Advanced Record Configurations

This guide covers advanced DNS record configurations and specialized setups for experienced users who need to implement complex DNS scenarios in the UK DNS Privacy Project authoritative DNS service.

Complex DNS Scenarios

Wildcard Records

Wildcard DNS records match any subdomain that doesn’t have an explicit record. They’re created using an asterisk:

  1. To create a wildcard record:

    • Name: Enter *
    • Type: Select the desired record type (A, AAAA, CNAME, etc.)
    • Content: Enter the appropriate value
    • TTL: Set as needed
  2. Example for pointing all subdomains to a single IP:

    • Name: *
    • Type: A
    • Content: 192.248.144.82
    • TTL: Auto

Note: Specific records take precedence over wildcard records. For instance, if you have both a wildcard record and a specific blog record, requests for blog.example.com will use the specific record.
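The precedence rule in the note above, worked through as an added example (not part of the original guide or the service's code). It goes beyond the note to the standard wildcard rules of RFC 4592, which the service is assumed to follow: an existing name never falls back to the wildcard, even for a type it lacks, and a wildcard at the apex does not cover names beneath an existing name. The zone contents are constructed from records used elsewhere in this guide.

```python
# Constructed zone for example.com; names are relative to the apex, as in the
# record forms above. Maps (name, type) -> list of Content values.
WILDCARD_ZONE = {
    ("*", "A"): ["192.248.144.82"],
    ("blog", "A"): ["192.0.2.1"],
    ("_sip._tcp", "SRV"): ["10 60 5060 sip.example.com"],
}


def name_exists(name, zone):
    """True if name owns a record or is an ancestor of one (empty non-terminal)."""
    return any(n == name or n.endswith("." + name) for n, _ in zone)


def lookup(name, rtype, zone=WILDCARD_ZONE):
    """Return (source, values); source is exact, wildcard, nodata or nxdomain."""
    name = name.lower().rstrip(".")
    if name_exists(name, zone):
        # An existing name never falls back to the wildcard, even for a
        # record type it does not have.
        values = zone.get((name, rtype), [])
        return ("exact" if values else "nodata", values)
    # Closest encloser: strip leading labels until an existing name or the apex.
    labels = name.split(".")
    for i in range(1, len(labels) + 1):
        encloser = ".".join(labels[i:])
        if encloser == "" or name_exists(encloser, zone):
            wild = "*." + encloser if encloser else "*"
            if not name_exists(wild, zone):
                return ("nxdomain", [])
            values = zone.get((wild, rtype), [])
            return ("wildcard" if values else "nodata", values)


if __name__ == "__main__":
    for q in [("shop", "A"), ("blog", "A"), ("blog", "AAAA"),
              ("_tcp", "A"), ("a.blog", "A"), ("a.b", "A")]:
        print(q, "->", lookup(*q))
```
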

Apex Domain Optimization

Traditionally, the apex domain (example.com without www) cannot use a CNAME record. You can address this with:

  1. A/AAAA records: Direct IP address mapping
  2. ALIAS/ANAME records: Provided as a special record type that functions like CNAME but works at the apex

Multi-Value Records

Some record types (MX, NS) can have multiple values for redundancy:

  1. MX records: Create multiple records with different priorities:

    • First record: 10 primary-mail.example.com
    • Second record: 20 backup-mail.example.com
  2. A/AAAA records: Create multiple records with the same name but different IPs for round-robin DNS:

    • First record: Name: www, Type: A, Content: 192.0.2.1
    • Second record: Name: www, Type: A, Content: 192.0.2.2

Specialized Record Types

SRV Records

Service records specify the location of specific services:

Format: [Priority] [Weight] [Port] [Target]

Example for a SIP service:

  • Name: _sip._tcp
  • Type: SRV
  • Content: 10 60 5060 sip.example.com
  • TTL: 3600

CAA Records

Certificate Authority Authorization records specify which CAs can issue certificates for your domain:

Format: [Flag] [Tag] [Value]

Example allowing Let’s Encrypt:

  • Name: @
  • Type: CAA
  • Content: 0 issue "letsencrypt.org"
  • TTL: 3600

Additional CAA for reporting violations:

  • Content: 0 iodef "mailto:security@example.com"
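
How a CA's check of these records plays out, as an added example (not part of the original guide or the service's code). It follows the RFC 8659 rules in simplified form (no CNAME handling); the internal.example.com entry, the other zones in the test data and the CA names other than letsencrypt.org are hypothetical.

```python
import shlex

# Constructed zone data: owner name -> CAA Content strings. The example.com
# entries are the records shown above; internal.example.com is hypothetical.
CAA_ZONE = {
    "example.com": ['0 issue "letsencrypt.org"',
                    '0 iodef "mailto:security@example.com"'],
    "internal.example.com": ['0 issue ";"'],  # empty issuer: nobody may issue
}
KNOWN_TAGS = ("issue", "issuewild", "iodef")


def parse_caa(content):
    """Split '[Flag] [Tag] [Value]' into (flag, tag, value)."""
    flag, tag, value = shlex.split(content)
    return int(flag), tag.lower(), value


def relevant_caa(name, zone):
    """Climb from the name towards the root; the closest CAA set applies."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":          # for *.X the search starts at X
        labels = labels[1:]
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if owner in zone:
            return [parse_caa(c) for c in zone[owner]]
    return []


def may_issue(ca_domain, name, zone=CAA_ZONE):
    """Would a CA identified by ca_domain be authorised to issue for name?"""
    records = relevant_caa(name, zone)
    # Critical bit (128) on a tag the checker does not know forbids issuance.
    if any(flag & 128 and tag not in KNOWN_TAGS for flag, tag, _ in records):
        return False
    wildcard = name.startswith("*.")
    has_wild = any(tag == "issuewild" for _, tag, _ in records)
    wanted = "issuewild" if wildcard and has_wild else "issue"
    values = [v for _, tag, v in records if tag == wanted]
    if not values:
        return True               # no applicable restriction published
    # Value is an issuer domain, optionally followed by ';'-separated parameters.
    return any(v.split(";")[0].strip().lower() == ca_domain.lower()
               for v in values)
```
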

SSHFP Records

SSH Fingerprint records allow verification of SSH keys via DNS:

Format: [Algorithm] [Type] [Fingerprint]

Example:

  • Name: @
  • Type: SSHFP
  • Content: 2 1 123456789abcdef67890123456789abcdef67890
  • TTL: 3600

Multi-Service Configurations

Email Service Setup

A complete email configuration typically requires multiple record types:

  1. MX Records: Direct email to your mail servers

    • Name: @
    • Type: MX
    • Content: 10 mail.example.com
  2. SPF Record: Specify authorized email senders

    • Name: @
    • Type: TXT
    • Content: "v=spf1 include:_spf.example.com ~all"
  3. DKIM Record: Email authentication

    • Name: selector._domainkey
    • Type: TXT
    • Content: "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHMbfS..."
  4. DMARC Record: Policy for email authentication

    • Name: _dmarc
    • Type: TXT
    • Content: "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"

Web Application Setup

For a web application with various subdomains:

  1. Main website:

    • Name: @
    • Type: A
    • Content: 192.0.2.1
  2. WWW subdomain:

    • Name: www
    • Type: CNAME
    • Content: example.com
  3. API subdomain:

    • Name: api
    • Type: A
    • Content: 192.0.2.2
  4. Development environment:

    • Name: dev
    • Type: A
    • Content: 192.0.2.3

Geo-DNS and Traffic Management

While our service doesn’t directly provide geo-routing, you can implement basic traffic distribution:

Round-Robin DNS

Create multiple A/AAAA records with the same name but different IP addresses:

  • Record 1: Name: www, Content: 192.0.2.1
  • Record 2: Name: www, Content: 192.0.2.2
  • Record 3: Name: www, Content: 192.0.2.3

DNS resolvers will rotate through these IPs, distributing traffic across servers.

DNS Security Implementations

DNSSEC Implementation

Beyond simply switching DNSSEC on, a working deployment involves the following steps:

  1. Enable DNSSEC in your domain settings
  2. Configure the appropriate DS records at your registrar
  3. Verify DNSSEC is working with online tools

For detailed instructions, see our DNSSEC documentation.

Subdomain Delegation with DNSSEC

When delegating a subdomain to another DNS provider:

  1. Create the appropriate NS records for the subdomain
  2. If both the parent and child zones use DNSSEC, ensure proper DS records are in place
  3. Coordinate key signing with both providers

Scripting and Automation

API-Based Management

For advanced users managing numerous records, our API offers programmatic control:

  1. Generate API credentials in your account settings
  2. Use the API to create, update, and delete records
  3. Integrate with your CI/CD pipelines

Example API call to create a record:

curl -X POST "https://api.dnsprivacy.org.uk/v1/domains/{domain_id}/records" \
  -H "Authorization: Bearer {your_api_token}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "api",
    "type": "A",
    "content": "192.0.2.10",
    "ttl": 3600
  }'

See our API documentation for complete details.

Testing and Verification

Record Validation

After implementing complex configurations:

  1. Use dig or online DNS tools to verify individual records:

    dig @ns1.dnsprivacy.org.uk SRV _sip._tcp.example.com
    
  2. Verify entire DNS setup with comprehensive tools:

    dig @ns1.dnsprivacy.org.uk example.com ANY
    

Propagation Verification

For critical DNS changes:

  1. Check multiple DNS resolvers to confirm propagation
  2. Use online propagation checkers to verify global availability
  3. Test from different geographic locations or networks

Troubleshooting Advanced Setups

DNSSEC Issues

If you encounter DNSSEC validation failures:

  1. Verify DS records match the KSK in your DNSSEC configuration
  2. Check for timing issues in key rollovers
  3. Ensure proper chain of trust from root to your domain
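
Step 1 above, and the DS configuration step under DNSSEC Implementation, as an added example (not part of the original guide or the service's tooling): derive the DS record from the zone's KSK and compare it with what the registrar holds. The key is constructed placeholder data and the function names are this example's own.

```python
import base64
import hashlib
import struct

# Constructed 64-byte public key (the size used by algorithm 13); not a real key.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the key."""
    return struct.pack(">HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B; not algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, key_b64, digest_type=2):
    """Return 'keytag algorithm digest-type digest' for one DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    # The DS digest covers the owner name followed by the DNSKEY RDATA.
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest.upper()}"


def ds_matches(ds_at_registrar, owner, flags, protocol, algorithm, key_b64):
    """Compare the registrar's DS with the one derived from the zone's KSK."""
    tag, alg, dtype, digest = ds_at_registrar.split(None, 3)
    if not flags & 1:             # SEP bit clear: this DNSKEY is not a KSK
        return False
    if int(dtype) not in DIGESTS:
        return False
    expected = make_ds(owner, flags, protocol, algorithm, key_b64, int(dtype))
    return expected.split() == [tag, alg, dtype, digest.replace(" ", "").upper()]


if __name__ == "__main__":
    ds = make_ds("example.com", 257, 3, 13, SAMPLE_KEY)
    print("DS:", ds)
    print("match:", ds_matches(ds, "example.com", 257, 3, 13, SAMPLE_KEY))
```
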

Delegation Problems

For subdomain delegation issues:

  1. Confirm the NS records exist and point to the correct nameservers
  2. Verify glue records if using in-bailiwick nameservers
  3. Test delegation using dig +trace to follow the delegation chain

Cache-Related Problems

When changes aren’t visible immediately:

  1. Account for TTL values in your testing timeframe
  2. Use DNS resolvers that haven’t cached previous values
  3. Force cache clearing in your testing environment

Best Practices

Performance Optimization

Optimize DNS performance with these practices:

  1. Minimize DNS lookups: Consolidate services on fewer domains when possible
  2. Use appropriate TTL values: Higher for stable records, lower for frequently changed ones
  3. Avoid unnecessary wildcard records: They can increase lookup times and cache sizes

Security Considerations

Enhance your domain security:

  1. Implement DNSSEC: Protect against DNS spoofing
  2. Use restrictive CAA records: Limit which CAs can issue certificates
  3. Apply SPF, DKIM, and DMARC: Prevent email spoofing
  4. Regularly audit DNS records: Remove unused or outdated entries
