00:00:02
DNS is the Domain Name System, and we often refer to this as the service that converts the fully qualified domain names that we might type into our browser to something our networks might use, like an IP address. But what you may not realize about DNS is that this is not simply a standalone server that provides this resource. There are multiple servers across the internet that provide these translations, and they work on a hierarchy across all of the different fully qualified domain names. This is also a very distributed database, because we have many different DNS servers on the internet. There are 13 root server clusters; in actuality, this consists of over a thousand different servers. There are hundreds of generic top-level domains. These are the domains that are the .com, the .org, the .net, and others. And then there are also country-level top-level domains, like .ca for Canada or .uk for the United Kingdom.
00:01:01
Here's a very simple visual representation of this hierarchy from the perspective of professormesser.com. We'll start at the top with a period; this designates the end of the fully qualified domain name. And working backwards, we would have a .com, a .net, a .edu, and others. Obviously, professormesser.com would be the next layer in this hierarchy, so you can see underneath .com we have .professormesser. And of course, there may be multiple servers at professormesser.com. If you go to my website, then you're visiting www.professormesser.com, but I might have a mail server, which is mail.professor, and on very large networks you might have organizational domain names, for example east.professormesser.com and west.professormesser.com. And in the east there may be certain servers; in the west there might be other servers. Having this hierarchy allows us to configure a very specific structure, and this works across every fully qualified domain name on the internet.
00:02:03
If you'd like to see visually how this translation operates, and your system supports the dig command, you can run at the command line dig www.professormesser.com. The results of this command show us a summary of what we requested. It shows the information that was sent, asking specifically for an address associated with www.professormesser.com. And then you can see in the answer section there are actually three different IP addresses associated with my web server, and you can see those IP addresses are listed here. The reason there are three different addresses for my web server is for redundancy. If one of those IP addresses is no longer available, your device can use any of these other IP addresses to communicate back to www.professormesser.com.
00:02:53
If you're not on a system that supports the dig command, you can use nslookup professormesser.com. This will go out to your locally configured DNS server and provide answers for the professormesser.com IP addresses, and you can see the results of this query show exactly the same three IP addresses.
00:03:12
Behind the scenes, the DNS server has a large database that contains fully qualified domain names, IP addresses, and other details that can help your systems perform this translation between fully qualified domain name and IP address. We refer to these as resource records, and in this video we'll look at a number of different types of resource records that are used on a DNS server. There are over 30 different record types; we won't go through all 30 of those in this video. Those record types might be IP addresses, certificates, host names, and other details. As you can imagine, a DNS server is a critical resource. If a DNS server isn't available, you can make the request to visit www.professormesser.com, but there's nothing behind the scenes to make the translation between the fully qualified domain name and the IP address. This is why we tell people, if you're making a change to DNS, make sure you have very good backups of the previous configuration, and that you know exactly what you're changing in that DNS server.
00:04:15
Many DNS servers have a very simple configuration file that's written in text, and this is an example of one of those DNS configurations. The section at the top is the start of authority record. This has some mail exchanger records inside of it, a list of IP addresses and fully qualified domain names, and you've got some canonical or alias names that you've also assigned inside of this DNS server. This makes it relatively easy if you need to make changes to a DNS server's configuration, because you can use any text editor to modify or update this configuration file.

00:04:48
You might also find that the DNS service that you're using can provide you with a web-based front-end to the configuration. So instead of understanding all of those different records and understanding where they go in the configuration file, you can put them all into a web-based front-end and make your changes from there.
00:05:04
The first record we'll look at, and perhaps one of the most common records you see in a DNS server, is an address record. We often refer to these as an A record or a AAAA (quad A) record. The A records are address records for IPv4, so this A record will have a fully qualified domain name and the associated IPv4 address. The AAAA records are for IPv6; the same thing applies. We'd have a fully qualified domain name, and we would associate the IPv6 address with that domain name. Here's an example of an A record that's on the professormesser.com DNS server. You can see that I am specifying that www.professormesser.com is an internet address using the A record, and the IP address associated with that fully qualified domain name is 162.159.246.164.
00:05:57
If you're configuring this in a DNS text file, then you also have the option to add remarks or other comments on that record line.

00:06:05
If the front end to your DNS server is in a web-based configuration, it's the same information, but we've separated out the A record, the host name, the IP address, and the time to live for this IP address. The time to live in a DNS server is specifying how long an end station will remember this match between fully qualified domain name and IP address. This 15-minute time to live means that a device will make the request to a DNS server and store or cache that information for 15 minutes. After 15 minutes, that information is removed from the cache, and if this device needs to communicate back to the www server, it will need to request again the IP address for that particular record.

00:06:46
Here's the same thing, but from the perspective of IPv6, where we're configuring a AAAA record and we have a hostname, an IPv6 address, and again a time to live.
00:06:56
Another important record in a DNS is where all of your emails should be delivered. This is a mail exchanger record, or an MX record. To make this work, you would need two separate records inside of your DNS server. The first would be the MX record; you can see the mail exchange record in this server points to mail.mydomain. To be able to obtain the IP address for mail.mydomain.name, we would need to look at an A record, and you can see there is an A record for the mail.mydomain.name, which is 123.12.41, and it is a Linux server.

00:07:31
DNS servers have many different functions they can provide. One of those is to store text information that can then be used for other purposes. We would store the text information in a text record, or TXT record. This is usually public information, since people are able to query these text records on your server. These text records were originally designed for very informal purposes, but today we have very specific uses for a TXT or text record in our DNS server. For example, we might use this for verification purposes. We might be making a configuration change to our domain, and that domain change requires that you add something very specific to a text record in your DNS server. This is because the DNS server configuration is usually very secure, and only authorized individuals would have access to make changes to a DNS server's configuration.
00:08:24
We also use this text record extensively for email security, and you'll see in a moment how we're able to add information to a text record that can help verify the origination of a particular email. If you want to see some examples of text records, you can look at the text records that are on the professormesser.com DNS server. If you're running dig, you can use dig professormesser.com and then txt, and then it will show all of the text records that I have currently configured on my DNS server. You can see that I have two currently configured: one for a Stripe verification, and another one that is used for mailgun.org, which is used to send out my email messages.
00:09:04
If dig isn't available, you can also view these using nslookup. You would use nslookup -type=txt and then the domain name, such as google.com or professormesser.com. You can see when you perform a google.com lookup that Google has a number of text records on their device, which include things like a Facebook domain verification, a Google site verification, and a DocuSign text record.
00:09:29
A common text record you might find is an SPF record, or a Sender Policy Framework. This is a list of all of the email servers that are authorized to send messages using your fully qualified domain name. This was created to help prevent others from spoofing your fully qualified domain name and sending email as if you had sent it yourself. A mail server receiving an email that says it was from professormesser.com will query the professormesser.com DNS server, retrieve this SPF record in the DNS server, and be able to determine: is this something that really came from an authorized host?

00:10:08
Here's the same process for creating a text-based DNS record, and you can see you just paste in the text that is associated with the record that you'd like to add. In this example, you can see that I'm adding the SPF record into my DNS server, and again I have a TTL of 15 minutes.
00:10:26
We can even take this email security one step further and provide a digital signature that we can associate with outgoing mail. We do this through the use of a DKIM text record, or DomainKeys Identified Mail. This is going to be validated by the mail servers as that message is traversing the network, and the public key associated with this digital signature is added to a text record in your DNS server.

00:10:51
Here's the same configuration for that DKIM record, except we're making the configuration change in this web-based front-end, and you can see it's a large bit of text that is the public key for all of the digital signatures that have been sent from my domain.
00:11:06
Now that we have a way to verify messages that have been sent and to digitally sign messages that are being sent, we need some way to determine what we do with those messages if the verification fails. We would use DMARC for that purpose. This is the Domain-based Message Authentication, Reporting, and Conformance. This is an extension of the SPF and DKIM processes that we've already seen, except DMARC takes the extra step to determine the disposition that should be used when someone receives a message that can't be validated. You might create a DMARC record on your DNS server that says if a message is not validated, simply accept it, or maybe send it to a spam folder, or simply reject the email entirely. The mail servers behind the scenes keep track of how many mail messages have been validated and how many have failed the validation, and then you can receive a report that shows exactly how many messages were able to get through based on the SPF or DKIM configuration. And here's an example of adding one of those DMARC text records to your DNS. You can see that the content specifies what to do with the email messages and where to send the report, so that you can examine how your mail has been distributed.