Tech Study Guide
DNS Records, Responses, and Transport
DNS record types, response codes, EDNS, UDP and TCP transport, truncation, reverse DNS, mail records, and operational debugging.
DNS operations are not only A records and TTLs. Operators need to recognize response codes, understand when DNS uses UDP or TCP, know why EDNS changes packet size behavior, and separate record-data problems from resolver, firewall, and transport problems.
Command Examples
dig example.com A
dig example.com AAAA
dig example.com MX
dig example.com TXT
dig +bufsize=1232 example.com DNSKEY
dig +tcp example.com DNSKEY
dig -x 203.0.113.10
Example output and meaning:
| Command | Example output | What it does |
|---|---|---|
| dig example.com A | IPv4 address records with TTLs, or a status such as SERVFAIL or NXDOMAIN, or a timeout. | Proves IPv4 name resolution as seen by the caller. |
| dig example.com AAAA | IPv6 address records with TTLs, or NOERROR with an empty answer section (NODATA) when the name has no IPv6 data. | Proves IPv6 name resolution separately from IPv4. |
| dig example.com MX | Mail exchangers with preference values and target hostnames. | Shows where mail for the domain should be delivered. |
| dig example.com TXT | Quoted text strings, including SPF and verification records. | Exposes quoting and splitting problems in text records. |
| dig +bufsize=1232 example.com DNSKEY | A DNSSEC key set, or a response with the TC flag set if it no longer fits the advertised size. | Tests how a conservative EDNS buffer size changes a large response. |
| dig +tcp example.com DNSKEY | The same large response over TCP port 53, or a failure if TCP 53 is blocked. | Separates UDP packet-size problems from TCP reachability problems. |
| dig -x 203.0.113.10 | A PTR record under in-addr.arpa, or NXDOMAIN if the reverse zone is not populated. | Checks reverse DNS independently of forward records. |
Records Operators Should Recognize
| Record | Meaning | Common operational issue |
|---|---|---|
| A / AAAA | IPv4 / IPv6 address data. | Broken dual stack when AAAA exists but IPv6 path is bad. |
| CNAME | Alias to another canonical name. | Long chains add latency and each target has its own failure modes. |
| NS | Authoritative nameservers for a zone. | Parent and child NS sets can drift. |
| SOA | Zone authority metadata. | Negative caching and serial drift depend on SOA data. |
| MX | Mail exchangers. | MX targets must be names, not raw addresses. |
| TXT | Text metadata. | SPF, DKIM, and verification records often break through quoting or splitting mistakes. |
| SRV | Service discovery with priority, weight, port, and target. | Target is a name and must not be an address literal. |
| PTR | Reverse DNS. | Reverse zones are delegated separately from forward zones. |
| CAA | Certificate authority authorization. | Incorrect CAA can block certificate issuance. |
Response Codes
The answer section is not the whole result. The DNS response code tells you whether the server considered the query successful.
| Code | Meaning | Operator interpretation |
|---|---|---|
| NOERROR | Query completed. | The name may still have NODATA for the requested type. |
| NXDOMAIN | Name does not exist. | Can be negatively cached. |
| SERVFAIL | Server failed to complete the query. | Often DNSSEC, upstream timeout, lame delegation, or resolver policy. |
| REFUSED | Server refuses the query. | Common with recursion disabled or ACL policy. |
| FORMERR | Server did not understand the query. | Can point to EDNS, middlebox, or software compatibility issues. |
NODATA is not a response code. It is a NOERROR response where the name exists but has no record set for the requested type.
UDP, TCP, EDNS, and Truncation
Classic DNS uses UDP for most queries and TCP for zone transfers and responses that need reliable transport. Modern DNS also uses TCP when UDP responses are truncated. EDNS allows clients and servers to signal larger UDP payload sizes and options, but middleboxes and firewalls can still break large DNS responses.
Operational rules:
- test both UDP and TCP port 53,
- do not assume DNS is always a tiny UDP packet,
- watch the TC (truncated) flag in responses,
- consider DNSSEC and large TXT records when packet size changes,
- avoid blocking all ICMP because it can break path MTU behavior for large DNS responses.
Reverse DNS and Mail Records
Reverse DNS lives under in-addr.arpa for IPv4 and ip6.arpa for IPv6. Forward and reverse zones are independent, so fixing an A record does not fix PTR data.
Mail-related DNS commonly spans MX, SPF in TXT, DKIM selector records, DMARC policy records, PTR, and sometimes MTA-STS or TLS reporting records. A mail incident can be a DNS incident even when web traffic works.
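Two of the points in the last two paragraphs are easy to get wrong by hand: how a reverse name is derived from an address, and how a long SPF or DKIM value is carried in a TXT record. The following is an added example, not code from the study guide: it derives in-addr.arpa and ip6.arpa names, works out which reverse zone must be delegated for a given prefix length, and encodes and decodes TXT character-strings to show how a split at the wrong place silently corrupts an SPF record. All addresses and record values are constructed.

```python
"""Added example (not from the study guide): reverse-zone name construction
for IPv4 and IPv6, and TXT record character-string encoding, which is where
SPF and DKIM records get split or quoted wrongly. Sample values are constructed."""
import ipaddress


def reverse_name(ip):
    """Owner name of the PTR record: octets reversed under in-addr.arpa for
    IPv4, zero-padded hex nibbles reversed under ip6.arpa for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")  # 32 hex digits, no :: shorthand
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone(ip, prefix_len):
    """Reverse zone that must be delegated (separately from the forward zone)
    for the PTR to exist. Only octet (IPv4) or nibble (IPv6) boundaries map
    to a single zone; other prefix lengths need a different delegation scheme."""
    addr = ipaddress.ip_address(ip)
    per_label = 8 if addr.version == 4 else 4
    if prefix_len % per_label:
        raise ValueError("prefix does not fall on an octet/nibble boundary")
    labels = reverse_name(ip).split(".")
    total = 4 if addr.version == 4 else 32
    return ".".join(labels[total - prefix_len // per_label:])


def txt_rdata(strings):
    """TXT RDATA is a sequence of <length><bytes> character-strings, each at most 255 bytes."""
    out = b""
    for s in strings:
        raw = s.encode("ascii")
        if len(raw) > 255:
            raise ValueError("character-string longer than 255 bytes")
        out += bytes([len(raw)]) + raw
    return out


def split_txt(value):
    """Split a long value into 255-byte character-strings; consumers join them verbatim."""
    return [value[i:i + 255] for i in range(0, len(value), 255)]


def txt_value(rdata):
    """What an SPF or DKIM checker sees: the character-strings concatenated with no separator."""
    parts, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        parts.append(rdata[i + 1:i + 1 + n])
        i += 1 + n
    return b"".join(parts).decode("ascii")


# Constructed SPF values. dig shows each character-string as a separate quoted string;
# the only difference between these two is a space at the split point.
SPF_OK = ["v=spf1 include:_spf.a.example ", "include:_spf.b.example -all"]
SPF_BAD = ["v=spf1 include:_spf.a.example", "include:_spf.b.example -all"]

if __name__ == "__main__":
    print(reverse_name("203.0.113.10"), "in zone", reverse_zone("203.0.113.10", 24))
    print(reverse_name("2001:db8::1"), "in zone", reverse_zone("2001:db8::1", 32))
    print("good split ->", txt_value(txt_rdata(SPF_OK)))
    print("bad split  ->", txt_value(txt_rdata(SPF_BAD)))
```

Because the strings are joined with nothing in between, the second split yields the single mechanism `include:_spf.a.exampleinclude:_spf.b.example`, which is why a TXT record that looks fine in a zone file can still fail SPF evaluation.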
Debugging Flow
- Read the full dig output, including status, flags, authority, and additional sections.
- Query A and AAAA separately.
- Check response code and whether the result is NXDOMAIN or NODATA.
- Test the same query over UDP and TCP.
- Test with a conservative EDNS buffer size.
- Check reverse DNS separately from forward DNS.
- For mail, inspect MX, SPF, DKIM, DMARC, PTR, and CAA.
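The debugging flow above and the response-code table before it can be turned into a checker that reads dig's text output rather than the bare answer section. The following is an added example, not code from the study guide: it parses status, flags, section counts, the advertised EDNS UDP size and the resource records per section from a dig transcript, then applies the interpretation rules (TC means retry with +tcp; NXDOMAIN versus NOERROR with an empty answer, which is NODATA). The dig transcripts are constructed, not captured from a live resolver, and the regular expressions assume the standard dig output layout shown in them.

```python
"""Added example (not from the study guide): a small parser for dig's text
output that extracts status, flags, section counts, EDNS size and RRs, then
applies the study guide's response-code rules. Transcripts are constructed."""
import re

STATUS_RE = re.compile(r"status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(
    r"^;; flags: ([^;]*); QUERY: (\d+), ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: (\d+)"
)
SECTION_RE = re.compile(r"^;; (\w+) SECTION:")
EDNS_RE = re.compile(r"^; EDNS: .*udp: (\d+)")


def parse_dig(text):
    """Return status, flag set, section counts, EDNS UDP size and RRs per section."""
    out = {"status": None, "flags": set(), "counts": {}, "edns_udp": None, "sections": {}}
    section = None
    for line in text.splitlines():
        m = STATUS_RE.search(line)
        if m:
            out["status"] = m.group(1)
            continue
        m = FLAGS_RE.match(line)
        if m:
            out["flags"] = set(m.group(1).split())
            out["counts"] = dict(zip(("query", "answer", "authority", "additional"),
                                     map(int, m.groups()[1:])))
            continue
        m = EDNS_RE.match(line)
        if m:
            out["edns_udp"] = int(m.group(1))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            out["sections"][section] = []
            continue
        if section and line and not line.startswith(";"):
            out["sections"][section].append(line.split())  # owner TTL class type rdata...
    return out


def interpret(parsed):
    """Apply the response-code table; NODATA is NOERROR with an empty answer section."""
    status, counts = parsed["status"], parsed["counts"]
    if "tc" in parsed["flags"]:
        return "TRUNCATED: answer did not fit the UDP buffer; repeat the query with +tcp"
    if status == "NXDOMAIN":
        return "NXDOMAIN: name does not exist (may be negatively cached)"
    if status == "NOERROR" and counts.get("answer", 0) == 0:
        soa = any(len(rr) > 3 and rr[3] == "SOA" for rr in parsed["sections"].get("authority", []))
        return "NODATA: name exists but has no RRset of this type" + (" (SOA in authority)" if soa else "")
    if status == "NOERROR":
        return f"NOERROR: {counts['answer']} answer record(s)"
    if status == "SERVFAIL":
        return "SERVFAIL: check DNSSEC, upstream timeouts, lame delegation, or resolver policy"
    if status == "REFUSED":
        return "REFUSED: recursion disabled or ACL policy on the server queried"
    if status == "FORMERR":
        return "FORMERR: suspect EDNS handling, a middlebox, or software compatibility"
    return f"unhandled status {status}"


# Constructed transcripts in dig's layout (not real captures).
NODATA_DIG = """\
; <<>> DiG 9.18.24 <<>> example.com AAAA
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;example.com.          IN  AAAA

;; AUTHORITY SECTION:
example.com.    3600  IN  SOA  ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
"""
TRUNCATED_DIG = NODATA_DIG.replace("flags: qr rd ra;", "flags: qr rd ra tc;")
NXDOMAIN_DIG = NODATA_DIG.replace("status: NOERROR", "status: NXDOMAIN")

if __name__ == "__main__":
    for name, text in (("AAAA", NODATA_DIG), ("truncated", TRUNCATED_DIG), ("missing", NXDOMAIN_DIG)):
        print(name, "->", interpret(parse_dig(text)))
```

The SOA in the authority section is what lets a resolver negatively cache both NXDOMAIN and NODATA, which is why the flow says to read the authority section and not just the answer count.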
Study Cards
What is NODATA?
A successful DNS response where the name exists but has no record set for the requested type.
Why test DNS over TCP?
Large or truncated responses, DNSSEC, and firewall differences can make TCP 53 fail while UDP appears fine, or the reverse.
What can a bad CAA record break?
Certificate issuance by a certificate authority that is not authorized by the zone's CAA policy.