Tag: DNS

What is an MX record in DNS?

The Domain Name System (DNS) is the system that links domain names to their IP addresses. Its purpose is to make the Internet easier for people: we remember names that are easy to write and keep in memory, while reaching a site requires knowing its location on the network, its IP address.

DNS works with text entries that computers understand. These entries are called DNS records, and they are stored on DNS nameservers. In this post we will explore the MX record and the other record types you need alongside it for a working mail server.

What is the Mail Exchanger record (MX record)?

The MX record is a simple DNS record that tells sending email servers the name of the host responsible for accepting email on behalf of the domain name.

For example, if we have a domain name called example.com, we need to add an MX record that links this domain name to the hostname of the mail server that receives its email, such as mail.example.com.

The senders then look up the A or AAAA records of mail.example.com, so they know not only the name of the host but its IP address too.

The MX target, mail.example.com, must not be a CNAME record; it needs its own A or AAAA records. A name that has a CNAME record cannot have any other records beside it.

You can have multiple MX records that point to multiple hosts, like mail1.example.com, mail2.example.com, and so on, for redundancy.

The MX records have another important parameter, the priority. It indicates the order in which the accepting mail servers are tried. A lower number means higher priority. You can have different hosts with the same priority or with different priorities. The senders will always try the host with the lowest priority value first.

A common approach is to have one incoming mail server with a very high priority value (that is, the lowest priority) serving as a backup. Normally it won't receive email, but if all the servers with lower priority values fail, it can still accept the messages.

What happens if you don’t have MX records?

The MX records point to the mail servers that receive email for your domain. If this pointer is missing, senders won't know where to deliver the messages. It is like having a house without a mailbox. They will either fail, or try to deliver directly to the domain name itself, like example.com, at its IP address (IPv4 or IPv6), treating it as an MX with priority 0. Delivery is not guaranteed.
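As an added example (not code from the original post), here is how a sending mail server orders the MX candidates described above, uses the backup only when the preferred hosts are down, and falls back to the domain's own address with priority 0 when no MX exists. The zone is constructed in memory; nothing is looked up on the network.

```python
# Constructed zone: owner name -> list of (type, value); an MX value is (priority, target).
ZONE = {
    "example.com.":        [("MX", (10, "mail1.example.com.")),
                            ("MX", (50, "backup.example.com.")),
                            ("MX", (10, "mail2.example.com.")),
                            ("A", "192.0.2.10")],
    "mail1.example.com.":  [("A", "192.0.2.25")],
    "mail2.example.com.":  [("AAAA", "2001:db8::25")],
    "backup.example.com.": [("A", "192.0.2.26")],
    "nomx.example.":       [("A", "192.0.2.99")],
}

def lookup(zone, name, rtype):
    """All values of records of type rtype at owner name (empty list if none)."""
    return [value for rtype_, value in zone.get(name, []) if rtype_ == rtype]

def delivery_candidates(zone, domain):
    """(priority, target) pairs in the order a sender tries them: lowest priority
    value first, equal priorities kept in a stable order (a real MTA shuffles them).
    With no MX records, RFC 5321 treats the domain itself as an MX with priority 0,
    but only if it has an A or AAAA record; otherwise there is nowhere to deliver."""
    mx = lookup(zone, domain, "MX")
    if mx:
        return sorted(mx, key=lambda rec: rec[0])
    if lookup(zone, domain, "A") or lookup(zone, domain, "AAAA"):
        return [(0, domain)]
    return []

def pick_server(zone, domain, unreachable=frozenset()):
    """Simulate failover: walk the candidates and return (target, addresses) for the
    first target not in the constructed `unreachable` set, or None if all fail.
    This is why a backup MX with a high priority value only sees mail when the
    rest are down."""
    for _, target in delivery_candidates(zone, domain):
        if target not in unreachable:
            return target, lookup(zone, target, "A") + lookup(zone, target, "AAAA")
    return None
```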

What other DNS records do you need for your mail server?

When it comes to DNS, you will need the following records so you can send and receive email with a lower bounce rate and fewer missed messages in your inbox:

MX record – points to the incoming mail servers (their hostnames).

A or AAAA records – you need them for your domain name and for each host you have. They map names to IP addresses.

SPF record – another TXT record. This one lists which servers may send email on behalf of your domain.

DKIM record – publishes the public key used to sign outgoing messages, as proof that they were not forged or altered on the way.

DMARC record – used to verify the SPF and DKIM results and to provide feedback to the domain owner or manager.

PTR record – the pointer record is the opposite of the A or AAAA record: it links an IP address to a domain name. It is used for verification, as proof that the IP address corresponds to the domain.
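As an added example (not code from the original post), this small check confirms that a zone publishes every record in the list above, including a PTR that points back to the MX target. It runs against a constructed in-memory zone rather than live DNS; the DKIM key and the IP addresses are placeholders, and the DKIM selector name s1 is an assumption.

```python
# Constructed zone: owner name -> list of (type, value); an MX value is "priority target".
MAIL_ZONE = {
    "example.com.":               [("MX", "10 mail.example.com."), ("TXT", "v=spf1 mx -all")],
    "mail.example.com.":          [("A", "192.0.2.25")],
    "_dmarc.example.com.":        [("TXT", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com")],
    "s1._domainkey.example.com.": [("TXT", "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY")],
    "25.2.0.192.in-addr.arpa.":   [("PTR", "mail.example.com.")],
}

def records(zone, name, rtype):
    """All values of records of type rtype at owner name (empty list if none)."""
    return [v for t, v in zone.get(name, []) if t == rtype]

def reverse_name(ipv4):
    """Owner name of the PTR record for an IPv4 address (octets reversed, in-addr.arpa)."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa."

def has_tag(values, tag):
    """SPF, DKIM and DMARC are TXT records recognised by their leading version tag."""
    return any(v.startswith(tag) for v in values)

def mail_dns_findings(zone, domain, dkim_selector):
    """List what is missing or inconsistent; an empty list means every record is in place."""
    findings = []
    mx = records(zone, domain, "MX")
    if not mx:
        findings.append("no MX record")
    for value in mx:
        target = value.split()[1]
        if records(zone, target, "CNAME"):
            findings.append(f"MX target {target} is a CNAME")
        if not records(zone, target, "A") and not records(zone, target, "AAAA"):
            findings.append(f"MX target {target} has no A/AAAA record")
        for ip in records(zone, target, "A"):
            if target not in records(zone, reverse_name(ip), "PTR"):
                findings.append(f"PTR for {ip} does not point back to {target}")
    if not has_tag(records(zone, domain, "TXT"), "v=spf1"):
        findings.append("no SPF record")
    if not has_tag(records(zone, f"{dkim_selector}._domainkey.{domain}", "TXT"), "v=DKIM1"):
        findings.append(f"no DKIM record for selector {dkim_selector}")
    if not has_tag(records(zone, f"_dmarc.{domain}", "TXT"), "v=DMARC1"):
        findings.append("no DMARC record")
    return findings
```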


Domain Name System Security Extension (DNSSEC).

DNSSEC is a group of protocols and specifications that add a security layer to the Domain Name System and all its processes, from the lookups to the exchange of data.

These extensions give DNS resolvers cryptographic authentication of DNS data, authenticated denial of existence, and data integrity.

It was created by the Internet Engineering Task Force (IETF), mainly because the original design of the Domain Name System did not include security. Early in its use, various vulnerabilities were found, and DNSSEC was developed in response. Its creators chose the form of extensions to make it easier to add to the DNS infrastructure already in use.

What is the Domain Name System (DNS)?

Let's briefly review DNS as context for understanding the importance of DNSSEC and how exactly it works.

DNS is in charge of translating the domain names we use to refer to the sites we want to visit into IP addresses, the strings of numbers that computers use to communicate with each other.

So every time you type a domain name into your browser, a query is sent for the DNS information, the IP address associated with the requested domain. The DNS translation exists so that computers can find it. Once the information is found, the query is answered with the needed IP address, and with it your browser can finally reach the domain you requested.

How does DNSSEC work?

DNSSEC authenticates DNS data through digital signatures based on public and private key cryptography. DNS information is signed by its owner. DNSSEC is present at every level of the domain hierarchy (root, TLD, and so on). Using a key pair, one private and one public, each upper level can vouch for the level below it, so that trustworthy data is verified and untrustworthy data is detected and refused. It is like a chain of trust.

When you enter a domain name in your browser, you produce a request, which triggers the search for the DNS information that resolves it. When the resolver in charge of that search gets the information, it checks the digital signature against the keys published by the zone's authoritative (master) DNS servers. Only on a positive match does the verified IP address reach the computer that originated the request.

The digital signature lets you, as a user, know that you are really communicating with the website you wanted. This stops possible redirection to fraudulent destinations.

Besides, resolvers can also check whether the digital signatures on the information they receive are valid. If they are, the information is passed on to users. If a digital signature fails validation, the resolver discards the information to avoid a possible attack, and the user receives an error.

DNSSEC's data origin authentication lets resolvers cryptographically verify that the information they get really comes from the zone where it originated.

And through data integrity protection, resolvers can also detect whether the information was changed in transit, that is, after the zone (the information's owner) signed it with its private key.
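As an added example (not code from the original post), here is the link between two levels of the chain described above: the parent zone publishes a DS record that is a digest of the child's DNSKEY, and a validating resolver recomputes that digest from the DNSKEY it received and refuses the key if anything differs. Key tag and digest follow RFC 4034; the DNSKEY bytes below are a constructed placeholder, not a real key, and signature checking of the answer itself (RRSIG) is not shown.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, then the public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag: a 16-bit checksum used to pick the right DNSKEY."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """DS digest over owner name (wire form) + DNSKEY RDATA; type 2 is SHA-256, 4 is SHA-384."""
    algo = {2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return algo(name_to_wire(owner) + rdata).hexdigest()

def ds_record(owner, rdata, digest_type=2):
    """What the parent publishes for the child: (key tag, algorithm, digest type, digest)."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))

def dnskey_matches_ds(owner, rdata, ds):
    """Resolver-side check: the DNSKEY received from the child is trusted only if
    its key tag and algorithm agree with the parent's DS and the recomputed digest
    is identical. Anything else is a broken link in the chain and is refused."""
    tag, algorithm, digest_type, digest = ds
    return (key_tag(rdata) == tag and rdata[3] == algorithm
            and ds_digest(owner, rdata, digest_type) == digest)

# Constructed child zone key: flags 257 (key-signing key), protocol 3, algorithm 13
# (ECDSA P-256 with SHA-256). The key bytes are a placeholder, not a real public key.
CHILD = "example.com."
CHILD_KEY = dnskey_rdata(257, 3, 13, bytes([1, 2, 3, 4]))
PARENT_DS = ds_record(CHILD, CHILD_KEY)   # the DS that com. would publish for example.com.
```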

Benefits of having DNSSEC

The security it provides makes the Internet more trustworthy.

It protects users against man-in-the-middle, spoofing, and cache poisoning attacks and prevents redirection to malicious websites. IP addresses are verified in every DNS resolution via the digital signature, so a forged IP address is not accepted.

What to consider about DNSSEC?

By itself it is not a protection against DDoS attacks.

Activating DNSSEC adds some overhead to the network, causing a small delay. Your administrators will notice it, but your users will not.

Conclusion

Security is a priority. Without DNS your domain can't exist online, but DNS by itself is not safe. Activate DNSSEC to protect your domain, network, and users.


DNS SRV record explained

DNS SRV record

Let's investigate one more complex DNS resource record, the DNS SRV record. It is a very important one because it points not only to the service and its location but also to the exact port it uses for communication. Let's see the DNS SRV record in detail.

What is the DNS SRV record?

The DNS SRV record (service record) is a DNS record used to show a service's hostname and port. What makes it different from other DNS records is that it specifies the port too, not only the hostname. That way you can set which port should be used for a given service.

How to configure SRV record?

It is a very useful DNS record for setting up a multi-host configuration. You can run multiple servers with different services under the same domain.

The DNS SRV record is very commonly used for APT, DANE, SMTP, POP, IMAP, and SIP, by applications such as Skype, Slack, etc.

DNS SRV record syntax:

_Service._Proto.Name TTL Class SRV Priority Weight Port Target

The components of the DNS SRV record are SERVICE, PROTO, NAME, TTL, CLASS, TYPE, PRIORITY, WEIGHT, PORT, and TARGET.

What is a port?

In computer networking, a port is an endpoint of communication. It identifies a process or a type of network service. Each port has a number that is always paired with an IP address; together they make the origin or the destination complete.

Ports and port numbers are digital, but as an analogy, consider radio.

A particular range of radio frequencies is dedicated to FM radio. Imagine FM radio as the port, and the exact frequency of your favorite FM station, like 98.2 MHz, as the exact port number.

Common port numbers are 20 (FTP Data Transfer), 21 (FTP Command Control), 22 (SSH), 23 (Telnet), 25 (SMTP), 53 (DNS), 67 (DHCP), 68 (DHCP), 80 (HTTP), 110 (POP3), 119 (NNTP), 123 (NTP), 143 (IMAP), 161 (SNMP), 194 (IRC), 443 (HTTPS).

What’s inside the DNS SRV record?

SERVICE – the short name of the service for which we are using the SRV record.

PROTOCOL (PROTO) – here we specify the protocol used for the communication, like UDP, TCP, HTTP, HTTPS, etc.

NAME – the domain name for which the DNS SRV record is valid.

TTL – standard TTL field for a DNS record.

TYPE – SRV.

CLASS – standard DNS field. You will see it as “IN”.

PRIORITY – You can have multiple hosts (servers) for the same service. The lower the number, the higher the priority of the host. The value must be between 0 and 65535. If two hosts have the same priority, the weight parameter determines the order.

WEIGHT – The weight is a selection mechanism among servers of the same priority. A larger weight means a higher chance of being chosen. You can give a higher weight (a larger number) to a more powerful server so it gets more connections. Again, the number is between 0 and 65535.

PORT – The exact port, like 53 or 23. It is a number between 0 and 65535.

TARGET – The hostname of the server that provides the service, ending with a “.”.
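As an added example (not code from the original post), here is a parser for the SRV syntax shown above, with the range checks the field list calls for, followed by the client-side selection that priority and weight drive: lowest priority first, then a weighted random draw among equal priorities as specified in RFC 2782. The records are constructed; the seeded helper makes the draw reproducible.

```python
import random
from collections import namedtuple

SRV = namedtuple("SRV", "name ttl priority weight port target")

def parse_srv(line):
    """Parse '_service._proto.name TTL IN SRV priority weight port target'."""
    f = line.split()
    if len(f) != 8 or f[2] != "IN" or f[3] != "SRV" or not f[7].endswith("."):
        raise ValueError(f"not a well-formed SRV record: {line!r}")
    priority, weight, port = int(f[4]), int(f[5]), int(f[6])
    if not all(0 <= v <= 65535 for v in (priority, weight, port)):
        raise ValueError("priority, weight and port must be between 0 and 65535")
    return SRV(f[0], int(f[1]), priority, weight, port, f[7])

def select_order(records, rng=random):
    """(port, target) pairs in the order a client should try them, per RFC 2782:
    lowest priority first; within one priority a weighted random draw, repeated
    until the group is exhausted, so heavier targets come first more often."""
    by_priority = {}
    for r in records:
        by_priority.setdefault(r.priority, []).append(r)
    order = []
    for priority in sorted(by_priority):
        group = by_priority[priority]
        while group:
            # Weight-0 entries go first so they are chosen only when the draw is 0.
            group.sort(key=lambda r: r.weight != 0)
            draw = rng.randint(0, sum(r.weight for r in group))
            running = 0
            for r in group:
                running += r.weight
                if running >= draw:
                    order.append((r.port, r.target))
                    group.remove(r)
                    break
    return order

def seeded_order(records, seed):
    """Same selection with a seeded generator, for reproducible runs."""
    return select_order(records, random.Random(seed))

# Constructed records: a SIP service with two equal-priority hosts and a backup.
SAMPLE = [parse_srv(line) for line in (
    "_sip._tcp.example.com. 3600 IN SRV 10 60 5060 big.example.com.",
    "_sip._tcp.example.com. 3600 IN SRV 10 40 5060 small.example.com.",
    "_sip._tcp.example.com. 3600 IN SRV 20 0 5060 backup.example.com.",
)]
```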

Conclusion

You now know what the SRV record is, why it is used and what’s inside one. Go ahead and use your newly-obtained knowledge for your configurations.


Introduction to the Domain Name System (DNS)

Domain Name System - DNS

Running a business successfully offline doesn't mean it will automatically succeed online. The Internet is a different realm. It's vital to understand its rules, its methods, and its DNS. It's complex, but key to making your online strategy more effective.

What is DNS? 

Domain Name System (DNS) is the infrastructure that makes the Internet experience for humans as simple as it is nowadays. Its functionality is vast, but to start, at its core is the database of existing domain names and their corresponding IP addresses.

[Continue reading…]
