DNS Record Types and Troubleshooting Cues

Why DNS Sits Under Everything

The Domain Name System (DNS) translates human-friendly names into the data clients actually need: IP addresses, mail servers, and service endpoints. A server can be powered on, patched, and reachable by IP while every user reports an outage, because the name resolves to the wrong place or fails to resolve at all. The N10-009 blueprint expects you to read a symptom and name the specific record at fault.

DNS query traffic uses UDP port 53 for normal lookups and TCP port 53 for zone transfers and responses larger than 512 bytes. Newer privacy variants you should recognize by name are DNS over HTTPS (DoH) on TCP 443 and DNS over TLS (DoT) on TCP 853. Knowing the port a firewall must permit is a frequent exam detail. Remember that DoH blends into ordinary web traffic on 443, which makes it harder for a security team to inspect or block, while DoT is easier to identify on its dedicated port 853. The exam likes to ask which variant a firewall can filter by port versus which one hides inside HTTPS.

Keep one mental model: DNS is a layered system. The client asks a recursive resolver, the resolver walks the delegation chain from root to TLD to the authoritative server, and the answer flows back and is cached at every layer for the record's TTL. A failure at any layer looks identical to the end user - the name simply will not resolve - so the troubleshooting skill the exam tests is isolating which layer broke.

Common DNS Records

A classic trap: a CNAME cannot share its name with any other record type, so you cannot put a CNAME on a zone apex (example.com) that already needs MX or NS records. If web users cannot turn a hostname into an IPv4 address, the A record is the first suspect. If email for a domain fails, inspect MX and the TXT-based SPF/DKIM/DMARC entries that receiving servers validate.

Resolution Roles, Split DNS, and TTL

Internal networks frequently run split-horizon (split) DNS: internal clients receive private RFC 1918 answers while external clients receive public answers for the same name. A site that resolves a record internally but not externally points straight at split DNS or a missing public zone entry.

TTL and cutover procedure

The time-to-live (TTL) value tells every recursive resolver how long to cache an answer. Long TTLs cut query load but slow changes; short TTLs speed migrations but raise traffic. A safe cutover:

1. Lower the TTL (for example to 300 seconds) a day before the change.
2. Wait for the old TTL window to elapse so caches expire.
3. Update the record to the new target.
4. Validate from multiple resolver paths (internal, ISP, public 8.8.8.8).
5. Restore a normal TTL once the service is stable.

If some users hit the old server and others hit the new one, stale cached answers or inconsistent authoritative records are the cause - not a routing fault.

Troubleshooting Cues and Tools

Use nslookup or dig to query specific record types directly against an authoritative server; use ipconfig /displaydns and ipconfig /flushdns (Windows) or resolvectl (Linux) for client cache state. Ping is only a weak name-resolution clue - ICMP may be blocked, so ping failure alone does not prove a DNS fault.

PBQ-style DNS scenario

Facts: users connect to 10.20.30.40 directly; portal.example.com still resolves to 10.20.30.25; a migration moved the portal to 10.20.30.40; some users still reach the old service. Best actions: query the authoritative server for portal.example.com, verify the A/CNAME chain points to 10.20.30.40, check TTL and resolver caches, flush or wait out caches, then confirm firewall and app access to the new IP. The decision gate is whether DNS returns the correct answer; once it does, move to transport and application troubleshooting.