3 February 2017

DNS fortune cookies

Abbreviated answers to frequently asked questions about the Domain Name System.
  • Third parties are unlikely to keep any caching name servers open for the public indefinitely.
  • SMTP does not allow a CNAME alias in a mail address.
  • If there is no MX record for a domain, but an A record exists, mail will be sent according to the latter.
  • If your provider’s caching name servers have problems, you can often circumvent them by running your own server.
  • Private IP addresses should never show up in the public DNS.
  • Computers running Microsoft Windows may use Windows name resolution protocols.
  • If you ask for help regarding your DNS setup, do not obscure its details.
  • BIND will run on Windows, usually quite easily.
  • example.com and www.example.com are different domains.
  • The hostmaster email address for a domain can be found in the SOA record.
  • Domain names are case-insensitive.
  • hosts files precede the DNS, both historically and in the context of individual name resolution attempts.
  • Consumer-grade IP connections are usually configured using DHCP.
  • Malware might mess with your resolver settings and your hosts file.
  • When registering a domain, always make sure you become the administrative contact and the registrant.
  • By default, modern versions of BIND send their queries from ephemeral ports. This can be tuned using the query-source option.
  • If your firewall logs record incoming 53/udp packets from your provider, those are likely responses to your own DNS queries.
  • If your reverse DNS does not work, you may experience problems using some network services.
  • The AA flag indicates an authoritative response. If the flag is not set, the response is likely to be cached.
  • Sub-domains are delegated using NS records but may also need glue A records.
  • When updating zones, remember to increment the serial number and to reload.
  • When troubleshooting connection problems, check name resolution separately from IP connectivity.
  • In order to host your own domains, you should have at least two name servers in separate locations.
  • Mail or web traffic will never go through using NS delegation alone.
  • Contact information for domains and networks can be found by using Whois.
  • Relying on ‘dynamic DNS’ for incoming mail is reckless.
  • If in doubt, use your provider’s name servers to host your domains.
  • If you want to change your reverse DNS name, contact your network service provider.
  • The BIND version number might be found in the version.bind. CH TXT record.
  • The DNS cannot redirect HTTP requests to a URI path.
  • A slave checks the serial number of its master whenever either the refresh timer fires or the slave receives a notify message.
  • You can use the * wildcard character on the left hand side of a record.
  • @ stands for the current origin.
  • You cannot have both CNAME and other data for the same name.
  • It is often a good idea to separate one’s caching servers from one’s authoritative servers.
  • ‘No default TTL set using SOA minimum instead’ means that you need to put e.g. ‘$TTL 1D’ at the top of the zone file.
  • ‘mail loops back to me (MX problem?)’ means that the mail server does not recognise the domain as local.
  • The default origin concept allows you to serve identically configured domains from one zone file.
  • When you do not want search list entries to be appended, add a trailing dot to the domain name.
  • Master servers should be placed so that zone updates are convenient to perform. Slaves should be placed near their users.
  • BIND will choke on Microsoft WINS or WINS-R records. These should therefore not be included in zone transfers.
  • When nslookup complains ‘Can’t find server name for address’, reverse DNS for your name server is probably broken.
  • There is nothing magic about names such as mail or www.
  • Set new authoritative name servers up as slaves. Promote them to masters later, if necessary.
  • Use high SOA timer values whenever possible.
  • Use low TTL values when you anticipate changes.
  • When you re-delegate a domain, make sure that the old delegatee removes your zones.
  • The DNS is defined in publicly available RFC documents.
  • If you make your WINS servers show dynamic leases in the DNS, do not have static records for those same entries.
  • Every DNS server should be authoritative for 0.in-addr.arpa, 0.0.127.in-addr.arpa, 255.in-addr.arpa and localhost.
  • You should have exactly one PTR record per IP address.
  • Junk mail has killed the usefulness of remote backup MX servers.
  • Do not make your servers masters for domains or networks that are not entirely yours.
  • BIND views will allow you to return different (such as internal vs. public) data for the same zone, depending on the client’s address.
  • Reverse DNS for IP addresses in one network might point to names in multiple domains. A records for names in one domain might point to IP addresses in multiple networks.
  • Consider giving organisational units their own sub-domains to administer, at least for internal use.
  • Thou shalt not chain CNAMEs.
  • Reverse pointers have no bearing on whether a name is fully qualified.
  • Whois is a simple, text-based protocol that can easily be used with a telnet client or with netcat.
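Several of the cookies above are rules a zone file can be checked against mechanically: no private addresses in public A records, no CNAME alongside other data at the same name, no CNAME chains, exactly one PTR per address, and a $TTL directive at the top. The checker below is an added example, not code from the original page; it parses a deliberately small subset of zone-file syntax (one record per line, `name IN TYPE rdata`, `;` comments, `$` directives) and the sample zones are constructed for the demonstration, with example.com and 192.0.2.0/24 used as documentation names and addresses.

```python
import ipaddress
from collections import defaultdict

# Constructed forward zone (not a real domain); it breaks several of the
# rules on purpose: no $TTL line, a CNAME with other data at the same name,
# a chained CNAME, and an RFC 1918 address in a public A record.
SAMPLE_FORWARD_ZONE = """\
; $TTL is deliberately missing
@       IN SOA   ns1.example.com. hostmaster.example.com. 2017020301 1D 1H 1W 1H
@       IN NS    ns1.example.com.
@       IN NS    ns2.example.com.
ns1     IN A     192.0.2.1
ns2     IN A     192.0.2.2
www     IN A     192.168.1.10
mail    IN CNAME www
mail    IN MX    10 mail.example.com.
alias   IN CNAME mail
"""

# Constructed reverse zone with two PTR records for one address.
SAMPLE_REVERSE_ZONE = """\
$TTL 1D
@       IN SOA   ns1.example.com. hostmaster.example.com. 2017020301 1D 1H 1W 1H
@       IN NS    ns1.example.com.
1       IN PTR   ns1.example.com.
10      IN PTR   www.example.com.
10      IN PTR   mail.example.com.
"""

# The private ranges the cookie refers to (RFC 1918). Checked explicitly
# rather than via ipaddress.is_private, which also matches documentation
# and other special-purpose ranges.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_zone(text):
    """Return (has_ttl_directive, [(owner, type, rdata), ...]) for the toy syntax."""
    has_ttl = False
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("$"):
            if line.upper().startswith("$TTL"):
                has_ttl = True
            continue                          # other directives are ignored here
        tokens = line.split()
        cls = tokens.index("IN")
        records.append((tokens[0], tokens[cls + 1], " ".join(tokens[cls + 2:])))
    return has_ttl, records


def check_zone(text):
    """Return a list of human-readable findings; an empty list means clean."""
    has_ttl, records = parse_zone(text)
    findings = []
    if not has_ttl:
        findings.append("missing $TTL directive; BIND will fall back to the SOA minimum")

    by_owner = defaultdict(list)
    for owner, rtype, rdata in records:
        by_owner[owner].append((rtype, rdata))
    cname_targets = {o: r for o, t, r in records if t == "CNAME"}

    for owner, rrs in by_owner.items():
        types = [t for t, _ in rrs]
        if "CNAME" in types and len(rrs) > 1:
            others = ", ".join(sorted(set(types) - {"CNAME"}))
            findings.append(f"{owner}: CNAME coexists with other data ({others})")
        if types.count("PTR") > 1:
            findings.append(f"{owner}: {types.count('PTR')} PTR records, expected exactly one")

    for owner, target in cname_targets.items():
        if target in cname_targets:               # alias pointing at another alias
            findings.append(f"{owner}: CNAME chain via {target}")

    for owner, rtype, rdata in records:
        if rtype == "A":
            addr = ipaddress.ip_address(rdata)
            if any(addr in net for net in RFC1918):
                findings.append(f"{owner}: A record {rdata} is a private (RFC 1918) address")
    return findings


if __name__ == "__main__":
    for label, zone in (("forward", SAMPLE_FORWARD_ZONE), ("reverse", SAMPLE_REVERSE_ZONE)):
        print(f"== {label} zone ==")
        for finding in check_zone(zone) or ["no findings"]:
            print("  " + finding)
```

Run against the forward sample it reports the missing $TTL, the CNAME-plus-MX at `mail`, the `alias` → `mail` → `www` chain and the 192.168.1.10 address; against the reverse sample it reports the duplicate PTR for `10`. Real zone files also carry TTL fields, multi-line records in parentheses and $ORIGIN changes, which this parser does not attempt.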
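The cookie about the AA flag is easiest to see on the wire: the flag lives in the second 16-bit word of the DNS header, and a response from a recursive resolver's cache has it clear. The parser below is an added example, not code from the original page or from BIND; it builds two constructed responses for www.example.com (one authoritative, one as a caching server would return it), decodes the header flags and the answer section including the usual name-compression pointer, and reports which kind of answer it is. The transaction ID, TTLs and 192.0.2.1 are made-up documentation values.

```python
import struct

QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080


def build_response(authoritative, recursion_available, ttl):
    """Construct a minimal DNS response: one question, one A answer (not a real capture)."""
    flags = QR | RD
    if authoritative:
        flags |= AA
    if recursion_available:
        flags |= RA
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    qname = b"\x03www\x07example\x03com\x00"
    question = qname + struct.pack("!HH", 1, 1)            # type A, class IN
    # Answer owner name is a compression pointer to offset 12 (the question name).
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


def read_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels = []
    end = None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                           # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                            # the pointer ends the name
            offset = pointer
            continue
        if length == 0:
            if end is None:
                end = offset + 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def parse_response(data):
    """Return header flags and decoded answers of a DNS response."""
    ident, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    info = {
        "id": ident,
        "qr": bool(flags & QR), "aa": bool(flags & AA), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA), "rcode": flags & 0x000F,
        "answers": [],
    }
    offset = 12
    for _ in range(qdcount):                                # skip the question section
        _, offset = read_name(data, offset)
        offset += 4                                         # qtype + qclass
    for _ in range(ancount):
        name, offset = read_name(data, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:                       # render A rdata as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        info["answers"].append((name, rtype, ttl, rdata))
    return info


def classify(data):
    """Apply the cookie: AA set means authoritative, otherwise likely from a cache."""
    return "authoritative" if parse_response(data)["aa"] else "non-authoritative (likely cached)"


if __name__ == "__main__":
    for label, msg in (("from authoritative server", build_response(True, False, 3600)),
                       ("from caching resolver", build_response(False, True, 295))):
        info = parse_response(msg)
        print(f"{label}: aa={info['aa']} ra={info['ra']} -> {classify(msg)}; answers={info['answers']}")
```

On a real caching server the TTL in the answer also counts down from the authoritative value with each cached response, which is another tell that the data did not come straight from the zone.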