DNS zone

Last updated

Illustration of DNS zone for en.wiki.org DNS Zone.png
Illustration of DNS zone for en.wiki.org

A DNS zone is a specific portion of the DNS namespace in the Domain Name System (DNS), which a specific organization or administrator manages. A DNS zone is an administrative space allowing more granular control of the DNS components, such as authoritative nameserver. The DNS is broken up into different zones, distinctly managed areas in the DNS namespace. DNS zones are not necessarily physically separated from one another; however, a DNS zone can contain multiple subdomains, and multiple zones can exist on the same server.

Contents

The domain namespace of the Internet is organized into a hierarchical layout of subdomains below the DNS root domain. The individual domains of this tree may serve as delegation points for administrative authority and management. However, it is usually desirable to implement fine-grained delegation boundaries so that multiple sub-levels of a domain may be managed independently. Therefore, the domain name space is partitioned into areas (zones) for this purpose. A zone starts at a domain and extends downward in the tree to the leaf nodes or to the top-level of subdomains where other zones start. [1]

A DNS zone is implemented in the configuration system of a domain name server. Historically, it is defined in the zone file, an operating system text file that starts with the special DNS record type Start of Authority (SOA) and contains all records for the resources described within the zone. This format was originally used by the Berkeley Internet Name Domain Server (BIND) software package and is defined in RFC 1034 and RFC 1035.

Domains and zones

Most top-level domain name registry operators offer their namespaces to the public or entities with the mandated geographic or otherwise scoped purpose for registering second-level domains. Similarly, an organization in charge of a lower-level domain may operate its namespace and subdivide its space.

Each registration or allocation of subdomain space obligates the registrant to maintain an administrative and technical infrastructure to manage the responsibility for its zone, including sub-delegation to lower-level domains. Each delegation confers essentially unrestricted technical autonomy over the allocated space. An area of one or more subdomains that have been delegated for management is called a DNS zone. A zone always starts at a domain boundary to include all leaf nodes (hosts) in the domain or ends at the boundary of another independently managed zone.

As each domain is further divided into sub-domains, each becoming a DNS zone with its own set of administrators and DNS servers, the tree grows with the largest number of leaf nodes at the bottom. At this lowest level, in the end-nodes or leaves of the tree, the term DNS zone becomes essentially synonymous with the term "domain", both in terms of use and administration. The term domain is used in the business functions of the entity assigned to it, and the term zone is usually used for the configuration of DNS services.

Forward DNS zones

DNS zones contain the records for mapping domain names to IP addresses or other information. The resolution of a domain name to its assigned information is also referred to as forward resolution, and the DNS zones associated with such processes are often referred to as forward zones. [2] The term arose as the opposite of reverse zones, which are used for the reverse process: finding the DNS name associated with an IP address. Such reverse zones are maintained in the Internet Address and Routing Parameter Area (domain arpa).

Another common use of the term forward zone refers to a specific configuration of DNS name servers, particularly caching name servers, in which resolution of a domain name is forwarded to another name server that is authoritative for the domain in question, rather than being answered from the established cache memory. [3]

Zones for Internet infrastructure

The top-level domain arpa serves as a delegation zone for various technical infrastructure aspects of DNS and the Internet, and does not implement the registration and delegation system of the country and generic domains. The name arpa is a remnant of the ARPANET, one of the predecessor stages of the Internet. Intended as a transitional aid to the DNS, deleting the domain arpa was later found to be impractical. Consequently, the name was officially redefined as an acronym for Address and Routing Parameter Area. It contains sub-zones used for reverse resolution of IP addresses to host names (IPv4: in-addr.arpa, IPv6: ip6.arpa), telephone number mapping (ENUM, e164.arpa), and uniform resource identifier resolution (uri.arpa, urn.arpa).

Although the administrative structure of this domain and its sub-domains is different, the technical delegation into zones of responsibility is similar and the DNS tools and servers used are identical to any other zone. Sub-zones are delegated by components of the respective resources. For example, 8.8.2.5.5.2.2.0.0.8.1.e164.arpa., which might represent an E.164 telephone number in the ENUM system, might be sub-delegated at suitable boundaries of the name. An example of an IP addresses in the reverse DNS zone is 166.188.77.208.in-addr.arpa, which represents the address 208.77.188.166 and resolves to the domain name www.example.com. In the case of IP addresses, the reverse zones are delegated to the Internet service provider (ISP) to which the IP address block is assigned. When an ISP allocates a range to a customer, it usually also delegates the management of that space to the customer by insertion of name server resource records pointing to the customer's DNS facilities into their zone, or provides other management tools. Allocations of single IP addresses for networks connected through network address translation (NAT) typically do not provide such facilities.

Example of zone authority in DNS queries

As an example of the DNS resolving process, consider the role of a recursive DNS resolver attempting to look up the address "en.wikipedia.org.". It begins with a list of addresses for the most authoritative name servers it knows about – the root zone name servers (indicated by the full stop or period), which contains name server information for all top-level domains (TLDs) of the Internet.

When querying one of the root name servers, it is possible that the root zone will not directly contain a record for "en.wikipedia.org.", in which case it will provide a referral to the authoritative name servers for the "org." top-level domain (TLD). The resolver is issued a referral to the authoritative name servers for the "org." zone, which it will contact for more specific information. Again when querying one of the "org." name servers, the resolver may be issued with another referral to the "wikipedia.org." zone, whereupon it will again query for "en.wikipedia.org.". Since (as of July 2010) "en.wikipedia.org." is a CNAME to "text.wikimedia.org." (which is in turn a CNAME to "text.esams.wikimedia.org."), and the "wikipedia.org." name servers also happen to contain authoritative data for the "wikimedia.org." zone, the resolution of this particular query occurs entirely within the queried name server, and the resolver will receive the address record it requires with no further referrals.

If the last name server queried did not contain authoritative data for the target of the CNAME, it would have issued the resolver with yet another referral, this time to the zone "text.wikimedia.org.". However, since the resolver had previously determined the authoritative name servers for the zone "org.", it does not need to begin the resolution process from scratch but instead start at zone "org.", thus avoiding another query to the root name servers.

There is no requirement that resolving should involve any referrals at all. Looking up "en.wikipedia.org." on the root name servers always results in referrals, but if an alternative DNS root is used which is set up to contain a record for "en.wikipedia.org.", then the record is returned on the first query.

See also

Related Research Articles

The Domain Name System (DNS) is a hierarchical and distributed naming system for computers, services, and other resources in the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned to each of the associated entities. Most prominently, it translates readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols. The Domain Name System has been an essential component of the functionality of the Internet since 1985.

A top-level domain (TLD) is one of the domains at the highest level in the hierarchical Domain Name System of the Internet after the root domain. The top-level domain names are installed in the root zone of the name space. For all domains in lower levels, it is the last part of the domain name, that is, the last non empty label of a fully qualified domain name. For example, in the domain name www.example.com, the top-level domain is .com. Responsibility for management of most top-level domains is delegated to specific organizations by the ICANN, an Internet multi-stakeholder community, which operates the Internet Assigned Numbers Authority (IANA), and is in charge of maintaining the DNS root zone.

The most important function of DNS servers is the translation (resolution) of human-memorable domain names (example.com) into the corresponding numeric Internet Protocol (IP) addresses (159.89.194.43), the second principal name space of the Internet, which is used to identify and locate computer systems and resources on the Internet.

In the Internet, a domain name is a string that identifies a realm of administrative autonomy, authority or control. Domain names are often used to identify services provided through the Internet, such as websites, email services and more. As of 2017, 330.6 million domain names had been registered. Domain names are used in various networking contexts and for application-specific naming and addressing purposes. In general, a domain name identifies a network domain or an Internet Protocol (IP) resource, such as a personal computer used to access the Internet, or a server computer.

<span class="mw-page-title-main">Root name server</span> Name server for the DNS root zone

A root name server is a name server for the root zone of the Domain Name System (DNS) of the Internet. It directly answers requests for records in the root zone and answers other requests by returning a list of the authoritative name servers for the appropriate top-level domain (TLD). The root name servers are a critical part of the Internet infrastructure because they are the first step in resolving human-readable host names into IP addresses that are used in communication between Internet hosts.

The DNS root zone is the top-level DNS zone in the hierarchical namespace of the Domain Name System (DNS) of the Internet.

The Domain Name System Security Extensions (DNSSEC) are a suite of extension specifications by the Internet Engineering Task Force (IETF) for securing data exchanged in the Domain Name System (DNS) in Internet Protocol (IP) networks. The protocol provides cryptographic authentication of data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

The Internet uses the Domain Name System (DNS) to associate numeric computer IP addresses with human-readable names. The top level of the domain name hierarchy, the DNS root, contains the top-level domains that appear as the suffixes of all Internet domain names. The most widely used DNS root is administered by the Internet Corporation for Assigned Names and Numbers (ICANN). In addition, several organizations operate alternative DNS roots, often referred to as alt roots. These alternative domain name systems operate their own root name servers and commonly administer their own specific name spaces consisting of custom top-level domains.

A Canonical Name (CNAME) record is a type of resource record in the Domain Name System (DNS) that maps one domain name to another.

In the Domain Name System (DNS) hierarchy, a subdomain is a domain that is a part of another (main) domain. For example, if a domain offered an online store as part of their website example.com, it might use the subdomain shop.example.com.

The domain name arpa is a top-level domain (TLD) in the Domain Name System (DNS) of the Internet. It is used predominantly for the management of technical network infrastructure. Prominent among such functions are the subdomains in-addr.arpa and ip6.arpa, which provide namespaces for reverse DNS lookup of IPv4 and IPv6 addresses, respectively.

In computer networks, a reverse DNS lookup or reverse DNS resolution (rDNS) is the querying technique of the Domain Name System (DNS) to determine the domain name associated with an IP address – the reverse of the usual "forward" DNS lookup of an IP address from a domain name. The process of reverse resolving of an IP address uses PTR records. rDNS involves searching domain name registry and registrar tables. The reverse DNS database of the Internet is rooted in the .arpa top-level domain.

DNS spoofing, also referred to as DNS cache poisoning, is a form of computer security hacking in which corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect result record, e.g. an IP address. This results in traffic being diverted to any computer that the attacker chooses.

In computer networking, the multicast DNS (mDNS) protocol resolves hostnames to IP addresses within small networks that do not include a local name server. It is a zero-configuration service, using essentially the same programming interfaces, packet formats and operating semantics as unicast Domain Name System (DNS). It was designed to work as either a stand-alone protocol or compatibly with standard DNS servers. It uses IP multicast User Datagram Protocol (UDP) packets, and is implemented by the Apple Bonjour and open source Avahi software packages, included in most Linux distributions. Although the Windows 10 implementation was limited to discovering networked printers, subsequent releases resolved hostnames as well. mDNS can work in conjunction with DNS Service Discovery (DNS-SD), a companion zero-configuration networking technique specified separately in RFC 6763.

A Domain Name System (DNS) zone file is a text file that describes a DNS zone. A DNS zone is a subset, often a single domain, of the hierarchical domain name structure of the DNS. The zone file contains mappings between domain names and IP addresses and other resources, organized in the form of text representations of resource records (RR). A zone file may be either a DNS master file, authoritatively describing a zone, or it may be used to list the contents of a DNS cache.

This article presents a comparison of the features, platform support, and packaging of many independent implementations of Domain Name System (DNS) name server software.

The domain name .local is a special-use domain name reserved by the Internet Engineering Task Force (IETF) so that it may not be installed as a top-level domain in the Domain Name System (DNS) of the Internet. As such it is similar to the other special domain names, such as .localhost. However, .local has since been designated for use in link-local networking, in applications of multicast DNS (mDNS) and zero-configuration networking (zeroconf) so that DNS service may be established without local installations of conventional DNS infrastructure on local area networks.

<span class="mw-page-title-main">Fast flux</span> DNS evasion technique against origin server fingerprinting.

Fast flux is a domain name system (DNS) based evasion technique used by cyber criminals to hide phishing and malware delivery websites behind an ever-changing network of compromised hosts acting as reverse proxies to the backend botnet master—a bulletproof autonomous system. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures.

Blackhole DNS servers are Domain Name System (DNS) servers that return a "nonexistent address" answer to reverse DNS lookups for addresses reserved for private use.

An Extensible Resource Identifier is a scheme and resolution protocol for abstract identifiers compatible with Uniform Resource Identifiers and Internationalized Resource Identifiers, developed by the XRI Technical Committee at OASIS. The goal of XRI was a standard syntax and discovery format for abstract, structured identifiers that are domain-, location-, application-, and transport-independent, so they can be shared across any number of domains, directories, and interaction protocols.

References

  1. D.B.Terry, M. Painter, D.W.Riggle, S.Zhou, the University of California Berkeley, The Berkeley Internet Name Domain Server, Report No. UCB/CSD 84/182 (1984)
  2. "What is Forward DNS (Or Forward DNS Lookup)? - Definition from Techopedia".
  3. "Understanding Forward and Reverse Lookup Zones in DNS". 10 February 2019.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.