DNS Record Reference

Maps a hostname to an IPv4 address. The most common record — every domain that resolves to a server has at least one.

example.com.   IN  A      93.184.216.34

Maps a hostname to an IPv6 address. Pronounced "quad-A".

example.com.   IN  AAAA   2606:2800:220:1:248:1893:25c8:1946

Aliases one hostname to another. The target must itself resolve; CNAMEs cannot coexist with other records at the same name, and cannot appear at the apex (root) of a zone.

www.example.com.   IN  CNAME  example.com.

Mail exchanger — where SMTP for the domain should be delivered. Includes a priority (lower = preferred).

example.com.   IN  MX  10 mail.example.com.

Arbitrary text. Used for SPF (mail anti-spoofing), DKIM keys, domain verification (Google, Facebook, etc.), and human-readable notes.

example.com.   IN  TXT  "v=spf1 include:_spf.google.com ~all"

Delegates a (sub)domain to a set of authoritative name servers. Every zone has NS records at its apex.

example.com.   IN  NS  ns1.example.com.

Start of Authority — administrative info for the zone: primary name server, hostmaster email, serial number, and TTLs for negative caching.

example.com.   IN  SOA  ns1.example.com. hostmaster.example.com. 2025010101 7200 3600 1209600 3600

Reverse lookup — maps an IP back to a hostname. Lives under the `in-addr.arpa` (v4) or `ip6.arpa` (v6) zones.

34.216.184.93.in-addr.arpa.   IN  PTR  example.com.

Locates the host and port for a named service (with priority and weight). XMPP, SIP, and Microsoft AD all use SRV.

_sip._tcp.example.com.   IN  SRV  10 60 5060 sipserver.example.com.

Certification Authority Authorization — restricts which CAs may issue TLS certs for the domain. Modern CAs are required to check CAA before issuing.

example.com.   IN  CAA  0 issue "letsencrypt.org"

DNSSEC public key used to verify signatures in the zone. Paired with RRSIG records.

example.com.   IN  DNSKEY  257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0d…

Delegation Signer — published at the parent zone to fingerprint the child zone's DNSKEY. Forms the DNSSEC chain of trust.

example.com.   IN  DS  31589 13 2 3490A6806D47F17A34C29E2CE80E8A999FFBE4BE…

Resource Record Signature — cryptographic signature over a record set, validated against the zone's DNSKEY. Added automatically when the zone is signed.

example.com.   IN  RRSIG  A 13 2 300 20260101000000 …

DNSSEC "authenticated denial of existence" — proves a record does not exist. NSEC3 hashes names to discourage zone walking.

example.com.   IN  NSEC  www.example.com. A NS SOA MX TXT RRSIG NSEC

DANE — binds a TLS certificate (or its public key) to a hostname via DNSSEC. Lets clients verify certs without trusting a CA.

_443._tcp.example.com.   IN  TLSA  3 1 1 ABCD…

Service Binding — advertises alternative endpoints, ALPNs, port, and ECH config for a service. `HTTPS` is the HTTPS-specific subtype enabling HTTP/3 and ECH.

example.com.   IN  HTTPS  1 . alpn="h3,h2"

Rewrites a name to a URI / regex result. Used by ENUM and SIP for service discovery.

example.com.   IN  NAPTR  100 10 "u" "E2U+sip" "!^.*$!sip:info@example.com!" .

Geographic location — latitude, longitude, altitude. Rarely used in practice.

example.com.   IN  LOC  37 30 N 127 0 E 30m

A non-standard "flattened CNAME" supported by some providers (Route 53 alias, Cloudflare CNAME flattening). Lets you point the zone apex at another hostname.

example.com.   IN  ALIAS  app.example.cdn.com.