
What Are DNS Records and How Do They Work?

Written By Qasim, WhoisFreaks Team Published: November 18, 2024, Last Updated: April 21, 2026

DNS records are resource records stored in zone files on authoritative DNS servers. Each record maps a domain name to specific information: an IP address, a mail server, a canonical name, or security verification data. When a browser loads a webpage, it is DNS records that translate the domain name into the server address the request needs to reach.

This guide covers every major DNS record type, how the lookup process works, and how records are used in routing, email delivery, and security enforcement.

What Are DNS Records?


DNS records are resource records stored in zone files on authoritative DNS servers. They contain structured data that maps domain names to the resources they need to reach: IPv4 and IPv6 addresses, mail servers, canonical names, and text strings used for security verification.

Every domain requires at least one DNS record to be reachable on the internet. A domain with no records cannot receive web traffic, route email, or pass security checks performed by mail filters and certificate authorities. Queries against these records are handled by resolvers and authoritative name servers, a process that typically completes in under 100 milliseconds.

The delegation chain from the root zone through TLD nameservers to the domain's authoritative nameserver is what makes these records reachable from anywhere on the internet. Every DNS query follows this chain, and understanding it is a practical requirement for anyone configuring, troubleshooting, or auditing domain infrastructure.

Why DNS Records Matter

DNS records are the control layer for a domain's entire online presence. They determine where web traffic is sent, which servers handle email, which third-party services are authorized to act on a domain's behalf, and whether the domain's DNS responses can be cryptographically verified.

A misconfigured A record takes down a website. A missing MX record stops email delivery. An incorrect NS record breaks DNS resolution for the entire domain. Attackers who can modify DNS records can redirect all traffic to servers they control. DNS records are not configuration details; they are the operational foundation of every public-facing internet service.

Core Functions of DNS Records

DNS records serve three core functions:

  • Mapping domain names to IP addresses:
    A and AAAA records translate human-readable domain names into the IPv4 and IPv6 addresses that servers use to route packets. Without this mapping, browsers cannot locate the server hosting a website.
  • Routing traffic correctly:
    MX records route email to the right mail servers. NS records point to the nameservers that hold the authoritative record set for a domain. CNAME records alias one name to another, centralizing routing management.
  • Enforcing security:
    TXT records carry SPF, DKIM, and DMARC instructions that tell receiving mail servers which senders are authorized and what to do with unauthorized messages. DNSSEC record types (DNSKEY, RRSIG, DS) add cryptographic signatures that prevent response tampering in transit.

Types of DNS Records

The table below lists the nine record types covered in this guide. Scroll down for full explanations and zone file examples for each.

Record Type | Purpose | Example Value
A | Maps domain to IPv4 address | 192.0.2.1
AAAA | Maps domain to IPv6 address | 2001:0db8::1
CNAME | Alias pointing to another domain name | www.example.com → example.com
MX | Routes email to a mail server (with priority) | 10 mail.example.com
NS | Specifies the authoritative nameservers for the domain | ns1.nameserver.com
TXT | Stores text data (SPF, DKIM, DMARC, ownership verification) | v=spf1 include:_spf.example.com ~all
SOA | Zone authority metadata: primary NS, admin email, serial number, TTL settings | ns1.example.com admin.example.com 2024010101
PTR | Reverse lookup: maps an IP address to a domain name | 1.2.0.192.in-addr.arpa → example.com
SRV | Defines location and port for specific services (VoIP, XMPP) | _sip._tcp 10 5 5060 sip.example.com

  • A Record (Address Record):
    The A record maps a domain to its corresponding IPv4 address. When a user types a domain name into their browser, the DNS server checks the A record to find the IP address, allowing the user’s device to establish a connection with the correct server.
    Example: example.com IN A 192.0.2.1
  • AAAA Record:
    Similar to the A record but used for IPv6 addresses, the AAAA record ensures connectivity in environments that utilize IPv6, supporting a more extensive range of IP addresses due to its 128-bit system.
    Example: example.com IN AAAA 2001:0db8:85a3:0000:0000:8a2e:0370:7334
  • CNAME Record (Canonical Name Record):
    A CNAME record is used when you need to alias one domain name to another. This is helpful for redirecting traffic from multiple subdomains to a single canonical domain.
    Example: www.example.com IN CNAME example.com
  • MX Record (Mail Exchange Record):
    MX records direct email to specific mail servers. They prioritize servers based on their preference value, which ensures that if one server fails, emails are rerouted to the next available server.
    Examples: example.com IN MX 10 mail.example.com
    example.com IN MX 20 backupmail.example.com
  • NS Record (Name Server Record):
    NS records specify the authoritative name servers for a domain. This record type is crucial for pointing to the servers that hold the DNS records for a domain.
    Examples: example.com IN NS ns1.nameserver.com
    example.com IN NS ns2.nameserver.com
  • TXT Record (Text Record):
    TXT records store arbitrary text strings in DNS. They serve three primary security functions: SPF, DKIM, and DMARC.

    SPF (Sender Policy Framework):
    Specifies which mail servers are authorized to send email on behalf of the domain. Receiving servers reject or flag messages from unauthorized senders.
    Example: example.com IN TXT "v=spf1 include:_spf.example.com ~all"

    DKIM (DomainKeys Identified Mail):
    Publishes a public key that receiving servers use to verify the cryptographic signature on outbound messages. The signature is added by the sending mail server and attached to each email header.
    Example: default._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCS..."

    DMARC (Domain-based Message Authentication, Reporting, and Conformance):
    Defines the policy for what receiving servers should do when SPF or DKIM checks fail: pass, quarantine (send to spam), or reject. DMARC also sends aggregate reports back to the domain owner.
    Example: _dmarc.example.com IN TXT "v=DMARC1; p=reject; rua=mailto:[email protected]"

    TXT records also store domain ownership verification tokens used by Google Search Console, certificate authorities, and third-party SaaS tools during onboarding.
  • SOA Record (Start of Authority):
    Every DNS zone has exactly one SOA record. It identifies the primary authoritative nameserver for the zone, the email address of the zone administrator, and several parameters that control how zone data is synchronized across secondary nameservers. These parameters include the serial number (incremented on every zone update), the refresh interval (how often secondary servers check for changes), and the TTL for negative responses.
    The SOA record is checked during zone transfers and is a useful signal when investigating unauthorized DNS changes: an unexpected serial number increment means the zone was modified. 
    Example: example.com IN SOA ns1.example.com admin.example.com 2024010101 3600 900 604800 86400
  • PTR Record (Pointer Record): 
    PTR records perform reverse DNS lookups. While A and AAAA records map domain names to IP addresses, a PTR record maps an IP address back to a domain name. PTR records are stored in special reverse lookup zones (for example, 2.0.192.in-addr.arpa for the 192.0.2.0/24 subnet).
    Mail servers use PTR records to verify that the sending IP resolves back to a legitimate hostname. A sending IP with no PTR record, or a PTR record that does not match the forward A record, is a strong spam signal. PTR records are also used in network troubleshooting to identify which domain is associated with a given IP during traffic analysis. 
    Example: 1.2.0.192.in-addr.arpa IN PTR example.com
  • SRV Record (Service Locator Record):
    SRV records specify the hostname and port number for a specific network service running on a domain. Unlike A or MX records, SRV records include four data fields beyond the standard name and TTL: priority, weight, port, and target hostname.
    Example: _sip._tcp.example.com 3600 IN SRV 10 60 5060 sipserver.example.com
    Priority works like MX records: lower numbers are tried first. Weight provides load balancing between servers at the same priority level. A server with weight 60 receives three times more traffic than a server with weight 20 at the same priority.
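Added example, not code from the article or from WhoisFreaks: a small Python auditor that parses the three TXT record forms described above and flags the settings a mail-security review looks for, such as an SPF record ending in +all or a DMARC policy of p=none. The sample records are constructed from the page's examples (the DMARC report mailbox is a placeholder), and the function names are this example's own.

```python
import re

# Constructed TXT values modelled on this article's SPF, DKIM and DMARC examples;
# the DMARC report mailbox is a placeholder, not a real address.
SPF_TXT = "v=spf1 include:_spf.example.com ~all"
DKIM_TXT = "v=DKIM1; k=rsa; p=MIGfMA0GCS..."
DMARC_TXT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

# qualifier, mechanism/modifier name, then an optional ':arg', '=arg' or '/cidr' suffix
SPF_TERM = re.compile(r"^([+\-~?]?)(all|include|a|mx|ip4|ip6|ptr|exists|redirect|exp)((?:[:=].+)?(?:/\d+)?)$", re.I)
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}   # each costs a DNS query; RFC 7208 caps these at 10

def parse_tags(record):
    """Split a 'k=v; k=v' style DKIM or DMARC record into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def parse_spf(record):
    """Return (qualifier, mechanism, argument) triples; a missing qualifier means '+' (pass)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        match = SPF_TERM.match(term)
        if not match:
            raise ValueError(f"unrecognised SPF term: {term}")
        qualifier, mechanism, argument = match.groups()
        parsed.append((qualifier or "+", mechanism.lower(), argument.lstrip(":=") or None))
    return parsed

def audit_spf(record):
    """Flag SPF settings that let unauthorised senders through or break evaluation."""
    terms = parse_spf(record)
    findings = []
    all_terms = [t for t in terms if t[1] == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_terms[-1][0] == "+":
        findings.append("'+all': every sender on the internet passes SPF")
    if sum(1 for t in terms if t[1] in LOOKUP_MECHS) > 10:
        findings.append("more than 10 lookup mechanisms: receivers return permerror")
    return findings

def audit_dkim(record):
    """A DKIM key record needs a non-empty p= tag; an empty one means the key is revoked."""
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":
        return ["unexpected DKIM version tag"]
    return [] if tags.get("p") else ["empty p= tag: the key is revoked, signatures will not verify"]

def audit_dmarc(record):
    """Check that the DMARC policy actually enforces and that reports have somewhere to go."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return ["missing required v=DMARC1 or p= tag: receivers ignore the record"]
    findings = []
    if tags["p"] == "none":
        findings.append("p=none: failures are only reported, never quarantined or rejected")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are discarded")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applies to only part of failing mail")
    return findings
```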
Use the WhoisFreaks DNS Lookup tool to obtain DNS records in a structured format and integrate them into your solutions.

How to Read a DNS Record

Every DNS record follows a standard zone file format defined in RFC 1035. Understanding this format makes it easier to interpret records returned by DNS lookup tools and APIs.

A DNS resource record in zone file format looks like this:

example.com 3600 IN A 93.184.216.34

Each field has a specific meaning:

Field | Value in Example | Meaning
Name | example.com | The domain or subdomain this record applies to
TTL | 3600 | Time-to-live in seconds: how long resolvers cache this record before re-querying
Class | IN | Record class, always IN (Internet) for public DNS records
Type | A | The record type (A, AAAA, CNAME, MX, NS, TXT, etc.)
Value | 93.184.216.34 | The data the record contains: an IP address, domain name, or text string depending on type

For MX records, the value also includes a priority number: example.com 3600 IN MX 10 mail.example.com. Lower numbers have higher priority. When the primary mail server (priority 10) is unreachable, the sending mail server falls back to the server with the next-lowest preference value (for example, priority 20).
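As an added example, not part of the original article, the following Python parser reads records in the NAME [TTL] IN TYPE RDATA format described here, using the article's own example lines for the nine types (including the quoted TXT string and the optional TTL on the SRV line). The zone fragment is constructed from those examples, and RDATA_FIELDS and the function names are this example's own naming.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed zone fragment built from this article's example records, one per type.
SAMPLE_ZONE = """
; comment and blank lines are skipped, as in a real zone file
example.com IN SOA ns1.example.com admin.example.com 2024010101 3600 900 604800 86400
example.com IN NS ns1.nameserver.com
example.com IN A 192.0.2.1
example.com IN AAAA 2001:0db8:85a3:0000:0000:8a2e:0370:7334
www.example.com IN CNAME example.com
example.com IN MX 10 mail.example.com
example.com IN TXT "v=spf1 include:_spf.example.com ~all"
1.2.0.192.in-addr.arpa IN PTR example.com
_sip._tcp.example.com 3600 IN SRV 10 60 5060 sipserver.example.com
"""

# RDATA field names per type; a type not listed here is rejected rather than guessed at.
RDATA_FIELDS = {
    "A": ("address",), "AAAA": ("address",), "CNAME": ("target",), "NS": ("nameserver",),
    "PTR": ("hostname",), "MX": ("priority", "exchange"), "SRV": ("priority", "weight", "port", "target"),
    "SOA": ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum"),
}
INTEGER_FIELDS = {"priority", "weight", "port", "serial", "refresh", "retry", "expire", "minimum"}

@dataclass
class ResourceRecord:
    name: str
    ttl: Optional[int]    # None when the line omits it and the zone default applies
    rtype: str
    rdata: dict

def parse_record(line):
    """Parse one presentation-format line: NAME [TTL] [IN] TYPE RDATA (RFC 1035 section 5)."""
    lexer = shlex.shlex(line, posix=True)
    lexer.whitespace_split = True
    lexer.commenters = ";"                     # zone files comment with ';', not '#'
    tokens = list(lexer)
    if len(tokens) < 3:
        raise ValueError(f"too few fields: {line!r}")
    name = tokens.pop(0)
    ttl = int(tokens.pop(0)) if tokens[0].isdigit() else None
    if tokens[0].upper() == "IN":
        tokens.pop(0)
    if len(tokens) < 2:
        raise ValueError(f"missing type or RDATA: {line!r}")
    rtype = tokens.pop(0).upper()
    if rtype == "TXT":
        # Several quoted strings on one line are joined, as resolvers do for long TXT data.
        return ResourceRecord(name, ttl, rtype, {"text": "".join(tokens)})
    fields = RDATA_FIELDS.get(rtype)
    if fields is None:
        raise ValueError(f"unsupported record type {rtype}")
    if len(tokens) != len(fields):
        raise ValueError(f"{rtype} needs {len(fields)} RDATA fields, got {len(tokens)}")
    rdata = {k: int(v) if k in INTEGER_FIELDS else v for k, v in zip(fields, tokens)}
    if rtype in ("A", "AAAA"):
        ipaddress.ip_address(rdata["address"])  # raises ValueError on a malformed address
    return ResourceRecord(name, ttl, rtype, rdata)

def parse_zone(text):
    """Parse every line of a zone fragment, skipping blanks and ';' comments."""
    return [parse_record(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith(";")]

def reverse_pointer_name(ip):
    """Owner name of the PTR record for an address: 192.0.2.1 -> 1.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer
```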

How DNS Records Work

To understand how DNS records work, it's essential to grasp the DNS lookup process:

The DNS Lookup Process

  • User Request: A user types a domain name into their browser.
  • Recursive Resolver: The request is sent to a DNS recursive resolver, which queries other DNS servers to find the information.
  • Root Server: The resolver first contacts a root server to obtain the authoritative top-level domain (TLD) server for the query (e.g., .com or .org).
  • TLD Server: The TLD server provides the resolver with the IP of the authoritative name server for the domain.
  • Authoritative Name Server: The resolver contacts the authoritative name server, which holds the DNS records for the requested domain.
  • Record Retrieval: The authoritative server returns the required DNS record (e.g., an A record).
  • Data Return: The resolver returns the IP address to the user's browser, which then requests the webpage from the server.
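The lookup above, as an added example that is not part of the original post: a miniature iterative resolver over three constructed in-memory servers (root, .com TLD, and the domain's authoritative server), showing the referral at each tier, the glue address handed back with it, and the restart that a CNAME answer forces. SERVERS, query and resolve are this example's own names; nothing here contacts live DNS.

```python
# Constructed in-memory stand-ins for the three tiers of the delegation chain.
# Each server is authoritative for one zone and knows only its own records plus the
# delegations (child NS name and glue address) for its child zones.
SERVERS = {
    "root": {"zone": ".", "delegations": {"com.": ("tld-com", "192.0.2.10")}, "records": {}},
    "tld-com": {"zone": "com.", "records": {},
                "delegations": {"example.com.": ("ns1.example.com.", "192.0.2.20")}},
    "ns1.example.com.": {
        "zone": "example.com.", "delegations": {},
        "records": {
            ("example.com.", "A"): ["192.0.2.1"],
            ("example.com.", "MX"): ["10 mail.example.com."],
            ("www.example.com.", "CNAME"): ["example.com."],
        },
    },
}

def in_zone(name, zone):
    """True when `name` is at or below the zone apex (the root zone contains everything)."""
    return zone == "." or name == zone or name.endswith("." + zone)

def query(server, qname, qtype):
    """One round trip to an authoritative server; returns (kind, data) where kind is
    'answer', 'cname', 'referral', 'nodata' or 'nxdomain'."""
    data = SERVERS[server]
    for child, (ns, glue_ip) in data["delegations"].items():
        if in_zone(qname, child):
            return "referral", (ns, glue_ip)      # not ours: here is who to ask next
    records = data["records"]
    if (qname, qtype) in records:
        return "answer", records[(qname, qtype)]
    if (qname, "CNAME") in records:
        return "cname", records[(qname, "CNAME")][0]
    if any(name == qname for name, _ in records):
        return "nodata", None                     # the name exists, but not with this type
    return "nxdomain", None

def resolve(qname, qtype, max_hops=10):
    """Iterative resolution as a recursive resolver performs it, starting at the root.
    Returns (status, answers, trace); trace lists each server asked and what it replied."""
    server, trace = "root", []
    for _ in range(max_hops):
        kind, data = query(server, qname, qtype)
        trace.append((server, kind))
        if kind == "referral":
            server = data[0]                      # follow the delegation down one level
        elif kind == "cname":
            # Restart for the canonical name; stay here if this server is authoritative for it.
            qname = data
            if not in_zone(qname, SERVERS[server]["zone"]):
                server = "root"
        else:
            return kind, data, trace
    return "servfail", None, trace                # referral loop or CNAME chain too long
```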

This multistep process, typically completed in milliseconds, enables users to browse the internet smoothly. You can utilize tools such as WhoisFreaks free DNS lookup tool to get a holistic view of your DNS records.

Common Use Cases for DNS Records

DNS records have various applications that extend beyond simply routing traffic:

  • Load Balancing
    DNS records can be configured to distribute traffic across multiple servers. This ensures that no single server is overwhelmed, improving website reliability and performance.
  • Email Routing
    MX records are essential for ensuring that emails are delivered to the correct servers. Businesses rely on these records for email continuity and backup routing during server downtimes.
  • Domain Aliasing and Subdomain Management
    CNAME records simplify domain management by pointing various subdomains to a single primary domain, streamlining maintenance and updates.

Security Considerations with DNS Records

DNS records can be exploited if not adequately secured. Cyberattacks such as DNS spoofing and cache poisoning can redirect users to malicious sites. Implementing DNSSEC (DNS Security Extensions) helps protect DNS infrastructure by adding digital signatures to DNS data to verify its authenticity.

Benefits of DNSSEC

  • Data Integrity: Ensures data sent between DNS servers and clients is intact and unaltered.
  • Protection Against Attacks: Guards against DNS spoofing, reducing the risk of data interception and redirection.

DNS Security Extensions (DNSSEC)

Standard DNS has no built-in mechanism to verify that a response is authentic. A resolver that receives an A record for example.com has no way to confirm the response actually came from the authoritative nameserver and was not modified in transit. DNSSEC solves this by adding cryptographic signatures to DNS responses.

How DNSSEC Works

DNSSEC uses a chain of trust built on public-key cryptography. The process involves three record types that do not exist in unsigned zones:

RRSIG (Resource Record Signature): Every record set (for example, all A records for a domain) gets a corresponding RRSIG record containing a digital signature generated using the zone's private key. Resolvers use the matching public key to verify the signature before accepting the response.

DNSKEY: Stores the public keys used to verify RRSIG signatures. Each signed zone publishes at least two keys: a Zone Signing Key (ZSK) that signs individual record sets, and a Key Signing Key (KSK) that signs the DNSKEY record set itself.

DS (Delegation Signer): Published in the parent zone (for example, the .com zone for example.com). The DS record contains a hash of the child zone's KSK. This is the link that connects the child zone's signatures to the parent zone's trust, forming the chain of trust from the root zone down to the individual domain.
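Added example, not from the article: the computation a validating resolver performs at the parent/child boundary described above, deriving the DS record (key tag plus digest of owner name and DNSKEY RDATA) from a child zone's KSK and checking that a DNSKEY matches the DS the parent published. The 4-byte key is a constructed stand-in, not a real RSA key, chosen so the key tag can be checked by hand; wire_name, key_tag, ds_record and the other names are this example's own.

```python
import base64
import hashlib
import struct

def wire_name(name):
    """Owner name in DNS wire format: length-prefixed labels, lowercase, ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA (RFC 4034 section 2): flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def parse_dnskey(presentation):
    """Parse the 'flags protocol algorithm base64-key' form that a lookup tool prints."""
    flags, protocol, algorithm, *key_parts = presentation.split()
    return dnskey_rdata(int(flags), int(protocol), int(algorithm), base64.b64decode("".join(key_parts)))

def is_ksk(rdata):
    """Flags 257 = Zone Key (0x0100) + Secure Entry Point (0x0001); a plain ZSK has 256."""
    flags = struct.unpack("!H", rdata[:2])[0]
    return flags & 0x0101 == 0x0101

def key_tag(rdata):
    """Key tag (RFC 4034 appendix B): a 16-bit checksum over the whole DNSKEY RDATA."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest type numbers

def ds_record(owner, rdata, digest_type=2):
    """DS RDATA the parent zone publishes for a KSK: (key tag, algorithm, digest type, hex digest).
    The digest covers the owner name in wire format followed by the DNSKEY RDATA."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def ds_matches_dnskey(ds, owner, rdata):
    """What a validator does at a delegation: recompute the DS from the child's DNSKEY and compare."""
    return is_ksk(rdata) and ds_record(owner, rdata, ds[2]) == ds

# Constructed KSK with a 4-byte stand-in key (bytes 01 02 03 04); not a real RSA/SHA-256 key.
KSK = parse_dnskey("257 3 8 AQIDBA==")
```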

What DNSSEC Prevents

DNSSEC protects against cache poisoning attacks where an attacker injects forged DNS responses into a resolver's cache, redirecting traffic to a malicious server. It also prevents on-path (man-in-the-middle) modification of DNS responses in transit.

DNSSEC does not encrypt DNS queries or responses. It only authenticates them. For encryption, DNS over HTTPS (DoH) and DNS over TLS (DoT) are separate mechanisms that protect query privacy.

DNSSEC Adoption

As of 2024, DNSSEC validation is enabled on approximately 30% of DNS resolvers worldwide according to APNIC measurement data. Adoption varies significantly by country and by TLD. Some TLDs like .se (Sweden) and .nl (Netherlands) have DNSSEC signing rates above 50%, while others remain below 5%. Checking whether a domain's zone is signed is a standard step in domain security audits.

Managing and Configuring DNS Records

Administrators typically use web interfaces provided by hosting companies or dedicated DNS management tools to edit and manage DNS records. Changes to DNS records often require propagation time, ranging from a few minutes to 48 hours, for updates to take effect globally.

Steps for Editing DNS Records

  1. Log in to your DNS management platform.
  2. Select the domain for which you want to modify records.
  3. Choose the type of DNS record (e.g., A, CNAME, MX) you wish to edit.
  4. Input the necessary data (e.g., IP address, canonical name).
  5. Save and apply changes.

Propagation Time

The time it takes for DNS changes to propagate depends on the Time-to-Live (TTL) setting in the DNS record. Lower TTL values allow faster propagation but can increase server load due to more frequent queries.

Troubleshooting Common DNS Record Issues

  • Site Not Found
    If a website isn’t loading, the issue could be related to incorrect A or CNAME records. Double-check that the correct IP addresses are entered and the DNS servers are functioning properly.
  • Email Delivery Issues
    Problems with email delivery often stem from misconfigured MX records or missing SPF and DKIM (DomainKeys Identified Mail) records. Verifying these settings ensures reliable email routing.

Conclusion

DNS records are the operational layer that makes domain names functional. An A record connects a browser to a server. An MX record connects a sender to the right mail infrastructure. TXT records carrying SPF, DKIM, and DMARC tell the internet whether email from your domain is legitimate. SOA and PTR records provide the authority metadata and reverse-lookup data that security tools rely on for verification.

Knowing what each record type does and how to read zone file format is a practical skill for anyone managing domains, troubleshooting infrastructure, or investigating security incidents.

To check the live DNS records for any domain, use the WhoisFreaks DNS lookup tool, which queries authoritative nameservers directly and returns results across all major record types. For teams that need programmatic access to live, historical, and reverse DNS records at scale, the WhoisFreaks DNS API supports bulk lookups and structured JSON responses across all record types.

Frequently Asked Questions

What is the purpose of an A record?

An A record maps a domain name to its corresponding IPv4 address. When a browser receives an A record response, it uses that IP address to open a TCP connection to the web server hosting the requested page. A single domain can have multiple A records pointing to different IPs for load balancing. The TTL value on the A record determines how long resolvers cache the IP before re-querying.

What is the difference between A and AAAA records?

An A record maps a domain to an IPv4 address (32-bit, formatted as four decimal numbers like 192.0.2.1). An AAAA record maps a domain to an IPv6 address (128-bit, formatted as eight hexadecimal groups like 2001:0db8::1). Both serve the same function: telling the resolver which IP to connect to. The difference is the IP version. Most domains maintain both record types so the domain is reachable over both IPv4 and IPv6 networks. When both exist, the resolver's preference depends on the client's network configuration, but modern systems generally prefer IPv6 when available.

How do CNAME records work?

A CNAME record maps one domain name (the alias) to another domain name (the canonical name). The resolver follows the chain: it queries the alias, receives the canonical name in response, then queries the canonical name to get the actual IP address. CNAME records are commonly used to point subdomains like www.example.com to the root domain example.com, or to point a custom domain to a SaaS provider endpoint. A domain cannot have a CNAME record at the zone apex (the root domain) if any other record types exist there.

What is DNS propagation?

DNS propagation is the time it takes for DNS record changes to reach all resolvers and caches across the internet after a change is made. The propagation window depends on the TTL value of the record being changed. A record with a TTL of 3,600 seconds (one hour) may take up to an hour to expire from all caches. A TTL of 300 seconds propagates changes within about 5 minutes. Changes do not apply instantly because resolvers serve cached responses until the TTL expires, at which point they re-query the authoritative nameserver.

Can DNS records affect website performance?

Yes. DNS resolution time is a factor in total page load time. A high TTL reduces DNS lookup latency for returning visitors because resolvers serve the cached response rather than querying authoritative nameservers. A low TTL increases query volume and resolution latency but allows faster propagation of IP changes. Pointing an A record to a CDN edge IP rather than an origin server can reduce DNS-to-first-byte time significantly. Broken or conflicting CNAME chains also increase resolution time by forcing multiple sequential lookups.

What are TTL settings in DNS records?

TTL (Time-to-Live) is a field in every DNS record that tells resolvers how many seconds to cache the response before discarding it and re-querying the authoritative nameserver. A TTL of 86,400 (24 hours) means the record is cached for a full day; a TTL of 300 (5 minutes) means it expires in 5 minutes. Lower TTLs allow faster propagation of record changes but increase query load on authoritative nameservers. Higher TTLs reduce query volume but slow down propagation. Before a planned IP migration, reducing the TTL to 300 seconds 24-48 hours in advance is standard practice.

How do I check DNS records for a domain?

You can query DNS records using command-line tools like dig (Linux/macOS) or nslookup (Windows). For example, dig example.com A returns the A records for a domain, and dig example.com ANY attempts to return all record types, though many authoritative servers now restrict ANY queries. Online DNS lookup tools provide a faster option: the WhoisFreaks DNS lookup tool queries authoritative nameservers and returns all major record types in a structured format without requiring command-line access.

How can I secure my DNS records?

DNS security involves multiple layers. DNSSEC adds cryptographic signatures to DNS responses using DNSKEY and RRSIG records, preventing resolvers from accepting forged or tampered responses. TXT records carrying SPF, DKIM, and DMARC protect against email spoofing by defining which servers can send email as your domain and what to do when authentication fails. Monitoring NS and A records for unauthorized changes is a baseline security practice, since nameserver hijacking and A record substitution are common attack vectors. Registry locks at the registrar level prevent unauthorized zone transfers and delegation changes.

What is DNSSEC and how does it work?

DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS responses so resolvers can verify the data has not been tampered with. It uses three record types: RRSIG records contain the signature, DNSKEY records publish the public key used for verification, and DS records link the trust chain between parent and child zones. DNSSEC prevents cache poisoning and response forgery but does not encrypt DNS traffic.