DNS Zones and Zone Files Explained

zone-files-iconDNS is comprised logically of Domains but physically of zones.

A domain is a logical division of the DNS name space whereas a zone is physical, as the information is stored in a file called a zone file.

In most cases you have a 1 to 1 relationship between a Domain and a DNS Zone i.e. the domain mydomain.com would be stored in a zone file called mydomain.com.txt.

This tutorial is for beginners and you will learn:

  • What a DNS Zone Is.
  • What a Zone File is
  • How DNS Zones relate to Domains
  • Different Zone Types
  • How Zone transfer works

To Explain what zones and zone files and how they work are we are going to start with a simple analogy.

If you imagine that you (Bill) have organized a football league that has three teams.

Teams A,B,C and each team has 20 players in the squad.

What you need is for anyone to be able to contact any player on any of the teams.

So you could create a paper list and write the names and phone numbers on it. ( This was effectively the hosts file approach.


This works but gets to be a problem if the league expands and you get,for example, 10 teams.

So an alternative is to create three lists one for teamA , one for teamB and one for teamC.

If another team gets added then you create another paper list for teamD.dns-zones-teams-2So now you have three lists but who manages the lists?
Well each team has a manager so you let the manager handle the list for the team. So

  • John manages teamA
  • Fred manages teamB
  • Jane manages teamC

Now the league organiser Bill wants the phone number of Steve who plays for TeamA. How does he get it?

Well he first needs to know who has the player list for TeamA.

So Bill needs a list with the name and phone numbers of all the managers..

The manager’s name isn’t really important just the phone number.


So if someone wants to find the phone number of Steve on team A they contact Bill who contacts the manager of Team A (John) using the phone number returned by Bill and John tells them. As shown in the diagram below:dns-zones-teams-4If you compare this to IP addresses and Domain names

  • Steve = A web server, for example
  • Phone number = the IP address
  • TeamA = a Domain Name
  • Bill,John,Fred,Jane are name servers.
  • The lists are zones or zone files

Notice Bill doesn’t have a list of players but managers i.e it doesn’t contain host names (A records) but Manager names (name server records NS records).

Also Bill needs to know who has the team list for all of the teams below him, but John only needs to know the phone number for the Top of the Tree, which in this case is Bill as we have only two levels, but it doesn’t have to be.

i.e you traverse the tree from top to bottom and not from bottom to top. See Understanding DNS lookups

Primary and Secondary Zones and Zone Transfer

What happens when a Manager goes on holiday?

Well all they need to do is to photocopy their list and give it to someone else (Barry for example), and tell Bill the Contact number of the person so Bill can update his list.

Notice: In DNS there are always two name servers for resilience.

In the Diagram below I have modified Bills list to include Barry.

We also need to add a note in Johns list to include Barry as he needs to send him the list and list updates.


A zone can be either a primary or secondary zone.

Note: Primary zones are now called master zones and secondary zones are now called slave zones.

The primary zone is the master record, and it is the one that gets changed by the administrator.

To keep things simple only john can update the list. He has the master copy (primary zone).

When he changes the list he neds to send a copy to Barry who has a copy (secondary zones or slave zones).

On DNS these changes are copied to the secondary zones in a process called zone transfer.

Zone transfer is normally from primary to secondary, but it is requested by the DNS server responsible for the secondary zone.

In our illustration Barry would request an updates list from John.

However the primary servers can be configured to notify secondary servers of changes.

At it’s most basic a zone transfer is simply a file copy.

A DNS server hosting a primary zone is normally called a primary name server(master) ,and one hosting a secondary zone is a secondary name server (slave).

A DNS server can store and manage multiple zone files, and they can be a mixture of primary and secondary zones.

In out analogy John could have a copy of TeamB list in case Fred goes on holiday.

Therefore a DNS server can be both a primary and secondary name server.

Primary and secondary name servers are both considered as authoritative for a domain.

DNS Zones and Domains

The use of zones and zone files is what allows DNS to be a distributed and resilient system.

DNS Zones provide a very easy and simple method of grouping domain data from multiple domains together for storage.

For domains to share a zone and hence a zone file the domains must be contiguous.

A domain administrator would be responsible for creating zones, and delegating responsibility for these zones to an administrator and DNS server.

To illustrate we will refer to the diagram below which shows a section of the domain name system which has been divided into 3 zones.


You should note that you cannot create a zone that includes Domain1 sub domain 1 and Domain 3 because they are not contiguous.

Zone File Storage

In our analogy the data is stored on a paper list and kept by the team manager.

A zone file is a text based file with a format defined in RFC 1035 and 1034 and is stored on a DNS server (name server).

Zone files contain the IP and name data, MX records and other service records.

They also contain glue data that connects them to the other DNS servers.

Referring to the diagram above the DNS server responsible for zone 1 will contain records that tell it:

  • Which DNS servers have data for Domain2.
  • Which DNS servers have data for Domain3 sub domain1 ( i..e. zone3).
  • List of Root servers (root hints)
  • List of forwarding servers (if using forwarding)

The DNS server responsible for Domain 1 -sub domain 1 and 2 – i.e. Zone 2 has no knowledge of who has data for domain3 sub domain1 – i.e. Zone 3 and doesn’t need any.

Zone File Structure and Record Contents

The DNS zone file consists of directives and resource records.

Directives begin with a $. There are three Directives

  • $TTL – Time to Live value for the zone.
  • $ORIGIN – Defines base name -used in domain name substitution
  • $INCLUDE– Include a file

The $TTL directive must appear at the top of the Zone File before the SOA record.

The SOA (start of authority) must be present in a zone file, and defines the domain global values mainly to do with zone transfer.


An example record is shown below .


For more detail see this chapter from the Pro Bind and DNS book.

Zone Delegation

When an administrator of a domain decides to allocate responsibility of a child domain to someone else e.g. sub domain 1 of domain 3. then they will delegate the zone.

This means that the zone file is stored on another DNS server than the parent domain. However the parent domain will keep track on the location of the zone by creating glue records to the name servers responsible for the zone data.

We saw this with Bill Needing to know who had the list for Teams A.B.C.

Caching and TTL

Caching is the process of temporarily storing data and is used frequently in networking, and on the Internet.

DNS server and hosts cache DNS lookup data which means that they may be able to quickly resolve a lookup if it is already stored in the cache.

In our example above when someone requested the phone number of Steve, Bill remembers that information for a short time in case someone else needs to know it.

The problem with caching data is what happens if the data changes, but the cache is still holding the old data?

To ensure that clients and servers don’t hold on to old data for too long DNS records have a TTL (time to live value) which tells the client/server how long it can store data in its cache.

Caching greatly reduces the load on the root DNS servers.

Reverse Mapping Zones

Reverse mapping zones provide the data for reverse lookups i.e IP address to name.

In our analogy we would use the phone number to find the name of the player.

Reverse mapping is not mandatory but is used frequently by applications like email to prevent spamming.

Therefore without it some applications may not work correctly.

Reverse mapping uses the domains IN-ADDR.ARPA for IPv4 addresses and IP6.ARPA for IPv6 addresses.

Most DNS admin tools will automatically create the reverse mapping entry when you create the host entry.
For more details see chapter 3 of the Pro DNS and Bind book.

References and resources:

Related Tutorials

Please rate? And use Comments to let me know more
[Total: 6    Average: 4/5]


  1. Hi Steve,

    It was a great explanation and analogy made to understand the concept in a simple way.
    I have a quick question, relating to the analogy.
    When Bill gets a request from a client, how does he knows that it has to be sent to John, Fred or Jane?
    Does the request will be sent to all the managers and they respond only if they have a team member?


    1. He knows who to send it to as the request is for Jim in TeamA and he knows who manages TeamA and so he sends it to them.
      Does that make sense?

  2. Best explanation on the topic that I’ve seen, and I’ve seen a lot.
    Just one silly suggestion: change de the names of the team managers to Alice, Bob and Charlie. Barry should be the backup of team B and Bill should be named Ron for root.

  3. Hi Steve,
    I have read that there are 13 root servers in the world.So, my question is does all the root servers have separate copy of domain names or they share data between them? Like ,suppose i want to add a ‘top level domain ‘ so do I have to change in all root servers or I will make change in one root server and others root servers get updated automatically?

    1. The way DNS works is that one server will hold the master and the others will hold slave copies. The master will be updated and will in turn update the slaves.(master=primary and slave= secondary zones).

  4. Hi Steve, so am I correct in saying that a primary zone is restricted to one dns server, but each server can have up to 255 secondary zones? And secondary zones are basically backups of said primary zones. Thanks Steve. 😉

    1. A zone can have only one primary and yes secondary zones are backups but a dns client doesn’t know the difference between a primary and secondary.
      A DNS server can host multiple primary zones and multiple secondary zones.

      Does that make sense?

  5. Hi Steve, I like the article and I understand it – but I still can’t relate your zones to the zones that bind uses on an actual server – in this case I’m trying to find out what the zone(s) would be for a DNS server on my own small LAN. I built my own router for my LAN, based on ubuntu with pppoe and DHCP and bind9 to serve my LAN’s hosts (laptops mainly). It all works out of the box, but it doesn’t do dynamic updates. So suddenly I discover that bind9 is mega complicated. What zone would I have to configure it with? To follow your metaphor, just one team with a list of phone numbers, right? Everybody else is the ‘rest of the world’. Or what?

  6. If this explanation was above my understanding level, what would you recommend I read to better understand DNS Zones?

    I think I’ve read 12 articles so far and I’m batting zero. 🙁

    1. If you send me an email to steve@steves-internet-guide.com or reply to this comment with a couple of paragraphs or notes explaining what you things zone files are and what they do, and also a list of questions that you have about them then I will try to update/rewrite the tutorial or find something else that will help you

Leave a Reply

Your email address will not be published. Required fields are marked *