DNS & Networking Glossary

A DNS record that maps a domain name to an IPv4 address.

An A record (Address record) is the most fundamental type of DNS record. It tells the internet which IPv4 address to connect to when someone types your domain name into a browser. For example, an A record for example.com might point to 93.184.216.34. Without an A record, browsers would not know where to find your website. Every website that is reachable by its domain name has at least one A record (or an AAAA record for IPv6).

A DNS record that maps a domain name to an IPv6 address.

An AAAA record (pronounced "quad-A") works exactly like an A record, but for IPv6 addresses instead of IPv4. IPv6 addresses are longer (like 2606:4700::6810:85e5) and were created because the world is running out of IPv4 addresses. If your server supports IPv6, adding an AAAA record ensures it is reachable on the modern internet. Many websites have both A and AAAA records so they work on both IPv4 and IPv6 networks.

Automatic Certificate Management Environment: the protocol used by Let's Encrypt and other CAs to issue and renew TLS certificates without human interaction.

ACME (Automatic Certificate Management Environment) is the protocol that lets a server prove it controls a domain and obtain a TLS certificate in a single automated workflow. The client (Certbot, acme.sh, Caddy, Traefik) generates a key pair, asks the CA for a challenge, satisfies it by serving a file at a well-known HTTP URL (http-01) or publishing a TXT record at `_acme-challenge.example.com` (dns-01), and receives the certificate. dns-01 is required for wildcard certificates and works even when port 80 is blocked. ACME is what makes free, 90-day, auto-renewed certs from Let's Encrypt operationally painless.

Application-Layer Protocol Negotiation: a TLS extension that lets client and server agree on a protocol (like HTTP/2 or HTTP/3) during the handshake.

ALPN (Application-Layer Protocol Negotiation) is a TLS extension that allows a client and server to negotiate which application protocol they will use as part of the TLS handshake, without requiring an extra round trip. The client sends a list of supported protocols (e.g., h2, http/1.1) inside the TLS ClientHello, and the server picks one. ALPN is how browsers and servers agree to speak HTTP/2 or HTTP/3 instead of falling back to HTTP/1.1. Without ALPN, modern web performance optimisations like multiplexed connections would not be practical over TLS.

A networking technique where the same IP address is advertised from multiple locations worldwide.

Anycast is a routing method where many servers in different geographic locations all share the same IP address. When you send a request to an anycast IP, the internet automatically routes you to the nearest server. CDNs like Cloudflare use anycast so that a user in Tokyo connects to a server in Japan while a user in London connects to one in Europe, both using the same IP address. This reduces latency and provides automatic failover if one location goes down.

The root of a registered domain (example.com itself, with no subdomain prefix), also called the zone apex, naked domain, or bare domain.

The apex domain is the domain you actually registered, with nothing in front of it: `example.com` rather than `www.example.com` or `blog.example.com`. It is also called the zone apex, naked domain, or bare domain. The apex is where the SOA and NS records live, and historically it cannot hold a CNAME because that would conflict with those required records. This is why pointing the apex at a CDN often requires provider-specific workarounds like ALIAS, ANAME, or CNAME flattening records. Picking apex versus www as the canonical hostname is a foundational decision for every site.

Authenticated Received Chain: an email header that preserves SPF, DKIM, and DMARC results across forwarding hops.

ARC (Authenticated Received Chain) solves a long-standing problem with email authentication: when a message is forwarded (through a mailing list, alias, or security gateway), the forwarder often rewrites the message in ways that break SPF and DKIM. ARC lets each intermediary cryptographically sign the authentication results it observed and pass that signed chain along. The final recipient can then trust the original verdict even if the message arrives from a different source. Without ARC, legitimate forwarded mail often fails DMARC and lands in spam.

A memory-hard password hashing function, winner of the 2015 Password Hashing Competition and the modern default for storing passwords.

Argon2 is a memory-hard key derivation function designed by Biryukov, Dinu, and Khovratovich, and the winner of the 2013-2015 Password Hashing Competition. It comes in three variants: Argon2d (GPU-resistant, side-channel exposed), Argon2i (side-channel resistant), and Argon2id (a hybrid, recommended for password hashing). Tuning three parameters (memory, iterations, parallelism) lets an operator force attackers to spend large amounts of RAM per guess, which crushes GPU and ASIC cracking economics. OWASP recommends Argon2id with at least 19 MiB of memory, 2 iterations, and 1 lane as a baseline for new password storage today.

Autonomous System Number: a unique identifier assigned to a network on the internet.

An ASN (Autonomous System Number) is a unique number that identifies a network or group of IP addresses managed by a single organization. Every ISP, hosting provider, and large company that operates its own network has an ASN. For example, Cloudflare is AS13335 and Google is AS15169. ASNs are used by routers to determine how to send traffic across the internet. When you look up an IP address, the ASN tells you which organization owns that part of the internet.

A nameserver that holds the original, definitive DNS records for a domain, as opposed to a cached copy.

An authoritative nameserver is the server that holds the original DNS records for a domain in its zone file. When a recursive resolver chases a query down through the DNS hierarchy (root, then TLD, then domain), the answer it ultimately reaches comes from the authoritative nameserver for that domain. Authoritative responses set the AA flag in the DNS reply, signalling that the data is canonical rather than cached. If a domain's authoritative nameservers go down or return wrong data, the domain effectively disappears from the internet. Most domains run at least two authoritative nameservers for redundancy.

A per-domain transfer secret (also called EPP code or auth-info) that the losing registrar issues so a registrant can move the domain to a new registrar.

An auth code (sometimes called EPP code, auth-info, or transfer secret) is a short string set per-domain at the registry. To move a domain like `example.com` from one registrar to another, the registrant requests the auth code from the current (losing) registrar, hands it to the new (gaining) registrar, and the registry uses it to authorise the transfer. Auth codes should be high-entropy and rotated after every transfer or whenever the domain may have been exposed. Long-lived, predictable, or leaked auth codes are one route to unauthorised domain transfers, which is part of why registry lock exists.

Full Zone Transfer: a DNS operation that copies an entire zone from a primary to a secondary nameserver.

AXFR (Authoritative Transfer, or Full Zone Transfer) is the DNS mechanism that copies an entire zone file from a primary nameserver to a secondary. It runs over TCP on port 53 because the data is often larger than a single UDP packet. AXFR was designed for legitimate zone replication between operators, but if a nameserver allows AXFR from arbitrary clients, anyone can download the full list of records for the zone. That is a serious information disclosure risk. Modern deployments restrict AXFR by IP allowlist and authenticate transfers with TSIG, and use IXFR for incremental updates.

The RDAP/WHOIS contact responsible for handling abuse reports (spam, phishing, malware) for a domain or IP block.

The abuse contact is the email address or role published in a domain's RDAP/WHOIS record (or an IP block's RIR record) for reporting abusive behaviour originating from that resource. ICANN requires every gTLD registrar to publish an abuse email and respond within defined timeframes, and RIRs require the same for IP allocations. A working abuse contact is the single most important piece of public contact data for security responders: when it is missing, role-shared with a parking team, or auto-bounced, takedowns stall. DNS Checker's WHOIS lookups extract abuse contacts into a dedicated field so they are easy to find.

The administrative point of contact for a registered domain, historically responsible for non-technical domain decisions.

The administrative contact (admin contact) is one of the legacy RDAP/WHOIS roles for a domain, originally intended for the person authorised to make administrative decisions like transfers and renewals. Since the 2018 GDPR-driven WHOIS redaction, most gTLD admin contacts are no longer publicly visible and many registrars now treat the role as equivalent to the registrant. The role still exists in RDAP responses and remains visible for many ccTLDs and corporate domains.

A password hashing function based on the Blowfish cipher, with a tunable cost factor that slows brute-force attacks even as hardware speeds up.

Bcrypt is a password hashing function published by Niels Provos and David Mazières in 1999. It applies a modified Blowfish key schedule repeatedly, controlled by a cost factor (typically 10 to 14) where each step doubles the work. A bcrypt hash like `$2b$12$...` encodes the version, cost, salt, and digest in one string, so verification needs only the hash itself. Bcrypt remains a safe choice for password storage when Argon2 or scrypt are not available, but its 72-byte password truncation and lack of memory-hardness make Argon2id the preferred default for new systems today.

Border Gateway Protocol: the routing system that determines how data travels across the internet.

BGP (Border Gateway Protocol) is the GPS of the internet. It is the protocol that routers use to figure out the best path to send your data from point A to point B across thousands of interconnected networks. When BGP has a problem (a "BGP leak" or "BGP hijack"), traffic can be sent to the wrong place, causing outages or security incidents. Major internet outages, like when a large cloud provider goes down, are often caused by BGP misconfigurations.

When a network announces IP prefixes it does not own over BGP, redirecting traffic for those addresses to itself, accidentally or maliciously.

A BGP hijack (also called a prefix hijack or route hijack) happens when an autonomous system advertises IP prefixes it has no right to originate. Other networks accept the announcement, and traffic destined for the legitimate owner gets routed to the hijacker instead, where it can be inspected, modified, or blackholed. Famous incidents include the 2008 Pakistan Telecom hijack of YouTube and the 2018 MyEtherWallet incident that stole crypto via DNS interception. RPKI Route Origin Validation, prefix filtering, and MANRS participation are the industry mitigations, but adoption is still incomplete.

Brand Indicators for Message Identification: a standard that displays a verified brand logo next to authenticated email in the inbox.

BIMI (Brand Indicators for Message Identification) lets domain owners publish a TXT record pointing to an SVG logo, and mail providers like Gmail, Yahoo, and Apple Mail will display that logo next to messages from the domain. To qualify, the sender must enforce DMARC with a policy of quarantine or reject, host the logo at an HTTPS URL, and in most cases hold a Verified Mark Certificate (VMC) proving trademark ownership. BIMI rewards strong email authentication with visible brand presence and helps recipients spot legitimate mail at a glance.

An attack that tries every possible password, key, or input until the correct one is found, defeated by sufficient entropy plus rate limiting.

A brute-force attack systematically enumerates candidates (passwords, encryption keys, TOTP codes, API tokens) until one works. Online brute force runs against a live service and is defeated by account lockouts, rate limiting, and CAPTCHA; offline brute force runs against a stolen password hash and is defeated by high entropy plus a slow hash like Argon2id or bcrypt. Dictionary attacks are a targeted variant that tries common passwords first. The math is brutal: a 6-character lowercase password falls in seconds on a GPU, while a 20-character random passphrase is computationally infeasible to crack today.

An agreement between two networks to exchange routing information directly over BGP, usually at an IXP or via private cross-connect.

BGP peering is the relationship between two autonomous systems that exchange routes over BGP so traffic can flow between them. Peering can be settlement-free (both networks benefit equally and pay nothing) or paid (transit). Peering most often happens at an Internet Exchange Point (IXP), where dozens of networks meet on a shared fabric, or via a private cross-connect inside a data center. Healthy peering relationships reduce latency, cost, and dependence on upstream transit providers.

An IP address or prefix that should never appear on the public internet, such as unallocated, reserved, or private space.

A bogon is an IP address or route that has no business appearing on the public internet. The category includes private RFC 1918 ranges (10.0.0.0/8, 192.168.0.0/16), loopback (127.0.0.0/8), link-local, multicast, and IANA-reserved or unallocated prefixes. Seeing a bogon as a packet source usually means a spoofed source address or a misconfigured router. Network operators filter bogons at the edge to drop obviously forged traffic, and Team Cymru publishes a maintained bogon list for this purpose.

A network of compromised devices controlled remotely by an attacker, typically used for DDoS, spam, or credential theft.

A botnet is a collection of internet-connected hosts (PCs, servers, routers, IoT devices) infected with malware that lets a remote operator control them as a unit. Botnets are used to launch DDoS attacks, send spam, mine cryptocurrency, brute-force credentials, and proxy malicious traffic. Each infected host (a bot or zombie) periodically calls home to a command-and-control server for instructions. Tracking the C2 channels (DNS queries, HTTPS beacons, peer-to-peer overlays) is one of the main ways security researchers identify and disrupt botnets.

A DNS record that specifies which certificate authorities are allowed to issue SSL certificates for a domain.

A CAA (Certificate Authority Authorization) record is a DNS record that tells certificate authorities (like Let's Encrypt or DigiCert) whether they are allowed to issue an SSL certificate for your domain. It is a security measure that prevents unauthorized parties from obtaining certificates for your domain. For example, if your CAA record only authorizes Let's Encrypt, other certificate authorities will refuse to issue certificates even if someone requests one.

An attack that injects forged DNS records into a resolver's cache, redirecting users to malicious servers.

DNS cache poisoning (also called DNS spoofing) tricks a recursive resolver into storing a forged answer for a domain. Once the bad record is cached, every user of that resolver gets sent to the attacker's IP until the TTL expires. Dan Kaminsky's 2008 demonstration was the canonical example: it exploited weak transaction-ID entropy plus the ability to retry against any subdomain to race legitimate responses, and forced an industry-wide patch within weeks. Modern defences layer source-port randomization (RFC 5452), 0x20 query-name case randomization, DNS cookies (RFC 7873), and DNSSEC validation, which cryptographically rejects forged answers regardless of how they arrived. Operators should validate DNSSEC and use a resolver that implements all four.

The preferred URL for a piece of content when multiple URLs serve the same or similar pages, declared via `<link rel="canonical">` so search engines consolidate signals on one address.

A canonical URL is the authoritative address a site wants search engines to treat as the master copy of a page that may be reachable through duplicates (tracking parameters, http vs https, www vs apex, paginated views, regional variants). The site declares it with `<link rel="canonical" href="https://example.com/page">` in the page head, or via the `Link: <...>; rel="canonical"` HTTP header for non-HTML resources. Google may still pick a different canonical if signals conflict (sitemaps, internal links, redirects). Getting canonicalization right consolidates ranking signals on one URL instead of splintering them across duplicates.

Content Delivery Network: a globally distributed network of servers that delivers web content faster.

A CDN (Content Delivery Network) is a network of servers spread across the world that stores copies of your website's files (images, CSS, JavaScript) closer to your visitors. Instead of every visitor connecting to your single origin server in one location, they connect to the nearest CDN server. This dramatically reduces loading times: a visitor in Sydney gets content from an Australian server instead of waiting for it to travel from a server in New York. Cloudflare, AWS CloudFront, and Fastly are popular CDNs.

An organisation that issues digital certificates after verifying the requester controls the domain or identity in the certificate, trusted by browsers and operating systems.

A Certificate Authority (CA) is an organisation that issues TLS/SSL certificates after validating the requester's control of the domain (DV), organisation (OV), or extended-vetted identity (EV). Browsers and operating systems ship with a root store listing CAs they trust; a certificate is trusted only if it chains up to one of those roots. Public CAs like Let's Encrypt, DigiCert, Sectigo, and Google Trust Services dominate the public web. Internal CAs issue private certificates for intranets and service-mesh mTLS. CA mis-issuance is rare but high-impact, which is why Certificate Transparency exists.

The ordered sequence of certificates from a server's leaf certificate up through one or more intermediate CAs to a trusted root, used by clients to verify trust.

A certificate chain is the path from a server's leaf certificate to a root CA the client already trusts, usually through one or two intermediate CA certificates in between. The server is responsible for sending the leaf plus all intermediates during the TLS handshake; only the root must already be in the client's trust store. A missing or wrong intermediate is a classic deployment bug: it works in Chrome (which can fetch intermediates via AIA) but breaks in older clients, curl, and many SDKs. Tools like SSL Labs and `openssl s_client -showcerts` expose exactly which certs the server hands over.

A public, append-only log system that records every SSL/TLS certificate issued, so unauthorized certs can be detected.

Certificate Transparency (CT, RFC 9162 for the v2 protocol) requires Certificate Authorities to submit every certificate they issue to public, append-only logs. Chrome has enforced CT-must-be-logged for all publicly trusted certificates since April 2018, and Apple's platforms enforce similar rules; a certificate without a valid Signed Certificate Timestamp (SCT) is rejected at handshake time. The practical operator surface is crt.sh, a free search index over the major logs. Searching for a domain there reveals every cert issued for it, which is how teams spot CA mis-issuance, shadow IT, and internal subdomains leaked through certificate names. CT complements CAA: CAA restricts who may issue, CT exposes what was actually issued.

The unbroken sequence of DNSSEC signatures from the root zone down to a domain that proves a DNS answer is authentic.

The DNSSEC chain of trust is the cryptographic ladder that a validating resolver climbs to prove a DNS answer has not been forged. Starting from a built-in trust anchor for the root zone, the resolver verifies that the root signs the DS record for the TLD, the TLD signs the DS record for the domain, and the domain signs its own records. If any link is missing or broken (for example, the parent zone has a DS but the child has no DNSKEY), validation fails and the resolver returns SERVFAIL. Most DNSSEC outages come from a broken chain after a key rollover, not from active attacks.

Classless Inter-Domain Routing: a notation for IP address ranges, like 192.0.2.0/24, used for routing and firewall rules.

CIDR (Classless Inter-Domain Routing) replaced the old class-A/B/C system in 1993 and is how IP address blocks are described today. The notation 192.0.2.0/24 means "the 256 addresses where the first 24 bits match 192.0.2.0," giving the range 192.0.2.0 to 192.0.2.255. A /16 covers 65,536 addresses, a /32 is a single host. CIDR is used everywhere: BGP routing tables, firewall rules, security group definitions, RIR allocations, and VPC subnets. Understanding it is essential when writing allowlists or reading IP intelligence data.

A DNS record that maps one domain name to another domain name (an alias).

A CNAME (Canonical Name) record creates an alias from one domain to another. Instead of pointing directly to an IP address like an A record, a CNAME says "this domain is the same as that domain." For example, www.example.com might have a CNAME pointing to example.com, which then has an A record with the actual IP. CNAMEs are commonly used for subdomains and for services like Heroku or AWS that give you a hostname instead of a static IP. A CNAME cannot coexist with other record types at the same name.

Google's three user-experience metrics for the web: Largest Contentful Paint (loading), Interaction to Next Paint (responsiveness), and Cumulative Layout Shift (visual stability).

Core Web Vitals are the three field metrics Google uses to evaluate page experience for ranking and reporting. LCP (Largest Contentful Paint) measures how quickly the biggest visible element renders, with a good target under 2.5 seconds. INP (Interaction to Next Paint) replaced FID in March 2024 and measures input responsiveness across the page lifetime, good under 200 ms. CLS (Cumulative Layout Shift) measures unexpected visual movement, good under 0.1. Real-user data comes from the Chrome User Experience Report (CrUX), so lab tools like Lighthouse are diagnostic; CrUX is the score that actually drives Search Console.

Content Security Policy: an HTTP header that tells browsers which sources of scripts, styles, and other resources are allowed to load.

CSP (Content Security Policy) is an HTTP response header that lets a site declare an allowlist of origins for scripts, styles, images, frames, and other resources. A strict CSP is one of the most effective defences against cross-site scripting: even if an attacker injects a `<script>` tag, the browser refuses to execute it unless the source matches the policy. CSP also supports nonces, hashes, and reporting endpoints that send violation reports back to the site owner. A weak or absent CSP is one of the most common findings in any modern web security audit.

An attack that takes usernames and passwords leaked from one breach and replays them against unrelated sites, exploiting password reuse.

Credential stuffing replays username/password pairs harvested from past data breaches against other services, betting that users reused the same credentials. Unlike brute force, the attacker is not guessing; they are testing known-valid pairs, so each attempt has a meaningful hit rate (typically 0.1-2%). It is automated with tools like Sentry MBA against login endpoints, mobile APIs, and IMAP. Defences include MFA (the single most effective control), breached-password screening with the Have I Been Pwned API, device fingerprinting, IP reputation, and detecting low-and-slow patterns that bypass per-IP rate limits.

The named combination of cryptographic algorithms a TLS connection uses for key exchange, authentication, encryption, and MAC.

A cipher suite is the bundle of algorithms negotiated during a TLS handshake. In TLS 1.2, a suite name like `ECDHE-RSA-AES128-GCM-SHA256` encodes key exchange (ECDHE), authentication (RSA), bulk encryption (AES-128-GCM), and MAC/PRF (SHA-256). TLS 1.3 drastically simplified this: only AEAD ciphers and forward-secret key exchanges remain, and suite names like `TLS_AES_128_GCM_SHA256` no longer name the key exchange or auth (those are negotiated separately). Choosing modern suites (forward-secret, AEAD) is the single biggest knob for TLS security after picking a current protocol version.

The infrastructure attackers use to send instructions to malware-infected hosts and collect stolen data.

Command and control (C2 or C&C) is the channel a botnet operator or APT uses to direct compromised systems and exfiltrate data. C2 traffic hides in plausible-looking protocols: DNS queries, HTTPS to legitimate-seeming domains, even posts to public APIs. Defenders detect C2 by looking for beaconing patterns, newly registered domains, DGA-generated hostnames, and connections to known-bad indicators. Disrupting C2 (via DNS sinkhole, takedown, or seizure) is one of the most effective ways to neutralise an active campaign.

Common Vulnerabilities and Exposures: a unique identifier (like CVE-2024-1234) assigned to a publicly disclosed security vulnerability.

CVE (Common Vulnerabilities and Exposures) is the global naming system for security vulnerabilities, maintained by MITRE under sponsorship from CISA. Each CVE ID uniquely identifies a single flaw across vendors, scanners, and advisories: `CVE-2024-3094` (the xz-utils backdoor) means the same thing in a Red Hat advisory, an NVD entry, and a vulnerability scanner report. CVE IDs do not score severity; the companion CVSS framework does that. Patch management programs revolve around tracking newly published CVEs against installed software.

Common Vulnerability Scoring System: a 0.0 to 10.0 severity score for security vulnerabilities, currently at version 4.0.

CVSS (Common Vulnerability Scoring System) is the open standard for rating the severity of security vulnerabilities. A CVSS Base Score (0.0 to 10.0) combines exploitability metrics (attack vector, complexity, privileges, user interaction) with impact metrics (confidentiality, integrity, availability) and maps to qualitative ratings: None, Low, Medium, High, Critical. CVSS v4.0 (2023) added the Threat and Environmental metric groups and replaced v3.1's scope concept. Most CVE entries on NVD include a CVSS vector and score.

A one-way function that maps arbitrary input to a fixed-size output, designed to be collision-resistant and irreversible.

A cryptographic hash function takes input of any length and produces a fixed-length digest (e.g. 256 bits for SHA-256). It must be one-way (no efficient way to recover input from the digest), second-preimage resistant (hard to find a different input with the same digest), and collision-resistant (hard to find any two inputs that hash to the same digest). Hashes underpin password storage (with a slow KDF wrapper), digital signatures, TLS certificate fingerprints, Git commit IDs, blockchain proofs, and DNSSEC NSEC3 hashing. MD5 and SHA-1 are broken for collision resistance and should not be used in new security contexts.

DNS-Based Authentication of Named Entities: uses DNSSEC-signed TLSA records to pin which TLS certificate a service is allowed to present.

DANE (DNS-Based Authentication of Named Entities) lets a domain publish TLSA records in DNS that pin which TLS certificate or public key is valid for a given service and port. Because the TLSA record is itself protected by DNSSEC, a client can verify it without trusting the public CA system. DANE sees the most real-world use with SMTP (Postfix and other MTAs use it to enforce TLS to receiving mail servers), where it complements MTA-STS. DANE requires the domain to have a fully working DNSSEC chain of trust, which is the main barrier to wider adoption.

A DNS record pointing at a resource the owner no longer controls (an unclaimed CDN hostname, deleted cloud bucket, expired domain), the prerequisite for most subdomain takeovers.

A dangling DNS record is a CNAME, A, or NS that points at infrastructure the domain owner has already abandoned: a CNAME to an Azure App Service that was deleted, an A record to an EC2 IP that was released back to the pool, an NS pointing to a registrar that no longer hosts the zone. Whoever claims the target next inherits whatever was at that hostname, which is the mechanic behind subdomain takeover. Routine zone audits, low TTLs on temporary records, and removing DNS entries before tearing down the resource (not after) prevent most danglers.

DomainKeys Identified Mail: an email authentication method that adds a digital signature to outgoing emails.

DKIM (DomainKeys Identified Mail) is an email security standard that lets the receiving mail server verify that an email was actually sent by the domain it claims to be from and was not modified in transit. It works by adding a cryptographic signature to every outgoing email, which the recipient can verify using a public key published in your DNS records. DKIM is one of three email authentication standards (along with SPF and DMARC) that help prevent email spoofing and improve deliverability.

The label that identifies which DKIM public key to use, published at selector._domainkey.example.com.

A DKIM selector is a short label (like `google`, `mail`, or `s1`) that points to a specific public key in DNS. When a mail server signs a message with DKIM, it adds a header naming the selector and the signing domain, for example `d=example.com; s=google`. The receiver looks up `google._domainkey.example.com` to fetch the public key and verify the signature. Selectors let a domain rotate keys without breaking older signed mail and let multiple providers (Google, Mailchimp, SES) each publish their own key under different selector names without conflict.

Domain-based Message Authentication: a policy that tells email servers what to do with unauthenticated emails.

DMARC (Domain-based Message Authentication, Reporting and Conformance) builds on SPF and DKIM to give domain owners control over what happens when an email fails authentication. Your DMARC policy can tell receiving servers to deliver the email anyway (none), put it in spam (quarantine), or reject it outright (reject). DMARC also sends you reports about who is sending email using your domain, helping you detect spoofing and phishing attempts. It is published as a TXT record at _dmarc.yourdomain.com.

The DMARC tag that tells receivers how to treat mail that fails authentication: none, quarantine, or reject.

The `p=` tag in a DMARC record is the enforcement instruction. `p=none` asks receivers to deliver failing mail normally and just send reports back; it is the safe starting point during rollout. `p=quarantine` tells receivers to route failing mail to spam. `p=reject` tells them to block it outright at SMTP time, which is the policy required for full BIMI eligibility and the only one that actually stops spoofing. Most domains progress none, then quarantine with a low pct, then reject, monitoring DMARC aggregate reports at each step to avoid breaking legitimate mail.

Domain Name System: the phonebook of the internet that translates domain names to IP addresses.

DNS (Domain Name System) is what allows you to type "google.com" into your browser instead of memorizing 142.250.80.46. When you visit a website, your device asks a DNS server "what is the IP address for this domain?" and the DNS server responds with the correct address. This lookup happens in milliseconds, usually before you even notice. DNS is one of the most critical pieces of internet infrastructure. If DNS is down, websites become unreachable even if the servers are running perfectly.

A DDoS technique that abuses open resolvers to convert small spoofed queries into large responses aimed at a victim IP.

DNS amplification is a reflective DDoS attack: the attacker sends UDP DNS queries with the victim's IP spoofed as the source, the resolver answers, and the victim receives the response. A 60-byte query asking for ANY or DNSKEY can return 4,000+ bytes, giving an amplification factor of 50x or more. Open resolvers (recursive servers willing to answer anyone) are the abused infrastructure. Mitigations include disabling open recursion, BCP 38 source-address validation at network egress to block spoofing in the first place, and Response Rate Limiting (RRL) on authoritative servers to throttle repeated identical answers.

The process of DNS changes spreading across all DNS servers worldwide.

DNS propagation is the time it takes for a DNS change (like updating your website's IP address) to be recognized by all DNS servers around the world. When you change a DNS record, it does not update everywhere instantly. DNS servers cache records for a period defined by the TTL (Time to Live), so some servers may still serve the old record until their cache expires. Full propagation can take anywhere from a few minutes to 48 hours, though most changes are visible within 1-4 hours.

A browser attack that bypasses the same-origin policy by changing a hostname's DNS answer from an attacker-controlled IP to an internal IP after the page loads.

DNS rebinding tricks a browser into treating a malicious site and an internal service as the same origin. The attacker serves `attacker.com` from a public IP with a short TTL, the victim's browser loads JavaScript, and on the next lookup the same hostname resolves to `192.168.1.1` or another internal address. Because the origin (scheme + host + port) has not changed, the script can now talk to the local router, printer, or IoT device. Mitigations live at multiple layers: DNS rebinding protection in resolvers (dnsmasq, pfBlockerNG), HTTPS plus HSTS on internal services, host-header validation, and CSRF tokens.

An entry in the DNS database that provides information about a domain.

A DNS record is a single instruction stored in a domain's DNS zone that tells the internet something about the domain. Different record types serve different purposes: A records point to IPv4 addresses, MX records direct email, TXT records hold text data like SPF policies, NS records delegate to nameservers, and so on. A domain typically has many DNS records working together. Think of them as rows in a lookup table that DNS servers consult when someone asks about your domain.

A server that looks up DNS records on your behalf when you visit a website.

"DNS resolver" is the umbrella term for any component that issues DNS queries on a client's behalf. Three subtypes do different jobs: a stub resolver is the thin library built into every OS that hands off queries upstream; a recursive resolver (Cloudflare 1.1.1.1, Google 8.8.8.8, Quad9 9.9.9.9, the resolver an ISP ships) is the server that actually walks the hierarchy from root to TLD to authoritative nameserver and caches the result; a forwarding resolver sits in between (often on a home router or office DNS appliance) and proxies queries to a chosen recursive resolver without walking the tree itself. Most performance and privacy choices live at the recursive layer.

A DNS resolver configured to return a fake or controlled answer (often 0.0.0.0 or a logging server) for known-bad domains, blocking malware callbacks before traffic leaves the network.

A DNS sinkhole is a resolver that intentionally answers queries for malicious or unwanted domains with a controlled IP, usually `0.0.0.0`, `127.0.0.1`, or an internal collector that logs the attempt. When malware on an endpoint tries to reach its command-and-control hostname, the sinkhole answers with a dead address and the callback fails. It is the same primitive used by Pi-hole, NextDNS, and enterprise security DNS products to block ads, trackers, and phishing. Sinkholes are also how takedown operations like Conficker's stay effective: the original C2 names still resolve, but to researcher-controlled IPs.

Encoding arbitrary data inside DNS queries and responses to smuggle traffic past firewalls that allow DNS but block direct connections.

DNS tunneling encodes payload bytes into the labels of DNS query names (`<base32-data>.tun.attacker.com`) and into TXT or NULL record answers, turning DNS into a covert bidirectional channel. Because most networks let port-53 traffic out unfiltered, it is a reliable way to exfiltrate data or run interactive C2 from a compromised host. Tools like iodine and dnscat2 implement it; OilRig, FrameworkPOS, and DNSMessenger malware have used it in the wild. Detection looks for high-volume queries to one authoritative zone, abnormally long labels, high entropy in subdomain names, and unusual record-type mixes.

A DDoS technique (also called pseudo-random subdomain attack) that floods authoritative nameservers with queries for random non-existent subdomains, bypassing resolver caches.

DNS water torture, also known as a Pseudo-Random Subdomain (PRSD) attack, exhausts an authoritative nameserver by flooding it with queries for random labels under the target zone (`a8f3.example.com`, `kk21.example.com`, ...). Because every label is unique, caches never help; every query reaches the authoritative server, which must compute NXDOMAIN responses for all of them. Recursive resolvers in front of the victim also get hammered with thousands of pending queries. Mitigations include Response Rate Limiting, NXDOMAIN response caching, dropping queries with high-entropy random labels, and putting authoritatives behind anycast with enough capacity to soak the load.

DNS-based Blocklist (also called RBL): a list of IPs or domains known for spam or abuse, published as DNS records for easy lookup.

A DNSBL (DNS-based Blocklist), also known as an RBL (Real-time Blackhole List), is a reputation list distributed via the DNS protocol. To check an IP like 192.0.2.5 against a list at example.dnsbl, a mail server queries `5.2.0.192.example.dnsbl` and treats any answer as a hit. Major lists like Spamhaus, SORBS, and SpamCop are used by mail servers worldwide to reject spam at SMTP time. Getting on a DNSBL can devastate email deliverability for a domain or shared hosting IP, so monitoring blocklist status is a routine part of operating a mail server.

The DNSSEC record that publishes a zone's public signing keys (KSK and ZSK) so resolvers can verify RRSIG signatures.

A DNSKEY record publishes the public half of a DNSSEC signing key in the zone. A typical signed zone has at least two DNSKEYs: a ZSK (Zone Signing Key) used to sign every record set, and a KSK (Key Signing Key) used only to sign the DNSKEY set itself. Validating resolvers fetch the DNSKEY records, then use them to verify the RRSIG signatures on other records. The hash of the KSK is also published in the parent zone as a DS record, which is what extends the chain of trust upward. DNSKEY rollovers are one of the trickiest operational tasks in DNSSEC.

DNS Security Extensions: a set of protocols that add cryptographic verification to DNS responses.

DNSSEC (DNS Security Extensions) adds a layer of trust to DNS by digitally signing DNS records. Without DNSSEC, there is no way to verify that a DNS response actually came from the legitimate nameserver. An attacker could forge responses and redirect you to a malicious site (DNS spoofing). With DNSSEC enabled, your resolver can verify the cryptographic signature on each response to confirm it is authentic and has not been tampered with. Not all domains use DNSSEC, but adoption is growing.

DNS over HTTPS: encrypts DNS queries inside HTTPS requests so that ISPs and on-path observers cannot see or tamper with them.

DoH (DNS over HTTPS) tunnels DNS queries through normal HTTPS to a resolver endpoint, typically on port 443. Because the traffic looks like any other web request, it is hard to block selectively and impossible to read without breaking TLS. Browsers like Firefox and Chrome support DoH directly, often defaulting to Cloudflare (1.1.1.1) or NextDNS. DoH defeats classic on-path attacks like DNS hijacking by hotel Wi-Fi or ISP injection, but it also moves a great deal of DNS visibility from the network operator to whichever provider runs the DoH endpoint.

Pointing an unused domain at a single page (usually ads, a marketplace listing, or a placeholder) so it generates revenue or signals availability while the owner decides what to do with it.

Domain parking points a registered but undeveloped domain at a generic landing page, typically a pay-per-click ad page run by a parking service (Sedo, Bodis, ParkingCrew, Dan), a "for sale" listing, or the registrar's default placeholder. Parked domains generate small ad revenue from accidental type-in traffic and serve as a discovery surface for prospective buyers. Parking services concentrate huge portfolios behind a few common A records, which is why IP and nameserver intelligence can identify parked-domain clusters at scale. Most search engines treat heavily-parked content as thin and exclude it from indexing.

DNS over QUIC: encrypts DNS over the QUIC transport, combining the privacy of DoT with the lower latency of QUIC.

DoQ (DNS over QUIC) carries DNS messages over QUIC, the same transport used by HTTP/3. Compared to DoT (which runs over TCP+TLS), DoQ avoids head-of-line blocking, recovers from packet loss faster, and uses a 1-RTT or 0-RTT handshake. The result is encrypted DNS that often beats even plain UDP DNS on a lossy network. Adoption is led by AdGuard DNS, NextDNS, and dnscrypt-proxy. DoQ uses dedicated port 853 for the QUIC variant (distinct from DoT's TCP 853), so firewalls treat it as its own protocol.

DNS over TLS: encrypts DNS queries inside a TLS connection on port 853 to protect against eavesdropping and tampering.

DoT (DNS over TLS) wraps DNS traffic in a TLS session on dedicated port 853. Unlike DoH, which blends into HTTPS, DoT is recognisable on the network as encrypted DNS, which makes it easier for operators to allow or block deliberately. Android's "Private DNS" setting uses DoT, as do most enterprise resolver deployments. DoT and DoH protect different things: both stop on-path snooping and DNS hijacking, but neither hides queries from the resolver itself. Pairing DoT with a privacy-respecting resolver is the standard recommendation.

The practice of registering a domain at the exact moment it drops from expiry back into the available pool, also called backordering or domain sniping.

Drop catching is the timed re-registration of an expiring domain the instant the registry releases it. After a domain hits redemption and then pending-delete, it drops back to available, typically around 11:00-14:00 UTC for .com. Specialist registrars (SnapNames, DropCatch, NameJet, Dynadot) maintain pools of EPP connections and fire register requests in the same second the drop happens. Multiple catchers competing for one valuable drop trigger a private auction. The economics are why expired domains with backlinks or brandable strings rarely become available to a normal manual registration.

A service that automatically updates a DNS record when the host's IP address changes, useful for residential connections with rotating IPs.

Dynamic DNS (DDNS) is the practice of automatically updating an A or AAAA record whenever the host's public IP changes. A small client on the host (router, NAS, home server) periodically reports its current IP to a DDNS provider, which republishes the matching hostname (e.g. `myhome.dyndns.org`). DDNS makes services reachable behind ISP connections that hand out rotating public IPs. RFC 2136 defines the standard DNS UPDATE protocol used internally by enterprise DDNS, while consumer DDNS providers usually use a vendor-specific HTTPS API.

Dynamic Host Configuration Protocol: assigns IP addresses, gateways, and DNS resolvers to devices joining a network.

DHCP (Dynamic Host Configuration Protocol) is how devices ask a network for an IP address and the configuration needed to use it: subnet mask, default gateway, DNS resolvers, NTP servers, and more. When a laptop joins WiFi, it broadcasts a DHCPDISCOVER, the DHCP server replies with an OFFER, and the device requests and acknowledges a lease for a finite duration. DHCP also exists for IPv6 (DHCPv6), though IPv6 networks commonly use SLAAC for address assignment and DHCPv6 only for DNS configuration.

A method for generating strong passphrases by rolling physical dice to select words from a numbered wordlist.

Diceware is a passphrase generation method invented by Arnold Reinhold in 1995. Roll five six-sided dice, look up the five-digit number in a 7,776-word list, and the matching word becomes one element of the passphrase. Each word contributes about 12.9 bits of entropy, so a six-word Diceware passphrase delivers around 77 bits, which resists offline attack on a slow KDF like Argon2id. The appeal is that it produces memorable, pronounceable secrets without trusting any software randomness source.

Extension Mechanisms for DNS: lets DNS messages exceed the 512-byte limit and carry extra options like DNSSEC, client subnet, and cookies.

EDNS0 (Extension Mechanisms for DNS, version 0) is the workaround that lets modern DNS escape the constraints baked into the 1987 spec. By adding an OPT pseudo-record to a query, a client can advertise a larger UDP buffer size (so responses bigger than 512 bytes are not truncated), request DNSSEC validation data, send EDNS Client Subnet for CDN geo-targeting, or include DNS cookies to mitigate spoofing. Almost every DNS feature added in the last 20 years rides on top of EDNS0. Resolvers and authoritative servers that fail to handle EDNS0 cleanly cause many obscure DNS failures.

An EDNS0 option that lets a recursive resolver pass a truncated client IP prefix to authoritative servers so CDNs can return geographically appropriate answers.

EDNS Client Subnet (ECS) is the option that lets a recursive resolver forward the client's network prefix (typically /24 for IPv4, /56 for IPv6) to upstream authoritative servers. CDNs and GeoDNS providers use it to pick a nearby edge instead of optimising for the resolver's own location, which would send a Comcast user behind an 8.8.8.8 lookup to whichever PoP is close to Google. ECS trades a small amount of client-network privacy for much better CDN geo-routing. Some privacy resolvers (Cloudflare 1.1.1.1) deliberately strip ECS; others (Google 8.8.8.8) forward it.

Extensible Provisioning Protocol: the XML-over-TLS protocol registrars use to register, transfer, and update domains at a registry.

EPP (Extensible Provisioning Protocol) is the standard XML-over-TLS protocol that domain registrars use to talk to registries. Every time a domain is registered, renewed, transferred, or has its nameservers changed, the registrar sends an EPP command (an XML document over a long-lived TLS connection) to the registry's EPP server. EPP also carries the domain status flags that surface in WHOIS, like clientTransferProhibited or pendingDelete. The user-facing surface that registrants actually touch is the per-domain auth-info code (sometimes called the auth code, EPP code, or transfer code), the password the gaining registrar needs to pull a domain over during a transfer.

An EDNS0 option (EDE) that lets a resolver explain WHY a DNS query failed with structured error codes like "DNSSEC bogus", "blocked", or "forged answer".

Extended DNS Errors (EDE) is the option that finally lets resolvers explain failures beyond opaque rcodes like SERVFAIL. Defined codes include 6 (DNSSEC Bogus), 8 (Signature Expired), 10 (RRSIGs Missing), 15 (Blocked by policy), 18 (Prohibited), and 22 (No Reachable Authority). A modern dig version surfaces these as `; EDE: 6 (DNSSEC Bogus)` in the comments. Operators can finally tell a user that a query was blocked by parental control filtering, by RPZ, or because DNSSEC validation actually failed, instead of just "something went wrong". Adoption in resolvers like Unbound, BIND, and PowerDNS is now widespread.

A bits-of-uncertainty measure of how hard a password is to guess: log2 of the number of possible candidates given the character set and length.

Password entropy is measured in bits and represents log2 of the size of the candidate space an attacker must search. A truly random 8-character password from a 95-character set has log2(95^8) ≈ 52 bits; a Diceware passphrase of 6 words from a 7,776-word list has log2(7776^6) ≈ 77 bits. The catch: entropy only applies to truly random selection. "P@ssw0rd1!" looks 80-bit by naive math but has near-zero real entropy because attackers prioritise it. NIST SP 800-63B-4 abandons composition rules in favour of length and breach-list screening, recognising that user-chosen passwords almost never reach their notional entropy.

A TLS 1.3 extension that encrypts the ClientHello (including SNI) so on-path observers cannot see which hostname is being requested.

ECH (Encrypted Client Hello) is the modern replacement for the abandoned ESNI draft. It encrypts the entire ClientHello, including the SNI field that historically leaked the destination hostname in cleartext even on TLS-secured connections. The client fetches the server's ECH public key via DNS (an HTTPS resource record), wraps the real ClientHello inside an outer ClientHello addressed to a generic front-end, and the server unwraps it. ECH is widely deployed by Cloudflare and supported by recent versions of Firefox and Chrome, closing one of the last major plaintext metadata leaks in HTTPS.

The extended SMTP greeting a client sends to advertise support for SMTP extensions like STARTTLS, SIZE, and AUTH.

EHLO (Extended HELLO) is the first command an SMTP client sends after connecting. It replaces the original HELO from RFC 821 and tells the server `I speak Extended SMTP`. The server responds with a multi-line list of supported extensions: STARTTLS, 8BITMIME, SIZE, AUTH, PIPELINING, and more. Modern mail flow depends on EHLO succeeding, since STARTTLS (and therefore transport encryption) is only negotiated after the extension is advertised. A server that rejects EHLO and only accepts HELO is effectively legacy-only.

The likelihood that a legitimately sent email reaches the recipient's inbox rather than the spam folder or a bounce.

Email deliverability is the practical measure of whether mail that is technically sent actually lands in inboxes. It depends on authentication (SPF, DKIM, DMARC, BIMI), sender reputation (IP and domain), list hygiene (low bounce rate, no spam traps), engagement (opens, replies), content quality, and adherence to mailbox-provider postmaster guidelines. A perfectly RFC-correct message can still go to spam if the sending IP has a poor reputation or the domain has no DMARC alignment. Deliverability work is an ongoing operations discipline, not a one-time setup.

A security system that monitors and controls incoming and outgoing network traffic.

A firewall is a security barrier between a trusted network (like your server) and an untrusted one (like the internet). It examines every incoming and outgoing network connection and decides whether to allow or block it based on a set of rules. Firewalls can be software running on your server (iptables, ufw, Windows Firewall), hardware appliances, or cloud-based services (Cloudflare WAF, AWS Security Groups). A properly configured firewall is your first line of defense against unauthorized access.

A DNS evasion technique used by botnets and phishing kits that rapidly rotates the A records for a hostname through hundreds of compromised IPs, often every few minutes.

Fast flux is the practice of binding a hostname to a constantly-rotating set of IP addresses, usually compromised residential or small-business hosts acting as reverse proxies in front of the real C2 server. Single-flux changes only the A records (TTLs of 60-300 seconds, dozens of IPs per response). Double-flux also rotates the authoritative nameservers themselves, making takedown harder. The pattern is a strong indicator of malicious infrastructure: legitimate services almost never need to rotate IPs that aggressively. Passive DNS feeds surface fast-flux clusters by tracking IPs per name and names per IP over time.

Forward-Confirmed Reverse DNS: a check that a hostname's PTR record points at an IP that itself resolves back to the same hostname, the standard sanity test for mail servers.

FCrDNS (Forward-Confirmed Reverse DNS) is a two-step check. Given an IP, look up its PTR record to get a hostname; then look up the A or AAAA records for that hostname and confirm the original IP appears in the answer. If both directions agree, the IP is FCrDNS-validated. Almost every major mail receiver (Gmail, Outlook, Yahoo) requires sending IPs to have valid FCrDNS, and many will downgrade or reject mail that fails the check. Setting up FCrDNS requires control over both forward DNS (A/AAAA) and reverse DNS (PTR), and PTR is usually managed by the IP's hosting provider.

Also called PFS (Perfect Forward Secrecy): a TLS property where compromising the server's long-term private key cannot decrypt past recorded sessions.

Forward secrecy (often Perfect Forward Secrecy, PFS) means that even if an attacker records all your encrypted TLS traffic today and steals your server's private key tomorrow, they still cannot decrypt the captured sessions. It is achieved by using ephemeral Diffie-Hellman key exchange (ECDHE) to derive a per-session key that is discarded after the connection ends; the long-term key only authenticates the handshake. TLS 1.3 mandates forward secrecy in every cipher suite. TLS 1.2 only provides it for ECDHE/DHE suites, which is why disabling static-RSA key exchange has been the recommendation for a decade.

Fully Qualified Domain Name: a domain name written with every label up to the root, like www.example.com.

An FQDN (Fully Qualified Domain Name) is a domain name that specifies its exact location in the DNS hierarchy, from the host label all the way up to the implicit root. `www.example.com.` (with the trailing dot) is the strictly correct form, though the trailing dot is almost always omitted in everyday use. The opposite is a relative or partially qualified name like `www`, which only makes sense in the context of a search domain. FQDNs matter in zone files, TLS certificates, and many config files, where ambiguity about whether a name is fully qualified is a common source of bugs.

A service from a mailbox provider that forwards spam complaints back to the sender so they can suppress the complaining recipient.

A feedback loop (FBL) is a programmatic channel through which mailbox providers (Yahoo, Microsoft, Comcast, La Poste, and many others) forward `this is spam` complaints back to the originating sender. The sender enrolls per IP or per domain, receives the complaint as an ARF-formatted report (RFC 5965), and is expected to suppress that recipient from future sends. FBLs are essential for keeping complaint rates below mailbox-provider thresholds (typically 0.1 to 0.3 percent), and ignoring them is one of the fastest ways to land on a deny list.

An authoritative DNS feature that returns different answers based on the geographic location or network of the querying resolver, used for global load balancing and regional routing.

GeoDNS returns different A/AAAA answers to the same query depending on where the request appears to come from, usually based on the resolver's IP (or its EDNS Client Subnet hint when available). A user in Frankfurt querying `app.example.com` gets the EU PoP IP; a user in São Paulo gets the South America PoP. Providers like Route 53 (geolocation/geoproximity), NS1, and Cloudflare Load Balancing implement it with policies for failover, weighted splits, and proximity rules. GeoDNS is less precise than anycast (it operates at resolver granularity, not packet path), but it is the standard way to do region-aware routing without owning physical network presence.

An IP address record served by a parent zone that breaks the chicken-and-egg problem when a domain's nameservers live inside the domain itself.

A glue record solves a bootstrap problem: if example.com's nameservers are ns1.example.com and ns2.example.com, a resolver cannot look up those names without first asking those very nameservers. The parent zone (here, .com) breaks the loop by serving the IP addresses of the in-bailiwick nameservers alongside the NS delegation. Without glue, the domain becomes unresolvable. Registrars expose glue records under names like "host records" or "private nameservers." Missing or stale glue (where the registrar's glue points to a different IP than the nameserver actually uses) is a classic cause of intermittent DNS failures.

The lifecycle stages after a domain expires: a grace period for easy renewal, then a costly Redemption Grace Period, then deletion.

When a gTLD domain expires, it does not vanish immediately. First comes the Auto-Renew Grace Period (up to 45 days, varies by registrar) where the registrar can usually still renew at the normal price. Then comes the Redemption Grace Period (RGP, 30 days) during which the domain is suspended, removed from the zone, and can only be recovered by paying a steep redemption fee, often $100 or more. After RGP, the domain enters Pending Delete for 5 days, with no recovery path, then drops back into the pool for anyone to register. RFC 3915 formalises these states in EPP (redemptionPeriod, pendingRestore, pendingDelete). Watching these statuses in WHOIS is how drop-catchers time their re-registration attempts.

Hash-based Message Authentication Code: a construction that combines a secret key with a cryptographic hash to verify both integrity and authenticity of a message.

HMAC (Hash-based Message Authentication Code) wraps a hash function like SHA-256 with a shared secret key to produce an authentication tag that proves the message was not tampered with and came from someone holding the key. The construction (`H((K xor opad) || H((K xor ipad) || message))`) is provably secure even against length-extension attacks that break naive `H(K || message)` schemes. HMAC is everywhere: AWS request signing (SigV4), JWT HS256 tokens, webhook signatures (Stripe, GitHub), TLS record MACs in older cipher suites, and TOTP/HOTP one-time codes. The right primitive any time both sides share a secret and need to authenticate messages.

A phishing technique that registers a lookalike domain using visually similar characters from other scripts, like Cyrillic 'а' instead of Latin 'a'.

A homograph attack (or IDN homograph attack) abuses the fact that many alphabets share visually identical glyphs. An attacker registers `аpple.com` using a Cyrillic 'а' (U+0430) that renders identically to the Latin 'a' but resolves to an entirely different domain. Once the punycode-decoded version is shown in the address bar, the visual is indistinguishable from the real brand. Modern browsers defend against this by showing the punycode form (xn--...) when a label mixes scripts or matches known-suspect patterns, but the attack remains effective in email, chat clients, and PDFs.

HTTP Strict Transport Security: a response header that forces browsers to use HTTPS for a site for a specified duration.

HSTS (HTTP Strict Transport Security) is an HTTP response header that tells the browser "for the next N seconds, always connect to this domain over HTTPS, even if the user types http://." That single rule eliminates the SSL-stripping attack where an on-path adversary downgrades the connection before TLS can engage. The `includeSubDomains` directive extends protection to every subdomain, and the `preload` directive (combined with submission to the HSTS preload list shipped in major browsers) means the first connection is already HTTPS-only. Removing HSTS is hard by design, so deploy with care.

The third major version of HTTP, built on QUIC instead of TCP, offering faster connection setup and better recovery from packet loss.

HTTP/3 is the latest version of the HTTP protocol, standardised in 2022. Unlike HTTP/1.1 and HTTP/2 which run on TCP, HTTP/3 runs on QUIC, a UDP-based transport that integrates TLS 1.3 directly into the handshake. The practical wins: 1-RTT (or 0-RTT for repeat visits) connection setup, no head-of-line blocking when a packet is lost, and seamless connection migration when a client's IP changes (for example, switching from Wi-Fi to cellular). Modern browsers and CDNs negotiate HTTP/3 via ALPN, falling back to HTTP/2 if QUIC traffic is blocked.

The secure version of HTTP that encrypts all data between the browser and server.

HTTPS (HyperText Transfer Protocol Secure) is the encrypted version of HTTP, the protocol your browser uses to communicate with web servers. When you see the padlock icon in your browser's address bar, the connection is using HTTPS. It encrypts all data in transit using TLS, preventing anyone from eavesdropping on or tampering with the communication, including passwords, credit card numbers, and personal data. Modern browsers mark HTTP sites as "Not Secure." HTTPS requires an SSL/TLS certificate on the server.

A permanent email delivery failure (SMTP 5xx), typically because the address does not exist or is blocked.

A hard bounce is a permanent SMTP rejection: the recipient mailbox does not exist (550 5.1.1), the domain has no MX (550 5.1.2), the sender is blocked, or policy refuses the message. Hard-bounced addresses must be suppressed immediately, because retrying them piles up more bounces, which mailbox providers interpret as a list-hygiene signal and translate into reputation damage. Most ESPs auto-suppress on the first hard bounce. Compare with soft bounce, which is a temporary 4xx failure that should be retried.

Two different inputs producing the same hash output, which breaks the integrity guarantee of a cryptographic hash function.

A hash collision is when two different inputs hash to the same digest. For a cryptographic hash, collisions are guaranteed to exist (the input space is larger than the output space) but should be computationally infeasible to find. When researchers demonstrate practical collisions, the function is considered broken for signature use: MD5 collisions were published in 2004, SHA-1 collisions in 2017 (SHAttered), and both are now banned from TLS certificates and code signing. SHA-2 and SHA-3 families have no known practical collisions.

The original SMTP greeting command (RFC 821), now superseded by EHLO but still accepted as a fallback.

HELO is the original SMTP greeting from RFC 821 (1982). A client says `HELO mail.example.com` to introduce itself and the server replies with a single line. Modern SMTP uses EHLO instead, which lets the server advertise extensions like STARTTLS and AUTH, but every SMTP server still accepts HELO as a fallback for ancient clients. The hostname the client claims in HELO/EHLO is logged and used in some anti-spam heuristics: it should match the sending IP's reverse DNS for best deliverability.

A decoy system deployed to attract attackers so their behaviour can be observed and indicators collected.

A honeypot is a system, service, or address deliberately exposed to attract malicious activity. Low-interaction honeypots emulate vulnerable services (SSH, Telnet, RDP) to collect credentials and payloads; high-interaction honeypots run real operating systems inside isolated environments to capture full intrusion chains. Honeypot data feeds threat intelligence: shared IP reputation lists, malware sample collection, and early warning of new exploit campaigns. Spam honeypots (also called spam traps) play a similar role for email reputation.

The number of intermediate routers a packet crosses between source and destination, visible in traceroute output.

A hop is one router-to-router step on a packet's journey across the internet. Hop count is the total number of those steps from source to destination. Traceroute exposes the path by sending packets with incrementally larger TTL values: each router decrements TTL and, when it hits zero, replies with an ICMP Time Exceeded that reveals its IP. IPv6 calls the same field Hop Limit. Excessive hops add latency, and unexpected hop count changes can indicate routing leaks, BGP hijacks, or middlebox interference.

A built-in browser list of domains that must always be loaded over HTTPS, even on a user's first visit.

HSTS Preload is a curated list shipped inside Chromium, Firefox, Safari, and Edge that hardcodes HSTS for domains opted into it. Normal HSTS only protects users after their first successful HTTPS visit; preload closes that gap by making the browser refuse plaintext HTTP to a listed domain even on the very first request. To qualify, a site must serve a valid certificate on the apex, redirect HTTP to HTTPS, and serve the header `Strict-Transport-Security: max-age=63072000; includeSubDomains; preload`. Submissions are reviewed at hstspreload.org. Removal can take months, so the decision is effectively permanent.

The 2015 binary, multiplexed evolution of HTTP/1.1 that lets a single TCP connection carry many concurrent requests.

HTTP/2 (RFC 9113) replaces HTTP/1.1's text-based, head-of-line-blocked transport with a binary framing layer that multiplexes many request/response streams over one TCP connection. Headers are compressed with HPACK, servers can push resources proactively, and stream priorities hint at importance. Browsers only negotiate HTTP/2 over TLS, using ALPN to agree on `h2` during the TLS handshake. HTTP/2 dramatically improved page load times for resource-heavy sites and is still the dominant HTTP version on the web, with HTTP/3 (over QUIC) layered on top for the next jump.

Internet Assigned Numbers Authority: the body that maintains the global registries for IP addresses, ASNs, protocol numbers, and the DNS root zone.

IANA (Internet Assigned Numbers Authority) is the function that keeps the master registries of unique identifiers that make the internet interoperable. That includes IPv4 and IPv6 address blocks (which IANA allocates to the five RIRs), AS numbers, port numbers, protocol parameters, and most importantly the DNS root zone, including the list of all TLDs and their nameserver delegations. IANA is operated by ICANN under a contract with the US National Telecommunications and Information Administration that transitioned to a multi-stakeholder model in 2016. Every TLD listed in the dnschkr directory ultimately traces back to an IANA root zone entry.

Internet Corporation for Assigned Names and Numbers: the nonprofit that coordinates the global DNS, accredits registrars, and manages gTLD policy.

ICANN (Internet Corporation for Assigned Names and Numbers) is the nonprofit that sets policy for the global DNS namespace. It accredits registrars, contracts with registries for every gTLD, oversees the IANA function (and therefore the root zone), runs UDRP for trademark disputes, and ran the New gTLD Program that introduced .app, .dev, .xyz, and hundreds of others. ICANN does not regulate ccTLDs directly; those are run by each country's designated operator. For domain owners, ICANN's most visible touchpoints are the WHOIS Accuracy Program, the Transfer Policy, and the annual $0.18 ICANN fee on every gTLD registration.

A unique numerical label assigned to every device connected to the internet.

An IP address (Internet Protocol address) is the unique number that identifies a device on the internet, like a street address for your computer or server. IPv4 addresses look like 192.168.1.1 (four numbers separated by dots), while IPv6 addresses are longer like 2001:0db8:85a3::8a2e:0370:7334. Every website, email server, and internet-connected device has at least one IP address. When you visit a website, your browser uses DNS to translate the domain name into the server's IP address.

The fourth version of the Internet Protocol, using 32-bit addresses like 93.184.216.34.

IPv4 (Internet Protocol version 4) is the original addressing system of the internet, using 32-bit addresses written as four numbers separated by dots (e.g., 93.184.216.34). It supports about 4.3 billion unique addresses, which seemed like plenty in the 1980s but is now almost completely exhausted. Most of the internet still runs on IPv4, but organizations increasingly use IPv6 alongside it to handle the growing number of connected devices.

The latest version of the Internet Protocol, using 128-bit addresses to support far more devices.

IPv6 (Internet Protocol version 6) is the successor to IPv4, designed to solve the address shortage. IPv6 addresses are 128 bits long (e.g., 2606:4700:4700::1111), providing a virtually unlimited number of unique addresses, enough for every grain of sand on Earth to have its own IP. IPv6 is being adopted gradually alongside IPv4. If your server supports IPv6, you should add AAAA records to your DNS so it is reachable on both protocols.

Internet Service Provider: the company that provides your internet connection.

An ISP (Internet Service Provider) is the company that connects you to the internet, like Comcast, AT&T, Vodafone, or BT. Your ISP assigns your IP address, provides a DNS resolver (unless you configure a different one), and controls the "last mile" of your internet connection. ISPs can affect your experience by blocking certain ports, throttling traffic, or filtering DNS requests. When troubleshooting connectivity issues, your ISP is often part of the chain you need to investigate.

Incremental Zone Transfer: a DNS operation that copies only the records changed since the last transfer, instead of the whole zone.

IXFR (Incremental Zone Transfer) is the efficient sibling of AXFR. Instead of shipping the entire zone every time, a secondary nameserver tells the primary "I have serial 2026051601, send me everything that changed since then." The primary replies with just the added and deleted records. For large zones like .com or busy enterprise zones, IXFR cuts transfer bandwidth by orders of magnitude. If the primary cannot satisfy an incremental request (for example, the serial is too old), it falls back to a full AXFR automatically.

Internationalized Domain Name: a domain that contains non-ASCII characters, encoded via Punycode for DNS transport.

An IDN (Internationalized Domain Name) is a domain that uses characters outside the original ASCII letter-digit-hyphen set, such as `münchen.de`, `日本.jp`, or `إختبار.مصر`. Because DNS itself is ASCII-only, IDNs are encoded to Punycode for transport (`xn--mnchen-3ya.de`) under the IDNA standard. Browsers and email clients display the Unicode form to users where it is safe to do so, falling back to the punycode form when label-mixing rules indicate possible homograph attacks. DNS Checker displays both forms side by side: `.닷넷 (.xn--t60b56a)`.

The DNS zone used for IPv4 reverse lookups, where 8.8.8.8 becomes 8.8.8.8.in-addr.arpa.

`in-addr.arpa` is the special-purpose DNS zone that maps IPv4 addresses to PTR records for reverse lookups. The address octets are reversed and appended to the zone, so `8.8.8.8` becomes the DNS name `8.8.8.8.in-addr.arpa`, which holds a PTR record pointing at `dns.google`. Reverse zones are typically delegated by RIRs (for /24 and larger) or by ISPs (for smaller residential allocations). Properly maintained reverse DNS is required for SMTP servers to pass FCrDNS checks and avoid being treated as spammers.

The DNS zone used for IPv6 reverse lookups, where each nibble of the address becomes a label.

`ip6.arpa` is the IPv6 equivalent of `in-addr.arpa`. Each of the 32 hexadecimal nibbles of an IPv6 address is reversed and turned into a label, so `2001:4860:4860::8888` becomes `8.8.8.8.0.0.0.0.0.0.0.0.0.0.0.0.0.6.8.4.0.6.8.4.1.0.0.2.ip6.arpa`, holding a PTR record. IPv6 reverse zones are delegated in /4 increments by RIRs and large allocation holders. Many IPv6 deployments skip reverse DNS entirely or auto-generate placeholder records, which can cause mail rejection if FCrDNS is enforced.

A score or classification assigned to an IP address based on its history of sending spam, hosting malware, or other abuse.

IP reputation is the aggregate judgment that mailbox providers, firewalls, and security vendors have formed about a given IP address. It is built from observed behaviour (volume, complaint rate, bounce rate, malware hosting, brute-force attempts), DNSBL listings, sender authentication results, and proprietary signals. Senders inherit the reputation of the IP they send from, which is why shared sending pools can sink a careful sender and why warmup of new IPs is critical. Reputation is operator-specific: an IP in good standing at Gmail may be blocked at Microsoft.

Internet Exchange Point: a shared layer-2 fabric where many networks meet to exchange traffic via BGP peering.

An Internet Exchange Point (IXP) is a physical fabric (usually a high-density Ethernet switch in a data center) where dozens to hundreds of networks meet to exchange traffic directly. Networks plug in once and then peer with any other member, avoiding paid transit and reducing latency. Major IXPs like AMS-IX, DE-CIX, and LINX move terabits per second at peak. IXPs are where the modern internet's mesh actually exists in physical form, and route servers at the IXP let small networks peer with everyone using a single BGP session.

JSON Web Token: a compact, URL-safe token format with a JSON payload, a header, and a signature, widely used for authentication and stateless session data.

A JWT (JSON Web Token) is three base64url-encoded segments joined by dots: `header.payload.signature`. The header declares the algorithm (HS256, RS256, ES256, EdDSA), the payload carries claims like `sub`, `iat`, and `exp`, and the signature lets the receiver verify the token was not modified and came from someone holding the key. JWTs are everywhere in modern auth: OAuth 2.0 access tokens, OIDC ID tokens, API session cookies. Common pitfalls: accepting `alg: none`, confusing HS256 (HMAC, symmetric) with RS256 (asymmetric), and treating JWTs as encrypted (they are signed, not encrypted, unless wrapped as JWE).

Key Signing Key: the long-lived DNSSEC key that signs the DNSKEY set and whose hash is published as a DS record in the parent zone.

A KSK (Key Signing Key) is the DNSSEC key whose only job is to sign the DNSKEY record set in its zone. Because the KSK's public hash is published in the parent zone as a DS record (and any change must be coordinated with the parent), KSKs are deliberately long-lived, often 1 to 2 years between rollovers. The shorter-lived ZSK does the bulk of the signing work. Splitting the roles means the operator can rotate ZSKs frequently without touching the parent zone, while the KSK rollover (an inherently slower, more coordinated process) happens rarely.

A mechanism that lets HTTP or TCP connections stay open across multiple requests instead of opening a new connection each time.

Keep-alive (persistent connection) lets a single TCP or HTTP connection serve multiple requests, avoiding the latency cost of repeated three-way handshakes and TLS negotiations. HTTP/1.1 made keep-alive the default, controlled by the `Connection` header. TCP itself has a separate `SO_KEEPALIVE` option that sends periodic probes to detect dead peers on idle connections. HTTP/2 and HTTP/3 multiplex many streams over one long-lived connection, making keep-alive even more important. Reverse proxies and load balancers expose their own keep-alive timeouts that must be tuned together with upstream timeouts to avoid mid-request connection resets.

A broken DNS delegation where a domain's listed nameservers do not actually answer authoritatively for the zone.

A lame delegation is what happens when a domain's NS records point at servers that either do not exist, do not respond, or refuse to answer authoritatively for the zone. The parent says "ask ns1.example.net for example.com," but ns1.example.net has no clue about example.com. Lame delegations cause slow lookups (resolvers wait for timeouts before trying the next NS), partial outages, and in some cases full unreachability. DNS Checker's own zone analysis flags lame delegations across the .com and .net zones as one of the most common operational bugs in the wild.

The time delay between sending a request and receiving a response, measured in milliseconds.

Latency is the time it takes for data to travel from one point to another on the internet, measured in milliseconds (ms). Lower latency means faster response times. When you ping a server and get "12ms," that is the round-trip latency. Latency is affected by physical distance (light in fiber takes ~5ms per 1,000 km), network congestion, the number of routers in the path, and server processing time. CDNs reduce latency by serving content from servers closer to the user.

An email header that gives recipients a one-click way to unsubscribe, now required by Gmail and Yahoo for bulk senders.

List-Unsubscribe is an email header (RFC 2369) that lets the recipient's mail client expose a built-in unsubscribe button. The newer one-click variant (RFC 8058) adds `List-Unsubscribe-Post: List-Unsubscribe=One-Click` and lets the mail client POST to the unsubscribe URL with no further user interaction. Since February 2024, Gmail and Yahoo require one-click List-Unsubscribe on bulk mail (5,000+ messages per day to their users), alongside aligned DKIM and DMARC. Missing or broken List-Unsubscribe is now a top cause of inbox loss.

Man-in-the-Middle Attack: an attacker silently sits between two parties, intercepting and potentially modifying their traffic.

A MITM (Man-in-the-Middle) attack is any scenario where an adversary positions themselves between two communicating parties, relaying messages while reading or modifying them. Classic examples include hostile Wi-Fi hotspots that proxy HTTPS with a fake certificate, ARP spoofing on a local network, and BGP hijacks that reroute traffic through an attacker's network. Defences are layered: TLS with certificate validation, HSTS to prevent downgrade, DNSSEC and DoH/DoT to protect name resolution, and Certificate Transparency to detect mis-issuance. Any service running plain HTTP or unauthenticated DNS is vulnerable by default.

Mail Transfer Agent Strict Transport Security: lets a domain require sending mail servers to use authenticated TLS when delivering to it.

MTA-STS (Mail Transfer Agent Strict Transport Security) is the email equivalent of HSTS. A receiving domain publishes a TXT record at _mta-sts.example.com plus an HTTPS-hosted policy file declaring "only deliver mail to my MX hosts over TLS, and only if the certificate is valid for the MX hostname." Senders that support MTA-STS will refuse to fall back to plaintext SMTP or accept a self-signed certificate, defeating downgrade attacks on inbound mail. MTA-STS is usually deployed alongside TLS-RPT, which provides reports when something fails.

A DNS record that tells the internet which mail server handles email for a domain.

An MX (Mail Exchange) record is a DNS record that directs email to the correct mail server. When someone sends an email to [email protected], the sending server looks up the MX records for example.com to find which mail server to deliver to. MX records include a priority number: lower numbers are tried first, and higher numbers serve as backups. If you use Gmail, your MX records point to Google's mail servers. If you use Microsoft 365, they point to Microsoft's.

The SMTP envelope sender address (Return-Path), used by SPF for authentication and as the destination for bounces.

`MAIL FROM` is the SMTP command that declares the envelope sender for a message. This is the address bounces are returned to (the Return-Path) and the identity SPF authenticates against. It is distinct from the `From:` header that the user sees: the two can differ legitimately (think mailing lists), which is why DMARC requires alignment between the visible From domain and either the SPF MAIL FROM domain or the DKIM signing domain. A null MAIL FROM (`<>`) is used for non-delivery reports to prevent bounce loops.

A 128-bit hash function published in 1992, now broken for collision resistance and unsafe for any security use.

MD5 (Message Digest 5) is a 128-bit cryptographic hash function published by Ron Rivest in 1992. Practical collisions were demonstrated in 2004, and chosen-prefix collisions have been used to forge TLS certificates (the Flame malware, 2012). MD5 is unsafe for digital signatures, password hashing, and certificate fingerprinting, but remains acceptable as a non-cryptographic checksum (file integrity against accidental corruption, ETag generation, cache keying). Migrate any security-sensitive MD5 usage to SHA-256 or a dedicated KDF like Argon2.

Multicast DNS: a zero-configuration protocol that resolves .local hostnames on a local network without a central DNS server.

mDNS (Multicast DNS, RFC 6762) lets devices on the same link discover each other by name using the `.local` pseudo-TLD with no central DNS server. A query for `printer.local` is sent to the multicast address 224.0.0.251 (or ff02::fb for IPv6) on port 5353, and any device with that name answers directly. Apple's Bonjour, the Avahi daemon on Linux, and Windows have built-in mDNS support. Combined with DNS-SD (RFC 6763), mDNS powers AirPlay, AirPrint, Chromecast discovery, and IoT pairing flows.

A server that stores DNS records for a domain and answers DNS queries.

A nameserver (NS) is the server responsible for storing and serving the DNS records for your domain. When someone looks up your domain, the DNS system eventually asks your nameservers for the answer. Your domain registrar lets you set which nameservers to use: your registrar's nameservers, your hosting provider's, or a third-party like Cloudflare. If your nameservers are down or misconfigured, your entire domain becomes unreachable. Most domains use at least two nameservers for redundancy.

Network Address Translation: lets multiple devices share a single public IP address.

NAT (Network Address Translation) is the technology that lets all the devices in your home or office share a single public IP address. Your router assigns private IP addresses (like 192.168.1.x) to each device internally, then translates these to your single public IP when traffic goes to the internet. This is why port forwarding exists: since the router has one public IP, you need to tell it which internal device should receive incoming connections on specific ports.

Caching NXDOMAIN and NODATA responses (the absence of a record) at a resolver, so repeated lookups for non-existent names do not hammer authoritative servers.

Negative caching is the resolver behaviour of storing "this name does not exist" (NXDOMAIN) and "this name exists but has no records of this type" (NODATA) answers for a bounded TTL. The TTL is taken from the SOA record's minimum field (the fifth field of the SOA, capped at one week), so the zone operator controls how long negative answers live. Without it, every typo or misconfigured client query would touch authoritative servers indefinitely. The downside: when you add a record for a name that recently returned NXDOMAIN, clients keep getting the cached negative answer until the SOA-minimum TTL expires.

DNS response code 0: the query was answered successfully, though the answer set may still be empty.

NOERROR (RCODE 0) is the DNS response code returned when a query completes successfully. Importantly, NOERROR does not always mean "data was found." A NOERROR response with zero answer records (sometimes called NODATA) means "the name exists, but no record of the type you asked for exists for it." For example, querying for an AAAA record on an IPv4-only host typically yields NOERROR with no answers, not NXDOMAIN. Confusing NOERROR/NODATA with NXDOMAIN is a frequent source of debugging dead ends.

A DNS record that specifies which nameservers are authoritative for a domain.

An NS (Name Server) record tells the DNS system which nameservers are responsible for answering queries about your domain. When a DNS resolver needs to find records for your domain, it follows the NS records to find your authoritative nameservers. If you switch to Cloudflare or a new hosting provider, you change the NS records at your registrar to point to the new nameservers. NS records exist at every level of the DNS hierarchy, from root servers to TLD servers to your domain.

DNSSEC records that prove a name or record type does not exist, without leaking the full contents of the zone.

DNSSEC needs a way to prove a negative: "this name really does not exist" or "this type really is not present." NSEC records do this by listing the next existing name in the zone, so a resolver can see that the queried name falls in a gap. Walking the NSEC chain reveals every name in the zone, which operators consider a privacy leak. NSEC3 hashes names before chaining them, but the protection is weak for small zones: the hash set can be cracked offline with rainbow tables or brute force in minutes. RFC 9276 (2022) accordingly recommends 0 extra iterations and no salt, and many operators have moved to compact denial-of-existence or online signing instead of NSEC3 opt-out for new deployments.

An MX record of the form "0 ." that explicitly declares a domain does not accept email.

A Null MX record is the single line `0 .` published as the MX for a domain. It is the standardised way to say "this domain sends no mail and accepts none, do not even try." Compliant sending MTAs will immediately bounce mail addressed to a Null MX domain with a permanent 556 error instead of sitting in a retry queue for days. Brands often use Null MX on apex domains they use only for web hosting, alongside a strict SPF (`v=spf1 -all`) and DMARC reject policy, to make spoofing visibly invalid.

A networking technique that silently drops all traffic to a specific IP address.

A null route (also called a blackhole route) is when a network sends all traffic destined for a specific IP address to nowhere, effectively making that IP unreachable. Hosting providers sometimes null-route a customer's IP address during a DDoS attack to protect their network from the flood of traffic. While this stops the attack from affecting other customers, it also makes the targeted server completely unreachable until the null route is removed. This can cause Cloudflare error 523 (Origin Unreachable).

DNS response code 3: the queried name does not exist anywhere in the DNS hierarchy.

NXDOMAIN (Non-Existent Domain, RCODE 3) is the response a DNS resolver returns when the queried name simply does not exist. It is a definitive negative answer signed by the authoritative nameserver, not a timeout or error. NXDOMAIN is cached by resolvers (governed by the SOA minimum TTL) so an unregistered or recently deleted domain may appear unreachable for hours even after it becomes valid. The opposite confusion is NOERROR with no data, which means the name exists but the requested record type does not.

Online Certificate Status Protocol: lets a client check whether an SSL/TLS certificate has been revoked since it was issued.

OCSP (Online Certificate Status Protocol, RFC 6960) lets a TLS client ask a Certificate Authority's responder, in real time, whether a certificate has been revoked. The classic deployment had clients query the OCSP responder directly, which was slow and leaked browsing history to the CA. OCSP stapling (the TLS Certificate Status Request extension, RFC 6066 §8) fixed this: the web server periodically fetches a signed OCSP response itself and attaches it to the TLS handshake. The industry has since shifted away from OCSP entirely. Let's Encrypt announced shutdown of its OCSP responders in 2024, with Chrome and Firefox now relying on CRLite-style aggregated revocation lists and progressively shorter certificate lifetimes (90 days, moving to 47 days by 2029).

A set of `<meta property="og:...">` tags that lets a web page describe how it should appear when shared on social platforms, including title, description, image, and type.

Open Graph is a metadata protocol originally introduced by Facebook in 2010 and now used by virtually every social platform and messaging app to render link previews. A page adds tags like `<meta property="og:title" content="...">`, `og:description`, `og:image`, `og:url`, and `og:type` inside the `<head>`. When a URL is pasted into Facebook, LinkedIn, Slack, Discord, or iMessage, the platform fetches the page, reads the OG tags, and uses them for the unfurled card. Twitter uses its own `twitter:card` tags but falls back to OG when those are missing. The og:image should be at least 1200x630px to render well across platforms.

A recursive DNS resolver that accepts queries from any source IP on the internet, instead of restricting service to its operator's own users.

An open resolver is a recursive DNS server that answers queries from anyone, not just its operator's customers or internal users. Some are intentional (Cloudflare 1.1.1.1, Google 8.8.8.8, Quad9 9.9.9.9), but most are misconfigured home routers, cable modems, or hosting servers. The problem is that open resolvers are the abused infrastructure in DNS amplification DDoS attacks: attackers send small spoofed queries and the resolver reflects large answers at the victim. The Open Resolver Project and Shadowserver still track hundreds of thousands of unintentionally open resolvers; closing them is one of the standard hardening tasks for any DNS deployment.

The actual web server where your website's files and application code live.

The origin server is your actual web server, the machine (physical or virtual) that hosts your website's files, runs your application code, and generates responses. When you use a CDN or reverse proxy like Cloudflare, visitors do not connect directly to the origin. Instead, Cloudflare sits in front and forwards requests to the origin on their behalf. Most Cloudflare 5xx errors (520-526) indicate a problem between Cloudflare and your origin server. The origin is sometimes called the "upstream" server.

A TLS extension where the server attaches a fresh OCSP response to the handshake, so clients do not query the CA directly.

OCSP stapling (RFC 6066, TLS Certificate Status Request) lets a server periodically fetch a signed OCSP response from its CA and attach (`staple`) it to every TLS handshake. Clients verify the stapled response instead of contacting the CA themselves, which removes a privacy leak (the CA no longer sees who is visiting the site), eliminates a latency spike on the first connection, and avoids the CA outage problem. Must-Staple (RFC 7633) extends this with a certificate flag telling clients to refuse any handshake without a valid stapled response.

A sensor-fed database of historical DNS resolutions (also called pDNS) that records which names resolved to which IPs over time, used heavily in threat intelligence and incident response.

Passive DNS (pDNS) is built by deploying sensors at recursive resolvers that log every successful name-to-IP resolution they make, then aggregating the stream into a searchable database. Querying for an IP returns every domain ever seen pointing at it; querying for a domain returns every IP and nameserver it ever used. Threat hunters use it to pivot from one indicator to related infrastructure, spot fast-flux clusters, age-out indicators after malware migrates, and reconstruct historical state of phishing kits. Major providers include Farsight DNSDB, VirusTotal, SecurityTrails, and DomainTools. No personally identifying client data is captured, only the query name and answer.

Password-Based Key Derivation Function 2: a slow hash that iterates HMAC many times to derive a key from a password, the FIPS-approved option for password storage.

PBKDF2 (Password-Based Key Derivation Function 2) derives a cryptographic key from a password by running HMAC (usually HMAC-SHA-256 or HMAC-SHA-512) for a configurable number of iterations, with a salt mixed in. OWASP currently recommends at least 600,000 iterations for PBKDF2-HMAC-SHA-256. It is the only password-hashing function approved by FIPS 140, which is why it stays in heavy use for compliance-driven systems (1Password, LastPass, Wi-Fi WPA2-PSK, macOS FileVault). The weakness compared to Argon2 and scrypt is that PBKDF2 is not memory-hard, so attackers with GPUs and ASICs scale linearly with hardware spend.

A numbered endpoint on a server that identifies a specific service (e.g., port 80 for HTTP, 443 for HTTPS).

A port is a number (0-65535) that identifies a specific service running on a server. Think of the IP address as the building's street address and the port as the apartment number. Web servers listen on port 80 (HTTP) and 443 (HTTPS). SSH uses port 22. Email uses ports 25, 587, and 993. When you visit https://example.com, your browser connects to port 443 on example.com's IP address. Firewalls control which ports are open (accepting connections) and which are blocked.

Configuring a router to direct incoming internet traffic on a specific port to a device on the local network.

Port forwarding is a router configuration that redirects incoming internet traffic from a specific port to a specific device on your local network. Since NAT hides all your internal devices behind one public IP, the router needs to know which device should receive connections. For example, if you run a Minecraft server on your PC, you would forward port 25565 to your PC's local IP so players on the internet can connect. Without port forwarding, incoming connections stop at the router.

A DNS record that maps an IP address back to a hostname (reverse DNS), published under the in-addr.arpa or ip6.arpa special zones.

A PTR (pointer) record provides reverse DNS: given an IP, what is its hostname. The IP `192.0.2.5` is queried as `5.2.0.192.in-addr.arpa PTR ?`, and IPv6 addresses use a nibble-reversed lookup under `ip6.arpa`. PTR records are configured by whoever controls the IP block, typically the hosting provider or ISP, not the domain owner. They are critical for mail servers (Gmail and most receivers reject mail from IPs without matching forward and reverse DNS), traceroute readability, and SSH connection logging. PTR is the one common record type where the answer's authority lives with the network owner, not the domain owner.

An ASCII encoding for internationalized domain names (IDNs), turning labels like 닷넷 into xn--t60b56a.

Punycode is the encoding that lets DNS, designed for ASCII only, carry domain names written in Unicode. A label like `münchen` becomes `xn--mnchen-3ya`, with the `xn--` prefix marking it as an IDN A-label. The full IDNA standard (RFC 5890 to 5894) wraps Punycode with rules about which Unicode characters are valid in domain names and how to normalise them. Browsers decode Punycode for display when it is safe, but show the raw `xn--` form when mixed scripts hint at a possible homograph attack. Every IDN TLD listed in the dnschkr directory stores both the Unicode and Punycode forms.

A sequence of multiple words used as a secret, chosen for memorability and high entropy rather than character complexity.

A passphrase is a multi-word secret like `correct horse battery staple`, used in place of a short complex password. The security comes from length and unpredictability of word choice, not character mixing: a six-word Diceware passphrase has roughly 77 bits of entropy, far stronger than a typical 10-character password with symbols. Passphrases are easier to type and remember, work well for full-disk encryption and KeePass master passwords, and resist shoulder surfing better than character-soup passwords. They still need to be unique per service and stored in a password manager.

A DNS privacy practice where a recursive resolver sends each upstream server only the part of the query name it strictly needs.

QNAME minimization is a small change that meaningfully improves DNS privacy. Without it, a recursive resolver asks each server in the chain (root, TLD, authoritative) for the full query name like `www.api.example.com`, even though the root only needs to know about `.com`. With QNAME minimization, the resolver asks the root just for `.com`, asks the .com servers just for `example.com`, and only sends the full name to the authoritative server for example.com. The result: intermediaries learn far less about what users are browsing. Unbound, BIND, and most modern resolvers enable it by default.

A UDP-based, TLS-integrated transport protocol that powers HTTP/3 and DNS over QUIC, offering faster setup and better loss recovery than TCP.

QUIC is a transport protocol built on UDP that bundles connection setup, encryption (TLS 1.3), and reliable, multiplexed streams into a single design. Each QUIC stream is independent, so a lost packet on one stream does not block the others (no TCP-style head-of-line blocking). Connections survive IP changes (handy on mobile), and 0-RTT resumption skips the handshake entirely for repeat visits. QUIC is the foundation under HTTP/3 and DoQ. Some corporate firewalls still block UDP/443 wholesale, which forces clients back onto HTTP/2 over TCP.

A precomputed lookup structure that trades disk space for time when cracking unsalted password hashes, mostly defeated today by per-password salts and slow hash functions.

A rainbow table, introduced by Philippe Oechslin in 2003, is a clever space-time tradeoff for inverting one-way hash functions: chains of hash-then-reduce operations let an attacker reverse an unsalted hash with much less storage than a full lookup table. Pre-built rainbow tables for unsalted MD5 and NTLM still cover huge fractions of historical password sets. The defence is trivial and well known: add a per-password random salt before hashing, so the same password produces a different hash for every user. Once salts are in place, rainbow tables provide no advantage over normal brute-force search.

A technique that limits how many requests a user or IP can make in a given time period.

Rate limiting is a security and performance mechanism that restricts the number of requests a client can make to a server within a defined time window (e.g., 100 requests per minute). If the limit is exceeded, subsequent requests are blocked or delayed, typically returning an HTTP 429 (Too Many Requests) response. Rate limiting protects against brute-force attacks, API abuse, web scraping, and denial-of-service attempts. Cloudflare error 1015 appears when a visitor exceeds a rate limit configured by the site owner.

A DNS server that chases queries through the full hierarchy (root, TLD, authoritative) on behalf of clients and caches the answers.

A recursive resolver is the workhorse of DNS. When a client asks for `www.example.com`, the resolver does the legwork: query a root server for `.com` referrals, query a .com server for `example.com` referrals, query example.com's authoritative server for `www`, then return the answer and cache it. Public recursive resolvers (1.1.1.1, 8.8.8.8, 9.9.9.9) handle billions of queries a day. Most ISPs run their own. The recursive resolver is also where DNSSEC validation, QNAME minimization, response-policy zones, and DoH/DoT endpoints live.

DNS response code 5: the server refused to answer, typically because of policy (e.g., not authoritative for the zone, ACL blocked).

REFUSED (RCODE 5) is what a DNS server returns when it understood the query but declined to process it. Common causes: the server is not authoritative for the zone and recursion is disabled (a hardened authoritative-only server), the query came from an IP outside the configured ACL, or rate-limiting policy kicked in. REFUSED is distinct from SERVFAIL (which signals a server-side failure) and NXDOMAIN (which signals the name does not exist). Seeing REFUSED on a domain you control usually points at a misdirected query, not a broken zone.

An ICANN-accredited company that sells domain registrations to end users and submits them to the registry via EPP.

A registrar is the customer-facing company where domains are bought, renewed, transferred, and managed. Examples include GoDaddy, Namecheap, Porkbun, Cloudflare Registrar, and Gandi. For every gTLD, the registrar must be accredited by ICANN and have a contract with the corresponding registry. Behind the scenes, the registrar talks EPP to the registry to provision the domain, then exposes a dashboard or API so the customer can edit DNS, nameservers, contacts, and the transfer auth code. Registrar choice affects price, transfer-out friction, WHOIS privacy defaults, and TLD availability.

The operator that runs a TLD's authoritative database and zone file, contracted by ICANN for gTLDs or designated by a government for ccTLDs.

A registry is the organisation that operates a TLD: it runs the authoritative nameservers, maintains the master database of every registered domain in the TLD, and publishes the zone file. Verisign runs .com and .net. Identity Digital runs .info and over 250 other gTLDs. Each ccTLD is operated by its country's designated registry (Nominet for .uk, AFNIC for .fr). End users do not interact with the registry directly; they go through a registrar, which in turn talks to the registry via EPP. Registry policy determines registration rules, premium pricing, and dispute procedures for the TLD.

A registry-level service that disables automated EPP changes to a domain, requiring an out-of-band manual process (phone or signed authorisation) to modify nameservers, contacts, or transfer status.

Registry lock is a high-assurance domain protection product offered by major registries (Verisign for .com/.net, Identity Digital for many gTLDs) on top of the standard EPP client*Prohibited status flags. Once enabled, no EPP command from the registrar can change NS, registrant, transfer status, or delete the domain. Unlocking requires a manual authentication ritual with the registry: phone calls, passphrases, designated personnel. Facebook, Google, Microsoft, and most banks use registry lock on their primary domains. It is the standard defence against the registrar-compromise hijack pattern (attacker takes over a registrar account and changes nameservers to steal traffic).

A server that sits in front of your web server and handles requests on its behalf.

A reverse proxy is a server that intercepts requests before they reach your origin server. It can cache content, filter malicious traffic, balance load across multiple servers, terminate SSL, and compress responses. Cloudflare is a reverse proxy: visitors connect to Cloudflare's network, and Cloudflare forwards legitimate requests to your origin. Nginx and HAProxy are common self-hosted reverse proxies. The "reverse" distinguishes it from a forward proxy, which sits in front of clients rather than servers.

Regional Internet Registry: one of five regional bodies (ARIN, RIPE, APNIC, LACNIC, AFRINIC) that allocate IP address blocks and ASNs.

There are five RIRs (Regional Internet Registries) that divide the world between them and allocate IPv4, IPv6, and AS numbers to ISPs, hosting providers, and enterprises within their region. ARIN covers North America, RIPE NCC covers Europe and parts of Asia, APNIC covers Asia-Pacific, LACNIC covers Latin America, and AFRINIC covers Africa. Each RIR runs its own WHOIS/RDAP service exposing who owns each IP block. When dnschkr looks up an IP, the RIR data is the source of truth for the assignment, abuse contact, and country.

A plain-text file at `/robots.txt` that tells web crawlers which paths on a site they may or may not fetch, formalised as the Robots Exclusion Protocol in RFC 9309.

robots.txt is the file every well-behaved crawler reads before requesting any other URL on a host. Each record names one or more `User-agent` lines and a set of `Allow` and `Disallow` rules. `Disallow: /admin/` asks crawlers to stay out of that subtree; `Disallow:` (empty) allows everything. The standard is advisory, so it stops Googlebot and friends but not malicious scrapers. robots.txt does not prevent indexing of URLs that are linked from elsewhere; it only blocks the crawl. To keep a page out of search results, use a `noindex` meta tag or `X-Robots-Tag` header instead.

The top of the DNS hierarchy, published by IANA, listing every TLD and the nameservers authoritative for it.

The root zone is the tiny but critically important file at the top of DNS. It contains a single entry per TLD (`.com`, `.uk`, `.xyz`, etc.) pointing at that TLD's authoritative nameservers, plus the DNSSEC keys that anchor the whole chain of trust. It is published by IANA and served by the 13 root server letters (A through M), each operated by a different organisation and replicated globally via anycast to hundreds of physical locations. Every recursive resolver on Earth has the root server addresses baked in and starts here when its cache is cold.

Publishing multiple A or AAAA records for one hostname so resolvers return them in rotating order, providing crude load distribution across servers.

Round-robin DNS is the simplest possible load balancing: list multiple A records for the same name, and authoritative servers shuffle the order in each response. Clients usually try the first IP, so traffic spreads across endpoints over many lookups. It is cheap, requires no extra infrastructure, and works with any DNS provider. The big caveats: there is no health checking (a dead IP keeps getting handed out until you manually remove it), TTLs and resolver caching skew the distribution, and a single client can stick to one IP for hours. For anything beyond hobby use, GeoDNS, anycast, or a real load balancer beats round-robin.

Resource Public Key Infrastructure: a cryptographic system where IP-block holders publish Route Origin Authorisations (ROAs) saying which ASNs may announce their prefixes, used to detect and reject BGP hijacks.

RPKI (Resource Public Key Infrastructure) lets the holder of an IP block sign a Route Origin Authorisation (ROA) stating "AS X may originate this prefix at length up to /Y". Routers performing Route Origin Validation (ROV) check incoming BGP announcements against ROAs and reject INVALID ones, blocking the most common form of prefix hijack. RPKI is anchored at the five RIRs (ARIN, RIPE, APNIC, LACNIC, AFRINIC), each running a Trust Anchor. Adoption has crossed 50% of routed prefixes globally; the remaining gap is what lets hijacks still succeed against unprotected origins. MANRS bundles RPKI deployment with other routing-security best practices.

Response Policy Zone: a DNS firewall mechanism where a recursive resolver overrides answers based on a policy zone, used for malware blocking, parental controls, and ad filtering.

RPZ (Response Policy Zone) is the open standard, originally designed by Paul Vixie and ISC, for plugging policy data into a recursive resolver. A policy zone is just an ordinary DNS zone whose records say "if a query matches this name (or the answer matches this IP), do X" where X is NXDOMAIN, NODATA, a redirect to a walled garden, or passthrough. BIND, Unbound, PowerDNS Recursor, and Knot Resolver all support it. Threat intelligence providers like Spamhaus, SURBL, and Farsight publish RPZ feeds that operators subscribe to via AXFR/IXFR for low-latency updates of millions of bad domains.

DNSSEC Resource Record Signature: the cryptographic signature attached to a DNS record set, proving it has not been tampered with.

An RRSIG (Resource Record Signature) is the DNSSEC record that holds the digital signature for every other record set in a signed zone. When a resolver fetches an A record for a DNSSEC-protected domain, it also fetches the matching RRSIG, then verifies the signature against the zone's DNSKEY. Each RRSIG includes the algorithm, the key tag of the signing key, an inception and expiration time, and the signature itself. Expired RRSIGs are one of the most common DNSSEC outages: signatures must be re-generated before they age out, even if no record content has changed.

The SMTP command that declares each envelope recipient, sent once per recipient after MAIL FROM.

`RCPT TO` is the SMTP command that declares one envelope recipient. The client sends it once per recipient after `MAIL FROM`, and the server accepts or rejects each one independently (250 OK, 550 mailbox unknown, 451 try later). This per-recipient handling is why a single message can succeed for some addresses and fail for others on the same delivery attempt. Modern anti-spam systems often delay the final accept/reject decision until after DATA, but the RCPT TO step is still where address-validation, recipient-throttling, and recipient-specific policy are enforced.

The legal holder of a domain registration, as recorded in RDAP/WHOIS.

The registrant is the legal owner of a domain: the person, organisation, or entity to whom the registrar has granted the right to use the name for the registration term. Registrant data lives in the domain's RDAP/WHOIS record and historically included full name, organisation, postal address, phone, and email. Since GDPR took effect in 2018, most gTLD registrar interfaces redact personal registrant data from public WHOIS by default, exposing only an anonymised contact form or registrar-hosted email. The registrant remains the only party that can authorise transfers, renewals, and (with the EPP auth code) deletion.

A unique, random value mixed into a password before hashing so identical passwords produce different hashes, defeating precomputed rainbow tables and cross-account collisions.

A salt is a per-password random value (typically 16+ bytes) concatenated with the password before it hits the hash function. Two users with the same password get two completely different stored hashes, which kills the economics of rainbow tables and prevents an attacker from spotting password reuse across accounts in one stolen database. Salts are not secret; they are stored alongside the hash so the same derivation can be reproduced at verification time. Modern password hashing functions (Argon2, bcrypt, scrypt, PBKDF2) all take a salt parameter and bake it into their standard encoded output, so the application rarely has to handle salts directly.

A memory-hard key derivation function designed by Colin Percival in 2009 that forces attackers to spend RAM as well as CPU, used in Litecoin and many password-storage systems.

Scrypt is a password-based key derivation function that, like Argon2, is deliberately memory-hard: computing a single hash requires holding a large block of data in RAM, which dramatically raises the cost of building GPU or ASIC cracking rigs. It takes three parameters: N (cost factor, memory and time), r (block size), and p (parallelism). Scrypt predates Argon2 by six years and is still a sound choice when Argon2 is not available; OWASP recommends `N=2^17, r=8, p=1` as a 2024-era baseline. It is also the proof-of-work function behind Litecoin and Dogecoin, chosen specifically because it resisted ASIC mining for years.

A virtual firewall in cloud platforms (AWS, GCP, Azure) that controls traffic to and from your server.

A security group is a cloud-based firewall provided by platforms like AWS, Google Cloud, and Azure. It defines which incoming (inbound) and outgoing (outbound) traffic is allowed to reach your cloud server. By default, security groups block all incoming traffic, so you must explicitly open ports like 80 (HTTP), 443 (HTTPS), and 22 (SSH). Misconfigured security groups are the most common cause of cloud data breaches. Accidentally leaving database ports (3306, 5432, 6379) open to the public internet is a critical vulnerability.

A TLS certificate signed with its own private key instead of by a Certificate Authority, trusted only by clients that have manually installed it.

A self-signed certificate is one where the issuer and subject are the same entity and the certificate is signed with its own private key, with no CA in the chain. Browsers refuse it by default with warnings like NET::ERR_CERT_AUTHORITY_INVALID, because there is no third party vouching for the identity. Self-signed certs are still useful in three cases: internal development environments, machine-to-machine traffic where both ends pin the public key, and as the root of a private CA where the operator manually trusts the self-signed root in every client. For anything public-facing, free certs from Let's Encrypt via ACME removed every reason to self-sign.

DNS response code 2: the resolver could not complete the query due to a server-side failure, often a broken DNSSEC chain or unreachable upstream.

SERVFAIL (RCODE 2) is the DNS equivalent of HTTP 500: the resolver tried to answer but something went wrong. The two most common causes are a broken DNSSEC chain (signatures expired, missing DS record after a key rollover) and an unreachable authoritative nameserver. Because resolvers cache SERVFAIL responses (briefly, but they do), a transient outage can linger for users after it appears fixed. SERVFAIL is distinct from NXDOMAIN: NXDOMAIN is a confident "this does not exist," SERVFAIL is "I cannot tell you."

Server Name Indication: a TLS extension that lets a server host multiple SSL certificates on one IP.

SNI (Server Name Indication) is an extension to the TLS protocol that allows a client to specify which hostname it is trying to connect to at the start of the SSL/TLS handshake. Before SNI, each SSL website needed its own dedicated IP address because the server could not know which certificate to present. With SNI, a single server on a single IP can host hundreds of HTTPS websites, each with its own certificate. Virtually all modern browsers and servers support SNI. Cloudflare error 525 can sometimes be caused by SNI issues.

Start of Authority: a DNS record containing administrative information about a DNS zone.

The SOA (Start of Authority) record is a mandatory DNS record at the top of every DNS zone. It contains administrative information including the primary nameserver, the email address of the zone administrator, a serial number that increments with each change, and timing values that control how often secondary nameservers check for updates. While you rarely need to edit SOA records directly, the serial number is important: secondary nameservers use it to know when zone data has changed.

Sender Policy Framework: a DNS record that lists which servers are allowed to send email for your domain.

SPF (Sender Policy Framework) is an email authentication standard published as a TXT record in your DNS. It lists the IP addresses and servers that are authorized to send email on behalf of your domain. When a receiving mail server gets an email from your domain, it checks the SPF record to see if the sending server is on the authorized list. If not, the email may be marked as spam or rejected. A common SPF record looks like: v=spf1 include:_spf.google.com ~all (authorizing Google to send email for the domain).

The DMARC requirement that the SPF-authenticated MAIL FROM domain match the visible From: header domain.

SPF alignment is the bridge between SPF (which validates the SMTP MAIL FROM, also called the Return-Path) and DMARC (which judges authenticity based on the visible From: header). A message passes DMARC via SPF only if SPF passes AND the MAIL FROM domain aligns with the From: domain. Strict alignment (`aspf=s`) requires an exact match; the default relaxed alignment (`aspf=r`) accepts an organisational match (e.g., bounces.example.com aligns with example.com). Many third-party senders break alignment by using their own bounce domain, which is why DKIM (with its own alignment rule) is usually the more reliable DMARC pass path.

Also called split-brain DNS: serving different DNS answers for the same name depending on whether the query comes from inside or outside the network, often used to expose internal IPs to LAN clients only.

Split-horizon DNS (or split-brain DNS) is the practice of running two views of the same zone, one for internal clients and one for the public internet, with different answers for the same names. A typical use: `app.example.com` resolves to the internal 10.0.0.5 for office and VPN users, and to the public load balancer IP for everyone else. It is implemented either by running separate authoritative servers per audience, or by view configuration in BIND/PowerDNS that selects records based on the source IP of the query. Risks include desync between the two views and the assumption that "internal" clients can be reliably identified, which mobile and remote work have steadily eroded.

The encryption protocols that secure data transmitted between a browser and a web server.

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols that encrypt communication between two parties on the internet. TLS is the modern successor to SSL; when people say "SSL" today, they usually mean TLS. The protocol works through a handshake where the client and server agree on cipher suites and exchange keys, protecting against eavesdropping and tampering. RFC 8996 (2021) formally deprecated TLS 1.0 and 1.1, so TLS 1.2 is the practical floor (required by PCI DSS and modern browsers) and TLS 1.3 (RFC 8446) is the recommended target. Cloudflare errors 525 and 526 are caused by TLS problems between Cloudflare and the origin.

A digital certificate that proves a website's identity and enables encrypted HTTPS connections.

An SSL/TLS certificate is a digital document installed on a web server that does two things: it proves the server's identity (you are really connecting to example.com, not an imposter) and it enables encryption via HTTPS. Certificates are issued by trusted Certificate Authorities (CAs) like Let's Encrypt (free), DigiCert, or Cloudflare's Origin CA. They contain the domain name, the issuing CA, the expiration date, and a public key used for encryption. Expired or misconfigured certificates cause Cloudflare errors 525 and 526, and browsers will show security warnings.

An SMTP extension that upgrades a plaintext mail connection to TLS encryption mid-session.

STARTTLS is the SMTP extension that lets two mail servers begin a connection in plaintext on port 25 (or submission port 587), then upgrade to a TLS-encrypted channel using the STARTTLS command. Because the upgrade is opportunistic, an on-path attacker can strip the STARTTLS announcement and force the session to stay in plaintext, which is why MTA-STS and DANE exist: they let receiving domains require TLS rather than merely offer it. STARTTLS is also used by IMAP, POP3, and other protocols that started life unencrypted.

The minimal DNS client built into operating systems and applications that forwards every query to a configured recursive resolver instead of doing recursion itself.

A stub resolver is the tiny DNS client in your operating system (or in libc's `getaddrinfo`, or in a programming language's DNS library) that sends every query to one or more upstream recursive resolvers and trusts whatever comes back. It does not walk the DNS hierarchy itself; it does not cache much beyond the response TTL; it does not validate DNSSEC unless explicitly configured. The OS picks the upstream from DHCP, manual config, or a VPN. The stub is the layer that decides whether to use DoH, DoT, or plain port-53 UDP, and it is where features like systemd-resolved's per-domain routing live.

A domain that is part of a larger domain, like blog.example.com or api.example.com.

A subdomain is a prefix added to your main domain to create a separate web address. In blog.example.com, "blog" is the subdomain and "example.com" is the parent domain. Subdomains can have their own DNS records, pointing to different servers or services. Common uses include api.example.com for APIs, mail.example.com for email, and staging.example.com for testing. Each subdomain needs its own A, AAAA, or CNAME record in DNS. There is no limit to how many subdomains you can create.

Claiming a subdomain pointed at an abandoned third-party service (an unclaimed Heroku app, deleted S3 bucket, expired Azure host) by registering that resource yourself and inheriting the trusted hostname.

Subdomain takeover happens when a dangling DNS record points at a cloud or SaaS resource that no longer exists, and the attacker registers a new resource of the same name. A CNAME like `marketing.example.com → example-marketing.herokuapp.com` is dormant after the Heroku app is deleted; whoever next claims `example-marketing.herokuapp.com` controls the content served at `marketing.example.com`, including cookies for the parent domain and the appearance of legitimacy for phishing. Detection scans every CNAME in a zone for resources that return the cloud provider's "this app does not exist" page. The fix is to remove the DNS record before tearing down the resource it points at.

A 160-bit hash function published by NIST in 1995, now broken for collision resistance and disallowed in TLS certificates since 2017.

SHA-1 (Secure Hash Algorithm 1) produces a 160-bit digest. It was the default web hash for over a decade but Google and CWI Amsterdam demonstrated a practical collision (SHAttered) in 2017. Browsers stopped trusting SHA-1 TLS certificates that same year, and CAs no longer issue them. SHA-1 lingers in legacy protocols (Git object IDs, older TLS HMAC suites, some DNSSEC NSEC3 deployments) and remains acceptable for non-cryptographic integrity checking. New designs should use SHA-256 or SHA-3.

A 256-bit hash function from the SHA-2 family, the current default for TLS certificates, code signing, and most integrity uses.

SHA-256 is a member of the SHA-2 family standardised in FIPS 180-4. It produces a 256-bit digest and has no known practical collision attack. SHA-256 is the default hash for TLS certificate signatures, code signing, Bitcoin proof-of-work, Git's planned object hash transition, and most modern HMAC and KDF constructions. For password storage it should always be wrapped in a slow KDF (bcrypt, scrypt, Argon2, PBKDF2), never used raw, because its speed makes brute force trivial for short inputs.

A 2015 NIST hash standard based on the Keccak sponge construction, designed as a structural alternative to SHA-2.

SHA-3 is the hash family NIST standardised in 2015 (FIPS 202), based on the Keccak sponge construction that won the SHA-3 competition. It is not a replacement for SHA-2 (SHA-2 remains secure) but a structural alternative built on different math, so a future break of one is unlikely to apply to the other. SHA-3 supports the same digest sizes as SHA-2 (224, 256, 384, 512) and adds extendable-output functions (SHAKE128, SHAKE256) for variable-length output. Ethereum uses Keccak-256 (the pre-standardisation variant) for addresses and hashes.

A 512-bit hash function from the SHA-2 family, optimised for 64-bit processors and used where extra digest length helps.

SHA-512 is the wide variant of SHA-2, producing a 512-bit digest. On 64-bit CPUs it is often faster than SHA-256 because its internal operations are native 64-bit. SHA-512 is used in HMAC for high-entropy MAC keys, in `crypt(3)` style Linux shadow hashes (`$6$` prefix), in some TLS 1.3 cipher suites, and as the base hash in modern KDFs that want extra collision margin. It has no known practical collision attack.

The transport-layer addressing of an email (MAIL FROM and RCPT TO), separate from and often different from the visible headers.

The SMTP envelope is the outer addressing that mail servers actually use to route a message: the `MAIL FROM` (envelope sender, used for bounces and SPF) and one or more `RCPT TO` recipients. The envelope is distinct from the `From:`, `To:`, `Cc:` headers the user sees in the message body. A message can have a `To:` header listing one address while the envelope `RCPT TO` is a hundred different recipients (a Bcc explosion), and the envelope `MAIL FROM` can differ from the `From:` header (which is exactly what DMARC alignment checks). The envelope is discarded once the message is delivered.

A temporary email delivery failure (SMTP 4xx), such as a full mailbox or transient server error, that should be retried.

A soft bounce is a temporary SMTP rejection (a 4xx code): mailbox full (452 4.2.2), greylisted (451 4.7.1), connection timed out, or recipient server unavailable. The sending MTA should retry on a backoff schedule (typically up to several days) before giving up. Soft bounces that persist eventually convert to hard bounces in most ESP tracking. A spike in soft bounces from one provider often signals greylisting of a new IP or a reputation issue that has not yet escalated to outright blocking.

An email address used only to catch senders with poor list hygiene, never legitimately signed up for any mail.

A spam trap is an email address that exists only to receive spam. Pristine traps are never used for any signup, so any mail arriving means the sender scraped or guessed the address. Recycled traps are old abandoned addresses that mailbox providers turn into traps after a long inactivity period, so hitting one means the sender's list is stale. Hitting traps damages sender reputation severely and is one of the fastest paths to a deny-list listing. Good list hygiene (confirmed opt-in, prompt suppression of hard bounces, sunset policies for unengaged recipients) prevents trap hits.

A small DNS zone that contains only the NS and glue records for a parent or peer zone, used to short-circuit referrals.

A stub zone is a minimal zone configured on a recursive or authoritative nameserver that holds only the NS records (and any required glue) for another zone. It does not hold the actual data of that zone. The point is to short-circuit the normal delegation walk: a resolver with a stub zone for `internal.example.com` knows the authoritative nameservers for it directly, without having to ask the root or `example.com` parent. Microsoft DNS and BIND both support stub zones; they are common in split-horizon and Active Directory deployments.

Transmission Control Protocol: a reliable, connection-based protocol used for most internet traffic.

TCP (Transmission Control Protocol) is one of the two main transport protocols of the internet (the other being UDP). TCP establishes a connection using a three-way handshake (SYN, SYN-ACK, ACK) before sending data, guarantees that all data arrives in order, and automatically retransmits lost packets. This reliability makes TCP the protocol of choice for web browsing (HTTP/HTTPS), email, file transfers, and SSH. The trade-off is slightly higher latency compared to UDP because of the connection setup and error checking overhead.

The three-step process (SYN, SYN-ACK, ACK) that establishes a TCP connection.

The three-way handshake is how two devices establish a TCP connection before exchanging data. First, the client sends a SYN (synchronize) packet. The server responds with SYN-ACK (synchronize-acknowledge). Finally, the client sends ACK (acknowledge) and the connection is established. This process confirms both sides are ready to communicate. When a port scan shows a port as "open," it means the three-way handshake completed successfully. If the server sends RST (reset) instead of SYN-ACK, the port is "closed." If there is no response at all, the port is "filtered."

Top-Level Domain: the last part of a domain name, like .com, .org, or .io.

A TLD (Top-Level Domain) is the rightmost segment of a domain name: the part after the last dot. In example.com, ".com" is the TLD. TLDs come in several categories: generic TLDs (gTLDs) like .com, .org, .net; country-code TLDs (ccTLDs) like .uk, .de, .jp; and newer TLDs like .io, .dev, .app. Each TLD is managed by a registry (e.g., Verisign manages .com). The TLD you choose affects your domain's perception, availability, and sometimes its rules for registration.

The three main TLD categories: generic (gTLD like .com), country-code (ccTLD like .uk), and sponsored (sTLD like .gov).

TLDs fall into three operational categories. Generic TLDs (gTLDs) include the legacy set like .com, .net, .org plus the 1,200+ New gTLDs from the 2012 ICANN round (.app, .dev, .xyz, brand TLDs like .google). Country-code TLDs (ccTLDs) are two-letter codes assigned to countries and territories under ISO 3166, like .uk, .de, .jp, .io. Sponsored TLDs (sTLDs) are restricted to a specific community and run by a sponsoring organisation, like .gov for US government, .edu for accredited US universities, .museum for museums. Internationalised TLDs (IDN ccTLDs) like .닷넷 are a separate category implemented via Punycode.

An on-path attack that tricks a client and server into negotiating a weaker version of TLS or an obsolete cipher suite than both endpoints actually support.

A TLS downgrade attack manipulates the handshake so that two endpoints capable of TLS 1.3 with strong ciphers end up speaking TLS 1.0 with RC4, or fall back to plaintext entirely. Historical examples include POODLE (forcing SSLv3), FREAK (forcing export-grade RSA), and Logjam (forcing weak Diffie-Hellman). Mitigations are layered: TLS 1.3 made downgrade detection mandatory by signalling the highest supported version inside the random bytes; servers should disable TLS 1.0/1.1 and obsolete ciphers entirely; HSTS prevents protocol downgrade from HTTPS to HTTP; and for email, MTA-STS and DANE both pin TLS so opportunistic STARTTLS cannot be silently stripped.

The process where a client and server negotiate encryption before exchanging data over HTTPS.

The TLS handshake happens after the TCP connection is established and before any HTTP data is exchanged. During the handshake, the client and server agree on a TLS version and cipher suite, the server presents its SSL certificate, the client verifies the certificate's validity, and both sides generate session keys for encryption. This entire process typically takes one round-trip (TLS 1.3) or two (TLS 1.2). Cloudflare error 525 occurs when this handshake fails between Cloudflare and the origin server.

SMTP TLS Reporting: a TXT record that asks sending mail servers to report TLS negotiation failures back to the domain owner.

TLS-RPT (SMTP TLS Reporting) is published as a TXT record at `_smtp._tls.example.com` and tells sending mail servers where to send daily aggregate reports about TLS connection attempts to the domain. Reports include successful sessions, failed STARTTLS negotiations, certificate mismatches, and MTA-STS policy violations. Without TLS-RPT, a misconfigured MTA-STS policy or expired certificate on a mail server can silently break inbound mail with no visibility. With it, the domain owner finds out within 24 hours which senders saw which failures, and from where.

The root public key that a DNSSEC-validating resolver trusts implicitly, used as the starting point for the chain of trust.

A trust anchor is a public key that a validator accepts as authentic without further verification: the root of the trust tree. For DNSSEC, every validating resolver on Earth ships with the IANA-published root zone KSK as its trust anchor. From there, the resolver can follow DS records down through TLDs to individual domains. The root KSK is rotated rarely (the famous 2018 rollover from KSK-2010 to KSK-2017 took years of preparation), and resolvers update via RFC 5011 automatic trust anchor updates. A wrong or outdated trust anchor breaks DNSSEC validation for the entire internet from that resolver's perspective.

Transaction Signature: a shared-secret HMAC scheme that authenticates DNS messages, used most often to secure AXFR and dynamic updates.

TSIG (Transaction Signature) authenticates DNS messages using a shared symmetric key and an HMAC. The primary and secondary nameservers (or a DNS client and server) agree on a key out of band, then sign each request and response. TSIG is the standard way to lock down AXFR/IXFR zone transfers so only authorised secondaries can pull a zone, and to authenticate dynamic DNS updates from DHCP servers. Unlike DNSSEC, TSIG is point-to-point and uses pre-shared keys, so it does not need to scale to the public internet.

Time to Live: how long a DNS record is cached before it is looked up again.

TTL (Time to Live) is a value on every DNS record that tells DNS resolvers how long to cache the record before checking for an update. A TTL of 3600 means the record is cached for 1 hour. Low TTLs (60-300 seconds) mean changes take effect quickly but generate more DNS queries. High TTLs (86400 seconds = 24 hours) reduce DNS traffic but mean changes propagate slowly. Before making DNS changes, it is common practice to lower the TTL in advance so the old record expires quickly from caches worldwide.

A DNS record that holds arbitrary text data, commonly used for domain verification and email security.

A TXT (Text) record is a flexible DNS record type that stores text strings. While it can hold any text, TXT records are most commonly used for: SPF records (email authentication), DKIM public keys, DMARC policies, domain ownership verification (Google, Microsoft, and other services ask you to add a specific TXT record to prove you own the domain), and security policies. A single domain can have multiple TXT records, and each can contain up to 255 characters per string (with multiple strings concatenated).

Registering a domain that closely resembles a popular brand (gogle.com, paypa1.com) to capture mistyped traffic for phishing or ads.

Typosquatting is the practice of registering domains that exploit common typing mistakes, like `gogle.com`, `amazno.com`, or `paypa1.com` (with a digit 1 in place of an 'l'). The squatter monetises the captured traffic with ads, parking pages, or outright phishing pages that mimic the real brand. The same technique applied to nameservers (typosquatted NS hostnames) is a known attack vector that dnschkr has researched at scale. Defences for brand owners include defensive registrations of likely typos, trademark enforcement via UDRP, and monitoring newly registered domains for lookalike patterns.

The technical point of contact for a domain, traditionally responsible for DNS and operational issues.

The technical contact is one of the legacy RDAP/WHOIS roles, originally meant for the engineer responsible for the domain's DNS, hosting, and operational matters. Like the admin contact, most public tech contact data for gTLDs was redacted after GDPR took effect in 2018. The role remains useful for ccTLDs that still expose it, for enterprise domains where it points at a NOC, and as a structured field in RDAP that incident responders can extract programmatically.

The 2008 TLS version that remains widely deployed alongside TLS 1.3 for compatibility with older clients.

TLS 1.2 (RFC 5246) is the version of TLS published in 2008. It introduced authenticated encryption suites (AES-GCM), SHA-256 in PRF and signatures, and removed MD5/SHA-1 from required suites. It remains widely supported alongside TLS 1.3 because older clients (legacy Android, Java 7, Windows 7 era browsers) cannot negotiate 1.3. A well-configured TLS 1.2 deployment uses only forward-secret ECDHE suites, AEAD ciphers, and disables RC4, 3DES, CBC, and static RSA key exchange. TLS 1.0 and 1.1 were deprecated by RFC 8996 in 2021.

The 2018 redesign of TLS with faster handshakes (1-RTT, 0-RTT), AEAD-only ciphers, and mandatory forward secrecy.

TLS 1.3 (RFC 8446) is a major redesign of the protocol published in 2018. The handshake completes in one round trip (and supports 0-RTT resumption for repeat connections), all key exchanges are forward-secret, only AEAD ciphers are allowed, and a long list of legacy features (RSA key transport, static DH, custom DHE groups, compression, SHA-1 signatures, renegotiation) was removed. Cipher suite names no longer encode the key exchange or signature algorithm (those are negotiated separately). TLS 1.3 plus ECH is the modern privacy-preserving baseline.

User Datagram Protocol: a fast, connectionless protocol used for DNS, gaming, and streaming.

UDP (User Datagram Protocol) is the other main transport protocol alongside TCP. Unlike TCP, UDP does not establish a connection first: it just sends data and hopes it arrives. There is no handshake, no guaranteed delivery, and no ordering. This makes UDP faster and more efficient for use cases where speed matters more than reliability: DNS queries, online gaming, video streaming, VoIP calls, and VPN tunnels (WireGuard). The trade-off is that lost packets are not automatically retransmitted. UDP port scans are inherently ambiguous because no response could mean "open" or "filtered."

Uniform Domain-Name Dispute-Resolution Policy: the ICANN process trademark holders use to recover infringing domains without going to court.

UDRP (Uniform Domain-Name Dispute-Resolution Policy) is the binding arbitration policy every ICANN-accredited registrar enforces against its customers. A trademark holder who believes a domain was registered and used in bad faith (the classic case being typosquatting or cybersquatting) can file a UDRP complaint with an approved provider like WIPO or the Forum. If they prove all three required elements (identical or confusingly similar, no legitimate interest, bad faith), the domain is transferred or cancelled within roughly 60 days, without a lawsuit. UDRP does not cover ccTLDs, which run their own dispute procedures.

A string sent with every HTTP request that identifies the browser or client making the request.

The User-Agent is an HTTP header that every browser and HTTP client sends with each request to identify itself. It typically includes the browser name, version, operating system, and rendering engine. For example, Chrome on Windows might send: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0.0.0." Servers use this to serve appropriate content, and security tools use it to detect bots. Cloudflare's Browser Integrity Check (error 1010) blocks requests with suspicious or missing User-Agent headers.

Verified Mark Certificate: a special certificate that proves a domain owns the logo it displays via BIMI in supported mail clients.

A VMC (Verified Mark Certificate) is a specialised X.509 certificate issued by a small set of authorities (DigiCert, Entrust) after the applicant proves trademark ownership of the logo through a registered trademark in a recognised jurisdiction. Gmail, Yahoo, and Apple Mail require a valid VMC before they will display a brand's BIMI logo in the inbox. Issuance is more involved than a standard TLS certificate, typically several weeks and a four-figure annual cost, which is why VMC adoption is concentrated in larger brands that benefit visibly from logo display.

Web Application Firewall: a security layer that filters and blocks malicious HTTP traffic.

A WAF (Web Application Firewall) is a specialized firewall that sits in front of a web application and inspects every HTTP request for malicious patterns. It protects against common attacks like SQL injection, cross-site scripting (XSS), file inclusion, and other OWASP Top 10 vulnerabilities. Unlike a traditional firewall that works at the network level (IP addresses and ports), a WAF understands HTTP and can analyze URLs, headers, cookies, and request bodies. Cloudflare's WAF is responsible for error 1020 (Access Denied) when a rule matches a request.

A registrar service that substitutes the registrant's real contact details in public WHOIS/RDAP output with the registrar's own proxy contact details, hiding personal data from scrapers.

WHOIS privacy (also called proxy or privacy/proxy service) replaces a registrant's name, address, phone, and email in public WHOIS and RDAP output with the registrar's proxy contact. The registrar still knows the real registrant; only public lookups are masked. After GDPR took effect in 2018, most registrars redact personal data for EU registrants by default. ICANN's 2023 Registration Data Policy formalised the global rules: technical, abuse, and registrant-organisation fields stay public, but personal data is redacted, and a separate request channel exists for legitimate requestors (law enforcement, IP holders). Domain transfer and abuse-handling workflows still work through the proxy email.

A DNS record whose label is `*`, matching any subdomain that does not have an explicit record, often used to catch all subdomains for a single application or wildcard TLS certificate.

A wildcard DNS record uses `*` as the leftmost label and answers queries for any subdomain that does not have an explicit record. `*.example.com. A 192.0.2.10` means that `foo.example.com`, `bar.example.com`, and `anything.example.com` all resolve to `192.0.2.10`, while `mail.example.com` keeps its own explicit answer if one exists. Wildcards are essential for multi-tenant SaaS (`*.myapp.com`) and pair with wildcard TLS certificates issued via ACME dns-01. The footguns: wildcards do not match multi-label depths (`a.b.example.com` does not match `*.example.com`), they do not match the apex, and combining them with CNAMEs or DNSSEC requires careful zone design.

TCP/UDP ports 0 to 1023, reserved by IANA for standardised services like HTTP (80), HTTPS (443), and SSH (22).

Well-known ports are TCP and UDP ports in the range 0 to 1023, reserved by IANA for standardised services. Binding to a well-known port traditionally requires root or CAP_NET_BIND_SERVICE on Unix. Familiar assignments include 22 (SSH), 25 (SMTP), 53 (DNS), 80 (HTTP), 443 (HTTPS), 587 (Submission), 993 (IMAPS). Ports 1024 to 49151 are registered (assigned but not as tightly controlled), and 49152 to 65535 are ephemeral (used by clients for outbound connections). IANA publishes the canonical assignment list.

A text file containing all DNS records for a domain: the complete DNS configuration.

A zone file is a plain text file that contains all the DNS records for a domain, stored on the authoritative nameserver. It defines everything about the domain's DNS: its A records, MX records, CNAME records, TXT records, nameservers, and more. Each line in the zone file is a DNS record. When you edit DNS records through a web interface (like Cloudflare's dashboard or your registrar's control panel), you are modifying the zone file behind the scenes. System administrators can also import and export zone files directly for bulk DNS management.

The DNS operation that replicates a zone file from a primary nameserver to one or more secondary nameservers.

A zone transfer is how DNS keeps multiple authoritative nameservers in sync for the same zone. The primary nameserver holds the master copy of the zone file; secondaries pull updates either fully (AXFR) or incrementally (IXFR), typically authenticated with TSIG. Healthy operation requires that all secondaries answer with identical data, so an unrestricted or broken zone transfer is both an information disclosure risk (anyone can dump the zone) and a consistency risk. Auditing for accidentally open AXFR is a standard external-attack-surface check.

Zone Signing Key: the DNSSEC key used to sign all the resource record sets in a zone, rotated frequently.

A ZSK (Zone Signing Key) is the DNSSEC key that does the day-to-day signing of every record set in a zone, producing the RRSIG records that validating resolvers verify. ZSKs are typically smaller and shorter-lived than KSKs because rotating one does not require any coordination with the parent zone: just publish a new DNSKEY, re-sign with it, then retire the old one. Many operators run automated ZSK rollovers every 1 to 3 months. The split between KSK and ZSK lets operators have both strong long-term trust anchors and agile day-to-day key hygiene.

A vulnerability being exploited in the wild before the vendor has released a patch (zero days of warning).

A zero-day (0-day) is a vulnerability for which no patch exists at the time of exploitation. The name reflects the defender's lead time: zero days to prepare before attacks begin. Zero-day exploits are valuable, traded on commercial markets and government stockpiles, and typically reserved for high-value targets to avoid burning the capability. CISA's Known Exploited Vulnerabilities (KEV) catalog tracks confirmed in-the-wild exploitation and sets remediation deadlines for US federal agencies. A vulnerability stops being a zero-day once a patch is published, even if many systems remain unpatched.