DNS Management Cheat Sheet

Overview

DNS Management encompasses the administration, configuration, and maintenance of Domain Name System infrastructure. This cheat sheet covers essential commands and procedures for managing DNS servers, zones, and records across different platforms and environments.

⚠️ Warning: DNS changes can affect network connectivity and service availability. Always test changes in non-production environments and follow change management procedures.

DNS Server Management

BIND (Berkeley Internet Name Domain)

Installation

# Ubuntu/Debian
sudo apt update && sudo apt install bind9 bind9utils bind9-doc

# CentOS/RHEL/Rocky Linux
sudo dnf install bind bind-utils

# macOS (using Homebrew)
brew install bind

Service Management

# Start BIND service
sudo systemctl start named
sudo systemctl start bind9  # Ubuntu/Debian

# Stop BIND service
sudo systemctl stop named
sudo systemctl stop bind9   # Ubuntu/Debian

# Restart BIND service
sudo systemctl restart named
sudo systemctl restart bind9  # Ubuntu/Debian

# Enable auto-start
sudo systemctl enable named
sudo systemctl enable bind9   # Ubuntu/Debian

# Check service status
sudo systemctl status named
sudo systemctl status bind9   # Ubuntu/Debian

Configuration Management

# Check BIND configuration syntax
sudo named-checkconf

# Check zone file syntax
sudo named-checkzone example.com /etc/bind/db.example.com

# Reload configuration without restart
sudo rndc reload

# Reload specific zone
sudo rndc reload example.com

# Flush cache
sudo rndc flush

# View BIND statistics
sudo rndc stats

Windows DNS Server

PowerShell Management

# Install DNS Server role
Install-WindowsFeature -Name DNS -IncludeManagementTools

# Start DNS service
Start-Service DNS

# Stop DNS service
Stop-Service DNS

# Restart DNS service
Restart-Service DNS

# Get DNS server settings
Get-DnsServer

# Get DNS server statistics
Get-DnsServerStatistics

Zone Management

Creating Zones

BIND Zone Creation

# Create forward lookup zone file
sudo nano /etc/bind/db.example.com

# Add zone to named.conf
echo 'zone "example.com" \\\\{
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer \\\\{ 192.168.1.10; \\\\};
\\\\};'|sudo tee -a /etc/bind/named.conf.local

# Create reverse lookup zone
sudo nano /etc/bind/db.192.168.1

# Add reverse zone to named.conf
echo 'zone "1.168.192.in-addr.arpa" \\\\{
    type master;
    file "/etc/bind/db.192.168.1";
    allow-transfer \\\\{ 192.168.1.10; \\\\};
\\\\};'|sudo tee -a /etc/bind/named.conf.local

Windows DNS Zone Creation

# Create primary zone
Add-DnsServerPrimaryZone -Name "example.com" -ZoneFile "example.com.dns"

# Create Active Directory integrated zone
Add-DnsServerPrimaryZone -Name "example.com" -ReplicationScope "Domain"

# Create secondary zone
Add-DnsServerSecondaryZone -Name "example.com" -ZoneFile "example.com.dns" -MasterServers "192.168.1.10"

# Create reverse lookup zone
Add-DnsServerPrimaryZone -NetworkId "192.168.1.0/24" -ReplicationScope "Domain"

Zone Transfer Management

BIND Zone Transfers

# Configure zone transfer in named.conf
zone "example.com" \\\\{
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer \\\\{ 192.168.1.10; 192.168.1.11; \\\\};
    also-notify \\\\{ 192.168.1.10; 192.168.1.11; \\\\};
    notify yes;
\\\\};

# Force zone transfer
sudo rndc notify example.com

# Check zone transfer status
sudo rndc status

Windows Zone Transfers

# Configure zone transfer settings
Set-DnsServerZoneTransferPolicy -ZoneName "example.com" -SecondaryServers "192.168.1.10","192.168.1.11"

# Enable zone transfer notifications
Set-DnsServerZoneTransferPolicy -ZoneName "example.com" -Notify "Yes" -NotifyServers "192.168.1.10","192.168.1.11"

# Force zone transfer
Start-DnsServerZoneTransfer -ZoneName "example.com"

DNS Record Management

Common Record Types

A Records (IPv4)

# BIND - Add A record to zone file
echo "www    IN    A    192.168.1.100" >> /etc/bind/db.example.com

# Windows PowerShell
Add-DnsServerResourceRecordA -ZoneName "example.com" -Name "www" -IPv4Address "192.168.1.100"

# Using nsupdate (dynamic updates)
nsupdate -k /etc/bind/rndc.key
> server 192.168.1.10
> zone example.com
> update add www.example.com 300 A 192.168.1.100
> send
> quit

AAAA Records (IPv6)

# BIND - Add AAAA record
echo "www    IN    AAAA    2001:db8::1" >> /etc/bind/db.example.com

# Windows PowerShell
Add-DnsServerResourceRecordAAAA -ZoneName "example.com" -Name "www" -IPv6Address "2001:db8::1"

CNAME Records

# BIND - Add CNAME record
echo "mail    IN    CNAME    www.example.com." >> /etc/bind/db.example.com

# Windows PowerShell
Add-DnsServerResourceRecordCName -ZoneName "example.com" -Name "mail" -HostNameAlias "www.example.com"

MX Records

# BIND - Add MX record
echo "@    IN    MX    10    mail.example.com." >> /etc/bind/db.example.com

# Windows PowerShell
Add-DnsServerResourceRecordMX -ZoneName "example.com" -Name "@" -MailExchange "mail.example.com" -Preference 10

TXT Records

# BIND - Add TXT record
echo "@    IN    TXT    \"v=spf1 include:_spf.google.com ~all\"" >> /etc/bind/db.example.com

# Windows PowerShell
Add-DnsServerResourceRecordTxt -ZoneName "example.com" -Name "@" -DescriptiveText "v=spf1 include:_spf.google.com ~all"

PTR Records (Reverse DNS)

# BIND - Add PTR record to reverse zone
echo "100    IN    PTR    www.example.com." >> /etc/bind/db.192.168.1

# Windows PowerShell
Add-DnsServerResourceRecordPtr -ZoneName "1.168.192.in-addr.arpa" -Name "100" -PtrDomainName "www.example.com"

Record Modification and Deletion

BIND Record Management

# Edit zone file directly
sudo nano /etc/bind/db.example.com

# Increment serial number (important!)
# Change: 2024063001 to 2024063002

# Reload zone after changes
sudo rndc reload example.com

# Delete record using nsupdate
nsupdate -k /etc/bind/rndc.key
> server 192.168.1.10
> zone example.com
> update delete old-server.example.com A
> send
> quit

Windows Record Management

# Modify A record
Set-DnsServerResourceRecordA -ZoneName "example.com" -Name "www" -IPv4Address "192.168.1.101"

# Remove A record
Remove-DnsServerResourceRecord -ZoneName "example.com" -Name "www" -RRType "A"

# Remove all records for a name
Remove-DnsServerResourceRecord -ZoneName "example.com" -Name "old-server" -Force

DNS Security Management

DNSSEC Configuration

BIND DNSSEC Setup

# Generate zone signing keys
cd /etc/bind/keys
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE example.com
dnssec-keygen -a RSASHA256 -b 4096 -f KSK -n ZONE example.com

# Sign the zone
dnssec-signzone -A -3 $(head -c 1000 /dev/random|sha1sum|cut -b 1-16) -N INCREMENT -o example.com -t /etc/bind/db.example.com

# Update named.conf to use signed zone
zone "example.com" \\\\{
    type master;
    file "/etc/bind/db.example.com.signed";
    key-directory "/etc/bind/keys";
    auto-dnssec maintain;
    inline-signing yes;
\\\\};

Windows DNSSEC Setup

# Enable DNSSEC for zone
Enable-DnsServerSigningKeyRollover -ZoneName "example.com" -KeyType "KeySigningKey"

# Add Key Signing Key (KSK)
Add-DnsServerSigningKey -ZoneName "example.com" -Type "KeySigningKey" -CryptoAlgorithm "RsaSha256"

# Add Zone Signing Key (ZSK)
Add-DnsServerSigningKey -ZoneName "example.com" -Type "ZoneSigningKey" -CryptoAlgorithm "RsaSha256"

# Sign the zone
Invoke-DnsServerZoneSigning -ZoneName "example.com" -Sign

Access Control Lists (ACLs)

BIND ACL Configuration

# Define ACLs in named.conf
acl "internal-networks" \\\\{
    192.168.1.0/24;
    10.0.0.0/8;
    172.16.0.0/12;
\\\\};

acl "dns-servers" \\\\{
    192.168.1.10;
    192.168.1.11;
\\\\};

# Apply ACLs to zones
zone "example.com" \\\\{
    type master;
    file "/etc/bind/db.example.com";
    allow-query \\\\{ internal-networks; \\\\};
    allow-transfer \\\\{ dns-servers; \\\\};
    allow-update \\\\{ none; \\\\};
\\\\};

Windows DNS Security

# Configure zone transfer security
Set-DnsServerZoneTransferPolicy -ZoneName "example.com" -SecondaryServers "192.168.1.10","192.168.1.11"

# Disable recursion for external queries
Set-DnsServerRecursion -Enable $false -AdditionalTimeout 4 -RetryInterval 3 -Timeout 8

DNS Monitoring and Troubleshooting

Log Management

BIND Logging

# Configure logging in named.conf
logging \\\\{
    channel default_debug \\\\{
        file "data/named.run";
        severity dynamic;
    \\\\};
    channel query_log \\\\{
        file "/var/log/bind/query.log" versions 3 size 5m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    \\\\};
    category queries \\\\{ query_log; \\\\};
    category default \\\\{ default_debug; \\\\};
\\\\};

# Enable query logging
sudo rndc querylog on

# View logs
sudo tail -f /var/log/bind/query.log
sudo journalctl -u named -f

Windows DNS Logging

# Enable DNS debug logging
Set-DnsServerDiagnostics -All $true

# Enable query logging
Set-DnsServerDiagnostics -Queries $true

# View DNS events
Get-WinEvent -LogName "DNS Server"|Select-Object -First 10

# Export DNS logs
Get-DnsServerQueryResolutionPolicy|Export-Csv -Path "C:\dns-policies.csv"

Performance Monitoring

BIND Statistics

# Enable statistics
statistics-channels \\\\{
    inet 127.0.0.1 port 8053 allow \\\\{ 127.0.0.1; \\\\};
\\\\};

# View statistics via HTTP
curl http://127.0.0.1:8053/

# Command line statistics
sudo rndc stats
cat /var/cache/bind/named.stats

Windows DNS Performance

# Get DNS server statistics
Get-DnsServerStatistics

# Monitor DNS performance counters
Get-Counter "\DNS\Total Query Received/sec"
Get-Counter "\DNS\Total Response Sent/sec"
Get-Counter "\DNS\Recursive Queries/sec"

# Export performance data
Get-DnsServerStatistics|Export-Csv -Path "C:\dns-stats.csv"

Troubleshooting Commands

DNS Resolution Testing

# Test DNS resolution
nslookup www.example.com
dig www.example.com
host www.example.com

# Test specific record types
dig MX example.com
dig TXT example.com
dig NS example.com

# Test reverse DNS
dig -x 192.168.1.100

# Test DNSSEC validation
dig +dnssec www.example.com

Zone Transfer Testing

# Test zone transfer
dig @192.168.1.10 example.com AXFR

# Test zone serial number
dig @192.168.1.10 example.com SOA

Windows DNS Testing

# Test DNS resolution
Resolve-DnsName -Name "www.example.com"
Resolve-DnsName -Name "example.com" -Type MX

# Test DNS server connectivity
Test-DnsServer -IPAddress "192.168.1.10" -ZoneName "example.com"

# Validate zone
Test-DnsServer -IPAddress "192.168.1.10" -ZoneName "example.com" -RRType "SOA"

DNS Maintenance Tasks

Zone File Backup

# Backup BIND zone files
sudo tar -czf /backup/dns-zones-$(date +%Y%m%d).tar.gz /etc/bind/

# Backup Windows DNS zones
Export-DnsServerZone -Name "example.com" -FileName "example.com.backup"

Cache Management

# Clear DNS cache (BIND)
sudo rndc flush

# Clear DNS cache (Windows)
Clear-DnsServerCache

# Clear local resolver cache (Linux)
sudo systemctl restart systemd-resolved

# Clear local resolver cache (Windows)
ipconfig /flushdns

Zone Maintenance

# Update zone serial number
# Edit zone file and increment serial: 2024063001 -> 2024063002

# Reload zone
sudo rndc reload example.com

# Force zone refresh on secondary
sudo rndc refresh example.com

Command Reference

Command	Description
`named-checkconf`	Validate BIND configuration
`named-checkzone`	Validate zone file syntax
`rndc reload`	Reload DNS configuration
`rndc flush`	Clear DNS cache
`rndc stats`	Generate statistics
`rndc querylog`	Toggle query logging
`nsupdate`	Dynamic DNS updates
`dig`	DNS lookup utility
`nslookup`	DNS lookup utility
`host`	DNS lookup utility

PowerShell DNS Cmdlets

Cmdlet	Description
`Get-DnsServer`	Get DNS server configuration
`Add-DnsServerPrimaryZone`	Create primary zone
`Add-DnsServerSecondaryZone`	Create secondary zone
`Add-DnsServerResourceRecord*`	Add DNS records
`Remove-DnsServerResourceRecord`	Remove DNS records
`Set-DnsServerZoneTransferPolicy`	Configure zone transfers
`Test-DnsServer`	Test DNS server functionality
`Clear-DnsServerCache`	Clear DNS cache

Best Practices

Security

Implement DNSSEC for zone signing
Use TSIG for zone transfer authentication
Restrict zone transfers to authorized servers
Disable recursion for authoritative servers
Implement rate limiting
Regular security updates

Performance

Optimize TTL values
Implement proper caching strategies
Use geographically distributed servers
Monitor query patterns
Implement load balancing

Maintenance

Regular backups of zone files
Monitor DNS logs
Implement change management
Document all configurations
Test disaster recovery procedures
Keep software updated

Monitoring

Set up alerting for service failures
Monitor query response times
Track zone transfer status
Monitor DNSSEC key expiration
Log security events

Common Issues and Solutions

Zone Transfer Failures

# Check zone transfer configuration
named-checkconf
named-checkzone example.com /etc/bind/db.example.com

# Verify network connectivity
telnet secondary-dns-server 53

# Check TSIG key configuration
rndc-confgen -a

DNSSEC Validation Errors

# Check DNSSEC chain
dig +dnssec +trace www.example.com

# Verify key signatures
dig +dnssec example.com DNSKEY

# Check DS records in parent zone
dig +dnssec example.com DS

Performance Issues

# Monitor query load
rndc stats
tail -f /var/log/bind/query.log

# Check cache hit ratio
rndc dumpdb -cache
grep "cache" /var/cache/bind/named_dump.db

# Analyze query patterns
awk '\\\\{print $1\\\\}' /var/log/bind/query.log|sort|uniq -c|sort -nr

This cheat sheet provides comprehensive coverage of DNS management tasks across different platforms and scenarios. Always test changes in non-production environments and maintain proper documentation of your DNS infrastructure.