DNS Best Practices
How to configure DNS correctly - record types, TTL settings, security, and the mistakes that cause real problems.
DNS record types you need to know
DNS translates domain names into IP addresses and routes traffic to the right place. Get it wrong and your site goes down, email stops working, or your domain becomes vulnerable. Here are the records that matter most.
A Record
Maps a domain to an IPv4 address. This is the most basic record - it tells browsers where to find your server. Example: example.com → 192.0.2.1
AAAA Record
Same as A, but for IPv6 addresses. If your host supports IPv6, add this alongside your A record.
CNAME Record
Points one name to another domain name (not an IP). Use it for subdomains like www. Never put a CNAME on the root domain - a CNAME cannot coexist with any other record at the same name, so it conflicts with the MX, NS, and TXT records the root needs.
MX Record
Directs email to your mail server. You need at least one MX record for email to work. Most providers give you two for redundancy.
TXT Record
Stores text data. Used for domain verification and for the email authentication records SPF, DKIM, and DMARC. Critical for email deliverability.
NS Record
Specifies which nameservers are authoritative for your domain. These are set at your registrar, not your DNS provider.
TTL settings
TTL (Time to Live) controls how long DNS resolvers cache your records. It's measured in seconds.
- 3600 (1 hour): Good default for most records. Changes propagate within an hour.
- 86400 (24 hours): Fine for stable records that rarely change. Reduces DNS query load.
- 300 (5 minutes): Use this before making changes. Lower TTL means faster propagation when you update records.
- Best practice: Drop TTL to 300 a day before any planned DNS change (resolvers that cached the record under the old TTL keep it until that TTL expires, so the lowered TTL needs that long to take effect everywhere), make the change, then raise it back after confirming everything works.
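The timing behind that best practice, as an added example that is not part of the original guide: the lowered TTL only helps once every resolver that cached the record under the old TTL has expired it, so the lead time needed before a change equals the old TTL, and the old value lingers for at most the short TTL after the change. Times are plain epoch seconds; the change time and TTLs in the usage block are constructed inputs.

```python
# Added example (not from the original guide): schedule a TTL-lowered DNS
# cutover in plain epoch seconds. The inputs in the usage block are constructed.

LOW_TTL = 300        # the pre-change TTL the guide recommends
DEFAULT_TTL = 3600   # the guide's everyday default


def lead_time_needed(old_ttl):
    """Seconds the lowered TTL must be published before the change.

    A resolver that cached the record a moment before you lowered the TTL
    keeps the old value *and the old TTL* for up to old_ttl seconds, so only
    after old_ttl seconds is every cache guaranteed to be on the short TTL.
    """
    return old_ttl


def lowered_in_time(lowered_at, change_at, old_ttl):
    """True if the TTL was lowered early enough that no cache still holds
    the old TTL at the moment the record is changed."""
    return change_at - lowered_at >= lead_time_needed(old_ttl)


def worst_case_propagation(change_at, ttl_at_change):
    """Latest moment a correctly behaving resolver may still serve the old value."""
    return change_at + ttl_at_change


def plan_cutover(change_at, old_ttl, low_ttl=LOW_TTL, restore_ttl=DEFAULT_TTL):
    """The guide's procedure (lower, change, confirm, raise) as epoch timestamps."""
    return {
        "lower_ttl_to": low_ttl,
        "lower_ttl_by": change_at - lead_time_needed(old_ttl),
        "make_change_at": change_at,
        "old_value_gone_by": worst_case_propagation(change_at, low_ttl),
        "raise_ttl_to": restore_ttl,
        "raise_ttl_after": worst_case_propagation(change_at, low_ttl),
    }


if __name__ == "__main__":
    from datetime import datetime, timezone

    # Constructed scenario: records currently at a 24-hour TTL, change planned
    # for 09:00 UTC on 2 Jan 2024.
    change = int(datetime(2024, 1, 2, 9, 0, tzinfo=timezone.utc).timestamp())
    for step, value in plan_cutover(change, old_ttl=86400).items():
        if step.endswith(("_by", "_at", "_after")):
            value = datetime.fromtimestamp(value, timezone.utc).isoformat()
        print(f"{step:>18}: {value}")
```

With an 86400-second TTL the plan puts "lower_ttl_by" a full day before the change, which is exactly where the guide's "a day before" comes from; with the 3600-second default, an hour of lead time is enough.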
Nameserver configuration
Your nameservers are set at your registrar. They tell the internet which DNS provider is authoritative for your domain. Always use at least two nameservers - if one goes down, the other handles queries.
Cloudflare is the most popular choice for good reason: it's fast, free, and includes DDoS protection. Other solid options include AWS Route 53 (good for AWS-hosted sites) and NS1. Avoid using your registrar's default nameservers if you care about performance or uptime.
DNSSEC
DNSSEC adds cryptographic signatures to DNS records so that validating resolvers can reject forged answers, which stops attackers from redirecting your traffic through DNS spoofing or cache poisoning. It's not required, and it doesn't encrypt or hide your queries, but it's worth enabling for any domain you care about.
Both your registrar and DNS provider need to support DNSSEC: the provider signs the zone, and the registrar publishes the matching DS record in the parent zone. Cloudflare makes it one-click. The main downside is slightly more complex DNS management - the DS record must be kept in step with the signing keys when they roll or when you change providers, or the domain fails validation - but for high-value domains, the protection is worth it.
Common DNS mistakes
❌ CNAME on root domain
✓ Use an A record or ALIAS/ANAME record for the root. CNAME breaks MX records and causes email failures.
❌ Forgetting SPF/DKIM/DMARC
✓ Without these TXT records, your email lands in spam. Set them up when you configure email.
❌ High TTL before changes
✓ Always lower TTL before making changes. Otherwise resolvers keep serving the old value until the previous TTL expires, and with a 24-hour TTL propagation takes 24+ hours.
❌ Single nameserver
✓ Always configure at least two nameservers. One point of failure is one too many.
❌ Leaving old records
✓ Clean up unused records. A stale A record or CNAME that still points at a decommissioned host or third-party service is a dangling reference: if someone else is later assigned that IP or registers that service name, they control a hostname under your domain (subdomain takeover).
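A way to catch most of the mistakes above before they reach production, as an added example that is not part of the original guide: an offline audit over a zone's records that flags a CNAME at the apex or sharing a name with other records, fewer than two NS records, a missing MX, a missing or duplicated SPF record, a missing DMARC record, and every CNAME that points outside the zone (the records to re-check whenever a third-party service is retired). The zone name, hostnames, and both record sets are constructed; nothing is queried over the network.

```python
# Added example (not from the original guide): offline sanity audit of a zone's
# records against the mistakes listed above. All records are constructed.
from collections import defaultdict

ZONE = "example.com"

# (name, ttl, type, value) in the zone-file sense; "@" is the zone apex.
GOOD_RECORDS = [
    ("@",      86400, "NS",    "ns1.example-dns.net."),
    ("@",      86400, "NS",    "ns2.example-dns.net."),
    ("@",       3600, "A",     "192.0.2.1"),
    ("@",       3600, "AAAA",  "2001:db8::1"),
    ("@",       3600, "MX",    "10 mail.example.com."),
    ("@",       3600, "TXT",   "v=spf1 mx -all"),
    ("_dmarc",  3600, "TXT",   "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"),
    ("www",     3600, "CNAME", "example.com."),
    ("mail",    3600, "A",     "192.0.2.2"),
    ("shop",    3600, "CNAME", "shops.example-saas.net."),  # hosted by a third party
]

BAD_RECORDS = [
    ("@",      86400, "NS",    "ns1.example-dns.net."),       # only one nameserver
    ("@",       3600, "CNAME", "hosting.example-host.net."),  # CNAME at the apex
    ("@",       3600, "MX",    "10 mail.example.com."),
    ("@",       3600, "TXT",   "v=spf1 mx -all"),
    ("@",       3600, "TXT",   "v=spf1 include:_spf.example-mail.net ~all"),  # second SPF
    ("www",     3600, "CNAME", "example.com."),
]


def audit(records, zone):
    """Return findings as (severity, name, code, message) tuples."""
    findings = []
    by_name = defaultdict(lambda: defaultdict(list))
    for name, _ttl, rtype, value in records:
        by_name[name][rtype].append(value)

    for name, types in by_name.items():
        if "CNAME" not in types:
            continue
        if name == "@":
            findings.append(("error", name, "cname-apex",
                             "CNAME at the zone apex; use A/AAAA or an ALIAS/ANAME record"))
        others = sorted(t for t in types if t != "CNAME")
        if others:  # RFC 1034 3.6.2: a CNAME owner name may hold no other data
            findings.append(("error", name, "cname-conflict",
                             f"CNAME cannot coexist with {', '.join(others)} at the same name"))

    apex = by_name.get("@", {})
    ns_count = len(apex.get("NS", []))
    if ns_count < 2:
        findings.append(("error", "@", "ns-count",
                         f"only {ns_count} NS record(s); configure at least two"))
    if not apex.get("MX"):
        findings.append(("warning", "@", "mx-missing",
                         "no MX record; mail to this domain cannot be delivered"))

    spf = [t for t in apex.get("TXT", []) if t.startswith("v=spf1")]
    if not spf:
        findings.append(("warning", "@", "spf-missing",
                         "no SPF TXT record; mail is likely to land in spam"))
    elif len(spf) > 1:  # RFC 7208 3.2: more than one SPF record is a permanent error
        findings.append(("error", "@", "spf-multiple",
                         "more than one SPF record; receivers treat this as permerror"))
    dmarc_txt = by_name.get("_dmarc", {}).get("TXT", [])
    if not any(t.startswith("v=DMARC1") for t in dmarc_txt):
        findings.append(("warning", "_dmarc", "dmarc-missing", "no DMARC TXT record at _dmarc"))

    # Staleness cannot be judged offline, so list every CNAME that leaves the
    # zone: these are the names that dangle if the third-party service is dropped.
    for name, types in by_name.items():
        for target in types.get("CNAME", []):
            if target != zone + "." and not target.endswith("." + zone + "."):
                findings.append(("review", name, "external-cname",
                                 f"points outside the zone at {target}; remove the record "
                                 "if that service is ever decommissioned"))
    return findings


if __name__ == "__main__":
    for label, recs in (("good", GOOD_RECORDS), ("bad", BAD_RECORDS)):
        print(f"== {label} zone ==")
        for severity, name, code, message in audit(recs, ZONE):
            print(f"{severity:8} {name:8} {code:16} {message}")
```

The records are kept as plain tuples so the same check can be fed from a zone-file export or a provider's API listing; the "review" findings are not errors but the list to walk through whenever a hosted service is cancelled.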
Tools for DNS management
- Cloudflare DNS: Free, fast, and the most widely used. Includes analytics and security features.
- MXToolbox: Check MX records, test email deliverability, and diagnose DNS issues.
- DNSChecker.org: See how your DNS has propagated across global servers.
- dig / nslookup: Command-line tools for querying DNS records directly. Useful for debugging.
- WhatsMyDNS: Visual propagation checker across multiple locations.