Understand DNS resolution, record types (A, CNAME, MX, TXT), TTL, and how to debug DNS issues — practical knowledge for every web developer.
You type a URL and see a webpage in milliseconds. DNS is the global phonebook that makes this possible. Understanding DNS will save you hours when debugging deployment issues.
When you visit heolab.com:

```
1. Browser cache — checked first (TTL-limited)
   ↓ not found
2. OS cache / /etc/hosts — checked next
   ↓ not found
3. Recursive Resolver (your ISP or 8.8.8.8)
   ↓ not in cache
4. Root Nameservers (13 clusters: a.root-servers.net … m.root-servers.net)
   → 'I don't know heolab.com, but .com is at: 192.5.6.30'
   ↓
5. TLD Nameserver (for .com)
   → 'I don't know heolab.com, but its nameserver is: ns1.vercel-dns.com'
   ↓
6. Authoritative Nameserver (your DNS provider)
   → 'heolab.com is at: 76.76.21.21'
   ↓
7. Browser connects to 76.76.21.21:443
```

The whole lookup takes 20–120ms on the first visit, then subsequent visits use the cache (TTL-limited).
| Type | Purpose | Example |
|---|---|---|
| A | Domain → IPv4 address | heolab.com → 76.76.21.21 |
| AAAA | Domain → IPv6 address | heolab.com → 2606:4700::1 |
| CNAME | Domain → another domain | www → heolab.com |
| MX | Mail server address | heolab.com → mail.google.com |
| TXT | Arbitrary text (SPF, DKIM, verification) | v=spf1 include:... |
| NS | Authoritative nameservers | heolab.com → ns1.vercel-dns.com |
| SOA | Start of authority (zone metadata) | — |
| SRV | Service location | _http._tcp.example.com |
| CAA | Certificate authority authorization | 0 issue 'letsencrypt.org' |

```
# A record — direct IP mapping
heolab.com.       300  IN  A      76.76.21.21

# CNAME — alias to another domain (cannot be on root/apex domain!)
www.heolab.com.   300  IN  CNAME  heolab.com.
blog.heolab.com.  300  IN  CNAME  heolab.ghost.io.

# ALIAS / ANAME / Flattened CNAME (provider-specific)
# Allows CNAME-like behavior on apex domains
heolab.com.       300  IN  ALIAS  cname.vercel-dns.com.
```

You can't put a CNAME on a root domain (heolab.com): a CNAME cannot coexist with any other record at the same name, and DNS requires the apex domain to have SOA and NS records. Vercel, Cloudflare, and others solve this with proprietary ALIAS/ANAME records.
TTL tells resolvers how long to cache a record (in seconds):

```
300   = 5 minutes  (good during active changes)
3600  = 1 hour     (default for most records)
86400 = 24 hours   (stable records)

Lower TTL  = faster propagation = more DNS queries (more cost)
Higher TTL = slower propagation = fewer queries (cheaper, faster for users)
```

Tip: Before a migration, lower your TTL to 300 seconds 24 hours before the change. After the migration, raise it back to 3600.

```
# MX — which server handles email (higher number = lower priority)
heolab.com.  MX  10  smtp.google.com.
heolab.com.  MX  20  smtp2.google.com.

# SPF — which servers can send email for your domain
heolab.com.  TXT  "v=spf1 include:_spf.google.com ~all"

# DKIM — cryptographic signature for emails
google._domainkey.heolab.com.  TXT  "v=DKIM1; k=rsa; p=MIIBIjAN..."

# DMARC — policy for failed SPF/DKIM
_dmarc.heolab.com.  TXT  "v=DMARC1; p=reject; rua=mailto:dmarc@heolab.com"
```


```bash
# Basic lookup
nslookup heolab.com
dig heolab.com A
dig heolab.com AAAA
dig heolab.com MX
dig heolab.com TXT

# Query a specific nameserver
dig @8.8.8.8 heolab.com A   # query Google DNS
dig @1.1.1.1 heolab.com A   # query Cloudflare DNS

# Trace the full resolution
dig +trace heolab.com A

# Check propagation (different resolvers)
# Use: https://dnschecker.org/

# Check TTL remaining (dig does not label it; it is the second column of the answer)
dig +noall +answer heolab.com A

# Reverse lookup (IP to domain)
dig -x 76.76.21.21
nslookup 76.76.21.21
```

| Problem | Likely cause |
|---|---|
| Site shows old IP after migration | TTL not expired yet — wait it out |
| Email not working | MX/SPF record missing or wrong priority |
| SSL cert fails | CAA record blocking your CA |
| www works but apex doesn't | Missing A record or ALIAS at apex |
| DNS resolution slow | High TTL on CNAME chains (each adds a lookup) |
Use the IP Lookup tool to verify where an IP resolves to geographically, and the URL Parser to inspect domain components.