Configuring and Testing DNS
In the Interacting With HE Hosting article I showed that a domain name and the Domain Name System (DNS) aren't necessary to create and view a website. But if human beings are the target audience, eventually the site will need a domain name.
In this article I go over DNS basics and troubleshooting techniques.
DNS Basics
DNS is a system for attaching information to a domain name. Its main use, and the one most people are familiar with, is to convert a human-friendly domain name, like www.he.net, into a computer-friendly IP address, such as 216.218.186.2.
Remember that a domain name isn't necessary. We could type http://216.218.186.2 into the browser URL bar, except that numbers are hard to remember. In fact, I had to use DNS just now to find that IP address so that I could type it. Welcome to the Domain Name System.
When I type into the browser URL bar http://www.he.net the browser silently uses DNS to find the IP address it should send requests to.
Common Record Types
DNS is made up of DNS records. Each record has a type and each type has a purpose. There are many types and additional types are specified as time goes on.
The most common record types are:
- A
- AAAA
- MX
- TXT
A
A records are the type discussed above. They map a domain name to an IPv4 address. The value of an A record is an IPv4 address.
A Record Example
he.net. 86400 IN A 216.218.248.2
AAAA
AAAA (pronounced Quad-A) records are basically the same as A records. They map a domain name to an IPv6 address. An IPv6-only user will use this record, and if one doesn't exist then the site isn't IPv6-capable and the user cannot connect. IPv6 users tend to run dual-stack, which means they are both IPv6- and IPv4-capable, so that they can fall back to using the A record if a AAAA record doesn't exist. The value of a AAAA record is an IPv6 address.
AAAA Record Example
he.net. 86400 IN AAAA 2001:470:0:76::2
MX
Mail exchange records specify the domain name of the host that mail for a domain should be delivered to. Domains aren't required to use the same server for web as for mail. Actually, there are numerous advantages to having one server handle mail and another handle web hosting. The value of an MX record is a domain name, preceded by a priority. It is possible to specify more than one MX record and prioritize them.
MX Record Example
he.net. 86400 IN MX 1 he.net.
TXT
Text records are for storing text. They are basic, yet powerful. TXT records are used for specifying configurations such as SPF, DKIM, and DMARC. They are also used to prove control of a domain (domain verification). The value of a TXT record is a string.
TXT Record Example
he.net. 86400 IN TXT "v=spf1 mx a include:_prefixes.he.net a:mailhost.lightning.net a:admin.he.net a:corp.he.net a:tickets.he.net a:abuse.he.net a:ipv6.he.net a:tunnelbroker.net ip4:64.71.139.96/27 ip4:216.218.186.2 ip6:2001:470:0::/48 ~all"
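As an added example (this is not code from the article or from HE), here is a small Python parser for the SPF record shown above. It splits the record into qualifier/mechanism/argument terms and counts the mechanisms that cost a DNS lookup, which RFC 7208 limits to 10 per check (the terms inside any included record count too). The record string is the one from the example above.

```python
import re

# Mechanisms/modifiers that trigger a DNS lookup when evaluated; RFC 7208
# section 4.6.4 allows at most 10 of them per check, counting the terms of
# any included record as well. ip4, ip6 and all are free.
LOOKUP_TERMS = {"mx", "a", "include", "exists", "ptr", "redirect"}
TERM_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_.-]*)(?:[:=](.*))?$")

# Copied from the he.net TXT record example above.
HE_SPF = ("v=spf1 mx a include:_prefixes.he.net a:mailhost.lightning.net "
          "a:admin.he.net a:corp.he.net a:tickets.he.net a:abuse.he.net "
          "a:ipv6.he.net a:tunnelbroker.net ip4:64.71.139.96/27 "
          "ip4:216.218.186.2 ip6:2001:470:0::/48 ~all")

def parse_spf(txt):
    """Split an SPF TXT value into (qualifier, mechanism, argument) tuples."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1 version tag")
    terms = []
    for tok in parts[1:]:
        qualifier = "+"                      # default qualifier is Pass
        if tok[0] in "+-~?":
            qualifier, tok = tok[0], tok[1:]
        m = TERM_RE.match(tok)
        if not m:
            raise ValueError(f"malformed SPF term: {tok!r}")
        terms.append((qualifier, m.group(1).lower(), m.group(2) or ""))
    return terms

def spf_report(txt):
    """Summarise a record: lookup budget used and the verdict for unlisted senders."""
    terms = parse_spf(txt)
    lookups = sum(1 for _, mech, _ in terms if mech in LOOKUP_TERMS)
    final = next(((q, m) for q, m, _ in terms if m == "all"), None)
    policy = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}
    return {
        "terms": len(terms),
        "lookups": lookups,
        "over_limit": lookups > 10,
        "unlisted_senders": policy[final[0]] if final else "neutral (no 'all' term)",
    }

if __name__ == "__main__":
    print(spf_report(HE_SPF))
```

The he.net record uses exactly 10 lookup terms before its include is even expanded, so any lookups inside _prefixes.he.net push it over the limit; that is the kind of check worth running before publishing an SPF record.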
Time-To-Live (TTL)
DNS records don't change much, so resolving a record again after it has already been resolved would be a waste of time and bandwidth. DNS caches aggressively to reduce the amount of computing power required to run the system and to improve load times for the end user. Time-To-Live is the number of seconds a record is allowed to remain cached before the answer must be checked for changes.
The TTL can be set for each record. In the following record the TTL is 86,400 seconds (24 hours).
he.net. 86400 IN A 216.218.248.2
As an example, if I were to change the value of the record from 216.218.248.2 to 127.0.0.1, then for the next 24 hours a lookup could return 216.218.248.2 (if a cache already holds the old answer) or 127.0.0.1 (if the record hasn't been looked up and cached before). Users could see the old site or the new site for the next 24 hours.
That is why DNS TTLs are ALWAYS lowered to 300 (5 minutes) or less and then allowed to expire before making any changes. The correct process for changing the A record value is:
- Lower the TTL from 24 hours to 5 minutes.
- Wait 24 hours for cached answers to expire.
- Change the value from 216.218.248.2 to 127.0.0.1.
- When everything is working and there are no more pending changes, raise the TTL back to 24 hours.
By lowering the TTLs and allowing the previously cached values to expire, changes take at most 5 minutes to propagate. Any changes are seen quickly, and a mistake doesn't bring down the site for 24 hours because a bad record was cached.
Nameservers
DNS records for a domain can exist in multiple places. A domain has a set of nameservers that are authoritative. When a DNS resolver needs to look up a record for a domain, it asks one of the authoritative nameservers. Authoritative nameservers will only answer queries pertaining to domains they are authoritative for.
Caching nameservers perform a different job. They store answers for the TTL period. By placing a caching nameserver near a group of computers, those computers can all get fast responses. And if one computer queries for a record that another has already queried for, the caching nameserver will already have the answer. The caching nameserver only needs to go to the authoritative nameserver for an answer if it doesn't already have it, or if the TTL has expired and the answer needs to be refreshed.
So domains, like example.com, have authoritative nameservers, and those are set at the domain's registrar. Computers, like the one you are on right now, have caching nameservers that they use for queries.
HE operates authoritative nameservers for its free dns.he.net service. They are:
- ns1.he.net
- ns2.he.net
- ns3.he.net
- ns4.he.net
- ns5.he.net
The owner of example.com might decide to use HE as their DNS provider and change the authoritative nameservers at their registrar to as many of the above as allowed. One is all that is needed, but having more provides redundancy.
You might decide to use HE's free caching nameserver and set your computer's DNS to 74.82.42.42. Then, when you visit example.com, your computer asks 74.82.42.42 (its caching DNS server) for the IP address of example.com. 74.82.42.42 sees that it doesn't have that answer cached. So it looks up which nameservers are authoritative for example.com and finds that they are ns1.he.net through ns5.he.net. It then queries ns1.he.net for example.com's IP address and stores the answer in its cache for any other computers that ask the same question.
Querying DNS
There are many tools available for performing DNS lookups.
Tools
Websites exist for checking DNS records; however, they are inflexible and might not give the same result as your own computer. It is better to learn to use command line tools. dig is my favorite and comes standard on many platforms. nslookup and host are two other popular utilities.
Using Command Line
dig is by far the most powerful and the easiest to use. nslookup and host exist largely for legacy reasons. Just use dig.
dig
I want to check how my computer resolves he.net into an IPv4 address.
$ dig he.net A
; <<>> DiG 9.9.5-3ubuntu0.19-Ubuntu <<>> he.net A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49566
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;he.net. IN A
;; ANSWER SECTION:
he.net. 86397 IN A 216.218.186.2
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Mar 19 08:15:19 PDT 2019
;; MSG SIZE rcvd: 40
Configuring Website DNS
DNS doesn't change much, so it is heavily cached. Always lower TTLs and wait for the previous TTLs to expire before making changes to DNS.
Troubleshooting DNS
Troubleshooting DNS is easy. Use a DNS lookup tool to query DNS records and verify that the records match your expectations. There are a few key DNS concepts to keep in mind.
- DNS relies heavily on caching. Know whether a result is a cached result or a fresh one.
- DNS responsibilities are delegated to an authoritative source. Understand which DNS servers are authoritative for a domain and how to query them directly.
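To make the cached-versus-authoritative distinction concrete, here is an added Python example (not code from the article or from HE) that encodes a DNS query and parses a response in the wire format defined by RFC 1035. The responses are constructed inline: the same he.net A answer once as a caching resolver would return it (AA flag clear, TTL already counting down, as in the dig output above) and once as an authoritative server would (AA flag set, full TTL).

```python
import struct

def build_query(name, qtype=1, qid=0x1234):
    """Encode a DNS query (RFC 1035 section 4.1) for name; qtype 1 = A, 28 = AAAA."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # flags: RD only
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def build_a_response(query, ip, ttl, authoritative):
    """Constructed reply with one A record; AA is set only by an authoritative server."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0400 if authoritative else 0)   # QR + RD + RA (+ AA)
    header = struct.pack("!HHHHHH", qid, flags, 1, 1, 0, 0)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4)   # name = pointer to offset 12
    return header + query[12:] + rr + bytes(int(o) for o in ip.split("."))

def read_name(msg, off):
    """Decode a possibly compressed domain name; returns (name, offset after it)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # pointer into an earlier name
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        elif n == 0:
            return ".".join(labels) + ".", (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode()); off += n + 1

def parse_response(msg):
    """Return the header flags and the answer section as (name, type, ttl, value)."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": qid, "rcode": flags & 0xF, "aa": bool(flags & 0x0400), "answers": []}
    off = 12
    for _ in range(qd):                           # skip the echoed question
        _, off = read_name(msg, off); off += 4
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 else rdata.hex()
        info["answers"].append((name, rtype, ttl, value))
    return info

def source_of_answer(info, zone_ttl):
    """AA set: straight from the zone; TTL below the configured one: served from a cache."""
    if info["aa"]:
        return "authoritative"
    return "cached" if min(a[2] for a in info["answers"]) < zone_ttl else "resolver"
```

The constructed reply is 40 bytes, the same size dig reported above for this query, and a TTL of 86397 against a configured 86400 is the tell-tale sign of an answer served from a cache rather than from the zone.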
DNS Lookup Tools
dig, host, and nslookup are popular command line tools for querying DNS servers. I prefer `dig` for its flexibility.
Common DNS Errors
The bare minimum records are:
- AAAA records
- A records
- NS records
Domains that send email should also have:
- MX records
- TXT SPF record
- TXT DMARC record
- TXT DKIM records
Online Tools
There are many websites that can assist with debugging DNS by reporting detailed information about a website's DNS records.