Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


DNS Glue -- WHAT and WHY

Published on
9,667 Points
2 Endorsements
Last Modified:
Daniel McAllister
Working in computing since 1987, and in IT since 2000, Dan McAllister is a Developer & Admin for the QMail Toaster project.
One of the most often confused topics in the area DNS is the idea of GLUE records. Specifically, what they are, when they are needed, when they are provided, and how they are created.

To understand GLUE, you must first understand that DNS is a top-down, recursive, distributed database. Thus, to resolve (on your own) the name host.example.com., you first contact one of the 13 top-level (root) DNS servers and ask about .com. The reply will tell you where to find .com's nameservers, so you'll choose one of those and ask about example.com. The result will tell you where example.com's nameservers are, so you'll choose one of those to ask about host.example.com, whereupon you finally get your reply:

That's all well and good, until you look deeper and see that nameserver entries are NAMES, not IP addresses. So if the nameserver for example.com is dns.example.com, you're going to be stuck -- you can't query the nameserver dns.example.com for the name dns.example.com because its self-referencing. (The term in DNS, is circular.)

That is where GLUE comes in. GLUE is simply an IP address of a nameserver that is provided as "additional data" in the DNS reply from a parent server. So, when I query the .com server for example.com's nameservers, it will reply not just with dns.example.com, but also with the IP address of dns.example.com ( in the "additional data" area of the response. Thus, I don't get caught in a loop, and I also save an additional query.

Specifically, any time a nameserver for a subdomain is within the parent's own domain, GLUE must be provided. However, it is also common for GLUE to be provided at other times -- lets look at an example to see:
Suppose example.com has 4 nameservers:

In the first case, when we query the .com server for example.com, since the return value is dns.example.com (which is within our own domain), we MUST include GLUE -- the result otherwise would be circular.

In this case, the owner of example.com has to provide the GLUE data at their registrar (that is, I have to create a special entry at the registrar that says that the IP address of dns.example.com is so that it can be included in queries for example.com).

In the second case, when we query the .com server for example.com, since the return value is dns.other.com, GLUE doesn't technically HAVE to be provided, but if you look at what comes next (a second query to the .com server for the NS entries for other.com) and realize that the data is therefore already available in that server, it makes sense that the TLD will preemptively provide the GLUE -- in fact, it will do so for any other .com name listed.

However, it is important to note that the owner of other.com has to have created their own GLUE record for that nameserver at their own registrar.

In the third case, when we query the .com server for example.com, since the return value is dns.another.net, the result is on another TLD -- BUT in this case, the same .com server (physical server) is also a .net TLD server (common for those particular TLDs), so GLUE is provided -- essentially as a convenience -- it is, after all, preventing a query to its .net service. This is similar to the second example, but the fact that GLUE is provided is almost accidental, and not guaranteed.

In the third case, when we query the .com server for example.com, since the return value is dns.otro.es, the result is on another TLD, and this time not one that the .com server just happens to also service. Thus, no GLUE can be provided and the querying client must now independently resolve the name starting with the .es TLD. More work for the client, but the data just isn't on the .com server to provide...
The technical answer is that if you're providing your own DNS service, you will need GLUE. But in practice, you can just specify your DNS servers at your registrar... if GLUE would be needed, and isn't already present, your registrar will tell you (it won't allow the entry).

GLUE entries must be made in the parent domain. In the examples shown here, I had to create a GLUE entry for dns.example.com in the .com server. To do that, I used tools at my registrar's site to create a host entry on the .com servers. Typically, you can only create host entries for the domain you are managing on that registrar.

However, if I had a sub-domain for example.com (sub1.example.com) that had DNS servers at ns.sub1.example.com, then I would have to make GLUE entries (they are just A records) in the example.com zone for ns.sub1.example.com. The values will be used as GLUE automatically by all major DNS server software packages.
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
LVL 32

Expert Comment

Well written. Excellent. Useful.

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Join & Write a Comment

Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Please read the paragraph below before following the instructions in the video — there are important caveats in the paragraph that I did not mention in the video. If your PaperPort 12 or PaperPort 14 is failing to start, or crashing, or hanging, …
Other articles by this author

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month