Domains, DNS & SSL/TLS

Complete guide to domain registration, DNS configuration and SSL/TLS certificate management for secure websites

Last updated: 8/15/2025

Your domain name is your address on the internet. It's how users find your website. But domains are just the beginning. You also need to configure DNS records to connect your domain to a hosting service, and SSL/TLS certificates to secure the connection.

Domain Registration

What is a Domain Name?

A domain name is a human-readable address that points to your website's location on the internet. Instead of remembering IP addresses like 192.168.1.1, users can type example.com to visit your site.

Domain structure:

https://www.example.com
└──┬───┘└──────┬──────┘
protocol    hostname
               ├── subdomain: "www"
               ├── second-level domain: "example"
               └── top-level domain: "com"

Full URL structure:

https://www.example.com:8080/products/view?id=42#reviews

┌──────────────────────────────────────────────────── Full URL
│
├── https://           ← Protocol / Scheme
│
├── www.example.com    ← Hostname
│   ├── www            ← Subdomain (optional)
│   ├── example        ← Second-Level Domain (SLD)
│   └── com            ← Top-Level Domain (TLD)
│
├── :8080              ← Port (optional, defaults: 80 for HTTP, 443 for HTTPS)
│
├── /products/view     ← Path (resource location on the server)
│
├── ?id=42             ← Query String (parameters sent to the server)
│   └── id=42          ← Key-value pair (can have multiple, separated by &)
│
└── #reviews           ← Fragment / Anchor (client-side jump within page)

What Do Domain Registrars Do?

Domain registrars are companies authorised by ICANN (Internet Corporation for Assigned Names and Numbers) to sell and manage domain names. They act as intermediaries between you and the global domain name system.

Registrar responsibilities:

  • Domain sales: Register new domain names
  • DNS management: Provide basic DNS hosting
  • WHOIS data: Maintain domain ownership information
  • Renewal services: Handle domain renewals
  • Transfer support: Facilitate domain transfers between registrars
  • Privacy protection: Offer WHOIS privacy services

DNS Configuration

What is DNS?

DNS (Domain Name System) is like the internet's phone book. It translates human-readable domain names into IP addresses that computers can understand. When someone types example.com, DNS tells their browser where to find your website.

DNS resolution process:

User types example.com
        ↓
Browser checks local DNS cache
        ↓
If not found, asks ISP DNS server
        ↓
ISP server asks root DNS servers
        ↓
Root servers point to TLD servers
        ↓
TLD servers point to authoritative servers
        ↓
Authoritative server returns IP address
        ↓
Browser connects to your server

DNS Record Types Explained

A Records (Address Records):

  • Purpose: Maps domain names to IPv4 addresses
  • Use case: Point your domain to your web server
  • Example:
    Type    Name    Value          TTL
    A       @       192.168.1.1    300
    A       www     192.168.1.1    300
    

AAAA Records (IPv6 Address Records):

  • Purpose: Maps domain names to IPv6 addresses
  • Use case: Enable IPv6 connectivity for your website
  • Example:
    Type    Name    Value          TTL
    AAAA    @       2001:db8::1    300
    AAAA    www     2001:db8::1    300
    

CNAME Records (Canonical Name Records):

  • Purpose: Creates aliases for existing domain names
  • Use case: Point subdomains to other services
  • Example:
    Type    Name    Value                   TTL
    CNAME   blog    myblog.wordpress.com    300
    CNAME   shop    shopify.com             300
    CNAME   mail    gmail.com               300
    

MX Records (Mail Exchange Records):

  • Purpose: Specifies mail servers for your domain
  • Use case: Route email to your email provider
  • Example:
    Type    Name    Value                      TTL    Priority
    MX      @       mail.example.com           300    10
    MX      @       backup-mail.example.com    300    20
    

TXT Records (Text Records):

  • Purpose: Store text information for various services
  • Use case: Email authentication, domain verification, security policies
  • Example:
    Type    Name    Value                                    TTL
    TXT     @       "v=spf1 include:_spf.google.com ~all"    300
    TXT     @       "google-site-verification=abc123"        300
    TXT     @       "keybase-verification=def456"            300
    

NS Records (Name Server Records):

  • Purpose: Specify authoritative name servers for your domain
  • Use case: Delegate DNS management to external providers
  • Example:
    Type    Name    Value                 TTL
    NS      @       ns1.cloudflare.com    300
    NS      @       ns2.cloudflare.com    300
    

PTR Records (Pointer Records):

  • Purpose: Reverse DNS lookup (IP to domain)
  • Use case: Email server reputation, security verification
  • Example:
    Type    Name                        Value          TTL
    PTR     1.1.168.192.in-addr.arpa    example.com    300
    

SRV Records (Service Records):

  • Purpose: Define services available on your domain
  • Use case: VoIP, instant messaging, game servers
  • Example:
    Type    Name                 Value (target)      TTL    Priority  Weight  Port
    SRV     _sip._tcp            sip.example.com     300    0         5       5060
    SRV     _xmpp-client._tcp    xmpp.example.com    300    0         5       5222
    

TTL (Time To Live)

TTL determines how long DNS records are cached by other servers. Lower TTL values mean faster updates but more DNS queries.

Common TTL values:

  • 300 seconds (5 minutes): Fast updates, development/testing
  • 3600 seconds (1 hour): Standard for most websites
  • 86400 seconds (24 hours): Long-term stability, production sites

TTL strategy:

  • Low TTL before making changes
  • High TTL for stable production environments
  • Consider costs: More DNS queries = higher costs with some providers

DNS Management Best Practices

Security:

  • Use DNSSEC (Domain Name System Security Extensions)
  • Enable DNS monitoring and alerting
  • Regularly audit DNS records
  • Use strong authentication for DNS changes

Performance:

  • Use CDN providers for global DNS distribution
  • Implement DNS caching strategies
  • Monitor DNS response times
  • Use geographically distributed name servers

Reliability:

  • Have backup name servers
  • Use multiple DNS providers
  • Regular DNS health checks
  • Document all DNS configurations
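
One way to automate the "regularly audit DNS records" item: a small zone linter that flags CNAME conflicts, MX/NS targets that are CNAMEs, and private addresses published in a public zone. This is an added example, not code from the original page; the zone contents, the example.com origin and the function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

ORIGIN = "example.com"
# Constructed sample zone (Type, Name, Value) in the page's record layout.
ZONE = [
    ("A",     "@",    "203.0.113.10"),
    ("A",     "www",  "192.168.1.1"),            # private address in a public zone
    ("CNAME", "blog", "myblog.wordpress.com"),
    ("TXT",   "blog", "site-verification=abc"),  # conflicts with the CNAME above
    ("CNAME", "mail", "mailhost.example.net"),
    ("MX",    "@",    "mail.example.com"),       # MX target is itself a CNAME
]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def fqdn(name):
    """Expand a zone-relative name ('@', 'www') to a lower-case FQDN."""
    name = name.rstrip(".").lower()
    if name == "@":
        return ORIGIN
    if name == ORIGIN or name.endswith("." + ORIGIN):
        return name
    return f"{name}.{ORIGIN}"

def audit(zone):
    """Return findings for record conflicts the zone data itself reveals."""
    types_at = defaultdict(set)
    for rtype, name, _ in zone:
        types_at[fqdn(name)].add(rtype)
    cnames = {n for n, types in types_at.items() if "CNAME" in types}
    findings = []
    for name in sorted(cnames):
        others = sorted(types_at[name] - {"CNAME"})
        if name == ORIGIN:
            findings.append(f"{name}: CNAME at the zone apex")
        elif others:   # RFC 1034: a CNAME cannot share its name with other data
            findings.append(f"{name}: CNAME coexists with {', '.join(others)}")
    for rtype, name, value in zone:
        target = value.rstrip(".").lower()
        if rtype in ("MX", "NS") and target in cnames:  # RFC 2181 section 10.3
            findings.append(f"{fqdn(name)}: {rtype} target {target} is a CNAME")
        if rtype == "A" and any(ipaddress.ip_address(value) in n for n in RFC1918):
            findings.append(f"{fqdn(name)}: A record {value} is a private address")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(ZONE)))
```

Feed it the record export from your DNS provider and run it before and after every change, so a conflicting record is caught before resolvers cache it.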

SSL/TLS Certificates

What are SSL/TLS Certificates?

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) certificates create encrypted connections between web browsers and servers. They ensure that data transmitted between users and your website is secure and private.

What they protect:

  • Data encryption: All data is encrypted in transit
  • Authentication: Verifies your website's identity
  • Data integrity: Ensures data hasn't been tampered with
  • User trust: Shows the padlock icon in browsers

Types of SSL/TLS Certificates

Domain Validation (DV) Certificates:

  • Validation level: Basic domain ownership verification
  • Issuance time: Minutes to hours
  • Use case: Personal websites, development sites
  • Cost: Free to low cost
  • Trust indicators: Basic padlock icon

Organization Validation (OV) Certificates:

  • Validation level: Company information verification
  • Issuance time: 1-3 business days
  • Use case: Business websites, e-commerce
  • Cost: Medium cost
  • Trust indicators: Company name in certificate details

Extended Validation (EV) Certificates:

  • Validation level: Comprehensive business verification
  • Issuance time: 1-5 business days
  • Use case: Financial institutions, high-security sites
  • Cost: High cost
  • Trust indicators: Green address bar, company name prominently displayed

Wildcard Certificates:

  • Coverage: Protects main domain and all subdomains
  • Use case: Multi-subdomain websites
  • Cost: Higher than single domain certificates
  • Example: *.example.com covers www.example.com, blog.example.com, api.example.com

Multi-Domain (SAN) Certificates:

  • Coverage: Protects multiple domains with one certificate
  • Use case: Multiple websites under one organisation
  • Cost: Varies by number of domains
  • Example: example.com, example.org, example.net

SSL/TLS Providers

Free Options:

  • Let's Encrypt: Completely free, automated renewal, 90-day validity
  • ZeroSSL: Free tier available, user-friendly interface
  • Cloudflare: Free SSL with their CDN service

Paid Options:

  • DigiCert
  • Sectigo
  • GlobalSign
  • Comodo

Platform-Integrated:

  • Vercel: Automatic SSL for all deployments
  • Netlify: Free SSL certificates with automatic renewal
  • AWS Certificate Manager: Free certificates for AWS services
  • Google Cloud: Free SSL certificates for Google Cloud services

Cloudflare SSL

Cloudflare SSL modes:

  • Off: No SSL encryption
  • Flexible: Encrypts traffic between users and Cloudflare, but not between Cloudflare and your server.
  • Full: Encrypts traffic between users and Cloudflare and between Cloudflare and your server.
  • Full (Strict): Same as Full, but requires valid SSL certificate on your server.

Setup process:

  1. Add your domain to Cloudflare
  2. Update your domain's name servers to Cloudflare's
  3. Choose SSL mode in Cloudflare dashboard
  4. Configure SSL/TLS settings
  5. Enable security features like HSTS

Benefits:

  • Automatic SSL certificate generation
  • Edge computing for better performance
  • DDoS protection included
  • Global CDN distribution

Vercel SSL Integration

Vercel provides automatic SSL certificates for all deployments. When you deploy to Vercel:

  1. Automatic HTTPS: Every domain gets a free SSL certificate
  2. Automatic renewal: Certificates are managed and renewed automatically
  3. Global CDN: SSL termination at the edge for optimal performance
  4. HSTS support: Built-in security headers
  5. Custom domains: Easy SSL setup for custom domains

Vercel SSL features:

  • Zero configuration: Works out of the box
  • Multiple domains: SSL for main domain and all subdomains
  • Automatic redirects: HTTP to HTTPS redirection
  • Security headers: Built-in security best practices

SSL/TLS Best Practices

Certificate Management:

  • Automate renewal: Use tools like Certbot or platform automation
  • Monitor expiration: Set up alerts for certificate expiration
  • Backup certificates: Keep secure backups of private keys
  • Version control: Track certificate configurations

Security Configuration:

  • Use strong ciphers: Prefer TLS 1.2 and 1.3
  • Enable HSTS: Force HTTPS connections
  • Implement CSP: Content Security Policy headers
  • Regular security audits: Check SSL configuration regularly

Performance Optimisation:

  • OCSP stapling: Reduce certificate validation overhead
  • Session resumption: Enable TLS session caching
  • HTTP/2 support: Better performance with modern protocols
  • CDN integration: Use CDN for SSL termination

Common Issues and Solutions

DNS Problems

Domain not resolving:

  • Check DNS propagation with tools like dig or nslookup
  • Verify name server configuration
  • Check for typos in DNS records
  • Wait for TTL expiration if changes were made

Subdomain not working:

  • Verify CNAME or A record exists
  • Check for conflicting records
  • Ensure proper TTL values
  • Test with different DNS lookup tools

Email delivery issues:

  • Verify MX record configuration
  • Check SPF, DKIM, and DMARC records
  • Test with email testing tools
  • Verify reverse DNS (PTR) records
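
The SPF and DMARC part of that checklist can be scripted against the TXT strings a lookup returns. The following is an added example, not code from the original page; the function names and the DMARC sample are constructed, and it audits only the record it is given (it does not follow include: targets or check DKIM keys).

```python
import re

# Terms that trigger DNS queries; RFC 7208 section 4.6.4 allows at most 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def check_spf(txt_records):
    """Audit the SPF policy among the TXT strings published at a domain."""
    spf = [t for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return ["no SPF record"] if not spf else ["multiple SPF records (permerror)"]
    issues, lookups, has_default = [], 0, False
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # '+' (pass) is implied
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1          # counts this record only, not nested includes
        if name == "all":
            has_default = True
            if qualifier in "+?":
                issues.append(f"'{qualifier}all' does not reject unlisted senders")
        elif name == "redirect":
            has_default = True    # the redirected policy supplies the default
    if not has_default:
        issues.append("no 'all' mechanism: unlisted senders get a neutral result")
    if lookups > 10:
        issues.append(f"{lookups} DNS-querying terms exceed the limit of 10")
    return issues

def check_dmarc(txt_records):
    """Audit the TXT strings published at _dmarc.<domain>."""
    recs = [t for t in txt_records if t.lower().replace(" ", "").startswith("v=dmarc1")]
    if len(recs) != 1:
        return ["no DMARC record"] if not recs else ["multiple DMARC records"]
    tags = {}
    for part in recs[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p", "(missing)")
    if policy not in ("quarantine", "reject"):
        return [f"p={policy} requests no enforcement; failing mail is still delivered"]
    return []

# Constructed samples; the SPF string is the one shown in the TXT record example.
SAMPLE_TXT = ["v=spf1 include:_spf.google.com ~all", "google-site-verification=abc123"]
SAMPLE_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]

if __name__ == "__main__":
    print(check_spf(SAMPLE_TXT), check_dmarc(SAMPLE_DMARC))
```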

SSL/TLS Issues

Certificate errors:

  • Check certificate expiration
  • Verify domain name matches
  • Check certificate chain
  • Test with SSL testing tools
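
The expiration and name checks above, and the "monitor expiration" items elsewhere on this page, can be run from a script. This is an added example, not code from the original page: the certificate dict, the 30-day warning threshold and the function names are constructed. Note that a wildcard entry stands for exactly one left-most label, which is why the sample certificate also lists example.com itself.

```python
import socket
import ssl

def name_matches(pattern, host):
    """Match one SAN DNS name; '*' stands for exactly one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_cert(cert, host, now, warn_days=30):
    """Classify a getpeercert()-style dict; returns (status, days_left)."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    if not any(name_matches(s, host) for s in sans):
        return "name-mismatch", days_left
    if days_left < 0:
        return "expired", days_left
    if days_left < warn_days:
        return "renew-soon", days_left
    return "ok", days_left

def fetch_cert(host, port=443):
    """Live use. The default context verifies chain, validity and host name
    during the handshake, so a broken certificate raises ssl.SSLError here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed certificate in the shape getpeercert() returns (not a real one).
SAMPLE_CERT = {
    "notAfter": "Sep  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}
NOW = ssl.cert_time_to_seconds("Aug 15 00:00:00 2025 GMT")

if __name__ == "__main__":
    for name in ("www.example.com", "example.com", "a.b.example.com"):
        print(name, check_cert(SAMPLE_CERT, name, NOW))
```

In monitoring, call check_cert(fetch_cert(host), host, time.time()) on a schedule and alert on anything other than "ok".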

Mixed content warnings:

  • Ensure all resources use HTTPS
  • Update hardcoded HTTP URLs
  • Use relative URLs where possible
  • Implement Content Security Policy

Performance issues:

  • Enable HTTP/2
  • Use OCSP stapling
  • Optimise cipher suites
  • Consider CDN for SSL termination

Monitoring and Maintenance

DNS Monitoring

Tools and services:

  • UptimeRobot: Free DNS monitoring
  • Pingdom: Comprehensive uptime monitoring
  • StatusCake: DNS and website monitoring
  • Custom scripts: Automated DNS health checks

Key metrics:

  • DNS resolution time
  • Record propagation speed
  • Name server response time
  • DNS query success rate

SSL/TLS Monitoring

Certificate monitoring:

  • Expiration tracking: Monitor certificate validity
  • Renewal automation: Ensure certificates are renewed
  • Security scanning: Regular SSL configuration audits
  • Performance monitoring: Track SSL handshake times

Security monitoring:

  • Vulnerability scanning: Check for known SSL/TLS vulnerabilities
  • Certificate transparency: Monitor for unauthorized certificates
  • HSTS compliance: Ensure security headers are working
  • CSP monitoring: Track Content Security Policy violations

Next Steps

After setting up your domain, DNS and SSL:

  1. Implement security best practices like HSTS and CSP
  2. Set up monitoring for DNS and SSL health
  3. Automate certificate renewal to prevent expiration
  4. Consider advanced DNS features like DNSSEC and GeoDNS
  5. Plan for scaling with multiple domains and subdomains
  6. Implement backup strategies for critical DNS configurations

Remember: Your domain is your digital identity. Proper DNS management and SSL security are essential for building trust with your users and protecting their data.
