What Are DNS Records?

Understanding DNS Records

The Domain Name System (DNS) is an essential component of the Internet infrastructure, responsible for translating human-readable domain names into the numerical IP addresses that computers use to communicate with each other on a network. Without DNS, users would be forced to memorize complex numerical IP addresses to access websites. In this sense, the Domain Name System functions like the Internet’s phonebook, making it easier for humans to browse the web by using domain names instead of long strings of numbers.

DNS operates through millions of hierarchically structured DNS servers around the world, working together to resolve domain names and handle trillions of DNS queries each day. At its core, DNS is essentially a distributed database filled with different types of records, each serving a unique purpose in this process. These DNS records are the topic of today’s post, where we’ll explore the various types and their specific roles in the system.

DNS A Records

The DNS A record (short for Address) is a fundamental type of DNS record. DNS A records map domain names to their corresponding IPv4 addresses, which are 32-bit numerical strings that computers use to identify each other on a network. For instance, when you type “example.com” into your browser, the A record translates the domain into an IP address, like 93.184.215.14, allowing your computer to connect to the correct web server.

DNS A records are critical for ensuring that users can reach the correct website or service when entering a domain name. Each domain typically has one or more A records (with no upper limit on the number of A records associated with a domain), depending on how many IP addresses are linked to it.

DNS AAAA Records

DNS AAAA records, also known as “quad-A” records, serve a similar purpose to A records but are used for mapping domain names to IPv6 addresses rather than IPv4. IPv6 addresses are 128-bit numerical strings, allowing for a much larger pool of unique addresses compared to IPv4’s 32-bit system.

However, IPv6 addresses are even more difficult for humans to work with than IPv4. For example, an AAAA record for “example.com” might correspond to an IPv6 address like “2606:2800:21f:cb07:6820:80da:af6b:8b2c,” which is nearly impossible to remember. As the Internet gradually transitions from IPv4 to IPv6 to accommodate the growing number of devices and users on the network, AAAA records are becoming increasingly important.

DNS CNAME Records

DNS CNAME records (short for Canonical Name) are used to map an alias or subdomain to another domain name. Instead of pointing directly to an IP address, as A or AAAA records do, a CNAME record points one domain name to another, allowing multiple domain names to resolve to the same destination.

For instance, if “www.example.com” is an alias for “example.com,” a CNAME record can be created so that when users type “www.example.com,” the name is transparently resolved through “example.com.” When a DNS recursive resolver encounters a CNAME record, it starts the DNS lookup process again to find an A or AAAA record for the domain it’s pointed to.

It should be noted that the domain name a CNAME record points to can be anywhere in the Domain Name System, whether it’s local or on a remote server in a different DNS zone. This flexibility allows for versatile cross-zone use cases and better DNS management.
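The following Python snippet is an added example (not code from the original post) that shows how a resolver follows a CNAME chain to an A or AAAA record, and two failure modes a practitioner should handle: a CNAME loop and a name that holds a CNAME alongside other data, which RFC 1034 forbids. The zone data, names and addresses are constructed for the example.

```python
# Constructed toy zone data (not real DNS): owner name -> list of (type, rdata).
TOY_RECORDS = {
    "www.example.com.": [("CNAME", "example.com.")],
    "example.com.": [
        ("A", "93.184.215.14"),
        ("AAAA", "2606:2800:21f:cb07:6820:80da:af6b:8b2c"),
    ],
    # Alias pointing into a different zone (cross-zone CNAME)
    "blog.example.com.": [("CNAME", "hosting.example.net.")],
    "hosting.example.net.": [("A", "198.51.100.7")],
    # Two aliases pointing at each other: a misconfiguration that must not hang a resolver
    "loop-a.example.com.": [("CNAME", "loop-b.example.com.")],
    "loop-b.example.com.": [("CNAME", "loop-a.example.com.")],
}

# Upper bound on how many aliases we are willing to follow for one query
MAX_CNAME_DEPTH = 8


def resolve(name, qtype, records=TOY_RECORDS):
    """Follow CNAMEs until a record of type `qtype` is found.

    Returns (chain, answers): the list of (alias, target) pairs that were
    followed and the final rdata list (empty if the name has no such data).
    Raises ValueError on a CNAME loop or an over-long chain."""
    name = name.lower().rstrip(".") + "."
    chain = []
    seen = set()
    for _ in range(MAX_CNAME_DEPTH):
        if name in seen:
            raise ValueError(f"CNAME loop detected at {name}")
        seen.add(name)
        rrset = records.get(name, [])
        answers = [rdata for rtype, rdata in rrset if rtype == qtype]
        if answers:
            return chain, answers
        cnames = [rdata for rtype, rdata in rrset if rtype == "CNAME"]
        if not cnames:
            return chain, []  # NXDOMAIN or NODATA: nothing more to follow
        # Restart the lookup for the canonical name, exactly as a resolver does
        chain.append((name, cnames[0]))
        name = cnames[0]
    raise ValueError("CNAME chain too long")


def cname_conflicts(records):
    """Owner names that hold a CNAME together with other data.

    RFC 1034 requires a CNAME to be the only record at its owner name;
    zones violating this produce inconsistent answers depending on the query."""
    return sorted(
        name
        for name, rrset in records.items()
        if any(t == "CNAME" for t, _ in rrset) and any(t != "CNAME" for t, _ in rrset)
    )


if __name__ == "__main__":
    print(resolve("www.example.com", "A"))
    print(resolve("blog.example.com", "A"))
    try:
        resolve("loop-a.example.com", "A")
    except ValueError as exc:
        print("rejected:", exc)
```

The loop check matters because a recursive resolver that trusts every CNAME it receives can be kept busy indefinitely by a single broken or hostile zone; bounding the depth and remembering visited names is the standard mitigation.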

DNS MX Records

DNS MX records (short for Mail Exchange) are used to specify the mail servers responsible for receiving e-mail on behalf of a domain. Instead of directing web traffic, MX records ensure that e-mail is routed to the appropriate mail server based on the domain name in the recipient’s e-mail address. For instance, when an e-mail is sent to “user@example.com,” the MX record for the “example.com” domain tells the sending mail server where to deliver the e-mail.

MX records also include a priority value, allowing multiple mail servers to be listed for redundancy. The mail server with the lowest priority number is preferred, and if it becomes unavailable, the mail server with the next lowest priority is used. This setup ensures that e-mail delivery can continue even if one server fails.
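As an added example (not from the original post), the Python below orders a constructed MX RRset the way a sending mail server does: lowest preference first, equal preferences shuffled so load is spread (RFC 5321, section 5.1), and failover to the next exchange when one is unavailable. It also recognises the "null MX" form from RFC 7505, which states that a domain accepts no mail at all. All host names are constructed.

```python
import random

# Constructed MX RRset for example.com (not real data): (preference, exchange)
MX_RECORDS = [
    (20, "mx2.example.com."),
    (10, "mx1.example.com."),
    (10, "mx1b.example.com."),
    (30, "backup.mail.example.net."),
]


def delivery_order(mx_records, rng=random):
    """Exchanges in the order an SMTP client should try them.

    Lowest preference value wins; hosts sharing a preference are shuffled so
    that traffic is balanced across them instead of always hitting the first."""
    if any(host == "." for _, host in mx_records):
        return []  # RFC 7505 null MX: the domain does not accept mail
    by_pref = {}
    for pref, host in mx_records:
        by_pref.setdefault(pref, []).append(host)
    ordered = []
    for pref in sorted(by_pref):
        group = list(by_pref[pref])
        rng.shuffle(group)
        ordered.extend(group)
    return ordered


def pick_server(mx_records, unavailable=(), rng=random):
    """First reachable exchange in preference order, or None if every one is down."""
    for host in delivery_order(mx_records, rng):
        if host not in unavailable:
            return host
    return None


if __name__ == "__main__":
    print(delivery_order(MX_RECORDS))
    print(pick_server(MX_RECORDS, unavailable={"mx1.example.com.", "mx1b.example.com."}))
```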

DNS TXT Records

DNS TXT records (short for Text) were initially introduced to allow domain administrators to store text information within the DNS. However, over time, TXT records have been adapted for a variety of other use cases. For instance, they now play a critical role in e-mail security, being used to implement mechanisms such as SPF, DKIM, and DMARC.

  • SPF (Sender Policy Framework) records help prevent e-mail spoofing by specifying which mail servers are authorized to send e-mails on behalf of a domain. When an e-mail is received, the recipient’s mail server checks the SPF record of the sender’s domain to verify whether the e-mail was sent from an authorized server. If the e-mail originates from an unauthorized server, it may be flagged or rejected as spam.
  • DKIM (DomainKeys Identified Mail) records provide an additional layer of security by using cryptographic signatures. A DKIM record contains a public key that the recipient’s mail server uses to verify the signature on an incoming e-mail. If the signature matches, it ensures that the e-mail hasn’t been tampered with during transmission.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance) records add another layer of protection, building on both SPF and DKIM to provide a comprehensive e-mail authentication policy. A DMARC record allows domain owners to specify how receiving mail servers should handle e-mails that fail SPF or DKIM checks. It also enables reporting, allowing domain administrators to receive feedback on authentication failures.

SPF, DKIM, and DMARC records do not have dedicated types but are instead stored on authoritative DNS servers as TXT records. Together, these three mechanisms significantly improve the security of e-mail communication, helping to prevent phishing, e-mail scams, business e-mail compromise, and other e-mail-related threats.
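To make the SPF and DMARC checks above concrete, here is an added Python example (not code from the original post) that evaluates a sending IP address against a constructed SPF TXT record and then applies a constructed DMARC policy, including the identifier-alignment rule that decides whether an SPF or DKIM pass actually counts. It runs offline, so the SPF evaluator supports the ip4, ip6, a and all mechanisms only (include and redirect would need live lookups), and relaxed alignment is approximated by a parent/child domain check instead of a public-suffix-list lookup. The TXT records, A records and addresses are all constructed.

```python
import ipaddress

# Constructed TXT records (not real data), keyed by owner name
TXT_RECORDS = {
    "example.com.": [
        "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 a:mail.example.com -all",
    ],
    "_dmarc.example.com.": [
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=r",
    ],
}
# Constructed A records consulted by the SPF 'a' mechanism
A_RECORDS = {"mail.example.com.": ["198.51.100.25"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, txt=TXT_RECORDS, a=A_RECORDS):
    """Return the SPF result for `sender_ip` sending as `domain`.

    Results follow RFC 7208: none (no record), permerror (several records or
    an unsupported term), otherwise the qualifier of the first matching term."""
    owner = domain.rstrip(".") + "."
    records = [t for t in txt.get(owner, []) if t.startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # An IPv4 address is never inside an IPv6 network, and vice versa
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "a":
            host = (arg or domain).rstrip(".") + "."
            matched = any(ip == ipaddress.ip_address(x) for x in a.get(host, []))
        else:
            return "permerror"  # include/redirect/mx/exists not supported offline
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched and no 'all' present


def dmarc_policy(domain, txt=TXT_RECORDS):
    """Parse the _dmarc.<domain> TXT record into a tag dictionary, or None."""
    owner = "_dmarc." + domain.rstrip(".") + "."
    records = [t for t in txt.get(owner, []) if t.startswith("v=DMARC1")]
    if not records:
        return None
    tags = {}
    for part in records[0].split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags


def aligned(mode, domain, from_domain):
    """Identifier alignment: strict needs an exact match; relaxed (approximated
    here as parent/child relationship) lets subdomains of the From: domain pass."""
    d, f = domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return d == f
    return d == f or d.endswith("." + f) or f.endswith("." + d)


def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                      txt=TXT_RECORDS):
    """'pass' if SPF or DKIM passed with an aligned domain; otherwise the
    published policy (none / quarantine / reject); 'none' if no record exists."""
    policy = dmarc_policy(from_domain, txt)
    if policy is None:
        return "none"
    spf_ok = spf_result == "pass" and aligned(policy.get("aspf", "r"), spf_domain, from_domain)
    dkim_ok = dkim_result == "pass" and aligned(policy.get("adkim", "s" if "adkim" in policy else "r"), dkim_domain, from_domain)
    if spf_ok or dkim_ok:
        return "pass"
    return policy.get("p", "none")


if __name__ == "__main__":
    print(check_spf("192.0.2.10", "example.com"), check_spf("203.0.113.9", "example.com"))
    print(dmarc_disposition("example.com", "fail", "example.com", "fail", "example.com"))
```

Note the last test case in the usage: a DKIM pass from "bulk.example.com" does not rescue the message because the policy sets adkim=s (strict), so the signing domain must equal the From: domain exactly. That interaction between alignment mode and which domain signed is the most common reason a "passing" SPF or DKIM check still ends in a DMARC reject.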

DNS NS Records

DNS NS records (short for Name Server) specify the authoritative name servers that hold the DNS records for a particular domain. These records are used for directing queries to the appropriate DNS servers responsible for resolving domain names.

For instance, if a user types “example.com” into their browser, the NS records for the “example.com” domain tell the recursive resolver which name servers to query in order to retrieve the A or AAAA records. Each domain typically has multiple NS records for redundancy, ensuring that if one name server becomes unavailable, another can take over. This approach minimizes downtime and ensures continued access to the domain.

DNSKEY Records

DNSKEY records are an essential part of DNSSEC (Domain Name System Security Extensions), which adds an extra layer of security to the DNS by enabling DNS responses to be authenticated. A DNSKEY record contains a public key that is used to verify the digital signatures attached to DNS data, ensuring that the information hasn’t been tampered with or altered during transmission.

When a recursive resolver queries a DNSSEC-enabled domain, the DNSKEY record is used to authenticate the data provided by the authoritative name server. If the signature verifies under that DNSKEY, it confirms that the DNS response is legitimate. The DNSSEC mechanism, and the DNSKEY records it relies on, play a crucial role in preventing attacks like DNS hijacking or cache poisoning, ensuring the integrity of DNS records.
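The Python below is an added example (not code from the original post) showing the structure of a DNSKEY record and one piece of the validation machinery: the key tag from RFC 4034, Appendix B, which RRSIG and DS records carry so that a validator can select the right key among several in a zone. It parses the presentation format (flags, protocol, algorithm, base64 key), reads the Zone Key and SEP flags that distinguish a key-signing key from a zone-signing key, and computes the key tag. The key material is a short constructed placeholder, not a real public key, so the example stops short of signature verification.

```python
import base64
import struct

# Constructed DNSKEY records in presentation format (not real keys):
# "<flags> <protocol> <algorithm> <base64 public key>"
TOY_DNSKEYS = [
    "257 3 13 AQIDBA==",  # flags 257 = Zone Key + SEP, i.e. a key-signing key
    "256 3 13 BQYHCA==",  # flags 256 = Zone Key only, i.e. a zone-signing key
]

ZONE_KEY_FLAG = 0x0100  # RFC 4034 bit 7: key may sign zone data
SEP_FLAG = 0x0001       # RFC 4034 bit 15: Secure Entry Point (what a parent's DS record points at)


def parse_dnskey(text):
    """Split a presentation-format DNSKEY into its fields and decode the key."""
    flags, protocol, algorithm, key_b64 = text.split(None, 3)
    flags, protocol, algorithm = int(flags), int(protocol), int(algorithm)
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034)")
    key = base64.b64decode("".join(key_b64.split()))
    return {
        "flags": flags,
        "protocol": protocol,
        "algorithm": algorithm,
        "key": key,
        "zone_key": bool(flags & ZONE_KEY_FLAG),
        "sep": bool(flags & SEP_FLAG),
    }


def key_tag(record):
    """RFC 4034 Appendix B key tag over the wire-format RDATA.

    Sum the RDATA as big-endian 16-bit words, fold the carry back in and
    keep the low 16 bits. Applies to all algorithms except the obsolete RSA/MD5."""
    rdata = struct.pack("!HBB", record["flags"], record["protocol"], record["algorithm"])
    rdata += record["key"]
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_signing_keys(texts):
    """Key tags of the SEP-flagged zone keys: the tags a DS record in the
    parent zone must carry for the chain of trust to reach this zone."""
    return [key_tag(r) for r in map(parse_dnskey, texts) if r["sep"] and r["zone_key"]]


if __name__ == "__main__":
    for text in TOY_DNSKEYS:
        rec = parse_dnskey(text)
        print(text.split()[0], "KSK" if rec["sep"] else "ZSK", "key tag", key_tag(rec))
```

When a DS record in the parent zone and a DNSKEY in the child disagree on key tag or algorithm, validating resolvers will fail the chain and return SERVFAIL, which is why key rollovers have to publish the new DNSKEY before the DS is changed.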

Other Types of DNS Records

In addition to the commonly used DNS records like A, AAAA, CNAME, MX, and NS records, there are several other DNS record types that serve specific purposes in managing and securing domain names. Here are a few notable examples:

  • SOA (Start of Authority) records provide essential administrative information about a domain, such as the primary authoritative DNS server, the e-mail address of the domain administrator, and details about how often DNS records should be refreshed and synchronized across DNS servers.
  • PTR (Pointer) records are the opposite of A records. Instead of mapping a domain name to an IP address, a PTR record maps an IP address to a domain name. PTR records are used in reverse DNS lookups, for instance, to verify the authenticity of an IP address for e-mail spam prevention.
  • SRV (Service) records are used to define the location of specific services within a domain, such as SIP (Session Initiation Protocol) for voice services or XMPP for instant messaging. They help identify the host and port for particular services.
  • CAA (Certification Authority Authorization) records specify which certificate authorities are allowed to issue SSL/TLS certificates for a domain. This adds a layer of security, ensuring that only trusted authorities can provide certificates, reducing the risk of fraudulent issuance.

There are dozens of types of DNS records, many of which have become obsolete over time, but the most essential ones, which we described above, continue to play a critical role in managing and securing domain names.

How to Protect DNS Servers

DNS servers are a crucial part of digital infrastructure, and because of their importance, they are common targets for Distributed Denial of Service (DDoS) attacks. When DNS servers are disabled, websites and services can become unreachable, even if the web servers themselves are still running. Unfortunately, many organizations overlook the need to protect their DNS servers, leaving a critical vulnerability in their defenses.

A comprehensive solution like Qrator.SecureDNS offers strong protection against DDoS attacks by leveraging a global Anycast network. This network distributes DNS traffic across multiple servers worldwide, ensuring high availability and reducing response times by routing queries to the closest available server. This distributed approach enhances both the resilience and performance of DNS infrastructure, keeping services online even under heavy attack.

In addition to DDoS protection, Qrator.SecureDNS supports DNSSEC, which prevents attacks like DNS spoofing and hijacking. The service is easy to deploy, either as a secondary DNS server or through Qrator DNS Reverse Proxy, allowing organizations to strengthen their DNS security without disrupting their existing setup. This flexibility ensures that businesses can protect their DNS infrastructure with minimal effort while maintaining high performance and reliability.