DNS for Web Developers: Everything You Need to Know

Published 2026-03-29 · Last modified 2026-03-29

The Domain Name System (DNS) is the backbone of the internet. Every time a user types a URL into their browser, DNS is the invisible mechanism that translates that human-readable domain name into a machine-readable IP address. Yet despite its critical importance, DNS remains one of the most misunderstood technologies among web developers and even some sysadmins.

This guide covers everything you need to know about DNS: how it works under the hood, the different record types you will encounter, how propagation works, email authentication records, DNSSEC, domain blacklists, and the tools you can use on GF.dev to inspect and troubleshoot DNS issues.

How DNS Works: The Basics

At its core, DNS is a distributed, hierarchical database. When you type example.com into your browser, a multi-step resolution process begins:

  1. Browser cache check – Your browser first checks if it already has the IP address cached from a recent lookup.
  2. OS resolver cache – If the browser cache misses, the operating system's stub resolver checks its own cache.
  3. Recursive resolver – If there is still no answer, the query is sent to a recursive resolver (usually provided by your ISP or a public resolver like 8.8.8.8 or 1.1.1.1). This resolver does the heavy lifting.
  4. Root name servers – The recursive resolver queries one of the 13 root name server clusters, which responds with the address of the appropriate Top-Level Domain (TLD) server (e.g., the .com server).
  5. TLD name servers – The TLD server responds with the authoritative name servers for the specific domain.
  6. Authoritative name servers – Finally, the authoritative server returns the actual DNS record (e.g., an A record with the IP address).

This entire process typically completes in under 100 milliseconds. The recursive resolver caches the result according to the record's TTL (Time To Live) value, so subsequent queries are even faster.

You can trace this entire resolution chain yourself using our DNS Lookup tool, which shows you the records returned for any domain.

DNS Record Types Explained

DNS supports dozens of record types, but as a web developer you will work with a handful regularly. Here are the most important ones:

A and AAAA Records

The A record maps a domain name to an IPv4 address (e.g., 93.184.216.34). The AAAA record (sometimes called a "quad-A" record) does the same for IPv6 addresses (e.g., 2606:2800:220:1:248:1893:25c8:1946). Every domain that serves a website needs at least one A or AAAA record.

CNAME Records

A CNAME (Canonical Name) record creates an alias from one domain name to another. For example, you might point www.example.com as a CNAME to example.com. The resolver then looks up the target domain to find the final IP. A CNAME cannot coexist with other record types at the same name, which is why you should never use one at the zone apex (the bare domain): the apex always carries SOA and NS records.
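
The two CNAME rules above can be checked mechanically before a zone is published. The following Python is an added example, not GF.dev code: the zone contents, the 192.0.2.x address and the function names are constructed for illustration. It flags a CNAME at the apex or beside other record types (DNSSEC's own RRSIG and NSEC records are the exception) and follows an alias chain the way a resolver does, stopping on loops.

```python
DNSSEC_TYPES = {"RRSIG", "NSEC"}     # the only types allowed next to a CNAME

# Constructed zone data: (owner, type, value)
ZONE = [
    ("example.com.",      "SOA",   "ns1.provider.com. hostmaster.example.com. 1 7200 900 1209600 300"),
    ("example.com.",      "NS",    "ns1.provider.com."),
    ("example.com.",      "CNAME", "lb.hosting.example."),      # apex alias: invalid
    ("www.example.com.",  "CNAME", "web.example.com."),
    ("web.example.com.",  "A",     "192.0.2.10"),
    ("mail.example.com.", "CNAME", "web.example.com."),
    ("mail.example.com.", "MX",    "10 mx1.example.com."),      # CNAME + MX: invalid
    ("a.example.com.",    "CNAME", "b.example.com."),
    ("b.example.com.",    "CNAME", "a.example.com."),           # alias loop
]

def lint_cnames(records, apex):
    """Report names where a CNAME sits at the apex or beside other record types."""
    types_at = {}
    for owner, rtype, _ in records:
        types_at.setdefault(owner.lower(), set()).add(rtype)
    findings = []
    for owner in sorted(types_at):
        if "CNAME" not in types_at[owner]:
            continue
        if owner == apex.lower():
            findings.append(f"{owner} CNAME at zone apex")
        clash = sorted(types_at[owner] - {"CNAME"} - DNSSEC_TYPES)
        if clash:
            findings.append(f"{owner} CNAME coexists with {','.join(clash)}")
    return findings

def resolve_alias(records, name, max_hops=8):
    """Follow CNAMEs the way a resolver does; return (addresses, names visited)."""
    visited = []
    while True:
        name = name.lower()
        if name in visited or len(visited) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        visited.append(name)
        targets = [v for o, t, v in records if o.lower() == name and t == "CNAME"]
        if not targets:
            addrs = [v for o, t, v in records if o.lower() == name and t in ("A", "AAAA")]
            return addrs, visited
        name = targets[0]
```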

MX Records

MX (Mail Exchange) records specify which mail servers accept email for a domain. Each MX record has a priority value; lower numbers indicate higher priority. When someone sends an email to user@example.com, the sending server queries the MX records for example.com and delivers mail to the highest-priority server that responds.

TXT Records

TXT records hold arbitrary text data. They were originally intended for human-readable notes, but today they serve critical roles in domain verification (Google Search Console, cloud providers), email authentication (SPF, DKIM, and DMARC), and other protocols. A single domain can have multiple TXT records.

NS Records

NS (Name Server) records delegate a DNS zone to specific authoritative name servers. When you register a domain and set its name servers to ns1.provider.com and ns2.provider.com, you are configuring NS records at the registry level. NS records are fundamental to the hierarchical delegation model of DNS.

For a deeper dive into each record type with practical examples, read our article DNS A, AAAA, CNAME, MX Records Explained Simply. You can also query any domain's records live with our DNS Lookup tool.

DNS Propagation

One of the most common questions developers ask is: "How long does DNS propagation take?" The answer depends on the TTL (Time To Live) of the old record.

When you change a DNS record, every recursive resolver that has the old record cached will continue serving it until the TTL expires. If the old TTL was set to 86400 seconds (24 hours), it can take up to 24 hours for the change to be visible globally. Some ISP resolvers are known to ignore TTLs and cache records longer than they should, which can extend this window.

Pro tip: Before making a critical DNS change (like a server migration), lower the TTL to 300 seconds (5 minutes) at least 24–48 hours in advance. After the change has propagated, you can raise the TTL back to a longer value for better performance.

You can verify whether your DNS changes have propagated by querying your domain with our DNS Lookup tool from multiple vantage points.
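
The resolution chain from "How DNS Works" and the TTL advice in this section, modelled in Python as an added example (not GF.dev code). The three-server hierarchy, the 192.0.2.x addresses and all names are constructed for illustration; stale_seconds goes one step beyond the text and measures how long a resolver that cached the record at t=0 keeps serving the old address after a cutover.

```python
OLD, NEW = "192.0.2.10", "192.0.2.20"    # constructed documentation addresses

def hierarchy(record):
    """Constructed root -> .com -> example.com delegation; record is (ip, ttl)."""
    return {
        "root":    {"refer": {"com.": "tld-com"}},
        "tld-com": {"refer": {"example.com.": "ns1"}},
        "ns1":     {"answer": {"www.example.com.": record}},
    }

class RecursiveResolver:
    def __init__(self):
        self.cache = {}                  # name -> (ip, expires_at)

    def resolve(self, name, servers, now):
        """Return (ip, servers_contacted); an empty list means a cache hit."""
        hit = self.cache.get(name)
        if hit and now < hit[1]:
            return hit[0], []
        server, path = "root", []
        while True:
            path.append(server)
            zone = servers[server]
            if name in zone.get("answer", {}):
                ip, ttl = zone["answer"][name]
                self.cache[name] = (ip, now + ttl)   # cached until the TTL runs out
                return ip, path
            # Follow the referral for the longest delegated zone containing the name.
            match = max((z for z in zone.get("refer", {}) if name.endswith("." + z)),
                        key=len, default=None)
            if match is None:
                raise LookupError(f"no delegation or record for {name}")
            server = zone["refer"][match]

def stale_seconds(lowered_at, cutover, old_ttl=86400, low_ttl=300, step=60):
    """Seconds after cutover that a resolver which cached at t=0 still returns OLD."""
    resolver, now = RecursiveResolver(), 0
    while True:
        if now >= cutover:
            record = (NEW, low_ttl)
        elif now >= lowered_at:
            record = (OLD, low_ttl)
        else:
            record = (OLD, old_ttl)
        ip, _ = resolver.resolve("www.example.com.", hierarchy(record), now)
        if ip == NEW:
            return now - cutover
        now += step
```

With the TTL lowered only one hour before the cutover, stale_seconds(3600, 7200) shows this resolver serving the old address for 79200 seconds (22 hours); lowered a full old-TTL ahead, stale_seconds(3600, 90100) shows the stale window capped by the new 300-second TTL.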

Whois: Domain Registration Data

Every registered domain has associated Whois data that includes the registrant's contact information, the registrar, registration and expiration dates, and the name servers. While GDPR-era privacy regulations have redacted much personal data from Whois results, the remaining information is still valuable for troubleshooting and security investigations.

Common uses of Whois data include:

Use our Whois & Hosting Lookup tool to query Whois data for any domain. For a guide on interpreting the results, see How to Read a Whois Record (And Why It Matters).

Email Authentication: SPF, DKIM, and DMARC

Email authentication is one of the most important and most overlooked aspects of DNS management. If you manage a domain that sends email — whether transactional emails from your application, marketing campaigns, or simple team communication — you need to configure three DNS-based authentication mechanisms:

Without these records properly configured, your emails are far more likely to land in spam folders or be rejected entirely. Check your domain's email authentication with our SPF Record Test tool, and read the full guide: SPF, DKIM, and DMARC: Stop Your Emails from Going to Spam.
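
What "properly configured" looks like in the TXT data itself, as an added Python example (not GF.dev code or the logic of its SPF tool). The record sets, the selector s1 and the function names are constructed assumptions; the checks follow the published record formats: one v=spf1 record ending in -all or ~all, a v=DMARC1 record at _dmarc.<domain> with an enforcing policy, and a DKIM key at <selector>._domainkey.<domain>.

```python
def parse_tags(txt):
    """Split a 'tag=value; tag=value' record (DMARC, DKIM) into a dict."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_mail_auth(txt, domain, selector):
    """txt maps owner name -> list of TXT strings; returns a list of findings."""
    findings = []
    spf = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append(f"SPF: need exactly one v=spf1 record, found {len(spf)}")
    else:
        terms = [t.lower() for t in spf[0].split()[1:]]
        final = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
        if final is None and not any(t.startswith("redirect=") for t in terms):
            findings.append("SPF: no 'all' term, unlisted senders are not rejected")
        elif final is not None and final[0] not in "-~":
            findings.append(f"SPF: '{final}' lets unlisted senders pass or stay neutral")
    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append(f"DMARC: need exactly one v=DMARC1 record, found {len(dmarc)}")
    elif parse_tags(dmarc[0]).get("p", "").lower() not in ("quarantine", "reject"):
        findings.append("DMARC: policy is not quarantine/reject, failures are only reported")
    dkim = txt.get(f"{selector}._domainkey.{domain}", [])
    if not dkim or not parse_tags(dkim[0]).get("p"):
        findings.append(f"DKIM: selector '{selector}' has no public key (missing or revoked)")
    return findings

# Constructed TXT record sets; the DKIM key is a placeholder, not a real key.
WEAK = {
    "example.com": ["google-site-verification=constructed", "v=spf1 include:_spf.example.net +all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}
HARDENED = {
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDERBASE64KEY"],
}
```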

DNSSEC: Securing the DNS Chain of Trust

Standard DNS has no built-in mechanism to verify that a response actually came from the authoritative server and was not tampered with in transit. This makes DNS vulnerable to cache poisoning and man-in-the-middle attacks.

DNSSEC (Domain Name System Security Extensions) solves this by adding cryptographic signatures to DNS records. Each zone signs its records with a private key, and the corresponding public key is published in a DS (Delegation Signer) record at the parent zone. This creates a chain of trust from the root zone all the way down to the individual domain.

When a DNSSEC-validating resolver receives a response, it verifies the signature against the published key. If the signature does not match, the response is discarded, protecting users from spoofed DNS data.
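
How the parent's DS record ties to the child zone's key, as an added Python example (not GF.dev code): per RFC 4034 a DS record carries a key tag, the algorithm number and a digest of the zone's DNSKEY, and ds_matches is the comparison a validating resolver makes at each delegation. The key bytes are constructed placeholders and the function names are assumptions; verifying the RRSIG signatures themselves is out of scope here.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical owner name: lowercase labels, each length-prefixed, then the root label."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA as published in the child zone."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """RFC 4034 Appendix B checksum that tells a resolver which DNSKEY a DS refers to."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS fields the parent publishes: key tag, algorithm, digest type 2 (SHA-256), digest."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], 2, digest

def ds_matches(ds, owner, rdata):
    """True when the DNSKEY a resolver fetched is the one the parent's DS vouches for."""
    return ds == make_ds(owner, rdata)

# Constructed key material: 64 placeholder bytes standing in for an ECDSA P-256 key
# (algorithm 13); flags 257 mark a key-signing key, protocol is always 3.
KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))
PARENT_DS = make_ds("example.com.", KSK)
# A different key served under the same name: the parent's DS no longer matches.
SWAPPED = dnskey_rdata(257, 3, 13, bytes(64))
```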

DNSSEC adoption has grown steadily, but it is not yet universal. Whether you should enable it for your domain depends on your threat model and your registrar's support. Read our full analysis: What is DNSSEC and Should You Enable It?

Domain and IP Blacklists

If your domain or IP address ends up on a DNS-based blacklist (DNSBL), it can severely impact your email deliverability and even your website's reputation. Blacklists are maintained by organizations that track sources of spam, malware, and other abuse.

Common reasons for being blacklisted include:

You should periodically check your domain and mail server IPs against major blacklists. Use our Blacklist Test tool to scan multiple blacklists simultaneously. For a complete walkthrough, see How to Check if Your Domain or IP is Blacklisted.

DNS Security Best Practices

Beyond DNSSEC, there are several best practices every developer and sysadmin should follow:

DNS Troubleshooting with GF.dev Tools

When things go wrong with DNS, having the right tools at hand makes all the difference. GF.dev provides a suite of free tools for DNS and domain troubleshooting:

Whether you are setting up a new domain, migrating servers, debugging email deliverability, or investigating a security incident, these tools give you instant visibility into how DNS is working for your domain right now.

Summary

DNS is foundational to everything you do on the web. Understanding how it works — from basic resolution to record types, propagation, email authentication, and security extensions — makes you a more effective developer and a better troubleshooter. Bookmark this guide and our DNS Lookup tool for the next time DNS throws you a curveball.