DNS - The "Domain Name System" Protocol (aka "Route 53")


DNS record types

Type Description Details
A Address record used to map a hostname to an IPv4 address
AAAA IPv6 Address record like A but for IPv6
CAA Certificate Authority Authorization used by domain name holders to indicate to certificate authorities whether they are authorized to issue digital certificates for a particular domain name
  • the lack of any CAA records authorizes normal unrestricted issuance
  • the presence of a single blank issue tag disallows all issuance
CNAME Canonical NAME
  • declare an alias of one name to another : the DNS lookup will continue by retrying the lookup with the new name
  • maps a domain name to another domain name :
    alias-domain.com	CNAME	real-domain.com
  • this is used to
    • run distinct services on the same host with a single IP address, so that each service can have its own DNS entry :
      • www.example.com
      • ftp.example.com
    • run multiple websites on the same host (aka virtual hosts)
MX Mail eXchange maps a domain name to a list of MTA for that domain
NS Name Server delegates a DNS zone to use the given authoritative name servers
PTR Pointer
  • inverse of A / AAAA records : map IP addresses to names
  • used to perform reverse DNS lookups
  • addresses are saved in the reverse order : the PTR record for would be stored as
SOA Start Of Authority
  • details about a DNS zone :
    • primary name server
    • administrator's email address
    • domain serial number
    • timers
  • details in DNS SOA records article
SRV Service Generalized service location record, used for newer protocols instead of creating protocol-specific records such as MX
TXT Text
  • originally for arbitrary human-readable text in a DNS record
  • since the early 1990s, this record more often carries machine-readable data that doesn't fit the format of other records

DNS : how to list the subdomains of a domain ? Let's do a Reverse IP lookup !

Some CLI solutions exist, but they rely on permissions given by the DNS servers themselves (which are seldom granted). So better forget this method. Here are some alternatives :

Ask Wolfram Alpha :

  1. Go to http://www.wolframalpha.com/
  2. Enter the domain name in the search box, then Compute
  3. Then click the Subdomains and More buttons (when available)

With Nmap :

How to enumerate the subdomains of a domain ?

Other websites/tools :

  1. Netcraft
  2. yougetsignal
  3. MY-IP-neighbors.com

DNS SOA records

A DNS SOA record specifies authoritative information about a DNS zone, including (complete details on format) :

How to get a domain's SOA record ?

With dig :

dig google.com soa returns :
;google.com.			IN	SOA

google.com.		86400	IN	SOA	ns1.google.com. dns-admin.google.com. 2013121300 7200 1800 1209600 300

With nslookup :

nslookup set type=soa google.com returns :
 origin = ns1.google.com
 mail addr = dns-admin.google.com
 serial = 2013121300
 refresh = 7200
 retry = 1800
 expire = 1209600
 minimum = 300

DNS status codes

The status of a domain name can be seen in its whois information, via the command line or with online tools such as whois.domaintools.com.
In this article we will explain what the most common domain status codes mean: