DNS Record Types
DNS (the Domain Name System — the internet’s phone book that turns names like example.com into the numeric addresses computers use) does its job through small entries called records. Each record is one line in your domain’s settings that answers a specific question: “What server hosts this name?”, “Where does email go?”, “Who is allowed to issue certificates?” Knowing the handful of record types below is the single most useful skill for getting a domain to point at your Ubuntu server, route email correctly, and pass verification checks. This page is your reference — keep it open while you edit your DNS.
How a DNS record is structured
Every record has the same basic shape, no matter the type:
| Field | Meaning | Example |
|---|---|---|
| Name (host) | The subdomain or @ for the root domain | @, www, mail |
| Type | The record type (A, CNAME, MX, …) | A |
| Value (data) | What the record points to | 203.0.113.10 |
| TTL | Time To Live — how long to cache it (seconds) | 3600 |
The Name field is relative to your domain.
wwwmeanswww.example.com, and@means the bareexample.com(the “root” or “apex”). Some control panels want the full name typed out — check whether yours expectswwworwww.example.com.
The record types you actually use
| Type | Purpose | Points to | Example value |
|---|---|---|---|
| A | Maps a name to an IPv4 address | IPv4 (4 numbers) | 203.0.113.10 |
| AAAA | Maps a name to an IPv6 address | IPv6 (long hex) | 2001:db8::1 |
| CNAME | Alias — points one name at another name | Another hostname | myapp.herokudns.com |
| MX | Where email for the domain is delivered | A mail hostname (+ priority) | 10 mail.example.com |
| TXT | Free-form text — used for verification, SPF, DKIM | A text string | "v=spf1 include:_spf.google.com ~all" |
| NS | Which nameservers are authoritative for the domain | A nameserver hostname | ns1.cloudflare.com |
| CAA | Which certificate authorities may issue SSL certs | A CA domain | 0 issue "letsencrypt.org" |
A and AAAA — the address records
These are the core of pointing a domain at a server. An A record maps a name to an IPv4 address (the familiar 203.0.113.10 style). An AAAA record does the same for IPv6 (the newer, longer 2001:db8::1 style). They are not alternatives — if your server has both kinds of address, create both so all visitors reach you.
When to use: any time a name should resolve straight to a server you control by IP. This is what you set for the root domain (@) of your VPS.
Check your Ubuntu server’s public addresses before you create the records:
curl -4 ifconfig.co
curl -6 ifconfig.coOutput:
203.0.113.10
2001:db8::1Then create an A record for @ → 203.0.113.10 and an AAAA record for @ → 2001:db8::1 in your DNS panel.
CNAME — the alias record
A CNAME (Canonical Name) record points a name at another name rather than an IP. The browser then looks up that second name to find the actual address. This is perfect when a provider gives you a hostname instead of a fixed IP (common with managed hosting, CDNs, and load balancers) — if their IP changes, your domain follows automatically.
When to use: pointing www at your root domain, or pointing a subdomain at a platform like Netlify, Vercel, or a CDN.
When NOT to use: never put a CNAME on the root domain (@). The DNS rules forbid a CNAME alongside the other required root records (like NS and SOA). For the apex, use an A record, or a provider’s “ALIAS”/“ANAME” / “CNAME flattening” feature instead.
MX — the mail record
An MX (Mail Exchange) record tells other mail servers where to deliver email for your domain. Each MX record carries a priority number — lower numbers are tried first, so a backup server gets a higher number.
Priority 1 aspmx.l.google.com
Priority 5 alt1.aspmx.l.google.com
Priority 10 alt2.aspmx.l.google.comWhen to use: whenever you receive email at the domain. If you use Google Workspace or Microsoft 365, paste the exact MX values they give you. When NOT to use: the MX value must point to a hostname (which itself has an A/AAAA record), never to a raw IP address.
TXT — verification, SPF, and DKIM
A TXT record holds arbitrary text. It powers three common jobs:
- Domain verification: a provider asks you to add a unique string to prove you own the domain.
- SPF (Sender Policy Framework): lists which servers may send mail as your domain, cutting down on spoofing.
- DKIM (DomainKeys Identified Mail): publishes a signing key so receivers can verify your mail wasn’t tampered with.
v=spf1 include:_spf.google.com ~allNS — the nameserver record
NS (Name Server) records say which servers hold the authoritative DNS data for your domain. They are usually set at your registrar and rarely edited inside the zone itself. When to use: when you delegate a subdomain to a different DNS provider, or move your whole domain to Cloudflare.
CAA — locking down certificates
A CAA (Certification Authority Authorization) record lists which certificate authorities are allowed to issue SSL/TLS certificates for your domain. It’s a safety net: even if an attacker tricks another CA, that CA must refuse.
0 issue "letsencrypt.org"Add a CAA record for the CA you actually use (e.g.
letsencrypt.org). If you set CAA records but forget your real CA, certificate renewals will silently start failing — a nasty surprise weeks later.
Understanding TTL
TTL (Time To Live) is how long, in seconds, other servers are allowed to cache a record before asking again. A TTL of 3600 means “remember this for one hour.”
| TTL value | Caches for | Good for |
|---|---|---|
300 | 5 minutes | Right before/during a migration — changes propagate fast |
3600 | 1 hour | A sensible everyday default |
86400 | 24 hours | Stable records that almost never change |
The trade-off: low TTL means faster updates but slightly more DNS traffic; high TTL means snappier lookups but slow propagation. Tip: a day or two before changing an IP, lower the TTL to 300, make the switch, confirm it works, then raise it back.
Verify what’s actually live from your Ubuntu box with dig:
sudo apt update && sudo apt install -y dnsutils
dig +nocmd example.com A +noall +answer
dig +nocmd example.com MX +noall +answerOutput:
example.com. 3600 IN A 203.0.113.10
example.com. 3600 IN MX 10 mail.example.com.The number after the name (3600) is the remaining TTL the resolver is reporting.
Best Practices
- Always create both A and AAAA records if your server has an IPv6 address — half your visitors may be IPv6-only.
- Never put a CNAME on the root domain; use A/AAAA or your provider’s ALIAS/flattening feature.
- Lower the TTL to
300a day before any planned IP change, then restore it afterward. - Point MX records at hostnames, never raw IPs, and double-check the priority numbers.
- Add a CAA record naming the CA you use (e.g. Let’s Encrypt) to block rogue certificate issuance.
- After every change, confirm it with
digfrom the server rather than trusting the control panel UI alone. - Keep SPF and DKIM TXT records in sync with your mail provider’s current instructions to avoid bounced or spam-flagged email.