Recently I was doing a bit of promotional work for my blog by participating in some IT related forums. I was going through the posts, as you do, when an interesting question came up. The poster was reading up on DNS zones, what their purpose is and how they work. He was having trouble understanding the following paragraph in a study book he was reading:

A DNS zone contains all the domain names the domain with the same domain name contains,
except for domain names in delegated subdomains. For example, the top-level
domain ca (for Canada) has subdomains called,, and, for the provinces
Alberta, Ontario, and Quebec. Authority for the,, and
domains may be delegated to nameservers in each province. The domain ca contains
all the data in ca plus all the data in,, and However, the zone ca
contains only the data in ca (see Figure 2-10), which is probably mostly pointers to
the delegated subdomains.,, and are separate zones from the ca

Can you understand that? No wonder he was having trouble; talk about over complicating things! Anyway, I explained how it all works, but it got me thinking… I remembered when I first started out learning networking technologies back in the day. I was reading up on the more advanced DNS topics and DNS zones just blew me away. I looked everywhere for a better explanation but couldn't find one. It took lots of research across several different sites before I finally understood it and put everything together. Everywhere I read about DNS zones I came across paragraphs similar to the one above. You would think that after all these years there would be better articles explaining how it works? Not so, which is what prompted me to write this.

What Are DNS Zones

A DNS zone is a contiguous portion of the DNS namespace that is managed as one unit: one set of records, one set of authoritative servers, one set of administrators. Delegation is how a portion of a larger namespace is handed off to other servers/administrators as a zone of its own. It is quite hard to explain without examples, so I'll jump straight in with one. Look at the following diagram:

(Diagram: DNS Zones Explained)

I have a DNS domain (and zone) name called
This domain is hosted on my DNS server called
My company is massive, like Microsoft, and I have offices all over the world.
I create a subdomain for my UK branch called and I create it on the same DNS server.

Now imagine this DNS namespace being further split up into cities like
Can you imagine how many subdomains, A records and so on must be stored on this one server? It would hold every record for my entire worldwide organisation, and the load would most likely kill it.
In the above example we have one parent domain name and then two subdomains. THESE ARE ALL ONE DNS ZONE. Think of a zone as a database, or part of one: all of these domains are stored in one zone, on one server, as a single unit of authority.

The problem is that it is too much for one server and too much for the admin team to manage this entire “zone”. So it is split up…using zones as follows.

(Diagram: Delegating DNS Zones)

ServerA still hosts the zone for, and this server is in the USA.
Now we create a new zone called, but we create it on the UK DNS server (ukserverA). ServerA is configured to hand queries for the domain off to ukserverA. In DNS terms, the parent zone holds a delegation: NS records naming ukserverA, plus glue A records giving its address. ServerA does not forward those queries; it answers with a referral, and the client (or its resolver) then asks ukserverA directly.

The key differences here are that:

  1. ServerA DOES NOT contain any records at all for the domain name or city subdomains. It contains only the delegation, the NS records (and glue A records) that refer queries to ukserverA. This means the entire DNS namespace can be split across an organisation.
  2. Splitting the namespace like this removes unnecessary bandwidth and queries. If the whole namespace lived in the US, UK clients would have to query the US servers even for UK names. Moving the UK subdomain into a zone on a UK server keeps those queries local.
  3. Once a zone is created you can set permissions on it and delegate control of it to different staff. Permissions attach to the zone, not to individual domains, so if we wanted three domains to be administered by three different teams they would need to be in three different zones.

Don’t confuse DNS Zones with DNS Domains

One last thing I thought I'd point out: don't equate a zone with a domain. A DNS zone can contain several domains or just one; the important thing to remember is that it is the unit used to delegate control of a portion of the namespace. Different zones can also live on the same server, so again some examples will help.

This time we have 3 departments/domains in a UK office called., dep2, etc…
As these domains are in the same company AND location, there is no need to distribute the namespace TO DIFFERENT SERVERS; that would be overkill. But I do want each department to control its own domain. With one zone holding all three domains I could not achieve this, so instead we create three zones for the three domains BUT KEEP THEM ON THE SAME SERVER.

A lot of people get confused and think that zones exist to "physically" move the data of domains to different servers (to spread server load and bandwidth). Although they can be used that way, it is not what zones were designed for, and it is VERY IMPORTANT to remember the distinction. DNS zones delegate administrative rights over different parts of the namespace; that is a security feature, which is different from simply storing portions of the namespace somewhere else. The zone is also the unit that zone transfers (AXFR/IXFR), dynamic-update permissions and DNSSEC signing apply to, so when you draw your zone boundaries you are drawing security boundaries.
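To make both scenarios concrete (the UK delegation from the previous section and the three department zones on one server above), here is a small model, added here as an example and not taken from the original post or from any DNS server software, of what lives in each zone and what each server does with a query. The domain names (example.com, uk.example.com, london.uk.example.com and dep1 to dep3 beneath the UK zone), the server names servera/ukservera and the admin group names are assumptions standing in for the names in the diagrams; the addresses come from the RFC 5737 documentation ranges.

```python
"""Toy model of DNS zones, delegation and per-zone control.

Added example, not code from the original post. The names example.com,
uk.example.com, london.uk.example.com, dep1..dep3.uk.example.com, the server
names servera/ukservera and the admin group names are assumptions standing in
for the names in the post's diagrams; addresses are RFC 5737 documentation ranges.
"""
from dataclasses import dataclass, field

def labels(name):
    """'a.b.c.' -> ['a', 'b', 'c'] (root end last)."""
    return name.rstrip(".").lower().split(".")

def is_subdomain(name, parent):
    """True if name equals parent or lies below it in the namespace tree."""
    n, p = labels(name), labels(parent)
    return len(n) >= len(p) and n[-len(p):] == p

@dataclass
class Zone:
    apex: str              # name the zone starts at
    server: str            # authoritative server hosting this zone
    admins: frozenset      # groups allowed to edit this zone (permissions are per zone)
    records: dict = field(default_factory=dict)   # owner name -> {rtype: [rdata]}

    def add(self, name, rtype, rdata):
        self.records.setdefault(name.lower(), {}).setdefault(rtype, []).append(rdata)

    def delegation_for(self, name):
        """(cut, nameservers) if name is at or below a zone cut inside this zone, else None.
        NS records at the apex describe this zone itself, so the walk stops there."""
        n = labels(name)
        for i in range(len(n)):
            cut = ".".join(n[i:])
            if cut == self.apex.lower():
                return None
            ns = self.records.get(cut, {}).get("NS")
            if ns:
                return cut, ns
        return None

def lookup(zone, name, rtype):
    """Answer one query against one zone the way an authoritative server would."""
    if not is_subdomain(name, zone.apex):
        return "REFUSED", None                   # not our zone: no authority at all
    delegated = zone.delegation_for(name)
    if delegated:                                # below a cut: refer, do not answer
        cut, ns = delegated
        glue = {h: zone.records.get(h, {}).get("A", []) for h in ns if is_subdomain(h, cut)}
        return "REFERRAL", {"cut": cut, "NS": ns, "glue": glue}
    owner = zone.records.get(name.lower())
    if owner is None:
        return "NXDOMAIN", None
    return ("ANSWER", owner[rtype]) if rtype in owner else ("NODATA", None)

def closest_zone(name, zones):
    """The zone a name lives in: the enclosing zone with the longest apex."""
    enclosing = [z for z in zones if is_subdomain(name, z.apex)]
    return max(enclosing, key=lambda z: len(labels(z.apex)), default=None)

def can_edit(group, name, zones):
    """Rights attach to zones, so what a group may edit depends on which zone owns the name."""
    zone = closest_zone(name, zones)
    return zone is not None and group in zone.admins

def resolve(name, rtype, zones, start_apex="example.com"):
    """Iterative resolution: ask the parent zone, then follow referrals into child zones."""
    trail, zone = [], next(z for z in zones if z.apex == start_apex)
    while True:
        status, data = lookup(zone, name, rtype)
        trail.append((zone.server, status))
        if status != "REFERRAL":
            return status, data, trail
        zone = next(z for z in zones if z.apex == data["cut"])   # child zone, maybe elsewhere

def build_example():
    """The post's two scenarios: a UK delegation, then three department zones on one server."""
    # ServerA (USA) hosts the parent zone and holds NO UK data beyond the delegation and glue.
    parent = Zone("example.com", "servera.example.com", frozenset({"us-dns-team"}))
    parent.add("example.com", "NS", "servera.example.com")
    parent.add("www.example.com", "A", "192.0.2.10")
    parent.add("uk.example.com", "NS", "ukservera.uk.example.com")   # zone cut (delegation)
    parent.add("ukservera.uk.example.com", "A", "198.51.100.1")       # glue for the child's NS
    # ukserverA (UK) hosts the uk zone; city names are ordinary records in it, not zones.
    uk = Zone("uk.example.com", "ukservera.uk.example.com", frozenset({"uk-dns-team"}))
    uk.add("uk.example.com", "NS", "ukservera.uk.example.com")
    uk.add("london.uk.example.com", "A", "198.51.100.20")
    # Three department zones on the SAME UK server, each with its own admin group.
    depts = []
    for i in (1, 2, 3):
        z = Zone(f"dep{i}.uk.example.com", uk.server, frozenset({f"dep{i}-admins"}))
        uk.add(z.apex, "NS", uk.server)       # delegation inside the uk zone
        z.add(z.apex, "NS", uk.server)
        z.add(f"intranet.{z.apex}", "A", f"203.0.113.{i}")
        depts.append(z)
    return [parent, uk] + depts
```

Run it and try lookup(build_example()[0], "london.uk.example.com", "A"): ServerA's zone answers www.example.com itself but returns a referral (NS plus glue, not an answer) for anything under uk.example.com, and resolve() follows that referral to ukserverA, which answers without a single UK record living in the US zone. The department names sit on the same server as the uk zone, yet closest_zone() assigns each to its own zone, so can_edit() gives dep2-admins rights over dep2 names only, and the uk-dns-team, who own the uk zone, cannot edit them either. Two things the model deliberately leaves out: the parent's glue is not authoritative data, and caching resolvers will usually hold the delegation already, so "keeps the queries local" is about where authoritative answers come from rather than about every lookup.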
