DNS for Network Engineers: Name Resolution Made Simple

What is DNS and why do network engineers care?

DNS (Domain Name System) is often called "the internet's phone book," but for network engineers, it's much more than simple name-to-address translation. DNS is a distributed database system that enables scalable, hierarchical naming for internet resources. Without DNS, users would need to memorize IP addresses like 172.217.160.142 instead of typing google.com.

Think of DNS like a sophisticated address system for a massive city. Instead of requiring everyone to memorize numerical coordinates, the system uses meaningful names organized in a hierarchy: specific addresses (www.example.com) within neighborhoods (example.com) within districts (.com). This hierarchy makes the system scalable and manageable even with billions of addresses.

For network engineers, DNS is critical infrastructure that affects performance, security, and reliability. DNS failures can make entire networks unreachable, while DNS performance directly impacts user experience. Modern applications rely on DNS for service discovery, load distribution, and dynamic scaling—making DNS knowledge essential for managing contemporary network infrastructure.

The DNS hierarchy: How delegation works

DNS uses a tree-like hierarchy starting from the root zone and branching down through top-level domains (TLDs), second-level domains, and subdomains. This hierarchical structure enables distributed management while maintaining global consistency.

Understanding the DNS tree structure

The hierarchy levels:

• Root zone (.): The top of the DNS tree, managed by ICANN
• Top-level domains (.com, .org, .net): Managed by registry operators
• Second-level domains (example.com): Owned and managed by organizations
• Subdomains (www.example.com): Created and managed by domain owners

Delegation example:

# DNS hierarchy for www.engineering.example.com
Root (.)
├── com. (Top-level domain)
    └── example.com. (Second-level domain)
        └── engineering.example.com. (Subdomain)
            └── www.engineering.example.com. (Host)

How delegation enables scalability:

Each level of the hierarchy can delegate authority to the next level. The .com registry delegates authority for example.com to the domain owner, who can then create subdomains like engineering.example.com and delegate authority for those subdomains to specific name servers. This distributed approach allows DNS to scale to billions of names without central bottlenecks.

Authority and zones

A DNS zone is a portion of the DNS namespace managed by a specific organization or system. Zones don't necessarily follow domain boundaries—you might delegate subdomains to separate zones for administrative or performance reasons.

Zone delegation scenarios:

• Geographic delegation: us.example.com managed by US team, eu.example.com by European team
• Departmental delegation: engineering.example.com managed by engineering, sales.example.com by sales team
• Service delegation: api.example.com managed by API team, cdn.example.com by infrastructure team

DNS record types: Beyond A and CNAME

DNS supports many record types, each serving specific purposes in modern networking. Understanding when to use each record type is crucial for effective DNS management.

Core address records

A record (IPv4 address):

# A record examples
www.example.com.     300  IN  A  203.0.113.10
mail.example.com.    300  IN  A  203.0.113.20
ftp.example.com.     300  IN  A  203.0.113.30

AAAA record (IPv6 address):

# AAAA record examples  
www.example.com.     300  IN  AAAA  2001:db8:85a3::8a2e:370:7334
mail.example.com.    300  IN  AAAA  2001:db8:85a3::8a2e:370:7335
ipv6.example.com.    300  IN  AAAA  2001:db8::1

CNAME record (canonical name alias):

# CNAME record examples
www.example.com.      300  IN  CNAME  web-server.example.com.
blog.example.com.     300  IN  CNAME  wordpress.hosting.com.
shop.example.com.     300  IN  CNAME  ecommerce-platform.example.com.

Mail and service records

MX record (mail exchange):

MX records specify mail servers for a domain, with priority values for failover ordering.

# MX record configuration
example.com.     300  IN  MX  10  mail1.example.com.
example.com.     300  IN  MX  20  mail2.example.com.
example.com.     300  IN  MX  30  backup-mail.partner.com.

SRV record (service location):

SRV records enable service discovery by specifying the location of services within a domain.

# SRV record format: _service._protocol.domain
_sip._tcp.example.com.    300  IN  SRV  10  5  5060  sip1.example.com.
_sip._tcp.example.com.    300  IN  SRV  20  5  5060  sip2.example.com.
_minecraft._tcp.example.com. 300 IN SRV  0   5  25565 game.example.com.

Infrastructure and security records

NS record (name server):

# NS records delegate authority
example.com.      86400  IN  NS  ns1.example.com.
example.com.      86400  IN  NS  ns2.example.com.
engineering.example.com. 86400 IN NS ns1.eng.example.com.
engineering.example.com. 86400 IN NS ns2.eng.example.com.

TXT record (text data):

TXT records store arbitrary text data, commonly used for verification and security policies.

# TXT record applications
example.com.           300  IN  TXT  "v=spf1 include:_spf.google.com ~all"
_dmarc.example.com.    300  IN  TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
google-verify.example.com. 300 IN TXT "google-site-verification=abc123def456"

PTR record (reverse DNS):

# PTR records for reverse DNS lookups
10.113.0.203.in-addr.arpa.  300  IN  PTR  www.example.com.
20.113.0.203.in-addr.arpa.  300  IN  PTR  mail.example.com.

DNS resolution process: Step by step

Understanding how DNS resolution works helps network engineers troubleshoot problems and optimize performance. DNS resolution involves multiple steps and several different servers working together.

The complete resolution flow

Resolving www.example.com:

1. Application request: Browser needs IP address for www.example.com
2. Local cache check: Operating system checks its DNS cache
3. Recursive resolver: If not cached, query goes to configured DNS server (often ISP or 8.8.8.8)
4. Root server query: Recursive resolver asks root server about .com
5. TLD server query: Root server refers resolver to .com name servers
6. Authoritative query: .com server refers resolver to example.com name servers
7. Final resolution: example.com name server returns A record for www.example.com
8. Response caching: Result cached at multiple levels for future use

Query types explained:

• Recursive query: Client asks resolver to find the complete answer
• Iterative query: Server provides referral to next server in hierarchy
• Non-recursive query: Query for data the server already has cached

Caching and TTL behavior

DNS caching occurs at multiple levels to improve performance and reduce query load. Time-To-Live (TTL) values control how long records can be cached.

Cache hierarchy:

• Browser cache: Typically caches for minutes
• Operating system cache: Caches based on record TTL
• Recursive resolver cache: Caches for TTL duration
• Authoritative server cache: May cache glue records and delegation information

TTL considerations:

# Different TTL strategies
# Short TTL for frequently changing records
api.example.com.       60   IN  A  203.0.113.50

# Medium TTL for regular services  
www.example.com.       300  IN  A  203.0.113.10

# Long TTL for stable infrastructure
ns1.example.com.       86400 IN A  203.0.113.100

DNS server types and roles

Different types of DNS servers serve specific roles in the DNS ecosystem. Understanding these roles helps in designing robust DNS architecture.

Authoritative name servers

Authoritative servers hold the official records for specific zones and provide definitive answers for domains they serve.

Primary (master) server:

• Contains the master copy of zone data
• Accepts dynamic updates and zone transfers
• Serves as the source of truth for the zone

Secondary (slave) server:

• Receives zone data via zone transfers from primary
• Provides redundancy and load distribution
• Can serve queries but cannot accept updates

Zone transfer configuration example:

# BIND configuration for primary server
zone "example.com" {
    type master;
    file "/etc/bind/zones/example.com.zone";
    allow-transfer { 203.0.113.11; 203.0.113.12; };
    notify yes;
};

# BIND configuration for secondary server
zone "example.com" {
    type slave;
    file "/var/cache/bind/example.com.zone";
    masters { 203.0.113.10; };
};

Recursive resolvers

Recursive resolvers perform the complete DNS resolution process on behalf of clients, following referrals and caching results.

Recursive resolver characteristics:

• Client-facing: Accept queries from end users and applications
• Iterative querying: Follow referrals through the DNS hierarchy
• Caching: Store results to improve performance
• Forwarding: May forward queries to other resolvers

Popular recursive resolvers:

• Google Public DNS: 8.8.8.8, 8.8.4.4
• Cloudflare DNS: 1.1.1.1, 1.0.0.1
• OpenDNS: 208.67.222.222, 208.67.220.220
• Quad9: 9.9.9.9, 149.112.112.112

Forwarders and conditional forwarding

DNS forwarders redirect queries to other DNS servers, useful for network segmentation and performance optimization.

Conditional forwarding example:

# BIND conditional forwarding configuration
zone "internal.company.com" {
    type forward;
    forwarders { 10.1.1.10; 10.1.1.11; };
    forward only;
};

zone "partner.org" {
    type forward;
    forwarders { 172.16.1.10; };
    forward first;
};

DNS zone management and configuration

Effective DNS zone management requires understanding zone files, record syntax, and common configuration patterns.

Zone file structure and syntax

DNS zone files contain the actual DNS records for a domain, following a specific format and syntax.

Complete zone file example:

# Zone file for example.com
$TTL 86400
$ORIGIN example.com.

; SOA record defines zone properties
@    IN  SOA  ns1.example.com. admin.example.com. (
            2024090601  ; Serial number (YYYYMMDDXX format)
            3600        ; Refresh interval (1 hour)
            1800        ; Retry interval (30 minutes)  
            604800      ; Expire time (1 week)
            86400       ; Minimum TTL (1 day)
)

; Name server records
@    IN  NS   ns1.example.com.
@    IN  NS   ns2.example.com.

; Address records
@    IN  A    203.0.113.10
www  IN  A    203.0.113.10
mail IN  A    203.0.113.20
ftp  IN  A    203.0.113.30

; IPv6 addresses
@    IN  AAAA 2001:db8::10
www  IN  AAAA 2001:db8::10

; Mail server
@    IN  MX   10 mail.example.com.

; Aliases
blog IN  CNAME www.example.com.
shop IN  CNAME ecommerce.hosting.com.

; Service records
_sip._tcp IN SRV 10 5 5060 sip.example.com.

; Text records for verification
@    IN  TXT  "v=spf1 mx include:_spf.google.com ~all"
_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"

SOA record parameters explained

The Start of Authority (SOA) record contains important zone management information:

• Serial number: Version number for zone transfers (increment when making changes)
• Refresh interval: How often secondary servers check for updates
• Retry interval: How long to wait before retrying failed zone transfers
• Expire time: How long secondary servers serve cached data if primary is unreachable
• Minimum TTL: Default TTL for records without explicit TTL

Best practices for zone management

Serial number management:

• Use YYYYMMDDXX format (year, month, day, revision)
• Always increment when making changes
• Use automated tools to prevent mistakes

TTL optimization:

• Short TTLs (60-300 seconds) for load-balanced services
• Medium TTLs (300-3600 seconds) for regular websites
• Long TTLs (3600-86400 seconds) for stable infrastructure

Dynamic DNS and automated management

Modern networks require dynamic DNS updates for cloud environments, containerized applications, and auto-scaling services.

DDNS protocols and mechanisms

RFC 2136 Dynamic Updates:

The standard protocol for dynamic DNS updates allows authorized clients to add, modify, or delete DNS records programmatically.

# nsupdate command examples
# Add a new A record
server 203.0.113.10
zone example.com
update add newserver.example.com. 300 A 203.0.113.50
send

# Delete a record
server 203.0.113.10  
zone example.com
update delete oldserver.example.com. A
send

# Replace a record
server 203.0.113.10
zone example.com  
update delete api.example.com. A
update add api.example.com. 60 A 203.0.113.60
send

Cloud DNS integration

Cloud platforms provide APIs for DNS management, enabling infrastructure-as-code approaches.

AWS Route 53 API example:

# AWS CLI commands for Route 53
# Create a new record
aws route53 change-resource-record-sets \
  --hosted-zone-id Z123456789 \
  --change-batch '{
  "Changes": [{
    "Action": "CREATE",
    "ResourceRecordSet": {
      "Name": "api.example.com",
      "Type": "A",
      "TTL": 300,
      "ResourceRecords": [{"Value": "203.0.113.50"}]
    }
  }]
}'

# Update existing record
aws route53 change-resource-record-sets \
  --hosted-zone-id Z123456789 \
  --change-batch '{
  "Changes": [{
    "Action": "UPSERT",
    "ResourceRecordSet": {
      "Name": "www.example.com",
      "Type": "A", 
      "TTL": 60,
      "ResourceRecords": [{"Value": "203.0.113.51"}]
    }
  }]
}'

Service discovery patterns

DNS enables service discovery in microservices architectures and container orchestration platforms.

Kubernetes DNS example:

# Kubernetes service DNS naming
# Service: api-service in namespace: production
# DNS name: api-service.production.svc.cluster.local

# Pod accessing service
curl http://api-service.production.svc.cluster.local:8080/health

# Cross-namespace access
curl http://database.infrastructure.svc.cluster.local:5432

DNS security: DNSSEC and beyond

DNS security is crucial because DNS attacks can redirect users to malicious servers, intercept traffic, or disrupt services. DNSSEC provides cryptographic validation of DNS responses.

Understanding DNSSEC

DNSSEC (DNS Security Extensions) uses digital signatures to verify DNS data integrity and authenticity, preventing DNS spoofing and cache poisoning attacks.

DNSSEC record types:

• RRSIG: Resource Record Signature, contains digital signature
• DNSKEY: Public key used for signature verification
• DS: Delegation Signer, creates chain of trust
• NSEC/NSEC3: Proves non-existence of records

DNSSEC validation process:

1. Resolver requests DNS record with DNSSEC validation
2. Authoritative server returns record plus RRSIG signature
3. Resolver retrieves DNSKEY record to verify signature
4. Resolver follows chain of trust up to root zone
5. If signatures verify, record is authenticated

Implementing DNSSEC:

# Generate DNSSEC keys
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE example.com
dnssec-keygen -a RSASHA256 -b 2048 -f KSK -n ZONE example.com

# Sign the zone
dnssec-signzone -o example.com \
  -k Kexample.com.+008+12345.key \
  example.com.zone Kexample.com.+008+54321.key

# Configure BIND to serve signed zone
zone "example.com" {
    type master;
    file "/etc/bind/zones/example.com.zone.signed";
    allow-update { none; };
};

DNS over HTTPS (DoH) and DNS over TLS (DoT)

Modern DNS security includes encrypting DNS queries to prevent eavesdropping and manipulation.

DNS over TLS (DoT):

# Configure unbound for DNS over TLS
server:
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 8.8.8.8@853#dns.google

DNS over HTTPS (DoH):

DoH uses HTTPS to encrypt DNS queries, making them indistinguishable from regular web traffic.

DoH endpoints:

• Cloudflare: https://1.1.1.1/dns-query
• Google: https://dns.google/dns-query
• Quad9: https://dns.quad9.net/dns-query

DNS load balancing and traffic management

DNS provides several mechanisms for distributing traffic across multiple servers and managing failover scenarios.

Round-robin DNS

The simplest load balancing approach uses multiple A records with the same name but different IP addresses.

# Round-robin DNS configuration
www.example.com.  300  IN  A  203.0.113.10
www.example.com.  300  IN  A  203.0.113.11  
www.example.com.  300  IN  A  203.0.113.12
www.example.com.  300  IN  A  203.0.113.13

Round-robin limitations:

• No health checking of servers
• Uneven distribution due to client caching
• Cannot consider server capacity or response time
• Failover requires manual intervention

Weighted and geographic DNS

Advanced DNS providers offer intelligent traffic management based on various factors.

Geographic DNS routing:

• US users: Directed to us-east.example.com (203.0.113.10)
• European users: Directed to eu-west.example.com (198.51.100.10)
• Asian users: Directed to asia-pacific.example.com (192.0.2.10)

Weighted DNS example:

# AWS Route 53 weighted routing
# 70% of traffic to new servers, 30% to old servers
api.example.com  300  IN  A  203.0.113.20  ; Weight: 70
api.example.com  300  IN  A  203.0.113.30  ; Weight: 30

Health checks and failover

Modern DNS services integrate with health monitoring to automatically route traffic away from failed servers.

Health check configuration:

# Conceptual health check configuration
health_checks:
  - name: web_server_1
    target: 203.0.113.10:80
    path: /health
    interval: 30s
    timeout: 5s
    
  - name: web_server_2  
    target: 203.0.113.11:80
    path: /health
    interval: 30s
    timeout: 5s

dns_records:
  - name: www.example.com
    type: A
    values:
      - ip: 203.0.113.10
        health_check: web_server_1
      - ip: 203.0.113.11  
        health_check: web_server_2

Troubleshooting DNS problems

DNS problems can be challenging to diagnose because they often manifest as connectivity issues. Systematic troubleshooting approaches help identify and resolve DNS-related problems quickly.

Essential DNS troubleshooting tools

dig command examples:

# Basic DNS lookup
dig www.example.com A

# Query specific server
dig @8.8.8.8 www.example.com A

# Trace full resolution path
dig +trace www.example.com A

# Query specific record types
dig example.com MX
dig example.com NS
dig example.com SOA

# Reverse DNS lookup
dig -x 203.0.113.10

# Check DNSSEC validation
dig +dnssec www.example.com A

nslookup alternatives:

# nslookup basic usage (less preferred than dig)
nslookup www.example.com
nslookup www.example.com 8.8.8.8

# Interactive mode
nslookup
> set type=MX
> example.com
> server 1.1.1.1
> example.com

host command examples:

# Simple lookups
host www.example.com
host -t MX example.com
host -t NS example.com

# Reverse lookup
host 203.0.113.10

Common DNS problems and solutions

Resolution failures:

• Symptom: "Name or service not known" errors
• Causes: Misconfigured resolvers, firewall blocking, server failures
• Diagnosis: Test with multiple DNS servers, check network connectivity

Slow DNS resolution:

• Symptom: Applications timeout or respond slowly
• Causes: High latency to DNS servers, overloaded resolvers, large TTLs
• Solutions: Use faster DNS servers, implement caching, optimize TTLs

Cache poisoning indicators:

• Symptom: Queries return incorrect IP addresses
• Diagnosis: Compare results from different DNS servers
• Solutions: Flush caches, implement DNSSEC, use secure resolvers

Systematic DNS debugging process

Step-by-step troubleshooting:

1. Verify the problem: Reproduce the issue and gather symptoms
2. Check local resolution: Test DNS queries from the affected system
3. Test alternative resolvers: Try different DNS servers (8.8.8.8, 1.1.1.1)
4. Trace the resolution path: Use dig +trace to follow the query
5. Check authoritative servers: Query the domain's name servers directly
6. Verify network connectivity: Ensure DNS traffic can reach servers
7. Review recent changes: Check for configuration or infrastructure changes

Enterprise DNS architecture patterns

Large organizations require robust DNS architectures that provide performance, security, and manageability at scale.

Split-horizon DNS

Split-horizon (split-brain) DNS provides different answers to the same query depending on the source of the query, enabling internal and external users to access different resources.

Split-horizon use cases:

• Internal vs external services: Internal users reach servers on private IPs
• Geographic optimization: Users in different regions get different answers
• Security segmentation: Limit service visibility based on network location

Split-horizon configuration example:

# Internal view (BIND configuration)
view "internal" {
    match-clients { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
    zone "example.com" {
        type master;
        file "/etc/bind/zones/example.com.internal";
    };
};

# External view  
view "external" {
    match-clients { any; };
    zone "example.com" {
        type master; 
        file "/etc/bind/zones/example.com.external";
    };
};

Internal zone records:

# Internal users see private IP addresses
www.example.com.    IN  A  10.1.1.10
mail.example.com.   IN  A  10.1.1.20
db.example.com.     IN  A  10.1.2.10

External zone records:

# External users see public IP addresses  
www.example.com.    IN  A  203.0.113.10
mail.example.com.   IN  A  203.0.113.20
# Internal services not visible externally

DNS forwarding and conditional forwarding

Large organizations use DNS forwarding to optimize query performance and implement policy controls.

Forwarding strategies:

• Upstream forwarding: Forward all external queries to ISP or public resolvers
• Conditional forwarding: Forward specific domains to designated servers
• Selective forwarding: Forward based on client location or policy

High availability DNS design

Redundancy strategies:

• Multiple authoritative servers: Primary and secondary name servers in different locations
• Anycast DNS: Same IP addresses announced from multiple geographic locations
• Recursive resolver clusters: Multiple resolvers with load balancing
• Cross-datacenter replication: Zone data synchronized across facilities

DNS performance optimization

DNS performance directly affects user experience and application response times. Optimization strategies can significantly improve overall network performance.

Caching strategies

Multi-tier caching architecture:

• Application-level caching: Cache results in application memory
• Local resolver caching: Operating system and stub resolvers
• Recursive resolver caching: Network-level DNS caches
• CDN integration: Content delivery networks with DNS optimization

Cache optimization techniques:

• Appropriate TTL values: Balance freshness with performance
• Negative caching: Cache NXDOMAIN responses to avoid repeated failures
• Prefetching: Proactively refresh cached records before expiration
• Cache warming: Pre-populate caches with frequently accessed records

Monitoring and metrics

Key DNS metrics to track:

• Query response time: Average and percentile response times
• Query volume: Queries per second and patterns over time
• Cache hit ratio: Percentage of queries served from cache
• Resolution failure rate: Percentage of queries that fail
• DNSSEC validation rate: Percentage of queries with successful validation

IPv6 and DNS considerations

IPv6 introduces additional considerations for DNS configuration and management.

IPv6 DNS record management

Dual-stack DNS configuration:

# Supporting both IPv4 and IPv6
www.example.com.    300  IN  A     203.0.113.10
www.example.com.    300  IN  AAAA  2001:db8::10

mail.example.com.   300  IN  A     203.0.113.20
mail.example.com.   300  IN  AAAA  2001:db8::20

IPv6 reverse DNS:

# IPv6 reverse DNS in ip6.arpa domain
0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. IN PTR www.example.com.

IPv6 considerations:

• Happy Eyeballs: Clients try IPv6 first, fallback to IPv4
• Connectivity testing: Ensure IPv6 DNS servers are reachable
• Performance monitoring: Track IPv6 vs IPv4 resolution performance

Practical DNS management workflows

Effective DNS management requires established workflows for common tasks and changes.

Change management procedures

DNS change workflow:

1. Plan the change: Identify affected records and impact
2. Lower TTLs: Reduce TTLs in advance to minimize cache impact
3. Test in staging: Validate changes in non-production environment
4. Implement change: Update DNS records during maintenance window
5. Verify propagation: Confirm changes are visible globally
6. Restore TTLs: Return TTL values to normal after change propagates
7. Monitor: Watch for any issues following the change

Emergency DNS procedures:

• Service outage: Quickly redirect traffic to backup servers
• DDoS mitigation: Point DNS to DDoS protection services
• Security incident: Isolate compromised services via DNS

Testing DNS configurations

Thorough testing ensures DNS changes work correctly before they affect users.

Testing checklist:

• Resolution testing: Verify all record types resolve correctly
• Propagation testing: Check multiple global DNS servers
• Application testing: Ensure applications work with DNS changes
• Failover testing: Verify redundancy and failover mechanisms
• Performance testing: Measure resolution times and cache behavior

Automated testing tools:

# DNS testing script example
#!/bin/bash
DOMAIN="example.com"
RECORDS=("A" "AAAA" "MX" "NS" "TXT")
SERVERS=("8.8.8.8" "1.1.1.1" "9.9.9.9")

for record in "${RECORDS[@]}"; do
    for server in "${SERVERS[@]}"; do
        echo "Testing $record record for $DOMAIN via $server"
        dig @$server $DOMAIN $record +short
    done
done

Key principles for DNS success

• Design DNS architecture for redundancy and performance from the start
• Use appropriate TTL values balancing freshness with cache efficiency
• Implement monitoring to detect DNS issues before they affect users
• Maintain careful change control procedures for DNS modifications
• Consider security implications and implement DNSSEC where appropriate
• Plan for IPv6 dual-stack operations in modern network designs
• Use automation for DNS management in dynamic environments

Your DNS journey: Next steps

Start by auditing your current DNS infrastructure to identify improvement opportunities. Practice with DNS tools like dig and nslookup to become comfortable diagnosing issues. Consider implementing DNSSEC for enhanced security, and explore dynamic DNS solutions for cloud and containerized environments.

Remember that DNS is often invisible when working correctly but becomes critical during outages. Invest time in understanding DNS internals—it will pay dividends when troubleshooting complex network issues. Use our IP Prefix Calculator when planning DNS server addressing and reverse DNS zones to ensure your DNS infrastructure uses properly sized subnets.