How do I design and implement a DNS infrastructure to satisfy the requirements of the following scenario?
A company requires a DNS infrastructure comprising primary and secondary servers to act as authoritative DNS
servers for three domains:
The three domains are used to satisfy the company’s requirement to restrict network privileges to staff based on
their group membership and activities.
Domains and their relationship to groups of staff are identified below:
cnt: This domain contains internal mappings for all staff machines and is used for sharing resources locally. Where
possible, once a person is allocated a FQDN in this domain, it stays with them during their time at the
admin: This domain is used by the technical staff to access machines remotely, using a name that represents a fixed
asset number. This (name, machine) mapping remains constant for the lifetime of the machine.
technical: This domain is used by the technical staff as a developmental infrastructure. As systems are introduced
to the company, they are tested via mappings to the technical domain and moved to the cnt domain upon
completion and testing.
The staff intranet resides in the cnt domain and hosts a web server mapped to the domain name www.cnt.co.uk. In
fact, the web server is implemented by a server farm. There are 3 servers that, together, provide a load-balanced
web service. The DNS configuration should ensure that the servers in the web server farm are accessed in a round
Each server in the farm should also be mapped individually so that it can be maintained. The domain names to
be used for this purpose are:
In addition, there is a shared content server attached to the network using NFS. In order to provide a fault-tolerant
service, the NFS server is backed up to another machine via block replication.
The content server should be accessible via the domain name: nfs.cnt.co.uk and the replication server should be
accessible via nfs2.admin.co.uk.
The cnt domain is also used to map staff in the company to machines. Each member of staff is allocated a
domain name based on their personal name (e.g. William Smith will be given the name ws, and his full domain
name will be ws.cnt.co.uk). The cnt domain should be replicated to a secondary server.
All DNS requests should be logged so as to allow an analysis of web usage which will allow the development of
a firewall policy in the future.
The admin domain is used by the technical staff to manage the infrastructure of the organisation. All equipment
that the company attaches to the network is added to this domain so that it can be accessed by the technical staff
who manage the equipment.
This domain regularly has additions made to it, but the mappings of devices to their allocated addresses are
rarely changed, once added.
Each machine can be accessed within the admin domain, using its asset number as its name. Asset numbers
start with an ‘A’ and are followed by an 8-digit number, giving a FQDN such as A12345678.admin.co.uk.
When necessary, server machines are also assigned an alias. The alias should be a memorable name that indicates
the role of the server, (e.g. database, mail etc.). This additional level of indirection allows the role name to remain
constant when equipment is updated or replaced by a new asset, i.e. the asset domain name can be changed while
the role name remains the same. The admin domain should be replicated to a secondary server.
The technical domain is used only by the technical staff. It is used for research and development within the
organisation. The domain is highly active, requiring frequent updates as new ideas are evaluated. Servers are often
installed, updated, deleted and reconfigured. Virtual machines are prevalent in this environment.
The technical domain should be managed using a DNS server that is independent from the server for the cnt
and admin domains. Only the technical staff require access to the DNS server for this domain. Nevertheless, this
DNS server is required to forward all requests that it cannot resolve to the main DNS server. This helps to promote
security by ensuring that all DNS requests are logged. There is no need to replicate the technical domain data at a
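One way to lay this out in BIND 9 (9.16+ keywords), as an added example sketch and not part of the original post or any answer to it: the named.conf fragments for the main primary, its secondary and the independent technical server, plus the cnt and admin zone files. Everything not stated in the brief is an assumption: the 192.0.2.0/24 documentation addresses, the server names ns1/ns2, the technical staff subnet, the TSIG key "tech-ddns", the asset number A23456789 for the NFS replica, and the farm member names web1..web3 (the brief's own list of per-server names is not reproduced here).

```bind
// ===== /etc/bind/named.conf.local on the main (primary) server, assumed address 192.0.2.1 =====
// BIND 9.16+ keywords; older releases spell these "master", "slave" and "masters".
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { 192.0.2.0/24; };       // assumed: the company's internal network only
    allow-transfer { none; };            // zone transfers are granted per zone below
    rrset-order { order cyclic; };       // real round robin for the www farm; recent BIND defaults to random
    querylog yes;                        // every query answered here lands in the channel below
};
logging {
    channel query_log {
        file "/var/log/named/query.log" versions 10 size 50m;
        print-time yes; print-category yes;
    };
    category queries { query_log; };
};
zone "cnt.co.uk" {
    type primary;
    file "/etc/bind/db.cnt.co.uk";
    allow-transfer { 192.0.2.2; };       // the secondary only
    also-notify { 192.0.2.2; };
};
zone "admin.co.uk" {
    type primary;
    file "/etc/bind/db.admin.co.uk";
    allow-transfer { 192.0.2.2; };
    also-notify { 192.0.2.2; };
};

// ===== /etc/bind/named.conf.local on the secondary server, assumed address 192.0.2.2 =====
zone "cnt.co.uk"   { type secondary; primaries { 192.0.2.1; }; file "db.cnt.co.uk"; };
zone "admin.co.uk" { type secondary; primaries { 192.0.2.1; }; file "db.admin.co.uk"; };

// ===== /etc/bind/named.conf.local on the independent technical server, assumed address 192.0.2.3 =====
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { 192.0.2.64/26; };      // assumed: technical staff subnet
    forwarders { 192.0.2.1; };           // anything not in technical.co.uk goes to the main server...
    forward only;                        // ...and nowhere else, so the main server's query log sees it
    querylog yes;                        // technical.co.uk answers never reach the main server, log them here
};
// assumed TSIG key so technical staff can script the frequent changes with nsupdate;
// the secret is a placeholder, generate a real one with: tsig-keygen tech-ddns
key "tech-ddns" { algorithm hmac-sha256; secret "Y2hhbmdlLW1lLWJlZm9yZS11c2U="; };
zone "technical.co.uk" {
    type primary;
    file "/var/lib/bind/db.technical.co.uk";   // writable: dynamic updates rewrite it
    allow-update { key "tech-ddns"; };
};

; ===== /etc/bind/db.cnt.co.uk =====
$TTL 3600
$ORIGIN cnt.co.uk.
@       IN  SOA  ns1.cnt.co.uk. hostmaster.cnt.co.uk. (
                 2024010101 ; serial, bump on every edit or the secondary never refreshes
                 3600       ; refresh
                 900        ; retry
                 1209600    ; expire
                 300 )      ; negative-answer TTL
@       IN  NS   ns1.cnt.co.uk.
@       IN  NS   ns2.cnt.co.uk.
ns1     IN  A    192.0.2.1
ns2     IN  A    192.0.2.2
; web farm: three A records on one name; with rrset-order cyclic the order rotates per query
www     IN  A    192.0.2.11
www     IN  A    192.0.2.12
www     IN  A    192.0.2.13
; one name per farm member for maintenance (web1..web3 are placeholders for the names in the brief)
web1    IN  A    192.0.2.11
web2    IN  A    192.0.2.12
web3    IN  A    192.0.2.13
nfs     IN  A    192.0.2.20   ; shared NFS content server
ws      IN  A    192.0.2.101  ; William Smith's machine, per the staff-naming rule

; ===== /etc/bind/db.admin.co.uk =====
$TTL 3600
$ORIGIN admin.co.uk.
@          IN  SOA  ns1.cnt.co.uk. hostmaster.cnt.co.uk. ( 2024010101 3600 900 1209600 300 )
@          IN  NS   ns1.cnt.co.uk.
@          IN  NS   ns2.cnt.co.uk.
; asset names are the stable records; role aliases are CNAMEs that get repointed on replacement
A12345678  IN  A      192.0.2.30
database   IN  CNAME  A12345678.admin.co.uk.
A23456789  IN  A      192.0.2.21   ; made-up asset number for the NFS replication host
nfs2       IN  CNAME  A23456789.admin.co.uk.
```

Check each file with `named-checkconf` and `named-checkzone cnt.co.uk /etc/bind/db.cnt.co.uk` before reloading, and confirm the rotation with a few repeated `dig www.cnt.co.uk @192.0.2.1` runs. Two caveats a practitioner would want on the record: DNS round robin is not health-aware, so a dead farm member keeps receiving a third of the answers until its A record is pulled (which is exactly why the per-server names matter), and the "all requests are logged" property only holds for queries the technical server forwards; names it answers itself out of technical.co.uk appear only in its own log, hence `querylog yes` on that server too.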