DNS Record Types Explained: A, AAAA, CNAME, MX & More

A, AAAA, CNAME, MX, TXT, NS, and HTTPS Records

DNS records are the building blocks of the internet's naming system. They tell the world how to find your website, where to deliver your email, and how to verify your domain's identity. Understanding these record types is essential for managing domains and understanding how DNS filtering works.


Step 1: What Are DNS Records?

DNS records are instructions stored in zone files on authoritative DNS servers. Every domain on the internet has a set of DNS records that tell the Domain Name System how to handle requests for that domain — where to send web traffic, where to deliver email, how to verify domain ownership, and more.

Think of DNS records as entries in a phonebook, where each entry serves a different purpose. One entry maps the domain to a web server's address. Another entry directs email to the correct mail server. Yet another stores verification text that proves you own the domain. Together, these records form a complete picture of how a domain operates on the internet.

When you register a domain and set up a website, you configure these DNS records through your domain registrar or DNS hosting provider. Each record has a specific type (which defines its purpose), a name (which domain or subdomain it applies to), a value (the data it contains), and a TTL (Time-to-Live, which controls how long the record is cached).

DNS resolvers — including filtering resolvers like CleanBrowsing — query these records when your device needs to connect to a domain. The resolver asks the authoritative DNS server for the appropriate record type and returns the result to your device. Understanding what each record type does helps you understand both how the internet works and how DNS filtering operates.

Step 2: Core Record Types

These are the most fundamental DNS record types that you will encounter when managing domains or understanding DNS.

  • A Record (Address Record): The most fundamental DNS record type. An A record maps a domain name to an IPv4 address. For example, example.com → 93.184.216.34. When you type a domain into your browser, the DNS resolver returns the A record to tell your browser which server to connect to. Every website needs at least one A record. A domain can have multiple A records pointing to different IP addresses for load balancing and redundancy.
  • AAAA Record (IPv6 Address Record): The AAAA record serves the same purpose as the A record but for IPv6 addresses. For example, example.com → 2606:2800:220:1:248:1893:25c8:1946. As IPv6 adoption grows, AAAA records are becoming increasingly important. Modern DNS resolvers query for both A and AAAA records, and the device or browser decides which to use based on its network configuration and capabilities. If a domain has both IPv4 and IPv6 addresses, devices with IPv6 connectivity will typically prefer the AAAA record.
  • CNAME Record (Canonical Name Record): A CNAME record creates an alias from one domain to another. Instead of pointing directly to an IP address, it points to another domain name. For example, www.example.com → example.com. When the resolver encounters a CNAME, it follows the chain and looks up the A or AAAA record for the target domain. CNAME records are useful for pointing multiple subdomains to the same server — if the server's IP changes, you only need to update one A record instead of updating every subdomain individually. Note that CNAME records cannot be used at the zone apex (the bare domain like example.com) — they are only valid for subdomains.
  • MX Record (Mail Exchange Record): MX records direct email to the correct mail server for a domain. When someone sends an email to user@example.com, the sending mail server queries the MX records for example.com to find out which server should receive the email. MX records include a priority value — a lower number indicates higher priority. For example, a domain might have MX records pointing to mail1.example.com (priority 10) and mail2.example.com (priority 20). Email servers try the highest priority (lowest number) first, falling back to the next if the primary is unavailable. This provides email redundancy and reliability.

Step 3: Additional Record Types

Beyond the core record types, several additional DNS records serve important roles in domain security, verification, and modern internet protocols.

  • TXT Record (Text Record): TXT records store arbitrary text data associated with a domain. While originally intended for human-readable notes, TXT records are now critical for domain security and verification. Their most important uses include:
      • SPF (Sender Policy Framework): specifies which mail servers are authorized to send email on behalf of your domain, helping prevent email spoofing.
      • DKIM (DomainKeys Identified Mail): stores cryptographic public keys used to verify that emails were not altered in transit.
      • DMARC (Domain-based Message Authentication, Reporting, and Conformance): defines how receiving mail servers should handle emails that fail SPF or DKIM checks.
    TXT records are also commonly used for domain verification by services like Google Workspace, Microsoft 365, and SSL certificate authorities.
  • NS Record (Name Server Record): NS records identify the authoritative DNS servers for a domain. When a DNS resolver needs to look up records for a domain, it first finds the NS records to determine which servers hold the authoritative zone file. For example, example.com might have NS records pointing to ns1.dnshost.com and ns2.dnshost.com. These records delegate DNS responsibility — they tell the internet "if you want information about this domain, ask these servers." NS records are typically set at your domain registrar and point to your DNS hosting provider's name servers.
  • HTTPS Record (HTTPS Service Binding Record): The HTTPS record is a newer DNS record type (specified in RFC 9460) that provides connection configuration information for HTTPS services. It can indicate support for HTTP/3, specify ALPN (Application-Layer Protocol Negotiation) parameters, and provide Encrypted Client Hello (ECH) keys for enhanced privacy. HTTPS records allow browsers to establish optimized connections from the very first request, without needing to discover these capabilities through multiple round trips. As this record type gains adoption, it plays an increasingly important role in both performance and privacy on the web.
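The following added example (not part of the original article) shows how the SPF, DKIM and DMARC uses of TXT records described above can be told apart and checked for weak settings. It goes beyond the page by using the record syntax from the SPF, DKIM and DMARC specifications (`v=spf1`, the `_domainkey` and `_dmarc` labels, the `p=` tag). The domain, record values and finding codes are constructed for illustration.

```python
# Constructed TXT records for a hypothetical domain; all values are samples.
TXT_RECORDS = [
    ("example.com", "v=spf1 include:_spf.mailhost.example ~all"),
    ("example.com", "site-verification=constructed-token"),
    ("sel1._domainkey.example.com", "v=DKIM1; k=rsa; p=CONSTRUCTEDKEY"),
    ("_dmarc.example.com", "v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
]


def classify(name, text):
    """Label a TXT record by the email-authentication mechanism it carries."""
    if text.lower().split(" ")[0] == "v=spf1":
        return "SPF"
    if "._domainkey." in name.lower():
        return "DKIM"
    if name.lower().startswith("_dmarc.") and text.startswith("v=DMARC1"):
        return "DMARC"
    return "other"  # e.g. service verification tokens


def tags(text):
    """Parse the 'tag=value; tag=value' list used by DKIM and DMARC records."""
    pairs = (part.split("=", 1) for part in text.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def audit(domain, records):
    """Return finding codes (names made up here) for one domain's SPF and DMARC."""
    spf = [t for n, t in records if n == domain and classify(n, t) == "SPF"]
    dmarc = [t for n, t in records
             if n == "_dmarc." + domain and classify(n, t) == "DMARC"]
    findings = []
    if len(spf) != 1:
        findings.append("spf-missing-or-duplicated")   # receivers expect exactly one
    elif spf[0].split()[-1].lower() in ("all", "+all"):
        findings.append("spf-authorizes-any-sender")   # every server passes SPF
    if not dmarc:
        findings.append("dmarc-missing")
    elif tags(dmarc[0]).get("p", "").lower() == "none":
        findings.append("dmarc-monitor-only")          # p=none requests no action
    return findings


if __name__ == "__main__":
    for name, text in TXT_RECORDS:
        print(f"{classify(name, text):6} {name}")
    print(audit("example.com", TXT_RECORDS))
```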

Step 4: How This Relates to DNS Filtering

DNS filtering services like CleanBrowsing primarily intercept A and AAAA record lookups — the queries that translate domain names into IP addresses. This is where the filtering decision happens.

When a device queries CleanBrowsing for the A record of a blocked domain, the resolver does not return the real IP address of that domain's server. Instead, it returns a different IP address — one that points to a block page. The user's browser connects to the block page IP and sees a notification that the domain has been filtered, rather than the actual website content.

This mechanism is what makes DNS filtering transparent and effective. It operates at the most fundamental level of internet connectivity — the point where a domain name is translated into a routable address. No software needs to be installed on the user's device, no traffic needs to be decrypted, and no proxy needs to be configured. The filtering happens before any connection to the blocked server is established.

Other record types are generally passed through without filtering. MX records, TXT records, and NS records are not typically intercepted because they serve infrastructure purposes (email routing, domain verification, DNS delegation) rather than user-facing content access. However, some DNS filtering services may also filter AAAA records to ensure that blocked domains cannot be accessed via IPv6 when they are blocked on IPv4.
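A small model of the filtering decision described in this step, added here as an example and not CleanBrowsing's implementation. The zone data, blocklist and block-page addresses are constructed (documentation address ranges), and checking every name in the CNAME chain against the blocklist is an assumption of this model.

```python
# Constructed zone data (documentation address ranges), standing in for
# what authoritative servers would return. Not real answers.
ZONE = {
    ("allowed.example", "A"): ["192.0.2.10"],
    ("blocked.example", "A"): ["198.51.100.7"],
    ("blocked.example", "AAAA"): ["2001:db8::7"],
    ("blocked.example", "MX"): ["10 mail.blocked.example"],
    ("www.blocked.example", "CNAME"): ["blocked.example"],
}
BLOCKLIST = {"blocked.example"}                                # hypothetical policy
BLOCK_PAGE = {"A": "203.0.113.1", "AAAA": "2001:db8:ffff::1"}  # hypothetical block page


def lookup(name, rtype, max_chain=8):
    """Return (names visited, records) for a query, following CNAME aliases."""
    chain = [name]
    for _ in range(max_chain):
        if (name, rtype) in ZONE:
            return chain, ZONE[(name, rtype)]
        alias = ZONE.get((name, "CNAME"))
        if alias is None:
            return chain, []          # no data of this type
        name = alias[0]
        chain.append(name)
    raise ValueError("CNAME chain too long")


def is_blocked(name):
    """True if the name or any parent domain is on the blocklist."""
    labels = name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def filtered_answer(name, rtype, filtered_types=("A", "AAAA")):
    """Answer as a filtering resolver would: rewrite address lookups only."""
    chain, records = lookup(name, rtype)
    if rtype in filtered_types and any(is_blocked(n) for n in chain):
        return [BLOCK_PAGE[rtype]]
    return records                    # MX, TXT, NS and allowed names pass through


def leaking_types(name, filtered_types):
    """Address types that still return a real address for a blocked name."""
    return [t for t in ("A", "AAAA")
            if filtered_answer(name, t, filtered_types) not in ([], [BLOCK_PAGE[t]])]


if __name__ == "__main__":
    print(filtered_answer("www.blocked.example", "A"))
    print(leaking_types("blocked.example", ("A",)))
```

`leaking_types` is the check to run against a filter policy: a non-empty result means a blocked name still resolves to its real address over that record type.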

Understanding how DNS records work helps you understand both the power and the boundaries of DNS filtering. It works at the A/AAAA record level — which covers the vast majority of web browsing — but it cannot inspect the content delivered after the connection is established. For deeper inspection, URL filtering and traffic analysis tools are needed.

Understanding DNS is the first step to protecting your network.
