DNS Records Reference

Every DNS record type that matters, with format and the gotchas.

By Λ · Updated May 18, 2026

DNS has over 80 record types but you will only ever touch about a dozen. Here are the ones worth knowing, in order of how often you will need them.

A

Most common. Maps a name to an IPv4 address.

example.com.    300    IN  A     93.184.216.34

TTL 300 = resolvers may cache the record for 300 seconds. Lower TTL = faster propagation when you change the record, but more DNS queries.

AAAA

Maps a name to an IPv6 address. (Four-A, because IPv6 addresses are four times the size of IPv4.)

example.com.    300    IN  AAAA  2606:2800:220:1:248:1893:25c8:1946

CNAME

Alias from one name to another. www → example.com.

www.example.com.    3600   IN  CNAME  example.com.

Gotcha: a CNAME cannot coexist with any other record at the same name. You cannot put both a CNAME and an MX on example.com. Many DNS providers solve this with ALIAS or ANAME records that act like a CNAME but at the apex.

MX

Mail Exchanger. Tells SMTP servers where to deliver email for the domain.

example.com.    3600   IN  MX  10  mail.example.com.
example.com.    3600   IN  MX  20  backup.example.com.

The number (10, 20) is the priority. Lower number = higher priority. backup.example.com only receives mail if mail.example.com is unreachable.

TXT

Arbitrary text. Used for:

example.com.    3600   IN  TXT  "v=spf1 include:_spf.google.com ~all"
_dmarc.example.com.    3600   IN  TXT  "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

NS

Nameservers. Tells the rest of the internet which servers are authoritative for this zone.

example.com.    86400  IN  NS  ns1.example.com.
example.com.    86400  IN  NS  ns2.example.com.

Changing NS records is how you switch DNS providers. The change goes through your registrar to the TLD nameservers (.com here), then reaches the rest of the internet as cached delegations expire. Allow 24-48 hours.

SOA

Start of Authority. Metadata about the zone. There is exactly one per zone.

example.com.  86400  IN  SOA  ns1.example.com. admin.example.com. (
    2026051801   ; serial number
    7200         ; refresh
    3600         ; retry
    1209600      ; expire
    300 )        ; minimum TTL

The serial number must increment on every change. Many DNS providers auto-increment; some require manual bumping.

CAA

Certificate Authority Authorization. Lists which CAs can issue certs for this domain.

example.com.    3600   IN  CAA  0 issue "letsencrypt.org"
example.com.    3600   IN  CAA  0 issuewild ";"
example.com.    3600   IN  CAA  0 iodef "mailto:security@example.com"

If you have CAA and try to issue from a CA not listed, the issuance fails. Common reason for "I cannot get a cert!" debugging.
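
When a cert request fails, it helps to evaluate the CAA set the way a CA does. The sketch below is an added example, not code from this page or from any CA; the helper names are hypothetical, and it assumes the records passed in are already the CAA set that applies to the name (it does not walk up to parent names).

```python
import shlex

# Constructed sample mirroring this section's records, in zone-file form.
ZONE = '''
example.com.    3600   IN  CAA  0 issue "letsencrypt.org"
example.com.    3600   IN  CAA  0 issuewild ";"
example.com.    3600   IN  CAA  0 iodef "mailto:security@example.com"
'''

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # flags bit: a CA must refuse if it does not understand the tag


def parse_caa(zone_text):
    """Return (flags, tag, value) for every 'name ttl IN CAA ...' line."""
    records = []
    for line in zone_text.splitlines():
        fields = shlex.split(line)  # also strips the quotes around the value
        if len(fields) == 7 and fields[2:4] == ["IN", "CAA"]:
            records.append((int(fields[4]), fields[5].lower(), fields[6]))
    return records


def issuer_domain(value):
    """Issuer part of an issue/issuewild value; '' for the ';' (nobody) form."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(records, ca_domain, wildcard=False):
    """Apply RFC 8659 rules to one name's CAA set (hypothetical helper)."""
    if any(f & CRITICAL and t not in KNOWN_TAGS for f, t, _ in records):
        return False
    issue = [issuer_domain(v) for _, t, v in records if t == "issue"]
    issuewild = [issuer_domain(v) for _, t, v in records if t == "issuewild"]
    # For a wildcard name, issuewild replaces issue whenever it is present.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:  # e.g. only iodef: CAA places no restriction
        return True
    return ca_domain.lower() in relevant


if __name__ == "__main__":
    caa = parse_caa(ZONE)
    for ca, wild in [("letsencrypt.org", False), ("letsencrypt.org", True)]:
        print(ca, "wildcard" if wild else "non-wildcard", may_issue(caa, ca, wild))
```

With the records above, the listed CA may issue for example.com but nobody may issue *.example.com, because issuewild ";" overrides the issue entry for wildcard names.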

DS and DNSKEY

DNSSEC chain of trust. DS (Delegation Signer) lives at the parent zone; DNSKEY lives at your zone.

example.com.    3600   IN  DS  2371 13 2 E0E2BC25...

Key Tag (2371), Algorithm (13 = ECDSA P-256), Digest Type (2 = SHA-256), Digest. If you enable DNSSEC at your DNS provider, you must publish the DS at your registrar so the chain validates.

SRV

Service location. Used by SIP, XMPP, Minecraft, Active Directory, and many service-discovery protocols.

_sip._tcp.example.com.    3600   IN  SRV  10 60 5060 sipserver.example.com.

Format: priority weight port target.

PTR

Reverse lookup. Maps an IP back to a hostname. Lives in the in-addr.arpa (IPv4) or ip6.arpa (IPv6) tree.

Mail servers check this for sender reputation. If your outbound mail server has no PTR or PTR does not match the HELO name, expect deliverability problems.
