1. Overview

DNS records are instructions in DNS servers for resolving domain names to IP addresses and for obtaining domain details such as their name servers, mail servers, and subdomains. We can also use them to verify ownership, configure external services, and prevent spam and other abuses.

A Time-To-Live (TTL) value is mandatory for every DNS record. It specifies the number of seconds after which a non-authoritative DNS server will update its cached copy of a particular DNS record by asking an authoritative DNS server for a new one. However, we won’t cover TTL values in this tutorial.

In this tutorial, we’ll look at common DNS record types that we can encounter in domain management. As an example, we’ll examine the DNS records for baeldung.com using nslookup, a cross-platform networking utility for Linux, macOS, Windows and other operating systems.

2. Name Server (NS) Records

In general, a domain has one primary authoritative DNS server and one or more secondary authoritative DNS servers for reliability, as indicated by the NS records:

nslookup -type=ns baeldung.com
[...]
baeldung.com	nameserver = lakas.ns.cloudflare.com.
baeldung.com	nameserver = meera.ns.cloudflare.com.

In this case, the authoritative servers are those of Cloudflare, a popular security service that sits between the client and the server. As a result, we can expect that the domain resolution won’t give us an IP of a host where baeldung.com is actually running, but an IP of Cloudflare. We’ll verify this in the next section.

3. A and AAAA Records

The A and AAAA records are essential for resolving domain names into IP addresses. A records indicate the IPv4 addresses available for resolution, while AAAA records indicate IPv6 addresses. It’s common for a domain name to map to multiple IPv4 or IPv6 addresses for redundancy:

nslookup -q=A baeldung.com
[...]
Name:	baeldung.com
Address: 172.66.43.8
Name:	baeldung.com
Address: 172.66.40.248
 
nslookup -q=AAAA baeldung.com
[...]
baeldung.com	has AAAA address 2606:4700:3108::ac42:2b08
baeldung.com	has AAAA address 2606:4700:3108::ac42:28f8

We said earlier that we can assume that these IP addresses belong to Cloudflare. We can do a quick check using the cross-platform whois command or, if not available, an equivalent online service:

whois 172.66.43.8
[...]
Organization:   Cloudflare, Inc. (CLOUD14)
[...]

Sometimes reverse DNS, from IP address to domain, is also possible to facilitate troubleshooting and network monitoring.

4. Canonical Name (CNAME) Records

CNAME records are an alternative to A and AAAA records when we want to indicate that a domain is an alias, i.e., another name, of another domain. The subdomains of baeldung.com, such as www.baeldung.com, don’t use CNAME records:

nslookup -q=cname www.baeldung.com
[...]
*** Can't find www.baeldung.com: No answer

So we need to use a different example. Let’s take the case of www.informatica-libera.net:

nslookup -q=cname www.informatica-libera.net
[...]
www.informatica-libera.net	canonical name = informatica-libera.net.

The canonical name must always be a domain, never an IP address. Thus, to resolve the domain www.informatica-libera.net to an IP address, DNS must first obtain its canonical name, which is informatica-libera.net, and then query its A record:

nslookup -q=A www.informatica-libera.net
[...]
www.informatica-libera.net	canonical name = informatica-libera.net.
Name:	informatica-libera.net
Address: 45.77.139.203

In contrast, www.baeldung.com, which isn’t an alias and doesn’t have a CNAME, has its own A and AAAA records.
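
The following Python code is an added example, not part of the original tutorial. It follows the two-step resolution described above (CNAME first, then the A record of the canonical name) over a small constructed record table, and stops on alias loops. The names RECORDS, MAX_CHAIN and resolve are our own, and the hop limit is an assumption:

```python
# Constructed record table mirroring the nslookup answers shown above.
RECORDS = {
    ("www.informatica-libera.net", "CNAME"): ["informatica-libera.net"],
    ("informatica-libera.net", "A"): ["45.77.139.203"],
    ("baeldung.com", "A"): ["172.66.43.8", "172.66.40.248"],
}
MAX_CHAIN = 8  # assumed cap on alias hops; real resolvers pick their own limit


def resolve(name, rtype="A", records=RECORDS):
    """Return (chain, answers): the alias hops followed and the final records."""
    chain, seen = [], set()
    current = name.rstrip(".").lower()
    while True:
        # An alias that points back to a name already visited never resolves.
        if current in seen or len(chain) >= MAX_CHAIN:
            raise RuntimeError(f"CNAME loop or chain too long at {current}")
        seen.add(current)
        target = records.get((current, "CNAME"))
        if not target:
            # No alias here: answer with the requested type, if any exists.
            return chain, records.get((current, rtype), [])
        chain.append((current, target[0]))
        current = target[0].rstrip(".").lower()


if __name__ == "__main__":
    print(resolve("www.informatica-libera.net"))
    print(resolve("baeldung.com"))
```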

5. TXT Records

TXT records are strings of text with a maximum length of 255 characters, usually helpful for ownership verification and spam prevention. Any other usage is acceptable, so we can write anything in a TXT record, as the following example shows:

nslookup -q=txt archiviodigiulioripa.sytes.net
[...]
archiviodigiulioripa.sytes.net	text = "In memory of a dear friend"

However, let’s focus on the most common uses.

5.1. Ownership Verification

Let’s look at the first two TXT records for baeldung.com:

nslookup -q=txt baeldung.com
[...]
baeldung.com	text = "facebook-domain-verification=ny2v0v0otsbrog31izabxocdl2e43k"
baeldung.com	text = "google-site-verification=CUkSh9SC1Uf7Og5HzAuC5D51G4mldmDLqn766U1ZXW8"
[...]

As we can easily guess, the DNS administrator entered the codes provided by Facebook and Google to verify domain ownership. Another similar usage of TXT records is in the _acme-challenge subdomains:

nslookup -q=txt _acme-challenge.ricercaalternativa.mydissent.net
[...]
_acme-challenge.ricercaalternativa.mydissent.net	text = "5rlYYzYHSNpi2dL9RnGODaPii55pDUsOb701kezBs0w"

Let’s Encrypt’s DNS-01 challenge documentation describes this type of use. In short, it’s an alternative way to verify domain ownership when fully automated methods, such as using a dedicated web server plugin, aren’t possible.

5.2. Spam Prevention

Sender Policy Framework (SPF) is a protocol for determining which servers have permission to send e-mail from mailboxes in a domain. The third TXT record for baeldung.com is an SPF record:

nslookup -q=txt baeldung.com
[...]
baeldung.com	text = "v=spf1 mx a include:_spf.google.com ~all"

The SPF syntax has its official documentation. In this case, we can read baeldung.com’s record as follows:

  • v=spf1 indicates the SPF protocol version
  • mx means that any server within baeldung.com’s MX records can send e-mails
  • a specifies that any server within baeldung.com’s A records can also send e-mails
  • include:_spf.google.com allows e-mails to be sent from Google Workspace, as specified in its documentation
  • ~all specifies a softfail status for any e-mail that doesn’t match the previous rules, so that the receiving server can accept the mismatched e-mails but mark them as spam

By using SPF records, we can help prevent e-mail spoofing and phishing attacks and improve our e-mail deliverability and reputation.
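
The following Python code is an added example, not part of the original tutorial. It splits an SPF string into its terms, as we did by hand above, and reports how senders that match no term are treated. The names parse_spf and review_spf are our own; include: targets and redirect= modifiers aren’t followed:

```python
import re

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}  # RFC 7208


def parse_spf(record):
    """Split an SPF TXT string into (result, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    terms = []
    for part in parts[1:]:
        if "=" in part.split(":", 1)[0]:
            continue  # modifier (redirect=, exp=), not a mechanism
        qualifier = part[0] if part[0] in QUALIFIERS else "+"  # "+" is implied
        match = re.match(r"([A-Za-z0-9]+)(.*)", part.lstrip("+-~?"))
        name = match.group(1).lower() if match else ""
        if name not in MECHANISMS:
            raise ValueError(f"unknown mechanism in term {part!r}")
        terms.append((QUALIFIERS[qualifier], name, match.group(2).lstrip(":")))
    return terms


def review_spf(record):
    """Return (default_result, notes) for senders that match no earlier term."""
    terms = parse_spf(record)
    names = [name for _, name, _ in terms]
    if "all" not in names:
        return "neutral", ["no 'all' term: default is neutral unless redirect= applies"]
    position = names.index("all")
    default, notes = terms[position][0], []
    if position != len(terms) - 1:
        notes.append("terms after 'all' are never evaluated")
    if default == "pass":
        notes.append("+all authorizes every host on the Internet")
    elif default in ("softfail", "neutral"):
        notes.append(f"{default} on 'all': receivers may still accept spoofed mail")
    return default, notes


# The record shown above for baeldung.com.
RECORD = "v=spf1 mx a include:_spf.google.com ~all"

if __name__ == "__main__":
    for term in parse_spf(RECORD):
        print(term)
    print(review_spf(RECORD))
```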

6. MX Records

MX records specify which servers are responsible for receiving e-mails, so the sender knows where to deliver them. For example, there are five servers that can accept e-mails for baeldung.com, each with a priority value. The lower the priority value, the higher the preference:

nslookup -q=mx baeldung.com
[...]
baeldung.com	mail exchanger = 1 aspmx.l.google.com.
baeldung.com	mail exchanger = 5 alt1.aspmx.l.google.com.
baeldung.com	mail exchanger = 10 aspmx3.googlemail.com.
baeldung.com	mail exchanger = 5 alt2.aspmx.l.google.com.
baeldung.com	mail exchanger = 10 aspmx2.googlemail.com.

The sender’s e-mail server will first try to connect to the most preferred server, which is aspmx.l.google.com with a priority of 1. If this fails, it’ll try the next most preferred server, which is alt1.aspmx.l.google.com with a priority of 5, and so on until it succeeds or exhausts all options.
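
The following Python code is an added example, not part of the original tutorial. It parses the nslookup answer above into preference tiers and builds one possible attempt order; hosts that share a preference value, such as the two servers with priority 5, are tried in random order, as RFC 5321 requires of senders. The names mx_tiers and delivery_order are our own:

```python
import random
import re
from collections import defaultdict

# Constructed input: the nslookup answer lines shown above.
NSLOOKUP_MX = """\
baeldung.com\tmail exchanger = 1 aspmx.l.google.com.
baeldung.com\tmail exchanger = 5 alt1.aspmx.l.google.com.
baeldung.com\tmail exchanger = 10 aspmx3.googlemail.com.
baeldung.com\tmail exchanger = 5 alt2.aspmx.l.google.com.
baeldung.com\tmail exchanger = 10 aspmx2.googlemail.com.
"""

# domain, preference value, exchanger host (trailing root dot dropped)
MX_LINE = re.compile(r"^(\S+)\s+mail exchanger = (\d+)\s+(\S+?)\.?$")


def mx_tiers(nslookup_output):
    """Group MX hosts by preference, lowest value (most preferred) first."""
    tiers = defaultdict(list)
    for line in nslookup_output.splitlines():
        match = MX_LINE.match(line.strip())
        if match:  # skip "[...]" and any other non-answer lines
            tiers[int(match.group(2))].append(match.group(3).lower())
    return [(pref, sorted(hosts)) for pref, hosts in sorted(tiers.items())]


def delivery_order(nslookup_output, rng=random):
    """One attempt order a sender could use: tiers ascending, ties shuffled."""
    order = []
    for _, hosts in mx_tiers(nslookup_output):
        hosts = list(hosts)
        rng.shuffle(hosts)
        order.extend(hosts)
    return order


if __name__ == "__main__":
    for pref, hosts in mx_tiers(NSLOOKUP_MX):
        print(pref, hosts)
    print(delivery_order(NSLOOKUP_MX))
```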

By using MX records, a domain can delegate e-mail handling to a third-party service provider, such as Google in this case.

7. Conclusion

In this article, we’ve taken a look at the DNS records that are most likely to interest us as domain administrators:

  • NS records → authoritative name servers for a domain
  • A and AAAA records → they point a domain or a subdomain to an IPv4 or IPv6 address, respectively
  • CNAME records → they create an alias for another domain or subdomain
  • TXT records → they store arbitrary text, often used for verification or configuration purposes
  • MX records → they are used to route e-mail messages to the correct destination

However, there are many other types of DNS records that we may need for very specific purposes.