Appendix B: Glossary

DNS terminology defined as a practitioner would explain it at a whiteboard. 60+ terms from the course.

Definitions written the way you'd explain them to a colleague, not the way an RFC would define them.

A record Maps a hostname to an IPv4 address. The most basic record type. example.com. A 203.0.113.10 means "this hostname is at this IP." The record you query first when you're debugging almost anything.

AAAA record Same as A, but for IPv6 addresses. The name comes from the fact that an IPv6 address is 128 bits, four times the 32-bit IPv4 address (four A's). example.com. AAAA 2001:db8::1.

Authoritative nameserver The nameserver that holds the actual zone data for a domain. When you ask "what is the IP address for example.com?", you're ultimately asking the authoritative nameserver. It's the source of truth; everything else is cached copies.

Auth code (EPP authorization code) The password required to transfer a domain from one registrar to another. Also called the transfer key or EPP token. Must be provided when initiating a transfer; if it's wrong or expired, the transfer fails.

AXFR Full zone transfer. A mechanism for copying an entire DNS zone from a primary to a secondary nameserver. dig AXFR example.com @ns1.example.com attempts to pull the whole zone. If zone transfers are restricted (as they should be), this will be refused from unauthorized sources.

Blue/green deployment A deployment strategy using two identical production environments. Traffic is routed to one (blue) while the other (green) receives the new deployment. DNS TTL manipulation is the switch mechanism.

CAA record Certification Authority Authorization. A DNS record specifying which certificate authorities are allowed to issue TLS certificates for a domain. example.com. CAA 0 issue "letsencrypt.org" means only Let's Encrypt can issue certificates. CAs check CAA records before issuance.
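As an added example (not part of the course material), here is the check a CA performs against a CAA RRset before issuing, following the RFC 8659 matching rules for a single RRset: issue records constrain ordinary names, issuewild records take over for wildcard names when present, a value of ";" means nobody may issue, and an unknown tag with the critical flag set blocks issuance. The RRset contents are constructed; the parent-name climb that applies when a name has no CAA records of its own is left out.

```python
# Added example (not from the course): evaluate a CAA RRset the way a CA does
# before issuing, following the RFC 8659 matching rules for a single RRset.
# It does not implement the climb to parent names when the RRset is empty.
from dataclasses import dataclass

@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 128 = "issuer critical": an unknown tag with it set must block issuance
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # CA domain, optionally followed by ";key=value" parameters; ";" alone means "nobody"

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_caa(rdata: str) -> CAARecord:
    """Parse presentation-format rdata such as '0 issue "letsencrypt.org"'."""
    flags, tag, value = rdata.split(maxsplit=2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))

def may_issue(rrset, ca_domain: str, wildcard: bool = False) -> bool:
    """True if ca_domain is permitted to issue for the name owning rrset.

    rrset: CAA records in presentation format (strings) or CAARecord objects.
    wildcard: whether the requested certificate name is a wildcard (*.name).
    """
    records = [parse_caa(r) if isinstance(r, str) else r for r in rrset]
    # An unrecognised tag flagged critical means the CA must not proceed.
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in records):
        return False
    # Wildcard requests use issuewild when any is present, otherwise fall back to issue.
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return True          # no constraint of this kind: issuance is not restricted here
    for r in relevant:
        issuer = r.value.split(";", 1)[0].strip().lower()   # drop ";key=value" parameters
        if issuer and issuer == ca_domain.lower():
            return True
    return False             # constrained, and this CA is not listed (or the value was ";")

# Constructed sample RRset for example.com (not real data): Let's Encrypt may issue
# ordinary certificates, nobody may issue wildcards, violations are reported by mail.
EXAMPLE_CAA = [
    '0 issue "letsencrypt.org"',
    '0 issuewild ";"',
    '0 iodef "mailto:security@example.com"',
]
```

A useful property to notice: an RRset containing only issuewild records leaves ordinary issuance unrestricted, so locking down wildcards without also adding an issue record does not restrict which CA can issue for the bare name.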

CNAME (Canonical Name) An alias. www.example.com. CNAME example.com. means "to find www, resolve example.com instead." CNAMEs cannot coexist with other records at the same name: you can't have both a CNAME and an MX record at example.com. This is why CNAMEs can't be used at the apex (root) of a domain, which must carry SOA and NS records.

CoreDNS The DNS server used inside Kubernetes clusters. Handles internal service discovery (resolving servicename.namespace.svc.cluster.local) and forwards external queries to upstream resolvers.

DDoS (Distributed Denial of Service) via DNS Using DNS amplification or reflection to overwhelm a target with traffic. Open resolvers respond to forged queries with large responses directed at the attack target. EDNS0's ability to return large UDP responses makes DNS a high-amplification-factor attack vector.

Delegation The mechanism by which a parent zone points to the authoritative nameservers for a child zone. .com delegates to the nameservers listed for example.com. The delegation is the NS record at the parent plus the glue A records for those nameservers.

DKIM (DomainKeys Identified Mail) Email signing system. The sending mail server signs email headers and body with a private key. The public key is published as a DNS TXT record at a selector subdomain (mail._domainkey.example.com). Receiving servers verify the signature against the published key.

DMARC Domain-based Message Authentication, Reporting, and Conformance. A DNS policy record at _dmarc.example.com that tells receiving mail servers what to do with email that fails SPF/DKIM alignment. Policies: none (monitor only), quarantine (treat as spam), reject (discard).
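As an added example (not from the course), the following parses a DMARC TXT record and returns the disposition a receiving server applies: "pass" when either SPF or DKIM is aligned, otherwise the p= policy, with sp= overriding it for mail from subdomains. The record value is constructed for _dmarc.example.com.

```python
# Added example (not from the course): parse a DMARC record and work out the
# disposition a receiving server applies, including the sp= tag for subdomains.
def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; sp=quarantine; rua=mailto:...' into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("DMARC record needs p=none|quarantine|reject")
    return tags

def disposition(record: str, spf_aligned: bool, dkim_aligned: bool,
                is_subdomain: bool = False) -> str:
    """'pass' if either SPF or DKIM is aligned; otherwise the policy to apply.

    sp= overrides p= for mail whose From: domain is a subdomain of the policy domain.
    """
    tags = parse_dmarc(record)
    if spf_aligned or dkim_aligned:
        return "pass"
    if is_subdomain and "sp" in tags:
        return tags["sp"]
    return tags["p"]

# Constructed sample record for _dmarc.example.com (not a real deployment).
SAMPLE_DMARC = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@example.com"
```

The sp= fallback is the part most often missed when auditing: a domain with p=reject and no sp= tag still rejects for subdomains, but one that sets sp=none leaves every subdomain unenforced.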

DNS (Domain Name System) A distributed, hierarchical database that maps names to data. Its most visible function is resolving hostnames to IP addresses, but it also stores MX records for email routing, TXT records for policy publication, SRV records for service discovery, and more.

DNSSEC DNS Security Extensions. Adds cryptographic signatures to DNS responses, allowing resolvers to verify that the data came from the authoritative server and hasn't been tampered with in transit. Protects against cache poisoning. Does not encrypt DNS queries.

DoH (DNS over HTTPS) DNS queries sent inside HTTPS connections on port 443. Provides privacy against passive query surveillance. Harder for network operators to block or inspect than cleartext DNS.

DoQ (DNS over QUIC) DNS queries over QUIC transport. Faster connection establishment than DoT, no head-of-line blocking between concurrent queries. Specified in RFC 9250 (2022).

DoT (DNS over TLS) DNS queries over TLS on port 853. Standard for encrypted stub-to-resolver DNS. Easier to block than DoH (distinct port) but also easier to manage in enterprise environments.

DS record (Delegation Signer) The DNSSEC record published in the parent zone that ties it to the child zone's DNSKEY. It is the parent's link in the chain of trust. If example.com is signed with DNSSEC, the .com zone publishes a DS record containing a hash of the example.com DNSKEY. Repeated at each delegation, this creates the chain of trust from the root downward.

EDNS0 (Extension Mechanisms for DNS) An extension to the DNS message format that allows larger UDP payloads (required for DNSSEC responses), options, and the DO (DNSSEC OK) bit. Specified in RFC 6891.

EPP (Extensible Provisioning Protocol) The protocol used between domain registrars and registries to register, renew, transfer, and modify domain names. EPP status codes on a domain registration show its current operational state.

EPP status codes State flags on a domain registration. clientTransferProhibited: transfer lock set by the registrar. serverTransferProhibited: set by the registry (stronger, requires registry action to remove). clientHold / serverHold: domain is suspended (DNS stops resolving). clientDeleteProhibited: can't be deleted (registry lock).

Forwarder A resolver configured to forward queries it can't answer from cache to a specific upstream resolver, rather than performing recursive resolution itself. Enterprise DNS typically forwards to a central resolver which then either answers from cache or resolves recursively.

Glue records A records published in the parent zone for a domain's own nameservers. When example.com uses ns1.example.com as its nameserver, the parent (.com) zone needs to publish the IP address of ns1.example.com — because you can't ask ns1.example.com how to find ns1.example.com. These are the glue records.

gTLD (Generic Top-Level Domain) A TLD that isn't a country code: .com, .net, .org, .info, and the 1,200+ new gTLDs added since 2012 (.app, .cloud, .brand, etc.).

HTTPS record A DNS record (RFC 9460) that advertises HTTPS service parameters: supported protocols (h2, h3), IP hints, alternate ports. Allows browsers to optimize connection setup by learning protocol support from DNS before initiating a connection.

IXFR (Incremental Zone Transfer) Like AXFR but only transfers the changes since the secondary's current SOA serial. More efficient for large zones with frequent updates.

Kaminsky attack A DNS cache poisoning attack discovered by Dan Kaminsky in 2008. By flooding a resolver with forged responses, an attacker could inject false records into the resolver's cache. Mitigated by source port randomization and query ID randomization.

MX record (Mail Exchanger) Specifies the mail server(s) responsible for receiving email for a domain. example.com. MX 10 mail.example.com. The number is priority — lower number = higher priority. Multiple MX records provide failover.

ndots A resolver configuration setting. ndots:5 (Kubernetes default) means: if the query name has fewer than 5 dots, append search domain suffixes before trying the name as-is. Causes unnecessary NXDOMAIN lookups for external hostnames queried from inside Kubernetes pods.
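As an added example (not from the course), this reproduces the order in which a glibc-style stub resolver tries names given the search list and ndots value from resolv.conf, using the search list Kubernetes writes into a pod in the default namespace (constructed here; the cluster domain is assumed to be cluster.local). It makes the wasted-lookup cost visible: an external name with fewer than five dots is first tried with every search suffix appended.

```python
# Added example (not from the course): reproduce the candidate-name order a
# glibc-style stub resolver derives from resolv.conf 'search' and 'ndots'.
from typing import List

# Constructed resolv.conf content as Kubernetes writes it into a pod in the
# "default" namespace; cluster.local is assumed as the cluster domain.
K8S_SEARCH = ["default.svc.cluster.local", "svc.cluster.local", "cluster.local"]
K8S_NDOTS = 5

def search_candidates(name: str, search: List[str], ndots: int = K8S_NDOTS) -> List[str]:
    """Fully qualified names the stub resolver tries, in order.

    - A name with a trailing dot is absolute: tried once, no search suffixes.
    - Fewer than `ndots` dots: every search suffix is appended first and the
      bare name is tried last.
    - Otherwise: the bare name is tried first, then the search suffixes.
    """
    if name.endswith("."):
        return [name]
    bare = name + "."
    suffixed = [f"{name}.{s}." for s in search]
    if name.count(".") < ndots:
        return suffixed + [bare]
    return [bare] + suffixed

def wasted_lookups(name: str, search: List[str], ndots: int = K8S_NDOTS) -> int:
    """Queries guaranteed to return NXDOMAIN before an external name is tried as-is."""
    candidates = search_candidates(name, search, ndots)
    return candidates.index(name.rstrip(".") + ".")
```

Running it on api.example.com with the Kubernetes defaults shows three NXDOMAIN round trips before the real name is queried; the same name written as api.example.com. (trailing dot) skips the search list entirely, which is why a trailing dot or a lower ndots in the pod's dnsConfig is the usual fix.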

NS record (Nameserver) Identifies the authoritative nameservers for a zone. Both the parent zone (delegation) and the zone itself have NS records. If they disagree, the zone's own NS records are authoritative, but the parent's delegation is what resolvers actually follow.

NSEC / NSEC3 DNSSEC record types that provide authenticated denial of existence. If you ask for a name that doesn't exist in a signed zone, the response includes an NSEC/NSEC3 record proving the name is absent (signed by the zone's key). NSEC3 uses hashed names to prevent zone enumeration.

NXDOMAIN "Non-Existent Domain" — the DNS response code when a queried name doesn't exist. Not to be confused with SERVFAIL (server error) or REFUSED (resolver won't answer). If you're getting NXDOMAIN, the name doesn't exist in DNS.

Passive DNS A technique for recording and querying historical DNS resolutions. Passive DNS databases are built by sensors at recursive resolvers that log what names were resolved to what IP addresses and when. Useful for threat intelligence, attribution, and monitoring newly registered domains.

PTR record (Pointer) Reverse DNS: maps an IP address to a hostname. Stored under in-addr.arpa for IPv4. 10.113.0.203.in-addr.arpa. PTR example.com. Required for mail server deliverability (many mail servers check that the sending IP has a PTR record matching the SMTP hostname).
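As an added example (not from the course), the code below builds the PTR owner name for both IPv4 (in-addr.arpa) and IPv6 (ip6.arpa) addresses and then applies the forward-confirmed reverse DNS check a receiving mail server performs: the PTR must name the host the sender claimed, and that host's A/AAAA records must include the sending IP. The PTR and address data are constructed from documentation ranges.

```python
# Added example (not from the course): build PTR owner names and apply the
# forward-confirmed reverse DNS check that receiving mail servers perform.
import ipaddress

def reverse_name(address: str) -> str:
    """Owner name of the PTR record for an IPv4 or IPv6 address.

    IPv4: octets reversed under in-addr.arpa (203.0.113.10 -> 10.113.0.203.in-addr.arpa.).
    IPv6: all 32 hex nibbles of the zero-padded address reversed under ip6.arpa.
    """
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")      # expanded form, 32 hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

# Constructed sample zone data (documentation-range addresses, not real hosts).
SAMPLE_PTR = {"10.113.0.203.in-addr.arpa.": "mail.example.com."}
SAMPLE_ADDR = {"mail.example.com.": {"203.0.113.10", "2001:db8::25"}}

def fcrdns_ok(address: str, helo_name: str, ptr=SAMPLE_PTR, addr=SAMPLE_ADDR) -> bool:
    """Forward-confirmed reverse DNS: the sending IP's PTR must name the HELO host,
    and that host's A/AAAA records must include the sending IP."""
    host = ptr.get(reverse_name(address))
    if host is None:
        return False                       # no PTR at all
    if host.lower() != helo_name.lower().rstrip(".") + ".":
        return False                       # PTR exists but names a different host
    return address in addr.get(host, set())   # forward lookup must point back to the IP
```

The second half matters as much as the first: a PTR alone proves only that whoever controls the reverse zone chose that name, while the forward check ties the name back to the address.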

Recursive resolver The resolver that does the actual work of resolution: asks the root, follows delegations to TLD servers, follows delegations to authoritative servers, returns the answer. Your ISP's DNS is a recursive resolver. 8.8.8.8 is a recursive resolver. Your /etc/resolv.conf points to one.

Registrar The company through which you register domain names. The registrar maintains a commercial relationship with the registry (the TLD operator) and provides the customer-facing interface for domain management. GoDaddy, Namecheap, Cloudflare Registrar, Gandi are all registrars.

Registry The organization that operates a TLD. Verisign operates .com and .net. AFNIC operates .fr. PIR operates .org. The registry maintains the authoritative data for all domains in its TLD and operates the TLD nameservers.

Registry lock A domain protection mechanism set at the registry level (not just the registrar). Requires out-of-band verification to remove, making it resistant to attacks that compromise the registrar account. Sometimes called "domain lock" or "server-side lock."

RRSIG A DNSSEC record type containing a cryptographic signature over a DNS record set (RRset). Any resolver doing DNSSEC validation checks the RRSIG against the zone's DNSKEY to verify the record's authenticity.

Resolver A generic term for any component that answers DNS queries. Can mean: the stub resolver in an operating system, the recursive resolver at your ISP or cloud provider, or (less commonly) an authoritative server.

Root zone The top of the DNS hierarchy. Operated by IANA/ICANN, with root server infrastructure distributed globally (13 root server addresses, each served by anycast nodes in hundreds of locations). The root zone contains NS records for all TLDs.

RRset (Resource Record Set) A set of DNS records of the same type and name. All the MX records for example.com form an RRset. DNSSEC signs RRsets, not individual records.

SERVFAIL Server Failure: the DNS response code when the server answering the query (usually the recursive resolver, relaying a problem upstream or in its own validation) could not complete it. Common causes: DNSSEC validation failure, the authoritative server is unreachable, zone transfer broken on a secondary so its copy has expired. Different from NXDOMAIN (the name doesn't exist) and REFUSED (the server won't answer this query).

SOA record (Start of Authority) The record that defines the zone's administrative parameters: the primary nameserver, the responsible party's email address, and the serial number, refresh, retry, expire, and minimum TTL values. Every zone has exactly one SOA record. The serial number increments with each zone change; secondaries use it to decide whether to refresh.

SPF (Sender Policy Framework) An email authentication mechanism. A DNS TXT record at the sending domain lists which IP addresses and mail servers are authorized to send email on behalf of that domain. Receiving mail servers check SPF to evaluate whether the sending server is authorized.

Split-horizon DNS Different DNS responses depending on who's asking. Internal resolvers get internal records (private IP addresses, internal service names); external resolvers get only the public-facing records. Implemented by having separate zone configurations for internal and external views.

SRV record (Service) A DNS record that publishes a service's location: hostname, port, priority, and weight. _https._tcp.example.com. SRV 10 5 443 web.example.com. Applications that understand SRV can discover services and their ports from DNS without configuration files.

Stub resolver The DNS client running on your operating system. It forwards queries to the configured recursive resolver and returns results to applications. /etc/resolv.conf configures it. It doesn't do recursive resolution itself.

Subdomain takeover A vulnerability where a subdomain's CNAME record points to infrastructure that no longer exists, and an attacker claims that infrastructure. The attacker now controls what subdomain.yourdomain.com serves. Requires auditing DNS records against live infrastructure and removing records for decommissioned services.

TLD (Top-Level Domain) The last label in a domain name: .com, .org, .fr, .app. gTLDs are generic (no country affiliation); ccTLDs are country codes. Some gTLDs are restricted (.gov, .edu); most are open registration.

TLSA record A DNSSEC-secured record type (DANE) that publishes TLS certificate information in DNS. Allows TLS clients to verify a server's certificate against the DNS record, without relying on CAs. Requires DNSSEC to be meaningful.

TTL (Time to Live) How long a DNS record can be cached by resolvers. Once a resolver retrieves a record, it can serve it from cache for up to TTL seconds without asking again. High TTLs = slower propagation of changes; low TTLs = more DNS queries. The knob you adjust before making changes.

TXT record A general-purpose text record. Used for SPF, DKIM, DMARC, domain verification tokens, ACME DNS challenges for TLS certificate issuance, and anything else that needs to publish arbitrary text in DNS.

UDRP (Uniform Domain-Name Dispute-Resolution Policy) ICANN's mandatory arbitration process for challenging domain registrations. A complainant must prove: (1) the domain is confusingly similar to a trademark they own, (2) the registrant has no legitimate interest, (3) the domain was registered and used in bad faith. Takes 45-60 days. Used for recovering phishing and typosquat domains.

Wildcard record A record matching any subdomain that doesn't have a more specific match. *.example.com. A 203.0.113.10 means any subdomain of example.com that isn't explicitly defined resolves to that IP. Wildcards only apply at a single level; *.example.com does not match a.b.example.com.

WHOIS The legacy protocol for querying domain registration data: registrant, registrar, nameservers, registration and expiry dates. Being replaced by RDAP. Increasingly incomplete due to GDPR privacy requirements, with registrant contact data redacted for privacy-protected registrations.

Zone A portion of the DNS namespace managed by a single organization. example.com and everything under it is a zone (unless a subdomain has been delegated as its own zone). The zone data is stored in a zone file on the authoritative nameserver.

Zone file The configuration file containing all the DNS records for a zone. Follows a specific format defined in RFC 1035. Transferred between primary and secondary nameservers via AXFR/IXFR.

Zone transfer The mechanism for copying zone data from a primary authoritative nameserver to one or more secondaries. AXFR transfers the whole zone; IXFR transfers only the changes. Zone transfers should be restricted to authorized secondary servers.