DNS Deep Dive: Records, Propagation, and CDN Routing Explained

DNS Is the Foundation of Everything

Every time a user visits your website, DNS translates your domain name into an IP address. If DNS is slow, your site feels slow. If DNS is down, your site is down. Understanding DNS is fundamental to running production infrastructure.

DNS Record Types

A Record (IPv4 Address)

Maps a domain to an IPv4 address:

techsaas.cloud.    IN  A  104.21.32.123

AAAA Record (IPv6 Address)

Maps a domain to an IPv6 address:

techsaas.cloud.    IN  AAAA  2606:4700:3030::6815:207b

CNAME Record (Canonical Name)

Alias one domain to another. The most used record for subdomains:

www.techsaas.cloud.    IN  CNAME  techsaas.cloud.
git.techsaas.cloud.    IN  CNAME  a0838c12.cfargotunnel.com.

Important: CNAME records cannot coexist with other record types on the same name. You cannot have both a CNAME and an MX record for the same subdomain.

MX Record (Mail Exchange)

Where to deliver email for your domain:

techsaas.cloud.    IN  MX  10  mail1.example.com.
techsaas.cloud.    IN  MX  20  mail2.example.com.

The number (10, 20) is priority — lower means preferred.

TXT Record (Text)

Used for verification, SPF, DKIM, and DMARC:

techsaas.cloud.    IN  TXT  "v=spf1 include:_spf.google.com ~all"
_dmarc.techsaas.cloud.  IN  TXT  "v=DMARC1; p=reject; rua=mailto:[email protected]"

SRV Record (Service)

Specifies host and port for specific services:

_matrix._tcp.techsaas.cloud.  IN  SRV  10 0 8448 chat.techsaas.cloud.

Format: priority weight port target

CAA Record (Certificate Authority Authorization)

Controls which CAs can issue certificates for your domain:

techsaas.cloud.    IN  CAA  0 issue "letsencrypt.org"
techsaas.cloud.    IN  CAA  0 issuewild "letsencrypt.org"
techsaas.cloud.    IN  CAA  0 iodef "mailto:[email protected]"

TTL Strategy

TTL (Time To Live) controls how long DNS resolvers cache a record. Getting TTL right is critical:

TTL migration strategy:

Day -7:  Lower TTL from 3600 to 300
Day -1:  Lower TTL from 300 to 60
Day 0:   Change record (IP migration)
Day +1:  Verify traffic shifted
Day +2:  Raise TTL back to 3600

How DNS Propagation Works

DNS "propagation" is really about cache expiration:

Browser Cache (minutes)
    ↓
OS Resolver Cache (varies)
    ↓
ISP Recursive Resolver (honors TTL)
    ↓
Authoritative Nameserver (source of truth)

When you update a DNS record:

1. The authoritative nameserver has the new record immediately
2. Recursive resolvers serve the cached old record until TTL expires
3. Each resolver expires independently — there is no global "propagation"

Troubleshooting DNS:

# Query authoritative nameserver directly
dig @ns1.cloudflare.com techsaas.cloud A

# Query Google's resolver
dig @8.8.8.8 techsaas.cloud A

# Query Cloudflare's resolver
dig @1.1.1.1 techsaas.cloud A

# Check all record types
dig techsaas.cloud ANY

# Trace the full resolution path
dig +trace techsaas.cloud

# Check CNAME chain
dig +short techsaas.cloud CNAME

# Check TTL remaining
dig techsaas.cloud | grep -E "^techsaas"
# techsaas.cloud.  257  IN  A  104.21.32.123
# (257 seconds remaining in cache)

Cloudflare DNS and Proxied Records

Cloudflare offers two modes for DNS records:

DNS Only (grey cloud): Normal DNS, returns your actual IP address. Use for:

• MX records (email)
• SRV records
• Non-HTTP services
• Records that must resolve to the real IP

Proxied (orange cloud): Traffic goes through Cloudflare's network. Use for:

• Web applications (HTTP/HTTPS)
• DDoS protection
• CDN caching
• WAF rules
• Cloudflare Tunnel endpoints

# Cloudflare API: Create proxied CNAME record
curl -X POST "https://api.cloudflare.com/client/v4/zones/ZONE_ID/dns_records" \
  -H "Authorization: Bearer CF_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{
    "type": "CNAME",
    "name": "app",
    "content": "a0838c12.cfargotunnel.com",
    "proxied": true,
    "ttl": 1
  }'

GeoDNS and CDN Routing

CDNs use DNS to route users to the nearest edge server:

User in Tokyo → DNS query → Anycast resolves to Tokyo POP → Content served from Tokyo
User in London → DNS query → Anycast resolves to London POP → Content served from London

Cloudflare uses Anycast (same IP announced from 300+ locations) instead of GeoDNS. The network layer routes packets to the nearest POP automatically.

For multi-region deployments, you can use Cloudflare Load Balancer:

api.techsaas.cloud → Cloudflare LB
    ├── Pool: US-East (primary, weight 50%)
    │   ├── server-us-1: 10.0.1.1
    │   └── server-us-2: 10.0.1.2
    ├── Pool: EU-West (primary, weight 50%)
    │   ├── server-eu-1: 10.0.2.1
    │   └── server-eu-2: 10.0.2.2
    └── Pool: AP-South (fallback)
        └── server-ap-1: 10.0.3.1

DNS Security

DNSSEC

DNSSEC adds cryptographic signatures to DNS records, preventing spoofing:

# Check if domain has DNSSEC
dig +dnssec techsaas.cloud

# Verify DNSSEC chain
delv @8.8.8.8 techsaas.cloud

DNS over HTTPS (DoH) and DNS over TLS (DoT)

Encrypts DNS queries to prevent ISP snooping:

DoH: https://1.1.1.1/dns-query
DoT: tls://1.1.1.1:853

At TechSaaS, all our subdomains (33 services) point to our Cloudflare Tunnel via CNAME records. This means zero ports exposed on our server, DDoS protection, and CDN caching — all controlled through DNS. We manage our DNS records programmatically using the Cloudflare API, with automated CNAME creation whenever we deploy a new service.