DNS Suffix Search Order via DHCP

I was recently working on a new parallel domain with one of the members of my team and the issue of DNS Suffix Search Order came up. The search order had to be set to include the parallel domain, the primary domain and a number of other things.

I was adamant that the search order could be set by DHCP as well as by GPO, but I couldn't specifically remember the details. My engineer pointed me to this Microsoft Knowledge Base article that states:

The following methods of distribution are not available for pushing the domain suffix search list to DNS clients:

• Dynamic Host Configuration Protocol (DHCP). You cannot configure DHCP to send out a domain suffix search list. This is currently not supported by the Microsoft DHCP server.

Fortunately, an engineer from another department came to the rescue with DHCP Option 135. This can be added in Windows Server 2008 as follows (I believe this originated in a TechNet post):

1. On the 2008 Server running DHCP, open the DHCP MMC.
2. Expand DHCP and choose the DHCP server name.
3. Right click on IPv4
4. Choose "Set Predefined Options"
5. Click on Add.
6. Name: "Domain suffix search order"
Data Type: String
Code: "135" (without the quotation marks)
Description: "List of domain suffixes in order" (without the quotation marks)
String: enter your search suffixes separated by comma with no spaces
sample1.com.au,sample2.net,sample3.org

7. Click onto the OK to save changes .
8. Exit the DHCP MMC and restart the DHCP Server Service.
9. Open the DHCP MMC again and now scope option 135 is a listed option.

Reverse DNS

I recently had a guy ask me how he could fix a corrupt reverse DNS.

Simple enough, I thought and proceeded to instruct him how to change the AD Integrated DNS zone to a "Standard Primary" DNS zone, then take the DNS file, import it into Excel and manipulate the data however he wanted. He could then just put the file back and reload the DNS zone and that's that.

I also told him how he could use DNSCMD to export the DNS data from an AD Integrated zone.:
dnscmd /ZoneExport FQDN_of_zonename Zone_export_file

He then started telling me he had problems locating the reverse DNS information and it was at this point my techie sense started tingling. He may not even have a reverse DNS zone (it is completely optional, but can be quite useful), or may actually be referring to his DNS resolver cache. (I haven't determined the answer yet).

Reverse DNS operates just like regular DNS, but instead of looking up an IP address using a hostname, you look up the hostname from the IP address. This can be very useful in easily determining which host is the source or destination of traffic, instead of finding the port on the local switch.

Reverse DNS zones use the network address in reverse notation and the suffix in-addr.arpa. So if your network's IP Schema is based on subnets of the private range 172.16.0.0, you could have a reverse DNS zone of 16.172.in-addr.arpa, which could contain entries for all hosts within all subnets on your network. Of course, if you have an extremely large network, you probably want to break this down further, such as 10.16.172.in-addr.arpa, etc.

So, if your host server.company.com has an (A) record of 172.16.10.99, he can have a pointer DNS record type (PTR) in the reverse DNS zone of 99.10.16.172.in-addr.arpa pointing back to its designated hostname of server.company.com.

Reverse DNS zones for IPv6 use the special zone ip6.arpa and store their loooong IPv6 addresses as a sequence of nibbles in reverse order in much the same way as the IPv4 addresses are stored in reverse order. So an IPv6 address of 2001:0db8:85a3::62cd will be stored as a PTR record as d.c.2.6.0.0.0.0.3.a.5.8.8.b.d.0.1.0.0.2.ip6.arpa.

A DNS resolver cache on a caching name server will resolve a query, even though they are not authoritative for the result, by making a query to the authoritative server on behalf of the client. The caching name server will then store this record for it's Time-To-Live (TTL) in a local cache. This will result in quicker resolutions and reduced load on Internet name servers. A corrupted resolver cache can simply be cleared and it will rebuild itself with use.

Wake on LAN over the Internet

I was recently sitting at a desk at work with one of my colleagues and needed some information on my home computer. He watched as I turned on my home computer, established a remote session into it, got the information I needed and then shut it down again (I don't believe in leaving the computer turned on and wasting power).

"So that was interesting," said my colleague. "How did you set that up?"

The first thing to know about waking up your computer over the Internet is that not all home firewall/routers are going to be able to do it. Check the specs of your device. Along with the usual things like port forwarding, it needs to support static ARP entries. If it can, it's relatively straightforward.

First of all, set a static IP address on your target machine. Then go into the properties of the network card and enable Wake on LAN if it is not already enabled (It's usually enabled by default). You may have to enable Wake on LAN in the BIOS as well. Record the MAC address of your machine as you will need this to wake it (you can get this at the command prompt with an ipconfig /all ).

Next, you need to register the static IP address of your machine in the ARP table of your router. This is the part that some firewall/router devices targeting the home market are not going to be able to do. You will need to refer to your devices manual or support site to determine how to do this. You may not be able to do this while the network interface you are registering is connected to the network, so you may require another network interface or a second computer.

Finally, you need to set up a virtual server on your firewall with the following parameters:

• Use the UDP protocol.
• Use 9 for the internal port.
• Use your static IP address of the target computer for the internal address.
• Use any common port for the external port, but choose one not already in use. If you don't have a POP3 Mail server for instance, you could use 110.

I would also advise that you set up a Dynamic DNS. Many home firewall/router devices will be able to register their address automatically with one of these sites (for example: http://www.dyndns.com or http://www.no-ip.com.) This enables you to just remember a FQDN entry instead of an IP address and will also update if your IP address changes.

Now you should be able to turn off your computer and use another computer, or even a smart phone to send a magic packet to wake up the computer. I use http://www.depicus.com/wake-on-lan/woli.aspx

Just enter the MAC address of the computer, the IP address or FQDN, 255.255.255.255 as the subnet mask (as you are targeting a single host) and the port number you registered as the external port for your virtual server. Click the WAKE ON LAN button and your computer should turn itself on moments later!

If you have another virtual server set up to relay VNC or RDP to your machine, you can then control the machine remotely.


Cheers,
Sean