Domain name server: fundamentals

DNS (Domain Name System) is the road signs of the Internet. It is how a human can refer to a server by name rather than by address: a big directory, but for the Internet.

It is also used to know where mail should be delivered, and for many other things hidden from normal human beings but crucial to a reliable network.

DNS is based on the idea of a "zone". You start at the root, represented by a dot ".". The root lists the addresses of the authoritative name servers of every TLD (fr, de, com, net, org...). Each TLD zone in turn lists the servers for the next level.

This is what it looks like:

                     .
                     |
                     |
 +-------+-------+---+--+-------+-------+
 |       |       |      |       |       |
 v       v       v      v       v       v
.fr    .com    .tld   .xyz    .org    .net
                 |
   +-------------+--------------+
   |             |              |
   v             v              v
site.tld     athome.tld     other.tld
                 |
                 +------------------+
                 |                  |
                 v                  v
         webmail.athome.tld   wiki.athome.tld

If you start at the root, you can find the IP of any domain name. Walking down the zones this way is called "resolving". A server hosting the data of a zone is "authoritative" for it.

When a resolver has retrieved the IP of a device, for a website or any other purpose, it keeps it in cache, in memory, for as long as the Time To Live (TTL) of the zone allows, so the authoritative server is not queried too often.

This expiration time means there will be a delay before every resolver picks up a fresh copy of the zone. On the other hand, a bigger TTL means less network load. It's a matter of balance.
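As an added illustration (not part of the original article), here is a toy iterative resolver in Python that walks the delegation tree the way the diagram above shows, starting at the root, and keeps answers in a cache that honours the TTL. The zone data is constructed for the example (names under the reserved "tld" and addresses from the documentation ranges), and the resolver talks to zones by name instead of sending real packets.

```python
"""Toy iterative resolver with a TTL-bounded cache (added example, not the
article's own code). Authoritative data is constructed inline."""
import time

# Constructed authoritative data: zone -> owner name -> [(type, ttl, rdata)].
# An NS record at a name below the zone apex is a delegation to a child zone.
ZONES = {
    ".": {
        "tld.": [("NS", 172800, "a.nic.tld.")],
        "a.nic.tld.": [("A", 172800, "192.0.2.1")],
    },
    "tld.": {
        "athome.tld.": [("NS", 86400, "master.athome.tld.")],
        "master.athome.tld.": [("A", 86400, "192.0.2.2")],   # glue record
    },
    "athome.tld.": {
        "athome.tld.": [("NS", 86400, "master.athome.tld.")],
        "master.athome.tld.": [("A", 86400, "192.0.2.2")],
        "webmail.athome.tld.": [("A", 3600, "192.0.2.200")],
    },
}


class Resolver:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.cache = {}      # (name, type) -> (expires_at, [rdata])
        self.queries = []    # zones consulted, kept only to show the walk

    def _ask(self, zone, name, rtype):
        """Simulate one query to the authoritative server of `zone`.
        Returns ("referral", child_zone), ("answer", records) or ("nxdomain", None)."""
        self.queries.append(zone)
        data = ZONES[zone]
        # A delegation below this zone that covers the name wins: we are sent
        # one level down, exactly like a referral from the root or a TLD.
        for owner, recs in data.items():
            if owner == zone:
                continue
            if any(r[0] == "NS" for r in recs) and (name == owner or name.endswith("." + owner)):
                return "referral", owner
        recs = [r for r in data.get(name, []) if r[0] == rtype]
        if recs:
            return "answer", recs
        return "nxdomain", None

    def resolve(self, name, rtype="A"):
        """Return ([rdata], remaining_ttl); (None, 0) if the name does not exist."""
        now = self.clock()
        key = (name, rtype)
        if key in self.cache:
            expires, rdata = self.cache[key]
            if now < expires:
                # The TTL handed out shrinks as the cached entry ages.
                return rdata, int(expires - now)
            del self.cache[key]
        zone = "."
        while True:
            kind, payload = self._ask(zone, name, rtype)
            if kind == "referral":
                zone = payload
                continue
            if kind == "answer":
                ttl = min(r[1] for r in payload)
                rdata = [r[2] for r in payload]
                self.cache[key] = (now + ttl, rdata)
                return rdata, ttl
            return None, 0


if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("webmail.athome.tld."), r.queries)
```

On the first lookup `queries` shows the walk "." then "tld." then "athome.tld."; a second lookup within the TTL touches no zone and returns a smaller remaining TTL; once the entry has expired the walk starts again. A real resolver also caches the NS referrals it receives, so later lookups in the same zone skip the root and TLD servers.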

DNSSEC

A few years ago, clever people started worrying, since DNS is critical. It had to be secured.

It is actually quite easy to be redirected to fake addresses. A way to verify the authenticity of DNS answers was needed.

To do so, the domain name owner writes a zone and signs it. Resolvers check whether the signature is valid.

Thus, you are certain to have reached the correct IP behind a domain name, and not been hijacked onto a fake website.

One can then publish trustworthy data through DNS. That's the idea of DANE/TLSA: publishing the fingerprints of TLS certificates.

Zone example

Zone files use a standard format understood by every domain name server.

Below is an example of "/var/nsd/zones/athome.tld":

$TTL 1D
@           IN SOA    master.athome.tld. hostmaster.athome.tld. (
          ; name of the primary DNS server,
          ; followed by the admin email address,
          ; here hostmaster@athome.tld
          ; with the "@" replaced by a "."
                    2014110502      ; serial number, to increment
                                    ; after each change
                    86400           ; Refresh
                    7200            ; Retry
                    3600000         ; Expire
                    172800 )        ; Negative Cache TTL
$ORIGIN athome.tld.
@           IN NS       master
@           IN NS       secondary
@           IN MX       10 mail1
@           IN MX       20 mail2
master      IN A        192.0.2.2
master      IN AAAA     2001:db8:1:1::2
mail1       IN A        192.0.2.10
mail2       IN A        192.0.2.11
ipv4only    IN A        192.0.2.15
ipv6only    IN AAAA     2001:db8:1:1::400
dualstack   IN A        192.0.2.200
dualstack   IN AAAA     2001:db8:1:1::200
gate        IN AAAA    %%ipv6_gate
master      IN A       %%ip_pub_master
master      IN AAAA    %%ipv6_master
secondary  IN  A       %%ip_pub_second
secondary  IN  AAAA    %%ipv6_second
...

DNS records and how to use them

DNS records are usually written like this:

NAME    CLASS    TYPE    TTL    DATA(RDATA)

NAME is what you're looking for when you ask a resolver.

Class means Internet (IN). In the early days other classes were used, but not anymore.

Type is the kind of data held in the record.

TTL is the Time To Live, how long the data is considered valid.

Finally, RDATA is the data associated with the name.

Types: @, $ORIGIN, $TTL

"$ORIGIN" is the complete zone name. For example, "athome.tld".

When a zone file doesn't have a "$ORIGIN" directive, the domain name server creates one from the zone name.

"@" is replaced by "$ORIGIN".

Read this page if you want to learn more about this instruction.

"$TTL" is the validity duration of the data. It is recommended to set it to 1 day (1D).

Each DNS record can have its own TTL, for instance a longer one to reduce network load for very stable records such as MX and NS.

"$ORIGIN" and "$TTL" must be written at the beginning of the zone file.

SOA

The first record after "$ORIGIN" and "$TTL" is called the SOA, as in Source Of Authority. It is crucial. The first field after SOA indicates the origin name server, in the example master.athome.tld., and the last field on that line indicates the domain administrator's mail address: "hostmaster.athome.tld." stands for "hostmaster@athome.tld", the first dot being turned into a "@". You may have set up a hostmaster alias when you configured the mail server. If you can't, and have to use a dot before the "@" in the admin address (you like it rough... 😲), you have to escape it with a "\":

john\.doe.athome.tld.

The authoritative name server and the administrator mailbox may be on different servers, or even different domains.

The serial number can have multiple formats, but it must increase every time the zone is updated. That is how secondary servers notice there is an update to download. Some admins use a timestamp, others start from 1 and increment each time. It's up to you.

The SOA values (refresh, retry, expire, negative) and the TTL in the example are those recommended in the standard (RFC). Of course you can use your own values, but when in doubt you have a robust example.

By default, values are in seconds. You can also write them as hours (H), days (D) or weeks (W).

Refresh and retry describe when secondary authoritative servers should reload the zone. Nowadays, most primary servers notify their secondaries of changes, so it's automatic.

Expire tells how long secondaries can still serve the zone's data if the primary is unreachable. It is not the TTL.

Negative is how long a NXDOMAIN answer (non-existent name requested) is kept in cache.
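The following Python parser is an added example, not code from the original article or from any name server, that applies the rules just described to zone text like the example above: $TTL sets the default TTL, $ORIGIN and the trailing-dot rule expand "@" and relative names, a multi-line SOA in parentheses with ";" comments is joined into one record, and time units (H, D, W) are converted to seconds. The sample zone is trimmed from the article's example; serial_is_newer implements the wrap-around comparison of RFC 1982 that a secondary uses to decide whether the serial has increased.

```python
"""Minimal zone-file parser and SOA serial comparison (added example)."""
import re

# Constructed sample, trimmed from the article's zone example.
SAMPLE_ZONE = """\
$TTL 1D
@           IN SOA    master.athome.tld. hostmaster.athome.tld. (
                    2014110502      ; serial number
                    86400           ; Refresh
                    7200            ; Retry
                    3600000         ; Expire
                    172800 )        ; Negative Cache TTL
$ORIGIN athome.tld.
@           IN NS       master
@           IN MX       10 mail1
master      IN A        192.0.2.2
www   3600  IN CNAME    master
"""

UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}


def parse_ttl(text):
    """'1D' -> 86400, '2H30M' -> 9000, '300' -> 300 (plain numbers are seconds)."""
    if text.isdigit():
        return int(text)
    return sum(int(n) * UNITS[u.upper()] for n, u in re.findall(r"(\d+)([smhdwSMHDW])", text))


def absolute(name, origin):
    """Trailing-dot rule: '@' is the origin, a name without a final dot is
    expanded with the origin, a name ending in '.' is already complete."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text, zone_name):
    """Return (default_ttl, [(owner, ttl, class, type, [rdata tokens])])."""
    origin = zone_name if zone_name.endswith(".") else zone_name + "."
    default_ttl, records = None, []
    buf, depth, start = [], 0, ""
    for raw in text.splitlines():
        if not buf:
            start = raw                      # first physical line of the record
        line = raw.split(";", 1)[0]          # drop comments
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth > 0:                        # still inside "( ... )", keep joining
            continue
        tokens = " ".join(buf).replace("(", " ").replace(")", " ").split()
        buf = []
        if not tokens:
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            default_ttl = parse_ttl(tokens[1])
            continue
        if start[0].isspace():               # blank owner field: reuse the previous owner
            owner = records[-1][0] if records else origin
        else:
            owner = absolute(tokens.pop(0), origin)
        ttl, rclass = default_ttl, "IN"
        while tokens and (tokens[0] == "IN" or tokens[0][0].isdigit()):
            tok = tokens.pop(0)              # TTL and class are optional, any order
            if tok != "IN":
                ttl = parse_ttl(tok)
        rtype = tokens.pop(0)
        if rtype in ("NS", "CNAME", "MX", "SOA"):
            tokens = [t if t.isdigit() else absolute(t, origin) for t in tokens]
        records.append((owner, ttl, rclass, rtype, tokens))
    return default_ttl, records


def serial_is_newer(new, old):
    """RFC 1982 serial arithmetic: `new` is newer if it is ahead of `old`
    by less than 2**31 modulo 2**32, so the 32-bit counter may wrap around."""
    return 0 < (new - old) % 2**32 < 2**31


if __name__ == "__main__":
    for rec in parse_zone(SAMPLE_ZONE, "athome.tld")[1]:
        print(rec)
```

Every owner and every name inside NS, MX, CNAME and SOA data comes out fully qualified, which is the form the server actually works with; a forgotten trailing dot shows up immediately as a doubled suffix such as "master.athome.tld.athome.tld.".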

A, AAAA

These may be the most important record types. Like the others, they follow this format: {NAME, TTL, CLASS, TYPE, RDATA}.

The addresses of the device master.athome.tld are recorded like this:

master          IN A        192.0.2.2
master          IN AAAA     2001:db8:1:1::2

Remember that the trailing dot in names is very important. It represents the root zone. If a name doesn't end with a dot, it is expanded with the origin, which leads to bugs when you meant a complete name.

CNAME

CNAME means Canonical NAME; it is an alias.

In the following example, the real name of www is master.

www IN CNAME master

It is used for virtual hosts such as blog.athome.tld, webmail.athome.tld, and so on.

NS

A DNS zone should have at least 2 NS records, since they describe where the authoritative servers are. Actually, the zone will work with only one, as long as that domain name server doesn't run into any problem.

In theory there is no maximum number of NS servers. If you have two, that's a good start: yours and a friend's.

athome.tld.   IN  NS   master.athome.tld.

This record means: for the zone athome.tld, an authoritative name server (NS) is master.athome.tld. It can also be written this way:

@     IN NS   master

In this case, "@" is replaced by the zone's "$ORIGIN" (its full name up to the root), and since master has no trailing dot it is expanded with $ORIGIN too, giving "master.athome.tld".

Name servers must be known to the rest of the world, so you have to register them with the registrar, in the TLD zone. This is actually one of the only two kinds of records you have to enter in your registrar panel, the other being the DNSSEC key records. Later, once the authoritative servers are published, everything else happens on your own server.

When registering an NS with the registrar, you generally give two fields: the full hostname of the server, master.athome.tld here, and its addresses. This is called a "Glue Record". How could anyone learn the address of master.athome.tld, when master.athome.tld is itself the server that knows the addresses of zone athome.tld? For this specific case, the address is written at the registrar, in the parent zone.

To register authoritative servers with the registrar, log in to your registrar panel.

With GANDI, it's quite easy (20% discount with this link).

You'll find a "GLUE" panel in your domain setup.

Once the new GLUE record is entered, you can modify the name server list for your domain.

Read more about registrars and self-hosting with this article.

MX

MX, a little like NS, tells where a given service for the zone is; in this case, where mail should be delivered. The record is built the same way as before:

@     IN MX 10   mail1
@     IN MX 20   mail2

For the zone athome.tld, the mail server (MX) is mail1.athome.tld.

The only significant difference is the "10", indicating the priority or "weight". When you have multiple servers, which one gets priority to receive the mail? The one with the lowest weight.

If you self-host, you can choose to use the main domain name instead of a subdomain, with the same address in its A record; it is still valid:

@     IN MX 10   athome.tld.

MX and NS can't be redirections (CNAME); they must point to names with A or AAAA records, or as a last resort to an IP.
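As an added example (not from the original article), the Python checker below enforces the NS, MX and CNAME rules of the preceding sections on a record set: at least two NS at the apex, NS and MX targets that are not CNAMEs, in-zone targets that carry A/AAAA data (the glue case), a CNAME that stands alone at its name, and the delivery order a sending mail server derives from the MX weights. Both record sets are constructed; the second one deliberately breaks the rules.

```python
"""Zone sanity checks for NS, MX and CNAME (added example, constructed data)."""
from collections import defaultdict

# Constructed records as (owner, type, rdata), all names fully qualified.
GOOD_ZONE = [
    ("athome.tld.", "NS", "master.athome.tld."),
    ("athome.tld.", "NS", "ns.friend.example."),
    ("athome.tld.", "MX", "10 mail1.athome.tld."),
    ("athome.tld.", "MX", "20 mail2.athome.tld."),
    ("master.athome.tld.", "A", "192.0.2.2"),
    ("mail1.athome.tld.", "A", "192.0.2.10"),
    ("mail2.athome.tld.", "AAAA", "2001:db8:1:1::11"),
    ("www.athome.tld.", "CNAME", "master.athome.tld."),
]

BAD_ZONE = [
    ("athome.tld.", "NS", "master.athome.tld."),          # a single NS
    ("athome.tld.", "MX", "10 mail.athome.tld."),
    ("master.athome.tld.", "A", "192.0.2.2"),
    ("mail.athome.tld.", "CNAME", "master.athome.tld."),  # MX pointing at an alias
    ("mail.athome.tld.", "A", "192.0.2.10"),              # CNAME not alone at its name
]


def lint_zone(records, zone):
    """Return a list of problems found (an empty list means the zone passes)."""
    by_name = defaultdict(lambda: defaultdict(list))
    for owner, rtype, rdata in records:
        by_name[owner][rtype].append(rdata)
    problems = []
    apex = by_name[zone]

    ns_targets = list(apex["NS"])
    if len(ns_targets) < 2:
        problems.append(f"{zone} has {len(ns_targets)} NS record(s); at least 2 are recommended")

    # MX rdata is "<weight> <host>"; only the host is a name to check.
    mx_targets = [rd.split()[1] for rd in apex["MX"]]
    for kind, targets in (("NS", ns_targets), ("MX", mx_targets)):
        for target in targets:
            rrs = by_name.get(target, {})
            if "CNAME" in rrs:
                problems.append(f"{kind} target {target} is a CNAME; must be an A/AAAA name")
            elif target.endswith("." + zone) and not (rrs.get("A") or rrs.get("AAAA")):
                problems.append(f"{kind} target {target} is in-zone but has no A/AAAA address")

    for owner, rrs in by_name.items():
        if "CNAME" in rrs and len(rrs) > 1:
            problems.append(f"{owner} has a CNAME alongside other records")
    return problems


def mx_delivery_order(records, zone):
    """Hosts in the order a sending server tries them: lowest weight first."""
    prefs = [rd.split() for owner, rtype, rd in records if owner == zone and rtype == "MX"]
    return [host for weight, host in sorted(prefs, key=lambda p: int(p[0]))]


if __name__ == "__main__":
    print(lint_zone(GOOD_ZONE, "athome.tld."))
    for problem in lint_zone(BAD_ZONE, "athome.tld."):
        print("-", problem)
    print(mx_delivery_order(GOOD_ZONE, "athome.tld."))
```

Running the checks before loading a zone catches the mistakes that only surface later as bounced mail or an unreachable domain; off-zone targets such as ns.friend.example. are left alone, since their addresses live in another zone.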

TXT

TXT records are used to publish various data about your domain. It is useful to share public keys, for example. It looks like this:

@    IN TXT    "v=spf1 a mx ~all"
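To show what such a TXT record expresses, here is an added Python example (not from the original article) that evaluates an SPF policy the way a receiving mail server does: it reads the "v=spf1" TXT record of the sending domain and checks the sender's IP against the "a" and "mx" mechanisms, which rely on the A, AAAA and MX records seen earlier, with "~all" giving a softfail for everything else. The record set is constructed, and the policy goes a little beyond the article's record by adding an "ip4:" network so that mechanism is exercised too.

```python
"""Evaluate an SPF policy published in a TXT record (added example)."""
import ipaddress

# Constructed records: (name, type) -> [rdata]; names fully qualified.
RECORDS = {
    ("athome.tld.", "TXT"): ['"v=spf1 a mx ip4:198.51.100.0/24 ~all"'],
    ("athome.tld.", "A"): ["192.0.2.2"],
    ("athome.tld.", "MX"): ["10 mail1.athome.tld.", "20 mail2.athome.tld."],
    ("mail1.athome.tld.", "A"): ["192.0.2.10"],
    ("mail2.athome.tld.", "A"): ["192.0.2.11"],
    ("mail2.athome.tld.", "AAAA"): ["2001:db8:1:1::11"],
}

# Qualifier prefix of a mechanism -> result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return RECORDS.get((name, rtype), [])


def host_addresses(name):
    """All A and AAAA addresses of a name, as ipaddress objects."""
    return [ipaddress.ip_address(a) for t in ("A", "AAAA") for a in lookup(name, t)]


def check_spf(sender_ip, domain):
    """Return pass / fail / softfail / neutral, or 'none' without an SPF record."""
    ip = ipaddress.ip_address(sender_ip)
    policies = [t.strip('"') for t in lookup(domain, "TXT") if t.strip('"').startswith("v=spf1")]
    if not policies:
        return "none"
    for term in policies[0].split()[1:]:        # skip the "v=spf1" version tag
        qualifier = "+"                          # a bare mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech == "a":                        # sender is an address of the domain itself
            matched = ip in host_addresses(arg or domain)
        elif mech == "mx":                       # sender is one of the domain's MX hosts
            mx_hosts = [rd.split()[1] for rd in lookup(arg or domain, "MX")]
            matched = any(ip in host_addresses(h) for h in mx_hosts)
        elif mech in ("ip4", "ip6"):
            # Version mismatch (an IPv6 sender against ip4:) simply does not match.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                             # no mechanism matched, no "all" present


if __name__ == "__main__":
    for sender in ("192.0.2.10", "2001:db8:1:1::11", "203.0.113.5"):
        print(sender, check_spf(sender, "athome.tld."))
```

The mechanisms are tried left to right and the first match decides, so the order in the record matters: "~all" must come last or it swallows everything after it.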

Ending words

That's it for this long part about DNS. Do not hesitate to read again later, there are many things to understand here.

Of course, you can do much more with DNS (SRV, SSHFP, ...); we'll describe each case later if necessary.