A Stub zone is one of the ways to forward DNS queries for a specific zone to the DNS server where that zone resides (the Master server). A Stub zone is similar to a Secondary zone, but instead of keeping a duplicate of all records, it keeps only the SOA and NS records from the Master. The other difference is that a Stub zone works without any additional configuration on the Master server. There are many use cases where a Stub zone is required, and that's why it is important to understand how to configure a Stub zone in Windows DNS Server.
How to Configure Stub Zone in Windows DNS Server
It is very easy to configure a Stub zone in Windows DNS Server. We can use either DNS Manager or PowerShell cmdlets. Each way is shown in the following sections using the scenario below:
We have an AD domain named mustbegeek.com, and AS-DCO001 is both the DC and the DNS server in that domain. There is another AD domain named corp.mbg.com, and BG-DCO001 is the DNS server in that domain. The hosts in corp.mbg.com need to be able to resolve the names of hosts in mustbegeek.com. However, for security reasons we don't want them to store a copy of all DNS records of mustbegeek.com on their DNS server. In this case, configuring a Stub zone can be the solution.
Using DNS Manager to Configure Stub Zone
A Stub zone only needs to be configured on the DNS server of the domain that needs name resolution for the other domain. In this case, hosts in corp.mbg.com are the ones that need name resolution for hosts in mustbegeek.com. Therefore, we must create a Stub zone named mustbegeek.com on BG-DCO001.
We start by opening Server Manager on BG-DCO001 and navigating to Tools > DNS Manager.
Expand the server name; under it you'll see a few items with a folder icon, including Forward Lookup Zones and Reverse Lookup Zones.
Since the target is a forward lookup zone, right click on Forward Lookup Zones and select New Zone.
Click Next on the welcome screen that appears.
Select Stub Zone on the zone type selection.
You can also tick Store the zone in Active Directory to have this zone replicated to other DNS servers. If you do, in the next step you will set the replication scope. In this example we chose to replicate the zone To all DNS servers running on domain controllers in this domain: corp.mbg.com.
In this step, specify the name of the stub zone you want to create. It must match the zone name on the Master. In this example it is mustbegeek.com.
Next, specify the IP address of the DNS server we will refer to (the Master server) for all information about the zone specified previously. In our case, we can get information about the zone mustbegeek.com from 192.168.0.7, which is the IP address of AS-DCO001. Enter the IP address in the available field and press Enter; if the entry is valid, it will be marked with a green check icon as shown below.
This is the last step: verify that everything is correct, then click Finish to confirm.
Right after creation, you may see the zone with an error message as shown below:
When you see this error, there is usually nothing you need to do except verify the network connection between the DNS servers and make sure no firewall is blocking the connectivity. You can wait a while and refresh the view, or you can initiate the transfer manually by right-clicking the zone name and selecting Transfer from Master.
When the transfer completes, you will see the result as in the picture below. Notice that in the Stub zone only the SOA, NS, and A records of the Master DNS server are present.
Using PowerShell to Configure Stub Zone
You can use PowerShell instead of DNS Manager to configure a Stub zone in Windows DNS Server. Using PowerShell is easier because there is essentially only one step. You only need to run the command below in an elevated PowerShell window to add a Stub zone that is integrated with Active Directory:
Add-DnsServerStubZone -Name ZONE_NAME -MasterServers MASTER_IP -ReplicationScope SCOPE
Replace ZONE_NAME with the name of the zone you want to create. Then replace MASTER_IP with the IP address of the Master server; separate multiple addresses with commas if you have more than one Master server. Lastly, replace SCOPE with one of these values, depending on the replication scope you want to set: "Forest", "Domain", "Legacy", or "Custom".
In our case, we use the PowerShell command below to get the same result as in the previous example:
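The following script is an added example, not the article's own command. It fills in the values from the scenario above (zone mustbegeek.com, Master 192.168.0.7, and the Domain replication scope that corresponds to the "all DNS servers running on domain controllers in this domain" option chosen in DNS Manager), checks that port 53 on the Master is reachable before creating the zone (the usual cause of the post-creation error shown earlier), and then triggers the same transfer as the Transfer from Master menu item. All cmdlets are from the DnsServer module; the variable names and the connectivity check are additions.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# window on BG-DCO001, the DNS server of corp.mbg.com.

$ZoneName  = 'mustbegeek.com'
$MasterIps = @('192.168.0.7')   # AS-DCO001; add more addresses here for redundant Masters

# The "zone not loaded" error seen right after creation is normally a
# connectivity or firewall problem, so test TCP 53 to the Master first.
$conn = Test-NetConnection -ComputerName $MasterIps[0] -Port 53
if (-not $conn.TcpTestSucceeded) {
    throw "TCP port 53 to Master $($MasterIps[0]) is blocked; fix the route/firewall before creating the zone."
}

# Create the AD-integrated Stub zone, replicated to all DNS servers on DCs in
# corp.mbg.com (-ReplicationScope Domain). Skip creation if the zone already exists.
if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
    Add-DnsServerStubZone -Name $ZoneName -MasterServers $MasterIps -ReplicationScope Domain -PassThru
}

# Same effect as right-click > Transfer from Master in DNS Manager.
Start-DnsServerZoneTransfer -Name $ZoneName -FullTransfer

# Confirm the zone type, replication scope and configured Master(s).
Get-DnsServerZone -Name $ZoneName |
    Format-List ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, MasterServers
```

If the zone is created on a server that is not a domain controller, drop -ReplicationScope and the zone is stored in a file instead; the rest of the script is unchanged.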
Working with Stub Zone in Windows DNS Server
Now that we have configured the Stub zone, hosts in corp.mbg.com will be able to look up hosts in mustbegeek.com.
A DNS server with a Stub zone forwards every DNS query for that zone on behalf of the client to the Master. It is the Master itself that performs the lookup and returns the answer to the first DNS server, which then forwards the answer to the client. Put simply, the DNS server with the Stub zone acts as an intermediary between the client and the Master.
A Stub zone works without having to keep a copy of all the records from the Master. In our case, corp.mbg.com needs to be able to look up mustbegeek.com. However, mustbegeek.com does not want all of its DNS records to be exposed. Creating a Secondary zone could be an option, but it is not considered here because a Secondary zone would copy all records of mustbegeek.com into corp.mbg.com. Therefore, in this situation a Stub zone is the better option.
This is why an administrator must also understand how to configure a Stub zone in Windows DNS Server.
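The check below is an added example, not part of the original article. It verifies the two properties described in this section on BG-DCO001: that the Stub zone itself contains only SOA, NS and glue A/AAAA records (so none of the Master's other records are stored locally), and that a lookup for a host in mustbegeek.com sent to the Stub server returns the same answer the Master gives directly. It assumes the Stub zone from the scenario exists, that the Master is 192.168.0.7, and that a host record named as-dco001 exists in mustbegeek.com (the hostname is an assumption for illustration).

```powershell
# Added example (not from the original article). Run on BG-DCO001 after the
# Stub zone mustbegeek.com has been created and transferred.

$ZoneName = 'mustbegeek.com'
$Master   = '192.168.0.7'          # AS-DCO001
$TestHost = "as-dco001.$ZoneName"  # assumed A record in the Master zone

# 1. Inventory the Stub zone. Only SOA, NS and the glue A/AAAA records of the
#    listed name servers are expected; anything else means the zone is not a
#    Stub zone (or was changed to Secondary) and would expose the Master's data.
$records = Get-DnsServerResourceRecord -ZoneName $ZoneName
$records | Group-Object RecordType | Select-Object Name, Count | Format-Table -AutoSize

$unexpected = $records | Where-Object { $_.RecordType -notin @('SOA', 'NS', 'A', 'AAAA') }
if ($unexpected) {
    Write-Warning ("Zone {0} holds record types beyond SOA/NS/glue: {1}" -f
        $ZoneName, (($unexpected.RecordType | Sort-Object -Unique) -join ', '))
}

# 2. Resolve a host through the Stub server and directly through the Master.
#    The Stub server relays the query to the Master, so both answers must match.
$viaStub   = Resolve-DnsName -Name $TestHost -Server localhost -Type A -ErrorAction Stop
$viaMaster = Resolve-DnsName -Name $TestHost -Server $Master   -Type A -ErrorAction Stop

$stubAnswer   = ($viaStub.IPAddress   | Sort-Object) -join ','
$masterAnswer = ($viaMaster.IPAddress | Sort-Object) -join ','

if ($stubAnswer -ne $masterAnswer) {
    Write-Warning "Answer via Stub zone ($stubAnswer) differs from Master ($masterAnswer); check the Master list and transfer state."
} else {
    "Resolved $TestHost through the Stub zone: $stubAnswer"
}

# 3. If the Master's address ever changes, update the Stub zone in place instead
#    of recreating it:
#    Set-DnsServerStubZone -Name $ZoneName -MasterServers '192.168.0.7'
```

Step 1 is the useful periodic check from the security angle: a zone that was meant to be a Stub but turns up with MX, SRV or host records beyond the name-server glue is no longer limiting what corp.mbg.com stores about mustbegeek.com.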