
Mastering DNS: From Basics to Advanced Configuration and Security

This comprehensive guide explains DNS fundamentals, its distributed hierarchical structure, TCP/UDP usage, top‑level domains, resolution workflow, caching, smart routing, BIND configuration, load balancing, sub‑domain delegation, debugging tools, and security considerations such as amplification attacks.

Open Source Linux

What is DNS?

DNS (Domain Name System) is an Internet service that maps domain names to IP addresses using a distributed database, allowing users to access resources via human‑readable names.

Key Characteristics

Distributed architecture

Supports TCP and UDP (default port 53)

Maximum label length per level: 63 characters

Maximum full name length: 253 characters

When to Use TCP vs UDP?

Originally DNS used UDP with a 512‑byte limit; responses larger than that trigger TCP. Modern extensions allow larger UDP packets, so UDP is used unless the response exceeds the client’s advertised size.
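As an added example (not code from the article), the following Python builds a query that advertises its UDP payload size through an EDNS0 OPT record and checks a reply's TC bit to decide whether the same query must be retried over TCP; the function names, the constructed truncated reply and the use of chinaz.com are this example's assumptions.

```python
import struct

HEADER = struct.Struct("!HHHHHH")  # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1


def encode_name(name):
    """Wire-encode a name, enforcing the 63-char label / 253-char name limits."""
    name = name.rstrip(".")
    if len(name) > 253:
        raise ValueError("full name longer than 253 characters")
    out = b""
    for label in name.split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("label must be 1..63 characters: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"  # zero-length root label terminates the name


def build_query(name, qtype=TYPE_A, txid=0x1234, udp_size=None):
    """Recursive query; udp_size adds an EDNS0 OPT record advertising the
    largest UDP reply the client accepts (without it, the classic limit is 512)."""
    msg = HEADER.pack(txid, FLAG_RD, 1, 0, 0, 1 if udp_size else 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if udp_size:
        # OPT RR: root name, TYPE 41, CLASS field = UDP payload size,
        # TTL field = extended RCODE/flags (0 here), RDLENGTH 0.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return msg


def parse_header(response):
    txid, flags, _qd, an, _ns, ar = HEADER.unpack_from(response, 0)
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "ancount": an, "arcount": ar}


def needs_tcp_retry(response, txid):
    """True when the reply matches our ID and has TC=1: the answer did not fit
    the UDP size we advertised, so the same query must be resent over TCP."""
    hdr = parse_header(response)
    return hdr["id"] == txid and hdr["qr"] and hdr["tc"]


# Constructed reply (assumption, not captured traffic): QR=1 TC=1 RD=1, question echoed, no answers.
TRUNCATED_REPLY = HEADER.pack(0x1234, FLAG_QR | FLAG_TC | FLAG_RD, 1, 0, 0, 0) \
    + encode_name("chinaz.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
```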

Hierarchical Database Structure

DNS resembles an inverted tree similar to a Linux file system. The root “.” sits at the top, followed by top‑level domains (e.g., .com), then second‑level domains (e.g., chinaz.com), and so on.

Because the global namespace contains millions of names, DNS is implemented as a distributed system. Delegation of authority prevents name collisions and reduces storage pressure on any single server.

Top‑Level Domains

Top‑level domains (TLDs) are controlled by ICANN. They fall into two categories: generic TLDs (gTLDs) such as .com, .org, .edu, and country code TLDs (ccTLDs) such as .cn, .us. The choice of TLD depends on whether the service is global or region‑specific.

DNS Resolution Process

When a client queries a domain, the resolver follows the order defined in /etc/nsswitch.conf (typically hosts: files dns myhostname). The client contacts a recursive resolver, which queries root servers, then TLD servers, then authoritative servers, caching results along the way.

Recursive resolvers are usually provided by ISPs or public services (e.g., 8.8.8.8). Authoritative servers store the actual DNS records.

Caching

Resolvers cache responses to improve performance and reduce load. Cached data is hierarchical: a resolver that has already queried chinaz.com can answer sub‑domain queries without contacting the root again.

Smart Resolution

Smart DNS returns the IP address closest to the client when a name maps to multiple addresses. It relies on the EDNS extension, which includes the client’s IP in the query.

Domain Registrars

Registrars obtain authority from ICANN to allocate second‑level domains under a TLD. They also operate authoritative name servers for the domains they manage, though customers can delegate authority to other name servers.

Setting Up a BIND Server

BIND Main Configuration

The main file /etc/named.conf defines global options, logging, and zone declarations. Enabling recursion yes; allows the server to act as a recursive resolver; disabling it restricts the server to authoritative responses.

Zone Files

Zone files contain resource records such as SOA, A, CNAME, AAAA, etc. Example snippets:

@                 IN  SOA  ns.a.hello.com. admin.a.hello.com. ( ... )   ; zone apex: primary server and contact mailbox
a.hello.com.      IN  NS   ns.a.hello.com.                             ; name server for the zone (trailing dots keep names absolute)
ns.a.hello.com.   IN  A    xx.xx.xx.xx                                 ; glue: address of that name server

SOA and CNAME

SOA records identify the authoritative server for a zone. CNAME records act as aliases, allowing multiple names to point to the same target without duplicating A records.

Testing BIND

Use named-checkconf and named-checkzone to validate the configuration, then start the service with service named start. Verify the listener on port 53 and test resolution with dig.

DNS Load Balancing

Adding multiple A records for a name enables round‑robin distribution of client requests. This simple technique contrasts with dedicated load balancers like LVS, which provide health checks and more sophisticated scheduling.

www     IN      A       1.2.3.4
www     IN      A       1.2.3.5

Sub‑domain Delegation

Delegation transfers authority for a sub‑domain to another name server by adding NS records at the parent zone. This is useful when different teams manage their own namespaces.

DNS Debugging Tools

Common utilities include host, nslookup, and dig, which belong to the bind-utils package. dig provides detailed query output useful for troubleshooting.

Other Topics

DNS Amplification Attacks

Attackers exploit the disparity between small DNS queries and large responses to overwhelm a target’s bandwidth. By spoofing the source IP, an attacker can force a DNS server to send amplified traffic to the victim.
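An added example, not from the article: given a simplified per-query log in a format constructed for this example, the Python below computes each client address's amplification factor (reply bytes over query bytes) and flags the addresses receiving the most amplified traffic, which on an open resolver are the spoofed victims. Function names and sample addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample log (assumption, not a real server's output), one query per line:
# "<client_ip> <qtype> <query_bytes> <reply_bytes>"
SAMPLE_LOG = """\
203.0.113.9 ANY 45 3120
203.0.113.9 ANY 45 3120
203.0.113.9 ANY 45 3120
203.0.113.9 TXT 45 2860
198.51.100.3 A 40 56
198.51.100.3 AAAA 40 68
192.0.2.7 ANY 45 3120
"""


def parse_log(text):
    """Parse the constructed format into (ip, qtype, query_bytes, reply_bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, qtype, qbytes, rbytes = line.split()
        records.append((ip, qtype, int(qbytes), int(rbytes)))
    return records


def amplification_report(records, min_queries=3, ratio_threshold=10.0):
    """Per client address: query count, bytes sent back, and the amplification
    factor reply_bytes / query_bytes. Addresses over both thresholds are flagged.
    On an open resolver the logged client is usually the spoofed source, i.e. the
    victim being flooded, which is why response rate limiting keys on that address."""
    stats = defaultdict(lambda: {"queries": 0, "qbytes": 0, "rbytes": 0})
    for ip, _qtype, qb, rb in records:
        s = stats[ip]
        s["queries"] += 1
        s["qbytes"] += qb
        s["rbytes"] += rb
    flagged = {}
    for ip, s in stats.items():
        s["factor"] = round(s["rbytes"] / s["qbytes"], 1)
        if s["queries"] >= min_queries and s["factor"] >= ratio_threshold:
            flagged[ip] = s["factor"]
    return dict(stats), flagged
```

The single-query source 192.0.2.7 has a high factor but stays below min_queries, so a burst threshold is what separates a one-off large answer from a sustained flood.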

Written by

Open Source Linux

Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
