DNS Configuration - CompTIA A+ 220-1101 - 2.6

00:02

DNS is the domain name system, and we often

00:05

refer to this as the service that

00:06

converts the fully qualified domain names that we might

00:10

type into our browser to something our networks might

00:13

use, like an IP address.

00:16

But what you may not realize about DNS

00:18

is that this is not simply a standalone server that

00:21

provides this resource.

00:23

There are multiple servers across the internet that

00:25

provide these translations and they

00:27

work on a hierarchy across all of the different fully

00:31

qualified domain names.

00:32

This is also a very distributed database,

00:35

because we have many different DNS servers on the internet.

00:38

There are 13 root server clusters.

00:41

In actuality, this consists of over 1,000 different servers.

00:45

There are hundreds of generic top-level domains.

00:47

These are the domains that are the .com, the .org, the .net,

00:51

and others.

00:52

And then there are also country-level top-level

00:55

domains, like .us, .ca for Canada,

00:59

or .uk for the United Kingdom.

01:01

Here's a very simple visual representation

01:04

of this hierarchy from the perspective

01:06

of professormesser.com.

01:08

We'll start at the top with a period.

01:10

This designates the end of the fully qualified domain name.

01:13

And working backwards, we would have a .com, a .net, a .edu,

01:18

and others.

01:19

Obviously, professormesser.com would be the next layer

01:23

in this hierarchy.

01:24

So you can see underneath .com, we have .professormesser.

01:27

And of course, there may be multiple servers

01:30

at professormesser.com.

01:31

If you go to my website, then you're

01:33

visiting www.professormesser.com,

01:36

but I might have a mail server, which

01:38

is mail.professormesser.com.

01:41

And in very large networks, you may have organizational domain

01:44

names-- for example, east.professormesser.com

01:47

and west.professormesser.com.

01:49

And in the east, there may be certain servers.

01:52

In the west, there might be other servers.

01:54

Having this hierarchy allows us to configure a very specific

01:58

structure, and this works across every fully qualified domain

02:02

name on the internet.

02:03

If you'd like to see visually how this translation operates

02:07

and your system supports the dig command,

02:10

you can run at the command line dig www.professormessor.com.

02:15

The results of this command show us

02:17

a summary of what we requested.

02:19

It shows the information that was sent asking specifically

02:22

for an address associated with www.professormesser.com.

02:27

And then you can see in the ANSWER SECTION,

02:29

there are actually three different IP addresses

02:32

associated with my web server, and you

02:35

can see those IP addresses are listed here.

02:37

The reason there are three different addresses for my web

02:40

server is for redundancy.

02:42

If one of those IP addresses is no longer available,

02:45

your device can use any of these other IP addresses

02:48

to communicate back to www.professormesser.com.

02:53

If you're not on a system that supports the dig command,

02:55

you can use nslookup professormesser.com.

02:58

This will go out to your locally configured DNS server

03:02

and provide answers for the professormesser.com IP

03:06

addresses, and you can see the results

03:08

of this query show exactly the same three IP addresses.

03:13

Behind the scenes, the DNS server

03:14

has a large database that contains fully qualified domain

03:18

names, IP addresses, and other details that

03:21

can help your systems perform this translation between fully

03:24

qualified domain name and IP address.

03:27

We refer to these as resource records, and in this video,

03:30

we'll look at a number of different types of resource

03:33

records that are used on a DNS server.

03:35

There are over 30 different record types.

03:38

We won't go through all 30 of those in this video.

03:41

Those record types might be IP addresses, certificates,

03:44

host names, and other details.

03:47

As you can imagine, a DNS server is a critical resource.

03:51

If a DNS server isn't available, you

03:53

can make the request to visit www.professormesser.com,

03:56

but there's nothing behind the scenes

03:58

to make the translation between the fully qualified domain

04:01

name and the IP address.

04:03

This is why we tell people, if you're making a change to DNS,

04:06

make sure you have very good backups

04:08

of the previous configuration and that you

04:10

know exactly what you're changing in that DNS server.

04:15

Many DNS servers have a very simple configuration file

04:18

that's written in text, and this is an example of one

04:21

of those DNS configurations.

04:23

The section at the top is the Start of Authority Record.

04:25

This has some mail exchanger records inside of it,

04:28

a list of IP addresses, and fully qualified domain names,

04:32

and you've got some canonical or alias

04:34

names that you've also assigned inside of this DNS server.

04:38

This makes it relatively easy if you

04:39

need to make changes to a DNS server's configuration

04:43

because you can use any text editor to modify or update

04:46

this configuration file.

04:48

You might also find that the DNS service that you're using

04:51

can provide you with a web-based front end to the configuration,

04:54

so instead of understanding all of those different records

04:57

and understanding where they go in the configuration file,

05:00

you can put them all into a web-based front end

05:02

and make your changes from there.

05:04

The first record will look at and perhaps one

05:06

of the most common records you see in a DNS server

05:09

is an address record.

05:11

We often refer to these as in A record or a AAAA record.

05:15

The A records are address records for IP version 4.

05:18

So this a record will have a fully qualified domain

05:21

name and the associated IP version 4 address.

05:25

The quad A records are for IPv6.

05:28

The same thing applies.

05:29

We'd have a fully qualified domain name,

05:31

and we would associate the IPv6 associated with that domain

05:35

name.

05:36

Here's an example of an A record that's

05:38

on the professormesser.com DNS server.

05:41

You can see that I am specifying that www.professormesser.com

05:45

is an internet address using the A record,

05:49

and the IP address associated with that fully qualified

05:52

domain name is 162.159.246.164.

05:57

If you're configuring this in a DNS text file,

06:00

then you also have the option to add remarks or other comments

06:03

on that record line.

06:05

If the front end to your DNS server

06:06

is in a web-based configuration, it's the same information,

06:10

but we've separated out the A record, the hostname, the IP

06:13

address, and the time to live for this IP address.

06:17

The time to live in a DNS server is

06:19

specifying how long an end station will remember

06:22

this match between fully qualified domain name and IP

06:25

address.

06:26

This 15 minute time to live means

06:28

that a device will make the request to a DNS server

06:31

and store or cache that information for 15 minutes.

06:34

After 15 minutes, that information

06:36

is removed from the cache, and if this device

06:38

needs to communicate back to the www server,

06:41

it will need to request, again, the IP address

06:44

for that particular record.

06:46

Here's the same thing, but from the perspective

06:48

of IPv6, where we're configuring a quad A record,

06:51

and we have a hostname, an IPv6 address, and, again, a time

06:55

to live.

06:57

Another important record in a DNS is where all of your emails

07:00

should be delivered.

07:01

This is a mail exchanger record or an MX record.

07:05

To make this work, you would need two separate records

07:08

inside of your DNS server.

07:09

The first would be the MX record.

07:11

You can see the mail exchange record in this server points

07:14

to mail.mydomain.name.

07:16

To be able to obtain the IP address for mail.mydomain.name,

07:21

we would need to look at an A record,

07:23

and you can see there is an A record

07:25

for the mail.mydomain.name, which is 123.12.41.41,

07:31

and it is a Linux server.

07:33

DNS servers have many different functions they can provide.

07:36

One of those is to stored text information that can then

07:39

be used for other purposes.

07:41

We would store the text information

07:43

in a text record or TXT record.

07:46

This is usually public information.

07:48

Since people are able to query these text

07:50

records on your server, these text records

07:52

were originally designed for very informal purposes.

07:55

But today, we have very specific uses for a TXT or text

08:00

record in our DNS server.

08:01

For example, we might use this for verification purposes.

08:05

We might be making a configuration change

08:07

to our domain, and that domain change

08:09

requires that you add something very specific to a text

08:12

record in your DNS server.

08:14

This is because the DNS server configuration is usually

08:17

very secure, and only authorized individuals

08:20

would have access to make changes to a DNS server's

08:23

configuration.

08:24

We also use this text record extensively for email security,

08:28

and you'll see in a moment how we're able to add information

08:31

to a text record that can help verify

08:34

the origination of a particular email.

08:37

If you want to see some example of text records,

08:39

you can look at the text records that

08:41

are on the professormesser.com DNS server.

08:43

If you're running dig, you can use dig professormesser.com

08:46

and then txt.

08:48

And then it will show all of the text records

08:50

that I have currently configured on my DNS server.

08:54

You can see that I have two currently configured,

08:56

one for a stripe verification, and another one that

08:59

is used for mailgun.org, which is used to send out my email

09:02

messages.

09:04

If dig isn't available, you can also

09:06

view these using an nslookup.

09:07

You would use nslookup-type=txt, and then the domain name such

09:13

as google.com or professormesser.com.

09:16

You can see when you perform a google.com lookup that Google

09:19

has a number of text records on their device, which include

09:22

things like a Facebook domain verification, a Google site

09:26

verification, and a DocuSign text record.

09:29

A common text record you might find

09:31

is an SPF record, or a sender policy framework.

09:35

This is a list of all of the email servers that

09:38

are authorized to send messages using your fully

09:41

qualified domain name.

09:42

This was created to help prevent others

09:44

from spoofing your fully qualified domain name

09:47

and sending email as if you would send it yourself.

09:50

A mail server receiving an email that

09:52

says it was from professormesser.com

09:55

will query the professormesser.com DNS server,

09:58

retrieve this SPF record in the DNS server,

10:02

and be able to determine is this something that really

10:05

came from an authorized host?

10:08

Here's the same process for creating a text-based DNS

10:11

record, and you can see, you just

10:12

paste in the text that is associated with the record

10:16

that you'd like to add.

10:17

In this example, you can see that I'm adding the SPF

10:19

record into my DNS server, and, again,

10:22

I have a TTL of 15 minutes.

10:26

We can even take this email security one step further

10:29

and provide a digital signature that we can

10:32

associate with outgoing mail.

10:34

We do this through the use of a DKIM text record,

10:37

or Domain Keys Identified Mail.

10:39

This is going to be validated by the mail servers

10:42

as that message is traversing the network,

10:44

and the public key associated with this digital signature

10:47

is added to a text record in your DNS server.

10:51

Here's the same configuration for that DKIM record,

10:54

except we're making the configuration

10:55

change in this web-based front end, and you can see,

10:58

it's a large bit of text that is the public key for all

11:02

of the digital signatures that have been sent from my domain.

11:06

Now that we have a way to verify messages that have been sent

11:09

and to digitally sign messages that are being sent,

11:12

we need some way to determine what we do with those messages

11:16

if the verification fails.

11:18

We would use DMARC for that purpose.

11:20

This is the Domain-based Message Authentication Reporting

11:23

and Conformance.

11:25

This is an extension of the SPF and DKIM processes

11:28

that we've already seen, except DMARC takes the extra step

11:32

to determine the disposition that

11:34

should be used when someone receives a message that

11:36

can't be validated.

11:38

You might create a DMARC record on your DNS server that

11:41

says, if a message is not validated,

11:44

simply accept it, or maybe send it to a spam folder,

11:47

or simply reject the email entirely.

11:50

The mail servers behind the scenes

11:52

keep track of how many mail messages have been validated

11:55

and how many have failed the validation,

11:57

and then you can receive a report that shows exactly how

12:00

many messages were able to get through based on the SPF

12:04

or DKIM configuration.

12:06

And here's an example of adding one of those DMARC text records

12:09

to your DNS.

12:10

You can see that the content specifies

12:12

what to do with the email messages

12:14

and where to send the report so that you can examine how

12:17

your mail has been distributed.