DNS Guide
Learn how DNS works, record types, and best practices
How DNS Works
The Domain Name System (DNS) is the internet's phone book. It translates human-readable domain names (like example.com) into IP addresses (like 93.184.216.34) that computers use to communicate.
The DNS Hierarchy
- Root Servers: The top of the DNS hierarchy, directing queries to TLD servers
- TLD Servers: Handle top-level domains (.com, .org, .net)
- Authoritative Servers: Store actual DNS records for domains
- Recursive Resolvers: Query other servers on behalf of clients
User Query: example.com
|
Recursive Resolver
|
Root Server (.)
|
TLD Server (.com)
|
Authoritative Server
|
IP: 93.184.216.34
DNS Record Types
| Type | Purpose | Example |
|---|---|---|
| A | Maps domain to IPv4 address | example.com -> 93.184.216.34 |
| AAAA | Maps domain to IPv6 address | example.com -> 2606:2800:220:1:248:1893:25c8:1946 |
| CNAME | Alias for another domain | www.example.com -> example.com |
| MX | Mail server for domain | example.com -> mail.example.com (priority 10) |
| TXT | Text data (SPF, verification, etc.) | "v=spf1 include:_spf.google.com ~all" |
| NS | Nameservers for domain | example.com -> ns1.example.com |
| SOA | Start of Authority - zone information | Serial, refresh, retry, expire times |
| PTR | Reverse DNS - IP to domain | 34.216.184.93.in-addr.arpa -> example.com |
| SRV | Service location | _sip._tcp.example.com -> sipserver.example.com:5060 |
| CAA | Certificate Authority Authorization | example.com CAA 0 issue "letsencrypt.org" |
DNS Resolution Process
- Browser Cache: Browser checks its local cache for recent DNS lookups
- OS Cache: Operating system checks its DNS cache
- Recursive Resolver: Query sent to ISP or configured DNS resolver (e.g., 8.8.8.8)
- Root Server: Resolver queries root server for TLD location
- TLD Server: The root server refers the resolver to the server for the name's TLD (.com, .org, .net)
- Authoritative Server: The TLD server refers the resolver to the domain's authoritative nameserver
- Response: IP address returned and cached at each level
TTL (Time To Live): Each DNS record has a TTL value that determines how long it can be cached. Lower TTL means faster propagation of changes but more DNS queries.
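The referral chain and the "cached at each level" behaviour above can be reproduced offline. The following is an added example, not code from the original guide: it walks a constructed in-memory zone tree (root, .com TLD, example.com authoritative server) exactly the way a recursive resolver would, and keeps a TTL-aware cache so a second query for the same name is answered locally until the record's TTL runs out. The server names, the 93.184.216.34 address and the TTLs are illustrative values modelled on the guide's own example.

```python
"""Simulated iterative DNS resolution with a TTL-aware cache.

Added example, not part of the original guide. All zone data is constructed
in memory; nothing is sent over the network. Names ending in "." are fully
qualified.
"""
import time

# Constructed zone data: each server knows either a referral (NS record toward
# a child zone) or the final answer (A record). (owner, type) -> (rdata, ttl)
ROOT = {("com.", "NS"): ("a.gtld-servers.net.", 172800)}
TLD_COM = {("example.com.", "NS"): ("ns1.example.com.", 172800)}
AUTH_EXAMPLE = {("example.com.", "A"): ("93.184.216.34", 3600)}

SERVERS = {
    "root": ROOT,
    "a.gtld-servers.net.": TLD_COM,
    "ns1.example.com.": AUTH_EXAMPLE,
}


class TtlCache:
    """Cache whose entries expire once their record TTL has elapsed."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so expiry can be tested
        self._entries = {}           # (name, type) -> (rdata, expires_at)

    def get(self, name, rtype):
        """Return (rdata, remaining_ttl) or None when absent or expired."""
        entry = self._entries.get((name, rtype))
        if entry is None:
            return None
        rdata, expires_at = entry
        remaining = expires_at - self._clock()
        if remaining <= 0:
            del self._entries[(name, rtype)]
            return None
        return rdata, int(remaining)

    def put(self, name, rtype, rdata, ttl):
        self._entries[(name, rtype)] = (rdata, self._clock() + ttl)


def ask(server, name, rtype):
    """Return what a single server knows: an answer, a referral, or nothing."""
    zone = SERVERS[server]
    if (name, rtype) in zone:
        return "answer", zone[(name, rtype)]
    # Walk up the name to find the closest delegation this server holds.
    labels = name.split(".")
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if (parent, "NS") in zone:
            return "referral", zone[(parent, "NS")]
    return "none", None


def resolve(name, rtype, cache, trace=None):
    """Iteratively resolve name/rtype; trace records who was asked."""
    cached = cache.get(name, rtype)
    if cached is not None:
        if trace is not None:
            trace.append("cache")
        return cached[0]
    server = "root"
    for _ in range(8):  # bound the referral chain against loops
        if trace is not None:
            trace.append(server)
        kind, data = ask(server, name, rtype)
        if kind == "answer":
            rdata, ttl = data
            cache.put(name, rtype, rdata, ttl)  # cache with the record's TTL
            return rdata
        if kind == "referral":
            server = data[0]  # next server to ask
            continue
        return None  # nobody on the path knows this name
    return None


if __name__ == "__main__":
    cache, trace = TtlCache(), []
    print(resolve("example.com.", "A", cache, trace), trace)
    trace = []
    print(resolve("example.com.", "A", cache, trace), trace)
```

The first call walks root, TLD and authoritative server; the second is served from the cache. Because `TtlCache` takes an injectable clock, you can advance time past the TTL and watch the entry expire, which is the behaviour the "lower TTL before making changes" advice later in this guide relies on.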
Email Authentication
SPF
Sender Policy Framework - a TXT record listing which mail servers are authorized to send email for your domain
v=spf1 include:_spf.google.com ~all
DKIM
DomainKeys Identified Mail - cryptographic signature added to outgoing mail; receivers fetch the public key from a TXT record at
selector._domainkey.example.com
DMARC
Domain-based Message Authentication, Reporting and Conformance - policy for handling mail that fails SPF/DKIM alignment, plus reporting
v=DMARC1; p=reject; rua=mailto:dmarc@example.com
DNSSEC
DNS Security Extensions (DNSSEC) adds cryptographic signatures to DNS records so that validating resolvers can detect forged responses, defeating DNS spoofing and cache poisoning attacks. It provides authenticity and integrity only; queries are not encrypted.
Key Record Types
- DNSKEY: Public key used to verify signatures
- DS: Delegation Signer - a hash of the child zone's key, published in the parent zone to link child to parent
- RRSIG: Resource Record Signature - cryptographic signature
- NSEC/NSEC3: Authenticated denial of existence
Important: DNSSEC requires careful key management. Key rollovers must be planned to avoid service disruption.
Best Practices
Security
- Enable DNSSEC for your domains
- Configure SPF, DKIM, and DMARC
- Use CAA records to restrict certificate issuance
- Monitor for unauthorized DNS changes
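A CAA record only restricts issuance if a CA finds it, and CAs look for it by climbing from the requested name toward the root and using the closest ancestor that has CAA records (RFC 8659). The following is an added example, not code from the original guide: it implements that lookup over a constructed in-memory zone, applies the `issue` property to ordinary names and `issuewild` to wildcard names, and treats a value of `;` as "no CA may issue". The zone contents, `locked.example.com` and the second CA name in the test are constructed.

```python
"""Decide whether a CA may issue for a name under the zone's CAA records.

Added example, not from the original guide. Implements the RFC 8659 relevant
RRset lookup (closest ancestor with CAA records) and the issue/issuewild
distinction. Zone data is constructed in memory.
"""

# Constructed CAA data: owner name -> list of (flags, tag, value).
# example.com lets letsencrypt.org issue ordinary certificates but forbids
# wildcards (issuewild ";"); locked.example.com forbids all issuance.
CAA_ZONE = {
    "example.com.": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
    "locked.example.com.": [(0, "issue", ";")],
}


def relevant_caa_set(name, zone):
    """Climb from name toward the root; return the first non-empty CAA set."""
    labels = [l for l in name.rstrip(".").split(".") if l and l != "*"]
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        rrset = zone.get(candidate)
        if rrset:
            return candidate, rrset
    return None, []


def ca_may_issue(name, ca_domain, zone):
    """True if ca_domain may issue a certificate for name (wildcard aware)."""
    is_wildcard = name.startswith("*.")
    _, rrset = relevant_caa_set(name, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    has_issuewild = any(tag == "issuewild" for _, tag, _ in rrset)
    tag = "issuewild" if is_wildcard and has_issuewild else "issue"
    allowed = [value for _, t, value in rrset if t == tag]
    if not allowed:
        return True  # CAA present, but nothing of this property type restricts
    for value in allowed:
        domain = value.split(";")[0].strip()  # drop "; parameters"; ";" alone -> ""
        if domain and domain.lower() == ca_domain.lower():
            return True
    return False


if __name__ == "__main__":
    for n in ("www.example.com.", "*.example.com.", "locked.example.com."):
        print(n, ca_may_issue(n, "letsencrypt.org", CAA_ZONE))
```

When auditing a zone, run every name you expect to get certificates for through `ca_may_issue` with your chosen CA: a `False` where you expected `True` means a stray ancestor record is blocking issuance, and a `True` for a CA you do not use means the record is not restricting what the guide says it should.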
Performance
- Use appropriate TTL values (300-3600 seconds typical)
- Use multiple nameservers for redundancy
- Consider anycast DNS providers
- Minimize CNAME chains
Management
- Document all DNS changes
- Test changes in staging first
- Lower TTL before making changes
- Have a rollback plan
Monitoring
- Set up DNS health checks
- Monitor certificate expiration
- Track DNS propagation
- Alert on unexpected record changes