Recently I was doing a bit of promotional work for my blog by participating in some IT-related forums. I was going through the posts, as you do, when an interesting question came up. The poster was reading up on DNS zones, what their purpose is and how they work, and was having trouble understanding the following paragraph in a study book he was reading:
A DNS zone contains all the domain names the domain with the same domain name contains, except for domain names in delegated subdomains. For example, the top-level domain ca (for Canada) has subdomains called ab.ca, on.ca, and qc.ca, for the provinces Alberta, Ontario, and Quebec. Authority for the ab.ca, on.ca, and qc.ca domains may be delegated to nameservers in each province. The domain ca contains all the data in ca plus all the data in ab.ca, on.ca, and qc.ca. However, the zone ca contains only the data in ca (see Figure 2-10), which is probably mostly pointers to the delegated subdomains. ab.ca, on.ca, and qc.ca are separate zones from the ca
Can you understand that?? No wonder he was having trouble; talk about overcomplicating things! Anyway, I explained how it all works, but it got me thinking… I remembered when I first started out learning networking technologies back in the day. I was reading up on the more advanced DNS topics and DNS zones just blew me away. I looked everywhere for a better explanation but couldn’t find one. It took lots of research across several different sites before I finally understood it and put everything together. Everywhere I read about DNS zones I came across paragraphs similar to the one above. You would think that after all these years there would be better articles explaining how it works? Not so, which is what prompted me to write this.
What Are DNS Zones
A DNS zone is a portion of the DNS namespace that has been delegated to other servers/administrators. It is quite hard to explain without examples, so I’ll jump straight in with one. Look at the following diagram.
I have a DNS domain (and zone) name called DNS-Zones.com.
This domain is hosted on my DNS server called serverA.DNS-Zones.com.
My company is massive like Microsoft and I have offices all over the world.
I create a subdomain for my UK branch called Uk.DNS-Zones.com and I create it on the same serverA.DNS-Zones.com DNS server.
Now imagine this Uk.DNS-Zones.com DNS namespace being further split up into cities like London.uk.DNS-Zones.com.
Can you imagine how many subdomains, DNS A records, etc. must be stored on this one server? This DNS server would contain every record for my entire worldwide organisation and would most likely kill the server.
In the above example we have one top-level domain name, DNS-Zones.com, and then 2 subdomains. These ARE ALL ONE DNS ZONE. Think of a zone as a database, or part of one. So all these domains are stored in one zone on one server.
The problem is that it is too much for one server and too much for the admin team to manage this entire “zone”. So it is split up…using zones as follows.
ServerA still hosts the zone for DNS-Zones.com; this server is in the USA.
Now we create a new zone called uk.DNS-Zones.com, but we create it on the UK DNS server, UkserverA.uk.DNS-Zones.com.
ServerA.DNS-Zones.com is configured to refer all queries for the uk.DNS-Zones.com domain to UkserverA.uk.DNS-Zones.com.
The key differences here are:
- ServerA DOES NOT contain any records at all for the uk.DNS-Zones.com domain name or its city subdomains. It only contains a pointer to UkserverA that redirects uk.DNS-Zones.com queries there. This means the entire DNS namespace can be split up across an organisation.
- Splitting the namespace like this removes unnecessary bandwidth and queries. If the whole namespace lived in the US, the UK would have to query the US servers even for UK names. Moving the UK subdomain into a zone on a UK server keeps those queries local.
- Once a zone is created you can set permissions on it and delegate control of it to different staff. If we wanted 3 domains to be administered by 3 different teams, they would need to be in different zones.
Don’t confuse DNS Zones with DNS Domains
One last thing I thought I’d point out… don’t equate a zone with a domain. A DNS zone can contain multiple domains or just one; the important thing to remember is that it is used for delegating control of portions of the namespace. Different zones can also live on the same server, so again some examples will help.
This time we have 3 departments/domains in a UK office, called dep1.Uk.com, dep2, etc…
As these domains are in the same company AND location there is no need to distribute the namespace TO DIFFERENT SERVERS; that would be overkill. But what I do want is to allow each department control of its own domain. If I had one zone containing all three domains I could not achieve this, so instead we create 3 zones for the 3 domains BUT KEEP THEM ON THE SAME SERVER.
A lot of people get confused, thinking that zones are used to “physically” move the data of domains to different servers (to distribute the load on servers and bandwidth). Although this is possible, it is not what zones were designed for, and it is VERY IMPORTANT to remember this distinction. DNS zones are used to delegate administrative rights to different parts of the namespace; it is a security feature, which is different from simply moving or storing portions of the namespace somewhere else. Zones are security boundaries.
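To make both examples concrete (the delegated uk.DNS-Zones.com zone above, and the three department zones sharing one server), here is a small Python model I added; it is not code from the original post or from any DNS server software. It shows that a name is answered by the most specific zone whose apex is a suffix of it, that the parent zone keeps only an NS pointer for a delegated child, that several zones can sit on one server, and that each zone can only be written by its own team. The server names, team names and 192.0.2.x addresses are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Zone:
    name: str          # zone apex, e.g. "uk.dns-zones.com"
    server: str        # server that hosts this zone's data
    admin_team: str    # team allowed to edit it: the zone is the security boundary
    records: dict = field(default_factory=dict)  # owner name -> [(type, value)]

def _norm(name):
    return name.lower().rstrip(".")

class Namespace:
    def __init__(self, zones):
        self.zones = {_norm(z.name): z for z in zones}   # apex -> Zone

    def zone_for(self, name):
        """Most specific zone whose apex is a suffix of `name`; a delegated
        child zone therefore wins over its parent (delegation cuts the tree)."""
        labels = _norm(name).split(".")
        for i in range(len(labels)):
            apex = ".".join(labels[i:])
            if apex in self.zones:
                return self.zones[apex]
        raise LookupError(f"no zone is authoritative for {name}")

    def lookup(self, name):
        """Return (zone apex, server, records) that answer for `name`."""
        zone = self.zone_for(name)
        return zone.name, zone.server, zone.records.get(_norm(name), [])

    def add_record(self, team, name, rtype, value):
        """Only the owning team may write into a zone; the parent zone's team
        cannot write a name that falls inside a delegated child zone."""
        zone = self.zone_for(name)
        if zone.admin_team != team:
            raise PermissionError(f"{team} may not edit zone {zone.name}")
        zone.records.setdefault(_norm(name), []).append((rtype, value))

def build_example():
    # Constructed data mirroring the post's diagrams: the parent zone holds ONLY
    # an NS pointer for the delegated UK subdomain; london is NOT delegated, so it
    # lives in the uk zone; the department zones share ONE server but have own teams.
    parent = Zone("dns-zones.com", "serverA.dns-zones.com", "us-team",
                  {"uk.dns-zones.com": [("NS", "ukserverA.uk.dns-zones.com")]})
    uk = Zone("uk.dns-zones.com", "ukserverA.uk.dns-zones.com", "uk-team",
              {"www.london.uk.dns-zones.com": [("A", "192.0.2.10")]})
    deps = [Zone(f"{d}.uk.com", "ukserverB.uk.com", f"{d}-team")
            for d in ("dep1", "dep2", "dep3")]
    return Namespace([parent, uk] + deps)
```

Note that `lookup("www.dns-zones.com")` lands in the parent zone while `lookup("www.london.uk.dns-zones.com")` lands in the UK zone, even though both are under the same domain.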