Introduction to DNS and MX records

 
By Stephen Alford, MCT, MCSE+Security, CCNA/DA, ASE

Technical Editor, Computer Security News

One of the major components that helps an e-mail message reach its intended recipient is a Mail Exchanger DNS record -- better known as an MX record. This tutorial explains what MX records are and how they work. It then describes how to create an MX record and Host record on your own DNS server.

Before I get into how an MX record works, you need to understand some DNS basics.

Computers are designed to work primarily with numbers. Human beings, on the other hand, tend to have an easier time understanding words. For example, if you wanted to visit my Web site, would you rather type www.brienposey.com or 24.235.10.4?

If you are like most people, it's a whole lot easier to remember a URL than an IP address. The problem is that if you enter a URL into your Web browser, your computer has no idea what you're talking about. Since it doesn't know what the URL means, it forwards it to a DNS server.

When you enter www.brienposey.com into a Web browser, your browser is smart enough to know that the site you're visiting exists somewhere within the brienposey.com domain. But, since brienposey.com isn't directly connected to your network, your browser has no idea where to find it.

Domain names are hierarchical in nature. Brienposey.com is a child of a top-tier domain named .com. Therefore, if your Web browser were to visit a .com-level DNS server, it could point the Web browser to brienposey.com. Unfortunately, your Web browser doesn't know the IP address of a DNS server for the .com domain either.

However, there is a domain called the root domain that exists above the .com domain. The root domain contains domains such as .com, .net, and .org.

A root hints file on your DNS server points to the IP addresses of the DNS servers for the root domain. The Web browser goes to the root domain and asks for the IP address of a DNS server associated with the .com domain. It then queries that DNS server for the IP address of a brienposey.com DNS server.

Once your computer knows the IP address of the brienposey.com DNS server, it can send a request to that DNS server and ask for the IP address of the server hosting it. You Web browser will cache the IP address and then communicate with the Web server directly without having to perform a DNS query each time (at least until the cached entry expires).

When your Web browser checks the DNS server to find the IP address of the server hosting the Web site, it's actually looking for a record that lists the IP address of the Web site. DNS servers generally contain many different types of records. While it is beyond the scope of this tutorial to discuss all of them, here is an overview of some of the more important DNS records you should know about.

Start of Authority (SOA) records

There are often multiple DNS servers that service a domain. Multiple DNS servers might be used for load balancing, fault tolerance, or both. But, only one DNS server within a domain is considered authoritative.

The authoritative DNS server contains a read/write copy of the records database. Non-authoritative DNS servers are read-only. A Start of Authority (SOA) record points to the domain's authoritative DNS server. It also contains a sort of sequence number that is updated every time a change is made to the records contained within the zone. This helps non-authoritative DNS servers stay in sync with the authoritative DNS server.

Name Server (NS) records

A Name Server (NS) record is similar to an SOA record in that it points to the domain's DNS servers. The similarities end there though. Each DNS server in the domain gets its own NS record, regardless of whether it is authoritative or not.

Host records and Alias records

Probably the most common type of DNS record is a Host record (also called an A record). A Host record is simply used to associate a computer on your network with an IP address.

For example, I have a server on my network named RELEVANT. I therefore also have a Host record on my DNS server that links the name RELEVANT to the server's IP address.

It just so happens that the server RELEVANT is hosting a Web site on my domain. However, when people want to visit my Web site, they do not enter relevant.brienposey.com, even though that is the fully qualified domain name (FQDN) of the server hosting the Web site.

Instead, they enter www.brienposey.com. This is where the Alias record (also called a CNAME record) comes into play. An Alias record's job is to associate an alternate name with a computer for which there is already a Host record. For example, suppose that the host record for relevant looked like this:

Relevant Host (A) 147.100.100.97

When someone enters www.brienposey.com, I want them to be directed to the relevant.brienposey.com server. Since there is no server on the network named "www," I set up an Alias record that associates www with relevant.brienposey.com. The Alias record looks something like this:

www  Alias (CNAME) relevant.brienposey.com

MX Records

MX records

An e-mail message finds its way to its destination via an MX record.

An e-mail address is made up of a recipient name and a domain name (recipient@brienposey.com). I already explained how DNS queries are used to locate a DNS server for a specific domain. The process works exactly the same way when you send an e-mail message to a recipient in another domain.

The difference is that your mail client isn't interested in the IP address of your Web server -- it needs to know the IP address of your mail server. That's where the MX record comes in.

An MX record stores the IP address of your SMTP server, so e-mail clients can determine where a message should be sent. They simply perform a DNS query against a domain's MX record to get the IP address of the organization's SMTP server.

How to create an MX record

1. To create an MX record on a Windows Server 2003 DNS server, select the DNS command from the server's Administrative Tools menu to open the DNS console.
2. Navigate through the console tree to DNS -> your server -> Forward Lookup Zones -> your domain.
3. Right click on the listing for your domain and select the New Mail Exchanger (MX) command. You will see the New Resource Record dialog box shown in Figure A.

Figure A


Use the New Resource Record dialog box to create an MX record.

4. The first field on this dialog box asks for the name of a parent or child domain. In most cases, this field will be left blank.
5. The fully qualified domain name (FQDN) is filled in automatically.
6. Just below that is a field asking for the FQDN of the mail server -- not the mail server's IP address. What this means is that, unless you have a Host record in place for the mail server, the MX record isn't going to work. (See next section to learn how to set up a Host [A] record.)
7. The last field on this dialog box is a priority number. If you are only planning on using one MX record, you don't have to worry about changing this number. But many organizations (including my own) have multiple Exchange servers.

Just about any back-end Exchange Server (with some exceptions) has the ability to receive SMTP mail. If your primary SMTP server goes down, and you have additional mail servers up and running that have MX records with lower priorities, mail can be sent to one of those alternate servers. (Keep in mind that you should not set up two or more MX records with identical priorities. Doing so can trigger mail loops under some circumstances.)

How to set up a Host record

As I explained in above, an MX record won't work without a Host record in place, so let me explain how to set up one up:

1. In the DNS console, right click on your domain listing and select the New Host (A) command from the shortcut menu to view the dialog box shown in Figure B.
2. Enter the server's name in the Name field. Be sure to use the simple name, not the fully qualified domain name (relevant -- not relevant.brienposey.com).
3. Now enter the server's IP address and click the Add Host button.

Figure B


Enter the server's name and IP address and click the Add Host button.

You don't have to worry about creating a PTR record unless you plan on supporting reverse DNS queries. Also, you usually don't want to check the
"Allow Any Authenticated User to Update DNS Records" checkbox for security reasons.

Back

Email