How Do I Use DNS For My Startup?
If you’re here, you’ve likely heard of DNS (Domain Name System), and you know your site needs it to stay up, running, and visible to customers.
At its most basic, DNS translates domain names into IP (Internet Protocol) addresses so browsers can locate and load the content you’re looking for.
If you want a more in-depth look, the team at DNSimple has created a comic and an animation to give you a better idea of exactly what’s going on behind the scenes.
So you’ve got a good idea of what DNS is. But does good DNS really matter? Are basic, free services enough? (Spoiler: they’re usually not). And what should you look for in a provider to make sure your DNS is as streamlined and secure as possible? Let’s talk a bit more.
Why should I care about DNS for my startup?
Good DNS management is worth its weight in gold (literally — your DNS can make or break customer conversions and retention). You want peak performance, reliability and security. Poor safety practices and slow loading times could be costing you business.
Expert DNS providers help you prevent things like phishing and DDoS (Distributed Denial-of-Service) attacks, so your customers don’t have to worry about their information being compromised. They also help ensure your site stays up, running, and fast, with quick resolution and response times so you don’t lose customers.
DNS can even influence your SEO. Page loading time affects where you land on the SERP (Search Engine Results Page), so even though DNS doesn’t directly affect your SEO results, misconfiguration does.
How do I use DNS for my startup?
The DIY approach
It’s a little complicated, but you can set up DNS yourself. Once you’ve registered your domain, you’ll want to set up HTTPS via an SSL certificate to maintain privacy, integrity, and identification for your site. You’ll also need to configure your DNS records so your site functions.
SSL certificates
SSL certificates secure the communication between a server and a client — for example, a web server and a browser. They’re required if you want to enable SSL/TLS on your site (you do), and serve your website using the secure HTTPS protocol.
To secure your website with an SSL certificate, you’ll need to:
Order the SSL certificate
Configure and submit the SSL certificate
Validate the SSL certificate
Download and install the SSL certificate
If you have a domain and no subdomains, you’ll likely be fine with a free Let’s Encrypt SAN SSL certificate, but there are different types of SSL certificates depending on your needs.
Standard Single-name SSL certificates
This is a single-name, domain-validated certificate. It covers one hostname, plus the root domain when that hostname is www. It’s called the Sectigo PositiveSSL certificate, is issued by Sectigo, and costs $20/year.
Standard Wildcard SSL certificates
The wildcard certificate is a wildcard-name, domain-validated certificate. It covers all single-level subdomains as well as the root domain. This one is also issued by Sectigo, and costs $100/year.
Let’s Encrypt SAN SSL certificates
The Let’s Encrypt certificate is a multi-name (SAN), domain-validated certificate. It covers all the host names specified in the certificate. The certificate is issued by Let’s Encrypt, and it’s free. However, certain characteristics or requirements of this certificate may make this product unsuitable for you.
Let’s Encrypt Wildcard SSL certificates
The Let’s Encrypt wildcard certificate is a wildcard-name, domain-validated certificate. It covers all single-level subdomains of a domain name. It does not cover the root domain. It’s issued by Let’s Encrypt, and it’s free. But certain characteristics or requirements of this certificate may make this product unsuitable for you.
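To see what those coverage rules mean for a real set of hosts, here is an added example (not DNSimple's code) that checks a host inventory against the name list of each certificate type described above. The hostnames and name lists are constructed for illustration.

```python
# Added example: which hostnames does a certificate's name list actually cover?

def name_covers(cert_name: str, host: str) -> bool:
    """True if one certificate name (exact or wildcard) covers host."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if cert_labels[0] != "*":
        return cert_labels == host_labels
    # A wildcard stands for exactly one label, so the label counts must match
    # and everything to the right of the "*" must be identical.
    return (len(host_labels) == len(cert_labels)
            and host_labels[1:] == cert_labels[1:])

def uncovered(cert_names, hosts):
    """Hosts that no name in the certificate covers."""
    return [h for h in hosts if not any(name_covers(n, h) for n in cert_names)]

# Constructed inventory: root, two single-level subdomains, one two-level subdomain.
HOSTS = ["example.com", "www.example.com", "api.example.com", "eu.api.example.com"]

# Constructed name lists mirroring the four certificate types described above.
CERTS = {
    "single-name (www + root)": ["www.example.com", "example.com"],
    "standard wildcard (+ root)": ["*.example.com", "example.com"],
    "SAN list": ["example.com", "www.example.com", "api.example.com"],
    "wildcard only (no root)": ["*.example.com"],
}

def coverage_report():
    return {label: uncovered(names, HOSTS) for label, names in CERTS.items()}

if __name__ == "__main__":
    for label, missing in coverage_report().items():
        print(f"{label:28} uncovered: {missing or 'none'}")
```

Any host left uncovered will show a certificate warning in the browser, so run a check like this against your inventory before choosing a certificate type.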
Now that you know the basics of SSL certificates, we’ll move on to DNS record configuration.
Basic record types & configuration
There are a lot of different DNS record types, but the most important ones are A, CNAME, MX, and TXT records. They’re used to map your domain to an IP address, identify which servers should handle your email, and act as email authenticators, so you want to make sure they’re set up correctly.
A Records
A records point a domain name to an IP address. One of their primary uses is to map a domain name to a web server’s IP address so people can get to your site using an easy-to-remember name rather than a hard-to-remember set of numbers. Often you will set up your naked domain (like example.com) so it points to the IP address of your web server, so visitors can browse to https://example.com.
CNAME Records
You’ll also see sites using a “www” prefix (like https://www.example.com). If you also want to do this, you’ll need to add a CNAME record for “www” in addition to the A record for your naked domain. CNAME records point at other host names, not IP addresses, so you’ll often see a CNAME from “www.example.com” to “example.com”. One important detail of CNAME records is that you cannot use them where there are other records. This includes your naked domain. Some providers offer records that simulate CNAME records on the naked domain (with different names like ANAME, ALIAS, or CNAME flattening) that automatically convert the target name to an IP address when needed.
MX Records
MX records are used to identify which servers should handle your email. You’ll often see multiple MX records used in case your primary mail server is not available. MX records include a “priority” value that can be used to favor one or more mail servers over the others you provide. MX records always point at a host name (like mail.example.com), and those names will usually be provided by your email provider.
TXT
Finally there are TXT records (sometimes known as text records). These records can be used for a wide variety of purposes, but some of the most important are related to email deliverability. Many email providers will give you an SPF record and a DKIM record to include in the DNS for your domain. These records are stored as TXT records and contain information necessary to either provide details about which servers are allowed to send email on your behalf (SPF records), or provide an authentication token used to confirm that an email comes from a specific domain and is authorized by the owner of that domain (DKIM records).
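The rules above can be checked mechanically before you publish a zone. This added example (not from DNSimple) lints a constructed record set for a CNAME sharing a name with other records and for an MX record that targets an IP address. It also checks one rule the text does not mention: a name may publish only one SPF record (RFC 7208).

```python
# Added example: lint a small record set for the mistakes described above.
from collections import defaultdict

# Constructed sample zone for example.com: "name TYPE value" per line.
ZONE = """\
example.com.      A     192.0.2.10
example.com.      CNAME shop.example.net.
www.example.com.  CNAME example.com.
www.example.com.  TXT   "site-verification=constructed"
example.com.      MX    10 mail1.example.com.
example.com.      MX    20 192.0.2.25
example.com.      TXT   "v=spf1 include:_spf.example.net ~all"
example.com.      TXT   "v=spf1 ip4:192.0.2.25 -all"
"""

def parse(zone_text):
    records = defaultdict(list)          # name -> [(type, value), ...]
    for line in zone_text.splitlines():
        if line.strip():
            name, rtype, value = line.split(None, 2)
            records[name.lower()].append((rtype.upper(), value.strip()))
    return records

def is_ipv4(text):
    parts = text.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) < 256 for p in parts)

def lint(zone_text):
    findings = []
    for name, rrs in parse(zone_text).items():
        types = [t for t, _ in rrs]
        # A CNAME cannot share a name with any other record (naked domain included).
        if "CNAME" in types and len(rrs) > 1:
            others = sorted(set(types) - {"CNAME"})
            findings.append(f"{name}: CNAME coexists with {others}")
        for rtype, value in rrs:
            # MX values are "<priority> <target>"; the target must be a host name.
            if rtype == "MX" and is_ipv4(value.split()[-1]):
                findings.append(f"{name}: MX target {value.split()[-1]} is an IP address")
        # Receivers treat more than one SPF record on a name as an error.
        spf = [v for t, v in rrs if t == "TXT" and v.strip('"').startswith("v=spf1")]
        if len(spf) > 1:
            findings.append(f"{name}: {len(spf)} SPF records, expected at most 1")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(ZONE)))
```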
If all of that sounds intimidating, the good news is, you don’t need to be an expert to have expert-level DNS management. All you really need is access to experts and a provider, like DNSimple, that checks all the boxes. Let’s talk about what you should keep in mind while looking for a provider.
What to look for in a DNS provider
Ease of use
The best DNS providers make it easy to connect your domains to the services you use. You’ll want to look for DNS automation features like automatic connections that take care of setting up your DNS records for you, or one-click DNS templates for well-known services. If the service you use isn’t supported, you’ll also want an easy-to-use DNS record editor that supports a variety of DNS record types.
Customer support
Do you have an IT team or are you flying solo? If you don’t have an IT team, you’ll be relying on customer support, and that means you want the best available. You don’t want to risk extended downtime or outages for issues with your DNS, so you’ll want the peace of mind that comes with expert technical support and fast response times.
Security
You want the most robust security possible. The DNS management provider you choose should have:
DNSSEC — DNSSEC provides a cryptographic chain of trust for your zones that authenticating resolvers use to ensure DNS results weren’t tampered with while in transit. This safeguards your site from forgery and attacks that use falsified information to re-route your customers from your page to malicious sites.
You want an expert to handle DNSSEC for you to ensure there are no errors and no downtime. Some TLDs (Top Level Domains) make users sign their zones manually, which requires highly technical skills, and key rotation can be complicated.
DDoS Defense — This protects against DDoS attacks at the DNS level. In a DDoS attack, a given computer network service is intentionally flooded to prevent normal access. These can happen for a variety of reasons from revenge to blackmail to someone thinking it’s funny. An attack can take your site down for hours, and you need to know your provider has these protections in place so it doesn’t happen to you.
SSL certificates — Your provider should cover the SSL certificates listed in the previous section. They should also support auto-renewal so you don’t have to worry about remembering to manually renew or risk leaving your site unprotected.
2FA/MFA & Enforcement — 2FA (Two-Factor Authentication) requires two forms of identification at login, making it more difficult for someone to gain access to your account. Any provider you consider should have this security measure.
MFA (Multi-Factor Authentication) takes that security one step further. You’ll have to provide a verification code or use a security key plus your username and password. Verification codes are generated by an authenticator app and refreshed every 30 seconds.
If multiple people need access to your DNS management, you want a service that provides 2FA/MFA enforcement. This ensures everyone on your team has authentication enabled and keeps your account even more secure.
Fast resolution & 100% uptime
Your provider should serve your DNS with Anycast. Anycast servers handle DNS requests from many locations, and the location with the shortest path from your visitor will be used. With Anycast, your zones will be deployed to all your provider’s locations, resulting in fast lookups for your customers. And multiple points of presence means the chances of your domain going down are very, very low.
If you want to further guarantee 100% uptime (we’re guessing you do), you want a provider who supports secondary DNS. Automatically syncing to a secondary DNS provider that doesn't share the same infrastructure as your primary provider means if your primary DNS provider goes down, your customers continue to have access to your site.
Red flags
There are a handful of things you’ll want to watch out for when looking for DNS management. Some of these are for your ease of use and peace of mind. Others are non-negotiable, like anything that could compromise your security or uptime, since these are essential to keeping your site functional and accessible.
Canned responses or outsourced CS — You’ll get one-size-fits-all responses instead of the personalized, expert help you need.
Unicast — All providers serve your DNS through either Unicast or Anycast. Unicast servers can be tempting because they’re cheaper, but they handle all DNS requests from a single location. If that single server malfunctions, your site is down until it’s fixed.
Not supporting secondary DNS — Without secondary DNS, you lose the protection provided by that redundancy. If your provider goes down, you go down.
No 2FA/MFA — This is basic account security. If this isn’t available, who knows where else they’re dropping the ball.
Is the service free? Why? How? — Generally if it’s free, you’re sacrificing something in the name of that savings, whether it’s privacy, data, or something else.
Less than 99% - 100% SLA (Service Level Agreement) — You need to know your site will be up and running 99+% of the time.
Where to look for a provider
You need a provider that removes the barriers to managing your domains, and finding that is often more challenging than just doing a simple search. Look for reviews on specific sites, like Capterra or G2, where you can quickly compare dozens of providers and choose the one that best fits your needs.
Have a specific provider in mind? Check their Twitter profile and mentions to see if people like them or if it’s a laundry list of complaints. You can also reach out within your communities, like MicroConf, to see what other entrepreneurs are using, and if they’re happy with their DNS management.
***
This is a guest post written by Anthony Eden. Anthony Eden is a long-time software developer and the founder and CEO of DNSimple, a domain registrar and DNS provider loved by software engineers around the world. Anthony has appeared on Startups for the Rest of Us and Zen Founder, along with numerous other podcasts where he has spoken about entrepreneurship, the challenges of starting a business with family members, and a variety of other topics.
DNSimple is an independent, bootstrapped company, and we know firsthand the challenges that come with it. Independent business owners need a place to gather and discuss ways to build their businesses, and MicroConf provides a forum for exactly that. Entrepreneurs need a partner in their journey for all their domain and DNS needs – that’s where DNSimple comes in. If you want a provider that ticks all the boxes, give us a try free for 30 days. Have more questions about your DNS management needs? We’d love to chat.