DNS Zones and Zone Files Explained

DNS is divided logically into domains but physically into zones.

A domain is a logical division of the DNS name space, whereas a zone is physical: its data is stored in a file called a zone file.

In most cases there is a one-to-one relationship between a domain and a DNS zone, i.e. the domain mydomain.com would be stored in a zone file called mydomain.com.txt.

This tutorial is for beginners and you will learn:

  • What a DNS zone is
  • What a zone file is
  • How DNS zones relate to domains
  • The different zone types
  • How zone transfer works

To explain what zones and zone files are and how they work, we are going to start with a simple analogy.

Imagine that you (Bill) have organized a football league with three teams.

Teams A, B and C, each with a squad of 20 players.

What you need is for anyone to be able to contact any player on any of the teams.

So you could create a paper list and write the names and phone numbers on it. (This is effectively the hosts file approach.)

[Diagram: dns-zones-teams]

This works but becomes a problem if the league expands and you get, for example, 10 teams.

So an alternative is to create three lists: one for team A, one for team B and one for team C.

If another team gets added then you create another paper list for team D.

[Diagram: dns-zones-teams-2]

So now you have three lists, but who manages the lists? Well, each team has a manager, so you let the manager handle the list for the team. So:

  • John manages teamA
  • Fred manages teamB
  • Jane manages teamC

Now the league organiser Bill wants the phone number of Steve, who plays for Team A. How does he get it?

Well, he first needs to know who has the player list for Team A.

So Bill needs a list with the names and phone numbers of all the managers.

The manager's name isn't really important, just the phone number.

[Diagram: dns-zones-teams-3]

So if someone wants to find the phone number of Steve on Team A they contact Bill, who returns the phone number of the manager of Team A (John). They then contact John for the phone number of Steve, as shown in the diagram below:

[Diagram: dns-zones-teams-4]

If you compare this to IP addresses and domain names:

  • Steve = a web server, for example
  • Phone number = the IP address
  • Team A = a domain name
  • Bill, John, Fred and Jane are name servers
  • The lists are zones or zone files

Notice that Bill doesn't have a list of players but a list of managers, i.e. it doesn't contain host names (A records) but manager names (name server records, NS records).

Also, Bill needs to know who has the team list for all of the teams below him, but John only needs to know the phone number for the top of the tree, which in this case is Bill, as we have only two levels (but it doesn't have to be).

i.e. you traverse the tree from top to bottom and not from bottom to top. See Understanding DNS lookups.

Primary and Secondary Zones and Zone Transfer

What happens when a Manager goes on holiday?

Well, all they need to do is photocopy their list and give it to someone else (Barry, for example), and tell Bill the contact number of that person so Bill can update his list.

Notice: In DNS there are always two name servers for resilience.

In the diagram below I have modified Bill's list to include Barry.

We also need to add a note in John's list to include Barry, as John needs to send him the list and list updates.

[Diagram: dns-zones-teams-5]

A zone can be either a primary or secondary zone.

Note: Primary zones are now called master zones and secondary zones are now called slave zones.

The primary zone is the master record, and it is the one that gets changed by the administrator.

To keep things simple, only John can update the list. He has the master copy (the primary zone).

When he changes the list he needs to send a copy to Barry, who holds a copy (the secondary or slave zone).

In DNS these changes are copied to the secondary zones in a process called zone transfer.

Zone transfer is normally from primary to secondary, but it is requested by the DNS server responsible for the secondary zone.

In our illustration Barry would request an updated list from John.

However, primary servers can be configured to notify secondary servers of changes.

At its most basic a zone transfer is simply a file copy.

A DNS server hosting a primary zone is normally called a primary name server (master), and one hosting a secondary zone is a secondary name server (slave).

A DNS server can store and manage multiple zone files, and they can be a mixture of primary and secondary zones.

In our analogy John could have a copy of Team B's list in case Fred goes on holiday.

Therefore a DNS server can be both a primary and secondary name server.

Primary and secondary name servers are both considered as authoritative for a domain.
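The request-driven refresh and the optional notify described above, as an added example that is not part of the original article: a constructed primary and secondary where the secondary compares SOA serial numbers (RFC 1982 wrap-around arithmetic) and pulls a full copy only when the primary's serial is newer.

```python
"""Simulate the refresh check a secondary (slave) server makes before
copying a zone from the primary (master). Added example, not code from
the original article; the servers and zone data are constructed here.
The secondary fetches the primary's SOA, compares serial numbers with the
wrap-around arithmetic of RFC 1982, and pulls a full copy (AXFR) only
when the primary's serial is newer. A NOTIFY from the primary simply
triggers the same check ahead of the scheduled refresh interval."""
from dataclasses import dataclass, field

SERIAL_SPACE = 2 ** 32          # SOA serials are unsigned 32-bit numbers

def serial_gt(a, b):
    """True when serial a is 'after' serial b, allowing for wrap-around."""
    a, b = a % SERIAL_SPACE, b % SERIAL_SPACE
    half = SERIAL_SPACE // 2
    return (a < b and b - a > half) or (a > b and a - b < half)

@dataclass
class ZoneCopy:
    serial: int
    records: dict = field(default_factory=dict)

class Primary:
    """Holds the master copy; only the administrator edits it."""
    def __init__(self, zone):
        self.zone, self.secondaries = zone, []

    def update(self, name, rdata):
        self.zone.records[name] = rdata
        self.zone.serial += 1            # every edit must bump the serial
        for s in self.secondaries:       # NOTIFY the secondaries
            s.refresh(self)

    def soa_serial(self):
        return self.zone.serial          # answers the secondary's SOA query

    def axfr(self):
        return ZoneCopy(self.zone.serial, dict(self.zone.records))

class Secondary:
    """Holds a copy and decides for itself when to ask for a new one."""
    def __init__(self):
        self.zone, self.transfers = None, 0

    def refresh(self, primary):
        """Runs at the SOA refresh interval or on NOTIFY; True if copied."""
        if self.zone is not None and not serial_gt(primary.soa_serial(),
                                                   self.zone.serial):
            return False                 # already current: no transfer
        self.zone = primary.axfr()
        self.transfers += 1
        return True

def demo():
    """Walk through initial copy, a no-op refresh, then an edit + NOTIFY."""
    primary = Primary(ZoneCopy(2024010101, {"www": "192.0.2.20"}))
    secondary = Secondary()
    primary.secondaries.append(secondary)
    first = secondary.refresh(primary)    # no copy yet: full transfer
    again = secondary.refresh(primary)    # serials equal: nothing to do
    primary.update("mail", "192.0.2.10")  # edit on primary, NOTIFY -> copy
    return first, again, secondary.transfers, secondary.zone.records
```

A real secondary that forgets to bump the serial on the primary would never see the change; that is the failure the serial comparison makes visible.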

DNS Zones and Domains

The use of zones and zone files is what allows DNS to be a distributed and resilient system.

DNS zones provide a simple method of grouping domain data from multiple domains together for storage.

For domains to share a zone and hence a zone file the domains must be contiguous.

A domain administrator would be responsible for creating zones, and delegating responsibility for these zones to an administrator and DNS server.

To illustrate we will refer to the diagram below, which shows a section of the domain name system that has been divided into 3 zones.

[Diagram: dns-zones-illustration]

Note that you cannot create a zone that includes Domain 1 sub domain 1 and Domain 3, because they are not contiguous.

Zone File Storage

In our analogy the data is stored on a paper list and kept by the team manager.

A zone file is a text-based file with a format defined in RFC 1034 and RFC 1035, and is stored on a DNS server (name server).

Zone files contain the IP and name data, MX records and other service records.

They also contain glue data that connects them to the other DNS servers.

Referring to the diagram above, the DNS server responsible for Zone 1 will contain records that tell it:

  • Which DNS servers have data for Domain 2.
  • Which DNS servers have data for Domain 3 sub domain 1 (i.e. Zone 3).
  • The list of root servers (root hints).
  • The list of forwarding servers (if using forwarding).

The DNS server responsible for Domain 1 sub domains 1 and 2 (i.e. Zone 2) has no knowledge of who has data for Domain 3 sub domain 1 (i.e. Zone 3), and doesn't need any.

Zone File Structure and Record Contents

The DNS zone file consists of directives and resource records.

Directives begin with a $. There are three directives:

  • $TTL – the time to live value for the zone.
  • $ORIGIN – defines the base name used in domain name substitution.
  • $INCLUDE – includes another file.

The $TTL directive must appear at the top of the Zone File before the SOA record.

The SOA (start of authority) record must be present in a zone file, and defines the zone's global values, mainly to do with zone transfer.

[Diagram: dns-sone-entry-template]

An example record is shown below.

[Diagram: dns-sone-entry]

For more detail see this chapter from the Pro Bind and DNS book.

Zone Delegation

When the administrator of a domain decides to allocate responsibility for a child domain to someone else, e.g. sub domain 1 of domain 3, they delegate the zone.

This means that the zone file is stored on a different DNS server from the parent domain's. However, the parent domain keeps track of the location of the zone by creating glue records for the name servers responsible for the zone data.

We saw this with Bill needing to know who had the lists for Teams A, B and C.
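The zone file structure described under "Zone File Structure and Record Contents" and the delegation with glue records described above, as one added example that is not code from the original article: a constructed zone for example.com. with $TTL, $ORIGIN, an SOA, NS, MX and A records and a delegated child, and a small parser that applies $ORIGIN substitution and extracts the delegation glue.

```python
"""Parse a small BIND-style zone file (RFC 1035 text). Added example, not
from the original article: handles $TTL, $ORIGIN, '@', relative vs absolute
names, a per-record TTL and parenthesised multi-line records."""
import re

# Constructed sample zone: apex SOA/NS/MX/A records plus a delegation of
# sub.example.com. to a child name server, with the glue A record for it.
SAMPLE_ZONE = """\
$TTL 3600
$ORIGIN example.com.
@        IN SOA ns1.example.com. hostmaster.example.com. (
                 2024010101 7200 900 1209600 300 ) ; serial refresh retry expire minimum
@        IN NS  ns1
@        IN NS  ns2
@        IN MX  10 mail
ns1      IN A   192.0.2.1
ns2      IN A   192.0.2.2
mail 600 IN A   192.0.2.10
; delegation: the child zone lives on another server, so the parent
; holds only NS records for it plus glue giving that server's address
sub      IN NS  ns1.sub
ns1.sub  IN A   192.0.2.53
"""

def qualify(name, origin):
    """Expand '@' and relative names (no trailing dot) against $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Return a list of (owner, ttl, type, rdata) tuples."""
    text = "\n".join(re.sub(r";.*", "", ln) for ln in text.splitlines())
    # Fold a parenthesised multi-line record onto a single line.
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    records, origin, default_ttl, last_owner = [], None, None, None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens: continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1]); continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]; continue
        # A line starting with whitespace reuses the previous owner name.
        owner = last_owner if line[0].isspace() else qualify(tokens.pop(0), origin)
        ttl = int(tokens.pop(0)) if tokens[0].isdigit() else default_ttl
        if tokens[0] == "IN": tokens.pop(0)      # class is always IN here
        rtype = tokens.pop(0)
        if rtype in ("NS", "CNAME", "PTR"):     # rdata is a single name
            rdata = qualify(tokens[0], origin)
        elif rtype == "MX":                     # preference + name
            rdata = (int(tokens[0]), qualify(tokens[1], origin))
        elif rtype == "SOA":                    # mname rname + five integers
            rdata = (qualify(tokens[0], origin), qualify(tokens[1], origin),
                     *(int(t) for t in tokens[2:7]))
        else:                                   # A, AAAA, TXT ...: keep text
            rdata = " ".join(tokens)
        records.append((owner, ttl, rtype, rdata))
        last_owner = owner
    return records

def delegations(records, apex):
    """Map each delegated child zone to its name servers and their glue."""
    glue = {o: r for o, _, t, r in records if t in ("A", "AAAA")}
    out = {}
    for owner, _, rtype, rdata in records:
        if rtype == "NS" and owner != apex:
            out.setdefault(owner, {})[rdata] = glue.get(rdata)
    return out
```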

Caching and TTL

Caching is the process of temporarily storing data and is used frequently in networking, and on the Internet.

DNS servers and hosts cache DNS lookup data, which means that they may be able to resolve a lookup quickly if the answer is already stored in the cache.

In our example above when someone requested the phone number of Steve, Bill remembers that information for a short time in case someone else needs to know it.

The problem with caching data is what happens if the data changes, but the cache is still holding the old data?

To ensure that clients and servers don't hold on to old data for too long, DNS records have a TTL (time to live) value that tells the client/server how long it can keep the data in its cache.

Caching greatly reduces the load on the root DNS servers.

Reverse Mapping Zones

Reverse mapping zones provide the data for reverse lookups, i.e. IP address to name.

In our analogy we would use the phone number to find the name of the player.

Reverse mapping is not mandatory, but it is used frequently by applications such as email to prevent spamming.

Therefore without it some applications may not work correctly.

Reverse mapping uses the domains IN-ADDR.ARPA for IPv4 addresses and IP6.ARPA for IPv6 addresses.

Most DNS admin tools will automatically create the reverse mapping entry when you create the host entry.
For more details see chapter 3 of the Pro DNS and Bind book.
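How an address becomes an owner name under IN-ADDR.ARPA or IP6.ARPA, as an added example that is not from the original article; it also derives the reverse zone a whole network would occupy, which goes slightly beyond the text. The addresses and host names are constructed.

```python
"""Build reverse-mapping (PTR) owner names for IPv4 and IPv6 addresses.
Added example, not from the original article. IPv4 addresses map into
IN-ADDR.ARPA with the four octets reversed; IPv6 addresses map into
IP6.ARPA with all 32 hex nibbles reversed and dot-separated. It also
derives the reverse zone a network would be delegated, which the
article does not cover."""
import ipaddress

def reverse_name(address):
    """PTR owner name for one address (same result as ip.reverse_pointer)."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")      # uncompressed 32 hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def reverse_zone_for(network):
    """Reverse zone holding PTR records for a network; reverse zones cut on
    octet boundaries for IPv4 and nibble boundaries for IPv6."""
    net = ipaddress.ip_network(network)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones need a /8, /16 or /24")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(labels)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones need a multiple-of-4 prefix")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def ptr_record(address, hostname, ttl=3600):
    """Zone-file line an admin tool would add alongside the A/AAAA record."""
    return f"{reverse_name(address)} {ttl} IN PTR {hostname}"
```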


45 comments

  1. so a zone can be defined as the area/portion in the DNS namespace that the DNS server is responsible for?

    Very clear and succinct explanation!

    1. Correct and a Zone is associated with a zone file which is used to store that part of the namespace
      Rgds
      Steve

  2. Does the zone files stored in memory? I am confused, example from the Primary server I have those db files for different zones stored in my named path. I have read that the zones are stored in memory?

    1. It will certainly be cached in memory, and it would depend on the zone size how much would get cached, but I would imagine on most systems the entire zone.
      However, for the discussion on zone files this doesn't really matter; you just need to understand that that is the way the actual records are arranged.
      Rgds
      Steve

  3. Hi Steve,

    “Also Bill needs to know who has the team list for all of the teams below him, but John only needs to know the phone number for the Top of the Tree, which in this case is Bill as we have only two levels, but it doesn’t have to be.”

    Please explain the text between quotes above mentioned in your site

    Regards,
    Swaminathan Shanmugam

      1. Hello,

        I am seeing you have answered already for the same question posted by “ABHISHEK KALIYATH says:
        June 1, 2020 at 1:46 pm”

        with the below text
        “Regarding john traversing back. John will need to find information for other players in other teams and he will use Bill to do this.”

        But I am seeing that there is a text “you traverse the tree from top to bottom and not from bottom
        to top”.
        What does this mean…..

        Regards,
        Swaminathan Shanmugam

        1. It means you start at the . level and go down. rather than starting at your current level and going up a level.
          So you go from your current level straight to the top and then come down.
          Does that make sense?
          Rgds
          Steve

          1. Hi Steve ,

            I understand from your reply that if any request comes to any level (John) looking for the information in another level, if John knows he will provide the information else it will be routed to the root level (Bill), even if many levels are between John and Bill to follow the DNS search order from top to bottom .
            Correct me if I am wrong.

            Thanks,
            Regards,
            Swaminathan Shanmugam

          2. Thanks for your explanation and it is understood clearly

            Regards,

            Swaminathan Shanmugam

  4. HI,

    There is an error in your WordPress configuration and website is showing error. Please fix.

    Thanks

  5. Hi Steve, I am using dns.zone python library. I don't understand why I enter the next register:
    @ IN A 2.8.7.6
    If I enter again it creates the register in the file zone and it contains two entrances with @ IN A 2.8.7.6

    But when I read the file dns file zone with the library it does not contain that

    {"test.local.net.": {"serial": "2021032572", "filename": "/opt/dns_zone_files/test-local-net-api", "NS": ["127.0.0.1.test.local.net."], "1.34.3.9": ["test@2.test.local.net."], "2.4.35.0": ["apiservices-test.test.local.net."], "2.8.7.6": ["home.test.local.net."]}

  6. As files are also logical, a better way to put first sentence might be, DNS system has domains divided logically/abstraction-wise and divided into domains when it comes to storage-wise with different possible combinations of mappings between both these divisions.

  7. Hi Steve,

    Lucky to find your site while i was searching out for DNS information and explanation in depth.
    thanks a lot .

    Regard,
    Vivek

  8. Hello Steve;
    Thanks, excellent information about DNS ZOnes
    Question:
    For Domain MyDomain.com is it possible to have two Zone Files located on two different DNS Servers? Example, one Zone File in a DNS Server at Michigan and another one in a DNS Server at London? Thanks in advance.

  9. So if someone wants to find the phone number of Steve on team A they contact Bill who contacts the manager of Team A (John) using the phone number returned by Bill and John tells them.
    A bit confused with this long sentence – is this correct interpretation? -> So if someone wants to find the phone number of Steve on team A, they first contact Bill and then contacts the manager of Team A (John) using the phone number returned by Bill and John tells them.

    Also regarding – “but John only needs to know the phone number for the Top of the Tree” – why does John need to know this because he never traverses back – right? Only someone contacts John.

    1. Hi
      That should be:
      So if someone wants to find the phone number of Steve on team A they contact Bill who returns the phone number of the manager of Team A (John). They then contact John for the phone number of Steve. As shown in the diagram below:

      Regarding john traversing back. John will need to find information for other players in other teams and he will use Bill to do this.
      A final point there are two methods used in DNS one is where the local name server (manager) contacts the central server and the central server follows the trail and returns the address. This method would impose a lot of strain on the central (root) servers and isn’t used.
      The other is the local server contacts the central server and the central server return the address of the next name server in the list etc.
      In this case bill would return the phone number of John and then the next query would be to John to retrieve the phone number of steve.

      1. Thanks for clarifying – Had couple more questions.

        1. Is it a 1 to 1 mapping between zone file and domain name ? i.e. does each domain have its own zone file.
        2. In a single Name Server, will there be multiple zone files i.e. will a single Name server represent multiple domains?
        3. A single zone file (which is a .txt file) will have DNS records such as A, NS, MX records etc. for a domain – correct?
        4. Does an ‘Authoritative Name Server’ respond (to a recursive resolver) with all DNS records for a domain or responds with only the ‘A’ record for the requested domain?
        5. When does a Recursive resolver cache information ?
        6. Which DNS records are cached by Recursive resolver? – all domain records?
        7. Why are NS records for a domain duplicated in its zone file ? – I read many articles but could not get my head round this one. Some posts say caching, some say consistency check etc. Could you give an analogy specifically on what happens if NS records are “NOT” present on a ‘Authoritative Name Server’?

        1. 1. No, a zone file can contain multiple domains
          2. Maybe, depends on design
          3. Yes
          4. Only the requested information is returned, not the entire zone file
          5. I believe caching can be restricted but probably implementation dependent.
          6. As 4
          7. Not sure what you mean regarding duplicates

          1. Hi Steve, regarding no. 7, my question has been asked in many forums but could not get a conclusive answer. Question – Why does an authoritative Name Server require NS record for a domain? The delegating Name Server definitely needs it to inform the resolver but why duplicate the same information / NS record in an authoritative server. Some posts say that this is how a master authoritative Nameserver knows about other (slave) authoritative Nameservers – I get this part. But some other posts mention about “caching” behavior of recursive resolvers based on an “authoritative response” i.e. a resolver caches only authoritative responses and only authoritative NS record for a domain get cached (not the delegating NS record) – can you elaborate the caching behavior in resolvers i.e. how caching works when it receives authoritative and non-authoritative responses?

          2. Sorry but I’ve never investigated it. The only authoritative NS record for a domain get cached (not the delegating NS record) statement makes sense but I’m afraid I can’t verify it.
            Rgds
            Steve

  10. Hello Steve,

    Thank you very much for the excellent article about DNS with the analogy in explaining the components of DNS.

    Luckily I got your article when I was searching for the explanation …….

    Please keep going ………

    Regards,

    Swaminathan Shanmugam

  11. I wanna talk wrt browser point of view.

    Suppose I bought a domain say xyz.com from Godaddy.
    Bydefault godaddy will assign default name servers say – ns1.domaincontrol.com ns2.domaincontrol.com

    Now suppose i changed them to custom nameservers from cloudflare – rachael.cloudflare.com monk.cloudflare.com

    Now browser will try to ask the cloudflare name servers about the IP address and get the server IP that was mapped to xyz.com.

    but how did the browser reach to the NS of cloudflare in first place ? Where did the browser go exactly to find out that the domain has cloudflare name servers. Who is responsible for maintaining the NS records of a domain. Where ?

    1. Hi
      DNS works from the top down, so if a client doesn't already know the IP address it goes straight to a root name server, which knows the IP addresses of all servers that have a copy of the .com domain space. Any one of these can resolve the query.

  12. Hi bro, I am really fond of writings on your site. They are organized cleanly, easy to read and remember, in spite of English being my 3rd language. All the best.

  13. Hi Steve,

    It is really great work, thanks a lot! I really like the way you explain things. In many other sources, they seem to give explanations in such an abstract way that your different and very pedagogical way of teaching things is so refreshing – and efficient.

    I arrived here through my research to better understand the distinction between “domain” and “domain name”. I found the original definition of “domain” here https://tools.ietf.org/html/rfc920, but since you seem to know so much in this domain of expertise, I wondered if you’d know a better explanation, with examples, of what the exact difference between a domain and a domain name, is. I guess the purpose of the DNS is closely connected to this question, which I don’t understand either. For example, with such powerful computers today, I don’t get why the decentralised DNS is so useful. Would it really be difficult to store copies of all zone-related information on many places?

    Anyway, whatever time or will (or absence thereof) you have to answer my request, I am deeply thankful for the great contents of your website. Sorry for the English errors I might make.

    Best regards,

    Phil

    1. Hi
      Tks for the nice comment.
      A domain is an area of administration you can think of like a city or country and the domain name is the name of that area of administration like London or England.

      You could store local copies of zone data on many computers but then you have the overhead of keeping them synchronised and the network overhead involved.
      However you do get local copies stored as your computer and “local” DNS servers on the Internet have a cache which is a local copy of recently resolved domain names.
      Hope that make sense
      Rgds
      Steve

      1. Thanks a lot for the help! I hope you create a lot of content, you are very clear, and most websites lack this good pedagogy.

      2. This article helps a lot. THANKS!
        One question: If the zone file(s) is stored on the DNS Server (Name Server), does one need a web hosting account on that web host to be able to edit the zone files – even though you’ve purchased the domain name from the same company?

        1. There is very little that you can do with a domain name that you have purchased .
          You are not able to edit the zone files directly.
          You can make changes like adding sub domains and email exchange records via a web interface provided by hosting/domain provider. Exactly what you can do is determined by your provider.
          rgds
          steve

  14. Hi Steve,

    It was a great explanation and analogy made to understand the concept in a simple way.
    I have a quick question, relating to the analogy.
    When Bill gets a request from a client, how does he knows that it has to be sent to John, Fred or Jane?
    Does the request will be sent to all the managers and they respond only if they have a team member?

    Thanks,
    Rithin

    1. He knows who to send it to as the request is for Jim in TeamA and he knows who manages TeamA and so he sends it to them.
      Does that make sense?
      Rgds
      Steve

  15. Best explanation on the topic that I’ve seen, and I’ve seen a lot.
    Just one silly suggestion: change the names of the team managers to Alice, Bob and Charlie. Barry should be the backup of team B and Bill should be named Ron for root.

  16. Hi Steve,
    I have read that there are 13 root servers in the world. So, my question is: do all the root servers have a separate copy of domain names or do they share data between them? Like, suppose I want to add a ‘top level domain’, so do I have to change it in all root servers or will I make the change in one root server and the other root servers get updated automatically?

    1. The way DNS works is that one server will hold the master and the others will hold slave copies. The master will be updated and will in turn update the slaves.(master=primary and slave= secondary zones).

  17. Hi Steve, so am I correct in saying that a primary zone is restricted to one dns server, but each server can have up to 255 secondary zones? And secondary zones are basically backups of said primary zones. Thanks Steve. 😉

    1. A zone can have only one primary and yes secondary zones are backups but a dns client doesn’t know the difference between a primary and secondary.
      A DNS server can host multiple primary zones and multiple secondary zones.

      Does that make sense?
      rgds
      steve
