Dns

40 cards — 🟢 8 easy | 🟡 10 medium | 🔴 7 hard

🟢 Easy (8)

1. What happens when a client queries for an A record vs an AAAA record for the same hostname?

An A record returns an IPv4 address (e.g., 10.0.1.50), while an AAAA record returns an IPv6 address (e.g., 2001:db8::1). Both can exist for the same hostname, and the client's network stack or application decides which to use (dual-stack).

2. What happens when you create a CNAME record at the zone apex (e.g., example.com)?

It violates the DNS RFC and is illegal. A CNAME at the zone apex conflicts with the mandatory SOA and NS records that must also exist there. Use ALIAS, ANAME, or A records instead if your DNS provider supports them.

3. What happens when a recursive resolver receives a query for a domain it has never seen before?

It walks the DNS hierarchy: first querying root servers (.) to find the TLD servers, then the TLD servers (e.g., .com) to find the authoritative nameservers, then the authoritative server for the final answer. Each response is cached per its TTL.

4. What happens when you send email to a domain that has no MX record?

The sending mail server falls back to the domain's A record as the delivery target (per RFC 5321). However, many modern mail systems treat missing MX records as suspicious, and email delivery may be unreliable or rejected by spam filters.

5. What happens when a mail server receives email from an IP address that has no PTR record?

Many receiving mail servers perform a reverse DNS lookup to verify the sender. A missing PTR record causes this check to fail, which often results in the email being rejected or marked as spam. PTR records are also used by SSH host verification and logging systems.

6. What role do root nameservers play in DNS resolution?

Root nameservers are the starting point for recursive resolution. They do not know individual domain answers but direct resolvers to the correct TLD nameserver (e.g., .com, .org). Their IP addresses are bootstrap data built into resolver software.

7. What is the difference between an A record and an AAAA record?

An A record maps a hostname to an IPv4 address. An AAAA record maps a hostname to an IPv6 address. Both can coexist for the same hostname (dual-stack).

Name origin: AAAA is called 'quad-A' because an IPv6 address is 4x the size of IPv4 (128 bits vs 32 bits).

Remember: A = Address (IPv4). AAAA = quad-A (IPv6). CNAME = Canonical Name (alias). MX = Mail Exchange. NS = Name Server. PTR = Pointer (reverse DNS).

8. What does an NS record specify?

An NS record declares which nameservers are authoritative for a DNS zone. For example, example.com NS ns1.provider.com delegates authority for example.com to that nameserver.

Remember: NS = Name Server. Every zone must have at least 2 NS records for redundancy. The parent zone (e.g., .com) holds the delegation NS records.

Gotcha: NS records at the zone apex and the parent zone must match. Mismatches cause 'lame delegation' — queries fail because the parent points to the wrong server.

🟡 Medium (10)

1. What happens if you change a DNS record's IP address while the TTL is set to 86400 seconds?

Some clients and resolvers will continue using the old cached IP for up to 24 hours. The correct strategy is to lower the TTL to 60 seconds at least 48 hours before a planned migration, keep it low during the change, then raise it back to the normal value once the new IP is verified.

2. What happens when you edit a BIND zone file but forget to increment the SOA serial number?

Secondary (slave) nameservers compare the serial to their cached copy. If the serial has not increased, they assume nothing changed and do not transfer the updated zone. The change only takes effect on the primary server, causing inconsistent DNS responses depending on which server a client queries.

3. What happens when an internal client resolves a hostname in a split-horizon DNS setup but is connected from an unexpected network?

Split-horizon DNS uses BIND views with match-clients rules to serve different zone files based on the source IP. If a client connects from a network not matching the internal view (e.g., VPN misconfiguration), it falls through to the external view and receives the public IP instead of the private one, making internal services unreachable.

4. What happens when you run "dig +trace" against a domain compared to a normal dig query?

A normal dig query asks your configured recursive resolver and returns the final answer. "dig +trace" bypasses the recursive resolver and performs iterative resolution from the root servers down, showing each delegation step. This reveals where in the chain a resolution problem occurs.

5. What happens when a DNS server is configured with "allow-transfer { any; }" instead of restricting zone transfers?

Anyone on the internet can perform an AXFR query and download the entire zone file, exposing all hostnames, IP addresses, and internal network topology. Zone transfers should be restricted to secondary nameserver IPs only (e.g., allow-transfer { 10.0.1.11; }).

6. What is negative caching in DNS and why does it cause problems?

Resolvers cache "does not exist" (NXDOMAIN) answers. If a record is queried before it is created, the NXDOMAIN may be cached, making the new record invisible to that resolver until the negative cache TTL expires.

Gotcha: the negative cache TTL comes from the SOA record's minimum field (last number in the SOA). Lower this before creating records that might be queried prematurely.

Debug clue: if a newly created record does not resolve, wait for the SOA minimum TTL to expire, or flush the resolver cache.

7. Name three ways a recursive resolver can give misleading answers.

Resolvers may: synthesize answers (e.g., redirect NXDOMAIN to a search page), block domains (filtering/censorship), or behave differently due to local policy (ISP-specific overrides). Comparing results from multiple resolvers reveals discrepancies.

8. What does dig +trace do and when should you use it?

It performs iterative resolution from root servers down, showing each delegation step. Use it to find where in the DNS chain a resolution problem occurs, bypassing your configured recursive resolver.

Example: dig +trace example.com shows: root -> .com TLD -> example.com authoritative. If delegation fails at the TLD level, you know NS records are wrong at the registrar.

Remember: dig +trace bypasses your local resolver. dig +short uses your resolver. Compare both to isolate whether the issue is caching or authoritative.

9. What are glue records and when are they needed?

Glue records are A/AAAA records for nameservers included in the parent zone's delegation. They are needed when the authoritative nameserver's hostname is inside the zone it serves (e.g., ns1.example.com serving example.com), to break the circular dependency.

10. When does DNS use TCP instead of UDP?

DNS uses TCP for: large responses that exceed the UDP limit (~512 bytes without EDNS), truncated responses (TC flag set), zone transfers (AXFR/IXFR), and newer encrypted transports like DNS-over-TLS.

Gotcha: firewalls that block TCP port 53 can break DNSSEC (large responses) and zone transfers. Always allow both TCP and UDP on port 53.

Fun fact: EDNS (Extension mechanisms for DNS, RFC 6891) increased the UDP payload size to 4096 bytes, reducing the need for TCP fallback.

🔴 Hard (7)

1. What happens when a Kubernetes pod with the default ndots:5 setting tries to resolve "api.github.com"?

Because "api.github.com" has fewer than 5 dots, the resolver first appends each search domain suffix (e.g., api.github.com.default.svc.cluster.local, api.github.com.svc.cluster.local, api.github.com.cluster.local) before trying the absolute name. This generates 4+ failed queries before the real lookup succeeds, adding latency. Override with dnsConfig for pods making many external calls.

2. What happens when CoreDNS in a Kubernetes cluster receives a query for a service name with no namespace qualifier?

CoreDNS appends the pod's namespace from the search domain in /etc/resolv.conf. So a query for "my-service" from a pod in the "default" namespace resolves to my-service.default.svc.cluster.local. If the service exists in a different namespace, the lookup fails with NXDOMAIN unless the full name (my-service.other-ns) is used.

3. What happens when a DNSSEC-validating resolver receives a DNS response with an invalid signature?

The resolver rejects the response entirely and returns a SERVFAIL to the client, even if the underlying data is correct. This is by design — DNSSEC prioritizes authenticity over availability. A misconfigured DNSSEC zone (expired signatures, wrong keys) causes total resolution failure for validating resolvers, while non-validating resolvers continue to work.

4. What happens when a client queries an SRV record and receives multiple entries with different priorities and weights?

The client must first group entries by priority (lower number = higher priority) and attempt the lowest priority group first. Within the same priority group, entries are selected randomly proportional to their weight values. This enables both failover (via priority) and load distribution (via weight) at the DNS level.

5. What happens when /etc/resolv.conf has "search example.com" and a user queries for a short name like "app"?

The resolver first tries "app.example.com" (appending the search domain) before trying "app" as an absolute name. If an internal service named "app.example.com" exists, it resolves silently. This becomes dangerous when internal and external names collide — a query intended for an external service may resolve to an internal IP or vice versa, causing subtle routing or security issues.

6. Why is changing authoritative nameservers riskier than changing individual records?

Changing nameservers modifies the parent zone's NS delegation. This involves more moving parts: parent zone TTL, old NS still serving stale data, multiple cache layers. An A record change stays within one authoritative service.

7. Why can dig and an application resolve the same hostname differently?

Applications use getaddrinfo(), which applies hosts file entries, NSS rules, search domains, local caching, and IPv4/IPv6 policy. dig bypasses all of this and queries DNS directly. The two can give different answers.