DNS Series Glossary — The Terms That Keep Showing Up

TL;DR

This is the shared glossary for the entire DNS series. If a term appears in Parts 1-4 and you want the short, practical meaning, start here.

Authoritative server: A DNS server that is the source of truth for a zone (it answers from zone data, not by recursion).
Recursive resolver: The DNS server that resolves names on behalf of clients by querying other DNS servers.
Stub resolver: The client-side resolver in your OS or runtime that forwards lookups to a recursive resolver.
Zone: An administrative portion of the DNS namespace (for example, example.com).
Zone file: Text representation of DNS records for a zone.
Delegation: Parent zone pointing authority for a child zone to another nameserver set.
Root zone: The top of the DNS hierarchy (.), which delegates to TLDs.
TLD: Top-level domain, such as .com, .org, .io, country-code TLDs, etc.

A record: Maps a name to an IPv4 address.
AAAA record: Maps a name to an IPv6 address.
CNAME record: Alias from one name to another name; not allowed at the zone apex in normal DNS.
Alias/ANAME (provider feature): Cloud DNS feature that behaves like A/AAAA at the apex while following a target hostname.
NS record: Declares authoritative nameservers for a zone.
SOA record: Start of authority metadata for a zone (serial, timers, primary NS, admin mailbox).
MX record: Declares mail exchangers for a domain.
TXT record: Free-form text record commonly used for verification and email/auth policy.
SRV record: Publishes service endpoint host+port tuples for service discovery.
PTR record: Reverse DNS mapping from IP address to hostname.
CAA record: Restricts which certificate authorities can issue certs for a domain.

TTL (Time To Live): Cache lifetime for a DNS answer.
Negative caching: Caching of failed lookups (for example, NXDOMAIN) for a defined period.
NXDOMAIN: Response meaning the queried name does not exist.
Propagation (practical): Time until clients stop using stale cached answers and see new ones.
Split-horizon DNS: Different answers for the same name depending on client network/view.
Anycast DNS: Multiple geographically distributed servers sharing one IP prefix for low-latency reachability.
ndots: Resolver setting controlling when a query is treated as absolute versus search-domain-expanded.

Service discovery: Mechanism for finding live service instances dynamically.
Consul catalog: Consul’s registry of services, instances, and health.
CoreDNS plugin: Extension module that adds behavior to CoreDNS (for example, kubernetes, forward, cache).
Headless service (Kubernetes): Service without cluster IP; DNS returns pod endpoints directly.
NodeLocal DNSCache: Per-node DNS cache in Kubernetes that reduces load and improves lookup reliability.

Cache poisoning: Injecting forged DNS data into a resolver cache.
Spoofing: Returning forged DNS responses to redirect traffic.
DNSSEC: DNS Security Extensions; signs DNS records to provide authenticity/integrity.
DNSKEY: Public key record used by DNSSEC.
DS record: Delegation signer record in parent zone linking trust to child zone.
RRSIG: DNSSEC signature record over an RRset.
NSEC/NSEC3: DNSSEC records proving non-existence of names.
DoT: DNS over TLS.
DoH: DNS over HTTPS.
Registrar lock: Domain control protection against unauthorized transfer or critical changes.
Subdomain takeover: Taking control of a dangling DNS name pointing to deprovisioned third-party infrastructure.