DNS (Domain Name System) record types are directly tested on CompTIA Network+ N10-009. You must recognize what each record type does, when it is used, and how DNS troubleshooting relates to each type. Network+ tests DNS at a conceptual and operational level — not configuration syntax — with questions about record purposes, TTL, forward and reverse lookups, and common DNS failure scenarios.
A record (Address record): maps a hostname to an IPv4 address. This is the most fundamental DNS record — when you type google.com, a DNS A record returns the IPv4 address. AAAA record: maps a hostname to an IPv6 address (four times the bits of an A record — hence four A's).
CNAME (Canonical Name) record: creates an alias from one name to another. www.example.com can be a CNAME pointing to example.com. The client follows the CNAME chain until reaching an A or AAAA record. A CNAME cannot point to an IP address directly, and it cannot be placed at the zone apex (the root domain itself), because a CNAME cannot coexist with other records at the same name and the apex always carries SOA and NS records.
MX (Mail Exchanger) record: specifies the mail server responsible for accepting email for a domain. Multiple MX records can exist with priority values — lower priority number = higher preference. When someone sends email to user@example.com, the sending server queries MX records to find where to deliver it.
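The CNAME chain and MX preference rules above, worked through over a small zone. This is an added example, not part of the original study guide; the zone contents, the `resolve` and `mx_delivery_order` helpers, and the `MAX_CHAIN` limit are assumptions made for illustration.

```python
# Constructed zone data for illustration; names and addresses are documentation values.
ZONE = {
    ("example.com", "A"): ["192.0.2.10"],
    ("www.example.com", "CNAME"): ["web.example.com"],
    ("web.example.com", "CNAME"): ["example.com"],
    ("loop-a.example.com", "CNAME"): ["loop-b.example.com"],
    ("loop-b.example.com", "CNAME"): ["loop-a.example.com"],
    ("example.com", "MX"): [(20, "backup-mx.example.com"), (10, "mx1.example.com")],
    ("mx1.example.com", "A"): ["192.0.2.25"],
    ("backup-mx.example.com", "A"): ["198.51.100.25"],
}

MAX_CHAIN = 8  # assumed limit for this example; real resolvers also cap alias chains


def resolve(name, rtype="A", zone=ZONE):
    """Follow CNAME aliases until a record of type rtype is found.

    Returns (chain_of_names, answers). Raises ValueError on an alias loop or
    an over-long chain; returns an empty answer list if nothing matches.
    """
    chain = [name]
    while True:
        if (name, rtype) in zone:
            return chain, zone[(name, rtype)]
        alias = zone.get((name, "CNAME"))
        if alias is None:
            return chain, []
        name = alias[0]
        if name in chain or len(chain) >= MAX_CHAIN:
            raise ValueError("CNAME loop or chain too long: " + " -> ".join(chain + [name]))
        chain.append(name)


def mx_delivery_order(domain, zone=ZONE):
    """Return [(preference, host, addresses)] with the lowest preference first."""
    ordered = sorted(zone.get((domain, "MX"), []))
    return [(pref, host, resolve(host, "A", zone)[1]) for pref, host in ordered]


if __name__ == "__main__":
    print(resolve("www.example.com"))
    print(mx_delivery_order("example.com"))
```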
PTR (Pointer) record: the reverse of an A record — maps an IP address to a hostname. Used for reverse DNS lookups (IP→hostname). PTR records live in the in-addr.arpa zone for IPv4 (or ip6.arpa for IPv6). Used by mail servers to verify sender legitimacy and in security tools.
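How a PTR owner name is built, and how a mail server can use it to check a sender, shown as an added example that is not part of the original study guide. It goes one step beyond the text by confirming the PTR hostname with a forward lookup (forward-confirmed reverse DNS); the record tables and the `reverse_name` and `fcrdns` helpers are assumptions made for illustration.

```python
import ipaddress

# Constructed records for illustration (documentation address ranges).
PTR = {
    "25.2.0.192.in-addr.arpa": "mx1.example.com",
    "99.100.51.198.in-addr.arpa": "mail.example.net",
}
FORWARD = {
    "mx1.example.com": ["192.0.2.25"],
    "mail.example.net": ["203.0.113.7"],  # forward record disagrees with the PTR
}


def reverse_name(ip):
    """Build the PTR owner name: reversed octets under in-addr.arpa for IPv4,
    reversed hex nibbles under ip6.arpa for IPv6."""
    return ipaddress.ip_address(ip).reverse_pointer


def fcrdns(ip, ptr=PTR, forward=FORWARD):
    """Return (status, hostname); status is 'pass', 'no-ptr' or 'mismatch'."""
    host = ptr.get(reverse_name(ip))
    if host is None:
        return "no-ptr", None
    addr = ipaddress.ip_address(ip)
    # The PTR alone proves nothing: whoever controls the reverse zone can put
    # any hostname there, so the hostname must resolve back to the same IP.
    for candidate in forward.get(host, []):
        if ipaddress.ip_address(candidate) == addr:
            return "pass", host
    return "mismatch", host


if __name__ == "__main__":
    for sample in ("192.0.2.25", "198.51.100.99", "192.0.2.1"):
        print(sample, reverse_name(sample), fcrdns(sample))
```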
NS (Name Server) record: identifies the authoritative name servers for a domain. Every domain must have at least two NS records for redundancy. SOA (Start of Authority) record: contains administrative information about the zone — primary name server, responsible person email, serial number, refresh/retry/expire timers, and minimum TTL.
TXT (Text) record: stores arbitrary text data. Modern uses: SPF (Sender Policy Framework) to prevent email spoofing, DKIM (DomainKeys Identified Mail) public keys, DMARC policies, and domain ownership verification for services like Google Workspace. SPF records in TXT format specify which servers are authorized to send email for a domain.
SRV (Service) record: specifies the location of services using a structured format including hostname, port, protocol, priority, and weight. Used by VoIP (SIP), Microsoft Active Directory (locating domain controllers), and other services that need to advertise their location in DNS.
TTL (Time to Live): controls how long DNS responses are cached by resolvers and clients. Short TTL = more DNS queries but faster propagation of changes. Long TTL = fewer queries but slower change propagation. During planned changes (migration, IP change), reduce TTL hours before the change to minimize caching delays.
DNS resolution process: client queries local cache → local DNS resolver (ISP or corporate DNS server) → root nameservers → TLD nameservers (e.g., .com, .org) → authoritative nameserver for the domain → returns the record. This iterative process is transparent to users.
Recursive resolver: the DNS server (typically your ISP or Google 8.8.8.8) that does the full lookup on your behalf and caches results. Authoritative nameserver: the server that holds the actual DNS records for a zone — the final answer. Forwarder: a DNS server that forwards queries it cannot answer to another DNS server rather than querying root servers directly.
| Record | Purpose | Maps |
|---|---|---|
| A | IPv4 address mapping | Hostname → IPv4 |
| AAAA | IPv6 address mapping | Hostname → IPv6 |
| CNAME | Alias | Name → Another name |
| MX | Mail server | Domain → Mail server hostname |
| PTR | Reverse lookup | IP address → Hostname |
| NS | Name server | Domain → Authoritative DNS server |
| TXT | Text data / SPF / DKIM | Domain → Text string |
| SOA | Zone authority | Zone → Administrative info |
| SRV | Service location | Service → Host + port |
Misconception: CNAME records can point directly to IP addresses.
Reality: CNAME records must point to another hostname (which eventually resolves to an IP via an A/AAAA record). They cannot contain IP addresses directly.
Misconception: There can only be one MX record per domain.
Reality: Multiple MX records are normal and recommended for redundancy. The priority value determines preference: the lowest number is tried first.
Misconception: PTR records are automatically created when A records are added.
Reality: PTR records in the reverse DNS zone must be created separately. They are often managed by the ISP or cloud provider that owns the IP address block.
These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.
A mail server administrator reports that incoming email from their domain is being rejected by recipients as potential spam. After investigation, the sending IP address does not match the domain's DNS records. Which DNS record type should be checked and corrected?
Explanation: SPF (Sender Policy Framework) is stored in a DNS TXT record and specifies which IP addresses are authorized to send email for a domain. If the sending server's IP is not listed in the SPF record, receiving mail servers may reject or flag the email as spam. An A record maps names to IPs; MX records identify inbound mail servers; CNAME creates aliases.
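The check a receiving server performs against the SPF TXT record, as an added example that is not part of the original study guide. It covers only the `ip4`, `ip6` and `all` mechanisms and stops with a `needs-dns` result when a term would require further lookups; the sample record and the `check_spf` helper are assumptions made for illustration.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
NEEDS_DNS = ("include", "a", "mx", "exists", "ptr")

# Constructed TXT record for illustration.
RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.example.net -all"


def check_spf(txt_record, sender_ip):
    """Evaluate ip4/ip6/all terms left to right for sender_ip.

    Returns the result of the first matching mechanism, 'none' if the TXT
    string is not an SPF record, 'permerror' on a malformed network, and
    'needs-dns:<term>' when the answer depends on a lookup not done here.
    """
    terms = txt_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    redirect = None
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name.startswith("redirect="):
            redirect = term  # only consulted if no mechanism matches
        elif name.split("/")[0] in NEEDS_DNS:
            return "needs-dns:" + term
    return "needs-dns:" + redirect if redirect else "neutral"


if __name__ == "__main__":
    for sample in ("192.0.2.25", "2001:db8::25", "203.0.113.9"):
        print(sample, check_spf(RECORD, sample))
```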
A network technician needs to verify which mail server handles email for the domain example.com. Which DNS record type contains this information?
Explanation: MX (Mail Exchanger) records identify the mail servers responsible for accepting email for a domain. The technician would query: nslookup -type=MX example.com or dig MX example.com. A records map hostnames to IPs; PTR records are for reverse lookups; NS records identify name servers.
nslookup: built into Windows and Linux — nslookup -type=MX example.com. dig: powerful Linux/macOS DNS tool — dig MX example.com. host: simple Linux tool — host -t MX example.com. Online: dnschecker.org, mxtoolbox.com. For reverse lookup: nslookup 8.8.8.8 or dig -x 8.8.8.8.
DNS poisoning (cache poisoning) injects false DNS records into a resolver's cache, causing clients to be directed to malicious IPs. DNSSEC (DNS Security Extensions) adds digital signatures to DNS records, allowing resolvers to cryptographically verify that records are authentic and unmodified. DNSSEC does not encrypt DNS traffic — it only provides integrity verification.