# DNS

**DNS** (Domain Name System) is the protocol that translates domain names into IP addresses.

# DNS Resolvers

* https://www.joindns4.eu/for-public
* https://quad9.net/
* run your own

# DNS Servers

[bind9](bind)

# Local DNS

In order to have LAN-only DNS names (e.g. on a home network) you need a DNS server running. Its address should be handed out by the existing DHCP server so that the local (fake) domain names resolve on every client. In turn, the DNS server should forward requests for external names to some other resolver.

# DNS Leaks

DNS leaks occur when your computer uses the wrong DNS servers (usually the ISP's defaults) while connected to a VPN. This is a privacy threat, as it effectively negates the benefit the VPN provides. You can test for a DNS leak here: https://www.dnsleaktest.com/

Note that this usually affects only Windows boxes. @research need more info here

ISPs can also employ transparent DNS proxies to bypass explicit DNS configuration, ensuring a DNS request only reaches the ISP's server, not the resolver you chose.

When using OpenVPN, you can usually fix a DNS leak by adding `block-outside-dns` to the config file of the VPN server you're connecting to. This ensures your system will reject any DNS responses from network adapters other than your VPN's tunnel. On Linux, this option has no effect.

# DNS hijacking

Your ISP modifies your DNS requests to use their servers, or something like OpenDNS. To get around this, you can use unbound with DNS-over-TLS (DoT) to make encrypted queries.

# DNS records

* `A` IPv4 address
* `AAAA` IPv6 address
* `PTR` hostname; reverse of an A record
* `NS` DNS name server
* `SOA` meta info about the zone
* `CNAME` hostname alias
* `MX` SMTP server

## CAA

Specify which CAs are allowed to issue certs for your domains with CAA records. SSLMate's CAA record generator can be used for this, see https://sslmate.com/caa/

```bind
ctq.ro. CAA 0 issue "letsencrypt.org"
ctq.ro. CAA 0 iodef "mailto:bofh@ctq.ro"
```

# See also

* https://desec.io/signup free DNS hosting for your domains
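The DNS records section above lists record types by name; the wire format behind them is what a resolver, a leak test, or a packet capture actually sees. The following is an added example (not code from this page): a minimal DNS message builder and parser in Python that encodes a query, decodes compressed names with a hop limit, and turns A, AAAA, NS, CNAME, PTR, MX and CAA answers into values. The `SAMPLE` response is constructed inline with documentation addresses; `example.com.` and `mail.example.com.` are placeholders, not data from the page.

```python
import ipaddress
import struct

# Record types named in the DNS records section (plus CAA); numbers per RFC 1035/3596/8659
RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 28: "AAAA", 257: "CAA"}
TYPE_NUM = {v: k for k, v in RR_TYPES.items()}


def encode_name(name):
    """Encode a dotted name as DNS labels: length byte + label, terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def build_query(qname, qtype, txid=0x1234):
    """Build a standard recursive query (RD flag set) with one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", TYPE_NUM[qtype], 1)


def build_response(qname, qtype, answers, txid=0x1234):
    """Constructed response used as sample input: every answer's owner name is a
    compression pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    msg = header + encode_name(qname) + struct.pack("!HH", TYPE_NUM[qtype], 1)
    for rtype, ttl, rdata in answers:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_NUM[rtype], 1, ttl, len(rdata)) + rdata
    return msg


def decode_name(msg, off):
    """Decode a possibly-compressed name; returns (name, offset just past it in the message).
    Pointer hops are capped so a crafted pointer loop cannot spin forever."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # two-byte compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off


def parse_rdata(msg, rtype, off, rdlength):
    """Decode RDATA for the record types listed above; unknown types stay raw bytes."""
    rdata = msg[off:off + rdlength]
    if rtype == "A":
        return str(ipaddress.IPv4Address(rdata))
    if rtype == "AAAA":
        return str(ipaddress.IPv6Address(rdata))
    if rtype in ("NS", "CNAME", "PTR"):
        return decode_name(msg, off)[0]            # name may point back into the message
    if rtype == "MX":
        return struct.unpack("!H", rdata[:2])[0], decode_name(msg, off + 2)[0]
    if rtype == "CAA":                             # flags, tag length, tag, value
        flags, tag_len = rdata[0], rdata[1]
        return flags, rdata[2:2 + tag_len].decode("ascii"), rdata[2 + tag_len:].decode("utf-8")
    return rdata


def parse_response(msg):
    """Parse the header, skip the question section, decode the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rtype = RR_TYPES.get(rtype, rtype)
        answers.append((name, rtype, ttl, parse_rdata(msg, rtype, off, rdlength)))
        off += rdlength
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


def reverse_name(ip):
    """Owner name at which the PTR record for this address lives (reverse of A/AAAA)."""
    return ipaddress.ip_address(ip).reverse_pointer


# Constructed sample: the kind of answer set a resolver might return (RFC 5737/3849 addresses)
SAMPLE = build_response("example.com.", "MX", [
    ("MX", 300, struct.pack("!H", 10) + encode_name("mail.example.com.")),
    ("A", 60, ipaddress.IPv4Address("192.0.2.10").packed),
    ("AAAA", 60, ipaddress.IPv6Address("2001:db8::10").packed),
    ("CAA", 3600, bytes([0, 5]) + b"issue" + b"letsencrypt.org"),
])

if __name__ == "__main__":
    for rr in parse_response(SAMPLE)["answers"]:
        print(rr)
    print(reverse_name("192.0.2.10"))
```

The hop limit in `decode_name` is the detail worth keeping: a response whose pointers form a cycle would otherwise hang a naive parser, and the pointer mask (`& 0x3FFF`) is what keeps a pointer from being confused with a label length.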
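The CAA section above shows what to publish; this added example (not code from the page or from SSLMate) shows how a CA evaluates it, following RFC 8659: climb from the requested name toward the root, take the first CAA set found, ignore `issuewild` for non-wildcard names, and treat an empty issuer (`";"`) as "nobody may issue". The `ZONE` dictionary is constructed test data: the `ctq.ro.` records are the ones from the page, while `nocerts.example.` and `shop.example.` are made-up names.

```python
import re

# Zone-file presentation of CAA RDATA: <flags> <tag> "<value>" (RFC 8659 section 4.1)
CAA_RDATA = re.compile(r'^(?P<flags>\d{1,3})\s+(?P<tag>[A-Za-z0-9]+)\s+"(?P<value>[^"]*)"$')


def parse_caa(rdata):
    """Parse one CAA record string such as '0 issue "letsencrypt.org"'."""
    m = CAA_RDATA.match(rdata.strip())
    if not m or int(m["flags"]) > 255:
        raise ValueError(f"malformed CAA record: {rdata!r}")
    flags = int(m["flags"])
    # bit 7 is the "issuer critical" flag: a CA must refuse if it does not understand the tag
    return {"critical": bool(flags & 0x80), "tag": m["tag"].lower(), "value": m["value"]}


def relevant_caa_set(zone, name):
    """RFC 8659 section 3: starting at the name itself, climb toward the root and use the
    first non-empty CAA RRset found. Parent CAA records therefore cover every subdomain
    that does not publish its own. `zone` maps owner names (trailing dot) to rdata strings."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if zone.get(owner):
            return [parse_caa(r) for r in zone[owner]]
    return []


def issuance_allowed(zone, name, issuer, wildcard=False):
    """Decide, as a CA would, whether `issuer` may issue a certificate for `name`."""
    records = relevant_caa_set(zone, name)
    if not records:
        return True                       # no CAA anywhere up the tree: unrestricted
    known = {"issue", "issuewild", "iodef"}
    if any(r["critical"] and r["tag"] not in known for r in records):
        return False                      # critical property we do not understand: refuse
    restricting = [r for r in records if r["tag"] in ("issue", "issuewild")]
    if not restricting:
        return True                       # e.g. only an iodef record: unrestricted
    # issuewild applies only to wildcard names and, when present, replaces issue for them
    tag = "issuewild" if wildcard and any(r["tag"] == "issuewild" for r in restricting) else "issue"
    applicable = [r for r in restricting if r["tag"] == tag]
    if not applicable:
        return True                       # only issuewild records but a non-wildcard request
    # value is "<issuer-domain>[; param=value ...]"; an empty issuer ("" or ";") permits nobody
    permitted = {r["value"].split(";")[0].strip().lower() for r in applicable}
    return issuer.lower() in permitted


def report_contacts(zone, name):
    """iodef values: where a CA should report an issuance request that CAA refused."""
    return [r["value"] for r in relevant_caa_set(zone, name) if r["tag"] == "iodef"]


# Constructed zone data: the records from the CAA section above plus two made-up names
ZONE = {
    "ctq.ro.": ['0 issue "letsencrypt.org"', '0 iodef "mailto:bofh@ctq.ro"'],
    "nocerts.example.": ['0 issue ";"'],
    "shop.example.": ['0 issue "letsencrypt.org"', '0 issuewild "digicert.com"'],
}

if __name__ == "__main__":
    checks = [("www.ctq.ro.", "letsencrypt.org", False), ("www.ctq.ro.", "digicert.com", False),
              ("shop.example.", "letsencrypt.org", True), ("nocerts.example.", "letsencrypt.org", False)]
    for n, ca, wc in checks:
        print(n, ca, "wildcard" if wc else "", issuance_allowed(ZONE, n, ca, wc))
    print(report_contacts(ZONE, "www.ctq.ro."))
```

Two consequences follow from the climb in `relevant_caa_set`: a CAA record at the apex protects every subdomain that publishes none of its own, and a subdomain that does publish its own CAA set completely replaces the parent's, so a permissive record on a forgotten subdomain silently reopens issuance there.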