Introduction to DNS Server Role on Windows Server 2022

The Domain Name System (DNS) is the backbone of name resolution in any Windows Server environment. Whether you are running Active Directory, hosting web services, or managing internal network infrastructure, a properly configured DNS server is essential. Windows Server 2022 ships with a full-featured DNS Server role that supports modern DNS standards and features, including EDNS, DNSSEC, DNS policies and Response Rate Limiting. This guide walks through every step of deploying, configuring, and securing a DNS server on Windows Server 2022, from initial installation to advanced operational settings.

Installing the DNS Server Role

Before configuring DNS, you must install the DNS Server role. You can do this through Server Manager or PowerShell. Using PowerShell is faster and scriptable, which is preferred in production environments.

Open an elevated PowerShell session and run the following:

Install-WindowsFeature -Name DNS -IncludeManagementTools -Restart

The -IncludeManagementTools flag installs DNS Manager (dnsmgmt.msc) and the DNS PowerShell module. The -Restart flag is optional; omit it if you want to control the restart manually. After installation, verify the service is running:

Get-Service -Name DNS
Start-Service -Name DNS
Set-Service -Name DNS -StartupType Automatic

You can also confirm the role was installed with:

Get-WindowsFeature -Name DNS

Once installed, launch DNS Manager from the Start menu by typing dnsmgmt.msc or from Server Manager under the Tools menu.

Understanding DNS Zone Types

A DNS zone is a portion of the DNS namespace that is managed by a specific DNS server. Windows Server 2022 supports several zone types, and choosing the correct type is critical for your architecture.

Primary Zone: The authoritative read/write copy of the zone. All record changes are made here. It can be stored as a standard flat file or integrated into Active Directory.

Secondary Zone: A read-only copy of a primary zone, replicated from the primary via zone transfer. Used for redundancy and load distribution.

Stub Zone: Contains only NS records, SOA records, and the A records necessary to contact the authoritative name servers for a zone. Stub zones help with name resolution for delegated zones without maintaining a full secondary copy.

Active Directory Integrated Zone: Stores zone data in the AD DS database rather than flat files. This provides multi-master replication, secure dynamic updates, and eliminates the need for zone transfers between domain controllers acting as DNS servers. This is the recommended zone type in an AD environment.

Creating Forward and Reverse Lookup Zones

A forward lookup zone resolves hostnames to IP addresses. A reverse lookup zone resolves IP addresses back to hostnames (PTR records). Both are important in a well-managed network.

To create a primary forward lookup zone using PowerShell:

Add-DnsServerPrimaryZone -Name "corp.example.com" -ReplicationScope "Forest" -PassThru

The -ReplicationScope parameter makes the zone Active Directory integrated and controls which domain controllers replicate it: Forest (every DC running DNS in the forest), Domain (every DC running DNS in the domain), Legacy (the domain partition, kept for compatibility with Windows 2000 domain controllers) or Custom (a named application directory partition, given with -DirectoryPartitionName). It therefore only works on a domain controller; for a file-backed zone, omit -ReplicationScope and pass -ZoneFile instead. Set -DynamicUpdate explicitly as well: Secure accepts registrations only from authenticated domain members, whereas NonsecureAndSecure lets any host on the network create or overwrite records and should not be used.

To create a reverse lookup zone for the 192.168.10.0/24 network:

Add-DnsServerPrimaryZone -NetworkId "192.168.10.0/24" -ReplicationScope "Domain" -PassThru

This creates a zone named 10.168.192.in-addr.arpa automatically.

In DNS Manager, right-click Forward Lookup Zones and choose New Zone, then follow the wizard to configure zone type, AD integration, and dynamic update settings.
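The following is an added example, not code from the original article: it creates the forward and reverse zones from this section as AD-integrated zones that accept only secure dynamic updates, skips a zone that already exists instead of failing, and then reports any primary zone on the server that still allows nonsecure updates. The zone name, network ID and replication scopes are assumed values.

```powershell
# Added example (not from the original article). Assumes it runs elevated on a
# domain controller with the DnsServer module; zone names are assumed values.

function Get-ReverseZoneName {
    # Reverse zone name for an octet-aligned IPv4 network,
    # e.g. 192.168.10.0/24 -> 10.168.192.in-addr.arpa
    param([Parameter(Mandatory)] [string] $NetworkId)
    $net, $prefix = $NetworkId -split '/'
    if ([int]$prefix % 8 -ne 0) { throw 'Only /8, /16 and /24 networks are handled here' }
    $octets = @($net -split '\.')[0..([int]$prefix / 8 - 1)]
    [array]::Reverse($octets)
    return ($octets -join '.') + '.in-addr.arpa'
}

function New-SecureAdZone {
    param(
        [Parameter(Mandatory)] [string] $Name,   # zone name, or an IPv4 network in CIDR form
        [ValidateSet('Forest', 'Domain')] [string] $ReplicationScope = 'Domain'
    )
    $isNetwork = $Name -match '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$'
    $zoneName  = if ($isNetwork) { Get-ReverseZoneName $Name } else { $Name }

    # Idempotent: an existing zone is reported with its current update policy and left alone
    $existing = Get-DnsServerZone -Name $zoneName -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Warning "Zone $zoneName already exists (DynamicUpdate=$($existing.DynamicUpdate)); not changed"
        return $existing
    }
    if ($isNetwork) {
        Add-DnsServerPrimaryZone -NetworkId $Name -ReplicationScope $ReplicationScope `
            -DynamicUpdate Secure -PassThru -ErrorAction Stop
    } else {
        Add-DnsServerPrimaryZone -Name $Name -ReplicationScope $ReplicationScope `
            -DynamicUpdate Secure -PassThru -ErrorAction Stop
    }
}

function Get-NonsecureUpdateZone {
    # Zones where any host on the network can register or overwrite records without authenticating
    Get-DnsServerZone |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and
                       $_.DynamicUpdate -eq 'NonsecureAndSecure' } |
        Select-Object ZoneName, IsDsIntegrated, DynamicUpdate
}

New-SecureAdZone -Name 'corp.example.com' -ReplicationScope Forest
New-SecureAdZone -Name '192.168.10.0/24'
Get-NonsecureUpdateZone
```

Run Get-NonsecureUpdateZone on every DNS server after a migration or a wizard-driven zone creation; a zone that accepts nonsecure updates is the usual way an unauthenticated host gets to plant a record in an internal namespace.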

Configuring Conditional Forwarders

A conditional forwarder tells the DNS server to send queries for a specific domain to designated DNS servers instead of resolving them through recursion. It is commonly used for partner or acquired namespaces, multi-forest environments, and cloud-hosted private zones that are reachable only through a cloud resolver endpoint. Because the answers enter your cache, forward only to servers you trust for that namespace.

Add-DnsServerConditionalForwarderZone -Name "partner.example.com" -MasterServers 10.50.0.10 -ReplicationScope "Domain" -PassThru

To list all conditional forwarders:

Get-DnsServerZone | Where-Object { $_.ZoneType -eq "Forwarder" }

You can also configure standard forwarders (for all unresolved queries) in DNS Manager by right-clicking the server name and selecting Properties, then the Forwarders tab. Or via PowerShell:

Set-DnsServerForwarder -IPAddress "8.8.8.8","8.8.4.4" -UseRootHint $false

Setting -UseRootHint $false ensures that if the forwarders are unreachable, the server does not fall back to root hints and resolve on its own, which is appropriate where outbound DNS is meant to pass only through approved resolvers. The trade-off is that the forwarders become a hard dependency: list at least two, and prefer internal or enterprise resolvers over public ones unless policy allows the latter, since the server forwards in the clear over UDP/TCP 53. Verify the result with Get-DnsServerForwarder.
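The following is an added example, not code from the original article: it probes each candidate forwarder with a real query before committing the list, so a typo or a dead upstream is caught while the current configuration is still in place, and warns when only a single upstream survives. The forwarder addresses and the probe name are assumed values; use a name your upstream must be able to answer.

```powershell
# Added example (not from the original article). Candidate addresses and the
# probe name are assumed values.

function Set-ValidatedForwarder {
    param(
        [Parameter(Mandatory)] [string[]] $Candidate,
        [string] $ProbeName  = 'www.example.com',   # assumed; pick a name the upstream must answer
        [int]    $TimeoutSec = 3
    )
    # Keep only the candidates that actually answer a query
    $working = foreach ($ip in $Candidate) {
        try {
            $null = Resolve-DnsName -Name $ProbeName -Type A -Server $ip -DnsOnly -QuickTimeout -ErrorAction Stop
            $ip
        } catch {
            Write-Warning "Forwarder $ip did not answer for ${ProbeName}: $($_.Exception.Message)"
        }
    }
    $working = @($working)
    if ($working.Count -eq 0) {
        throw 'No candidate forwarder answered; existing forwarder configuration left unchanged'
    }
    if ($working.Count -lt 2) {
        Write-Warning 'Only one working forwarder: with root-hint fallback off, its outage stops all external resolution'
    }
    # Root-hint fallback stays off, as in the section above, so external queries go only to these hosts
    Set-DnsServerForwarder -IPAddress $working -UseRootHint $false -Timeout $TimeoutSec
    Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint, Timeout
}

Set-ValidatedForwarder -Candidate '10.0.0.53', '10.0.1.53'
```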

DNS Scavenging and Aging

Stale DNS records accumulate as machines join and leave the network, and a stale record can point a hostname at an address that has since been handed to a different machine. DNS scavenging removes dynamic records whose timestamps have not been refreshed within a defined period. Two per-zone intervals govern it: the no-refresh interval (after a record's timestamp is set, client refreshes are accepted but do not update the timestamp, which limits replication traffic) and the refresh interval (the window after that in which a client refresh does update the timestamp; a record not refreshed by the end of it becomes eligible for scavenging).

Enable scavenging on the DNS server:

Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00 -PassThru

Enable aging on a specific zone:

Set-DnsServerZoneAging -Name "corp.example.com" -Aging $true -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00 -PassThru

With these settings, a record that has not been refreshed in 14 days (7-day no-refresh plus 7-day refresh) becomes eligible for removal, and it is deleted on the next scavenging pass, so the worst case before removal is no-refresh plus refresh plus the scavenging interval. Only dynamically registered records carry a timestamp and are subject to scavenging; statically created records have none and are never removed. Scavenging runs only on servers where ScavengingState is enabled, so enable it on one server per zone (or pin the zone to specific servers with -ScavengeServers on Set-DnsServerZoneAging) to keep the behaviour predictable, and remember that hosts absent longer than the combined interval, such as laptops, lose their records and re-register on return.

To manually trigger scavenging:

Start-DnsServerScavenging -Force -PassThru
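The following is an added example, not code from the original article: before switching scavenging on, it lists the dynamic records in a zone that are already older than NoRefresh + Refresh and would therefore be deleted on the next pass, using the zone's own aging intervals. Static records carry no timestamp and are skipped. The zone name is an assumed value.

```powershell
# Added example (not from the original article). The zone name is an assumed value.

function Get-ScavengeCandidate {
    param([Parameter(Mandatory)] [string] $ZoneName)
    $aging = Get-DnsServerZoneAging -Name $ZoneName
    if (-not $aging.AgingEnabled) {
        Write-Warning "Aging is not enabled on $ZoneName; showing what the configured intervals would remove"
    }
    # A record is eligible once its timestamp is older than NoRefresh + Refresh
    $cutoff = (Get-Date) - ($aging.NoRefreshInterval + $aging.RefreshInterval)

    Get-DnsServerResourceRecord -ZoneName $ZoneName |
        Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |   # static records have no timestamp
        Sort-Object Timestamp |
        Select-Object HostName, RecordType, Timestamp, @{
            Name       = 'Data'
            Expression = {
                $rec = $_   # switch rebinds $_, so capture the record first
                switch ($rec.RecordType) {
                    'A'     { $rec.RecordData.IPv4Address.IPAddressToString }
                    'AAAA'  { $rec.RecordData.IPv6Address.IPAddressToString }
                    'PTR'   { $rec.RecordData.PtrDomainName }
                    'CNAME' { $rec.RecordData.HostNameAlias }
                    'SRV'   { '{0}:{1}' -f $rec.RecordData.DomainName, $rec.RecordData.Port }
                    default { '' }
                }
            }
        }
}

$candidates = Get-ScavengeCandidate -ZoneName 'corp.example.com'
$candidates | Format-Table -AutoSize
'{0} record(s) would be removed on the next scavenging pass' -f @($candidates).Count
```

If the list contains records you expect to keep, either convert them to static records or have their owners re-register before enabling scavenging; a scavenging pass cannot be undone.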

EDNS (Extension Mechanisms for DNS)

EDNS0 extends the original DNS protocol to support larger UDP payloads (beyond the original 512-byte limit), DNSSEC data, and other options. Windows Server 2022 DNS supports EDNS0 by default. You can view and configure EDNS settings:

Get-DnsServerEdns

To tune EDNS probing and how long the result of a probe is cached (EDNS itself stays enabled; -EnableReception on the same cmdlet controls whether the server accepts queries that carry an EDNS record):

Set-DnsServerEdns -EnableProbes $true -CacheTimeout 0.00:15:00 -PassThru

EDNS probing allows the server to detect which upstream resolvers support EDNS and adjust packet sizes accordingly, preventing fragmentation issues.

Viewing and Modifying DNS Server Settings

The Get-DnsServer cmdlet returns a comprehensive object with all server configuration properties:

Get-DnsServer | Select-Object -ExpandProperty ServerSetting

Server-level settings such as listening addresses, round-robin and netmask ordering are changed by retrieving the settings object, editing its properties, and writing it back with Set-DnsServerSetting, which accepts only -InputObject and has no per-setting parameters. To bind the service to specific addresses only:

$setting = Get-DnsServerSetting -All -ComputerName "DC01"
$setting.ListeningIPAddress = "192.168.10.5","127.0.0.1"
Set-DnsServerSetting -InputObject $setting -ComputerName "DC01" -PassThru

Disable recursion to create an authoritative-only DNS server (useful for public-facing DNS). On Windows DNS this also disables forwarders, so never do it on a server that domain members use as their resolver; the server will then answer only for the zones it hosts:

Set-DnsServerRecursion -Enable $false -PassThru

Adjust the maximum cache TTL to prevent stale cached data:

Set-DnsServerCache -MaxTtl 1.00:00:00 -MaxNegativeTtl 0.00:15:00 -PassThru
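The following is an added example, not code from the original article: it applies the listening-address, recursion and cache settings from this section in one pass and returns the effective values so the result can be checked. It also sets cache locking and pollution protection explicitly, since those are the server's built-in defences against cache poisoning and should be enforced rather than assumed. The addresses are assumed values.

```powershell
# Added example (not from the original article). Addresses are assumed values.

function Set-DnsServerBaseline {
    param(
        [string[]]  $ListenOn,
        [bool]      $Recursion      = $true,
        [timespan]  $MaxTtl         = '1.00:00:00',
        [timespan]  $MaxNegativeTtl = '0.00:15:00'
    )
    # Server-wide settings have no individual parameters: edit the object and write it back
    $setting = Get-DnsServerSetting -All
    if ($ListenOn) { $setting.ListeningIPAddress = $ListenOn }
    Set-DnsServerSetting -InputObject $setting

    # Recursion off also turns forwarders off; keep it on for any server that clients resolve through
    Set-DnsServerRecursion -Enable $Recursion

    # LockingPercent 100 stops a cached record being overwritten until its TTL expires;
    # PollutionProtection discards records outside the responding server's authority
    Set-DnsServerCache -LockingPercent 100 -PollutionProtection $true `
        -MaxTtl $MaxTtl -MaxNegativeTtl $MaxNegativeTtl

    $cache = Get-DnsServerCache
    [pscustomobject]@{
        ListeningIPAddress  = (Get-DnsServerSetting).ListeningIPAddress
        RecursionEnabled    = (Get-DnsServerRecursion).Enable
        LockingPercent      = $cache.LockingPercent
        PollutionProtection = $cache.PollutionProtection
        MaxTtl              = $cache.MaxTtl
        MaxNegativeTtl      = $cache.MaxNegativeTtl
    }
}

Set-DnsServerBaseline -ListenOn '192.168.10.5', '127.0.0.1'
```

The returned object is what to compare against your baseline in a configuration check; a LockingPercent below 100 or PollutionProtection set to false on a resolver that serves clients is worth an alert.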

DNS Debug Logging

When troubleshooting DNS resolution issues, enabling the DNS debug log captures all queries and responses with timestamps. This is invaluable for diagnosing mis-configurations and security incidents.

Enable debug logging via DNS Manager: right-click the server, select Properties, and navigate to the Debug Logging tab. Configure which events to log (queries, responses, specific transports) and the log file path.

Via PowerShell:

Set-DnsServerDiagnostics -All $true -LogFilePath "C:\DNS\dns_debug.log" -MaxMBFileSize 500 -UseSystemEventLog $false -PassThru

View the current diagnostics configuration:

Get-DnsServerDiagnostics

Disable debug logging when troubleshooting is finished; it adds disk I/O and can fill the disk quickly on a busy server. For ongoing monitoring, the Microsoft-Windows-DNSServer/Analytical event log (available since Windows Server 2012 R2) records the same per-query detail with lower overhead and is the better choice for feeding a SIEM.
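The following is an added example, not code from the original article: it parses lines in the layout the Windows DNS debug log uses (date, time, thread, PACKET, packet id, protocol, direction, client, xid, R flag, opcode, [flags rcode], qtype, label-encoded qname) and summarises queries and NXDOMAIN answers per client, which is a quick way to spot a host enumerating names or tunnelling data. The sample lines are constructed for the example; the regex assumes a US date format, so adjust it if your locale writes dates differently.

```powershell
# Added example (not from the original article). The log lines below are
# constructed samples in the debug-log layout; the parser is not Microsoft code.

$SampleLog = @'
12/1/2023 10:15:02 AM 0B38 PACKET  000001E5A1B2C3D0 UDP Rcv 192.168.10.50   0002   Q [0001   D   NOERROR] A      (3)www(4)corp(7)example(3)com(0)
12/1/2023 10:15:02 AM 0B38 PACKET  000001E5A1B2C3D0 UDP Snd 192.168.10.50   0002 R Q [8085   DR  NOERROR] A      (3)www(4)corp(7)example(3)com(0)
12/1/2023 10:15:03 AM 0B38 PACKET  000001E5A1B2C4E0 UDP Rcv 192.168.10.77   a1f3   Q [0001   D   NOERROR] A      (12)zq8k2l9x7m4p(4)corp(7)example(3)com(0)
12/1/2023 10:15:03 AM 0B38 PACKET  000001E5A1B2C4E0 UDP Snd 192.168.10.77   a1f3 R Q [8385   A DR  NXDOMAIN] A      (12)zq8k2l9x7m4p(4)corp(7)example(3)com(0)
12/1/2023 10:15:04 AM 0B38 PACKET  000001E5A1B2C5F0 UDP Rcv 192.168.10.77   a1f4   Q [0001   D   NOERROR] A      (12)b7n3v1c8x2m5(4)corp(7)example(3)com(0)
12/1/2023 10:15:04 AM 0B38 PACKET  000001E5A1B2C5F0 UDP Snd 192.168.10.77   a1f4 R Q [8385   A DR  NXDOMAIN] A      (12)b7n3v1c8x2m5(4)corp(7)example(3)com(0)
'@

# One packet line: timestamp, thread id, PACKET, packet id, proto, direction, client, xid,
# optional R (response), opcode, [flags-hex flags rcode], qtype, qname
$LinePattern = '^(?<ts>.+?)\s+[0-9A-Fa-f]{4}\s+PACKET\s+[0-9A-Fa-f]+\s+(?<proto>UDP|TCP)\s+(?<dir>Snd|Rcv)\s+(?<client>\S+)\s+(?<xid>[0-9A-Fa-f]{4})\s+(?<resp>R?)\s*(?<op>\w)\s+\[(?<flagshex>[0-9A-Fa-f]{4})\s+(?<flags>.*?)\s*(?<rcode>\w+)\]\s+(?<qtype>\S+)\s+(?<qname>\S+)\s*$'

function ConvertFrom-DnsDebugLog {
    param([Parameter(Mandatory, ValueFromPipeline)] [AllowEmptyString()] [string] $Line)
    process {
        if ($Line -match $LinePattern) {
            [pscustomobject]@{
                Time       = $Matches.ts
                Direction  = $Matches.dir
                Client     = $Matches.client
                IsResponse = $Matches.resp -eq 'R'
                RCode      = $Matches.rcode
                QType      = $Matches.qtype
                # (3)www(4)corp(7)example(3)com(0) -> www.corp.example.com
                QName      = ($Matches.qname -replace '\(\d+\)', '.').Trim('.')
            }
        }
        # header, blank and non-packet lines simply do not match and are dropped
    }
}

function Get-DnsClientSummary {
    param([Parameter(Mandatory)] [object[]] $Packet)
    $Packet | Group-Object Client | ForEach-Object {
        $g        = $_
        $queries  = @($g.Group | Where-Object { $_.Direction -eq 'Rcv' -and -not $_.IsResponse })
        $nxdomain = @($g.Group | Where-Object { $_.Direction -eq 'Snd' -and $_.RCode -eq 'NXDOMAIN' })
        [pscustomobject]@{
            Client      = $g.Name
            Queries     = $queries.Count
            NXDomain    = $nxdomain.Count
            NXDomainPct = if ($queries.Count) { [math]::Round(100 * $nxdomain.Count / $queries.Count) } else { 0 }
            UniqueNames = @($queries.QName | Sort-Object -Unique).Count
        }
    } | Sort-Object NXDomainPct -Descending
}

$packets = $SampleLog -split "`r?`n" | ConvertFrom-DnsDebugLog
Get-DnsClientSummary -Packet $packets | Format-Table -AutoSize
# Against a real log: Get-Content C:\DNS\dns_debug.log | ConvertFrom-DnsDebugLog
```

A client whose queries are mostly NXDOMAIN with a high count of unique names is the pattern to chase first; legitimate clients mostly repeat a small set of names that resolve.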

Restricting Zone Transfers

Zone transfers (AXFR/IXFR) copy complete zone data between DNS servers. A zone that answers transfer requests from any host gives an attacker a full inventory of your names and addresses in a single query, so the transfer policy of every primary zone should be checked explicitly rather than assumed: the default applied to a new zone depends on how it was created.

To allow transfers only to named servers, list them with -SecondaryServers; -NotifyServers controls only which servers receive change notifications, and takes effect only together with -Notify NotifyServers:

Set-DnsServerPrimaryZone -Name "corp.example.com" -SecureSecondaries TransferToSecureServers -SecondaryServers "192.168.10.6","192.168.10.7" -Notify NotifyServers -NotifyServers "192.168.10.6","192.168.10.7" -PassThru

The SecureSecondaries options are: NoTransfer, TransferAnyServer, TransferToZoneNameServer, and TransferToSecureServers.

To deny zone transfers entirely:

Set-DnsServerPrimaryZone -Name "corp.example.com" -SecureSecondaries NoTransfer -PassThru

For AD-integrated zones, replication between domain controllers is handled by AD replication, so set NoTransfer unless you deliberately feed a non-AD secondary from the zone.
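The following is an added example, not code from the original article: it finds every primary zone that will hand its contents to any host and locks it down, giving AD-integrated zones NoTransfer and limiting file-backed zones to an explicit secondary list that also receives NOTIFY. It supports -WhatIf so the change can be previewed. The secondary addresses are assumed values.

```powershell
# Added example (not from the original article). Secondary addresses are assumed values.

function Repair-ZoneTransferPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]] $AllowedSecondary = @())

    $primaryZones = {
        Get-DnsServerZone |
            Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and
                           $_.ZoneName -ne 'TrustAnchors' }
    }

    foreach ($zone in (& $primaryZones)) {
        # Only the open policy is changed; NoTransfer and the two restricted modes are left as found
        if ($zone.SecureSecondaries -ne 'TransferAnyServer') { continue }

        if ($zone.IsDsIntegrated -or $AllowedSecondary.Count -eq 0) {
            if ($PSCmdlet.ShouldProcess($zone.ZoneName, 'Set SecureSecondaries=NoTransfer')) {
                Set-DnsServerPrimaryZone -Name $zone.ZoneName -SecureSecondaries NoTransfer
            }
        } else {
            $msg = 'Restrict transfers and NOTIFY to {0}' -f ($AllowedSecondary -join ', ')
            if ($PSCmdlet.ShouldProcess($zone.ZoneName, $msg)) {
                Set-DnsServerPrimaryZone -Name $zone.ZoneName `
                    -SecureSecondaries TransferToSecureServers -SecondaryServers $AllowedSecondary `
                    -Notify NotifyServers -NotifyServers $AllowedSecondary
            }
        }
    }

    # Report the resulting policy for every primary zone, changed or not
    & $primaryZones | Select-Object ZoneName, IsDsIntegrated, SecureSecondaries, SecondaryServers, NotifyServers
}

Repair-ZoneTransferPolicy -AllowedSecondary '192.168.10.6', '192.168.10.7' -WhatIf
Repair-ZoneTransferPolicy -AllowedSecondary '192.168.10.6', '192.168.10.7'
```

TransferToZoneNameServer is deliberately left untouched: it is restrictive, but it trusts the zone's NS records, so anyone who can add an NS record (for example through nonsecure dynamic updates) can also obtain a transfer. Prefer the explicit secondary list where you can.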

Round-Robin DNS

Round-robin DNS is a simple load distribution technique where multiple A records for the same hostname are served in rotating order, distributing client connections across multiple servers. Windows Server 2022 DNS supports this natively.

Enable or disable round-robin at the server level. It is a property of the server settings object, so retrieve the object, set the property and write it back:

$setting = Get-DnsServerSetting -All
$setting.RoundRobin = $true
Set-DnsServerSetting -InputObject $setting -PassThru

Then create multiple A records for the same hostname pointing to different IPs:

Add-DnsServerResourceRecordA -ZoneName "corp.example.com" -Name "www" -IPv4Address "192.168.10.20"
Add-DnsServerResourceRecordA -ZoneName "corp.example.com" -Name "www" -IPv4Address "192.168.10.21"
Add-DnsServerResourceRecordA -ZoneName "corp.example.com" -Name "www" -IPv4Address "192.168.10.22"

Each successive DNS query for www.corp.example.com will receive the A records in a different order, causing clients to connect to different servers. Note that round-robin DNS is not true load balancing — it does not account for server health or actual load — but it is a zero-cost distribution mechanism suitable for stateless services.

Also enable netmask ordering if clients are spread across subnets, using the same settings object:

$setting = Get-DnsServerSetting -All
$setting.LocalNetPriority = $true
Set-DnsServerSetting -InputObject $setting -PassThru

With local netmask ordering enabled, the DNS server prioritizes returning IP addresses on the same subnet as the querying client.
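The following is an added example, not code from the original article: it queries a round-robin name repeatedly against the server and tallies which address comes first in each answer, which makes the rotation visible (or, with netmask ordering on and a client sitting on one of the record subnets, shows that the same address is pinned to the top). The name and server are assumed values.

```powershell
# Added example (not from the original article). Name and server are assumed values.

function Test-RoundRobin {
    param(
        [string] $Name    = 'www.corp.example.com',
        [string] $Server  = '127.0.0.1',
        [int]    $Queries = 12
    )
    Clear-DnsClientCache   # so a cached answer on this host cannot mask the rotation
    $tally = @{}
    for ($i = 0; $i -lt $Queries; $i++) {
        $answer = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -NoHostsFile -ErrorAction Stop |
                  Where-Object { $_.Type -eq 'A' }
        $first  = @($answer)[0].IPAddress
        $tally[$first] = 1 + [int]$tally[$first]
    }
    # With three A records and round-robin on, each address should lead roughly a third of the answers
    $tally.GetEnumerator() | Sort-Object Name | ForEach-Object {
        [pscustomobject]@{ FirstAddress = $_.Name; Seen = $_.Value }
    }
}

Test-RoundRobin | Format-Table -AutoSize
```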

Verifying DNS Server Health

Use the following commands to verify your DNS server is functioning correctly after configuration:

# Test local resolution
Resolve-DnsName -Name "dc01.corp.example.com" -Server 127.0.0.1

# Check server statistics
Get-DnsServerStatistics

# Verify zone list
Get-DnsServerZone | Format-Table ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate

# Check DNS event log
Get-WinEvent -LogName "DNS Server" -MaxEvents 20 | Format-List TimeCreated, Message

Regularly reviewing DNS event logs and statistics helps catch configuration drift, cache poisoning attempts, or resolution failures before they impact users.
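The following is an added example, not code from the original article: it asks each name server listed for a zone for its SOA record and compares the serials, which catches a secondary that has stopped receiving transfers or a server that is unreachable. For AD-integrated zones each domain controller maintains its own serial, so a mismatch there is only a hint and the record sets should be compared directly. The zone name and the server used for the NS lookup are assumed values.

```powershell
# Added example (not from the original article). Zone and server are assumed values.

function Test-ZoneNameServer {
    param(
        [Parameter(Mandatory)] [string] $ZoneName,
        [string] $Server = '127.0.0.1'
    )
    # Which servers claim to be authoritative, according to the server we trust
    $nameServers = Resolve-DnsName -Name $ZoneName -Type NS -Server $Server -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'NS' } | Select-Object -ExpandProperty NameHost

    $results = foreach ($ns in $nameServers) {
        try {
            $soa = Resolve-DnsName -Name $ZoneName -Type SOA -Server $ns -DnsOnly -QuickTimeout -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
            [pscustomobject]@{ NameServer = $ns; Serial = $soa.SerialNumber; Primary = $soa.PrimaryServer; Status = 'OK' }
        } catch {
            [pscustomobject]@{ NameServer = $ns; Serial = $null; Primary = $null; Status = "FAIL: $($_.Exception.Message)" }
        }
    }

    $serials = @($results | Where-Object Status -eq 'OK' | Select-Object -ExpandProperty Serial | Sort-Object -Unique)
    [pscustomobject]@{
        ZoneName   = $ZoneName
        Consistent = ($serials.Count -eq 1) -and -not ($results | Where-Object Status -ne 'OK')
        Servers    = $results
    }
}

$check = Test-ZoneNameServer -ZoneName 'corp.example.com'
$check.Servers | Format-Table -AutoSize
'Serials consistent across reachable servers: {0}' -f $check.Consistent
```

Schedule this alongside the commands above; a serial that lags on one secondary for longer than the SOA refresh interval means that server is serving stale data, and a FAIL status for a server still listed in NS records means clients are being referred to a host that does not answer.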

Conclusion

Deploying a DNS Server role on Windows Server 2022 is straightforward, but operating it effectively requires understanding zone types, replication, scavenging, security restrictions, and monitoring. By leveraging both DNS Manager and the DNS PowerShell module, administrators can automate configuration, enforce security policies, and maintain reliable name resolution across their infrastructure. The combination of AD-integrated zones, conditional forwarders, and proper scavenging settings forms the foundation of a robust enterprise DNS deployment.