Dns
Chapter 10: DNS - Domain Name System - Complete Deep Dive
Section titled “Chapter 10: DNS - Domain Name System - Complete Deep Dive”DNS is one of the most critical infrastructure services on the internet. This comprehensive chapter covers everything about DNS.
10.1 Introduction to DNS
Section titled “10.1 Introduction to DNS”DNS translates human-readable domain names into IP addresses.
+------------------------------------------------------------------+| DNS Overview |+------------------------------------------------------------------+
Why DNS Exists:+------------------------------------------------------------------+
Without DNS:+------------------------------------------------------------------+
User would need to remember: http://142.250.190.46 instead of google.com
Problems with IP addresses:- Hard to remember- Can change (CDN, load balancing)- Not descriptive
With DNS:+------------------------------------------------------------------+
- Human-readable names- Flexible - can change underlying IP- Distributed - no single point of failure- Caching - fast lookups
How DNS Works (High-Level):+------------------------------------------------------------------+
User types: google.com | vBrowser checks local cache | v (if not cached)DNS Resolver (ISP or local) | vRoot DNS server (.) | vTLD server (.com) | vAuthoritative DNS server for google.com | vReturns IP address: 142.250.190.46 | vBrowser connects to IP
DNS Hierarchy:+------------------------------------------------------------------+
. / | \ .com .org .net | | | google.com wikipedia.org github.com | mail.google.com | www.google.com
Root Zone:+------------------------------------------------------------------+
13 root server instances (A-M)+------------------------------------------------------------------+
| Server | Operator | Location ||--------|-----------------------------|----------------------|| A | Verisign | Dulles, VA || B | USC-ISI | Marina del Rey, CA || C | Cogent Communications | New York, NY || D | University of Maryland | College Park, MD || E | NASA (Ames) | Mountain View, CA || F | Internet Systems Consortium | Palo Alto, CA || G | US Department of Defense | Columbus, OH || H | Army (Redstone) | Huntsville, AL || I | Netnod | Stockholm || J | Verisign | Multiple locations || K | RIPE NCC | Multiple locations || L | ICANN | Los Angeles, CA || M | WIDE Project | Tokyo |
Note: Each root server instance uses Anycast for multiple locations.
+------------------------------------------------------------------+10.2 DNS Record Types
Section titled “10.2 DNS Record Types”DNS uses various record types for different purposes.
+------------------------------------------------------------------+| DNS Record Types Deep Dive |+------------------------------------------------------------------+
A Record (Address Record):+------------------------------------------------------------------+
Purpose: Maps domain name to IPv4 address
Example:+------------------------------------------------------------------+
example.com. 3600 IN A 93.184.216.34
Fields:- Name: example.com.- TTL: 3600 (1 hour)- Class: IN (Internet)- Type: A- Value: IPv4 address
AAAA Record (IPv6 Address):+------------------------------------------------------------------+
Purpose: Maps domain name to IPv6 address
Example:+------------------------------------------------------------------+
example.com. 3600 IN AAAA 2606:2800:220:1d8:3b2:2862:2c20
CNAME Record (Canonical Name):+------------------------------------------------------------------+
Purpose: Creates alias from one name to another
Example:+------------------------------------------------------------------+
www.example.com. 3600 IN CNAME example.com.
Rules:- Cannot point to IP directly- Cannot create CNAME chain (point to another CNAME)- Cannot coexist with other records (except DNSSEC)
MX Record (Mail Exchange):+------------------------------------------------------------------+
Purpose: Specifies mail servers for domain
Example:+------------------------------------------------------------------+
example.com. 3600 IN MX 10 mail1.example.com.example.com. 3600 IN MX 20 mail2.example.com.
Priority:- Lower number = higher priority- Mail server tried first has priority 10- Backup has priority 20
NS Record (Name Server):+------------------------------------------------------------------+
Purpose: Delegates DNS zone to authoritative nameservers
Example:+------------------------------------------------------------------+
example.com. 3600 IN NS ns1.example.com.example.com. 3600 IN NS ns2.example.com.
TXT Record:+------------------------------------------------------------------+
Purpose: Text records for various purposes
Examples:+------------------------------------------------------------------+
1. SPF (Sender Policy Framework):+------------------------------------------------------------------+
example.com. 3600 IN TXT "v=spf1 mx -all"
v=spf1: SPF version 1mx: Allow mail servers listed in MX records-all: Deny all other servers
2. DKIM (DomainKeys Identified Mail):+------------------------------------------------------------------+
selector._domainkey.example.com. 3600 IN TXT "v=DKIM1; k=rsa; p=publickey..."
3. DMARC:+------------------------------------------------------------------+
_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
p: Policy (none, quarantine, reject)rua: Aggregate reports
SOA Record (Start of Authority):+------------------------------------------------------------------+
Purpose: Contains administrative information about zone
Example:+------------------------------------------------------------------+
example.com. 3600 IN SOA ns1.example.com. admin.example.com. ( 2024021501 ; Serial 3600 ; Refresh (1 hour) 1800 ; Retry (30 minutes) 604800 ; Expire (1 week) 86400 ) ; Minimum TTL (1 day)
Fields:+------------------------------------------------------------------+
- Serial: Version number (YYYYMMDDNN format)- Refresh: How often secondary checks for updates- Retry: How often secondary retries after failed transfer- Expire: How long secondary serves zone if primary unreachable- Minimum: Default TTL for records
PTR Record (Pointer):+------------------------------------------------------------------+
Purpose: Reverse DNS lookup (IP to name)
Example:+------------------------------------------------------------------+
34.216.184.93.in-addr.arpa. 3600 IN PTR example.com.
For IPv6:+------------------------------------------------------------------+
4.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.6.0.8.2 IP6.ARPA. 3600 IN PTR example.com.
SRV Record (Service):+------------------------------------------------------------------+
Purpose: Specifies location of services
Example:+------------------------------------------------------------------+
_http._tcp.example.com. 3600 IN SRV 10 5 80 www.example.com.
Format: Priority Weight Port Target- Priority: Like MX (lower = preferred)- Weight: Relative weight for load balancing- Port: Service port- Target: FQDN of service server
Common SRV uses:- _sip._tcp for SIP- _ldap._tcp for LDAP- _kerberos._udp for Kerberos
CAA Record (Certification Authority Authorization):+------------------------------------------------------------------+
Purpose: Specifies which CAs can issue certificates
Example:+------------------------------------------------------------------+
example.com. 3600 IN CAA 0 issue "letsencrypt.org"
Flags: 0 (critical)Tag: issue/issuewild/iodefValue: CA identifier
+------------------------------------------------------------------+10.3 DNS Query Types
Section titled “10.3 DNS Query Types”DNS queries can be recursive or iterative.
+------------------------------------------------------------------+| DNS Query Types Deep Dive |+------------------------------------------------------------------+
Recursive Query:+------------------------------------------------------------------+
Client expects complete answer
Process:+------------------------------------------------------------------+
Client -> DNS Resolver -> Root -> TLD -> Authoritative -> Resolver -> Client
1. Client asks resolver for google.com2. Resolver queries root (.)3. Root says "Ask .com servers"4. Resolver queries .com TLD5. TLD says "Ask google's DNS"6. Resolver queries google DNS7. Google DNS returns IP8. Resolver returns IP to client
Iterative Query:+------------------------------------------------------------------+
Client makes multiple queries
Process:+------------------------------------------------------------------+
Client -> Root: "What's google.com?"Root: "I don't know, ask .com servers"Client -> .com: "What's google.com?".com: "I don't know, ask google's DNS"Client -> google DNS: "What's google.com?"google DNS: "IP is 142.250.190.46"
Most resolvers use iterative queries but return recursive results to clients.
Query Response Types:+------------------------------------------------------------------+
1. Authoritative Answer:+------------------------------------------------------------------+
DNS server has the zone file and is authoritative for the domain
2. Non-Authoritative Answer:+------------------------------------------------------------------+
DNS server got answer from cache (not from authoritative server)
3. Referral:+------------------------------------------------------------------+
Server returns information about other servers to ask
4. NXDOMAIN:+------------------------------------------------------------------+
Domain does not exist
DNS UDP vs TCP:+------------------------------------------------------------------+
UDP (Port 53):+------------------------------------------------------------------+
- Default for queries < 512 bytes- Faster (no handshake)- Can be lost (requires retry)
TCP (Port 53):+------------------------------------------------------------------+
- Zone transfers (AXFR)- Large responses (> 512 bytes)- Reliable delivery- DNSSEC responses
+------------------------------------------------------------------+10.4 DNS Tools
Section titled “10.4 DNS Tools”Linux provides several tools for DNS queries.
+------------------------------------------------------------------+| DNS Tools Complete Guide |+------------------------------------------------------------------+
dig (Domain Information Groper):+------------------------------------------------------------------+
Basic query:+------------------------------------------------------------------+
$ dig example.com
; <<>> DiG 9.18.1 <<>> example.com;; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:;; EDNS: version: 0, flags:; udp: 4096;; QUESTION SECTION:;example.com. IN A
;; ANSWER SECTION:example.com. 86400 IN A 93.184.216.34
;; Query time: 2 msec;; SERVER: 8.8.8.8#53(8.8.8.8);; WHEN: Mon Feb 22 10:00:00 UTC 2026;; MSG SIZE rcvd: 56
Query specific record:+------------------------------------------------------------------+
$ dig example.com AAAA$ dig example.com MX$ dig example.com NS$ dig example.com TXT$ dig example.com SOA
Reverse DNS lookup:+------------------------------------------------------------------+
$ dig -x 8.8.8.8
; <<>> DiG 9.18.1 <<>> -x 8.8.8.8;; QUESTION SECTION:;8.8.8.8.in-addr.arpa. IN PTR
;; ANSWER SECTION:8.8.8.8.in-addr.arpa. 86400 IN PTR dns.google.
Query specific server:+------------------------------------------------------------------+
$ dig @8.8.8.8 example.com
Trace resolution path:+------------------------------------------------------------------+
$ dig example.com +trace
Short output:+------------------------------------------------------------------+
$ dig example.com +short93.184.216.34
DNSKEY query (DNSSEC):+------------------------------------------------------------------+
$ dig example.com DNSKEY
+nslookup:+------------------------------------------------------------------+
Basic lookup:+------------------------------------------------------------------+
$ nslookup example.comServer: 8.8.8.8Address: 8.8.8.8#53
Non-authoritative answer:Name: example.comAddress: 93.184.216.34
Specific record:+------------------------------------------------------------------+
$ nslookup -type=MX example.com$ nslookup -type=TXT example.com
Reverse lookup:+------------------------------------------------------------------+
$ nslookup 8.8.8.8Server: 8.8.8.8Address: 8.8.8.8#53
8.8.8.8.in-addr.arpa name = dns.google.
host command:+------------------------------------------------------------------+
$ host example.comexample.com has address 93.184.216.34example.com has IPv6 address 2606:2800:220:1d8:3b2:2862:2c20
$ host -t MX example.comexample.com mail is handled by 10 mail1.example.com.
$ host -t TXT example.comexample.com descriptive text "v=spf1 -all"
+------------------------------------------------------------------+10.5 DNS Cache and TTL
Section titled “10.5 DNS Cache and TTL”DNS caching improves performance but requires understanding TTL.
+------------------------------------------------------------------+| DNS Cache Deep Dive |+------------------------------------------------------------------+
Caching Levels:+------------------------------------------------------------------+
1. Browser Cache:+------------------------------------------------------------------+
- TTL controlled by TTL from DNS- Chrome: 1 minute minimum- Firefox: 1 minute minimum
2. OS Cache (Stub Resolver):+------------------------------------------------------------------+
- Linux: /etc/nsswitch.conf -> hosts: files dns- Cache duration varies
3. Recursive Resolver Cache:+------------------------------------------------------------------+
- ISP DNS servers- Local DNS servers (dnsmasq, systemd-resolved)- Caches based on TTL
TTL Values:+------------------------------------------------------------------+
| TTL | Use Case ||--------|---------------------------------------------------|| 300 | 5 minutes - frequently changing records || 3600 | 1 hour - normal records || 86400 | 24 hours - stable records || 604800 | 1 week - very stable records |
Low TTL considerations:+------------------------------------------------------------------+
- Faster DNS changes propagation- More queries to authoritative servers- More load on DNS infrastructure
High TTL considerations:+------------------------------------------------------------------+
- Slower changes propagation- Less load on DNS servers- Longer outage if DNS changes
Best Practices:+------------------------------------------------------------------+
1. Before planned change: Lower TTL 24 hours before2. For new records: Use higher TTL initially3. For critical services: Use multiple TTL levels4. Monitor: Check cache behavior
Clear DNS Cache:+------------------------------------------------------------------+
# systemd-resolvedsudo resolvectl flush-caches# orsudo systemd-resolve --flush-caches
# nscd (Name Service Cache Daemon)sudo nscd -i hosts
# BIND/namedsudo rndc flush
View Cache:+------------------------------------------------------------------+
# systemd-resolvedresolvectl statistics
+------------------------------------------------------------------+10.6 DNS Security
Section titled “10.6 DNS Security”DNS is vulnerable to various attacks.
+------------------------------------------------------------------+| DNS Security Deep Dive |+------------------------------------------------------------------+
Common DNS Attacks:+------------------------------------------------------------------+
1. DNS Spoofing/Cache Poisoning:+------------------------------------------------------------------+
Attack: Attacker injects false DNS records into cacheResult: Users redirected to malicious sites
Defense: DNSSEC
2. DNS Tunneling:+------------------------------------------------------------------+
Attack: Encode data in DNS queries/responsesUse: Data exfiltration, C2 communicationPorts: 53 (must be allowed)
Detection: Monitor for high DNS volume, unusual queries
3. DNS Flood/DDoS:+------------------------------------------------------------------+
Attack: Overwhelm DNS servers with requestsResult: DNS service unavailable
Defense: DDoS protection, rate limiting
4. Domain Hijacking:+------------------------------------------------------------------+
Attack: Transfer domain to attacker via social engineeringDefense: Registrar lock, 2FA
5. NXDOMAIN Attacks:+------------------------------------------------------------------+
Attack: Flood with nonexistent domainsResult: Fill up resolver cache, cause denial of service
Defense: Response Rate Limiting (RRL)
DNSSEC:+------------------------------------------------------------------+
What is DNSSEC?+------------------------------------------------------------------+
Adds digital signatures to DNS records to verify authenticity
How DNSSEC Works:+------------------------------------------------------------------+
1. Zone signs records with private key2. Resolver gets records + signature3. Resolver verifies with public key4. If valid, answer is authentic
DNSSEC Chain of Trust:+------------------------------------------------------------------+
Root -> TLD -> Domain -> Records
DNSKEY Record:+------------------------------------------------------------------+
Contains public signing keys
$ dig dnskey example.com
DS Record:+------------------------------------------------------------------+
Delegation Signer - provides hash of DNSKEY
$ dig ds example.com
Enable DNSSEC on Linux:+------------------------------------------------------------------+
# /etc/systemd/resolved.conf[Resolve]DNSSEC=yes
# Restartsudo systemctl restart systemd-resolved
# Verifyresolvectl status
DNS Filtering:+------------------------------------------------------------------+
Using Pi-hole:+------------------------------------------------------------------+
# Installsudo pacman -S pi-hole
# Web interfacehttp://pi.hole/admin
# Add blocklistpihole -b ads.example.com true
+------------------------------------------------------------------+10.7 DNS Configuration Files
Section titled “10.7 DNS Configuration Files”DNS server configuration involves zone files.
+------------------------------------------------------------------+| DNS Zone Files Deep Dive |+------------------------------------------------------------------+
Example Zone File:+------------------------------------------------------------------+
$TTL 86400@ IN SOA ns1.example.com. admin.example.com. ( 2024021501 ; Serial 3600 ; Refresh 1800 ; Retry 604800 ; Expire 86400 ) ; Minimum TTL
; Name servers@ IN NS ns1.example.com.@ IN NS ns2.example.com.
; A records@ IN A 192.168.1.10www IN A 192.168.1.10mail IN A 192.168.1.20
; CNAME recordsblog IN CNAME www
; MX records@ IN MX 10 mail1.example.com.@ IN MX 20 mail2.example.com.
; TXT records@ IN TXT "v=spf1 mx -all"
; AAAA records@ IN AAAA 2001:db8::1
Reverse Zone File:+------------------------------------------------------------------+
$TTL 86400@ IN SOA ns1.example.com. admin.example.com. ( 2024021501 ; Serial 3600 1800 604800 86400 )
@ IN NS ns1.example.com.10 IN PTR ns1.example.com.10 IN PTR mail.example.com.20 IN PTR www.example.com.
+------------------------------------------------------------------+Summary
Section titled “Summary”In this chapter, you learned:
- DNS fundamentals and hierarchy
- All DNS record types in detail
- Query types (recursive vs iterative)
- DNS tools (dig, nslookup, host)
- DNS caching and TTL
- DNS security (DNSSEC, attacks)
Next Chapter
Section titled “Next Chapter”Chapter 11: DHCP - Dynamic Host Configuration Protocol
Last Updated: February 2026