Computer Network 📂 Application Layer · 2 of 3 71 min read

DNS Explained

Master DNS end-to-end — from the root zone and TLD hierarchy to forward and reverse zone files, SOA records, and all six DNS server types. Understand authoritative (AA=1) vs non-authoritative (AA=0) answers with an animated comparison. Query DNS with nslookup and dig, trace every resolution step, and build your own BIND9 authoritative server on Linux. Includes Kaminsky 2008, Dyn 2016, and MyEtherWallet BGP hijack incidents.

Section 01

DNS — The Internet's Distributed Phone Book

The World's Largest, Fastest, Most Resilient Phone Book
Imagine trying to remember the exact office address of every business in every country in the world — millions of locations, changing daily. Impossible. So instead, you remember names — "Google," "Amazon," "BBC" — and the phone book tells you the address.

The Internet works the same way. Computers communicate using IP addresses (e.g. 142.250.80.46) — but humans remember names (google.com). DNS bridges this gap: a globally distributed database that translates human-readable domain names into machine-usable IP addresses.

What makes DNS remarkable is its scale: it handles over 1 trillion queries per day, responds in milliseconds anywhere on Earth, has no single point of failure, and has run continuously since 1983 — making it arguably the most reliable piece of infrastructure on the entire Internet.

DNS (Domain Name System) was designed by Paul Mockapetris in 1983 (RFC 882, 883, later replaced by RFC 1034/1035). Before DNS, every host on the Internet had to download a single text file called HOSTS.TXT from a server at SRI International — listing every known hostname and IP address. When the Internet grew from hundreds to thousands of hosts, this system collapsed. DNS replaced it with a distributed, hierarchical, delegated database that scales to billions of records.

📌
DNS: Three Core Design Principles

Distributed — no single server holds all DNS data. The data is spread across millions of servers worldwide. No one server can fail and take DNS down.

Hierarchical — DNS is a tree structure: root → TLD (.com, .uk) → domain (google, bbc) → subdomain (www, mail). Each level delegates authority to the level below it.

Delegated — each organisation controls its own portion of the namespace. Google controls google.com. The BBC controls bbc.co.uk. IANA controls the root. No central authority approves individual records.


Section 02

🏭 Animated: The DNS Hierarchy — Root, TLD, and Authoritative

The DNS namespace is a tree with a single root — represented by a dot (.). Every domain name, read right to left, traces a path from leaf to root through this tree. www.bbc.co.uk. reads: host "www" in domain "bbc" in second-level "co" in top-level "uk" under the root "."

▶ DNS Namespace Tree — Animated Hierarchy with Delegation Chain
👉 Click any node to explore its role
The DNS tree has four main levels. Click each node to understand what server type manages it, who is responsible, and how authority is delegated downward.

💡 The trailing dot (www.example.com.) represents the root and is always present — most software omits it for readability. When you type "google.com" your resolver appends the dot internally before querying.


Section 03

DNS Server Types — Four Different Roles

Not all DNS servers do the same job. There are four distinct server roles in the DNS ecosystem, each with a specific responsibility. Confusing them is the most common source of DNS configuration errors.

📌
Recursive Resolver
The "question-asker"
The server your device talks to. Receives queries from clients, then contacts root → TLD → authoritative servers on the client's behalf. Caches results. Examples: 8.8.8.8 (Google), 1.1.1.1 (Cloudflare), your ISP's resolver. Does NOT hold zone data.
✓ Caches answers · ✓ Recursive · ✓ Client-facing
🌐
Root Name Server
The "directory of directories"
13 named clusters (a–m.root-servers.net), 1,700+ physical servers worldwide via anycast. Only knows NS records for TLDs — never A records for domains. Never caches anything. Operated by 12 organisations including Verisign, NASA, ICANN, US Army, and Netnod.
✓ Anycast · ✓ Ultra-reliable · ✓ Knows all TLD NS
📋
Authoritative Name Server
The "definitive answer"
Holds the actual zone data for a specific domain. When queried, sets the AA (Authoritative Answer) flag. Returns the real A, AAAA, MX, CNAME records from its zone file. Examples: Google's ns1–ns4.google.com, Cloudflare's ns1/ns2.cloudflare.com for hosted domains.
✓ Authoritative (AA=1) · ✓ Holds zone data · ✓ Final answer
📈
Forwarding / Caching Resolver
The "smart middleman"
Forwards queries to an upstream resolver instead of contacting root/TLD directly. Caches responses. Used in corporate networks and home routers to reduce external query load. Your home router typically acts as a forwarding resolver — it forwards everything to your ISP's or Google's resolver.
✓ Reduces external queries · ✓ Local caching · ✓ Simple config
🔌
Primary vs Secondary
Master-slave zone replication
A Primary server holds the master copy of the zone file (read-write). A Secondary server obtains its data from the primary via Zone Transfer (AXFR/IXFR) and serves it read-only. You need at least two authoritative servers per domain for redundancy — ICANN requires it for all registered domains.
✓ Redundancy · ✓ Load distribution · ✓ Zone transfer
Split-Horizon DNS
Internal vs External views
Returns different answers based on who is asking. Internal queries (from 192.168.x.x) get private IP answers (e.g. server.company.com → 10.0.1.50). External queries get public IP answers (→ 203.0.113.1). Essential for enterprise networks with internal services not exposed externally. Both BIND and Windows DNS support Views for this.
✓ Security · ✓ Private addressing · ✓ Internal services

Section 04

Authoritative vs Non-Authoritative Answers — The Critical Distinction

Every DNS response carries a single bit — the AA flag (Authoritative Answer) — that tells the client whether the answer came directly from the server that owns the zone, or from a resolver that merely cached it. This distinction is one of the most important concepts in DNS and is frequently misunderstood.

Asking the Author vs Asking Someone Who Read the Book
Imagine you need to know the exact date a novel was published. You could ask:

Option A: The author herself — she knows definitively. Her answer is authoritative. It cannot be wrong.

Option B: A librarian who looked it up last month and remembers — probably correct, but she might be remembering wrong, or the information might have changed. Her answer is non-authoritative.

In DNS: the authoritative server is the author — it holds the zone file and its answers are definitive. The recursive resolver is the librarian — it caches answers and serves them from memory, which may be stale if the TTL has not expired yet. Both can give you the correct answer most of the time, but only one is guaranteed to be right at this exact moment.

The AA Bit — One Flag, Two Worlds

✅ Authoritative Answer — AA=1
PropertyDetail
SourceThe zone's own name server (ns1.example.com)
AA flagSet to 1 in the DNS response header
Data freshnessAlways current — read directly from zone file
TTL meaningTTL instructs the receiver how long to cache
Trust levelHighest — this is the ground truth
Who returns itOnly the primary or secondary authoritative servers
nslookup label(no "Non-authoritative" label shown)
ExampleQuerying ns1.google.com for google.com A records directly

When you query the authoritative server directly with dig google.com @ns1.google.com, you see flags: qr aa rd — the AA bit is set, confirming you got the real answer from the source.

📋 Non-Authoritative Answer — AA=0
PropertyDetail
SourceA recursive resolver's cache (8.8.8.8, 1.1.1.1)
AA flagSet to 0 in the DNS response header
Data freshnessPotentially stale — age depends on remaining TTL
TTL meaningRemaining TTL — how long ago this was cached
Trust levelHigh in practice, but not guaranteed current
Who returns itAny recursive resolver (your ISP, 8.8.8.8, etc.)
nslookup label"Non-authoritative answer:" printed as a warning
ExampleQuerying 8.8.8.8 for any domain — always non-auth

Non-authoritative answers are the norm for everyday usage — 99.9% of DNS queries go to a resolver cache. This is correct and expected behaviour, not an error. nslookup's "Non-authoritative answer" label alarms beginners but is completely normal.

🏭 Animated: AA Flag Comparison — Authoritative vs Cached Response

▶ Same Query, Two Very Different Paths — Authoritative vs Resolver Cache
Ready

💡 Notice the TTL difference: the authoritative server always returns the full TTL (e.g. 3600s). The resolver returns a decremented TTL — if it cached the record 2000 seconds ago, it returns 1600s remaining. This tells you exactly how old the cached answer is.

The DNS Response Header — Flags Decoded

📋 DNS Response Flags — What Each Bit Means
QR = 1
Query/Response — 0 = this is a query, 1 = this is a response. Every response you receive has QR=1.
AA = 1
Authoritative Answer — set only when the responding server is the zone owner. If AA=0, the answer came from cache — perfectly valid but potentially seconds, minutes, or hours old depending on TTL.
TC = 1
TrunCation — response was too large for UDP (>512 bytes, or >4096 with EDNS0). Client must retry over TCP on port 53 to get the full answer. Common with DNSSEC and large TXT records.
RD = 1
Recursion Desired — set by the client to ask the resolver to do recursive lookups. Recursive resolvers honour this. Authoritative-only servers may ignore it.
RA = 1
Recursion Available — set in the response by a resolver that supports recursion. Authoritative-only servers set RA=0 — they will not recursively resolve on your behalf.
AD = 1
Authenticated Data — DNSSEC: the resolver has verified the cryptographic signature chain for this answer. Means every record in the response has been validated against the zone's DNSKEY.
dig — READING THE FLAGS LINE (;; flags:)
dig google.com @8.8.8.8 dig google.com @ns1.google.com ───────────────────────────────── ───────────────────────────────── ;; flags: qr rd ra ;; flags: qr aa rd │ │ └─ Recursion │ │ └─ Authoritative ✓ │ └──── Recursion │ └──── Query response └─────── Query response └────────────── No RA (auth-only) ANSWER SECTION: ANSWER SECTION: google.com. 187 IN A 142.250.80.46 google.com. 300 IN A 142.250.80.46 ─── ─── TTL decremented Full TTL — zone owner (cached 113s ago) AA=1 confirms freshness

When Does Non-Authoritative Become a Problem?

🕑
After a DNS Change
Propagation delay
You updated your A record from 1.2.3.4 to 5.6.7.8. But resolvers worldwide still cache the old value for up to TTL seconds. Your authoritative server immediately returns the new IP (AA=1). Resolvers return the old IP (AA=0) until their cache expires. This "propagation delay" is why engineers lower TTLs before migrations.
💥
Cache Poisoning
Security attack on non-auth
An attacker injects a false record into a resolver's cache. All clients using that resolver receive the forged non-authoritative answer, redirecting them to an attacker-controlled server. The authoritative server's answer is correct — but clients never reach it. DNSSEC signatures prevent this by letting resolvers verify authenticity.
🔎
Debugging DNS Changes
Always query auth directly
When troubleshooting whether a DNS change has taken effect, always query the authoritative server directly: dig example.com @ns1.example.com. If the authoritative server returns the new value (AA=1) but your ISP's resolver still returns the old value (AA=0) — the change is correct, just cached at the resolver.
💡
Quick Reference: How to Identify Authoritative vs Non-Authoritative

In dig output:
  flags: qr aa rd → Authoritative (AA bit present)
  flags: qr rd ra → Non-Authoritative (no AA bit, RA=1 means from resolver)

In nslookup output:
  No label → Authoritative answer
  Non-authoritative answer: → Came from resolver cache

In dig TTL:
  TTL = exactly the configured value (e.g. 3600) → Fresh from authoritative
  TTL = odd number (e.g. 2847) → Cached at resolver (decremented since caching)


Section 05

🏭 Animated: Full DNS Resolution — Every Packet

The animation below shows the complete DNS resolution process for www.example.com — from the client's first query to the final answer, including every server contacted, every response type, and the caching behaviour.

▶ Complete DNS Resolution — Recursive Query with Caching
Ready

💡 Steps 1–2 show a cache hit (answer found locally — <1ms). Steps 3–10 show a full recursive lookup with 4 server interactions. Real-world resolution time: 20–200ms on first query, <1ms on cache hit. The average web page triggers 8–15 DNS lookups on first load.


Section 06

DNS Zones — Forward, Reverse, and Zone Files

A DNS zone is a portion of the DNS namespace that a specific administrator controls. Zones are stored in zone files — plain text files containing DNS resource records. Understanding zones is the key to running your own DNS server.

📌 Forward Zone — Name to IP

Translates domain names → IP addresses. The "normal" direction. Filename convention: db.example.com

; Forward zone file for example.com
; $ORIGIN sets the default domain suffix
$ORIGIN example.com.
$TTL    3600        ; Default 1-hour TTL

; SOA — Start of Authority record
@   IN  SOA  ns1.example.com.  admin.example.com. (
        2024070101  ; Serial (YYYYMMDDNN)
        3600        ; Refresh (1h)
        900         ; Retry (15min)
        604800      ; Expire (1 week)
        300  )      ; Negative TTL

; NS records — authoritative name servers
@       IN  NS   ns1.example.com.
@       IN  NS   ns2.example.com.

; A records — IPv4 addresses
@       IN  A    93.184.216.34    ; example.com itself
www     IN  A    93.184.216.34    ; www.example.com
mail    IN  A    93.184.216.35    ; mail.example.com
ns1     IN  A    93.184.216.36
ns2     IN  A    93.184.216.37

; AAAA — IPv6 address
www     IN  AAAA 2606:2800:220:1:248:1893:25c8:1946

; CNAME — alias (ftp → www)
ftp     IN  CNAME www

; MX — mail exchange, priority 10
@       IN  MX   10  mail.example.com.

; TXT — SPF record
@   IN  TXT  "v=spf1 mx a ~all"
🔄 Reverse Zone — IP to Name

Translates IP addresses → domain names (PTR records). Used for email anti-spam, logging, and security audits. Filename: db.216.184.93 (reversed octets)

; Reverse zone for 93.184.216.0/24
; Zone name: 216.184.93.in-addr.arpa.
$ORIGIN 216.184.93.in-addr.arpa.
$TTL    3600

@   IN  SOA  ns1.example.com. admin.example.com. (
        2024070101  ; Serial
        3600        ; Refresh
        900         ; Retry
        604800      ; Expire
        300  )      ; Negative TTL

@       IN  NS   ns1.example.com.
@       IN  NS   ns2.example.com.

; PTR records — IP last octet → hostname
; 93.184.216.34 → www.example.com
34      IN  PTR  www.example.com.
35      IN  PTR  mail.example.com.
36      IN  PTR  ns1.example.com.
37      IN  PTR  ns2.example.com.

; Why "in-addr.arpa"?
; IP octets are reversed: 93.184.216.34
; becomes 34.216.184.93.in-addr.arpa.
; This lets DNS tree work right-to-left
; just like forward lookups.
📋
The SOA Record — Zone Authority Metadata

The Start of Authority (SOA) record is the most important record in any zone file. It defines:
MNAME — primary name server for this zone
RNAME — email of zone administrator (@ replaced by .)
Serial — version number. Secondary servers transfer the zone when this increases. Convention: YYYYMMDDNN (e.g. 2024070101)
Refresh — how often secondaries check for updates
Retry — how often to retry if refresh fails
Expire — how long secondaries serve stale data if primary is unreachable
Minimum TTL — negative cache TTL (how long NXDOMAIN is cached)


Section 07

nslookup & dig — DNS Query Tools

Every network engineer needs to query DNS manually. Two tools are essential: nslookup (available on Windows, macOS, and Linux) and dig (more powerful, primarily Linux/macOS). Both send DNS queries and display the raw response — invaluable for troubleshooting.

🏭 Animated: nslookup & dig Query Examples

▶ DNS Query Tool — nslookup and dig Output Visualised

💡 dig shows the full DNS response including flags, authority section, and query time — far more useful than nslookup for debugging. The +short flag gives a minimal one-line answer. The @server syntax lets you query a specific DNS server directly, bypassing your default resolver.

Essential dig & nslookup Commands Reference

CommandWhat It Does
dig example.comDefault A record lookup for example.com
dig example.com MXQuery Mail Exchange records
dig example.com NSQuery Name Server records (who is authoritative)
dig example.com TXTQuery TXT records (SPF, DKIM, verification)
dig example.com ANYRequest all record types (many resolvers block this)
dig -x 8.8.8.8Reverse lookup: IP → hostname (PTR record)
dig example.com +shortMinimal output — just the answer
dig example.com @1.1.1.1Query specific resolver (1.1.1.1 = Cloudflare)
dig example.com +traceTrace full delegation from root to answer
dig example.com +dnssecRequest DNSSEC signatures in response
nslookup example.comBasic A lookup (Windows-friendly)
nslookup -type=MX example.comSpecify record type in nslookup
nslookup example.com 8.8.8.8Query specific server with nslookup

Section 08

Build Your Own DNS Server — BIND9 on Linux

BIND (Berkeley Internet Name Domain) is the world's most widely deployed DNS server software — powering a majority of DNS servers on the Internet. Setting up your own BIND9 authoritative server gives complete control over your domain's DNS records and teaches the inner workings of the protocol.

⚠️
Prerequisites Before Building Your DNS Server

Two public IP addresses — ICANN requires at least two authoritative name servers in different locations for any domain.
A registered domain name — purchased from a registrar (Namecheap, GoDaddy, Cloudflare).
Firewall rules — open UDP/TCP port 53 from anywhere.
Reverse DNS — contact your hosting provider to set PTR records for your server IPs (required for email deliverability).

Step-by-Step: BIND9 Authoritative Server Setup

1
Install BIND9 on Ubuntu/Debian
Install the package and check the service status. BIND9 includes the named daemon (the actual DNS server), bind9utils (dig, nslookup, named-checkzone), and bind9-doc (documentation).
2
Configure named.conf — Global Options
Edit /etc/bind/named.conf.options to set your server's behaviour: allow-query (who can query), recursion (only for internal use on authoritative servers), listen-on (which interfaces), and forwarders (for internal caching resolver).
3
Declare Zones in named.conf.local
Add zone declarations for both your forward zone (example.com) and reverse zone (216.184.93.in-addr.arpa). Each zone declaration points to the zone file and declares the server as primary (master) or secondary (slave).
4
Create Zone Files
Write the forward zone file (/etc/bind/db.example.com) and reverse zone file (/etc/bind/db.93.184.216) using the format shown in Section 05. Every change requires incrementing the SOA serial number.
5
Validate and Reload
Always validate before reloading: named-checkconf checks named.conf syntax. named-checkzone example.com /etc/bind/db.example.com checks zone file syntax. A syntax error in a zone file stops the entire BIND9 process — validate every time.
6
Register Your Nameservers at Your Registrar
Log into your domain registrar and set the NS records for your domain to point to your new servers (ns1.example.com, ns2.example.com). Also set "glue records" — provide the IPs of your nameservers directly to the registrar so the TLD can return them without a circular dependency.
── Step 1: Install BIND9 ─────────────────────────────────────────
$ sudo apt update && sudo apt install -y bind9 bind9utils
$ sudo systemctl status bind9         # Verify running
$ sudo systemctl enable bind9          # Start on boot

── Step 2: /etc/bind/named.conf.options ──────────────────────────
options {
    directory     "/var/cache/bind";
    recursion     no;             // Authoritative only — disable recursion
    allow-query   { any; };       // Accept queries from anywhere
    allow-transfer { none; };    // Restrict zone transfers
    listen-on     { any; };       // Listen on all interfaces
    dnssec-validation auto;       // Validate DNSSEC responses
    auth-nxdomain no;             // RFC 2308 compliant
};

── Step 3: /etc/bind/named.conf.local ────────────────────────────
// Forward zone
zone "example.com" {
    type     primary;
    file     "/etc/bind/zones/db.example.com";
    allow-transfer { 93.184.216.37; };  // Allow transfer to ns2
    notify   yes;
};

// Reverse zone (for 93.184.216.0/24)
zone "216.184.93.in-addr.arpa" {
    type     primary;
    file     "/etc/bind/zones/db.93.184.216";
};

── Step 4: Create zone directory ─────────────────────────────────
$ sudo mkdir -p /etc/bind/zones
# Copy zone files as shown in Section 05

── Step 5: Validate and apply ────────────────────────────────────
$ sudo named-checkconf                     # Check named.conf syntax
$ sudo named-checkzone example.com /etc/bind/zones/db.example.com
$ sudo systemctl reload bind9              # Apply changes

── Step 6: Test your server ──────────────────────────────────────
$ dig www.example.com @localhost           # Query your own server
$ dig -x 93.184.216.34 @localhost         # Test reverse lookup
$ dig example.com SOA @localhost          # Verify SOA record
EXPECTED OUTPUT — dig www.example.com @localhost
;; ANSWER SECTION: www.example.com. 3600 IN A 93.184.216.34 ← Your A record! ;; AUTHORITY SECTION: example.com. 3600 IN NS ns1.example.com. example.com. 3600 IN NS ns2.example.com. ;; Query time: 1 msec ← Local = instant ;; SERVER: 127.0.0.1#53(127.0.0.1) ← Your own server answered

Section 09

DNSSEC, DoH, DoT — Making DNS Secure

Classic DNS was designed in 1983 with no security — all responses are unsigned UDP packets that anyone can forge. Three major security extensions address this.

🔐
DNSSEC — DNS Security Extensions
DNSSEC (RFC 4033–4035) adds cryptographic signatures to DNS records. Each zone generates a public/private key pair. Records are signed with the private key. Resolvers verify signatures using the public key — published in DNS as DNSKEY records. The chain of trust goes from the root (ICANN signs TLDs) → TLD → domain. DNSSEC prevents DNS cache poisoning attacks (Kaminsky attack, 2008). About 20% of domains have DNSSEC enabled. All .gov domains are required to use it. Configure with: dnssec-keygen and dnssec-signzone in BIND9.
RFC 4033 | Cryptographic signatures | Chain of trust | Anti-spoofing
🔌
DNS over HTTPS (DoH)
DoH (RFC 8484) encrypts DNS queries inside HTTPS (port 443) — making them indistinguishable from normal web traffic. ISPs cannot see or modify your DNS queries. Supported by Chrome, Firefox (enabled by default), and Windows 11. Providers: Cloudflare (1.1.1.1), Google (8.8.8.8), NextDNS. Controversy: bypasses corporate DNS monitoring and parental controls. Firefox's DoH rollout in 2019 triggered ISP complaints in the UK.
RFC 8484 | HTTPS port 443 | Firefox default | Privacy
🔑
DNS over TLS (DoT)
DoT (RFC 7858) encrypts DNS queries inside TLS on port 853 (a dedicated port, unlike DoH). Easier for network admins to monitor and filter — you can block port 853 without blocking all HTTPS. Preferred by enterprise security teams who want encryption without losing visibility. Android 9+ supports Private DNS using DoT. Cloudflare 1.1.1.1 and Google 8.8.8.8 support both DoH and DoT. On Linux, configure via systemd-resolved with DNS=1.1.1.1 and DNSOverTLS=yes.
RFC 7858 | TLS port 853 | Enterprise-friendly | Android Private DNS
📰
2008 — The Kaminsky DNS Cache Poisoning Attack

Dan Kaminsky discovered a fundamental flaw in DNS: an attacker could forge UDP responses and inject false records into any resolver's cache — redirecting entire domains to attacker-controlled servers. By flooding the resolver with fake responses on thousands of source ports simultaneously (birthday attack), the attacker could win the race against the legitimate response. The flaw affected every DNS resolver in the world. An emergency coordinated patch was released in July 2008 — the largest coordinated security patch in Internet history. The fix: source port randomisation. The permanent fix: DNSSEC. Source: Kaminsky, "It's the End of the Cache as We Know It," Black Hat 2008; CERT Advisory CA-2008-06.


Section 10

Real-World DNS Incidents

💥
2016 — Dyn DDoS: Half the Internet Down for 6 Hours
On 21 October 2016, the Mirai botnet (100,000+ IoT devices: cameras, DVRs, routers) launched a 1.2 Tbps DDoS against Dyn — a major managed DNS provider. Twitter, Reddit, Netflix, GitHub, Spotify, CNN, and the New York Times were unreachable. Not because their servers failed — but because their domain names could not be resolved. Users who knew the IP addresses directly could still connect. The attack demonstrated that DNS is infrastructure-critical and that single-provider DNS dependency is a catastrophic single point of failure. Source: Dyn Analysis Summary, October 2016; Wired Magazine.
Mirai botnet | 1.2 Tbps | Dyn DNS | Twitter, Netflix, Reddit | Oct 2016
2010 — China Telecom BGP + DNS Hijack
For 18 minutes on 8 April 2010, China Telecom advertised BGP routes for ~15% of the global Internet routing table, including IP blocks belonging to the US military, Senate, NASA, and major companies. Traffic was briefly rerouted through Chinese servers. Chinese DNS resolvers returned incorrect answers for some international domains for users inside China, redirecting traffic to government-controlled IPs. This was the first large-scale demonstration of DNS weaponisation at a national level. Source: US-China Economic and Security Review Commission Annual Report 2010; MIT.
BGP hijack | DNS interception | 18 minutes | US military traffic
🔥
2019 — Amazon Route 53 DNS Hijack ($160,000 ETH Stolen)
Attackers compromised Amazon Route 53 (AWS's DNS service) via BGP route hijacking — redirecting DNS queries for MyEtherWallet (a cryptocurrency wallet) to a fake server in Russia. For 2 hours, users logging into MyEtherWallet were unknowingly submitting credentials to the attacker's server. Approximately $160,000 worth of Ethereum was stolen. The attack exploited DNS's reliance on BGP for routing — a flaw DNSSEC cannot fully fix because the routing itself was corrupted. Source: Ars Technica "DNS Hijacking Abuses BGP Routing to Compromise MyEtherWallet," April 2018.
Route 53 | BGP hijack | MyEtherWallet | $160K ETH | 2018

Section 11

Golden Rules — DNS Administration & Troubleshooting

📌 Rules Every DNS Administrator Must Follow
1
Always run two authoritative name servers in different locations. ICANN requires it for registered domains, and for good reason. If your single DNS server goes down, your entire domain — web, email, everything — becomes unreachable. Place ns1 and ns2 in different data centres, different cities, different ASNs. A single provider for both is better than one server, but still a single point of failure.
2
Lower TTLs before making changes — raise them after. Before changing an A record (IP address migration), lower the TTL to 60–300 seconds well in advance. This ensures the old value expires quickly after the change. After the new value is stable, restore TTL to 3600–86400 seconds for caching efficiency. Failing to do this causes 48-hour propagation delays because cached records don't expire.
3
Increment the SOA serial every time you modify a zone file. Secondary servers check if the serial has increased to decide whether to transfer the zone. If you forget to increment it, your secondary will serve stale data indefinitely. Use the YYYYMMDDNN format (e.g. 2024070101) — date-based serials are self-documenting and easy to understand.
4
Always run named-checkzone before reloading BIND9. A single misplaced character in a zone file crashes BIND9 and takes down all your zones — not just the one with the error. named-checkzone catches syntax errors before they reach production. Automate this in your deployment pipeline: no reload without a passing check.
5
Disable recursion on authoritative servers. An authoritative server should answer queries about its own zones only. Enabling recursion turns it into an open resolver — which can be abused for DNS amplification DDoS attacks (sending 60-byte queries that generate 3,000-byte responses, 50× amplification). Set recursion no; in named.conf.options on all authoritative servers exposed to the Internet.
6
Use dig +trace to diagnose resolution failures, not ping. When a domain is unreachable, ping example.com tells you almost nothing about DNS. dig example.com +trace shows you every step of the delegation chain — exactly which server is failing, what response it returns, and whether the problem is at root, TLD, or authoritative level. This is the single most powerful DNS troubleshooting command.
7
Monitor your authoritative servers for zone transfer attempts. Zone transfers (AXFR) return your complete zone file — every hostname, every IP, every internal server. Restrict transfers with allow-transfer { ns2_ip; }; in your zone configuration. Leaving AXFR open to any IP exposes your entire internal network map to attackers — a common reconnaissance technique in penetration testing.
🎓
The Complete Picture

DNS is the infrastructure beneath all Internet infrastructure. Every web request, every email, every API call starts with a DNS lookup. Understanding it end-to-end — from the root zone to a zone file entry, from a recursive resolution to a cached response, from dig +trace to named-checkzone — is foundational knowledge for any network engineer, system administrator, or security professional.

The hierarchy (root → TLD → SLD → host) is the architecture of the entire Internet namespace. The delegation model (NS records pointing to authoritative servers) is what makes it scalable to billions of domains with no central bottleneck. The TTL mechanism is what makes it performant — 1 trillion queries per day served mostly from cache, with a tiny fraction touching the actual authoritative servers.

When DNS breaks — as Dyn's 2016 outage proved — nothing works. When DNS is compromised — as the Kaminsky attack demonstrated — nothing is safe. Mastering DNS is not optional for anyone who works with networked systems.