Forward and Reverse DNS Lookup Explained

1. What Is a DNS Lookup?

A DNS lookup is the process of querying the Domain Name System to translate between human-readable hostnames and machine-usable IP addresses. There are two directions this translation can run:

  • Forward DNS lookup — resolves a domain name to an IP address (name → IP). This is what happens every time you type a URL in a browser.
  • Reverse DNS lookup — resolves an IP address back to a domain name (IP → name). Used for email authentication, security logging, and troubleshooting.
  Forward Lookup:                    Reverse Lookup:
  google.com  ──DNS query──▶  ?      8.8.8.8  ──DNS query──▶  ?
  google.com  ◀──DNS reply──  142.250.190.46   ◀──DNS reply──  dns.google
  (name → IP)                        (IP → name)

Related pages: How DNS Works | DNS Record Types | dig Command | nslookup Command | DNS Overview

2. Forward DNS Lookup — Name to IP

A forward DNS lookup starts with a hostname (domain name) and returns the corresponding IP address. This is the most common DNS operation — it underpins every website visit, email delivery, API call, and cloud service connection.

The A Record (IPv4)

The A record (Address record) is the core record type for forward lookups in IPv4 networks. It maps a fully qualified domain name (FQDN) to a 32-bit IPv4 address. 

; Zone file entry — A record syntax:
; <name>    <TTL>  <class>  <type>  <IP address>
example.com.  3600   IN       A       93.184.216.34
www.example.com.  300  IN     A       93.184.216.34

; A domain can have multiple A records (round-robin load balancing):
google.com.   60    IN       A       142.250.183.14
google.com.   60    IN       A       142.250.183.46
google.com.   60    IN       A       142.250.183.78
Multiple A records and TTL: A short TTL (e.g., 60 seconds) means resolvers must re-query frequently — useful during migrations when IPs change. A longer TTL (e.g., 86400 seconds / 24 hours) reduces DNS query load but means changes take longer to propagate globally. Before migrating a service, lower the TTL 24–48 hours in advance so resolvers worldwide expire the old cache quickly.

The AAAA Record (IPv6)

The AAAA record (Quad-A record) maps a hostname to a 128-bit IPv6 address. When a client supports both IPv4 and IPv6, modern operating systems query for both A and AAAA simultaneously (using Happy Eyeballs) and use whichever responds first. See IPv6 Addressing for IPv6 address format details. 

example.com.   3600   IN   AAAA   2606:2800:220:1:248:1893:25c8:1946

; Verify with dig:
$ dig example.com AAAA
;; ANSWER SECTION:
example.com. 3598 IN AAAA 2606:2800:220:1:248:1893:25c8:1946

3. The Forward Lookup Resolution Process — Step by Step

When your browser needs to connect to www.example.com, the OS goes through a precisely ordered resolution sequence before a single TCP byte is sent. 

  You type: www.example.com in browser

  Step 1: Local hosts file check
  ┌─────────────────────────────────────────────┐
  │ OS checks /etc/hosts (Linux) or             │
  │ C:\Windows\System32\drivers\etc\hosts       │
  │ If match found → use it immediately (done)  │
  └─────────────────────────────────────────────┘
          │ No match
          ▼
  Step 2: Local DNS cache check
  ┌─────────────────────────────────────────────┐
  │ OS checks its DNS resolver cache            │
  │ If valid TTL still active → use cached IP   │
  └─────────────────────────────────────────────┘
          │ Cache miss / expired
          ▼
  Step 3: Recursive resolver query
  ┌─────────────────────────────────────────────┐
  │ OS sends DNS query to configured resolver   │
  │ (e.g., 8.8.8.8 or ISP's DNS)               │
  │ Resolver checks its own cache first         │
  └─────────────────────────────────────────────┘
          │ Cache miss
          ▼
  Step 4: Root server query
  ┌─────────────────────────────────────────────┐
  │ Resolver queries a root server (.)          │
  │ 13 root server clusters worldwide           │
  │ Root returns: "Ask .com TLD servers"        │
  └─────────────────────────────────────────────┘
          │
          ▼
  Step 5: TLD server query
  ┌─────────────────────────────────────────────┐
  │ Resolver queries .com TLD server            │
  │ TLD returns: "Ask ns1.example.com"          │
  └─────────────────────────────────────────────┘
          │
          ▼
  Step 6: Authoritative server query
  ┌─────────────────────────────────────────────┐
  │ Resolver queries ns1.example.com            │
  │ Authoritative server returns A record:      │
  │ www.example.com → 93.184.216.34             │
  │ (with TTL, e.g., 300 seconds)               │
  └─────────────────────────────────────────────┘
          │
          ▼
  Step 7: Answer returned and cached
  ┌─────────────────────────────────────────────┐
  │ Resolver caches answer for TTL seconds      │
  │ Returns 93.184.216.34 to client             │
  │ Client caches it locally                    │
  │ Browser connects to 93.184.216.34:443       │
  └─────────────────────────────────────────────┘

DNS Server Roles

Server Type Role Examples Has Authoritative Records?
Root Nameserver Top of the DNS hierarchy — knows which TLD servers handle each extension a.root-servers.net through m.root-servers.net (13 clusters) Only for the root zone (.)
TLD Nameserver Manages a top-level domain — delegates to domain registrant's NS servers a.gtld-servers.net (.com), ns1.nic.uk (.uk) Only for their TLD zone
Authoritative Nameserver Holds the actual DNS records for a domain — the definitive source ns1.example.com, ns1.cloudflare.com Yes — for their specific zones
Recursive Resolver Performs the full root→TLD→authoritative query chain on behalf of clients; caches results 8.8.8.8 (Google), 1.1.1.1 (Cloudflare), ISP DNS servers No — only caches answers
Forwarding Resolver Passes all queries to another resolver upstream rather than performing its own recursive resolution; common in enterprise and home routers Home router DNS (192.168.1.1 forwarding to 8.8.8.8) No

4. CNAME Records and Resolution Chains

A CNAME (Canonical Name) record is an alias — it maps one hostname to another hostname rather than directly to an IP address. The resolver follows the chain until it reaches a record with an actual IP address. 

; DNS zone entries:
www.example.com.     300  IN  CNAME  example.com.
example.com.        3600  IN  A      93.184.216.34

; Resolution chain for www.example.com:
Step 1: Query www.example.com → returns CNAME → example.com
Step 2: Query example.com → returns A → 93.184.216.34
Final: www.example.com = 93.184.216.34
Real-world CNAME use — CDN: A content delivery network like Cloudflare or Akamai uses CNAME to redirect traffic to their edge servers: 
; Website owner's DNS:
www.mysite.com.    CNAME    mysite.cdn.example.net.

; CDN's DNS (returns different IPs based on user location):
mysite.cdn.example.net.    A    104.16.249.249   (US user)
mysite.cdn.example.net.    A    198.41.215.162   (EU user)
CNAME restriction: A CNAME cannot coexist with other record types for the same name. You cannot have both a CNAME and an MX record for example.com — this is why the apex domain (bare domain without www) must use an A record directly, not a CNAME.

5. TTL — Time To Live and Its Impact

Every DNS record carries a TTL (Time To Live) value in seconds. When a recursive resolver caches a DNS answer, it keeps it for exactly TTL seconds, then must re-query for a fresh answer. TTL is a critical operational parameter with real-world consequences.

TTL Value Duration Effect Best Used For
60 1 minute Rapid propagation — changes visible globally within minutes Active migrations, failovers, blue/green deployments
300 5 minutes Fast update cycle — good balance of freshness and query load Dynamic content, frequently changing IPs
3600 1 hour Moderate caching — most web services Standard web hosting, email servers
86400 24 hours Maximum caching — very low query load Stable infrastructure, rarely-changing services 
; dig shows TTL in the ANSWER section:
$ dig example.com

;; ANSWER SECTION:
example.com.   299    IN    A    93.184.216.34
               ↑
               TTL = 299 seconds remaining until cache expires
               (was 300 seconds when first cached; counts down)
Migration strategy: Before changing an IP address, lower the TTL to 300 (or even 60) seconds at least 24 hours in advance. This ensures caches worldwide expire quickly when you make the change. After the migration, raise the TTL back to its normal value.

6. Reverse DNS Lookup — IP to Name

A reverse DNS lookup starts with an IP address and returns the corresponding hostname. This is the inverse of the normal forward lookup. Where forward lookups use A records in regular forward zones, reverse lookups use PTR (Pointer) records in special reverse zones under the .arpa top-level domain.

Why Reverse DNS Exists

  • Email deliverability: Receiving mail servers check that the sending IP has a PTR record matching the mail server's HELO hostname — a missing or mismatched PTR is one of the most common causes of email being rejected as spam.
  • Security logging: Syslog, firewall logs, and network monitoring tools automatically perform reverse lookups to show hostnames instead of raw IPs — making logs far more readable and actionable.
  • Network troubleshooting: Tools like traceroute display hostnames for each hop IP, making path analysis much easier.
  • Identity verification: Some services verify that a connecting IP's PTR record matches its claimed hostname (forward-confirmed reverse DNS / FCrDNS).

7. The PTR Record and in-addr.arpa Zone

Reverse DNS uses a special trick to fit into the normal DNS hierarchy: the IP address is written backwards and appended with .in-addr.arpa. This reversed format means the DNS hierarchy still works left-to-right from least specific to most specific — just like forward DNS.

How in-addr.arpa Is Constructed

  Forward zone:   example.com  →  93.184.216.34
  ┌─────────────────────────────────────────────────┐
  │ IP address:  93  . 184 . 216 .  34              │
  │              ↓      ↓     ↓     ↓               │
  │ Reversed:    34  . 216 . 184 .  93              │
  │              ↓                                  │
  │ + .in-addr.arpa:                                │
  │              34.216.184.93.in-addr.arpa.        │
  └─────────────────────────────────────────────────┘

  PTR record entry in reverse zone:
  34.216.184.93.in-addr.arpa.   3600   IN   PTR   example.com.

  Why reversed? The DNS hierarchy reads left-to-right from
  least-specific to most-specific. In an IP address:
  93 = most specific (host) — put it at the front so DNS
  can delegate by the left portion (93.in-addr.arpa,
  184.93.in-addr.arpa, etc.)

Reverse Zone Examples

IP / Subnet Reverse Zone Name PTR Query Format
8.8.8.8 8.8.8.in-addr.arpa. 8.8.8.8.in-addr.arpa.
192.168.1.50 1.168.192.in-addr.arpa. 50.1.168.192.in-addr.arpa.
10.20.30.40 30.20.10.in-addr.arpa. 40.30.20.10.in-addr.arpa.
203.0.113.0/24 subnet 113.0.203.in-addr.arpa. X.113.0.203.in-addr.arpa.
Who controls PTR records? PTR records must be created by whoever owns the IP address block — the ISP or hosting provider — not the domain owner. If you host a mail server at 198.51.100.25 (owned by your ISP), you must ask your ISP to create a PTR record for that IP pointing to your mail server hostname. You cannot create it yourself in your domain's DNS zone.

8. IPv6 Reverse DNS — ip6.arpa

IPv6 uses the same conceptual approach as IPv4 for reverse DNS, but with the .ip6.arpa. zone instead of .in-addr.arpa.. The full 128-bit IPv6 address is expanded to its full form, all colons removed, each hex digit becomes a separate label, and the entire string is reversed. 

  IPv6 address: 2001:0db8:85a3:0000:0000:8a2e:0370:7334

  Step 1: Expand to full form (no abbreviations):
  2001:0db8:85a3:0000:0000:8a2e:0370:7334

  Step 2: Remove colons, write as flat hex string:
  20010db885a3000000008a2e03707334

  Step 3: Insert dots between each hex digit:
  2.0.0.1.0.d.b.8.8.5.a.3.0.0.0.0.0.0.0.0.8.a.2.e.0.3.7.0.7.3.3.4

  Step 4: Reverse the order:
  4.3.3.7.0.7.3.0.e.2.a.8.0.0.0.0.0.0.0.0.3.a.5.8.8.b.d.0.1.0.0.2

  Step 5: Append .ip6.arpa.:
  4.3.3.7.0.7.3.0.e.2.a.8.0.0.0.0.0.0.0.0.3.a.5.8.8.b.d.0.1.0.0.2.ip6.arpa.

  PTR record:
  4.3.3.7...2.ip6.arpa.  IN  PTR  myserver.example.com.

  ! dig handles this automatically:
  $ dig -x 2001:db8:85a3::8a2e:370:7334

9. Forward-Confirmed Reverse DNS (FCrDNS)

FCrDNS (also called forward-confirmed rDNS or matching PTR) is a security verification technique that checks both the PTR record of an IP and the A record of the resulting hostname — confirming they point to each other. This prevents PTR records being set to arbitrary hostnames. 

  FCrDNS Verification (used by email servers):

  Step 1: Connecting mail server IP = 198.51.100.25
  Step 2: PTR lookup → dig -x 198.51.100.25
          Returns: mail.example.com.
  Step 3: Forward lookup → dig mail.example.com A
          Returns: 198.51.100.25

  ✅ PASS: IP → PTR hostname → back to same IP
  (Forward-confirmed: the PTR is authentic)

  ✗ FAIL example:
  Step 2: PTR lookup → Returns: mail.spoofed-name.com.
  Step 3: Forward lookup → Returns: 10.0.0.1 (different IP!)
  ❌ FAIL: PTR not confirmed by forward lookup — suspicious
Why FCrDNS matters for email: When Gmail's mail server receives an email from 198.51.100.25 claiming to be from example.com, it checks:
  1. Does 198.51.100.25 have a PTR record? → Should return mail.example.com
  2. Does mail.example.com resolve back to 198.51.100.25? → Must match
  3. Does example.com have an SPF record listing 198.51.100.25 as authorised?
Failing steps 1 or 2 strongly suggests spam or spoofing. Many mail servers reject outright; others assign a high spam score.

10. Forward vs Reverse Lookup — Full Comparison

Feature Forward Lookup Reverse Lookup
Direction Name → IP address IP address → Name
Primary record type A (IPv4), AAAA (IPv6) PTR (Pointer)
Zone type Forward zone (e.g., example.com) Reverse zone (in-addr.arpa / ip6.arpa)
Zone owner Domain registrant / DNS admin IP block owner (ISP / hosting provider)
Query input Hostname (e.g., www.example.com) IP address (e.g., 93.184.216.34)
Query output IP address(es) Hostname(s)
Who initiates Client applications (browser, email client, API) Mail servers, security tools, syslog, traceroute
Mandatory? Yes — essential for all internet connectivity Not strictly required but critical for email and security
dig command dig example.com dig -x 93.184.216.34
nslookup command nslookup example.com nslookup 93.184.216.34

11. Practical dig and nslookup Examples

Forward Lookups

! Basic A record lookup
$ dig google.com
;; ANSWER SECTION:
google.com.   60   IN   A   142.250.190.46

! IPv6 address lookup
$ dig google.com AAAA
;; ANSWER SECTION:
google.com.   60   IN   AAAA   2a00:1450:4009:80c::200e

! Follow CNAME chain
$ dig www.example.com
;; ANSWER SECTION:
www.example.com.   300   IN   CNAME   example.com.
example.com.      3600   IN   A       93.184.216.34

! Query a specific DNS server (bypass your resolver)
$ dig @1.1.1.1 google.com

! Short output (just the IP) — great for scripts
$ dig google.com +short
142.250.190.46

! Windows nslookup
C:\> nslookup google.com
Server:  192.168.1.1
Address: 192.168.1.1

Name:    google.com
Addresses:  142.250.190.46

Reverse Lookups

! dig reverse lookup (automatic in-addr.arpa construction)
$ dig -x 8.8.8.8
;; QUESTION SECTION:
;8.8.8.8.in-addr.arpa.    IN   PTR

;; ANSWER SECTION:
8.8.8.8.in-addr.arpa.  86399  IN  PTR  dns.google.

! Another example — Google's other DNS server
$ dig -x 8.8.4.4
;; ANSWER SECTION:
4.4.8.8.in-addr.arpa.  21599  IN  PTR  dns.google.

! Reverse lookup using nslookup (Windows/Linux)
$ nslookup 142.250.190.46
46.190.250.142.in-addr.arpa   name = lhr25s29-in-f14.1e100.net.

! Manual in-addr.arpa query (equivalent to dig -x)
$ dig 34.216.184.93.in-addr.arpa PTR

12. Common Issues and Troubleshooting

For a broader network connectivity diagnostic workflow, see Troubleshooting Connectivity.

Symptom Likely Cause Diagnostic & Fix
Website unreachable — browser says "can't find server" A record missing, wrong IP, or DNS server unresponsive dig example.com — check status (NXDOMAIN = domain issue; SERVFAIL = resolver/delegation issue). Try dig @8.8.8.8 example.com to rule out local resolver.
Recent IP change not taking effect — old IP still returned Stale TTL cache in resolver or local OS Check remaining TTL: dig example.com — look at TTL in ANSWER. Windows: ipconfig /flushdns. Linux: sudo systemd-resolve --flush-caches. Wait for TTL to expire globally.
Email marked as spam or rejected by receiving servers Missing PTR record for mail server IP, or PTR doesn't match HELO hostname dig -x <mail-server-IP> — should return your mail hostname. Contact ISP/hosting provider to create matching PTR record.
Intermittent resolution — works sometimes, fails others Multiple A records with load balancing; one server has issues; or low TTL causing frequent re-queries dig example.com multiple times — check if different IPs returned. Ping each IP individually to identify the failing one.
dig +trace shows failure at authoritative step Authoritative nameserver is down, unreachable, or lame delegation (NS points to server not serving zone) Check NS servers: dig example.com NS. Directly query each NS: dig @ns1.example.com example.com +norecurse. If REFUSED or timeout, the NS is not serving the zone.
PTR lookup returns wrong hostname PTR record not updated after IP or hostname change Contact the IP block owner (ISP) to update the PTR record. Verify FCrDNS: PTR hostname must forward-resolve back to the same IP.

13. Common Misconceptions

  • "A record and PTR record always exist in pairs."
    Not necessarily. A PTR record is optional (though important for mail). Many IPs have no PTR record at all. And critically, A records and PTR records are managed independently — the A record is in your domain zone (which you control), while the PTR record is in the reverse zone managed by the IP address owner (your ISP). You can have an A record pointing to an IP with no PTR record.
  • "Changing the A record immediately updates everyone."
    DNS changes propagate only as fast as the TTL allows. If your TTL is 86400 seconds (24 hours), every resolver that cached the old record will continue returning the old IP for up to 24 hours. Pre-reduce TTL before any DNS change, and wait for the old TTL to expire before making the cutover.
  • "Reverse DNS is the same as just looking up the PTR record manually."
    The dig -x command and nslookup <IP> both automatically construct the reversed .in-addr.arpa query — you don't need to do the reversal yourself. But internally, that is exactly what happens: the tool reverses the IP octets and appends .in-addr.arpa. before sending the query.
  • "A missing PTR record only affects email."
    Missing PTR records can affect: email deliverability, security tool fingerprinting, syslog hostname resolution, access control on some SSH/FTP servers (which check for matching PTR), and network monitoring readability. Email is the most visible impact but not the only one.

14. Key Points & Exam Tips

  • Forward lookup: name → IP. Uses A record (IPv4) or AAAA record (IPv6).
  • Reverse lookup: IP → name. Uses PTR record in .in-addr.arpa (IPv4) or .ip6.arpa (IPv6).
  • PTR zone construction: reverse the IP octets and append .in-addr.arpa. — e.g., 93.184.216.34 becomes 34.216.184.93.in-addr.arpa.
  • PTR records are owned by the IP block owner (ISP/hosting), not the domain owner — contact your ISP to create or update PTR records.
  • TTL controls how long resolvers cache a DNS answer. Low TTL = fast propagation but more queries. High TTL = less load but slow updates.
  • CNAME aliases one hostname to another — resolvers follow the chain until reaching an A/AAAA record. Cannot coexist with other record types at the same name.
  • Resolution order on most OS: hosts file → local DNS cache → recursive resolver → root → TLD → authoritative.
  • Authoritative server holds official records (aa flag in dig). Recursive resolver caches and queries on clients' behalf.
  • FCrDNS: IP → PTR hostname → forward lookup back to same IP — confirms PTR authenticity. Critical for email deliverability.
  • Tools: dig example.com (forward), dig -x 8.8.8.8 (reverse), nslookup example.com (forward), nslookup 8.8.8.8 (reverse).

Related pages: How DNS Works | DNS Record Types | dig Command | nslookup Command | DNS Overview

15. Forward and Reverse DNS Lookup Quiz

1. A browser needs to connect to api.example.com. The OS checks the local hosts file (no match), then the local DNS cache (miss), then queries the recursive resolver at 8.8.8.8 (also a cache miss). What is the correct sequence of servers the recursive resolver queries next?

Correct answer is C. When a recursive resolver has no cached answer, it starts from the top of the DNS hierarchy. Step 1: queries a root server (.) — the root returns the address of the .com TLD servers. Step 2: queries the .com TLD server — the TLD returns the NS records for example.com. Step 3: queries example.com's authoritative nameserver — the authoritative server returns the A record for api.example.com. This delegation chain is always root → TLD → authoritative, never reversed.

2. A mail server at IP 198.51.100.25 has its PTR record set to "mail.example.com". When a receiving mail server performs an FCrDNS check, what additional lookup must succeed for the check to pass?

Correct answer is D. FCrDNS (Forward-Confirmed reverse DNS) requires a two-step verification: (1) Reverse lookup of the IP (198.51.100.25) returns a PTR hostname (mail.example.com). (2) Forward lookup of that PTR hostname (mail.example.com → A record) must return the same original IP (198.51.100.25). If both steps agree, the PTR is "forward-confirmed" — proving the PTR wasn't set to an arbitrary hostname. A mismatch (PTR → hostname → different IP) fails the check and is treated as potentially fraudulent.

3. What is the correct in-addr.arpa PTR record query name for IP address 10.20.30.40?

Correct answer is B. IPv4 reverse DNS uses the .in-addr.arpa. zone. The IP octets are reversed so the DNS delegation hierarchy works left-to-right from coarsest to finest: 10 (first octet, most general) becomes the rightmost component. For 10.20.30.40: reverse the octets → 40.30.20.10, then append .in-addr.arpa. → 40.30.20.10.in-addr.arpa. The dig -x 10.20.30.40 command constructs this automatically.

4. A network engineer updates an A record for web.example.com from 192.0.2.10 to 192.0.2.50. The TTL was set to 86400 seconds (24 hours) before the change. Some users still reach the old IP 6 hours after the change. What is the cause and correct long-term remedy?

Correct answer is A. This is classic TTL propagation lag. When a resolver (at ISP, Google, Cloudflare, or a corporate proxy) cached the A record with TTL 86400, it will keep using that cached answer for up to 86400 seconds (24 hours) — even after the record changed on the authoritative server. The authoritative server was updated instantly, but caches worldwide haven't expired yet. The standard remedy is to reduce TTL well in advance of planned changes: set TTL = 300 at least 24 hours before the change, make the change, then restore TTL to 86400 after confirming the new IP is propagating.

5. A company hosts mail on a dedicated server at IP 203.0.113.10. They created an A record in their DNS zone: mail.company.com → 203.0.113.10. But their email is being rejected by Gmail as spam. A PTR lookup of 203.0.113.10 returns NXDOMAIN. What must the company do to fix this?

Correct answer is C. PTR records live in reverse zones (.in-addr.arpa.) which are managed by whoever owns the IP address block — not the domain owner. The company owns company.com (their forward zone) but not the 203.0.113.0/24 reverse zone — that belongs to their ISP or hosting provider. They must ask that provider to create a PTR record in the reverse zone mapping 203.0.113.10 → mail.company.com. Creating a PTR record in their own company.com zone would do nothing — reverse lookups don't query forward zones.

6. A zone file has these records:
www.example.com. CNAME example.com.
example.com. A 93.184.216.34
What IP address does a browser receive when resolving www.example.com, and how many DNS queries did the resolver make?

Correct answer is B. The resolver follows the CNAME chain automatically. Step 1: query www.example.com → returns CNAME pointing to example.com. Step 2: query example.com → returns A record 93.184.216.34. The browser receives the final IP (93.184.216.34) and connects to it. The CNAME chain is transparent to the application. This is not a loop — it's a single-hop alias. The resolver performs two lookups internally before returning the answer, but the application only sees the final IP.

7. A security engineer is investigating an unknown IP address (198.51.100.99) appearing in firewall logs. Which command performs a reverse DNS lookup to identify the hostname, and what format does the DNS query use internally?

Correct answer is D. Both dig -x and nslookup <IP> automatically handle the reverse zone construction. Internally, both tools reverse the IP octets (198.51.100.99 → 99.100.51.198) and append .in-addr.arpa. to form the PTR query: 99.100.51.198.in-addr.arpa. IN PTR. The -x flag in dig is specifically for reverse lookups. Option B's syntax is valid nslookup but the description is wrong — it does reverse the IP internally. D is the most complete and accurate answer.

8. What is the key difference between an authoritative nameserver and a recursive resolver, and which one returns the aa flag in a dig response?

Correct answer is A. The authoritative nameserver (e.g., ns1.example.com) holds the primary DNS records for its zone and returns the aa (Authoritative Answer) flag in responses. When you query your ISP's recursive resolver (e.g., 8.8.8.8), it fetches the answer from the authoritative server and caches it — but the response you receive from 8.8.8.8 does NOT carry the aa flag, because 8.8.8.8 is not authoritative for example.com. You only see aa when you query the authoritative server directly: dig @ns1.example.com example.com.

9. A company plans to migrate their web server to a new IP address at 2:00 AM next Saturday. The current A record TTL is 86400 seconds. On Monday (5 days before), what should the DNS engineer do to ensure minimal disruption?

Correct answer is C. This is the standard DNS migration best practice. With TTL 86400, if you change the A record at 2:00 AM Saturday, resolvers that cached it 1 second before your change will serve the old IP for up to 23h 59m 59s. By reducing TTL to 300 on Monday (5 days before), every resolver that re-queries after Monday will cache only for 5 minutes. By Saturday, all caches worldwide will hold only a 300-second cache — so after making the IP change, the new IP propagates globally within 5 minutes. After confirming success, restore the TTL to 86400.

10. The dig output below shows an empty ANSWER section. What does this mean, and how is it different from an NXDOMAIN response?
status: NOERROR, ANSWER: 0

Correct answer is B. This is an important distinction in DNS troubleshooting. NOERROR with ANSWER: 0 means the DNS infrastructure confirmed the domain name exists (the zone is valid, the authoritative server responded) but no record of the requested type was found — for example, dig example.com AAAA on a domain with no IPv6 address, or dig example.com MX on a domain with no mail servers configured. NXDOMAIN (Non-Existent Domain) means the domain name itself is not registered or not delegated in DNS — there is no such domain. The diagnostic action is completely different: NXDOMAIN → investigate domain registration/delegation; NOERROR empty → the domain is fine, just add the missing record type.

← Back to Home