DNS Records Reference
Every DNS record type that matters, with format and the gotchas.
By Λ · Updated May 18, 2026
DNS has over 80 record types but you will only ever touch about a dozen. Here are the ones worth knowing, in order of how often you will need them.
A
Most common. Maps a name to an IPv4 address.
example.com. 300 IN A 93.184.216.34
TTL 300 = the record is valid for 300 seconds. Lower TTL = faster propagation when you change the record, but more DNS queries.
AAAA
Maps a name to an IPv6 address. (Four-A, because IPv6 addresses are four times the size of IPv4.)
example.com. 300 IN AAAA 2606:2800:220:1:248:1893:25c8:1946
CNAME
Alias from one name to another. www → example.com.
www.example.com. 3600 IN CNAME example.com.
Gotcha: a CNAME cannot coexist with any other record at the same name. You cannot put both a CNAME and an MX on example.com. Many DNS providers solve this with ALIAS or ANAME records that act like a CNAME but at the apex.
MX
Mail Exchanger. Tells SMTP servers where to deliver email for the domain.
example.com. 3600 IN MX 10 mail.example.com.
example.com. 3600 IN MX 20 backup.example.com.
The number (10, 20) is the priority. Lower number = higher priority. backup.example.com only receives mail if mail.example.com is unreachable.
TXT
Arbitrary text. Used for:
- SPF: v=spf1 include:_spf.google.com ~all
- DKIM: usually at selector._domainkey.example.com
- DMARC: at _dmarc.example.com
- Domain verification: Google, Microsoft, etc. all use TXT for ownership proof
- Site verification: search engines, social networks, certificate issuers
example.com. 3600 IN TXT "v=spf1 include:_spf.google.com ~all"
_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
NS
Nameservers. Tells the rest of the internet which servers are authoritative for this zone.
example.com. 86400 IN NS ns1.example.com.
example.com. 86400 IN NS ns2.example.com.
Changing NS records is how you switch DNS providers. The change has to propagate from the registrar to the TLD nameservers (.com here), then to the rest of the internet. Allow 24-48 hours.
SOA
Start of Authority. Metadata about the zone. There is exactly one per zone.
example.com. 86400 IN SOA ns1.example.com. admin.example.com. (
2026051801 ; serial number
7200 ; refresh
3600 ; retry
1209600 ; expire
300 ) ; minimum TTL
The serial number must increment on every change. Many DNS providers auto-increment; some require manual bumping.
CAA
Certificate Authority Authorization. Lists which CAs can issue certs for this domain.
example.com. 3600 IN CAA 0 issue "letsencrypt.org"
example.com. 3600 IN CAA 0 issuewild ";"
example.com. 3600 IN CAA 0 iodef "mailto:security@example.com"
If you have CAA and try to issue from a CA not listed, the issuance fails. Common reason for "I cannot get a cert!" debugging.
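To see why an issuance request fails, it helps to evaluate the record set the way a CA does. The following is an added example, not part of the original reference: it applies the RFC 8659 rules to a constructed record set modelled on the one above. The function names and the `ca.example` identifier are hypothetical, and it checks a single name only (no climbing to parent names).

```python
import shlex

# Constructed sample RRset for illustration.
ZONE = '''\
example.com. 3600 IN CAA 0 issue "letsencrypt.org"
example.com. 3600 IN CAA 0 issuewild ";"
example.com. 3600 IN CAA 0 iodef "mailto:security@example.com"
'''

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parse_caa(zone_text):
    """Return (flags, tag, value) tuples for every CAA line in zone_text."""
    records = []
    for line in zone_text.splitlines():
        fields = shlex.split(line, comments=False)  # honours the quoted value
        if len(fields) == 7 and fields[3].upper() == "CAA":
            records.append((int(fields[4]), fields[5].lower(), fields[6]))
    return records


def issuer_domain(value):
    """Drop parameters after ';'. An empty result means 'no CA allowed'."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(records, ca_domain, wildcard=False):
    """Decide whether ca_domain may issue, given one name's CAA records."""
    # A critical record (flag bit 128) with an unrecognised tag blocks issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    issue = [issuer_domain(v) for _, t, v in records if t == "issue"]
    issuewild = [issuer_domain(v) for _, t, v in records if t == "issuewild"]
    # issuewild, when present, replaces issue for wildcard requests only.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # only iodef or unknown tags: CAA does not restrict issuance
    return ca_domain.lower() in relevant
```

With this record set, Let's Encrypt may issue for example.com but no CA may issue a wildcard, because `issuewild ";"` overrides the `issue` record for wildcard requests.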
DS and DNSKEY
DNSSEC chain of trust. DS (Delegation Signer) lives at the parent zone; DNSKEY lives at your zone.
example.com. 3600 IN DS 2371 13 2 E0E2BC25...
Key Tag (2371), Algorithm (13 = ECDSA P-256), Digest Type (2 = SHA-256), Digest. If you enable DNSSEC at your DNS provider, you must publish the DS at your registrar so the chain validates.
SRV
Service location. Used by SIP, XMPP, Minecraft, Active Directory, and many service-discovery protocols.
_sip._tcp.example.com. 3600 IN SRV 10 60 5060 sipserver.example.com.
Format: priority weight port target.
PTR
Reverse lookup. Maps an IP back to a hostname. Lives in the in-addr.arpa (IPv4) or ip6.arpa (IPv6) tree.
Mail servers check this for sender reputation. If your outbound mail server has no PTR or PTR does not match the HELO name, expect deliverability problems.