DNS server primary & secondary

How do I design and implement a DNS infrastructure to satisfy the requirements of the following scenario?

A company requires a DNS infrastructure comprising primary and secondary servers to act as authoritative DNS servers for three domains:




The three domains are used to satisfy the company's requirement to restrict network privileges to staff based on their group membership and activities.

Domains and their relationship to groups of staff are identified below:

cnt This domain contains internal mappings for all staff machines and is used for sharing resources locally. Where possible, once a person is allocated a FQDN in this domain, it stays with them during their time at the


admin This domain is used by the technical staff to access machines remotely, using a name that represents a fixed asset number. This (name, machine) mapping remains constant for the lifetime of the machine.

technical This domain is used by the technical staff as a developmental infrastructure. As systems are introduced to the company, they are tested via mappings to the technical domain and moved to the cnt domain upon completion and testing.

CNT Domain

The staff intranet resides in the cnt domain and hosts a web server mapped to the domain name www.cnt.co.uk. In fact, the web server is implemented by a server farm. There are 3 servers that, together, provide a load-balanced web service. The DNS configuration should ensure that the servers in the web server farm are accessed in a round-robin fashion.

Each server in the farm should also be mapped individually so that it can be maintained. The domain names to be used for this purpose are:




In addition, there is a shared content server attached to the network using NFS. In order to provide a fault-tolerant service, the NFS server is backed up to another machine via block replication.

The content server should be accessible via the domain name nfs.cnt.co.uk and the replication server should be accessible via nfs2.admin.co.uk.

The cnt domain is also used to map staff in the company to machines. Each member of staff is allocated a domain name based on their personal name (e.g. William Smith will be given the name ws, and his full domain name will be ws.cnt.co.uk). The cnt domain should be replicated to a secondary server.

All DNS requests should be logged so as to allow an analysis of web usage, which will allow the development of a firewall policy in the future.

Admin Domain

The admin domain is used by the technical staff to manage the infrastructure of the organisation. All equipment that the company attaches to the network is added to this domain so that it can be accessed by the technical staff who manage the equipment.

This domain regularly has additions made to it, but the mappings of devices to their allocated addresses are rarely changed once added.

Each machine can be accessed within the admin domain using its asset number as its name. Asset numbers start with an 'A' and are followed by an 8-digit number, giving a FQDN such as A12345678.admin.co.uk.

When necessary, server machines are also assigned an alias. The alias should be a memorable name that indicates the role of the server (e.g. database, mail). This additional level of indirection allows the role name to remain constant when equipment is updated or replaced by a new asset, i.e. the asset domain name can be changed while the role name remains the same. The admin domain should be replicated to a secondary server.
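Putting the cnt and admin requirements together, here is an added example of how the main server and its secondary could be configured with BIND 9. This is my own illustration, not code from the original post or from any course material it comes from. Everything not stated in the scenario is an assumption: the addresses (taken from the 192.0.2.0/24 documentation range), the server names ns1/ns2, the per-server farm names web1 to web3 (the post leaves that list blank), the asset numbers and the staff subnet. The script writes the files into a local directory rather than /etc/bind so it can be run anywhere, and runs named-checkzone on the zones only if BIND's tools are installed.

```shell
#!/bin/sh
# Added example, not code from the original post: generates BIND 9 config
# for the main server (primary for cnt.co.uk and admin.co.uk) and for its
# secondary, then validates the zone files if named-checkzone is installed.
# The addresses, the names ns1/ns2, web1..web3 and the asset numbers are
# assumptions; the scenario does not give them.
set -eu
OUT=${OUT:-./bind-demo}          # files go here, not /etc/bind, so this is safe to run
PRIMARY=192.0.2.10               # assumed address of the main server (ns1)
SECONDARY=192.0.2.11             # assumed address of the secondary (ns2)
LAN=192.0.2.0/24                 # assumed staff network

cnt_zone() {
cat <<EOF
\$TTL 3600
@         IN SOA   ns1.cnt.co.uk. hostmaster.cnt.co.uk. (
                   2024010101 ; serial: bump it on every edit or the secondary never re-transfers
                   3600 900 1209600 300 )
          IN NS    ns1.cnt.co.uk.
          IN NS    ns2.cnt.co.uk.
ns1       IN A     $PRIMARY
ns2       IN A     $SECONDARY
; web farm: one name with three addresses; rrset-order cyclic in named.conf
; makes named rotate the order they are handed out (round robin)
www       IN A     192.0.2.21
www       IN A     192.0.2.22
www       IN A     192.0.2.23
web1      IN A     192.0.2.21   ; per-server names for maintenance (assumed names)
web2      IN A     192.0.2.22
web3      IN A     192.0.2.23
nfs       IN A     192.0.2.30   ; shared NFS content server
ws        IN A     192.0.2.101  ; William Smith's machine, name taken from initials
EOF
}

admin_zone() {
cat <<EOF
\$TTL 3600
@         IN SOA   ns1.admin.co.uk. hostmaster.admin.co.uk. (
                   2024010101 3600 900 1209600 300 )
          IN NS    ns1.admin.co.uk.
          IN NS    ns2.admin.co.uk.
ns1       IN A     $PRIMARY
ns2       IN A     $SECONDARY
; one A record per asset; these rarely change once added (assumed asset numbers)
A12345678 IN A     192.0.2.40
A12345679 IN A     192.0.2.31
; role aliases are CNAMEs to the asset name: replacing the database box only
; means pointing "database" at the new asset number
database  IN CNAME A12345678.admin.co.uk.
nfs2      IN CNAME A12345679.admin.co.uk.   ; block-replication target for nfs.cnt.co.uk
EOF
}

primary_conf() {
cat <<EOF
options {
    directory "/var/cache/bind";
    listen-on { $PRIMARY; };
    allow-query { $LAN; };
    recursion yes;                   // staff machines use this server as their resolver
    allow-recursion { $LAN; };
    allow-transfer { none; };        // no zone data to anyone unless a zone says otherwise
    rrset-order { order cyclic; };   // round robin for multi-address names such as www
};
logging {
    channel query_log { file "/var/log/named/query.log" versions 10 size 50m;
                        print-time yes; print-category yes; };
    category queries { query_log; }; // configuring this category turns query logging on
};
// "primary"/"secondary" are BIND 9.16+ keywords; older versions use master/slave
zone "cnt.co.uk"   { type primary; file "db.cnt.co.uk";
                     allow-transfer { $SECONDARY; }; notify yes; };
zone "admin.co.uk" { type primary; file "db.admin.co.uk";
                     allow-transfer { $SECONDARY; }; notify yes; };
EOF
}

secondary_conf() {
cat <<EOF
options { directory "/var/cache/bind"; listen-on { $SECONDARY; };
          allow-query { $LAN; }; allow-transfer { none; }; };
zone "cnt.co.uk"   { type secondary; primaries { $PRIMARY; }; file "db.cnt.co.uk"; };
zone "admin.co.uk" { type secondary; primaries { $PRIMARY; }; file "db.admin.co.uk"; };
EOF
}

mkdir -p "$OUT"
cnt_zone       > "$OUT/db.cnt.co.uk"
admin_zone     > "$OUT/db.admin.co.uk"
primary_conf   > "$OUT/named.conf.primary"
secondary_conf > "$OUT/named.conf.secondary"
if command -v named-checkzone >/dev/null 2>&1; then   # only when BIND tools are present
    named-checkzone cnt.co.uk   "$OUT/db.cnt.co.uk"
    named-checkzone admin.co.uk "$OUT/db.admin.co.uk"
fi
```

Points worth checking against the scenario: DNS round robin only rotates the order of the three addresses in each answer; clients and intermediate caches keep whichever address they got for the TTL, and named does no health checking, so a dead farm member keeps being handed out until its A record is removed. allow-transfer is what stops anyone on the LAN pulling the complete list of staff machines with dig AXFR; only ns2 gets it, and ns2 itself refuses transfers. The query log only sees queries that reach ns1, so staff machines must be pointed at ns1/ns2 as their resolver rather than an outside one, or the web-usage analysis will have holes. Run named-checkconf on the generated named.conf files once the directory and log path exist on the real host.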

Technical Domain

The technical domain is used only by the technical staff. It is used for research and development within the organisation. The domain is highly active, requiring frequent updates as new ideas are evaluated. Servers are often installed, updated, deleted and reconfigured. Virtual machines are prevalent in this environment.

The technical domain should be managed using a DNS server that is independent from the server for the cnt and admin domains. Only the technical staff require access to the DNS server for this domain. Nevertheless, this DNS server is required to forward all requests that it cannot resolve to the main DNS server. This helps to promote security by ensuring that all DNS requests are logged. There is no need to replicate the technical domain data at a secondary server.
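For the technical domain, here is an added example of the separate server's BIND 9 configuration; again my own illustration, not code from the original post. It is authoritative for technical.co.uk with no secondary, accepts dynamic updates signed with a TSIG key so technical staff can add and remove VM names without editing the zone file, and forwards everything it cannot answer to the main server. The addresses, the technical-staff subnet, the key name tech-update and the example VM name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: BIND 9 config for the
# independent technical.co.uk server. Authoritative for its own zone,
# dynamic updates for the constant churn of VMs, and everything else
# forwarded to the main server so it lands in that server's query log.
# Addresses, the subnet and the key name are assumptions.
set -eu
OUT=${OUT:-./bind-demo}
TECH_NS=192.0.2.50       # assumed address of the technical DNS server
MAIN_NS=192.0.2.10       # assumed address of the main (cnt/admin) server
TECH_LAN=192.0.2.128/25  # assumed technical-staff subnet

technical_zone() {
cat <<EOF
\$TTL 300    ; short TTL: names here are replaced often
@        IN SOA   ns.technical.co.uk. hostmaster.technical.co.uk. (
                  2024010101 3600 900 1209600 300 )
         IN NS    ns.technical.co.uk.
ns       IN A     $TECH_NS
vm-build IN A     192.0.2.140   ; example VM under evaluation (assumed)
EOF
}

technical_conf() {
cat <<EOF
// generate the key once with: tsig-keygen tech-update > tech-update.key
include "tech-update.key";
options {
    directory "/var/cache/bind";
    listen-on { $TECH_NS; };
    allow-query { $TECH_LAN; };          // only technical staff may use this server
    allow-recursion { $TECH_LAN; };
    allow-transfer { none; };            // no secondary is required for this zone
    forward only;                        // never go to the root servers directly;
    forwarders { $MAIN_NS; };            // unresolved queries go to the main server, which logs them
};
zone "technical.co.uk" {
    type primary;
    file "db.technical.co.uk";
    allow-update { key "tech-update"; }; // day-to-day changes via nsupdate -k tech-update.key
};
EOF
}

mkdir -p "$OUT"
technical_zone > "$OUT/db.technical.co.uk"
technical_conf > "$OUT/named.conf.technical"
if command -v named-checkzone >/dev/null 2>&1; then
    named-checkzone technical.co.uk "$OUT/db.technical.co.uk"
fi
```

A caveat on the logging requirement: forwarding only sends the main server the queries this server cannot answer itself. Lookups for names inside technical.co.uk are answered locally and never reach the main server's log, so if those should be audited as well, add the same logging stanza here. The main server's allow-recursion must include the technical server's address (TECH_NS above), otherwise the forwarded queries come back REFUSED. Because the zone accepts dynamic updates, make changes with nsupdate rather than by editing the file, or wrap manual edits in rndc freeze / rndc thaw so the journal and the zone file do not diverge.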