Domain Name System (DNS)
See also: Active Directory#DNS, dnsmasq
DNS Server implementations
- CoreDNS – written in Go, Cloud Native Computing Foundation graduated project.
- DNSMasq – can also do DHCP.
- Knot DNS – high-performance authoritative DNS server (not a resolver)
- Knot Resolver (kresd) – the matching caching/validating resolver
Fast public DNS servers
IP | Name |
---|---|
9.9.9.9 | Quad9 (blocks known-malicious domains; 9.9.9.10 is the unfiltered variant) |
1.1.1.1 | Cloudflare |
8.8.4.4 | Google Public DNS-2 |
212.82.225.12 | Clara-2 DE |
Plain DNS on UDP/53 is neither encrypted nor authenticated; Quad9, Cloudflare and Google also offer DNS over TLS (port 853) and DNS over HTTPS.
Find out which one is fastest from your location with namebench.
Resource Records
Format: <name> [<ttl>] [<class>] <type> <rdata>
SRV
https://de.wikipedia.org/wiki/SRV_Resource_Record
_service._proto.name. TTL class SRV priority weight port target.
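As an added example (not part of the original page), the following Python parses zone-file style records in the `<name> [<ttl>] [<class>] <type> <rdata>` format above, including the two optional fields that may appear in either order, and decodes SRV rdata. The zone lines and host names are constructed sample data.

```python
# Added example: parse "<name> [<ttl>] [<class>] <type> <rdata>" lines and
# decode SRV rdata. Sample records below are constructed, not real zones.
from __future__ import annotations
from dataclasses import dataclass

RR_TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "PTR", "SRV", "TXT"}
RR_CLASSES = {"IN", "CH", "HS"}

@dataclass
class ResourceRecord:
    name: str
    ttl: int | None
    rr_class: str
    rr_type: str
    rdata: list[str]
    srv: dict | None = None

def parse_rr(line: str, default_ttl: int | None = None) -> ResourceRecord:
    """TTL and class are both optional and may come in either order
    (RFC 1035 §5.1); consume them until the type token is reached."""
    tokens = line.split()
    if len(tokens) < 3:
        raise ValueError(f"too few fields: {line!r}")
    name = tokens.pop(0)
    ttl, rr_class = default_ttl, "IN"
    while tokens and tokens[0].upper() not in RR_TYPES:
        tok = tokens.pop(0)
        if tok.isdigit():
            ttl = int(tok)
        elif tok.upper() in RR_CLASSES:
            rr_class = tok.upper()
        else:
            raise ValueError(f"unknown field or type {tok!r} in {line!r}")
    if not tokens:
        raise ValueError(f"missing type in {line!r}")
    rr_type = tokens.pop(0).upper()
    rec = ResourceRecord(name, ttl, rr_class, rr_type, tokens)
    if rr_type == "SRV":
        rec.srv = parse_srv(name, tokens)
    return rec

def parse_srv(name: str, rdata: list[str]) -> dict:
    """SRV rdata is 'priority weight port target'; the owner name must be
    _service._proto.<domain>."""
    if len(rdata) != 4:
        raise ValueError(f"SRV needs 4 rdata fields, got {rdata}")
    labels = name.split(".")
    if len(labels) < 3 or not (labels[0].startswith("_") and labels[1].startswith("_")):
        raise ValueError(f"SRV owner must be _service._proto.domain: {name!r}")
    priority, weight, port = (int(x) for x in rdata[:3])
    if not 0 <= port <= 65535:
        raise ValueError(f"bad port {port}")
    return {"service": labels[0][1:], "proto": labels[1][1:],
            "priority": priority, "weight": weight, "port": port,
            "target": rdata[3]}

# Constructed sample zone lines (hypothetical hosts in example.com).
SAMPLE_ZONE = [
    "_ldap._tcp.example.com. 3600 IN SRV 10 60 389 ldap1.example.com.",
    "_ldap._tcp.example.com. IN 3600 SRV 20 40 389 ldap2.example.com.",
    "_sip._udp.example.com. SRV 0 0 5060 sip.example.com.",
    "www.example.com. 300 A 192.0.2.10",
]

def srv_targets(lines, default_ttl=None) -> list[ResourceRecord]:
    """SRV records in client preference order: lowest priority first, higher
    weight first within a priority (real clients pick randomly in proportion
    to weight, RFC 2782)."""
    recs = [parse_rr(l, default_ttl) for l in lines]
    return sorted((r for r in recs if r.srv),
                  key=lambda r: (r.srv["priority"], -r.srv["weight"]))

if __name__ == "__main__":
    for r in srv_targets(SAMPLE_ZONE, default_ttl=86400):
        print(r.name, r.ttl, r.srv)
```

A record without an explicit TTL inherits `default_ttl` (the zone's `$TTL`), which is why the `_sip._udp` line comes back with the default while the `_ldap` lines keep their own 3600.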
Sender Policy Framework (SPF)
Allow mail from the hosts in the domain's MX and A records, reject everything else. The policy lives in a TXT record at the zone apex; TXT rdata is a quoted string and has no priority field:
example.com. 28800 IN TXT "v=spf1 mx a -all"
Check with spfquery.
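The following added example (not from the original page) is a minimal SPF evaluator over constructed DNS data. It shows what `v=spf1 mx a -all` authorises and how the RFC 7208 lookup limit turns a self-including record into a permerror. `FAKE_DNS` stands in for live lookups and its names and addresses are made up; the evaluator is simplified (no `redirect=`/`exists`, no CIDR suffixes on `a`/`mx`, and every query is counted against the limit).

```python
# Added example: simplified SPF (RFC 7208) check against constructed DNS data.
from __future__ import annotations
import ipaddress

# Constructed zone data (hypothetical); keys are (owner name, record type).
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 mx a -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("example.com", "A"): ["192.0.2.10"],
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("soft.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 §4.6.4
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

class Permerror(Exception):
    """The record cannot be evaluated (RFC 7208 §2.6.7)."""

class SpfChecker:
    def __init__(self, dns=FAKE_DNS):
        self.dns = dns
        self.lookups = 0

    def _records(self, name, rtype):
        return self.dns.get((name.rstrip(".").lower(), rtype), [])

    def _query(self, name, rtype):
        # Simplified: every query counts (the RFC exempts the initial TXT
        # lookup and tracks MX/PTR target lookups separately).
        self.lookups += 1
        if self.lookups > MAX_DNS_LOOKUPS:
            raise Permerror("too many DNS lookups")
        return self._records(name, rtype)

    def _spf_record(self, domain, counted):
        txt = self._query(domain, "TXT") if counted else self._records(domain, "TXT")
        recs = [r for r in txt if r == "v=spf1" or r.startswith("v=spf1 ")]
        if len(recs) > 1:
            raise Permerror("multiple SPF records")  # §4.5
        return recs[0] if recs else None

    def check(self, sender_ip: str, domain: str) -> str:
        """Return one of none/pass/fail/softfail/neutral/permerror."""
        self.lookups = 0
        ip = ipaddress.ip_address(sender_ip)
        try:
            record = self._spf_record(domain, counted=False)
            if record is None:
                return "none"
            return self._evaluate(ip, domain, record)
        except Permerror:
            return "permerror"

    def _ip_in_a(self, ip, name) -> bool:
        rtype = "A" if ip.version == 4 else "AAAA"
        return any(ipaddress.ip_address(a) == ip for a in self._query(name, rtype))

    def _evaluate(self, ip, domain, record) -> str:
        for term in record.split()[1:]:
            q = "+"
            if term[0] in QUALIFIERS:
                q, term = term[0], term[1:]
            mech, _, arg = term.partition(":")
            mech = mech.lower()
            if mech == "all":
                matched = True
            elif mech in ("ip4", "ip6"):
                matched = ip in ipaddress.ip_network(arg, strict=False)
            elif mech == "a":
                matched = self._ip_in_a(ip, arg or domain)
            elif mech == "mx":
                matched = any(self._ip_in_a(ip, mx) for mx in self._query(arg or domain, "MX"))
            elif mech == "include":
                # include matches only if the included policy yields "pass"
                included = self._spf_record(arg, counted=True)
                if included is None:
                    raise Permerror(f"include:{arg} has no SPF record")
                matched = self._evaluate(ip, arg, included) == "pass"
            else:
                raise Permerror(f"unsupported term {term!r}")
            if matched:
                return QUALIFIERS[q]
        return "neutral"  # nothing matched and no "all" term

if __name__ == "__main__":
    c = SpfChecker()
    for ip, dom in [("192.0.2.25", "example.com"), ("203.0.113.7", "example.com"),
                    ("203.0.113.7", "soft.example"), ("203.0.113.7", "loop.example")]:
        print(ip, dom, c.check(ip, dom))
```

With `-all`, a host that is in neither the MX nor the A set gets a hard `fail`; `~all` would only give `softfail`, which most receivers treat as a spam signal rather than a rejection. The `loop.example` record demonstrates why receivers enforce the lookup limit: without it an attacker-controlled or misconfigured `include:` chain could make the check recurse forever.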
Mail Autoconfig
https://tools.ietf.org/html/rfc6186
_submission._tcp SRV 0 1 587 smtp.example.com.
_imap._tcp SRV 0 1 143 imap.example.com.
Without DNSSEC these SRV answers are unauthenticated, so a spoofed reply can point a client at an attacker's server; the client must still verify the server's TLS certificate (see the Security Considerations of RFC 6186).
Test domains
RFC 2606 reserves four TLDs for testing and documentation examples:
.test
.example
.invalid
.localhost
It also reserves the second-level domains example.com, example.net and example.org for documentation.
DO NOT use .local for testing or local purposes! It is reserved for mDNS (RFC 6762); if you hand out .local names from a unicast DNS server, you will interfere with Avahi/Zeroconf hostname resolution.
Dynamic DNS
Free providers
update DNS from DHCP
- DNS, DDNS, and DHCP on a Linux router – Part 2 # Making the DHCP server update DNS (Mikael Hansson, oxcrag.net, 2022)
- Turris Omnia script DNSMasq → Kresd (for reference only, doesn't work without Turris' version of OpenWRT)
Split DNS
If you want to serve the same content both locally and from outside of your LAN, you can use split DNS (split-horizon DNS): the local resolver answers LAN clients with the private IP, while the public zone answers with the WAN IP. Hairpin NAT (NAT reflection) achieves a similar effect at the network layer by routing traffic sent to the external IP back into the LAN.
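As an added example (not from the original page), the dnsmasq configuration below overrides one public name for LAN clients; the host name and addresses are made up (RFC 1918 and RFC 5737 ranges):

```ini
# Added example: split DNS in dnsmasq. Public DNS for www.example.com returns
# the WAN address; LAN clients asking this dnsmasq get the internal host.
address=/www.example.com/192.168.1.10

# Refuse upstream answers that point into private address ranges (DNS
# rebinding protection). This applies to upstream replies only, so the
# locally configured address= entry above is still served.
stop-dns-rebind
```

`address=` matches the name and all of its subdomains, so use the most specific name you actually want to override rather than the whole domain.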
Reverse DNS lookups (rDNS)
A regular ("forward") lookup returns the IP address for a hostname. A reverse lookup returns the hostname (PTR record) registered for an IP address. PTR records are optional: not every IP has one, and not every forward entry has a matching reverse entry.
In most DNS servers PTR records have to be created explicitly; this also avoids leaking internal hostnames for addresses where a reverse entry is not needed.
Mail servers use rDNS to check whether the hostname a connecting system announces really belongs to its IP: the PTR name is looked up and must resolve back to the connecting address (forward-confirmed reverse DNS, FCrDNS). Many mail systems reject or spam-score incoming mail when the reverse entry is missing or does not match the hostname they got mail from.
rDNS entries are set by whoever controls the IP range (the ISP or hosting provider), not by the owner of the target domain. The reverse DNS tree is rooted in the .arpa top-level domain: in-addr.arpa for IPv4 and ip6.arpa for IPv6.
Linux
On Linux systems, you can use dig -x $IP to look up rDNS entries.
Troubleshooting
flush DNS cache
Which command applies depends on which resolver or cache the system actually uses (check /etc/resolv.conf or resolvectl status); try the matching one:
resolvectl flush-caches (systemd-resolved)
systemd-resolve --flush-caches (older name of the same systemd-resolved command)
nmcli general reload dns-full (NetworkManager)
systemctl restart nscd
systemctl restart dnsmasq
systemctl restart named
service networking restart
With systemd-resolved, resolvectl statistics shows the current cache size, so you can confirm the flush actually happened.