DNS Zones explained
The Domain Name System (DNS) is a central part of the Internet, providing a way to match names (a website you’re seeking) to numbers (the address for the website).
The DNS records are defined per zone. A zone file is a collection of resource records with each record entry described in a certain sequence.
|FORMAT:||host label||ttl||record class||record type||record data|
- Host Label – A host label helps to define the hostname of a record and whether the $ORIGIN hostname will be appended to the label. Fully qualified hostnames terminated by a period will not append the origin.
- TTL – TTL is the amount of time in seconds that a DNS record will be cached by an outside DNS server or resolver.
- Record Class – There are three classes of DNS records: IN (Internet), CH (Chaosnet), and HS (Hesiod). The IN class will be used for the Managed DNS service.
- Record Type – Where the format of a record is defined.
- Record Data – The data within a DNS answer, such as an IP address, hostname, or other information. Different record types will contain different types of record data.
Here is a layout of the zone and resource record (RR) definitions.
Most zones start with “$ORIGIN domain.com.” (note the full stop after the domain name.)
The $ORIGIN is a special class which can be called by the @ sign. Any record not ending with a full stop (excluding IP addresses) will get the $ORIGIN domain appended to it. Thus if you add a “www” record, the full record will be “www.domain.com”. If you accidentally add “www.domain.com” (no full stop), the record will end up as “www.domain.com.domain.com.”. Similarly, you can define a record for the root domain (domain.com) as either a blank or an @ sign.
TTL (Time To Live)
This indicates how long the zone record may be kept cached before remote DNS server must regard the record as stale and request a new copy. Setting this too low causes too many lookups on a DNS server and setting it too high can cause records that have changed to remain wrong and serve incorrect information. A typical TTL time is 86400 or 24H. TTL is set in seconds unless a unit is added. Sub-domain records typically have a TTL of 14400. If you define the TTL as $TTL as the first entry in the zone, all records with no TTL will use this value. Below is a table of standard time values.
|Seconds||Other Time Units|
SOA (Start of Authority)
The SOA is a special record found at the start of each zone. It has a specific structure which is shown in the following example:
@ IN SOA ns1.mynameserver.net. zone-admin.mydomain.com. ( 2017122301 ; serial number 3600 ; refresh period 600 ; retry period 604800 ; expire time 1800 ) ; minimum ttl
- @ – this sign references the domain that the SOA is valid for. This will be the domain defined with the $ORIGIN variable.
- IN SOA – marks this as the SOA.
- ns1.mynameserver.net. – this is the nameserver that is keeping the SOA record
- zone–admin.mydomain.com. – even though it does not look like it, this is the email address of the person responsible for this domain. The first full-stop is converted to an @ sign, thus this is actually “zone–firstname.lastname@example.org“.
- ; serial number – this is a comment
- 2017122301 – the serial number for this zone.Each time this is incremented. it sends a signal to the other DNS servers to update their records for this zone.
- 3600 – refresh TTL (1H) – how often to check for a new serial
- 600 – retry period TTL (10 min) – how often to check if the primary DNS is offline
- 604800 – expire TTL (7 days) – how long this record may remain valid in a cache
- 1800 – minimum TTL (30 min) – the shortest period a record may live
NS (Name server)
An NS record defines the Name Servers that hold the DNS records for this domain. Multiple entries may exist in the zone. An NS record may not point to an IP address. They are entered as follows:
IN NS ns1.mynameserver.net. IN NS ns2.mynameserver.net.
Note the empty space at the start of each row. This represents the domain root. The records could have been written in the following two ways as well:
@ IN NS ns1.mynameserver.net. @ IN NS ns2.mynameserver.net.
mydomain.com. IN NS ns1.mynameserver.net. mydomain.com. IN NS ns2.mynameserver.net.
A (IPv4 Address Record)
The A record maps a name (or ‘label’) to an IP address and is shown below:
IN A 10.0.1.5 www. IN A 10.0.1.5
The same rules apply to these records namely, a blank is replaced by the last valid domain entry and an @ sign always represents the root domain. Labels must always end with a full stop or else they will be prepended to the NEXT label.
MX (Mail exchange RECORD)
The MX Resource Record Specifies the name and relative preference of mail servers (mail exchangers in the DNS jargon) for the zone. The MX RR is used by external SMTP (Mail) Agents to route incoming mail for the domain. An MX Record, like an NS record, may not point to an IP address. One caveat – if no MX is present, most SMTP servers will default to using the primary A record as the MX.
The numbers after the MX Resource designator indicate the PRIORITY. An example of an MX:
IN MX 10 mail.domain.com. IN MX 20 mail2.domain.com.
You may use a TXT record to store any text-based information that can be grabbed when necessary. We most commonly see TXT records used to hold SPF data and verify domain ownership. See the example below:
IN TXT 'v=spf1 mx include:_spf.google.com -all' IN TXT 'This domain is used as an example and owned by no one."
SRV (SERVICE RECORD)
This is a specification of data in the Domain Name System defining the location, i.e. the hostname and port number, of servers for specified services. We use SRV for newer protocols instead of creating protocol-specific records such as MX. Some Internet protocols such as the Session Initiation Protocol (SIP) and the Extensible Messaging and Presence Protocol (XMPP) often require SRV support by network elements. An example follows:
# _service._proto.name. TTL class SRV priority weight port target. _sip._tcp.domain.com. 86400 IN SRV 10 60 5060 pbx1.domain.com.
CNAME (Canonical name record)
We use the Canonical Name record (CNAME) to specify that a domain name is an alias for another domain (the ‘canonical’ domain). A valid A Record MUST exist for the alias. Although very popular in early DNS days and still widely used, it is advised to rather use A records instead unless there is a special case to be made for a CNAME. The CNAME RR looks as follows:
NAME TYPE VALUE -------------------------------------------------- bar.domain.com. CNAME foo.domain.com. foo.domain.com. A 192.0.2.23
AAAA (IPv6 Address Record)
We also know this as the QUAD-A Record. It is the A Record for IPV6. We can use it in the same way as the IPV4 A Record. See the example below:
ipvsix.domain.com. IN AAAA fdda:5cc1:23:4::1f