Sometimes I am a little surprised how many questions I get about DNS (Domain Name System). What many people find especially difficult is setting up DNS. DNS is the basis of the internet. Compare it with a phone book: in a telephone book you look up a telephone number by a name, and in DNS you look up an IP address by a name. A name (domain name) is easier to remember than an IP address. Imagine having to remember the number “188.8.131.52” to go to Google.nl, or “184.108.40.206” to go to Wikipedia.nl. It gets even worse once we switch to IPv6: then you would have to type “2a00:1450:400e:80c::2003” to reach Google.nl. DNS to the rescue!
The “internet” therefore consists of IP addresses. Think of an IP address as a house number: traffic (the mail) must know where it has to be delivered, and package A must go to a different destination than package B. Because names are easier to remember than IP addresses, DNS was devised.
So when we want to send traffic to a certain destination, we as people use a name, but the transmission itself still uses an IP address. The moment we use a name and our computer does not yet know which IP address belongs to it, it sends the question to its configured DNS server (the recursive resolver). If that resolver has the answer cached, it returns the IP address straight away. If not, it works its way down the DNS tree: it first asks one of the 13 root servers (a.root-servers.net through m.root-servers.net). Think of these as the “main” telephone directories. The root servers do not hold the addresses themselves; they hold the root zone, which delegates each TLD (Top Level Domain, such as .nl or .org) to that TLD’s own name servers. The root zone is managed by ICANN (through IANA). Each of the 13 root server names actually stands for hundreds of redundant (anycast) servers spread around the world. The TLD servers in turn refer the resolver to the authoritative name servers of the domain, which finally return the IP address. Intermediate DNS servers cache the returned answer for a limited time, so that a follow-up request travels a shorter route, is answered faster and does not burden the upstream servers. How long an answer may be cached is determined by the TTL (Time To Live) value of the record. This is also why a DNS change can take a while before it is visible everywhere: caches keep serving the old answer until its TTL has expired.
However, DNS does more than convert a name to an IP address. DNS also describes the domain itself, its subdomains and which servers handle which kind of traffic (web, mail, other services). It does this with different types of so-called DNS records.
The “A” record is the best-known DNS record. The A record is an address record: it maps an FQDN (Fully Qualified Domain Name) to an IPv4 address. Google, for example, would have an A record mapping “www.google.com” to “220.127.116.11”.
The name in an A record is relative to the zone it lives in, so the domain name (google.com) is appended automatically. Google therefore creates an A record in the google.com zone with the name “www”, and that record applies to “www.google.com”.
You may also come across an AAAA record. The AAAA record is the IPv6 counterpart of the A record: it maps an FQDN to an IPv6 address.
With a CNAME record you create an alias for another name. CNAME stands for “Canonical Name record”. This is useful if you have many (sub)domains that must end up at the same IP address: create one A record and let the other (sub)domains refer to that name with a CNAME. If the IP address changes, you only have to change it in one place (the single A record). Two restrictions to keep in mind: a name that has a CNAME may carry no other records, and a CNAME cannot be placed at the apex of a zone (the bare domain itself), because the SOA and NS records live there.
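To make the resolution process and the A, AAAA and CNAME records above concrete, here is an added example in Python (not code from the original post): it builds a DNS query in wire format and parses a response, including the name compression that answers use to refer back to the question name, and returns each answer with its TTL. The response bytes are constructed inline for the example, not captured from a real server; the names and addresses (www.example.com, 192.0.2.10) are documentation placeholders.

```python
import socket
import struct

# Resource record type codes (RFC 1035, RFC 3596).
TYPE_A, TYPE_CNAME, TYPE_MX, TYPE_AAAA = 1, 5, 15, 28
TYPE_NAMES = {TYPE_A: "A", TYPE_CNAME: "CNAME", TYPE_MX: "MX", TYPE_AAAA: "AAAA"}


def encode_name(name: str) -> bytes:
    """Wire-format a domain name: each label prefixed by its length, terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a recursive query (RD=1) with a single question in class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(msg: bytes, offset: int):
    """Decode a name at offset, following compression pointers (0xC0xx = 14-bit offset).
    Returns (name, offset of the first byte after the name as it appeared in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            if end is None:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            hops += 1
            if hops > 64:  # pointers may point anywhere, so a hostile message can loop
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def decode_rdata(msg: bytes, rtype: int, start: int, rdlength: int):
    """Turn the RDATA of the record types covered in the post into readable values."""
    data = msg[start:start + rdlength]
    if rtype == TYPE_A:
        return socket.inet_ntop(socket.AF_INET, data)
    if rtype == TYPE_AAAA:
        return socket.inet_ntop(socket.AF_INET6, data)
    if rtype == TYPE_CNAME:
        return read_name(msg, start)[0]
    if rtype == TYPE_MX:
        return (struct.unpack("!H", data[:2])[0], read_name(msg, start + 2)[0])
    return data.hex()  # unknown type: keep the raw bytes


def parse_response(msg: bytes):
    """Return the answer section as a list of (owner, type, ttl, rdata) tuples."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit not set: this is a query, not a response")
    offset = 12
    for _ in range(qdcount):  # skip the question section (name + QTYPE + QCLASS)
        _, offset = read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        owner, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        answers.append((owner, TYPE_NAMES.get(rtype, str(rtype)), ttl,
                        decode_rdata(msg, rtype, offset, rdlength)))
        offset += rdlength
    return answers


# Constructed sample response (not captured traffic): an A query for www.example.com.
# answered with a CNAME to example.com. plus the A record of the target.
# 0xC00C points at the question name (offset 12); 0xC010 at its "example.com." suffix.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", TYPE_A, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", TYPE_CNAME, 1, 300, 2) + b"\xC0\x10"
    + b"\xC0\x10" + struct.pack("!HHIH", TYPE_A, 1, 60, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    for owner, rtype, ttl, rdata in parse_response(SAMPLE_RESPONSE):
        print(f"{owner:20} {ttl:>6} IN {rtype:6} {rdata}")
```

Note the hop limit in read_name: a compression pointer may point anywhere in the message, so a malicious answer can make pointers form a loop, and a parser that follows them blindly never terminates. The TTL on each answer is what a cache uses to decide how long it may keep serving that record.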
A DNAME record performs “Non-Terminal DNS Name Redirection”: it redirects a complete subtree of the DNS name space to another domain. This is in contrast to a CNAME, which only aliases a single name.
DNSSEC / DNSKEY / DS
DNS was never designed with security in mind: a plain answer can be forged by anyone who can get a packet to the requester before the real answer arrives. To add security to DNS, the DNSSEC (Domain Name System Security Extensions) protocol was designed. DNSSEC adds cryptographic signatures to DNS data, so that the requester of an IP address can check that the answer is authentic: it was signed with the zone’s private key and has not been altered in transit. DNSSEC thus lets a validating resolver detect DNS spoofing (cache poisoning). Note that it provides authenticity and integrity, not confidentiality: queries and answers are still sent in the clear.
The DNSSEC implementation adds several record types, of which DNSKEY and DS are the two key-related ones. The DNSKEY record carries a public key of the zone, and the DS record (published in the parent zone) carries a hash of a DNSKEY record. The signatures themselves are published in RRSIG records.
To understand this technique it helps to know that each DNSSEC-signed zone has two key pairs. The first is the ZSK (Zone Signing Key). The private ZSK is used to sign the DNS records in the zone (each signed record set gets an RRSIG record). The public ZSK is published in the zone as a DNSKEY record, so that a validating resolver can use it to check whether the records from this zone are authentic. For extra security a zone has a second DNSKEY record, the KSK (Key Signing Key), which signs the set of DNSKEY records and thereby vouches for the public ZSK. A hash of the KSK is what the parent zone publishes in its DS record; that is what links the zone into the chain of trust.
In short: the user requests a DNS record (an IP address). A validating resolver receives the answer together with its RRSIG signature and fetches the zone’s DNSKEY records. It checks the signature with the public ZSK, checks the ZSK against the KSK, and then checks the KSK against the hash in the DS record hosted in the parent zone. That DS record is itself signed, and so on up to the root zone, whose key the resolver has configured as a trust anchor. If every check succeeds, the information is authentic. If not, the answer is refused (the resolver returns SERVFAIL).
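The DS/DNSKEY relationship described in the last three paragraphs, as an added example in Python (not code from the original post): it computes the key tag and the DS digest of a DNSKEY record the way RFC 4034 specifies (canonical owner name followed by the DNSKEY RDATA, hashed with the digest algorithm the DS record names) and shows the comparison a validating resolver performs. The key material is constructed filler so the arithmetic can be followed, not a real public key, and example.com is a placeholder owner name.

```python
import base64
import hashlib
import struct

# DS digest types registered for DNSSEC: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def canonical_owner(name: str) -> bytes:
    """Owner name in canonical wire form: lower-cased, length-prefixed labels, root terminator."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA as sent on the wire: flags (2 bytes), protocol (1), algorithm (1), key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum over the RDATA that lets a
    resolver pick the right DNSKEY when a zone publishes several."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_input(owner: str, rdata: bytes) -> bytes:
    """The exact bytes that are hashed for a DS record: canonical owner name || DNSKEY RDATA."""
    return canonical_owner(owner) + rdata


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    if digest_type not in DIGESTS:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    return DIGESTS[digest_type](ds_input(owner, rdata)).hexdigest().upper()


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Presentation form of the DS record the parent zone publishes for this DNSKEY."""
    algorithm = rdata[3]
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {ds_digest(owner, rdata, digest_type)}"


def verify_ds(owner: str, rdata: bytes, tag: int, algorithm: int,
              digest_type: int, digest_hex: str) -> bool:
    """The resolver's check: recompute the digest of the child's DNSKEY and compare it
    with the DS record obtained (signed) from the parent zone."""
    if key_tag(rdata) != tag or rdata[3] != algorithm:
        return False
    return ds_digest(owner, rdata, digest_type) == digest_hex.upper()


# Constructed KSK: flags 257 (ZONE + SEP bit), protocol 3, algorithm 13 (ECDSAP256SHA256).
# The 64 key bytes are filler for the arithmetic, not a real curve point.
OWNER = "example.com."
KSK_RDATA = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))

if __name__ == "__main__":
    print(f"{OWNER} IN DNSKEY 257 3 13 {base64.b64encode(KSK_RDATA[4:]).decode()}")
    print(ds_record(OWNER, KSK_RDATA))
    published = ds_digest(OWNER, KSK_RDATA, 2)
    tag = key_tag(KSK_RDATA)
    print("genuine key validates:", verify_ds(OWNER, KSK_RDATA, tag, 13, 2, published))
    tampered = KSK_RDATA[:-1] + b"\x00"
    print("tampered key validates:", verify_ds(OWNER, tampered, tag, 13, 2, published))
```

Running it prints the constructed DNSKEY record, the DS record the parent zone would publish for it, and the result of checking a key with one altered byte against that DS: it fails, because both the key tag and the digest change. This is the reason a forged DNSKEY injected into a response cannot pass validation unless the attacker also controls the parent zone.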
The MX (Mail eXchange) record is a special record which indicates which mail servers handle the e-mail for the domain. E-mail is therefore delivered to the servers specified in the MX records. A domain can have several MX records with different preference values; the record with the lowest preference value has the highest priority and receives the e-mail first. However, if this e-mail server is not online, the e-mail is forwarded to the e-mail server
NS stands for “Name Server”. The NS record indicates the authoritative name servers where the DNS zone of the domain can be found. The NS records in the zone should therefore always match the name servers that are actually in use (and the delegation in the parent zone). The name servers in the NS records answer the queries for that domain. Multiple NS records work much like multiple MX records: when one name server goes down, resolvers use the next one and traffic continues.
The PTR record is also called a “pointer” record and is used for “reverse DNS”. The PTR record is essentially the opposite of an A record: the A record converts a name into an IP address, the PTR record converts an IP address into a name. PTR records live under the special in-addr.arpa (IPv4) and ip6.arpa (IPv6) domains and are managed by whoever controls the IP address range, not by the owner of the domain name.
The SOA (Start Of Authority) record is an essential record that holds a number of essential values for the entire DNS zone: the primary name server, the serial number (which secondary servers compare to decide whether a zone transfer is needed), the administrator’s e-mail address, the refresh, retry and expire timers, and the negative-caching TTL. Without a correct SOA record, DNS will not function (properly).
SRV stands for “SeRVice” record and specifies the location of specific services. The SRV record describes, among other things, the host name and port number of the service, plus a priority and weight for choosing between several servers. The SRV record is required for internet protocols such as SIP and XMPP.
The TXT record is a versatile record that is used for many purposes. It was originally conceived to attach arbitrary (human-readable) text to a name, to provide extra information where useful. These days the TXT record is mostly read by machines: it is used to prove that a domain name is actually yours (verification tokens) and for anti-spam mechanisms such as SPF and DKIM. Like any DNS record, TXT records are public, so never put secrets in them.
URI, or Uniform Resource Identifier, records link a host name to a URI. The URI record is an alternative to the SRV record. As with the SRV record, weight and priority values are returned that can be used to select a suitable URI when multiple results are returned. Unlike the SRV record, however, no port number is returned, because that information (if applicable) is part of the URI string itself. The URI string returned by a URI query can therefore be used directly by the requesting application.
There are quite a few other types of DNS records that occur a lot less frequently. Think for example of CERT, HIP, KEY, NSEC, RRSIG and TKEY. If you want to know more about these types of DNS records, you can of course easily Google them.
Reverse DNS: You may also have come across the term “Reverse DNS”. Reverse DNS is exactly what the name suggests, DNS backwards: the mapping of an IP address to a name. See the explanation of the PTR record above; PTR records are to reverse DNS what A and AAAA records are to forward DNS.
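An added example in Python (not code from the original post) for the PTR and reverse DNS paragraphs: it derives the PTR lookup name for an IPv4 and an IPv6 address and, going one step beyond the text, shows a forward-confirmed reverse DNS check. Because the owner of an IP range can put any name in a PTR record, the returned name should be looked up forward again and must resolve back to the same address before it is trusted. The PTR and A/AAAA records are a constructed in-memory table; 192.0.2.x, 2001:db8:: and example.com are documentation placeholders.

```python
import ipaddress


def reverse_name(address: str) -> str:
    """Owner name of the PTR record for an address.
    IPv4: the four octets reversed under in-addr.arpa.
    IPv6: all 32 hex nibbles (leading zeros included) reversed under ip6.arpa."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")  # 2001:db8::1 -> 20010db8000000000000000000000001
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def ptr_lookup(address: str, ptr_records: dict):
    """Reverse lookup against a PTR table keyed by reverse name; None if there is no record."""
    return ptr_records.get(reverse_name(address))


def forward_confirmed(address: str, ptr_records: dict, addr_records: dict) -> bool:
    """Forward-confirmed reverse DNS (FCrDNS): the PTR target must have an A or AAAA
    record pointing back at the address. Without this step the PTR value is only a
    claim made by whoever controls the IP range."""
    name = ptr_lookup(address, ptr_records)
    if name is None:
        return False
    forward = {ipaddress.ip_address(a) for a in addr_records.get(name.lower(), ())}
    return ipaddress.ip_address(address) in forward


# Constructed sample zone data for the example (not real records).
PTR_RECORDS = {
    "1.2.0.192.in-addr.arpa.": "mail.example.com.",
    "7.2.0.192.in-addr.arpa.": "mail.example.com.",  # claims to be the mail host, but is not
    "1.0.0.0." + "0." * 20 + "8.b.d.0.1.0.0.2.ip6.arpa.": "mail.example.com.",
}
ADDR_RECORDS = {
    "mail.example.com.": ["192.0.2.1", "2001:db8::1"],  # its A and AAAA records
}

if __name__ == "__main__":
    for addr in ("192.0.2.1", "192.0.2.7", "2001:db8::1", "198.51.100.9"):
        print(f"{addr:16} PTR={ptr_lookup(addr, PTR_RECORDS)!s:20} "
              f"FCrDNS={forward_confirmed(addr, PTR_RECORDS, ADDR_RECORDS)}")
```

In the sample data 192.0.2.7 has a PTR record naming mail.example.com, but that host’s A record does not point back at it, so the forward-confirmed check rejects it; this is the check mail servers apply before trusting a PTR name.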
You sometimes also have to deal with Dynamic DNS. Dynamic DNS is the mapping of a name to a dynamic, that is constantly changing, IP address. This way you can make an application reachable by name while the IP address changes in the background: a small client on the host (or router) notices the new address and updates the record at the provider. Dynamic DNS is also called “DDNS” or “DynDNS”. There are various providers and tools that make dynamic DNS possible. Dynamic DNS works with a host name under a domain that you register (often for free) with a Dynamic DNS provider.
I hope this short post has given some more insight into DNS, what DNS does and what kinds of records there are. If you thought this was a fun or interesting post, please let us know and share it further. Like Like Like!