For a website’s performance, security & availability to be top-notch, the DNS implementation must be flawless. Below are the life-saving DNS records you need to have in place.
DNS is probably the most critical part of hosting a website.
Without a properly-configured DNS, it might be impossible to access the domain, its websites, email, applications, and/or other services.
Thankfully, basic DNS configuration does not require advanced technical skills or a deep understanding of how DNS works.
In this post, we want to share some of the most basic DNS records you need to have in place if you are hosting a website online.
We also share basic DNS best practices that you can adopt to protect your domain and the properties it serves.
An A (Address, host, or apex) record links your domain to a physical IP address (typically the web server hosting the domain’s services) using an IPv4 address in dotted-decimal notation.
A typical example is when you are accessing this website.
If you look at the browser URL field, you will see blog.webhostingmagic.com.
We have an A record that points to the IP address of this website.
So whenever your browser sends a request to blog.webhostingmagic.com, it is directed to the server at that IP address.
To find a website’s IPv4 address, use a command such as:
dig a webcomm.dev
dig +nocmd google.com a +noall +answer
where webcomm.dev or google.com is the name of the website whose A record you want.
An AAAA record links your domain to a physical IP address using an IPv6 address (IPv6 being the latest version of the Internet Protocol) in colon-separated hexadecimal notation.
Like the A record, it lets you specify the address of the web server hosting your domain’s services, but as an IPv6 address rather than an IPv4 address; A records hold only IPv4 addresses.
If the host machine supports IPv6 and the website has an IPv6 address, it can also use an AAAA record.
Note that at this time (at least when hosting a website with cPanel), AAAA records are only used when a domain has an IPv6 address in addition to an IPv4 address.
This will change as IPv6 adoption and support continue to grow.
To find a website’s IPv6 address, use a command such as:
dig aaaa webcomm.dev
A CNAME (Canonical Name) record maps DNS queries for the record’s own name, such as acme.webcomm.dev, to another domain (webcomm.dev) or subdomain (zenith.webcomm.dev).
In simpler terms, it creates an alias for another domain name, which DNS then resolves.
Use it when you want several names to follow a single A record, so that changing the IP address means updating one record rather than many.
Note that a CNAME record cannot coexist with any other record (such as MX or TXT) of the same name.
To look up a domain’s CNAME record (if configured):
dig cname mail.google.com
dig +nocmd mail.google.com cname +noall +answer
An MX (Mail Exchanger) record specifies the name(s) of the mail server(s) that handle your domain’s email.
Most businesses have two or more mail servers to ensure availability.
Each MX record contains two values: a priority and a mail server hostname.
The priority value determines the order in which other mail servers will try the domain’s mail servers.
The lower the value, the higher the priority: a value of 0 indicates the highest priority, while a higher value such as 10 indicates a lower priority.
The simplest way to understand this is to follow what happens when a message is delivered.
When an e-mail is sent via the internet to your domain, the sending mail transfer agent (MTA) queries DNS for your domain’s MX records.
This returns a list of hostnames of mail exchange servers accepting incoming mail for that domain, together with their preference values.
The sending agent then attempts to establish an SMTP connection, first trying the host with the lowest priority value.
That is, the mail server with the lowest priority value takes precedence over any other mail server that might be available.
For example, when a cPanel hosting account is created, the system automatically assigns a priority of 0 to the mail server hosting your domain.
If you have one or more additional email servers you also want to route your mail through, give them priorities such as 5, 10, and 20.
That way, emails to your domain will always go to the server hosting your account (the one with priority 0) unless it is unavailable.
Alternatively, delete the automatically created record and use only the server you have chosen.
This is what you want if you are using Google Workspace and want to use only Google’s mail servers.
In that case, you have to change your domain’s MX records.
To do that, log in to your cPanel.
Scroll down to Files >> JetBackup.
When the page loads, back up, download, and save your DNS records.
Scroll down to Domains >> Zone Editor.
Click on the Zone Editor and then Manage.
Delete the existing MX records that were automatically created for your domain and add the MX records Google Workspace provides.
Whenever you want to stop using Google’s mail servers, just undo the changes:
either re-add the original record with a priority of “0”,
or restore the DNS zone you backed up earlier.
To check a domain’s MX records:
dig mx webcomm.dev
dig webcomm.dev mx
dig google.com MX +short
dig @126.96.36.199 webcomm.dev MX +short
If you added mail servers, also visit Email >> Email Deliverability.
When the page loads, select the domain you are editing and then scroll down to SPF.
Use “Customize an SPF Record” to add the additional email servers or hosts so they are authorized to send on the domain’s behalf.
NS (Name Server) records determine which servers answer DNS queries for a domain.
They are therefore what controls how internet traffic is routed for your domain.
In simpler terms, this crucial record indicates which servers are authoritative for your domain.
An authoritative server is one that holds the zone’s DNS records, including A, AAAA, and CNAME records.
A non-authoritative server (a recursive resolver) builds a cache from the answers to previous queries; it does not hold the original records.
For your domain to be available online, there must be at least primary and secondary name server records.
We recommend using four (4) name servers in your NS record set.
That way, if one name server set goes down or is unreachable, DNS queries can go to the other set.
If the NS records are not properly configured, your website or application will be inaccessible.
When using our web hosting services, you are given 4 NS records that you need to add to your domain DNS for DNS queries.
If you purchase a domain through our services, this is often automatically done for you.
We provide a globally distributed and high-availability name server infrastructure that as a customer, you can use to host your domain.
By hosting your domains on our platform and using our DNS, you can manage your DNS records with the same APIs, tools, billing, and support as your other Web Hosting Magic services.
Our current name-server set is:
- ns1.mydnsnode.com
- ns2.mydnsnode.com
- ns3.mydnsnode.com
- ns4.mydnsnode.com
Note that changing the name servers configured on the web server hosting your data has to be done at the root or reseller level.
To check a domain’s NS records:
dig ns google.com
dig +nocmd google.com ns +noall +answer
A PTR record maps an IP address back to a domain name.
That is, it defines the reverse DNS lookup (rDNS) for the external IP address of a web server, so that applications that rely on reverse DNS (e.g. email) work as intended.
A typical use case is SMTP: receiving mail servers often require the PTR record of the sending IP address to point back to the domain the email is sent from.
This helps keep your email from being marked as spam by spam filters.
For customers hosting their website on our systems, this is done automatically.
If you visit Email >> Email Deliverability, you will see something like: $hostname.cpanelcontrolpanel.com
where $hostname is the name of the server hosting your data.
If you are using a dedicated IP address and want a PTR record configured for it, please reach out to our technical/security team, as there is a process involved in getting this done.
To confirm that reverse DNS is properly configured, check the PTR record with the dig utility and its -x flag:
dig +short -x $IPaddress
where $IPaddress is the IP address you want to check.
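As an added illustration (not from the original post), the code below computes the reverse name that dig -x looks up for an IPv4 or IPv6 address, then runs the forward-confirmed reverse DNS (FCrDNS) check that receiving mail servers apply, against constructed sample records; the hostnames and addresses are assumptions, not real data.

```python
import ipaddress
from typing import Dict, List


def reverse_name(ip: str) -> str:
    """The owner name that `dig -x` queries: octets reversed under in-addr.arpa
    for IPv4, all 32 hex nibbles reversed under ip6.arpa for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")  # zero-padded, 32 hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


# Constructed sample records standing in for real DNS answers (assumed data).
PTR: Dict[str, str] = {
    reverse_name("203.0.113.10"): "mail.webcomm.dev",  # correct PTR
    reverse_name("2001:db8::99"): "mail.webcomm.dev",  # PTR claims a host that does not point back
}
FORWARD: Dict[str, List[str]] = {
    "mail.webcomm.dev": ["203.0.113.10", "2001:db8::10"],
}


def forward_confirmed(ip: str, ptr=PTR, forward=FORWARD) -> bool:
    """FCrDNS as spam filters perform it: IP -> PTR hostname -> that host's
    A/AAAA records -> the original IP must be among them. Whoever controls the
    reverse zone can make a PTR say anything; the forward lookup is the check."""
    host = ptr.get(reverse_name(ip))
    if host is None:
        return False  # no PTR at all: many receivers reject or score this as spam
    target = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(a) == target for a in forward.get(host, []))
```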
An SOA (Start of Authority) record holds the authoritative information about a DNS zone.
Part of the information it stores about your domain includes things such as:
- the domain serial number
- the email address of the administrator
- when the domain was last updated
- how long the server should wait between refreshes
- the primary nameserver
Both NS and SOA records must be properly configured for your domain to work.
NS records identify the name servers responsible for your DNS zone.
The SOA record holds the zone’s administrative parameters listed above.
When your web hosting account is created, our system automatically generates the primary domain’s SOA record.
TXT records store text data in your domain’s DNS zone.
For example, TXT records can be used to:
- verify domain ownership
- add SPF records
- turn on TLS reporting
- set up DMARC email authentication
- set up DKIM
- turn on MTA-STS reporting
- SPF lets servers verify that messages appearing to come from a particular domain are sent from servers authorized by the domain owner.
- DKIM (DomainKeys Identified Mail) adds a digital signature to every message. This lets receiving servers verify that messages aren’t forged and weren’t changed in transit.
- DMARC enforces SPF and DKIM authentication, and lets admins get reports about message authentication and delivery.
Each string in a TXT record can hold at most 255 characters.
If the value you are adding is longer, break it into strings of 255 characters or fewer; readers of the record concatenate the strings back together.
Each string is enclosed in double quotation marks ("), and a quotation mark inside a string must be escaped with a backslash: \".
Even so, the total length of any one value in a TXT record cannot exceed 4,000 characters.
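Here is an added example (not from the original post) of the splitting and escaping just described: a long DKIM-style value is cut into 255-character strings, each quoted and escaped for a zone file, and joined back the way a reader of the record would; the sample value is constructed and the 4,000-character ceiling is the one stated above.

```python
import re
from typing import List


def escape_txt_string(s: str) -> str:
    """Escape for zone-file presentation: backslashes first, then double quotes."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def split_txt_value(value: str, max_len: int = 255, max_total: int = 4000) -> List[str]:
    """Split one logical TXT value into quoted strings of at most max_len characters.
    The 255 limit applies to the data, so splitting happens before escaping;
    the escaped presentation form may be a few characters longer. Assumes ASCII."""
    if len(value) > max_total:
        raise ValueError(f"TXT value is {len(value)} chars; the limit is {max_total}")
    chunks = [value[i:i + max_len] for i in range(0, len(value), max_len)] or [""]
    return ['"' + escape_txt_string(c) + '"' for c in chunks]


def join_txt_strings(strings: List[str]) -> str:
    """What a reader of the record does: strip the quotes, unescape, concatenate."""
    parts = []
    for s in strings:
        if len(s) < 2 or not (s.startswith('"') and s.endswith('"')):
            raise ValueError(f"not a quoted string: {s!r}")
        parts.append(re.sub(r'\\(["\\])', r'\1', s[1:-1]))  # \" -> " and \\ -> \
    return "".join(parts)


# Constructed DKIM-style value with fake key material, longer than one string can hold.
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=" + "A" * 400
```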
Even if you have no use for the other things TXT records can do, at least implement SPF.
Again, Sender Policy Framework (SPF) records specify which email servers may send email on behalf of your domain name.
So a correct SPF configuration is important to prevent your recipients’ mail servers from marking your email as junk.
It may also be interesting to know that the TXT record was originally meant for human-readable notes but is now read mostly by machines.
To check for these TXT records:
dig txt +short google.com
dig txt google.com
dig txt _dmarc.google.com
dig +short google._domainkey.example.com TXT
dig txt +short google._domainkey.webcomm.dev
To manage your SPF, DKIM, and PTR records directly from the cPanel interface, or to identify problems with your mail-related DNS records:
Log in to cPanel
Scroll to Email and select Email Deliverability
Select the Domain you want to check
Check the Email Deliverability Status
Either click Repair to automatically repair the domain’s invalid records,
or click Manage the Domain to resolve the issues manually.
As you may know, any public CA can issue certificates for any domain name in the public DNS.
The only condition is that the requester can demonstrate control of that domain name.
A CAA (Certification Authority Authorization) record lets you specify which certificate authorities may issue certificates for your domains and subdomains.
Having this record in place is especially useful for medium and larger organizations, as it:
- helps prevent a situation where the wrong CA issues a certificate for their domains
- prevents bad actors from obtaining unauthorized SSL/TLS certificates for your domains once they have gained control of your domain
- reduces the chance of unauthorized certificate issuance
- promotes a standardized certificate issuance process
With CAA records, you can specify:
- the certificate authorities (CAs) that can issue SSL/TLS certificates
- the email address or URL to contact when a CA issues a certificate for the domain or subdomain
If you want to let multiple CAs issue certificates, create multiple CAA records.
Note that CAA records are also inherited by subdomains.
That is, if a CAA record is set on webcomm.dev, it also applies to every subdomain that has no CAA record of its own.
A subdomain can, however, loosen or override the restriction put in place by its parent domain by publishing its own CAA records.
To add this record using cPanel:
Log in to your cPanel.
Scroll down to the Domains section.
Click on the Zone Editor option, then Manage.
Click + Add Record to add a new DNS record.
Select CAA in the drop-down menu next to the Type field and then fill in the details.
The format can be as simple as:
webcomm.dev 86400 IN CAA 0 issue "sectigo.com"
If you are using Let’s Encrypt:
webcomm.dev. IN CAA 0 issue "letsencrypt.org"
- 0 is the flags field
- issue is the tag
- sectigo.com is the identifier of the CA that you authorize to issue certificates for the domain or subdomain
Sectigo also allows these values to be used with CAA records:
If you don’t want any CA to issue a certificate for a specific domain, add:
0 issue ";"
If you don’t want any CA to issue a wildcard certificate (*.example.com) for example.com, add:
0 issuewild ";"
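As an added example (not code from the original post or from any CA), the check below implements the lookup behaviour described above: it climbs from a name to its parents until a CAA set is found (which is how subdomains inherit and override), applies issue for ordinary names and issuewild for wildcard requests, treats ";" as "no CA", and refuses on an unknown property marked critical. The zone contents, names and CA identifiers are constructed assumptions.

```python
from typing import Dict, List, NamedTuple


class CAA(NamedTuple):
    flags: int   # 0, or 128 when the "issuer critical" bit is set
    tag: str     # issue, issuewild, iodef, ...
    value: str   # CA identifier, ";" for "no CA", or a mailto:/https: URL for iodef


# Constructed zone data (assumed, not real records): owner name -> its CAA RRset.
ZONE: Dict[str, List[CAA]] = {
    "webcomm.dev": [CAA(0, "issue", "letsencrypt.org"),
                    CAA(0, "issuewild", ";"),
                    CAA(0, "iodef", "mailto:security@webcomm.dev")],
    "zenith.webcomm.dev": [CAA(0, "issue", "sectigo.com")],  # overrides the parent
    "locked.webcomm.dev": [CAA(0, "issue", ";")],            # no CA may issue here
    "strict.webcomm.dev": [CAA(128, "newtag", "x")],         # unknown critical property
}


def relevant_rrset(name: str, zone: Dict[str, List[CAA]] = ZONE) -> List[CAA]:
    """RFC 8659 climb: the first non-empty CAA set from the name up towards the root.
    This is how a parent's record is 'inherited' by subdomains without their own."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def ca_may_issue(ca: str, name: str, wildcard: bool = False,
                 zone: Dict[str, List[CAA]] = ZONE) -> bool:
    """Would a CA identified by `ca` be permitted to issue for `name` (or *.name)?"""
    rrset = relevant_rrset(name, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & 128 and r.tag not in known for r in rrset):
        return False  # unknown property marked critical: a CA must refuse
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild, when present, replaces issue for wildcards
    props = [r for r in rrset if r.tag == tag]
    if not props:
        return True  # only non-restricting properties (e.g. iodef) are present
    # "letsencrypt.org; validationmethods=dns-01" -> "letsencrypt.org"; ";" -> ""
    allowed = {r.value.split(";")[0].strip().lower() for r in props}
    return ca.lower() in allowed
```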
To look up a domain’s CAA record (if configured):
dig caa google.com
dig google.com type257
An SRV (Service) record is used to locate services, such as email or communications services.
It defines the location (a hostname and port number) of the servers for a specified service.
While other DNS records mostly specify a server or an IP address, SRV records also include a specific port.
On our systems, CalDAV and CardDAV SRV records are automatically created in the Zone Editor when your account is deployed. An SRV record has the following fields:
- $Service.$Protocol.$Name: the name of the service, the transport protocol of the desired service (TCP or UDP), and the domain name for which this record is valid, ending in a dot.
- TTL: the standard DNS time to live field.
- Priority: the service record’s priority value. The lower the value, the higher the priority level. A value of 0 indicates the highest priority level.
- Weight: this value ranks entries that share the same Priority value. A record with a 0 priority level and an 8 weight value will rank lower than a record with a 0 priority level and 4 weight value.
- Port: the service’s target port number.
- Target: the service’s target hostname.
DNS Best Practices:
Note: The definition of “best practices” varies and largely depends on the environment and use case.
But for most web hosting accounts, these suggestions would do:
- even though registrars are required to send renewal reminders to registrants, add a domain renewal reminder to your calendar 45-60 days before the due date
- enable multi-factor authentication for access to your domain registration dashboard, DNS dashboard (if external), cPanel, and billing system
- always back up your DNS zone record. On our systems, you can do this by visiting Files >> JetBackup >> Restore & Download >> DNS Zones.
- check that each CNAME in your domain resolves and that its target is reachable; a simple “dig” command will do
- enable DNSSEC (Domain Name System Security Extensions) for your domains to ward off DNS spoofing attacks and cache poisoning
- before changing the name servers of a domain with DNSSEC enabled, disable DNSSEC 48 hours before the change
- set a shorter TTL (300 seconds/5 minutes, or the minimum allowed) before making changes to a DNS zone, so that resolver caches pick up the change quickly
- use at least three (3) name servers; if you notice any lag, flush the record
- monitor and log DNS activities
- for an average website owner, TXT and MX records rarely change; consider keeping their TTL at an hour (3600s), 4 hours (14400s), or a day (86400s)
- if you are paying for DNS queries & want to reduce cost, set a TTL value of 86400 (24 hours)
How To Purchase A Domain Name
Web Hosting Magic is a web host and a domain name registrar.
You can use our domain name suggestion tool to search/find a great domain for your project.
Once found, purchase the domain name with just a click.
Purchasing a domain name gives you the right to control the DNS.
Once the domain is yours, you can from a single pane:
- host your website or applications
- change or register nameservers
- change the domain’s lock status
- change the domain auto-renewal setting or order renewals
- view or edit the WHOIS information
- manage DNS records
- configure email forwarding
- request EPP codes
But there is even more.
If you purchase a domain name from us … or
If you start hosting your website with us (we offer free migration if you have an existing website) …
We can handle every aspect of your DNS implementation including moving your DNS stack to a resilient, low-latency worldwide network (the same infrastructure as Google).
It means being able to spend time with your loved ones without worrying about your website and its DNS.
It means being able to do the things that truly matter to you even if you have minimal technical skills.
When you want something done, just open a ticket and our team will do it for you.
Yes, it is that simple.
To search and purchase a new domain, visit https://dashboard.webhostingmagic.com/cart.php?a=add&domain=register
To create a new web hosting account, visit https://dashboard.webhostingmagic.com/store/web-hosting-packages
To transfer an existing domain to our services, visit https://dashboard.webhostingmagic.com/cart.php?a=add&domain=transfer