
DNS Cheat Sheet

Updated 2026-05-25

The Domain Name System (DNS) translates human-readable domain names into IP addresses that computers use to communicate, serving as the internet's directory service. Operating through a globally distributed hierarchy of servers—from root servers through TLDs to authoritative nameservers—DNS enables virtually every internet interaction. Understanding DNS record types, zone management, resolution flows, security mechanisms like DNSSEC, and troubleshooting techniques is essential for network administrators, security professionals, and developers building resilient internet infrastructure. DNS performance, caching behavior, and attack surface remain critical concerns as the protocol continues evolving with privacy enhancements (DoH, DoT, DoQ), security extensions, and automated management tools.

154 entries · 17 tables

Table 1: Core DNS Record Types

Every DNS resource record follows the format name TTL class type rdata. The seven record types below handle the overwhelming majority of real-world queries — master these before exploring the specialized types in Table 2.

Type | Example | Description
A (Address)
example.com. 300 IN A 93.184.216.34
Maps a hostname to an IPv4 address — the most fundamental DNS record used for web hosting and service endpoints.
AAAA (IPv6 Address)
example.com. 300 IN AAAA 2606:2800:220:1:248:1893:25c8:1946
• Maps a hostname to an IPv6 address (128-bit)
• essential as IPv4 addresses are exhausted
CNAME (Canonical Name)
www.example.com. 300 IN CNAME example.com.
• Creates an alias pointing to another domain name
• cannot coexist with other records at the same name
• not allowed at zone apex in standard DNS.
MX (Mail Exchange)
example.com. 3600 IN MX 10 mail.example.com.
• Specifies mail servers for the domain with priority values (lower = higher priority)
• multiple MX records provide failover
TXT (Text)
example.com. 300 IN TXT "v=spf1 include:_spf.google.com ~all"
• Holds arbitrary text data
• commonly used for SPF, DKIM, DMARC, domain verification, and security policies
NS (Name Server)
example.com. 86400 IN NS ns1.example.com.
• Delegates a zone or subdomain to specific nameservers
• must exist at zone apex and for any delegated subdomains
PTR (Pointer)
34.216.184.93.in-addr.arpa. 3600 IN PTR example.com.
• Enables reverse DNS lookups (IP to hostname)
• critical for email deliverability and server authentication
• configured in special .in-addr.arpa or .ip6.arpa zones.
SOA (Start of Authority)
example.com. 3600 IN SOA ns1.example.com. admin.example.com. 2026030901 7200 3600 1209600 300
• Mandatory first record in every zone
• contains serial number, refresh/retry/expire timings, and negative caching TTL.
SRV (Service)
_sip._tcp.example.com. 3600 IN SRV 10 60 5060 sipserver.example.com.
• Specifies location of services (priority, weight, port, target)
• used by SIP, XMPP, LDAP, and other protocols requiring dynamic service discovery
CAA (Certification Authority Authorization)
example.com. 3600 IN CAA 0 issue "letsencrypt.org"
• Restricts which certificate authorities can issue SSL/TLS certificates for the domain
• prevents unauthorized certificate issuance
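The records above all share the `name TTL class type rdata` layout. As an added example (not code from the page or from CheatGrid), here is a small parser for those lines that also builds the reverse (PTR) owner name for an address and checks two of the structural rules stated in the table: a CNAME may not share its name with other records or sit at the apex, and the apex must carry NS records. The sample zone is assembled from the table's own example lines; the function names are this example's own.

```python
import ipaddress
import re
from dataclasses import dataclass

# Record types this parser understands (Table 1 types).
_KNOWN_TYPES = {"A", "AAAA", "CNAME", "MX", "TXT", "NS", "PTR", "SOA", "SRV", "CAA"}


@dataclass
class ResourceRecord:
    name: str
    ttl: int
    rclass: str
    rtype: str
    rdata: dict


def _split_rdata(text):
    # Split on whitespace but keep quoted strings (TXT, CAA values) as one token.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', text)]


def parse_rr(line):
    """Parse one zone-file line: name TTL class type rdata."""
    parts = line.split(None, 4)
    if len(parts) < 5:
        raise ValueError(f"not a complete resource record: {line!r}")
    name, ttl, rclass, rtype, rdata_text = parts
    if not ttl.isdigit():
        raise ValueError(f"TTL must be an integer: {ttl!r}")
    rtype = rtype.upper()
    if rtype not in _KNOWN_TYPES:
        raise ValueError(f"unsupported record type: {rtype}")
    f = _split_rdata(rdata_text)
    if rtype == "A":
        rdata = {"address": str(ipaddress.IPv4Address(f[0]))}
    elif rtype == "AAAA":
        rdata = {"address": str(ipaddress.IPv6Address(f[0]))}
    elif rtype in ("CNAME", "NS", "PTR"):
        rdata = {"target": f[0]}
    elif rtype == "MX":
        rdata = {"preference": int(f[0]), "exchange": f[1]}
    elif rtype == "TXT":
        rdata = {"text": "".join(f)}
    elif rtype == "SRV":
        rdata = {"priority": int(f[0]), "weight": int(f[1]), "port": int(f[2]), "target": f[3]}
    elif rtype == "CAA":
        rdata = {"flags": int(f[0]), "tag": f[1], "value": f[2]}
    else:  # SOA: mname rname serial refresh retry expire minimum
        keys = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")
        rdata = dict(zip(keys, f[:2] + [int(v) for v in f[2:7]]))
    return ResourceRecord(name, int(ttl), rclass.upper(), rtype, rdata)


def reverse_name(ip):
    """Owner name of the PTR record for an IPv4/IPv6 address (in-addr.arpa / ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def check_zone(records):
    """Structural checks from Table 1: CNAME must stand alone and never at the apex;
    the apex (the SOA owner) must have NS records."""
    problems, by_name = [], {}
    for rr in records:
        by_name.setdefault(rr.name.lower(), []).append(rr)
    apex = next((rr.name.lower() for rr in records if rr.rtype == "SOA"), None)
    for name, rrs in by_name.items():
        types = {rr.rtype for rr in rrs}
        if "CNAME" in types and len(types) > 1:
            problems.append(f"{name}: CNAME coexists with {sorted(types - {'CNAME'})}")
        if name == apex and "CNAME" in types:
            problems.append(f"{name}: CNAME at zone apex")
    if apex is not None and "NS" not in {rr.rtype for rr in by_name.get(apex, [])}:
        problems.append(f"{apex}: no NS records at zone apex")
    return problems


# Sample zone taken from the Table 1 example lines.
SAMPLE_ZONE = [
    "example.com. 3600 IN SOA ns1.example.com. admin.example.com. 2026030901 7200 3600 1209600 300",
    "example.com. 86400 IN NS ns1.example.com.",
    "example.com. 300 IN A 93.184.216.34",
    "example.com. 300 IN AAAA 2606:2800:220:1:248:1893:25c8:1946",
    "example.com. 3600 IN MX 10 mail.example.com.",
    'example.com. 300 IN TXT "v=spf1 include:_spf.google.com ~all"',
    "www.example.com. 300 IN CNAME example.com.",
    "_sip._tcp.example.com. 3600 IN SRV 10 60 5060 sipserver.example.com.",
    'example.com. 3600 IN CAA 0 issue "letsencrypt.org"',
]

if __name__ == "__main__":
    zone = [parse_rr(line) for line in SAMPLE_ZONE]
    print(reverse_name("93.184.216.34"))
    print(check_zone(zone) or "zone passes structural checks")
```

Adding `example.com. 300 IN CNAME other.example.com.` to the sample zone makes `check_zone` report both the coexistence and the apex violation.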

Table 2: Advanced and Specialized Record Types

Beyond the core types, DNS supports dozens of specialized records for service binding, security, identity, and zone management. The rows below cover the most practically useful, ordered from most widely deployed to most niche.

Type | Example | Description
HTTPS / SVCB
example.com. 300 IN HTTPS 1 . alpn=h3,h2 ipv4hint=93.184.216.34
• Service binding record providing connection hints (HTTP versions, IP hints, ports)
• enables faster HTTPS connections and HTTP/3 upgrade signaling
ALIAS / ANAME
example.com. 300 IN ALIAS target.example.com.
• Non-standard workaround enabling CNAME-like behavior at zone apex
• resolver returns A/AAAA records via CNAME flattening
• widely supported by DNS providers
TLSA (TLS Authentication)
_443._tcp.example.com. 3600 IN TLSA 3 1 1 abc123...
• Part of DANE (DNS-based Authentication of Named Entities)
• associates TLS certificates with domain names, reducing reliance on third-party CAs
DNAME (Delegation Name)
old.example.com. 3600 IN DNAME new.example.com.
• Creates an alias for an entire subtree
• unlike CNAME which aliases only exact name, DNAME redirects all subdomains beneath it
SSHFP (SSH Fingerprint)
server.example.com. 3600 IN SSHFP 1 2 abc123...
• Publishes SSH key fingerprints in DNS
• allows SSH clients to verify server identity without relying solely on known_hosts.
NAPTR (Naming Authority Pointer)
example.com. 3600 IN NAPTR 100 10 "u" "E2U+sip" "!^.*$!sip:info@example.com!" .
• Used in Dynamic Delegation Discovery System (DDDS)
• enables URI/service transformation
• primarily for ENUM and telecommunications protocols
LOC (Location)
server.example.com. 3600 IN LOC 37 46 29.000 N 122 25 10.000 W 10m 100m 1000m 10m
• Stores geographic coordinates (latitude, longitude, altitude, precision) for a host or network
• rarely used in practice but supported by all major DNS servers
OPENPGPKEY
hash._openpgpkey.example.com. 3600 IN OPENPGPKEY base64encodedkey...
• Publishes OpenPGP public keys in DNS for email encryption and sender verification
• keyed by hashed email local-part under _openpgpkey subdomain
SMIMEA
hash._smimecert.example.com. 3600 IN SMIMEA 3 1 1 abc123...
• Binds S/MIME certificates to email addresses in DNS
• similar to TLSA but for email
• enables DANE-based email authentication
URI
_ftp._tcp.example.com. 3600 IN URI 10 1 "ftp://ftp.example.com/public"
• Maps hostnames to URIs with priority and weight
• similar to SRV but returns a full URI string directly rather than requiring client-side assembly
CSYNC (Child Synchronization)
example.com. 3600 IN CSYNC 2026030901 3 A NS AAAA
• Signals to the parent zone that it should synchronize specified record types from the child zone
• enables automated NS/glue record updates without manual registry interaction
CERT
example.com. 3600 IN CERT 1 0 5 MIIBIjANBgkqhkiG9w0BAQEFAAOC...
• Stores cryptographic certificates (X.509, PGP, SPKI, etc.) directly in DNS
• largely superseded by TLSA and OPENPGPKEY for specific use cases
ZONEMD (Zone Message Digest)
example.com. 86400 IN ZONEMD 2026030901 1 1 7d016e7badfd8b...
• Provides a cryptographic hash of the entire zone for integrity verification
• combined with DNSSEC, lets consumers verify zone authenticity
• added to the root zone in late 2023.

Table 3: DNSSEC Records

DNSSEC uses a chain of cryptographic trust from the root zone through TLDs to authoritative nameservers. These specialized record types implement that chain — understand the KSK/ZSK split before working with any of them in production.

Type | Example | Description
RRSIG (Resource Record Signature)
example.com. 300 IN RRSIG A 8 2 300 20260315120000 20260308120000 12345 example.com. abc123...
• Contains cryptographic signature for a DNS record set
• verifies authenticity and integrity of DNS data
• created by the ZSK for zone records and by the KSK for DNSKEY records
DNSKEY
example.com. 3600 IN DNSKEY 257 3 8 AwEAAb...
• Holds the public cryptographic key for the zone
• flag 257 = Key Signing Key (KSK), flag 256 = Zone Signing Key (ZSK)
• KSK signs the DNSKEY RRset, ZSK signs zone records
DS (Delegation Signer)
example.com. 86400 IN DS 12345 8 2 abc123...
• Hash of child zone's KSK placed in parent zone
• establishes the chain of trust linking parent and child zones
• must be updated at registry when KSK is rolled
CDS / CDNSKEY
example.com. 3600 IN CDS 12345 8 2 abc123...
• Published in the child zone to signal the desired DS state to the parent
• enables automated KSK rollover — parent polls child and updates its DS RRset without manual registry interaction (RFC 7344 / RFC 8078).
NSEC (Next Secure)
a.example.com. 3600 IN NSEC b.example.com. A AAAA RRSIG NSEC
• Proves non-existence of DNS records by listing the next existing name
• enables authenticated denial of existence
• reveals zone contents via zone walking — use NSEC3 for public zones
NSEC3 (Next Secure v3)
abc123.example.com. 3600 IN NSEC3 1 0 0 - def456 A RRSIG
• Hashed version of NSEC preventing zone enumeration
• RFC 9276 mandates 0 hash iterations (higher values cause DoS vulnerability without meaningful security benefit)
• empty salt recommended
NSEC3PARAM
example.com. 0 IN NSEC3PARAM 1 0 0 -
• Placed at zone apex to define NSEC3 parameters (hash algorithm, flags, iterations, salt) for zone signing tools
• per RFC 9276: algorithm=1, iterations=0, salt=-.
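The DS row says the parent holds a hash of the child's KSK; the DNSKEY row says 257 marks a KSK. As an added example (not from the page or CheatGrid), the code below computes the RFC 4034 key tag and the DS digest (type 2, SHA-256, as in the table's DS example) from a DNSKEY and checks whether a given DS record matches it, which is the check to run before a KSK rollover or after a registry DS update. The key bytes are a constructed placeholder, not a real key; the function names are this example's own.

```python
import base64
import hashlib
import struct


def name_to_wire(name):
    """Owner name in canonical (lowercase) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA (the number in DS/RRSIG)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, public_key, digest_type=2):
    """DS fields (key tag, algorithm, digest type, hex digest) for a DNSKEY.
    Digest = hash(owner name wire | DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, digest_type, digest)


def parse_dnskey(presentation):
    """Parse 'flags protocol algorithm base64key' as printed in a zone file."""
    flags, protocol, algorithm, b64 = presentation.split(None, 3)
    return int(flags), int(protocol), int(algorithm), base64.b64decode("".join(b64.split()))


def ds_matches(owner, dnskey_presentation, ds_presentation):
    """Does the parent's DS record correspond to this child DNSKEY? (chain-of-trust link)"""
    flags, protocol, algorithm, key = parse_dnskey(dnskey_presentation)
    tag, alg, dtype, digest = ds_presentation.split()
    computed = ds_record(owner, flags, protocol, algorithm, key, int(dtype))
    return computed == (int(tag), int(alg), int(dtype), digest.lower())


def is_ksk(flags):
    """Flag 257 = zone key bit (256) + SEP bit (1) = KSK; 256 alone = ZSK."""
    return flags & 256 == 256 and flags & 1 == 1


if __name__ == "__main__":
    # Constructed placeholder key material (4 bytes), NOT a real RSA/ECDSA key.
    ksk = "257 3 8 AQIDBA=="
    flags, proto, alg, key = parse_dnskey(ksk)
    tag, alg, dtype, digest = ds_record("example.com.", flags, proto, alg, key)
    print(f"example.com. IN DS {tag} {alg} {dtype} {digest}")
    print("KSK" if is_ksk(flags) else "ZSK")
```

The same helper, run against the live DNSKEY RRset and the DS published at the parent, tells you whether the chain is intact for a real zone.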

Table 4: DNS Zone Types and Management

A DNS zone is the administrative unit that an authoritative server manages. Knowing zone types and their relationships determines how you architect redundancy, split-horizon views, and delegations.

Concept | Example | Description
Primary (Master) Zone
Holds master copy: example.com SOA, NS, A records
• Contains the authoritative master copy of zone data
• all changes are made here
• responsible for incrementing SOA serial on updates
Secondary (Slave) Zone
Replicates from primary via AXFR/IXFR
• Read-only replica receiving zone data via zone transfer (AXFR/IXFR)
• provides redundancy, load distribution, and geographic diversity
Stub Zone
Contains only NS records: ns1.example.com, ns2.example.com
• Holds only NS records for a delegated subdomain
• enables resolver to find authoritative servers without full zone data
• lighter than secondary zone
Forward Lookup Zone
example.com → 93.184.216.34
• Resolves hostnames to IP addresses (standard DNS)
• most common zone type for public and internal domains
Reverse Lookup Zone
93.184.216.34 → example.com
• Resolves IP addresses to hostnames using PTR records
• implemented in .in-addr.arpa (IPv4) or .ip6.arpa (IPv6) domains
• critical for email reputation
Conditional Forwarder
If query for corp.example.com → forward to 10.0.0.1
• Forwards queries for specific domain to designated DNS servers
• commonly used for split-DNS scenarios and Active Directory integration

Table 5: DNS Resolution Methods

DNS resolution is not a single operation — it is a coordinated sequence of queries between clients, recursive resolvers, and authoritative servers. Understanding this flow is essential for diagnosing latency, misconfiguration, and policy-based filtering.

Method | Example | Description
Recursive Query
Client → resolver: "Give me IP for www.example.com"
• Client requests complete answer from resolver
• resolver does all the work querying root, TLD, and authoritative servers
• most common for end-user devices
Iterative Query
Resolver → root: "Where's .com?" → root replies with TLD referral
• Server responds with best referral rather than final answer
• recursive resolver performs multiple iterative queries to reach authoritative answer
Non-Recursive Query
Query for cached record or authoritative zone
• Query answered immediately from cache or local authority
• no further lookups needed
• fastest resolution path when data is available
DNS Forwarding
Internal DNS → corporate resolver → 8.8.8.8
• DNS server passes unresolved queries to another DNS server
• reduces external query load
• commonly used in enterprise networks
Split-Horizon (Split-Brain) DNS
Internal clients see 10.0.0.1, external see 93.184.216.34
• Returns different responses based on query source
• internal vs external view of same domain
• achieved through separate zones or view-based configuration

Table 6: DNS Caching and TTL

Caching is what makes DNS scalable — without it, every query would burden root and authoritative servers. TTL values, negative caching, and modern resilience techniques like serve-stale directly affect how quickly DNS changes propagate and how gracefully infrastructure survives outages.

Concept | Example | Description
TTL (Time To Live)
example.com. 300 IN A 93.184.216.34 (300 seconds = 5 minutes)
• Specifies how long (in seconds) a DNS record can be cached
• lower TTL = faster updates but more queries
• typical values: 300–86400 seconds
Positive Caching
Cache stores: example.com → 93.184.216.34 for 300 seconds
• Caches successful DNS responses (NOERROR) for TTL duration
• reduces resolver workload and improves client response time
Negative Caching
Cache stores: notexist.example.com → NXDOMAIN for 300 seconds
• Caches non-existent domain responses (NXDOMAIN) or no-data responses
• TTL controlled by SOA minimum field
• prevents repeated queries for invalid names
Serve Stale (RFC 8767)
Resolver serves expired example.com A record while re-fetching in background
• Resolver serves expired cached records when the authoritative server is unreachable instead of returning SERVFAIL
• significantly cushions the impact of upstream outages (as seen in the May 2026 .de DNSSEC incident)
• default behavior in Unbound 1.23+.
Aggressive NSEC
An NSEC record spanning a.example.com to c.example.com lets the resolver infer that b.example.com does not exist
• Uses DNSSEC NSEC/NSEC3 records to synthesize negative answers from cache
• reduces queries to authoritative servers
• improves privacy via local denial of existence
DNS Prefetching
<link rel="dns-prefetch" href="//cdn.example.com">
• Browser preemptively resolves domain names before user clicks links
• reduces perceived latency
• implemented via HTML hint or automatic browser behavior
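Positive caching, negative caching keyed to the SOA minimum, and serve-stale behave differently over time, and the difference only shows once the clock moves. As an added example (not from the page or CheatGrid), the resolver cache below is driven by an explicit simulated clock and a constructed authoritative zone, so you can watch an entry go fresh, expire, be served stale during an outage, and finally fall to SERVFAIL once the stale limit passes. Names and class names are this example's own.

```python
# Constructed authoritative data: name -> (answer, TTL). SOA minimum = negative-cache TTL.
ZONE = {"example.com.": ("93.184.216.34", 300), "www.example.com.": ("93.184.216.34", 60)}
SOA_MINIMUM = 300


class FakeUpstream:
    """Stands in for the authoritative server; flip .down to simulate an outage."""

    def __init__(self):
        self.down = False
        self.queries = 0

    def __call__(self, name):
        self.queries += 1
        if self.down:
            raise TimeoutError("authoritative server unreachable")
        if name in ZONE:
            answer, ttl = ZONE[name]
            return "NOERROR", answer, ttl
        return "NXDOMAIN", None, SOA_MINIMUM   # negative answer cached for the SOA minimum


class ResolverCache:
    """Toy recursive-resolver cache: positive + negative caching, serve-stale (RFC 8767)."""

    def __init__(self, upstream, serve_stale=True, max_stale=86400):
        self.upstream = upstream        # callable(name) -> (rcode, answer, ttl)
        self.serve_stale = serve_stale
        self.max_stale = max_stale      # how long past expiry a stale entry may still be used
        self.entries = {}               # name -> (rcode, answer, expires_at)
        self.stats = {"hit": 0, "miss": 0, "stale": 0}

    def lookup(self, name, now):
        """Return (rcode, answer, source) where source is cache | upstream | stale | error."""
        entry = self.entries.get(name)
        if entry and entry[2] > now:
            self.stats["hit"] += 1
            return entry[0], entry[1], "cache"
        self.stats["miss"] += 1
        try:
            rcode, answer, ttl = self.upstream(name)
        except TimeoutError:
            # Upstream unreachable: serve the expired entry instead of SERVFAIL, within max_stale.
            if self.serve_stale and entry and now - entry[2] <= self.max_stale:
                self.stats["stale"] += 1
                return entry[0], entry[1], "stale"
            return "SERVFAIL", None, "error"
        self.entries[name] = (rcode, answer, now + ttl)
        return rcode, answer, "upstream"

    def remaining_ttl(self, name, now):
        """TTL a client would see: the cached record's remaining lifetime (0 once expired)."""
        entry = self.entries.get(name)
        return max(0, entry[2] - now) if entry else None


if __name__ == "__main__":
    up = FakeUpstream()
    cache = ResolverCache(up)
    for t in (0, 100, 400):
        print(t, cache.lookup("example.com.", t), cache.remaining_ttl("example.com.", t))
    up.down = True
    print("outage:", cache.lookup("example.com.", 500))
    print(cache.stats, "upstream queries:", up.queries)
```

Setting `serve_stale=False` reproduces the pre-RFC 8767 behaviour: the outage at t=500 returns SERVFAIL straight away.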

Table 7: DNS Query Flags and Response Codes

DNS message headers carry a compact set of flags and a 4-bit RCODE that communicates query intent and server response status. RFC 8914 Extended DNS Errors (EDE) supplement RCODEs when a single code is insufficient to describe the failure.

Item | Example | Description
QR (Query/Response)
QR=0 (query) or QR=1 (response)
Distinguishes between query (0) and response (1) packets.
AA (Authoritative Answer)
AA=1 flag in response
• Indicates the responding server is authoritative for the queried domain
• not set by recursive resolvers
RD (Recursion Desired)
RD=1 set by client
• Client requests the server to recursively resolve the query
• typically set by stub resolvers
RA (Recursion Available)
RA=1 in response
• Server indicates it supports recursion
• set by recursive resolvers, not by authoritative-only servers
AD (Authenticated Data)
AD=1 when DNSSEC validated
• Indicates DNSSEC validation succeeded
• resolver has cryptographically verified the response
• requires DNSSEC-aware resolver
CD (Checking Disabled)
CD=1 in query
• Instructs resolver to disable DNSSEC validation
• used for troubleshooting or when client performs own validation
NOERROR (RCODE 0)
Successful query with answer
• Query completed successfully
• valid data returned.
FORMERR (RCODE 1)
Malformed query packet
• Server could not interpret the request due to a format error
• often caused by corrupted packets, software bugs, or network interference
SERVFAIL (RCODE 2)
Server encountered internal error
• Server failed to complete the query
• often indicates DNSSEC validation failure, upstream timeout, or misconfiguration
• diagnosed with EDE codes (RFC 8914).
NXDOMAIN (RCODE 3)
Domain does not exist
• Domain name does not exist
• authoritative negative answer
• can be cached per negative TTL
NOTIMP (RCODE 4)
Unsupported opcode or query type
• Server does not support the requested operation or query type
• seen with unusual opcodes on older servers
REFUSED (RCODE 5)
Server policy denies the query
Server refuses to answer due to policy — ACL restriction, recursion disabled for external client, or rate limiting.
YXDOMAIN (RCODE 6)
Dynamic update tries to create existing domain
• Domain exists when it should not
• used in dynamic DNS updates (RFC 2136).
YXRRSET (RCODE 7)
RRset exists when it should not in dynamic update
• RRset exists when the update prerequisite requires it absent
• dynamic DNS updates only
NXRRSET (RCODE 8)
Required RRset does not exist
• RRset does not exist when the update prerequisite requires it present
• dynamic DNS updates only
NOTAUTH (RCODE 9)
Server not authoritative for zone
• Server is not authoritative for the zone named in the update request
• the query was sent to the wrong server
NOTZONE (RCODE 10)
Name outside zone in update
• Name in the update falls outside the zone the server manages
• dynamic DNS updates only
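The flags and RCODE above live in the 16-bit flags word of the 12-byte DNS header. As an added example (not from the page or CheatGrid), the code below packs and parses that header and then makes the decisions a resolver makes from the header alone: retry over TCP on TC, treat SERVFAIL and NXDOMAIN differently, recognise NODATA (NOERROR with an empty answer section), and report whether AD was set. The sample header bytes are constructed; function names are this example's own.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED",
          6: "YXDOMAIN", 7: "YXRRSET", 8: "NXRRSET", 9: "NOTAUTH", 10: "NOTZONE"}


def pack_header(msg_id, qr=0, opcode=0, aa=0, tc=0, rd=1, ra=0, ad=0, cd=0, rcode=0,
                qdcount=1, ancount=0, nscount=0, arcount=0):
    """Build the 12-byte header: ID, flags word, then the four section counts."""
    flags = ((qr << 15) | (opcode << 11) | (aa << 10) | (tc << 9) | (rd << 8)
             | (ra << 7) | (ad << 5) | (cd << 4) | (rcode & 0xF))
    return struct.pack("!HHHHHH", msg_id, flags, qdcount, ancount, nscount, arcount)


def parse_header(data):
    """Split the flags word back into the named bits from Table 7."""
    if len(data) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0xF
    return {
        "id": msg_id, "qr": (flags >> 15) & 1, "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1, "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1, "ad": (flags >> 5) & 1, "cd": (flags >> 4) & 1,
        "rcode": rcode, "rcode_name": RCODES.get(rcode, f"RCODE{rcode}"),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_response(data):
    """What a resolver should do with a reply, judged from header bits only."""
    h = parse_header(data)
    if not h["qr"]:
        return "ignore: not a response"
    if h["tc"]:
        return "retry over TCP"            # truncated UDP answer
    if h["rcode_name"] == "SERVFAIL":
        return "upstream failure (check EDE / DNSSEC validation)"
    if h["rcode_name"] == "NXDOMAIN":
        return "name does not exist (cache per negative TTL)"
    if h["rcode_name"] == "REFUSED":
        return "policy refusal (ACL, recursion disabled, or rate limit)"
    if h["rcode_name"] == "NOERROR" and h["ancount"] == 0:
        return "NODATA: name exists but has no records of this type"
    return "answer" + (" (DNSSEC validated)" if h["ad"] else "")


if __name__ == "__main__":
    # Constructed reply: ID 0x1234, flags 0x8183 = QR RD RA + RCODE 3 (NXDOMAIN), 1 question.
    nx = bytes.fromhex("123481830001000000000000")
    print(parse_header(nx))
    print(classify_response(nx))
    print(classify_response(pack_header(7, qr=1, tc=1, rd=1, ra=1)))
```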

Table 8: DNS Security Mechanisms

DNS security is layered: DNSSEC ensures data integrity, encrypted transports protect confidentiality, RPZ enables policy-based threat blocking, and anti-spoofing measures harden resolvers against injection attacks. These mechanisms are complementary, not mutually exclusive.

Mechanism | Example | Description
DNSSEC (DNS Security Extensions)
Zone signed with RRSIG, DNSKEY, DS records
• Uses public key cryptography to sign DNS records
• provides authentication and integrity but not confidentiality
• prevents cache poisoning
• organized around a chain of trust from the root zone
DNS over HTTPS (DoH)
https://1.1.1.1/dns-query with encrypted DNS query
• Encrypts DNS queries inside HTTPS (port 443)
• indistinguishable from normal HTTPS traffic
• widely supported by browsers
• most deployed encrypted DNS protocol today
DNS over TLS (DoT)
DNS query over TLS connection (port 853)
• Encrypts DNS queries using a dedicated TLS connection on port 853
• provides confidentiality
• easier to detect/block than DoH by network operators
DNS over QUIC (DoQ)
kdig @9.9.9.9 example.com +quic (port 853 UDP)
• Encrypts DNS over QUIC transport (RFC 9250, UDP port 853)
• lower latency than DoT via 0-RTT session resumption and no head-of-line blocking
• supports connection migration for mobile devices
• Quad9 and Cloudflare deploy it in production.
Response Policy Zones (RPZ)
response-policy { zone "rpz.feed"; }; in BIND
• Acts as a DNS firewall intercepting queries based on policy triggers (domain name, IP, nameserver)
• can return NXDOMAIN, redirect to walled garden, or drop queries
• supported by BIND 9.8+, Unbound 1.10+, PowerDNS
• consumes external threat-intelligence feeds.
TSIG (Transaction Signature)
Zone transfer authenticated with HMAC-SHA256 shared secret
• Uses shared secret keys to authenticate DNS messages
• primarily for securing zone transfers (AXFR/IXFR) and dynamic updates between servers
Response Rate Limiting (RRL)
Limit identical responses to 5/second from same client
• Mitigates DNS amplification attacks by limiting rate of identical responses
• prevents DNS servers from being weaponized in DDoS attacks
QNAME Minimization
Query to .com TLD only reveals example.com, not www.example.com
• Resolver sends minimum necessary query name to each server
• reduces information leakage to upstream servers
• privacy enhancement
Source Port Randomization
Use random source ports (e.g., 54321, 47892) instead of fixed port 53
• Randomizes UDP source port for queries
• adds ~16 bits of entropy
• makes DNS cache poisoning significantly harder
• critical security measure
0x20-bit Encoding
Query: WwW.ExAmPlE.CoM → expect same case in response
• Randomizes case of query name
• resolver validates response preserves same case
• adds ~7 bits of entropy
• defends against cache poisoning
• deployed by Google Public DNS
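Source port randomization and 0x20 encoding only help if the resolver actually checks the port and the case pattern when a reply arrives. As an added example (not from the page or CheatGrid), the code below keeps the state a resolver holds for one outstanding query and applies the three-way match (message ID, destination port, exact case of the question name) that decides whether a reply is accepted; it also adds up the entropy bits the table quotes. Class and function names are this example's own; `seed` exists only to make the demo reproducible.

```python
import random


def randomize_case(qname, rng):
    """0x20 encoding: flip the case of each letter in the question name at random."""
    return "".join(c.upper() if c.isalpha() and rng.random() < 0.5 else c.lower() for c in qname)


def case_entropy_bits(qname):
    """One bit per letter; digits, dots and hyphens contribute nothing."""
    return sum(1 for c in qname if c.isalpha())


class OutstandingQuery:
    """What the resolver remembers about one in-flight query."""

    def __init__(self, qname, qtype, rng):
        self.msg_id = rng.getrandbits(16)              # 16-bit message ID
        self.src_port = rng.randrange(1024, 65536)     # random UDP source port, not a fixed 53
        self.qname = randomize_case(qname, rng)        # case pattern the reply must echo back
        self.qtype = qtype


def new_query(qname, qtype, seed=None):
    """seed=None uses the OS CSPRNG (what a real resolver must do); a seed makes tests repeatable."""
    rng = random.SystemRandom() if seed is None else random.Random(seed)
    return OutstandingQuery(qname, qtype, rng)


def response_is_acceptable(query, resp_id, resp_dst_port, resp_qname, resp_qtype):
    """Accept only if ID, destination port, question name (case-exact) and type all match.
    A reply naming 'www.example.com.' to a query sent as 'WwW.ExAmPlE.CoM.' is dropped
    even though DNS itself compares names case-insensitively."""
    return (resp_id == query.msg_id
            and resp_dst_port == query.src_port
            and resp_qname == query.qname
            and resp_qtype == query.qtype)


def entropy_bits(query):
    """Approximate bits an off-path forger must guess: 16 (ID) + ~16 (port) + letters (0x20)."""
    return 16 + 16 + case_entropy_bits(query.qname)


if __name__ == "__main__":
    q = new_query("www.example.com.", "A")
    print("sent as:", q.qname, "id:", q.msg_id, "port:", q.src_port, "bits:", entropy_bits(q))
    # Genuine reply echoes the case pattern; a forged one that does not is discarded.
    print(response_is_acceptable(q, q.msg_id, q.src_port, q.qname, "A"))
    print(response_is_acceptable(q, q.msg_id, q.src_port, q.qname.lower(), "A") == (q.qname == q.qname.lower()))
```

The case check requires the authoritative server to copy the question name verbatim into its reply, which is why resolvers that deploy 0x20 fall back to a plain lookup for the few servers that rewrite it.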

Table 9: DNS Attack Types and Threats

DNS is a high-value attack surface: every internet-connected device trusts DNS responses implicitly. Attacks range from passive eavesdropping to active cache poisoning and infrastructure flooding. Understanding each threat model is prerequisite to deploying the correct countermeasure from Table 8.

Attack | Example | Description
DNS Cache Poisoning (Spoofing)
Attacker injects false example.com → malicious IP into resolver cache
• Injects forged DNS responses into resolver cache
• redirects users to malicious servers
• mitigated by source port randomization, DNSSEC, and 0x20 encoding
DNS Amplification DDoS
Small query (EDNS0 ANY) triggers 4000+ byte response using spoofed source IP
• Amplifies attack traffic by sending small queries (with spoofed source IP) that generate large responses toward victim
• amplification factor up to 130x
• mitigated by BCP38, RRL, and disabling ANY queries
DNS Tunneling
Data: encoded-data.evil.com TXT "base64payload"
• Exfiltrates data or tunnels C2 traffic over DNS
• encodes arbitrary data in DNS queries/responses
• bypasses firewalls
• detected by monitoring query frequency, subdomain length, and entropy
NXDOMAIN Attack (DNS Flooding)
Flood of random123abc.example.com queries
• Overwhelms authoritative servers with queries for non-existent domains
• exhausts resolver and authoritative server resources
• mitigated by rate limiting and anycast
DNS Hijacking
Malicious resolvers return bank.example.com → attacker IP
• Modifies DNS resolution path by compromising resolvers, routers, or registrar accounts
• redirects users to attacker-controlled servers
Dangling DNS / Subdomain Takeover
CNAME sub.example.com → unclaimed.github.io
• DNS record points to expired or released third-party resource (cloud hosting, CDN)
• attacker claims the target resource and hijacks subdomain
• monitored via regular DNS auditing
DNS Rebinding
Attacker domain resolves to 192.168.1.1 after initial IP validated
• Attacker serves a domain with very short TTL; browser fetches initial IP to pass same-origin checks; subsequent lookups rebind to internal/private IP addresses
• bypasses same-origin policy, enabling browser as pivot to internal network
• mitigated by rejecting private IPs in responses, DNS pinning, and validating Host headers.
DNSSEC Downgrade
Attacker strips RRSIG/DNSKEY records from responses
• Attacker removes DNSSEC records to make validating resolver fall back to insecure DNS
• prevented by validators that reject unsigned responses for signed zones
Fast-Flux DNS
Botnet IP changes every 60 seconds using low TTL
• Changes A records very rapidly (60–300 second TTL) across many IPs
• provides resilient, hard-to-block infrastructure for malware C2 and phishing
BGP Hijacking + DNS
ISP-level prefix hijack redirects DNS traffic to rogue resolver
• BGP route hijacking redirects IP prefixes containing DNS servers
• targeted at public resolvers
• difficult to detect without BGP monitoring
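Two of the rows above name concrete defender-side logic: DNS tunneling is "detected by monitoring query frequency, subdomain length, and entropy", and rebinding is "mitigated by rejecting private IPs in responses". As an added example (not from the page or CheatGrid), the code below runs those heuristics over a constructed query log (a few ordinary lookups plus 25 queries with long pseudo-random labels under a reserved `.example` name) and implements the private-address filter, which is what a resolver option such as Unbound's `private-address` does. Thresholds and function names are this example's own; the naive "last two labels" registered-domain split should be replaced by a Public Suffix List lookup in production.

```python
import ipaddress
import math
import random
import string
from collections import Counter, defaultdict

# --- constructed sample log: "client qname qtype" --------------------------------------
ALPHABET = string.ascii_lowercase + string.digits
_rng = random.Random(7)
SAMPLE_LOG = [
    "10.0.0.5 www.example.com. A",
    "10.0.0.5 mail.example.com. MX",
    "10.0.0.9 cdn.example.com. AAAA",
    "10.0.0.9 a1b2c3.cdn.example.com. A",
]
for _i in range(25):
    # two 30-character pseudo-random labels standing in for encoded payload chunks
    chunk = ".".join("".join(_rng.sample(ALPHABET, 30)) for _j in range(2))
    SAMPLE_LOG.append(f"10.0.0.7 {chunk}.exfil.example. TXT")


def shannon_entropy(s):
    """Bits per character; random-looking base32/base64 text scores far above words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def registered_domain(qname):
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])      # naive; use the Public Suffix List in production


def score_query(qname, max_len=50, max_entropy=3.8, max_labels=5):
    """Per-query indicators: long subdomain, high-entropy labels, unusually many labels."""
    labels = qname.rstrip(".").split(".")
    sub = ".".join(labels[:-2])
    reasons = []
    if len(sub) > max_len:
        reasons.append("long subdomain")
    if sub and shannon_entropy(sub.replace(".", "")) > max_entropy:
        reasons.append("high entropy")
    if len(labels) > max_labels:
        reasons.append("many labels")
    return reasons


def find_tunneling_suspects(log_lines, min_distinct=20):
    """Flag registered domains that receive many distinct suspicious-looking subdomain
    queries (frequency + length/entropy). Returns {domain: {reason: count}}."""
    per_domain, reasons_by_domain = defaultdict(set), defaultdict(Counter)
    for line in log_lines:
        _client, qname, _qtype = line.split()
        dom = registered_domain(qname)
        per_domain[dom].add(qname)
        for r in score_query(qname):
            reasons_by_domain[dom][r] += 1
    return {dom: dict(reasons_by_domain[dom]) for dom, names in per_domain.items()
            if len(names) >= min_distinct and reasons_by_domain[dom]}


def filter_rebinding(answers):
    """Rebinding guard: drop answers that point a public name at private, loopback,
    link-local or unspecified addresses. Returns (kept, dropped)."""
    kept, dropped = [], []
    for addr in answers:
        ip = ipaddress.ip_address(addr)
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified:
            dropped.append(addr)
        else:
            kept.append(addr)
    return kept, dropped


if __name__ == "__main__":
    print(find_tunneling_suspects(SAMPLE_LOG))
    print(filter_rebinding(["93.184.216.34", "192.168.1.1", "127.0.0.1", "fd00::1"]))
```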

Table 10: DNS Zone Transfer Methods

Zone transfers are the mechanism by which secondary servers receive authoritative data from primaries. Securing transfers via TSIG and controlling which servers may request them is fundamental to authoritative DNS hardening.

Method | Example | Description
AXFR (Full Zone Transfer)
dig @ns1.example.com example.com AXFR
• Transfers the complete zone file from primary to secondary
• used for initial sync or after large changes
• should be restricted to authorized secondaries via ACLs and TSIG
IXFR (Incremental Zone Transfer)
dig @ns1.example.com example.com IXFR=2026030900
• Transfers only the changes since the last known serial
• far more efficient than AXFR for large zones with frequent small updates
• falls back to AXFR if deltas unavailable
NOTIFY
Primary sends NOTIFY to ns2.example.com on zone change
• Primary proactively notifies secondaries of zone changes instead of waiting for the SOA refresh interval
• reduces propagation delay significantly
TSIG Authentication
key "transfer-key" { algorithm hmac-sha256; secret "..."; };
• Uses HMAC-based shared keys to authenticate and verify integrity of zone transfer messages
• prevents unauthorized zone pulls
BIND allow-transfer
allow-transfer { 192.168.1.2; key transfer-key; };
BIND configuration directive restricting which servers may request zone transfers by IP address and/or TSIG key.
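Whether a secondary pulls a zone at all comes down to comparing SOA serials, and the comparison has to tolerate 32-bit wraparound (RFC 1982). As an added example (not from the page or CheatGrid), the code below implements serial-number arithmetic, the YYYYMMDDnn serial scheme used in the Table 1 SOA example, the secondary's IXFR-or-AXFR decision, and the refresh/retry/expire state derived from the SOA timers. Function names are this example's own.

```python
HALF = 1 << 31   # serial space is 32 bits; "greater" means within half the space ahead


def serial_gt(a, b):
    """RFC 1982: is serial a newer than serial b, allowing for wraparound at 2^32?"""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def next_serial(current, today_yyyymmdd):
    """YYYYMMDDnn scheme: first edit of the day gets <date>00; any later edit (or a date
    that would not compare greater) just increments, keeping the serial monotonic."""
    candidate = today_yyyymmdd * 100
    return candidate if serial_gt(candidate, current) else (current + 1) & 0xFFFFFFFF


def parse_soa(rdata):
    """mname rname serial refresh retry expire minimum -> dict."""
    mname, rname, *nums = rdata.split()
    serial, refresh, retry, expire, minimum = (int(n) for n in nums)
    return {"mname": mname, "rname": rname, "serial": serial, "refresh": refresh,
            "retry": retry, "expire": expire, "minimum": minimum}


def plan_refresh(local_serial, primary_serial, have_ixfr_history):
    """Secondary's decision after a SOA query (or a NOTIFY-triggered SOA check)."""
    if not serial_gt(primary_serial, local_serial):
        return "up to date"
    return "IXFR" if have_ixfr_history else "AXFR"   # IXFR falls back to AXFR when deltas are gone


def secondary_state(soa, seconds_since_last_success):
    """Timer-driven state of a secondary copy that has not been refreshed recently."""
    if seconds_since_last_success > soa["expire"]:
        return "expired"       # stop answering authoritatively until a transfer succeeds
    if seconds_since_last_success > soa["refresh"]:
        return "refresh due"   # poll the primary's SOA; on failure retry every 'retry' seconds
    return "fresh"


if __name__ == "__main__":
    soa = parse_soa("ns1.example.com. admin.example.com. 2026030901 7200 3600 1209600 300")
    print(next_serial(soa["serial"], 20260309))
    print(plan_refresh(2026030900, soa["serial"], True))
    print(secondary_state(soa, 8000), secondary_state(soa, 2_000_000))
```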

Table 11: DNS Infrastructure Components

DNS infrastructure spans multiple tiers, from the client's stub resolver to the global root server network. Knowing each component's role clarifies where performance bottlenecks and security boundaries exist.

Component | Example | Description
Root Nameservers
13 root server addresses (a.root-servers.net through m.root-servers.net); operated by 12 independent organizations
• Serve the root zone (.) and direct resolvers to the correct TLD nameservers
• implemented via anycast providing 1500+ physical instances globally
TLD Nameservers
.com → Verisign; .org → PIR; .uk → Nominet
• Maintain NS and DS delegations for all domains within their TLD
• Verisign alone manages billions of .com/.net queries daily
Authoritative Nameserver
Responds AA=1; ns1.example.com answers for example.com
• Holds the definitive DNS records for a zone
• returns answers with the AA (Authoritative Answer) flag set
Recursive Resolver
8.8.8.8 (Google), 1.1.1.1 (Cloudflare), 9.9.9.9 (Quad9)
• Performs full resolution on behalf of clients
• queries root → TLD → authoritative
• caches results
• provides DNSSEC validation
Stub Resolver
OS resolver library sending queries to configured DNS server
• Minimal resolver in the OS or application
• sends queries to recursive resolver rather than performing full resolution itself
DNS Forwarder
Internal DNS forwards all external queries to 8.8.8.8
• DNS server that forwards queries it cannot resolve locally to designated upstream servers
• common in enterprise architectures
Anycast
Multiple root servers sharing IP 198.41.0.4 routed by BGP
• Multiple servers share the same IP address
• client reaches the topologically nearest instance
• provides DDoS resilience and reduced latency
EDNS0 (Extension Mechanisms)
OPT record: EDNS version=0, payload=4096
• Extends DNS with larger UDP payloads (beyond 512 bytes), signaling DNS cookie support, DNSSEC OK flag, and other capabilities
• required for DNSSEC responses
DNS Cookies
Client cookie: 8-byte random value; server cookie: HMAC-based
• Lightweight anti-spoofing protection using client and server cookies exchanged via EDNS0 OPT
• prevents reflection attacks and off-path cache poisoning

Table 12: DNS Troubleshooting Commands

DNS troubleshooting follows a consistent workflow: confirm resolution path, verify record content, check delegation, validate DNSSEC, and test connectivity at each layer. The tools below cover every step.

Command | Example | Description
dig (Domain Information Groper)
dig @8.8.8.8 example.com A +short
• Swiss-army DNS tool
• queries specific record types against chosen servers
• most versatile DNS troubleshooting command
• supports +dnssec, +trace, +short modifiers
dig +trace
dig +trace example.com
• Traces the full DNS resolution path from root servers to authoritative answer
• essential for diagnosing delegation issues
nslookup
nslookup example.com 8.8.8.8
• Interactive or command-line DNS lookup
• available on Windows and Unix
• less powerful than dig but ubiquitous
host
host -t MX example.com
• Simpler DNS lookup utility
• good for quick checks
• shows A, AAAA, and MX by default
delv (DNS Lookup and Validation)
delv +rtrace +multiline @8.8.8.8 example.com A
• BIND utility that performs DNSSEC validation locally using a configured trust anchor
• diagnoses validation failures that dig cannot show
kdig (Knot DNS utils)
kdig @9.9.9.9 example.com +quic
• Knot DNS query tool
• supports DNS over QUIC (+quic), DoH, DoT, and EDNS client subnet
• used for testing modern encrypted DNS protocols
whois
whois example.com
• Queries registrar records for domain registration info, nameservers, and registrar
• useful for tracking down registrar-level issues
drill
drill -D DNSKEY example.com
• DNS lookup tool from NLnet Labs
• DNSSEC-aware
• good for DNSSEC chain verification
systemd-resolve
resolvectl query example.com
• Systemd DNS client
• queries local stub resolver on Linux
• shows resolved DNS server and validation status
Wireshark / tcpdump
tcpdump -i eth0 port 53
• Packet-level inspection of DNS traffic
• essential for diagnosing truncation, EDNS0 issues, and identifying unexpected DNS servers
DNS Propagation Checkers
whatsmydns.net, dnschecker.org
• Web tools that check DNS propagation status across global resolvers
• verify that record changes are visible worldwide
DNS Benchmark
Gibson Research Corporation DNS Benchmark (Windows)
• Tests performance and reliability of DNS resolvers
• useful for selecting fastest resolver for your location

Table 13: Email Authentication DNS Records

Email authentication relies entirely on DNS as the trust medium — without correct SPF, DKIM, DMARC, and BIMI records, modern mail filtering will reject or junk your messages. These four records form an interdependent system; DMARC requires both SPF and DKIM to be meaningful.

Record | Example | Description
SPF (Sender Policy Framework)
example.com TXT "v=spf1 include:_spf.google.com ip4:203.0.113.0/24 -all"
• Lists authorized mail sending IPs for the domain
• receiving servers verify sending IP is permitted
• -all (hard fail) vs ~all (soft fail).
DKIM (DomainKeys Identified Mail)
selector._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIIBIjAN..."
• Publishes public key for verifying DKIM signatures
• receiving servers use this key to verify messages are signed by the sending domain
DMARC
_dmarc.example.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
• Policy combining SPF and DKIM alignment
• specifies action (none/quarantine/reject) on authentication failures
• enables aggregate and forensic reporting
BIMI (Brand Indicators for Message Identification)
default._bimi.example.com TXT "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"
• Enables brand logo to appear in email clients
• requires strict DMARC policy
• some providers require VMC (Verified Mark Certificate).
MTA-STS
_mta-sts.example.com TXT "v=STSv1; id=20260309"
• Signals that the mail domain requires TLS for inbound SMTP
• combined with a policy file at https://mta-sts.example.com/.well-known/mta-sts.txt.
SMTP TLS Reporting
_smtp._tls.example.com TXT "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"
• Requests TLS failure reports from mail senders
• enables monitoring of STARTTLS and MTA-STS enforcement failures
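SPF is evaluated left to right with first match winning, `-all`/`~all` decide the final answer, and `include:`/`a`/`mx`/`ptr`/`exists`/`redirect=` each cost one of the 10 DNS lookups RFC 7208 allows. As an added example (not from the page or CheatGrid), the code below parses SPF, evaluates a sending IP against a small constructed table of records (the "DNS" here is a dict, so `include:` resolves offline), enforces the lookup limit, and then parses a DMARC record and applies its policy to SPF/DKIM alignment results. The domains `_spf.mailhost.example` and the record contents are constructed; function names are this example's own. `pct=` and DMARC's relaxed/strict alignment modes are not modelled.

```python
import ipaddress

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10   # RFC 7208 section 4.6.4
RESULT_FOR = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed "DNS": domain -> SPF TXT record.
RECORDS = {
    "example.com": "v=spf1 include:_spf.mailhost.example ip4:203.0.113.0/24 -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
}


def parse_spf(txt):
    """Split an SPF record into (qualifier, mechanism, argument) tuples plus modifiers,
    counting the terms that would cost a DNS lookup."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, modifiers, lookups = [], {}, 0
    for term in terms[1:]:
        if "=" in term and ":" not in term.split("=")[0]:     # modifier: redirect=, exp=
            k, v = term.split("=", 1)
            modifiers[k.lower()] = v
            lookups += k.lower() == "redirect"
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        lookups += name in LOOKUP_MECHANISMS
        mechanisms.append((qualifier, name, arg))
    return {"mechanisms": mechanisms, "modifiers": modifiers, "lookups": lookups}


def evaluate_spf(domain, sender_ip, records, _counter=None):
    """Return (result, lookups_used). a/mx/ptr/exists are counted but treated as no-match
    because this offline example has no address data to resolve them against."""
    counter = _counter if _counter is not None else [0]
    txt = records.get(domain)
    if txt is None:
        return "none", counter[0]
    rec = parse_spf(txt)
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, arg in rec["mechanisms"]:
        matched = False
        if name in ("ip4", "ip6"):
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)   # v4 vs v6 never matches
            except ValueError:
                return "permerror", counter[0]
        elif name == "all":
            matched = True
        elif name in LOOKUP_MECHANISMS:
            counter[0] += 1
            if counter[0] > MAX_LOOKUPS:
                return "permerror", counter[0]
            if name == "include":
                sub, _ = evaluate_spf(arg, sender_ip, records, counter)
                if sub == "none":
                    return "permerror", counter[0]   # include of a domain with no SPF
                matched = sub == "pass"
        if matched:
            return RESULT_FOR[qualifier], counter[0]
    if "redirect" in rec["modifiers"]:
        counter[0] += 1
        return evaluate_spf(rec["modifiers"]["redirect"], sender_ip, records, counter)
    return "neutral", counter[0]


def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=...; rua=...' into a tag dict and validate the policy value."""
    tags = {}
    for part in txt.split(";"):
        if part.strip():
            k, _, v = part.partition("=")
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("invalid DMARC record: needs v=DMARC1 and p=none|quarantine|reject")
    return tags


def dmarc_disposition(tags, spf_result, spf_aligned, dkim_result, dkim_aligned):
    """DMARC passes if SPF or DKIM both passes AND aligns with the From: domain;
    otherwise the published p= policy applies."""
    if (spf_result == "pass" and spf_aligned) or (dkim_result == "pass" and dkim_aligned):
        return "pass"
    return tags["p"]


if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.7", "192.0.2.1", "2001:db8::9"):
        print(ip, evaluate_spf("example.com", ip, RECORDS))
    d = parse_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@example.com")
    print(dmarc_disposition(d, "pass", False, "fail", False))
```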

Table 14: DNS Performance and Load Balancing

DNS is often the simplest lever for distributing load and directing users to geographically optimal endpoints. The techniques below range from basic round-robin to sophisticated latency-based global routing.

Technique | Example | Description
DNS Round-Robin
example.com A 1.1.1.1, example.com A 2.2.2.2 (two records)
• Multiple A/AAAA records with same name
• resolver rotates responses
• simplest form of load distribution
• no health checking
• unequal distribution possible due to caching
GeoDNS / Geographic DNS
EU clients → eu.example.com, US clients → us.example.com
• Returns different IPs based on client's geographic location
• reduces latency by directing to nearest datacenter
• requires specialized DNS provider or GeoIP capability
Latency-Based Routing
AWS Route 53 returns lowest-latency endpoint per region
• Routes DNS queries to lowest-latency endpoint
• measured from resolver to endpoint
• more accurate than pure geo routing
Weighted DNS
80% weight to new server, 20% to old server
• Assigns percentage weight to each record set
• enables gradual traffic shifting for blue-green deployments or A/B testing
Health-Check Failover
Route 53 removes unhealthy A record from DNS responses
• DNS provider monitors endpoint health and removes failing endpoints from rotation
• provides automatic failover without TTL expiry
Anycast DNS
Root servers, 1.1.1.1, 8.8.8.8 use anycast
• Same IP advertised from multiple PoPs
• client routes to nearest BGP-closest node
• provides both load distribution and DDoS resilience
DNS TTL for Blue-Green Deployments
Reduce TTL to 60s before cutover, increase after
• Lower TTL before planned migrations ensures rapid DNS propagation
• standard practice: reduce 24h before cutover, raise again after confirming stability
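The two points above that are easiest to get wrong in practice are the interaction between weighted routing and health checks, and the fact that a TTL change only takes effect once the old TTL has expired everywhere. The following Python is an added example, not code from the cheat sheet or from any DNS provider: an authoritative-side answer selector that models weighted routing with health-check failover, plus a cutover timeline. The endpoint table is constructed, and the "fail open when nothing is healthy" rule is an assumption modelled on how managed DNS services commonly behave.

```python
import random

# Constructed weighted record set for www.example.com (20% old host, 80% new host).
ENDPOINTS = [
    {"name": "old", "addr": "192.0.2.10", "weight": 20},
    {"name": "new", "addr": "192.0.2.20", "weight": 80},
]


def in_rotation(endpoints, healthy):
    """Endpoints eligible for an answer: the healthy ones with a non-zero weight,
    or every weighted endpoint if none is healthy (assumption: answering nothing
    would turn a degraded service into a total outage, so fail open)."""
    alive = [e for e in endpoints if healthy.get(e["name"], False) and e["weight"] > 0]
    return alive or [e for e in endpoints if e["weight"] > 0]


def expected_share(endpoints, healthy):
    """Fraction of answers each endpoint receives after health filtering and
    weight renormalisation, e.g. 20/80 becomes 100/0 when "new" is failing."""
    pool = in_rotation(endpoints, healthy)
    total = sum(e["weight"] for e in pool)
    return {e["name"]: (e["weight"] / total if e in pool else 0.0) for e in endpoints}


def pick(endpoints, healthy, rng=random):
    """Choose the endpoint for one response, proportionally to weight."""
    pool = in_rotation(endpoints, healthy)
    return rng.choices(pool, weights=[e["weight"] for e in pool], k=1)[0]


def simulate(endpoints, healthy, n=10000, seed=1):
    """Observed answer shares over n responses with a seeded generator, so the
    result is reproducible and can be compared against expected_share()."""
    rng = random.Random(seed)
    counts = {e["name"]: 0 for e in endpoints}
    for _ in range(n):
        counts[pick(endpoints, healthy, rng)["name"]] += 1
    return {name: count / n for name, count in counts.items()}


def cutover_schedule(old_ttl, new_ttl, cutover_at):
    """Timeline (seconds on the same clock as cutover_at) for a TTL-assisted
    cutover. Lowering the TTL only helps once every cache holding the old TTL
    has expired, so the lowered record must be published at least old_ttl before
    the cutover; after the cutover, caches may still hand out the old answer for
    up to new_ttl, and only then is it safe to raise the TTL again."""
    return {
        "publish_low_ttl_by": cutover_at - old_ttl,
        "cutover_at": cutover_at,
        "old_answer_gone_by": cutover_at + new_ttl,
    }


if __name__ == "__main__":
    print(expected_share(ENDPOINTS, {"old": True, "new": True}))
    print(expected_share(ENDPOINTS, {"old": True, "new": False}))
    print(simulate(ENDPOINTS, {"old": True, "new": True}, seed=7))
    print(cutover_schedule(old_ttl=86400, new_ttl=60, cutover_at=1_000_000))
```

Some resolvers clamp TTLs to a minimum or maximum of their own, so the schedule above is a lower bound on how long stale answers circulate; the only way to verify is to query several public resolvers after the change.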

Table 15: DNS Standards and Protocol Details

DNS was designed in 1983 and has been extended continuously through RFCs. Understanding the protocol-level constraints — message size limits, transport choices, flag semantics — prevents hard-to-diagnose production issues.

ConceptExampleDescription
DNS over UDP (port 53)
Standard DNS query via UDP port 53
• Default transport
• 512-byte limit for responses when the query carries no EDNS
• EDNS0 lets the client advertise a larger buffer (4096 was common; 1232 is the DNS Flag Day 2020 recommendation, because larger UDP answers risk IP fragmentation)
• lower overhead than TCP
DNS over TCP (port 53)
Zone transfers and responses exceeding UDP limit
• Used when response exceeds UDP payload limit (TC bit set), for zone transfers, and as primary transport in DNS over TLS
• RFC 7766 modernizes TCP handling
EDNS0 (Extensions)
OPT RR: payloadSize=4096, DO=1
• Extends DNS with larger UDP payloads, the DO (DNSSEC OK) flag, client subnet, and DNS cookies
• required for DNSSEC
• negotiated in OPT pseudo-record
DNS over TLS (DoT, port 853 TCP)
Resolver connects to 1.1.1.1:853 with TLS
• Encrypts DNS queries over TLS on TCP port 853
• standardized in RFC 7858
• supported by Android Private DNS, Stubby, and all major public resolvers
DNS over HTTPS (DoH, port 443)
GET/POST to https://cloudflare-dns.com/dns-query
• DNS transported over HTTPS on port 443
• defined in RFC 8484
• to a passive observer it looks like ordinary HTTPS; only the resolver's hostname or IP gives it away, which is also why DoH bypasses DNS-based filtering unless those endpoints are blocked
• deployed in Chrome, Firefox, and all major public resolvers
DNS over QUIC (DoQ, port 853 UDP)
kdig @9.9.9.9 example.com +quic
• DNS transported over QUIC on UDP port 853 (RFC 9250, 2022)
• offers TLS 1.3, 0-RTT resumption, and connection migration
• avoids TCP head-of-line blocking and needs fewer round trips to set up than DoT
• deployed by Quad9, Cloudflare
DNS Message ID
16-bit random query ID matched in response
• 16-bit identifier used to correlate responses to queries
• 65,536 values are too few on their own: the Kaminsky attack (2008) brute-forced the ID by flooding forged replies to queries for random names and then poisoned the whole zone through the additional section
• random source ports (RFC 5452) add roughly another 16 bits of entropy and substantially mitigate this; only DNSSEC validation closes the guessing game entirely
Truncation (TC flag)
UDP response with TC=1 triggers TCP retry
• When the response exceeds the advertised UDP payload size, the server sets TC and the client must retry the query over TCP
• a firewall that drops TCP/53 therefore breaks large (typically DNSSEC) answers silently; monitor the rate of truncated responses
DNS Compression
Pointer references earlier label occurrence in message
• Label compression in DNS messages reduces size by pointing to earlier occurrences of domain name labels
• part of original RFC 1035 spec
Multi-Packet TCP DNS (RFC 7766)
Persistent TCP connection with multiple query-response pairs
• Modernizes DNS over TCP
• recommends persistent connections and pipelining for efficiency
• enables multiple queries over single connection
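The rows above describe the message ID, the OPT pseudo-record, the TC flag and label compression in words; the following Python is an added example, not code from the cheat sheet, that builds and parses these structures with the standard library only (RFC 1035 wire format and RFC 6891 OPT). Everything below is constructed and nothing is sent on the network; the "drop / retry-tcp" decision logic is a simplified stub-resolver policy, not any particular resolver's implementation.

```python
import os
import struct

DO_BIT = 1 << 15          # DO flag is bit 15 of the OPT RR's 32-bit "TTL" field
TYPE_A, TYPE_OPT = 1, 41


def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels terminated by 0x00."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    if any(len(l) > 63 for l in labels):
        raise ValueError("label longer than 63 octets")
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, udp_payload: int = 1232, do: bool = True):
    """Return (message ID, query bytes). The ID is a random 16-bit value
    (RFC 5452); with a random source port it is all a stub has to match an
    answer against its question."""
    msg_id = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)  # RD=1, QD=1, AR=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    # OPT RR: owner "." (0x00), TYPE 41, CLASS = advertised UDP buffer size,
    # TTL field = ext-RCODE | version | DO | Z, RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, DO_BIT if do else 0, 0)
    return msg_id, header + question + opt


def read_name(data: bytes, offset: int):
    """Decode a possibly compressed name (RFC 1035 section 4.1.4) and return
    (name, offset just past it). A pointer (top two bits 11) must refer to an
    earlier offset; rejecting forward and self pointers stops pointer loops."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:
            target = ((length & 0x3F) << 8) | data[offset + 1]
            if target >= offset:
                raise ValueError("compression pointer does not point backwards")
            if not jumped:
                end, jumped = offset + 2, True
            offset = target
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def parse_message(data: bytes) -> dict:
    """Parse the header, question and all RR sections into plain Python values."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, records = 12, [], []
    for _ in range(qd):
        name, offset = read_name(data, offset)
        qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    for _ in range(an + ns + ar):
        name, offset = read_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        records.append((name, rtype, rclass, ttl, rdata))  # for OPT: rclass = UDP size, ttl holds DO
    return {"id": msg_id, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0xF, "questions": questions, "records": records}


def make_response(query: bytes, addresses, ttl: int = 300, tc: bool = False) -> bytes:
    """Constructed answer to `query`: same ID, question copied verbatim, and each
    A record's owner written as the 2-byte pointer 0xC00C (offset 12 = QNAME)."""
    msg_id = struct.unpack("!H", query[:2])[0]
    _, qend = read_name(query, 12)
    flags = 0x8180 | (0x0200 if tc else 0)            # QR, RD, RA (+ TC)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, len(addresses), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, ttl, 4)
                       + bytes(int(o) for o in a.split(".")) for a in addresses)
    return header + query[12:qend + 4] + answers


def accept_response(msg_id: int, wire: bytes):
    """Stub-resolver decision: drop anything whose ID does not match (the cheap
    half of the Kaminsky defence), retry over TCP when TC is set, else return it."""
    msg = parse_message(wire)
    if msg["id"] != msg_id:
        return "drop"
    if msg["tc"]:
        return "retry-tcp"
    return msg


if __name__ == "__main__":
    qid, q = build_query("example.com")
    print(accept_response(qid, make_response(q, ["192.0.2.10", "192.0.2.11"])))
    print(accept_response(qid, make_response(q, [], tc=True)))
```

The backwards-only pointer rule in read_name is the check worth copying: a message whose pointer references its own position, or a later one, is malformed, and parsers that follow such pointers blindly spin or recurse until they crash.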

Table 16: Advanced DNS Configurations

Production-grade DNS deployments go beyond simple zone hosting. Split-horizon, DNSSEC signing configurations, dynamic updates, and logging policies are the building blocks of a well-operated authoritative DNS service.

ConfigurationExampleDescription
BIND Named ACL
acl "internal" { 10.0.0.0/8; 192.168.0.0/16; };
• Named list of IP/CIDR ranges used to control access for queries, transfers, and updates
• reusable across multiple allow-* statements
BIND View Blocks
view "internal" { match-clients { internal; }; zone ... };
• Serves different zone content to different query sources
• implements split-horizon DNS with named match conditions
BIND Forwarders
forwarders { 8.8.8.8; 8.8.4.4; };
• Delegates unresolved queries to designated upstream servers
• forward only forces exclusive forwarding
• forward first falls back to recursion on failure
Dynamic DNS Update (RFC 2136)
nsupdate -k keyfile.key then update add host.example.com 60 A 10.0.0.5
• Allows authorized clients to modify zone records programmatically
• authenticate with TSIG (RFC 8945) or GSS-TSIG and scope rights with update-policy; an IP-based allow-update can be satisfied by a spoofed UDP source address
• used by DHCP servers, Kubernetes, and automation pipelines
DNSSEC Inline Signing (BIND)
zone "example.com" { type primary; file "example.com.db"; dnssec-policy "standard"; inline-signing yes; };
• BIND automatically signs zone data and maintains the RRSIG, NSEC/NSEC3 and DNSKEY records
• the unsigned zone file stays untouched; the signed copy is maintained internally
• simplifies DNSSEC operations
DNSSEC Policy (BIND, Knot)
BIND: dnssec-policy "standard" { keys { ksk lifetime P365D algorithm ecdsap256sha256; zsk lifetime P30D algorithm ecdsap256sha256; }; dnskey-ttl 3600; };
Knot: policy: - id: modern, algorithm: ecdsap256sha256, dnskey-ttl: 3600, ksk-lifetime: 365d, zsk-lifetime: 30d
• Declarative DNSSEC key lifecycle management
• defines algorithms, key sizes, TTLs, rotation schedules and CDS/CDNSKEY publication
• reduces manual key management; note that BIND has no standalone ksk-lifetime option, lifetimes are set per key inside the keys block
RPZ Response Policy Zones
zone "rpz.feed" { type secondary; primaries { 10.0.0.1; }; allow-query { none; }; }; plus response-policy { zone "rpz.feed"; }; in options (BIND 9.16+ syntax; slave/masters is still accepted)
• Locally maintained or externally fed policy zones used by BIND and Unbound (1.10+) as a DNS firewall
• rewrite or block resolution of listed domains, nameservers or answer IPs; keep the RPZ zone itself unqueryable and log hits so that blocks can be investigated
DNS Logging
logging { channel query-log { file "/var/log/named/queries.log" versions 5 size 100m; severity info; print-time yes; }; category queries { query-log; }; };
• Configures detailed query logging (add category query-errors for failures); query logging can also be toggled at runtime with rndc querylog
• essential for security monitoring, debugging, and audit trails, but high-volume and privacy-sensitive: rotate the files, restrict access and set a retention period
Minimal ANY Responses (RFC 8482)
dig ANY example.com → server returns a single synthetic HINFO or one RRset instead of everything it holds
• RFC 8482 allows servers to answer ANY with a minimal response
• shrinks the amplification factor of ANY-based reflection attacks (it does not stop reflection itself)
• most authoritative servers and large resolvers now implement this; do not rely on ANY for enumeration
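The logging row above says query logs are essential for security monitoring; the following Python is an added example, not code from the cheat sheet or from ISC, of what that monitoring can look like. It triages query-log lines for two abuse signals, long high-entropy subdomains concentrated under one base domain (a tunneling indicator) and ANY queries (amplification probing). The log lines are constructed to follow the layout BIND writes with print-time and print-category enabled, and the thresholds are assumptions to be tuned against real traffic.

```python
import math
import re
from collections import Counter, defaultdict

# Matches "client [@0x...] IP#port (qname): query: qname IN TYPE FLAGS (server)".
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[\da-fA-F.:]+)#\d+ \([^)]*\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+) \((?P<server>[^)]+)\)")


def _line(seq, ip, qname, qtype):
    """Build one constructed BIND query-log line (not captured from a real server)."""
    return (f"26-May-2026 10:15:{seq:02d}.000 queries: info: client @0x7f1a{seq:02x} "
            f"{ip}#{40000 + seq} ({qname}): query: {qname} IN {qtype} +E(0)K (10.0.0.1)")


# Constructed tunnel-style labels: 32 hex characters each, evenly distributed.
TUNNEL_LABELS = ["0123456789abcdef0123456789abcdef", "fedcba9876543210fedcba9876543210",
                 "02468ace13579bdf02468ace13579bdf", "13579bdf02468ace13579bdf02468ace",
                 "a1b2c3d4e5f60789a1b2c3d4e5f60789"]

SAMPLE_LOG = (
    # benign: several short hostnames under example.com (a CDN-like pattern)
    [_line(i, "192.0.2.10", f"{h}.example.com", "A")
     for i, h in enumerate(["www", "mail", "img1", "img2", "img3"])]
    # amplification probing: repeated ANY queries from one client
    + [_line(10 + i, "198.51.100.7", "example.net", "ANY") for i in range(2)]
    # tunnel-like: long random-looking labels under tun.example.org
    + [_line(20 + i, "203.0.113.5", f"{h}.tun.example.org", "TXT")
       for i, h in enumerate(TUNNEL_LABELS)]
)


def parse(lines):
    """Yield the named fields of every line that looks like a query-log entry."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def base_domain(qname):
    """Split into (last two labels, everything before them). A fixed two-label
    rule is a simplification; production code should use a public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def entropy(s):
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def triage(lines, min_unique=5, min_prefix_len=20, min_entropy=3.5):
    """Return a list of findings: one per client issuing ANY queries, and one per
    base domain whose distinct subdomain prefixes are numerous, long and random."""
    any_by_client = Counter()
    prefixes = defaultdict(set)
    clients_by_base = defaultdict(set)
    for q in parse(lines):
        if q["qtype"] == "ANY":
            any_by_client[q["ip"]] += 1
        base, prefix = base_domain(q["qname"])
        if prefix:
            prefixes[base].add(prefix)
            clients_by_base[base].add(q["ip"])
    findings = [{"signal": "any-query", "client": ip, "count": n}
                for ip, n in any_by_client.items()]
    for base, names in prefixes.items():
        if len(names) < min_unique:
            continue
        avg_len = sum(len(p) for p in names) / len(names)
        avg_entropy = sum(entropy(p.replace(".", "")) for p in names) / len(names)
        if avg_len >= min_prefix_len and avg_entropy >= min_entropy:
            findings.append({"signal": "possible-tunnel", "domain": base,
                             "unique_subdomains": len(names),
                             "clients": sorted(clients_by_base[base])})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The length and entropy gates together are what keep the CDN-like example.com traffic out of the findings; either alone produces noise, because legitimate hostnames can be numerous (short) or long (low entropy, such as product names).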

Table 17: DNS Protocol Enhancements and Modern Features

DNS protocol development is active: the 2020s brought encrypted transports from experimental to production-deployed, automated key management, zone integrity verification, and DDR for seamless upgrade paths. This table captures the most significant advances from 2019 to 2026.

FeatureExampleDescription
DoH (DNS over HTTPS)
Firefox resolves via a partner DoH provider by default in some regions; Chrome and Windows upgrade to DoH only when the already-configured resolver offers it
• RFC 8484 (2018)
• DNS embedded in HTTPS (port 443)
• the first encrypted DNS transport to reach end users at scale, because browsers shipped it
• now supported by all major browsers and public resolvers
DoT (DNS over TLS)
Android 9+ "Private DNS" setting uses DoT
• RFC 7858 (2016)
• dedicated TLS on port 853
• standard for Android Private DNS and native-OS encrypted DNS on Linux (systemd-resolved).
DoQ (DNS over QUIC)
Quad9 and Cloudflare answer DoQ on UDP port 853 (query it with kdig +quic)
• RFC 9250 (2022)
• DNS over QUIC transport (UDP 853)
• TLS 1.3, 0-RTT resumption, connection migration
• less head-of-line blocking than DoT
• growing deployment
DDR (Discovery of Designated Resolvers)
OS queries _dns.resolver.arpa SVCB to discover resolver's encrypted endpoints
• RFC 9462 (2023)
• clients automatically discover encrypted DNS support from their configured resolver via SVCB records
• enables transparent upgrade from plaintext to DoH/DoT/DoQ
DNSSEC Key Automation (CDS/CDNSKEY)
Parent registry polls the child apex (example.com CDS / CDNSKEY) and updates the DS set to match
• RFC 7344 / RFC 8078
• child publishes CDS/CDNSKEY records at its zone apex, signed with the current keys, signalling the DS state it wants
• parent verifies the signature chain and updates the delegation automatically
• eliminates manual registry portal interaction for KSK rollovers; a CDS with algorithm 0 (RFC 8078) requests removal of the DS, so the keys able to publish it must be well protected
ZONEMD (Zone Message Digest)
Root zone includes ZONEMD record with SHA-384 hash
• RFC 8976 (2021)
• cryptographic digest of entire zone at zone apex
• enables consumers of zone transfers or zone files to verify integrity
• root zone adopted 2023.
NSEC3 Parameter Hardening (RFC 9276)
NSEC3 record with iterations=0, salt=-
• RFC 9276 (2022) guidance: NSEC3 iterations MUST be 0, salt SHOULD be empty
• high iteration counts enable DoS without meaningful security benefit
• Google treats >100 iterations as broken DNSSEC
HTTPS/SVCB Records
Browser receives HTTPS hint enabling HTTP/3 on first connection
• RFC 9460 (2023)
• service binding records let a name advertise how to reach the service, replacing ad-hoc mechanisms such as Alt-Svc for the first connection and the abandoned ESNI record
• carry ALPNs, port, IPv4/IPv6 hints and the ECH configuration
• enable HTTP/3 upgrade signalling and alternative connection endpoints; in AliasMode an HTTPS record also gives the zone apex a CNAME-like alias
Extended DNS Errors (EDE)
SERVFAIL + EDE code 6 "DNSSEC Bogus"
• RFC 8914 (2020)
• EDNS0 option carrying additional error detail beyond 4-bit RCODE
• resolvers can explain why they returned SERVFAIL rather than just that they did
DNS Flag Day 2019
Non-EDNS-compliant servers began receiving EDNS queries; workarounds removed
• Industry-coordinated date when DNS software vendors dropped EDNS workarounds
• servers not properly handling EDNS OPT queries became unreachable
DNS Flag Day 2020
Default EDNS buffer size lowered to 1232 bytes; TCP/53 made mandatory
• Second industry-coordinated update
• addressed IP fragmentation of large UDP answers, which is both unreliable and usable for cache poisoning, by recommending a default EDNS buffer size of 1232 bytes
• requires authoritative servers and resolvers to support DNS over TCP so that truncated answers can be retried
DELEG Record (Draft)
example.com DELEG "alpn=dot ipv4hint=1.2.3.4 dohpath=/dns-query"
• Internet Draft
• proposes new record type providing enhanced delegation with encrypted resolver hints
• extends NS delegation to include transport and capability information
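The NSEC3 row above explains why RFC 9276 pins iterations to zero; the following Python is an added example, not code from the cheat sheet, that implements the NSEC3 hash of RFC 5155 section 5 (SHA-1 over the canonical owner name plus salt, re-hashed once per iteration) with base32hex output, and checks a zone's NSEC3PARAM values against RFC 9276. The salt and iteration count used in the test are the RFC 5155 Appendix A parameters; the validator work estimate is a lower bound stated as such.

```python
import base64
import hashlib

# base32 (RFC 4648) to base32hex alphabet translation for the hashed owner label.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical (lower-cased) wire form of an owner name, which is what NSEC3 hashes."""
    labels = [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str = "", iterations: int = 0) -> str:
    """Return the base32hex NSEC3 owner label for `name` (hash algorithm 1 = SHA-1).
    One SHA-1 is always computed; every extra iteration hashes digest || salt again,
    which is exactly the cost RFC 9276 wants removed. "-" is the empty-salt spelling."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii").lower()


def validator_work(iterations: int, proofs: int = 3) -> int:
    """Lower bound on SHA-1 invocations a validator spends on one NXDOMAIN answer:
    closest encloser, next closer and wildcard proofs each hash a name
    (iterations + 1) times; the closest-encloser search may hash more ancestors."""
    return (iterations + 1) * proofs


def check_nsec3param(iterations: int, salt_hex: str = "") -> list:
    """RFC 9276 findings for a zone's published NSEC3PARAM values (empty = compliant)."""
    findings = []
    if iterations > 0:
        findings.append(
            f"iterations={iterations}: RFC 9276 requires 0; a validator spends at least "
            f"{validator_work(iterations)} hashes per NXDOMAIN instead of {validator_work(0)}")
    if salt_hex not in ("", "-"):
        findings.append("salt is set: RFC 9276 says the salt SHOULD be empty, it adds no security")
    return findings


if __name__ == "__main__":
    # RFC 5155 Appendix A parameters: salt aabbccdd, 12 iterations, zone "example."
    print(nsec3_hash("example.", "aabbccdd", 12))
    print(check_nsec3param(12, "aabbccdd"))
    print(check_nsec3param(0, "-"))
```

Because the hash covers the lower-cased wire name, case differences in the query name never change the NSEC3 owner; a validator that hashes the name as typed would fail to match the proof.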

References

Official Documentation

  1. IETF RFC 1034 — Domain Concepts and Facilities: https://datatracker.ietf.org/doc/html/rfc1034
  2. IETF RFC 1035 — Domain Implementation and Specification: https://datatracker.ietf.org/doc/html/rfc1035
  3. IETF RFC 1876 — LOC Resource Record (Geographic Location): https://datatracker.ietf.org/doc/html/rfc1876
  4. IETF RFC 1995 — Incremental Zone Transfer (IXFR): https://datatracker.ietf.org/doc/html/rfc1995
  5. IETF RFC 1996 — NOTIFY: https://datatracker.ietf.org/doc/html/rfc1996
  6. IETF RFC 2136 — Dynamic Updates in DNS (DNS UPDATE): https://datatracker.ietf.org/doc/html/rfc2136
  7. IETF RFC 2181 — DNS Specification Clarifications: https://datatracker.ietf.org/doc/html/rfc2181
  8. IETF RFC 2308 — Negative Caching of DNS Queries: https://datatracker.ietf.org/doc/html/rfc2308
  9. IETF RFC 2535 — DNSSEC (original): https://datatracker.ietf.org/doc/html/rfc2535
  10. IETF RFC 2782 — SRV Service Location Records: https://datatracker.ietf.org/doc/html/rfc2782
  11. IETF RFC 3403 — NAPTR (Dynamic Delegation Discovery): https://datatracker.ietf.org/doc/html/rfc3403
  12. IETF RFC 4034 — DNSSEC Resource Records: https://datatracker.ietf.org/doc/html/rfc4034
  13. IETF RFC 4035 — DNSSEC Protocol Modifications: https://datatracker.ietf.org/doc/html/rfc4035
  14. IETF RFC 4255 — SSHFP Record: https://datatracker.ietf.org/doc/html/rfc4255
  15. IETF RFC 4398 — CERT Resource Record: https://datatracker.ietf.org/doc/html/rfc4398
  16. IETF RFC 5011 — Automated Updates of DNSSEC Trust Anchors: https://datatracker.ietf.org/doc/html/rfc5011
  17. IETF RFC 5155 — NSEC3 Hashed Authenticated Denial of Existence: https://datatracker.ietf.org/doc/html/rfc5155
  18. IETF RFC 5452 — DNS Source Port Randomization: https://datatracker.ietf.org/doc/html/rfc5452
  19. IETF RFC 5936 — AXFR Zone Transfer: https://datatracker.ietf.org/doc/html/rfc5936
  20. IETF RFC 6672 — DNAME Redirection in DNS: https://datatracker.ietf.org/doc/html/rfc6672
  21. IETF RFC 6698 — TLSA / DANE: https://datatracker.ietf.org/doc/html/rfc6698
  22. IETF RFC 6840 — DNSSEC Operations Clarifications: https://datatracker.ietf.org/doc/html/rfc6840
  23. IETF RFC 6891 — EDNS0 (Extension Mechanisms for DNS): https://datatracker.ietf.org/doc/html/rfc6891
  24. IETF RFC 7344 — Automated Updates of DNSSEC Delegation Trust (CDS): https://datatracker.ietf.org/doc/html/rfc7344
  25. IETF RFC 7477 — CSYNC Child-to-Parent Synchronization: https://datatracker.ietf.org/doc/html/rfc7477
  26. IETF RFC 7553 — URI Resource Record: https://datatracker.ietf.org/doc/html/rfc7553
  27. IETF RFC 7766 — DNS over TCP (updated): https://datatracker.ietf.org/doc/html/rfc7766
  28. IETF RFC 7816 — QNAME Minimization: https://datatracker.ietf.org/doc/html/rfc7816
  29. IETF RFC 7858 — DNS over TLS (DoT): https://datatracker.ietf.org/doc/html/rfc7858
  30. IETF RFC 7873 — DNS Cookies: https://datatracker.ietf.org/doc/html/rfc7873
  31. IETF RFC 7929 — OPENPGPKEY Record: https://datatracker.ietf.org/doc/html/rfc7929
  32. IETF RFC 8078 — Managing DS Records from the Parent via CDS/CDNSKEY: https://datatracker.ietf.org/doc/html/rfc8078
  33. IETF RFC 8162 — SMIMEA Record for S/MIME Certs: https://datatracker.ietf.org/doc/html/rfc8162
  34. IETF RFC 8198 — Aggressive Use of DNSSEC-Validated Cache: https://datatracker.ietf.org/doc/html/rfc8198
  35. IETF RFC 8460 — SMTP TLS Reporting: https://datatracker.ietf.org/doc/html/rfc8460
  36. IETF RFC 8461 — MTA-STS (SMTP MTA Strict Transport Security): https://datatracker.ietf.org/doc/html/rfc8461
  37. IETF RFC 8482 — Minimal Responses to DNS Queries: https://datatracker.ietf.org/doc/html/rfc8482
  38. IETF RFC 8484 — DNS over HTTPS (DoH): https://datatracker.ietf.org/doc/html/rfc8484
  39. IETF RFC 8767 — Serving Stale Data to Improve DNS Resiliency: https://datatracker.ietf.org/doc/html/rfc8767
  40. IETF RFC 8914 — Extended DNS Errors (EDE): https://datatracker.ietf.org/doc/html/rfc8914
  41. IETF RFC 8945 — TSIG (Transaction Signatures): https://datatracker.ietf.org/doc/html/rfc8945
  42. IETF RFC 8976 — ZONEMD (Message Digest for DNS Zones): https://datatracker.ietf.org/doc/html/rfc8976
  43. IETF RFC 9250 — DNS over Dedicated QUIC Connections (DoQ): https://datatracker.ietf.org/doc/html/rfc9250
  44. IETF RFC 9276 — Guidance for NSEC3 Parameter Settings: https://datatracker.ietf.org/doc/html/rfc9276
  45. IETF RFC 9460 — SVCB and HTTPS Resource Records: https://datatracker.ietf.org/doc/html/rfc9460
  46. IETF RFC 9462 — Discovery of Designated Resolvers (DDR): https://datatracker.ietf.org/doc/html/rfc9462
  47. IANA DNS Parameters Registry: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml
  48. IANA Root Servers: https://www.iana.org/domains/root/servers
  49. BIND 9 Documentation (ISC): https://bind9.readthedocs.io/en/latest/
  50. BIND 9 ARM — Zone Configuration Reference: https://bind9.readthedocs.io/en/latest/reference.html
  51. BIND 9 DNSSEC Guide: https://bind9.readthedocs.io/en/latest/dnssec-guide.html
  52. BIND 9 delv Man Page: https://bind9.readthedocs.io/en/latest/manpages.html#delv-dns-lookup-and-validation
  53. Unbound DNS Documentation (NLnet Labs): https://unbound.docs.nlnetlabs.nl/en/latest/
  54. Knot DNS Documentation: https://www.knot-dns.cz/docs/latest/html/
  55. Knot Resolver Documentation: https://knot-resolver.readthedocs.io/en/stable/
  56. kdig Man Page (Knot DNS Utils): https://www.knot-dns.cz/docs/latest/html/man_kdig.html
  57. PowerDNS Documentation: https://doc.powerdns.com/
  58. PowerDNS Recursor Documentation: https://doc.powerdns.com/recursor/
  59. drill Man Page (NLnet Labs): https://nlnetlabs.nl/documentation/ldns/man/drill.html
  60. ISC DNS Security / RPZ: https://www.isc.org/rpz/
  61. dnsrpz.info — RPZ Community Resource: https://dnsrpz.info/
  62. IETF Draft DELEG Record: https://datatracker.ietf.org/doc/draft-dnsop-deleg/
  63. IETF RFC 4025 — IPSECKEY Resource Record: https://datatracker.ietf.org/doc/html/rfc4025
  64. Let's Encrypt CAA Record Guide: https://letsencrypt.org/docs/caa/
  65. BIMIGROUP — BIMI Standard: https://bimigroup.org/
  66. Microsoft Windows Server DNS Zone Types: https://learn.microsoft.com/en-us/windows-server/networking/dns/zone-types
  67. Microsoft nslookup Documentation: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/nslookup
  68. Azure Private DNS Resolver Architecture: https://learn.microsoft.com/en-us/azure/dns/private-resolver-architecture
  69. AWS Route 53 DNS Routing Policies: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy-latency.html
  70. AWS Route 53 DNS Failover: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover.html
  71. AWS Route 53 Weighted Routing: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy-weighted.html
  72. GRC DNS Benchmark: https://www.grc.com/dns/benchmark.htm
  73. Mozilla MDN — DNS Prefetching: https://developer.mozilla.org/en-US/docs/Web/Performance/Guides/dns-prefetch
  74. Mozilla MDN — Subdomain Takeover: https://developer.mozilla.org/en-US/docs/Web/Security/Subdomain_takeovers
  75. Wireshark Official Site: https://www.wireshark.org/

Technical Blogs & Tutorials

  1. Cloudflare Learning — What is DNS?: https://www.cloudflare.com/learning/dns/what-is-dns/
  2. Cloudflare Learning — DNS A Record: https://www.cloudflare.com/learning/dns/dns-records/dns-a-record/
  3. Cloudflare Learning — AAAA Record: https://www.cloudflare.com/learning/dns/dns-records/dns-aaaa-record/
  4. Cloudflare Learning — CNAME Record: https://www.cloudflare.com/learning/dns/dns-records/dns-cname-record/
  5. Cloudflare Learning — MX Record: https://www.cloudflare.com/learning/dns/dns-records/dns-mx-record/
  6. Cloudflare Learning — TXT Record: https://www.cloudflare.com/learning/dns/dns-records/dns-txt-record/
  7. Cloudflare Learning — NS Record: https://www.cloudflare.com/learning/dns/dns-records/dns-ns-record/
  8. Cloudflare Learning — PTR Record: https://www.cloudflare.com/learning/dns/dns-records/dns-ptr-record/
  9. Cloudflare Learning — SOA Record: https://www.cloudflare.com/learning/dns/dns-records/dns-soa-record/
  10. Cloudflare Learning — CAA Record (via letsencrypt): https://letsencrypt.org/docs/caa/
  11. Cloudflare Learning — How DNSSEC Works: https://www.cloudflare.com/learning/dns/dnssec/how-dnssec-works/
  12. Cloudflare Learning — DNS Cache Poisoning: https://www.cloudflare.com/learning/dns/dns-cache-poisoning/
  13. Cloudflare Learning — DNS Security: https://www.cloudflare.com/learning/dns/dns-security/
  14. Cloudflare Learning — DNS over TLS: https://www.cloudflare.com/learning/dns/dns-over-tls/
  15. Cloudflare Learning — Recursive DNS: https://www.cloudflare.com/learning/dns/what-is-recursive-dns/
  16. Cloudflare Learning — DNS Server Types: https://www.cloudflare.com/learning/dns/dns-server-types/
  17. Cloudflare Learning — Root Servers: https://www.cloudflare.com/learning/dns/glossary/dns-root-server/
  18. Cloudflare Learning — Reverse DNS: https://www.cloudflare.com/learning/dns/glossary/reverse-dns/
  19. Cloudflare Learning — Primary/Secondary DNS: https://www.cloudflare.com/learning/dns/glossary/primary-secondary-dns/
  20. Cloudflare Learning — Round-Robin DNS: https://www.cloudflare.com/learning/dns/glossary/round-robin-dns/
  21. Cloudflare Learning — DNS Amplification DDoS: https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/
  22. Cloudflare Learning — BGP Hijacking: https://www.cloudflare.com/learning/security/glossary/bgp-hijacking/
  23. Cloudflare Learning — Anycast: https://www.cloudflare.com/learning/cdn/glossary/anycast-network/
  24. Cloudflare Blog — DNSSEC Done Right: https://blog.cloudflare.com/dnssec-done-right/
  25. Cloudflare Blog — DNS over QUIC Deployment: https://blog.cloudflare.com/dns-over-quic-with-1dot1dot1dot1/
  26. Cloudflare Blog — .de TLD DNSSEC Outage May 2026: https://blog.cloudflare.com/de-tld-outage-dnssec/
  27. Cloudflare Learning — SPF Record: https://www.cloudflare.com/learning/email-security/what-is-an-spf-record/
  28. Cloudflare Learning — DKIM Record: https://www.cloudflare.com/learning/email-security/what-is-a-dkim-record/
  29. Cloudflare Learning — DMARC: https://www.cloudflare.com/learning/email-security/what-is-dmarc/
  30. Palo Alto Networks — DNS Tunneling: https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
  31. Palo Alto Networks — DNS Rebinding: https://www.paloaltonetworks.com/cyberpedia/what-is-dns-rebinding
  32. Palo Alto Networks — Fast-Flux DNS: https://unit42.paloaltonetworks.com/fast-flux-101-how-cybercriminals-improve-the-resiliency-of-their-infrastructure/
  33. IBM Think — DNS Zones and Zone Files: https://www.ibm.com/think/topics/dns-zone
  34. IBM Think — DNS TTL: https://www.ibm.com/think/topics/time-to-live
  35. Varonis — DNS TTL Explained: https://www.varonis.com/blog/dns-ttl
  36. Varonis Blog — TTL for Deployments: https://www.varonis.com/blog/dns-ttl
  37. BigRock Blog — Recursive vs Iterative DNS: https://www.bigrock.in/blog/products/domains/recursive-vs-iterative-dns
  38. PowerDMARC — What is DNS Forwarding: https://powerdmarc.com/what-is-dns-forwarding/
  39. Tailscale — Why Split DNS: https://tailscale.com/learn/why-split-dns
  40. A10 Networks — NXDOMAIN Attack Explained: https://www.a10networks.com/blog/dns-nxdomain-flood/
  41. ControlD Blog — DNS Response Codes: https://controld.com/blog/dns-return-codes/
  42. NS1 — What is GeoDNS: https://ns1.com/resources/what-is-geodns
  43. DNSimple — ALIAS Record: https://support.dnsimple.com/articles/alias-record/
  44. Quad9 Blog — DNS over QUIC and DNS over HTTP/3: https://quad9.net/news/blog/quad9-enables-dns-over-http-3-and-dns-over-quic/
  45. APNIC Blog — DDR Discovery of Designated Resolvers: https://blog.apnic.net/2024/01/16/discovery-of-designated-resolvers/
  46. APNIC Blog — DNSSEC NSEC3 parameter security: https://blog.apnic.net/2022/10/26/nsec3-hardening/
  47. APNIC Blog — QNAME Minimisation and Privacy: https://blog.apnic.net/2020/09/04/qname-minimisation/
  48. RIPE Labs — NSEC3 Hash Iterations in the Wild: https://labs.ripe.net/author/peter_spacek/nsec3-hash-iterations-in-the-wild/
  49. RIPE Labs — DNS Flag Day 2020: https://labs.ripe.net/author/suzanne_taylor_muzzin/dns-flag-day-2020/
  50. Verisign Blog — ZONEMD Added to Root Zone: https://blog.verisign.com/security/verisign-adds-zone-digest-zonemd-to-root-zone/
  51. Verisign Blog — Root KSK-2024 Rollover: https://blog.verisign.com/domain-names/root-ksk-rollover/
  52. ISC Blog — Serve Stale Data: https://www.isc.org/blogs/serve-stale/
  53. ISC Blog — DNSSEC Key Rollover Best Practices: https://www.isc.org/blogs/dnssec-key-rollover/
  54. Krebs on Security — DNS Hijacking Explained: https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/
  55. SANS Internet Storm Center — DNS Security: https://isc.sans.edu/forums/diary/DNS+Security+Primer/
  56. CISA — DNS Infrastructure Tampering Alert: https://www.cisa.gov/news-events/alerts/2019/01/24/dns-infrastructure-tampering
  57. Dnsflagday.net — DNS Flag Day 2019: https://dnsflagday.net/2019/
  58. Dnsflagday.net — DNS Flag Day 2020: https://dnsflagday.net/2020/
  59. IETF Blog — HTTPS/SVCB Records Deployment: https://www.ietf.org/blog/svcb-https/
  60. NLnet Labs Blog — NSEC3 Iteration Count Guidance: https://www.nlnetlabs.nl/blog/2022/06/08/nsec3-insecure-opt-out/
  61. Systemd Documentation — resolvectl: https://www.freedesktop.org/software/systemd/man/latest/resolvectl.html
  62. What's My DNS — Propagation Checker: https://www.whatsmydns.net/
  63. ICANN WHOIS Lookup: https://lookup.icann.org/
  64. Qualys SSL Labs — DANE Checker: https://www.ssllabs.com/ssltest/
  65. DNSVIZ — DNSSEC Visualization Tool: https://dnsviz.net/
  66. Zonemaster DNS Testing Tool: https://zonemaster.net/
  67. MXToolbox DNS & Email Lookup: https://mxtoolbox.com/

GitHub Repositories & Code Examples

  1. ISC BIND 9 GitHub Repository: https://github.com/isc-projects/bind9
  2. NLnet Labs Unbound GitHub: https://github.com/NLnetLabs/unbound
  3. Knot Resolver GitHub (CZ.NIC): https://github.com/CZ-NIC/knot-resolver
  4. PowerDNS GitHub Repository: https://github.com/PowerDNS/pdns
  5. getdns API Library (DNS with TLS/QUIC): https://github.com/getdnsapi/getdns
  6. dnspython Library (Python DNS toolkit): https://github.com/rthalley/dnspython
  7. Miek Gieben — Go DNS Library (miekg/dns): https://github.com/miekg/dns
  8. CoreDNS (Cloud-native DNS server): https://github.com/coredns/coredns
  9. Hickory DNS (formerly Trust-DNS) Rust DNS Library: https://github.com/hickory-dns/hickory-dns
  10. Pi-hole DNS Sinkhole: https://github.com/pi-hole/pi-hole
  11. ZDNS — Fast DNS Scanner: https://github.com/zmap/zdns
  12. Subfinder — Subdomain Discovery: https://github.com/projectdiscovery/subfinder
  13. dns2tcp — DNS Tunneling Tool: https://github.com/alex-sector/dns2tcp
  14. Fierce DNS Recon Tool: https://github.com/mschwager/fierce

Academic Papers

  1. Kaminsky, D. — "It's the End of the Cache as We Know It" (Black Hat 2008): https://www.blackhat.com/presentations/bh-jp-08/bh-jp-08-Kaminsky/BlackHat-Japan-08-Kaminsky-DNS08-BlackOps.pdf
  2. Herzberg & Shulman — "Fragmentation Considered Poisonous" (CCS 2013): https://www.cs.huji.ac.il/~shunter/pubs/fragmentation-poisonous-ccs13.pdf
  3. Brandt et al. — "Domain Validation++ For MitM-Resilient PKI" (CCS 2018): https://dl.acm.org/doi/10.1145/3243734.3243790
  4. Nosyk et al. — "The Reality of DNSSEC Deployments" (IMC 2022): https://dl.acm.org/doi/10.1145/3517745.3561427
  5. Müller et al. — "Rolling with Confidence: Managing DNSSEC Key Rollovers" (PAM 2019): https://link.springer.com/chapter/10.1007/978-3-030-15986-3_1
  6. Singanamalla et al. — "Oblivious DNS over HTTPS" (PETS 2021): https://petsymposium.org/2021/files/papers/issue4/popets-2021-0075.pdf
  7. Bernstein et al. — "High-Speed High-Security Signatures" (CHES 2011): https://eprint.iacr.org/2011/368.pdf
  8. Shulman & Waidner — "One Key to Sign Them All Considered Vulnerable" (USENIX NSDI 2017): https://www.usenix.org/system/files/conference/nsdi17/nsdi17-shulman.pdf
  9. Ruohonen — "Fast Flux Networks" (arXiv 2021): https://arxiv.org/abs/2108.09498
  10. Houser et al. — "An Investigation on Information Leakage of DNS over TLS" (CoNEXT 2019): https://dl.acm.org/doi/10.1145/3359989.3365430
  11. Zhu et al. — "Connection-Oriented DNS to Improve Privacy and Security" (IEEE S&P 2015): https://ieeexplore.ieee.org/document/7163065

Video Resources

  1. Cloudflare — How DNS Works (YouTube): https://www.youtube.com/watch?v=nyH0nYhMW9M
  2. NetworkChuck — DNS Explained (YouTube): https://www.youtube.com/watch?v=Wj0od2ag5sk
  3. PowerCert — DNS Explained in 100 Seconds (YouTube): https://www.youtube.com/watch?v=UVR9lhUGAyU
  4. IETF — DNS over QUIC (RFC 9250) Explained: https://www.youtube.com/watch?v=dj1VPAleqDs
  5. Professor Messer — DNS for CompTIA (YouTube): https://www.youtube.com/watch?v=ol6RCmDM4gE
  6. LiveOverflow — DNS Cache Poisoning Attack (YouTube): https://www.youtube.com/watch?v=ueJMzHoXOqo
  7. DNS-OARC — DNS OARC 2024 Workshop Videos: https://www.youtube.com/c/DNSOARC
  8. NANOG — NANOG 93 DNS Talks: https://www.nanog.org/events/nanog-93/

Industry Best Practice Guides & Books

  1. NIST SP 800-81-2 — Secure DNS Deployment Guide: https://csrc.nist.gov/publications/detail/sp/800-81/2/final
  2. ICANN DNSSEC Deployment Initiative: https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en
  3. ICANN Best Practices for Zone Management: https://www.icann.org/resources/pages/zone-management-best-practices
  4. DNSSEC For Dummies — Nominet: https://www.nominet.uk/resources/technology/dnssec/
  5. CIS Controls — DNS Filtering: https://www.cisecurity.org/controls/
  6. Paul Albitz & Cricket Liu — "DNS and BIND" (O'Reilly): https://www.oreilly.com/library/view/dns-and-bind/9781449308025/
  7. ISC DNS Security Recommendations: https://www.isc.org/dns-security/
  8. ENISA — Improving DNS Security: https://www.enisa.europa.eu/publications/improving-dns-security
  9. M3AAWG — Email Authentication Best Practices: https://www.m3aawg.org/sites/default/files/m3aawg_sender_best_comm_practices-2015-04.pdf
  10. CISA — Encrypted DNS Deployment Guide: https://www.cisa.gov/sites/default/files/2023-01/CISA_Encrypted_DNS_Deployment_Guide.pdf

Other

  1. Root Servers.net — Root Server Technical Operations: https://root-servers.org/
  2. DNS Flag Day Website — 2019 and 2020 Events: https://dnsflagday.net/
  3. DNSSEC Deployment Survey — APNIC: https://stats.labs.apnic.net/dnssec
  4. DNS Privacy Project (dnsprivacy.org): https://dnsprivacy.org/
  5. Stubby — DNS Privacy Daemon (DoT): https://dnsprivacy.org/dns_privacy_daemon_-_stubby/
  6. Systemd-resolved Configuration Guide: https://systemd.io/RESOLVED-VPNS/
  7. ICANN CZDS — Centralized Zone Data Service: https://czds.icann.org/
  8. Root Zone DNSSEC Trust Anchor — IANA: https://www.iana.org/dnssec/files
  9. Verisign Root Zone Management: https://www.verisign.com/en_US/domain-names/dns-infrastructure/root-zone-management/index.xhtml
  10. DKIM.org — DKIM Signing Standard: http://www.dkim.org/
  11. SPF Project (openspf.org archived): http://www.open-spf.org/
  12. Open Resolver Project: https://openresolverproject.org/
  13. Internet Society — DNSSEC Deployment Maps: https://www.internetsociety.org/deploy360/dnssec/
  14. Cloudflare Radar — DNS Statistics: https://radar.cloudflare.com/
  15. APNIC DNS Measurement Data: https://stats.labs.apnic.net/