
DNS Implementation for CompTIA Network+ N10-009

DNS (Domain Name System) implementation encompasses how DNS servers are deployed, how zones are structured, how resolution works end-to-end, and how to configure DNS for reliability. CompTIA Network+ N10-009 tests DNS server roles, zone types (primary, secondary, stub), caching, forwarders, and split-horizon DNS. DNS troubleshooting is also directly tested — understanding DNS implementation is the foundation for diagnosing DNS failures.


DNS Server Roles

Authoritative DNS server: holds the actual DNS records for a zone (domain). When queried for names in its zone, it provides authoritative answers. Every public domain must have at least two authoritative name servers for redundancy — identified by NS records. The primary authoritative server holds the read-write copy of zone data; secondary servers hold read-only copies synchronized from the primary via zone transfer.

Recursive resolver (recursive nameserver): performs full DNS resolution on behalf of clients by querying multiple servers (root → TLD → authoritative). ISP DNS servers, Google (8.8.8.8), Cloudflare (1.1.1.1), and corporate internal DNS servers act as recursive resolvers. Clients are configured with resolver IP addresses (via DHCP or manual config).

Caching-only DNS server: performs recursive resolution but holds no authoritative zone data. It caches responses based on TTL values — subsequent queries for the same name are answered from cache without re-querying. All recursive resolvers cache; a caching-only server is dedicated to improving resolution speed.

DNS Zone Types

Forward lookup zone: maps hostnames to IP addresses (the standard A and AAAA records).

Reverse lookup zone: maps IP addresses to hostnames (PTR records); it lives in the in-addr.arpa (IPv4) or ip6.arpa (IPv6) zone.

Primary zone: the read-write original copy of zone data.

Secondary zone: a read-only copy synchronized from the primary via zone transfer (AXFR for a full transfer, IXFR for an incremental one). Secondary zones provide redundancy and reduce load on the primary.

Stub zone: contains only NS records for another zone, acting as a pointer to the authoritative servers. Used to maintain correct delegation information between separate DNS servers.

Conditional forwarder: forwards queries for a specific domain to specified DNS servers (e.g., forward queries for partner.com to their DNS servers).

Forwarder: forwards all non-locally-resolvable queries to another DNS server rather than querying root servers directly.

Split-Horizon and DNSSEC

Split-horizon DNS (split-brain DNS): the same domain name resolves to different IP addresses depending on where the query comes from. Internal DNS servers return internal (private) IP addresses for company servers; external DNS servers return public IPs. This allows employees to use internal servers directly while external users reach the public-facing IP.

DNSSEC (DNS Security Extensions): adds digital signatures to DNS records, allowing resolvers to verify record authenticity and detect tampering (man-in-the-middle or cache poisoning). DNSSEC does not encrypt DNS traffic — it only provides integrity. DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt DNS queries for privacy.

Key exam facts — Network+

  • Authoritative server: holds actual zone records; recursive resolver: performs full lookups
  • Primary zone: read-write; secondary zone: read-only copy from primary (zone transfer)
  • Forward lookup: hostname → IP; reverse lookup: IP → hostname (PTR in in-addr.arpa)
  • Forwarder: sends unresolvable queries to another DNS server
  • Conditional forwarder: forwards queries for a specific domain to specified servers
  • Split-horizon DNS: same domain resolves differently for internal vs external clients
  • DNSSEC adds cryptographic signatures for integrity; DoH/DoT adds encryption

Common exam traps

A DNS server can only serve one zone

A DNS server can host multiple zones. It can be authoritative for the domains it manages and also act as a recursive resolver for client queries.

DNSSEC encrypts DNS traffic

DNSSEC only provides integrity (digital signatures verifying record authenticity); it does not encrypt query content. DNS over HTTPS (DoH) and DNS over TLS (DoT) provide privacy through encryption.

Practice questions — DNS Implementation

These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.

Q1. A company wants its internal users to reach the web server at 10.1.1.50, while external users reach the same domain at the public IP 203.0.113.10. Which DNS feature achieves this?

A. DNS forwarder
B. DNSSEC
C. Split-horizon DNS
D. Secondary zone

Explanation: Split-horizon (split-brain) DNS uses separate DNS zones/views for internal and external queries. Internal DNS servers return the private IP (10.1.1.50) for internal clients; external authoritative servers return the public IP (203.0.113.10). This allows employees to connect directly to internal servers while external users reach the DMZ public address.
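
The Q1 scenario as a small view selector, added here as an illustration and not taken from the original page: the server picks a view from the client's source address, answers only from that view, and an audit function checks that no RFC 1918 address is published externally. The two answer IPs come from the question; the hostnames, the internal client network and the intranet record are assumptions.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed views for the Q1 scenario. The answer IPs come from the question;
# the names and client networks are assumptions made for this example.
VIEWS = [
    {"name": "internal",                      # evaluated first
     "match_clients": ["10.0.0.0/8"],
     "records": {"www.example.com": "10.1.1.50",
                 "intranet.example.com": "10.1.1.60"}},
    {"name": "external",                      # catch-all for everyone else
     "match_clients": ["0.0.0.0/0"],
     "records": {"www.example.com": "203.0.113.10"}},
]

def select_view(client_ip):
    """Return the first view whose client list contains the source address."""
    addr = ipaddress.ip_address(client_ip)
    for view in VIEWS:
        if any(addr in ipaddress.ip_network(net) for net in view["match_clients"]):
            return view
    return None  # no view matched (here: any IPv6 client)

def resolve(client_ip, qname):
    """Answer qname from the view selected by the client's source IP."""
    view = select_view(client_ip)
    if view is None:
        return ("REFUSED", None)
    # An internal-only name does not exist at all in the external view.
    answer = view["records"].get(qname.rstrip(".").lower(), "NXDOMAIN")
    return (view["name"], answer)

def leaked_private_answers():
    """Audit: RFC 1918 addresses published in the external view."""
    external = next(v for v in VIEWS if v["name"] == "external")
    return [(name, ip) for name, ip in external["records"].items()
            if any(ipaddress.ip_address(ip) in net for net in RFC1918)]

if __name__ == "__main__":
    print(resolve("10.20.30.40", "www.example.com"))        # internal client
    print(resolve("198.51.100.7", "www.example.com"))       # external client
    print(resolve("198.51.100.7", "intranet.example.com"))  # internal-only name
    print(leaked_private_answers())
```

The audit tests against the RFC 1918 ranges explicitly because Python's `is_private` also returns True for documentation ranges such as 203.0.113.0/24.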

Frequently asked questions — DNS Implementation

What is the difference between a DNS forwarder and a DNS root hint?

A forwarder directs unresolvable DNS queries to a specific DNS server (e.g., 8.8.8.8) rather than querying root servers. Root hints are the IP addresses of the 13 root nameserver clusters — used when no forwarder is configured and the resolver queries root servers directly. Forwarders are preferred in enterprise environments for efficiency, caching, and logging control.
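
How a resolver chooses between the options described above (the forwarder and conditional forwarder definitions under DNS Zone Types, and the root hints answer here), as an added example that is not part of the original page. The zone names other than partner.com, the forwarding targets and the precedence order (local zone, then most specific conditional forwarder, then default forwarder, then root hints) are assumptions of this sketch.

```python
# Constructed resolver configuration. partner.com and 8.8.8.8 appear on the
# page; the other zone names and the 192.0.2.x / 198.51.100.x targets are
# assumptions drawn from documentation ranges.
LOCAL_ZONES = {"corp.example.com"}                  # authoritative here
CONDITIONAL = {"partner.com": ["192.0.2.53"],       # per-domain forwarders
               "lab.partner.com": ["198.51.100.53"]}
FORWARDERS = ["8.8.8.8"]                            # default forwarder
ROOT_HINTS = ["198.41.0.4", "193.0.14.129"]         # a and k root servers (subset)

def labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def in_zone(qname, zone):
    """True if qname equals zone or is a subdomain of it, compared per label."""
    q, z = labels(qname), labels(zone)
    return len(q) >= len(z) and q[-len(z):] == z

def route_query(qname, forwarders=FORWARDERS):
    """Decide where the resolver sends qname; returns (method, servers)."""
    if any(in_zone(qname, z) for z in LOCAL_ZONES):
        return ("authoritative", [])
    # The most specific conditional forwarder wins (longest matching zone).
    matches = [z for z in CONDITIONAL if in_zone(qname, z)]
    if matches:
        best = max(matches, key=lambda z: len(labels(z)))
        return ("conditional-forwarder", CONDITIONAL[best])
    if forwarders:
        return ("forwarder", list(forwarders))
    # No forwarder configured: start iterative resolution at the root servers.
    return ("root-hints", list(ROOT_HINTS))

if __name__ == "__main__":
    for name in ("host.corp.example.com", "www.partner.com",
                 "db.lab.partner.com.", "notpartner.com"):
        print(name, route_query(name))
    print("example.org", route_query("example.org", forwarders=[]))
```

Matching is done label by label, so notpartner.com is not treated as part of partner.com and goes to the default forwarder instead of the partner's servers.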
