DNS Explained for Web Developers: A-Z Guide

Everything web developers need to know about DNS — A records, CNAME, MX, TTL, propagation, DNSSEC, and the misconfigurations most likely to break your website.

11 min read DNS & Hosting

DNS (Domain Name System) is the internet's phone book — it translates human-readable domain names into IP addresses that servers understand. For developers, DNS misconfigurations are one of the most common causes of mysterious site outages and email delivery failures.

This guide covers everything you need to know.

How DNS Works (in 60 seconds)

When a user types websitelinter.com into their browser:

  1. Browser checks its local cache
  2. If not cached, asks the OS resolver
  3. OS resolver asks a recursive resolver (usually your ISP or 8.8.8.8)
  4. Recursive resolver walks the DNS tree: Root → TLD (.com) → Authoritative nameserver
  5. Authoritative nameserver returns the IP address
  6. Browser connects to the IP and loads your site

This entire process usually takes under 50ms and is cached for a duration specified by the TTL.

DNS Record Types

A Record

Maps a domain to an IPv4 address.

websitelinter.com.    300    IN    A    104.21.44.123

AAAA Record

Maps a domain to an IPv6 address.

websitelinter.com.    300    IN    AAAA    2606:4700:3032::ac43:c8b3

CNAME Record

Creates an alias that points to another domain name (not an IP).

www.websitelinter.com.    300    IN    CNAME    websitelinter.com.

Important: You cannot use a CNAME at the apex (root) domain. For websitelinter.com, you need an A record or a CNAME-flattening feature (which Cloudflare calls "CNAME at root").

MX Record

Specifies mail servers for your domain. The priority value (lower = higher priority):

websitelinter.com.    300    IN    MX    10    mail.example.com.
websitelinter.com.    300    IN    MX    20    mail2.example.com.

TXT Record

Arbitrary text data — used for domain verification, SPF, DKIM, DMARC, and more.

websitelinter.com.    300    IN    TXT    "v=spf1 include:_spf.google.com ~all"

NS Record

Delegates DNS authority to nameservers.

websitelinter.com.    86400    IN    NS    ns1.cloudflare.com.

SOA Record

Start of Authority — contains metadata about the zone (primary nameserver, admin email, serial number).

SRV Record

Service locator records — used by XMPP, SIP, and other protocols.

_sip._tcp.example.com.    86400    IN    SRV    10 20 5060 sip.example.com.

CAA Record

Certificate Authority Authorization — restricts which CAs can issue SSL certs for your domain.

websitelinter.com.    300    IN    CAA    0 issue "letsencrypt.org"

Understanding TTL

TTL (Time to Live) is the number of seconds DNS resolvers should cache a record. It's a trade-off:

TTL Pros Cons
Short (60–300s) Fast propagation on changes More DNS queries, slightly slower resolution
Long (3600–86400s) Fewer queries, faster resolution Slow propagation when you change records

Best practice: Lower your TTL to 300s (5 min) before making a critical DNS change, wait for the old TTL to expire, then make the change. Afterwards, restore the higher TTL.

DNS Propagation

"DNS propagation" refers to the time it takes for changes to spread across the internet's recursive resolvers. It's widely misunderstood:

  • Your authoritative nameserver updates instantly
  • Recursive resolvers worldwide hold cached copies until TTL expires
  • "Propagation" can take minutes to 48 hours, depending on TTL and resolver behavior

Use dnschecker.org to see what different resolvers worldwide are returning for your domain. If you see inconsistent results, resolvers are still serving the cached old record.

Email DNS: SPF, DKIM, and DMARC

Three TXT records that drastically improve email deliverability and prevent spoofing:

SPF (Sender Policy Framework)

Lists which IP addresses and services are authorized to send email for your domain:

"v=spf1 include:_spf.google.com include:sendgrid.net ~all"
  • ~all = soft fail (mark as suspicious but deliver)
  • -all = hard fail (reject)

DKIM (DomainKeys Identified Mail)

Adds a cryptographic signature to outgoing emails. Your email provider generates a key pair; you publish the public key as a TXT record:

google._domainkey.example.com.    TXT    "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0B..."

DMARC

Ties SPF and DKIM together and tells receiving servers what to do with emails that fail checks:

_dmarc.example.com.    TXT    "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"
  • p=none — monitor only
  • p=quarantine — send to spam
  • p=reject — reject outright

DNSSEC

DNSSEC adds cryptographic signatures to DNS responses, preventing DNS cache poisoning attacks where an attacker tricks resolvers into returning fraudulent IP addresses.

Enabling DNSSEC requires:

  1. Your DNS provider to sign your zone
  2. Publishing a DS record with your registrar

Cloudflare and Route 53 both support DNSSEC and handle most of the complexity automatically.

Common DNS Mistakes

Forgetting to lower TTL before changes

Always pre-lower TTL before a planned migration. If you change your A record while TTL is 86400, some users may see the old IP for up to 24 hours.

Using CNAME at the apex

This violates RFC 1034. Use A records or a service with CNAME flattening.

Missing SPF/DKIM/DMARC

Without these, your transactional emails are likely hitting spam. Gmail and Outlook now reject or flag email from domains without proper DMARC policies.

Broken CAA records after cert provider switch

If you move from DigiCert to Let's Encrypt but your CAA record still says issue "digicert.com", your new cert issuance will fail.

Forgetting trailing dots

In zone files, a domain without a trailing dot is relative to the zone origin. mail.example.com and mail.example.com. mean different things in a zone file.

Tools for Debugging DNS

  • dig websitelinter.com A — query a specific record type
  • dig +trace websitelinter.com — trace the full DNS resolution path
  • nslookup websitelinter.com 8.8.8.8 — query Google's resolver specifically
  • dnschecker.org — check propagation globally
  • mxtoolbox.com — email DNS diagnostics

Checking Your Site's DNS Health

A misconfigured DNS record can cause SSL certificate failures, email delivery problems, and intermittent outages. Website Linter scans your site's technical configuration — run a free audit to check your current state alongside performance, security headers, and SEO signals all in one report.