2.6 DNS Configuration

DNS: Domain Name System

• Translates fully qualified domain names (e.g., www.example.com) to IP addresses.

• Not a standalone server; it's a distributed, hierarchical system.

DNS Hierarchy

• Multiple servers work together across the Internet.

• There are 13 root server clusters (actually over a thousand physical servers).

• Hundreds of generic top-level domains (gTLDs) like .com, .org, .net, etc.

• Country-code top-level domains (ccTLDs) like .US, .CA, .UK.

Hierarchy Visualization (example: professormesser.com)

• Start with a period (.) representing the root.

• Then .com, .net, .edu, etc.

• Next level: professormesser.com.

• Subdomains: www.professorMesser.com, mail.professorMesser.com.

• Organizational domains (for large networks): east.professorMesser.com, west.professorMesser.com.

• Hierarchy allows for specific structure and applies to all fully qualified domain names.

DNS Translation Verification

• Using dig command:

  • dig www.professormesser.com shows the summary of request.

  • Shows information sent (request for address associated with mentioned domain).

  • Lists IP addresses associated with the web server (e.g., three different IP addresses for redundancy).

• Using nslookup command:

  • nslookup professormesser.com queries the locally configured DNS server.

  • Provides IP addresses for the domain.

DNS Server Database

• DNS server has a database containing FQDNs, IP addresses, and other details.

• These details are stored as resource records.

Resource Records

• Over 30 different types of resource records exist.

• Examples: IP addresses, certificates, hostnames.

DNS Server Importance

• Critical resource: if unavailable, FQDN to IP address translation fails.

  • Good backups are crucial before making DNS changes.

  • Understand the changes to avoid configuration mistake.

• Configuration often stored in text files for easy editing.

  • Startup authority record, mail exchanger records, IP addresses, FQDNs, canonical names.

  • Web-based front ends can simplify configuration.

A and AAAA Records

• Address records:

  • A record: IPv4 address.

    • FQDN + IPv4 address.

    • Example: www.professormesser.com with IP address 162.159.246.164.

  • AAAA record (quad-A): IPv6 address.

    • FQDN + IPv6 address.

• Time to Live (TTL):

  • Specifies how long a client should cache the DNS record.

  • Example: A TTL of 15 minutes means a device caches the FQDN to IP address mapping for 15 minutes.

MX Record (Mail Exchanger)

• Specifies where emails should be delivered.

• Requires two records:

  • MX record: points to the mail server (e.g., mail.mydomain.name).

  • A record: provides the IP address for the mail server.

• Example configuration:

  • MX record for mydomain.name points to mail.mydomain.name.

  • A record for mail.mydomain.name is 123.124.14.141 (Linux server).

TXT Record (Text Record)

• Stores text information.

• Publicly accessible.

• Originally for informal purposes, now used for specific functions.

Uses for TXT Records

• Verification purposes.

  • Adding a specific string to a TXT record to verify domain ownership or configuration changes.

• Email security (SPF, DKIM, DMARC).

Examples of TXT Records

• Checking TXT records for professormesser.com using dig professormesser.com txt or nslookup -type=txt professormesser.com.

• Google.com TXT records: Facebook domain verification, Google site verification, DocuSign record.

SPF Record (Sender Policy Framework)

• A list of authorized email servers for a domain.

• Helps prevent email spoofing.

• Receiving mail server queries the SPF record to verify if the sending server is authorized.

DKIM (DomainKeys Identified Mail)

• Provides a digital signature for outgoing emails.

• Validated by receiving mail servers.

• The public key is stored in a TXT record in DNS.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

• Extends SPF and DKIM by specifying how to handle unvalidated emails.

• Options: accept, send to spam, reject.

• Mail servers track validation results and provide reports.

• DMARC record specifies the policy and reporting address.