DNS · March 25, 2026 · 15 min read

DNS Records: The Complete Reference Guide for Every Record Type

Master every DNS record type — A, AAAA, CNAME, MX, TXT, NS, SOA, SRV, CAA, and more. With examples and use cases.

DNS (Domain Name System) translates human-readable domain names into IP addresses and service endpoints. With over 1.1 trillion DNS queries handled daily worldwide, understanding every record type — from the ubiquitous A record to specialized CAA and SRV entries — is fundamental to deploying, securing, and troubleshooting any internet service. This reference covers all major record types with real-world examples.

How DNS Works

A DNS query follows a hierarchical resolution path: your device's stub resolver asks a recursive resolver (e.g., 1.1.1.1 or 8.8.8.8), which queries root servers, then the TLD nameserver (.com, .org), and finally the domain's authoritative nameserver to return the answer. Responses are cached at each level according to the record's TTL.

📖 Definition — A DNS record (Resource Record) is an entry in a zone file that maps a domain name to a specific value — an IP address, mail server, text string, or another domain name.

A & AAAA Records

The most fundamental record types. A records map a domain to an IPv4 address; AAAA records map to an IPv6 address.

; A Record — IPv4
example.com.    300    IN    A      93.184.216.34

; AAAA Record — IPv6
example.com.    300    IN    AAAA   2606:2800:220:1:248:1893:25c8:1946

🎯 Always publish both A and AAAA records for dual-stack compatibility. IPv6 adoption crossed 40% globally in 2024.

CNAME Records

A CNAME (Canonical Name) record aliases one domain to another. The DNS resolver follows the chain until it reaches an A/AAAA record.

www.example.com.    3600    IN    CNAME    example.com.
blog.example.com.   3600    IN    CNAME    myhost.github.io.

⚠️ A CNAME cannot coexist with any other record type at the same name (RFC 1034 §3.6.2). Because the zone apex always carries SOA and NS records, a CNAME cannot be placed there. Use ALIAS/ANAME (provider-specific) for apex domains.

MX Records

MX (Mail Exchanger) records direct email to the correct mail servers. The priority value determines failover order — lower numbers are tried first.

example.com.    3600    IN    MX    10    mail1.example.com.
example.com.    3600    IN    MX    20    mail2.example.com.

Priority    Server               Role
10          mail1.example.com    Primary mail server
20          mail2.example.com    Backup mail server

TXT Records

TXT records store arbitrary text and are heavily used for email authentication, domain verification, and security policies.

; SPF — Authorize mail senders
example.com.    3600    IN    TXT    "v=spf1 include:_spf.google.com ~all"

; DKIM — Email signature verification
selector._domainkey.example.com.    3600    IN    TXT    "v=DKIM1; k=rsa; p=MIGfMA0G..."

; DMARC — Email policy
_dmarc.example.com.    3600    IN    TXT    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

; Domain verification
example.com.    3600    IN    TXT    "google-site-verification=abc123..."

💡 A single domain can have multiple TXT records. However, only one SPF record is allowed per domain — multiple SPF records cause authentication failures (RFC 7208 §3.2).

NS & SOA Records

NS records delegate a zone to specific nameservers. SOA (Start of Authority) records define the zone's primary nameserver, admin email, and serial/refresh/retry/expire timers.

; NS Records
example.com.    86400    IN    NS    ns1.provider.com.
example.com.    86400    IN    NS    ns2.provider.com.

; SOA Record
example.com.    3600    IN    SOA    ns1.provider.com. admin.example.com. (
                        2024031501  ; Serial
                        7200        ; Refresh (2h)
                        3600        ; Retry (1h)
                        1209600     ; Expire (14d)
                        86400       ; Minimum TTL (1d)
)

SRV Records

SRV records specify the host and port for specific services (e.g., SIP, XMPP, LDAP).

; _service._protocol.name    TTL    class    SRV    priority weight port target
_sip._tcp.example.com.    3600    IN    SRV    10 60 5060 sip1.example.com.
_sip._tcp.example.com.    3600    IN    SRV    10 40 5060 sip2.example.com.

💡 The weight field enables load balancing among servers with the same priority. Higher weight = more traffic share.
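
The priority and weight rules above, worked through as an added example (not code from this article): a sketch of the RFC 2782 selection order run over the two SRV records shown, plus a hypothetical lower-priority backup. The names `order_targets` and `first_choice_share` are illustrative.

```python
import random

# Constructed sample: (priority, weight, port, target).
SRV = [
    (10, 60, 5060, "sip1.example.com."),
    (10, 40, 5060, "sip2.example.com."),
    (20, 0, 5060, "backup.example.com."),   # hypothetical backup, not in the article
]

def order_targets(records, rng=random):
    """Order targets the way an RFC 2782 client tries them."""
    ordered = []
    for prio in sorted({r[0] for r in records}):       # lowest priority first
        group = sorted((r for r in records if r[0] == prio),
                       key=lambda r: r[1] != 0)        # zero-weight records go first
        while group:
            pick = rng.randint(0, sum(r[1] for r in group))
            running = 0
            for rec in group:
                running += rec[1]
                if running >= pick:                    # first record reaching the pick
                    ordered.append(rec[3])
                    group.remove(rec)
                    break
    return ordered

def first_choice_share(records, target, trials=20000, seed=1):
    """Fraction of trials in which `target` is contacted first."""
    rng = random.Random(seed)
    hits = sum(order_targets(records, rng)[0] == target for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    print(order_targets(SRV))
    print(first_choice_share(SRV, "sip1.example.com."))
```

The backup is only reached after both priority-10 targets have been tried, and sip1 is contacted first in roughly 60% of runs.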

CAA Records

CAA (Certificate Authority Authorization, RFC 8659) records specify which CAs are permitted to issue certificates for a domain — a critical security control.

example.com.    3600    IN    CAA    0 issue "letsencrypt.org"
example.com.    3600    IN    CAA    0 issuewild ";"
example.com.    3600    IN    CAA    0 iodef "mailto:security@example.com"

🎯 Use issuewild ";" to explicitly block wildcard certificate issuance if you don't need wildcards. The iodef tag notifies you of policy violations.

PTR Records

PTR (Pointer) records provide reverse DNS — mapping an IP address back to a domain name. Essential for mail server reputation and network diagnostics.

; Reverse DNS for 93.184.216.34
34.216.184.93.in-addr.arpa.    3600    IN    PTR    example.com.

Understanding TTL

TTL Value    Duration     Use Case
60           1 minute     Failover, migrations, testing
300          5 minutes    Dynamic services, CDNs
3600         1 hour       Standard web records
86400        24 hours     Stable records (NS, MX)

Before a planned DNS change, lower the TTL to 60–300 seconds at least 48 hours in advance so that copies cached under the old, higher TTL expire first. After the change propagates, raise the TTL back to its normal value.

Best Practices

  • Publish both A and AAAA records for every public hostname.
  • Set CAA records to restrict certificate issuance to your chosen CA.
  • Configure SPF + DKIM + DMARC TXT records for every domain that sends email.
  • Use at least two geographically diverse NS records.
  • Set up PTR records for all mail server IPs.
  • Lower TTL before migrations, restore afterward.

Common Mistakes

Mistake                               Impact                                    Fix
CNAME at zone apex                    Broken NS/SOA coexistence                 Use ALIAS/ANAME or A record
Multiple SPF TXT records              SPF PermError — email fails auth          Merge into one v=spf1 record
Missing trailing dot in zone files    Relative name interpreted wrong           Always use FQDN with trailing dot
TTL too high before migration         Long propagation delays                   Pre-lower TTL 48h before changes
No CAA records                        Any CA can issue certs for your domain    Publish restrictive CAA records
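
Several of these mistakes can be caught before a zone is published. The following is an added example (not code from this article): a small linter over a constructed zone that flags an apex CNAME, duplicate SPF records, a target missing its trailing dot, and a missing CAA record. It assumes one record per line with an explicit TTL and class; `lint_zone` is an illustrative name.

```python
from collections import defaultdict

# Constructed sample zone (one record per line) seeded with the mistakes listed above.
ZONE = """\
example.com.      3600 IN CNAME app.hosting.example.
example.com.      3600 IN NS    ns1.provider.com.
example.com.      3600 IN TXT   "v=spf1 include:_spf.google.com ~all"
example.com.      3600 IN TXT   "v=spf1 ip4:192.0.2.10 -all"
example.com.      3600 IN MX    10 mail1.example.com
www.example.com.  3600 IN A     192.0.2.20
"""

def lint_zone(text, apex):
    """Return findings for a zone given as 'name ttl class type rdata' lines."""
    by_name = defaultdict(list)               # owner name -> [(type, rdata)]
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # blank line or full-line comment
            continue
        name, _ttl, _cls, rtype, rdata = line.split(None, 4)
        rtype = rtype.upper()
        by_name[name.lower()].append((rtype, rdata))
        if not name.endswith("."):
            findings.append(f"{name}: owner name lacks trailing dot")
        target = rdata.split()[-1]
        if rtype in ("CNAME", "MX", "NS") and not target.endswith("."):
            findings.append(f"{name}: {rtype} target {target} lacks trailing dot")
    for name, rrs in by_name.items():
        # DNSSEC types may legitimately sit beside a CNAME; everything else may not.
        others = {t for t, _ in rrs} - {"CNAME", "RRSIG", "NSEC"}
        if any(t == "CNAME" for t, _ in rrs) and others:
            findings.append(f"{name}: CNAME coexists with {sorted(others)}")
        spf = [d for t, d in rrs
               if t == "TXT" and d.strip('"').lower().split(" ")[0] == "v=spf1"]
        if len(spf) > 1:
            findings.append(f"{name}: {len(spf)} SPF records (PermError)")
    if not any(t == "CAA" for t, _ in by_name.get(apex.lower(), [])):
        findings.append(f"{apex}: no CAA record")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_zone(ZONE, "example.com.")))
```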

Tools

Inspect and verify your DNS configuration:

  • 🔧 DNS Lookup — Query A, AAAA, MX, NS, SOA, SRV, and other record types.
  • 🔧 TXT Record Lookup — Inspect SPF, DKIM, DMARC, and verification records.
  • 🔧 CNAME Lookup — Trace CNAME chains to their canonical target.

DNS is the invisible foundation of every internet service. Master the record types — A/AAAA for addresses, CNAME for aliases, MX for mail, TXT for authentication, CAA for certificate control, and SRV for service discovery. Combine proper TTL management with email authentication (SPF/DKIM/DMARC) to build a secure, resilient DNS configuration.
