
More about SPF records

Hello all!

A few days back I visited the official Google Apps forum (one of my favorite places :) ) and answered many questions. It had been some time since I was last there, and I found a few of the cases/questions/problems really interesting.

Here’s one of the questions asked there by an admin named aol985, about SPF records.


His question:

As described in http://www.google.com/support/a/bin/answer.py?hl=en&answer=33786 , I set the SPF record for the mashfilm.ru domain to “v=spf1 include:aspmx.googlemail.com ~all”. But aspmx.googlemail.com currently does not resolve. Is it correct?

Nice one!

He is right that aspmx.googlemail.com does NOT resolve. OK, why?

[anurag@root]$ dig aspmx.googlemail.com a
; <<>> DiG 9.3.4-P1.1 <<>> aspmx.googlemail.com a
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42050
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;aspmx.googlemail.com.          IN      A
;; Query time: 100 msec
;; SERVER: 66.33.216.208#53(66.33.216.208)
;; WHEN: Wed Aug  5 02:48:00 2009
;; MSG SIZE  rcvd: 38
[anurag@root]$

Thus there is no A record, which means the hostname won’t resolve to an address, BUT one must remember that a zone can have many record types side by side, each offering its own feature: MX records can exist with or without an A record, the same goes for TXT records, and a few others too.


Now observe the SPF record given by Google – “v=spf1 include:aspmx.googlemail.com ~all”

Here include:aspmx.googlemail.com

means: include the SPF record of aspmx.googlemail.com, which makes sense as:

[anurag@root]$ dig aspmx.googlemail.com txt
; <<>> DiG 9.3.4-P1.1 <<>> aspmx.googlemail.com txt
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30134
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;aspmx.googlemail.com.          IN      TXT
;; ANSWER SECTION:
aspmx.googlemail.com.   7178    IN      TXT     "v=spf1 redirect=_spf.google.com"
;; Query time: 14 msec
;; SERVER: 66.33.216.208#53(66.33.216.208)
;; WHEN: Wed Aug  5 02:54:02 2009
;; MSG SIZE  rcvd: 82
[anurag@root]$

So the SPF record for aspmx.googlemail.com is “v=spf1 redirect=_spf.google.com”

Now let’s try to understand _spf.google.com

The underscore right at the start makes it different from an ordinary sub-zone: a label beginning with an underscore is not a valid hostname, so it can’t be used as a domain for a host, but it still remains a perfectly working name (a sub-zone) in terms of DNS.

So since it can’t be used as a sub-domain, i.e. one that gets attached to a web server and serves pages (or files via FTP), there is no meaning in an A record for it here; its job is to carry the TXT record.

Checking the TXT string of _spf.google.com

[anurag@root]$ dig _spf.google.com txt
; <<>> DiG 9.3.4-P1.1 <<>> _spf.google.com txt
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52983
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;_spf.google.com.               IN      TXT
;; ANSWER SECTION:
_spf.google.com.        300     IN      TXT     "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ?all"
;; Query time: 29 msec
;; SERVER: 66.33.216.208#53(66.33.216.208)
;; WHEN: Wed Aug  5 02:57:26 2009
;; MSG SIZE  rcvd: 229
[anurag@root]$

And here we got it!

So much information in just one hostname!

“v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ?all” is the part of the SPF record that Google makes its Google Apps users use.

Thus using

“v=spf1 include:aspmx.googlemail.com ~all” as the SPF record says: “this domain authorizes all the servers in these IP ranges – ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 – to send email on its behalf”.


So that’s how spf works in this case. :)
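As an added example (not code from the original post, and not Google’s), here is a small SPF evaluator in Python that walks exactly this include-then-redirect chain over an in-memory copy of the three TXT records shown above and reports pass/softfail/neutral for a sender IP. The TXT table is constructed from the dig output in the post; a real checker would fetch it with DNS queries, but the evaluation logic is the same. It shows why the domain’s own ~all, not Google’s ?all, decides what happens to a non-Google sender, and it enforces the ten-lookup limit of RFC 7208. The a, mx, ptr and exists mechanisms and macro expansion are left out because they need live DNS.

```python
import ipaddress

# Constructed in-memory TXT table mirroring the chain the post walked with dig.
TXT_RECORDS = {
    "mashfilm.ru": "v=spf1 include:aspmx.googlemail.com ~all",
    "aspmx.googlemail.com": "v=spf1 redirect=_spf.google.com",
    "_spf.google.com": (
        "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 "
        "ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 "
        "ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ?all"
    ),
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208: include and redirect (plus a, mx, ptr, exists) count against this


def check_spf(domain, sender_ip, txt=TXT_RECORDS, lookups=0):
    """Evaluate sender_ip against the SPF policy of `domain`.

    Returns (result, lookups_used); result is one of pass, fail, softfail,
    neutral, none (no SPF record) or permerror (broken/unsupported policy).
    """
    record = txt.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none", lookups
    addr = ipaddress.ip_address(sender_ip)
    redirect = None

    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]  # applied only if no mechanism matches
            continue
        qualifier = "+"  # a mechanism with no explicit qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()

        if mech == "all":
            return QUALIFIERS[qualifier], lookups
        if mech in ("ip4", "ip6"):
            # membership test is False for an address of the other family, so no crash on IPv6
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier], lookups
        elif mech == "include":
            lookups += 1
            if lookups > MAX_DNS_LOOKUPS:
                return "permerror", lookups
            sub, lookups = check_spf(arg, sender_ip, txt, lookups)
            if sub == "pass":
                return QUALIFIERS[qualifier], lookups
            if sub in ("none", "permerror"):
                return "permerror", lookups
            # fail/softfail/neutral from an include is simply "no match": keep evaluating
        else:
            # a, mx, ptr, exists need live DNS and are out of scope for this offline example
            return "permerror", lookups

    if redirect is not None:
        lookups += 1
        if lookups > MAX_DNS_LOOKUPS:
            return "permerror", lookups
        return check_spf(redirect, sender_ip, txt, lookups)
    return "neutral", lookups  # RFC 7208: nothing matched and no redirect -> neutral


if __name__ == "__main__":
    for ip in ("74.125.1.1", "203.0.113.9"):
        print(ip, check_spf("mashfilm.ru", ip))
```

A Google address such as 74.125.1.1 comes back as pass after two lookups (the include and the redirect). A non-Google address gets neutral from _spf.google.com, which does not count as a match, so evaluation continues back in the mashfilm.ru record and ends at ~all: softfail. That is the practical consequence of the ?all inside Google’s record being wrapped in a domain record that ends in ~all.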


Google’s SRV records

After receiving lots of emails regarding the SRV records issue in Google Apps, I finally tried it myself... unfortunately it’s true that Google’s help has missing info about SRV records.

As per the official Google help here.

It is missing info about the location (target) servers.

Here are those missing SRV records:

_xmpp-client._tcp.YOURDOMAIN.TLD. IN SRV 5 0 5222 talk.l.google.com.

_xmpp-client._tcp.YOURDOMAIN.TLD. IN SRV 20 0 5222 talk1.l.google.com.

_xmpp-client._tcp.YOURDOMAIN.TLD. IN SRV 20 0 5222 talk2.l.google.com.

_xmpp-client._tcp.YOURDOMAIN.TLD. IN SRV 20 0 5222 talk3.l.google.com.

_xmpp-client._tcp.YOURDOMAIN.TLD. IN SRV 20 0 5222 talk4.l.google.com.

So finally: just forget everything else and add these SRV records to get your domain’s Gtalk working from external IM clients.

I created a public Google Docs spreadsheet here for easy viewing.
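To make the meaning of the five records above concrete, here is an added Python example (not from the original post) that parses SRV lines in the zone-file form given above and orders the targets the way an RFC 2782 client does: lowest priority first, and within equal priority a weighted random choice. The input is the post’s own five lines embedded as a string; the parser also rejects malformed lines, which is the check to run before pasting records into a DNS control panel.

```python
import random

# The five SRV lines from the post, embedded here as the parser's input.
SRV_LINES = """\
_xmpp-client._tcp.YOURDOMAIN.TLD. IN SRV 5 0 5222 talk.l.google.com.
_xmpp-client._tcp.YOURDOMAIN.TLD. IN SRV 20 0 5222 talk1.l.google.com.
_xmpp-client._tcp.YOURDOMAIN.TLD. IN SRV 20 0 5222 talk2.l.google.com.
_xmpp-client._tcp.YOURDOMAIN.TLD. IN SRV 20 0 5222 talk3.l.google.com.
_xmpp-client._tcp.YOURDOMAIN.TLD. IN SRV 20 0 5222 talk4.l.google.com.
"""


def parse_srv(zone_text):
    """Parse 'name IN SRV priority weight port target' lines; raise on anything else."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 7 or fields[1].upper() != "IN" or fields[2].upper() != "SRV":
            raise ValueError(f"not an SRV record: {line!r}")
        name, _, _, priority, weight, port, target = fields
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError(f"bad port in {line!r}")
        records.append({"name": name.lower(), "priority": int(priority),
                        "weight": int(weight), "port": port,
                        "target": target.rstrip(".").lower()})
    return records


def order_targets(records, rng=random):
    """RFC 2782 client order: lowest priority first; equal priorities picked by weight.

    Weight 0 on every record (as in the post) makes each server in a group equally likely.
    """
    ordered = []
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec["priority"], []).append(rec)
    for priority in sorted(by_priority):
        group = list(by_priority[priority])
        while group:
            total = sum(r["weight"] for r in group)
            if total == 0:
                pick = rng.choice(group)
            else:
                point = rng.randint(0, total)
                running = 0
                for pick in group:
                    running += pick["weight"]
                    if running >= point:
                        break
            ordered.append(pick)
            group.remove(pick)
    return ordered


def connection_order(zone_text, seed=None):
    """(target, port) pairs in the order a client would try them."""
    rng = random.Random(seed)
    return [(r["target"], r["port"]) for r in order_targets(parse_srv(zone_text), rng)]


def validate(zone_text):
    """None if every line parses as an SRV record, else the error message."""
    try:
        parse_srv(zone_text)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(connection_order(SRV_LINES, seed=7))
```

Whatever the seed, talk.l.google.com (priority 5) is always tried first; the four priority-20 hosts are fallbacks in a random order, which is the load-sharing and failover behaviour these records are meant to give an XMPP client.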

Feel free to post for any issues…


Hope this will help you out :)


Glue Records

Glue records... I wonder WHY most engineers and DNS specialists call them “advanced DNS stuff”!

I totally disagree with that.

As per me:

Glue records are the MOST fundamental DNS records, the ones that actually start the lookup!

Let’s understand this with a basic scenario.

Observe two sites – harisri.in & anuragbhatia.com

There’s a basic difference between the two sites in terms of DNS. The nameservers of harisri.in are ns1.anuragbhatia.com & ns2.anuragbhatia.com, which belong to a totally separate zone, but the nameservers for anuragbhatia.com are ns1.anuragbhatia.com, ns2.anuragbhatia.com & so on, i.e. the domain has nameservers which are hostnames inside the domain itself.

How DNS works in both cases

anuragbhatia.com
The query for the NS starts:

ISP -> root servers -> gTLD (.com) servers -> returning NS – ns1.anuragbhatia.com, ns2.anuragbhatia.com and so on, together with their IPs 66.117.40.216, 69.26.176.28...

and thus we got the IPs of the nameservers right away, so the work of finding the DNS servers is over.

Now observe the route for the DNS lookup of harisri.in

The query for the NS starts:

ISP -> root servers -> ccTLD (.in) servers -> returning NS – ns1.anuragbhatia.com & ns2.anuragbhatia.com

The important thing here is that the nameservers are given as hostnames (NOT IPs), and so the lookup has to continue in order to resolve ns1.anuragbhatia.com, like this:

ns1.anuragbhatia.com – the resolver strips off ns1. and looks up anuragbhatia.com; it gets the nameservers ns1.anuragbhatia.com and ns2.anuragbhatia.com together with their IPs (the glue), and now it asks those DNS servers for the IP of ns1.anuragbhatia.com (confusing? ...yes, I know!) :)

This means that if we want the NS for anuragbhatia.com we get ns1.anuragbhatia.com & ns2.anuragbhatia.com with IPs, BUT if we want the NS for harisri.in we get the NS as hostnames only, and a separate lookup is done to resolve those hostnames. The important point: whenever a domain uses the nameservers of some other domain, the nameserver hostnames are resolved through the DNS of that second domain and NOT via glue records of the first.

Thus we can understand glue records as the MOST fundamental DNS records, the ones that provide the glue (the IP addresses) for a nameserver hostname at the TLD servers (the “root servers” of that TLD).

And the interesting fact is that glue records live at those TLD servers and NOT on your DNS servers, though we MUST have a corresponding A record in the DNS hosting for every glue record.

A more interesting thing about these records is that they go by many names at different registrars... some call them nameserver records, some call them child nameservers, some offer them as an option for registering nameservers, etc.
Thus a nameserver works with three fundamental records:

  1. Glue records (at the TLD servers, the “root” for that TLD)
  2. A records corresponding to the glue, on the DNS host
  3. NS records at the DNS host delegating the zone to those specific servers

FAQ

Are glue records an essential part of DNS?

Yes! They are... you can have your site working without any glue records of your own, but in the end the nameservers you are using must have glue somewhere. E.g. your site can use ns1.your-web-host.com as a nameserver, your-web-host.com might have its nameservers at dns1.nameserver.com, and nameserver.com itself will have ns1.nameserver.com... so at the end, the glue is on ns1.nameserver.com.

How many glue records can one create?

Virtually unlimited, but you might run into issues because of registrar limits.

Glue records look much like A records; can I use them as a substitute for A records?

No, no and NEVER think of that. It will not work. As I already said, we MUST have A record entries for every glue record; thus in general a glue record without an A record is virtually nothing.

I guess the reason it doesn’t work is to prevent load on the TLD servers: if that were allowed, people might create lots of glue records and put no load at all on their own DNS servers!

I can’t see any option like glue records in my domain control panel. What to do?

Contact your registrar/reseller; if they can’t help, move your domain to another registrar like name.com, aapkadomain, etc.

Is it necessary to have glue records if I want to use hostnames as nameservers for domains?

Confusing question; for now my answer is yes. I tried using hostnames on name.com and Directi when I didn’t have any glue records and it all worked fine, but when I tried entering those as nameservers for a domain on eNom, it gave errors.
I had nameservers like ns21.anuragbhatia.com & ns22.anuragbhatia.com which had A entries on the nameservers hosting anuragbhatia.com itself. And finally, when I provided glue for those nameservers, they worked fine with eNom also. Thus it all depends on the registrar’s policies, and it is always better to have glue for nameserver records.

What will happen if the A record and the glue record for a given hostname don’t match?

Nothing will work! :P

I mean to say you will get arbitrary results. In fact, a few months back it took me an hour to track down exactly such an issue, where I got a different IP for a hostname from different locations. So all I can say is: be careful!!!
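The two lookups described above (anuragbhatia.com with in-zone nameservers and glue, harisri.in with another domain’s nameservers and no glue) and the last FAQ answer can be replayed offline. The following is an added Python example, not code from the original post: a toy iterative resolver over a constructed delegation tree. The ns1/ns2.anuragbhatia.com addresses are the ones quoted in the post; the registry servers, the www hosts and the mismatched example.com glue are made up from documentation address ranges. It counts how many servers each lookup has to ask, and check_glue() performs the comparison the FAQ says you must get right: glue at the parent versus the A record in the child zone.

```python
# Constructed, simplified view of the delegation tree described in the post.
# Each key is a zone whose authoritative server we "ask": "NS" lists the child
# delegations it hands out, "A" holds the A records it knows. An A record at a
# parent for a child's nameserver is the glue. Registry and www IPs are made up.
ZONES = {
    ".": {
        "NS": {"com.": ["a.gtld-servers.net."], "in.": ["ns1.registry.in."]},
        "A": {"a.gtld-servers.net.": "192.0.2.1", "ns1.registry.in.": "192.0.2.2"},
    },
    "com.": {
        "NS": {"anuragbhatia.com.": ["ns1.anuragbhatia.com.", "ns2.anuragbhatia.com."],
               "example.com.": ["ns1.example.com."]},
        # glue: these nameservers live inside the zones they serve, so .com must give IPs
        "A": {"ns1.anuragbhatia.com.": "66.117.40.216", "ns2.anuragbhatia.com.": "69.26.176.28",
              "ns1.example.com.": "203.0.113.5"},
    },
    "in.": {
        # harisri.in uses another domain's nameservers: no glue here, and none is needed
        "NS": {"harisri.in.": ["ns1.anuragbhatia.com.", "ns2.anuragbhatia.com."]},
        "A": {},
    },
    "anuragbhatia.com.": {
        "NS": {},
        "A": {"ns1.anuragbhatia.com.": "66.117.40.216", "ns2.anuragbhatia.com.": "69.26.176.28",
              "www.anuragbhatia.com.": "198.51.100.10"},
    },
    "harisri.in.": {"NS": {}, "A": {"www.harisri.in.": "198.51.100.20"}},
    # example.com's own A record disagrees with the .com glue: the FAQ's "arbitrary results" case
    "example.com.": {"NS": {}, "A": {"ns1.example.com.": "203.0.113.6"}},
}


def find_delegation(zone, name):
    """Longest child zone delegated from `zone` that contains `name`; None if `zone` is authoritative."""
    best = None
    for child in ZONES[zone]["NS"]:
        if (name == child or name.endswith("." + child)) and (best is None or len(child) > len(best)):
            best = child
    return best


def resolve(name, zone=".", trace=None, depth=0):
    """Iteratively resolve `name` starting at `zone`; returns (ip_or_None, trace)."""
    trace = [] if trace is None else trace
    if depth > 8:
        raise RuntimeError("too many hops: delegation loop or missing glue")
    child = find_delegation(zone, name)
    if child is None:
        trace.append(f"{zone} answers A {name}")
        return ZONES[zone]["A"].get(name), trace
    nameservers = ZONES[zone]["NS"][child]
    trace.append(f"{zone} delegates {child} to {nameservers}")
    for ns in nameservers:
        glue = ZONES[zone]["A"].get(ns)
        if glue:  # glue present: we can go straight to the child's server
            trace.append(f"glue {ns} = {glue}")
            return resolve(name, child, trace, depth + 1)
    # no glue: the nameserver hostname must be resolved by a separate lookup from the root
    ns = nameservers[0]
    trace.append(f"no glue for {ns}; resolving it separately")
    ns_ip, _ = resolve(ns, ".", trace, depth + 1)
    if ns_ip is None:
        raise RuntimeError(f"cannot resolve nameserver {ns}")
    return resolve(name, child, trace, depth + 1)


def hops(trace):
    """Number of servers asked: every 'answers' or 'delegates' line is one query."""
    return sum(1 for t in trace if " answers " in t or " delegates " in t)


def check_glue(parent, child):
    """Compare parent glue with the child zone's own A records; return (ns, glue, authoritative) mismatches."""
    mismatches = []
    for ns in ZONES[parent]["NS"][child]:
        glue, auth = ZONES[parent]["A"].get(ns), ZONES[child]["A"].get(ns)
        if glue and auth and glue != auth:
            mismatches.append((ns, glue, auth))
    return mismatches


if __name__ == "__main__":
    for host in ("www.anuragbhatia.com.", "www.harisri.in."):
        ip, trace = resolve(host)
        print(host, ip, f"({hops(trace)} queries)")
        print("  " + "\n  ".join(trace))
    print("glue mismatches for example.com:", check_glue("com.", "example.com."))
```

www.anuragbhatia.com is answered after three queries because .com hands out glue. www.harisri.in takes six: the .in servers return only hostnames, so the resolver has to go back to the root and walk down through .com to learn where ns1.anuragbhatia.com is before it can ask it anything. For example.com, check_glue() reports that the registry hands out 203.0.113.5 while the zone itself says 203.0.113.6, which is exactly the situation where different resolvers end up at different addresses.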

Setting up redirection

Most people face an issue using Google Sites with redirection, i.e. www.domain.com works fine (because of the CNAME record) BUT domain.com fails...

So let’s see the possible ways out of the issue:

  1. use the redirection offered by your registrar (eNom, GoDaddy, name.com etc.)
  2. use the redirection offered by third-party DNS hosts (only redirection, NOT DNS hosting)

In this post I will consider #2, as for #1 instructions are already available (Google for them!), and also I guess most of you are reading this post because you were unable to do #1!

Since we are using free services, they are perfect for bloggers and small business sites (with low traffic, i.e. less than 10,000 visitors per day).

We can use any of following host for setting redirection:

  1. Everydns
  2. Editdns
  3. Zoneedit

Here I like #1 the most for redirection, as it is really fast and simple (though as a DNS host it is the worst!)

and so I will give the steps for setting up redirection only in EveryDNS... anyone can easily use any other service, as the steps will be quite similar.

Everydns

To use its redirection, follow these steps:

  1. Get a free account at http://everydns.com
  2. Now log in and add your domain as a webhop,
    i.e. you need to add your-domain.com as a webhop to http://www.your-domain.com (look at the pic. below)

    adding domain in everydns

  3. Now wait for 10-15 mins
    (so that a zone file is created for your domain on EveryDNS)
  4. Now you need to get the IP of the EveryDNS redirection server, which runs the redirection script and will do the redirection for your domain.
    This can be done easily with an “A record” lookup for your domain on the EveryDNS nameservers.

    You can simply use any DNS lookup tool, e.g. http://zoneedit.com/nslookup.htm: just
    put your domain in the first field, select record type “a” in the second field, and put the EveryDNS NS you want to query in the third, e.g. ns1.everydns.net

  5. So from here we get the IP of the server – 64.158.219.5. Please note: if you get an error like “no A records were found for domain.com on server ns1.everydns.net”

    it just means that EveryDNS’s servers are not hosting your domain yet... wait some time and check again.

    In case you are on Linux, just use the dig command with the “a” and “@” parameters;
    so the command for this example will be

    dig domain.com a @ns1.everydns.net

    [anurag@root ~]$ dig domain.com a @ns1.everydns.net

    ; <<>> DiG 9.3.4-P1 <<>> domain.com a @ns1.everydns.net
    ; (1 server found)
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21777
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

    ;; QUESTION SECTION:
    ;domain.com.                    IN      A

    ;; ANSWER SECTION:
    domain.com.             3600    IN      A       64.158.219.5

    ;; AUTHORITY SECTION:
    domain.com.             86400   IN      NS      ns1.everydns.net.
    domain.com.             86400   IN      NS      ns2.everydns.net.
    domain.com.             86400   IN      NS      ns3.everydns.net.
    domain.com.             86400   IN      NS      ns4.everydns.net.

    ;; ADDITIONAL SECTION:
    ns1.everydns.net.       7200    IN      A       71.6.202.220
    ns2.everydns.net.       7200    IN      A       204.152.184.150
    ns3.everydns.net.       7200    IN      A       208.76.56.56
    ns4.everydns.net.       7200    IN      A       208.96.6.134

    ;; Query time: 35 msec
    ;; SERVER: 71.6.202.220#53(71.6.202.220)
    ;; WHEN: Sat Nov 29 01:08:52 2008
    ;; MSG SIZE  rcvd: 192

    [anurag@root ~]$

  6. Now just delete all A records present at your DNS hosting for “domain.com”
  7. Create a new A record for domain.com (or root zone, or whatever your DNS host calls it) pointing to 64.158.219.5

Hope that will help you with your redirection setup :)

DNS Zone Propagation Time


OK OK, I agree it’s one of the BIGGEST confusions in the world!

MOST web hosts state that if you have changed your domain’s name servers to theirs, it will still take around 24-48 hours for DNS changes to propagate.

WRONG!!!

The correct sentence would be

If you have changed your domain’s name servers to theirs, it might still take around 24-48 hours for DNS changes to propagate.

No no... even that is just a bit of the “truth!”

What I mean to say is that it creates a wrong image of how DNS works in the eyes of a newbie. Let me be clear on one thing: there is NO such thing as propagation between the world’s DNS servers... blah blah blah... that’s just a wrong picture.

Now let’s think it over and shoot it down!

Question:

What happens when you change the name servers of your domain, or change DNS records like A, MX etc.?

Answer:

Case 1 – You changed a DNS record

You modified a DNS record and hit the submit button.

All such changes are made on the primary name server (generally ns1).

As soon as you change something, the SOA serial number on the primary name server increases. Now it’s a simple thing that the secondary name servers keep checking the primary name server for an increase in the SOA serial number, as often as the “refresh” parameter of the SOA says.

When, as per “refresh”, a secondary NS checks the primary NS and detects that the SOA serial has increased, it initiates an IXFR zone transfer (IXFR – the incremental version of AXFR) and this transfers the change to the secondary name server. Thus ALL servers hosting the DNS zone of your domain are updated.

BUT that was strictly behind-the-scenes work, and on the front side it is a bit frustrating!

Let’s say I had a DNS record for domain.com pointing to 11.22.33.44 with a TTL of 3600 (1 hr). My friend in the same city opens it, gets through to the site and finds an issue with the server, so I change the hosting to another server by modifying the A record to my other server, say 44.33.22.11. Here’s the complexity.

I am using 2 name servers, and let’s say the refresh value in my SOA is 300 (5 mins).

Now, just after making the change, I ask my friend in another location to check the site; here it is possible he sees the site up, possible he sees it down. E.g. if at the time of opening he hits the primary DNS server, he will get the new server’s IP, BUT in case he hits the secondary DNS server within 5 mins of my update to the primary NS, he will get the old faulty server and thus the site will be down for him.

On the other side, the site will be down for 1 hr for my friend in my city (who informed me), because as soon as he opened my site the old record was cached in his ISP’s resolver, and he will keep getting the old server until the record expires as per the TTL.

Thus two things affect it – TTL & SOA (both? Are you sure? ...no no, read on more carefully)

That kind of working is followed mostly by private server clusters (common in corporate offices), but these days most of the world’s DNS hosts use a better method and “push” changes to the secondary (slave) name servers as soon as changes are made on the primary NS. This means they initiate an IXFR zone transfer without waiting for the refresh period.
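The scenario in Case 1 can be replayed with a small simulation. This is an added Python example, not code from the original post: a primary that bumps its SOA serial on every edit, a secondary that either polls the primary every “refresh” seconds or is pushed to immediately (real servers do the push with DNS NOTIFY, RFC 1996), and two caching resolvers standing in for the two friends’ ISPs. The record values, TTL of 3600 and refresh of 300 are the ones from the text; which resolver hits which name server, and the query times, are constructed for the example.

```python
class Primary:
    """Authoritative primary (ns1): every edit bumps the SOA serial."""

    def __init__(self, records):
        self.records = dict(records)   # name -> (ip, ttl)
        self.serial = 2009080501
        self.secondaries = []          # filled in only when we model push-style updates

    def change(self, name, ip, ttl):
        self.records[name] = (ip, ttl)
        self.serial += 1
        for secondary in self.secondaries:   # push model: transfer right after the edit
            secondary.transfer()

    def lookup(self, name):
        return self.records[name]


class Secondary:
    """Secondary (ns2): copies the zone, re-checks the primary's serial every `refresh` seconds."""

    def __init__(self, primary, refresh):
        self.primary, self.refresh = primary, refresh
        self.last_check = 0
        self.transfer()

    def transfer(self):                # stands in for an AXFR/IXFR zone transfer
        self.records = dict(self.primary.records)
        self.serial = self.primary.serial

    def tick(self, now):               # poll model: only look when the refresh timer fires
        if now - self.last_check >= self.refresh:
            self.last_check = now
            if self.primary.serial > self.serial:
                self.transfer()

    def lookup(self, name):
        return self.records[name]


class CachingResolver:
    """An ISP resolver: answers from its cache until the record's TTL runs out."""

    def __init__(self, authoritative):
        self.authoritative = authoritative
        self.cache = {}                # name -> (ip, expires_at)

    def lookup(self, name, now):
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0]
        ip, ttl = self.authoritative.lookup(name)
        self.cache[name] = (ip, now + ttl)
        return ip


def simulate(push_changes=False):
    """Replay the post's scenario; returns what each friend sees at each point in time (seconds)."""
    primary = Primary({"domain.com": ("11.22.33.44", 3600)})
    secondary = Secondary(primary, refresh=300)
    if push_changes:
        primary.secondaries.append(secondary)
    city_isp = CachingResolver(primary)      # friend in my city happens to hit ns1
    remote_isp = CachingResolver(secondary)  # friend elsewhere happens to hit ns2
    seen = {}
    seen["city_t0"] = city_isp.lookup("domain.com", 0)         # caches the old record for 3600 s
    primary.change("domain.com", "44.33.22.11", 3600)          # t=10: I move to the other server
    secondary.tick(20)
    seen["remote_t20"] = remote_isp.lookup("domain.com", 20)
    secondary.tick(320)                                        # refresh timer fires, serial grew
    seen["secondary_t320"] = secondary.lookup("domain.com")[0]
    seen["remote_t320"] = remote_isp.lookup("domain.com", 320)  # still its own cached copy
    seen["city_t1800"] = city_isp.lookup("domain.com", 1800)
    seen["city_t3700"] = city_isp.lookup("domain.com", 3700)    # TTL expired, asks again
    seen["remote_t3700"] = remote_isp.lookup("domain.com", 3700)
    return seen


if __name__ == "__main__":
    for mode in (False, True):
        print("push" if mode else "poll", simulate(push_changes=mode))
```

With polling, the remote friend gets the old address at t=20 because ns2 has not refreshed yet, and even after ns2 catches up at t=320 his own resolver keeps the stale answer until its TTL runs out. With push-style updates ns2 is current within seconds, so the remote friend sees the new server on his first query. Nothing in either mode helps the friend in my city before t=3600: the TTL on the record his resolver cached is the only thing that decides that.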

Case 2 – You changed the name servers of a domain

Here two factors largely affect propagation: our old friend TTL & the domain registrar.

TTL affects it the same way as in the last case: DNS records get cached at the ISP’s end (or any other local resolver) and thus lookups return the old records.

Registrar – yeah! Our domain registrar. In simple words, its quality affects DNS migration! Lol

OK, how? Here it is:

There are MANY poor “companies” who call themselves registrars and fool people! We can call them resellers, but believe me, in the domain registration market you will also find LOTS of good quality resellers.

They technically affect the situation because these poor companies make users operate through a CMS! Yup.

They make the user log in to a CMS and give the feel of a domain control panel using forms!!!

This means when one changes name servers, the data is recorded BUT does not come into effect, because it is only recorded! As soon as you fill in that form, it goes to the company’s tech people and they modify the name servers BY HAND (through the original control panel of a real registrar). This makes for an average delay of 5-6 hours in name server updates. Generally small web hosting companies use this kind of setup, in which they register domains for customers and give the customer the feeling that he is managing the domain himself.

On the other side, if you use an actual domain registrar or a reseller with a proper setup for this, you will see that changing name servers takes place in less than 10 seconds!

So this is what DNS propagation actually is – propagation of the DNS zone file across the DNS servers hosting that domain. I am ending with a few FAQs on the subject. Feel free to ask if any confusion is still there.


