Overview & Summary
DNS (Domain Name System) is the backbone of the internet — it translates human-readable domain names like www.google.com into machine-readable IP addresses like 8.8.8.8. But DNS design and architecture go far beyond simple name-to-IP resolution.
This guide covers all major DNS record types (A, AAAA, CNAME, NS, SOA, TXT, and Alias), explains the complete DNS resolution chain, and provides a practical troubleshooting framework for real-world issues like migration failures, email spam, and latency problems.
Who is this for? IT professionals, system administrators, cloud engineers, and anyone preparing for architect-level or senior engineering roles.
Key Concepts & Definitions
| Term | Definition |
|---|---|
| DNS Record | An entry in the DNS database containing Name, Type, Value, and TTL fields. |
| TTL (Time To Live) | Duration (seconds) a DNS record stays cached. E.g., 3600 = 1 hour. |
| Root Domain | The invisible . at the end of every domain (e.g., google.com.). Entry point of resolution. |
| TLD | Top Level Domain — .com, .org, .net, etc. |
| Authoritative NS | The server holding definitive DNS records for a domain. Provides the final answer. |
| Recursive Resolver | DNS server (often ISP-provided) that chases the resolution chain on your behalf. |
| Dual-Stack | A network running both IPv4 and IPv6 simultaneously. |
| Negative TTL | How long a “domain doesn’t exist” (NXDOMAIN) response is cached. |
| SPF | Sender Policy Framework — email authentication mechanism configured via TXT record. |
| DKIM | DomainKeys Identified Mail — cryptographic email verification via TXT record. |
DNS Record Types — Step by Step
A Record
Address Record — The most fundamental DNS record
Maps a domain name directly to an IPv4 address. This is the first record to check when a website is unreachable.
| Name | Type | Value | TTL |
|---|---|---|---|
| www.example.com | A | 203.0.113.6 | 3600 (1 hr) |
Migration Trap: During server migrations, if the A record still points to the old IP, users reach the old server until the TTL expires. Always update the A record and verify TTL.
AAAA Record
Quad-A Record — IPv6 mapping
Maps a domain name to an IPv6 address. Considered optional today, but becoming increasingly important.
| Name | Type | Value | TTL |
|---|---|---|---|
| www.example.com | AAAA | 2001:db8:1::1 | 3600 |
Dual-Stack Latency: In environments with both IPv4 & IPv6, if IPv6 is prioritized but no AAAA record exists, the system tries IPv6 first, fails, then falls back to IPv4 — adding noticeable latency.
Migration Tip: Lower TTL to 60 seconds before migrations for faster propagation instead of waiting hours.
CNAME Record
Canonical Name — Forwarding alias
A forwarding record that points one domain to another domain (not an IP). Think of it like a receptionist directing you to the correct floor. Heavily used with CDNs and Load Balancers in cloud environments.
| Name | Type | Value | TTL |
|---|---|---|---|
| www.example.com | CNAME | lb1.aws.com | 3600 |
| blog.example.com | CNAME | lb1.aws.com | 3600 |
| api.example.com | CNAME | lb2.aws.com | 3600 |
Critical Limitation: A root domain (e.g., example.com) cannot be a CNAME. You must use a subdomain or an Alias record instead.
NS Record
Name Server — Domain authority delegation
Designates the authoritative name servers responsible for a domain. This record tells root and TLD servers where to go to find the actual DNS records.
| Name | Type | Value | TTL |
|---|---|---|---|
| example.com | NS | ns1.aws.com | 172800 (48 hrs) |
48-Hour Propagation: When migrating domains (e.g., GoDaddy → AWS Route 53), NS record changes can take up to 48 hours to propagate worldwide due to the high TTL.
SOA Record
Start of Authority — The “Constitution” of DNS
Defines administrative metadata about the DNS zone. Does not route traffic — it’s purely informational. Think of it as the constitution that governs how the DNS zone operates.
Key SOA Fields
| Field | Example | Purpose |
|---|---|---|
| Primary NS | ns1.dns.com | Main authoritative name server |
| Admin Email | admin@example.com | Zone administrator contact |
| Serial Number | 2023120 | Version of the DNS config |
| Refresh Interval | 3600 | How often secondary servers sync |
| Negative TTL | 86400 | Cache duration for “does not exist” responses |
Negative TTL Example: If someone searches nope.example.com and it doesn’t exist, the Negative TTL (e.g., 24 hours) tells resolvers not to re-query for that period.
TXT Record
Text Record — Ownership & email authentication
Used for domain ownership verification and email authentication. Tells the world who owns the domain and who can send legitimate emails on its behalf.
Common Uses
SPF (Sender Policy Framework): Declares which mail servers can send email for your domain.
v=spf1 include:_spf.google.com ~all
DKIM: Cryptographic signature to prevent email spoofing.
Domain Verification: Services like Google Workspace, Slack, and Notion require TXT records to verify you own the domain.
If emails land in spam: Your TXT record (SPF/DKIM) is likely misconfigured. Without proper TXT records, receiving mail servers such as Gmail cannot verify that mail claiming to come from your domain is legitimate.
Alias Record
A-Alias — Solves the root domain CNAME limitation
Since root domains (example.com) cannot use CNAME, the Alias record was created. It behaves like a CNAME, but the DNS provider resolves the target itself and returns an IP address directly in the A/AAAA answer, so the root name keeps its ordinary records. Essential when pointing a root domain to a load balancer.
DNS Resolution Flow
When you type a URL in your browser, here’s the complete chain of events:
```
┌─────────┐  query ┌────────────────────┐  query   ┌───────────────┐
│ Browser │ ─────► │ Recursive Resolver │ ──────►  │ Root Server . │
│ (User)  │ ◄───── │ (ISP, caches/TTL)  │ ◄──────  │ says: ask TLD │
└─────────┘   IP   └────────────────────┘ referral └───────────────┘
                      │  ▲         │  ▲
               query  │  │ ask NS  │  │ actual IP
                      ▼  │         ▼  │
             ┌───────────────┐ ┌───────────────────┐
             │ TLD Server    │ │ Authoritative NS  │
             │ (.com, .org)  │ │ (A / AAAA / CNAME)│
             └───────────────┘ └───────────────────┘
```
Complete DNS resolution path: Browser → Resolver → Root → TLD → Authoritative NS → IP returned & cached
Step-by-step
1. User types www.example.com in the browser.
2. Query goes to the Recursive Resolver (usually ISP’s DNS).
3. Resolver contacts a Root Server (the hidden . at the end of the domain).
4. Root Server directs to the appropriate TLD Server (e.g., .com).
5. TLD Server directs to the Authoritative Name Server (defined by the NS record).
6. Authoritative Server returns the actual IP address.
7. Resolver caches the result (per TTL) and returns it to the browser.
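The seven steps above, run end to end in code. This is an added example, not code from the original guide: a toy iterative resolver over a constructed three-level hierarchy (root, .com, example.com) that follows referrals, chases the CNAME for www, caches each answer for its TTL, and caches a "does not exist" answer for the zone's Negative TTL as described in the SOA section. The zone data, the `ZONES` structure, and the `query`/`Resolver` names are all assumptions made for the example; addresses are from the RFC 5737 / RFC 3849 documentation ranges.

```python
# Added example (not the guide's own code): a toy iterative resolver that
# walks root -> TLD -> authoritative exactly like steps 3-7 above, caches
# answers for their TTL, chases CNAMEs, and caches NXDOMAIN for the zone's
# negative TTL. All zone data below is constructed.

# One entry per zone: its own records, the child zones it delegates (the NS
# referral, abstracted to the child's name), and the SOA negative TTL.
ZONES = {
    ".": {"records": {}, "delegations": ["com."], "neg_ttl": 86400},
    "com.": {"records": {}, "delegations": ["example.com."], "neg_ttl": 900},
    "example.com.": {
        "records": {
            ("www.example.com.", "CNAME"): [(3600, "lb1.example.com.")],
            ("lb1.example.com.", "A"): [(300, "203.0.113.6")],
            ("lb1.example.com.", "AAAA"): [(300, "2001:db8:1::1")],
        },
        "delegations": [],
        "neg_ttl": 300,
    },
}


def query(zone_name, qname, qtype):
    """One round trip to the server authoritative for zone_name.

    Returns ("answer", rtype, [(ttl, value), ...]) when the server holds the
    data (rtype is "CNAME" when it holds an alias instead of the asked type),
    ("referral", child_zone, []) when qname lies below a delegation, or
    ("nxdomain", None, negative_ttl) when the name does not exist.
    """
    zone = ZONES[zone_name]
    recs = zone["records"]
    if (qname, qtype) in recs:
        return "answer", qtype, recs[(qname, qtype)]
    if (qname, "CNAME") in recs:
        return "answer", "CNAME", recs[(qname, "CNAME")]
    for child in zone["delegations"]:
        if qname == child or qname.endswith("." + child):
            return "referral", child, []
    return "nxdomain", None, zone["neg_ttl"]


class Resolver:
    """Recursive resolver with a TTL-bounded cache (positive and negative)."""

    def __init__(self):
        self.cache = {}       # (name, type) -> (expires_at, values or None)
        self.upstream = 0     # queries actually sent to authoritative servers

    def resolve(self, name, qtype, now, depth=0):
        """Return the list of values for (name, qtype), or None for NXDOMAIN."""
        key = (name, qtype)
        hit = self.cache.get(key)
        if hit and hit[0] > now:          # still fresh: answer from cache
            return hit[1]
        if depth > 8:
            raise RuntimeError("CNAME chain too long for %s" % name)
        zone = "."                        # every uncached lookup starts at root
        while True:
            self.upstream += 1
            kind, info, payload = query(zone, name, qtype)
            if kind == "referral":
                zone = info               # root -> TLD -> authoritative
                continue
            if kind == "nxdomain":        # negative caching per SOA minimum
                self.cache[key] = (now + payload, None)
                return None
            ttl = min(t for t, _ in payload)
            values = [v for _, v in payload]
            if info == "CNAME" and qtype != "CNAME":
                # Alias: resolve the target and keep the shorter of the two TTLs.
                target = values[0]
                values = self.resolve(target, qtype, now, depth + 1)
                ttl = min(ttl, self.cache[(target, qtype)][0] - now)
            self.cache[key] = (now + ttl, values)
            return values


if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("www.example.com.", "A", now=0), "after", r.upstream, "queries")
    print(r.resolve("www.example.com.", "A", now=100), "after", r.upstream, "queries")
    print(r.resolve("nope.example.com.", "A", now=0), "after", r.upstream, "queries")
```

The `upstream` counter makes the caching visible: the first lookup of www costs six queries (three to reach the CNAME, three more for its target), a repeat within 300 seconds costs none, and a repeat after the shorter TTL of the chain has expired costs six again. A real resolver also caches the NS referrals rather than returning to the root each time; the toy walks from the root so every step of the chain stays visible.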
Configuration & Best Practices
Lowering TTL Before a Migration
The single most important practice for any DNS migration: lower the TTL days before the actual change.
```
; BEFORE migration — lower TTL to 60 seconds
www.example.com. 60 IN A 203.0.113.6
; AFTER migration — update IP, then restore TTL
www.example.com. 3600 IN A 198.51.100.10
```
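A small pre-cutover check that applies this section's TTL rule together with the root-domain CNAME limitation from the CNAME section. This is an added example, not the guide's own tooling: it parses the `name TTL IN TYPE value` lines used above, flags a CNAME at the zone apex (and a CNAME sharing a name with other records, which RFC 1034 also forbids), and for every record that will change at the migration works out whether caches can still expire in time or whether the TTL is already too high to lower. The sample zone, the `LOW_TTL` constant, and the function names are constructed for the example.

```python
# Added example (not the guide's own code): pre-migration zone lint.
import re
from datetime import datetime, timedelta, timezone

LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+?)\s*$")
LOW_TTL = 60      # the pre-migration TTL recommended in this guide


def parse_zone(text):
    """Return [(name, ttl, type, value)]; ';' or '#' comment lines and blanks are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError("unparseable zone line: %r" % raw)
        name, ttl, rtype, value = m.groups()
        records.append((name.lower(), int(ttl), rtype.upper(), value))
    return records


def lint(records, origin, changing, now, migration_at):
    """Return [(severity, name, message)].

    origin: the zone apex, e.g. 'example.com.'
    changing: names whose values will change at migration_at
    now, migration_at: timezone-aware datetimes
    """
    findings = []
    types_at = {}
    for name, _, rtype, _ in records:
        types_at.setdefault(name, set()).add(rtype)
    for name, types in types_at.items():
        if "CNAME" not in types:
            continue
        if name == origin.lower():
            findings.append(("error", name, "CNAME at the zone apex is not allowed; use A or an Alias record"))
        if len(types) > 1:
            others = ", ".join(sorted(types - {"CNAME"}))
            findings.append(("error", name, "CNAME cannot coexist with other records (%s)" % others))
    for name, ttl, rtype, _ in records:
        if name not in changing or ttl <= LOW_TTL:
            continue
        # A cache that fetches this record right now may keep it for a full TTL,
        # so lowering the TTL only helps if now + TTL is still before the cutover.
        stale_until = now + timedelta(seconds=ttl)
        if stale_until > migration_at:
            findings.append(("error", name, "TTL %ds: old %s may be served until %s, after the migration"
                             % (ttl, rtype, stale_until.isoformat())))
        else:
            deadline = migration_at - timedelta(seconds=ttl)
            findings.append(("warn", name, "TTL %ds: lower it to %ds before %s"
                             % (ttl, LOW_TTL, deadline.isoformat())))
    return findings


# Constructed sample zone: an apex CNAME next to an MX, one high-TTL record
# that will move, and one record already lowered to 60 seconds.
SAMPLE_ZONE = """
; constructed sample zone for example.com.
example.com.       3600 IN CNAME lb1.aws.com.
example.com.       3600 IN MX    10 mail.example.com.
www.example.com.   3600 IN A     203.0.113.6
api.example.com.     60 IN CNAME lb2.aws.com.
"""


def run_sample():
    now = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
    return lint(parse_zone(SAMPLE_ZONE), "example.com.",
                {"www.example.com.", "api.example.com."},
                now, now + timedelta(hours=2))


if __name__ == "__main__":
    for sev, name, msg in run_sample():
        print("%-5s %-18s %s" % (sev, name, msg))
```

Run against the sample with a cutover two hours away, it reports two errors on the apex and one warning telling you to lower www's TTL to 60 seconds before 01:00; api.example.com. is already at 60 and produces nothing.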
SPF TXT Record Setup
```
example.com. IN TXT "v=spf1 include:_spf.google.com ~all"
; v=spf1 → declares SPF record
; include:... → authorizes Google's mail servers
; ~all → soft-fail for unauthorized senders
```
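A checker for the SPF policy a domain publishes, covering the misconfigurations behind the "emails land in spam" symptom. This is an added example, not the guide's or any mail provider's code: given the TXT strings found at a name, it verifies that exactly one `v=spf1` record exists (RFC 7208 treats more than one as a permanent error), that the record ends with an `all` mechanism or a `redirect`, that `ip4`/`ip6` terms hold valid addresses, and that the number of DNS-lookup terms stays within the RFC 7208 limit of ten. The TXT strings in the usage and tests are constructed; no DNS query is made, so the function names and the `LOOKUP_TERMS` set are assumptions of the example.

```python
# Added example (not the guide's own code): SPF record checker.
import ipaddress

# Mechanisms and modifiers that cost a DNS lookup when a receiver evaluates them.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10          # RFC 7208 section 4.6.4


def is_spf(txt):
    """True for a TXT string whose version tag is exactly v=spf1."""
    low = txt.strip().lower()
    return low == "v=spf1" or low.startswith("v=spf1 ")


def check_spf(txt_records):
    """Return (ok, findings) for all TXT strings published at one name."""
    spf = [r for r in txt_records if is_spf(r)]
    if not spf:
        return False, ["no SPF record: receivers cannot tell who may send for this domain"]
    if len(spf) > 1:
        return False, ["%d SPF records found; RFC 7208 allows exactly one (permerror)" % len(spf)]

    findings, lookups, terminal = [], 0, False
    for raw in spf[0].split()[1:]:
        qual, term = "+", raw                 # default qualifier is pass
        if raw[0] in "+-~?":
            qual, term = raw[0], raw[1:]
        if "=" in term:                       # modifier: redirect=, exp=
            name, _, arg = term.partition("=")
        else:                                 # mechanism: name[:arg][/cidr]
            name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()
        if name == "all":
            terminal = True
            if qual == "+":
                findings.append("'+all' authorises every host; use ~all or -all")
        elif name in ("ip4", "ip6"):
            try:
                ipaddress.ip_network(arg, strict=False)
            except ValueError:
                findings.append("invalid address in %s" % raw)
        elif name in LOOKUP_TERMS:
            lookups += 1
            if name == "redirect":            # redirect replaces the need for 'all'
                terminal = True
        elif name != "exp":
            findings.append("unknown term %r" % raw)
    if lookups > MAX_LOOKUPS:
        findings.append("%d lookup terms exceed the limit of %d (permerror)" % (lookups, MAX_LOOKUPS))
    if not terminal:
        findings.append("no 'all' or redirect: unlisted senders get a neutral result")
    return not findings, findings


if __name__ == "__main__":
    # Constructed TXT sets: the guide's record, then two common mistakes.
    for txts in (["v=spf1 include:_spf.google.com ~all"],
                 ["v=spf1 include:_spf.google.com ~all", "v=spf1 ip4:203.0.113.0/24 -all"],
                 ["v=spf1 ip4:203.0.113.6 +all"]):
        print(txts, "->", check_spf(txts))
```

The duplicate-record case is the one to watch during a migration: a provider that adds its own SPF TXT next to the one already present leaves two `v=spf1` strings at the apex, and receivers then reject the policy outright rather than merging it.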
Key Takeaways
- A Record is king — the most fundamental record. Always check it first when a website is unreachable.
- Lower TTL before any migration — set it to 60 seconds days before so caches expire quickly.
- CNAME cannot be used on root domains — use an Alias record instead.
- NS record propagation takes up to 48 hours — plan domain migrations well in advance.
- TXT records protect email reputation — misconfigured SPF/DKIM means your emails land in spam.
- SOA record controls refresh behavior — check its refresh interval if DNS changes aren’t propagating.
- Dual-stack IPv6 fallback adds latency — no AAAA record means slow fallback to IPv4.
- CNAME misconfiguration = silent failures — wrong load balancer endpoint breaks traffic without clear errors.
- Don’t forget the root dot — every domain ends with a hidden "." and understanding this helps debug resolution chains.
Troubleshooting Guide
| Problem | Likely Cause | Fix |
|---|---|---|
| Website not found | A record pointing to wrong/old IP | Update A record; verify TTL expired |
| Slow page loads | Missing AAAA in dual-stack env | Add AAAA record or disable IPv6 preference |
| “Domain not found” | CNAME or NS records not updated | Verify CNAME targets; confirm NS points to new provider |
| Works for some, not others | SOA refresh too long; TTL too high | Lower SOA refresh interval & reduce TTL |
| Emails in spam | TXT (SPF/DKIM) misconfigured | Add proper SPF and DKIM TXT records |
| Root domain can’t use LB | CNAME used on root domain | Use Alias (A-Alias) record instead |
| Changes not propagating | Old TTL still cached; NS delay | Wait for TTL expiry; NS changes need up to 48h |
| Service can’t verify domain | TXT record missing/incorrect | Add verification TXT record from the service |
Mind Map
DNS Design & Architecture
│
├── DNS Resolution
│ ├── Name → IP Translation
│ ├── Recursive Resolver → Root → TLD → Authoritative Server
│ └── Root Domain (hidden "." at end of every domain)
│
├── Core DNS Records
│ ├── A Record ─────── Domain → IPv4 (most fundamental)
│ ├── AAAA Record ──── Domain → IPv6 (optional, growing)
│ │ └── ⚠ Dual-stack fallback latency risk
│ ├── CNAME Record ─── Domain → Another Domain
│ │ ├── Used with CDNs & Load Balancers
│ │ └── 🚫 Cannot be used on root domains
│ ├── NS Record ────── Delegates to Authoritative Servers
│ │ └── ⏳ Propagation up to 48 hours
│ ├── SOA Record ───── Zone Admin Metadata
│ │ ├── Refresh Interval
│ │ └── Negative TTL
│ ├── TXT Record ───── Ownership & Email Auth
│ │ ├── SPF (email authorization)
│ │ └── DKIM (email signing)
│ └── Alias Record ─── Solves CNAME root limitation
│
├── Key Concept: TTL
│ ├── Controls cache duration
│ ├── Lower before migration (60s)
│ └── High TTL = slow propagation
│
└── Troubleshooting
├── Site not found ──── Check A / CNAME / NS
├── Latency ─────────── Check AAAA / dual-stack
├── Partial propagation ─ Check SOA refresh + TTL
└── Email spam ──────── Check TXT (SPF / DKIM)
Additional References
| Resource | Description |
|---|---|
| AWS Route 53 | Amazon’s DNS service with native Alias record support |
| GoDaddy | Popular domain registrar, common in migration scenarios |
| CDN | Content Delivery Network — CNAME records often point to CDN endpoints |
| nslookup | CLI tool to query DNS records |
| dig | Advanced DNS lookup utility (Linux/Mac) |
| host | Simple DNS lookup command |
| whois | Domain registration information lookup |
