Know thy DNS: A primer on the top eight DNS records
DNS records tell servers precisely how to respond to a DNS query.
There are dozens of record types. And more deeply understanding at least some of them can help you better understand what’s happening on your network.
If you know which record types correspond to which type of activity, you can tell when they’re out of place or being used in the wrong way.
Most importantly, they are a trove of network security gold. Mining your DNS data can help you hunt for threats on your network. If you know which record types correspond to which type of activity, you can tell when they’re out of place or being used in the wrong way.
In this post, we’ll provide a quick overview of DNS records. Then, we’ll delve into each of the eight common record types. Finally, we’ll touch on how BlueCat can help you make better sense of all of it.
A quick DNS records overview
DNS (which stands for domain name system) records are officially called resource records. Furthermore, on BlueCat’s platform, we label them as DNS query types. These names are used interchangeably.
There are around 90 different official resource record types. Many of them are now obsolete. Furthermore, DNSSEC, a mechanism that provides authentication and integrity for DNS queries, also uses some specific ones.
DNS servers store records. When a DNS query is sent by a device, that query gets a response from those records with the help of DNS servers and resolvers.
A and AAAA DNS records
Firstly, address (A) records are the most common record type by far. In brief, A records map domain names to IPv4 addresses.
Secondly, as the internet gradually makes the transition to IPv6, there are AAAA records (spoken as “quad A”). An AAAA record is the IPv6 equivalent of an A record, responsible for mapping a domain name to an IPv6 address.
Address records are about the extent of an average end user’s encounter. (Certainly, even encounter is a strong word, as the DNS process happens in the background, unbeknownst to the average internet user.)
|A||Maps domain names to IPv4 addresses|
|AAAA||Maps domain names to IPv6 addresses|
|CNAME||Redirects a domain to a different domain|
|PTR||Resolves IPv4 or IPv6 addresses to domain names|
|NS||Provides a list of the authoritative name servers responsible for the domain|
|MX||Provides the domain names of mail servers that receive emails on behalf of a domain|
|SOA||Provides important details about a DNS zone; required for every DNS zone|
|TXT||Provides any type of descriptive information in text format|
Other common types of DNS records
There are other common types of records that admins and others who occupy the networking sphere may regularly encounter. We’ll delve into those now.
A canonical name (CNAME) record redirects a domain to a different domain.
For example, a user enters bluecat.ca in their web browser. Let’s say we own that domain and want to redirect them to bluecatnetworks.com instead. A CNAME record would tell the user’s device, “actually, this is the domain you really want—bluecatnetworks.com.”
To be sure, canonical name records are especially helpful when a single company registers multiple similarly named domains.
A pointer (PTR) record is the reverse of an A or AAAA record. A PTR record resolves IPv4 or IPv6 addresses to domain names. Reverse DNS lookups use PTR records.
Admins commonly use PTRs for IP addresses on internal enterprise networks. This can make it easy to lookup an IP address to see what domain it maps to on the network.
In addition, a barrage of anomalous PTR activity on the network can indicate performance issues.
A name server (NS) record provides a list of the authoritative DNS servers (also called name servers) responsible for the domain that you’re querying. At the end of the DNS query chain, an authoritative name server is the final arbiter for DNS resource records. Every time a user looks up bluecatnetworks.com, their device will go to our authoritative name server to get the answer, unless the lookup chain has already cached it elsewhere.
Moreover, it’s important to note that NS records point to the domain of the name server—not IP addresses.
A mail exchanger (MX) record stores the domain names of mail servers responsible for receiving emails on behalf of a domain.
These records can be helpful to identify authorized mail servers. An MX record is sometimes called an MX entry, particularly in configuring mail servers.
Every DNS zone requires a start of authority (SOA) record. RFC 1035 specifies SOA record formats.
The SOA record stores important information about the zone, such as its primary authoritative name server and the administrator’s email address.
Furthermore, SOA records are essential for zone transfers, helping to control the replication of DNS configuration information across multiple DNS servers. SOA records contain a zone’s serial number, which provides a key clue for secondary name servers. If the serial number increases, the secondary name server will assume that the zone has been updated and initiate a zone transfer.
A text (TXT) record can store any type of descriptive information in text format. For example, network antivirus providers can use TXT records to send and receive information. Furthermore, TXT records often use the sender policy framework (SPF) to publish authorized mail servers. Subsequently, SPF helps prevent spammers from sending emails on behalf of your domain.
Precisely because it can store anything, TXT records can also hide malicious commands. As a result, that can make them attractive to cybercriminals conducting DNS tunneling.
Use BlueCat to manage DNS records
The BlueCat platform provides powerful capabilities to monitor and manage your DNS traffic and configurations. Through a single pane of glass interface, you can manage, visualize, organize, filter, and monitor every DNS record query on your enterprise network.
To be sure, with BlueCat’s Intelligent Security platform you can more easily investigate all the intelligence from your DNS traffic to find possible threats lurking on your network. Surprisingly, most enterprises never analyze their DNS data for cyber threats. We like to call it taking a DNS Dumpster dive.
Flailing in the cloud?
Seven in 10 enterprises struggle to realize the full value of their cloud investments. New research by Enterprise Management Associates explains why and how to change that.
BlueCat Announces Partnership with UK-Based e92plus
BlueCat adds e92plus to its partner program to help deliver innovative IT solutions to enterprises in the UK and Ireland.
5 IT pros on joining enterprise and cloud provider DNS
Networking pros explore integrating enterprise and cloud DNS during the fifth Critical Conversation on Critical Infrastructure hosted in Network VIP.
DNS sinkhole: A tool to help thwart cyberattacks
A DNS sinkhole supplies a false domain name in response to a DNS query, preventing connections to malicious or unwanted domains. Learn more with BlueCat.
Four major DNS attack types and how to mitigate them
In a DNS attack, DNS is compromised or used as a vector. Learn about the different attack types and how to prevent, detect, and mitigate them with BlueCat.