I'm trying to understand DNS a bit better, but I still don't get A and NS records completely.

As far as I understood, the A record tells which IP address belongs to a (sub)domain; so far it was still clear to me. But as I understood, the NS record tells which nameserver belongs to a (sub)domain, and that nameserver should tell which IP address belongs to a (sub)domain. But that was already specified in the A record in the same DNS file. So can someone explain to me what the NS records and nameservers exactly do, because I probably understood something wrong.

edit: If I understand you correctly, an NS record tells you where to find the DNS server with the A record for a certain domain, and the A record tells you which IP address belongs to a domain. But what is the use of putting an A and an NS record in the same DNS file? If there is already an A record for a certain domain, then why do you need to point to another DNS server, which would probably give you the same information?


Solution 1:

Some examples out of the fictitious foo.com zone file:

 ....... SOA record & lots more stuff .......
 foo.com.      IN        NS        ns1.bar.com.

 foo.com.      IN        A         192.168.100.1
 ....... More A/CNAME/AAAA/etc. records .......

A Record = "The host called foo.com lives at address 192.168.100.1"
NS Record = "If you want to know about hosts in the foo.com zone, ask the name server ns1.bar.com"

Solution 2:

This is an old question, but I think the other answers aren't really touching on the source of the confusion. NS records at the apex follow a different set of rules than NS records beneath the apex.

  • The NS records at the apex do not define a referral. Instead, they provide the authoritative definition for those NS records.
  • Any NS records beneath the apex do define a referral. This NS record is not considered authoritative, and neither is an A record sharing the same name.

From those rules, we can derive two different behaviors for what happens when an A record exists on a DNS server with the same name:

  • If the NS record does not define a referral, other data can exist alongside of it in the same zone. Since the server considers itself authoritative for both the NS record and the A record, there is no conflict. This is why other data commonly lives alongside the NS records at the apex of a zone.
  • If the NS record does define a referral, then the A record is effectively "masked" by a zone cut. This A record is not authoritative, and must not show up in the answer section of an authoritative response. It can potentially be used as glue data which shows up in the additional section of the referral, but that's it.

Confusing? Yeah, it is. Drop a note in the comments if you have trouble following this and I'll see what I can do.

Solution 3:

An A record maps a name to an IP address, e.g.

binary.example.com.         IN  A       192.168.1.42

states that binary.example.com. resolves to 192.168.1.42

An NS record maps a name to another nameserver, i.e. another DNS server that serves that domain: "I've no idea of the IP address of this name, but if you go ask that nameserver over there, it might know."

binary.example.com.            IN      NS      otherbox.example.com.
otherbox.example.com.          IN       A      192.168.1.2

If you ask a DNS server that has the above 2 records for binary.example.com. (or www.binary.example.com. or foo.bar.binary.example.com.), it'll tell you that you'll have to go ask 192.168.1.2 to translate those names (well, or the DNS server could do that for you, or it could have the resolved names cached and return them to you).

Solution 4:

It is important to have both NS and A records in the zone if you need to delegate a sub-zone to a different DNS server.

E.g. we have a DNS server ns1.bar.com authoritative for zone bar.com, and we need to delegate foo.bar.com to ns1.foo.bar.com. So we need to create zone foo.bar.com and put these records there:

foo.bar.com.     IN NS ns1.foo.bar.com.
ns1.foo.bar.com. IN A  10.10.10.10

If we don't have the A record, delegation won't work. Such record pairs are called glue records.

Glue records are the only way for the DNS system to find the exact IP of an authoritative DNS server for a non-root zone. If you check any domain for NS records using dig or look at a traffic dump with Wireshark, you'll see that there's an 'additional' section in the answer.

;; ANSWER SECTION:
foo.bar.com.             10800   IN      NS      ns1.foo.bar.com.

;; ADDITIONAL SECTION:
ns1.foo.bar.com.         7972    IN      A       10.10.10.10

When doing a recursive request, e.g. for www.foo.bar.com, your DNS client will ask for the DNS server authoritative for the foo.bar.com zone and get the answer ns1.foo.bar.com.

To go further it needs to send an A request for ns1.foo.bar.com, which is served by... ns1.foo.bar.com. To break out of the loop, the delegating DNS server should add this additional section with the A record.

Server ns1.foo.bar.com should have the same records in its zone, so it can be authoritative for the foo.bar.com zone.
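To tie Solution 2's apex/below-apex rules to Solution 4's glue, here is an added toy authoritative lookup (example code, not from any of the answers above). The zone content is constructed: bar.com. is the apex, foo.bar.com. is delegated to ns1.foo.bar.com. with a glue A record, and a deliberately masked A record sits at the cut. Queries at or below the cut get a referral (NS in the authority section, glue in additional, nothing in answer, aa cleared), while names the zone really holds get an authoritative answer.

```python
from typing import Dict, List, Optional, Tuple

RR = Tuple[str, str, str]  # (owner, type, rdata)
APEX = "bar.com."

# Constructed zone content for bar.com. (not taken from any answer above).
ZONE: List[RR] = [
    ("bar.com.",         "NS", "ns1.bar.com."),     # apex NS: authoritative, no referral
    ("ns1.bar.com.",     "A",  "192.168.100.1"),    # data alongside the apex NS: fine
    ("www.bar.com.",     "A",  "192.168.100.2"),
    ("foo.bar.com.",     "NS", "ns1.foo.bar.com."), # below the apex: this IS a zone cut
    ("foo.bar.com.",     "A",  "10.10.10.99"),      # masked by the cut, never in ANSWER
    ("ns1.foo.bar.com.", "A",  "10.10.10.10"),      # glue: ADDITIONAL section only
]

def in_zone(name: str) -> bool:
    return name == APEX or name.endswith("." + APEX)

def find_cut(qname: str) -> Optional[str]:
    """Return the delegation point covering qname, or None if bar.com. holds it."""
    cuts = {o for o, t, _ in ZONE if t == "NS" and o != APEX}
    labels = qname.split(".")
    # Try suffixes from the one nearest the apex downward; the first cut found wins.
    for i in range(len(labels) - 1, -1, -1):
        cand = ".".join(labels[i:])
        if cand in cuts:
            return cand
    return None

def lookup(qname: str, qtype: str) -> Dict[str, object]:
    """Build the sections an authoritative server for bar.com. would return."""
    if not in_zone(qname):
        return {"rcode": "REFUSED", "aa": False, "answer": [], "authority": [], "additional": []}
    cut = find_cut(qname)
    if cut is not None:
        # Referral: the cut's NS records go in AUTHORITY and their glue A records in
        # ADDITIONAL; ANSWER stays empty and aa is False even though an A record exists.
        ns = [r for r in ZONE if r[0] == cut and r[1] == "NS"]
        targets = {r[2] for r in ns}
        glue = [r for r in ZONE if r[1] == "A" and r[0] in targets]
        return {"rcode": "NOERROR", "aa": False, "answer": [], "authority": ns, "additional": glue}
    answer = [r for r in ZONE if r[0] == qname and r[1] == qtype]
    exists = any(r[0] == qname for r in ZONE)
    return {"rcode": "NOERROR" if exists else "NXDOMAIN", "aa": True,
            "answer": answer, "authority": [], "additional": []}

if __name__ == "__main__":
    for q in [("www.bar.com.", "A"), ("foo.bar.com.", "A"), ("www.foo.bar.com.", "A")]:
        print(q, lookup(*q))
```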

Solution 5:

The NS records specify the servers which are providing DNS services for that domain name.

The A records point host names (such as www, ftp, mail) to one or more IP addresses.