Published: 23 February 2024
Contributors: Chrystal R. China, Michael Goodwin
A DNS zone is a distinct logical entity within the domain namespace of the Domain Name System (DNS), delegated to an administrator, organization, or other legal entity responsible for managing it. It represents a segment of the DNS database and contains all the records for a specific domain, including all subdomains and IP addresses.
The DNS is a hierarchical, decentralized framework that translates user-friendly domain names into computer-friendly IP addresses to resolve user queries (think of the DNS as a phonebook for the internet). DNS zones streamline DNS management and orchestration. Zoning enables businesses and teams to interact exclusively with the domain names in their allotted portion of the DNS namespace, walling off the domains that aren’t pertinent to their workflows.
As such, zones simplify the process of delegating authority and distributing DNS query load across different zones, enhancing the overall efficiency and scalability of DNS services.
Get a live demo of IBM® NS1 Connect to access premium DNS and advanced traffic steering solutions.
Subscribe to the IBM newsletter
DNS zones serve as digital boundaries of authority that allow system administrators to manage their respective zones under a specific set of administrative policies, as laid out by a domain registrar or a hosting provider. Each zone starts from a node in the DNS namespace and extends to all the nodes (domains and subdomains) over which a DNS name server (the mechanism responsible for connecting URLs and IP addresses) has authority. The DNS operates within a hierarchical framework.
The DNS defines a domain namespace, which specifies top-level domains (for example, “.com,” “.edu” and the newer “.internal” for private networks1), second-level domains (for example, “ibm.com”), and lower-level domains or subdomains (for example, “support.ibm.com”). Each of these levels can constitute a DNS zone.
At every level of the DNS system, a name server containing a zone file holds the correct records for each respective zone type. The zone levels/types include:
The root zone of a DNS system, represented by a dot at the end of the domain name (for example, "www.example.com."), is the primary DNS zone. The DNS server that hosts root or primary zone data serves as the authoritative source for queries about a domain; contains all the DNS records for the domain (including the primary zone file); and is the location where zone modifications occur.
The root domain “ibm.com.,” for instance, belongs to the IBM Corporation. IBM assumes responsibility for setting up the authoritative DNS server that holds the correct DNS records for the domain.
Thirteen logical servers govern the root zone; recursive DNS queries start by contacting one of the primary DNS servers in the root zone and requesting information for the next level down the hierarchy.
The TLD is part of the root zone and the next highest level of the DNS. TLDs are responsible for deploying the lookup process.
When a user enters a domain name for an uncached request (where neither the OS nor the web browser has temporarily stored—or “cached”—data about previous DNS lookups), DNS resolvers initiate the search by communicating with the TLD server.
The TLD also helps communicate the purpose of domain names, so every TLD reveals the purpose of the domain that precedes it in the hierarchy (“.gov” for US government entities, “.org” for organizations, “.com” for commercial sites, and so on).
A secondary zone is a read-only copy of the primary zone, used to create a redundancy and implement load balancing for DNS queries.
DNS requests are typically distributed across the primary and secondary servers. If the primary server is down, the secondary servers can take on all or part of the load by using zone transfers. Secondary zones also check in with the primary servers to ensure that replicas are up to date.
The forward lookup zone translates domain names into IP addresses. When a DNS resolver receives a query for a human-readable hostname, it consults A or AAAA mapping records in the forward lookup zone to find the corresponding IP address.
As a counterpoint to forward lookup zones, reverse lookup zones map IP addresses back to domain names by using PTR records (pointer records).
This process can be useful for deploying services that require domain verification, or for logging purposes when teams need to understand the domain associated with an IP address (for troubleshooting and spam filtering, for example). Queries in reverse DNS lookup zones use the in-addr.arpa or ip6.arpa domains.
Stub zones contain only the records that the system needs to identify the authoritative name servers for a zone. They serve as a pointer, reducing dependence on recursive servers for querying upper-level zones to locate the authoritative server. The proximity of stub zones to authoritative servers helps reduce DNS query traffic and shorten resolution times.
When teams work with DNS zones, they typically deploy a few major components and processes.
Zones are defined in zone files, that is, plain text files that live on DNS servers and include all the mappings and information necessary to resolve a domain name.
Each line of a zone file specifies a resource record (a single piece of information about the nature of the domain, typically organized by data type). Resource records ensure that when a user submits a query, the DNS can quickly translate domain names into actionable information that directs users to the correct server.
DNS zone files start with two mandatory records: the global time to live (TTL)—which indicates how long records should be stored in the local DNS cache—and the start of authority (SOA record)—which specifies the primary authoritative name server for the DNS zone.
After the two primary records, a zone file can contain several other record types, including:
- A records, which map to IPv4 addresses, and AAAA records, which map to IPv6 addresses.
- Mail exchange records (MX records), which specify an SMTP email server for a domain.
- Canonical name records (CNAME records), which redirect hostnames from an alias to another domain (the “canonical domain”).
- Name server records (NS records), which indicate that a DNS server is attached to a specific authoritative name server.
- Pointer records (PTR records), which specify a reverse DNS lookup.
- Text records (TXT records), which indicate the sender policy framework record for email authentication.
The parent, or primary domain, empowers DNS zones that are created under a TLD.
The process of granting authority typically involves creating namespace records in the parent zone that point to the authoritative name server for the child zone, which is a separate, fully functional subdomain or subzone of another zone (for example, “exemplar.example.com”). The authoritative name server is ultimately responsible for locating specific sites for recursive DNS name servers.
Consequently, when a DNS resolver queries a domain name, it traverses the DNS hierarchy from the root zone downwards, following delegations until it reaches the authoritative name server for the target zone, where it can retrieve the final answer.
The delegated, hierarchical structure streamlines query routing by driving traffic from the parent zone directly to the appropriate child zone server, minimizing superfluous traffic and processing in unrelated parts of the DNS infrastructure.
DNS zone transfers maintain optimal system functionality, especially in environments where redundancy and high availability are priorities.
A full zone transfer copies the entire contents of a zone file from the primary server to secondary servers, creating an exact replica of the zone. Full zone transfers are commonly used during initial configuration of secondary servers or when secondary servers need to be re-synced after lengthy downtime.
Incremental zone transfers only comprise changes to the zone since the last transfer. Because they require significantly less bandwidth and processing power to maintain syncing processes, incremental zone transfers can be useful in dynamic zones that undergo frequent changes.
Dynamic DNS (DDNS) enables devices and services to implement real-time, automatic updates to DNS records without manually editing zone files. This helps ensure that the associated domain names always resolve to the correct IP addresses. DDNS is also widely used for scenarios where IP addresses frequently change, as is the case with dynamic host configuration protocol (DHCP) environments.
Zoned structures enable systems to handle the vast array of domain names on the internet and prevent any one entity from being overwhelmed with responsibility for the entire DNS system.
Businesses that manage DNS zones get granular control over their respective zones, enabling them to manage DNS records according to their unique needs without waiting for changes to circulate through a central system.
DNS zones facilitate the distribution of internet traffic across different servers by allowing zone administrators to configure DNS records for load balancing and failover.
Delegation of authority within zones means that DNS resolvers can reduce the number of hops needed to resolve a domain name, ultimately accelerating the routing and data retrieval processes.
IBM® NS1 Connect Managed DNS service delivers resilient, fast, authoritative DNS connections to prevent network outages and keep your business online, all the time.
Optimize end-user experience and improve network resilience at a lower cost with IBM NS1 Connect global server load balancing, a new approach powered by DNS and real-time device performance data.
IBM Cloud® DNS Services offers public and private authoritative DNS services with fast response time, unparalleled redundancy and advanced security—managed through the IBM Cloud web interface or by API.
The DNS makes it possible for users to connect to websites using URLs rather than numerical Internet protocol addresses.
DNS servers translate the website domain names users search in web browsers into corresponding numerical IP addresses. This process is known as DNS resolution.
A Domain Name System (DNS) record is a set of instructions used to connect domain names with internet protocol (IP) addresses within DNS servers.
Cyberattacks are attempts to steal, expose, alter, disable, or destroy another's assets through unauthorized access to computer systems.
Read why large enterprises may want to build and host their own authoritative DNS service.
Learn about how computer networks operate, the architecture used to design networks, and how to keep networks secure.
Footnotes
1 "ICANN to reserve the ".internal" top-level domain for private networks," (link resides outside ibm.com), TechSpot, 29 January 2024