What is DNS?
In short, DNS (Domain Name System) is the method by which we translate the human side of the internet, e.g. a typed domain name, into the machine side of the internet, e.g. an IP address. This makes it easier for users to access resources across the internet, as using a domain name such as google.com is easier than forcing people to remember the complex alphanumeric combination of an IP address such as 2a00:1450:4009:81d::200e.
What is a DNS Record?
DNS servers record useful information about a specific domain. There are a great number of DNS record types; some of the most common are outlined below:
Record type | Purpose |
A | Provides the IPv4 address of a given domain name |
AAAA | Provides the IPv6 address of a given domain name |
PTR | Provides the domain name of a given IP address |
TXT | Provides text information about the domain |
CNAME | Redirects one domain to another |
NS | Lists nameservers for the domain (where the domain records are stored) |
MX | Lists which mail servers receive email for a domain |
Why is this useful for my organisation?
DNS records can be used in a variety of ways, but one area of particular benefit to organisations is email authentication, i.e. confirming that the sender of an email is who they say they are. Email authentication better protects your organisation from being a target of, or vehicle for, email spoofing and phishing attacks.
This is done using 3 main standards:
SPF (Sender Policy Framework) – SPF is a TXT record specifying the mail servers that are permitted to send mail on behalf of your domain, simply by listing their IP addresses. If an email comes from a server other than those specified, it will fail an SPF check by the receiver.
DKIM (DomainKeys Identified Mail) – DKIM adds a digital signature to emails, created with a private key held by the sending domain. The matching public key is published in a TXT record for that domain. The recipient uses the public key to verify the signature, which only succeeds for mail that was signed by the sender and not altered in transit.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) – DMARC requires that either SPF, DKIM, or both, are already set up. It then adds ‘alignment’ checks against these for additional verification. Policies can be built into DMARC to decide whether failing emails are rejected, quarantined, or simply reported on.
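The following Python sketch is an added example, not part of the original article. It shows how a receiver could combine an SPF check with DMARC alignment and policy to decide what happens to a message. The records, IP addresses and function names are constructed for illustration; only the ip4, ip6 and all SPF mechanisms are handled, and relaxed alignment is approximated by comparing the last two labels of each domain.

```python
import ipaddress

# Constructed sample records for example.com (documentation address ranges).
SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:1::/48 -all"
DMARC = "v=DMARC1; p=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(record, sender_ip):
    """SPF result for a sending IP. Only ip4, ip6 and all are evaluated."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        result = QUALIFIERS.get(term[0], "pass")  # no qualifier means "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return result
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech[4:], strict=False)
            if ip.version == net.version and ip in net:
                return result
    return "neutral"  # nothing matched and no "all" term

def org_domain(domain):
    # Assumption: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    if mode == "s":  # strict: exact match
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)  # relaxed

def dmarc_disposition(record, from_domain, spf, dkim):
    """spf and dkim are (result, authenticated_domain) pairs."""
    pairs = (t.split("=", 1) for t in record.split(";") if "=" in t)
    tags = {k.strip().lower(): v.strip().lower() for k, v in pairs}
    if tags.get("v") != "dmarc1":
        return "no-policy"
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "deliver"
    return tags["p"] if tags.get("p") in ("reject", "quarantine") else "report-only"

if __name__ == "__main__":
    spf = spf_check(SPF, "192.0.2.25")
    print(spf, dmarc_disposition(DMARC, "example.com", (spf, "bounce.example.com"), ("none", "")))
    spf = spf_check(SPF, "198.51.100.7")
    print(spf, dmarc_disposition(DMARC, "example.com", (spf, "example.com"), ("none", "")))
```

An SPF or DKIM pass only counts towards DMARC when the authenticated domain aligns with the domain in the visible From address, which is why a pass for an unrelated domain still ends in the policy action.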