⚡ What are DNS Records?
A DNS record is an entry in a DNS zone file that maps a name to a value — most commonly a domain name to an IP address, but also defining which server handles email, pointing subdomains to other names, and publishing security policy information. Different record types serve different purposes. The exam tests whether you know which record type solves which problem — not just that A records exist, but that an A record is the answer when "a host needs to resolve a name to an IPv4 address."
Core DNS Record Types
A Record (IPv4 address)
Maps a hostname to an IPv4 address. The most fundamental DNS record — every website and server you reach by name relies on an A record. A single hostname can have multiple A records (for load balancing or redundancy).
```zone
www.example.com.  IN A 93.184.216.34
mail.example.com. IN A 93.184.216.35
```
Exam use case: "A user can ping 93.184.216.34 but not www.example.com — what record is missing or misconfigured?" → A record. Any time a name fails to resolve to an IPv4 address, the A record is the first suspect.
AAAA Record (IPv6 address)
Maps a hostname to an IPv6 address. Called "quad-A" — the four As reference the fact that IPv6 addresses are four times the length of IPv4. Functionally identical to the A record but for 128-bit IPv6 addresses. Modern dual-stack deployments have both A and AAAA records for the same hostname.
```zone
www.example.com. IN AAAA 2606:2800:220:1:248:1893:25c8:1946
```
Exam use case: "Which DNS record type resolves a hostname to an IPv6 address?" → AAAA. Easy points if you remember: A = IPv4, AAAA = IPv6.
MX Record (Mail Exchanger)
Specifies the mail server responsible for accepting email for a domain. MX records include a priority value — lower number means higher priority. When email is sent to user@example.com, the sending server queries DNS for MX records to find where to deliver it. MX records point to hostnames (not IPs directly) — the hostname must have its own A record.
```zone
example.com. IN MX 10 mail1.example.com.
example.com. IN MX 20 mail2.example.com. ; backup
```
Exam use case: "Email to the domain is not being delivered. Which DNS record type should be checked?" → MX. Also: "Which server receives email for a domain?" → the server pointed to by the MX record with the lowest priority number.
CNAME Record (Canonical Name)
Creates an alias from one hostname to another (the canonical name). Instead of pointing directly to an IP, a CNAME points to another hostname which then resolves to an IP. Commonly used to point multiple names (www, ftp, mail) to a single canonical hostname so you only update one A record when the IP changes. A CNAME cannot coexist with other records for the same name — and cannot be used for the zone apex (naked domain like example.com).
```zone
www.example.com. IN CNAME example.com.
ftp.example.com. IN CNAME example.com.
```
Exam use case: "An admin wants www.example.com and ftp.example.com to resolve to the same server without managing two A records. Which record type?" → CNAME. Key trap: CNAME points to a hostname, not an IP — the canonical name must have an A record.
PTR Record (Pointer)
The reverse of an A record — maps an IP address back to a hostname. PTR records live in special reverse lookup zones (in-addr.arpa for IPv4). Used for reverse DNS lookups — tools like nslookup and dig use PTR records when you query an IP to find its name. Email servers check PTR records to verify sending mail servers are legitimate.
```zone
; Reverse zone for 93.184.216.0/24
34.216.184.93.in-addr.arpa. IN PTR www.example.com.
```
Exam use case: "Which DNS record type is used in a reverse lookup zone?" → PTR. "A technician runs nslookup with an IP address and gets a hostname — which record type was queried?" → PTR.
NS Record (Name Server)
Identifies the authoritative name servers for a DNS zone. NS records tell the DNS system which servers hold the official records for a domain. Every domain registered on the internet has NS records pointing to at least two authoritative name servers for redundancy. NS records are set at the domain registrar and propagated to the root DNS servers.
```zone
example.com. IN NS ns1.exampledns.com.
example.com. IN NS ns2.exampledns.com.
```
Exam use case: "Which DNS record type identifies the authoritative name servers for a domain?" → NS. If DNS for a domain is completely broken (no records resolve), checking NS records at the registrar is the first troubleshooting step.
SOA Record (Start of Authority)
The first record in every DNS zone file — contains administrative information about the zone: the primary name server, the email address of the zone administrator, the zone serial number (incremented every time the zone is updated), and timing values for how long secondary servers cache zone data (refresh, retry, expire, TTL).
```zone
example.com. IN SOA ns1.example.com. admin.example.com. (
        2026010101 ; Serial
        3600       ; Refresh
        900        ; Retry
        604800     ; Expire
        300 )      ; Minimum TTL
```
Exam use case: "Which DNS record marks the beginning of a zone and contains the zone serial number?" → SOA. The serial number is how secondary DNS servers know when the zone has been updated and needs to be transferred.
TXT Record (Text)
Stores arbitrary text data in DNS — originally for human-readable info but now used almost entirely for machine-readable verification data. The three critical Security+ TXT record uses are SPF (Sender Policy Framework — which servers can send email for a domain), DKIM (DomainKeys Identified Mail — public key for verifying email signatures), and DMARC (Domain-based Message Authentication, Reporting and Conformance — policy for handling SPF/DKIM failures). Also used for domain ownership verification by Google, Microsoft, and other services.
```zone
; SPF record — only mail1 and mail2 can send for example.com
example.com. IN TXT "v=spf1 ip4:93.184.216.34 ip4:93.184.216.35 -all"
; DMARC policy
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
```
Exam use case: "An organisation wants to prevent email spoofing — attackers sending email that appears to come from their domain. Which DNS records should be configured?" → SPF (TXT record), DKIM (TXT record), DMARC (TXT record). All three live in TXT records. SPF = who can send. DKIM = prove the email wasn't tampered with. DMARC = what to do when SPF/DKIM fail.
CAA Record (Certification Authority Authorization)
Specifies which Certificate Authorities are permitted to issue SSL/TLS certificates for a domain. If a CAA record is present, CAs that check (required by the CA/Browser Forum) will refuse to issue certificates for the domain unless they are listed. Prevents rogue or compromised CAs from issuing fraudulent certificates for your domain without your permission.
```zone
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issue "digicert.com"
```
Exam use case (Security+): "Which DNS record restricts which Certificate Authorities can issue certificates for a domain?" → CAA. Directly referenced in the PKI and certificate management Security+ domain. Cross-references with the PKI and digital certificates article.
SRV Record (Service)
Specifies the hostname and port for specific services — allows clients to discover where a service runs without hardcoding server addresses. Used by VoIP (SIP), Microsoft Active Directory (Kerberos, LDAP), Microsoft Teams, and other services. SRV records include priority, weight (for load balancing), port, and target hostname.
```zone
; AD domain controller — Kerberos service
_kerberos._tcp.example.com. IN SRV 10 100 88 dc1.example.com.
; SIP VoIP service
_sip._tcp.example.com.      IN SRV 10 100 5060 voip.example.com.
```
Exam use case: "Active Directory clients use which DNS record type to locate domain controllers?" → SRV. AD is entirely dependent on SRV records — if SRV records are missing or corrupt, domain join, authentication, and Group Policy all fail.
⚡ The high-frequency exam distinctions
A vs AAAA: A = IPv4. AAAA = IPv6. That's the entire difference.
CNAME vs A: CNAME points to another hostname (alias). A record points to an IP. CNAME cannot be used at the zone apex (example.com itself — only subdomains like www.example.com).
MX priority: Lower number = higher priority. If MX 10 is unreachable, senders try MX 20. Easy to get backwards on the exam.
PTR = reverse DNS — IP to hostname. Lives in in-addr.arpa zones. Used by email servers to verify sender legitimacy.
SPF/DKIM/DMARC all live in TXT records — the exam tests whether you know the function of each. SPF = which servers can send. DKIM = email signing/verification. DMARC = enforcement policy when SPF/DKIM fail.
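The record-type rules covered in the sections above (MX targets need an A record, a CNAME cannot sit at the apex or next to other records, a zone needs an SOA and redundant NS records) are the kind of thing a zone linter can check before a zone is loaded. The following is an added example written for this page, not code from any DNS server; the zone text and names in it are constructed, and it treats any MX target ending in the apex name as in-zone.

```python
from collections import defaultdict

# Constructed sample zone (not a real deployment), in the "owner IN TYPE rdata" layout used above.
SAMPLE_ZONE = """
example.com.       IN SOA   ns1.example.com. admin.example.com. 2026010101 3600 900 604800 300
example.com.       IN NS    ns1.example.com.
example.com.       IN MX    10 mail1.example.com.
example.com.       IN MX    20 mail2.example.com.   ; backup with no A record in the zone
ns1.example.com.   IN A     93.184.216.2
mail1.example.com. IN A     93.184.216.35
www.example.com.   IN CNAME example.com.
www.example.com.   IN A     93.184.216.34          ; a CNAME may not share its name with other data
shop.example.com.  IN CNAME example.com.
"""

def parse_zone(text):
    """Return (owner, type, rdata tokens) per record, skipping ';' comments and blank lines."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, _class, rtype, *rdata = line.split()
        records.append((owner.lower(), rtype.upper(), rdata))
    return records

def lint_zone(text, apex):
    """Apply the exam-level rules: SOA and >= 2 NS at the apex, in-zone MX targets must
    have an A/AAAA record, and a CNAME may be neither at the apex nor beside other types."""
    records = parse_zone(text)
    types_at = defaultdict(set)
    for owner, rtype, _ in records:
        types_at[owner].add(rtype)
    problems = []
    if "SOA" not in types_at[apex]:
        problems.append("no SOA record at the apex")
    if sum(1 for o, t, _ in records if o == apex and t == "NS") < 2:
        problems.append("fewer than two NS records at the apex")
    for owner, rtype, rdata in records:
        if rtype == "MX":
            target = rdata[1]  # rdata is [priority, hostname]
            if target.endswith(apex) and not types_at[target] & {"A", "AAAA"}:
                problems.append(f"MX target {target} has no A/AAAA record")
        elif rtype == "CNAME":
            if owner == apex:
                problems.append("CNAME at the zone apex is not allowed")
            if types_at[owner] - {"CNAME"}:
                problems.append(f"CNAME at {owner} coexists with other records")
    return problems
```

Running `lint_zone(SAMPLE_ZONE, "example.com.")` reports the three deliberate mistakes in the sample (single NS, MX backup without an A record, CNAME beside an A record) and nothing else.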
DNS Security — SPF, DKIM, DMARC in Depth
These three TXT records work together to prevent email spoofing and phishing — a heavily tested Security+ topic:
| Record | What It Does | How It Works | Limitation |
|---|---|---|---|
| SPF | Defines which mail servers are authorised to send email for the domain | Receiving server checks the sending server's IP against the SPF TXT record. If the IP isn't listed, the email fails SPF. | Breaks with email forwarding — forwarded email changes the sending IP, causing SPF failures |
| DKIM | Allows the sending mail server to cryptographically sign outgoing email | Sender signs email headers with a private key. Receiver retrieves the public key from a DKIM TXT record and verifies the signature. Proves the email wasn't modified in transit. | Doesn't prevent the From: address from being spoofed — only proves the signing domain's integrity |
| DMARC | Tells receiving servers what to do when SPF or DKIM checks fail (none / quarantine / reject) | Queries _dmarc.example.com TXT record for policy. Also enables reporting — organisations receive reports of who is sending email claiming to be from their domain. | Only as effective as the policy it sets. p=none provides reporting but no enforcement. |
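To make the table concrete, here is an added example (written for this page, not taken from any mail software) of how a receiving server evaluates an SPF TXT record against the connecting IP and then applies the DMARC p= policy. The SPF and DMARC strings are constructed, `include_lookup` stands in for the DNS query an include: mechanism would trigger, and DMARC alignment is simplified to "an authenticated result counts as aligned".

```python
import ipaddress

# Constructed records for example.com (no live DNS lookups are made).
SPF_TXT = "v=spf1 ip4:93.184.216.34 ip4:93.184.216.0/28 include:_spf.partner.example -all"
DMARC_TXT = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"

def spf_result(spf_txt, sender_ip, include_lookup=None):
    """Evaluate mechanisms left to right against the connecting IP; the first match wins.
    Returns 'pass', 'fail', 'softfail' or 'neutral'. include_lookup maps an included
    domain to its own SPF TXT string (assumption: it replaces a real DNS query)."""
    ip = ipaddress.ip_address(sender_ip)
    terms = spf_txt.split()
    assert terms[0] == "v=spf1", "not an SPF record"
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qual = "+"
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        matched = False
        if mech in ("ip4", "ip6"):
            # An IPv4 sender never matches an ip6 network, and vice versa.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include" and include_lookup:
            inner = include_lookup.get(arg, "v=spf1 -all")
            matched = spf_result(inner, sender_ip, include_lookup) == "pass"
        elif mech == "all":
            matched = True
        if matched:
            return qualifiers[qual]
    return "neutral"  # no mechanism matched and no 'all' term

def dmarc_disposition(dmarc_txt, spf, dkim_ok):
    """Deliver when either check passes; otherwise apply the published p= policy."""
    tags = dict(t.strip().split("=", 1) for t in dmarc_txt.split(";") if t.strip())
    if spf == "pass" or dkim_ok:
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[tags["p"]]

# The forwarding limitation from the table: the same message relayed from a forwarder's
# IP fails SPF, but an intact DKIM signature still satisfies DMARC.
DIRECT = dmarc_disposition(DMARC_TXT, spf_result(SPF_TXT, "93.184.216.34"), dkim_ok=False)
FORWARDED = dmarc_disposition(DMARC_TXT, spf_result(SPF_TXT, "198.51.100.7"), dkim_ok=True)
FORWARDED_NO_DKIM = dmarc_disposition(DMARC_TXT, spf_result(SPF_TXT, "198.51.100.7"), dkim_ok=False)
```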
DNS Record Quick Reference
| Record | Maps / Identifies | Primary Use Case |
|---|---|---|
| A | Hostname → IPv4 address | All forward DNS lookups for IPv4 |
| AAAA | Hostname → IPv6 address | All forward DNS lookups for IPv6 |
| MX | Domain → mail server hostname | Email routing — where to deliver email for a domain |
| CNAME | Alias hostname → canonical hostname | Subdomains pointing to same server, CDN aliases |
| PTR | IP address → hostname | Reverse DNS lookups, email server verification |
| NS | Zone → authoritative name servers | Identifies which DNS servers hold zone records |
| SOA | Zone metadata (serial, TTL, admin) | Zone synchronisation between primary/secondary DNS |
| TXT | Domain → arbitrary text | SPF, DKIM, DMARC, domain ownership verification |
| CAA | Domain → authorised CAs | Restrict which CAs can issue certificates for the domain |
| SRV | Service → hostname + port | Active Directory, VoIP (SIP), service discovery |
DNS Attacks Targeting Records
Security+ DNS attack types
DNS Spoofing / Cache Poisoning: Attacker injects malicious A records into a DNS resolver's cache — victims querying that resolver get a fake IP and are redirected to an attacker-controlled server. Defence: DNSSEC (cryptographically signs DNS records).
DNS Hijacking: Attacker modifies legitimate DNS records (by compromising the registrar account or DNS provider) — everyone resolving the domain gets the attacker's IP. Defence: registrar account MFA, registry lock.
DNS Zone Transfer Attack: Unauthorised zone transfer (AXFR) reveals all DNS records for a domain — a complete map of the organisation's infrastructure. Defence: restrict zone transfers to authorised secondary servers only.
DNS Tunnelling: Data exfiltration encoded in DNS queries/responses — bypasses firewalls that allow DNS traffic. Defence: DNS query monitoring, restrict outbound DNS to trusted resolvers.
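The "DNS query monitoring" defence against tunnelling usually means looking for names that carry encoded data: long, random-looking leftmost labels, many distinct ones under the same domain. Here is an added example of that detection logic over resolver log lines (written for this page; the log format, the hypothetical exfil-test.invalid domain and the thresholds are all constructed).

```python
import math
from collections import defaultdict

# Constructed resolver log (not real traffic): "time client qtype qname" per line.
SAMPLE_LOG = """
10:00:01 10.0.0.5 A    www.example.com
10:00:02 10.0.0.5 AAAA mail.example.com
10:00:03 10.0.0.9 TXT  7a9f3c1e0b2d4f6a8c1e3b5d7f9a1c3e.t.exfil-test.invalid
10:00:03 10.0.0.9 TXT  9e2b4d6f8a0c2e4f6a8b0d2f4a6c8e0b.t.exfil-test.invalid
10:00:04 10.0.0.9 TXT  1c3e5a7b9d0f2a4c6e8b0d2f4a6c8e0d.t.exfil-test.invalid
10:00:05 10.0.0.5 MX   example.com
10:00:06 10.0.0.7 A    cdn-assets-long-but-readable-name.example.com
"""

def shannon_entropy(label):
    """Bits per character; hex payloads approach 4, base32/base64 payloads go higher."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def base_domain(qname):
    """Registrable domain approximated as the last two labels (assumption; a real
    tool would consult the Public Suffix List)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def suspicious_domains(log_text, min_entropy=3.0, min_len=20, min_unique=3):
    """Flag base domains that receive at least min_unique distinct queries whose
    leftmost label is long and high-entropy. Long readable names can also score
    above 3 bits/char, so the distinct-name count is what keeps false positives down."""
    hits = defaultdict(set)
    for line in log_text.strip().splitlines():
        _time, _client, _qtype, qname = line.split()
        first_label = qname.split(".")[0]
        if len(first_label) >= min_len and shannon_entropy(first_label) >= min_entropy:
            hits[base_domain(qname)].add(qname)
    return sorted(d for d, names in hits.items() if len(names) >= min_unique)
```

With the defaults only exfil-test.invalid is reported; lowering min_unique to 1 also reports example.com because of its single long readable hostname, which is the trade-off a tuning threshold controls.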
Exam Scenarios
💬 "Users can access a website by IP but not by hostname. Which DNS record type is most likely missing?" → A record — the forward lookup mapping the hostname to the IPv4 address is missing or misconfigured.
💬 "An administrator configures DNS so that both www.example.com and shop.example.com resolve to the same server. Rather than creating two A records, they want to manage a single IP. Which record type achieves this?" → CNAME — create CNAME records for www and shop pointing to the canonical hostname, which has a single A record. Update only the A record when the IP changes.
💬 "Email sent to users at example.com is bouncing. The MX record points to mail.example.com. What else must exist for email delivery to work?" → An A record for mail.example.com — MX records point to hostnames, not IPs. The mail server hostname must have its own A record resolving to an IP.
💬 "A security engineer wants to prevent attackers from obtaining fraudulent SSL certificates for the company's domain. Which DNS record should be added?" → CAA record — lists the authorised Certificate Authorities for the domain. CAs that comply with the CA/Browser Forum rules will not issue certificates to unlisted requestors.
💬 "Which three DNS records work together to prevent email spoofing and should be configured for every domain sending email?" → SPF (TXT) — authorised sending servers. DKIM (TXT) — cryptographic email signing. DMARC (TXT) — enforcement policy when SPF/DKIM fail.
💬 "A technician queries an IP address using nslookup and receives the associated hostname. Which DNS record type was queried?" → PTR record — pointer records in reverse lookup zones map IP addresses back to hostnames.
💬 "Active Directory clients cannot locate the domain controller after a DNS change. Which record type is most likely affected?" → SRV records — Active Directory relies on SRV records to locate domain controllers for Kerberos (port 88), LDAP (port 389), and other AD services.
💬 "What is the purpose of the serial number in the SOA record?" → Secondary DNS servers compare their cached serial number with the primary's SOA serial number to determine whether the zone has been updated and a zone transfer is needed.