The internet is a marvel that works because of the sprawling set of dispersed infrastructure supporting it. The system is extremely complex, but it gets simplified at the application layer, which allows anyone with a passing level of competence to use it.
A crucial part of the internet's core architecture is its domain name system (DNS) and the DNS records it serves. These records carry the information a client needs to reach the right server: for instance, DNS records provide the mappings that link your website's domain name with its IP address.
This guide will examine DNS records, highlight their importance, and explain the various types of DNS records.
What Is DNS?
To understand DNS records, you first have to comprehend the wider DNS ecosystem.
In simple terms, the DNS is the internet's directory service: it matches domain names with IP addresses. For instance, DNS uses A records (one DNS record type) so that you don't have to enter the IP address of the website you intend to visit in your browser.
Instead, you enter the site's domain name, and your resolver looks up the IP address of the hosting server for you. The obvious advantage is that you memorize and type easy-to-remember names instead of cumbersome numeric addresses.
Just as a mailing address or a phonebook helps you locate a physical resource, DNS converts domain names to IP addresses. To implement this, it leverages DNS records to help resolve the domain name with the server’s IP address.
DNS Records and Why They Are Important
DNS records provide information about a domain, such as its IP addresses or aliases, along with instructions that shape how queries for it are answered. They are also known as resource records (RRs); each one carries an owner name, a type, a time to live (TTL) and type-specific data.
DNS records are kept in zone files, plain text files that reside on a domain's authoritative nameservers (a zone file holds many records; the two terms are not synonyms). An authoritative nameserver is the source of truth for its zone: when a browser or other client needs to reach a resource, its resolver ultimately asks the authoritative nameserver, which answers from these records. Together, records and nameservers make DNS lookups and accurate domain pointing possible.
Domain registrars or third-party services also add DNS records to nameservers.
Types of DNS Records
The primary function of DNS records is to map a human-readable hostname (like quicksprout.com) to an IP address (like 22.214.171.124). This is mainly what an A-type DNS record does.
A Record
DNS records make the internet's huge volume of transactions and communications possible each day. If you type quicksprout.com in your browser, for example, your resolver queries the domain's nameservers and obtains the IP address from the DNS records.
This represents the most basic kind of DNS record, often called an address record. It fulfills the most fundamental DNS function of pointing a domain or subdomain to an IPv4 address. An A record points the domain to the specific web server where the website resides. A name may have several A records, in which case the resolver receives all of them and clients typically try them in turn.
A related trick is editing your computer's hosts file to override DNS hostname-to-IP mappings locally. A hosts entry is not an A record and changes nothing in DNS; it simply takes precedence over the A record on your own machine, which is handy when you want to see how your website looks on a different IP address or server before you change DNS for everyone.
Hosts file modification can be necessary during website migrations or when setting up domain-dependent software like content management systems. Note that A records only map to IPv4 addresses (the fourth version of the internet protocol), not IPv6.
How to access DNS records
After you type the domain you want to look up into the Google Dig (Google Admin Toolbox) search bar, you should see the A record results, revealing the hostname's IP address mappings.
If you activate the Raw button option, it displays the full dig-style response rather than the summary, including the TTL of each record.
In addition to web tools such as Google Dig, you can run A record lookups from the command line with nslookup <domain name>, or with dig <domain name> A on Linux and macOS, which prints the same raw format.
AAAA Record
This is similar to the A record, except that it points your domain to an IPv6 address instead of an IPv4 one. An AAAA record is used when a server is reachable over IPv6. Many sites still publish only A records, but a dual-stack host publishes both, and clients that support IPv6 will generally prefer the AAAA answer.
When displayed on Google Dig, IPv6 addresses are longer than their IPv4 counterparts, and colons separate each group of hexadecimal digits instead of the periods used in IPv4.
Just as the numbers within a given area code are finite, the internet has run out of unallocated IPv4 addresses. IPv6 was designed to address this problem: its addresses are 128 bits long rather than 32, which allows vastly more unique addresses.
CNAME Record
CNAME stands for canonical name record. It is used when one hostname should be treated as an alias of another.
Instead of pointing a name to an IP address, a CNAME record points it to another name. It maps an alias (often a subdomain) to the canonical name that actually carries the address records.
As a result, a CNAME allows one hostname to point at another, like mapping www.example.com to example.com.
This is why www.quicksprout.com can resolve to the same server as quicksprout.com without a second A record. Note that the alias can only go one way: a CNAME cannot be placed at the zone apex (quicksprout.com itself), because the apex must carry SOA and NS records and a CNAME may not coexist with any other record at the same name. Sending visitors from the bare domain to www is therefore done with an HTTP redirect, not a CNAME. The CNAME's most common function is still routing: one canonical name can serve many aliases, eliminating the need to create and maintain multiple A records.
CNAME records have other useful purposes, too. When a site has various subdomains, CNAME records can alias them to the one name whose A record holds the shared IP address. In practice, this is how something like blog.example.com can have a canonical name record of example.com.
Consequently, when a resolver queries for blog.example.com, the answer tells it that the canonical name is example.com, and the resolver continues the lookup there. As a result, the lookup returns the IP address of example.com from its A record.
For its blog, a site like HubSpot uses the subdomain blog.hubspot.com. For this subdomain, you'll find via Google Dig that its CNAME record is 53.group3.sites.hubspot.net.
The advantage of the CNAME approach is that it reduces the need for modifications. If you have to move the host server, you only update the canonical name's A record: the CNAME points to the name, not to an IP address, so every alias follows the change automatically.
In the end, CNAME records make it easy to serve multiple names from one address. The flexibility comes precisely from the CNAME's association with a name rather than a physical IP address. The same property needs care when the target is outside your control: an alias left pointing at a third-party hostname that has since been released is a dangling CNAME, and periodically checking that every CNAME target still resolves to something you own is a worthwhile housekeeping check.
MX Record
MX stands for mail exchange. MX records tell sending mail servers which hosts accept email for a domain: in essence, they direct email to a mail server.
You can use this record to route email for, let's say (once again), example.com to a hosted service such as Google Workspace. MX records are similar to CNAME records in that they point to a hostname rather than an IP address (that hostname must in turn have A or AAAA records, and it must not itself be a CNAME). Each MX record also carries a preference value; senders try the lowest value first and fall back to the others, as required by the Simple Mail Transfer Protocol (SMTP).
Querying the MX record for google.com on Google Dig returns smtp.google.com.
TXT Record
The purpose of this record is to publish human-readable text. TXT records aren't used to direct traffic; they let system administrators attach text to a name, most importantly the policies that other mail systems consult to judge email claiming to come from the domain.
Other use cases for the text strings stored in the value field of TXT records are ownership details and site verification tokens (for Google Search Console, for example). They are also central to preventing email spam and spoofing.
Because a TXT record can carry arbitrary text, a domain can publish machine-readable statements about itself. Consequently, TXT records make it harder for spammers to forge mail from legitimate domains, and they give administrators a way to learn about unexpected attempts to do so.
For instance, a Sender Policy Framework (SPF) TXT record lists the servers authorized to send email for a specific domain, so a receiving system can tell whether an incoming message came from a permitted source. Meanwhile, DomainKeys Identified Mail (DKIM) signs each outgoing email with the sender's private key, and the matching public key is published in a TXT record under the domain (at a name of the form selector._domainkey.example.com) so that receivers can verify the signature.
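To make the SPF part concrete, here is an added example (written for this guide, not code from the original page or from any mail server) that evaluates an SPF TXT string against a sending IP address the way a receiver does: terms are tried left to right, the first match decides, and the qualifier on that term gives the result. Only the mechanisms that need no further DNS lookups (ip4, ip6, all) are implemented; include, a, mx and redirect are reported as unsupported rather than silently ignored. The policy string and IP addresses are constructed samples.

```python
"""Evaluate an SPF policy (RFC 7208 subset) against a sending IP.

Added example for this guide, not code from the original page or any
mail software. Only ip4, ip6 and all are evaluated; mechanisms that need
live DNS lookups are reported as "unsupported". Sample data is constructed.
"""
import ipaddress

# Constructed policy. The order matters: the single excluded host comes
# before the /24 that would otherwise match it.
SAMPLE_SPF = "v=spf1 -ip4:192.0.2.99 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(txt):
    """Split a TXT string into (qualifier, mechanism, argument) terms."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        qual = "+"  # no explicit qualifier means "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        terms.append((qual, mech.lower(), arg))
    return terms


def check_spf(txt, sender_ip):
    """Return pass, fail, softfail, neutral, permerror or unsupported."""
    ip = ipaddress.ip_address(sender_ip)
    for qual, mech, arg in parse_spf(txt):
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # unparseable record: RFC 7208 permerror
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
            continue
        # include:, a, mx, exists:, redirect= and exp= all need DNS lookups.
        return "unsupported"
    return "neutral"  # nothing matched and no "all" term: RFC 7208 default
```

With the sample policy, 192.0.2.10 passes, 192.0.2.99 fails because the explicit exclusion is tested first, and an address outside both ranges gets softfail from the trailing ~all. Swap the first two terms and 192.0.2.99 would pass, which is the kind of ordering mistake that makes a published SPF record weaker than intended.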
SRV Record
This is a DNS record used to locate the host and port for a specific service. Its owner name encodes the service and protocol, as in _sip._tcp.example.com, and its data holds a priority, a weight, a port number and a target hostname. SRV records therefore differ from most DNS records, which map a name to an address.
Examples include instant messaging (IM) and voice-over-IP (VoIP) services. Protocols such as XMPP and SIP use SRV records to discover their servers, and mail clients can use them to find IMAP and SMTP submission servers automatically, so a domain without the expected SRV record falls back to manual configuration or a plain hostname lookup.
SRV records allow system administrators to rank the servers for a given service through the priority and weight values. Priority is looked at first and takes precedence over weight; weight only becomes a factor among servers with the same priority.
Let's assume a domain has three servers, named A, B and C, with priority values of 100, 200 and 300 respectively. Their weights are then irrelevant: Server A will always be tried first because it has the lowest priority value, which in SRV terms is the highest priority, and B and C are only contacted if A is unreachable.
Somewhat counterintuitively, then, the lower the priority value, the more traffic the server receives. Weight works the other way: among servers of equal priority, clients pick one at random in proportion to its weight, so a server with a higher weight gets more traffic than one with a lower weight.
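The selection procedure a client is supposed to follow is spelled out in RFC 2782: take the lowest priority value, then pick among the records at that priority with probability proportional to weight, with weight-0 records given only a small chance. The following is an added example written for this guide, not code from the original page or from any client; the record set is a constructed sample for a hypothetical _sip._tcp.example.com service, and the rand parameter exists only so the choice can be made deterministic when testing.

```python
"""Order SRV targets the way RFC 2782 tells clients to: lowest priority value
first, then weighted random selection among targets that share that priority.

Added example for this guide, not code from the original page or any
client library. SAMPLE_SRV is a constructed record set.
"""
import random

# Constructed SRV RRset for _sip._tcp.example.com: (priority, weight, port, target)
SAMPLE_SRV = [
    (10, 60, 5060, "sip1.example.com."),
    (10, 20, 5060, "sip2.example.com."),
    (10, 20, 5060, "sip3.example.com."),
    (20, 0, 5060, "sip-backup.example.com."),   # only used if all priority-10 hosts fail
    (10, 0, 5060, "sip-canary.example.com."),   # weight 0: almost never chosen
]


def order_targets(rrset, rand=random.random):
    """Return the RRset in the order a client should try the targets.

    `rand` must return a float in [0, 1); pass a fixed function to make the
    result deterministic.
    """
    remaining = sorted(rrset, key=lambda r: r[0])  # lowest priority value first
    ordered = []
    while remaining:
        top = remaining[0][0]
        group = [r for r in remaining if r[0] == top]
        # RFC 2782: put weight-0 records at the front, draw an integer in
        # [0, total weight], and take the first record whose running sum of
        # weights reaches it. Weight-0 records therefore win only on a draw of 0.
        group.sort(key=lambda r: r[1] != 0)
        total = sum(r[1] for r in group)
        pick = int(rand() * (total + 1))
        running = 0
        chosen = group[-1]
        for r in group:
            running += r[1]
            if running >= pick:
                chosen = r
                break
        ordered.append(chosen)
        remaining.remove(chosen)
    return ordered


def first_choice_share(rrset, trials=10000, seed=1):
    """Fraction of attempts in which each target is tried first (seeded, so repeatable)."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        target = order_targets(rrset, rand=rng.random)[0][3]
        counts[target] = counts.get(target, 0) + 1
    return {t: n / trials for t, n in counts.items()}
```

first_choice_share(SAMPLE_SRV) shows the weights turning into traffic share: sip1 is tried first roughly 60% of the time, sip2 and sip3 about 20% each, the weight-0 canary under 1%, and the priority-20 backup never, because it is only reached after every priority-10 target has failed.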
NS Record
NS is short for nameserver record. It indicates which nameservers (DNS servers) are authoritative for a zone. A zone normally has several NS records so that more than one server can answer for it, which is vital for resilience.
Authoritative nameservers hold the actual DNS records for the zones they serve and answer queries for those names directly. The NS records published in the parent zone (for example, in the .com zone) delegate a domain to them; when a nameserver's own name sits inside the zone it serves, the parent also needs glue A or AAAA records for it, since otherwise its address could never be found.
An NS record names a server, not an IP address. Accordingly, NS records tell a resolver where to go to find a domain's records.
SOA Record
SOA stands for start of authority. Every zone begins with exactly one SOA record, which stores administrative information about the zone. A DNS zone is similar to a namespace: it spans a domain name and its subdomains up to any points where they are delegated elsewhere. In short, a DNS zone contains the DNS entries for your domain.
An SOA record identifies the primary nameserver for the zone (MNAME) and the administrator's email address (RNAME, written with a dot in place of the @), and carries five numbers: a serial that must increase with every change (often written as a date plus a revision, such as 2024031502); the refresh, retry and expire intervals that govern how secondary servers keep their copies up to date; and a minimum value that is now used as the TTL for negative (name-does-not-exist) answers.
Secondary nameservers poll the primary's SOA at the refresh interval and transfer the zone only when the serial they see is newer than the one they hold, as the IETF standards specify; forgetting to bump the serial is a classic reason a change never propagates.
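The serial comparison is less obvious than it looks, because the serial is a 32-bit number that is allowed to wrap around, so "newer" is defined by the serial arithmetic of RFC 1982 rather than by plain integer comparison. Here is an added example written for this guide (not code from the original page or from any nameserver) that parses the SOA fields and applies the refresh/retry/expire logic a secondary follows; the SOA text is a constructed sample.

```python
"""Decide what a secondary nameserver should do with a zone, using the SOA
fields the way the DNS does: the serial is compared with the 32-bit
wrap-around arithmetic of RFC 1982, and refresh/retry/expire decide when
the next check happens and when a stale copy must stop being served.

Added example for this guide, not code from the original page or any
DNS server. SAMPLE_SOA is a constructed record.
"""

SAMPLE_SOA = "ns1.example.com. hostmaster.example.com. 2024031502 7200 900 1209600 300"

FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")


def parse_soa(rdata):
    """Parse SOA rdata into a dict; the five numeric fields become ints."""
    parts = rdata.split()
    if len(parts) != 7:
        raise ValueError("SOA rdata needs 7 fields")
    soa = dict(zip(FIELDS, parts))
    for key in FIELDS[2:]:
        soa[key] = int(soa[key])
        if not 0 <= soa[key] < 2**32:
            raise ValueError(f"{key} out of 32-bit range")
    return soa


def serial_gt(a, b):
    """RFC 1982 comparison: True if serial a is 'after' serial b modulo 2^32."""
    half = 2**31
    return (a < b and b - a > half) or (a > b and a - b < half)


def should_transfer(local_serial, primary_serial):
    """A secondary transfers only when the primary's serial is newer than its own."""
    return serial_gt(primary_serial, local_serial)


def next_action(soa, since_success, since_attempt, last_failed):
    """What a secondary does now.

    since_success: seconds since the last successful SOA check or transfer.
    since_attempt: seconds since the last check attempt, successful or not.
    last_failed:   whether that last attempt failed (then the retry timer applies).
    """
    if since_success >= soa["expire"]:
        return "expire"  # data too old to trust: stop answering for the zone
    if since_attempt >= (soa["retry"] if last_failed else soa["refresh"]):
        return "check"
    return "wait"
```

The wrap-around matters in practice: a serial of 4294967295 followed by 0 is a legitimate increment, and a date-style serial that is accidentally set far ahead (2024999999, say) can only be "rolled back" by walking it forward through the 2^31 boundary rather than simply lowering it, because lowering it would make secondaries see an older serial and ignore the zone.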
PTR Record
A PTR (pointer) record enables reverse lookups: mapping an IP address back to a name. You can think of it as the opposite of an A record. An A record gives you the IP address for a name, while a PTR record, kept under the special in-addr.arpa (IPv4) or ip6.arpa (IPv6) namespace, gives you the name for an IP address.
For instance, a reverse lookup of the address that blog.google.com resolves to does not return blog.google.com; the PTR record names the host that actually serves it, which in this example is blogger.l.google.com. Mail servers commonly check that a sending host's PTR record matches its forward A record, so a mismatch can get email rejected.
TSIG
TSIG stands for transaction signature. Also called Secret Key Transaction Authentication, it is a mechanism for authenticating DNS messages between two parties that share a secret key, and it is used chiefly to protect dynamic updates and zone transfers between a primary and its secondaries. TSIG is not stored in the zone; it appears as a pseudo-record appended to each signed message.
TSIG is optional, but in an era where attackers are expanding their targets, it is recommended to keep bad actors from subverting DNS systems. It uses a shared secret key and an HMAC (a keyed hash, commonly HMAC-SHA256) over the message, plus a timestamp with a small allowed clock skew, so the receiver can confirm that a DNS packet came from an authorized sender and is not a replay. It does not encrypt the message.
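The mechanism is small enough to show end to end. The following is an added example written for this guide, not code from the original page or from any DNS implementation, and it is a simplified model rather than the RFC 8945 wire format: real TSIG also binds the key name, the algorithm name and the original message ID in a specific layout. The key, key name and message bytes are constructed samples.

```python
"""A simplified model of TSIG: the sender appends a MAC computed with a
shared secret over the message plus a timestamp; the receiver recomputes it,
compares in constant time, and rejects anything outside the allowed clock
skew (the "fudge"), which is what defeats replay.

Added example for this guide, not code from the original page or any DNS
software, and not the RFC 8945 wire format. All key material is constructed.
"""
import hashlib
import hmac
import struct

# Constructed shared secret and key name. In practice the secret comes from a
# tool such as tsig-keygen and is configured on both primary and secondary.
KEY_NAME = b"xfer-key.example.com."
SECRET = bytes.fromhex("d1e8f0c3b4a5968778695a4b3c2d1e0f0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def tsig_mac(secret, key_name, message, time_signed, fudge):
    """HMAC-SHA256 over message || key name || time_signed (48-bit) || fudge (16-bit)."""
    to_sign = message + key_name + time_signed.to_bytes(6, "big") + struct.pack(">H", fudge)
    return hmac.new(secret, to_sign, hashlib.sha256).digest()


def sign(secret, key_name, message, now, fudge=300):
    """Return the tuple the sender transmits: (message, time_signed, fudge, mac)."""
    return message, now, fudge, tsig_mac(secret, key_name, message, now, fudge)


def verify(secret, key_name, signed, now):
    """Return "ok", "bad-sig" or "bad-time".

    The MAC is checked before the clock, as RFC 8945 requires, so a forged
    message is rejected for its signature rather than leaking timing details.
    """
    message, time_signed, fudge, mac = signed
    expected = tsig_mac(secret, key_name, message, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return "bad-sig"
    if abs(now - time_signed) > fudge:
        return "bad-time"
    return "ok"
```

A message captured on the wire and resent an hour later fails with bad-time even though its MAC is still valid, and a message altered in transit (or signed with the wrong key) fails with bad-sig; neither check depends on keeping the message secret, which is why TSIG authenticates but does not encrypt.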
CAA Record
CAA stands for Certificate Authority Authorization. These DNS records name the certificate authorities (CAs) permitted to issue TLS certificates for the domain or fully qualified domain name (FQDN).
As a domain owner, the CAA record lets you specify one or more CAs; publicly trusted CAs are required to check it before issuing, so a certificate request made through any other CA is refused. This reduces the risk of mis-issuance and brings a measure of standardization to certificate handling throughout your organization. If no CAA record is found for the name or any of its parents, any CA may issue.
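What a CA actually does with CAA is defined in RFC 8659: find the closest CAA record set at or above the name, then apply the issue and issuewild properties, refusing outright if a property it does not understand is marked critical. The following is an added example written for this guide, not code from the original page or from any CA's software; the CAA data is a constructed sample, and CNAME following and DNSSEC validation are left out.

```python
"""Decide whether a CA may issue for a name under the CAA rules of RFC 8659.

Added example for this guide, not code from the original page or any CA's
software. SAMPLE_CAA is constructed; CNAMEs and DNSSEC are out of scope.
"""

CRITICAL = 128  # flag bit: a CA that does not understand the tag must refuse
KNOWN_TAGS = ("issue", "issuewild", "iodef")

# Constructed CAA sets keyed by owner name, each a list of (flags, tag, value).
SAMPLE_CAA = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),           # ";" means no CA may issue wildcards
        (0, "iodef", "mailto:security@example.com"),
    ],
    "legacy.example.com.": [
        (CRITICAL, "futuretag", "whatever"),  # unknown critical property
    ],
    "open.example.com.": [
        (0, "iodef", "mailto:security@example.com"),  # no issue tag: unrestricted
    ],
}


def relevant_caa(records, name):
    """Climb from name toward the root and return the first CAA set found."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in records:
            return records[candidate]
    return []


def may_issue(records, name, ca_domain):
    """True if ca_domain is allowed to issue a certificate for name."""
    wildcard = name.startswith("*.")
    lookup = name[2:] if wildcard else name
    rrset = relevant_caa(records, lookup)
    if not rrset:
        return True  # no CAA anywhere above the name: issuance is unrestricted
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    # Wildcards use issuewild when present, otherwise fall back to issue.
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in rrset) else "issue"
    # A value may carry parameters after ";" (e.g. "ca.example; validationmethods=dns-01"),
    # so keep only the issuer domain; an empty domain (value ";") permits nobody.
    allowed = [v.split(";")[0].strip().lower() for _, t, v in rrset if t == tag]
    if not allowed:
        return True  # relevant set has no property for this tag: not restricted
    return ca_domain.lower() in allowed
```

With the sample data, www.example.com inherits the example.com policy, so only letsencrypt.org may issue for it and nobody may issue a wildcard; legacy.example.com is refused by every CA because of the critical unknown tag, which is exactly the behaviour the critical flag is for.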
TLSA Record
A TLSA record is the DNS-based Authentication of Named Entities (DANE) record. It pins which certificates or public keys are valid for a given domain's TLS servers, so a client can detect a certificate that a CA issued in error or under compromise.
However, TLSA records only work if the Domain Name System Security Extensions (DNSSEC) are enabled for your zone and the client validates them; an unsigned TLSA record could be forged as easily as any other answer.
A TLSA record's owner name is made up of three parts.
The first is the port number on which the TLS server listens, the second is the transport protocol (TCP, UDP or SCTP), and the third is the server hostname, giving a name like _443._tcp.www.example.com. The record's data then says how to match: a certificate usage, a selector (full certificate or public key only), a matching type (raw data or a hash of it), and the certificate association data itself.
DS and DNSKEY Records
A delegation signer (DS) record is used to secure DNSSEC delegations. DNSSEC adds cryptographic signatures to existing DNS records; it does not encrypt anything. A DS record, published in the parent zone, holds a hash of the child zone's key-signing key and is what establishes the chain of trust once DNSSEC signing has been configured.
Together with DNSSEC signatures, DS records let validating resolvers detect forged or poisoned responses to DNS requests, since an attacker cannot produce valid signatures without the zone's private keys.
As its name implies, DNSKEY holds the public keys used to verify DNSSEC signatures. Both DNSKEY and DS exist as DNS record types so that zones can sign their data and validators can check the signatures from the root down.