1. #1141
    Service Manager 10,000+ Posts
    Need some advice on learning networking

    BillyCarpenter's Avatar
    Join Date
    Aug 2020
    Location
    Long Beach, Mississippi
    Posts
    13,454
    Rep Power
    449

    Re: Need some advice on learning networking

    Lord have mercy. These access lists are something else. They're also amazing and wonderful.

    I have a real router installed on my network at the office and I'm using it to NAT, and that involves setting up an access list, but it's not complicated as far as ACLs go. In order to pass the CCNA, we must take it to the next level and that's exactly what I did.

    I don't know where to start. (side note: This lab was done in Packet Tracer)

    We have 2 web servers. One is running http (port 80) and the other is running https (port 443).

    We also have 2 PCs on the same subnet.

    Using an ACL, we blocked PC 1 from accessing server 1 but allowed it to access server 2.

    Using the same access list, we blocked PC 2 from accessing server 1 but allowed it to access server 1.


    We did this by allowing TCP for both PCs because http rides on top of TCP. But then we denied access to port 80 for PC 1 and also denied access to port 443 for PC 2.

    Neither computer could ping either server, but they could access their respective webpages.

    You can get very granular with an ACL. But it's very easy to end up with unintended consequences. It's scary because you can bring down a large portion of a network if you're not careful.
    Growth is found only in adversity.
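    The lab above comes down to two properties of an IOS-style ACL: entries are checked top to bottom and the first match decides, and anything that matches no entry hits the implicit deny at the end (which is why the pings fail even though nothing mentions ICMP). The following is an added example, not code from the post: a small Python model that parses entries in the `permit/deny <proto> host|any ... [eq port]` form and evaluates the six flows from the lab. The addresses are constructed; the post gives none. It also runs the same three entries with the `permit tcp any any` line moved to the top, which is the kind of ordering slip that produces the "unintended consequences" the post warns about: the two deny lines then never match.

```python
"""Model of how an IOS-style extended ACL evaluates the lab traffic described above.

Added example, not code from the post. Addresses are constructed; the post gives none.
"""
from dataclasses import dataclass
from typing import Optional

PC1, PC2 = "192.168.1.10", "192.168.1.11"        # constructed client addresses
SRV1, SRV2 = "192.168.1.100", "192.168.1.101"    # server 1 = http/80, server 2 = https/443


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_address(tokens, i):
    """Parse 'any' or 'host A.B.C.D' at tokens[i]; returns (address or None for any, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form: {tokens[i]}")


def parse_ace(line):
    """Parse one entry of the form '<permit|deny> <proto> <src> <dst> [eq <dport>]'.

    Only the subset of IOS syntax needed for the lab is handled (host/any, eq).
    """
    t = line.split()
    action, proto = t[0], t[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action: {action}")
    src, i = _parse_address(t, 2)
    dst, i = _parse_address(t, i)
    dport = None
    if i < len(t):
        if t[i] != "eq":
            raise ValueError(f"unsupported port operator: {t[i]}")
        dport = int(t[i + 1])
    return action, proto, src, dst, dport


def matches(ace, pkt):
    """True when every field the entry specifies agrees with the packet."""
    _, proto, src, dst, dport = ace
    if proto != "ip" and proto != pkt.proto:
        return False
    if src is not None and src != pkt.src:
        return False
    if dst is not None and dst != pkt.dst:
        return False
    if dport is not None and dport != pkt.dport:
        return False
    return True


def evaluate(acl, pkt):
    """First matching entry decides; a packet matching nothing hits the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace[0]
    return "deny"


# The lab: block PC1 from the http server and PC2 from the https server, permit the
# remaining TCP, and let the implicit deny stop everything else (ping included).
LAB_ACL = [
    f"deny tcp host {PC1} host {SRV1} eq 80",
    f"deny tcp host {PC2} host {SRV2} eq 443",
    "permit tcp any any",
]

# Same three entries with the permit first: the two denies can never match.
MISORDERED_ACL = [LAB_ACL[2], LAB_ACL[0], LAB_ACL[1]]

TRAFFIC = {
    "pc1->srv1 http": Packet("tcp", PC1, SRV1, 80),
    "pc1->srv2 https": Packet("tcp", PC1, SRV2, 443),
    "pc2->srv1 http": Packet("tcp", PC2, SRV1, 80),
    "pc2->srv2 https": Packet("tcp", PC2, SRV2, 443),
    "pc1->srv1 ping": Packet("icmp", PC1, SRV1),
    "pc2->srv2 ping": Packet("icmp", PC2, SRV2),
}


def lab_results(acl):
    """Decision for each test flow under the given ACL."""
    return {name: evaluate(acl, pkt) for name, pkt in TRAFFIC.items()}


if __name__ == "__main__":
    for label, acl in (("correct order", LAB_ACL), ("permit first", MISORDERED_ACL)):
        print(label)
        for name, verdict in lab_results(acl).items():
            print(f"  {name:18} {verdict}")
```

    Running it prints the verdicts for both orderings; the second listing shows PC 1 reaching the http server it was supposed to be blocked from, which is exactly what a misordered ACL on a real router would do.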

  2. #1142 BillyCarpenter

    I'll get off routers and switches for a minute and talk about Windows Server. More specifically, I have a question about DNS forward and reverse lookup zones, a-records and pointer records. I'm working on this under protest on my own network.

    I need to preface what I'm about to say. I've been building and configuring a lot of labs on physical equipment here at the shop and as a result of trying a lot of different things, I've broken and repaired a lot of mistakes. Unfortunately, that's the only way to learn this stuff.

    One of the problems that I noticed is that DNS queries for internal hosts were unsuccessful. I confirmed this by running nslookup.

    Anyway, I got it straightened out after doing a deep dive into setting up DNS on Windows Server.


    Here's my question. It appears to me that I must manually enter every a-record for every device on the network. Is that right?

  3. #1143 BillyCarpenter

    One more quick comment on NAT'ing. As mentioned previously, there are a few different flavors of NAT but the one I want to concentrate on here is PAT or Port Address Translation. This is the one that most of us are using right now.

    When I started this CCNA journey, I didn't know the difference between a public or private IP address. I didn't understand that my local IP address (192.168.1.xxx) wasn't routable over the internet and needed to be translated.

    But if we only have 1 public IP address and 50 PCs on our network, how does the router keep track of all the different sessions that are started over the internet by the different PCs?

    That's where ports come into play. Each PC is given a random port number for each session that is attached to the IP address, and the router keeps a table of all of these, so when the server sends information back to the host, the router can differentiate between the different sessions and send it to the correct destination.


    I find some of these processes absolutely fascinating and genius.

    PS - On a Cisco router, I can run the command "show ip nat translation" and it will show me all the different sessions along with the respective IP addresses and ports, as well as the translations that were created in order for the packet to go out over the internet.
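    The table the post describes is the whole mechanism of PAT: one public address, a port chosen per session, and a lookup on the way back in. The following is an added example, not code from the post or from any router vendor: a Python simulation of that table with the columns of the translation listing the post mentions. Every address is constructed (RFC 1918 inside, documentation ranges outside). It exercises two cases the prose glosses over: two inside PCs that happen to pick the same source port toward the same server, which the router must separate by giving one of them a different public port, and an unsolicited packet arriving from the internet for which no session exists, which has nowhere to go and is dropped. That last case is the reason PAT incidentally shields inside hosts from inbound connections, and also why it is not a substitute for a real firewall policy: anything an inside host initiates is allowed back in.

```python
"""Simulation of the PAT translation table described above (added example, not from the post).

All addresses are constructed: RFC 1918 space inside, documentation ranges outside.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    """One public address shared by many inside hosts, distinguished by port."""

    def __init__(self, public_ip, first_free_port=1024):
        self.public_ip = public_ip
        self._next_port = first_free_port
        self._used_ports = set()
        # (proto, inside ip, inside port, outside ip, outside port) -> public port
        self._outbound = {}
        # (proto, public port, outside ip, outside port) -> (inside ip, inside port)
        self._inbound = {}

    def _allocate_port(self, wanted):
        # Keep the host's own source port when it is still free, otherwise take the
        # next unused one; a simplification of what a real router does.
        if wanted not in self._used_ports:
            port = wanted
        else:
            while self._next_port in self._used_ports:
                self._next_port += 1
            port = self._next_port
        self._used_ports.add(port)
        return port

    def translate_out(self, flow):
        """Rewrite an inside->outside packet and record the session."""
        key = (flow.proto, flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port)
        gport = self._outbound.get(key)
        if gport is None:
            gport = self._allocate_port(flow.src_port)
            self._outbound[key] = gport
            self._inbound[(flow.proto, gport, flow.dst_ip, flow.dst_port)] = (flow.src_ip, flow.src_port)
        return Flow(flow.proto, self.public_ip, gport, flow.dst_ip, flow.dst_port)

    def translate_in(self, flow):
        """Map a reply back to the inside host, or None when no session created it (dropped)."""
        if flow.dst_ip != self.public_ip:
            return None
        inside = self._inbound.get((flow.proto, flow.dst_port, flow.src_ip, flow.src_port))
        if inside is None:
            return None
        return Flow(flow.proto, flow.src_ip, flow.src_port, inside[0], inside[1])

    def translations(self):
        """Rows in the shape of the router's translation listing: proto, inside global, inside local, outside."""
        rows = []
        for (proto, in_ip, in_port, out_ip, out_port), gport in self._outbound.items():
            rows.append((proto, f"{self.public_ip}:{gport}", f"{in_ip}:{in_port}", f"{out_ip}:{out_port}"))
        return rows


def run_scenario():
    """Two PCs pick the same source port toward one server; a reply per session; one unsolicited packet."""
    router = PatRouter("203.0.113.5")
    server = "198.51.100.20"
    a = router.translate_out(Flow("tcp", "192.168.1.10", 50000, server, 443))
    b = router.translate_out(Flow("tcp", "192.168.1.11", 50000, server, 443))
    reply_a = router.translate_in(Flow("tcp", server, 443, router.public_ip, a.src_port))
    reply_b = router.translate_in(Flow("tcp", server, 443, router.public_ip, b.src_port))
    unsolicited = router.translate_in(Flow("tcp", "198.51.100.99", 40000, router.public_ip, 3389))
    return {"a": a, "b": b, "reply_a": reply_a, "reply_b": reply_b,
            "unsolicited": unsolicited, "table": router.translations()}


if __name__ == "__main__":
    result = run_scenario()
    print("Pro  Inside global        Inside local         Outside")
    for row in result["table"]:
        print(f"{row[0]:4} {row[1]:20} {row[2]:20} {row[3]}")
    print("unsolicited inbound delivered to:", result["unsolicited"])
```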

  4. #1144 rthonpm

    Quote Originally Posted by BillyCarpenter:
    > I'll get off routers and switches for a minute and talk about Windows Server. More specifically, I have a question about DNS forward and reverse lookup zones, a-records and pointer records. I'm working on this under protest on my own network.
    >
    > Anyway, I got it straightened out after doing a deep dive into setting up DNS on Windows Server.
    >
    > Here's my question. It appears to me that I must manually enter every a-record for every device on the network. Is that right?

    If you're using Windows DNS, are you using Active Directory? If yes, then your domain controller(s) should be your DNS servers for everything connected to that network. The domain controller should be set with its loopback address and regular IP in its DNS settings. The forward lookup settings will then send out anything that isn't in the local domain to the external providers you specify. I've seen where people will set their DC to use an ISP or external DNS server which then breaks name resolution because there's nothing to resolve internal names.

    In a workgroup, your Windows DNS server is still what every device points to, you just don't have the additional authentication and management of AD along with the DNS portion. There's no difference in configuration.

    For A records, Windows machines have an option to register the connection's information in DNS, which then sends the information to the DNS server(s) and this is turned on by default. Depending on the refresh time of the server it can take time to see new hosts.

    I generally will let any DHCP host register itself in DNS. Static devices, I'll add in ahead of time so that once the device is connected it's already resolvable. I do the same with any computer object in AD and create the host in the correct container so that once it's bound, the object is in the right OU to pull the correct policies and settings.

    The real trick is making sure that DHCP is looking to assign the correct name server(s) and that those servers are also set to only refer to themselves and any primary for name resolution. Your primary DNS or domain controller will use 127.0.0.1 and its IP for name resolution, and any secondary ones will use the loopback and the IP of the primary. Nothing in your environment should be using an external DNS server for any reason whatsoever, whether you're using a dedicated DNS server or just an ISP router for name resolution.

    One of the great truisms in networking is: 'it's always DNS'.

    Just wait until you get the fun of also integrating IPv6 and Active Directory. That can be some real fun that breaks a lot of things depending on where the v6 addresses come from.


  5. #1145 BillyCarpenter

    Quote Originally Posted by rthonpm:
    > If you're using Windows DNS, are you using Active Directory? If yes, then your domain controller(s) should be your DNS servers for everything connected to that network. The domain controller should be set with its loopback address and regular IP in its DNS settings. The forward lookup settings will then send out anything that isn't in the local domain to the external providers you specify. I've seen where people will set their DC to use an ISP or external DNS server which then breaks name resolution because there's nothing to resolve internal names.
    >
    > In a workgroup, your Windows DNS server is still what every device points to, you just don't have the additional authentication and management of AD along with the DNS portion. There's no difference in configuration.
    >
    > For A records, Windows machines have an option to register the connection's information in DNS, which then sends the information to the DNS server(s) and this is turned on by default. Depending on the refresh time of the server it can take time to see new hosts.
    >
    > I generally will let any DHCP host register itself in DNS. Static devices, I'll add in ahead of time so that once the device is connected it's already resolvable. I do the same with any computer object in AD and create the host in the correct container so that once it's bound, the object is in the right OU to pull the correct policies and settings.
    >
    > The real trick is making sure that DHCP is looking to assign the correct name server(s) and that those servers are also set to only refer to themselves and any primary for name resolution. Your primary DNS or domain controller will use 127.0.0.1 and its IP for name resolution, and any secondary ones will use the loopback and the IP of the primary. Nothing in your environment should be using an external DNS server for any reason whatsoever, whether you're using a dedicated DNS server or just an ISP router for name resolution.
    >
    > One of the great truisms in networking is: 'it's always DNS'.
    >
    > Just wait until you get the fun of also integrating IPv6 and Active Directory. That can be some real fun that breaks a lot of things depending on where the v6 addresses come from.

    rthon,

    I have many questions but let me get up to speed on the info you just posted so that I won't be asking dumb questions. I don't want to waste your time.

    PS - That's some interesting information. I'm about to dig into it as we speak.

  6. #1146 BillyCarpenter

    rthonpm has been such a valuable resource for me and I try not to bug him any more than I have to.

    I found an article that is full of good information on Windows DNS but it starts off talking about DNS replication (2 DNS servers) and it's kinda throwing me off but this is what I've gathered thus far.


    You never, EVER, never EVER, want to use a public DNS server as your primary or secondary DNS server.

    Why?

    Because public DNS servers can't resolve internal IP addresses. I had learned that from rthonpm already but what about using a public DNS server for your secondary DNS? Bad idea. Why? Because your primary DNS server may be busy and the secondary DNS will be used and you run into the same problem.


    That's all I have for now.


    Is any of that wrong?

    PS - I did read about setting the loopback on the Windows DNS server. I had been doing that. That gets a little confusing when you're using 2 DNS servers.

  7. #1147 BillyCarpenter

    Please excuse me while I ramble on and bitch and complain....


    First things first. Windows Server is such a different world than routing and switching and that's the reason I backed away from it...so that I could give my full attention to CCNA. But I was forced to learn DNS and it got fucking complicated real quick.


    rthonpm touched on this but I found out the hard way that there's a big difference between DNS on a workgroup server and Active Directory.

    I had previously demoted AD for learning purposes and set up DHCP and it worked fine. I then promoted AD and DHCP no longer worked. Why? Because there's an option when we initially created AD that's not under DHCP when using a workgroup. (It's complicated, I know.)

    Anyway, there is integration between DNS and DHCP when using AD and there's a lot of fucking steps involved if you follow best practice. I'll be on DNS for a while.

  8. #1148 rthonpm

    Quote Originally Posted by BillyCarpenter:
    > rthonpm has been such a valuable resource for me and I try not to bug him any more than I have to.
    >
    > I found an article that is full of good information on Windows DNS but it starts off talking about DNS replication (2 DNS servers) and it's kinda throwing me off but this is what I've gathered thus far.
    >
    > You never, EVER, never EVER, want to use a public DNS server as your primary or secondary DNS server.
    >
    > Why?
    >
    > Because public DNS servers can't resolve internal IP addresses. I had learned that from rthonpm already but what about using a public DNS server for your secondary DNS? Bad idea. Why? Because your primary DNS server may be busy and the secondary DNS will be used and you run into the same problem.
    >
    > That's all I have for now.
    >
    > Is any of that wrong?
    >
    > PS - I did read about setting the loopback on the Windows DNS server. I had been doing that. That gets a little confusing when you're using 2 DNS servers.

    With two DNS servers, you have a hierarchy as I posted before:

    Your primary DNS server would be set like this, no matter how many DNS servers there are in the environment.

    DNS 1 = 127.0.0.1
    DNS 2 = IP of server

    Your secondary would be:

    DNS 1 = IP of primary
    DNS 2 = 127.0.0.1

    Your secondary and any other servers will always defer to the primary; this is due to always needing a definitive source that replicates to the subordinates. In Active Directory this becomes even more critical. The choice of DNS server for clients will go with the order that they are configured; again, you always want your primary listed first.

    In the settings for the DNS service, you can configure any external servers that the local server will forward requests it can't resolve.

    [Image: Screenshot 2021-12-04 170339.jpg]

    This is a sample from one of my DNS servers that's configured for both IPv4 and v6.
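    The rules in this post and in #1144 are simple to state but easy to drift from as servers get rebuilt, so they are worth checking mechanically: the primary lists 127.0.0.1 then its own IP, every secondary lists the primary then its loopback, every client lists the primary first, and nothing anywhere points at an external resolver (forwarders belong in the DNS service, not in any host's client settings). The following is an added example, not code from the thread: a Python audit over a constructed inventory of hosts with their configured resolver lists, in order. The inventory format is an assumption; on Windows the same per-host data could be collected with `Get-DnsClientServerAddress`. Two deliberately broken hosts are included: a workstation handed a public resolver first, and a secondary DNS server that points at itself and then at a public resolver, which is the "secondary gets used and nothing resolves" failure described in the quoted post.

```python
"""Check each host's DNS client settings against the hierarchy described in the posts above.

Added example, not from the thread. The inventory is constructed; on Windows the same
information could be gathered with Get-DnsClientServerAddress on each host.
"""
LOOPBACK = "127.0.0.1"

# Constructed inventory: role, own address, and the DNS servers configured on the host, in order.
# "member" hosts model what DHCP (or a static setting) handed to ordinary domain members.
INVENTORY = {
    "DC1":    {"role": "primary",   "ip": "192.168.1.2",  "dns": ["127.0.0.1", "192.168.1.2"]},
    "DC2":    {"role": "secondary", "ip": "192.168.1.3",  "dns": ["192.168.1.2", "127.0.0.1"]},
    "FILE1":  {"role": "member",    "ip": "192.168.1.20", "dns": ["192.168.1.2", "192.168.1.3"]},
    "PC-BAD": {"role": "member",    "ip": "192.168.1.50", "dns": ["8.8.8.8", "192.168.1.2"]},
    "DC-BAD": {"role": "secondary", "ip": "192.168.1.4",  "dns": ["192.168.1.4", "1.1.1.1"]},
}


def audit(inventory):
    """Return {host: [problems]} for hosts that break the rules; compliant hosts are absent."""
    primaries = [name for name, host in inventory.items() if host["role"] == "primary"]
    if len(primaries) != 1:
        return {"*": [f"expected exactly one primary DNS server, found {len(primaries)}"]}
    primary_ip = inventory[primaries[0]]["ip"]
    # Only the internal DNS servers (primary and secondaries) are acceptable resolvers.
    internal = {host["ip"] for host in inventory.values() if host["role"] in ("primary", "secondary")}

    findings = {}
    for name, host in inventory.items():
        problems = []
        servers = host["dns"]
        for server in servers:
            if server != LOOPBACK and server not in internal:
                problems.append(f"external resolver {server}: internal names will not resolve whenever it is used")
        if host["role"] == "primary":
            expected = [LOOPBACK, host["ip"]]
            if servers != expected:
                problems.append(f"primary should use {expected}, has {servers}")
        elif host["role"] == "secondary":
            expected = [primary_ip, LOOPBACK]
            if servers != expected:
                problems.append(f"secondary should use {expected}, has {servers}")
        elif not servers or servers[0] != primary_ip:
            problems.append(f"primary {primary_ip} should be listed first, has {servers}")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    report = audit(INVENTORY)
    if not report:
        print("all hosts follow the DNS hierarchy")
    for name, problems in report.items():
        for problem in problems:
            print(f"{name}: {problem}")
```

    The check only looks at the order of the resolver list, which is what the post says the client walks through; it does not test whether the servers answer, so a host that passes the audit can still have a broken zone, which is the part nslookup is for.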

  9. #1149 BillyCarpenter

    I hear you on the config for 2 DNS servers but I want to get 1 down first.


    Here's where I'm at thus far. I have DNS working, so when a user joins the domain, his static IP address is registered under the forward zone. When I give him a DHCP address, the a-record is automatically updated with the new DHCP address.

    However, a new pointer record is not created and that's because we must set up integration between DNS and DHCP. I'll update once I've done this.

  10. #1150 BillyCarpenter

    Quote Originally Posted by BillyCarpenter:
    > I hear you on the config for 2 DNS servers but I want to get 1 down first.
    >
    > Here's where I'm at thus far. I have DNS working, so when a user joins the domain, his static IP address is registered under the forward zone. When I give him a DHCP address, the a-record is automatically updated with the new DHCP address.
    >
    > However, a new pointer record is not created and that's because we must set up integration between DNS and DHCP. I'll update once I've done this.

    I'm trying to understand how this works. Here's the rule to live by:


    -- Pointer records are registered to DNS by the DHCP server.

    -- Host names are registered to DNS by the DHCP client.

    ** This is due to the DHCP client being the source of the host name and the DHCP server being the source of IP addresses.


    That's why I must integrate DNS and DHCP.

    I'll get back with ya.
