Domain Name System (DNS)

From InboxSys document library
Latest revision as of 15:25, 3 September 2023

The Domain Name System is a naming system for the internet. It was originally invented to assign names to IPs, because names are easier to remember than the numbers in IP addresses. Meanwhile, DNS has more purposes than translating names into numbers.

Hierarchy

DNS is a hierarchical system. On top of the hierarchy structure of a domain name is the toplevel domain (TLD). Examples of toplevel domains are "com", "net", "org", "nl", "berlin" and many more. TLDs are provided by IANA.

In the example "example.com", "com" is the toplevel domain and "example" is the second level domain (SLD) or public suffix domain (PSD). The PSD is also called "organisational domain".

SLD and PSD are not exactly the same thing, because some toplevel domains have a second-level domain included in their hierarchy. One famous example is "co.uk".

  • In "example.co.uk", "uk" is the TLD, "co" is the SLD and "example" is the PSD.
  • In "example.com", the TLD is "com" and "example" is the SLD/PSD.

The responsible domain is the domain that is on top of a zone. Any responsible domain can have a practically unlimited number of subdomains. In our example "sub.example.com", "example.com" is the responsible domain and "sub" is the subdomain. In "sub1.sub2.sub3.example.com", "example.com" is the responsible domain for all subdomain levels. However, if I create a separate zone for "sub.example.com", then "sub.example.com" is a responsible domain on top of its own hierarchy (see also #Domain delegation).

Record types

There are various types of records with a variety of functions. The most important ones are:

DNS Record Types (name, purpose, lookup result example)

A
  Purpose: Assigns an IPv4 address to a name
  Lookup result example:
    $ host -t a example.com
    example.com has address 192.168.10.34

AAAA
  Purpose: Assigns an IPv6 address to a name
  Lookup result example:
    $ host -t aaaa example.com
    example.com has IPv6 address fe80::1ff:fe23:4567:890a

MX
  Purpose: Assigns mail-receiving hostnames with priorities to a name
  Lookup result example:
    $ host -t mx example.com
    example.com mail is handled by 10 mx2.example.com.
    example.com mail is handled by 5 mx1.example.com.

CNAME
  Purpose: Causes this domain to be an alias of another domain
  Lookup result example:
    $ host -t cname aliasdomain.example.net
    aliasdomain.example.net is an alias for example.com.

TXT
  Purpose: Holds a piece of text
  Lookup result example:
    $ host -t txt example.com
    example.com descriptive text "lorem ipsum"

PTR
  Purpose: Reverse DNS assigns a name to an IP
  Lookup result example:
    $ host -t ptr 192.168.10.34
    34.10.168.192.in-addr.arpa domain name pointer example.com.

NS
  Purpose: Delegates a subdomain to one or more nameservers
  Lookup result example:
    $ host -t ns example.com
    example.com name server dns2.example.net.
    example.com name server dns1.example.net.

A- and AAAA-Record

Those two record types assign IPs to domain names. For example, if my domain name is "example.com" and my website is hosted at "192.168.10.34", I need to set an A-Record with the content "192.168.10.34" on "example.com".

MX-Record

MX Records assign mail servers (MTAs) to a domain. MX records consist of a domain name and a priority:

  • The domain name should contain an A and/or AAAA record with the IP address of the MTA.
  • The priority is used to prioritise one MTA over another. In the above example, "mx1.example.com" has the lowest priority value (5) and is therefore tried first. Only if "mx1.example.com" is unavailable is "mx2.example.com" used. When multiple domains in an MX record set have the same priority, a random choice is made (round robin).
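The MX selection rules above (lowest priority value first, random order among equal values, and every MX host needing an A or AAAA record) as a small Python script. This is an added example, not code from the InboxSys page: the input lines are the two "host -t mx example.com" answers shown above plus a constructed third host "mx3.example.com" sharing the priority of mx2, and the address table is constructed so that mx3 deliberately has no address record.

```python
import random
import re

# Constructed sample: the two "host -t mx example.com" lines shown on this page,
# plus a third host (mx3) at the same priority as mx2 to show the tie case.
SAMPLE_MX_OUTPUT = """\
example.com mail is handled by 10 mx2.example.com.
example.com mail is handled by 5 mx1.example.com.
example.com mail is handled by 10 mx3.example.com.
"""

# Constructed A/AAAA data for the MX hosts; mx3 deliberately has none.
SAMPLE_ADDRESSES = {
    "mx1.example.com": ["192.168.10.34"],
    "mx2.example.com": ["fe80::1ff:fe23:4567:890a"],
}

MX_LINE = re.compile(r"^(\S+) mail is handled by (\d+) (\S+?)\.?$")


def parse_mx(output):
    """Parse 'host -t mx' output into (priority, mailhost) pairs, in the order printed."""
    records = []
    for line in output.splitlines():
        match = MX_LINE.match(line.strip())
        if match:
            records.append((int(match.group(2)), match.group(3)))
    return records


def delivery_order(records, seed=None):
    """Order the MX hosts the way a sending MTA tries them: the lowest priority
    value first, and hosts sharing a value in random order (round robin)."""
    rng = random.Random(seed)
    groups = {}
    for priority, host in records:
        groups.setdefault(priority, []).append(host)
    ordered = []
    for priority in sorted(groups):
        hosts = list(groups[priority])
        rng.shuffle(hosts)
        ordered.extend(hosts)
    return ordered


def hosts_without_address(records, addresses):
    """MX hosts that have no A/AAAA record and therefore cannot receive mail."""
    return sorted({host for _, host in records if not addresses.get(host)})


if __name__ == "__main__":
    recs = parse_mx(SAMPLE_MX_OUTPUT)
    print("try in this order:", delivery_order(recs, seed=1))
    print("unreachable MX hosts:", hosts_without_address(recs, SAMPLE_ADDRESSES))
```

The `seed` parameter only exists to make the round-robin shuffle reproducible for tests; a real MTA would leave it unset. The address check is the one a deliverability engineer runs before changing MX records, since an MX host without an A/AAAA record silently removes that host from the delivery path.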

CNAME Record

CNAME records are aliases. Sticking with the example from the table above, "aliasdomain.example.net" is an alias of "example.com", as the CNAME record shows. If we now query first the A records and then the MX records for "aliasdomain.example.net", this is the output:

$ host aliasdomain.example.net
aliasdomain.example.net is an alias for example.com.
example.com has address 192.168.10.34
example.com has IPv6 address fe80::1ff:fe23:4567:890a

$ host -t mx aliasdomain.example.net
aliasdomain.example.net is an alias for example.com.
example.com mail is handled by 10 mx2.example.com.
example.com mail is handled by 5 mx1.example.com.

A CNAME record on a domain renders A, MX and TXT records on the same domain invalid. In fact, it is recommended to remove all other records once a CNAME record is in place.

Common use cases for CNAME records are:

In both use cases, domain delegation could offer a much better solution.

TXT Record

TXT records can hold various pieces of text. The most common use case is domain verification: a provider issues a code, and once that code is found in a DNS TXT record, domain ownership is considered verified. Common use cases in e-mail are:

SPF records

Main article: Sender Policy Framework (SPF)

Example:

$ host -t txt _spf.example.com
_spf.example.com descriptive text "v=spf1 ip4:192.168.10.34 ip6:fe80::1ff:fe23:4567:890a ~all"

DKIM records

Main article: DomainKeys Identified Mail (DKIM)

Example:

$ host -t txt selector._domainkey.example.com
selector._domainkey.example.com descriptive text "v=DKIM1; t=s; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0vuPa8g6qdfYLi9TWfbMzFoijdNfJC6/a0uGfIj6fOr+z1fJlOsM1DhKaEaSkNeI0ClKjLx9648CfMl02TxViTvG1Ne2sDsFvGc53NzEd65I2BsPuLpBsHo5zXbZ1ZvLhFm+iOjXlPnD1WlOeQuDhFdIdR+1lWt5aExNwBvIqBr+nYfJt094h9fUwXxMpJ+75GtBdAo3j2nOlWlZtCkWnDmCsXd0j6nNrHz0fO8VqCcJmQsP1ThUgBlO7T3L4PiVg1yHbDpKyTgVb6zHpYt/cXiKmIxVn6nQoDxL9ZfQ2EmVi7hUfMcSoFpWdIpYuOnMmPgPk47J+YZjv4N2X6UpSQIDAQAB"

DMARC records

Main article: Domain-based Message Authentication, Reporting, and Conformance (DMARC)

Example:

$ host -t txt _dmarc.example.com
_dmarc.example.com descriptive text "v=DMARC1; p=reject; rua=mailto:dmarc@dmarc.example.com; ruf=mailto:dmarc@dmarc.example.com; rf=afrf; pct=100;"
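The three e-mail TXT record types above (SPF, DKIM, DMARC) share one shape: a version tag followed by either space-separated SPF terms or semicolon-separated tag=value pairs. The following Python is an added example, not code from the InboxSys page, that parses "host -t txt" output, classifies each record, splits it into its terms or tags, and runs a few plausibility checks on a DMARC record. The input lines are the ones shown on this page, except that the long DKIM public key is replaced by a labelled placeholder; the check rules (a policy p= of none/quarantine/reject, pct between 0 and 100, mailto: report URIs) are the basic DMARC syntax rules and are written here from scratch.

```python
import re

# Constructed input: the TXT lookups shown on this page as 'host -t txt' prints them.
# The DKIM public key is shortened to a labelled placeholder.
SAMPLE_TXT_OUTPUT = """\
example.com descriptive text "lorem ipsum"
_spf.example.com descriptive text "v=spf1 ip4:192.168.10.34 ip6:fe80::1ff:fe23:4567:890a ~all"
selector._domainkey.example.com descriptive text "v=DKIM1; t=s; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"
_dmarc.example.com descriptive text "v=DMARC1; p=reject; rua=mailto:dmarc@dmarc.example.com; ruf=mailto:dmarc@dmarc.example.com; rf=afrf; pct=100;"
"""

TXT_LINE = re.compile(r'^(\S+) descriptive text "(.*)"$')


def parse_txt_output(output):
    """Return (name, text) pairs from 'host -t txt' output."""
    matches = (TXT_LINE.match(line.strip()) for line in output.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]


def classify(name, text):
    """Identify the e-mail authentication record a TXT record carries, if any.
    The version tag is decisive; the name is only a plausibility check."""
    if text.startswith("v=spf1"):
        return "spf"
    if text.startswith("v=DKIM1") and "._domainkey." in name:
        return "dkim"
    if text.startswith("v=DMARC1") and name.startswith("_dmarc."):
        return "dmarc"
    return "other"


def parse_tags(text):
    """Split a 'tag=value; tag=value' record (DKIM, DMARC) into a dict."""
    tags = {}
    for part in text.split(";"):
        part = part.strip()
        if part and "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def parse_spf(text):
    """Split an SPF record into (qualifier, mechanism) pairs; '+' is the default qualifier."""
    terms = []
    for term in text.split()[1:]:          # skip the leading "v=spf1"
        if term[0] in "+-~?":
            terms.append((term[0], term[1:]))
        else:
            terms.append(("+", term))
    return terms


def check_dmarc(tags):
    """Plausibility checks on a parsed DMARC record; returns a list of findings."""
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("missing or wrong version tag v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        findings.append("policy p= missing or not one of none/quarantine/reject")
    if "pct" in tags and not (tags["pct"].isdigit() and 0 <= int(tags["pct"]) <= 100):
        findings.append("pct= must be an integer between 0 and 100")
    for tag in ("rua", "ruf"):
        for uri in filter(None, tags.get(tag, "").split(",")):
            if not uri.strip().startswith("mailto:"):
                findings.append(f"{tag}= contains a non-mailto URI: {uri.strip()}")
    return findings


if __name__ == "__main__":
    for name, text in parse_txt_output(SAMPLE_TXT_OUTPUT):
        kind = classify(name, text)
        detail = parse_spf(text) if kind == "spf" else parse_tags(text)
        print(name, kind, detail)
        if kind == "dmarc":
            print("  findings:", check_dmarc(parse_tags(text)) or "none")
```

Classifying by version tag rather than by name matters in practice: an SPF record lives wherever the sending domain puts it, and a record at "_dmarc.example.com" that does not begin with "v=DMARC1" is simply ignored by receivers, which the findings list makes visible.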

PTR Record

The reverse lookup is meant to find the name for an IP, instead of the other way around. Because it is not possible to create a DNS zone with an IP, an alias (canonical name) is used for each IP. This alias always has the TLD "arpa", which is reserved for this purpose. IPv4 uses "in-addr.arpa" and IPv6 uses "ip6.arpa".

Each sending IP should resolve, via its PTR record, to a domain name. This domain name is the "hostname". Each hostname should in turn resolve to an IP, and this IP should be the same sending IP we started from (forward-confirmed reverse DNS).

Example from Gmail with sending IP 2a00:1450:4864:20::632:

$ host -t ptr 2a00:1450:4864:20::632
2.3.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.5.4.1.0.0.a.2.ip6.arpa domain name pointer mail-ej1-x632.google.com.

$ host -t aaaa mail-ej1-x632.google.com
mail-ej1-x632.google.com has IPv6 address 2a00:1450:4864:20::632
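How the "arpa" name is built from an IP, and the round trip IP -> PTR -> hostname -> A/AAAA -> IP described above, as Python. This is an added example, not code from the InboxSys page. It does not query DNS: the PTR and address answers are constructed lookup tables holding the two lookups shown on this page (192.168.10.34 and the Gmail address 2a00:1450:4864:20::632) plus one constructed entry, 192.168.10.35 pointing at "mail.example.org", whose forward lookup deliberately returns a different IP so that the failure case is visible.

```python
import ipaddress

# Constructed lookup tables standing in for live DNS: the PTR and address answers
# shown on this page, plus one deliberately mismatched entry (192.168.10.35).
PTR_TABLE = {
    "34.10.168.192.in-addr.arpa": "example.com",
    "2.3.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.5.4.1.0.0.a.2.ip6.arpa":
        "mail-ej1-x632.google.com",
    "35.10.168.192.in-addr.arpa": "mail.example.org",   # constructed: does not round-trip
}
ADDRESS_TABLE = {
    "example.com": ["192.168.10.34", "fe80::1ff:fe23:4567:890a"],
    "mail-ej1-x632.google.com": ["2a00:1450:4864:20::632"],
    "mail.example.org": ["192.0.2.10"],                  # constructed: different IP
}


def reverse_name(ip):
    """Build the in-addr.arpa / ip6.arpa name that a PTR lookup for `ip` queries:
    IPv4 reverses the four octets, IPv6 reverses all 32 hex nibbles."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")      # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def matches_stdlib(ip):
    """Cross-check against the standard library's own reverse_pointer property."""
    return reverse_name(ip) == ipaddress.ip_address(ip).reverse_pointer


def forward_confirmed(ip, ptr_table=PTR_TABLE, address_table=ADDRESS_TABLE):
    """Forward-confirmed reverse DNS: IP -> PTR -> hostname -> A/AAAA -> same IP.
    Returns (hostname, confirmed); hostname is None when there is no PTR record."""
    hostname = ptr_table.get(reverse_name(ip))
    if hostname is None:
        return None, False
    forward = {ipaddress.ip_address(a) for a in address_table.get(hostname, [])}
    return hostname, ipaddress.ip_address(ip) in forward


if __name__ == "__main__":
    for ip in ("192.168.10.34", "2a00:1450:4864:20::632", "192.168.10.35", "192.0.2.1"):
        print(ip, "->", reverse_name(ip), "->", forward_confirmed(ip))
```

Comparing addresses as `ipaddress` objects rather than strings avoids false mismatches from IPv6 spelling differences ("2a00:1450:4864:20::632" versus its exploded form), which is a common cause of reverse-DNS checks failing on correctly configured hosts.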

NS Record

Nameserver records are found on responsible domains. They define which nameserver stores the zone file with resource records for this domain.

Domain delegation

If you create an NS record for a subdomain, this subdomain is now responsible for its own zone, on top of its own hierarchy. What used to be a subdomain is now a responsible domain.

Because of that, with DNS delegation it is possible for, say, Jake's nameservers (dns[1|2].example.com) to host the zone for "example.com", while Andrew's nameservers (dns[1|2].example.net) host the zone for "sub.example.com". While Jake still owns "example.com" and all its subdomains, Andrew is now the only person who can set resource records for the subdomain "sub.example.com", until Jake revokes the delegation by removing the NS records from the subdomain.
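The "responsible domain" rule from the Hierarchy section and the delegation described here are the same lookup: walk from the full name toward the TLD and stop at the first (longest) suffix that has NS records. The Python below is an added example, not code from the InboxSys page, using a simplified model in which every name listed in a constructed NS table sits on top of its own zone; the nameserver names for "example.com" and "sub.example.com" are the page's own, the "com" entry uses a labelled placeholder, and the `delegate`/`revoke_delegation` helpers model Jake adding or removing the NS records for Andrew's subdomain.

```python
# Constructed zone data: every name that carries NS records sits on top of its own zone.
# "com" uses a placeholder nameserver name; the others are the page's examples.
NS_RECORDS = {
    "com": ["tld-nameserver.placeholder.example"],
    "example.com": ["dns1.example.com", "dns2.example.com"],      # Jake's zone
    "sub.example.com": ["dns1.example.net", "dns2.example.net"],  # delegated to Andrew
}


def responsible_domain(name, ns_records=NS_RECORDS):
    """Walk from the full name toward the TLD and return the longest suffix
    that has NS records: the zone apex, i.e. the responsible domain."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ns_records:
            return candidate
    return None


def authoritative_nameservers(name, ns_records=NS_RECORDS):
    """The nameservers whose zone file holds the resource records for `name`."""
    zone = responsible_domain(name, ns_records)
    return list(ns_records[zone]) if zone else []


def delegate(subdomain, nameservers, ns_records):
    """Create NS records for a subdomain: it becomes a responsible domain of its own."""
    updated = dict(ns_records)
    updated[subdomain.lower()] = list(nameservers)
    return updated


def revoke_delegation(subdomain, ns_records):
    """Remove the subdomain's NS records; its names fall back to the parent zone."""
    updated = dict(ns_records)
    updated.pop(subdomain.lower(), None)
    return updated


if __name__ == "__main__":
    for name in ("sub1.sub2.sub3.example.com", "www.sub.example.com"):
        print(name, "->", responsible_domain(name), authoritative_nameservers(name))
    revoked = revoke_delegation("sub.example.com", NS_RECORDS)
    print("after revoking:", responsible_domain("www.sub.example.com", revoked))
```

Because the delegated party controls every record beneath the delegation point, including the SPF, DKIM and DMARC TXT records for that subdomain, a zone owner should keep an inventory of the NS records it has handed out and run exactly this lookup when auditing who can publish under its name.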

Useful links

  • https://en.wikipedia.org/wiki/Domain_Name_System