A Quick Overview of the Top Seven DNS Record Types
If you're new to DNS (and/or passive DNS), you may need a little backfill to help you quickly come up-to-speed. An example of this is the topic of DNS record types. While there are many complex and obscure DNS record types, many may not be familiar with even the most common record types.
This blog article is meant to quickly introduce seven of the most commonly encountered DNS record types.
What we cover today will be old news to experts, but hopefully helpful to at least some of our newer users.
So what are the "top seven" DNS record types? Let's go through my picks…
(1) "A" Records: These records map domain names to traditional (IPv4) "dotted quad" addresses. For example:
www.farsightsecurity.com. 3600 IN A 126.96.36.199
To keep this short and simple, we won't spend time explaining how to look up "A" records, nor how to interpret things like the "3600" in the middle of that record. For now, we just want you to think, 'An "A" record maps the domain name (that's on the left-hand side of the record) to an IPv4 address (that's on the right-hand side of the DNS record)'.
(2) "AAAA" Records: "quad A" records map domain names to IPv6 addresses.
Why do we need IPv6 addresses? Well, the Internet is beginning to use IPv6 addresses because the available supply of available IPv4 addresses is now largely "used up" (aka assigned/allocated). Continued Internet growth requires a supply of new IP addresses. Fortunately, IPv6 addresses (as well as other technologies, such as NAT) are helping to meet the Internet's demand for additional address space.
An example Quad A record:
www.farsightsecurity.com. 3600 IN AAAA 2620:11c:f004::104
Note that a name can have both "A" and "AAAA" records defined, as www.farsightsecurity.com does above.
(3) "CNAME" Records: CNAME records make it possible for one domain name to point at another domain name. This can be convenient for things like virtual hosting environments. An example of a CNAME record is:
admissions.uoregon.edu. 300 IN CNAME drupal-cluster3.uoregon.edu.
Many CNAMEs may point to the same target domain name. For example, checking DNSDB, we can see that multiple domain names point at drupal-cluster3.uoregon.edu including:
admissions.uoregon.edu. admissions1.uoregon.edu. admissions2.uoregon.edu. campuspartners.uoregon.edu. convocation.uoregon.edu. enroll.uoregon.edu. enrollment.uoregon.edu. financialaid.uoregon.edu. oem.uoregon.edu. orientation.uoregon.edu. registrar.uoregon.edu. secureservices.uoregon.edu. ssem.uoregon.edu. transfer.uoregon.edu. visit.uoregon.edu.
(4) "TXT" Records: TXT records are something of a "catch-all" record, and will often be used to share miscellaneous information about a domain. For example, TXT records are often used to share SPF details (see http://www.openspf.org/ ) describing a domain's email sending policies:
farsightsecurity.com. 3600 IN TXT "v=spf1 mx -all"
(5) "MX" Records: MX records define the Mail eXchanger records for a domain, or where inbound mail for a domain should get directed:
farsightsecurity.com. 3600 IN MX 10 mail.fsi.io.
In this case, mail intended for farsightsecurity.com email addresses gets sent to us via the host mail.fsi.io.
(6) "NS" Records: NS records specify the name servers used by a domain. For example:
ucla.edu. 3600 IN NS ns3.dns.ucla.edu. ucla.edu. 3600 IN NS ns2.dns.ucla.edu. ucla.edu. 3600 IN NS ns1.dns.ucla.edu. ucla.edu. 3600 IN NS ns4.dns.ucla.edu.
In this case, checking Farsight DNSDB, our historical passive DNS database that dates back to 2010, we can see that literally hundreds of UCLA-related hosts use ns.dns.ucla.edu for their authoritative DNS, including:
alumni.ucla.edu. art.ucla.edu. athletics.ucla.edu. classics.ucla.edu. engineering.ucla.edu. finance.ucla.edu. grandchallenges.ucla.edu. honors.ucla.edu. [...]
Regular DNS doesn't have the ability to search the right-hand side of NS records and then return all matches found, only passive DNS databases with wildcard search functionality can perform that sort of "magic" for arbitrary name servers of interest.
(7) "PTR" Records: While "A" and "AAAA" records map domain names –> IP addresses, PTR records go the "other direction," mapping IP addresses –> domain names.
For instance, consider 188.8.131.52 (as used by www.farsightsecurity.com). If we check the PTR record for that IP, we see:
184.108.40.206.in-addr.arpa. 86400 IN PTR archive.farsightsecurity.com.
There are a couple of surprising things about PTR records.
– First of all, the left-hand side of a PTR record is actually formed by reversing the four chunks of the IP address (in this case 220.127.116.11 becomes 18.104.22.168), and then ".in-addr.arpa" gets added to the end of the address.
While that may seem like a big change, it's actually just a matter of convenience/formatting, and is done because the left hand side of a DNS record must ALWAYS be a name, not just a raw IP address.
– You may also wonder:
'Why doesn't 22.214.171.124 have a PTR that maps to www.farsightsecurity.com, instead of archive.farsightsecurity.com as shown in the example from this section? Didn't the earlier "A" record example in this article show www.farsightsecurity.com mapping to that IP address?'
The answer to this question is that multiple domain names may be configured to point at a single IP address via "A" or "AAAA" records, while PTR records will normally only return one of those domains.
One of the nice things about DNSDB is that it will associate IP addresses with domain names beyond what's explicitly defined in PTR records.
For example, checking DNSDB for 126.96.36.199, and limiting results to just the last week, we can see that 188.8.131.52 was actually used by:
archive.farsightsecurity.com. farsightsecurity.com. fastrpz.com. fsi.io. www.farsighsecurity.com. www.farsightsecurity.com. www.fastrpz.com. www.fsi.io.
Without access to passive DNS, you might be hard-pressed to discover those associations!
We hope that this whirlwind tour of some DNS record types was helpful if you're new to DNS.
Joe St Sauver Ph.D. is a Scientist for Farsight Security, Inc..
← Blog Home