DNS Record Types Cheatsheet
What each DNS record type does, an example, and the gotcha that bites people in production.
Record reference
| Type | Purpose | Example | Notes |
|---|---|---|---|
| A | IPv4 address | example.com → 93.184.216.34 | Most common record. One name → one IPv4. |
| AAAA | IPv6 address | example.com → 2606:2800:220:1:: | IPv6 equivalent of A. |
| CNAME | Alias to another name | www → example.com. | Cannot coexist with other records on the same name. Never on apex. |
| MX | Mail exchange | 10 mail.example.com. | Lower preference number = preferred. Points to a hostname, not an IP. |
| TXT | Text data | v=spf1 include:_spf.google.com ~all | Used for SPF, DKIM, DMARC, domain verification. |
| NS | Authoritative nameserver | ns1.example.com. | Delegates a zone. Set at registrar and at the parent zone. |
| SOA | Start of authority | ns1 hostmaster serial refresh retry expire min | One per zone. Holds zone metadata and refresh timers. |
| PTR | Reverse DNS | 34.216.184.93.in-addr.arpa → example.com. | IP → name. Required for many mail servers. |
| SRV | Service location | _sip._tcp 10 60 5060 sipserver.example.com. | Priority + weight + port + target. Used by SIP, XMPP, AD. |
| CAA | Certificate authority authorization | 0 issue "letsencrypt.org" | Restricts which CAs can issue certs for a domain. |
| TLSA | DANE TLS binding | 3 1 1 <hash> | Pins a cert to a name. Requires DNSSEC. |
| DNSKEY / DS / RRSIG | DNSSEC | — | Public keys, delegation signers and signatures for DNSSEC validation. |
| ALIAS / ANAME | Apex alias | example.com → cdn.provider.net. | Provider-specific. Solves the 'no CNAME at apex' rule. |
| NAPTR | Naming authority pointer | 100 10 "u" "E2U+sip" "!^.*$!sip:user@ex!" . | ENUM and complex service discovery. |
FAQ
- Why can't I put a CNAME on my apex domain (example.com)?
  - RFC 1034 forbids a CNAME alongside other record types, and the apex always has SOA and NS records. Use ALIAS/ANAME (provider-specific) or an A record pointing to a stable IP.
- What's the difference between SPF, DKIM and DMARC?
  - SPF (TXT) authorizes which IPs can send mail. DKIM (TXT) signs messages cryptographically. DMARC (TXT) tells receivers what to do when SPF/DKIM fail and where to report.
- How long does a DNS change take to propagate?
  - Up to the record's TTL. Lower the TTL (e.g. 300s) before a planned change so resolvers refresh quickly.
- Do I need a PTR record?
  - Yes if you send email — most mail servers reject connections without matching forward and reverse DNS. PTR is set by whoever owns the IP block (usually your ISP or cloud provider).
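
A small zone linter for the CNAME and MX gotchas in the table and the first FAQ answer, as an added example that is not part of the original cheatsheet. The simplified `name type rdata` zone format, the sample records and the rule names are constructed for illustration; the RRSIG/NSEC exemption is the DNSSEC allowance for signed zones.

```python
import ipaddress
from collections import defaultdict

# Constructed sample zone in a simplified "name type rdata" form (not full RFC 1035 syntax).
SAMPLE_ZONE = """\
@     SOA   ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 300
@     NS    ns1.example.com.
@     CNAME cdn.provider.net.
@     MX    10 93.184.216.34
www   CNAME example.com.
www   TXT   "site-verification=abc"
shop  CNAME example.com.
shop  RRSIG CNAME 13 3 300 (signature elided)
"""

# In a signed zone, RRSIG and NSEC are permitted next to a CNAME (RFC 4035).
ALLOWED_WITH_CNAME = {"CNAME", "RRSIG", "NSEC"}

def fqdn(name, apex):
    """Normalise '@', relative and absolute names to a lowercase FQDN without trailing dot."""
    apex = apex.rstrip(".").lower()
    name = name.lower()
    if name == "@":
        return apex
    return name.rstrip(".") if name.endswith(".") else f"{name}.{apex}"

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def lint_zone(zone_text, apex):
    """Return a sorted list of (owner, rule) findings for the CNAME and MX gotchas."""
    types, findings = defaultdict(set), set()
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(";"):
            continue  # skip blanks, comments and malformed lines
        owner, rtype, rdata = fqdn(parts[0], apex), parts[1].upper(), parts[2:]
        types[owner].add(rtype)
        if rtype == "MX" and len(rdata) >= 2 and is_ip(rdata[1].rstrip(".")):
            findings.add((owner, "mx-target-is-ip"))  # MX must name a host, not an IP
    for owner, seen in types.items():
        if "CNAME" in seen and seen - ALLOWED_WITH_CNAME:
            rule = "cname-at-apex" if owner == fqdn("@", apex) else "cname-coexists"
            findings.add((owner, rule))
    return sorted(findings)
```

Calling `lint_zone(SAMPLE_ZONE, "example.com")` flags the apex CNAME, the MX that targets an IP, and the `www` CNAME that shares its name with a TXT record, while the DNSSEC-signed `shop` CNAME passes.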