Documentation - Records
DNS Records allow the user to set the IP address that Refract DNS returns when an application performs a DNS request. Multiple DNS records can be created for a single domain, but only one record of a particular record type can be enabled at a time.
For example, a user may create three A records for the domain www.refractdns.com, but only one of them can be enabled at a time. Enabling a different record automatically disables the currently active A record.
If there are no DNS records configured in Refract DNS then all DNS requests are passed to the upstream DNS server.
Refract DNS is not a full DNS server and therefore does not allow the user to configure every type of DNS record. The currently supported record types are listed below.
If an application requests a record type that Refract DNS does not support, the query is proxied to the upstream DNS server.
Creating and Editing
DNS Records can be created and edited using the Refract DNS desktop application.
A DNS Record consists of the following data:
- Domain - the domain for the DNS record. Domains can come in several formats. Required
- Friendly Name - a human readable description of the Domain.
- Description - a short description of the IP address that the DNS record points at. This could be the name of a server or any other friendly description.
- Regex - indicates the Domain value is a regular expression.
- Record Type - the type of DNS record to create. See below for which record types are supported. Required
- Blacklist - adds the domain to the blacklist. If checked no Value is required.
- Value - the value that will be returned by this DNS record. The format of the Value is determined by the Record Type.
- Activate on creation - enables the DNS record when the record is saved.
- Groups - a list of groups that the DNS record belongs to.
Refract DNS supports domain names in multiple formats:
- Fully Qualified - the domain name entered must match exactly the domain requested by the application. For example www.refractdns.com will only match a request for www.refractdns.com.
- Wildcard - a domain prefixed with an asterisk (*) is considered a wildcard record. Wildcard records will match any domain request that ends with the domain specified after the asterisk. For example the record *.refractdns.com will match the domains www.refractdns.com, hello.world.refractdns.com and example.refractdns.com.
- Regex - a regular expression can be used to match a domain name. To indicate that a domain value is a regular expression the Regex checkbox must be checked when the record is created.
When matching a requested domain, Refract DNS tries records in the following order:
- Fully Qualified
The following Record Types are supported:
- A - an IPv4 address, e.g. 127.0.0.1
- AAAA - an IPv6 address, e.g. 2001:0db8:0000:0000:0000:ff00:0042:8329
- CNAME - a CNAME value that points at another domain. This value is used for both A and AAAA record requests.
When entering a Value the user must make sure that it is in the correct format for the chosen Record Type.
A domain can be marked as Blacklisted. When a domain is blacklisted no Value needs to be set when creating the record. When a request for a blacklisted domain is received Refract DNS will return the appropriate blacklist IP configured in the Settings.
Changing these settings lets the user either blackhole requests or redirect traffic to another IP for potential analysis.
Blacklisting a domain only means that the blacklist IP is returned when a DNS request for that domain is made. It does not block or stop traffic from reaching the domain if the application uses the real IP explicitly, i.e. if the application connects to the IP of the blacklisted domain instead of resolving the domain name, traffic will still reach the remote host.
Blacklisting a domain via the Refract DNS Manager is only designed for scenarios where the user needs to easily turn individual blocks on and off. It is not designed for the situation where thousands of domains need to be blocked. If you have a large number of domains that need to be blocked, please read the Blacklisting documentation on how this can be achieved.
When blacklisting a domain via the Refract DNS Manager the blacklisting is created for either an A or AAAA record. To completely blacklist a domain you should create a record for both the A and AAAA record types.
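The following Python model ties together the matching rules above (fully qualified, wildcard and regex domains, one enabled record per domain and record type), the three supported record types, and the blacklist behaviour, including the caveats that a blacklist entry covers only A or AAAA and that an application connecting to an IP literal never passes through DNS. It is an added example written for this documentation, not Refract DNS's own code: the blacklist addresses in BLACKLIST_IP stand in for the values configured in Settings, the ordering of wildcard before regex and the preference of a direct A/AAAA record over a CNAME at the same rank are assumptions, and all records in build_example_store are constructed sample data.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for the Settings page: addresses returned for blacklisted domains.
BLACKLIST_IP = {"A": "0.0.0.0", "AAAA": "::"}
IP_VERSION = {"A": 4, "AAAA": 6}


@dataclass
class Record:
    domain: str               # fully qualified, "*.suffix" wildcard, or a regex
    record_type: str          # "A", "AAAA" or "CNAME"
    value: Optional[str] = None
    regex: bool = False       # Domain is a regular expression
    blacklist: bool = False   # return the blacklist IP instead of a Value
    enabled: bool = False


def validate(record: Record) -> None:
    """Reject a record whose Value does not fit its Record Type."""
    if record.record_type not in ("A", "AAAA", "CNAME"):
        raise ValueError(f"unsupported record type {record.record_type}")
    if record.blacklist:  # no Value needed; blacklist entries are A or AAAA records
        if record.record_type == "CNAME":
            raise ValueError("blacklist entries must be A or AAAA records")
        return
    if record.value is None:
        raise ValueError("Value is required")
    if record.record_type == "CNAME":
        if not re.fullmatch(r"[A-Za-z0-9.-]+", record.value):
            raise ValueError("CNAME needs a domain name")
    elif ipaddress.ip_address(record.value).version != IP_VERSION[record.record_type]:
        raise ValueError(f"{record.record_type} needs an IPv{IP_VERSION[record.record_type]} address")


def match_rank(record: Record, name: str) -> Optional[int]:
    """0 = fully qualified, 1 = wildcard, 2 = regex, None = no match. The page says
    fully qualified records are tried first; wildcard before regex is an assumption."""
    name = name.lower().rstrip(".")
    if record.regex:
        return 2 if re.fullmatch(record.domain, name) else None
    if record.domain.startswith("*"):
        # The suffix keeps its leading dot, so "*.refractdns.com" matches
        # "www.refractdns.com" but not "refractdns.com" or "evilrefractdns.com".
        return 1 if name.endswith(record.domain[1:].lower()) else None
    return 0 if name == record.domain.lower() else None


class RecordStore:
    def __init__(self) -> None:
        self.records: List[Record] = []

    def add(self, record: Record, activate: bool = True) -> Record:
        validate(record)
        record.enabled = False
        self.records.append(record)
        if activate:  # "Activate on creation"
            self.enable(record)
        return record

    def enable(self, record: Record) -> None:
        # Only one record per (Domain, Record Type) may be enabled at a time, so
        # enabling this one disables whichever sibling is currently active.
        for other in self.records:
            if other.domain == record.domain and other.record_type == record.record_type:
                other.enabled = other is record

    def resolve(self, name: str, qtype: str) -> Optional[str]:
        """Answer for a query, or None meaning "proxy it to the upstream server"."""
        if qtype not in IP_VERSION:  # not an A or AAAA query: nothing to override
            return None
        best = None
        for rec in self.records:
            if rec.enabled and rec.record_type in (qtype, "CNAME"):
                rank = match_rank(rec, name)
                if rank is not None:
                    # A direct A/AAAA record beats a CNAME at the same rank (assumption).
                    key = (rank, rec.record_type != qtype)
                    if best is None or key < best[0]:
                        best = (key, rec)
        if best is None:
            return None
        return BLACKLIST_IP[qtype] if best[1].blacklist else best[1].value


def destination(store: RecordStore, target: str, qtype: str = "A") -> Optional[str]:
    # An IP literal never goes through DNS, so a blacklist record cannot redirect it.
    try:
        ipaddress.ip_address(target)
        return target
    except ValueError:
        return store.resolve(target, qtype)


def build_example_store() -> RecordStore:
    """Constructed sample records based on the domains used in this documentation."""
    store = RecordStore()
    store.add(Record("www.refractdns.com", "A", "127.0.0.1"))
    store.add(Record("www.refractdns.com", "A", "10.0.0.2"))  # disables the 127.0.0.1 record
    store.add(Record("*.refractdns.com", "AAAA", "2001:db8::1"))
    store.add(Record(r"api-\d+\.example\.test", "CNAME", "backend.lab.test", regex=True))
    store.add(Record("tracker.example.test", "A", blacklist=True))  # no AAAA twin on purpose
    return store
```

With the sample store, an A query for www.refractdns.com returns 10.0.0.2 because the second record disabled the first; hello.world.refractdns.com matches the AAAA wildcard while evilrefractdns.com does not; the regex CNAME answers both A and AAAA queries; and tracker.example.test is blackholed for A but passed upstream for AAAA, which is exactly why the documentation recommends creating both A and AAAA blacklist records.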