Deep-dive references for every technical aspect of domain management, from DNS record types to HTTP error diagnostics.
The Domain Name System (DNS) is the backbone of the internet, translating human-readable names into machine-readable IP addresses. DNS zones contain resource records that define how a domain behaves.
A DNS zone is a distinct portion of the domain namespace. It is managed by a specific organization using a zone file: a text file that maps domain names to IP addresses and other resources.

| Record | Full Name | Purpose | Example Value | TTL Typical |
|---|---|---|---|---|
| A | Address | Maps a hostname to an IPv4 address | 93.184.216.34 | 3600s |
| AAAA | IPv6 Address | Maps a hostname to an IPv6 address | 2606:2800:220:1:248:1893:25c8:1946 | 3600s |
| CNAME | Canonical Name | Alias: points one domain to another | example.com. | 3600s |
| MX | Mail Exchange | Directs email to mail servers | 10 mail.example.com. | 3600s |
| TXT | Text | Holds arbitrary text: SPF, DKIM, verification | v=spf1 include:_spf.google.com ~all | 3600s |
| NS | Name Server | Delegates a domain to name servers | ns1.example.com. | 86400s |
| SOA | Start of Authority | Primary info about a DNS zone | ns1 admin 2024010101 3600 900… | 86400s |
| PTR | Pointer | Reverse DNS: maps IP to hostname | example.com. | 3600s |
| SRV | Service | Defines location of servers for specific services | 10 5 443 sip.example.com. | 3600s |
| CAA | Certification Authority Authorization | Restricts which CAs can issue SSL certs | 0 issue "letsencrypt.org" | 3600s |
| DKIM | DomainKeys Identified Mail | Email authentication via cryptographic signatures (published as a TXT record) | v=DKIM1; k=rsa; p=MIGf… | 3600s |
| DMARC | Domain Message Auth | Email policy: reject/quarantine unauthenticated mail (published as a TXT record) | v=DMARC1; p=reject; rua=mailto:… | 3600s |
| DS | Delegation Signer | DNSSEC: delegates signing authority | 12345 8 2 [hash] | 86400s |
| NAPTR | Name Authority Pointer | Used in VoIP/ENUM for number mapping | 100 10 "u" "E2U+sip" … | 3600s |

To receive email, set MX records pointing to your mail server. Add a TXT record with an SPF policy. Configure DKIM via your mail provider's TXT record. Add DMARC to enforce policy.
Point your root domain (@) with an A record to your server IP. Use a CNAME for www to point to your root domain or CDN. Never use CNAME at the root; use A records or ALIAS.
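The email and root-domain rules above can be checked mechanically. The following is an added example, not part of the original page: a Python audit over constructed (owner, type, value) tuples for example.com that flags a CNAME at the root, a missing or permissive SPF record, missing DKIM, and a DMARC policy that does not enforce. The `audit_zone` function and its finding names are assumptions made for illustration.

```python
# Constructed records for illustration; not taken from a real zone.
ZONE = [
    ("example.com.", "CNAME", "cdn.example.net."),
    ("example.com.", "MX", "10 mail.example.com."),
    ("example.com.", "TXT", "v=spf1 include:_spf.google.com ~all"),
    ("_dmarc.example.com.", "TXT", "v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
    ("www.example.com.", "CNAME", "example.com."),
]

def audit_zone(apex, records):
    """Return sorted finding codes for (owner, type, value) tuples of one zone."""
    apex = apex.lower()
    by_owner = {}
    for owner, rtype, value in records:
        by_owner.setdefault(owner.lower(), []).append((rtype.upper(), value.strip('"')))
    findings = set()

    # A CNAME cannot share its owner name with other data, and the root of a
    # zone always carries SOA and NS records, so a CNAME there is never valid.
    for owner, rrs in by_owner.items():
        types = {t for t, _ in rrs}
        if "CNAME" in types and owner == apex:
            findings.add("apex-cname")
        elif "CNAME" in types and len(types) > 1:
            findings.add("cname-with-other-data")

    def txt(owner, prefix):
        return [v for t, v in by_owner.get(owner, [])
                if t == "TXT" and v.lower().startswith(prefix)]

    if any(t == "MX" for t, _ in by_owner.get(apex, [])):
        spf = txt(apex, "v=spf1")
        if len(spf) != 1:  # none at all, or several (receivers treat that as an error)
            findings.add("spf-multiple" if spf else "spf-missing")
        else:
            last = spf[0].split()[-1].lower()
            if last not in ("-all", "~all") and not last.startswith("redirect="):
                findings.add("spf-permissive")
        # DKIM selectors are provider-specific, so accept any <selector>._domainkey name.
        if not any(o.endswith("._domainkey." + apex) for o in by_owner):
            findings.add("dkim-missing")
        dmarc = txt("_dmarc." + apex, "v=dmarc1")
        if not dmarc:
            findings.add("dmarc-missing")
        else:
            pairs = (p.split("=", 1) for p in dmarc[0].split(";") if "=" in p)
            tags = {k.strip().lower(): v.strip().lower() for k, v in pairs}
            if tags.get("p", "none") not in ("reject", "quarantine"):
                findings.add("dmarc-not-enforcing")  # p=none only monitors
    return sorted(findings)
```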
Use NS records to delegate a subdomain (e.g. shop.example.com) to a completely separate DNS zone and nameservers, useful for separating infrastructure.
DNSSEC uses cryptographic signatures (RRSIG, DS, DNSKEY) to prevent DNS spoofing and cache poisoning attacks. Enable it at your registrar and DNS provider simultaneously.
HTTP status codes are 3-digit numbers returned by a server in response to a client request. They indicate whether a request was successful, redirected, or failed, and why.

| Code | Name | Description |
|---|---|---|
| 100 | Continue | Server has received the request headers; client should proceed to send the body. |
| 101 | Switching Protocols | Server is switching protocols as requested (e.g. upgrading to WebSocket). |
| 102 | Processing | Request received; no response available yet (WebDAV). |
| 103 | Early Hints | Used to preload resources while the server prepares a response. |

| Code | Name | Description |
|---|---|---|
| 200 | OK | Standard successful response. The request has succeeded. |
| 201 | Created | Request succeeded and a new resource was created. |
| 202 | Accepted | Request received but not yet acted upon (async processing). |
| 203 | Non-Authoritative Information | Response is from a proxy and may differ from the origin server's response. |
| 204 | No Content | Request succeeded but there's no content to return. |
| 205 | Reset Content | Client should reset the document view. |
| 206 | Partial Content | Server is delivering only part of the resource (range request). |
| 207 | Multi-Status | Multiple resources with multiple statuses (WebDAV). |
| 208 | Already Reported | Members of a DAV binding already enumerated in a previous reply. |
| 226 | IM Used | Server fulfilled a GET request using instance manipulation. |

| Code | Name | Description | SEO Impact |
|---|---|---|---|
| 301 | Moved Permanently | Resource has permanently moved. Clients should use the new URL. | Passes link equity ✅ |
| 302 | Found | Temporary redirect. Client should continue using original URL. | Does not pass equity ⚠️ |
| 303 | See Other | Response to a POST request: redirect to a GET resource. | N/A |
| 304 | Not Modified | Resource hasn't changed since cached version; use cache. | N/A (caching) |
| 307 | Temporary Redirect | Same as 302 but method must not change (POST stays POST). | Minimal equity ⚠️ |
| 308 | Permanent Redirect | Same as 301 but method must not change. | Passes link equity ✅ |

| Code | Name | Description | Common Cause |
|---|---|---|---|
| 400 | Bad Request | Server cannot process the request due to client error. | Malformed syntax, invalid framing |
| 401 | Unauthorized | Authentication is required and has failed or not been provided. | Missing/invalid credentials |
| 402 | Payment Required | Reserved for future use; used by some APIs for payment paywalls. | Subscription required |
| 403 | Forbidden | Server understood the request but refuses to authorize it. | Insufficient permissions |
| 404 | Not Found | Server cannot find the requested resource. | Wrong URL, deleted page |
| 405 | Method Not Allowed | HTTP method not supported for this endpoint. | POST to a GET-only endpoint |
| 406 | Not Acceptable | Server cannot produce a response matching Accept headers. | Content negotiation failure |
| 407 | Proxy Auth Required | Authentication required with a proxy server. | Corporate proxy misconfiguration |
| 408 | Request Timeout | Server timed out waiting for the request. | Slow network, large payload |
| 409 | Conflict | Request conflicts with the current state of the server. | Edit conflicts, duplicate resource |
| 410 | Gone | Resource no longer exists and won't return. | Permanently deleted content |
| 411 | Length Required | Server requires Content-Length header. | Missing Content-Length |
| 412 | Precondition Failed | Condition in the request headers evaluated to false. | If-Match / If-None-Match failed |
| 413 | Content Too Large | Request body exceeds server limit. | File upload too large |
| 414 | URI Too Long | Request URI is longer than the server is willing to process. | Very long query strings |
| 415 | Unsupported Media Type | Media format not supported. | Wrong Content-Type header |
| 416 | Range Not Satisfiable | Range specified by Range header cannot be fulfilled. | Invalid byte range in request |
| 417 | Expectation Failed | Expect request header cannot be met by server. | Expect: 100-continue failure |
| 418 | I'm a Teapot | April Fools' joke in RFC 2324: server refuses to brew coffee with a teapot. | Easter egg / humor |
| 421 | Misdirected Request | Request directed at server not able to produce a response. | Misconfigured reverse proxy |
| 422 | Unprocessable Content | Request well-formed but unable to be followed due to semantic errors. | Validation errors in API |
| 423 | Locked | Resource is locked (WebDAV). | File locking collision |
| 424 | Failed Dependency | Request failed because a dependency failed (WebDAV). | Dependent operation failed |
| 425 | Too Early | Server unwilling to risk processing a request that might be replayed. | TLS early data replay attack |
| 426 | Upgrade Required | Client should switch to a different protocol. | HTTP/1.1 → HTTP/2 upgrade |
| 428 | Precondition Required | Origin server requires conditional request. | Missing If-Match header |
| 429 | Too Many Requests | User has sent too many requests in a given time (rate limiting). | API rate limit exceeded |
| 431 | Headers Too Large | Server unwilling to process request because headers are too large. | Too many/large cookies |
| 451 | Unavailable For Legal Reasons | Resource unavailable due to legal demands (censorship, GDPR, DMCA). | Government takedown notice |

| Code | Name | Description | Fix |
|---|---|---|---|
| 500 | Internal Server Error | Generic catch-all. The server encountered an unexpected condition. | Check server logs, fix application bugs |
| 501 | Not Implemented | Server doesn't support the functionality required to fulfill the request. | Upgrade server software |
| 502 | Bad Gateway | Gateway received an invalid response from upstream server. | Check upstream server / backend |
| 503 | Service Unavailable | Server temporarily unable to handle requests (overloaded or maintenance). | Scale server, check maintenance mode |
| 504 | Gateway Timeout | Gateway did not receive a timely response from upstream. | Increase timeout, fix slow backend |
| 505 | HTTP Version Not Supported | Server does not support the HTTP version used in the request. | Update server configuration |
| 506 | Variant Also Negotiates | Server has a configuration error in content negotiation. | Fix server content negotiation setup |
| 507 | Insufficient Storage | Server unable to store the representation to complete request (WebDAV). | Free up disk space |
| 508 | Loop Detected | Server detected an infinite loop while processing the request. | Fix redirect or WebDAV loop |
| 510 | Not Extended | Server requires further extensions to fulfill the request. | Implement required extensions |
| 511 | Network Auth Required | Client needs to authenticate to gain network access (captive portals). | Log into captive portal (e.g. hotel WiFi) |

After making DNS changes, the new records must spread across all DNS servers worldwide, a process called DNS propagation.
You update a DNS record at your registrar or DNS provider. The change is applied to the authoritative nameserver.
Resolvers cache records for the TTL (Time To Live) duration. Until TTL expires, cached values remain. Lower TTL = faster propagation.
When cached records expire, resolvers query authoritative nameservers and fetch new values.
Eventually (24–48 hours typical), all resolvers worldwide serve the new record. You can check progress with tools like whatsmydns.net.
Best practices for minimizing propagation time and issues:
ipconfig /flushdns (Win) or sudo dscacheutil -flushcache (Mac)
Every time you see a padlock 🔒 in your browser's address bar, there is an SSL/TLS certificate at work. Understanding what it is and how it works is fundamental for anyone managing a domain or website.
SSL (Secure Sockets Layer) is a cryptographic protocol originally developed by Netscape in the 1990s to secure communications over the internet. It creates an encrypted link between a web server and a browser, ensuring that all data passed between them remains private.
SSL has since been deprecated and replaced by TLS (Transport Layer Security), which is the modern, more secure version of the same protocol. Despite this, the term "SSL" is still widely used in everyday language, even when referring to TLS.
When a website uses SSL/TLS, its URL begins with https:// instead of http://, the "S" standing for "Secure".
When your browser connects to a secure website, it initiates a "TLS handshake." The server presents its SSL certificate, which contains its public key and identity information issued by a trusted Certificate Authority (CA).
Your browser checks the certificate against a built-in list of trusted CAs. If the certificate is valid, signed by a trusted CA, and has not expired, the connection proceeds. Otherwise, you see a browser warning.
Browser and server agree on a shared encryption key using asymmetric cryptography (public/private keys). This session key is used for all subsequent communication.
All data exchanged (passwords, form submissions, payment details, personal data) is encrypted using the shared session key. Even if intercepted, it appears as random, unreadable data.
Domain Validation (DV): The most basic type. The Certificate Authority simply verifies that you control the domain. Issued automatically, often within minutes. Suitable for personal websites, blogs, and informational pages.
Organization Validation (OV): The CA verifies both your domain ownership and your organization's legal identity. Takes days. The company name appears in the certificate. Suitable for businesses, e-commerce, and organizations that want to prove legitimacy.
Extended Validation (EV): The most rigorous validation process. The CA thoroughly vets the legal, operational, and physical existence of the entity. Used by banks, financial institutions, large corporations, and government sites.

| Type | Covers | Example | Best For |
|---|---|---|---|
| Single Domain | One specific domain | example.com | Simple sites with one domain |
| Wildcard | All subdomains of a domain | *.example.com | Sites with many subdomains |
| Multi-Domain (SAN) | Multiple different domains | example.com, example.net, shop.example.org | Organizations managing many domains |
| Unified Communications | Microsoft Exchange/Lync environments | mail.example.com, autodiscover.example.com | Enterprise email infrastructure |
A Certificate Authority is a trusted organization that issues SSL certificates after verifying the applicant's identity. Browsers ship with a built-in list of trusted CAs.

| CA | Type | Notable For |
|---|---|---|
| Let's Encrypt | DV only | Free, automated via the ACME protocol. Backed by Mozilla, EFF, and others. Revolutionized HTTPS adoption. |
| DigiCert | DV, OV, EV | Enterprise-grade authority; widely trusted across all major browsers and operating systems. |
| Sectigo (Comodo) | DV, OV, EV | One of the largest volume issuers worldwide; strong brand recognition. |
| GlobalSign | DV, OV, EV | Strong presence in enterprise and Internet of Things (IoT) certificate management. |
| Entrust | DV, OV, EV | Trusted by government agencies and financial institutions for decades. |
| ZeroSSL | DV only | ACME-compatible free alternative to Let's Encrypt with a user-friendly dashboard. |