Configure Stub Zone in Windows DNS Server





A Stub zone is one way to send DNS queries for a specific zone to the DNS servers that are authoritative for it (the Master servers). A Stub zone is similar to a Secondary zone, but instead of holding a duplicate of all records it keeps only the SOA record, the NS records, and the glue A records of the zone's name servers, all pulled from the Master. The other difference is that a Stub zone works without any additional configuration on the Master server, because it refreshes itself with ordinary DNS queries for those records rather than with a zone transfer. There are many use cases where a Stub zone is required, and that's why it is important to understand how to Configure Stub Zone in Windows DNS Server.

How to Configure Stub Zone in Windows DNS Server

It is very easy to configure a Stub zone in Windows DNS Server. We can use either DNS Manager or PowerShell cmdlets. Both ways are shown in the next sections using the scenario below:

We have an AD domain named mustbegeek.com, and AS-DCO001 is both the DC and the DNS server in that domain. There is another AD domain named corp.mbg.com, and BG-DCO001 is the DNS server in that domain. Hosts in corp.mbg.com need name resolution for hosts in mustbegeek.com. However, for security reasons we don't want their DNS server to hold a copy of all the DNS records in mustbegeek.com. In this case, configuring a Stub zone can be the solution.

Using DNS Manager to Configure Stub Zone

A Stub zone only needs to be configured on the DNS server of the domain that needs name resolution for the other domain. In this case, hosts in corp.mbg.com are the ones that need name resolution for hosts in mustbegeek.com. Therefore, we must create a Stub zone named mustbegeek.com on BG-DCO001.



We start by opening Server Manager on BG-DCO001 and navigating to Tools > DNS Manager.

Configure Stub Zone in Windows DNS Server - 1

Expand the server name, and under it you'll see a few items with a folder icon, including Forward Lookup Zones and Reverse Lookup Zones.

Configure Stub Zone in Windows DNS Server - 2

Since the target is a forward lookup zone, right-click Forward Lookup Zones and select New Zone.

Configure Stub Zone in Windows DNS Server - 3

Click Next on the welcome screen that appears.

Configure Stub Zone in Windows DNS Server - 4

Select Stub Zone on the zone type page.

Configure Stub Zone in Windows DNS Server - 5

You can also tick Store the zone in Active Directory to have this zone replicated to other DNS servers through AD replication. If you do, the next step asks for the replication scope. In this example we chose To all DNS servers running on domain controllers in this domain: corp.mbg.com (this is the "Domain" scope in the PowerShell cmdlet).

Configure Stub Zone in Windows DNS Server - 6

In this step, specify the name of the Stub zone that you want to create. It must match the zone name on the Master exactly. In this example it is mustbegeek.com.

Configure Stub Zone in Windows DNS Server - 7

Next, specify the IP address of the DNS server we will ask about the zone named in the previous step (the Master server). In our case, information about zone mustbegeek.com comes from 192.168.0.7, the IP address of AS-DCO001. Enter the IP address in the field and press Enter; the wizard queries the server, and if the entry is valid and the server answers it is marked with a green check icon as shown below.

Configure Stub Zone in Windows DNS Server - 8

This is the last step: verify that everything is correct, then click Finish to confirm.

Configure Stub Zone in Windows DNS Server - 9

Right after creation, you may see the zone with an error message as shown below:

Configure Stub Zone in Windows DNS Server - 10

When you see this error there is usually nothing to do except verify network connectivity between the DNS servers and make sure no firewall is blocking DNS (UDP and TCP port 53) from BG-DCO001 to the Master. You can wait a while and refresh the view, or initiate the transfer manually by right-clicking the zone name and selecting Transfer from Master.

Configure Stub Zone in Windows DNS Server - 11

When the transfer completes, you will see the result as in the picture below. Notice that the Stub zone holds only the SOA record, the NS records, and the A (glue) records of the zone's name servers; in this example that is the single A record of AS-DCO001. No other host records from mustbegeek.com are present.

Configure Stub Zone in Windows DNS Server - 12

Using PowerShell to Configure Stub Zone

You can use PowerShell instead of DNS Manager to configure a Stub zone in Windows DNS Server. Using PowerShell is simpler because there is only one step. Run the command below in an elevated PowerShell window to add a Stub zone that is integrated with Active Directory:

Add-DnsServerStubZone -Name ZONE_NAME -MasterServers MASTER_IP -ReplicationScope SCOPE

Replace ZONE_NAME with the name of the zone you want to create. Then replace MASTER_IP with the IP address of the Master server; separate multiple addresses with commas if you have more than one Master. Lastly, replace SCOPE with one of "Forest", "Domain", "Legacy", or "Custom", depending on the replication scope you want ("Custom" also requires -DirectoryPartitionName). If you want a file-backed Stub zone rather than an AD-integrated one, use -ZoneFile instead of -ReplicationScope.

In our case, we use the PowerShell command below to get the same result as in the previous example:

Configure Stub Zone in Windows DNS Server - 13
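As an added example (not code from the original post), here is the whole PowerShell procedure for the scenario above, run in an elevated window on BG-DCO001: the cmdlet with the scenario's values, followed by the checks a practitioner would want before trusting the zone. It assumes that as-dco001.mustbegeek.com is the FQDN of AS-DCO001 (the post only gives the host name and its IP, 192.168.0.7) and that Start-DnsServerZoneTransfer accepts a Stub zone as the scripted equivalent of Transfer from Master; if your build rejects it, use the DNS Manager menu item instead.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# window on BG-DCO001 (DNS server of corp.mbg.com).
# Assumption: as-dco001.mustbegeek.com is the FQDN of AS-DCO001 (192.168.0.7).
#Requires -Modules DnsServer

$ZoneName = 'mustbegeek.com'
$MasterIP = '192.168.0.7'    # AS-DCO001, the Master for the zone
$LocalDns = 'BG-DCO001'      # this server, the one clients in corp.mbg.com ask

# 1. Create the AD-integrated Stub zone. This is the same as the DNS Manager
#    wizard with "Store the zone in Active Directory" and the scope
#    "To all DNS servers running on domain controllers in this domain".
if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
    Add-DnsServerStubZone -Name $ZoneName -MasterServers $MasterIP -ReplicationScope Domain
}

# 2. Confirm the zone type. A Secondary zone here would mean a full copy of
#    mustbegeek.com, which is exactly what the scenario wants to avoid.
$zone = Get-DnsServerZone -Name $ZoneName
if ($zone.ZoneType -ne 'Stub') {
    throw "$ZoneName is a $($zone.ZoneType) zone on $LocalDns, not a Stub zone"
}

# 3. Scripted equivalent of right-click > Transfer from Master (assumption:
#    the cmdlet accepts a Stub zone). If the zone still shows the initial load
#    error afterwards, check UDP/TCP 53 from this server to $MasterIP first.
Start-DnsServerZoneTransfer -Name $ZoneName -FullTransfer

# 4. A Stub zone should hold only SOA, NS and the glue A records of the name
#    servers. Anything else means it is not behaving as a Stub zone.
$records = Get-DnsServerResourceRecord -ZoneName $ZoneName
$records | Format-Table HostName, RecordType, @{ n = 'Data'; e = {
        $d = $_.RecordData
        if ($d.IPv4Address) { $d.IPv4Address } elseif ($d.NameServer) { $d.NameServer } else { $d.PrimaryServer }
    } } -AutoSize
$unexpected = $records | Where-Object { $_.RecordType -notin 'SOA', 'NS', 'A' }
if ($unexpected) {
    Write-Warning "Unexpected record types in Stub zone: $(($unexpected.RecordType | Sort-Object -Unique) -join ', ')"
}

# 5. End-to-end check, the "After" picture in the next section: ask BG-DCO001
#    for a name in mustbegeek.com. -DnsOnly skips LLMNR/NetBIOS so the answer
#    has to come through DNS, i.e. via the Stub zone's NS records.
Resolve-DnsName -Name "as-dco001.$ZoneName" -Type A -Server $LocalDns -DnsOnly
```

Step 4 is the check that matters for the security goal of the scenario: if it ever lists MX, SRV or host A records for other machines, the zone on BG-DCO001 is a Secondary zone (or was converted to one), not a Stub zone.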

Working with Stub Zone in Windows DNS Server

Now that the Stub zone is configured, hosts in corp.mbg.com are able to look up hosts in mustbegeek.com.

Before

Configure Stub Zone in Windows DNS Server - 14

After

Configure Stub Zone in Windows DNS Server - 15

A DNS server hosting a Stub zone does not hold the answers itself. When a client asks it for a name in mustbegeek.com, it uses the NS records and glue A records in the Stub zone to find the authoritative servers for that zone, sends them an iterative query, and returns their answer to the client. So in simple terms, the Stub zone tells BG-DCO001 where the authoritative servers for mustbegeek.com are, and BG-DCO001 acts as the intermediary between the client and those servers. Note that it is the NS records, not the Master server list, that drive resolution; the Master list is only used to load and refresh the Stub zone.

A Stub zone works without keeping a copy of all the records from the Master. In our case, corp.mbg.com needs to be able to look up names in mustbegeek.com, but mustbegeek.com does not want all of its DNS records to be held on another domain's DNS server. A Secondary zone would be an option, but it is not considered here because it copies every record in mustbegeek.com into corp.mbg.com. Therefore, in this situation, a Stub zone is the better option. Two caveats are worth keeping in mind. First, the Stub zone is configured on corp.mbg.com's side, so it only governs what BG-DCO001 stores; if mustbegeek.com wants to actually prevent other servers from pulling the whole zone, it must restrict zone transfers in the zone's settings on the Master. Second, the authoritative servers still answer individual queries for any name, so a Stub zone limits bulk copying of the zone, not lookups of specific names.
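As an added example (not from the original post) of the check that belongs on the other side of this arrangement: the Stub zone on BG-DCO001 decides only what BG-DCO001 stores, while whether any server can pull a full copy of mustbegeek.com is decided by the zone transfer setting on the Master. The script below runs on AS-DCO001, reports the current setting, and restricts transfers to the zone's own name servers; the commented lines at the end are a negative test to run from BG-DCO001. It assumes the zone is a Primary (AD-integrated) zone on AS-DCO001, which follows from AS-DCO001 being the DC and DNS server of that domain, and that as-dco001.mustbegeek.com is that server's FQDN.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# window on AS-DCO001, the Master for mustbegeek.com.
#Requires -Modules DnsServer

$ZoneName = 'mustbegeek.com'
$zone = Get-DnsServerZone -Name $ZoneName
if ($zone.ZoneType -ne 'Primary') {
    throw "$ZoneName is a $($zone.ZoneType) zone here; the zone transfer policy is set on the primary"
}

# SecureSecondaries is the "Zone Transfers" tab of the zone properties:
#   NoTransfer               - nobody may pull the zone
#   TransferAnyServer        - anyone who can reach port 53 may pull it (AXFR)
#   TransferToZoneNameServer - only the servers listed in the zone's NS records
#   TransferToSecureServers  - only the IPs given with -SecondaryServers
"Zone transfer policy for $ZoneName is currently: $($zone.SecureSecondaries)"
if ($zone.SecureSecondaries -eq 'TransferAnyServer') {
    Write-Warning 'Any host, BG-DCO001 included, could copy the whole zone; a Stub zone on their side does not change that.'
}

# Restrict transfers to the zone's own name servers. Domain controllers
# hosting an AD-integrated zone replicate it through Active Directory, not
# through AXFR, so this does not affect replication between them.
Set-DnsServerPrimaryZone -Name $ZoneName -SecureSecondaries TransferToZoneNameServer
(Get-DnsServerZone -Name $ZoneName).SecureSecondaries    # now TransferToZoneNameServer

# Negative test, to be run from BG-DCO001 rather than here (a request from
# AS-DCO001 to itself comes from an NS address and would be allowed).
# nslookup's "ls -d" asks for a full zone transfer and should now be refused,
# while an ordinary lookup of an individual name still succeeds, which is the
# point: a Stub zone limits bulk copying, not queries for specific names.
#   'server 192.168.0.7', "ls -d $ZoneName" | nslookup
#   Resolve-DnsName -Name "as-dco001.$ZoneName" -Type A -Server 192.168.0.7 -DnsOnly
```

If mustbegeek.com also has Secondary zones on servers that are not in its NS records, use TransferToSecureServers with -SecondaryServers listing those IPs instead, so that the restriction does not break them.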

This is why administrators must also understand how to configure a Stub zone in Windows DNS Server.





Arranda Saputra

ITIL Certified, CCNA, CCDA, VCP6-DCV, MCSA Administering Windows Server 2012
I am an IT practitioner in real life with a specialization in network and server infrastructure. I have years of experience in the design, analysis, operation, and optimization of infrastructure solutions for enterprise-scale networks. You can send me a message on LinkedIn or email arranda.saputra@outlook.com for further inquiries regarding the stuff I wrote or opportunities to collaborate on a project.

