30 min. 50 XP.
DNS Fundamentals. Records, Resolvers, Zones
DNS lookups power four of the 13 scored NCAE services. This lesson teaches the vocabulary you need: what a record is, what a zone is, and the difference between an authoritative server and a recursive resolver, so that when you read `named.conf` later you already know the concepts.
DCWF roles:
IT-441 Network Operations Specialist
IT-451 System Administrator
Services:
DNS EXT FWD, DNS EXT REV, DNS INT FWD, DNS INT REV
Objectives
- Know the common DNS record types: A, AAAA, CNAME, MX, NS, SOA, PTR, TXT
- Distinguish forward (name -> IP) from reverse (IP -> name) lookups
- Understand the difference between authoritative and recursive resolvers
- Read a zone file and identify SOA, NS, and resource records
- Use `dig` to query any DNS server for any record type
- Interpret NXDOMAIN vs NOERROR + empty answer
Quick reference
| Command | Purpose |
|---|---|
| dig <name> | Default A record lookup |
| dig <name> AAAA | IPv6 (AAAA) record |
| dig <name> MX | Mail server record |
| dig <name> NS | Name servers for a domain |
| dig <name> TXT | Text records (SPF, DKIM, verification) |
| dig +short <name> | Just the answer, no ceremony |
| dig @<dns-server> <name> | Ask a specific resolver |
| dig +trace <name> | Follow the delegation chain from root |
| dig -x <ip> | Reverse lookup (IP -> name via PTR) |
| host <name> | Simpler output than dig |
| nslookup <name> | Interactive resolver |
| getent hosts <name> | Goes through NSS, so it also consults /etc/hosts |
Common pitfalls
- Confusing NXDOMAIN (name doesn't exist) with NOERROR + empty answer (name exists, but no record of this type)
- Missing the trailing dot on FQDNs: `example.com` vs `example.com.` matters in zone files, because a name without the dot gets the zone's origin appended
- Forgetting that PTR records live in a special reverse-zone naming scheme (`in-addr.arpa`)
- Querying your own resolver without realising the answer may be cached: use `dig +trace`, or point at a server explicitly with `@localhost`
- Leaving recursion enabled on an authoritative server: this lets anyone on the internet use you as an open resolver, which is abused for DNS amplification attacks
How it works (walkthrough)
```text
# DNS record types at a glance:
# A      name -> IPv4        example.com.                 IN A     93.184.216.34
# AAAA   name -> IPv6        example.com.                 IN AAAA  2606:2800:220:1::2c
# CNAME  alias -> real name  www.example.com.             IN CNAME example.com.
# MX     mail routing        example.com.                 IN MX    10 mail.example.com.
# NS     nameserver          example.com.                 IN NS    ns1.example.com.
# SOA    zone authority      example.com.                 IN SOA   ns1 admin serial ...
# PTR    reverse lookup      34.216.184.93.in-addr.arpa.  IN PTR   example.com.
# TXT    arbitrary text      example.com.                 IN TXT   "v=spf1 ..."
#
# Authoritative vs recursive:
#   Authoritative server: has the zone file, knows the records firsthand
#     (your BIND at 192.168.10.12 for team10.ncaecybergames.org)
#   Recursive resolver: doesn't have the zone; asks authoritative servers on your behalf
#     (your ISP's DNS, 8.8.8.8, 1.1.1.1)
#
# A well-configured NCAE BIND is authoritative for YOUR zones,
# NOT recursive for the world.
```
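The walkthrough above, and the pitfalls list before it, can be made concrete with a small model of what an authoritative server does with a zone file. The following is an added example, not course material or BIND code: it parses a constructed zone-file snippet modelled on the records above (a minimal grammar, one record per line, `;` comments, a `$ORIGIN` directive), qualifies relative names the way a zone file does (so a forgotten trailing dot visibly becomes `example.com.example.com.`), derives the `in-addr.arpa` names that PTR records need, and answers queries with the NXDOMAIN vs NOERROR-plus-empty-answer distinction from the objectives. The zone contents, the `mail` host and the `qualify`/`lookup`/`reverse_zone` function names are all assumptions made for this example.

```python
"""Toy authoritative lookup over a zone-file snippet (added example, not course or BIND code)."""
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample zone, modelled on the walkthrough records; not a real deployment.
ZONE_TEXT = """
$ORIGIN example.com.
example.com.      IN  A      93.184.216.34
example.com.      IN  AAAA   2606:2800:220:1::2c
www.example.com.  IN  CNAME  example.com.
example.com.      IN  MX     10 mail.example.com.
example.com.      IN  NS     ns1.example.com.
example.com.      IN  TXT    "v=spf1 -all"
mail              IN  A      93.184.216.35   ; relative owner: $ORIGIN is appended
"""

# Record types whose last rdata field is a domain name that must be qualified.
NAME_TYPES = {"CNAME", "NS", "PTR", "MX"}


def qualify(name, origin):
    """Return a fully qualified, lower-cased name ending in '.'.

    A name that already ends in '.' is absolute. Otherwise $ORIGIN is appended,
    which is exactly how a forgotten dot turns 'example.com' into
    'example.com.example.com.' inside a zone file.
    """
    name = name.lower()
    if name.endswith("."):
        return name
    if name == "@":
        return origin
    return name + "." if origin == "." else f"{name}.{origin}"


def parse_zone(text):
    """Parse the minimal grammar into {(owner, type): [rdata, ...]}."""
    zone = defaultdict(list)
    origin = "."
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # zone-file comments start with ';'
        if not line:
            continue
        tokens = shlex.split(line)            # keeps quoted TXT rdata together
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].lower()
            continue
        owner, rclass, rtype, *rdata = tokens
        if rclass != "IN":
            raise ValueError(f"unsupported class {rclass!r}: {raw}")
        rtype = rtype.upper()
        if rtype in NAME_TYPES:
            rdata[-1] = qualify(rdata[-1], origin)
        zone[(qualify(owner, origin), rtype)].append(" ".join(rdata))
    return dict(zone)


def reverse_zone(cidr):
    """in-addr.arpa zone name for an octet-aligned IPv4 prefix (/8, /16 or /24)."""
    net = ipaddress.IPv4Network(cidr)
    if net.prefixlen % 8:
        raise ValueError("only /8, /16 and /24 map to a single in-addr.arpa zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_records(zone):
    """Derive the PTR records the matching reverse zones need from every A/AAAA record."""
    return sorted(
        (ipaddress.ip_address(ip).reverse_pointer + ".", "PTR", owner)
        for (owner, rtype), rdatas in zone.items() if rtype in ("A", "AAAA")
        for ip in rdatas
    )


def lookup(zone, qname, qtype):
    """Answer like an authoritative server.

    NXDOMAIN: the name has no records of any type.
    NOERROR with an empty answer: the name exists, but not with this type.
    """
    qname, qtype = qualify(qname, "."), qtype.upper()
    if qname not in {owner for owner, _ in zone}:
        return "NXDOMAIN", []
    answers = [(qname, qtype, r) for r in zone.get((qname, qtype), [])]
    if not answers and qtype != "CNAME" and (qname, "CNAME") in zone:
        # An alias answers with its CNAME followed by the target's records (one hop here).
        target = zone[(qname, "CNAME")][0]
        answers = [(qname, "CNAME", target)] + [
            (target, qtype, r) for r in zone.get((target, qtype), [])]
    return "NOERROR", answers


if __name__ == "__main__":
    zone = parse_zone(ZONE_TEXT)
    for q in (("example.com", "A"), ("nosuch.example.com", "A"),
              ("mail.example.com", "MX"), ("www.example.com", "A")):
        print(q, "->", lookup(zone, *q))
    print("reverse zone for 10.0.0.0/24:", reverse_zone("10.0.0.0/24"))
    print("PTR records needed:", ptr_records(zone))
```

Running it shows the three outcomes side by side: `nosuch.example.com` is NXDOMAIN, `mail.example.com MX` is NOERROR with no answer because the name exists only as an A record, and the alias `www` answers with its CNAME plus the target's A record. The PTR list is the same `34.216.184.93.in-addr.arpa.` naming the walkthrough uses, and `reverse_zone("10.0.0.0/24")` gives the reverse-zone name asked for in the drills.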
Skill drills
1. DNS record type that maps a name to an IPv4 address? Answer: A
2. DNS record type for a reverse lookup? Answer: PTR
3. What does SOA stand for in DNS? Answer: Start of Authority
4. What does NXDOMAIN mean? Answer: The queried name does not exist at all
5. Command-line tool to query any DNS server for any record type? Answer: dig
6. What's the reverse-zone name for 10.0.0.0/24? Answer: 0.0.10.in-addr.arpa
7. Authoritative vs recursive: which one has the zone file? Answer: Authoritative
NCAE scoreboard patterns this lesson prevents
- 15,977.8 DNS EXT FWD: Can't contact DNS Server on IP
- 144.4 DNS EXT FWD: Failed to lookup: ns1.team15.ncaecybergames.org, files.team15.ncaecybergames.org, shell.team15.ncaecybergames.
- 69.4 DNS EXT FWD: Connected to IP:53, no useful content though...
- 36.1 DNS EXT FWD: Failed to lookup: ns1.team18.ncaecybergames.org, files.team18.ncaecybergames.org, shell.team18.ncaecybergames.