DNS (Domain Name System) records are instructions stored in the DNS that provide information about a domain, such as its corresponding IP addresses, mail servers, verification data, and more.
They serve as a directory, helping web browsers, mail servers, and other networked services find the correct destinations and resources. Below are the most common DNS record types, their purposes, and examples.
Remember, every host on the Internet is identified by an IP address, and DNS maps user-friendly host or domain names to the corresponding IP addresses.
Many different types of DNS records can be created and managed. The more common ones are listed below with examples.
1. A Record (Address Record)
Purpose: The A record is one of the most fundamental records in DNS. For any website that has a domain name, you would need an A record to map the domain name to the IP address of the server hosting the domain content. A records specifically work with IPv4 addresses.
Example of A record:
www.demosite.com. 3600 IN A 207.124.120.25
This means the content of www.demosite.com is hosted on a server with the IPv4 address 207.124.120.25, and the DNS record maps www.demosite.com to that address. This A record has a Time To Live (TTL) of 3600 seconds.
2. AAAA Record (IPv6 Address Record)
Purpose: The AAAA record works in the same way the A record does. It maps a domain name or hostname to an IPv6 (IP version 6) address.
Example of AAAA record:
www.demosite.com. 3600 IN AAAA 2001:db8:1234::1
This points www.demosite.com to the IPv6 address 2001:db8:1234::1.
3. CNAME Record (Canonical Name Record)
Purpose: Canonical name records are very commonly used. A CNAME is an alias record: it makes one domain or subdomain an alias of another domain name. When a DNS resolver encounters a CNAME, it replaces the query with the canonical name specified.
Example of CNAME record:
docs.demosite.com. 3600 IN CNAME www.demosite.com.
This directs docs.demosite.com to www.demosite.com. When a user queries docs.demosite.com, DNS returns the record for www.demosite.com.
4. MX Record (Mail Exchange Record)
Purpose: An MX record is a mail exchange record. It provides the DNS records needed to set up email services for a domain name or host name.
An MX record specifies which mail server(s) accept incoming email for a domain, along with their priorities. You can set up multiple incoming servers with MX records. The server with the lower priority number accepts email before the servers with higher priority numbers.
A good example is the set of multiple MX records needed to set up Google Workspace or Microsoft email services.
Example of MX records:
demosite.com. 3600 IN MX 10 mail1.demosite.com.
demosite.com. 3600 IN MX 20 mail2.demosite.com.
mail1.demosite.com is the primary mail server (priority 10), and mail2.demosite.com is the backup or secondary mail server (priority 20).
5. TXT Record (Text Record)
Purpose: Text records hold arbitrary text information. These records are commonly used for Sender Policy Framework (SPF), domain verification (for Google Workspace, Microsoft 365), and other service validations.
Example of a TXT record:
demosite.com. 3600 IN TXT "v=spf1 include:_spf.google.com ~all"
This SPF record states that Google’s mail servers are authorized to send email on behalf of demosite.com.
6. NS Record (Name Server Record)
Purpose: NS records are name server records. They identify the name servers that host a domain's DNS records, including the mappings from domain names to server IP addresses. A name server that is authoritative for a site takes responsibility for providing accurate DNS records for the specified domain or host name.
Example of NS records:
demosite.com. 3600 IN NS ns1.demosite.net.
demosite.com. 3600 IN NS ns2.demosite.net.
ns1.demosite.net and ns2.demosite.net are authoritative name servers for demosite.com.
7. SOA Record (Start of Authority)
Purpose: The SOA record contains administrative information about the zone, including the primary name server, the email address of the domain administrator, and timing parameters for zone transfers.
Example of an SOA record:
demosite.com. 3600 IN SOA ns1.demosite.net. admin.demosite.com. (
2024121401 ; Serial
7200 ; Refresh (2 hours)
3600 ; Retry (1 hour)
1209600 ; Expire (2 weeks)
3600 ; Minimum TTL (1 hour)
)
The primary name server is ns1.demosite.net and the contact email is admin@demosite.com (the . before the domain substitutes for @ in DNS notation).
The SOA record would be part of every DNS zone file.
8. PTR Record (Pointer Record)
Purpose: The PTR record works the opposite way to an A record. It maps an IP address to a domain name for reverse lookups. Reverse lookups matter for overall security and for establishing which server hosts a specific domain name.
Example of a PTR record:
24.25.26.208.in-addr.arpa. 3600 IN PTR www.demosite.com.
This maps the IP address 208.26.25.24 back to www.demosite.com.
Many sites on the Internet offer reverse lookup services, and some paid subscription services offer them as well.
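A PTR record is only a claim made by whoever controls the reverse zone, so security checks usually confirm it with a forward lookup. The following is an added example, not part of the original article: it runs that forward-confirmed check offline over this page's sample records plus one constructed PTR entry, and the function names are illustrative.

```python
import ipaddress

# Records from this page, plus one constructed PTR so both outcomes are visible.
FORWARD = {
    "www.demosite.com.": ["207.124.120.25", "2001:db8:1234::1"],  # A and AAAA examples
}
PTR = {
    "24.25.26.208.in-addr.arpa.": ["www.demosite.com."],    # PTR example above
    "25.120.124.207.in-addr.arpa.": ["www.demosite.com."],  # constructed for this example
}


def reverse_name(ip):
    """Build the in-addr.arpa / ip6.arpa owner name that holds the PTR for `ip`."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def confirmed_hostnames(ip, ptr=PTR, forward=FORWARD):
    """Return only the PTR targets whose A/AAAA records point back to `ip`."""
    addr = ipaddress.ip_address(ip)
    confirmed = []
    for host in ptr.get(reverse_name(ip), []):
        forward_addrs = forward.get(host.lower(), [])
        # Compare parsed addresses so different IPv6 spellings still match.
        if any(ipaddress.ip_address(a) == addr for a in forward_addrs):
            confirmed.append(host)
    return confirmed


if __name__ == "__main__":
    for ip in ("208.26.25.24", "207.124.120.25", "2001:db8:1234::1"):
        names = confirmed_hostnames(ip)
        print(ip, "->", names or "no forward-confirmed name")
```

With the page's records, 208.26.25.24 has a PTR naming www.demosite.com, but the A record for that name points to 207.124.120.25, so the claim is not confirmed.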
The records above are the most commonly used DNS records. There are other DNS records that you would do well to be aware of.
These are discussed in brief below.
9. SRV Record (Service Record)
An SRV (Service) record is a type of DNS record used to specify the hostname and port number of servers for particular services within a domain. SRV records tell clients how to find specific services (such as VoIP, messaging, or directory services) by providing:
- Service Name and Protocol: Identifies the type of service (e.g., _sip._tcp for SIP over TCP).
- Priority: Indicates which server should be tried first. Lower numbers mean higher priority.
- Weight: Helps distribute load among servers with the same priority.
- Port: The specific port on which the service is running.
- Target (Hostname): The domain name of the server hosting the service.
Example of SRV record:
_sip._tcp.demosite.com. 3600 IN SRV 10 60 5060 sipserver.demosite.com.
This indicates that the SIP service for demosite.com is on sipserver.demosite.com, port 5060, with priority 10 and weight 60.
10. CAA Record (Certification Authority Authorization)
Purpose: Specifies which certificate authorities (CAs) are allowed to issue SSL/TLS certificates for the domain, adding a layer of security to prevent unauthorized certificate issuance.
Example of CAA record:
demosite.com. 3600 IN CAA 0 issue "letsencrypt.org"
demosite.com. 3600 IN CAA 0 issuewild ";"
The CAA records in the above example state that the certificate authority allowed to issue SSL/TLS certificates for demosite.com is Let's Encrypt. The issuewild ";" record also states that wildcard certificates are disallowed.
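How a CA evaluates these records can be sketched in a few lines. This is an added example, not part of the original article: it follows the lookup rules of RFC 8659 over constructed zone data holding the two records above, goes slightly beyond the text by handling the critical flag and names with no CAA records, and uses illustrative function names and placeholder CA names.

```python
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone data: the two CAA records above, as (flags, tag, value).
ZONE = {
    "demosite.com.": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
}


def relevant_rrset(name, zone):
    """Climb from the requested name toward the root; return the first CAA RRset."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":          # a wildcard request is evaluated at its parent
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return []


def may_issue(ca_domain, name, zone=ZONE):
    """True if the CAA records permit `ca_domain` to issue for `name`."""
    rrset = [(f, t.lower(), v) for f, t, v in relevant_rrset(name, zone)]
    # An unrecognized property with the critical bit (128) set blocks issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, tag, v in rrset if tag == "issue"]
    issuewild = [v for _, tag, v in rrset if tag == "issuewild"]
    # issuewild applies only to wildcard requests, and then replaces issue.
    props = issuewild if name.startswith("*.") and issuewild else issue
    if not props:                 # no property restricts this request
        return True
    # The issuer is the part before any ";" parameters; ";" alone names no CA.
    return any(v.split(";")[0].strip().lower() == ca_domain.lower() for v in props)


if __name__ == "__main__":
    for ca, name in [("letsencrypt.org", "www.demosite.com."),
                     ("letsencrypt.org", "*.demosite.com."),
                     ("otherca.example", "demosite.com.")]:
        verdict = "allowed" if may_issue(ca, name) else "refused"
        print(f"{ca:18} {name:20} {verdict}")
```

Note that www.demosite.com has no CAA records of its own, so the records at demosite.com apply to it.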
11. DNAME Record (Delegation Name)
Purpose: Redirects a subtree of the DNS namespace to another domain. Unlike CNAME (which applies to a single node), DNAME redirects all subdomains.
Example of DNAME record:
sub.demosite.com. 3600 IN DNAME demosite2.com.
All queries for anything.sub.demosite.com are redirected to anything.demosite2.com.
12. NAPTR Record (Naming Authority Pointer)
Purpose: Used for more complex rewriting rules that facilitate services like SIP and ENUM.
Example:
demosite.com. 3600 IN NAPTR 100 10 "U" "E2U+sip" "!^.*$!sip:[email protected]!i"
This indicates a rewrite rule that directs queries to sip:[email protected].
13. DNSKEY Record (DNS Key Record)
Purpose: Publishes a public key that DNSSEC (DNS Security Extensions) uses to authenticate DNS data.
Example:
demosite.com. 3600 IN DNSKEY 256 3 8 AwEAAa...
This public key is used in DNSSEC validations.
14. RRSIG Record (Resource Record Signature)
Purpose: Contains a cryptographic signature used by DNSSEC to verify that a set of DNS records is authentic.
Example:
demosite.com. 3600 IN RRSIG A 8 3 3600 20250101000000 20241214000000 12345 demosite.com. AwEAAa...
This is a DNSSEC signature for the A record of demosite.com.
15. TLSA Record (Transport Layer Security Authentication)
Purpose: Associates a TLS server certificate or public key with a domain, enabling DANE (DNS-Based Authentication of Named Entities).
Example:
_443._tcp.demosite.com. 3600 IN TLSA 3 1 1 2A3B4C5D...
This binds a TLS certificate fingerprint for demosite.com’s HTTPS service.
16. SSHFP Record (SSH Fingerprint Record)
Purpose: Publishes SSH public key fingerprints in DNS, allowing SSH clients to verify server keys via DNSSEC.
Example:
demosite.com. 3600 IN SSHFP 1 1 123456789abcdef...
This provides the SSH fingerprint for demosite.com.
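The two numbers in an SSHFP record are the key algorithm and the fingerprint type (1 is SHA-1, 2 is SHA-256), and the fingerprint is a hash of the server's public key blob. The following is an added example, not part of the original article: it derives the record data from an OpenSSH public key line and checks a presented key against it, using a constructed Ed25519 key blob and illustrative function names.

```python
import base64
import hashlib
import hmac
import struct

KEY_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4}  # ecdsa-sha2-* is 3
FP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def key_blob(pubkey_line):
    """Return (key type, decoded key blob) from an OpenSSH public key line."""
    key_type, b64 = pubkey_line.split()[:2]
    return key_type, base64.b64decode(b64)


def sshfp_rdata(pubkey_line, fp_type=2):
    """Build '<algorithm> <fp type> <hex fingerprint>' for a public key."""
    key_type, blob = key_blob(pubkey_line)
    alg = 3 if key_type.startswith("ecdsa-sha2-") else KEY_ALG[key_type]
    return f"{alg} {fp_type} {FP_HASH[fp_type](blob).hexdigest()}"


def key_matches(pubkey_line, rdata):
    """Check the key a server presents against published SSHFP record data."""
    alg, fp_type, *fp = rdata.split()     # zone files may split the hex string
    if int(fp_type) not in FP_HASH:
        return False
    published = f"{alg} {fp_type} {''.join(fp)}".lower()
    return hmac.compare_digest(sshfp_rdata(pubkey_line, int(fp_type)), published)


def constructed_ed25519_line(raw32):
    """Constructed sample: wrap 32 bytes in the ssh-ed25519 wire format."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed-key"


if __name__ == "__main__":
    line = constructed_ed25519_line(bytes(range(32)))
    print("demosite.com. 3600 IN SSHFP", sshfp_rdata(line))
    print("same key matches:", key_matches(line, sshfp_rdata(line)))
```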
17. CERT Record (Certificate Record)
Purpose: Stores certificates, like X.509 or PGP, in DNS.
Example:
demosite.com. 3600 IN CERT 7 1 1 MIIBIjANBgkqhkiG...
This could hold a public key certificate for demosite.com.
18. LOC Record (Location Record)
Purpose: Specifies geographical coordinates (latitude, longitude, altitude), useful for geographic applications.
Example:
demosite.com. 3600 IN LOC 37 25 19.00 N 122 05 06.00 W 1m 10m 100m 10m
Provides a physical location for demosite.com.
19. HINFO Record (Host Information)
Purpose: Describes the CPU and operating system of a host. Rarely used due to privacy/security concerns.
Example:
demosite.com. 3600 IN HINFO "Intel" "Linux"
Indicates the host runs on an Intel CPU and Linux OS.
20. RP Record (Responsible Person)
Purpose: Specifies the mailbox of the person responsible for the domain.
Example:
demosite.com. 3600 IN RP admin.demosite.com. hostmaster.demosite.com.
admin@demosite.com is responsible for demosite.com.
Summary table of DNS records
The table below is a ready reckoner for DNS records.
Record Type | Purpose |
---|---|
A | Maps domain to IPv4 address |
AAAA | Maps domain to IPv6 address |
CNAME | Alias for another domain |
MX | Specifies mail servers |
TXT | Holds arbitrary text (e.g., SPF, verification) |
NS | Delegates to name servers |
SOA | Administrative information about the zone |
PTR | Reverse DNS lookup |
SRV | Specifies service location (port, protocol) |
CAA | Authorizes certificate authorities |
DNAME | Redirects a subtree of the DNS namespace |
NAPTR | Dynamic service discovery |
DNSKEY | Holds DNSSEC public keys |
RRSIG | DNSSEC signature for records |
TLSA | Associates TLS certificates with domain |
ALIAS | CNAME-like functionality at the root domain |
SSHFP | Stores SSH key fingerprints |
CERT | Associates a domain with a certificate |
SVCB/HTTPS | Provides service binding and parameters |
URI | Associates a domain with a URI |
NSEC/NSEC3 | Authenticated denial of existence (DNSSEC) |
CDS/CDNSKEY | Delegation signer records for DNSSEC |
DS | Delegation signer record for DNSSEC |
Rajesh Dhawan is a technology professional who loves to write about Cyber-security events and stories, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.