DNS Records

programming
Author

Stephen J. Mildenhall

Published

2025-08-24

Modified

2025-08-24

Basic Entries

Domain names are resolved through DNS, the Domain Name System, which acts as the internet’s phonebook.

An A record (A for address) maps a name directly to an IPv4 address, while an AAAA record does the same for IPv6. A CNAME (canonical name) record is an alias that points one name to another, which must then be resolved further. A TXT record holds arbitrary text, often used today for email verification (SPF, DKIM, DMARC) or domain ownership checks.

In DNS zone files, @ is shorthand for the root of the zone — so in the mynl.com zone, @ means mynl.com. By contrast, www or any other label (mail, blog) represents subdomains, www.mynl.com. There is nothing special about www: it’s just convention, a subdomain chosen in the early web era to signal “the web server”.

If you only define @ in your zone, then only the root domain (mynl.com) will resolve. Subdomains like www.mynl.com are separate names in DNS, and unless you explicitly add records for them they will fail with NXDOMAIN (“no such domain”). That often surprises people who assume www comes for free. To make www work, a common setup is to create a CNAME pointing back to the root:

@       IN  A       203.0.113.45
www     IN  CNAME   mynl.com.

Now both mynl.com and www.mynl.com resolve to the same IP. The browser still tells the web server which one was typed, and the server can serve the same content for both or redirect one to the other.

If you want all possible subdomains to work, you can add a wildcard (*). For example:

@       IN  A       203.0.113.45
*       IN  A       203.0.113.45

This makes cats.mynl.com, blog.mynl.com, or anything.mynl.com all point to the same server automatically. Wildcards are convenient, but you lose some control — every undefined subdomain will resolve, even typos. For production sites, it’s common to explicitly define important subdomains (www, mail, api) and only use wildcards in special cases.

DNS only maps names to IPs. Once a browser connects, the HTTP request carries a Host header that tells the server which name was used (Host: www.mynl.com). That’s why one server at one IP can serve many different sites (virtual hosting) or redirect one name to another.

The IN field you see in zone files simply means Internet class; in practice, all public DNS records use IN. IPv6 addresses look enormous because they are: 128 bits long, written in 8 groups of hex numbers, with shorthand (::) used to compress runs of zeros. There can be only on :: in an IPv6 address, so

An NS record (Name Server record) tells the world which DNS servers are authoritative for a domain. For example, if mynl.com has NS records pointing to ns65.domaincontrol.com and ns66.domaincontrol.com, that means those servers (run by GoDaddy) hold the zone file that contains the actual A, AAAA, CNAME, and TXT records for the domain. When someone looks up www.mynl.com, the query flows step by step: the root DNS servers direct the resolver to the .com servers, the .com servers return the NS records for mynl.com, and then the resolver asks those authoritative nameservers for the final answer. Changing your DNS provider is simply a matter of updating the NS records at your registrar so that the parent zone (like .com) points to the new provider’s authoritative servers.

IPv4 and IPv6

IPv4 = 32 bits (4 bytes), so it tops out at about 4.3 billion addresses. Example:

203.0.113.45

IPv6 = 128 bits (16 bytes) → about 3.4 × 10³⁸ addresses. It’s huge! Enough that we’ll never run out–famous last words. Example:

2001:0db8:0000:0000:0000:0000:0000:1234

Because that’s painful to type, the shorthand rules (::, dropping leading zeros) are essential.

2001:0db8::1234

Example zone file

In a zone file ; starts a comment, TTL means time to live, IN refers to the Internet class (always used in practice). The first line $ORIGIN defines the domain name, subsequently abbreviated @.

$ORIGIN mynl.com.
$TTL 3600   ; default cache time: 1 hour

; Root domain → IPv4 and IPv6
@       IN  A       203.0.113.45
@       IN  AAAA    2001:db8::1234

; www is just an alias of the root
www     IN  CNAME   mynl.com.

; Wildcard: catch-all for any undefined subdomain
*       IN  A       203.0.113.45

; Text record, often used for mail policies or verification
@       IN  TXT     "v=spf1 include:_spf.google.com ~all"

Addresses fabricated! This minimal setup ensures that mynl.com resolves for both IPv4 and IPv6. www.mynl.com works via the CNAME. The wildcard makes any random subdomain resolves to the same IP. Finally, email verification records are in place via TXT.

Exploring the DNS

The utility dig is a common DNS query tool. Querying the root domain (mynl.com) reveals:

$ dig mynl.com A +short
3.33.251.168
15.197.225.128


$ dig mynl.com AAAA +short
2001:db8::1234

So the root resolves to both IPv4 and IPv6 addresses. Querying the www subdomain

$ dig www.mynl.com A +short
webapp-915645.pythonanywhere.com.
35.173.69.207

What happens behind the scenes:

  • DNS looks up www.mynl.com.
  • Finds the CNAME → mynl.com.
  • Then follows that to the A record.

If you ask for the full answer instead of +short, you see the chain:

$ dig www.mynl.com

;; ANSWER SECTION:
www.mynl.com.           218     IN      CNAME   webapp-915645.pythonanywhere.com.
webapp-915645.pythonanywhere.com. 218 IN A      35.173.69.207

dig lets you see directly how your zone file entries resolve into the answers your browser uses.

Host headers

Here’s the last piece of the puzzle: what happens after DNS resolution, when the browser actually talks to the server. Let’s say you type www.mynl.com in the browser.

  • Browser asks DNS: “What IP is www.mynl.com?”
  • DNS replies: “That’s a CNAME to mynl.com, which has A = 203.0.113.45”
  • Browser now knows the IP: 203.0.113.45

The browser then opens a TCP connection to 203.0.113.45 on port 80 (HTTP) or 443 (HTTPS).

Here’s the HTTP request host header the browser actually sends over the wire (simplified HTTP/1.1 request)

GET / HTTP/1.1
Host: www.mynl.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) ...
Accept: text/html,application/xhtml+xml

Notice that even though DNS gave the same IP for both mynl.com and www.mynl.com, the Host header tells the server which name was typed. This means the server can now: serve the same content for both; redirect one to the other (common for SEO, e.g. redirect mynl.comwww.mynl.com); or serve entirely different sites (this is called virtual hosting).

Example in Caddy:

mynl.com {
    redir https://www.mynl.com{uri}
}

www.mynl.com {
    root * /var/www/mynl
    file_server
}

Here {uri} is a placeholder that means “whatever path/query the user originally asked for.” Note, the redirect is to https.

TLS

TLS stands for Transport Layer Security. It’s the protocol that puts the “S” in HTTPS — the padlock you see in your browser.

TLS = Transport Layer Security.

It’s the protocol that puts the “S” in HTTPS — the padlock you see in your browser. It does three things. Encryption: scrambles the data so nobody in between (ISP, café Wi-Fi, etc.) can read it. Authentication: uses certificates to prove you’re really talking to example.com, not an impostor. Integrity: ensures the data isn’t tampered with while in transit.