Domain Name System (DNS): Difference between revisions

From InboxSys document library
Revision as of 02:51, 3 September 2023

The Domain Name System is a naming system for the internet. It was originally invented to assign names to IPs, because names are easier to remember than the numbers in IP addresses. Meanwhile, DNS has more purposes than only translating names into numbers.

Hierarchy

DNS is a hierarchical system. On top of the hierarchy of a domain name is the top-level domain (TLD). Examples of top-level domains are "com", "net", "org", "nl", "berlin" and many more. TLDs are provided by IANA.

In the example "example.com", "com" is the top-level domain and "example" is the second-level domain or public suffix domain (PSD).

Some top-level domains have a second-level domain (SLD) included in their hierarchy. One famous example is "co.uk". In "example.co.uk", "uk" is the TLD, "co" is the SLD and "example" is the PSD.

The responsible domain is the domain at the top of a zone. Any responsible domain can have a practically unlimited number of subdomains. In our example "sub.example.com", "example.com" is the responsible domain and "sub" is the subdomain. In "sub1.sub2.sub3.example.com", "example.com" is the responsible domain for all subdomain levels.
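The decomposition described in this section, as an added example that is not part of the InboxSys page: the function splits a name into TLD, optional SLD, the PSD/responsible domain and whatever is left as subdomain. The suffix table is a constructed, deliberately tiny stand-in for IANA's TLD list and the public suffix list; a real tool would load the full lists instead of hard-coding six entries.

```python
# Added example, not from the InboxSys page. KNOWN_SUFFIXES is a constructed,
# incomplete table: TLD -> second-level domains that sit under it (e.g. "co.uk").
KNOWN_SUFFIXES = {
    "com": (),
    "net": (),
    "org": (),
    "nl": (),
    "berlin": (),
    "uk": ("co", "org", "ac"),   # "co.uk", "org.uk", "ac.uk" are SLDs, not registrable names
}


def split_domain(name):
    """Split `name` into the parts the text above names.

    Returns a dict with keys tld, sld (None if the TLD has no SLD layer),
    psd (the registrable label), responsible_domain and subdomain (None if
    there is none). Raises ValueError for unknown TLDs, names that are only a
    suffix, or malformed names with empty labels.
    """
    labels = name.rstrip(".").lower().split(".")
    if len(labels) < 2 or "" in labels:
        raise ValueError(f"not a valid multi-label domain name: {name!r}")

    tld = labels[-1]
    if tld not in KNOWN_SUFFIXES:
        raise ValueError(f"unknown TLD: {tld!r}")

    rest = labels[:-1]
    sld = None
    if rest and rest[-1] in KNOWN_SUFFIXES[tld]:
        sld = rest[-1]          # e.g. "co" in "example.co.uk"
        rest = rest[:-1]
    if not rest:
        raise ValueError(f"{name!r} is only a suffix, nothing is registered under it")

    psd = rest[-1]
    suffix = ".".join(part for part in (sld, tld) if part)
    return {
        "tld": tld,
        "sld": sld,
        "psd": psd,
        "responsible_domain": f"{psd}.{suffix}",
        "subdomain": ".".join(rest[:-1]) or None,
    }


if __name__ == "__main__":
    for example in ("sub1.sub2.sub3.example.com", "www.example.co.uk"):
        print(example, "->", split_domain(example))
```

The lookup is a longest-suffix match: the TLD is checked first, then the optional SLD, and only what remains is treated as registrable. Anything the table does not know is rejected rather than guessed, which is the safe default when the result feeds a policy decision.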

Record types

There are various types of records with a variety of functions. The most important ones are:

DNS Record Types

A: Assigns an IPv4 address to a name
    $ host -t a example.com
    example.com has address 192.168.10.34

AAAA: Assigns an IPv6 address to a name
    $ host -t aaaa example.com
    example.com has IPv6 address fe80::1ff:fe23:4567:890a

MX: Assigns mail-receiving hostnames with priorities to a name
    $ host -t mx example.com
    example.com mail is handled by 10 mx2.example.com.
    example.com mail is handled by 5 mx1.example.com.

CNAME: Causes this domain to be an alias of another domain
    $ host -t cname aliasdomain.example.net
    aliasdomain.example.net is an alias for example.com.

TXT: Holds a piece of text
    $ host -t txt _spf.example.com
    _spf.example.com descriptive text "v=spf1 ip4:192.168.10.34 ip6:fe80::1ff:fe23:4567:890a ~all"

PTR: Reverse DNS assigns a name to an IP
    $ host -t ptr 192.168.10.34
    34.10.168.192.in-addr.arpa domain name pointer example.com.

NS: Delegates a (sub)domain to one or more nameservers
    $ host -t ns example.com
    example.com name server dns2.example.net.
    example.com name server dns1.example.net.

A- and AAAA-Record

These two record types assign IPs to domain names. For example, if my domain name is "example.com" and my website is hosted at "192.168.10.34", I need to set an A-Record with the content "192.168.10.34" on "example.com".

MX-Record

MX records assign mail servers (MTAs) to a domain. Each MX record consists of a domain name and a priority:

  • The domain name should have an A and/or AAAA record with the IP address of the MTA.
  • The priority is used to prioritise one MTA over another: the lowest value is tried first. In the above example, "mx1.example.com" has the lowest priority value (5) and will be tried first. Only if "mx1.example.com" is unavailable is "mx2.example.com" used. When multiple domain names in the MX records of a domain have the same priority, a random choice is made (round robin).
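The selection rule from the two bullets above, as an added example that is not part of the InboxSys page: parse the `host -t mx` output from the table into (priority, exchanger) pairs and produce the order in which a sending MTA would try them. The sample output is constructed; it reproduces the page's two records and adds a hypothetical "mx3.example.com" at priority 10 so that the equal-priority (round-robin) case is visible.

```python
import random
import re
from itertools import groupby

# Constructed sample, not real resolver output: the page's two MX records plus a
# hypothetical third exchanger sharing priority 10.
HOST_MX_OUTPUT = """\
example.com mail is handled by 10 mx2.example.com.
example.com mail is handled by 5 mx1.example.com.
example.com mail is handled by 10 mx3.example.com.
"""

# "<name> mail is handled by <priority> <exchanger>." as printed by host(1)
MX_LINE = re.compile(r"^(\S+) mail is handled by (\d+) (\S+?)\.?$")


def parse_host_mx(output):
    """Turn `host -t mx` lines into a list of (priority, exchanger) tuples."""
    records = []
    for line in output.splitlines():
        match = MX_LINE.match(line.strip())
        if match:
            records.append((int(match.group(2)), match.group(3).lower()))
    return records


def delivery_order(records, seed=None):
    """Order exchangers the way a sending MTA tries them.

    Lowest priority value first; exchangers that share a value are shuffled,
    which is the round-robin behaviour the text describes. `seed` makes the
    shuffle reproducible for tests.
    """
    rng = random.Random(seed)
    ordered = []
    # sorted() puts equal priorities next to each other so groupby can bucket them
    for _, group in groupby(sorted(records), key=lambda rec: rec[0]):
        hosts = [host for _, host in group]
        rng.shuffle(hosts)
        ordered.extend(hosts)
    return ordered


if __name__ == "__main__":
    recs = parse_host_mx(HOST_MX_OUTPUT)
    print("parsed:", recs)
    print("try order:", delivery_order(recs))
```

Run it a few times without a seed and the first entry stays "mx1.example.com" while the two priority-10 hosts swap places, which is exactly the behaviour an operator relies on when spreading load across equal-priority exchangers.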

CNAME Record

CNAME records are aliases. Sticking with the example from the table above, "aliasdomain.example.net" is an alias of "example.com", as the CNAME record shows. If we now first query the A records and then the TXT record for "aliasdomain.example.net", this is the output:

$ host -t a aliasdomain.example.net
aliasdomain.example.net is an alias for example.com.
example.com has address 192.168.10.34
example.com has IPv6 address fe80::1ff:fe23:4567:890a

$ host -t txt aliasdomain.example.net
aliasdomain.example.net is an alias for example.com.
example.com descriptive text "v=spf1 ip4:192.168.10.34 ip6:fe80::1ff:fe23:4567:890a ~all"

A CNAME record on a domain renders A, MX and TXT records on the same domain invalid. In fact, it's recommended to remove all other records once a CNAME record is in place.

Common use cases for CNAME records are:

  • Link- and Imagedomain tracking
  • DKIM key rotation

In both use cases, domain delegation could offer a much better solution.
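How a resolver follows the alias in the output above, and how to spot the "CNAME next to other records" situation the section warns about, as an added example that is not part of the InboxSys page. The zone dictionary is constructed from the page's own example records plus one made-up name, "broken.example.net", that has both a CNAME and an A record; the loop guard and hop limit are assumptions of this example, not something the page specifies.

```python
# Constructed zone data mirroring the page's examples; not real DNS answers.
ZONE = {
    "example.com": {
        "A": ["192.168.10.34"],
        "AAAA": ["fe80::1ff:fe23:4567:890a"],
        "TXT": ['"v=spf1 ip4:192.168.10.34 ip6:fe80::1ff:fe23:4567:890a ~all"'],
    },
    "aliasdomain.example.net": {"CNAME": ["example.com"]},
    # Hypothetical misconfiguration: a CNAME together with an A record.
    "broken.example.net": {"CNAME": ["example.com"], "A": ["192.0.2.1"]},
}


def resolve(name, rtype, zone=ZONE, max_hops=8):
    """Look up `rtype` for `name`, following CNAMEs like a resolver does.

    Returns (chain, answers): `chain` lists every alias hop as (alias, target),
    which is what `host` prints as "X is an alias for Y", and `answers` holds the
    records of the requested type at the end of the chain. Asking for CNAME
    itself returns the alias record without following it. A loop or a chain
    longer than `max_hops` raises RuntimeError instead of spinning forever.
    """
    chain, seen = [], set()
    while True:
        rrsets = zone.get(name, {})
        if rtype != "CNAME" and "CNAME" in rrsets:
            if name in seen or len(chain) >= max_hops:
                raise RuntimeError(f"CNAME loop or chain too long at {name}")
            seen.add(name)
            target = rrsets["CNAME"][0]
            chain.append((name, target))
            name = target
            continue
        return chain, list(rrsets.get(rtype, []))


def cname_conflicts(zone=ZONE):
    """Names carrying a CNAME together with other record types (the invalid case)."""
    return sorted(n for n, rr in zone.items() if "CNAME" in rr and len(rr) > 1)


if __name__ == "__main__":
    for rtype in ("A", "TXT"):
        chain, answers = resolve("aliasdomain.example.net", rtype)
        for alias, target in chain:
            print(f"{alias} is an alias for {target}.")
        print(rtype, "answers:", answers)
    print("names with conflicting CNAMEs:", cname_conflicts())
```

The walk mirrors the two `host` queries in the section: the alias hop is reported once, then the A/AAAA or TXT data of the target is returned. `cname_conflicts` is the check to run over a zone export before publishing it, since the page's rule that other records become invalid next to a CNAME is easy to violate by accident when adding tracking or DKIM aliases.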

TXT Record

TXT records can hold various pieces of text. The most common use case is domain verification: a provider issues a code, and once this code is found in a DNS TXT record, ownership of the domain has been verified. Common use cases in e-mail are:

SPF records

Main article: Sender Policy Framework (SPF)

Example:

$ host -t txt example.com
example.com descriptive text "v=spf1 ip4:192.168.10.34 ip6:fe80::1ff:fe23:4567:890a ~all"

DKIM records

Main article: DomainKeys Identified Mail (DKIM)

Example:

$ host -t txt selector._domainkey.example.com
selector._domainkey.example.com descriptive text "v=DKIM1; t=s; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0vuPa8g6qdfYLi9TWfbMzFoijdNfJC6/a0uGfIj6fOr+z1fJlOsM1DhKaEaSkNeI0ClKjLx9648CfMl02TxViTvG1Ne2sDsFvGc53NzEd65I2BsPuLpBsHo5zXbZ1ZvLhFm+iOjXlPnD1WlOeQuDhFdIdR+1lWt5aExNwBvIqBr+nYfJt094h9fUwXxMpJ+75GtBdAo3j2nOlWlZtCkWnDmCsXd0j6nNrHz0fO8VqCcJmQsP1ThUgBlO7T3L4PiVg1yHbDpKyTgVb6zHpYt/cXiKmIxVn6nQoDxL9ZfQ2EmVi7hUfMcSoFpWdIpYuOnMmPgPk47J+YZjv4N2X6UpSQIDAQAB"

DMARC records

Main article: Domain-based Message Authentication, Reporting, and Conformance (DMARC)

Example:

$ host -t txt _dmarc.example.com
_dmarc.example.com descriptive text "v=DMARC1; p=reject; rua=mailto:dmarc@dmarc.example.com; ruf=mailto:dmarc@dmarc.example.com; rf=afrf; pct=100;"
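One parser for the three e-mail TXT records shown in the SPF, DKIM and DMARC sections above, as an added example that is not part of the InboxSys page or of any of the main articles it links to. It splits SPF into qualifier/term pairs, reads DKIM and DMARC as tag=value lists, and, for a DKIM record with k=rsa, walks the DER of the p= value by hand to report the modulus size, which is the first thing a receiver-side review checks. The three record strings are copied from this page; the DER walking assumes a standard RSA SubjectPublicKeyInfo and is an assumption of this example.

```python
import base64

# Copies of the three TXT records shown on this page.
SPF_RECORD = "v=spf1 ip4:192.168.10.34 ip6:fe80::1ff:fe23:4567:890a ~all"
DKIM_RECORD = (
    "v=DKIM1; t=s; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0vuPa8g6qdfYLi9TWfbMzFoijdNfJC6/"
    "a0uGfIj6fOr+z1fJlOsM1DhKaEaSkNeI0ClKjLx9648CfMl02TxViTvG1Ne2sDsFvGc53NzEd65I2BsPuLpBsHo5zXbZ1ZvLhFm+"
    "iOjXlPnD1WlOeQuDhFdIdR+1lWt5aExNwBvIqBr+nYfJt094h9fUwXxMpJ+75GtBdAo3j2nOlWlZtCkWnDmCsXd0j6nNrHz0fO8V"
    "qCcJmQsP1ThUgBlO7T3L4PiVg1yHbDpKyTgVb6zHpYt/cXiKmIxVn6nQoDxL9ZfQ2EmVi7hUfMcSoFpWdIpYuOnMmPgPk47J+YZj"
    "v4N2X6UpSQIDAQAB"
)
DMARC_RECORD = ("v=DMARC1; p=reject; rua=mailto:dmarc@dmarc.example.com; "
                "ruf=mailto:dmarc@dmarc.example.com; rf=afrf; pct=100;")


def parse_tag_value(record):
    """Parse a DKIM or DMARC style 'tag=value; tag=value' record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue                    # skips the empty part after a trailing ';'
        tag, value = part.split("=", 1)  # split once: base64 values may contain '='
        tags[tag.strip().lower()] = value.strip()
    return tags


def parse_spf(record):
    """Split an SPF record into (qualifier, term) pairs; '+' is the implicit default."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        parsed.append((qualifier, term))
    return parsed


def _der_tlv(buf, pos):
    """Decode one DER tag/length at `pos`; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def dkim_rsa_bits(dkim_tags):
    """Modulus size in bits of the RSA key in a DKIM record's p= tag (k=rsa only).

    Assumes the standard SubjectPublicKeyInfo layout:
    SEQUENCE { AlgorithmIdentifier, BIT STRING { SEQUENCE { modulus, exponent } } }.
    """
    if dkim_tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA key")
    der = base64.b64decode(dkim_tags["p"])
    _, pos, _ = _der_tlv(der, 0)        # outer SubjectPublicKeyInfo SEQUENCE
    _, _, pos = _der_tlv(der, pos)      # skip the AlgorithmIdentifier SEQUENCE
    _, pos, _ = _der_tlv(der, pos)      # BIT STRING wrapping RSAPublicKey
    _, pos, _ = _der_tlv(der, pos + 1)  # +1 skips the unused-bits byte; RSAPublicKey SEQUENCE
    _, start, end = _der_tlv(der, pos)  # modulus INTEGER
    return int.from_bytes(der[start:end], "big").bit_length()


def dmarc_summary(dmarc_tags):
    """Pick out what a receiver acts on: policy, sampling percentage, report addresses."""
    if dmarc_tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return {
        "policy": dmarc_tags.get("p", "none"),
        "pct": int(dmarc_tags.get("pct", "100")),
        "aggregate_reports": [u.strip() for u in dmarc_tags.get("rua", "").split(",") if u.strip()],
    }


if __name__ == "__main__":
    print("SPF terms:", parse_spf(SPF_RECORD))
    dkim = parse_tag_value(DKIM_RECORD)
    print("DKIM key:", dkim["k"], dkim_rsa_bits(dkim), "bits")
    print("DMARC:", dmarc_summary(parse_tag_value(DMARC_RECORD)))
```

The same tag=value parser serves DKIM and DMARC because both formats share that syntax; SPF does not, hence its own parser. A receiver that validates published records would add checks on top of this, for example rejecting RSA keys below 1024 bits or flagging a DMARC record whose p= is "none".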

PTR Record

PTR records, or reverse DNS, are defined in RFC1035. A reverse lookup finds the name for an IP, instead of the other way around. Because it's not possible to create a DNS zone named after an IP address, an alias name is derived from each IP. This alias always has the TLD "arpa", which is reserved for this purpose: IPv4 addresses use "in-addr.arpa" and IPv6 addresses use "ip6.arpa".

Each sending IP should resolve, via its PTR record, to a domain name: the "hostname". Each hostname should in turn resolve to an IP, and that IP should be the same sending IP we started from.

Example from Gmail with sending IP 2a00:1450:4864:20::632:

$ host -t ptr 2a00:1450:4864:20::632
2.3.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.5.4.1.0.0.a.2.ip6.arpa domain name pointer mail-ej1-x632.google.com.

$ host -t aaaa mail-ej1-x632.google.com
mail-ej1-x632.google.com has IPv6 address 2a00:1450:4864:20::632
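The round trip described above (IP to reverse name to hostname, then hostname back to the same IP), as an added example that is not part of the InboxSys page. It uses Python's standard `ipaddress` module to build the in-addr.arpa / ip6.arpa name and checks the result against constructed PTR and A/AAAA tables instead of a live resolver, so it runs offline. The Gmail entries reproduce the page's example; the 192.0.2.x entries are made up to show the two ways the check fails.

```python
import ipaddress

# Constructed stand-ins for PTR and A/AAAA answers (no network lookups are made).
PTR_TABLE = {
    "2.3.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.5.4.1.0.0.a.2.ip6.arpa": "mail-ej1-x632.google.com",
    "34.10.168.192.in-addr.arpa": "example.com",
    "5.2.0.192.in-addr.arpa": "mail.example.org",  # hypothetical: PTR exists, forward lookup disagrees
}
FORWARD_TABLE = {
    "mail-ej1-x632.google.com": ["2a00:1450:4864:20::632"],
    "example.com": ["192.168.10.34", "fe80::1ff:fe23:4567:890a"],
    "mail.example.org": ["192.0.2.99"],            # hypothetical: points somewhere else
}


def reverse_name(ip):
    """The in-addr.arpa / ip6.arpa name a resolver queries for the PTR record of `ip`."""
    return ipaddress.ip_address(ip).reverse_pointer


def fcrdns_check(ip, ptr_table=PTR_TABLE, forward_table=FORWARD_TABLE):
    """Forward-confirmed reverse DNS: IP -> PTR -> hostname -> A/AAAA -> same IP.

    Returns (ok, hostname, reason). `hostname` is None when there is no PTR at all,
    and set but `ok` False when the name does not resolve back to the IP.
    """
    addr = ipaddress.ip_address(ip)
    hostname = ptr_table.get(addr.reverse_pointer)
    if hostname is None:
        return False, None, f"no PTR record for {addr}"
    # Compare as address objects so "2a00:1450:4864:20::632" and its exploded form match.
    forward = {ipaddress.ip_address(a) for a in forward_table.get(hostname, [])}
    if addr not in forward:
        return False, hostname, f"{hostname} does not resolve back to {addr}"
    return True, hostname, "ok"


if __name__ == "__main__":
    for ip in ("2a00:1450:4864:20::632", "192.168.10.34", "192.0.2.5", "192.0.2.6"):
        print(ip, "->", reverse_name(ip))
        print("   ", fcrdns_check(ip))
```

Real code would replace the two dictionaries with PTR and A/AAAA queries, but the decision logic stays the same: a missing PTR and a PTR whose hostname points elsewhere are the two outcomes a mail receiver treats differently from a confirmed match.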

DNS delegation

If you create an NS record for a subdomain, this subdomain is now at the top of its own zone. What used to be a subdomain is now a responsible domain.

For example, with DNS delegation it's possible for dns[1|2].example.com to host the zone for "example.com", while dns[1|2].example.net hosts the zone for "sub.example.com".
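Finding the responsible zone once delegations exist, as an added example that is not part of the InboxSys page: walk up the labels of a name and stop at the nearest name that has NS records. The NS table is constructed to match the example in this section (example.com on example.com's servers, sub.example.com delegated to example.net's servers).

```python
# Constructed NS data mirroring the example above; not real resolver output.
NS_RECORDS = {
    "example.com": ["dns1.example.com", "dns2.example.com"],
    "sub.example.com": ["dns1.example.net", "dns2.example.net"],
}


def responsible_zone(name, ns_records=NS_RECORDS):
    """Return (zone apex, nameservers) of the nearest delegation above `name`.

    Walks from the full name towards the root, one label at a time, so a
    delegated subdomain wins over its parent. Raises LookupError when no
    known zone contains the name.
    """
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ns_records:
            return candidate, sorted(ns_records[candidate])
    raise LookupError(f"no delegation known for {name}")


def delegations_under(zone, ns_records=NS_RECORDS):
    """Subzones delegated away from `zone`, i.e. names whose NS records may be
    operated by a different party than the parent zone's."""
    suffix = "." + zone.lower()
    return sorted(n for n in ns_records if n.endswith(suffix))


if __name__ == "__main__":
    for name in ("www.example.com", "a.b.sub.example.com", "sub.example.com"):
        print(name, "->", responsible_zone(name))
    print("delegated out of example.com:", delegations_under("example.com"))
```

`delegations_under` is the inventory view an operator wants when reviewing a zone: every delegated subzone is a set of records maintained somewhere else, so each entry is a place to confirm that the listed nameservers are still the intended ones.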

Useful links

  • Domain Name System on Wikipedia: https://en.wikipedia.org/wiki/Domain_Name_System