Sudory

A record

The most fundamental thing the DNS does: look up a name, return an address. example.com goes in, 93.184.216.34 comes out. That is an A record.

Type code 1, defined in RFC 1035 §3.4.1. The value field is a single 32-bit IPv4 address, exactly the format defined by RFC 791. Everything the modern web does on top (HTTP, TLS, CDN, load balancers) depends on this one record resolving to a machine that is actually listening.

What it is

An A record is a name-to-address mapping. Nothing more.

example.com.  3600  IN  A  93.184.216.34
|              |    |   |  |
|              |    |   |  └─ the IPv4 address, four octets
|              |    |   └─ the record type (A = type 1)
|              |    └─ DNS class (IN = Internet; always this)
|              └─ TTL in seconds
└─ the owner name

Everything else about the record, including its meaning and lifecycle, is in those five fields.

The lookup

Your browser does not know where example.com lives. It asks a recursive resolver. The resolver walks the DNS tree from the root, step by step, until it finds the authoritative server for your zone and asks it for the A record.

Recursive lookupexample.com IN A
  1. clientrecursive resolver (1.1.1.1)
    queryA? example.com
  2. resolverroot (a.root-servers.net)
    queryA? example.com
    answerask .com: a.gtld-servers.net, ...
  3. resolver.com (a.gtld-servers.net)
    queryA? example.com
    answerask example.com: ns1.example.com, ...
  4. resolverauthoritative (ns1.example.com)
    queryA? example.com
    answerA 93.184.216.34 TTL 3600
  5. resolverclient
    answerA 93.184.216.34

Every hop is cached by the resolver for the TTL of the answer. In practice, most of these steps are served from cache and the whole lookup takes a few milliseconds. A cold cache can take 50-100 ms.

Multiple records

A name can have more than one A record. A resolver returns all of them, in randomised order. Clients pick the first one, which distributes load and gives basic redundancy.

example.com.  300  IN  A  198.51.100.10
example.com.  300  IN  A  198.51.100.11
example.com.  300  IN  A  198.51.100.12

This is the oldest load-balancing trick in the DNS playbook. Modern systems use anycast or dedicated load balancers, but round-robin A still works for simple cases. The weakness is that DNS has no health awareness: an A pointing at a dead host keeps getting served until the TTL expires or you remove it.

What the IP reveals

A single A record is enough to infer where a site is hosted. Every IP sits in a netblock announced by an autonomous system (AS), and BGP data tells you who owns that AS.

What an IP tells youIP → netblock → provider
104.16.0.0/12AS13335Cloudflare
151.101.0.0/16AS54113Fastly
76.76.21.0/24AS16509Vercel (on AWS)
3.5.0.0/16AS16509AWS
13.107.6.152/32AS8075Microsoft 365
216.58.0.0/16AS15169Google
185.199.108.0/22AS54113GitHub Pages
A single A record is enough to infer hosting, CDN, and often the stack behind it. Sudory matches the IP against BGP data to name the provider.

This is the first thing Sudory looks at when scanning a domain. A vendor behind Cloudflare, AWS, or Vercel signals very different operational posture from a vendor on a single static IP in a small ISP.

TTL and propagation

Every A record has a TTL: how long a resolver may cache the answer before asking again. Long TTLs (an hour, a day) reduce query volume and are fine for stable records. Short TTLs (60-300 seconds) let you change quickly, at the cost of more lookups.

Before a planned change, lower the TTL a few days ahead so resolvers hold the old value only briefly. After the change, raise it back. "DNS propagation" is really just waiting for cached TTLs to expire; DNS changes propagate worldwide in seconds, but stale caches keep the old answer alive until their TTL counts down.

Apex vs CNAME

You can put an A record at the zone apex (example.com) and at any subdomain (www.example.com). A CNAME works only at subdomains: the DNS spec forbids a CNAME at the apex because it would conflict with the zone's SOA and NS records.

This is the source of the "CNAME flattening" feature in Cloudflare, Route 53, and similar services. Behind the scenes the provider resolves the CNAME target and returns an A record at the apex on your behalf. It looks like a CNAME in the dashboard; it is an A record on the wire.

Common mistakes

A record to a private IP (10.x, 172.16.x, 192.168.x)

The IP is RFC 1918 space, unreachable from the public internet. Nothing outside your network resolves this. Usually a leftover from an internal DNS view leaking outward.

A pointing at a terminated host

The cloud VM is gone. A new customer takes over the IP. Your brand now serves someone else's content. This is a dangling-DNS subdomain takeover.

apex A + www CNAME mismatch

Apex resolves to one IP, www CNAMEs to a different host with a different cert. Users bounced between them land in broken states.

very long TTL on a record that must change

A 24-hour TTL means every cache in the world might hold the old IP for a full day after you update. Lower TTL before the change, not after.

only IPv4, no AAAA

Not broken, but dated. Every modern CDN and cloud supports IPv6. Pair A with AAAA so dual-stack clients prefer the IPv6 path.

Check what your A records resolve to, who the provider is, and whether anything points at a dead host: scan your domain.