What Is a DNS Zone
Learn what a DNS zone is and how it organises the records that define your domain's online presence.
Answer snapshot
A DNS zone is the unit of administration for DNS — the collection of records (A, MX, TXT, etc.) for a single domain or subtree, served by one set of authoritative nameservers. A domain is a name; a zone is the records-and-authority pair that answers queries for that name. Delegation creates new zones: example.com is one zone, blog.example.com can be delegated to its own zone with its own nameservers.
What you'll learn
- Understand the difference between a DNS zone and a domain
- Learn the structure of a zone file and the records it contains
- Understand zone delegation, subzones, and the zone hierarchy
- Use dig to query zone data and verify zone configuration
A DNS zone is a segment of the DNS namespace that contains the records for a specific domain or group of domains. It defines how traffic for that domain is handled and where it should go. Every domain that is resolvable on the internet belongs to at least one DNS zone, and understanding zones is essential to managing DNS effectively.
Zone vs. Domain
These terms are related but distinct. A domain is a name in the DNS hierarchy, like example.com. A zone is the administrative unit that contains the DNS records for that domain. The difference becomes clear with delegation:
example.comis a domain. Its zone contains records forexample.com,www.example.com,mail.example.com, and so on.- If you delegate
blog.example.comto different nameservers,blog.example.combecomes its own zone. The domainexample.comstill includesblog.example.comin its hierarchy, but the zone forexample.comno longer contains the records forblog.example.com.
In short, a domain is a name; a zone is the collection of records managed by a specific set of authoritative nameservers.
How DNS Zones Work
Each zone holds the essential DNS records that guide users to your website, email, and other services. The authoritative DNS server for a zone is responsible for serving these records when queried by recursive resolvers.
When a resolver needs to find the A record for www.example.com, it follows the delegation chain: the root servers point to the .com TLD servers, which point to the authoritative servers for the example.com zone. That zone then provides the answer.
Every zone must contain at least two records:
- An SOA record (Start of Authority) that identifies the primary nameserver, the responsible party, and timing parameters like refresh intervals and TTL minimums
- One or more NS records that identify the authoritative nameservers for the zone
Zone File Format
A zone file is the text representation of a DNS zone. While modern DNS platforms like DNScale store zone data in databases, the zone file format remains the standard way to represent and exchange DNS data. Here is a simplified example:
$ORIGIN example.com.
$TTL 3600
@ IN SOA ns1.dnscale.eu. admin.example.com. (
2024010101 ; Serial
7200 ; Refresh
3600 ; Retry
1209600 ; Expire
300 ; Minimum TTL (negative caching)
)
IN NS ns1.dnscale.eu.
IN NS ns2.dnscale.eu.
IN A 192.0.2.1
IN AAAA 2001:db8::1
IN MX 10 mail.example.com.
IN TXT "v=spf1 include:_spf.example.com ~all"
www IN CNAME example.com.
mail IN A 192.0.2.10Key elements of this format:
$ORIGINsets the base domain for relative names in the file$TTLsets the default TTL for records that do not specify one@is shorthand for the zone origin (example.com.in this case)- The trailing dot (
.) after domain names indicates a fully qualified domain name (FQDN) - Records without a trailing dot are relative to the
$ORIGIN
You can import zone files into DNScale using the zone import feature.
Types of DNS Zones
Primary Zone
The primary zone (also called the master zone) is the authoritative source of DNS data. All changes to zone records are made on the primary. In DNScale, every zone you create is a primary zone, and changes are replicated across edge nodes automatically.
Secondary Zone
A secondary zone (also called a slave zone) is a read-only copy of a primary zone, used for redundancy and load distribution. Secondary servers periodically fetch zone updates from the primary through zone transfers (AXFR/IXFR). For more on this architecture, see What Is Secondary DNS and Multi-Provider DNS Deployment.
Reverse Zone
A reverse zone maps IP addresses back to domain names using PTR records. Reverse zones use a special naming convention:
- IPv4:
2.0.192.in-addr.arpafor the192.0.2.0/24network - IPv6: Under the
ip6.arpadomain
Reverse DNS is important for email deliverability, network diagnostics, and security verification.
Forward Zone
The term forward zone simply refers to a standard zone that maps domain names to IP addresses and other records — the opposite of a reverse zone. Most zones you work with day to day are forward zones.
Zone Delegation
Zone delegation is the mechanism that makes the DNS hierarchy work. When a zone delegates a subdomain, it creates NS records pointing to the nameservers responsible for that subdomain's zone.
For example, if example.com delegates api.example.com:
; In the example.com zone file
api IN NS ns1.api-provider.com.
api IN NS ns2.api-provider.com.This tells resolvers that api.example.com and everything below it is managed by a different set of nameservers. The example.com zone no longer contains A, AAAA, or other records for api.example.com — it only contains the delegation NS records.
To verify delegation with dig:
# Check which nameservers are authoritative for a domain
dig NS example.com +short
ns1.dnscale.eu.
ns2.dnscale.eu.
# Check delegation for a subdomain
dig NS api.example.com +short
ns1.api-provider.com.
ns2.api-provider.com.For a detailed guide on setting up nameserver delegation with DNScale, see DNS Delegation by Region.
Subzones
A subzone is created whenever a portion of a zone is delegated to different nameservers. The parent zone retains authority over everything except the delegated portion. Common reasons to create subzones include:
- Organizational separation — different teams manage different parts of the DNS namespace
- Geographic distribution — using regional nameservers for specific subdomains
- Service isolation — keeping a high-traffic subdomain on dedicated infrastructure
- Security boundaries — limiting who can modify records for specific subdomains
Querying Zone Data with dig
You can use dig to inspect various aspects of a zone:
# Query the SOA record to see zone metadata
dig SOA example.com
;; ANSWER SECTION:
example.com. 3600 IN SOA ns1.dnscale.eu. admin.example.com. 2024010101 7200 3600 1209600 300
# List the nameservers for a zone
dig NS example.com
# Query a specific record type
dig A example.com
dig AAAA example.com
dig MX example.com
# Query a specific nameserver directly
dig example.com @ns1.dnscale.eu
# Attempt a zone transfer (will fail against properly secured servers)
dig AXFR example.com @ns1.dnscale.euTip: When troubleshooting DNS issues, always query the authoritative nameserver directly (using
@ns1.dnscale.eu) to confirm what the zone actually contains, then compare with what public resolvers return.
Zone Security
Protecting your zone is critical. Several mechanisms help secure zone data:
- DNSSEC signs zone records cryptographically, allowing resolvers to verify that responses have not been tampered with
- CAA records specify which certificate authorities are allowed to issue SSL/TLS certificates for your domain
- SPF, DKIM, and DMARC protect your domain against email spoofing by adding policy records to your zone
- Zone transfer restrictions prevent unauthorized parties from downloading your entire zone file
- Access controls — DNScale supports multi-user accounts so you can limit who can modify zone records
For a broader overview of DNS threats, see DNS Attacks and Threats.
Managing Zones in DNScale
When you create a zone in DNScale, the platform automatically:
- Creates the SOA record with appropriate timing parameters
- Adds NS records for the DNScale nameservers in your selected region
- Generates system records that DNScale manages
- Replicates the zone to all edge nodes in your region via database replication
You can manage records through the dashboard, the API, Terraform, or DNSControl. For importing existing zones, DNScale supports multiple zone import methods.
After creating a zone, you must update your domain registrar to point to the correct DNScale nameservers for your region. See DNS Delegation by Region for specific instructions.
Conclusion
DNS zones are the organisational framework behind every domain. They define the boundary of administrative control, contain the records that make your services reachable, and enable the delegation hierarchy that makes DNS scalable. By managing your zones carefully through DNScale, you keep records consistent and served across the anycast network.
Frequently asked questions
- What is the difference between a domain and a zone?
- A domain is a name in the DNS hierarchy (example.com). A zone is the administrative unit holding the records for that domain, served by a specific set of authoritative nameservers. The same domain can be split across multiple zones via delegation — example.com could be one zone, while blog.example.com is a separately delegated zone.
- What is the zone apex?
- The zone apex is the bare domain itself — example.com without any subdomain. The SOA record and the authoritative NS records always live at the apex. The apex has restrictions other names don't: you can't put a CNAME there (it would conflict with the SOA and NS), and many providers offer ALIAS or ANAME records to work around that limitation.
- Can a single domain have records in multiple zones?
- Indirectly, yes — through delegation. example.com is in the example.com zone; api.example.com is normally in the same zone, but if you delegate it (NS records at api.example.com pointing elsewhere), api.example.com becomes its own zone hosted by whichever provider you delegated to. Resolvers follow the delegation chain transparently.
- What is in a zone file?
- Zone files are plain-text representations of a zone's records, in the format defined by RFC 1035. Each line is a record: name, TTL, class (IN), type (A, MX, etc.), and rdata. The first record is typically the SOA, followed by NS records, then everything else. DNScale lets you import and export zone files directly — useful for migrating between providers.
- How do I see all records in a zone?
- From the DNScale dashboard, the zone view lists every record with its type, name, content, and TTL. Programmatically: GET /v1/zones/{zone_id}/records via the API, or dnscontrol get-zones / terraform state list for IaC-managed zones. AXFR is also supported for authorised secondaries (TSIG-authenticated).
Related guides
Fundamentals
FQDN Explained - Fully Qualified Domain Names in DNS
What an FQDN is, how it differs from a hostname or relative DNS name, why the trailing dot matters, and how FQDNs behave in zone files, terminals, and Kubernetes.
Fundamentals
127.0.0.1 and Localhost Explained
What 127.0.0.1 and localhost mean, how loopback networking works, why localhost is not public DNS, and how to debug local resolver issues.
Fundamentals
ARP Explained - How IP Addresses Reach Local Devices
What ARP does, how IPv4 devices map IP addresses to MAC addresses on a local network, and how ARP differs from DNS.
Fundamentals
Managed DNS vs Self-Hosted DNS — Pros, Cons, and When to Choose Each
Compare managed DNS services with self-hosted DNS servers. Understand the trade-offs in cost, complexity, security, and reliability to decide which approach fits your infrastructure.
Ready to manage your DNS with confidence?
DNScale provides anycast DNS hosting with a global network, real-time analytics, and an easy-to-use API.
Start free