerberos-authenticated, only the original owner can modify the record

How It Works

  1. Client boots and gets IP from DHCP
  2. Client sends dynamic update to DNS server
  3. DNS server authenticates client (if secure)
  4. A record created/updated for client
  5. DHCP can also register PTR records

Lock down the zone so only authenticated AD clients can register records.

# Restrict dynamic updates to authenticated clients only PS C:\> Set-DnsServerPrimaryZone -Name "hexworth.local" -DynamicUpdate "Secure"
Dynamic updates: clients register themselvesPC01got 10.0.0.78updateDNS Servercreates A recordcorp.local zonePC01 A 10.0.0.78TTL: 3600 Type: DHCPPC01got 10.0.0.92updateDNS Serveroverwrites A recordcorp.local zonePC01 A 10.0.0.92replaced 10.0.0.78Secure dynamic update (AD-integrated only):Kerberos-authenticated, only the original owner can modify the record

DNS Troubleshooting

Three command-line tools cover most DNS triage. The right-side terminal walks through the typical sequence.

The triage triad

  • Resolve-DnsName — PowerShell-native query with object output
  • Resolve-DnsName -Server <ip> — force a specific resolver (bypass local)
  • Clear-DnsClientCache · ipconfig /flushdns — wipe the local cache when answers go stale
Order matters: flush cache → test against local DNS → test against external (8.8.8.8). If external works and local doesn't, the local server is the problem.
Test the resolver from the command linenslookup, Resolve-DnsName, ipconfigPS> Resolve-DnsName www.corp.local Name Type TTL Section IPAddress www.corp.local A 600 Answer 10.0.0.42PS> Resolve-DnsName -Server 8.8.8.8 microsoft.com bypass internal DNS, force a specific resolverPS> Clear-DnsClientCache wipe the local stub resolver cachePS> ipconfig /flushdns same idea, traditional commandPS> _

Essential Commands

Resolve a hostname to its IP address using the default DNS server.

# Look up the A record for a server by name PS C:\> nslookup dc01.hexworth.local
# Look up the mail exchanger records for the domain PS C:\> nslookup -type=mx hexworth.local
# PowerShell-native DNS query with typed output PS C:\> Resolve-DnsName -Name "dc01.hexworth.local" -Type A
Test the resolver from the command linenslookup, Resolve-DnsName, ipconfigPS> Resolve-DnsName www.corp.local Name Type TTL Section IPAddress www.corp.local A 600 Answer 10.0.0.42PS> Resolve-DnsName -Server 8.8.8.8 microsoft.com bypass internal DNS, force a specific resolverPS> Clear-DnsClientCache wipe the local stub resolver cachePS> ipconfig /flushdns same idea, traditional commandPS> _

Cache Management + Common Issues

Flush + inspect DNS caches.

PS> Clear-DnsClientCache # client PS> Clear-DnsServerCache # server PS> Get-DnsClientCache # inspect

Issues: stale records (enable scavenging) · missing SRV (nltest /dsregdns) · wrong DNS server · forwarder timeout.

Test the resolver from the command linenslookup, Resolve-DnsName, ipconfigPS> Resolve-DnsName www.corp.local Name Type TTL Section IPAddress www.corp.local A 600 Answer 10.0.0.42PS> Resolve-DnsName -Server 8.8.8.8 microsoft.com bypass internal DNS, force a specific resolverPS> Clear-DnsClientCache wipe the local stub resolver cachePS> ipconfig /flushdns same idea, traditional commandPS> _

DNS Scavenging

Scavenging automatically removes stale (old) DNS records that are no longer valid.

Scavenging removes stale records over timeDay 0PC01 registers A record → timestamp setNo-refresh interval (7 days), Refresh interval (7 days)Day 1-7no-refresh window → timestamp will not updatePC01 keeps using same IP, no churn on DNSDay 8-14refresh window → PC01 re-registers, timestamp updatesActive records stay aliveDay 15+if PC01 never came back → record marked staleScavenger job (runs weekly) deletes itStale records cause hard-to-debug name collisions otherwise

Why Scavenging Matters

  • DHCP clients may get new IPs but old records remain
  • Decommissioned servers leave orphaned records
  • Stale records cause failed connections
  • Zone becomes cluttered and hard to manage

Configuration

Turn on automatic scavenging at the server level with a 7-day interval.

# Enable scavenging on the DNS server every 7 days PS C:\> Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00
Scavenging removes stale records over timeDay 0PC01 registers A record → timestamp setNo-refresh interval (7 days), Refresh interval (7 days)Day 1-7no-refresh window → timestamp will not updatePC01 keeps using same IP, no churn on DNSDay 8-14refresh window → PC01 re-registers, timestamp updatesActive records stay aliveDay 15+if PC01 never came back → record marked staleScavenger job (runs weekly) deletes itStale records cause hard-to-debug name collisions otherwise

Why Scavenging Matters (cont.)

Enable aging on the specific zone so stale records get timestamped.

# Turn on record aging for the hexworth.local zone PS C:\> Set-DnsServerZoneAging -Name "hexworth.local" -Aging $true
# Check the current scavenging settings PS C:\> Get-DnsServerScavenging
Caution: Scavenging must be enabled on BOTH the server AND the zone. Enable on only one or two DNS servers to prevent accidental record deletion.
Scavenging removes stale records over timeDay 0PC01 registers A record → timestamp setNo-refresh interval (7 days), Refresh interval (7 days)Day 1-7no-refresh window → timestamp will not updatePC01 keeps using same IP, no churn on DNSDay 8-14refresh window → PC01 re-registers, timestamp updatesActive records stay aliveDay 15+if PC01 never came back → record marked staleScavenger job (runs weekly) deletes itStale records cause hard-to-debug name collisions otherwise

Module Summary

Key Takeaways

  • DNS is hierarchical - root → TLD → domain → hostname
  • AD-integrated zones provide security and replication
  • SRV records are critical for Active Directory
  • Forwarders handle external resolution
  • Secure dynamic updates prevent unauthorized registrations
Module 8 takeawaysResolutionrecursive walkHierarchyroot → TLD → domainZonesAD-Integrated winsRecordsA, CNAME, MX, SRVForwardingconditional + catch-allDynamicDHCP + secure updateScavengingstale records purgedReady for DNS labs and quiz

PowerShell Quick Reference

List every DNS zone hosted on the server to see what is configured.

# Show all forward and reverse lookup zones PS C:\> Get-DnsServerZone
# Add a host (A) record for a new server PS C:\> Add-DnsServerResourceRecordA -Name "web01" -ZoneName "hexworth.local" -IPv4Address "192.168.1.50"
Module 8 takeawaysResolutionrecursive walkHierarchyroot → TLD → domainZonesAD-Integrated winsRecordsA, CNAME, MX, SRVForwardingconditional + catch-allDynamicDHCP + secure updateScavengingstale records purgedReady for DNS labs and quiz

Listing and Testing

View all DNS records within a specific zone to audit its contents.

# List every record in the hexworth.local zone PS C:\> Get-DnsServerResourceRecord -ZoneName "hexworth.local"
# Query DNS the PowerShell way PS C:\> Resolve-DnsName -Name "web01.hexworth.local"
Start GUI Lab → PowerShell Lab → Take Quiz →
Module 8 takeawaysResolutionrecursive walkHierarchyroot → TLD → domainZonesAD-Integrated winsRecordsA, CNAME, MX, SRVForwardingconditional + catch-allDynamicDHCP + secure updateScavengingstale records purgedReady for DNS labs and quiz