2.6 DNS Configuration

DNS: Domain Name System

  • Translates fully qualified domain names (e.g., www.example.com) to IP addresses.

  • Not a standalone server; it's a distributed, hierarchical system.

DNS Hierarchy

  • Multiple servers work together across the Internet.

  • There are 13 root server identities (named A through M), each served by many anycast instances; well over a thousand physical servers in total.

  • Hundreds of generic top-level domains (gTLDs) like .com, .org, .net, etc.

  • Country-code top-level domains (ccTLDs) like .US, .CA, .UK.

Hierarchy Visualization (example: professormesser.com)
  • Start with a period (.) representing the root.

  • Then .com, .net, .edu, etc.

  • Next level: professormesser.com.

  • Subdomains: www.professormesser.com, mail.professormesser.com.

  • Organizational domains (for large networks): east.professormesser.com, west.professormesser.com.

  • Hierarchy allows for specific structure and applies to all fully qualified domain names.

DNS Translation Verification

  • Using dig command:

    • dig www.professormesser.com sends a query for that name (an A record by default) to the configured resolver and prints a summary of the exchange.

    • Shows the question sent (a request for the address associated with the named host) and the server that answered.

    • Lists the IP addresses returned for the web server (e.g., three different IP addresses for redundancy).

  • Using nslookup command:

    • nslookup professormesser.com queries the locally configured DNS server.

    • Provides IP addresses for the domain.

DNS Server Database

  • DNS server has a database containing FQDNs, IP addresses, and other details.

  • These details are stored as resource records.

Resource Records

  • Over 30 different types of resource records exist.

  • Examples: IP addresses, certificates, hostnames.

DNS Server Importance
  • Critical resource: if unavailable, FQDN to IP address translation fails.

    • Good backups are crucial before making DNS changes.

    • Understand a change before making it; one wrong record can take every service under that name off the network until the error is fixed and cached copies expire.

  • Configuration is often stored in plain-text zone files for easy editing.

    • Contents: the start of authority (SOA) record, mail exchanger (MX) records, address records mapping FQDNs to IP addresses, and canonical name (CNAME) aliases.

    • Web-based front ends can simplify configuration.

A and AAAA Records

  • Address records:

    • A record: IPv4 address.

      • FQDN + IPv4 address.

      • Example: www.professormesser.com with IP address 162.159.246.164.

    • AAAA record (quad-A): IPv6 address.

      • FQDN + IPv6 address.

  • Time to Live (TTL):

    • Specifies how long, in seconds, a client or resolver may cache the DNS record before querying again.

    • Example: A TTL of 15 minutes (900 seconds) means a device caches the FQDN to IP address mapping for 15 minutes.

    • Trade-off: a long TTL means a changed address takes that long to propagate; a short TTL speeds up changes and failover at the cost of more queries.

MX Record (Mail Exchanger)

  • Specifies where emails should be delivered.

  • Requires two records:

    • MX record: names the mail server by hostname (e.g., mail.mydomain.name); an MX must point to a hostname, never directly to an IP address, and the hostname should not be a CNAME alias.

    • A (or AAAA) record: provides the IP address for that mail server hostname.

  • Example configuration:

    • MX record for mydomain.name points to mail.mydomain.name.

    • A record for mail.mydomain.name is 123.124.14.141 (Linux server).

TXT Record (Text Record)

  • Stores free-form text information.

  • Publicly readable by anyone who queries the name, so nothing sensitive belongs in it.

  • Originally used for informal, human-readable notes; now carries several machine-read protocols.

Uses for TXT Records
  • Verification purposes.

    • Adding a specific string to a TXT record to verify domain ownership or configuration changes.

  • Email security (SPF, DKIM, DMARC).

Examples of TXT Records
  • Checking TXT records for professormesser.com using dig professormesser.com txt or nslookup -type=txt professormesser.com.

  • Google.com TXT records: Facebook domain verification, Google site verification, DocuSign record.

SPF Record (Sender Policy Framework)

  • A list of the servers (IP addresses and networks) authorized to send email for a domain, published as a TXT record beginning with v=spf1.

  • Helps prevent email spoofing of the domain.

  • The receiving mail server looks up the SPF record for the domain in the envelope sender (MAIL FROM) and checks whether the connecting server's IP address is listed; a trailing -all tells it to fail anything not listed, ~all to treat it as a soft fail.

DKIM (DomainKeys Identified Mail)

  • The sending server adds a digital signature over selected headers and the body of each outgoing email, using a private key.

  • Receiving mail servers validate the signature, which proves the message was not altered in transit and was signed by a holder of the domain's key.

  • The public key is stored in a TXT record in DNS at <selector>._domainkey.<domain>; the DKIM-Signature header names the selector and domain so the receiver knows which record to fetch.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

  • Builds on SPF and DKIM by telling receivers what to do with mail that fails both checks, or whose passing check does not align with the domain in the From: header.

  • Policy options: p=none (deliver normally, report only), p=quarantine (send to spam), p=reject.

  • Mail servers track validation results and send aggregate reports to the address in the rua= tag.

  • The DMARC record is a TXT record at _dmarc.<domain> that specifies the policy and reporting address.
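Putting the SPF, DKIM and DMARC sections together in code: the functions below evaluate an SPF record for a connecting IP address (including the include: mechanism and the lookup limit), locate a DKIM public key at its selector name, and apply a DMARC policy to the combined result. This is an added example, not code from the original notes; the TXT answers are a constructed dict standing in for what dig or nslookup would return, and every domain, address and key value in it is illustrative.

```python
"""Evaluate SPF, locate the DKIM key, and apply DMARC for one inbound message.

Added example, not from the page. The TXT answers are a constructed dict; all
names, addresses and key values are illustrative. SPF mechanisms ip4, ip6,
include and all are implemented; a, mx, ptr, exists and the redirect modifier
raise NotImplementedError rather than guess.
"""
import ipaddress

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208: at most 10 DNS-querying mechanisms per check

# Constructed TXT answers keyed by owner name.
TXT = {
    "example.com": [
        "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:1::/48 include:_spf.mailhost.example -all",
        "google-site-verification=constructed-token",  # unrelated record, same name
    ],
    "_spf.mailhost.example": ["v=spf1 ip4:198.51.100.0/25 -all"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=CONSTRUCTED_BASE64_KEY"],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; aspf=r; adkim=r"],
}


def txt(name):
    return TXT.get(name.lower().rstrip("."), [])


def spf_record(domain):
    """A domain may publish exactly one v=spf1 record; more is a permerror."""
    found = [r for r in txt(domain) if r.lower().startswith("v=spf1")]
    if len(found) > 1:
        raise ValueError("permerror: multiple SPF records")
    return found[0] if found else None


def check_spf(ip, domain, lookups=None):
    """SPF result for connecting address `ip` sending on behalf of `domain`."""
    ip = ipaddress.ip_address(ip)
    lookups = lookups if lookups is not None else [0]
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        if "=" in term:  # modifier, not a mechanism
            if term.lower().startswith("redirect="):
                raise NotImplementedError("redirect= not handled here")
            continue
        qual = term[0] if term[0] in QUALIFIER else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIER[qual]
        if mech in ("ip4", "ip6"):
            # an IPv4 address never matches an ip6 network, and vice versa
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER[qual]
        elif mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            inner = check_spf(ip, arg, lookups)
            if inner == "pass":
                return QUALIFIER[qual]
            if inner in ("none", "permerror"):
                return "permerror"
        else:
            raise NotImplementedError(f"SPF mechanism {mech!r} not handled here")
    return "neutral"  # ran off the end without a match or an 'all'


def tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC records."""
    out = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out


def dkim_public_key(selector, domain):
    """Key lives at <selector>._domainkey.<domain>, both named in DKIM-Signature."""
    for r in txt(f"{selector}._domainkey.{domain}"):
        t = tags(r)
        if t.get("v", "DKIM1").upper() == "DKIM1" and "p" in t:
            return t
    return None


def dmarc_policy(domain):
    for r in txt(f"_dmarc.{domain}"):
        t = tags(r)
        if t.get("v", "").upper() == "DMARC1" and "p" in t:
            return t
    return None


def aligned(auth_domain, from_domain, mode):
    """Strict (s): exact match. Relaxed (r): same or parent/child domain.
    Simplification: suffix match instead of the Public Suffix List."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else (a == f or a.endswith("." + f) or f.endswith("." + a))


def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_pass, dkim_domain):
    """'pass', 'no-policy', or the p= action (none/quarantine/reject) to apply."""
    policy = dmarc_policy(from_domain)
    if policy is None:
        return "no-policy"
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = bool(dkim_pass and dkim_domain) and aligned(
        dkim_domain, from_domain, policy.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else policy["p"].lower()
```

Note the alignment step: SPF passing for bulk.example.net does nothing for a message whose From: header says example.com, which is why DMARC closes the gap that SPF and DKIM alone leave open. Also note that the unrelated google-site-verification record at the same name is filtered out by the v=spf1 prefix check, which is how multiple protocols coexist in one name's TXT set.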