DNS Records

DNS records are instructions contained in zone files hosted on DNS servers (also called name servers, or NS). These instructions are necessary for resolving a domain name and are essential for the success of a DNS query.

 

What is a DNS record?

A DNS record is a server instruction contained in a zone file and hosted by an authoritative DNS server (Master NS). DNS records provide information about a domain name, including web and email services for that domain, specifying the associated IP address and how to handle DNS queries for that domain. These records are stored as text in zone files, written in what is called DNS syntax. DNS syntax is a string of characters and expressions used as commands to tell a DNS server what to do. All DNS records also have a Time To Live (TTL) that indicates their lifespan or expiration date and determines how often a DNS server will refresh and update the record.

 

DNS Records Types

The most common types of DNS records

Below is a guide to the different DNS record types and their uses. Each record type serves a specific purpose, from mapping and pointing to IP addresses to routing email, transferring domains, and securing your services.

  • A record (Host address): The record that indicates the IP address of a domain (IPv4). The DNS A record points to the IP address of a given domain name. Learn more about the A record.
     
  • AAAA record (IPv6 host address): The record that contains the IPv6 address of a domain (unlike A records, which list the IPv4 address). Learn more about AAAA records.
     
  • CNAME (Canonical Name for an Alias) record: Used to map an alias name to a true or canonical domain name. Transfers a domain or subdomain to another domain; does NOT provide an IP address. Learn more about CNAME records.
     
  • DKIM (DomainKeys Identified Mail) record: Allows you to sign and authenticate your domain and email senders. It's an email authentication method that prevents spammers and other malicious actors from spoofing an email identity and impersonating a legitimate domain. It's an important element of email security. Learn more about DKIM records.
     
  • DMARC (Domain-based Message Authentication, Reporting and Conformance) record: Enables email authentication through a mail policy and a reporting policy, aiming to secure communications and reduce email spoofing and misuse by providing a way to deploy email authentication and monitor issues related to it. A DMARC policy instructs the mail server receiving an email what to do after verifying a domain's SPF and DKIM records. It is an important element of email security. Learn more about DMARC records.
     
  • MX record (Mail Exchange): Specifies the mail servers associated with the domain for incoming mail. Directs incoming mail to a specific mail server. Learn more about MX records.
     
  • NS record (Name Server): Identifies the authoritative name servers for a zone. Stores the name servers for a DNS entry. Learn more about NS records.
     
  • PTR record (Pointer/Reverse DNS): Provides a domain name in reverse lookups. Used for reverse DNS lookups when an IP address is associated with a domain/hostname, to find the domain/server associated with that IP. Learn more about PTR records.
     
  • SOA record (Start of Authority): This is the first record for a zone and determines how a domain's zone propagates to secondary name servers. It stores the administrative information for a domain. Learn more about SOA records.
     
  • SPF record (Sender Policy Framework): Lists the servers authorized to send emails on behalf of a domain, using a list of IP addresses and hostnames (servers/domains). It allows you to authenticate authorized email senders from a domain. Learn more about SPF records.
     
  • SRV record (Service Resource Record): Specifies the servers for specific services by hostname and port number. Learn more about SRV records.
     
  • TXT record (Descriptive Text): Text information intended for external sources. Allows you to store notes within the record. These records are often used for email security, spam prevention, and for verifying and validating domain ownership. The "value" field of a TXT record accepts only text and strings. This can be any text associated with a domain. DNS servers typically impose a limit on the size of TXT records and the number of characters they can store. More information is available in RFC 1035.

     

The types of records used for DNSSEC

The Domain Name System Security Extensions (DNSSEC) protocol secures a DNS zone by signing records with a series of zone signing keys and key signing keys, and by providing final resolvers with a mechanism to authenticate and verify the integrity of DNS responses to queries. DNSSEC thus protects against attacks by digitally signing data to help ensure its validity. To ensure the security of a lookup, signing must occur at each stage of the DNS lookup process. The following DNS records are part of DNSSEC and are used for it.

  • DNSKEY record (DNSSEC public key): Contains a public key used by resolvers to verify DNSSEC (Domain Name System Security Extension) signatures in RRSIG records.
     
  • DS record (Delegation Signer): Used by DNSSEC to enable the transfer of trust from a parent zone to a child zone. The DS record contains a cryptographic hash of a DNSKEY record.
     
  • NSEC and NSEC3 records (Next Secure/Next Secure v.3): Used to prove that a requested DNS resource does not exist.
     
  • RRSIG record (RRset Signature - Resource Record Signature): Contains a DNSSEC signature for a set of records (one or more DNS records with the same name and type). It stores the digital signatures used to authenticate records according to DNSSEC.

Learn more about DNSSEC and all its records.
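
How a DS record is derived from a DNSKEY record, as an added example that is not part of the original guide: the digest is computed over the owner name in wire format followed by the DNSKEY RDATA (RFC 4034), here with SHA-256 (digest type 2). The key bytes, the zone name and the function names are constructed for illustration.

```python
# Added example: derive and check a DS record from a DNSKEY (RFC 4034, RFC 4509).
import hashlib
import struct

def wire_name(name):
    """Canonical wire format: lowercase labels, each length-prefixed, then the root byte."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B (valid for all algorithms except 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, public_key):
    """Return (key tag, algorithm, digest type 2, SHA-256 hex digest)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def ds_matches(ds, owner, flags, protocol, algorithm, public_key):
    """True when the parent's DS record corresponds to this child DNSKEY."""
    return ds == make_ds(owner, flags, protocol, algorithm, public_key)

# Constructed sample: flags 257 (key signing key), protocol 3,
# algorithm 15 (Ed25519), and 32 placeholder key bytes.
SAMPLE_KEY = bytes(range(32))
SAMPLE_DS = make_ds("example.com.", 257, 3, 15, SAMPLE_KEY)

if __name__ == "__main__":
    tag, alg, dtype, digest = SAMPLE_DS
    print(f"example.com. IN DS {tag} {alg} {dtype} {digest}")
```

A resolver that trusts the parent zone's DS record accepts the child's DNSKEY only if this comparison succeeds, which is why a key change in the child zone must be followed by a DS update in the parent.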

 

The least used types of DNS records

These records are rarely used, but you might need to know or use them.

  • AFSDB record (AFS Data Base location): Used for clients of the Andrew File System (AFS) developed by Carnegie Mellon. The AFSDB record looks up other AFS cells.
     
  • APL record (Address Prefix List): Experimental record that specifies lists of IP address ranges.
     
  • ATMA record (Asynchronous Transfer Mode address).
     
  • CAA record (Certification Authority Authorization): Allows domain owners to specify which Certificate Authorities (CAs) are authorized to issue and deliver certificates for a domain. Without a CAA record, any authority can issue a certificate for a domain. These records are also inherited by subdomains of the domain. Learn more about CAA records (and RFC 8659).
     
  • CDS/CDNSKEY Record (DS/DNSKEY Copy): This is a child copy of the DS and DNSKEY records, intended to be transferred to a parent. It is used to transmit the desired DS state from the child zone to its parent. These records are published in the child zone (manually or automatically) and indicate what the child zone wants the DS RRset to look like after the change. A parent uses the child DS (CDS) records and replaces (by whatever means necessary) the DS RRset in the parent zone.
     
  • CERT record (Certificate/CRL): The certificate record stores public key certificates and associated revocation lists (CRLs) for cryptographic keys.
     
  • DHCID record (DHCP information): The DHCP identifier stores information from DHCP (Dynamic Host Configuration Protocol), a standardized network protocol used in IP networks.
     
  • DNAME record (Non-Terminal DNS Name Redirection): Used to map and rename an entire subtree of the DNS namespace (a domain and all its subdomains) to another domain. The "Delegation Name" record creates a domain alias, just like a CNAME, but this alias will also redirect all subdomains.
     
  • HINFO record (Host information): Allows you to define the type of hardware and operating system (OS) used on a host.
     
  • HIP record: This record uses the "Host Identity Protocol".
     
  • ISDN record (ISDN address)
     
  • LOC record (Location Information): Contains the geographic information of a domain in the form of coordinates. Allows you to specify a physical location for a domain name: latitude, longitude, altitude, as well as the physical size of the host/subnet and the accuracy of the location.
     
  • MB, MG, MINFO, MR (Mailbox records)
     
  • NAPTR record (Name Authority Pointer): Enables the mapping of servers and user addresses in the SIP (Session Initiation Protocol). It can be combined with an SRV record to dynamically create URIs to point to based on a regular expression.
     
  • NSAP record (Network service access point address)
     
  • RP record (Responsible Person): Stores the email address of the person responsible for the domain for identification.
     
  • RT record (Route Through)
     
  • SSHFP record (Secure Shell Fingerprint): Identifies the SSH keys associated with the hostname. This record stores the "SSH public key fingerprints".
     
  • TLSA record (Transport Layer Security Authentication): Used to associate a service with an SSL certificate, such as HTTPS for a website, or SMTP for a mail server.
     
  • URI record (Uniform Resource Identifier): Allows resolving hostnames into URIs (a URI identifies a resource on a network, such as a website or an email sender for example).
     
  • WALLET record: Allows you to associate a domain name with a cryptocurrency digital wallet address (Web3). It consists of two fields: an identifier indicating the cryptocurrency used (for example, BTC for Bitcoin or ETH for Ethereum) and a string of characters (Blockchain) representing the digital wallet address. This makes it possible for a user to perform a financial transaction simply by entering a domain name such as "example.com", thus avoiding the frequent errors associated with entering long and complex cryptographic strings. Learn more about WALLET records.
     
  • X25 record (X.25 PSDN address): Learn more about X25 records.
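
How CAA records are inherited by subdomains, as an added example that is not part of the original guide: a CA looks for a CAA record set at the requested name and climbs toward the root until it finds one (RFC 8659). The zone contents, CA names and function names are constructed for illustration, and the sketch covers only the "issue" property, not "issuewild" or the critical flag.

```python
# Added example: find the relevant CAA record set and decide whether a CA may issue.

# Constructed sample zone data: name -> list of (property tag, value).
ZONE = {
    "example.com": [("issue", "ca-one.example"),
                    ("iodef", "mailto:security@example.com")],
    "dev.example.com": [("issue", "ca-two.example")],
    "static.example.com": [("issue", ";")],   # ";" means no CA may issue
}

def relevant_caa_set(name, zone):
    """Climb from name toward the root; return the first CAA set found."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        candidate = ".".join(labels)
        rrset = zone.get(candidate)
        if rrset:
            return candidate, rrset
        labels = labels[1:]          # drop the leftmost label and try the parent
    return None, []

def ca_may_issue(ca_domain, name, zone):
    """Apply the 'issue' properties of the relevant CAA set to one CA."""
    _, rrset = relevant_caa_set(name, zone)
    issue_values = [value for tag, value in rrset if tag == "issue"]
    if not issue_values:
        return True                  # no CAA set, or none with 'issue': unrestricted
    for value in issue_values:
        issuer = value.split(";", 1)[0].strip().lower()   # ignore parameters
        if issuer == ca_domain.lower():
            return True
    return False

if __name__ == "__main__":
    for host in ("www.example.com", "api.dev.example.com", "static.example.com"):
        found_at, _ = relevant_caa_set(host, ZONE)
        print(host, "-> CAA set at", found_at,
              "| ca-one.example may issue:", ca_may_issue("ca-one.example", host, ZONE))
```

A CAA set published at a subdomain replaces the parent's set for that subtree rather than adding to it, so `dev.example.com` in this sample no longer authorizes the CA named at `example.com`.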
     

BrandShelter supports a wide variety of DNS records (note that not all records listed here will necessarily be supported by our services), as well as additional services such as easy configuration of SPF, DKIM, and DMARC.

BrandShelter also offers advanced DNS security solutions, such as Premium DNS, DNSSEC, and Registry Lock. Learn more about managing DNS records on your BrandShelter portal.

 

More information about DNS records and their settings

Official list of DNS records on the IANA website