DNS Records Complete Guide: A, MX, NS, TXT, CNAME, SOA, PTR, SRV, CAA & More
Guide · 📖 18 min read · 📅 December 15, 2024

Rajesh Kumar
Senior DNS Architect

DNS Basics: How It Works

The Domain Name System (DNS) is the phonebook of the internet. It translates human-readable domain names (like google.com) into IP addresses that computers use to connect.

Without DNS, you would need to memorize IP addresses like 142.250.190.46 to visit websites.

📘 Info

📊 DNS Resolution Process (Step by Step)

  1. Browser Cache
  2. OS Cache
  3. Router Cache
  4. ISP Resolver
  5. Authoritative NS

When you type a domain name, your browser first checks its local cache. If not found, it asks your operating system, then your router, then your ISP's DNS resolver, and finally the authoritative name server. Each step caches the result to speed up future requests.

A Record (Address Record)

A records are the most fundamental DNS record type. They map a domain name directly to an IPv4 address (32-bit address).

Syntax:

example.com.    A    93.184.216.34

Real-World Examples:

google.com.      A    142.250.190.46
facebook.com.    A    157.240.22.35
amazon.com.      A    205.251.242.103

Use Cases: Website hosting, email servers, FTP servers, game servers, and any service that needs to be reached via an IPv4 address.

💡 Pro Tip

⚠️ Important:

A records only work with IPv4. For IPv6, you need AAAA records.

AAAA Record (IPv6 Address Record)

AAAA records (pronounced "quad-A") do the same as A records but for IPv6 addresses (128-bit addresses). As the world runs out of IPv4 addresses, IPv6 adoption is becoming critical.

Syntax:

example.com.    AAAA    2606:2800:220:1:248:1893:25c8:1946

Real-World Examples:

google.com.      AAAA    2607:f8b0:4005:80b::200e
facebook.com.    AAAA    2a03:2880:f10c:83:face:b00c:0:25de

✅ Good to Know

✅ Why IPv6 Matters:

There are only 4.3 billion IPv4 addresses, but over 340 undecillion IPv6 addresses. Modern websites should support both IPv4 and IPv6.
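
A small zone-audit check for A and AAAA records, added here as an example (it is not code from this guide or its author). It uses only Python's standard ipaddress module; the sample records in SAMPLE_ADDRESS_RECORDS are constructed, reusing the guide's example.com addresses for the correct rows and adding three deliberately wrong ones.

```python
import ipaddress

# Constructed sample records in zone-file style. The two example.com rows use
# the addresses quoted in this guide; the "bad" rows are deliberate mistakes.
SAMPLE_ADDRESS_RECORDS = """
example.com.       A     93.184.216.34
example.com.       AAAA  2606:2800:220:1:248:1893:25c8:1946
bad1.example.com.  A     2606:2800:220:1:248:1893:25c8:1946
bad2.example.com.  AAAA  93.184.216.35
bad3.example.com.  A     10.0.0.5
"""


def check_address_record(rtype, rdata):
    """Return a list of problems with one A/AAAA record (empty list = OK).

    Checks that the rdata parses as an IP address, that its version matches
    the record type (A = IPv4, AAAA = IPv6), and that a public zone is not
    handing out a non-global (private, loopback, link-local) address.
    """
    problems = []
    try:
        addr = ipaddress.ip_address(rdata)
    except ValueError:
        return [f"{rdata!r} is not a valid IP address"]
    expected = 4 if rtype.upper() == "A" else 6
    if addr.version != expected:
        problems.append(f"{rtype} record carries an IPv{addr.version} address; "
                        f"use {'AAAA' if addr.version == 6 else 'A'} instead")
    if not addr.is_global:
        problems.append(f"{addr} is not globally routable (private/reserved space)")
    return problems


def audit_zone(text):
    """Run check_address_record over every A/AAAA line; returns {owner: [problems]}."""
    findings = {}
    for line in text.strip().splitlines():
        owner, rtype, rdata = line.split()
        if rtype.upper() not in ("A", "AAAA"):
            continue
        problems = check_address_record(rtype, rdata)
        if problems:
            findings[owner] = problems
    return findings


if __name__ == "__main__":
    for owner, problems in audit_zone(SAMPLE_ADDRESS_RECORDS).items():
        print(owner, "->", "; ".join(problems))
```

The version check catches the most common copy-paste error (an IPv6 address pasted into an A record, which most zone parsers reject outright); the is_global check catches a public zone that leaks internal addresses.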

MX Record (Mail Exchange)

MX records specify which mail servers are responsible for receiving email on behalf of your domain. They include a priority value that determines the order in which mail servers should be tried.

Syntax:

example.com.    MX  10  mail.example.com.
example.com.    MX  20  backup.example.com.

Priority Explained:

  • Lower number = Higher priority - Sending servers try the lowest-numbered server first and move to a higher-numbered one only if it cannot be reached
  • Typical values: 10, 20, 30 (leave gaps so you can insert new servers later)
  • Multiple servers: Always have at least 2 MX records for redundancy

Google Workspace Example:

example.com.    MX  1   ASPMX.L.GOOGLE.COM.
example.com.    MX  5   ALT1.ASPMX.L.GOOGLE.COM.
example.com.    MX  5   ALT2.ASPMX.L.GOOGLE.COM.
example.com.    MX  10  ALT3.ASPMX.L.GOOGLE.COM.
example.com.    MX  10  ALT4.ASPMX.L.GOOGLE.COM.

⚠️ Warning

⚠️ Critical Note:

MX records must point to a domain name with an A or AAAA record, never directly to an IP address.
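
Priority ordering and the "never an IP address" rule, worked through in code. This is an added example, not code from this guide; it is plain Python with no third-party libraries, and the SAMPLE_MX_RECORDS set is constructed (listed out of order on purpose).

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample MX set (zone-file style), deliberately listed out of order.
SAMPLE_MX_RECORDS = """
example.com.    MX  20  backup.example.com.
example.com.    MX  10  mail.example.com.
example.com.    MX  10  mail2.example.com.
"""


def parse_mx(zone_text: str) -> List[Tuple[int, str]]:
    """Parse 'owner MX priority target' lines into (priority, target) tuples."""
    records = []
    for line in zone_text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1].upper() != "MX":
            raise ValueError(f"not an MX record: {line!r}")
        records.append((int(parts[2]), parts[3]))
    return records


def delivery_order(records):
    """Group targets by priority, lowest first.

    A sending MTA tries the lowest-numbered group first and only moves on
    to the next group when every server in the current one fails; within a
    group it picks servers in an arbitrary order (sorted here for determinism).
    """
    groups: Dict[int, List[str]] = {}
    for priority, target in records:
        groups.setdefault(priority, []).append(target)
    return [(p, sorted(groups[p])) for p in sorted(groups)]


def check_mx_target(target: str) -> List[str]:
    """Problems with an MX target (empty list = OK).

    An MX must name a host that has A/AAAA records: an IP literal is invalid,
    and a name without a trailing dot gets the zone origin appended by the
    zone-file parser, which is a classic misconfiguration.
    """
    try:
        ipaddress.ip_address(target.rstrip("."))
    except ValueError:
        pass
    else:
        return ["MX target is an IP address; it must be a hostname with an A/AAAA record"]
    problems = []
    if not target.endswith("."):
        problems.append("MX target is not fully qualified; the zone origin will be appended to it")
    for label in target.rstrip(".").split("."):
        if (not label or len(label) > 63 or label.strip("-") != label
                or not all(c.isalnum() or c == "-" for c in label)):
            problems.append(f"label {label!r} is not a valid hostname label")
    return problems


if __name__ == "__main__":
    for priority, targets in delivery_order(parse_mx(SAMPLE_MX_RECORDS)):
        print(priority, targets)
    print(check_mx_target("192.0.2.10"))
```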

NS Record (Name Server)

NS records specify which name servers are authoritative for your domain. These are the servers that actually contain your DNS records. These records are set at your domain registrar.

Syntax:

example.com.    NS  ns1.cloudflare.com.
example.com.    NS  ns2.cloudflare.com.
example.com.    NS  ns3.cloudflare.com.

Critical Requirements:

  • Always have at least 2 NS records (3 is better)
  • NS records should be on different networks and geographical locations
  • Never point NS records to the same IP address
  • The domain of the NS record should not be the same as the domain itself

Common Provider Name Servers:

  • Cloudflare: ns1.cloudflare.com, ns2.cloudflare.com
  • AWS Route 53: ns-1.awsdns-01.com, ns-2.awsdns-02.net
  • Google Cloud DNS: ns-cloud-c1.googledomains.com

TXT Record (Text Record)

TXT records store arbitrary text information. They're most commonly used for email authentication and domain verification.

Primary Use Cases:

1. SPF (Sender Policy Framework):

example.com.    TXT "v=spf1 include:_spf.google.com ~all"

2. DKIM (DomainKeys Identified Mail):

google._domainkey.example.com.    TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."

3. DMARC (Domain-based Message Authentication):

_dmarc.example.com.    TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"

4. Domain Verification (Google Search Console):

example.com.    TXT "google-site-verification=abc123def456"
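
Parsing the SPF and DMARC TXT records above and flagging the weak settings a defender looks for. This is an added example, not code from this guide; it is standard-library Python. SPF_RECORD is the guide's SPF example extended with one ip4 mechanism, DMARC_RECORD is the guide's DMARC example, and the assess_email_auth findings are this example's own wording.

```python
from typing import Dict, List, Tuple

# Constructed sample records (the SPF one extends the guide's example with an
# ip4 mechanism; the DMARC one is the guide's example).
SPF_RECORD = "v=spf1 include:_spf.google.com ip4:192.0.2.0/24 ~all"
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"

# Terms that cost a DNS lookup; RFC 7208 section 4.6.4 allows at most 10 of them.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(txt: str) -> List[Tuple[str, str, str]]:
    """Split an SPF record into (qualifier, name, value) terms.

    Mechanisms carry an explicit or implied qualifier (+ - ~ ?); modifiers
    such as redirect= are returned with qualifier '' so they can be told apart.
    """
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        if "=" in term.split(":", 1)[0]:          # modifier: name=value
            name, _, value = term.partition("=")
            parsed.append(("", name.lower(), value))
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.split("/", 1)[0].lower()      # drop a CIDR suffix such as a/24
        parsed.append((qualifier, name, value))
    return parsed


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' into a dict, requiring v=DMARC1 and p=."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def assess_email_auth(spf, dmarc) -> List[str]:
    """Findings a defender would flag in an SPF/DMARC pair (empty list = healthy)."""
    findings = []
    all_terms = [q for q, name, _ in spf if name == "all"]
    if not all_terms:
        findings.append("SPF has no 'all' mechanism; unlisted senders get a neutral result")
    elif all_terms[-1] in "+?":
        findings.append(f"SPF ends in '{all_terms[-1]}all', which does not restrict senders")
    lookups = sum(1 for _, name, _ in spf if name in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups; the limit is 10 (permerror)")
    if dmarc["p"] == "none":
        findings.append("DMARC p=none only monitors; failing mail is still delivered")
    if "rua" not in dmarc:
        findings.append("DMARC has no rua= address, so aggregate reports are never received")
    if int(dmarc.get("pct", "100")) < 100:
        findings.append(f"DMARC pct={dmarc['pct']} applies the policy to only part of the mail")
    return findings


if __name__ == "__main__":
    print(assess_email_auth(parse_spf(SPF_RECORD), parse_dmarc(DMARC_RECORD)))
    print(assess_email_auth(parse_spf("v=spf1 +all"), parse_dmarc("v=DMARC1; p=none")))
```

The second call in the demo shows the typical "set up but not enforcing" state: "+all" authorises every sender and p=none reports without rejecting.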

CNAME Record (Canonical Name)

CNAME records create an alias from one domain name to another. They're extremely useful but have important limitations.

Syntax:

www.example.com.    CNAME   example.com.
blog.example.com.   CNAME   example.com.
shop.example.com.   CNAME   example.com.

⚠️ Warning

⚠️ Critical Limitations:

  • Cannot be used at the zone apex (root domain) - You cannot have a CNAME on example.com itself
  • Cannot coexist with other records - If you have a CNAME, you cannot have any other record type for the same name
  • Performance impact - Each CNAME requires an additional DNS lookup

Best Practice Example:

; Root domain (uses A record)
example.com.         A    192.0.2.1

; Subdomains (use CNAMEs)
www.example.com.    CNAME  example.com.
ftp.example.com.     CNAME  example.com.
mail.example.com.    CNAME  example.com.
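
The three CNAME limitations above, turned into a zone checker. This is an added example, not code from this guide; it uses only the Python standard library, and SAMPLE_ZONE is a constructed zone that breaks the apex and coexistence rules on purpose and chains ftp through www to show the extra lookups.

```python
from collections import defaultdict
from typing import List, Tuple

# Constructed zone with deliberate mistakes (marked in the comments).
SAMPLE_ZONE = """
example.com.         A      192.0.2.1
example.com.         CNAME  example.net.          ; wrong: CNAME at the zone apex
www.example.com.     CNAME  example.com.
ftp.example.com.     CNAME  www.example.com.      ; allowed, but chains through www
mail.example.com.    CNAME  example.com.
mail.example.com.    MX     10 mx.example.com.    ; wrong: MX next to a CNAME
"""


def parse_zone(text: str) -> List[Tuple[str, str, str]]:
    """Turn 'owner TYPE rdata ; comment' lines into (owner, TYPE, rdata) tuples."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, rtype, rdata = line.split(None, 2)
        records.append((owner, rtype.upper(), rdata))
    return records


def check_cnames(records, origin: str) -> List[str]:
    """Report CNAME rule violations: apex CNAME, CNAME plus other types, duplicate CNAMEs."""
    by_owner = defaultdict(list)
    for owner, rtype, _ in records:
        by_owner[owner].append(rtype)
    problems = []
    for owner, types in by_owner.items():
        if "CNAME" not in types:
            continue
        if owner == origin:
            problems.append(f"{owner}: CNAME at the zone apex is not allowed")
        others = sorted(set(t for t in types if t != "CNAME"))
        if others:
            problems.append(f"{owner}: CNAME cannot coexist with {', '.join(others)}")
        if types.count("CNAME") > 1:
            problems.append(f"{owner}: a name may carry only one CNAME")
    return problems


def cname_chain_length(records, name: str) -> int:
    """How many CNAME hops (extra lookups) a resolver follows from name; raises on a loop."""
    cnames = {owner: rdata for owner, rtype, rdata in records if rtype == "CNAME"}
    hops, seen = 0, set()
    while name in cnames:
        if name in seen:
            raise ValueError(f"CNAME loop involving {name}")
        seen.add(name)
        name = cnames[name]
        hops += 1
    return hops


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    for problem in check_cnames(zone, "example.com."):
        print(problem)
    print("ftp hops:", cname_chain_length(zone, "ftp.example.com."))
```

Note that the chain counter follows the (invalid) apex CNAME too, so ftp.example.com costs three extra lookups in this zone: ftp to www, www to example.com, example.com to example.net.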

SOA Record (Start of Authority)

The SOA record is the most important record in your zone file. Every domain must have exactly one SOA record. It contains administrative information about your domain.

Syntax with Explanation:

example.com.  IN  SOA  ns1.example.com.  admin.example.com.  (
    2024121501  ; Serial Number (YYYYMMDDNN format)
    7200        ; Refresh (2 hours - secondary checks for updates)
    3600        ; Retry (1 hour - retry if refresh fails)
    1209600     ; Expire (14 days - stop answering if primary unreachable)
    86400       ; Minimum TTL (1 day - negative caching TTL)
)

Understanding Each Field:

  • Primary Nameserver: The master name server for this zone
  • Responsible Email: Admin email (replace @ with dot, e.g., admin.example.com = admin@example.com)
  • Serial Number: Must increment every time you change the zone. Use format YYYYMMDDNN
  • Refresh: How often secondary servers check for updates
  • Retry: How long to wait after a failed refresh before retrying
  • Expire: How long secondary servers continue answering after primary fails
  • Minimum TTL: How long negative responses (NXDOMAIN) are cached
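
Reading the SOA fields, converting the responsible-email name back to an address, and computing the next YYYYMMDDNN serial. This is an added example, not code from this guide; it is standard-library Python, SOA_TEXT is the guide's SOA record used as input, and the check_timers rules are this example's own sanity checks based on the RFC 1912 guidance that retry should be a fraction of refresh and expire should outlast both.

```python
import re
from typing import Dict, List

# The guide's SOA example, used here as constructed input.
SOA_TEXT = """example.com.  IN  SOA  ns1.example.com.  admin.example.com.  (
    2024121501  ; Serial Number (YYYYMMDDNN format)
    7200        ; Refresh
    3600        ; Retry
    1209600     ; Expire
    86400       ; Minimum TTL
)"""


def parse_soa(text: str) -> Dict[str, object]:
    """Strip ';' comments and parentheses, then read the SOA fields in order."""
    body = re.sub(r";[^\n]*", "", text).replace("(", " ").replace(")", " ")
    tokens = body.split()
    if len(tokens) < 10 or tokens[2].upper() != "SOA":
        raise ValueError("not an SOA record")
    soa = {"owner": tokens[0], "mname": tokens[3], "rname": tokens[4]}
    names = ("serial", "refresh", "retry", "expire", "minimum")
    soa.update(zip(names, (int(t) for t in tokens[5:10])))
    return soa


def rname_to_email(rname: str) -> str:
    """admin.example.com. -> admin@example.com; a backslash-escaped dot stays a dot."""
    out, i, swapped = [], 0, False
    rname = rname.rstrip(".")
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):   # escaped character: copy literally
            out.append(rname[i + 1])
            i += 2
            continue
        if ch == "." and not swapped:            # first unescaped dot becomes '@'
            out.append("@")
            swapped = True
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def next_serial(current: int, today_ymd: int) -> int:
    """Next YYYYMMDDNN serial: today's date with NN=01, or NN+1 if already on today.

    today_ymd is the date as an int, e.g. 20241215 (int(date.today().strftime("%Y%m%d"))).
    """
    base = today_ymd * 100
    if current < base:
        return base + 1
    if current // 100 == today_ymd and current % 100 < 99:
        return current + 1
    raise ValueError("serial is ahead of today or the daily counter is exhausted")


def check_timers(soa) -> List[str]:
    """Sanity checks on the timer fields; empty list means they are consistent."""
    problems = []
    if soa["retry"] >= soa["refresh"]:
        problems.append("retry should be shorter than refresh")
    if soa["expire"] <= soa["refresh"] + soa["retry"]:
        problems.append("expire must be longer than refresh + retry")
    return problems


if __name__ == "__main__":
    soa = parse_soa(SOA_TEXT)
    print(rname_to_email(soa["rname"]), next_serial(soa["serial"], 20241215), check_timers(soa))
```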

PTR Record (Pointer Record / Reverse DNS)

PTR records do the opposite of A records - they map an IP address back to a domain name. This is called "reverse DNS lookup."

Syntax:

34.216.184.93.in-addr.arpa.    PTR    example.com.

Why PTR Records Matter:

  • Email deliverability: Many mail servers reject emails from IPs without PTR records
  • Security logging: Helps identify the source of connections
  • FTP/IRC authentication: Some services require reverse DNS
  • Troubleshooting: Makes logs more readable

💡 Pro Tip

⚠️ Important:

PTR records are managed by your hosting provider or ISP, not your DNS provider, because they own the IP address range.
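
Building the reverse name for IPv4 and IPv6 and performing a forward-confirmed reverse DNS (FCrDNS) check, which is what mail servers and log-analysis tools actually rely on: a PTR on its own can claim any name, so the name must resolve back to the IP. This is an added example, not code from this guide; it uses only the Python standard library, and PTR_TABLE / FORWARD_TABLE are constructed stand-ins for real DNS lookups (93.184.216.34 is the guide's example.com address; 203.0.113.9 is a documentation address given a PTR that falsely claims example.com).

```python
import ipaddress
from typing import Optional, Set, Tuple

# Constructed toy DNS data standing in for real lookups.
PTR_TABLE = {
    "34.216.184.93.in-addr.arpa.": "example.com.",
    "9.113.0.203.in-addr.arpa.": "example.com.",   # claims example.com, but is not it
}
FORWARD_TABLE = {
    "example.com.": {"93.184.216.34"},
}


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa / ip6.arpa owner name for an address.

    IPv4 reverses the four octets; IPv6 reverses all 32 hex nibbles of the
    expanded address, one label each.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def lookup_ptr(name: str) -> Optional[str]:
    """Stand-in for a PTR query against the toy table."""
    return PTR_TABLE.get(name)


def lookup_forward(name: str) -> Set[str]:
    """Stand-in for an A/AAAA query against the toy table."""
    return FORWARD_TABLE.get(name, set())


def forward_confirmed(ip: str, ptr=lookup_ptr, forward=lookup_forward) -> Tuple[bool, str]:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the IP.

    Whoever controls the reverse zone can put any name in a PTR, so a PTR on
    its own proves nothing; the forward check is what makes it trustworthy.
    """
    name = ptr(reverse_name(ip))
    if name is None:
        return False, "no PTR record"
    if ip not in forward(name):
        return False, f"PTR says {name} but that name does not resolve to {ip}"
    return True, name


if __name__ == "__main__":
    print(reverse_name("2001:db8::1"))
    for ip in ("93.184.216.34", "203.0.113.9", "198.51.100.7"):
        print(ip, forward_confirmed(ip))
```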

SRV Record (Service Locator)

SRV records specify the location (hostname and port) of specific services. They're essential for modern protocols like Active Directory, SIP, XMPP, and CalDAV.

Syntax:

_service._proto.example.com.    SRV  10  5  5060  sipserver.example.com.

Understanding SRV Fields:

  • Priority (10): Lower value = higher priority, similar to MX records
  • Weight (5): For load balancing among same-priority servers
  • Port (5060): The port number the service runs on
  • Target (sipserver.example.com): The server hostname

Real-World Examples:

; Active Directory Domain Controllers
_ldap._tcp.example.com.    SRV  10  100  389  dc1.example.com.

; SIP (VoIP) Servers
_sip._tcp.example.com.      SRV  10  50   5060 sip1.example.com.
_sip._tcp.example.com.      SRV  10  50   5060 sip2.example.com.

; CalDAV (Calendar)
_caldav._tcp.example.com.   SRV  10  1    8080 calendar.example.com.
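
The priority/weight selection a client performs on an SRV set, following the RFC 2782 algorithm. This is an added example, not code from this guide; it uses only the Python standard library, and SAMPLE_SRV is a constructed set with a 75/25 weight split (the guide's examples use 50/50 and 100) so the effect of weights is visible in the simulation.

```python
import random
from collections import Counter
from typing import Dict, List, Tuple

# Constructed SRV set in the guide's layout: priority, weight, port, target.
# Two primaries share priority 10 with a 75/25 weight split; one backup at 20.
SAMPLE_SRV = [
    (10, 75, 5060, "sip1.example.com."),
    (10, 25, 5060, "sip2.example.com."),
    (20, 0, 5060, "sip-backup.example.com."),
]


def parse_srv_owner(owner: str) -> Tuple[str, str, str]:
    """'_sip._tcp.example.com.' -> ('sip', 'tcp', 'example.com.')"""
    service, proto, domain = owner.split(".", 2)
    if not (service.startswith("_") and proto.startswith("_")):
        raise ValueError("SRV owner must look like _service._proto.domain")
    return service[1:], proto[1:], domain


def order_targets(records, rng: random.Random) -> List[Tuple[str, int]]:
    """Order (target, port) pairs the way an RFC 2782 client should try them.

    Priorities are strictly ordered, lowest first. Inside one priority,
    targets are drawn one at a time with probability proportional to weight
    (weight-0 entries are listed first so they are chosen only rarely).
    """
    ordered = []
    for priority in sorted({r[0] for r in records}):
        group = [r for r in records if r[0] == priority]
        while group:
            group.sort(key=lambda r: r[1] != 0)   # weight 0 to the front, stable otherwise
            total = sum(r[1] for r in group)
            pick = rng.randint(0, total)
            running = 0
            for rec in group:
                running += rec[1]
                if running >= pick:
                    ordered.append((rec[3], rec[2]))
                    group.remove(rec)
                    break
    return ordered


def try_order(records, seed: int) -> List[Tuple[str, int]]:
    """One reproducible selection run."""
    return order_targets(records, random.Random(seed))


def first_choice_share(records, trials: int, seed: int) -> Dict[str, float]:
    """Fraction of trials in which each target came out first; shows weights in action."""
    rng = random.Random(seed)
    counts = Counter(order_targets(records, rng)[0][0] for _ in range(trials))
    return {target: counts[target] / trials for target in sorted(counts)}


if __name__ == "__main__":
    print(parse_srv_owner("_sip._tcp.example.com."))
    print(try_order(SAMPLE_SRV, 1))
    print(first_choice_share(SAMPLE_SRV, trials=2000, seed=7))
```

With 2000 trials sip1 comes first roughly three quarters of the time and sip2 the rest; sip-backup never comes first, because a higher priority number is only tried after every priority-10 server has failed.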

CAA Record (Certificate Authority Authorization)

CAA records allow domain owners to specify which Certificate Authorities (CAs) are allowed to issue SSL/TLS certificates for their domain. This is a security feature that prevents unauthorized certificates.

Syntax:

example.com.    CAA  0  issue  "letsencrypt.org"
example.com.    CAA  0  issuewild  "digicert.com"
example.com.    CAA  0  iodef  "mailto:security@example.com"

CAA Property Types:

  • issue: Authorizes a specific CA to issue certificates for the domain
  • issuewild: Authorizes a CA to issue wildcard certificates
  • iodef: Specifies how to report policy violations (email or HTTP)

Best Practice CAA Record:

; Allow only Let's Encrypt and DigiCert
example.com.    CAA  0  issue  "letsencrypt.org"
example.com.    CAA  0  issue  "digicert.com"

; Report violations to security team
example.com.    CAA  0  iodef  "mailto:security@example.com"

; Disallow all wildcard certificates
example.com.    CAA  0  issuewild  ";"
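
How a CA evaluates that CAA set before issuing: it climbs from the requested name toward the root until it finds CAA records, then applies issue (or issuewild for wildcard requests, falling back to issue when no issuewild exists) per RFC 8659. This is an added example, not code from this guide; it is standard-library Python, CAA_ZONE is a constructed dictionary holding the guide's best-practice records plus one unrelated name with a critical property the code does not understand, and other-ca.example is a placeholder CA name.

```python
from typing import Dict, List, Optional, Tuple

CAARecord = Tuple[int, str, str]   # (flags, tag, value)

# Constructed zone data: the guide's best-practice CAA set on example.com.
# and an unrelated name carrying a critical (flag 128) property we do not know.
CAA_ZONE: Dict[str, List[CAARecord]] = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "digicert.com"),
        (0, "iodef", "mailto:security@example.com"),
        (0, "issuewild", ";"),
    ],
    "other.example.": [
        (128, "futuretag", "something"),
    ],
}

KNOWN_TAGS = ("issue", "issuewild", "iodef")


def relevant_caa_set(name: str, zone) -> Tuple[Optional[str], List[CAARecord]]:
    """Climb from name toward the root; return the first CAA RRset found (RFC 8659 section 3)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []


def issuer_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(ca: str, name: str, zone) -> Tuple[bool, str]:
    """Decide whether CA `ca` may issue for `name` (a wildcard request starts with '*.')."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    found_at, rrset = relevant_caa_set(base, zone)
    if not rrset:
        return True, "no CAA records found; any CA may issue"
    # A critical property (bit 7 set) the CA does not understand forbids issuance.
    for flags, tag, _ in rrset:
        if flags & 128 and tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown property '{tag}' at {found_at}"
    tag = "issuewild" if wildcard else "issue"
    props = [v for _, t, v in rrset if t.lower() == tag]
    if wildcard and not props:                 # no issuewild: issue properties apply
        props = [v for _, t, v in rrset if t.lower() == "issue"]
    if not props:
        return True, f"no {tag} restriction at {found_at}"
    allowed = {issuer_domain(v) for v in props} - {""}   # ';' alone allows nobody
    if ca.lower() in allowed:
        return True, f"{ca} is listed at {found_at}"
    return False, f"{ca} is not authorised by the {tag} properties at {found_at}"


if __name__ == "__main__":
    for ca, name in (("letsencrypt.org", "www.example.com."), ("other-ca.example", "example.com."),
                     ("letsencrypt.org", "*.example.com."), ("letsencrypt.org", "shop.other.example.")):
        print(ca, name, ca_may_issue(ca, name, CAA_ZONE))
```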

TTL Explained: Time To Live

TTL (Time To Live) tells DNS resolvers how long to cache a DNS record before requesting a fresh copy. TTL is measured in seconds.

Common TTL Values and Their Uses:

TTL Value         | Use Case             | Pros                  | Cons
------------------|----------------------|-----------------------|------------------------
300 (5 min)       | Before DNS changes   | Fast propagation      | Higher DNS query volume
3600 (1 hour)     | Standard production  | Good balance          | 1 hour wait for changes
86400 (24 hours)  | Stable records       | Excellent performance | Very slow updates

📘 Info

💡 Pro Strategy for DNS Changes:

Step 1 (48 hours before): Lower TTL to 300 seconds

Step 2 (Make change): Update DNS records

Step 3 (After 24 hours): Increase TTL back to original value
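
Why Step 1 has to happen a full old-TTL ahead of Step 2, shown with a small resolver-cache model. This is an added example, not code from this guide; it is standard-library Python, and the timings, the name example.com. and the two addresses (192.0.2.1 before the change, 198.51.100.1 after) are constructed inputs.

```python
from typing import Dict, Optional, Tuple


class ResolverCache:
    """Minimal model of a caching resolver: each answer lives for its TTL."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, str], Tuple[str, int]] = {}

    def store(self, name: str, rtype: str, value: str, ttl: int, now: int) -> None:
        self._entries[(name, rtype)] = (value, now + ttl)

    def lookup(self, name: str, rtype: str, now: int) -> Optional[str]:
        entry = self._entries.get((name, rtype))
        if entry is None:
            return None
        value, expires_at = entry
        if now >= expires_at:                # expired: drop it and force a fresh query
            del self._entries[(name, rtype)]
            return None
        return value


def worst_case_delay(old_ttl: int, new_ttl: int, lowered_at: int, changed_at: int) -> int:
    """Seconds after the record change until every resolver is guaranteed to see it.

    A resolver that cached the record just before the TTL was lowered keeps the
    old value until lowered_at + old_ttl; one that cached it just before the
    change keeps it until changed_at + new_ttl. The later of the two wins.
    """
    if lowered_at > changed_at:
        raise ValueError("the TTL must be lowered before the change, not after")
    return max(lowered_at + old_ttl, changed_at + new_ttl) - changed_at


def simulate_change(old_ttl, new_ttl, lowered_at, changed_at, sample_times):
    """Answers a resolver that cached just before the lowering gives at each sample time."""
    cache = ResolverCache()
    cache.store("example.com.", "A", "192.0.2.1", old_ttl, lowered_at - 1)
    served = {}
    for t in sample_times:
        answer = cache.lookup("example.com.", "A", t)
        if answer is None:   # cache miss: ask the authoritative server (modelled inline)
            answer = "192.0.2.1" if t < changed_at else "198.51.100.1"
            cache.store("example.com.", "A", answer, new_ttl if t >= lowered_at else old_ttl, t)
        served[t] = answer
    return served


if __name__ == "__main__":
    # TTL lowered 48 h before the change versus only 1 h before it.
    print(worst_case_delay(86400, 300, lowered_at=3600, changed_at=176400))
    print(worst_case_delay(86400, 300, lowered_at=172800, changed_at=176400))
    print(simulate_change(86400, 300, 172800, 176400, [177400, 260000]))
```

Lowered 48 hours ahead, the old 24-hour TTL has run out everywhere by the time of the change and the worst case is the new 300-second TTL; lowered only an hour ahead, a resolver that cached just before the lowering keeps serving the old address for almost 23 more hours.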

DNS Best Practices

  • ✅ Always have at least 2-3 NS records on different networks
  • ✅ Use low TTL values (300-600 seconds) before planned DNS changes
  • ✅ Enable DNSSEC on all critical domains
  • ✅ Set proper SPF, DKIM, and DMARC records for email authentication
  • ✅ Implement CAA records to control SSL certificate issuance
  • ✅ Monitor DNS propagation after changes using tools like DNSViz
  • ✅ Use separate subdomains for different services (mail., www., blog.)
  • ✅ Regularly audit your DNS records and remove unused entries
  • ✅ Keep your SOA serial number in YYYYMMDDNN format
  • ✅ Set up DNS change monitoring alerts


Rajesh Kumar

Senior DNS Architect

Rajesh has over 12 years of experience in DNS management and network infrastructure, having managed DNS for Fortune 500 companies.
