BytePane

DNS Records Explained: A, AAAA, CNAME, MX, TXT & More

Networking · 14 min read

How DNS Resolution Works

The Domain Name System translates human-readable domain names into IP addresses that computers use to communicate. When you type bytepane.com in your browser, a chain of DNS lookups converts that name into an IP address before your browser can connect.

# DNS resolution chain (simplified):
#
# 1. Browser cache → Already resolved recently?
# 2. OS cache      → Check /etc/hosts and local DNS cache
# 3. Recursive resolver (ISP or 8.8.8.8) → Cached from other users?
# 4. Root servers  → "Who handles .com?" → Verisign
# 5. TLD servers   → "Who handles bytepane.com?" → Cloudflare NS
# 6. Authoritative nameserver → "bytepane.com = 104.21.x.x"
# 7. Answer cached at each level based on TTL

# Total time: 10-100ms (uncached), <1ms (cached)

# Check your domain's DNS resolution chain:
dig bytepane.com +trace

A and AAAA Records: IP Address Mapping

The A record is the most fundamental DNS record type. It maps a domain name to an IPv4 address. The AAAA record (pronounced "quad-A") does the same for IPv6 addresses. Every domain needs at least one A record for the root domain.

# A Record: Domain → IPv4
example.com.    3600    IN    A    93.184.216.34

# AAAA Record: Domain → IPv6
example.com.    3600    IN    AAAA    2606:2800:220:1:248:1893:25c8:1946

# Multiple A records for load balancing (round-robin DNS)
api.example.com.    300    IN    A    10.0.1.1
api.example.com.    300    IN    A    10.0.1.2
api.example.com.    300    IN    A    10.0.1.3

# Query A records with dig
dig example.com A
# ;; ANSWER SECTION:
# example.com.    3600    IN    A    93.184.216.34

# Query AAAA records
dig example.com AAAA

CNAME Records: Domain Aliases

CNAME (Canonical Name) records create aliases from one domain name to another. Instead of pointing to an IP address, a CNAME points to another domain name, which is then resolved to get the final IP.

# CNAME: Alias one domain to another
www.example.com.     3600    IN    CNAME    example.com.
blog.example.com.    3600    IN    CNAME    myblog.wordpress.com.
shop.example.com.    3600    IN    CNAME    shops.myshopify.com.
docs.example.com.    3600    IN    CNAME    example.github.io.

# IMPORTANT: CNAME restrictions
# 1. Cannot coexist with other record types at same name
#    WRONG: example.com CNAME + example.com MX ← Not allowed!
#
# 2. Cannot be used at zone apex (root domain)
#    WRONG: example.com. CNAME other.com. ← Not allowed!
#    RIGHT: www.example.com. CNAME other.com. ← Subdomain OK
#
# 3. Workaround for root: Use ALIAS/ANAME (provider-specific)
#    Cloudflare calls this "CNAME flattening"
#    example.com. CNAME my-app.vercel.app. ← Works on Cloudflare

# Resolution chain: www.example.com → example.com → 93.184.216.34
dig www.example.com
# ;; ANSWER SECTION:
# www.example.com.  3600  IN  CNAME  example.com.
# example.com.      3600  IN  A      93.184.216.34
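The two CNAME restrictions above can be checked mechanically before a zone is published. The following lint is an added example, not code from the original article; the function name `lint_cnames`, the sample zone and the DNSSEC exception set are assumptions made for illustration.

```python
from collections import defaultdict

# DNSSEC records are the standard exception: they may sit next to a CNAME.
DNSSEC_TYPES = {"RRSIG", "NSEC"}

def lint_cnames(zone_text, apex):
    """Return (name, problem) pairs for CNAME rule violations in a zone."""
    types = defaultdict(set)
    for line in zone_text.splitlines():
        fields = line.split()  # expected: name ttl class type rdata...
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue  # skips blank lines and comments
        types[fields[0].lower().rstrip(".")].add(fields[3].upper())
    apex = apex.lower().rstrip(".")
    problems = []
    for name, seen in sorted(types.items()):
        if "CNAME" not in seen:
            continue
        others = seen - {"CNAME"} - DNSSEC_TYPES
        if others:  # rule 1: no other record types at the same name
            problems.append((name, "CNAME coexists with " + ", ".join(sorted(others))))
        if name == apex:  # rule 2: no CNAME at the zone apex
            problems.append((name, "CNAME at zone apex"))
    return problems

# Constructed sample zone: one valid alias and two broken names.
SAMPLE_ZONE = """
example.com.       3600 IN CNAME other.com.
example.com.       3600 IN MX    10 mail.example.com.
www.example.com.   3600 IN CNAME example.com.
blog.example.com.  3600 IN CNAME myblog.wordpress.com.
blog.example.com.  3600 IN TXT   "constructed"
"""

if __name__ == "__main__":
    for name, problem in lint_cnames(SAMPLE_ZONE, "example.com."):
        print(f"{name}: {problem}")
```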

MX Records: Email Routing

MX (Mail Exchange) records tell other mail servers where to deliver email for your domain. Each MX record has a priority value; lower numbers mean higher priority. Delivery is attempted at the server with the lowest priority value first, falling back to servers with higher values if the primary is unavailable.

# MX Records for Google Workspace
example.com.    3600    IN    MX    1  aspmx.l.google.com.
example.com.    3600    IN    MX    5  alt1.aspmx.l.google.com.
example.com.    3600    IN    MX    5  alt2.aspmx.l.google.com.
example.com.    3600    IN    MX    10 alt3.aspmx.l.google.com.
example.com.    3600    IN    MX    10 alt4.aspmx.l.google.com.

# MX Records for Microsoft 365
example.com.    3600    IN    MX    0  example-com.mail.protection.outlook.com.

# Check MX records
dig example.com MX
# Or use nslookup
nslookup -type=mx example.com

# Priority explanation:
# Priority 1  → Try first (primary mail server)
# Priority 5  → Try second (secondary servers)
# Priority 10 → Try last (backup servers)
# Same priority = round-robin between them

TXT Records: Verification and Security

TXT records store arbitrary text data associated with a domain. They are primarily used for domain verification (proving you own a domain), email authentication (SPF, DKIM, DMARC), and security policies.

# SPF: Which servers can send email for your domain
example.com.    3600    IN    TXT    "v=spf1 include:_spf.google.com ~all"
# include: = allow Google's mail servers
# ~all = soft fail others (mark as spam, don't reject)
# -all = hard fail (reject unauthorized senders)

# DKIM: Email signature verification
google._domainkey.example.com. 3600 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0..."

# DMARC: Policy for failed SPF/DKIM checks
_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:[email protected]"
# p=none    → Monitor only (start here)
# p=quarantine → Mark as spam
# p=reject  → Reject entirely (strictest)

# Domain verification (Google, Microsoft, etc.)
example.com. 3600 IN TXT "google-site-verification=abc123..."
example.com. 3600 IN TXT "MS=ms12345678"

# Check TXT records
dig example.com TXT +short
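The difference between `~all` and `-all`, and between the three DMARC `p=` values, is easy to miss when reading raw `dig` output. The following audit is an added example, not code from the original article; the function names are hypothetical and the sample strings, including the report address, are constructed.

```python
# Flag SPF / DMARC TXT values that are weaker than the strict settings.

def audit_spf(txt):
    """Return findings for one SPF TXT value (empty list = strict)."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    alls = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not alls:
        if not any(t.lower().startswith("redirect=") for t in terms[1:]):
            findings.append("no 'all' mechanism: unlisted senders get a neutral result")
        return findings
    qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"  # bare "all" means "+all"
    if qualifier == "+":
        findings.append("+all authorizes every sender")
    elif qualifier == "?":
        findings.append("?all is neutral: unlisted senders are not failed")
    elif qualifier == "~":
        findings.append("~all is soft fail: unlisted senders are marked, not rejected")
    return findings

def audit_dmarc(txt):
    """Return findings for one DMARC TXT value (empty list = strict)."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitor only, failing mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: failing mail is marked as spam, not rejected")
    elif policy != "reject":
        findings.append("missing or unknown p= tag")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings

if __name__ == "__main__":
    # Constructed sample values; the report address is a placeholder.
    print(audit_spf("v=spf1 include:_spf.google.com ~all"))
    print(audit_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"))
```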

NS, SOA, SRV, and CAA Records

Beyond the common record types, several specialized records handle nameserver delegation, zone metadata, service discovery, and certificate authority restrictions.

# NS (Nameserver): Which DNS servers are authoritative
example.com.    86400   IN    NS    ns1.cloudflare.com.
example.com.    86400   IN    NS    ns2.cloudflare.com.

# SOA (Start of Authority): Zone metadata
example.com.    3600    IN    SOA   ns1.cloudflare.com. dns.cloudflare.com. (
    2026030801  ; Serial number (YYYYMMDDNN)
    3600        ; Refresh interval
    600         ; Retry interval
    604800      ; Expire time
    300         ; Minimum TTL (negative cache)
)

# SRV (Service): Service discovery
# _service._protocol.name  TTL  IN  SRV  priority weight port target
_sip._tcp.example.com.  3600  IN  SRV  10 60 5060 sip.example.com.
_xmpp._tcp.example.com. 3600  IN  SRV  5  0  5222 xmpp.example.com.

# CAA (Certificate Authority Authorization)
# Restricts which CAs can issue certificates for your domain
example.com.    3600    IN    CAA    0 issue "letsencrypt.org"
example.com.    3600    IN    CAA    0 issue "digicert.com"
example.com.    3600    IN    CAA    0 iodef "mailto:[email protected]"
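How a CA reads the CAA records above can be expressed as a short decision function. This is an added example, not code from the original article; `parse_caa` and `may_issue` are hypothetical names, the `issuewild` line and iodef address are constructed, and the record set is assumed to be the relevant one already (real CAs look for it by climbing from the requested name toward the root).

```python
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # tags this sketch understands

def parse_caa(zone_text):
    """Parse zone-file CAA lines into (flags, tag, value) tuples."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split(None, 6)  # name ttl class type flags tag value
        if len(fields) == 7 and fields[3].upper() == "CAA":
            value = fields[6].strip().strip('"')
            records.append((int(fields[4]), fields[5].lower(), value))
    return records

def may_issue(records, ca_domain, wildcard=False):
    """Decide whether ca_domain may issue, given the relevant CAA record set."""
    # An unrecognized tag with the critical bit (128) set forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    tags = {tag for _, tag, _ in records}
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    wanted = "issuewild" if wildcard and "issuewild" in tags else "issue"
    issuers = [v.split(";")[0].strip().lower() for _, t, v in records if t == wanted]
    if not issuers:
        return True  # no issue/issuewild restriction applies to this request
    return ca_domain.lower() in issuers  # 'issue ";"' yields "" and matches no CA

# Constructed sample: the article's CAA lines plus a wildcard ban.
ZONE = '''
example.com.  3600  IN  CAA  0 issue "letsencrypt.org"
example.com.  3600  IN  CAA  0 issue "digicert.com"
example.com.  3600  IN  CAA  0 issuewild ";"
example.com.  3600  IN  CAA  0 iodef "mailto:security@example.com"
'''

if __name__ == "__main__":
    recs = parse_caa(ZONE)
    for ca in ("letsencrypt.org", "other-ca.example"):
        print(ca, may_issue(recs, ca), may_issue(recs, ca, wildcard=True))
```

An empty record set returns `True`: without any CAA records, every CA is permitted to issue, which is why the records are worth publishing.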

DNS Record Type Reference

| Type | Purpose | Example Value |
|------|---------|---------------|
| A | IPv4 address mapping | 93.184.216.34 |
| AAAA | IPv6 address mapping | 2606:2800:220:1::248 |
| CNAME | Domain alias | www → example.com |
| MX | Mail server routing | 10 mail.example.com |
| TXT | Text data (SPF, DKIM, verification) | v=spf1 include:... |
| NS | Nameserver delegation | ns1.cloudflare.com |
| SOA | Zone authority metadata | Serial, refresh, retry |
| SRV | Service discovery | 10 60 5060 sip.example.com |
| CAA | Certificate authority restriction | 0 issue "letsencrypt.org" |

Troubleshooting DNS Issues

DNS problems are notoriously difficult to debug because of caching at multiple levels. These commands help you diagnose resolution failures, propagation delays, and configuration errors.

# dig: The Swiss Army knife for DNS debugging

# Basic query (A record)
dig example.com

# Query specific record type
dig example.com MX
dig example.com TXT
dig example.com NS

# Query a specific nameserver (bypass cache)
dig @8.8.8.8 example.com
dig @1.1.1.1 example.com

# Short output (just the answer)
dig example.com +short
# 93.184.216.34

# Trace the full resolution path
dig example.com +trace

# Check if a DNS change has propagated
# Query different public DNS servers:
dig @8.8.8.8 example.com +short      # Google DNS
dig @1.1.1.1 example.com +short      # Cloudflare DNS
dig @208.67.222.222 example.com +short  # OpenDNS
dig @9.9.9.9 example.com +short      # Quad9

# Check TTL remaining on cached record
dig example.com | grep -A1 "ANSWER SECTION"

# nslookup alternative (works on Windows too)
nslookup example.com
nslookup -type=MX example.com
nslookup example.com 8.8.8.8

When setting up DNS for a new domain, you will often need to add TXT records for verification. Use our Base64 tool to decode DKIM keys and our Diff Checker to compare DNS configurations between environments.

Common DNS Configurations

Here are complete DNS setups for the most common scenarios developers encounter.

# Website on Cloudflare (proxied)
example.com.      1    IN    A       104.21.32.1    ; Proxied
www.example.com.  1    IN    CNAME   example.com.   ; Proxied

# Website on Vercel
example.com.      300  IN    A       76.76.21.21
www.example.com.  300  IN    CNAME   cname.vercel-dns.com.

# Subdomain for API on different server
api.example.com.  300  IN    A       10.0.1.50

# Subdomain for staging
staging.example.com. 300 IN  CNAME   staging-abc123.netlify.app.

# Email with Google Workspace
example.com.    3600  IN    MX    1   aspmx.l.google.com.
example.com.    3600  IN    MX    5   alt1.aspmx.l.google.com.
example.com.    3600  IN    TXT   "v=spf1 include:_spf.google.com ~all"
_dmarc.example.com. 3600 IN TXT  "v=DMARC1; p=quarantine; rua=mailto:[email protected]"

# Redirect www to non-www (or vice versa)
# Option 1: CNAME + server-side redirect
# Option 2: Cloudflare Page Rule: www.example.com/* → 301 → example.com/$1

Developer Tools for DNS and Networking

Decode Base64 DKIM keys with our Base64 Encoder/Decoder. Format DNS configuration exports with the JSON Formatter. Generate unique identifiers for DNS-based service discovery with the UUID Generator.
