Summary: Quick reference for common DNS terminology covering record types, zone types, resolution concepts, DNSSEC, and Active Directory DNS.
| Record | Full Name | Purpose |
|---|---|---|
| A | Address | Maps a hostname to an IPv4 address |
| AAAA | IPv6 Address | Maps a hostname to an IPv6 address |
| CNAME | Canonical Name | Alias pointing to another hostname; no other record types may exist at the same name (the RRSIG and NSEC records DNSSEC adds are the exception), which is why a CNAME cannot sit at a zone apex alongside the SOA and NS records |
| MX | Mail Exchanger | Specifies mail servers for a domain; lower preference value = higher priority |
| NS | Name Server | Identifies the authoritative name servers for a zone |
| PTR | Pointer | Maps an IP address to a hostname — used for reverse DNS lookups |
| SOA | Start of Authority | Defines the primary name server, admin contact, zone serial number, the refresh/retry/expire timers used by secondaries, and the minimum TTL, which resolvers use as the negative-caching TTL |
| SRV | Service | Specifies the hostname and port for a network service (e.g. LDAP, Kerberos, SIP) |
| TXT | Text | Stores arbitrary text — used for SPF, DKIM, DMARC, and domain ownership verification |
| CAA | Certification Authority Authorisation | Specifies which CAs are permitted to issue certificates for a domain |
| DNAME | Delegation Name | Redirects an entire subtree of the DNS namespace to another domain |
| DS | Delegation Signer | Holds the hash of a child zone's DNSKEY — used in DNSSEC chain of trust |
| Zone Type | Description |
|---|---|
| Primary zone | The writable master copy of a zone — changes are made here |
| Secondary zone | A read-only copy of a primary zone, updated via zone transfer |
| Stub zone | Contains only the SOA and NS records for a zone (plus glue A records for those name servers); used to direct queries to the correct authoritative servers without hosting the full zone |
| Forward lookup zone | Maps hostnames to IP addresses (A/AAAA records) |
| Reverse lookup zone | Maps IP addresses to hostnames (PTR records); named using the in-addr.arpa or ip6.arpa convention |
| AD-integrated zone | Zone stored in Active Directory rather than flat files — enables multi-master replication and secure dynamic updates |
| Conditional forwarder | Forwards queries for a specific domain to a designated server rather than to the normal resolver chain |
| Term | Description |
|---|---|
| Recursive query | The client asks a resolver to do all the work and return a final answer |
| Iterative query | The server returns the best referral it has; the client follows up with the next server in the chain |
| Authoritative answer | A response served directly from the zone's authoritative name server |
| Non-authoritative answer | A cached response from a resolver that is not the zone's authoritative server |
| Forwarder | A DNS server to which queries are forwarded when the local server cannot resolve them from its own zones or cache |
| Root hints | A list of root DNS server addresses used as the starting point when no forwarder is configured |
| TTL | Time to Live — how long (in seconds) a record may be cached before it must be refreshed |
| Negative TTL | How long an NXDOMAIN or NODATA response is cached; taken from the minimum field of the zone's SOA record, capped by the SOA record's own TTL (RFC 2308) |
| NXDOMAIN | Non-existent domain — the queried name does not exist in DNS |
| NOERROR / NODATA | The name exists but there is no record of the requested type |
| FQDN | Fully Qualified Domain Name — a complete domain name including all labels to the root, e.g. host.example.com. (trailing dot denotes root) |
| Resolver | A DNS client or server that performs recursive resolution on behalf of end clients |
| Zone transfer | Replication of zone data from a primary to a secondary server; AXFR transfers the full zone, IXFR transfers only incremental changes. Restrict transfers to the addresses of known secondaries (and authenticate them with TSIG where supported): an open AXFR hands anyone a complete listing of the zone |
| Split-horizon DNS | Serving different DNS responses for the same name depending on the source of the query — commonly used to return internal IPs to internal clients and public IPs to external clients |
| DNS scavenging | Automatic removal of stale dynamically registered records that have not been refreshed within a defined period |
| Aging | The process of tracking when a dynamic DNS record was last refreshed — records that exceed the no-refresh and refresh intervals become eligible for scavenging |
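The three outcomes in the table (answer, NXDOMAIN, NODATA) and the two TTLs that govern caching are easiest to see in code. The following is an added example, not part of the original reference: a toy authoritative lookup over a constructed zone plus a caching stub resolver that caches positive answers for the record's TTL and negative answers for min(SOA minimum, SOA TTL) as RFC 2308 specifies. The zone, the names and the addresses (example.com, 192.0.2.0/24, 2001:db8::/32) are constructed documentation values, not real hosts.

```python
"""Added example: toy authoritative lookup plus a caching stub resolver.
It distinguishes NXDOMAIN (name absent) from NODATA (name present, type absent),
caches positive answers for the record TTL, and caches negative answers for
min(SOA MINIMUM, SOA TTL) as RFC 2308 specifies. The zone is constructed for
this example; example.com, 192.0.2.0/24 and 2001:db8::/32 are documentation
ranges, not real hosts."""

# Constructed zone: name -> rtype -> (ttl, [rdata]); names are FQDNs with the trailing root dot.
ZONE = {
    "example.com.": {
        # SOA fields: mname rname serial refresh retry expire minimum
        "SOA": (3600, ["ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 300"]),
        "NS": (3600, ["ns1.example.com."]),
        "A": (300, ["192.0.2.10"]),
    },
    "www.example.com.": {"A": (60, ["192.0.2.20"]), "AAAA": (60, ["2001:db8::20"])},
    "mail.example.com.": {"A": (300, ["192.0.2.30"])},
}


def negative_ttl(zone, apex):
    """RFC 2308 section 5: negative responses are cached for the lesser of the
    SOA MINIMUM field and the TTL of the SOA record itself."""
    soa_ttl, (soa_rdata,) = zone[apex]["SOA"]
    minimum = int(soa_rdata.split()[-1])  # seventh SOA field
    return min(minimum, soa_ttl)


def authoritative_lookup(zone, name, rtype):
    """Answer as the zone's authoritative server would.
    Returns (rcode, ttl, rdata). NXDOMAIN: the name owns no records at all.
    NODATA: rcode NOERROR with an empty rdata list (name exists, type does not)."""
    rrsets = zone.get(name.lower())
    if rrsets is None:
        return "NXDOMAIN", None, []
    ttl, rdata = rrsets.get(rtype.upper(), (None, []))
    return "NOERROR", ttl, list(rdata)


class CachingResolver:
    """Stub resolver with a TTL-bounded positive and negative cache. The clock
    (`now`, in seconds) is passed explicitly so expiry is deterministic."""

    def __init__(self, zone, apex):
        self.zone = zone
        self.apex = apex
        self.cache = {}  # (name, rtype) -> (expires_at, rcode, rdata)

    def resolve(self, name, rtype, now):
        """Return (rcode, rdata, source) where source is 'cache' or 'authoritative'."""
        key = (name.lower(), rtype.upper())
        hit = self.cache.get(key)
        if hit is not None and hit[0] > now:
            return hit[1], list(hit[2]), "cache"
        rcode, ttl, rdata = authoritative_lookup(self.zone, name, rtype)
        if rcode == "NOERROR" and rdata:
            expires = now + ttl  # positive answer: cache for the record's TTL
        else:
            expires = now + negative_ttl(self.zone, self.apex)  # NXDOMAIN or NODATA
        self.cache[key] = (expires, rcode, rdata)
        return rcode, list(rdata), "authoritative"


if __name__ == "__main__":
    r = CachingResolver(ZONE, "example.com.")
    for name, rtype, t in [("www.example.com.", "A", 0), ("www.example.com.", "A", 30),
                           ("www.example.com.", "A", 61), ("nope.example.com.", "A", 100),
                           ("nope.example.com.", "A", 200), ("mail.example.com.", "AAAA", 300)]:
        print(t, name, rtype, r.resolve(name, rtype, t))
```

Note that the NODATA case (mail.example.com AAAA) is cached for the negative TTL exactly like NXDOMAIN, which is why lowering the SOA minimum before adding a new record type to an existing name matters as much as before adding a new name.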
| Term | Description |
|---|---|
| DNSSEC | DNS Security Extensions — adds cryptographic signatures to DNS responses to allow validation that records are authentic and unmodified |
| RRSIG | Resource Record Signature — a digital signature covering a set of DNS records |
| DNSKEY | Public key record used to verify RRSIG signatures in a zone |
| DS | Delegation Signer — stored in the parent zone; links to the child zone's DNSKEY to establish the chain of trust |
| NSEC | Next Secure: proves authenticated denial of existence by listing the next owner name in the zone and the record types present at the current one; because each record points to the next, the entire zone can be walked by following the chain |
| NSEC3 | Hashed version of NSEC: exposes salted, iterated SHA-1 hashes of owner names rather than plaintext, so the zone cannot be read straight off the chain; the hashes and the salt are public, however, so names can still be recovered offline with a dictionary, which makes NSEC3 an obstacle to enumeration rather than a secrecy control |
| Chain of trust | The validation path from the root zone down through parent zones to the authoritative zone, each link verified by a DS record |
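To make the NSEC3 caveat concrete, here is an added example (not part of the original reference) that implements the owner-name hash from RFC 5155 section 5 and then runs the offline dictionary attack against a set of hashes. The salt (aabbccdd), iteration count (12) and the expected hash of the apex name are taken from the example zone in RFC 5155 Appendix A; the set of "collected" hashes and the wordlist are constructed for this example.

```python
"""Added example: NSEC3 owner-name hashing as defined in RFC 5155 section 5,
followed by the offline dictionary attack that shows why NSEC3 only hinders
zone enumeration. Salt (aabbccdd), iterations (12) and the expected hash of the
apex name come from the RFC 5155 Appendix A example zone; the hashed owner
names being cracked and the wordlist are constructed for this example."""
import base64
import hashlib

# RFC 4648 base32hex alphabet, produced by translating Python's standard base32 output
_TO_BASE32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical wire form of a domain name: lowercase labels, each prefixed by
    its length, terminated by the zero-length root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155: IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    The hashed owner label is base32hex(IH(salt, wire(name), iterations)); only
    SHA-1 (hash algorithm 1) is defined for NSEC3. A salt of '-' means no salt."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_BASE32HEX).decode("ascii").lower()


def crack_nsec3_hashes(hashed_owners, zone, salt_hex, iterations, wordlist):
    """Offline enumeration: the zone's NSEC3PARAM (salt, iterations) is public, so an
    attacker who has collected hashed owner names from NSEC3 records can hash a
    wordlist of likely hostnames and match. Returns {hash: recovered name}; hashes
    of names absent from the wordlist stay unknown, which is all the protection NSEC3 gives."""
    targets = set(hashed_owners)
    recovered = {}
    for word in wordlist:
        candidate = zone if word == "@" else f"{word}.{zone}"
        h = nsec3_hash(candidate, salt_hex, iterations)
        if h in targets:
            recovered[h] = candidate
    return recovered


# Constructed scenario: hashed owner names an attacker collected by querying the zone
SALT, ITERATIONS = "aabbccdd", 12
COLLECTED = [nsec3_hash(n, SALT, ITERATIONS)
             for n in ("example.", "ns1.example.", "www.example.", "secret-host.example.")]
WORDLIST = ["@", "www", "ns1", "mail", "ftp", "vpn"]

if __name__ == "__main__":
    print("apex hash:", nsec3_hash("example.", SALT, ITERATIONS))
    for h, name in crack_nsec3_hashes(COLLECTED, "example.", SALT, ITERATIONS, WORDLIST).items():
        print(h, "->", name)
```

The cost of the attack is one SHA-1 chain per candidate name per zone, which is why large iteration counts do not buy much: they slow validating resolvers at least as much as they slow the attacker.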
Active Directory relies heavily on DNS for service location. Key records are registered automatically by domain controllers.
| Record / Concept | Description |
|---|---|
| SRV record | Used by clients to locate AD services — Kerberos (_kerberos._tcp), LDAP (_ldap._tcp), and Global Catalog (_gc._tcp) all use SRV records |
| _msdcs zone | A subdomain (e.g. _msdcs.example.com) that holds records for AD-specific services including DC locator, Kerberos, and replication |
| Dynamic DNS update | Domain-joined computers and DCs automatically register and update their DNS records; requires the zone to accept dynamic updates. Set AD-integrated zones to "secure only", so that only authenticated domain members can register records and a record can only be changed by the account that registered it: allowing nonsecure updates lets any host on the network overwrite another machine's records |
| Site-specific SRV records | DCs register SRV records scoped to their AD site (e.g. _ldap._tcp.SiteName._sites.example.com) to allow clients to prefer local DCs |
| Global Catalog | A DC holding a partial replica of all objects in the forest; located via _gc._tcp SRV records on port 3268 (LDAP) or 3269 (LDAPS) |
| PDC Emulator | The DC holding the PDC Emulator FSMO role; located by clients via _ldap._tcp.pdc._msdcs SRV records |
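How a client turns these SRV records into a choice of domain controller is easier to follow in code. The following is an added example, not part of the original reference and not Microsoft's DC locator: it builds the query names in the order the table describes (site-specific _sites record first, domain-wide record as fallback) and orders the SRV answers as RFC 2782 specifies (lowest priority first, weighted random choice within a priority, weight-0 targets placed first). The SRV answers, the site name London and example.com are constructed placeholders.

```python
"""Added example: how a domain-joined client turns the SRV records above into an
ordered list of domain controllers. Query names follow the DC locator convention
in the table (site-scoped _sites record first, domain-wide record as fallback);
answer ordering follows RFC 2782. The answers, the site name 'London' and
example.com are constructed placeholders, not real infrastructure."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


def dc_locator_queries(domain, site=None, service="_ldap._tcp"):
    """Names a client tries, in order, to find a DC: the site-specific record
    so it prefers a local DC, then the domain-wide record as a fallback."""
    names = []
    if site:
        names.append(f"{service}.{site}._sites.{domain}")
    names.append(f"{service}.{domain}")
    return names


def order_srv(records, rand=None):
    """RFC 2782 selection. `rand(total)` must return an int in [0, total]; it is
    injectable so the ordering can be made deterministic in tests."""
    rand = rand or (lambda total: random.randint(0, total))
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        # weight-0 records go first so they get only a small chance of selection
        group = [r for r in group if r.weight == 0] + [r for r in group if r.weight > 0]
        while group:
            pick, running = rand(sum(r.weight for r in group)), 0
            for r in group:
                running += r.weight
                if running >= pick:  # first running sum >= the random number wins
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


def locate_dc(dns, domain, site=None, rand=None):
    """Walk the locator names against `dns` (name -> SRV answers) and return the
    name that answered plus its ordered target:port list."""
    for qname in dc_locator_queries(domain, site):
        if dns.get(qname):
            return qname, [f"{r.target}:{r.port}" for r in order_srv(dns[qname], rand)]
    return None, []


# Constructed answers: dc1 and dc2 in London share the load 60/40, dc3 has weight 0
# so it is rarely chosen, and dc-remote is priority 10 so it is used only when the
# priority-0 DCs are unavailable.
DNS = {
    "_ldap._tcp.London._sites.example.com": [
        SRV(0, 60, 389, "dc1.example.com."),
        SRV(0, 40, 389, "dc2.example.com."),
        SRV(0, 0, 389, "dc3.example.com."),
        SRV(10, 100, 389, "dc-remote.example.com."),
    ],
    "_ldap._tcp.example.com": [SRV(0, 100, 389, "dc1.example.com.")],
}

if __name__ == "__main__":
    print(locate_dc(DNS, "example.com", "London"))
    print(locate_dc(DNS, "example.com", "Paris"))  # no Paris record: domain-wide fallback
```

The `rand` hook exists only to make the weighted selection testable; in production the default `random.randint` is what the RFC describes.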