
DNS Deep Dive: Records, Propagation, and CDN Routing Explained

Everything you need to know about DNS for web infrastructure. Record types, TTL strategies, propagation mechanics, GeoDNS, Cloudflare routing, and...

Yash Pritwani

DNS Is the Foundation of Everything

Every time a user visits your website, DNS translates your domain name into an IP address. If DNS is slow, your site feels slow. If DNS is down, your site is down. Understanding DNS is fundamental to running production infrastructure.

[Figure: A reverse proxy terminates TLS, routes requests by hostname, and load-balances across backend services.]

DNS Record Types

A Record (IPv4 Address)

Maps a domain to an IPv4 address:

techsaas.cloud.    IN  A  104.21.32.123

AAAA Record (IPv6 Address)

Maps a domain to an IPv6 address:

techsaas.cloud.    IN  AAAA  2606:4700:3030::6815:207b

CNAME Record (Canonical Name)

Aliases one name to another. The most commonly used record type for subdomains:

www.techsaas.cloud.    IN  CNAME  techsaas.cloud.
git.techsaas.cloud.    IN  CNAME  a0838c12.cfargotunnel.com.

Important: CNAME records cannot coexist with other record types on the same name. You cannot have both a CNAME and an MX record for the same subdomain.

MX Record (Mail Exchange)

Where to deliver email for your domain:

techsaas.cloud.    IN  MX  10  mail1.example.com.
techsaas.cloud.    IN  MX  20  mail2.example.com.

The number (10, 20) is priority — lower means preferred.

TXT Record (Text)

Used for verification, SPF, DKIM, and DMARC:

techsaas.cloud.    IN  TXT  "v=spf1 include:_spf.google.com ~all"
_dmarc.techsaas.cloud.  IN  TXT  "v=DMARC1; p=reject; rua=mailto:[email protected]"

SRV Record (Service)

Specifies host and port for specific services:

_matrix._tcp.techsaas.cloud.  IN  SRV  10 0 8448 chat.techsaas.cloud.

Format: priority weight port target


CAA Record (Certificate Authority Authorization)

Controls which CAs can issue certificates for your domain:

techsaas.cloud.    IN  CAA  0 issue "letsencrypt.org"
techsaas.cloud.    IN  CAA  0 issuewild "letsencrypt.org"
techsaas.cloud.    IN  CAA  0 iodef "mailto:[email protected]"
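As an added example (not code from the article), here is a small zone-fragment linter in Python that enforces the rule from the CNAME section (a CNAME cannot share its name with any other record) and also catches the classic missing-trailing-dot mistake on hostname targets. The zone text is constructed from the article's records plus two deliberately broken lines (the mail.techsaas.cloud pair and an unterminated MX target); the parser only understands the four-field "name IN TYPE rdata" form used above, not full zone-file syntax.

```python
from collections import defaultdict

# Constructed zone fragment: the article's records plus two deliberate mistakes,
# a CNAME sharing a name with an MX and an MX target without its trailing dot.
ZONE = """
techsaas.cloud.           IN  A      104.21.32.123
techsaas.cloud.           IN  AAAA   2606:4700:3030::6815:207b
www.techsaas.cloud.       IN  CNAME  techsaas.cloud.
git.techsaas.cloud.       IN  CNAME  a0838c12.cfargotunnel.com.
techsaas.cloud.           IN  MX     10 mail1.example.com.
techsaas.cloud.           IN  MX     20 mail2.example.com
mail.techsaas.cloud.      IN  CNAME  ghs.example.com.
mail.techsaas.cloud.      IN  MX     10 mail1.example.com.
techsaas.cloud.           IN  TXT    "v=spf1 include:_spf.google.com ~all"
"""

HOSTNAME_TYPES = {"CNAME", "MX", "NS", "SRV"}  # rdata ends in a hostname target


def parse_zone(text):
    """Yield (name, type, rdata_fields) for each 'name IN TYPE rdata' line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[1].upper() != "IN":
            continue
        yield fields[0].lower(), fields[2].upper(), fields[3:]


def lint_zone(text):
    """Return a list of problem strings; an empty list means the fragment is clean."""
    types_by_name = defaultdict(set)
    problems = []
    for name, rtype, rdata in parse_zone(text):
        types_by_name[name].add(rtype)
        target = rdata[-1]
        # In zone-file syntax a hostname without a trailing dot is relative to the
        # zone origin, so 'mail2.example.com' becomes mail2.example.com.techsaas.cloud.
        if rtype in HOSTNAME_TYPES and not target.endswith("."):
            problems.append(f"{name} {rtype}: target {target!r} lacks a trailing dot")
    for name, types in types_by_name.items():
        # RFC 1034: a CNAME must be the only record at its name.
        if "CNAME" in types and len(types) > 1:
            others = ", ".join(sorted(types - {"CNAME"}))
            problems.append(f"{name}: CNAME cannot coexist with {others}")
    return problems
```

Run `lint_zone(ZONE)` to see both constructed mistakes reported; on a clean fragment it returns an empty list.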

TTL Strategy

TTL (Time To Live) controls how long DNS resolvers cache a record. Getting TTL right is critical:

| Scenario | TTL | Why |
|----------|-----|-----|
| Static records (MX, SPF) | 86400 (24h) | Rarely changes, cache aggressively |
| Normal records (A, CNAME) | 3600 (1h) | Good balance of cache and flexibility |
| Pre-migration | 300 (5m) | Lower TTL before changing records |
| Active migration | 60 (1m) | Minimize stale cache during changes |
| Failover records | 30-60 (30s-1m) | Fast failover between endpoints |

TTL migration strategy:

Day -7:  Lower TTL from 3600 to 300
Day -1:  Lower TTL from 300 to 60
Day 0:   Change record (IP migration)
Day +1:  Verify traffic shifted
Day +2:  Raise TTL back to 3600

How DNS Propagation Works

DNS "propagation" is really about cache expiration:

Browser Cache (minutes)
    ↓
OS Resolver Cache (varies)
    ↓
ISP Recursive Resolver (honors TTL)
    ↓
Authoritative Nameserver (source of truth)

When you update a DNS record:

1. The authoritative nameserver has the new record immediately
2. Recursive resolvers serve the cached old record until its TTL expires
3. Each resolver expires independently — there is no global "propagation"

Troubleshooting DNS:

# Query authoritative nameserver directly
dig @ns1.cloudflare.com techsaas.cloud A

# Query Google's resolver
dig @8.8.8.8 techsaas.cloud A

# Query Cloudflare's resolver
dig @1.1.1.1 techsaas.cloud A

# Query ANY (many authoritative servers, Cloudflare's included, answer ANY
# minimally per RFC 8482, so query each record type explicitly instead)
dig techsaas.cloud ANY

# Trace the full resolution path
dig +trace techsaas.cloud

# Check CNAME chain
dig +short techsaas.cloud CNAME

# Check TTL remaining
dig techsaas.cloud | grep -E "^techsaas"
# techsaas.cloud.  257  IN  A  104.21.32.123
# (257 seconds remaining in cache)
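To make "propagation is cache expiration" concrete, the following added Python (not from the article) parses dig answer lines like the one above as collected from several resolvers, compares each against the authoritative value, and reports which resolvers still serve stale data together with the longest remaining TTL among them, which bounds how long the stale answer can persist. The snapshot and the new address 203.0.113.10 are constructed sample values, not real measurements.

```python
import re

# Constructed snapshot of the answer-section line from 'dig @<resolver> techsaas.cloud A'
# on several resolvers a few minutes after the authoritative A record was changed
# from 104.21.32.123 to 203.0.113.10 (sample values, not real measurements).
AUTHORITATIVE_IP = "203.0.113.10"
SNAPSHOT = {
    "ns1.cloudflare.com": "techsaas.cloud.\t300\tIN\tA\t203.0.113.10",
    "8.8.8.8":            "techsaas.cloud.\t257\tIN\tA\t104.21.32.123",
    "1.1.1.1":            "techsaas.cloud.\t300\tIN\tA\t203.0.113.10",
    "9.9.9.9":            "techsaas.cloud.\t41\tIN\tA\t104.21.32.123",
}

ANSWER_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+)$")


def parse_answer(line):
    """Parse one dig answer-section line into (name, remaining_ttl, type, rdata)."""
    m = ANSWER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a dig answer line: {line!r}")
    return m["name"], int(m["ttl"]), m["type"], m["rdata"].strip()


def propagation_report(snapshot, expected_rdata):
    """Report which resolvers still serve stale data and how long until all converge.

    The TTL dig prints is the remaining lifetime of that resolver's cached copy, so
    it is an upper bound on how long that resolver can keep serving the old answer.
    The slowest stale resolver therefore bounds the whole "propagation" window.
    """
    stale = {}
    for resolver, line in snapshot.items():
        _, ttl_left, _, rdata = parse_answer(line)
        if rdata != expected_rdata:
            stale[resolver] = ttl_left
    return {
        "stale": stale,
        "converged": not stale,
        "seconds_until_converged": max(stale.values(), default=0),
    }
```

Note that 1.1.1.1 and 8.8.8.8 are anycast fleets with many independent caches, so repeated queries can land on different nodes with different remaining TTLs; the bound applies per cache, not per IP.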

Cloudflare DNS and Proxied Records

Cloudflare offers two modes for DNS records:

DNS Only (grey cloud): Normal DNS, returns your actual IP address. Use for:

MX records (email)
SRV records
Non-HTTP services
Records that must resolve to the real IP

Proxied (orange cloud): Traffic goes through Cloudflare's network. Use for:

Web applications (HTTP/HTTPS)
DDoS protection
CDN caching
WAF rules
Cloudflare Tunnel endpoints

# Cloudflare API: Create proxied CNAME record
curl -X POST "https://api.cloudflare.com/client/v4/zones/ZONE_ID/dns_records" \
  -H "Authorization: Bearer CF_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{
    "type": "CNAME",
    "name": "app",
    "content": "a0838c12.cfargotunnel.com",
    "proxied": true,
    "ttl": 1
  }'

GeoDNS and CDN Routing

CDNs use DNS to route users to the nearest edge server:

User in Tokyo → DNS query → Anycast resolves to Tokyo POP → Content served from Tokyo
User in London → DNS query → Anycast resolves to London POP → Content served from London

Cloudflare uses Anycast (same IP announced from 300+ locations) instead of GeoDNS. The network layer routes packets to the nearest POP automatically.

For multi-region deployments, you can use Cloudflare Load Balancer:

api.techsaas.cloud → Cloudflare LB
    ├── Pool: US-East (primary, weight 50%)
    │   ├── server-us-1: 10.0.1.1
    │   └── server-us-2: 10.0.1.2
    ├── Pool: EU-West (primary, weight 50%)
    │   ├── server-eu-1: 10.0.2.1
    │   └── server-eu-2: 10.0.2.2
    └── Pool: AP-South (fallback)
        └── server-ap-1: 10.0.3.1

DNS Security

DNSSEC

DNSSEC adds cryptographic signatures to DNS records so that validating resolvers can detect forged or tampered answers. It authenticates the data but does not encrypt queries (for that, see DoH and DoT below):

# Ask for RRSIG records along with the answer; a signed zone returns them,
# and a validating resolver sets the "ad" flag in the response header
dig +dnssec techsaas.cloud

# Validate the full DNSSEC chain of trust yourself (delv reports "; fully validated")
delv @8.8.8.8 techsaas.cloud


DNS over HTTPS (DoH) and DNS over TLS (DoT)

Encrypts DNS queries between the client and the resolver, so an ISP or other on-path observer cannot read or alter them (the resolver operator still sees the queries):

DoH: https://1.1.1.1/dns-query
DoT: tls://1.1.1.1:853
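As an added example (not from the article), here is Python that builds the wire-format DNS query a DoH client sends to https://1.1.1.1/dns-query in the RFC 8484 GET form, and parses the binary answer back into name, remaining TTL and address; the response it decodes is constructed inline rather than captured from a resolver.

```python
import base64
import struct


def encode_name(name):
    """Encode 'techsaas.cloud' as DNS labels: \\x08techsaas\\x05cloud\\x00."""
    labels = [bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split(".")]
    return b"".join(labels) + b"\x00"


def build_query(name, qtype=1):
    """Wire-format query for (name, qtype, IN); ID 0 and RD=1 as RFC 8484 suggests for DoH."""
    return struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(name, resolver="https://1.1.1.1/dns-query"):
    """DoH GET form: the query goes base64url-encoded, padding stripped, in the 'dns' parameter."""
    return resolver + "?dns=" + base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()


def read_name(msg, off):
    """Decode a possibly compressed name at off; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # pointer to an earlier copy of the name
            end = end or off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (end or off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_a_answers(msg):
    """Return [(name, ttl, ipv4)] for the A records in a wire-format response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):                        # skip the echoed question
        off = read_name(msg, off)[1] + 4
    answers = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in msg[off:off + 4])))
        off += rdlen
    return answers


def sample_response():
    """Constructed response a resolver might return for the query above (not a real capture)."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)          # QR=1, RD=1, RA=1, one answer
    question = encode_name("techsaas.cloud") + struct.pack("!HH", 1, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 257, 4) + bytes([104, 21, 32, 123])
    return header + question + rr
```

A real client fetches `doh_get_url(...)` with `Accept: application/dns-message` and passes the response body to `parse_a_answers`; the 257 in the constructed answer is the remaining TTL, the same field dig prints.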

At TechSaaS, all our subdomains (33 services) point to our Cloudflare Tunnel via CNAME records. This means zero ports exposed on our server, DDoS protection, and CDN caching — all controlled through DNS. We manage our DNS records programmatically using the Cloudflare API, with automated CNAME creation whenever we deploy a new service.
