Advanced Record Configurations
This guide covers advanced DNS record configurations and specialized setups for experienced users who need to implement complex DNS scenarios in the UK DNS Privacy Project authoritative DNS service.
Complex DNS Scenarios
Wildcard Records
Wildcard DNS records match any subdomain that doesn’t have an explicit record. They’re created using an asterisk.
To create a wildcard record:
- Name: Enter *
- Type: Select the desired record type (A, AAAA, CNAME, etc.)
- Content: Enter the appropriate value
- TTL: Set as needed
Example for pointing all subdomains to a single IP:
- Name: *
- Type: A
- Content: 192.248.144.82
- TTL: Auto
Note: Specific records take precedence over wildcard records. For instance, if you have both a wildcard record and a specific blog record, requests for blog.example.com will use the specific record. An existing name also blocks the wildcard for everything beneath it: with a blog record present, the wildcard does not answer for sub.blog.example.com either.
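The precedence rule above, worked through as an added example that is not part of the service's documentation: a minimal lookup over a constructed zone that applies the standard wildcard matching rules (RFC 4592), including the case where an existing name blocks the wildcard for names beneath it.

```python
# Constructed zone for the example: owner name -> [(type, content), ...].
# "cdn.static.example.com" makes "static.example.com" an empty non-terminal.
ZONE = {
    "example.com": [("A", "192.0.2.1")],
    "*.example.com": [("A", "192.248.144.82")],
    "blog.example.com": [("A", "192.0.2.5")],
    "cdn.static.example.com": [("A", "192.0.2.7")],
}

def name_exists(name, zone):
    """A name exists if it owns records or is an ancestor of a name that does
    (an empty non-terminal). Either kind blocks a wildcard above it."""
    return name in zone or any(owner.endswith("." + name) for owner in zone)

def lookup(qname, qtype, zone=ZONE):
    """Answer for qname/qtype following the wildcard rules of RFC 4592:
    [] means the name exists but has no such record (NODATA),
    None means no name matches at all (NXDOMAIN)."""
    qname = qname.rstrip(".").lower()
    if name_exists(qname, zone):  # exact name: specific beats wildcard
        return [c for t, c in zone.get(qname, []) if t == qtype]
    labels = qname.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if name_exists(ancestor, zone):  # the closest encloser
            wildcard = "*." + ancestor
            if wildcard in zone:  # only a wildcard directly under it matches
                return [c for t, c in zone[wildcard] if t == qtype]
            return None  # an existing name with no wildcard blocks deeper matches
    return None  # nothing in this zone matches
```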
Apex Domain Optimization
Traditionally, the apex domain (example.com without www) cannot use a CNAME record, because a CNAME may not coexist with the SOA and NS records that every zone apex must carry. You can address this with:
- A/AAAA records: Direct IP address mapping
- ALIAS/ANAME records: Provided as a special record type that functions like CNAME but works at the apex
Multi-Value Records
Some record types (MX, NS) can have multiple values for redundancy:
- MX records: Create multiple records with different priorities:
  - First record: 10 primary-mail.example.com
  - Second record: 20 backup-mail.example.com
- A/AAAA records: Create multiple records with the same name but different IPs for round-robin DNS:
  - First record: Name: www, Type: A, Content: 192.0.2.1
  - Second record: Name: www, Type: A, Content: 192.0.2.2
Specialized Record Types
SRV Records
Service records specify the location of specific services:
Format: [Priority] [Weight] [Port] [Target]
Example for a SIP service:
- Name: _sip._tcp
- Type: SRV
- Content: 10 60 5060 sip.example.com
- TTL: 3600
CAA Records
Certificate Authority Authorization records specify which CAs can issue certificates for your domain:
Format: [Flag] [Tag] [Value]
Example allowing Let’s Encrypt:
- Name: @
- Type: CAA
- Content: 0 issue "letsencrypt.org"
- TTL: 3600
An issue tag also governs wildcard certificates unless a separate issuewild tag is present.
Additional CAA for reporting violations:
- Content: 0 iodef "mailto:security@example.com"
SSHFP Records
SSH Fingerprint records allow verification of SSH host keys via DNS:
Format: [Algorithm] [Type] [Fingerprint]
Algorithm numbers: 1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519. Fingerprint types: 1 SHA-1 (40 hex characters), 2 SHA-256 (64 hex characters).
Example:
- Name: @
- Type: SSHFP
- Content: 2 1 123456789abcdef67890123456789abcdef67890
- TTL: 3600
Clients only gain assurance from SSHFP data when the zone is DNSSEC-signed and the client validates it (OpenSSH requires VerifyHostKeyDNS to be enabled); an unsigned SSHFP answer is as spoofable as any other DNS response.
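An added example, not tooling from the service, that checks the SRV, CAA and SSHFP content formats from the three sections above before a record is submitted. It goes slightly beyond the page by enforcing the numeric ranges and the fingerprint length implied by the hash type; the error strings are the example's own.

```python
import re

SSHFP_ALGS = {1: "RSA", 2: "DSA", 3: "ECDSA", 4: "Ed25519", 6: "Ed448"}
SSHFP_FP_LEN = {1: 40, 2: 64}  # type 1 = SHA-1 (20 bytes), 2 = SHA-256 (32 bytes), hex-encoded

def _hostname(name):
    """Each label is 1-63 chars of [a-z0-9-] and does not start or end with '-'."""
    labels = name.rstrip(".").split(".")
    return all(re.fullmatch(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?", lab, re.I) for lab in labels)

def validate_srv(content):
    """[Priority] [Weight] [Port] [Target]; returns None if valid, otherwise a reason."""
    parts = content.split()
    if len(parts) != 4:
        return "SRV needs exactly four fields"
    if not all(p.isdigit() and int(p) <= 65535 for p in parts[:3]):
        return "priority, weight and port must be integers 0-65535"
    if not _hostname(parts[3]):
        return "target must be a hostname"
    return None

def validate_caa(content):
    """[Flag] [Tag] "[Value]"; the value must be double-quoted."""
    m = re.fullmatch(r'(\d{1,3}) ([a-z]+) "([^"]*)"', content)
    if not m:
        return 'CAA must be: <flag> <tag> "<value>"'
    flag, tag, value = int(m.group(1)), m.group(2), m.group(3)
    if flag > 255 or tag not in ("issue", "issuewild", "iodef"):
        return "flag must be 0-255 (128 = issuer critical) and tag issue, issuewild or iodef"
    if tag == "iodef" and not value.startswith(("mailto:", "http://", "https://")):
        return "iodef value must be a mailto: or http(s): URL"
    if tag != "iodef" and value != ";" and not _hostname(value.split(";")[0].strip()):
        return "issue/issuewild value must be a CA domain, or ';' to forbid issuance"
    return None

def validate_sshfp(content):
    """[Algorithm] [Type] [Fingerprint]; the hex length must match the hash type."""
    parts = content.split()
    if len(parts) != 3 or not (parts[0].isdigit() and parts[1].isdigit()):
        return "SSHFP must be: <algorithm> <fingerprint type> <hex fingerprint>"
    alg, fptype, fp = int(parts[0]), int(parts[1]), parts[2]
    if alg not in SSHFP_ALGS or fptype not in SSHFP_FP_LEN:
        return "algorithm must be 1-4 or 6 and fingerprint type 1 (SHA-1) or 2 (SHA-256)"
    if len(fp) != SSHFP_FP_LEN[fptype] or not re.fullmatch(r"[0-9a-fA-F]+", fp):
        return "fingerprint must be %d hex characters for type %d" % (SSHFP_FP_LEN[fptype], fptype)
    return None

def validate_record(rtype, content):
    """Dispatch on record type; None means the content is well-formed."""
    fn = {"SRV": validate_srv, "CAA": validate_caa, "SSHFP": validate_sshfp}.get(rtype.upper())
    return fn(content) if fn else "no validator for type %s" % rtype
```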
Multi-Service Configurations
Email Service Setup
A complete email configuration typically requires multiple record types:
- MX Records: Direct email to your mail servers
  - Name: @
  - Type: MX
  - Content: 10 mail.example.com
- SPF Record: Specify authorized email senders
  - Name: @
  - Type: TXT
  - Content: "v=spf1 include:_spf.example.com ~all"
- DKIM Record: Email authentication
  - Name: selector._domainkey
  - Type: TXT
  - Content: "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHMbfS..."
- DMARC Record: Policy for email authentication
  - Name: _dmarc
  - Type: TXT
  - Content: "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
Web Application Setup
For a web application with various subdomains:
- Main website:
  - Name: @
  - Type: A
  - Content: 192.0.2.1
- WWW subdomain:
  - Name: www
  - Type: CNAME
  - Content: example.com
- API subdomain:
  - Name: api
  - Type: A
  - Content: 192.0.2.2
- Development environment:
  - Name: dev
  - Type: A
  - Content: 192.0.2.3
Geo-DNS and Traffic Management
While our service doesn’t directly provide geo-routing, you can implement basic traffic distribution:
Round-Robin DNS
Create multiple A/AAAA records with the same name but different IP addresses:
- Record 1: www → 192.0.2.1
- Record 2: www → 192.0.2.2
- Record 3: www → 192.0.2.3
DNS resolvers will rotate through these IPs, distributing traffic across servers. Round-robin provides no health checking: a server that goes down keeps receiving its share of requests until its record is removed and cached copies expire.
DNS Security Implementations
DNSSEC Implementation
Beyond basic enabling, advanced DNSSEC configurations can be managed:
- Enable DNSSEC in your domain settings
- Configure the appropriate DS records at your registrar
- Verify DNSSEC is working with online tools
For detailed instructions, see our DNSSEC documentation.
Subdomain Delegation with DNSSEC
When delegating a subdomain to another DNS provider:
- Create the appropriate NS records for the subdomain
- If both the parent and child zones use DNSSEC, ensure proper DS records are in place
- Coordinate key signing with both providers
Scripting and Automation
API-Based Management
For advanced users managing numerous records, our API offers programmatic control:
- Generate API credentials in your account settings
- Use the API to create, update, and delete records
- Integrate with your CI/CD pipelines
Example API call to create a record:
curl -X POST "https://api.dnsprivacy.org.uk/v1/domains/{domain_id}/records" \
-H "Authorization: Bearer {your_api_token}" \
-H "Content-Type: application/json" \
-d '{
"name": "api",
"type": "A",
"content": "192.0.2.10",
"ttl": 3600
}'
See our API documentation for complete details.
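The same record-creation call as a small Python client, added here as an example rather than taken from the project's API documentation. It assumes only what the curl example shows (the endpoint path, the Bearer header and the JSON fields); the DNSPRIVACY_API_TOKEN environment variable name is the example's own choice, and the response body format is not documented on this page, so only the HTTP status is checked.

```python
import json
import os
import urllib.parse
import urllib.request

API_BASE = "https://api.dnsprivacy.org.uk/v1"  # endpoint as shown in the curl example

def build_create_record_request(domain_id, name, rtype, content, ttl, token):
    """Return (url, headers, body) for the record-creation call shown above.
    The token is passed in rather than embedded so it can come from a CI secret store."""
    if not token:
        raise ValueError("missing API token (set DNSPRIVACY_API_TOKEN)")
    url = "%s/domains/%s/records" % (API_BASE, urllib.parse.quote(str(domain_id), safe=""))
    headers = {"Authorization": "Bearer " + token, "Content-Type": "application/json"}
    body = json.dumps({"name": name, "type": rtype.upper(), "content": content, "ttl": int(ttl)})
    return url, headers, body

def create_record(domain_id, name, rtype, content, ttl=3600, timeout=10):
    """Send the request; urllib raises HTTPError on a non-2xx reply.
    Returns (status, response_text) so the caller can log the outcome."""
    token = os.environ.get("DNSPRIVACY_API_TOKEN")  # assumed variable name, not from the page
    url, headers, body = build_create_record_request(domain_id, name, rtype, content, ttl, token)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode()
```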
Testing and Verification
Record Validation
After implementing complex configurations:
- Use dig or online DNS tools to verify individual records:
  dig @ns1.dnsprivacy.org.uk SRV _sip._tcp.example.com
- Verify entire DNS setup with comprehensive tools:
  dig @ns1.dnsprivacy.org.uk example.com ANY
  Many servers return minimal answers to ANY queries (RFC 8482), so query each record type individually if the ANY response looks incomplete.
Propagation Verification
For critical DNS changes:
- Check multiple DNS resolvers to confirm propagation
- Use online propagation checkers to verify global availability
- Test from different geographic locations or networks
Troubleshooting Advanced Setups
DNSSEC Issues
If you encounter DNSSEC validation failures:
- Verify DS records match the KSK in your DNSSEC configuration
- Check for timing issues in key rollovers
- Ensure proper chain of trust from root to your domain
Delegation Problems
For subdomain delegation issues:
- Confirm the NS records exist and point to the correct nameservers
- Verify glue records if using in-bailiwick nameservers
- Test delegation using dig +trace to follow the delegation chain
Cache-Related Problems
When changes aren’t visible immediately:
- Account for TTL values in your testing timeframe
- Use DNS resolvers that haven’t cached previous values
- Force cache clearing in your testing environment
Best Practices
Performance Optimization
Optimize DNS performance with these practices:
- Minimize DNS lookups: Consolidate services on fewer domains when possible
- Use appropriate TTL values: Higher for stable records, lower for frequently changed ones
- Avoid unnecessary wildcard records: They can increase lookup times and cache sizes
Security Considerations
Enhance your domain security:
- Implement DNSSEC: Protect against DNS spoofing
- Use restrictive CAA records: Limit which CAs can issue certificates
- Apply SPF, DKIM, and DMARC: Prevent email spoofing
- Regularly audit DNS records: Remove unused or outdated entries