DNS Record Types
Every DNS record type you will encounter. Zone file syntax, query commands, and rules for each type.
A Record — IPv4 Address Mapping
ns1 IN A 10.50.1.90
ise-01 IN A 10.50.1.20
dc01 IN A 10.50.1.50
Maps a hostname to an IPv4 address. Each A record carries exactly one address; multiple A records at the same name provide round-robin load distribution.
dig inside.domusdigitalis.dev A +short
AAAA Record — IPv6 Address Mapping
ns1 IN AAAA 2001:db8::1
Identical purpose to A records but for IPv6. Dual-stack hosts have both A and AAAA records.
CNAME Record — Canonical Name Alias
www IN CNAME webserver.inside.domusdigitalis.dev.
portal IN CNAME ise-01.inside.domusdigitalis.dev.
CNAME creates an alias. The resolver follows the chain to the canonical name’s A record. Cannot coexist with other record types at the same name — no CNAME + MX, no CNAME + NS.
dig www.example.com CNAME +short
MX Record — Mail Exchange
@ IN MX 10 mail.inside.domusdigitalis.dev.
@ IN MX 20 backup-mail.inside.domusdigitalis.dev.
Lower preference number means higher priority. Mail servers try MX 10 first; if unreachable, fall to MX 20. The target must be an A/AAAA record, never a CNAME.
dig example.com MX +short
NS Record — Nameserver Delegation
@ IN NS ns1.inside.domusdigitalis.dev.
@ IN NS ns2.inside.domusdigitalis.dev.
NS records define which servers are authoritative for a zone. Minimum two for redundancy. The trailing dot makes the name absolute.
lab IN NS ns1.lab.example.com.
Delegates the lab subdomain to a different nameserver. Requires a glue A record if the NS target is within the delegated zone.
SOA Record — Start of Authority
@ IN SOA ns1.inside.domusdigitalis.dev. admin.domusdigitalis.dev. (
2026041001 ; Serial
3600 ; Refresh (1h)
900 ; Retry (15m)
604800 ; Expire (7d)
86400 ; Negative cache TTL (1d)
)
Every zone has exactly one SOA. The serial must increment on every edit. The admin email uses . instead of @ (admin.domusdigitalis.dev = admin@domusdigitalis.dev).
PTR Record — Reverse Lookup
20 IN PTR ise-01.inside.domusdigitalis.dev.
50 IN PTR dc01.inside.domusdigitalis.dev.
90 IN PTR ns1.inside.domusdigitalis.dev.
PTR records live in in-addr.arpa zones with octets reversed. Forward (A) and reverse (PTR) records must match — ISE, RADIUS, Kerberos, and SMTP all validate this.
dig -x 10.50.1.20 +short
SRV Record — Service Location
_ldap._tcp IN SRV 0 100 389 dc01.inside.domusdigitalis.dev.
_kerberos._tcp IN SRV 0 100 88 dc01.inside.domusdigitalis.dev.
_gc._tcp IN SRV 0 100 3268 dc01.inside.domusdigitalis.dev.
Format: priority weight port target. AD clients discover domain controllers, KDCs, and Global Catalog servers through SRV records. Without them, domain join and authentication fail.
dig _ldap._tcp.dc._msdcs.inside.domusdigitalis.dev SRV +short
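The priority/weight/port/target fields above are only useful if the client applies them in the order RFC 2782 prescribes: lowest priority number first, and within one priority a weighted random draw. The following is an added example, not code from the original page: it parses SRV lines in the zone-file syntax shown above into a small dataclass and implements that ordering, with constructed sample records (two domain controllers at equal priority with unequal weights, plus a remote fallback) to show how often each target is tried first. The function and class names are my own.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(line):
    """Parse one zone-file line: '_service._proto IN SRV priority weight port target.'"""
    _owner, _cls, rtype, prio, weight, port, target = line.split()
    if rtype.upper() != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    return SRV(int(prio), int(weight), int(port), target)


def order_srv(records, rng=None):
    """Return the records in the order a client should try them (RFC 2782):
    ascending priority; within one priority a weighted random draw in which a
    higher weight is more likely to be picked earlier and weight 0 is least likely."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        # RFC 2782: weight-0 entries go to the front of the list before the running-sum draw
        group.sort(key=lambda r: r.weight != 0)
        while group:
            pick = rng.randint(0, sum(r.weight for r in group))
            running = 0
            for i, r in enumerate(group):
                running += r.weight
                if running >= pick:          # first record whose running sum reaches the draw
                    ordered.append(group.pop(i))
                    break
    return ordered


# Constructed sample: two DCs at priority 0 with weights 75/25 and a remote fallback at priority 10.
SAMPLE = [
    "_ldap._tcp IN SRV 0 75 389 dc01.inside.domusdigitalis.dev.",
    "_ldap._tcp IN SRV 0 25 389 dc02.inside.domusdigitalis.dev.",
    "_ldap._tcp IN SRV 10 0 389 dc-remote.inside.domusdigitalis.dev.",
]


def first_choice_counts(lines=SAMPLE, trials=1000, seed=1):
    """Repeat the ordering and count which target a client would contact first."""
    records = [parse_srv(l) for l in lines]
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        first = order_srv(records, rng)[0].target
        counts[first] = counts.get(first, 0) + 1
    return counts


if __name__ == "__main__":
    for target, n in sorted(first_choice_counts().items()):
        print(f"{target:45s} chosen first {n:4d}/1000")
```

Running it shows dc01 chosen first roughly three times as often as dc02, and dc-remote never chosen first while any priority-0 server is listed; a client only falls through to priority 10 after both priority-0 targets fail, which is the behaviour to expect when a site's DCs are down.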
TXT Record — Text Data
@ IN TXT "v=spf1 mx ip4:10.50.1.0/24 -all"
_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
default._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjAN..."
dig example.com TXT +short
dig _dmarc.example.com TXT +short
CAA Record — Certificate Authority Authorization
@ IN CAA 0 issue "letsencrypt.org"
@ IN CAA 0 issuewild ";"
The issue tag authorizes a CA to issue standard certificates for the name. The issuewild tag with the value ";" prohibits wildcard certificate issuance by any CA. CAs are required to check CAA before issuing.
Record Rules Summary
- A CNAME cannot coexist with any other record type at the same name
- MX and NS targets must point to A/AAAA records, never CNAMEs
- PTR records must match their corresponding A records
- SOA serial must always increase — never decrease or slaves ignore updates
- The trailing dot on FQDNs is not optional in zone files — without it, BIND appends the zone origin
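Most of these rules, together with the SOA serial and PTR/A consistency points made in the sections above, can be checked offline before a zone is loaded. The following is an added example, not code from the original page: a minimal zone-file linter that parses "owner IN TYPE rdata" lines (with ";" comments and a parenthesised SOA), applies the trailing-dot/origin rule, flags CNAME coexistence and MX/NS targets that are CNAMEs, verifies that every A record has a matching PTR in the reverse zone, decodes the SOA RNAME into an e-mail address, and computes the next YYYYMMDDNN serial. The zone text is constructed for the example and contains two deliberate violations; the function names and the assumption of a single-line record format without a TTL column are mine.

```python
import ipaddress

FORWARD_ORIGIN = "inside.domusdigitalis.dev."
REVERSE_ORIGIN = "1.50.10.in-addr.arpa."

def absolute(name, origin):
    # Zone-file rule: '@' is the origin; no trailing dot means relative, so the origin is appended (as BIND does)
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def _logical_lines(text):
    # Strip ';' comments and join parenthesised multi-line records such as SOA
    buf, depth = "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        depth += line.count("(") - line.count(")")
        buf = f"{buf} {line.replace('(', ' ').replace(')', ' ')}".strip()
        if depth == 0:
            yield buf
            buf = ""

def parse_zone(text, origin):
    # 'owner IN TYPE rdata...' lines (no TTL column, no quoted strings with spaces) -> (owner, type, rdata)
    records = []
    for line in _logical_lines(text):
        owner, _cls, rtype, *rdata = line.split()
        records.append((absolute(owner, origin), rtype.upper(), rdata))
    return records

def lint(records, origin):
    # Rules: exactly one SOA; no CNAME sharing a name with another type; no MX/NS target that is a CNAME
    problems, types_at = [], {}
    for owner, rtype, _ in records:
        types_at.setdefault(owner, set()).add(rtype)
    soa_count = sum(1 for _, rtype, _ in records if rtype == "SOA")
    if soa_count != 1:
        problems.append(f"zone has {soa_count} SOA records, expected exactly one")
    for owner, types in types_at.items():
        if "CNAME" in types and len(types) > 1:
            problems.append(f"{owner}: CNAME coexists with {sorted(types - {'CNAME'})}")
    for owner, rtype, rdata in records:
        if rtype in ("MX", "NS") and "CNAME" in types_at.get(absolute(rdata[-1], origin), set()):
            problems.append(f"{owner}: {rtype} target {absolute(rdata[-1], origin)} is a CNAME")
    return problems

def check_reverse(forward, reverse):
    # Each A/AAAA needs a PTR at the reversed-octet name pointing back at the A owner
    ptr_at = {owner: rdata[0] for owner, rtype, rdata in reverse if rtype == "PTR"}
    mismatches = []
    for owner, rtype, rdata in forward:
        if rtype in ("A", "AAAA"):
            rev_name = ipaddress.ip_address(rdata[0]).reverse_pointer + "."
            if ptr_at.get(rev_name) != owner:
                mismatches.append((owner, rdata[0], ptr_at.get(rev_name)))
    return mismatches

def soa_email(rname):
    # SOA RNAME decoding: the first unescaped '.' becomes '@'; '\.' is a literal dot in the local part
    rname, local, i = rname.rstrip("."), [], 0
    while i < len(rname):
        if rname[i] == "\\" and i + 1 < len(rname):
            local.append(rname[i + 1]); i += 2
        elif rname[i] == ".":
            return "".join(local) + "@" + rname[i + 1:]
        else:
            local.append(rname[i]); i += 1
    return "".join(local)

def next_serial(current, today="20260410"):
    # YYYYMMDDNN convention: today's date with NN=01 if that is larger, else current + 1, so it always increases
    candidate = int(today + "01")
    return candidate if candidate > current else current + 1

# Constructed sample zones containing two deliberate rule violations.
FORWARD_ZONE = """
@       IN SOA ns1.inside.domusdigitalis.dev. admin.domusdigitalis.dev. (
            2026041001 3600 900 604800 86400 )   ; serial refresh retry expire neg-ttl
@       IN NS  ns1.inside.domusdigitalis.dev.
@       IN MX  10 mail.inside.domusdigitalis.dev.
ns1     IN A   10.50.1.90
ise-01  IN A   10.50.1.20
dc01    IN A   10.50.1.50
mail    IN CNAME dc01            ; violation: MX target is a CNAME
www     IN CNAME ise-01
www     IN A   10.50.1.21        ; violation: CNAME plus A at one name (and no PTR)
"""
REVERSE_ZONE = """
20  IN PTR ise-01.inside.domusdigitalis.dev.
50  IN PTR dc01.inside.domusdigitalis.dev.
90  IN PTR ns1.inside.domusdigitalis.dev.
"""

if __name__ == "__main__":
    fwd = parse_zone(FORWARD_ZONE, FORWARD_ORIGIN)
    for p in lint(fwd, FORWARD_ORIGIN):
        print("RULE:", p)
    for owner, ip, found in check_reverse(fwd, parse_zone(REVERSE_ZONE, REVERSE_ORIGIN)):
        print(f"PTR: {owner} ({ip}) -> {found}")
```

Run against the sample it reports the www CNAME/A clash, the MX pointing at the mail CNAME, and the missing PTR for 10.50.1.21; the relative targets (dc01, ise-01) are resolved against the origin exactly as BIND would, which is why a forgotten trailing dot on an external name shows up here as a bogus name under inside.domusdigitalis.dev. rather than silently working.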