
[–]a_cute_epic_axis (flair: Just 'cause it ain't in my flair doesn't mean I don't have certs) 13 points (1 child)

A DNS server can either a) return results for records it owns itself, or b) go fetch data from other DNS servers, or both.

Thus the DNS servers for reddit.com can serve things like www.reddit.com and images.reddit.com, directly. It could, theoretically, also query google's DNS servers to find out the IP address for www.google.com.

There are several types of records that exist in DNS, the most popular being A, AAAA, and PTR. A records return an IP address based on a domain name (e.g. you look for www.google.com, you get …). AAAA records do the same, but return an IPv6 address (so www.google.com is now 2000:8:8:4::4 with AAAA). PTR records allow you to query either an IPv4 or IPv6 address and get back a name, so the reverse of the A and AAAA records.

There are some other record types used for DNS itself (NS, SOA, etc.), and for other things like SRV and TXT records. SRV records get seen a lot on the Windows AD side, as they allow a client to find the name/address of domain controllers and the like. They can also be used with internet services for federating things like chat or voice/video communications. TXT records can serve a variety of reasons as well, such as indicating valid ownership of a domain name (a web service provider gives you a code via email and asks you to place it in a TXT record to prove that email account has administrative access to the domain), or for things like email, to list which SMTP servers should be authorized to send on behalf of the domain.
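A small worked example of the two modes and the record types described in this answer. It is added here as an editor's example and is not the commenter's code. The zone data (example.com, 192.0.2.x, 2001:db8::x) is constructed from the documentation address ranges; the resolver answers from its own records for names in zones it owns and signals that anything else would have to be fetched from other servers (the network lookup itself is not performed). It also builds the PTR owner name for an address, which the answer describes as the reverse of A and AAAA.

```python
import ipaddress

# Constructed sample data for the example: the zones this server is
# authoritative for, forward and reverse, using the documentation ranges.
OWNED_ZONES = {
    "example.com.",
    "2.0.192.in-addr.arpa.",          # reverse zone for 192.0.2.0/24
    "8.b.d.0.1.0.0.2.ip6.arpa.",      # reverse zone for 2001:db8::/32
}

# (owner name, type) -> list of record data. Names are fully qualified.
RECORDS = {
    ("www.example.com.", "A"): ["192.0.2.10"],
    ("www.example.com.", "AAAA"): ["2001:db8::10"],
    ("images.example.com.", "A"): ["192.0.2.11"],
    # SRV data: priority weight port target
    ("_sip._tcp.example.com.", "SRV"): ["10 60 5060 sip.example.com."],
    ("sip.example.com.", "A"): ["192.0.2.20"],
    # TXT data: an SPF policy naming the hosts allowed to send mail for the domain
    ("example.com.", "TXT"): ['"v=spf1 ip4:192.0.2.0/24 -all"'],
}


def reverse_name(address: str) -> str:
    """Build the PTR owner name for an IPv4 or IPv6 address.

    IPv4: the four octets reversed under in-addr.arpa.
    IPv6: all 32 hex nibbles of the expanded address reversed under ip6.arpa.
    """
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")  # 32 lower-case hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


# Derive the PTR records from the A/AAAA records so forward and reverse
# data cannot drift apart.
for (_name, _rtype), _values in list(RECORDS.items()):
    if _rtype in ("A", "AAAA"):
        for _addr in _values:
            RECORDS.setdefault((reverse_name(_addr), "PTR"), []).append(_name)


def qualify(name: str) -> str:
    """Lower-case a query name and make sure it ends in the root dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def zone_for(qname: str):
    """Return the owned zone containing qname, or None if we do not own it."""
    labels = qualify(qname).rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in OWNED_ZONES:
            return candidate
    return None


def resolve(qname: str, qtype: str):
    """Answer a query in one of the two modes the answer describes.

    Returns (mode, answers). mode is "authoritative" when the name falls in a
    zone we own (answers is the record list, empty if no such record) and
    "recursive" when the query would have to be fetched from other servers
    (answers is None: this example does not perform the network lookup).
    """
    qname = qualify(qname)
    if zone_for(qname) is None:
        return "recursive", None
    return "authoritative", RECORDS.get((qname, qtype.upper()), [])


if __name__ == "__main__":
    for q in [("www.example.com", "A"), ("www.example.com", "AAAA"),
              ("_sip._tcp.example.com", "SRV"), ("example.com", "TXT"),
              (reverse_name("192.0.2.10"), "PTR"),
              (reverse_name("2001:db8::10"), "PTR"),
              ("www.google.com", "A")]:
        print(q, "->", resolve(*q))
```

The IPv6 reverse name is built from the fully expanded address, so `2001:db8::10` becomes a 32-label name ending in `8.b.d.0.1.0.0.2.ip6.arpa.`; that is why the reverse zone for a /32 is exactly the last eight nibbles.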

[–]2HornsUp[S] 2 points (0 children)

Thanks for the incredibly quick reply. This helped more than you know.

[–]cat5easy (flair: CCNA R&S/Security/Wireless) 0 points (0 children)

In addition to /u/a_cute_epic_axis's answer, DNS can also be used as a sort of content / URL filter. If you control the DNS server and someone tries to go to a website you don't want them to, it can be configured to send them to a webpage that just says "this is a blacklisted site" instead of fetching the actual IP address. See OpenDNS.

Sure, it's not foolproof, but it is just another layer of security.
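The filtering this comment describes, written out as an added example (editor's code, not OpenDNS's or the commenter's): a resolver policy that answers names on a constructed blocklist with a constructed sinkhole address instead of fetching the real records, and keeps a record of each block so repeated hits per client can be reviewed. The blocklist is matched on whole labels, so an entry covers its subdomains without catching look-alike names; the `fake_upstream` function stands in for the resolver's normal recursion.

```python
from collections import Counter

# Constructed sample policy. Entries are matched on whole labels, so
# "bad.example" covers "cdn.bad.example" but not "notbad.example".
BLOCKED_DOMAINS = {"bad.example", "tracker.example"}

# Constructed addresses of the page that tells the user the site is blocked.
SINKHOLE = {"A": ["192.0.2.1"], "AAAA": ["2001:db8::1"]}


def normalize(name: str) -> str:
    """Lower-case and strip the trailing root dot so names compare equal."""
    return name.lower().rstrip(".")


def blocked_parent(qname: str):
    """Return the blocklist entry that covers qname, or None.

    Walks up the label hierarchy (cdn.bad.example -> bad.example -> example)
    rather than doing a substring match, which would wrongly catch names
    such as notbad.example.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKED_DOMAINS:
            return candidate
    return None


def filter_query(qname, qtype, client_ip, upstream, events):
    """Apply the policy to one query.

    upstream(qname, qtype) stands for the resolver's normal behaviour of
    fetching the real records. A blocked name never reaches it: the client
    gets the sinkhole address for A/AAAA (nothing for other types), and the
    block is appended to events for later review. Returns (action, answers).
    """
    hit = blocked_parent(qname)
    if hit is None:
        return "resolved", upstream(qname, qtype)
    events.append({"client": client_ip, "qname": normalize(qname),
                   "qtype": qtype, "matched": hit})
    return "sinkholed", SINKHOLE.get(qtype.upper(), [])


def blocks_per_client(events):
    """Count blocked queries per client: a client that keeps hitting the
    blocklist is worth a closer look (or has software that needs cleaning)."""
    return Counter(e["client"] for e in events)


def demo():
    """Run a constructed batch of queries through the filter."""
    def fake_upstream(qname, qtype):
        # Constructed stand-in for real recursion to other DNS servers.
        return ["203.0.113.5"] if qtype == "A" else []

    queries = [  # (name, type, client): constructed sample traffic
        ("www.example.org", "A", "10.0.0.5"),
        ("cdn.bad.example", "A", "10.0.0.5"),
        ("notbad.example", "A", "10.0.0.7"),
        ("tracker.example", "AAAA", "10.0.0.5"),
        ("TRACKER.example.", "TXT", "10.0.0.9"),
    ]
    events = []
    results = [(q, *filter_query(q, t, c, fake_upstream, events))
               for q, t, c in queries]
    return results, blocks_per_client(events)


if __name__ == "__main__":
    results, counts = demo()
    for row in results:
        print(row)
    print("blocked queries per client:", dict(counts))
```

The policy only applies to clients that actually send their queries to this resolver, which is the sense in which the comment calls it one layer rather than foolproof; the per-client block counts are the part a defender gets out of it beyond the block itself.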