DNS · Reference

DNS Record Types Explained

DNS is the address book of the internet, and every entry in it has a type that tells resolvers how to use the data. This guide is a reference for every record type you're likely to touch when running a domain — what it does, what it looks like in a zone file, and the gotchas to avoid.

Record reference

A
Maps a hostname to an IPv4 address.
example.com.  3600  IN  A  192.0.2.10

The most common record. Used for every IPv4 hostname on the public internet.

AAAA
Maps a hostname to an IPv6 address.
example.com.  3600  IN  AAAA  2001:db8::10

Required for IPv6 reachability. Modern OSes prefer AAAA when both A and AAAA exist (Happy Eyeballs).

CNAME
Aliases one hostname to another.
www.example.com.  3600  IN  CNAME  example.com.

A CNAME cannot coexist with any other record on the same name. Never put a CNAME at the zone apex — use ALIAS/ANAME or apex-flattening.

MX
Routes email to mail servers for a domain.
example.com.  3600  IN  MX  10 mail.example.com.

The number is the preference: sending servers try the lowest value first. Always pair it with an A/AAAA record for the target hostname.

TXT
Arbitrary text data attached to a name.
example.com.  3600  IN  TXT  "v=spf1 include:_spf.google.com ~all"

Used for SPF, DKIM, DMARC, domain-ownership verification (Google, Microsoft, Let's Encrypt DNS-01).

NS
Delegates a zone to authoritative name servers.
example.com.  86400  IN  NS  ns1.dns-provider.com.

Must match the NS set at the registrar (the parent zone), otherwise lookups fail intermittently.

SOA
Marks the start of authority for a zone.
example.com.  3600  IN  SOA  ns1.example.com. admin.example.com. 2026061401 7200 3600 1209600 3600

Exactly one per zone. The serial number must increment on every change so secondaries re-sync.

PTR
Reverse mapping: IP to hostname.
10.2.0.192.in-addr.arpa.  3600  IN  PTR  example.com.

Required for outbound mail-server reputation (rDNS). Lives in the in-addr.arpa or ip6.arpa zone, controlled by whoever owns the IP block.

SRV
Locates services (host + port) for a protocol.
_sip._tcp.example.com.  3600  IN  SRV  10 60 5060 sip.example.com.

Used by SIP, XMPP, Matrix, Minecraft, Active Directory. Encodes priority, weight, port, and target.

CAA
Restricts which CAs may issue certificates for a domain.
example.com.  3600  IN  CAA  0 issue "letsencrypt.org"

Every public CA has been required to check CAA before issuing since 2017. Add one before issuing your first cert; it stops CAs you have not listed from issuing for your name, whether by mistake or at someone else's request.

TLSA
Publishes a certificate or key fingerprint for DANE.
_443._tcp.example.com.  3600  IN  TLSA  3 1 1 abc123...

Only useful with DNSSEC. Adopted mostly by SMTP servers for opportunistic TLS.

DNSKEY / DS / RRSIG / NSEC
DNSSEC chain of trust.
Generated automatically by your DNS provider when DNSSEC is enabled.

Don't hand-edit. Enable DNSSEC at the provider; the registrar publishes the DS record at the parent zone.

How a DNS lookup actually works

  1. Your device asks its recursive resolver (usually your ISP, 1.1.1.1, or 8.8.8.8) for example.com.
  2. The resolver, if it doesn't have a cached answer, asks the root servers (the 13 letter-labelled servers, A–M).
  3. Root refers it to the TLD servers for .com.
  4. The TLD refers it to the authoritative name servers listed in example.com's NS records.
  5. The authoritative server returns the actual record (A, AAAA, MX, whatever was asked for).
  6. The resolver caches the answer for the record's TTL and returns it to your device.
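The six steps above as a small in-memory simulation: a recursive resolver starts at the root, follows each referral down to the authoritative server, and caches the answer for its TTL so the next query is served from cache until the TTL expires. This is an added example and not code from the page; the root, .com and example.com servers are constructed stand-ins with constructed glue addresses, and no network traffic is sent.

```python
"""Iterative resolution, simulated in memory.

Added example, not part of the original page. The three servers below are
constructed stand-ins for the root, the .com TLD and example.com's
authoritative server; nothing is sent over the network."""
import time

# Constructed authoritative data keyed by server name. Each server holds
# (owner, type) -> [(ttl, rdata), ...]. A delegation is an NS record for the
# child zone plus a glue A record for that name server.
SERVERS = {
    "root": {
        ("com.", "NS"): [(172800, "a.gtld-servers.net.")],
        ("a.gtld-servers.net.", "A"): [(172800, "192.0.2.1")],     # constructed glue
    },
    "a.gtld-servers.net.": {
        ("example.com.", "NS"): [(172800, "ns1.example.com.")],
        ("ns1.example.com.", "A"): [(172800, "192.0.2.53")],       # constructed glue
    },
    "ns1.example.com.": {
        ("example.com.", "A"): [(3600, "192.0.2.10")],
        ("example.com.", "MX"): [(3600, "10 mail.example.com.")],
    },
}


def ask(server, qname, qtype):
    """One query to one server: ('answer', rrs), ('referral', ns_name) or
    ('nxdomain', None). Servers are addressed by name in this simulation; a
    real resolver would connect to the glue address that accompanies the referral."""
    zone = SERVERS[server]
    if (qname, qtype) in zone:
        return "answer", zone[(qname, qtype)]
    labels = qname.split(".")
    for i in range(len(labels)):               # longest enclosing name first
        child = ".".join(labels[i:])
        if (child, "NS") in zone:
            return "referral", zone[(child, "NS")][0][1]
    return "nxdomain", None


class Resolver:
    """Recursive resolver: walks referrals from the root and caches by TTL."""

    def __init__(self, now=time.time):
        self.now = now               # injectable clock so TTL expiry can be tested
        self.cache = {}              # (qname, qtype) -> (expires_at, rrs)
        self.trace = []              # every server consulted, or 'cache' on a hit

    def resolve(self, qname, qtype):
        key = (qname, qtype)
        hit = self.cache.get(key)
        if hit and hit[0] > self.now():
            self.trace.append("cache")
            return hit[1]
        server = "root"                          # step 2: start at the root
        while True:
            self.trace.append(server)
            kind, data = ask(server, qname, qtype)
            if kind == "answer":                 # step 5: authoritative answer
                ttl = min(t for t, _ in data)
                self.cache[key] = (self.now() + ttl, data)   # step 6: cache for TTL
                return data
            if kind == "referral":               # steps 3-4: follow the delegation
                server = data
            else:
                return []


if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("example.com.", "A"), r.trace)
```

The trace for the first query is root, a.gtld-servers.net., ns1.example.com.; a repeat within 3600 seconds shows only "cache", and once the TTL has passed the full walk happens again, which is exactly why a change is invisible to some resolvers until the old TTL runs out.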

Common production setup for a new domain

  • A + AAAA at apex pointing to your server / load balancer / CDN.
  • CNAME for www pointing to the apex.
  • MX records pointing to your email provider.
  • TXT records: SPF, DKIM, DMARC, plus any ownership-verification strings.
  • CAA permitting your CA (usually letsencrypt.org).
  • Optional: SRV for chat/voice services, TLSA for DANE.

Try it on Toolzer

  • DNS Lookup — query any record type for any domain, including AAAA, MX, TXT, CAA.
  • WHOIS Lookup — see the registrar, name servers, and expiry of a domain.
  • Blacklist Checker — confirm your mail-server IP isn't on a reputation block list (relies on PTR + reverse-DNS health).

Frequently asked questions

Why can't I put a CNAME at the root of my domain?

RFC 1034 forbids a CNAME on a name that has any other records, and the zone apex always has at least an SOA and NS records. Modern DNS providers offer ALIAS, ANAME, or 'CNAME flattening' that look up the target and serve A/AAAA records from the apex instead.

What's the difference between an A and an AAAA record?

An A record points to an IPv4 address; AAAA points to an IPv6 address. They are independent: a host can have both, only one, or neither. Modern clients query both in parallel and the OS picks the one that connects.

How long does a DNS change take to propagate?

It depends on the TTL of the old record. If the old A record had TTL 3600 (1 hour), caching resolvers will keep serving the old answer for up to an hour after you change it. Lower the TTL a day before any planned change.

Do I need an MX record if my mail is hosted elsewhere?

Yes. The MX tells sending servers where to deliver mail for your domain. Without it, senders fall back to the A record (legacy behaviour), which usually fails. Google Workspace, Microsoft 365, and Fastmail all give you the exact MX records to add.

What is a CAA record and do I need one?

CAA tells public Certificate Authorities which of them are allowed to issue certs for your domain. Every CA checks CAA before issuing, climbing from the requested name up to the parent domains until it finds a CAA set. It's strongly recommended: without one, any CA in the trust store can issue a certificate for your name.
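The decision a CA makes when it checks CAA, following the RFC 8659 rules, over constructed in-memory records: climb from the requested name toward the root until a CAA set is found, let "issuewild" govern wildcard requests when present and "issue" otherwise, treat a value of ";" as "nobody", and refuse outright on an unrecognised tag that has the issuer-critical flag set. This is an added example, not code from the page; the records, the locked.example.com. subtree, the other-ca.example CA name and the iodef address are hypothetical, and because the lookup has no wildcard synthesis a request for *.X is evaluated starting at X.

```python
"""CAA issuance decision following the RFC 8659 rules, over constructed data.

Added example, not from the original page. The records, the
locked.example.com. subtree and the iodef address are hypothetical."""

# Constructed CAA data: owner name -> [(flags, tag, value), ...]
CAA_RECORDS = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),                          # ';' = no CA may issue wildcards
        (0, "iodef", "mailto:security@example.com"),    # hypothetical report address
    ],
    "locked.example.com.": [(0, "issue", ";")],         # no CA may issue below here
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128   # issuer-critical flag bit


def parent(name):
    """'a.b.c.' -> 'b.c.', 'c.' -> '.'"""
    rest = name.split(".", 1)[1]
    return rest or "."


def relevant_caa_set(name):
    """Climb from name toward the root; return the first non-empty CAA RRset.
    The in-memory lookup has no wildcard synthesis, so *.X is evaluated from X."""
    while name != ".":
        rrset = CAA_RECORDS.get(name)
        if rrset:
            return rrset
        name = parent(name)
    return []


def may_issue(ca_domain, name):
    """True if ca_domain may issue for name; a leading '*.' marks a wildcard request."""
    wildcard = name.startswith("*.")
    caa = relevant_caa_set(name[2:] if wildcard else name)
    if not caa:
        return True      # no CAA anywhere up the tree: issuance is unrestricted
    # An unrecognised tag carrying the critical flag forbids issuance outright.
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in caa):
        return False
    tags = {tag for _, tag, _ in caa}
    governing = "issuewild" if wildcard and "issuewild" in tags else "issue"
    if governing not in tags:
        return True      # nothing in the set restricts this kind of issuance
    # A value is 'domain [; parameters]'; only the domain part names the CA.
    authorised = {value.split(";", 1)[0].strip() for _, tag, value in caa if tag == governing}
    return ca_domain in authorised


if __name__ == "__main__":
    for ca, host in [("letsencrypt.org", "www.example.com."),
                     ("other-ca.example", "www.example.com."),
                     ("letsencrypt.org", "*.example.com."),
                     ("letsencrypt.org", "host.locked.example.com."),
                     ("letsencrypt.org", "other.example.net.")]:
        print(f"{ca:18} {host:28} {'allowed' if may_issue(ca, host) else 'refused'}")
```

Note how www.example.com. has no CAA of its own yet is still covered: the climb stops at example.com., which is why a single apex record protects the whole domain, and why a CAA placed lower in the tree can tighten the policy for one subtree.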

Is DNSSEC worth enabling?

If your DNS provider supports one-click DNSSEC and your registrar accepts DS records, yes — it adds cryptographic protection against cache-poisoning attacks. Implementing it manually is fiddly and easy to break (expired RRSIGs cause full-zone outages), so prefer a managed setup.

Sources: RFC 1034/1035 (DNS), RFC 8499 (DNS Terminology), RFC 8659 (CAA), IANA DNS Parameters Registry.