DNS Basics
DNS turns names into IPs. A hierarchy of lookups, cached aggressively. The #1 source of "it works on my machine" bugs.
Record types
- A: Name → IPv4 address (1.2.3.4)
- AAAA: Name → IPv6 address
- CNAME: Alias, www.example.com → example.com. Can't be at the apex, and can't share a name with any other record type.
- ALIAS / ANAME: Non-standard. A provider-side record that behaves like a CNAME but works at the apex. Supported by some providers.
- MX: Mail server, with priority (10 mx1.host. 20 mx2.host.); the lowest number is tried first.
- TXT: Arbitrary text: domain verification, SPF, DKIM, DMARC
- NS: Which nameservers host this zone
- CAA: Which CAs are allowed to issue certs for this domain. No CAA record means any CA may issue.
Resolution flow
- Browser checks its own cache → OS cache → configured resolver (ISP / 8.8.8.8 / 1.1.1.1).
- Resolver asks root → TLD → authoritative nameservers.
- Each answer has a TTL (time-to-live). Cached that long everywhere en route.
- Lowering the TTL does NOT retroactively shorten answers already cached: a resolver keeps the old answer for the full old TTL it was given. Lower the TTL at least one old TTL before the change (2× is a comfortable margin), then raise it again once the change has settled.
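The TTL point above is easy to get wrong, so here is a toy model of a caching resolver, added here as an illustration (it is not from the original page and is not a real resolver). Names, addresses and timestamps are made up. It shows two resolvers: one that cached the record while the TTL was still a day, and one that first asked after the TTL had been lowered.

```python
# Added example, not from the original page: a toy caching resolver that shows
# why lowering a TTL does not shorten answers that are already cached.
# Times are seconds since an arbitrary epoch; names and addresses are made up.


class Authoritative:
    """Holds the zone as name -> (rdata, ttl). The operator edits this."""

    def __init__(self):
        self.zone = {}

    def set_record(self, name, rdata, ttl):
        self.zone[name] = (rdata, ttl)

    def query(self, name):
        return self.zone[name]


class CachingResolver:
    """A recursive resolver: keeps an answer until fetched_at + ttl, then refetches.
    It only sees a new TTL (or a new address) when its own cached copy has expired."""

    def __init__(self, auth):
        self.auth = auth
        self.cache = {}  # name -> (rdata, expires_at)

    def resolve(self, name, now):
        entry = self.cache.get(name)
        if entry is not None and now < entry[1]:
            rdata, expires_at = entry
            return rdata, expires_at - now  # remaining TTL, as resolvers report it
        rdata, ttl = self.auth.query(name)
        self.cache[name] = (rdata, now + ttl)
        return rdata, ttl


def cutover_timeline():
    """Day-long TTL, operator lowers it at t=3600 and moves the address at t=7200.
    Returns what two resolvers see: one that cached before the TTL drop, one after."""
    auth = Authoritative()
    auth.set_record("app.example.com", "203.0.113.10", 86400)   # old TTL: one day

    early = CachingResolver(auth)   # queried while the TTL was still 86400
    late = CachingResolver(auth)    # first query lands after the TTL was lowered

    seen = {}
    seen["early@0"] = early.resolve("app.example.com", 0)          # cached until t=86400

    auth.set_record("app.example.com", "203.0.113.10", 300)        # t=3600: TTL lowered
    seen["late@3700"] = late.resolve("app.example.com", 3700)      # cached until t=4000

    auth.set_record("app.example.com", "198.51.100.20", 300)       # t=7200: address moved
    seen["early@7200"] = early.resolve("app.example.com", 7200)    # old address, still cached
    seen["late@7200"] = late.resolve("app.example.com", 7200)      # new address, entry expired
    seen["early@86400"] = early.resolve("app.example.com", 86400)  # old entry finally expired
    return seen


if __name__ == "__main__":
    for when, (rdata, ttl) in cutover_timeline().items():
        print(f"{when:>12}: {rdata} (ttl {ttl})")
```

The "early" resolver never learns about the lowered TTL until its day-long entry runs out, which is exactly why the TTL has to be lowered a full old TTL before the change, not at the same time as it.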
Debugging
- Resolve a name: dig example.com A +short / nslookup example.com
- Authoritative answer: dig example.com @ns1.example.com (bypasses every cache; this is what resolvers will see once their copies expire)
- Trace the whole path: dig +trace example.com
- All record types: dig example.com ANY (many servers refuse or return a minimal answer per RFC 8482; query specific types instead)
- Flush OS cache: macOS: sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder / Linux with systemd-resolved: resolvectl flush-caches (systemd-resolve --flush-caches on older versions)
Common snags
- "Propagation delay" is really cache expiry: every resolver keeps the old answer until its own copy's TTL runs out, so a change can take minutes to hours to reach everyone, and nothing on the authoritative side can force it. Not instant.
- `www.` vs apex: the apex can't be a CNAME (it already holds SOA and NS records). Use an ALIAS/ANAME record or put A/AAAA records on both names.
- Don't publish an AAAA record unless the address actually serves traffic: clients that prefer IPv6 try it first, and if it points nowhere some fail or hang instead of falling back. If your infra is IPv4-only, have no AAAA at all.
- SPF, DKIM and DMARC all live in TXT records (SPF at the apex, DKIM at <selector>._domainkey, DMARC at _dmarc). Missing them = your mail ends up in spam, and your domain is easier to spoof.
- `.dev`, `.app`, and a few other TLDs are on the browser HSTS preload list: plain HTTP won't load at all, so you need a valid TLS certificate before anything works.
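To put the debugging commands and the snags above into something you can run, here is an added example (not from the original page) that parses `dig +noall +answer` output, reports whether a public resolver has caught up with the authoritative server, and lints the authoritative records for the snags listed above. The dig output embedded below is constructed, not captured from real servers; the server names and addresses are placeholders. DKIM is not checked because it needs the selector name, which a zone dump doesn't reveal.

```python
# Added example, not from the original page: parse `dig +noall +answer` output,
# check whether a public resolver has caught up with the authoritative server,
# and lint the authoritative records for the snags listed above. All dig output
# below is constructed, not captured from real servers.

import ipaddress
import re
from collections import defaultdict

# Constructed: `dig example.com ANY @ns1.example.com +noall +answer`
# (assumes a server that still answers ANY; otherwise run one dig per type).
AUTHORITATIVE = """\
example.com.\t300\tIN\tA\t198.51.100.20
example.com.\t300\tIN\tAAAA\t::
example.com.\t300\tIN\tMX\t10 mx1.example.com.
example.com.\t300\tIN\tTXT\t"v=spf1 include:_spf.example.net ~all"
example.com.\t300\tIN\tTXT\t"v=spf1 -all"
www.example.com.\t300\tIN\tCNAME\texample.com.
"""

# Constructed: `dig example.com A @1.1.1.1 +noall +answer`, still serving the
# old address from cache. The TTL shown is what remains, counted down from 3600.
RESOLVER = """\
example.com.\t2437\tIN\tA\t203.0.113.10
"""

LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


def parse_answer(text):
    """dig answer lines -> ({(owner, type): set(rdata)}, {(owner, type): min ttl})."""
    rrsets, ttls = defaultdict(set), {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised dig line: {line!r}")
        owner, ttl, rtype, rdata = m.groups()
        key = (owner.lower(), rtype.upper())
        rrsets[key].add(rdata.strip().strip('"'))  # single-string TXT only
        ttls[key] = min(ttls.get(key, int(ttl)), int(ttl))
    return dict(rrsets), ttls


def compare(auth_text, resolver_text):
    """Per rrset the resolver was asked for: 'in sync', or 'stale' plus the
    seconds left on the resolver's cached copy."""
    auth, _ = parse_answer(auth_text)
    cached, cached_ttl = parse_answer(resolver_text)
    report = {}
    for key, want in auth.items():
        if key not in cached:
            continue  # resolver wasn't queried for this type; nothing to compare
        report[key] = ("in sync", 0) if cached[key] == want else ("stale", cached_ttl[key])
    return report


def lint(auth_text, apex):
    """Flag record-level snags: CNAME at the apex or beside other data,
    AAAA that points nowhere, SPF and DMARC TXT problems."""
    rrsets, _ = parse_answer(auth_text)
    by_owner = defaultdict(dict)
    for (owner, rtype), rdata in rrsets.items():
        by_owner[owner][rtype] = rdata
    problems = []
    for owner, types in list(by_owner.items()):
        if "CNAME" in types:
            if owner == apex:
                problems.append(f"{owner}: CNAME at the apex (use ALIAS/ANAME or A/AAAA)")
            others = sorted(t for t in types if t != "CNAME")
            if others:
                problems.append(f"{owner}: CNAME alongside {', '.join(others)}")
        for addr in types.get("AAAA", ()):
            ip = ipaddress.IPv6Address(addr)
            if ip.is_unspecified or ip.is_loopback or ip.is_link_local:
                problems.append(f"{owner}: AAAA {addr} points nowhere; remove it or point it at a real host")
    spf = [t for t in by_owner[apex].get("TXT", ()) if t.lower().startswith("v=spf1")]
    if len(spf) != 1:  # RFC 7208: more than one v=spf1 record is a permanent error
        problems.append(f"{apex}: expected exactly one v=spf1 TXT record, found {len(spf)}")
    if not any(t.lower().startswith("v=dmarc1") for t in by_owner["_dmarc." + apex].get("TXT", ())):
        problems.append(f"_dmarc.{apex}: no DMARC record")
    return problems


if __name__ == "__main__":
    for key, (state, left) in compare(AUTHORITATIVE, RESOLVER).items():
        print(f"{key}: {state}" + (f", resolver copy expires in {left}s" if left else ""))
    for p in lint(AUTHORITATIVE, "example.com."):
        print("snag:", p)
```

On real output you would feed in the text of the two dig commands named in the comments; the stale-copy countdown is the resolver's remaining TTL, which is the most you have to wait for that one resolver. The AAAA check only catches addresses that can never serve (unspecified, loopback, link-local); a globally routable address that happens to be down still needs a connectivity test.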