What is a DNS Zone?

A DNS zone is the container that holds the records for a portion of the domain name space. It is the unit you actually administer when you manage DNS: a zone is what your provider stores, what gets transferred between nameservers, and what defines how a domain and its subdomains behave. Understanding zones clears up a lot of confusion about where records live and who is responsible for them.

What is a DNS zone?

A DNS zone is a slice of the domain name space that a single administrator manages as one unit. In practical terms, it is the collection of records for a domain that lives together on a set of authoritative nameservers. When you log into a DNS provider and see all the records for example.com in one place, you are looking at a zone.

The concept exists to divide DNS into manageable pieces. The global name space is enormous, so responsibility is delegated downward and each delegated section becomes its own zone with its own owner. For background on the wider system, see what is DNS.

Zone vs domain

Zone and domain are often used interchangeably, but they are not the same thing. A domain is simply a name in the hierarchy, such as example.com. A zone is the administrative boundary that holds the records for that name.

  • Most of the time a single zone covers an entire domain, so the two line up neatly.
  • But a domain can be split into several zones. If you delegate support.example.com to a different set of nameservers, that subdomain becomes its own zone, separate from the parent.
  • Conversely, a zone never spans a delegation boundary; the moment a subdomain is delegated, it leaves the parent zone.

The short version: a domain is a name, a zone is the unit of records and responsibility behind it.

The zone file and records

A zone's contents are described by a zone file, the text format that lists every record the zone contains. Each zone has a clear structure that always begins at its apex:

  • SOA record — a single SOA record sits at the apex of every zone. It marks the start of authority, names the primary nameserver, and carries timing values like the refresh interval.
  • NS records — declare the authoritative nameservers for the zone.
  • Resource records — the A, AAAA, CNAME, MX, TXT, and other records that define where the domain's services live.

Every zone must have exactly one SOA record and at least one NS record; without them it is not a valid zone. See the full list of DNS record types for everything else a zone can hold.

Delegation, subdomains, and subzones

Subdomains can be handled in two different ways, and the choice determines how many zones you have:

  • Inside the parent zone — most subdomains, like www.example.com or blog.example.com, are just records within the parent zone. They share the same nameservers and the same administration.
  • Delegated to a subzone — you can instead delegate a subdomain to its own nameservers using NS records. That subdomain then becomes a separate zone, managed independently, and the parent only keeps the delegation pointing to it.

Delegation is the same mechanism that creates zones at every level of DNS, from the root delegating to top-level domains, down to a company delegating an internal subdomain to a different team.
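
The validity rule (exactly one SOA, at least one NS) and the delegation boundary described above can be checked mechanically. The following is an added example, not code from this page or from any DNS product; the sample zone, the helpdesk.example.net nameserver, and the function names parse and audit_zone are constructed for illustration, and the parser assumes one fully qualified record per line.

```python
from collections import defaultdict

# Constructed sample: one record per line, fully qualified owner names. Real zone
# files also allow $ORIGIN, relative names and multi-line records (not handled).
SAMPLE_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 300
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN NS ns2.example.com.
ns1.example.com. 3600 IN A 192.0.2.1
ns2.example.com. 3600 IN A 192.0.2.2
www.example.com. 300 IN A 192.0.2.10
blog.example.com. 300 IN CNAME www.example.com.
support.example.com. 3600 IN NS ns1.helpdesk.example.net.
portal.support.example.com. 300 IN A 192.0.2.99
"""

def parse(text):
    """Return (owner, type, rdata) tuples, skipping comments and blank lines."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if line:
            name, _ttl, _class, rtype, rdata = line.split(None, 4)
            records.append((name.lower(), rtype.upper(), rdata.lower()))
    return records

def audit_zone(text, apex):
    """Check the SOA/NS rule and list delegations plus records stranded below them."""
    records, problems, apex = parse(text), [], apex.lower()
    soa_owners = [name for name, rtype, _ in records if rtype == "SOA"]
    if soa_owners != [apex]:
        problems.append("expected exactly one SOA record, at the apex")
    if not any(name == apex and rtype == "NS" for name, rtype, _ in records):
        problems.append("expected at least one NS record at the apex")
    # NS records below the apex are delegations: each owner name starts a subzone.
    cuts = defaultdict(list)
    for name, rtype, rdata in records:
        if rtype == "NS" and name != apex:
            cuts[name].append(rdata)
    # Anything under a delegated name belongs to the child zone, except glue
    # (A/AAAA records for that delegation's own nameservers).
    stranded = [(name, rtype) for name, rtype, _ in records
                for cut, servers in cuts.items()
                if name.endswith("." + cut)
                and not (rtype in ("A", "AAAA") and name in servers)]
    return {"problems": problems, "delegations": dict(cuts), "stranded": stranded}

if __name__ == "__main__":
    print(audit_zone(SAMPLE_ZONE, "example.com."))
```

In the sample, portal.support.example.com is reported as stranded: it was left in the parent zone after support.example.com was delegated, so the parent's copy no longer describes how that name resolves.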

Managing zones

In day-to-day work, managing a zone means adding, editing, and removing the records inside it through your DNS provider. Because a zone is the single source of truth for how a domain resolves, a single bad edit, a deleted record, or an unexpected change can break a website or reroute email.

That is exactly what ZoneWatcher guards against. It monitors your entire zone, every record in it, around the clock, and alerts you the instant anything is added, changed, or removed, whether the change was an honest mistake or something malicious.
