Domain Name System (DNS)
The Domain Name System is a naming system for the internet. It was originally invented to assign names to IPs, because names are more easy to remember than the numbers in IP addresses. meanwhile, DNS has more purposes than to translate names in numbers only.
Hierarchy
DNS is a hierarchical system. On top of the hierarchy-stryucture of a domain name is the toplevel domain (TLD). Examples of toplevel domains are "com", "net", "org", "nl", "berlin" and many more. TLDs are provided by IANA.
In the example "example.com", "com" is the toplevel domain and "example" is the second level domain (SLD) or public suffix domain (PSD). The PSD is also called "organisational domain".
SLD and PSD are not exactly the same thing, because some toplevel domains have a second-level domain included in their hierarchy. One famous example is "co.uk".
- In "example.co.uk", "uk" is the TLD, "co" is the SLD and "example" is the PSD.
- In "example.com", the TLD is "com" and "example" is the SLD/PSD.
The responsible domain is the domain that's on top of a zone. Any responsible domain can have almost infinite subdomains. In our example "sub.example.com", "example.com" is the responsible domain and "sub" is the subdomain. In "sub1.sub2.sub3.example.com", "example.com" is the responsible domain for all subdomain levels. However, if I create a separate zone for "sub.example.com", then "sub.example.com" is a responsible domain on top of it's own hierarchy (see also #Domain delegation).
Record types
There are various types of records with a variety of functions. The most important ones are:
Name | Purpose | Lookup result example |
---|---|---|
A | Assigns an IPv4 address to a name | $ host -t a example.com example.com has address 192.168.10.34 |
AAAA | Assigns an IPv6 address to a name | host -t aaaa example.com example.com has IPv6 address fe80::1ff:fe23:4567:890a |
MX | Assigns mail-receiving hostnames with priorities to a name | $ host -t mx example.com example.com mail is handled by 10 mx2.example.com. example.com mail is handled by 5 mx1.example.com. |
CNAME | Causes this domain to be an alias of another domain | $ host -t cname aliasdomain.example.net aliasdomain.example.net is an alias for example.com. |
TXT | Holds a piece of text | $ host -t txt example.com example.com descriptive text "lorem ipsum" |
PTR | Reverse DNS assigns a name to an IP | $ host -t ptr 192.168.10.34 34.10.168.192.in-addr.arpa domain name pointer example.com. |
NS | Delegates a subdomain to one or more nameservers | $ host -t ns example.com example.com name server dns2.example.net. example.com name server dns1.example.net. |
A- and AAAA-Record
Those two record types assign IPs to domain names. For example, if my domain name is "example.com" and my website is hosted at "192.168.10.34", I need to set an A-Record with the content "192.168.10.34" on "example.com".
MX-Record
MX Records assign mail servers (MTAs) to a domain. MX records consist of a domain name and a priority:
- The domain name should contain an A and/or AAAA record with the IP address of the MTA.
- The priority is used to prioritise one MTA over another. In the above example, "mx1.example.com" has the lowest priority (5) and will be tried first. Only if "mx1.example.com" is unavailable, "mx2.example.com" is used. When multiple domains in an MX record have the same priority, a random choice is made (round robin).
CNAME Record
CNAME records are aliases. Let's stick with the example from the above table and "aliasdomain.example.net" is an alias of "example.com", as you can see from the CNAME record. If we now first query the A-Records and then the MX records for "aliasdomain.example.net", this will be the output:
$ host aliasdomain.example.net aliasdomain.example.net is an alias for example.com. example.com has address 192.168.10.34 example.com has IPv6 address fe80::1ff:fe23:4567:890a $ host -t mx aliasdomain.example.net aliasdomain.example.net is an alias for example.com. example.com mail is handled by 10 mx2.example.com. example.com mail is handled by 5 mx1.example.com.
A CNAME record ona domain renders A-, MX- and TXT-records on the same domain invalid. In fact, it's recommended to remove all other records once a CNAME record is available.
Common use cases for CNAME records are:
In both use cases, domain delegation could offer a much better solution.
TXT Record
TXT records are records that can hold various pieces of text. The most common use case is for domain verification, whereby a provider provides a code and when this code is later found in a DNS TXT record, domain ownership has been verified. Common use cases in E-Mail are:
SPF records
Main article: Sender Policy Framework (SPF)
Example:
$ host -t txt _spf.example.com _spf.example.com descriptive text "v=spf1 ip4:192.168.10.34 ip6:fe80::1ff:fe23:4567:890a ~all"
DKIM records
Main article: DomainKeys Identified Mail (DKIM)
Example:
host -t txt selector._domainkey.example.com selector._domainkey.example.com descriptive text "v=DKIM1; t=s; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0vuPa8g6qdfYLi9TWfbMzFoijdNfJC6/a0uGfIj6fOr+z1fJlOsM1DhKaEaSkNeI0ClKjLx9648CfMl02TxViTvG1Ne2sDsFvGc53NzEd65I2BsPuLpBsHo5zXbZ1ZvLhFm+iOjXlPnD1WlOeQuDhFdIdR+1lWt5aExNwBvIqBr+nYfJt094h9fUwXxMpJ+75GtBdAo3j2nOlWlZtCkWnDmCsXd0j6nNrHz0fO8VqCcJmQsP1ThUgBlO7T3L4PiVg1yHbDpKyTgVb6zHpYt/cXiKmIxVn6nQoDxL9ZfQ2EmVi7hUfMcSoFpWdIpYuOnMmPgPk47J+YZjv4N2X6UpSQIDAQAB"
DMARC records
Main article: Domain-based Message Authentication, Reporting, and Conformance (DMARC)
Example:
$ host -t txt _dmarc.example.com _dmarc.example.com descriptive text "v=DMARC1; p=reject; rua=mailto:dmarc@dmarc.example.com; ruf=mailto:dmarc@dmarc.example.com; rf=afrf; pct=100;"
PTR Record
The reverse lookup is meant to find a name to an IP, instead of the other way around. Because it's not possible to create a DNS zone with an IP, an alias (canonical name) is used for each IP. This alias always has the TLD "arpa", which is reserved for this purpose. IPv4 uses "in-addr.arpa" and IPv6 uses "ip6.arpa".
Each sending IP should resolve recursively to a domain. This domain is the "hostname". Each hostname should resolve to an IP. This IP should be the same sending IP we started from.
Example from Gmail with sending IP 2a00:1450:4864:20::632:
$ host -t ptr 2a00:1450:4864:20::632 2.3.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.5.4.1.0.0.a.2.ip6.arpa domain name pointer mail-ej1-x632.google.com. $ host -t aaaa mail-ej1-x632.google.com mail-ej1-x632.google.com has IPv6 address 2a00:1450:4864:20::632
NS Record
Nameserver records are found on responsible domains. They define which nameserver stores the zone file with resource records for this domain.
Domain delegation
If you create an NS record for a subdomain, this subdomain now is responsible for it's own zone, on top of it's own hierarchy. What used to be a subdomain, is now a responsible domain.
Because of that, with DNS delegation it's possible for - for example - Jake's nameservers (dns[1|2].example.com) to host the zone for "example.com", while Andrew's nameservers (dns[1|2].example.net) host the zone for "sub.example.com". While Jake still owns "example.com" and all its subdomains, Andrew is now the only person who can set resource records for the subdomain "sub.example.com", until Jake revokes the delegation by removing the NS records from the subdomain.