DNS

ALL DNS records: A, AAAA, CNAME, MX, TXT, SOA, PTR, DNSSEC

A domain name (the name of your website), purchased for a few dollars, is at bottom nothing more than a set of DNS records for that name in the central domain registry. This post explains most of the DNS record types and their use. In contrast to all the others, the PTR record is a reverse DNS record: it maps an IP address back to a domain name.

What is DNS (Domain Name System)?

DNS is an application-layer protocol that translates human-readable alphanumeric domain names into IP addresses and acts as the backbone of the domain name system. When a client (say, a web browser) tries to reach a domain (the name of a website), it first sends a query to a DNS server, obtains the IP address and then connects to that IP. An authoritative DNS server serves different DNS records for a domain name, namely ‘A’, ‘AAAA’, ‘MX’, ‘TXT’ and so on, to point the domain to its web server and mail server, and also for the security purposes explained below.

Different DNS Records:

  1. ‘A’ Record: An ‘A’ record points a domain to an IPv4 address (32 bits, usually written in dotted decimal, e.g. 8.8.8.8) and acts as the parent of some other records such as ‘MX’ or ‘CNAME’, which ultimately resolve to an IP through it. The main uses of an ‘A’ record are pointing a domain to its web server’s IPv4 address and pointing the target name of an ‘MX’ record to the corresponding mail server address. One must create an ‘A’ record for a newly registered domain pointing at its web hosting server.

  2. ‘AAAA’ Record: This points a domain to the IPv6 address of its IPv6-enabled server (128 bits, usually written in hexadecimal, e.g. 2001:4860:4860::8888). It serves the same function as an ‘A’ record when the server address is a 128-bit IPv6 address.

  3. ‘CNAME’ Record: A ‘CNAME’ points a domain to another domain name, which in turn is pointed to an IP address. This keeps the actual IP address out of the domain’s own DNS records, for flexibility. Say one wants to use GSuite with a custom email login URL (say email.serverlog.net). For this a ‘CNAME’ record for ‘email.serverlog.net’ is created with the value ‘ghs.googlehosted.com’ (fixed by GSuite). Now it is up to GSuite where that name points and when to change it. NOTE: a ‘CNAME’ works only in the absence of an ‘A’ or ‘AAAA’ record for that particular domain or sub-domain; if an ‘A’ or ‘AAAA’ record is present, the client prefers it over the ‘CNAME’.

  4. ‘MX’ Record: ‘MX’ records point a domain to its mail server. Here the record value is the domain name of the mail server rather than an IP address. That ‘MX’ target name is in turn pointed to the mail server’s IP address at the mail administrator’s end. This gives the flexibility of switching the mail server IP address without changing any DNS record of the domain concerned. It comes in handy when thousands of domains use one big mail server: changing its IP does not require a change in the DNS records of all thousand domains. Changing the ‘A’ or ‘AAAA’ record corresponding to the ‘MX’ record value is sufficient. Example: if anyone wants to use zoho.com (a free business email provider) as their email provider, s/he needs to set ‘MX’ records corresponding to Zoho’s mail servers, i.e. ‘mx.zoho.com’ and ‘mx2.zoho.com’. Now it is up to Zoho’s mail administration where those ‘MX’ targets point.

  5. ‘NS’ Record: ‘NS’ stands for ‘Name Server’, and this record contains the nameserver domain names for the domain concerned. These are decided by the DNS hosting provider, usually the domain registrar. The ‘NS’ names in turn point to the DNS servers’ IP addresses using ‘A’ or ‘AAAA’ records. The RFCs recommend a minimum of 3 NS records per domain, geographically well separated from each other. As DNS is the heart of the domain name system, this measure prevents a single point of failure from taking down name resolution.

  6. ‘SOA’ Record: SOA stands for ‘Start Of Authority’, and the record contains authority data for the domain. It holds one authoritative nameserver, the nameserver administrator’s email, the zone serial number, and the refresh, retry, expire and minimum TTL values. These play an important role in DNS caching, AXFR (zone transfer) and so on. [See here for an explanation of those terms]

  7. ‘TXT’ Record: A TXT record contains a free-form text value in the DNS zone of a domain and is usually used to verify domain ownership. Ideally only the domain owner has a hand in the DNS zone of that domain, so if one can add a given ‘TXT’ record to a domain’s DNS zone, ownership of the domain is verified. SSL certificate sellers often use this to verify domain ownership before issuing an SSL certificate.

  8. ‘SPF’ Record: ‘SPF’ is a ‘TXT’ record related to the mail sender’s identity and is useful in email spam detection. It has the following format.
    v=spf1 include:_spf.google.com +ip4:xx.xx.xx.xx +ip6:xxxx -all

    It lists the IP addresses of the mail servers permitted to send on behalf of the domain. v=spf1 indicates that the ‘SPF’ version is ‘1’. ‘include’ indicates that every ‘SPF’ record present in the domain ‘_spf.google.com’ is authorised to send email on behalf of the domain. +ip4 and +ip6 list the IPv4 and IPv6 addresses authorised to send email on behalf of the domain. ‘-all’ implies that any other IP is unauthorised to send email for this domain. ‘~all’ indicates soft-fail and ‘-all’ indicates hard-fail.

  9. ‘DKIM’ Record: This is another ‘TXT’ record used for email verification. ‘SPF’ verifies only the sending server of the email, not the email content, which may get altered on the way. The ‘DKIM’ record contains the public part of the cryptographic key used to sign the email digest.

  10. ‘DMARC’ Record: This is another ‘TXT’ record containing the domain owner’s instructions, in a specified format, telling the receiving email server what to do if ‘SPF’ and ‘DKIM’ verification fail for email sent on behalf of the domain. The ‘DMARC’ record is defined in RFC 7489 of March 18th, 2015 (see the official site dmarc.org). Together with ‘SPF’ and ‘DKIM’, ‘DMARC’ is enough to protect a domain from outgoing spoofed email. [Read here for more about ‘SPF’, ‘DKIM’ and ‘DMARC’]

  11. ‘SRV’ Record: An SRV record specifies which server is responsible for which service on behalf of a particular domain, and to what extent (its priority and weight). Nowadays using ‘SRV’ for DNS-based load balancing is a common practice for high-volume clusters. SRV has the following format [1]:
    _service._proto.name. TTL class SRV priority weight port target.

    For more regarding SRV, see [1].

  12. ‘DNSSEC’ [2]: ‘DNSSEC’ is a relatively complex protocol, defined in RFC 2535, 4033-4035 and 5920, for signing DNS zone data. This record contains the public part of the cryptographic key used for DNS zone signing.

  13. ‘RRSIG’ Record: This contains the signature over the zone data. Some authoritative DNS software, such as PowerDNS, supports on-the-fly zone signing and does not store any ‘RRSIG’ record; instead it signs the zone data when queried, creates the ‘RRSIG’ and sends it along with the zone value.

  14. ‘DS’ Record: DS stands for ‘Delegation Signer’. This is a digest of the ‘DNSSEC’ key record (which itself lives at the authoritative nameserver), published at the parent DNS server. The presence of a DS record at the parent DNS server indicates that the zone is signed.

    NOTE: Read here for more about DNSSEC [Link coming soon]

  15. ‘PTR’ Record: In contrast to all other DNS records, PTR is a reverse DNS record: it points an IP address to a domain name. A PTR record verifies the authenticity of an IP address as an email sending server. Usually only reputed IP address blocks belonging to web hosting companies are allowed to have their PTR records altered. Microsoft publishes a guide on how to write PTR records; Google’s guideline regarding PTR and its IPv6 mail sending policy is also worth reading.
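To show how a receiving mail server actually uses the ‘SPF’ record from item 8, here is a small SPF evaluator added as an example (it is not code from the original post). It resolves TXT records from a constructed in-memory table instead of live DNS, uses documentation address ranges in place of the xx placeholders, and implements only the mechanisms the post’s format line uses (include, ip4, ip6, all).

```python
import ipaddress

# Constructed stand-in for live DNS TXT lookups so the example runs offline.
# The serverlog.net record mirrors the format shown in the post, with
# documentation ranges (RFC 5737 / RFC 3849) in place of the xx placeholders.
ZONE_TXT = {
    "serverlog.net": "v=spf1 include:_spf.google.com +ip4:203.0.113.0/24 +ip6:2001:db8::/32 -all",
    "_spf.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip, txt_lookup=ZONE_TXT, depth=0):
    """Evaluate the SPF record of `domain` for the connecting mail server IP.

    Returns pass, fail, softfail, neutral, none or permerror. Only include,
    ip4, ip6 and all are implemented; a, mx, exists and ptr are not.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms; also stops include loops
        return "permerror"
    record = txt_lookup.get(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"  # no SPF record published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a bare mechanism means "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # an IPv6 sender never matches an ip4 network (and vice versa)
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix length
        elif mech == "include":
            inner = spf_check(arg, sender_ip, txt_lookup, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"  # included domain has no usable record
            matched = inner == "pass"
        else:
            return "permerror"  # unknown or unimplemented mechanism
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and no "all" term was present
```

A sender inside the included domain’s range passes through the include, an address outside every listed range hits ‘-all’ and fails, and the same address checked against the ‘~all’ record soft-fails instead.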
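The SRV format in item 11 is easier to grasp when one sees how a client consumes it. This added example (not from the original post) parses zone lines in that exact layout and picks a target the way RFC 2782 prescribes for load balancing: lowest priority first, then a weighted random choice within that priority. The zone lines and host names are constructed.

```python
import random
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "name ttl priority weight port target")

# Constructed zone lines in the layout the post gives:
# _service._proto.name. TTL class SRV priority weight port target.
SAMPLE_ZONE = """
_sip._tcp.example.com. 86400 IN SRV 10 60 5060 bigbox.example.com.
_sip._tcp.example.com. 86400 IN SRV 10 20 5060 smallbox1.example.com.
_sip._tcp.example.com. 86400 IN SRV 10 20 5060 smallbox2.example.com.
_sip._tcp.example.com. 86400 IN SRV 20 0 5060 backupbox.example.com.
"""


def parse_srv(zone_text):
    """Parse zone-file SRV lines into SrvRecord tuples, rejecting malformed ones."""
    records = []
    for line in zone_text.strip().splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[2].upper() != "IN" or fields[3].upper() != "SRV":
            raise ValueError("not an SRV line: " + line)
        name, ttl, _cls, _type, prio, weight, port, target = fields
        records.append(SrvRecord(name, int(ttl), int(prio), int(weight), int(port), target))
    return records


def choose_target(records, rng=random):
    """Pick one record as RFC 2782 tells clients to: the lowest priority wins,
    and within that priority each weight sets the share of traffic it gets."""
    if not records:
        return None
    lowest = min(r.priority for r in records)
    group = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in group)
    if total == 0:
        return rng.choice(group)  # all weights zero: any order is fine
    # zero-weight entries go first so they are selected only when pick == 0
    ordered = sorted(group, key=lambda r: r.weight != 0)
    pick = rng.randint(0, total)
    running = 0
    for r in ordered:
        running += r.weight
        if running >= pick:
            return r
    return ordered[-1]
```

With the sample zone the priority-20 backup host is never chosen while a priority-10 host is available, and bigbox receives about three times the traffic of each smallbox.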

For any further query, don’t forget to leave a comment.

References:

  1. https://en.wikipedia.org/wiki/SRV_record (accessed 29 Dec 2016, 12:45 am IST)
  2. https://technet.microsoft.com/en-us/library/jj200221(v=ws.11).aspx (accessed 29 Dec 2016, 12:45 am IST)
