20+ DNS Record Types and What They’re For
March 8, 2023 | By David Selden-Treiman | Filed in: DNS, hosting
Introduction
DNS records are a vital component of the internet’s infrastructure, allowing domain names to be translated into IP addresses and other information necessary for communication. In this article, we’ll describe each type of DNS record, how they are used, and provide an example of each one.
Common DNS Record Types
A Record
The A Record is the most common type of DNS record and maps a domain name to an IPv4 address. It is used to resolve a domain name into an IP address, allowing web browsers and other applications to communicate with servers on the internet. An example of an A Record would be:
example.com. IN A 192.168.1.1
This record maps the domain name “example.com” to the IPv4 address “192.168.1.1”.
AAAA Record
The AAAA Record is similar to the A Record but maps a domain name to an IPv6 address instead of an IPv4 address. This record is used to resolve domain names into IPv6 addresses, which are becoming increasingly important as the world transitions to IPv6. An example of an AAAA Record would be:
example.com. IN AAAA 2001:0db8:85a3:0000:0000:8a2e:0370:7334
This record maps the domain name “example.com” to the IPv6 address “2001:0db8:85a3:0000:0000:8a2e:0370:7334”.
CNAME Record
The CNAME Record creates an alias for a domain name: the alias resolves to whatever the target name resolves to, which lets one server (and one IP address) host multiple websites under different names. It is used when you want to point one domain name at another domain name. An example of a CNAME Record would be:
www.example.com. IN CNAME example.com.
This record creates an alias for the domain name “www.example.com” and points it to the domain name “example.com”.
MX Record
The MX Record specifies the mail server responsible for accepting email messages on behalf of a domain name. It is used to direct email traffic to the appropriate mail server. An example of an MX Record would be:
example.com. IN MX 10 mail.example.com.
This record specifies that email for the domain name “example.com” should be directed to the mail server “mail.example.com” with a priority of 10.
NS Record
The NS Record specifies the authoritative name servers for a domain name. It is used to specify which servers are responsible for resolving a particular domain name. An example of an NS Record would be:
example.com. IN NS ns1.example.com.
This record specifies that the name server responsible for resolving the domain name “example.com” is “ns1.example.com”.
PTR Record
The PTR Record maps an IP address to a domain name, which is known as reverse DNS. It is used by receiving mail servers to verify the identity of the server that is sending email messages, by looking up the name registered for the sender’s IP address. An example of a PTR Record would be:
1.1.168.192.in-addr.arpa. IN PTR mail.example.com.
This record maps the IPv4 address “192.168.1.1” to the domain name “mail.example.com”.
SOA Record
The SOA Record specifies the start of authority for a domain name, including the primary name server, contact email address, and other information. It is used to indicate the primary source of information for a particular domain name. An example of an SOA record would be:
example.com. IN SOA ns1.example.com. admin.example.com. (
2021030801 ; serial number
7200 ; refresh interval
3600 ; retry interval
1209600 ; expire time
86400 ; minimum TTL
)
This record specifies that the name server responsible for resolving the domain name “example.com” is “ns1.example.com”. The contact email address for the domain name administrator is “admin@example.com”. The numbers that follow indicate the serial number, refresh interval, retry interval, expire time, and minimum TTL for the domain.
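Two things practitioners regularly get wrong with SOA records are the e-mail encoding of the RNAME field and serial comparison, which uses wrap-around arithmetic (RFC 1982) rather than plain integer ordering. The following is an added example, not code from the article: it parses a constructed copy of the SOA record above, decodes the contact address, implements RFC 1982 serial comparison, and shows how a secondary interprets the refresh and expire timers.

```python
# Constructed copy of the SOA record shown above (example data, not live zone data).
SOA_TEXT = """\
example.com. IN SOA ns1.example.com. admin.example.com. (
2021030801 ; serial number
7200 ; refresh interval
3600 ; retry interval
1209600 ; expire time
86400 ; minimum TTL
)
"""

SERIAL_MODULUS = 1 << 32   # SOA serials are unsigned 32-bit and wrap around

def parse_soa(text):
    """Flatten a parenthesised SOA record, drop ';' comments, and name its fields."""
    body = " ".join(line.split(";", 1)[0] for line in text.splitlines())
    owner, _, _, mname, rname, *nums = body.replace("(", " ").replace(")", " ").split()
    serial, refresh, retry, expire, minimum = (int(n) for n in nums)
    # RNAME encodes an e-mail address: the first label is the local part.
    local, _, domain = rname.rstrip(".").partition(".")
    return {"owner": owner, "primary": mname, "contact": f"{local}@{domain}",
            "serial": serial, "refresh": refresh, "retry": retry,
            "expire": expire, "minimum": minimum}

def serial_newer(candidate, current):
    """RFC 1982 serial-number arithmetic: is candidate 'after' current?
    Plain integer comparison breaks when the serial wraps past 2^32 - 1."""
    half = SERIAL_MODULUS // 2
    candidate %= SERIAL_MODULUS
    current %= SERIAL_MODULUS
    return (current < candidate < current + half) or \
           (candidate < current and current - candidate > half)

def secondary_state(soa, seconds_since_last_successful_refresh):
    """What a secondary should do given the SOA timers: keep serving, refresh now,
    or stop answering because the zone has expired."""
    age = seconds_since_last_successful_refresh
    if age >= soa["expire"]:
        return "expired"
    if age >= soa["refresh"]:
        return "refresh"
    return "serve"

if __name__ == "__main__":
    soa = parse_soa(SOA_TEXT)
    print(soa["contact"], soa["serial"], serial_newer(0, 4294967295))
```

A zone whose serial reaches the 32-bit limit can still be advanced: 0 counts as newer than 4294967295 under RFC 1982, which is why secondaries must never compare serials with a plain `>`.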
SRV Record
The SRV Record specifies the location of a service or application, such as a SIP server or LDAP server. It is used to direct traffic to the appropriate server for a specific service. An example of an SRV Record would be:
_sip._tcp.example.com. IN SRV 10 60 5060 sipserver.example.com.
This record specifies that the SIP server for the domain name “example.com” can be found at “sipserver.example.com” on port 5060.
TXT Record
The TXT Record allows arbitrary text to be associated with a domain name, often used for SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) email authentication. It is used to add additional information to a domain name, such as ownership or security information. An example of a TXT Record would be:
example.com. IN TXT "v=spf1 mx ~all"
This record indicates that the domain name “example.com” publishes an SPF policy: the “mx” mechanism permits the hosts listed in the domain’s MX records to send mail for it. The “~all” (softfail) indicates that emails from other servers should be treated as suspicious but not rejected outright.
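To tie the common record types together, here is an added example (not code from the article) that loads a constructed zone made of the record lines shown above, resolves names through CNAMEs, derives the reverse-DNS owner name for an address, performs a forward-confirmed reverse DNS check (PTR target must resolve back to the address), and evaluates the `v=spf1 mx ~all` policy for a sending IP. The A record for `mail.example.com` is an assumption added so that the `mx` mechanism has an address to compare against; the SPF evaluator covers only the `ip4`, `ip6`, `a`, `mx` and `all` mechanisms.

```python
import ipaddress

# Constructed zone data: the record lines shown in the article above, plus an
# A record for mail.example.com (assumed here, not given in the article) so
# that the SPF "mx" mechanism has an address to compare against.
ZONE_TEXT = """\
example.com. IN A 192.168.1.1
example.com. IN AAAA 2001:0db8:85a3:0000:0000:8a2e:0370:7334
www.example.com. IN CNAME example.com.
example.com. IN MX 10 mail.example.com.
mail.example.com. IN A 192.168.1.1
example.com. IN NS ns1.example.com.
1.1.168.192.in-addr.arpa. IN PTR mail.example.com.
_sip._tcp.example.com. IN SRV 10 60 5060 sipserver.example.com.
example.com. IN TXT "v=spf1 mx ~all"
"""

def parse_zone(text):
    """Parse 'owner IN TYPE rdata' lines into {(owner, type): [rdata, ...]}."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[1] == "IN":
            owner, _, rtype, rdata = parts
            table.setdefault((owner.lower(), rtype.upper()), []).append(rdata)
    return table

def lookup(table, name, rtype, depth=0):
    """Return rdata strings for (name, rtype), following up to 8 CNAME hops."""
    name = name.lower()
    if (name, rtype) in table:
        return table[(name, rtype)]
    alias = table.get((name, "CNAME"))
    if alias and depth < 8:          # bounded so an alias loop cannot recurse forever
        return lookup(table, alias[0], rtype, depth + 1)
    return []

def addresses(table, name):
    """All A and AAAA addresses for a name, as ipaddress objects."""
    return {ipaddress.ip_address(r) for t in ("A", "AAAA") for r in lookup(table, name, t)}

def reverse_name(ip):
    """Owner name of the PTR record for an address (in-addr.arpa / ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def forward_confirmed(table, ip):
    """Forward-confirmed reverse DNS: the PTR target must resolve back to ip.
    Returns the confirmed hostname, or None if the PTR is missing or does not match."""
    addr = ipaddress.ip_address(ip)
    for host in lookup(table, reverse_name(ip), "PTR"):
        if addr in addresses(table, host):
            return host
    return None

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(table, domain, sender_ip):
    """Evaluate the domain's SPF record for sender_ip. Supports the ip4/ip6/a/mx/all
    mechanisms; anything else (include, exists, redirect) yields permerror."""
    ip = ipaddress.ip_address(sender_ip)
    spf = [t.strip('"') for t in lookup(table, domain, "TXT")
           if t.strip('"').lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return "none" if not spf else "permerror"   # RFC 7208: exactly one SPF record
    for term in spf[0].split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.lower().partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in addresses(table, arg or domain)
        elif name == "mx":
            hosts = [r.split()[1] for r in lookup(table, arg or domain, "MX")]
            matched = any(ip in addresses(table, h) for h in hosts)
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"   # no mechanism matched and no 'all' term present

ZONE = parse_zone(ZONE_TEXT)

if __name__ == "__main__":
    print(forward_confirmed(ZONE, "192.168.1.1"))
    print(spf_check(ZONE, "example.com.", "192.168.1.1"), spf_check(ZONE, "example.com.", "203.0.113.9"))
```

With this data, mail from 192.168.1.1 passes SPF because the MX host resolves to that address, while mail from any other address gets a softfail from `~all`; the same table also shows why a PTR record without a matching forward A record fails forward-confirmed reverse DNS.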
DNSSEC & IPSEC Records
DNSKEY Record
The DNSKEY record is a DNSSEC record that contains a cryptographic public key that can be used to validate the signatures in other DNSSEC records. DNSKEY records are used to establish a chain of trust in DNSSEC. The public key stored in the DNSKEY record can be used to verify the digital signature in an RRSIG record for a particular DNS record set.
An example of a DNSKEY Record would be:
example.com. IN DNSKEY 257 3 8 AwEAAbN6Gc... [public key data]
This record specifies the DNSKEY for the domain name “example.com”. The “257” parameter specifies the protocol number, while the following numbers specify the algorithm and flags used for the key. The “AwEAAbN6Gc…” parameter contains the actual public key data.
DNSKEY records play a crucial role in DNSSEC by providing a means of verifying the authenticity of DNS records. By using DNSKEY records to establish a chain of trust, users can be confident that they are connecting to the correct website and that their communications are secure.
DS Record
The DS record is a DNSSEC record that is used for secure delegation of subdomains. It is created by the parent zone and contains a hash of the DNSKEY record for the child zone. This hash is used to authenticate the child zone’s DNSKEY records to the parent zone, providing a secure way to delegate a subdomain to another entity.
An example of a DS Record would be:
example.com. IN DS 12345 8 2 AbCDeFgHiJkLMNopQRStUvWXYz1234567890=
This record specifies the DS record for the domain name “example.com”. The “12345” parameter specifies the key tag, while the following numbers specify the algorithm and digest type. The “AbCDeFgHiJkLMNopQRStUvWXYz1234567890=” parameter contains the hash value of the DNSKEY record.
DS records play a crucial role in DNSSEC by providing a secure way to delegate subdomains to other entities. By using DS records to authenticate DNSKEY records, the parent zone can ensure that the child zone is legitimate and that its DNS records can be trusted.
RRSIG Record
The RRSIG record is a DNSSEC record that provides a digital signature over a specific DNS record set. It is used to sign DNS records using a digital signature, providing an additional layer of security to the DNS infrastructure. The RRSIG record contains the signature and the public key used to verify the signature.
An example of an RRSIG Record would be:
example.com. IN RRSIG A 8 2 3600 20220310123000 20220209123000 12345 example.com. AbCDeFgHiJkLMNopQRStUvWXYz1234567890=
This record specifies the RRSIG record for the domain name “example.com”. The “A” parameter specifies the record type covered by the signature, while the following numbers specify the algorithm, labels, TTL, and signature expiration and inception dates. The “12345” parameter contains the key tag of the DNSKEY record used to sign the record set, while the “AbCDeFgHiJkLMNopQRStUvWXYz1234567890=” parameter contains the actual signature.
RRSIG records play a crucial role in DNSSEC by providing a way to authenticate DNS records using digital signatures. By using RRSIG records to sign DNS records, users can be confident that the DNS records they are using are authentic and have not been tampered with.
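The DNSKEY, DS and RRSIG records above are linked by the key tag and by the DS digest. The following added example (not code from the article) shows how a parent derives a DS record from a child's DNSKEY and how a validator checks that a DS authenticates a DNSKEY, following the RFC 4034 wire layout (flags, protocol, algorithm, key) and the RFC 4034 Appendix B key-tag algorithm. The two-byte key `AQI=` is a constructed stand-in for a real public key.

```python
import base64
import hashlib
import struct

# Constructed DNSKEY for illustration: the 2-byte key "AQI=" stands in for a
# real public key, which is hundreds of bytes long.  RDATA layout per RFC 4034:
# flags (257 = zone key + secure entry point, i.e. a KSK), protocol (always 3),
# algorithm (8 = RSA/SHA-256), then the base64 public key.
EXAMPLE_DNSKEY = "example.com. IN DNSKEY 257 3 8 AQI="

def wire_name(name):
    """Dotted name -> DNS wire format: length-prefixed lowercase labels, root = 0x00."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(line):
    """Split 'owner IN DNSKEY flags proto alg key...' (the key may span several tokens)."""
    parts = line.split()
    return parts[0], int(parts[3]), int(parts[4]), int(parts[5]), "".join(parts[6:])

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) raw key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag: the 16-bit value DS and RRSIG use to name a key."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """DS digest = H(owner name in wire format || DNSKEY RDATA); type 2 = SHA-256."""
    algo = {1: "sha1", 2: "sha256", 4: "sha384"}[digest_type]
    return hashlib.new(algo, wire_name(owner) + rdata).hexdigest().upper()

def ds_record_for(dnskey_line, digest_type=2):
    """The DS RR a parent zone publishes for this child DNSKEY."""
    owner, flags, proto, alg, key = parse_dnskey(dnskey_line)
    rdata = dnskey_rdata(flags, proto, alg, key)
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {ds_digest(owner, rdata, digest_type)}"

def ds_matches_dnskey(ds_line, dnskey_line):
    """Validator-side check: does this DS authenticate this DNSKEY?  Any change to
    the key bytes, flags or algorithm changes the digest (and usually the key tag)."""
    tag, alg, dtype, digest = ds_line.split()[3:7]
    owner, flags, proto, kalg, key = parse_dnskey(dnskey_line)
    rdata = dnskey_rdata(flags, proto, kalg, key)
    return (int(tag) == key_tag(rdata) and int(alg) == kalg
            and digest.upper() == ds_digest(owner, rdata, int(dtype)))

if __name__ == "__main__":
    ds = ds_record_for(EXAMPLE_DNSKEY)
    print(ds)
    print(ds_matches_dnskey(ds, EXAMPLE_DNSKEY))
```

The key tag is only a checksum, not a unique identifier: two keys can share a tag, so a validator tries every DNSKEY with a matching tag and relies on the digest (for DS) or the signature (for RRSIG) for the actual decision.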
NSEC Record
The NSEC record is a DNSSEC record that provides a proof of non-existence of a specific DNS record. It is used to prevent DNS cache poisoning attacks and to provide better error messages to DNS clients. The NSEC record contains a list of all the record types in a zone, as well as the name of the next domain in the zone.
An example of an NSEC Record would be:
example.com. IN NSEC www.example.com. A NS SOA MX RRSIG NSEC DNSKEY
This record specifies the NSEC record for the domain name “example.com”. The record indicates that the next domain in the zone is “www.example.com.” and that the record types in the zone are “A”, “NS”, “SOA”, “MX”, “RRSIG”, “NSEC”, and “DNSKEY”.
NSEC records play a crucial role in DNSSEC by providing a way to authenticate DNS records and to prevent DNS cache poisoning attacks. By using NSEC records, users can be confident that the DNS records they are using are authentic and have not been tampered with. NSEC records also provide better error messages to DNS clients by indicating that a particular DNS record does not exist.
NSEC3 Record
The NSEC3 record is a DNSSEC record that provides a more secure way of proving the non-existence of a particular domain name in a zone. NSEC3 records are created by hashing the domain names in a zone using a one-way cryptographic function. The hashed domain names are then sorted in canonical order and stored in the NSEC3 record along with a bit map of the record types present in the zone. The record types included in the bit map are those that immediately follow the hashed domain name.
An example of an NSEC3 Record would be:
example.com. IN NSEC3 1 0 10 abcd... QWERTY... (
1234567890
A NS SOA MX
RRSIG NSEC3PARAM
)
This record specifies the NSEC3 record for the domain name “example.com”. The “1” parameter specifies the hash algorithm used, while the “0” parameter specifies the flags. The “10” parameter specifies the number of iterations used for the hash, while the “abcd…” parameter specifies the salt used for the hash. The hash of the domain name “example.com” with the specified algorithm, iterations, and salt is “QWERTY…”. The bit map shows the record types present in the zone immediately after the hashed domain name “QWERTY…”.
NSEC3 records play a crucial role in DNSSEC by providing a more secure way of proving the non-existence of domain names in a zone. They prevent attackers from using zone enumeration attacks to discover the domain names in a zone by hashing the domain names and storing them in the NSEC3 record. This helps to protect the integrity of the DNS infrastructure and ensure that users are directed to the correct websites.
NSEC3PARAM Record
The NSEC3PARAM record is a DNSSEC record that is used to provide parameters for the NSEC3 record. It contains the parameters used for hashing domain names in a zone, including the hash algorithm, number of iterations, and salt value. The NSEC3PARAM record is used by DNS servers to generate NSEC3 records and validate them.
An example of an NSEC3PARAM Record would be:
example.com. IN NSEC3PARAM 1 0 10 abcd...
This record specifies the NSEC3PARAM record for the domain name “example.com”. The “1” parameter specifies the hash algorithm used, while the “0” parameter specifies the flags. The “10” parameter specifies the number of iterations used for the hash, while the “abcd…” parameter specifies the salt used for the hash.
NSEC3PARAM records play a crucial role in DNSSEC by providing the necessary parameters for generating NSEC3 records. They help to ensure that NSEC3 records are generated and validated correctly, thereby preventing DNS cache poisoning attacks and other DNS-related security threats.
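The NSEC and NSEC3 sections above both describe proving that a name does not exist. As an added example (not code from the article), the block below implements the two pieces a validator needs: the RFC 4034 canonical name ordering used to check that a queried name falls between an NSEC owner and its “next” name (including the wrap-around at the end of the zone), and the RFC 5155 NSEC3 hash (SHA-1 with salt and iterations, base32hex output) applied to the NSEC3PARAM parameters. The hash is checked against the published test vector from RFC 5155 Appendix A (zone `example.`, salt `aabbccdd`, 12 iterations).

```python
import base64
import hashlib

# base32 -> base32hex (RFC 4648 "Extended Hex" alphabet) used for NSEC3 owner names
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Dotted name -> DNS wire format: length-prefixed lowercase labels, root = 0x00."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def canonical_key(name):
    """Sort key for RFC 4034 canonical order: labels compared from the root,
    case-insensitively, with a parent sorting before its children."""
    return tuple(reversed([l.lower() for l in name.rstrip(".").split(".") if l]))

def nsec_covers(owner, next_name, qname):
    """True if the NSEC RR owner -> next_name proves qname does not exist, i.e.
    qname sorts strictly between them.  The last NSEC in a zone points back to
    the apex, so next_name < owner means the range wraps around."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:
        return o < q < n
    return q > o or q < n

def nsec3_hash(name, salt_hex, iterations, algorithm=1):
    """RFC 5155 hash: SHA-1(name || salt), re-hashed with the salt 'iterations'
    more times, rendered as 32 base32hex characters.  Salt '-' means no salt."""
    if algorithm != 1:
        raise ValueError("only SHA-1 (algorithm 1) is defined for NSEC3")
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(B32HEX)

def nsec3_covers(owner_hash, next_hash, qname, salt_hex, iterations):
    """Does the NSEC3 RR (owner hash -> next hash) cover the hash of qname?
    A match on the owner hash itself would mean the name exists, not that it is absent."""
    h = nsec3_hash(qname, salt_hex, iterations)
    o, n = owner_hash.upper(), next_hash.upper()
    if o < n:
        return o < h < n
    return h > o or h < n

if __name__ == "__main__":
    print(nsec3_hash("example.", "aabbccdd", 12))
    print(nsec_covers("example.com.", "www.example.com.", "mail.example.com."))
```

Iterations and salt do not add secrecy, since the zone's hashed names are public; higher iteration counts mainly raise the cost for validators, which is why current guidance favours zero or very low iteration counts.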
TLSA Record
The TLSA record is a DNS record used to specify the Transport Layer Security (TLS) certificate association with a specific domain name. It is used to validate that the TLS certificate presented by a server during a TLS handshake matches the expected certificate. The TLSA record contains a hash of the certificate or the public key, along with parameters specifying the hash algorithm and the TLS usage.
An example of a TLSA Record would be:
_example._tcp.example.com. IN TLSA 3 1 1 AbCDeFgHiJkLMNopQRStUvWXYz1234567890=
This record specifies the TLSA record for the domain name “_example._tcp.example.com”. The “3” parameter specifies the usage, while the “1 1” parameters specify the selector and matching type. The “AbCDeFgHiJkLMNopQRStUvWXYz1234567890=” parameter contains the actual hash value.
TLSA records play a crucial role in ensuring the security of TLS connections. By using TLSA records, clients can verify that the TLS certificate presented by a server during a TLS handshake matches the expected certificate. This helps to prevent man-in-the-middle attacks and other security threats. Without TLSA records, the TLS infrastructure would be vulnerable to attacks such as TLS certificate impersonation and man-in-the-middle attacks.
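The TLSA usage, selector and matching-type fields decide what a client compares and how. The following added example (not code from the article) builds the association data for a certificate the way RFC 6698 defines it and checks a TLSA RRset against a presented certificate; the DER certificate and SubjectPublicKeyInfo bytes are constructed stand-ins, and only the end-entity usages (1 and 3) are evaluated, with PKIX validation for usage 1 assumed to be done separately by the caller.

```python
import hashlib

# Constructed stand-ins for the DER-encoded certificate and its
# SubjectPublicKeyInfo (real ones come from the server's certificate).
CERT_DER = bytes.fromhex("3003020105")
SPKI_DER = bytes.fromhex("300302010a")

def tlsa_owner(host, port, proto="tcp"):
    """Name a client queries for a service: _<port>._<proto>.<host>."""
    return f"_{port}._{proto}.{host.rstrip('.')}."

def tlsa_association(selector, matching_type, cert_der, spki_der):
    """Certificate Association Data (RFC 6698).  Selector: 0 = whole certificate,
    1 = SubjectPublicKeyInfo.  Matching type: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512."""
    data = {0: cert_der, 1: spki_der}[selector]
    if matching_type == 0:
        return data.hex()
    return hashlib.new({1: "sha256", 2: "sha512"}[matching_type], data).hexdigest()

def dane_verify(tlsa_rdata_list, cert_der, spki_der):
    """Check a TLSA RRset ('usage selector mtype assoc' strings) against the
    certificate a server presented.  Usage 3 (DANE-EE): a match is sufficient.
    Usage 1 (PKIX-EE): a match is required on top of normal PKIX validation,
    which the caller is assumed to perform.  Usages 0 and 2 name a CA or trust
    anchor and need chain inspection, so they are treated as unusable here.
    Returns 'pass', 'fail', or 'unusable' (no usable record: fall back to PKIX)."""
    usable = False
    for rdata in tlsa_rdata_list:
        usage, selector, mtype, assoc = rdata.split(None, 3)
        usage, selector, mtype = int(usage), int(selector), int(mtype)
        if usage not in (1, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
            continue
        usable = True
        expected = tlsa_association(selector, mtype, cert_der, spki_der)
        if assoc.replace(" ", "").lower() == expected:
            return "pass"
    return "fail" if usable else "unusable"

if __name__ == "__main__":
    record = "3 1 1 " + tlsa_association(1, 1, CERT_DER, SPKI_DER)
    print(tlsa_owner("www.example.com", 443), record)
    print(dane_verify([record], CERT_DER, SPKI_DER))
```

Pinning the SPKI (selector 1) rather than the whole certificate (selector 0) lets the operator renew the certificate without republishing the TLSA record as long as the key is kept; either way the TLSA RRset itself must be DNSSEC-signed, or an attacker who can spoof DNS could simply replace it.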
CDS Record
The CDS (Child DS) record is a DNS record used for securely delegating a subdomain to another entity. It is similar to the DS record, but is used for delegating a subdomain to a different entity than the parent zone. The CDS record contains a hash of the DNSKEY record for the child zone, along with parameters specifying the hash algorithm and the CDS usage.
An example of a CDS Record would be:
example.net. IN CDS 12345 8 2 AbCDeFgHiJkLMNopQRStUvWXYz1234567890=
This record specifies the CDS record for the subdomain “example.net”. The “12345” parameter specifies the key tag, while the following numbers specify the algorithm and digest type. The “AbCDeFgHiJkLMNopQRStUvWXYz1234567890=” parameter contains the hash value of the DNSKEY record.
CDS records play a crucial role in securely delegating subdomains to other entities. By using CDS records, the parent zone can ensure that the child zone is legitimate and that its DNS records can be trusted.
CDNSKEY Record
The CDNSKEY (Child DNSKEY) record is a DNS record used for securely delegating a subdomain to another entity. It is similar to the DNSKEY record, but is used for delegating a subdomain to a different entity than the parent zone. The CDNSKEY record contains a cryptographic public key that can be used to validate the signatures in other DNSSEC records for the child zone.
An example of a CDNSKEY Record would be:
example.net. IN CDNSKEY 257 3 8 AwEAAbN6Gc... [public key data]
This record specifies the CDNSKEY record for the subdomain “example.net”. The “257” parameter specifies the protocol number, while the following numbers specify the algorithm and flags used for the key. The “AwEAAbN6Gc…” parameter contains the actual public key data.
CDNSKEY records play a crucial role in securely delegating subdomains to other entities. By using CDNSKEY records, the parent zone can ensure that the child zone is legitimate and that its DNS records can be trusted.
CSYNC Record
The CSYNC (Child-to-Parent Synchronization) record is a DNS record used for synchronizing DNS data between a parent and child zone. It is used in combination with other DNSSEC records such as DS and DNSKEY to provide a secure mechanism for delegating a subdomain to another entity.
An example of a CSYNC Record would be:
example.net. IN CSYNC 60
This record specifies the CSYNC record for the subdomain “example.net”. The “60” parameter specifies the interval at which the parent zone should check for updates from the child zone.
CSYNC records play a crucial role in securely delegating subdomains to other entities. By using CSYNC records, the parent zone can ensure that the DNS data for the child zone is up-to-date and that its DNS records can be trusted.
DLV Record
The DLV (DNSSEC Lookaside Validation) record is a DNS record used for providing DNSSEC validation for zones that are not yet signed by the parent zone. It allows zones that are not part of the official DNS hierarchy to be validated using DNSSEC. The DLV record contains a hash of the DNSKEY record for the child zone, along with parameters specifying the hash algorithm and the DLV usage.
An example of a DLV Record would be:
example.net. IN DLV dlv.isc.org. 257 3 8 AbCDeFgHiJkLMNopQRStUvWXYz1234567890=
This record specifies the DLV record for the domain name “example.net”. The “dlv.isc.org.” parameter specifies the DLV registry, while the following numbers specify the algorithm and digest type. The “AbCDeFgHiJkLMNopQRStUvWXYz1234567890=” parameter contains the hash value of the DNSKEY record.
DLV records play a crucial role in providing DNSSEC validation for zones that are not yet signed by the parent zone. By using DLV records, the parent zone can ensure that the DNS data for the child zone is authenticated and that its DNS records can be trusted.
TA Record
The TA (Trust Anchor) record is a DNS record used for providing a starting point for DNSSEC validation. It contains the public key of the DNSSEC root zone, which is used to validate the entire DNSSEC chain of trust. The TA record is used by DNSSEC validators to bootstrap the process of DNSSEC validation.
An example of a TA Record would be:
. IN TA 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
This record specifies the TA record for the root zone of the DNS hierarchy. The “19036” parameter specifies the algorithm used for the key, while the following numbers specify the flags and protocol version. The “49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5” parameter contains the actual public key data.
TA records play a crucial role in providing a starting point for DNSSEC validation. By using TA records, DNSSEC validators can validate the entire DNSSEC chain of trust, starting from the root zone.
IPSECKEY Record
The IPSECKEY record is a DNS record used for storing IPsec (Internet Protocol Security) public keys and other IPsec-related information. It is used to provide a secure mechanism for setting up IPsec tunnels between two network devices. The IPSECKEY record contains a combination of a protocol identifier, a public key, a gateway address, and other parameters.
An example of an IPSECKEY Record would be:
example.com. IN IPSECKEY 0 0 1 igw.example.com. AwEAAbN6Gc... ;Public key
This record specifies the IPSECKEY record for the domain name “example.com”. The first parameter “0” specifies the IPsec protocol, the second parameter “0” specifies the IPsec gateway type, and the third parameter “1” specifies that a public key is present. The “igw.example.com.” parameter specifies the gateway address, while the “AwEAAbN6Gc…” parameter contains the actual public key data.
IPSECKEY records play a crucial role in setting up secure IPsec tunnels between two network devices. By using IPSECKEY records, the network devices can authenticate each other and establish a secure communication channel. Without IPSECKEY records, the IPsec infrastructure would be vulnerable to attacks such as man-in-the-middle attacks and eavesdropping.
CERT Record
The CERT record is a DNS record used for storing X.509 public keys and other X.509-related information. It is used for authentication and key management in IPsec, SSL/TLS, and other security protocols. The CERT record contains a combination of a type identifier, a key tag, a domain name, and the X.509 certificate data.
An example of a CERT Record would be:
example.com. IN CERT 5 0 2 (
    AbE...
    BCD... ) ; X.509 certificate data
This record specifies the CERT record for the domain name “example.com”. The first parameter “5” specifies the certificate type, the second parameter “0” specifies the certificate key tag, and the third parameter “2” specifies the certificate format. The “AbE…” and “BCD…” parameters contain the actual X.509 certificate data.
CERT records play a crucial role in providing authentication and key management in security protocols such as IPsec and SSL/TLS. By using CERT records, network devices can authenticate each other and ensure that all data transmitted between them is encrypted and secure. Without CERT records, the security infrastructure would be vulnerable to attacks such as man-in-the-middle attacks and eavesdropping.
David Selden-Treiman is Director of Operations and a project manager at Potent Pages. He specializes in custom web crawler development, website optimization, server management, web application development, and custom programming. Working at Potent Pages since 2012 and programming since 2003, David has extensive expertise solving problems using programming for dozens of clients. He also has extensive experience managing and optimizing servers, managing dozens of servers for both Potent Pages and other clients.