
DNS database

Zone

Zone files

Zone files have two types of entries:

Parser commands (directives)

$ORIGIN <domain-name> - sets/changes the origin, i.e. the domain appended to every name that doesn't end in a dot (defaults to the zone name given in the name server's config file)

$INCLUDE <filename> [origin] - reads records from another file, so you can split a zone across files or keep DNSSEC keys in a file with restricted permissions

$TTL <default-ttl> - TTL for every record that doesn't carry its own; put it before the first record (BIND 9 warns and falls back to the SOA minimum if it is missing)

Resource records

Special characters in resource records

;   comment
@   the current origin (the zone name unless $ORIGIN changed it)
()  allows data to span lines
*   wild card (`name` field only)

Syntax

[name] [ttl] [class] type data

name

ttl

class

type

SOA    Start of Authority (Defines a DNS zone)
NS     Name Server
A      IPv4 Address (Name-to-address translation)
AAAA   IPv6 Address
PTR    Pointer (Address-to-name translation)
MX     Mail Exchanger (Controls email routing)
DNSKEY Public Key (Public key for a DNS name - used for DNSSEC)
CAA    Certification Authority Authorization
SPF    Sender Policy Framework (Identifies mail servers, inhibits forging). The SPF record type 99 is obsolete (RFC 7208); the policy is published in a TXT record at the zone apex ("v=spf1 ...")
DKIM   DomainKeys Identified Mail (Signature system for email - verify sender and message integrity). Not a record type: the public key is a TXT record at <selector>._domainkey.<domain> ("v=DKIM1; k=rsa; p=...")
CNAME  Canonical Name (Nicknames or aliases for a host)
SRV    Services (Gives locations of well-known services)
TXT    Text (Comments or untyped information; used for trying out new ideas)

See the Cloudflare article for more types.
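The directives and record syntax described above, as an added worked example that is not part of these notes and not BIND's own loader: a small Python parser that applies $ORIGIN and $TTL, drops ; comments, joins ( ) continuation lines, repeats the previous owner for a record that starts with whitespace, and accepts the optional ttl and class fields in either order. The zone text at the bottom is constructed for the example; $INCLUDE is recognised but rejected so the parser reads no files. Where BIND 9 would only warn about a record with no TTL and no $TTL, this parser refuses the zone (an assumption of the example, not BIND behaviour).

```python
"""Zone-file parser for the directives and record syntax in these notes.
Added example, not BIND's loader; the zone text at the bottom is constructed."""
import re
from dataclasses import dataclass

_TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|[();]|[^\s();"]+')   # quoted string | ( ) ; | word
_CLASSES = {"IN", "CH", "HS"}
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
# rdata fields that hold domain names and are therefore relative to the origin
_NAME_FIELDS = {"NS": [0], "CNAME": [0], "PTR": [0], "MX": [1], "SOA": [0, 1], "SRV": [3]}


@dataclass
class RR:
    name: str
    ttl: int
    rclass: str
    rtype: str
    rdata: list


def is_ttl(tok):
    return re.fullmatch(r"\d+|(\d+[smhdw])+", tok.lower()) is not None


def parse_ttl(tok):
    """Plain seconds or BIND-style units: 300, 1h, 1w2d3h."""
    if not is_ttl(tok):
        raise ValueError(f"bad ttl: {tok}")
    return int(tok) if tok.isdigit() else sum(
        int(n) * _UNITS[u] for n, u in re.findall(r"(\d+)([smhdw])", tok.lower()))


def qualify(name, origin):
    """@ means the origin; a name without a trailing dot is relative to the origin."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"


def logical_lines(text):
    """Yield (owner_blank, tokens) per record: ; comments dropped, ( ) spans joined."""
    depth, toks, blank = 0, [], False
    for raw in text.splitlines():
        if depth == 0:                        # a new logical line starts here
            toks, blank = [], raw[:1].isspace()
        for tok in _TOKEN.findall(raw):
            if tok == ";":                    # rest of the physical line is a comment
                break
            if tok in ("(", ")"):
                depth += 1 if tok == "(" else -1
            else:
                toks.append(tok[1:-1] if tok.startswith('"') else tok)
        if depth == 0 and toks:
            yield blank, toks


def parse_zone(text, origin=None):
    records, default_ttl, last_owner = [], None, None
    for blank, toks in logical_lines(text):
        if toks[0].upper() == "$ORIGIN":
            origin = toks[1] if origin is None else qualify(toks[1], origin)
            continue
        if toks[0].upper() == "$TTL":
            default_ttl = parse_ttl(toks[1])
            continue
        if toks[0].upper() == "$INCLUDE":
            raise ValueError("$INCLUDE not followed: this example reads no files")
        if origin is None or (blank and last_owner is None):
            raise ValueError("record with no origin, or nothing to repeat the owner from")
        owner = last_owner if blank else qualify(toks.pop(0), origin)   # leading whitespace = same owner
        ttl, rclass = None, "IN"
        while toks and (is_ttl(toks[0]) or toks[0].upper() in _CLASSES):   # ttl/class, either order
            tok = toks.pop(0)
            if is_ttl(tok):
                ttl = parse_ttl(tok)
            else:
                rclass = tok.upper()
        rtype, rdata = toks[0].upper(), toks[1:]
        for i in _NAME_FIELDS.get(rtype, []):
            rdata[i] = qualify(rdata[i], origin)
        if ttl is None:
            if default_ttl is None:   # BIND 9 only warns and uses the SOA minimum; this example is strict
                raise ValueError(f"{owner} {rtype}: no ttl and no $TTL directive seen")
            ttl = default_ttl
        records.append(RR(owner, ttl, rclass, rtype, rdata))
        last_owner = owner
    return records


# Constructed sample zone exercising every feature above.
SAMPLE_ZONE = """\
$TTL 1h
$ORIGIN example.com.
@       IN  SOA   ns1 hostmaster ( 2024010101 3600 900   ; serial refresh retry
                  1209600 300 )                          ; expire minimum
        NS    ns1
        NS    ns2.example.net.
ns1     A     192.0.2.1
www 300 IN  CNAME @
mail    IN  MX    10 mail
mail    AAAA  2001:db8::25
@       TXT   "v=spf1 mx -all"   ; SPF is published in TXT, not its own type
*       A     192.0.2.99
$ORIGIN sub.example.com.
host    A     192.0.2.7
"""


def load_example():
    return parse_zone(SAMPLE_ZONE)
```

load_example() returns ten records; note how the two NS records inherit the apex owner, how the CNAME's @ and the MX's bare host are expanded with the origin, and how the second $ORIGIN changes what host expands to.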

SOA

NS records

CNAME

CAA

SPF

DKIM - powered by asymmetric cryptography

  1. The sender's Mail Transfer Agent (MTA) signs every outgoing message with a private key and adds the signature as a DKIM-Signature header, which also names the signing domain (d=) and a selector (s=).
  2. The recipient retrieves the public key from the sender's DNS (the TXT record at <selector>._domainkey.<domain>) and verifies that the message body and the signed header fields have not been altered since the message was signed.
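The verifier's side of those two steps, as an added example that is not part of these notes or of any MTA: it works out where the public key lives from the d= and s= tags, parses the published TXT record, and checks the bh= body hash with RFC 6376 "simple" and "relaxed" canonicalization. It stops short of verifying the b= signature itself, which needs an RSA implementation that the standard library does not have. The message body, the DKIM-Signature header (with a placeholder b= value) and the TXT record are constructed for the example.

```python
"""DKIM verifier-side steps that need no RSA: locate the key record and check the body hash.
Added example, not any MTA's code; the message, signature header and TXT record are constructed."""
import base64
import hashlib
import re


def parse_tags(text):
    """Parse a DKIM tag=value list; used for both the DKIM-Signature header and the TXT record."""
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)   # folding whitespace carries no meaning
    return tags


def dkim_key_name(sig_tags):
    """Where the verifier looks for the public key: <selector>._domainkey.<signing domain>, type TXT."""
    return f"{sig_tags['s']}._domainkey.{sig_tags['d']}"


def parse_dkim_txt(txt):
    """Parse the published key record; returns (key type, raw public key bytes from p=)."""
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":        # v= is optional, but if present it must be DKIM1
        raise ValueError("not a DKIM1 key record")
    if not tags.get("p"):                         # an empty p= means the key was revoked
        raise ValueError("revoked key")
    return tags.get("k", "rsa"), base64.b64decode(tags["p"])


def canon_body(body, mode):
    """RFC 6376 body canonicalization: 'simple' only trims trailing empty lines,
    'relaxed' also collapses runs of whitespace and strips trailing whitespace per line."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body, mode="simple", alg="rsa-sha256"):
    """The bh= value: base64 of the hash named in a= over the canonicalized body."""
    digest = hashlib.new(alg.split("-")[-1], canon_body(body, mode)).digest()
    return base64.b64encode(digest).decode()


def body_hash_matches(sig_header, body):
    """Step 2 above, minus the RSA part: has the body changed since signing?"""
    tags = parse_tags(sig_header)
    canon = tags.get("c", "simple")               # "header/body"; a lone value means body=simple
    body_mode = canon.split("/")[1] if "/" in canon else "simple"
    return body_hash(body, body_mode, tags.get("a", "rsa-sha256")) == tags["bh"]


# Constructed sample: a body, a DKIM-Signature header whose bh= is computed from that body
# (b= is a placeholder, not a real signature), and the TXT record a verifier would fetch.
SAMPLE_BODY = "Hello,\r\n\r\nPlease  review the   attached report.\r\n\r\n\r\n"
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024;\r\n"
              " h=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY, "relaxed") + ";\r\n"
              " b=placeholdersig")
SAMPLE_TXT = "v=DKIM1; k=rsa; p=" + base64.b64encode(b"not-a-real-public-key").decode()
```

Under relaxed canonicalization, adding trailing empty lines or changing the amount of whitespace inside a line still matches the signed body hash; changing a word does not. That is exactly the tolerance DKIM is designed to have for what mailing lists and MTAs do to messages in transit.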

DNS query process

Common return statuses

Name server taxonomy

authoritative - an official representative of a zone

non-authoritative - answers queries from its cache; it only knows the TTL, not whether the data has changed at the source since it was cached

recursive - queries on your behalf until it returns either an answer or an error

non-recursive - refers you to another server if it can’t answer a query

resolver (meaning 1) - client-side software (a library) that does the lookups

resolver (meaning 2) - the local nameserver (the one you put in /etc/resolv.conf) that does the lookups for you

Tips and tricks

host

host name|addr [server]

nslookup

(Cricket Liu doesn’t like it :-))

nslookup [name|addr] [server]

dig

dig [@server] [-x addr] [name] [type] [+trace] [+short]

The pseudo-type any is a bit sneaky: asked of a recursive resolver it does not return all data associated with a name, only whatever that resolver happens to have cached. To get everything, find the authoritative servers with dig domain NS and then ask one of them directly with dig @ns1.domain domain any (an authoritative server answers from its zone data, which is complete). Even then, many operators now deliberately answer any with a minimal response (RFC 8482), so don't rely on it for enumeration.

Find out the names of authoritative nameservers for a domain

dig ist.ac.at ns

Find out the primary (master) nameserver: it is the MNAME field, the first item in the SOA record data

dig ist.ac.at soa

Find out the version of a BIND nameserver (a TXT query in the CHAOS class; operators can hide it with version "none"; in the options block of named.conf or replace it with a decoy string, so treat the answer as a hint, not proof)

dig @ns1.ist.ac.at version.bind txt chaos

Open resolver

Checking for open resolvers: http://dns.measurement-factory.com/tools/ => open resolver test. The test itself is simple: from outside the server's own network, ask it for a name it is not authoritative for; if it comes back with an answer and the ra flag set rather than REFUSED, it recurses for strangers and can be abused for amplification attacks.
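The mechanics behind that test and the taxonomy above, as an added example that is not from these notes or from any resolver: build a DNS query on the wire, read the reply header, and classify the server from its flags (AA set = authoritative answer, RA set with an answer = it recursed for you, REFUSED = closed). Only probe() touches the network; the sample replies used to exercise the classifier are constructed with make_header(), and the flag values and function names are the example's own.

```python
"""Build a DNS query, read the reply header, and classify the server the way the
taxonomy above does (AA = authoritative, RA = recursion offered, REFUSED = closed).
Added example, not from these notes or any resolver; sample replies are constructed."""
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28, "ANY": 255}
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080   # header flag bits


def encode_name(name):
    """Wire format: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype="A", rd=True, txid=None):
    """One question, IN class; rd=True asks the server to recurse on our behalf."""
    txid = random.randrange(1 << 16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, RD if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def make_header(txid, flags, qd=1, an=0, ns=0, ar=0):
    """Just the 12-byte header, which is all the classifier needs; used to construct sample replies."""
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar)


def parse_header(data):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA), "tc": bool(flags & TC),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify(hdr):
    """Map the reply to the taxonomy: who answered, and did it recurse for us?"""
    if not hdr["qr"]:
        return "not a response"
    if hdr["rcode"] == "REFUSED":
        return "refused"                     # closed resolver, or you are not one of its clients
    if hdr["aa"]:
        return "authoritative"               # answering from its own zone data
    if hdr["rcode"] == "NOERROR" and hdr["ancount"] == 0 and hdr["nscount"] > 0:
        return "referral"                    # non-recursive server pointing you elsewhere
    if hdr["ra"]:
        return "open-recursive"              # it recursed (or served cache) for you: open if you're a stranger
    return hdr["rcode"].lower()


def probe(server, name="example.com", qtype="A", timeout=3.0):
    """Send the query over UDP/53 and classify the reply. The only function that touches the network."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch")
    return classify(hdr), hdr
```

probe("192.0.2.53") run from a network the server does not serve should come back "refused"; "open-recursive" for a name the server is not authoritative for is the open-resolver finding. The transaction-id check is the minimum a client must do, since any UDP packet with the right id would otherwise be accepted as the answer.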

Client side

Find DNS server used by your system:

# Ubuntu 16.04
nmcli device show | grep IP4.DNS

Sources and more