Week 11 DNS Service v2

Uploaded by zara mahmood

IT601 – System and Network Administration

DNS Service
Arif Husen

Department of Computer Science and Information Technology,


Virtual University of Pakistan
DNS Service
➢ Domain Name Service (DNS) is an Internet service that maps IP addresses and fully qualified domain names
(FQDN) to one another.
➢ DNS service alleviates the need to remember IP addresses. Computers that run DNS are called name servers.
➢ Ubuntu is shipped with BIND (Berkeley Internet Naming Daemon), the most common program used for maintaining a
name server on Linux.
➢ Fully Qualified Domain Name (FQDN), using the URL https://api.aws.amazon.com. typed into a browser as the example:

  ▪ protocol: https:// (or http://)
  ▪ FQDN: api.aws.amazon.com.
  ▪ subdomain: api.aws (or www); root domain: amazon.com
  ▪ broken into labels: host = api, subdomain = aws, SLD = amazon, TLD = com, root = . (the trailing dot)
DNS Terminology and Components

• DNS Terminology
  ▪ Domain Name System
  ▪ Domain Name
  ▪ IP Address
  ▪ Top-Level Domain
  ▪ Hosts
  ▪ Subdomain
  ▪ Fully Qualified Domain Name
  ▪ Name Server
  ▪ Zone File
  ▪ Records

• DNS Components
  ▪ Root Servers
  ▪ TLD Servers
  ▪ Domain-Level Name Servers
  ▪ Resolving Name Server
  ▪ Zone Files
DNS Resolution

➢ DNS resolution is completed in several steps. The figure shows the User, the ISP DNS (resolving name server),
the Root DNS, the TLD DNS and the authoritative DNS (labelled "DYN DNS") resolving www.google.com:

  1. The User sends a DNS query for www.google.com to the ISP DNS.
  2. The ISP DNS sends a DNS query for www.google.com to the Root DNS.
  3. The Root DNS answers: ask the .com (TLD) server.
  4. The ISP DNS sends a DNS query for www.google.com to the .com TLD DNS.
  5. The TLD DNS answers: ask the DYN (authoritative) server.
  6. The ISP DNS sends a DNS query for www.google.com to the authoritative DNS.
  7. The authoritative DNS returns an authoritative response containing the <IP Address>.
  8. The ISP DNS returns the <IP Address> to the User.
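The eight-step walk above, as an added example that is not part of the lecture: an in-memory model of the ISP DNS following referrals from the root to the TLD to the authoritative server, then caching the answer. The three "servers" and the address 192.0.2.80 are constructed data; the model covers the referral logic of the figure, not the DNS wire protocol.

```python
# Added example (not code from the lecture): an in-memory model of the
# eight-step iterative walk in the figure. The three "servers" below are
# constructed dictionaries; each maps a zone name to either a referral
# (the next server to ask) or an authoritative answer (an address).
ROOT_SERVER = {"com.": ("referral", "com TLD")}
TLD_SERVERS = {"com TLD": {"google.com.": ("referral", "DYN")}}
AUTH_SERVERS = {"DYN": {"www.google.com.": ("answer", "192.0.2.80")}}  # constructed address
SERVERS = {"root": ROOT_SERVER, **TLD_SERVERS, **AUTH_SERVERS}


def suffixes(name):
    """Yield the suffixes of a dotted name from shortest to longest:
    "www.google.com." -> "com.", "google.com.", "www.google.com."
    """
    labels = name.rstrip(".").split(".")
    for i in range(len(labels) - 1, -1, -1):
        yield ".".join(labels[i:]) + "."


def lookup(server, name):
    """Answer as one server would: use the longest suffix it has data for."""
    table = SERVERS[server]
    hit = None
    for suffix in suffixes(name):
        if suffix in table:
            hit = table[suffix]
    if hit is None:
        raise LookupError(f"{server} server has no data for {name}")
    return hit


def resolve(name, cache=None, trace=None):
    """Resolve `name` the way the ISP DNS (resolving name server) does.

    Returns the address. `trace` collects (step, "from -> to", message)
    tuples matching the numbered arrows of the figure; `cache` is a dict
    consulted first, which is why a repeated query never reaches the
    root, TLD or authoritative servers.
    """
    cache = {} if cache is None else cache
    trace = [] if trace is None else trace
    if name in cache:
        trace.append(("cached", "ISP DNS -> User", cache[name]))
        return cache[name]
    step = 1
    trace.append((step, "User -> ISP DNS", f"DNS Query {name}"))
    server = "root"
    while True:
        step += 1
        trace.append((step, f"ISP DNS -> {server}", f"DNS Query {name}"))
        kind, value = lookup(server, name)
        step += 1
        if kind == "referral":
            trace.append((step, f"{server} -> ISP DNS", f"Ask {value} server"))
            server = value
            continue
        trace.append((step, f"{server} -> ISP DNS", f"Authoritative Resp {value}"))
        step += 1
        trace.append((step, "ISP DNS -> User", value))
        cache[name] = value
        return value


if __name__ == "__main__":
    steps = []
    print(resolve("www.google.com.", trace=steps))
    for entry in steps:
        print(*entry, sep="  ")
```

Running the block prints the address and then the eight trace lines; calling resolve a second time with the same cache dict produces a single "cached" trace entry, which is the caching the later slides rely on.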
DNS ZONE
➢ The DNS is broken up into many different zones. These zones differentiate between distinctly managed areas in
the DNS namespace.

➢ A DNS zone is a portion of the DNS namespace that is managed by a specific organization or administrator. A DNS
zone is an administrative space which allows for more granular control of DNS components, such as authoritative
nameservers.

➢ The domain name space is a hierarchical tree, with the DNS root domain at the top. A DNS zone starts at a
domain within the tree and can also extend down into subdomains so that multiple subdomains can be managed by
one entity.

➢ Don't associate a DNS zone with a domain name or a single DNS server. In fact, a DNS zone can contain multiple
subdomains and multiple zones can exist on the same server. DNS zones are not necessarily physically separated
from one another; zones are strictly used for delegating control.

➢ All of the information for a zone is stored in what's called a DNS zone file, which is the key to understanding
how a DNS zone operates.

[Figure: zone hierarchy. The root zone is at the top; below it are the TLD zones .pk, .com and .net; beneath .pk
is the .edu zone, beneath that the .vu zone, and beneath .vu the .exam and .vulms zones.]
DNS Record Types

1. SOA
   • Admin Email
   • Last Update
   • Refresh Rate
2. A and AAAA
   • A is an address record.
   • Shows the IP address of a hostname or domain.
   • An AAAA record, just like an A record, points to the IPv6 address for a domain.
3. CNAME
   • CNAME or "canonical name" is a record that points a domain name (an alias) to another domain.
   • The subdomain ng.example.com can point to example.com using a CNAME. Here example.com points to the actual
     IP address using an A record.
4. MX
   • A mail exchange (MX) record is a DNS record type that shows where emails for a domain should be routed to.
   • An MX record makes it possible to direct emails to a mail server.
5. NS
   • A nameserver (NS) record specifies the authoritative DNS server for a domain.
   • The NS record helps point to where internet applications like a web browser can find the IP address for a
     domain name.
6. PTR
   • A pointer (PTR) record provides a domain name for reverse lookup.
   • It's the opposite of an A record, as it provides the domain name linked to an IP address instead of the IP
     address for a domain.
7. CAA
   • The CAA record is a type of DNS record used to provide additional confirmation for the Certification
     Authority (CA) when validating an SSL certificate.
8. TXT
   • TXT stands for "text," and this record type lets the owner of a domain store text values in the DNS.
   • Several services use this record to verify ownership of a domain name.
9. SRV
   • Using this DNS record type, it's possible to store the IP address and port for specific services.
10. CERT
   • This record type stores public key certificates.
11. DHCID
   • This DNS record type stores information related to the dynamic host configuration protocol (DHCP).
12. DNAME
   • DNAME is "delegation name."
   • It works very similarly to CNAME.
   • It points all the subdomains for the alias to the canonical domain.
SOA Records

➢ The Start of Authority (SOA) record is a mandatory record in all zone files.

➢ It must be the first real record in a file (although $ORIGIN or $TTL specifications may appear above).

➢ It is also one of the most complex to understand.

➢ Example

domain.com. IN SOA ns1.domain.com. admin.domain.com. (
    12083 ; serial number
    3h    ; refresh interval
    30m   ; retry interval
    3w    ; expiry period
    1h    ; negative TTL
)
A and AAAA Records
➢ Both of these records map a host to an IP address.

➢ The “A” record is used to map a host to an IPv4 IP address, while “AAAA” records are used to
map a host to an IPv6 address.

➢ The general format of these records is this:

  ▪ host IN A IPv4_address
  ▪ host IN AAAA IPv6_address

➢ Example

  ▪ ns1 IN A 111.222.111.222
  ▪ ns1.domain.com. IN A 111.222.111.222
  ▪ www IN A 222.222.222.222
  ▪ domain.com. IN A 222.222.222.222
  ▪ @ IN A 222.222.222.222
  ▪ * IN A 222.222.222.222
CNAME Records
➢ CNAME records define an alias for the canonical name of your server (the name defined by an A or
AAAA record).

➢ For instance, we could have an A name record defining the “server1” host and then use the
“www” as an alias for this host:

server1 IN A 111.111.111.111
www IN CNAME server1

➢ Be aware that these aliases come with some performance losses because they require an
additional query to the server.

➢ Most of the time, the same result could be achieved by using additional A or AAAA records.

➢ One case when a CNAME is recommended is to provide an alias for a resource outside of the
current zone.
MX Records
➢ MX records are used to define the mail exchanges that are used for the domain. This helps
email messages arrive at your mail server correctly.
➢ Unlike many other record types, mail records generally don't map a host to something, because
they apply to the entire zone. As such, they usually look like this:

IN MX 10 mail.domain.com.

➢ Example
The MX record should generally point to a host defined by an A or AAAA record, and not one defined by a
CNAME. So, let's say that we have two mail servers. There would have to be records that look something like
this:

IN MX 10 mail1.domain.com.
IN MX 50 mail2.domain.com.
mail1 IN A 111.111.111.111
mail2 IN A 222.222.222.222

or, equivalently, with the mail host names written relative to the zone origin:

IN MX 10 mail1
IN MX 50 mail2
mail1 IN A 111.111.111.111
mail2 IN A 222.222.222.222
NS Records
➢ NS record type defines the name servers that are used for this zone.
Question: if the zone file resides on the name server, why does it need to reference itself? Part of
what makes DNS so successful is its multiple levels of caching.
  ▪ One reason for defining name servers within the zone file is that the zone file may actually be
    being served from a cached copy on another name server.

➢ Like the MX records, these are zone-wide parameters, so they do not take hosts either. In general,
they look like this:

IN NS ns1.domain.com.
IN NS ns2.domain.com.

  ▪ You should have at least two name servers defined in each zone file in order to operate correctly
    if there is a problem with one server.
  ▪ Most DNS server software considers a zone file to be invalid if there is only a single name server.
  ▪ As always, include the mapping for the hosts with A or AAAA records:

IN NS ns1.domain.com.
IN NS ns2.domain.com.
ns1 IN A 111.222.111.111
ns2 IN A 123.211.111.233

➢ There are quite a few other record types you can use, but these are probably the most common
types that you will come across.
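The zone-file rules spread across the SOA, A/AAAA, CNAME, MX and NS slides (SOA first, MX and NS targets that are A/AAAA hosts rather than CNAMEs, at least two NS records) can be checked mechanically. The following is an added example, not code from the lecture or from BIND: SAMPLE_ZONE is a constructed zone built from the slides' own record shapes, and the parser handles only those shapes, not every feature of an RFC 1035 master file.

```python
# Added example (not code from the lecture or from BIND): a small checker
# for the zone-file rules stated in the SOA, A/AAAA, CNAME, MX and NS
# sections. SAMPLE_ZONE is constructed here and reuses the slides' record
# shapes; the parser handles only those shapes, not every RFC 1035 feature.
import re

SAMPLE_ZONE = """\
$ORIGIN domain.com.
$TTL 1h
@       IN SOA ns1.domain.com. admin.domain.com. (
            12083 ; serial number
            3h    ; refresh interval
            30m   ; retry interval
            3w    ; expiry period
            1h    ; negative TTL
        )
        IN NS  ns1.domain.com.
        IN NS  ns2.domain.com.
        IN MX  10 mail1
        IN MX  50 mail2
ns1     IN A   111.222.111.111
ns2     IN A   123.211.111.233
mail1   IN A   111.111.111.111
mail2   IN CNAME server1
server1 IN A   111.111.111.111
www     IN CNAME server1
"""


def qualify(name, origin):
    """Turn a zone-relative owner or target into an FQDN with a trailing dot."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (origin, records); each record is (owner, type, rdata tuple)."""
    origin, records, last_owner = ".", [], None
    # Strip ';' comments, then fold a parenthesised multi-line SOA onto one line.
    flat = "\n".join(re.sub(r";.*", "", line) for line in text.splitlines())
    flat = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), flat)
    for line in flat.splitlines():
        if not line.strip() or line.startswith("$TTL"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        # A line that starts with whitespace inherits the previous owner.
        if line[0].isspace():
            owner = last_owner or origin
        else:
            owner, fields = qualify(fields[0], origin), fields[1:]
        last_owner = owner
        if fields[0] == "IN":
            fields = fields[1:]
        rtype, rdata = fields[0], tuple(fields[1:])
        if rtype in ("NS", "CNAME"):
            rdata = (qualify(rdata[0], origin),)
        elif rtype == "MX":
            rdata = (int(rdata[0]), qualify(rdata[1], origin))
        records.append((owner, rtype, rdata))
    return origin, records


def check_zone(text):
    """Return a list of rule violations (an empty list means the zone passes)."""
    origin, records = parse_zone(text)
    problems = []
    if not records or records[0][1] != "SOA":
        problems.append("SOA must be the first real record in the zone file")
    types_at = {}
    for owner, rtype, _ in records:
        types_at.setdefault(owner, set()).add(rtype)
    ns_count = sum(1 for o, t, _ in records if t == "NS" and o == origin)
    if ns_count < 2:
        problems.append(f"zone has {ns_count} NS record(s); at least two are needed")
    for _, rtype, rdata in records:
        if rtype not in ("MX", "NS"):
            continue
        target = rdata[-1]
        if not target.endswith("." + origin) and target != origin:
            continue  # targets outside this zone cannot be checked from this file
        types = types_at.get(target, set())
        if "CNAME" in types:
            problems.append(f"{rtype} target {target} is a CNAME; use an A/AAAA host")
        elif not types & {"A", "AAAA"}:
            problems.append(f"{rtype} target {target} has no A/AAAA record in this zone")
    return problems


if __name__ == "__main__":
    for problem in check_zone(SAMPLE_ZONE) or ["zone passes all checks"]:
        print(problem)
```

On the constructed zone the checker reports exactly one problem: the MX for mail2 points at a CNAME, which is the case the MX slide warns against. Deleting one of the two NS lines adds a second report, matching the rule that most DNS server software rejects a zone with a single name server.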
PTR Records
➢ PTR records are used to define a name associated with an IP address.

➢ PTR records are the inverse of an A or AAAA record.

➢ PTR records are unique in that they begin at the .arpa root and are delegated to the owners of the IP addresses.

➢ The Regional Internet Registries (RIRs) manage the IP address delegation to organization and service providers.

➢ The Regional Internet Registries include APNIC, ARIN, RIPE NCC, LACNIC, and AFRINIC.

➢ Example of a PTR record for 111.222.333.444:

444.333.222.111.in-addr.arpa. 33692 IN PTR host.example.com.

➢ Example of a PTR record for an IPv6 address, showing the nibble format of the reverse of Google's IPv6
DNS server 2001:4860:4860::8888:

8.8.8.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.8.4.0.6.8.4.1.0.0.2.ip6.arpa. 86400 IN PTR google-public-dns-a.google.com.


➢ The command line tool dig with the -x flag can be used to look up the reverse DNS name of an IP address.

➢ An example of a dig command. The +short is appended to reduce the output to the reverse DNS name.

dig -x 8.8.4.4 +short

▪ The output for the dig command above will be the domain name in the PTR record for the IP address:
google-public-dns-b.google.com.

➢ Servers on the Internet use PTR records to place domain names within log entries, make informed spam handling
decisions, and display easy-to-read details about other devices.

➢ Most commonly used email servers will look up the PTR record of the IP address they receive email from.

➢ If the source IP address does not have a PTR record associated with it, the emails being sent may be treated
as spam and rejected.

➢ It is not important that the FQDN in the PTR matches the domain name of the email being sent. What is
important is that there is a valid PTR record with a corresponding and matching forward A record.
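The reverse-name construction for both address families and the "valid PTR with a matching forward record" rule above, as an added example that is not part of the lecture. The PTR and forward tables are constructed stand-ins for real DNS answers so the code runs offline; the two Google entries mirror the slides' examples, and the 192.0.2.x entries are documentation addresses used to show the failure cases.

```python
# Added example (not code from the lecture): reverse-DNS owner names and the
# forward-confirmed check that receiving mail servers apply. The PTR and
# forward tables are constructed stand-ins for real DNS answers so the code
# runs offline; the two Google entries mirror the slides' examples.
import ipaddress


def reverse_name(addr):
    """PTR owner name for an IPv4 or IPv6 address, as an FQDN with a trailing dot.

    IPv4: the octets reversed under in-addr.arpa.
    IPv6: all 32 hex nibbles reversed under ip6.arpa (the "nibble format").
    """
    return ipaddress.ip_address(addr).reverse_pointer + "."


# Constructed PTR answers, keyed by the reverse name a resolver would query.
PTR_TABLE = {
    reverse_name("8.8.4.4"): "google-public-dns-b.google.com.",
    reverse_name("2001:4860:4860::8888"): "google-public-dns-a.google.com.",
    reverse_name("192.0.2.10"): "mail.example.com.",   # forward record disagrees
    reverse_name("192.0.2.11"): "stale.example.com.",  # no forward record at all
}

# Constructed A/AAAA answers for the names above.
FORWARD_TABLE = {
    "google-public-dns-b.google.com.": {"8.8.4.4"},
    "google-public-dns-a.google.com.": {"2001:4860:4860::8888"},
    "mail.example.com.": {"192.0.2.5"},
}


def forward_confirmed(addr, ptr_table=PTR_TABLE, forward_table=FORWARD_TABLE):
    """Classify the reverse DNS of `addr` the way a receiving mail server would.

    Returns one of:
      "no-ptr"      the address has no PTR record (mail is likely to be refused)
      "no-forward"  the PTR name has no A/AAAA record
      "mismatch"    the PTR name resolves, but not to this address
      "confirmed"   the PTR name resolves back to the address (the check passes)
    """
    name = ptr_table.get(reverse_name(addr))
    if name is None:
        return "no-ptr"
    forward = forward_table.get(name)
    if not forward:
        return "no-forward"
    ip = ipaddress.ip_address(addr)
    # Compare as address objects so "2001:4860:4860::8888" also matches its
    # expanded spelling.
    if any(ipaddress.ip_address(a) == ip for a in forward):
        return "confirmed"
    return "mismatch"


if __name__ == "__main__":
    for a in ("8.8.4.4", "2001:4860:4860::8888", "192.0.2.10", "192.0.2.11", "192.0.2.99"):
        print(a, reverse_name(a), forward_confirmed(a))
```

Note that the PTR name does not have to be in the sending domain, exactly as the slide says: "mail.example.com." fails here only because its A record points elsewhere, not because of what the name looks like.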
CAA Records
➢ CAA records are used to specify which Certificate Authorities (CAs) are allowed to issue SSL/TLS certificates for
your domain.
▪ As of September 8, 2017 all CAs are required to check for these records before issuing a certificate. If no record is
present, any CA may issue a certificate.
▪ Otherwise, only the specified CAs may issue certificates. CAA records can be applied to single hosts, or entire
domains.
➢ An example CAA record

example.com. IN CAA 0 issue "letsencrypt.org"

▪ The host, IN, and record type (CAA) are common DNS fields. The CAA-specific information above is the 0 issue
"letsencrypt.org" portion. It is made up of three parts: flags (0), tags (issue), and values ("letsencrypt.org").
▪ Flags are an integer which indicates how a CA should handle tags it doesn't understand. If the flag is 0, a record
whose tag the CA does not understand is ignored. If it is 1, the CA must refuse to issue the certificate.
▪ Tags are strings that denote the purpose of a CAA record. Currently they can be issue to authorize a CA to create
certificates for a specific hostname, issuewild to authorize wildcard certificates, or iodef to define a URL where CAs
can report policy violations.
▪ Values are a string associated with the record’s tag. For issue and issuewild this will typically be the domain of the CA
you’re granting the permission to. For iodef this may be the URL of a contact form, or a mailto: link for email feedback.
➢ You may use dig to fetch CAA records using the following options:

dig example.com type257
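The flags, tags and values above, worked through as the decision a CA makes before issuing. This is an added example, not code from the lecture or from any CA, and it goes slightly beyond the slide in two places taken from the CAA specification (RFC 8659): a value of ";" authorises no CA, and a name without CAA records of its own is governed by the closest ancestor that has them (which is how one record on a domain covers its hosts). CAA_RECORDS and the CA names are constructed.

```python
# Added example (not code from the lecture or from any CA): the decision a CA
# makes from CAA records, following the flags/tags/values description above
# plus two details from the CAA specification (RFC 8659): a value of ";"
# authorises no CA, and a name without CAA records inherits the closest
# ancestor's records. CAA_RECORDS is constructed data.
CAA_RECORDS = {
    "example.com.": [
        '0 issue "letsencrypt.org"',
        '0 issuewild ";"',                          # nobody may issue wildcards
        '0 iodef "mailto:caa-reports@example.com"',
    ],
    "legacy.example.com.": ['1 futuretag "unknown-to-this-ca"'],  # critical, unknown tag
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parse_caa(rdata):
    """Split '0 issue "letsencrypt.org"' into (flags, tag, value)."""
    flags, tag, value = rdata.split(None, 2)
    return int(flags), tag.lower(), value.strip('"')


def relevant_caa(caa_by_name, name):
    """Walk from `name` toward the root; return (owner, records) of the first CAA set.

    This is what lets a CAA record on example.com. cover www.example.com.
    unless www has CAA records of its own.
    """
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if caa_by_name.get(owner):
            return owner, caa_by_name[owner]
    return None, []


def caa_allows(records, ca_domain, wildcard=False):
    """Return (allowed, reason) for a CA identified by `ca_domain`.

    `records` are the CAA rdata strings of one name, as written in the zone.
    """
    parsed = [parse_caa(r) for r in records]
    # Flag 0: a record with a tag the CA does not understand is ignored.
    # Flag 1 (critical): the CA must refuse to issue.
    for flags, tag, _ in parsed:
        if tag not in KNOWN_TAGS and flags & 1:
            return False, f"critical flag set on unknown tag {tag!r}"
    issue = [v for _, t, v in parsed if t == "issue"]
    issuewild = [v for _, t, v in parsed if t == "issuewild"]
    # issuewild governs wildcard requests when present; otherwise issue applies.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True, "no applicable issue/issuewild records: any CA may issue"
    # The value names the CA's domain; parameters after ';' are not needed here,
    # and a bare ';' means no CA at all.
    allowed = {v.split(";")[0].strip().lower() for v in relevant} - {""}
    if ca_domain.lower() in allowed:
        return True, f"{ca_domain} is authorised"
    return False, f"{ca_domain} not in {sorted(allowed)}"


if __name__ == "__main__":
    owner, recs = relevant_caa(CAA_RECORDS, "www.example.com.")
    print(owner, caa_allows(recs, "letsencrypt.org"))
    print(owner, caa_allows(recs, "letsencrypt.org", wildcard=True))
    print(caa_allows(CAA_RECORDS["legacy.example.com."], "letsencrypt.org"))
```

With the constructed records, letsencrypt.org may issue for www.example.com. but no CA may issue a wildcard, and the critical unknown tag on legacy.example.com. blocks issuance for that host entirely; the iodef record plays no part in the decision and only tells CAs where to report violations.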
