The Domain Name System turns human-readable names like example.com into the IP addresses that
actually route packets across the internet. Almost every web, email, and API problem you will
ever debug eventually leads back to a DNS record. This beginner-friendly guide walks through the
resolution chain, the seven record types you must know, a real-world troubleshooting playbook, and how to
use a DNS lookup tool like a pro.
What Is DNS?
Computers communicate using numeric IP addresses (like 93.184.216.34 or
2606:2800:220:1::1946). Humans remember names. DNS is the global, hierarchical,
distributed database that maps one to the other. Defined in RFC 1034 and RFC 1035
(1987), it remains one of the most successful pieces of internet infrastructure ever designed.
📖 Definition — A DNS lookup is the act of asking a resolver for the value of
a record (e.g., the A record of example.com) and receiving the answer along with a
TTL that tells caches how long they can store it.
How a DNS Lookup Actually Works
When you type example.com into a browser, the following sequence happens — usually in 20–120 ms:
1. Stub resolver — Your OS asks the configured recursive resolver (ISP, 1.1.1.1, 8.8.8.8).
2. Cache check — The resolver answers immediately if it has a fresh cached entry.
3. Root servers — If not cached, the resolver asks one of the 13 root server clusters: "where is .com?"
4. TLD nameservers — The .com servers respond with the authoritative nameservers for example.com.
5. Authoritative nameserver — Returns the actual A/AAAA record + TTL.
6. Browser connects — Your browser opens a TCP/TLS connection to the IP and sends the HTTP request.
💡 Caching happens at every layer (browser, OS, router, ISP, public resolver). That is why a single DNS change can take minutes for some users and hours for others — see our companion article DNS Propagation: How Long Does It Take?
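The six-step chain above, as an added example that is not code from the original article: a tiny simulated recursive resolver walks root → TLD → authoritative, chases a CNAME, and answers from cache until the TTL expires. The zone data and the `now` clock are constructed so it runs offline.

```python
"""Simulated iterative resolution with a TTL-aware cache and CNAME chasing.
Added example; ZONES is constructed stand-in data, not real DNS traffic."""
# "REFER" entries are delegations (NS referrals); "ANSWER"/"CNAME" entries
# carry a value and a TTL in seconds.
ZONES = {
    "root":         {("com.", "NS"): ("REFER", "tld-com")},
    "tld-com":      {("example.com.", "NS"): ("REFER", "auth-example")},
    "auth-example": {
        ("www.example.com.", "A"): ("CNAME", "example.com.", 300),
        ("example.com.", "A"):     ("ANSWER", "93.184.216.34", 3600),
    },
}

class Resolver:
    def __init__(self):
        self.cache = {}    # (name, type) -> (value, expires_at)
        self.queries = 0   # upstream queries sent; caching is what keeps this low

    def ask(self, server, name, rtype):
        """One query to one server: exact answer, else the closest delegation."""
        self.queries += 1
        zone = ZONES[server]
        if (name, rtype) in zone:
            return zone[(name, rtype)]
        for (owner, t), rec in zone.items():
            if t == "NS" and name.endswith(owner):
                return rec
        raise LookupError(f"{server} has no data for {name}")

    def resolve(self, name, rtype="A", now=0):
        """Return the record value, answering from cache while the TTL is fresh."""
        hit = self.cache.get((name, rtype))
        if hit and hit[1] > now:
            return hit[0]
        value, ttl = self._lookup(name, rtype, now)
        self.cache[(name, rtype)] = (value, now + ttl)
        return value

    def _lookup(self, name, rtype, now):
        server = "root"
        while True:
            rec = self.ask(server, name, rtype)
            if rec[0] == "REFER":
                server = rec[1]                           # walk down the delegation
            elif rec[0] == "CNAME":
                value = self.resolve(rec[1], rtype, now)  # chase the alias
                # the alias may be cached no longer than either hop allows
                ttl = min(rec[2], self.cache[(rec[1], rtype)][1] - now)
                return value, ttl
            else:
                return rec[1], rec[2]
```

A cold lookup of www.example.com. costs six upstream queries (three to reach the CNAME, three more for its target); repeating it inside the 300 s TTL costs none.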
The 7 DNS Record Types You Must Know
| Type | Maps to | Used for | Example |
|---|---|---|---|
| A | IPv4 address | Pointing a name to a server | 93.184.216.34 |
| AAAA | IPv6 address | Modern dual-stack hosting | 2606:2800:220:1::1946 |
| CNAME | Another name | Aliases (www → root, CDN, SaaS) | d1.cloudfront.net. |
| MX | Mail server hostname | Inbound email routing | 10 mx.example.com. |
| TXT | Free-form text | SPF / DKIM / DMARC / verification | v=spf1 include:_spf.google.com -all |
| NS | Authoritative nameserver | Delegating a zone | ns1.cloudflare.com. |
| SOA | Zone metadata | Serial number, refresh, expiry | 1 per zone |
A & AAAA — The "Address" Records
These are the foundation of the web. A maps a name to an IPv4 address; AAAA ("quad A") maps to IPv6.
Modern best practice is to publish both for full dual-stack reachability.
CNAME — Aliases
A CNAME is a redirect at the DNS level. www.example.com can CNAME to
example.com, or to a CDN hostname like d1.cloudfront.net. The resolver follows
the chain until it reaches an A/AAAA.
⚠️ You cannot put a CNAME at the apex (the root example.com) per RFC 1034 because it would conflict with the SOA/NS records. Use A/AAAA at the apex, or a provider feature called ALIAS / ANAME that emulates apex CNAMEs.
MX — Mail Routing
Each MX record has a priority (lower = preferred). Mail servers attempt the lowest-priority host first and fall back to higher numbers.
```
example.com. 3600 IN MX 1 aspmx.l.google.com.
example.com. 3600 IN MX 5 alt1.aspmx.l.google.com.
example.com. 3600 IN MX 10 alt2.aspmx.l.google.com.
```
TXT — Email Authentication & Verification
TXT records carry the strings that drive modern email authentication and ownership proofs:
- SPF — v=spf1 include:_spf.google.com -all (see SPF guide)
- DKIM — public key under selector._domainkey.example.com (see DKIM guide)
- DMARC — _dmarc.example.com with v=DMARC1; p=quarantine; rua=mailto:...
- Site verification — Google Search Console, Microsoft 365, Apple Business Connect
NS & SOA — Zone Authority
NS records tell the world which servers are authoritative for your zone. Updating them at the registrar is what activates a new DNS provider. SOA ("Start of Authority") holds the zone serial number, refresh interval, retry, and expiry — used by secondary nameservers to know when to re-sync.
Anatomy of a DNS Record
```
; name TTL class type data
example.com. 3600 IN A 93.184.216.34
example.com. 3600 IN MX 10 mx.example.com.
www.example.com. 300 IN CNAME example.com.
```
| Field | Meaning |
|---|---|
| Name | The fully qualified domain name (note the trailing dot). |
| TTL | Time-to-live in seconds — how long resolvers can cache. |
| Class | Almost always IN (Internet). |
| Type | A, AAAA, CNAME, MX, TXT, NS, SOA, CAA, SRV, etc. |
| Data | The record value — IP, hostname, text string, key, etc. |
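A parser for the five-field record format above, added here as an example (not code from the original article). It splits MX data into preference and exchange, checks that A/AAAA data is the right IP family, and applies an origin to names that lack the trailing dot; the sample input is the three records shown above plus one constructed relative-name line.

```python
"""Parse zone-file lines of the form 'name TTL class type data' (added example,
not from the original article). Sample lines are the three shown above plus a
constructed relative MX line, to show how an origin qualifies bare names."""
import ipaddress
from dataclasses import dataclass
SAMPLE_ZONE = """\
; name TTL class type data
example.com.     3600 IN A     93.184.216.34
example.com.     3600 IN MX    10 mx.example.com.
www.example.com. 300  IN CNAME example.com.
mail             300  IN MX    20 backup   ; constructed: relative names
"""

@dataclass
class Record:
    name: str
    ttl: int
    rclass: str
    rtype: str
    data: dict

def qualify(name, origin):
    """Append the origin unless the name is already fully qualified (ends in '.')."""
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        name, ttl, rclass, rtype, *rest = line.split()
        if rclass != "IN":
            raise ValueError(f"unsupported class {rclass!r} on {name}")
        if rtype == "MX":
            pref, host = rest                    # "10 mx.example.com."
            data = {"preference": int(pref), "exchange": qualify(host, origin)}
        elif rtype in ("CNAME", "NS"):
            data = {"target": qualify(rest[0], origin)}
        elif rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rest[0])
            if addr.version != (4 if rtype == "A" else 6):
                raise ValueError(f"{rtype} record holds a v{addr.version} address: {rest[0]}")
            data = {"address": str(addr)}
        else:
            data = {"text": " ".join(rest)}      # TXT, SOA and friends kept verbatim
        records.append(Record(qualify(name, origin), int(ttl), rclass, rtype, data))
    return records
```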
CLI Tools: dig, nslookup, host
Every operations engineer should be fluent with at least dig:
```sh
# Lookup A records via Cloudflare 1.1.1.1
dig @1.1.1.1 example.com A +short
# Lookup MX with full response
dig @8.8.8.8 example.com MX
# Trace the resolution from the root
dig example.com +trace
# Query a TXT (e.g., DMARC)
dig _dmarc.example.com TXT +short
# Reverse lookup an IP (PTR)
dig -x 93.184.216.34 +short
```
If you don't have a terminal handy, our browser-based DNS Lookup queries Cloudflare's 1.1.1.1 over DNS-over-HTTPS and returns the same data — including raw TTLs.
Troubleshooting Playbook
| Symptom | First Check | Likely Fix |
|---|---|---|
| Site loads as "not found" | A / AAAA records | Set A record to your server IP |
| Email rejected for spam | SPF + DKIM + DMARC TXT | Publish all three correctly |
| Email never arrives | MX records | Set MX to your provider's hosts |
| "Site not secure" warning | A record + cert SAN | Re-issue cert covering both apex & www |
| Subdomain points to wrong app | CNAME chain | Update CNAME to the correct target |
| Recent change not visible | TTL / cache | Wait for TTL or flush cache |
| Unexpected NS values | Registrar lock | Possible hijack — rotate creds, re-set NS |
DNS Security Essentials
- Enable DNSSEC at your provider — cryptographically signs responses to defeat spoofing.
- Lock the registrar with 2FA + transfer lock + registrar-lock to block hijacks.
- Publish CAA records to restrict which CAs may issue TLS certs for your domain.
- Set SPF/DKIM/DMARC on every domain — even ones that don't send email (use v=spf1 -all).
- Audit periodically — unexpected new records can indicate compromise.
Common Beginner Mistakes
| Mistake | Why it breaks | Fix |
|---|---|---|
| CNAME at apex | RFC 1034 forbids it (collides with SOA/NS) | Use A/AAAA or provider's ALIAS/ANAME |
| Multiple SPF records | RFC 7208 allows only one | Merge into a single TXT |
| TTL = 86400 before a migration | Stale cache for 24h+ | Pre-lower to 60s, wait, then change |
| Forgot trailing dot | Some panels treat mx.example.com as relative | Use FQDN with trailing dot |
| Missing AAAA | IPv6-only clients fail | Publish AAAA alongside A |
| Public-facing internal records | Information disclosure | Split-horizon DNS or remove |
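The periodic audit from the security checklist and the mistakes in the table above, turned into a zone linter as an added example (not the article's tooling). It works on a constructed snapshot of (name, ttl, type, data) tuples; a real audit would feed in a zone export from the provider.

```python
"""Lint a zone snapshot for the mistakes in the table above and the email-auth
gaps from the security checklist. Added example, not the article's tooling;
records are constructed (name, ttl, type, data) tuples."""

def lint_zone(apex, records, migrating=False):
    findings = []
    by_type = {}
    for name, ttl, rtype, data in records:
        by_type.setdefault((name, rtype), []).append((ttl, data))
    # CNAME at the apex collides with the mandatory SOA/NS records (RFC 1034)
    if (apex, "CNAME") in by_type:
        findings.append("CNAME at apex: use A/AAAA or the provider's ALIAS/ANAME")
    # RFC 7208: a name must publish at most one SPF record
    spf = [d for _, d in by_type.get((apex, "TXT"), []) if d.lower().startswith("v=spf1")]
    if len(spf) > 1:
        findings.append(f"{len(spf)} SPF records: merge into a single TXT")
    elif not spf:
        findings.append("no SPF record: publish one (v=spf1 -all if the domain never sends)")
    # DMARC lives at _dmarc.<apex> and needs a policy tag
    dmarc = [d for _, d in by_type.get(("_dmarc." + apex, "TXT"), []) if d.startswith("v=DMARC1")]
    if not dmarc:
        findings.append("no DMARC record at _dmarc." + apex)
    elif "p=none" in dmarc[0].replace(" ", ""):
        findings.append("DMARC policy is p=none: monitoring only, consider quarantine/reject")
    # Dual-stack: a name with an A record should carry an AAAA as well
    for (name, rtype) in by_type:
        if rtype == "A" and (name, "AAAA") not in by_type:
            findings.append(f"{name} has A but no AAAA")
    # Relative targets (missing trailing dot) and TTLs too high for a migration
    for (name, rtype), entries in by_type.items():
        for ttl, data in entries:
            if rtype in ("MX", "CNAME", "NS") and not data.endswith("."):
                findings.append(f"{name} {rtype} target '{data}' lacks trailing dot")
            if migrating and rtype in ("A", "AAAA", "CNAME") and ttl > 300:
                findings.append(f"{name} {rtype} TTL {ttl}s too high for a migration; pre-lower to 60s")
    return findings

# Constructed snapshot that trips several of the checks on purpose
SAMPLE = [
    ("example.com.", 86400, "A", "93.184.216.34"),
    ("example.com.", 3600, "TXT", "v=spf1 include:_spf.google.com -all"),
    ("example.com.", 3600, "TXT", "v=spf1 ip4:203.0.113.0/24 ~all"),
    ("example.com.", 3600, "MX", "10 mx.example.com"),
    ("_dmarc.example.com.", 3600, "TXT", "v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
]
```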
Free Online DNS Tools
- 🔧 DNS Lookup — Query A, AAAA, MX, CNAME, TXT, NS, CAA, SOA via 1.1.1.1.
- 🔧 Global DNS Checker — See propagation from 20+ worldwide vantage points.
- 🔧 DNS Health Report — Audit your zone for misconfigurations.
- 🔧 IP Address Lookup — Geolocate an IP, check ASN and reverse DNS.
- 🔧 SPF Generator · DMARC Generator
Frequently Asked Questions
How long does a DNS lookup take?
Cached lookups are typically under 5 ms. A cold lookup that traverses root → TLD → authoritative usually completes in 20–120 ms depending on geography and the resolver in use.
What is the difference between an A record and a CNAME?
An A record points directly to an IPv4 address. A CNAME points to another DNS name, which the resolver then follows to find the actual A/AAAA. Use A at the apex; CNAME is fine for subdomains.
Why are my DNS changes not visible yet?
Resolvers cache the previous answer until the TTL expires. If your old TTL was 24 hours, some users may see the stale value for up to 48 hours. Read our DNS propagation guide for the pre-lowering strategy.
Can I use 1.1.1.1 or 8.8.8.8 instead of my ISP's resolver?
Yes. Public resolvers like Cloudflare 1.1.1.1, Google 8.8.8.8, and Quad9 9.9.9.9 are faster, more privacy-respecting, and strictly honor TTLs. They are safe for both home and business use.
Do I need DNSSEC?
For any domain handling money, identity, or email, yes. DNSSEC prevents an attacker from poisoning resolver caches with forged answers. Most modern DNS providers enable it with one click.
What is reverse DNS / PTR?
A PTR record maps an IP back to a hostname. It is required for many SMTP servers to accept your outbound mail and is set in your hosting provider's IP management panel, not your domain's zone.
References
- 📄 RFC 1034 — Domain Names: Concepts & Facilities
- 📄 RFC 1035 — Domain Names: Implementation
- 📄 RFC 7208 — Sender Policy Framework (SPF)
- 📄 RFC 6376 — DKIM Signatures
- 📄 RFC 7489 — Domain-based Message Authentication (DMARC)
- 📄 Cloudflare Learning — What Is DNS?
DNS is the internet's directory. Master the seven core record types (A, AAAA, CNAME, MX, TXT, NS, SOA),
learn one of dig/nslookup/our DNS Lookup tool, lock down your
zone with DNSSEC + SPF/DKIM/DMARC + CAA, and you can debug or design 95% of real-world domain and email problems.

