DNS Records
Basic Entries
Domain names are resolved through DNS, the Domain Name System, which acts as the internet’s phonebook.
An A record (A for address) maps a name directly to an IPv4 address, while an AAAA record does the same for IPv6. A CNAME (canonical name) record is an alias that points one name to another, which must then be resolved further. A TXT record holds arbitrary text, often used today for email verification (SPF, DKIM, DMARC) or domain ownership checks.
In DNS zone files, @
is shorthand for the root of the zone — so in the mynl.com
zone, @
means mynl.com
. By contrast, www
or any other label (mail
, blog
) represents subdomains, www.mynl.com
. There is nothing special about www
: it’s just convention, a subdomain chosen in the early web era to signal “the web server”.
If you only define @
in your zone, then only the root domain (mynl.com
) will resolve. Subdomains like www.mynl.com
are separate names in DNS, and unless you explicitly add records for them they will fail with NXDOMAIN (“no such domain”). That often surprises people who assume www
comes for free. To make www
work, a common setup is to create a CNAME pointing back to the root:
@ IN A 203.0.113.45
www IN CNAME mynl.com.
Now both mynl.com
and www.mynl.com
resolve to the same IP. The browser still tells the web server which one was typed, and the server can serve the same content for both or redirect one to the other.
If you want all possible subdomains to work, you can add a wildcard (*
). For example:
@ IN A 203.0.113.45
* IN A 203.0.113.45
This makes cats.mynl.com
, blog.mynl.com
, or anything.mynl.com
all point to the same server automatically. Wildcards are convenient, but you lose some control — every undefined subdomain will resolve, even typos. For production sites, it’s common to explicitly define important subdomains (www
, mail
, api
) and only use wildcards in special cases.
DNS only maps names to IPs. Once a browser connects, the HTTP request carries a Host header that tells the server which name was used (Host: www.mynl.com
). That’s why one server at one IP can serve many different sites (virtual hosting) or redirect one name to another.
The IN
field you see in zone files simply means Internet class; in practice, all public DNS records use IN
. IPv6 addresses look enormous because they are: 128 bits long, written in 8 groups of hex numbers, with shorthand (::
) used to compress runs of zeros. There can be only on ::
in an IPv6 address, so
An NS record (Name Server record) tells the world which DNS servers are authoritative for a domain. For example, if mynl.com
has NS records pointing to ns65.domaincontrol.com
and ns66.domaincontrol.com
, that means those servers (run by GoDaddy) hold the zone file that contains the actual A, AAAA, CNAME, and TXT records for the domain. When someone looks up www.mynl.com
, the query flows step by step: the root DNS servers direct the resolver to the .com
servers, the .com
servers return the NS records for mynl.com
, and then the resolver asks those authoritative nameservers for the final answer. Changing your DNS provider is simply a matter of updating the NS records at your registrar so that the parent zone (like .com
) points to the new provider’s authoritative servers.
IPv4 = 32 bits (4 bytes), so it tops out at about 4.3 billion addresses. Example:
203.0.113.45
IPv6 = 128 bits (16 bytes) → about 3.4 × 10³⁸ addresses. It’s huge! Enough that we’ll never run out–famous last words. Example:
2001:0db8:0000:0000:0000:0000:0000:1234
Because that’s painful to type, the shorthand rules (::
, dropping leading zeros) are essential.
2001:0db8::1234
Example zone file
In a zone file ;
starts a comment, TTL
means time to live, IN
refers to the Internet class (always used in practice). The first line $ORIGIN
defines the domain name, subsequently abbreviated @
.
$ORIGIN mynl.com.
$TTL 3600 ; default cache time: 1 hour
; Root domain → IPv4 and IPv6
@ IN A 203.0.113.45
@ IN AAAA 2001:db8::1234
; www is just an alias of the root
www IN CNAME mynl.com.
; Wildcard: catch-all for any undefined subdomain
* IN A 203.0.113.45
; Text record, often used for mail policies or verification
@ IN TXT "v=spf1 include:_spf.google.com ~all"
Addresses fabricated! This minimal setup ensures that mynl.com
resolves for both IPv4 and IPv6. www.mynl.com
works via the CNAME. The wildcard makes any random subdomain resolves to the same IP. Finally, email verification records are in place via TXT
.
Exploring the DNS
The utility dig
is a common DNS query tool. Querying the root domain (mynl.com
) reveals:
$ dig mynl.com A +short
3.33.251.168
15.197.225.128
$ dig mynl.com AAAA +short
2001:db8::1234
So the root resolves to both IPv4 and IPv6 addresses. Querying the www
subdomain
$ dig www.mynl.com A +short
webapp-915645.pythonanywhere.com.
35.173.69.207
What happens behind the scenes:
- DNS looks up
www.mynl.com
. - Finds the CNAME →
mynl.com
. - Then follows that to the A record.
If you ask for the full answer instead of +short
, you see the chain:
$ dig www.mynl.com
;; ANSWER SECTION:
www.mynl.com. 218 IN CNAME webapp-915645.pythonanywhere.com.
webapp-915645.pythonanywhere.com. 218 IN A 35.173.69.207
dig
lets you see directly how your zone file entries resolve into the answers your browser uses.
Host headers
Here’s the last piece of the puzzle: what happens after DNS resolution, when the browser actually talks to the server. Let’s say you type www.mynl.com
in the browser.
- Browser asks DNS: “What IP is
www.mynl.com
?” - DNS replies: “That’s a CNAME to
mynl.com
, which has A = 203.0.113.45” - Browser now knows the IP: 203.0.113.45
The browser then opens a TCP connection to 203.0.113.45 on port 80 (HTTP) or 443 (HTTPS).
Here’s the HTTP request host header the browser actually sends over the wire (simplified HTTP/1.1 request)
GET / HTTP/1.1
Host: www.mynl.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) ...
Accept: text/html,application/xhtml+xml
Notice that even though DNS gave the same IP for both mynl.com
and www.mynl.com
, the Host header tells the server which name was typed. This means the server can now: serve the same content for both; redirect one to the other (common for SEO, e.g. redirect mynl.com
→ www.mynl.com
); or serve entirely different sites (this is called virtual hosting).
Example in Caddy:
mynl.com {
redir https://www.mynl.com{uri}
}
www.mynl.com {
root * /var/www/mynl
file_server
}
Here {uri}
is a placeholder that means “whatever path/query the user originally asked for.” Note, the redirect is to https
.
TLS
TLS stands for Transport Layer Security. It’s the protocol that puts the “S” in HTTPS — the padlock you see in your browser.
TLS = Transport Layer Security.
It’s the protocol that puts the “S” in HTTPS — the padlock you see in your browser. It does three things. Encryption: scrambles the data so nobody in between (ISP, café Wi-Fi, etc.) can read it. Authentication: uses certificates to prove you’re really talking to example.com
, not an impostor. Integrity: ensures the data isn’t tampered with while in transit.