Production Ready — Part 26 of 30

DNS Management: The Setup You Do Once

Written by claude-sonnet-4 · Edited by claude-sonnet-4
Tags: dns, domains, vercel, ssl, deployment, production

On April 16, 2025, Zoom went offline for nearly two hours. Not because of a DDoS attack, not because of a code bug, not because of a database failure. The root cause was a communication error between Zoom's domain registrar, MarkMonitor, and GoDaddy Registry -- the organization that manages the entire .us namespace. GoDaddy Registry mistakenly placed a server block on zoom.us, and since the authoritative nameservers for the domain lived behind that TLD record, none of the DNS resolvers in the world could find Zoom's servers. The servers were healthy. The code was fine. The DNS was broken, and that was enough to take down one of the most-used video platforms on the planet. (The Register, ThousandEyes)

A few months later, in July 2025, Cloudflare's 1.1.1.1 DNS resolver suffered a 62-minute global outage due to an internal configuration error -- not a cyberattack, just a misconfiguration made weeks earlier that silently waited for a trigger. Hundreds of billions of DNS queries per day, gone. (Xcitium Threat Labs)

Neither of these stories is about small developers. But the lesson scales down perfectly: DNS is the foundation everything else sits on. If it breaks, nothing else matters.

You are not Zoom, and you are not Cloudflare. Your DNS setup is far simpler. But you still need to understand it well enough to configure it correctly once, and protect it from the handful of things that can silently destroy your site.


What DNS Actually Is

DNS stands for Domain Name System. It is the phone book of the internet. When someone types yourdomain.com into a browser, their computer asks a DNS resolver: "What IP address corresponds to this name?" The resolver checks a hierarchy of records and eventually comes back with something like 76.76.21.21. The browser then connects to that IP address.

Without DNS, your users would need to memorize IP addresses. With DNS, you have a human-readable name that points to wherever your servers actually live. The system is global, distributed, and remarkably resilient -- until someone misconfigures a record.


The Record Types You Need to Know

You do not need to master every DNS record type. You need to understand five.

A record -- Points a domain directly to an IPv4 address. This is how yourdomain.com points to a server. Vercel's A record IP is 76.76.21.21.

Type: A
Name: @ (root domain)
Value: 76.76.21.21
TTL: 3600

CNAME record -- Points a domain name to another domain name (not an IP). Used for www subdomains and for services like Vercel that serve your site from their own infrastructure.

Type: CNAME
Name: www
Value: cname.vercel-dns.com
TTL: 3600

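Note: You cannot use a CNAME on your root/apex domain (yourdomain.com), only on subdomains. This is a hard DNS rule: a CNAME cannot coexist with other records at the same name, and the apex always carries NS and SOA records.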

MX record -- Mail Exchange. Tells email servers where to deliver mail for your domain. If you use Google Workspace, your MX records point to Google's mail servers. If you skip these, email to @yourdomain.com simply does not work.

TXT record -- A catch-all text record used for domain verification and email security. When you verify your domain with Google Search Console, you add a TXT record. SPF, DKIM, and DMARC email security records all live here too.

Type: TXT
Name: @
Value: "v=spf1 include:_spf.google.com ~all"

NS record -- Nameserver records. These tell the internet which servers are authoritative for your domain. You set these at your registrar. If your NS records are wrong, nothing else works -- the Zoom outage on April 16, 2025 was essentially an NS record problem at the TLD level.


Setting Up a Custom Domain on Vercel

This is the actual workflow. Get into your project, go to Settings, then Domains. Add your domain.

Vercel will show you exactly what records to create. Here is what it looks like from the CLI (Vercel docs):

# Add domain to your project
vercel domains add yourdomain.com my-project

# Check what records are needed
vercel domains inspect yourdomain.com

# Add the A record for the apex domain
vercel dns add yourdomain.com '@' A 76.76.21.21

# Add the CNAME for www
vercel dns add yourdomain.com www CNAME cname.vercel-dns.com

# Verify it worked
vercel domains inspect yourdomain.com

# Confirm SSL was provisioned
vercel certs ls

If you manage DNS through an external provider (Cloudflare, Route 53, your registrar's panel), you cannot use vercel dns add. You add those same records manually in your provider's dashboard and let Vercel detect them.


The www vs. Bare Domain Question

You need both to work. The practical answer: make one the canonical version and redirect the other to it.

Most developers pick yourdomain.com as canonical and redirect www.yourdomain.com to it. Vercel makes this straightforward -- when you add an apex domain in the dashboard, it prompts you to also add the www version and configure a redirect.

Pick one. Be consistent. Set it up on day one and never think about it again.


DNS Propagation

When you change a DNS record, the change does not take effect instantly worldwide. DNS resolvers around the globe cache records based on their TTL (Time To Live) value. A TTL of 3600 means records cache for one hour. During propagation, some users see the old record, others see the new one.

During a migration, lower your TTL to 300 (five minutes) at least 24 hours before you make the change. After the migration, raise it back to 3600.

To check propagation:

# Check from your machine
dig yourdomain.com A

# Check NS records
dig yourdomain.com NS

# Check against a specific resolver
nslookup yourdomain.com 8.8.8.8

For a visual check across multiple regions, use whatsmydns.net. It shows you what DNS resolvers in different countries are currently returning for your domain.


Registrar vs. DNS Provider: Keep Them Separate

Your domain registrar is where you bought and registered your domain (Namecheap, GoDaddy, Google Domains, etc.). Your DNS provider is the service that answers DNS queries for your domain.

By default, your registrar is also your DNS provider. That is fine for most independent developers. But there is an argument for separating them: services like Cloudflare offer better DNS performance, more detailed analytics, DDoS protection, and a cleaner interface for managing records.

You can keep your domain registered at Namecheap but point the nameservers to Cloudflare. Cloudflare then manages all your DNS records. The registrar just holds the registration.


Domain Security: The Three Things You Must Do

Enable auto-renewal. This is non-negotiable. In August 2025, PyPI unverified over 1,800 user email addresses after their associated domains expired and became available for re-registration (The Hacker News). When a domain expires and someone else buys it, they gain full control -- including the ability to receive every email sent to any address on that domain. That means password reset links, banking notifications, and vendor invoices all go to a stranger. According to Cyber Security Magazine, attackers routinely configure catch-all email addresses on acquired expired domains to passively collect sensitive communications for months. Enable auto-renewal. Never let a domain expire.

Enable registrar lock. Also called "domain lock" or "transfer lock." This prevents your domain from being transferred to another registrar without additional verification steps. Domain hijacking is a real attack vector, and the lock is the easiest way to prevent unauthorized transfers.

Keep contact information current. Critical renewal notices and security alerts go to the email on your registrar account. If that email no longer exists -- common after startup pivots, rebrands, or email provider changes -- you will miss them.
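Two of these settings are visible from outside the registrar dashboard, because registries publish expiry dates and status flags over RDAP. The following is an added example, not from the original article: it reads a constructed RDAP response (the function name, the 30-day threshold and the sample dates are assumptions) and warns on approaching expiry, a missing transfer lock, and registry or registrar holds. Auto-renewal itself is an account setting and does not appear in RDAP.

```python
from datetime import datetime, timezone

# Constructed RDAP domain response (RFC 9083 shape), trimmed to the fields
# read below. Real data comes from the RDAP service for your TLD.
SAMPLE_RDAP = {
    "ldhName": "yourdomain.com",
    "status": ["active"],
    "events": [
        {"eventAction": "registration", "eventDate": "2023-05-02T10:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2026-05-02T10:00:00Z"},
    ],
}

def check_registration(rdap, now, warn_days=30):
    """Return a list of warnings about expiry, transfer lock and holds."""
    warnings = []
    status = {s.lower() for s in rdap.get("status", [])}

    expiry = next((e["eventDate"] for e in rdap.get("events", [])
                   if e.get("eventAction") == "expiration"), None)
    if expiry is None:
        warnings.append("no expiration date published")
    else:
        expires = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
        days_left = (expires - now).days
        if days_left < 0:
            warnings.append("registration has expired")
        elif days_left <= warn_days:
            warnings.append(f"expires in {days_left} days")

    # Registrar lock appears in RDAP as "client transfer prohibited".
    if "client transfer prohibited" not in status:
        warnings.append("registrar lock is off")

    # A hold removes the domain's delegation from the TLD zone, so it stops
    # resolving even though the nameservers behind it are healthy.
    for hold in ("client hold", "server hold"):
        if hold in status:
            warnings.append(f"{hold} is set")
    return warnings

if __name__ == "__main__":
    now = datetime(2026, 4, 20, tzinfo=timezone.utc)  # fixed date for the sample
    for w in check_registration(SAMPLE_RDAP, now):
        print(w)
```

Run on a schedule against every domain you own, this catches a lapsed renewal or a removed lock before the registrar's reminder emails would.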


SSL/TLS: What Vercel Does for You

Vercel automatically provisions SSL certificates through Let's Encrypt once your DNS records verify. You do not write any configuration. The certificate provisions within minutes of DNS verification and renews automatically.

What is actually happening: Vercel completes a domain validation challenge (usually via HTTP-01 or DNS-01), Let's Encrypt issues a certificate, and Vercel installs it on its edge network. Your site gets HTTPS with no manual work.

# Verify certificate was issued
vercel certs ls

If you see your domain in that output, you are done. Your users get the padlock.


Common DNS Mistakes

Wrong CNAME value. Vercel's CNAME target may be project-specific -- always copy the exact value Vercel provides in your dashboard. Do not guess or reuse values from tutorials.

TTL too high during a migration. If your TTL is 86400 (24 hours), and you change your A record, some users will hit the old server for an entire day. Lower the TTL before you migrate.

Forgetting email records. You set up the domain, the site works, you ship. Then you discover that hello@yourdomain.com silently drops every email because you never configured MX records.

Using CNAME on the apex domain. yourdomain.com cannot be a CNAME. Only subdomains such as www.yourdomain.com can. This is a fundamental DNS constraint. Use an A record for the apex.

Conflicting A records. If you have multiple A records for the same name, resolvers return all of them and each client picks one, so traffic is split unpredictably between the old and new servers. When migrating to Vercel, delete the old A records before adding the new one.
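Most of the mistakes above can be caught mechanically before a record set goes live. The following is an added example, not from the original article: audit_zone, its finding codes and the sample records (including the 203.0.113.10 documentation address standing in for an old server) are constructed for illustration, using the same Type/Name/Value/TTL fields shown earlier.

```python
from collections import defaultdict

# Constructed sample zone for yourdomain.com. It deliberately contains
# several of the mistakes listed above.
SAMPLE_ZONE = [
    {"type": "A", "name": "@", "value": "76.76.21.21", "ttl": 86400},
    {"type": "A", "name": "@", "value": "203.0.113.10", "ttl": 86400},  # stale old host
    {"type": "CNAME", "name": "www", "value": "cname.vercel-dns.com", "ttl": 3600},
    {"type": "TXT", "name": "@", "value": "v=spf1 include:_spf.google.com ~all", "ttl": 3600},
]

def audit_zone(records, migrating=False, uses_email=True, max_migration_ttl=300):
    """Return a sorted list of finding codes for the mistakes described above."""
    findings = set()
    by_name = defaultdict(list)
    for r in records:
        by_name[r["name"]].append(r)

    for name, rrs in by_name.items():
        types = [r["type"] for r in rrs]
        if "CNAME" in types:
            if name == "@":
                findings.add("cname-at-apex")
            if len(rrs) > 1:
                # A CNAME may not share a name with any other record.
                findings.add(f"cname-coexists:{name}")
        if len({r["value"] for r in rrs if r["type"] == "A"}) > 1:
            findings.add(f"multiple-a-records:{name}")
        if migrating and any(r["type"] in ("A", "CNAME")
                             and r["ttl"] > max_migration_ttl for r in rrs):
            # Caches may keep serving the old target for up to this TTL.
            findings.add(f"ttl-too-high:{name}")

    if uses_email:
        apex = by_name.get("@", [])
        if not any(r["type"] == "MX" for r in apex):
            findings.add("missing-mx")
        if not any(r["type"] == "TXT" and r["value"].startswith("v=spf1")
                   for r in apex):
            findings.add("missing-spf")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_zone(SAMPLE_ZONE, migrating=True):
        print(finding)
```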


Action Checklist

  • Add both apex domain and www to your Vercel project
  • Set A record for apex domain pointing to 76.76.21.21
  • Set CNAME for www pointing to Vercel's CNAME value from your dashboard
  • Configure redirect so one version is canonical
  • Add MX records if you are using a custom email address
  • Add SPF/DKIM/DMARC TXT records for email security
  • Enable auto-renewal at your registrar
  • Enable registrar lock (domain transfer lock)
  • Update registrar contact email to one you actively check
  • Lower TTL to 300 before any future DNS migration
  • Verify with dig yourdomain.com A that records resolve correctly
  • Confirm SSL provisioned with vercel certs ls

Ask The Guild

What DNS setup have you found works best for indie projects -- keeping DNS at the registrar, moving to Cloudflare, or pointing nameservers directly to Vercel? Share your registrar and DNS provider combination and whether you have ever had a DNS-related incident. The most useful setups are usually the ones that caused a crisis first.

About Tom Hundley

Tom Hundley writes for builders who need stronger technical judgment around AI-assisted software work. The Guild turns production experience into public articles, copy-paste prompts, and structured learning paths that help non-software developers supervise AI agents more safely.
