DNS — How Domains Actually Work

~20 min · Foundations · Glossary →

Ref

Primary Source

Cloudflare Learning Center — What is DNS?

The clearest explanation of DNS available. Covers the full resolution chain with diagrams. Essential before configuring any domain. cloudflare.com/learning →

Why You Need to Understand DNS

You will configure DNS for every project you deploy. Get it wrong and your site is unreachable. Get it right and you can point domains to CDNs, route traffic between regions, verify domain ownership for SSL, and configure email authentication — all through DNS records.

The DNS Resolution Chain

When a browser requests api.yourapp.com, here's exactly what happens:

DNS resolution: browser cache → recursive resolver → root → TLD → authoritative nameserver → IP

Record Types You'll Actually Use

Record	What it does	When you use it
`A`	Maps a hostname → IPv4 address	Pointing `api.yourapp.com` to your EC2 IP
`AAAA`	Maps a hostname → IPv6 address	Same as A, for IPv6
`CNAME`	Alias one hostname → another hostname	`www.yourapp.com` → `yourapp.com`; also CloudFront distributions
`MX`	Mail exchange — where email for your domain is delivered	Google Workspace, Fastmail, etc.
`TXT`	Arbitrary text data	Domain verification (Google, GitHub), SPF, DKIM (email auth)
`NS`	Nameserver — which servers answer queries for your domain	Delegating a domain to Cloudflare
`CAA`	Certificate Authority Authorization — which CAs can issue certs for your domain	Security hardening

⚠️ CNAME gotcha

You cannot put a CNAME on a bare/apex domain (yourapp.com) — only on subdomains. Use Cloudflare's "CNAME flattening" or an ALIAS record (Route 53) for the apex. This trips everyone up the first time.

TTL — Time to Live

TTL (in seconds) tells DNS resolvers how long to cache your record before checking for updates.

Low TTL (60–300s) — changes propagate fast, good before migrations or changes. But more DNS queries = slight latency overhead.
High TTL (3600–86400s) — resolvers cache longer, fewer queries. But if you change the record, it takes hours to propagate.

💡 Pro tip

Before any planned infrastructure change (new server, new IP), lower your TTL to 60 seconds 24 hours in advance. After the migration, bump it back to 3600. This minimises downtime during the cutover.

Nameservers — Who Controls Your DNS

When you buy a domain (e.g., from Namecheap), the domain registrar sets the nameservers. Those nameservers hold your DNS records. When you move to Cloudflare, you change your domain's nameservers to Cloudflare's — Cloudflare then controls all DNS records.

# Check who controls DNS for a domain
dig NS yourapp.com

# Look up an A record
dig A api.yourapp.com

# Check what IP a domain resolves to
dig +short api.yourapp.com

# Query a specific nameserver directly
dig @ns1.cloudflare.com A yourapp.com

# Check TXT records (SPF, DKIM, verification)
dig TXT yourapp.com

Check Your Understanding

1. You want to point api.yourapp.com to your EC2 instance at IP 54.210.1.100. Which DNS record type do you create?

2. You change an A record but users still see the old IP 2 hours later. What's the most likely cause?

3. You want www.yourapp.com to always resolve to the same place as yourapp.com, without duplicating records. Which record type?

4. You're migrating to a new server tomorrow. Your current TTL is 86400 (24 hours). What should you have done yesterday?