This article aims to explain what various DNS records are and how to use them. It is aimed at people hosting websites and email servers on a home server such as a raspberry pi.
How DNS Works
DNS stands for Domain Name System. In a nutshell, it's the system that we use to translate human readable domain names (e.g. samhobbs.co.uk) into the Internet Protocol (IP) addresses for those services (e.g. 195.166.151.235). The DNS system has a strict hierarchy, and lookups are performed recursively using a client/server model. This means that when your computer asks for the IP address for "subdomain.example.com", the DNS resolver you are using starts at the top and works backwards to find the address. The servers at the top of the pyramid (root name servers) direct clients to the name servers reponsibe for Top Level Domains (TLD, e.g. .com), and that server in turn is able to tell the client which name server is authoritative for the second level domain (e.g. example.com), and so on. Usually for small sites, the DNS records for your domain are managed by your Domain Name Registrar. The DNS resolver doesn't have to perform all these lookups every time, because each record has a Time To Live (TTL) in seconds, which tells the client how long they can cache the information for until it should be refreshed. That's Time To Live (live free), not Live (live electrical circuit), which is how I first read it! There are loads of different types of DNS record, so I've picked the most important ones you might need or want to use. These are:
- DNS A - used to map a host name to an IP address
- Mail Exchanger (MX) - used to tell clients which hostnames are used for email services
- Sender Policy Framework (SPF) - used to define which servers are allowed to send email from your domain name
- Pointer (PTR) - the opposite of DNS A, this record maps an IP address to the hostname
For a website, you only need a DNS A record. For an email server, you need at least a DNS A record and an MX record; PTR and SPF records will help you get your email through spam filters. I'll be illustrating how to set up the different types of record using Namecheap, my Domain Name Registrar, as an example. If you haven't registered a domain name yet, I'd recommend Namecheap -avoid GoDaddy if you can, since they have some pretty horrible pricing practices and consistently back the wrong side when it comes to internet censorship acts like SOPA and PIPA.
DNS A
This record is the most basic type. It maps a domain name to an IP address. Most home internet connections have IP addresses that are dynamically allocated from a pool controlled by your Internet Service Provider (ISP). This means that your Wide Area Network (WAN) IP address can change periodically, or when you power cycle your router. To get around this you can use dynamic dns to update your DNS records when your IP address changes. If you can get one, you should use a static IP address because it cuts out this additional layer of complexity. A DNS A record is really simple. This is what it looks like in the Namecheap control panel: The image above actually shows two separate records, one for my root domain name (that's the @, which you can read as "no subdomain"), and another for my domain name preceded by www.. The IP address is my static WAN IP, and I chose a high value for the TTL of 60000 seconds (over 16.5 hours) because it never changes, so it's helpful to allow DNS resolvers to cache the data for as long as possible. If you have a dynamic IP address you should choose a much lower value like 1800s. If you want to do a DNS lookup yourself from the terminal, you can install a utility called dig:
sudo apt-get update sudo apt-get install dnsutils
DNS A records can be looked up using this command:
dig samhobbs.co.uk
You should get output like this:
; <<>> DiG 9.9.5-4.3ubuntu0.1-Ubuntu <<>> samhobbs.co.uk ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48863 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;samhobbs.co.uk. IN A ;; ANSWER SECTION: samhobbs.co.uk. 45464 IN A 195.166.151.235 ;; Query time: 3 msec ;; SERVER: 127.0.1.1#53(127.0.1.1) ;; WHEN: Sun Feb 01 14:39:41 GMT 2015 ;; MSG SIZE rcvd: 59
You can see in the answer section the IP address and the remaining number of seconds the information is valid for, as determined by the TTL. If you do a second lookup, you should see this number decrease.
Mail Exchanger (MX)
The MX record specifies the hostnames that are available to receive email for your domain. Since a domain can have more than one SMTP server, this is a prioritised list, where each domain name is given a number. The lower the number is, the higher the priority. The image below shows my MX settings: These settings are probably more complicated than yours will be - a basic MX record will have just one entry pointing to the hostname of your email server (ususally yourdomain.com or mail.yourdomain.com). You can see from the settings that I have two servers that can receive mail for my domain: samhobbs.co.uk and backup.samhobbs.co.uk (which is a different physical server in a different location, with a separate internet connection). When a client wants to know where to send an email addressed to foo@samhobbs.co.uk
, they look up the MX record, which tells them to try samhobbs.co.uk first and backup.samhobbs.co.uk if that fails (backup has a higher number = lower priority). They then look up the DNS A record for the hostname to get the IP address, and then make a connection and perform the transaction. My backup server is actually an MX backup - if my main server is unavailable, it accepts email from other servers addressed to my domain and forwards it on to the primary server when it is back online. In addition to performing MX backup services for my main server, the backup server accepts email sent to it directly (foo@backup.samhobbs.co.uk) which is what the third record is for. To look up MX records, use this command:
dig samhobbs.co.uk MX
The output should look like this:
; <<>> DiG 9.9.5-4.3ubuntu0.1-Ubuntu <<>> samhobbs.co.uk MX ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35900 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;samhobbs.co.uk. IN MX ;; ANSWER SECTION: samhobbs.co.uk. 60000 IN MX 10 samhobbs.co.uk. samhobbs.co.uk. 1800 IN MX 20 backup.samhobbs.co.uk. ;; Query time: 208 msec ;; SERVER: 127.0.1.1#53(127.0.1.1) ;; WHEN: Sun Feb 01 15:16:01 GMT 2015 ;; MSG SIZE rcvd: 82
The MX record for backup.samhobbs.co.uk is separate (dig backup.samhobbs.co.uk
):
; <<>> DiG 9.9.5-4.3ubuntu0.1-Ubuntu <<>> backup.samhobbs.co.uk MX ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33203 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;backup.samhobbs.co.uk. IN MX ;; ANSWER SECTION: backup.samhobbs.co.uk. 1800 IN MX 10 backup.samhobbs.co.uk. ;; Query time: 218 msec ;; SERVER: 127.0.1.1#53(127.0.1.1) ;; WHEN: Sun Feb 01 15:33:26 GMT 2015 ;; MSG SIZE rcvd: 66
Sender Policy Framework (SPF)
The SPF record is used to tell other servers which IP addresses and hostnames are allowed to send email from your domain name. Some services such as gmail look for either a PTR record or an SPF record and flag email as spam if neither of these is found, so it's quite important to define one for your domain. The record itself is defined as a TXT record: The important part of the record is:
v=spf1 mx a ~all
The first part v=spf1
says that this record is SPF version 1. The middle of the record mx a
says that servers should accept email from servers with a matching MX record or DNS record. The end part ~all
defines what to do with sources that haven't matched one of the earlier statements, the tilde (~
) means soft fail. This lets the recipient server decide what to do with the message, normally this means it will be accepted but flagged as spam. A minus (-
) means the recipient server should reject the message, but most services don't implement this so it's a bit pointless. Note that earlier versions allowed you to specify "PTR" as a match in the middle part, but this is default behaviour now and the option is depreciated. If you want to do a DNS lookup for a SPF record, you can use this command:
dig samhobbs.co.uk txt
The output should look like this:
; <<>> DiG 9.9.5-4.3ubuntu0.1-Ubuntu <<>> samhobbs.co.uk txt ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61893 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;samhobbs.co.uk. IN TXT ;; ANSWER SECTION: samhobbs.co.uk. 1800 IN TXT "v=spf1 mx a ~all" ;; Query time: 170 msec ;; SERVER: 127.0.1.1#53(127.0.1.1) ;; WHEN: Sun Feb 01 15:49:41 GMT 2015 ;; MSG SIZE rcvd: 153
Pointer (PTR)
A pointer record is the opposite of a DNS A record: it maps an IP address to a hostname. If you can set one of these, it pretty much guarantees that you won't have any problems with your email being marked as spam. Unlike the other DNS records, you can't change this record with your DNS provider. For this one, you're at the mercy of your ISP, and since it changes the information associated with an IP address you will only be able to do this if you have a static IP address. Many ISPs won't let you change your PTR record. Luckily, my ISP (Plusnet) is one of the good ones, and they changed it to samhobbs.co.uk
without a charge :) To look up a PTR record you can use this command along with the IP address you got from the DNS A lookup:
dig -x 195.166.151.235
The output should look something like this:
; <<>> DiG 9.9.5-4.3ubuntu0.1-Ubuntu <<>> -x 195.166.151.235 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44108 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;235.151.166.195.in-addr.arpa. IN PTR ;; ANSWER SECTION: 235.151.166.195.in-addr.arpa. 43200 IN PTR samhobbs.co.uk. ;; Query time: 37 msec ;; SERVER: 127.0.1.1#53(127.0.1.1) ;; WHEN: Sun Feb 01 16:07:32 GMT 2015 ;; MSG SIZE rcvd: 85
That's it! Those four records are everything you should need to get your website and email server running properly. If you have any problems, let me know!
Comments
If for the moment everything
If for the moment everything ok, it was the damn white spaces.
On some servers my email ends up in the trash bin but I think that's because I do not have (PTR), I have to talk to my isp.
Create and install a Cacert certificate and I have it working correctly (I think)
And now to continue with Squirrelmail and the following, I hope I do not have many problems.
Thanks for the help.
I just found this in /var/log
I just found this in /var/log/mail.log
Sep 23 00:37:45 SRV001 postfix/smtpd[5452]: fatal: invalid "-o smtpd_recipient_restrictions" option value: missing '=' after attribute name
Sep 23 00:37:46 SRV001 postfix/master[746]: warning: process /usr/lib/postfix/sbin/smtpd pid 5452 exit status 1
Sep 23 00:37:46 SRV001 postfix/master[746]: warning: /usr/lib/postfix/sbin/smtpd: bad command startup -- throttling
but in /etc/postfix/main.cf is ok, not?
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination
CNAME DNS entry
Hello Sam,
Thanks a lot for your tutorials. I had to adapt a bit for Duster because some things have changed in the meantime, but I eventually got it to work and the idea of owning one’s data feels great. :)
I was wondering if there is any specific reason to setup two A Records instead of a CNAME for www that would point to @.
That’s about it; ’whish you a great day!
Add new comment