Domain & DNS Management — DNS Record Types, Zone Files, DNSSEC, Migration, and Troubleshooting


DodaTech Updated Jun 20, 2026 10 min read

DNS (Domain Name System) is the phonebook of the internet — it translates domain names to IP addresses. Misconfigured DNS causes downtime, email failures, and security vulnerabilities. This guide covers all DNS record types, zone file configuration, DNSSEC for security, migration between providers, troubleshooting with dig/nslookup, and protecting DNS against DDoS attacks.

What You’ll Learn

You’ll configure A, AAAA, CNAME, MX, TXT, NS, and SRV records, write and understand zone files, sign zones with DNSSEC and validate signatures, manage DNS propagation, migrate between DNS providers without downtime, troubleshoot resolution issues with dig and nslookup, and secure DNS against amplification attacks. DodaTech uses DNS-based failover and geo-routing for Durga Antivirus Pro update distribution.

DNS Learning Path

    flowchart LR
  A[Hosting Basics] --> B[DNS Records & Types]
  B --> C[Zone Files & Management]
  C --> D[DNSSEC]
  D --> E[Migration & Troubleshooting]
  E --> F[DNS Management<br/>You are here]
  style F fill:#f90,color:#fff
  

DNS Record Types

# A Record — Maps domain to IPv4
example.com.    IN  A   203.0.113.10

# AAAA Record — Maps domain to IPv6
example.com.    IN  AAAA    2001:db8::1

# CNAME — Canonical name (alias)
www.example.com.    IN  CNAME   example.com.

# MX — Mail exchange (priority + hostname)
example.com.    IN  MX  10  mail.example.com.
example.com.    IN  MX  20  backup-mail.example.com.

# TXT — Text (SPF, DKIM, DMARC, verification)
example.com.    IN  TXT "v=spf1 include:_spf.google.com ~all"

# NS — Name server (delegation)
example.com.    IN  NS  ns1.dodatech.com.
example.com.    IN  NS  ns2.dodatech.com.

# SRV — Service location
_sip._tcp.example.com.  IN  SRV 10 60 5060 sip.example.com.
# Priority: 10, Weight: 60, Port: 5060, Target: sip.example.com

# CAA — Certification Authority Authorization
example.com.    IN  CAA 0 issue "letsencrypt.org"

# PTR — Reverse DNS (IP → domain)
10.113.0.203.in-addr.arpa.  IN  PTR example.com.
# Owner name is the address 203.0.113.10 with ALL four octets reversed
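The PTR owner name is easy to get wrong because every label of the address is reversed, not just the first and last. The following is an added example in Python (not code from the DodaTech article) that builds in-addr.arpa and ip6.arpa names by hand; the standard-library ipaddress module is used only to validate and normalise the input. It also derives the origin of the reverse zone an ISP would delegate for a prefix, which the article mentions only as "set by ISP".

```python
"""Added example (not from the DodaTech article): derive reverse-DNS names by hand,
so the octet and nibble reversal behind in-addr.arpa / ip6.arpa is visible."""
import ipaddress


def reverse_name(ip):
    """PTR owner name for an address.
    IPv4: octets reversed under in-addr.arpa (203.0.113.10 -> 10.113.0.203.in-addr.arpa.)
    IPv6: all 32 hex nibbles, leading zeros included, reversed under ip6.arpa."""
    addr = ipaddress.ip_address(ip)           # validates and normalises the textual form
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")  # e.g. 20010db8000000000000000000000001
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone_origin(network):
    """Owner name of the reverse zone covering a prefix, i.e. the zone an ISP delegates
    to you: octet-aligned for IPv4 (/8, /16, /24), nibble-aligned for IPv6 (/32, /48, ...)."""
    net = ipaddress.ip_network(network, strict=True)
    unit = 8 if net.version == 4 else 4       # bits per reverse label: octet or nibble
    if net.prefixlen == 0 or net.prefixlen % unit:
        raise ValueError(f"{network}: prefix must be a non-zero multiple of {unit} bits")
    full = reverse_name(str(net.network_address))   # host-level name, every label present
    labels = full.split(".")[:-3]             # drop '', 'arpa' and 'in-addr'/'ip6'
    keep = net.prefixlen // unit              # how many labels the prefix fixes
    suffix = ".in-addr.arpa." if net.version == 4 else ".ip6.arpa."
    return ".".join(labels[-keep:]) + suffix


def ptr_record(ip, hostname):
    """Zone-file line for the PTR, with the target forced to a fully qualified name."""
    target = hostname if hostname.endswith(".") else hostname + "."
    return f"{reverse_name(ip)}  IN  PTR {target}"


if __name__ == "__main__":
    print(ptr_record("203.0.113.10", "example.com"))
    print(ptr_record("2001:db8::1", "example.com."))
    print(reverse_zone_origin("203.0.113.0/24"), reverse_zone_origin("2001:db8::/32"))
```

Run it and compare the first line with the PTR record shown above; the IPv6 line is the 32-label form that a hand-written zone file usually gets wrong by a nibble or two.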

Record Type Quick Reference

| Record | Purpose                | TTL Suggestion |
|--------|------------------------|----------------|
| A      | IPv4 address           | 300–3600s      |
| AAAA   | IPv6 address           | 300–3600s      |
| CNAME  | Domain alias           | 600–3600s      |
| MX     | Mail server            | 3600s          |
| TXT    | Text metadata          | 3600s          |
| NS     | Nameserver delegation  | 86400s (24h)   |
| CAA    | Allowed SSL issuers    | 86400s         |
| PTR    | Reverse DNS            | Set by ISP     |

Zone File Configuration

; /var/named/example.com.zone
$TTL 3600
@   IN  SOA ns1.example.com. admin.example.com. (
        2026062001  ; Serial (YYYYMMDDNN)
        3600        ; Refresh
        900         ; Retry
        604800      ; Expire (7 days)
        86400       ; Minimum TTL
    )

; Name servers
@       IN  NS  ns1.example.com.
@       IN  NS  ns2.example.com.

; A/AAAA records
@       IN  A   203.0.113.10
@       IN  AAAA    2001:db8::1
www     IN  A   203.0.113.10
api     IN  A   203.0.113.11

; CNAME records
mail    IN  CNAME   gh-svcs.example.com.
blog    IN  CNAME   gh-svcs.example.com.

; MX records (Google Workspace)
@       IN  MX  1   ASPMX.L.GOOGLE.COM.
@       IN  MX  5   ALT1.ASPMX.L.GOOGLE.COM.
@       IN  MX  5   ALT2.ASPMX.L.GOOGLE.COM.

; TXT records
@       IN  TXT "v=spf1 include:_spf.google.com ~all"
@       IN  TXT "google-site-verification=abc123"
_dmarc  IN  TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"

; CAA — Only Let's Encrypt can issue
@       IN  CAA 0 issue "letsencrypt.org"
@       IN  CAA 0 iodef "mailto:security@example.com"

; Subdomain delegation
asia    IN  NS  ns1.asia.example.com.
asia    IN  NS  ns2.asia.example.com.

DNSSEC

# DNSSEC adds cryptographic signatures to DNS records.
# This prevents DNS spoofing (cache poisoning).

# Generate DNSSEC keys (on your primary DNS server)
# ZSK (Zone Signing Key) — signs zone records
# ECDSAP256SHA256 is DNSSEC algorithm 13: the "013" in the key file names
# and the "13" in the DS record below
dnssec-keygen -a ECDSAP256SHA256 -n ZONE example.com
# Produces: Kexample.com.+013+12345.key, Kexample.com.+013+12345.private

# KSK (Key Signing Key) — signs the ZSK
dnssec-keygen -a ECDSAP256SHA256 -n ZONE -f KSK example.com

# Sign the zone
# -S (smart signing) picks up the K*.key/.private files for this zone from the
# current directory; without it the DNSKEY records must already be in the zone file
dnssec-signzone -S -o example.com -t example.com.zone

# Output files:
# example.com.zone.signed  — signed zone file
# dsset-example.com.       — DS record for parent zone

# View the DS record (give this to your registrar)
cat dsset-example.com.
# example.com. IN DS 12345 13 2 ABCDEF...
#                    |     |  `- digest type 2 = SHA-256
#                    |     `---- algorithm 13 (must match the KSK)
#                    `---------- key tag of the KSK

DNSSEC Validation

# Check if a domain has valid DNSSEC
dig example.com +dnssec +multiline

# flags: ad (authentic data) = DNSSEC validated
# ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1

# Check the DS record at the parent
dig example.com DS +short

# Verify the trust chain
delv example.com

# Check if your resolver validates
dig +dnssec www.dnssec-enabled.com
# Should show: flags: ad (if your resolver validates)
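The flag to look for is `ad` in dig's `;; flags:` header line, and only there. A bare grep for the letters "ad" over the whole dig output, a shortcut that is easy to write into a health-check script, also matches any owner name or signature that happens to contain those two letters, so it can report "validated" for an answer that was not. The following is an added example (not from the DodaTech article) that parses the header properly and also distinguishes a *signed* answer (RRSIG present) from a *validated* one (AD set); both dig transcripts are constructed for the demo, with documentation addresses.

```python
"""Added example (not from the DodaTech article): read the DNSSEC validation result
from dig's ';; flags:' header instead of grepping for the substring "ad"."""
import re

# Constructed: `dig download.example.com +dnssec` through a validating resolver.
# The owner name contains the letters "ad", which is what trips a naive grep.
VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;download.example.com.\t\tIN\tA

;; ANSWER SECTION:
download.example.com.\t300\tIN\tA\t203.0.113.10
download.example.com.\t300\tIN\tRRSIG\tA 13 3 300 20260701000000 20260620000000 12345 example.com. c29tZXNpZ25hdHVyZQ==
"""
# Constructed: the same answer from a resolver that does not validate (no "ad" flag).
NOT_VALIDATED = VALIDATED.replace("qr rd ra ad;", "qr rd ra;")

FLAGS_RE = re.compile(r"^;; flags:\s*([^;]*);", re.MULTILINE)


def dig_flags(output):
    """Header flags as a set, e.g. {'qr', 'rd', 'ra', 'ad'}; empty if there is no header."""
    match = FLAGS_RE.search(output)
    return set(match.group(1).split()) if match else set()


def dnssec_validated(output):
    """True only when the resolver set AD (authentic data): it checked the signatures."""
    return "ad" in dig_flags(output)


def has_rrsig(output, rtype="A"):
    """Whether an RRSIG for rtype came back. That means the zone is signed, which is
    not the same as the answer having been validated by the resolver you asked."""
    pattern = rf"^\S+\s+\d+\s+IN\s+RRSIG\s+{rtype}\s"
    return re.search(pattern, output, re.MULTILINE) is not None


def naive_grep_ad(output):
    """The shortcut of grepping the whole output for "ad": any line containing those
    letters matches, so a name like download.example.com always 'passes'."""
    return any("ad" in line for line in output.splitlines())


def dnssec_report(output):
    """What a monitoring check should record for one answer."""
    return {"signed": has_rrsig(output), "validated": dnssec_validated(output),
            "naive_grep_says_validated": naive_grep_ad(output)}


if __name__ == "__main__":
    print("validating resolver:    ", dnssec_report(VALIDATED))
    print("non-validating resolver:", dnssec_report(NOT_VALIDATED))
```

For the second transcript the report shows `signed: True, validated: False` while the naive grep still says validated, which is exactly the case a monitoring script must not miss: the zone is signed, but the resolver that answered did not check it, so nothing protected that client from a spoofed reply.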

DNS Propagation

# DNS changes propagate according to TTL values.
# Old TTL: 3600s (1 hour) → all caches expire within 1 hour
# New TTL: 300s (5 min) → changes propagate faster

# Before changing records, lower the TTL:
# 1. Days before: set TTL to 300s
# 2. Make changes → they propagate in 5 minutes
# 3. After stable: set TTL back to 3600s+

# Check propagation from multiple global locations
dig @1.1.1.1 example.com        # Cloudflare resolver
dig @8.8.8.8 example.com        # Google resolver
dig @9.9.9.9 example.com        # Quad9 resolver

Migration Between DNS Providers

#!/bin/bash
# dns-migrate.sh — Migrate DNS zones between providers

SOURCE_PROVIDER=$1    # e.g., godaddy, cloudflare
TARGET_PROVIDER=$2    # e.g., route53, dnsmadeeasy
DOMAIN=$3

echo "=== DNS Migration: $DOMAIN ==="
echo ""

# Step 1: Export current zone (from provider API or zone file)
echo "1. Exporting current records..."
# Using dig to get all records (basic method)
for type in A AAAA CNAME MX TXT NS SRV CAA; do
    dig "$DOMAIN" "$type" +short | while read -r line; do
        echo "$type: $line"
    done
done > current-dns.txt

# Step 2: Import to new provider (using provider API or web UI)
echo "2. Import to $TARGET_PROVIDER..."
echo "   Manual: configure zone in $TARGET_PROVIDER dashboard"
echo "   API: use provider's CLI or Terraform"

# Step 3: Set low TTLs on old provider
echo "3. Setting low TTLs (300s) on $SOURCE_PROVIDER..."
# Provider-specific API call here

# Step 4: Update nameservers at registrar
echo "4. Update NS records at registrar to:"
echo "   ns1.$TARGET_PROVIDER.com"
echo "   ns2.$TARGET_PROVIDER.com"

# Step 5: Verify
echo "5. Verifying..."
sleep 300  # Wait for propagation
dig "$DOMAIN" NS +short

# Step 6: After 48h, remove old provider
echo "6. After 48 hours: delete zone from $SOURCE_PROVIDER"

Troubleshooting with dig and nslookup

# Basic lookup
dig example.com
nslookup example.com

# Query specific record type
dig example.com MX
dig example.com TXT
dig example.com CNAME

# Trace the full resolution path
dig +trace example.com
# Shows: root → TLD → nameserver → answer

# Short output
dig example.com +short
# 203.0.113.10

# Query a specific nameserver
dig @8.8.8.8 example.com

# Reverse DNS (PTR)
dig -x 203.0.113.10

# Check which nameserver is authoritative
dig example.com NS +short
dig SOA example.com +short

# Check delegation
dig example.com NS @a.root-servers.net

# Port and protocol tests
dig +tcp example.com     # Force TCP (UDP blocked?)
dig +dnssec example.com  # Check DNSSEC

# Batch query from file
dig -f domains.txt +short

# nslookup interactive mode
nslookup
> server 8.8.8.8
> set type=MX
> example.com
> exit

Common DNS Errors

1. Wrong TTL Before Migration

Changing nameservers without first lowering TTL means old records remain cached for hours/days. Always set TTL to 300s at least 24 hours before migration.

2. Missing Trailing Dot in Zone Files

example.com. (with the dot) is a fully qualified domain name. example.com (without the dot) is relative to the current zone, so the zone's origin is appended: inside the example.com zone, a CNAME pointing at mail.example.com is really mail.example.com.example.com. Missing dots therefore cause resolution failures.

3. CNAME at Zone Apex

CNAME records cannot coexist with other records at the same name. You cannot have example.com CNAME ... alongside MX, TXT, or NS records, and the zone apex always carries SOA and NS records, so a CNAME there is never valid. Use an A record plus an HTTP redirect instead.

4. DNSSEC Chain Broken

If the DS record at the registrar doesn't match the KSK, DNSSEC validation fails and validating resolvers return SERVFAIL for the whole domain. Always verify that the output of dig example.com DS matches the dsset file produced by dnssec-signzone. Recovery is slow because the corrected DS record has to be published by the registrar in the parent zone before validation works again.

5. SPF Record Too Many Lookups

SPF has a 10-DNS-lookup limit. Each include: counts as one lookup. Exceed 10 and SPF fails permanently (no delivery). Use ip4: ranges instead of include: where possible.

6. Wrong MX Priority

Lower priority values are preferred. If your primary MX is 10 and backup is 20, mail always tries 10 first. If both are the same priority, mail splits between them.

7. Nameserver Glue Records Missing

For custom nameservers (ns1.example.com), the registrar needs glue records (A/AAAA at the TLD) to prevent circular dependency. Without glue, your domain resolves but nameservers don’t.
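Errors 2, 3 and 5 above are all visible in the zone file before it is ever loaded, so they can be caught by a pre-commit check. The following is an added example (not code from the DodaTech article): a small Python linter for the zone-file subset used on this page that reports a CNAME sharing a name with other records, a CNAME/MX/NS/SRV target that lacks its trailing dot, and an SPF record that would exceed the 10-lookup limit. It counts every lookup-causing SPF term (include:, redirect=, a, mx, ptr, exists, not only include:) and follows include chains through a constructed table that stands in for live DNS; the sample zone and that table are made up for the demo and deliberately contain all three mistakes, including an SPF include loop.

```python
"""zone_lint.py: flags errors 2, 3 and 5 from the list above. Added example, not from the DodaTech article; all sample data is constructed."""
from collections import defaultdict

SPF_LOOKUP_LIMIT = 10  # RFC 7208, section 4.6.4

FAKE_TXT = {  # constructed stand-in for the TXT lookups an SPF evaluator would make
    "_spf.mailer.example.": "v=spf1 include:_net1.mailer.example ~all",
    "_net1.mailer.example.": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_spf.crm.example.": "v=spf1 a mx include:_spf.crm.example ~all",  # includes itself: a loop
}

SAMPLE_ZONE = """\
$TTL 3600
@       IN  SOA ns1.example.com. admin.example.com. (
            2026062001 3600 900 604800 86400 )  ; serial refresh retry expire minimum
@       IN  NS  ns1.example.com.
@       IN  NS  ns2.example.com.
@       IN  CNAME   gh-svcs.example.com.        ; error 3: CNAME at the apex
blog        CNAME   gh-svcs.example.com         ; error 2: no trailing dot
@       IN  MX  10  mail.example.com.
@       IN  TXT "v=spf1 include:_spf.mailer.example include:_spf.crm.example ~all"
"""


def strip_comment(line):
    """Drop a ';' comment, but not a ';' inside a quoted TXT string (DMARC uses them)."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            return line[:i].rstrip()
    return line.rstrip()


def parse_zone(text, origin):
    """Parse '@', relative owners, optional TTL/class and '( ... )' records into (owner, TYPE, rdata)."""
    def fqdn(name):
        return origin if name == "@" else (name if name.endswith(".") else f"{name}.{origin}")
    entries, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = strip_comment(raw)                # leading indent is kept: it means "same owner"
        if not line.strip():
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:                           # record complete
            entries.append(" ".join(buf))
            buf = []
    records, owner = [], origin
    for entry in entries:
        if entry.startswith("$"):                # $TTL / $ORIGIN directives are not needed here
            continue
        tokens = entry.replace("(", " ").replace(")", " ").split()
        if not entry[0].isspace():
            owner = fqdn(tokens.pop(0))
        if tokens[0].isdigit():                  # optional TTL
            tokens.pop(0)
        if tokens[0].upper() in ("IN", "CH", "HS"):   # optional class
            tokens.pop(0)
        records.append((owner, tokens[0].upper(), " ".join(tokens[1:])))
    return records


def spf_lookups(record, txt_table, path=()):
    """Count the DNS lookups evaluating this SPF record costs: include:, redirect=, a, mx,
    ptr and exists each count one; include/redirect recurse. A loop is reported as over the limit."""
    count = 0
    for term in record.split()[1:]:              # skip the v=spf1 tag
        term = term.lstrip("+-~?")               # qualifiers do not change the count
        mech, _, arg = term.partition(":")
        if term.startswith("redirect="):
            mech, arg = "redirect", term[len("redirect="):]
        mech = mech.split("/")[0].lower()        # a/24 -> a
        if mech in ("include", "redirect"):
            target = arg.rstrip(".") + "."
            if target in path:
                return SPF_LOOKUP_LIMIT + 1
            count += 1 + spf_lookups(txt_table.get(target, "v=spf1"), txt_table, path + (target,))
        elif mech in ("a", "mx", "ptr", "exists"):
            count += 1
    return count


def lint(records, origin, txt_table=FAKE_TXT):
    problems, types_at = [], defaultdict(set)
    for owner, rtype, _ in records:
        types_at[owner].add(rtype)
    for owner, types in types_at.items():
        if "CNAME" in types and len(types) > 1:  # error 3 (the apex always has SOA and NS)
            problems.append(f"{owner} CNAME coexists with {sorted(types - {'CNAME'})}")
    for owner, rtype, rdata in records:
        if rtype in ("CNAME", "MX", "NS", "SRV"):
            target = rdata.split()[-1]
            if "." in target and not target.endswith("."):  # error 2
                problems.append(f"{owner} {rtype} target '{target}' is relative: becomes {target}.{origin}")
        elif rtype == "TXT" and rdata.strip('"').startswith("v=spf1"):
            if spf_lookups(rdata.strip('"'), txt_table) > SPF_LOOKUP_LIMIT:  # error 5
                problems.append(f"{owner} SPF exceeds {SPF_LOOKUP_LIMIT} DNS lookups (permerror)")
    return problems


if __name__ == "__main__":
    print(*lint(parse_zone(SAMPLE_ZONE, "example.com."), "example.com."), sep="\n")
```

To check a real zone, replace `FAKE_TXT` with a function that performs the TXT lookups (the counting logic does not change) and feed `parse_zone` the file with its `$ORIGIN`. The loop guard matters in practice: an include chain that refers back to itself never terminates in a naive counter, and real evaluators treat it as a permanent error just like exceeding the limit.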

Practice Questions

1. What does the AAAA record type do? Maps a domain name to an IPv6 address. Example: example.com. IN AAAA 2001:db8::1. Required for IPv6 connectivity.

2. How does DNSSEC prevent DNS spoofing? DNSSEC signs DNS records with cryptographic keys. Resolvers verify signatures against the parent zone’s DS record. Spoofed responses without valid signatures are rejected.

3. What happens to MX records if the TTL is set too high? Mail servers cache MX records for the TTL duration. If you change mail providers, high TTL delays delivery to the new server. Keep MX TTL at 3600s or lower.

4. How do you check if a domain’s DNSSEC is working? Use dig example.com +dnssec +multiline and check for the ad (authentic data) flag: ;; flags: qr rd ra ad;. Also use delv example.com for detailed validation.

5. Challenge: Design a multi-region failover DNS strategy. Answer: Use Route53 latency-based routing or GeoDNS. Configure health checks on each region’s endpoint. If primary region fails, DNS returns the secondary region’s IP. Set TTL to 60s for fast failover. Use a weighted record set: primary weight 100, secondary weight 0 (manual) or automate via health checks.

Mini Project: DNS Health Check Script

#!/bin/bash
# dns-health.sh — Monitor DNS health
# DOMAINS and EXPECTED_IPS are index-aligned: entry i of each belongs together.
DOMAINS=("example.com" "dodatech.com" "durgaav.com")
EXPECTED_IPS=("203.0.113.10" "198.51.100.20" "192.0.2.30")

echo "=== DNS Health Check — $(date) ==="
echo ""

FAILURES=0

for i in "${!DOMAINS[@]}"; do
    domain="${DOMAINS[$i]}"
    expected="${EXPECTED_IPS[$i]}"
    echo "--- $domain ---"

    # Check A record and compare it with the address we expect to publish
    IP=$(dig +short "$domain" A | head -1)
    if [ -z "$IP" ]; then
        echo "  A: MISSING ✗"
        FAILURES=$((FAILURES + 1))
    elif [ "$IP" != "$expected" ]; then
        echo "  A: $IP (expected $expected) ✗"
        FAILURES=$((FAILURES + 1))
    else
        echo "  A: $IP ✓"
    fi

    # Check MX
    MX=$(dig +short "$domain" MX | head -3)
    if [ -n "$MX" ]; then
        echo "  MX: ✓"
        echo "$MX" | while read -r line; do
            echo "       $line"
        done
    else
        echo "  MX: MISSING ✗"
        FAILURES=$((FAILURES + 1))
    fi

    # Check NS: delegation must point at one of the providers we actually use
    NS=$(dig +short "$domain" NS)
    if echo "$NS" | grep -q "dodatech\|cloudflare\|awsdns"; then
        echo "  NS: ✓"
    else
        echo "  NS: UNEXPECTED ✗"
        echo "$NS" | head -3
        FAILURES=$((FAILURES + 1))
    fi

    # Check DNSSEC: the "ad" flag must appear on the ";; flags:" header line.
    # A bare grep "ad" would also match any name or signature containing those
    # letters and could report validated when the resolver did not validate.
    if dig +dnssec "$domain" +multiline 2>/dev/null | grep -q '^;; flags:.* ad[ ;]'; then
        echo "  DNSSEC: ✓"
    else
        echo "  DNSSEC: NOT VALIDATED ✗"
        FAILURES=$((FAILURES + 1))
    fi

    # Check propagation from global resolvers; only report ✓ if every resolver agrees
    PROPAGATED=1
    for resolver in "1.1.1.1" "8.8.8.8" "9.9.9.9"; do
        RESOLVER_IP=$(dig @"$resolver" +short "$domain" A | head -1)
        if [ "$RESOLVER_IP" != "$IP" ]; then
            echo "  Propagation ($resolver): ${RESOLVER_IP:-no answer} MISMATCH ✗"
            PROPAGATED=0
            FAILURES=$((FAILURES + 1))
        fi
    done
    [ "$PROPAGATED" -eq 1 ] && echo "  Propagation: ✓"
    echo ""
done

echo "=== Summary ==="
if [ "$FAILURES" -eq 0 ]; then
    echo "All checks passed ✓"
    exit 0
else
    echo "$FAILURES failures found ✗"
    exit 1
fi

FAQ

How long does DNS propagation take?
With TTL=300, most resolvers update within 5 minutes. Full global propagation takes 24-48 hours due to ISP DNS caches that ignore TTL. Use dig @resolver domain to check specific resolvers.
What is the difference between authoritative and recursive DNS?
Authoritative DNS: the source of truth for a domain (you control its records). Recursive DNS: resolves queries by walking the DNS tree (Google 8.8.8.8, Cloudflare 1.1.1.1).
Can I use Cloudflare DNS with any registrar?
Yes — Cloudflare’s authoritative DNS is free. Point your domain’s NS records to Cloudflare’s nameservers. Cloudflare also acts as a CDN and DDoS protection layer.
How do I set up a domain alias/redirect?
Use a CNAME (www → apex) or forward from the registrar. For apex → www redirect, most registrars offer URL forwarding. Alternatively, use the web server: return 301 with the canonical domain.
What is DNS-based DDoS mitigation?
Providers like Cloudflare and AWS Shield sit between the user and origin server. All traffic passes through their network, filtering malicious requests before reaching your server.
Do I need DNSSEC?
DNSSEC prevents DNS spoofing and cache poisoning. It’s essential for security-critical domains (banking, email, authentication). For personal blogs, the additional complexity may not be worth it.

What’s Next

Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro. Updated 2026-06-20.
