Articles in this section

See more

Common DNS Request Types

Avatar
gellwood
  • Updated
Follow

Overview

 

This article explains the DNS Request Types that can be collected and listed in a report. Each record type has its own purpose in the DNS infrastructure. When thinking DNS, the first record type that comes to mind is the A Record which is the IPv4 IP address belonging to the hostname of the domain. 

Note:

This list is by no means exhaustive.  A more complete list, including the relevant RFC for each record type can be found here: https://en.wikipedia.org/wiki/List_of_DNS_record_types

 

 

 

With regards to blocked security domains , please note that Cisco Umbrella blocks A, AAAA, ANY, CNAME, PTR, SRV, PRIVATE, SPF/DNS, NULL, SIG, HTTPS (Type65), and TXT records, so queries for other record types (MX, SOA, and NS) will be allowed, even though the category is blocked.  However, requests for MX records of domains that have been categorized as "DNS Tunneling VPN" will be refused.

 

A Note on "Allowed" Security Categories in Umbrella Reports:

Cisco Umbrella is committed to DNS security. DNS record types observed to be capable of facilitating malicious connections (e.g. A/AAAA) or tunneling traffic (TXT, SRF, etc) or allowing bypass of standard DNS (Type65, etc) are enforced. Some record types that are reference records like MX, SOA, NS are permitted even if tagged in a security category. If you believe a record type that is not blocked should be blocked, contact us at umbrella-support@cisco.com to request. We monitor for new threat types to ensure that all records capable of delivering a malicious connection are enforced - without blocking request types that may hinder informational requests on the domain's ownership or mail servers. 

 

To validate if an "Allowed" Malware request is due to an alternate record type request, open your Activity search and add the DNS record type column. This is surfaced transparently to reporting - and does not indicate a failure to protect or a coverage gap. 

 

 

 

 

 

 

 

For content filtering categories, types other than AAAA, A records will not be blocked. Destination lists will also not block all record types, NS for example is not blocked. 

To view the record type of a request in the Activity Search, toggle the "DNS Types" column.

If a domain is "blocked", queries for address record types A and AAAA will return IP addresses that belong to Umbrella block pages.  Queries for DNS record types ANY, CNAME, PTR, SRV, SIG, or TXT will return "REFUSED".  (Note:  when querying for domains classified as Dynamic DNS, address record types A and AAAA will be blocked, but queries for other DNS record types will not return "REFUSED".) The full list of types we return "REFUSED" on are: 3-5,7-10, 12, 16, 30, 33, 38, 64, 65, 99, 245, 253, 255, 65280-65534.

Exceptions:

  • DNS Tunneling domains will "block" all record types.
  • Dynamic DNS category we only block A/AAAA records

 

DNS Lookup Types & Functions

 

 

 DNS  Lookup  Type

 Description 

Function
 A  IPv4 address record

 Returns a 32-bit IP address, which typically maps a domain’s hostname to an IP address, but also used for DNSBLs  and storing subnet masks
 AAAA  IPv6 address record

 Returns a 128-bit IP address that maps a domain’s hostname to an IP address
 ANY  All cached records

 If the domain is not blocked, Umbrella will return NOTIMP to requests for this type.
 CNAME  Canonical name record

 Alias of one name to another: the DNS lookup will continue by retrying the lookup with the new name
 MX  Mail exchange record

 Maps a domain name to a list of message transfer agents for that domain
 NS  Name server record

 Delegates a DNS zone to use the specified authoritative name servers
 PTR  Pointer record

 Pointer to a canonical name that returns the name only and is used for implementing reverse DNS lookups
 SIG  Signature

 Signature record
 SOA  Start of authority  record

 Specifies authoritative information about a DNS zone, including the primary name server, the email of the domain  administrator, the domain serial number, and several timers relating to refreshing the zone
 SRV  Service locator

 Generalized service location record, used for newer protocols instead of creating protocol-specific records such as MX
 TXT  Text record

 Carries extra data, sometimes human-readable, most of the time machine-readable such as opportunistic encryption,  DomainKeys, DNS-SD, etc.

 

 

 

Related articles

Comments

0 comments

Article is closed for comments.