DNS Glossary
- additional section
- additional information provided in a response, such as glue. A resolver or client may choose to ignore the additional section. A resolver or client should ignore unrelated data.
- answer
- the TTL and resource record data provided for the query. Note that the response includes the original query too (domain name and type).
- apex
- The SOA and NS records are located at the apex, the top level of a zone. (Commonly the "@" at-sign is used to represent the apex domain name or current origin in a zone file.)
- authoritative
- The server that is responsible for providing the data; also, data that came from such a responsible server. (Also the flag that indicates the answer was authoritative.)
- authority section
- Response section that carries the SOA record for no-answer responses, or the NS records of a referral (the delegation to query next).
- AXFR
- full zone transfer; always uses TCP instead of UDP.
- bailiwick
- The scope of authority; data in a response should only be trusted when it falls within the bailiwick of the server that sent it.
- caching
- Stores the record for up to its time-to-live. The resolver doesn't have to look up the same query frequently for long TTLs.
- ccTLD
- country-code TLD, like DE and NZ.
- class
- Defines the schema for the record types and resource record data. For common DNS it is the Internet (IN) class.
- CNAME
- The Canonical Name or alias resource record type. Its target (resource record data) is the new domain name to look up, using the original resource record type, in a new query. (A CNAME cannot be at an apex because it cannot share a name with any other record type other than RRSIG.)
- delegation
- The zone uses an NS (name server) record to identify which authoritative server is responsible next for the domain. Basically, an answer that says "look here instead". This is provided in the authority section.
- DNSKEY
- a resource record type containing the public part of a cryptographic key used to verify a digital signature record (RRSIG).
- DNSSEC
- Additional records included with DNS responses that provide a chain of trust and signatures, so a validator can verify where the data came from and that it was not modified.
- domain
- A subtree of the DNS which defines who is responsible and lists all its immediate delegated subdomains or non-delegated leaf names. (Normally, for example, for "www.example.org" the domain is just "example.org.")
- domain name
- a complete fully qualified name with all labels (separated by periods). Also called a fully qualified domain name (FQDN).
- DoS
- Because DNS over UDP accepts queries with a spoofed sender address, queries that send back large responses can be directed at a targeted device to cause a denial of service.
- dot
- A single period as the domain name denotes the top-level root domain. Fully qualified domain names end with a dot.
- dynamic update
- Method to make updates to a DNS zone.
- EDNS
- Extension Mechanisms for DNS; provides further parameters and features for DNS.
- EDNS client subnet (ECS)
- A client can provide an IP address subnet which is sent to a server that may use it to return custom information, such as geo-located content.
- empty non-terminal
- A domain name that has no resource records itself but has a subdomain that does. These are the in-between labels.
- Expire timer
- If SOA polling keeps failing, keep trying for this amount of time. (Contained in SOA record.) After it expires, do not serve the zone data anymore.
- flags
- Attributes (or bits) that identify the query or what the iterative client can accept, or the attributes sent back from the responding server, such as authoritative answer (AA bit), truncated, recursion desired, and recursion available.
- forwarder
- Accepts a query and asks a recursive server to provide a response which the forwarder returns back to its client.
- FQDN
- The fully qualified domain name includes the hostname and the domain name. It is the complete and usually unique name.
- glue
- The address record provided in the additional section which is associated with an NS (name server) delegation record. Allows providing an address to find the next server in a single transaction.
- gTLD
- generic TLD, such as AERO, BANK, CLUB, and WORK.
- id
- 16-bit transaction identifier number provided in the query and returned in the response to help match it with the original question. Answers can be spoofed.
- inverse queries
- Obsolete feature to find the name by providing its record data; this is not the same as reverse lookups, which are normal in-addr.arpa PTR lookups.
- iterative query
- the client chases down the answer, one query at a time.
- IXFR
- incremental zone transfer; only transfers changed records.
- label
- A label is a single part of a domain name between the periods; for example, www.example.net has three labels.
- lame delegation
- The delegated name servers aren't actually available, or provide non-authoritative data for the zone.
- LDH
- Letters, digits, hyphens: the traditional hostname character set. Note that the DNS itself does not restrict labels to LDH.
- master
- Also known as the "primary" server; the main authoritative server that secondaries poll and do zone transfers from.
- master file
- The plain text zone file loaded by the authoritative server.
- MX (mail exchange)
- Records that provide names of mail servers which will handle incoming email for a domain. The records have a priority number where lower numbers are tried first.
- negative answers
- failed DNS lookups
- negative cache TTL
- Last SOA field, previously called the "minimum", used to set the TTL for caching the fact that no answer was authoritatively provided, so a resolver doesn't repeatedly send queries for an NXDOMAIN, for example.
- NOTIFY
- An authoritative server tells a secondary server that there is an updated zone to check for.
- NS
- The name server record creates a subzone or delegation by defining multiple name servers that are responsible for the domain. (The NS is in the parent zone and in its own zone.)
- NXDOMAIN
- Status result for no such domain when there is no domain name or the domain name doesn't exist. Note if the domain name exists but with a different type, then there will be a "No error" response with no answer instead.
- poison
- A DNS server accepts zone updates from a malicious source, or a DNS resolver accepts (and caches) a DNS answer from a non-authoritative source.
- PTR (pointer)
- The pointer record maps an IP address, written in reverse octet order and commonly within the IN-ADDR.ARPA. domain, to the name for that address. Used for reverse name mapping.
- qname
- the query name is the domain name in the question.
- query
- client asking a DNS server a question with a domain name and the record type (and class).
- record
- The record contains the domain name, the TTL, the record type, and the resource record data. There may be multiple record types and/or multiple (even different) data values for the same domain name.
- record type
- The data type, for example: an IPv6 address (AAAA) or a pointer to a mail server (MX).
- recursive service
- A server that will do iterative queries on behalf of a client.
- referral
- A response with no answer section that includes at least one authoritative name server (closer to the answer) in the authority section, with the glue (their IP addresses) in the additional section.
- Refresh timer
- The time to wait before asking the master for its current SOA (to compare serial numbers and decide whether to do a zone transfer). (Contained in SOA record.)
- Registrar
- The company that manages registrations and fees for domain names (by registrants), such as GoDaddy and Joker.
- Registry
- The organization which operates a top-level domain. (For example, Verisign is the operator or registry for COM.)
- resource record data (rrdata)
- The data associated with a record type for a domain name.
- Retry timer
- After a refresh has failed, try polling for the SOA record again after this amount of time. (Contained in SOA record.)
- root
- The top of the DNS domain tree. The root servers know about all the name servers for the top-level domains (TLDs), but not the record data for subdomains.
- round-robin
- When multiple resource record data values are returned for a single query, only one value is used, chosen at random. (Called a poor man's load balancer when used with address records, for example.)
- secondary
- Also known as "slave"; another authoritative server hosting the same zone data.
- serial number
- Used by secondary authoritative servers to know if there is a new copy of the zone to transfer in.
- SPF
- Sender Policy Framework record to define authorized IP addresses for sending email for a domain. (A dedicated SPF record type was proposed, but the data is now commonly provided in TXT records.)
- start of authority (SOA)
- Identifying record type for a domain. The resource record data provides seven attributes: main server name, contact email address, serial number, the zone transfer refresh, retry, and expire timers, and the cache timer for negative responses. As an answer this is used for secondary server polling. It is also returned in the authority section when the domain name, or the domain name plus type pair, doesn't exist.
- status
- The error code returned with the response, such as format error, server failure, no such name error, and refused. "No error" implies that a valid response is provided even if an answer is not provided.
- stealth
- servers or data not seen in public records
- stub
- A client that can do a single query. Normally a stub forwards a question to a full-featured caching recursive server.
- TLD
- The top level or first label (from right hand side) of a domain name, such as COM or GOV, UK or US (ccTLDs), and NYC or NEWS (gTLD).
- truncated
- The response was larger than the transport supports; the flag indicates that the client should query again using TCP to get the full response.
- TSIG
- A DNS technique using shared secrets to authenticate DNS end-points (generally between servers).
- TTL
- The time-to-live is the time that a server may cache the answer (resource record data).
- TXT
- A record containing free-form textual data. It is commonly used to provide SPF.
- validator
- A resolver that fetches and understands DNSSEC records and verifies that the chain of trust is correct and the data isn't modified and is within a valid time period.
- wildcard
- An asterisk used as a left-hand-side label name in a zone file configuration will match any undefined name (at that record type).
- zone
- A single configuration of DNS records hosted on an authoritative server. This can contain subdomains or can delegate subdomains in another zone which are commonly hosted on a different server.
- zone transfer
- The act of transferring a zone file (using AXFR or IXFR) from one authoritative server to another for synchronized redundancy. Commonly, a secondary server will poll the other server for its SOA every REFRESH interval and uses the serial number to decide whether a transfer is needed.
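The additional section, bailiwick, id, referral and truncated entries above describe checks a resolver applies before trusting a referral. The following added example (not part of this glossary) puts them together over a constructed referral: the transaction id must match, a truncated response is retried over TCP rather than used, and only glue that belongs to a listed name server and lies within the responding server's bailiwick is kept. The RR and Response types and the sample data are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class RR:
    name: str      # owner name as an FQDN with trailing dot
    rtype: str     # record type, e.g. "NS", "A", "AAAA"
    ttl: int
    rdata: str     # resource record data

@dataclass
class Response:
    id: int                  # 16-bit transaction id echoed from the query
    tc: bool                 # truncated flag
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or lies below it (case-insensitive; "." is the root)."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return z == "" or n == z or n.endswith("." + z)

def accept_referral(resp: Response, sent_id: int, server_zone: str):
    """Return (ok, ns_names, glue).
    ok is False when the id does not match the query we sent (possible spoofed
    answer) or when the response is truncated (the client should retry over TCP).
    ns_names are the NS targets from the authority section that are inside the
    responding server's bailiwick; glue is the subset of additional-section
    address records that belong to one of those name servers and are also in
    bailiwick. Everything else is unrelated data and is ignored."""
    if resp.id != sent_id or resp.tc:
        return False, [], []
    ns_names = [rr.rdata.lower() for rr in resp.authority
                if rr.rtype == "NS" and in_bailiwick(rr.name, server_zone)]
    glue = [rr for rr in resp.additional
            if rr.rtype in ("A", "AAAA")
            and rr.name.lower() in ns_names
            and in_bailiwick(rr.name, server_zone)]
    return True, ns_names, glue

# Constructed sample: a referral from an org. server for www.example.org.
# The last additional record is unrelated (outside the org. bailiwick) and
# must not be cached.
SAMPLE = Response(
    id=0x1A2B, tc=False,
    authority=[RR("example.org.", "NS", 172800, "ns1.example.org."),
               RR("example.org.", "NS", 172800, "ns2.example.org.")],
    additional=[RR("ns1.example.org.", "A", 172800, "192.0.2.1"),
                RR("ns2.example.org.", "A", 172800, "192.0.2.2"),
                RR("ns.unrelated.example.", "A", 172800, "198.51.100.7")],
)

if __name__ == "__main__":
    print(accept_referral(SAMPLE, 0x1A2B, "org."))
```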