DEV Community

toolbox-poster

Posted on • Originally published at toolbox.starnomina.tn

DNS Records: The Complete Reference Guide for Every Record Type

TL;DR
DNS (Domain Name System) translates human-readable domain names into IP addresses and service endpoints.
With over 1.1 trillion DNS queries handled daily worldwide, understanding every record type, from
the ubiquitous A record to specialized CAA and SRV entries, is fundamental to deploying, securing,
and troubleshooting any internet service. This reference covers all major record types with real-world examples.

📑 Table of Contents

  • How DNS Works
  • A & AAAA Records
  • CNAME Records
  • MX Records
  • TXT Records
  • NS & SOA Records
  • SRV Records
  • CAA Records
  • PTR Records
  • Understanding TTL
  • Best Practices
  • Common Mistakes
  • Tools
  • References

How DNS Works

A DNS query follows a hierarchical resolution path: your device's stub resolver asks a
recursive resolver (e.g., 1.1.1.1 or 8.8.8.8), which queries root servers,
then the TLD nameserver (.com, .org), and finally the domain's authoritative nameserver
to return the answer. Responses are cached at each level according to the record's TTL.

📖 Definition: A DNS record (Resource Record) is an entry in a zone file that maps a domain name to a specific value: an IP address, mail server, text string, or another domain name.

A & AAAA Records

The most fundamental record types. A records map a domain to an IPv4 address;
AAAA records map to an IPv6 address.

; A record (IPv4)
example.com.    300    IN    A      93.184.216.34

; AAAA record (IPv6)
example.com.    300    IN    AAAA   2606:2800:220:1:248:1893:25c8:1946

🎯 Always publish both A and AAAA records for dual-stack compatibility. IPv6 adoption crossed 40% globally in 2024.

CNAME Records

A CNAME (Canonical Name) record aliases one domain name to another. The resolver follows the chain
of CNAMEs until it reaches a record of the type it asked for, typically an A or AAAA record.

www.example.com.    3600    IN    CNAME    example.com.
blog.example.com.   3600    IN    CNAME    myhost.github.io.

โš ๏ธ A CNAME cannot coexist with any other record type at the same name (RFC 1034 ยง3.6.2). You cannot place a CNAME at the zone apex alongside SOA/NS records. Use ALIAS/ANAME (provider-specific) for apex domains.

MX Records

MX (Mail Exchanger) records direct email to the correct mail servers. The priority
value determines failover order: lower numbers are tried first.

example.com.    3600    IN    MX    10    mail1.example.com.
example.com.    3600    IN    MX    20    mail2.example.com.

Priority    Server               Role
10          mail1.example.com    Primary mail server
20          mail2.example.com    Backup mail server

TXT Records

TXT records store arbitrary text and are heavily used for email authentication, domain verification, and security policies.

; SPF: authorize mail senders
example.com.    3600    IN    TXT    "v=spf1 include:_spf.google.com ~all"

; DKIM: public key used to verify email signatures
selector._domainkey.example.com.    3600    IN    TXT    "v=DKIM1; k=rsa; p=MIGfMA0G..."

; DMARC: email policy
_dmarc.example.com.    3600    IN    TXT    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

; Domain verification
example.com.    3600    IN    TXT    "google-site-verification=abc123..."

💡 A single domain can have multiple TXT records. However, only one SPF record is allowed per domain; multiple SPF records cause authentication failures (RFC 7208 §3.2).

NS & SOA Records

NS records delegate a zone to specific nameservers. SOA (Start of Authority) records
define the zone's primary nameserver, admin email, and serial/refresh/retry/expire timers.

; NS Records
example.com.    86400    IN    NS    ns1.provider.com.
example.com.    86400    IN    NS    ns2.provider.com.

; SOA Record
example.com.    3600    IN    SOA    ns1.provider.com. admin.example.com. (
                        2024031501  ; Serial
                        7200        ; Refresh (2h)
                        3600        ; Retry (1h)
                        1209600     ; Expire (14d)
                        86400       ; Minimum TTL (1d), used as the negative-caching TTL (RFC 2308)
)

SRV Records

SRV records specify the host and port for specific services (e.g., SIP, XMPP, LDAP).

; _service._protocol.name    TTL    class    SRV    priority weight port target
_sip._tcp.example.com.    3600    IN    SRV    10 60 5060 sip1.example.com.
_sip._tcp.example.com.    3600    IN    SRV    10 40 5060 sip2.example.com.

💡 The weight field enables load balancing among servers with the same priority. Higher weight = more traffic share.
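As an added example (not code from the post), here is the client-side selection that the priority and weight fields drive, as RFC 2782 describes it, run over a constructed RRset that extends the two records above with a lower-priority backup; `order_srv` and `first_choice_share` are names chosen for this illustration:

```python
import random

# Constructed SRV RRset for _sip._tcp.example.com. (the post's two records plus a
# lower-priority backup added here); fields are (priority, weight, port, target).
SIP_SRV = [
    (10, 60, 5060, "sip1.example.com."),
    (10, 40, 5060, "sip2.example.com."),
    (20, 0, 5060, "sip-backup.example.com."),
]

def order_srv(records, rng=random):
    """Return (target, port) pairs in the order a client should try them (RFC 2782).

    Lowest priority first; within one priority each record is drawn with probability
    proportional to its weight, so weight 0 means "only when nothing else is left".
    `rng` needs only randint(a, b); pass a seeded random.Random() for reproducibility.
    """
    ordered = []
    for prio in sorted({r[0] for r in records}):
        # RFC 2782 asks for weight-0 records to be placed first in the arranged list
        pool = sorted((r for r in records if r[0] == prio), key=lambda r: r[1] != 0)
        while pool:
            total = sum(r[1] for r in pool)
            n = rng.randint(0, total)          # uniform in [0, total]
            running = 0
            for i, rec in enumerate(pool):
                running += rec[1]
                if running >= n:               # first record whose running sum reaches n
                    ordered.append((rec[3], rec[2]))
                    del pool[i]
                    break
    return ordered

def first_choice_share(records, target, trials, seed=1):
    """Fraction of `trials` in which `target` is tried first; approximates weight/sum."""
    rng = random.Random(seed)
    hits = sum(order_srv(records, rng)[0][0] == target for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    print(order_srv(SIP_SRV))
    print(f"sip1 first in {first_choice_share(SIP_SRV, 'sip1.example.com.', 10000):.0%} of trials")
```

With the weights 60/40 above, sip1 is tried first in roughly 60% of resolutions, and the weight-0 backup is only reached when both priority-10 servers fail.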

CAA Records

CAA (Certificate Authority Authorization, RFC 8659) records specify which CAs are permitted to issue
certificates for a domain, a critical security control.

example.com.    3600    IN    CAA    0 issue "letsencrypt.org"
example.com.    3600    IN    CAA    0 issuewild ";"
example.com.    3600    IN    CAA    0 iodef "mailto:security@example.com"

🎯 Use issuewild ";" to explicitly block wildcard certificate issuance if you don't need wildcards. The iodef tag gives CAs an address to which they report certificate requests that violate your policy.
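The check a CA performs against these records, as an added example that is not part of the original post: it climbs the tree to the relevant CAA RRset as RFC 8659 describes (without the CNAME-following of the older RFC 6844) and applies the issue/issuewild and critical-flag rules. The zone data and function names are constructed for this illustration.

```python
# Constructed CAA data (not from the post): owner name -> list of (flags, tag, value).
# Names with no entry publish no CAA RRset of their own.
CAA_ZONE = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    "dev.example.com.": [(0, "issue", "digicert.com; validationmethods=dns-01")],
    "legacy.example.com.": [(128, "futuretag", "opaque")],   # critical flag, unknown tag
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def _base(requested):
    """Strip a leading '*.' so a wildcard request is evaluated at its parent name."""
    return requested[2:] if requested.startswith("*.") else requested

def relevant_rrset(name, zone):
    """RFC 8659 section 3: climb from `name` toward the root and return the first
    owner that has a CAA RRset, as (owner, records); (None, []) if none exists."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if owner in zone:
            return owner, zone[owner]
    return None, []

def ca_may_issue(requested, ca_domain, zone):
    """True if `ca_domain` may issue a certificate for `requested` (RFC 8659 section 4)."""
    wildcard = requested.startswith("*.")
    owner, rrs = relevant_rrset(_base(requested), zone)
    if owner is None:
        return True                          # no CAA anywhere up the tree: unrestricted
    # A property marked critical (flag bit 128) that the CA does not understand forbids issuance
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrs):
        return False
    # Wildcard requests use issuewild when present; otherwise issue applies to both kinds
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in rrs) else "issue"
    allowed = [v for _, t, v in rrs if t == tag]
    if not allowed:
        return True                          # no issue/issuewild tags: not restricted by CAA
    # Value is "<ca-domain>[; param=value ...]"; a bare ";" authorizes no CA at all
    return any(v.split(";")[0].strip().lower() == ca_domain.lower() for v in allowed)

def iodef_contact(requested, zone):
    """Where a CA should report a request that violates policy, or None if not published."""
    _, rrs = relevant_rrset(_base(requested), zone)
    return next((v for _, t, v in rrs if t == "iodef"), None)
```

Note that the subdomain's own CAA RRset (dev.example.com.) fully replaces the parent's policy for names beneath it, so a delegated team can widen the set of permitted CAs unless you review CAA across the whole tree.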

PTR Records

PTR (Pointer) records provide reverse DNS: mapping an IP address back to a domain name.
Essential for mail server reputation and network diagnostics.

; Reverse DNS for 93.184.216.34
34.216.184.93.in-addr.arpa.    3600    IN    PTR    example.com.

Understanding TTL

TTL Value    Duration     Use Case
60           1 minute     Failover, migrations, testing
300          5 minutes    Dynamic services, CDNs
3600         1 hour       Standard web records
86400        24 hours     Stable records (NS, MX)

⚡ Pro Tip: Before a planned DNS change, lower the TTL to 60 to 300 seconds at least 48 hours in advance, so that the old, high TTL has expired from caches by the time you change the record. After the change has propagated, raise the TTL back to its normal value.

Best Practices

  • Publish both A and AAAA records for every public hostname.

  • Set CAA records to restrict certificate issuance to your chosen CA.

  • Configure SPF + DKIM + DMARC TXT records for every domain that sends email.

  • Use at least two geographically diverse NS records.

  • Set up PTR records for all mail server IPs.

  • Lower TTL before migrations, restore afterward.

Common Mistakes

Mistake                              Impact                                       Fix
CNAME at zone apex                   Breaks NS/SOA coexistence                    Use ALIAS/ANAME or an A record
Multiple SPF TXT records             SPF PermError; email fails authentication    Merge into one v=spf1 record
Missing trailing dot in zone files   Relative name interpreted wrongly            Always use the FQDN with a trailing dot
TTL too high before migration        Long propagation delays                      Lower the TTL 48h before changes
No CAA records                       Any CA can issue certs for your domain       Publish restrictive CAA records
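A small zone-file linter for the CNAME, SPF, trailing-dot and CAA mistakes in this table (and in the CNAME and TXT sections above), added here as an example rather than taken from the post; the zone text, parser and function names are constructed for the illustration:

```python
import re
from collections import defaultdict

# Constructed zone fragment (not from the post) that commits each mistake on purpose: the
# apex has a CNAME, two SPF records and no CAA; www mixes CNAME with A; mail lacks the dot.
BAD_ZONE = """\
; apex is example.com.
example.com.        3600  IN  SOA    ns1.provider.com. admin.example.com. 2024031501 7200 3600 1209600 86400
example.com.        3600  IN  CNAME  myhost.github.io.
example.com.        3600  IN  TXT    "v=spf1 include:_spf.google.com ~all"
example.com.        3600  IN  TXT    "v=spf1 ip4:203.0.113.10 -all"
www.example.com.    3600  IN  CNAME  example.com.
www.example.com.    3600  IN  A      93.184.216.34
mail.example.com    3600  IN  A      93.184.216.35
"""

RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+)$")

def parse_zone(text):
    """Yield (owner, ttl, rtype, rdata) for one-line records; multi-line '(' SOA layouts are not handled."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue                        # blank line or comment
        m = RR_LINE.match(line)
        if not m:
            raise ValueError(f"unparsable record line: {line!r}")
        owner, ttl, rtype, rdata = m.groups()
        yield owner, int(ttl), rtype, rdata.strip()

def lint_zone(text, apex):
    """Return a list of findings for the mistakes discussed above; empty means clean."""
    findings, by_owner = [], defaultdict(list)
    for owner, _ttl, rtype, rdata in parse_zone(text):
        if not owner.endswith("."):
            findings.append(f"{owner}: no trailing dot, name is relative to $ORIGIN")
        by_owner[owner].append((rtype, rdata))
    for owner, rrs in by_owner.items():
        types = {t for t, _ in rrs}
        if "CNAME" in types and len(types) > 1:
            findings.append(f"{owner}: CNAME coexists with {sorted(types - {'CNAME'})} (RFC 1034 3.6.2)")
        if "CNAME" in types and owner == apex:
            findings.append(f"{owner}: CNAME at zone apex, use ALIAS/ANAME or A/AAAA")
        spf = [v for t, v in rrs if t == "TXT" and v.strip('"').startswith("v=spf1")]
        if len(spf) > 1:
            findings.append(f"{owner}: {len(spf)} SPF records, merge into one (RFC 7208 3.2)")
    if "CAA" not in {t for t, _ in by_owner.get(apex, [])}:
        findings.append(f"{apex}: no CAA record, any CA may issue certificates")
    return findings
```

Running `lint_zone(BAD_ZONE, "example.com.")` reports six findings, one per mistake planted in the sample; a zone with a single A record and a CAA record at the apex comes back clean.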

Tools

Inspect and verify your DNS configuration:

  • 🔧 DNS Lookup: Query A, AAAA, MX, NS, SOA, SRV, and other record types.

  • 🔧 TXT Record Lookup: Inspect SPF, DKIM, DMARC, and verification records.

  • 🔧 CNAME Lookup: Trace CNAME chains to their canonical target.

References

  • 📄 RFC 1035: Domain Names - Implementation and Specification

  • 📄 RFC 8659: DNS Certification Authority Authorization (CAA) Resource Record

  • 📄 RFC 7208: Sender Policy Framework (SPF)

  • 📄 RFC 2782: A DNS RR for Specifying the Location of Services (SRV)

  • 📄 Cloudflare DNS Documentation

🎯 Key Takeaway: DNS is the invisible foundation of every internet service. Master the record types: A/AAAA for addresses,
CNAME for aliases, MX for mail, TXT for authentication, CAA for certificate control, and SRV for service
discovery. Combine proper TTL management with email authentication (SPF/DKIM/DMARC) to build a secure,
resilient DNS configuration.

