
DNS

In Azure, Azure DNS is used to host DNS zones that provide name resolution. With Azure DNS you manage zones and records in the same way as on-premises; the only difference is that everything is managed from the Azure portal.

How does it ensure reliability?

DNS domains in Azure DNS are hosted on Azure's global network of DNS name servers, providing resiliency and HA. Azure DNS uses anycast networking, so each DNS query is answered by the closest available DNS server.

Another frequently asked question is:

Can I use my own domain name?

Azure DNS also supports private DNS domains so that you can use your own custom domain names rather than being stuck with the Azure-provided names.

DNS query resolve

This is done in four steps, as shown below.

  1. DNS recursor/resolver - The DNS recursor is a server designed to receive queries from client machines through applications such as web browsers. Typically the recursor is then responsible for making additional requests in order to satisfy the client's DNS query. After receiving a DNS query from a web client, a recursive resolver will either respond with cached data, or send a request to a root nameserver, followed by another request to a TLD nameserver, and then one last request to an authoritative nameserver.

  2. Root nameserver - A root server accepts a recursive resolver's query, which includes a domain name, and responds by directing the recursive resolver to a TLD nameserver based on the extension of that domain (.com, .net, .org, etc.).

  3. TLD nameserver - The top level domain server hosts the last portion of a hostname (in example.com, the TLD server is "com").

  4. Authoritative nameserver - The authoritative nameserver is the last stop in the nameserver query. If the authoritative nameserver has access to the requested record, it returns the IP address for the requested hostname to the DNS recursor/resolver that made the initial request.

The steps taken to resolve the DNS query are shown below.
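As an added illustration (not code from the original page), the walk through the four steps above as a toy recursive resolver over constructed referral data; the server names and the 192.0.2.10 address are invented, and example.com is a reserved documentation domain:

```python
# Added example, not from the original page: a toy recursive resolver that walks
# the four steps described above over constructed referral data.

# Step 2 data: the root knows which server is authoritative for each TLD.
ROOT_REFERRALS = {"com.": "a.gtld-servers.example."}
# Step 3 data: each TLD server knows the authoritative server for each zone.
TLD_REFERRALS = {"a.gtld-servers.example.": {"example.com.": "ns1.example.com."}}
# Step 4 data: the authoritative server holds the actual records (constructed).
AUTH_ZONES = {"ns1.example.com.": {("www.example.com.", "A"): "192.0.2.10"}}


def suffixes(name):
    """'www.example.com.' -> ['com.', 'example.com.', 'www.example.com.']"""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def resolve(name, rtype="A", cache=None):
    """Step 1: the recursor answers from cache or walks root -> TLD -> authoritative.

    Returns (answer_or_None, trace), where trace lists each hop taken."""
    cache = {} if cache is None else cache
    trace = []
    key = (name.lower(), rtype.upper())
    if key in cache:
        trace.append("cache hit")
        return cache[key], trace
    parts = suffixes(key[0])
    if len(parts) < 2:
        trace.append("need at least a second-level name")
        return None, trace
    tld, zone = parts[:2]
    tld_server = ROOT_REFERRALS.get(tld)                 # root referral
    if tld_server is None:
        trace.append(f"root: no referral for {tld}")
        return None, trace
    trace.append(f"root -> {tld_server}")
    auth_server = TLD_REFERRALS[tld_server].get(zone)    # TLD referral
    if auth_server is None:
        trace.append(f"{tld_server}: no delegation for {zone}")
        return None, trace
    trace.append(f"{tld_server} -> {auth_server}")
    answer = AUTH_ZONES[auth_server].get(key)            # authoritative answer
    trace.append(f"{auth_server} -> {answer or 'no such record'}")
    if answer is not None:
        cache[key] = answer                              # TTL expiry is not modelled
    return answer, trace
```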

Basics

DNS zones

A DNS zone is used to host the DNS records for a particular domain. To start hosting your domain in Azure DNS, you need to create a DNS zone for that domain name. Each DNS record for your domain is then created inside this DNS zone.

How is a zone managed?

These zones differentiate between distinctly managed areas in the DNS namespace. A DNS zone is a portion of the DNS namespace that is managed by a specific organization or administrator.

Zone files must always start with a Start of Authority (SOA) record, which contains important information including contact information for the zone administrator.

Zones are of two types: public and private.

Public Zone

Records in a public DNS zone can be resolved from the public internet.

Private Zone

The records contained in a private DNS zone aren't resolvable from the internet. DNS resolution against a private DNS zone works only from virtual networks that are linked to it using a virtual network link.

Auto registration in private DNS

When you link a virtual network to a private DNS zone with the auto registration setting enabled, a DNS record is created for each virtual machine deployed in the virtual network.

TTL

The time to live, or TTL, specifies how long each record is cached by clients before being re-queried. In the example below, the TTL is 3600 seconds, or 1 hour.

record set example
www.amarjitdhillon.com    3600    IN    A    134.170.185.46

Record set

Azure DNS manages all DNS records using record sets. A record set (also known as a resource record set) is the collection of DNS records in a zone that have the same name and are of the same type. Most record sets contain a single record.

record set example
www.amarjitdhillon.com    3600    IN    A    134.170.185.46
www.amarjitdhillon.com    3600    IN    A    134.170.188.221

Exception in record set

The SOA and CNAME record types are exceptions. The DNS standards don't permit multiple records with the same name for these types, therefore these record sets can only contain a single record.
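An added example (not code from the original page) that parses zone lines in the layout of the record set example above, groups them into record sets by name and type, and flags sets that break the single-record rule for SOA and CNAME; the SOA line and the second CNAME line are constructed for the demonstration:

```python
# Added example, not from the original page: group zone records into record
# sets and check the SOA/CNAME single-record exception described in the text.
from collections import defaultdict

# Constructed zone data; the two A records match the record set example above.
ZONE_TEXT = """\
amarjitdhillon.com      3600  IN  SOA    ns1.example. hostmaster.example. 1 3600 300 2419200 300
www.amarjitdhillon.com  3600  IN  A      134.170.185.46
www.amarjitdhillon.com  3600  IN  A      134.170.188.221
blog.amarjitdhillon.com 3600  IN  CNAME  amarjitdhillon.com
blog.amarjitdhillon.com 3600  IN  CNAME  www.amarjitdhillon.com
"""

SINGLE_RECORD_TYPES = {"SOA", "CNAME"}   # record sets of these types hold one record


def parse_zone(text):
    """Parse 'name ttl class type rdata' lines into (name, ttl, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # skip blank lines and comments
            continue
        name, ttl, _cls, rtype, rdata = line.split(None, 4)
        records.append((name.lower(), int(ttl), rtype.upper(), rdata))
    return records


def record_sets(records):
    """Group records by (name, type): that pair identifies a record set."""
    sets = defaultdict(list)
    for name, ttl, rtype, rdata in records:
        sets[(name, rtype)].append((ttl, rdata))
    return dict(sets)


def oversized_sets(sets):
    """Return the (name, type) keys whose set violates the single-record rule."""
    return sorted(k for k, v in sets.items()
                  if k[1] in SINGLE_RECORD_TYPES and len(v) > 1)
```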


DNS Records

Azure DNS supports all common DNS record types, including A, AAAA, MX, CAA, CNAME, PTR, SOA, SRV, and TXT records.

CNAME

What is CNAME?

When the "www" subdomain is set to be an alias for the root domain name, a subdomain like www.samplesite.webname.com will have a CNAME record that points to the root domain webname.com.

CNAME Example

Suppose blog.adhillon.com has a CNAME record with a value of adhillon.com (without the 'blog'). This means that when a DNS server looks up the DNS records for blog.adhillon.com, it actually triggers another DNS lookup for adhillon.com, returning adhillon.com's IP address via its A record. In this case we would say that adhillon.com is the canonical name (or true name) of blog.adhillon.com.

IP update scenario

Oftentimes, when sites have subdomains such as blog.adhillon.com or test.adhillon.com, those subdomains will have CNAME records that point to a root domain (adhillon.com). This way if the IP address of the host changes, only the DNS A record for the root domain needs to be updated and all the CNAME records will follow along with whatever changes are made to the root.

Uses of CNAME Records

Here are some of the cases in which a CNAME record is used:

  • To send visitors from several websites owned by the same person or group to the main website
  • To give each network service, such as File Transfer Protocol (FTP) or email, its own hostname and point it to the root domain
  • To give each customer a subdomain on the domain of a single service provider and use CNAME to point the subdomain to the customer's root domain
  • To register the same domain in more than one country and point the versions for each country to the main domain.

CAA records

CAA records allow domain owners to specify which Certificate Authorities (CAs) are authorized to issue certificates for their domain. This record allows CAs to avoid mis-issuing certificates in some circumstances.

CAA record for AWS
$ dig CAA aws.amazon.com

; <<>> DiG 9.10.6 <<>> CAA aws.amazon.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33510
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;aws.amazon.com.            IN  CAA

;; ANSWER SECTION:
aws.amazon.com.     31  IN  CNAME   tp.8e49140c2-frontier.amazon.com.
tp.8e49140c2-frontier.amazon.com. 60 IN CNAME   dr49lng3n1n2s.cloudfront.net.

;; AUTHORITY SECTION:
dr49lng3n1n2s.cloudfront.net. 60 IN SOA ns-905.awsdns-49.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 46 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Dec 29 00:39:57 EST 2022
;; MSG SIZE  rcvd: 192
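The answer above contains only the CNAME chain, with an SOA in the authority section, so there is no CAA record at the queried name; under RFC 8659 a CA then climbs to the parent names before deciding. The check a CA performs, as an added example (not code from the original page) over constructed CAA data for reserved example names:

```python
# Added example, not from the original page: the RFC 8659 authorization check
# a CA performs before issuing. CAA_DATA is constructed for example names.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128   # flag bit: an unknown critical property forbids issuance

# name -> list of (flags, tag, value); all values constructed
CAA_DATA = {
    "example.com.": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
    "strict.example.net.": [(CRITICAL, "futuretag", "x")],
}


def parent(name):
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


def relevant_caa_set(name):
    """Climb from name to its ancestors until a non-empty CAA set is found.
    Returns (name_where_found, records) or (None, [])."""
    name = name.lower()
    while name != ".":
        if CAA_DATA.get(name):
            return name, CAA_DATA[name]
        name = parent(name)
    return None, []


def ca_may_issue(name, ca_domain, wildcard=False):
    """True if ca_domain is permitted to issue a certificate for name."""
    _, records = relevant_caa_set(name)
    if not records:
        return True                         # no CAA anywhere: CAA imposes no restriction
    if any(f & CRITICAL and t not in KNOWN_TAGS for f, t, _ in records):
        return False                        # critical property we do not understand
    tag = "issuewild" if wildcard else "issue"
    values = [v for _, t, v in records if t == tag]
    if wildcard and not values:             # no issuewild: the issue records apply
        values = [v for _, t, v in records if t == "issue"]
    if not values:
        return True                         # e.g. only iodef present
    # value is "<ca-domain>[; parameters]"; ";" alone means no CA may issue
    allowed = {v.split(";", 1)[0].strip().lower() for v in values}
    return ca_domain.lower() in allowed
```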

MX record

A DNS mail exchange (MX) record directs email to a mail server. The MX record indicates how email messages should be routed in accordance with the Simple Mail Transfer Protocol (SMTP, the standard protocol for all email).

check MX record for Google
$ dig MX google.com

; <<>> DiG 9.10.6 <<>> MX google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1277
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.            IN  MX

;; ANSWER SECTION:
google.com.     222 IN  MX  10 smtp.google.com.

;; Query time: 40 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Dec 29 00:37:31 EST 2022
;; MSG SIZE  rcvd: 60

NS record

NS stands for ‘nameserver,’ and the nameserver record indicates which DNS server is authoritative for that domain (i.e. which server contains the actual DNS records). Basically, NS records tell the Internet where to go to find out a domain's IP address. A domain often has multiple NS records which can indicate primary and secondary nameservers for that domain.

Do you need an NS record for your website?

Without properly configured NS records, users will be unable to load a website or application.

A record

The "A" stands for "address", and this is the most fundamental type of DNS record: it indicates the IP address of a given domain. It allows you to use mnemonic names, such as www.amarjitdhillon.com, in place of IP addresses like 162.0.232.222.

A records only hold IPv4 addresses. If a website has an IPv6 address, it will instead use an AAAA record.

Use the dig command to find the A record, as shown below.

using dig to find dns records
$ dig amarjitdhillon.com

; <<>> DiG 9.10.6 <<>> amarjitdhillon.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25476
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;amarjitdhillon.com.        IN  A

;; ANSWER SECTION:
amarjitdhillon.com. 1200    IN  A   162.0.232.222

;; Query time: 48 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Dec 29 00:33:13 EST 2022
;; MSG SIZE  rcvd: 63

We can also get the IP using nslookup, as shown below.

$ nslookup amarjitdhillon.com
Server:     8.8.8.8
Address:    8.8.8.8#53

Non-authoritative answer:
Name:   amarjitdhillon.com
Address: 162.0.232.222

AAAA record

DNS AAAA records match a domain name to an IPv6 address. DNS AAAA records are exactly like DNS A records, except that they store a domain's IPv6 address instead of its IPv4 address.

TXT record

This record is used to associate text with a domain.

SOA (Start of authority)

The DNS ‘start of authority’ (SOA) record stores important information about a domain or zone such as the email address of the administrator, when the domain was last updated, and how long the server should wait between refreshes.

$ nslookup -type=SOA contoso.com
Server:     8.8.8.8
Address:    8.8.8.8#53

Non-authoritative answer:
contoso.com
    origin = ns1-205.azure-dns.com
    mail addr = azuredns-hostmaster.microsoft.com
    serial = 1
    refresh = 3600
    retry = 300
    expire = 2419200
    minimum = 300

CERT (Certificate record)

It stores public key certificates.

SRV (Service Location record)

It is used to specify a port for specific services.

