Glossary

DNS terms and definitions — from A records to zone transfers, a concise reference for the vocabulary of the Domain Name System

DNS vocabulary

Terms are listed alphabetically. See also RFC 9499 (DNS Terminology, 2023) for the IETF’s comprehensive glossary.

A record

A DNS record that maps a domain name to an IPv4 address. The most fundamental record type, comprising 55% of all DNS queries. Defined in RFC 1035. See Record Type Reference.

AAAA record

A DNS record that maps a domain name to an IPv6 address (128-bit). Pronounced “quad-A.” Defined in RFC 3596. Represents 19% of DNS queries.

Anycast

A routing methodology where a single IP address is advertised from multiple locations via BGP. DNS queries to an anycast address are automatically routed to the nearest instance. Used by root servers and public resolvers.

Authoritative name server

A DNS server that holds the definitive records for a zone and can answer queries without consulting other servers. Returns responses with the AA (Authoritative Answer) flag set.

Bailiwick

The scope of authority for a DNS server. A resolver only trusts records from a server when those records fall within that server’s zone of authority. Records outside bailiwick are rejected to prevent cache poisoning.

BIND

Berkeley Internet Name Domain. The most widely used DNS server software, originally written at UC Berkeley in 1984. Maintained by ISC (Internet Systems Consortium). See DNS Software.

Cache poisoning

An attack where false DNS records are injected into a resolver’s cache, redirecting users to malicious servers. The Kaminsky attack (2008) demonstrated a fundamental vulnerability in DNS caching.

CAA record

Certificate Authority Authorization. A DNS record specifying which certificate authorities are permitted to issue TLS certificates for a domain. Defined in RFC 8659.

CNAME

Canonical Name record. Creates an alias from one domain name to another. Cannot coexist with other record types at the same name, so it cannot be used at the zone apex.

CoreDNS

A flexible, plugin-based DNS server written in Go. The default DNS server in Kubernetes since version 1.13 (December 2018). CNCF graduated project.

DDI

DNS, DHCP, and IP Address Management — the three core network services typically managed together in enterprise environments. Leading vendors include Infoblox and BlueCat. See Enterprise DNS.

DKIM

DomainKeys Identified Mail. An email authentication method that uses cryptographic signatures to verify that an email was sent by the domain it claims to be from. The public key is published as a DNS TXT record. See DKIM.

DMARC

Domain-based Message Authentication, Reporting, and Conformance. A policy framework published as a DNS TXT record that tells receiving mail servers how to handle messages that fail SPF and DKIM checks. See DMARC.

DNSSEC

DNS Security Extensions. A suite of specifications (RFC 4033-4035) that add cryptographic authentication to DNS responses, preventing spoofing and cache poisoning. Uses DNSKEY, RRSIG, DS, and NSEC/NSEC3 records. See DNSSEC.

DNS-over-HTTPS (DoH)

An encrypted DNS transport protocol (RFC 8484) that sends DNS queries as HTTPS traffic on port 443, making them indistinguishable from web browsing. See DNS Privacy.

DNS-over-TLS (DoT)

An encrypted DNS transport protocol (RFC 7858) that wraps DNS queries in TLS on dedicated port 853. Easier to identify and block than DoH. See DNS Privacy.

DNS-over-QUIC (DoQ)

An encrypted DNS transport protocol (RFC 9250) using QUIC on port 853/UDP. Eliminates TCP head-of-line blocking while providing full encryption. See DNS Privacy.

EDNS

Extension Mechanisms for DNS (RFC 6891). Uses the OPT pseudo-record to extend DNS beyond its original limitations, including larger UDP payloads (beyond the original 512-byte limit), DNS cookies, client subnet, and DNSSEC signaling. See EDNS.

Empty non-terminal (ENT)

A domain name that exists in the zone’s name tree but has no resource records of its own. It exists only because it is an ancestor of another name that does have records. Queries for it return NODATA, not NXDOMAIN. Affects wildcard matching.

FQDN

Fully Qualified Domain Name. A complete domain name that specifies its exact position in the DNS hierarchy, ending with a dot representing the root. Example: www.example.com. (with the trailing dot).

GeoDNS

DNS-based geographic routing that returns different IP addresses based on the querier’s geographic location. Used by CDNs to direct users to the nearest edge server.

Glue record

An A or AAAA record in the parent zone that provides the IP address of a name server whose hostname is within the delegated zone. Required to break circular dependencies. See Zones and Delegation.

GSLB

Global Server Load Balancing. Extends DNS-based load balancing to multi-data-center environments using health checks, GeoDNS, and failover policies. See CDNs and Load Balancing.

ICANN

Internet Corporation for Assigned Names and Numbers. The organization that coordinates DNS root zone management, TLD delegation, and IP address allocation. Founded September 30, 1998. See ICANN and IANA.

IANA

Internet Assigned Numbers Authority. The function within ICANN that maintains the root zone, allocates IP address space, and manages protocol parameter registries. See ICANN and IANA.

Iterative query

A DNS query mode where the queried server returns the best answer it has (often a referral to another server) rather than performing full resolution itself. Recursive resolvers use iterative queries when walking the DNS hierarchy.

Lame delegation

A misconfiguration where NS records in the parent zone point to a server that does not actually serve the delegated zone. Causes SERVFAIL responses.

mDNS

Multicast DNS (RFC 6762). Enables zero-configuration name resolution on local networks using multicast address 224.0.0.251 on port 5353. Resolves .local hostnames. Used by Apple Bonjour and Avahi.

MX record

Mail Exchange record. Specifies the mail servers responsible for accepting email for a domain, with a priority value. Lower priority numbers indicate preferred servers. See SPF.

Negative caching

Caching of negative DNS responses (NXDOMAIN or NODATA). The TTL for negative caching is derived from the SOA record’s MINIMUM field. Prevents repeated queries for names that do not exist.

NS record

Name Server record. Declares the authoritative name servers for a zone. NS records at delegation points create the hierarchical zone structure.

NXDOMAIN

Non-Existent Domain. Response code 3. The queried domain name does not exist. The strongest negative assertion in DNS. Per RFC 8020, nothing exists below an NXDOMAIN name either.

OPT record

A pseudo-record (TYPE 41) used by EDNS to carry extension metadata. Exists only in the wire protocol, never in zone files.

QNAME minimization

A privacy technique (RFC 9156) where recursive resolvers send only the minimum number of labels needed at each step of resolution, rather than sending the full query name to every server in the chain. See Optimization.

Recursive resolver

A DNS server that performs full resolution on behalf of clients, walking the DNS hierarchy from root to authoritative servers and caching results. Also called a recursive name server or caching resolver.

Resource Record (RR)

A single entry in a DNS zone, consisting of a name, type, class, TTL, and RDATA. See Record Type Reference.

RRset

A set of resource records with the same name, type, and class. All records in an RRset must have the same TTL (RFC 2181). DNSSEC signs entire RRsets, not individual records.

Root server

One of the 13 logical DNS root servers (A through M) that form the top of the DNS hierarchy. Operated by 12 independent organizations across approximately 1,900 anycast instances worldwide. See Root Servers.

Serve-stale

A resolver behavior (RFC 8767) that returns expired cache entries when authoritative servers are unreachable, improving resilience during outages. See Optimization.

SERVFAIL

Server Failure. Response code 2. The server encountered an internal error while processing the query. Common causes include DNSSEC validation failure, authoritative server timeout, and lame delegation. See Response Codes.

SOA record

Start of Authority record. Contains administrative information about a zone including the primary name server, admin contact, serial number, and timing parameters. Required as the first record in every zone. One per zone.

SPF

Sender Policy Framework. An email authentication method published as a DNS TXT record that specifies which IP addresses are authorized to send email for a domain. See SPF.

Split-horizon DNS

A configuration where the same domain name resolves to different addresses depending on the source of the query. Typically distinguishes between internal (private IP) and external (public IP) resolution. See Enterprise DNS.

SRV record

Service record (RFC 2782). Specifies the host and port for specific services. Format: _service._protocol.name SRV priority weight port target. Used by SIP, LDAP, Kerberos, Active Directory, and Minecraft.

Stub resolver

A lightweight DNS client built into the operating system that generates DNS queries and sends them to a configured recursive resolver. Does not perform iterative resolution itself.

TLD

Top-Level Domain. The highest level of the DNS hierarchy below the root. Includes generic TLDs (.com, .org, .net), country-code TLDs (.uk, .de, .jp), and new gTLDs (.app, .xyz, .dev).

TSIG

Transaction Signature (RFC 8945). Shared-secret HMAC authentication for DNS messages, used to secure zone transfers and dynamic updates.

TTL

Time to Live. A value in seconds included in every DNS response that specifies how long a record may be cached before it must be re-queried. See Caching and TTL.

UDRP

Uniform Domain-Name Dispute-Resolution Policy. An ICANN-administered process for resolving disputes between trademark holders and domain registrants. See Domain Seizures.

Wildcard record

A DNS record with an owner name starting with * that matches queries for names that do not have explicit records. Only matches one additional label — *.example.com matches foo.example.com but not bar.foo.example.com.

Zone

A contiguous portion of the DNS namespace managed by a specific set of authoritative name servers. A zone ends where delegation to a child zone occurs.

Zone apex

The top of a zone — the domain name at the delegation point. For example.com, the zone apex is example.com itself. CNAME records cannot be used at the zone apex because the apex must have SOA and NS records.

Zone transfer

The process of replicating DNS zone data from a primary server to secondary servers. AXFR (RFC 5936) transfers the complete zone; IXFR (RFC 1995) transfers only changes since a given serial number. Both use TCP.