Complete Guide to DNS Lookup: A, MX, TXT, NS Records Explained
DNS records are the building blocks of the internet. This guide explains every record type, what it does, how to read it, and when you need to change it.
What Is DNS and Why Does It Matter?
The Domain Name System (DNS) is the internet's distributed phonebook. When you type google.com into a browser, DNS translates that human-readable name into an IP address like 142.250.80.46 that computers can route to. Without DNS, you'd have to memorize IP addresses for every website.
DNS is hierarchical and distributed across thousands of servers worldwide, making it extremely resilient. A DNS query travels through several steps before reaching your browser:
- Browser Cache — Has the browser looked this up recently?
- Operating System Cache — Has the OS cached it?
- Recursive Resolver — Your ISP's or chosen DNS server (1.1.1.1, 8.8.8.8)
- Root Nameservers — 13 root servers that know who manages each TLD (.com, .org, .uk)
- TLD Nameservers — Responsible for .com, .net, .org, etc.
- Authoritative Nameservers — The final authority for your specific domain
The entire process typically completes in 10–100 milliseconds.
Every DNS Record Type Explained
A Record (Address Record)
Maps a domain to an IPv4 address. This is the most fundamental record — it tells the internet where to send traffic for your domain.

Example:

```
example.com. 300 IN A 93.184.216.34
```

- TTL (300 seconds) — How long this record can be cached
- IN — Internet class
- A — Record type
- 93.184.216.34 — The IPv4 address
You can have multiple A records for load balancing (different servers). DNS will round-robin between them.
AAAA Record (IPv6 Address Record)
The IPv6 equivalent of an A record. IPv6 addresses are 128-bit, written as eight groups of four hexadecimal digits.

Example:

```
example.com. 300 IN AAAA 2606:2800:220:1:248:1893:25c8:1946
```

IPv6 adoption is accelerating — having AAAA records is increasingly important for full internet reachability.
CNAME Record (Canonical Name)
An alias that points one domain name to another domain name (not an IP address). The DNS resolver follows the chain until it reaches an A record.

Example:

```
www.example.com. 300 IN CNAME example.com.
```

Critical rule: You cannot use a CNAME at the root/apex of your domain (example.com). Only subdomains (www.example.com) can use CNAME. Some DNS providers offer CNAME flattening (ALIAS records) to work around this.
MX Record (Mail Exchanger)
Specifies which mail servers accept email for your domain. The priority value determines the order: lower numbers mean higher priority.

Example:

```
example.com. 3600 IN MX 10 mail1.example.com.
example.com. 3600 IN MX 20 mail2.example.com.
```

If mail1 is unreachable, senders will try mail2. This provides mail server redundancy.
Common MX configurations:
- Google Workspace: aspmx.l.google.com (priority 1)
- Microsoft 365: domain.mail.protection.outlook.com
- Protonmail: mail.protonmail.ch (priority 10)
NS Record (Nameserver)
Delegates authority for your domain to specific nameservers. These records tell the internet which servers are authoritative for your domain's DNS.

Example:

```
example.com. 86400 IN NS ns1.cloudflare.com.
example.com. 86400 IN NS ns2.cloudflare.com.
```

NS records are set at your domain registrar, not your DNS provider. Changing nameservers triggers propagation that can take up to 48 hours.
TXT Record (Text Record)
Stores arbitrary text data. Originally designed for human-readable information, TXT records are now critical for email authentication and domain verification.

Common TXT record uses:

SPF (Sender Policy Framework):

```
v=spf1 include:_spf.google.com ~all
```

Specifies which mail servers are authorized to send email for your domain. Prevents email spoofing.

DKIM (DomainKeys Identified Mail):

```
v=DKIM1; k=rsa; p=MIGfMA0GCS...
```

A public key used to verify email signatures. Email is signed by the sending server and recipients verify the signature.

DMARC (Domain-based Message Authentication):

```
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com
```

Tells receivers what to do with emails that fail SPF/DKIM checks (none, quarantine, or reject).

Domain Verification:

```
google-site-verification=abcdef123456
```

Used by Google Search Console, AWS, and other services to prove domain ownership.
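
The SPF and DMARC values above can be checked for weak settings before they are published. The following is an added example, not part of the original guide; the function names and finding texts are illustrative, and the SPF lookup count covers only the terms visible in the record itself.

```python
# Added example (not from the original page): flag weak SPF and DMARC TXT values.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists")

def parse_spf(txt):
    """Return (qualifier, term) pairs (qualifier defaults to "+"), or None if not SPF."""
    parts = txt.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    return [(t[0] if t[0] in "+-~?" else "+", t.lstrip("+-~?").lower())
            for t in parts[1:]]

def audit_spf(txt):
    terms = parse_spf(txt)
    if terms is None:
        return ["not an SPF record"]
    findings = []
    all_quals = [q for q, m in terms if m == "all"]
    if not all_quals and not any(m.startswith("redirect=") for _, m in terms):
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_quals and all_quals[0] in "+?":
        findings.append(f"'{all_quals[0]}all' does not restrict unlisted senders")
    # RFC 7208 allows at most 10 DNS-querying terms (nested includes not resolved here).
    lookups = sum(m.split(":")[0].split("/")[0] in SPF_LOOKUP_TERMS
                  or m.startswith("redirect=") for _, m in terms)
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms exceed the limit of 10")
    return findings

def parse_dmarc(txt):
    """Return DMARC tags as a dict, or None if txt is not a DMARC record."""
    pairs = (item.split("=", 1) for item in txt.split(";") if "=" in item)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    return tags if tags.get("v") == "DMARC1" else None

def audit_dmarc(txt):
    tags = parse_dmarc(txt)
    if tags is None:
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none requests no action on failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not requested")
    return findings

if __name__ == "__main__":  # sample values: the guide's SPF record and a constructed DMARC one
    print(audit_spf("v=spf1 include:_spf.google.com ~all"), audit_dmarc("v=DMARC1; p=none"))
```
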
SOA Record (Start of Authority)
Contains administrative information about the DNS zone. Includes the primary nameserver, admin email, serial number (for tracking changes), and various timing parameters.

```
example.com. 3600 IN SOA ns1.example.com. admin.example.com. (
    2024011501 ; Serial
    3600       ; Refresh
    900        ; Retry
    604800     ; Expire
    300        ; Minimum TTL
)
```

PTR Record (Pointer Record)
The reverse of an A record — maps an IP address back to a domain name. Used primarily for reverse DNS lookups and verifying mail server identities.
SRV Record (Service Record)
Specifies the location of servers for specific services. Format:

```
_service._protocol.name TTL class SRV priority weight port target
```

Used by SIP (VoIP), XMPP (chat), and Microsoft services like Teams.
DNS Propagation: Why Changes Take Time
When you change a DNS record, the change isn't instant worldwide because:
- TTL Caching — Every DNS record has a TTL. Resolvers that cached the old record won't check for updates until the TTL expires.
- Resolver Caches — Millions of recursive resolvers cache records independently.
- ISP Caches — Some ISPs ignore TTL values and cache longer.
Best practices for DNS changes:
- Lower your TTL to 300 seconds (5 minutes) 24 hours before making a change
- Make the change
- Verify propagation using multiple geographic locations
- After propagation, raise TTL back to 3600 seconds (1 hour) or higher
How to Troubleshoot DNS Problems
Check if DNS resolves at all
Use our DNS Lookup Tool to query records from our servers. If records appear here but not in your browser, the issue is your local DNS cache or resolver.
Test from multiple locations
DNS propagation can leave some locations with old data. Check from different regions to see if the records are consistent.
Verify your TTL settings
Long TTLs mean slow propagation. If you need to make changes, temporarily reduce TTL before making them.
Common DNS errors and fixes
| Error | Likely Cause | Fix |
|---|---|---|
| NXDOMAIN | Domain doesn't exist or expired | Check domain registration |
| SERVFAIL | Nameserver not responding | Check NS records are correct |
| REFUSED | Nameserver won't answer | Authoritative NS misconfigured |
| TIMEOUT | Nameserver unreachable | Network issue between resolver and NS |
DNS Security: DNSSEC
DNSSEC adds cryptographic signatures to DNS records, preventing attackers from forging DNS responses (DNS spoofing/cache poisoning). It creates a chain of trust from the root down to your domain.
Check if a domain uses DNSSEC by looking for DS records in the parent zone. Most major DNS providers (Cloudflare, Route 53, Google Cloud DNS) support DNSSEC.
Practical DNS Checklist for Website Owners
Before launching a website, verify:
- ☐ A record points to the correct server IP
- ☐ www CNAME or A record configured
- ☐ MX records set if using custom email
- ☐ SPF TXT record configured
- ☐ DKIM set up with your email provider
- ☐ DMARC policy in place
- ☐ TTLs are reasonable (300–3600 seconds)
- ☐ NS records match your registrar settings
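
The checklist above can be run mechanically against a zone export. This is an added example, not part of the original guide: the zone text is a constructed sample, `expected_ip` and `dkim_selector` are assumed inputs, and the CNAME-at-apex rule from the CNAME section is included as an extra check. The registrar NS comparison is left out because it needs data from outside the zone.

```python
# Added example (not from the original page): run the launch checklist over zone lines.
ZONE = """\
example.com.         300   IN A     93.184.216.34
www.example.com.     300   IN CNAME example.com.
example.com.         3600  IN MX    10 mail1.example.com.
example.com.         3600  IN TXT   "v=spf1 include:_spf.google.com ~all"
_dmarc.example.com.  86400 IN TXT   "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
"""  # constructed sample: no DKIM record, and one TTL above 3600

def parse_zone(text):
    """Parse 'name TTL class type rdata' lines; skip blanks, comments, short lines."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) != 5 or parts[0].startswith(";"):
            continue
        name, ttl, _cls, rtype, rdata = parts
        records.append({"name": name.rstrip(".").lower(), "ttl": int(ttl),
                        "type": rtype.upper(), "rdata": rdata.strip().strip('"')})
    return records

def checklist(zone_text, apex, expected_ip, dkim_selector):
    """Return {check name: passed} for the items that can be verified from the zone."""
    recs = parse_zone(zone_text)

    def rdata(name, rtype):
        return [r["rdata"] for r in recs if r["name"] == name and r["type"] == rtype]

    def txt(name, tag):
        return any(v.startswith(tag) for v in rdata(name, "TXT"))

    www = "www." + apex
    return {
        "A record points to expected IP": expected_ip in rdata(apex, "A"),
        "www CNAME or A": bool(rdata(www, "CNAME") or rdata(www, "A")),
        "MX set": bool(rdata(apex, "MX")),
        "SPF TXT": txt(apex, "v=spf1"),
        "DKIM key": txt(f"{dkim_selector}._domainkey.{apex}", "v=DKIM1"),
        "DMARC policy": txt("_dmarc." + apex, "v=DMARC1"),
        "TTLs in 300-3600": all(300 <= r["ttl"] <= 3600 for r in recs),
        "no CNAME at apex": not rdata(apex, "CNAME"),
    }

if __name__ == "__main__":
    for check, ok in checklist(ZONE, "example.com", "93.184.216.34", "selector1").items():
        print(("PASS" if ok else "FAIL"), check)
```
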