49 terms explained in plain English. No jargon-to-explain-jargon — just clear definitions that make DNS and networking approachable.
A DNS record that maps a domain name to an IPv4 address.
An A record (Address record) is the most fundamental type of DNS record. It tells the internet which IPv4 address to connect to when someone types your domain name into a browser. For example, an A record for example.com might point to 93.184.216.34. Without an A record, browsers would not know where to find your website. Every website that is reachable by its domain name has at least one A record (or an AAAA record for IPv6).
A DNS record that maps a domain name to an IPv6 address.
An AAAA record (pronounced "quad-A") works exactly like an A record, but for IPv6 addresses instead of IPv4. IPv6 addresses are longer (like 2606:4700::6810:85e5) and were created because the world is running out of IPv4 addresses. If your server supports IPv6, adding an AAAA record ensures it is reachable on the modern internet. Many websites have both A and AAAA records so they work on both IPv4 and IPv6 networks.
A networking technique where the same IP address is advertised from multiple locations worldwide.
Anycast is a routing method where many servers in different geographic locations all share the same IP address. When you send a request to an anycast IP, BGP routing delivers it to the topologically nearest server, which is usually also the geographically closest one. CDNs like Cloudflare use anycast so that a user in Tokyo connects to a server in Japan while a user in London connects to one in Europe — both using the same IP address. This reduces latency and provides automatic failover if one location goes down.
Autonomous System Number — a unique identifier assigned to a network on the internet.
An ASN (Autonomous System Number) is a unique number that identifies a network or group of IP addresses managed by a single organization. Every ISP, hosting provider, and large company that operates its own network has an ASN. For example, Cloudflare is AS13335 and Google is AS15169. ASNs are used by routers to determine how to send traffic across the internet. When you look up an IP address, the ASN tells you which organization owns that part of the internet.
Border Gateway Protocol — the routing system that determines how data travels across the internet.
BGP (Border Gateway Protocol) is the GPS of the internet. It is the protocol that routers use to figure out the best path to send your data from point A to point B across thousands of interconnected networks. When BGP has a problem (a "BGP leak" or "BGP hijack"), traffic can be sent to the wrong place, causing outages or security incidents. Major internet outages — like when a large cloud provider goes down — are often caused by BGP misconfigurations.
A DNS record that specifies which certificate authorities are allowed to issue SSL certificates for a domain.
A CAA (Certificate Authority Authorization) record is a DNS record that tells certificate authorities (like Let's Encrypt or DigiCert) whether they are allowed to issue an SSL certificate for your domain. It is a security measure that prevents unauthorized parties from obtaining certificates for your domain. For example, if your CAA record only authorizes Let's Encrypt, other certificate authorities will refuse to issue certificates even if someone requests one.
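The check a certificate authority performs before issuing, shown as an added example (not code from the original page). It assumes a constructed in-memory table of CAA records in place of a real DNS lookup, and follows the RFC 8659 rule that a name with no CAA records inherits the nearest ancestor's, which is why a record at example.com also governs www.example.com.

```python
# Added example: decide whether a CA may issue for a name, using CAA records.
# CAA_RECORDS is constructed sample data standing in for a real DNS lookup.
CAA_RECORDS = {
    # (flags, tag, value)
    "example.com": [(0, "issue", "letsencrypt.org"), (0, "iodef", "mailto:security@example.com")],
    "restricted.example.com": [(0, "issue", ";")],  # ";" alone: no CA may issue
}


def find_relevant_caa(name, records=CAA_RECORDS):
    """Return (owner, caa_set) governing `name`: the name's own CAA records,
    or those of the nearest ancestor that has any. (None, []) if none exist."""
    labels = name.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":      # wildcard request: start at the base name
        labels = labels[1:]
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in records:
            return candidate, records[candidate]
    return None, []


def ca_may_issue(name, ca_domain, wildcard=False, records=CAA_RECORDS):
    """True if a CA identified by `ca_domain` is authorized to issue for `name`."""
    _owner, caa = find_relevant_caa(name, records)
    if not caa:
        return True  # no CAA anywhere up the tree: any CA may issue
    tag = "issuewild" if wildcard else "issue"
    props = [v for _f, t, v in caa if t == tag]
    if wildcard and not props:
        props = [v for _f, t, v in caa if t == "issue"]  # issuewild falls back to issue
    if not props:
        return True  # only iodef etc. present: issuance is not restricted
    # Value is "ca-domain[; parameters]"; an empty ca-domain authorizes nobody.
    allowed = {p.split(";")[0].strip().lower() for p in props}
    allowed.discard("")
    return ca_domain.lower() in allowed
```

Note that a set containing only an `iodef` property does not restrict issuance; only `issue`/`issuewild` do, which is why the check inspects those tags specifically.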
Content Delivery Network — a globally distributed network of servers that delivers web content faster.
A CDN (Content Delivery Network) is a network of servers spread across the world that stores copies of your website's files (images, CSS, JavaScript) closer to your visitors. Instead of every visitor connecting to your single origin server in one location, they connect to the nearest CDN server. This dramatically reduces loading times — a visitor in Sydney gets content from an Australian server instead of waiting for it to travel from a server in New York. Cloudflare, AWS CloudFront, and Fastly are popular CDNs.
A DNS record that maps one domain name to another domain name (an alias).
A CNAME (Canonical Name) record creates an alias from one domain to another. Instead of pointing directly to an IP address like an A record, a CNAME says "this domain is the same as that domain." For example, www.example.com might have a CNAME pointing to example.com, which then has an A record with the actual IP. CNAMEs are commonly used for subdomains and for services like Heroku or AWS that give you a hostname instead of a static IP. A CNAME cannot coexist with other record types at the same name.
DomainKeys Identified Mail — an email authentication method that adds a digital signature to outgoing emails.
DKIM (DomainKeys Identified Mail) is an email security standard that lets the receiving mail server verify that an email was actually sent by the domain it claims to be from and was not modified in transit. It works by adding a cryptographic signature to every outgoing email, which the recipient can verify using a public key published in your DNS records. DKIM is one of three email authentication standards (along with SPF and DMARC) that help prevent email spoofing and improve deliverability.
Domain-based Message Authentication — a policy that tells email servers what to do with unauthenticated emails.
DMARC (Domain-based Message Authentication, Reporting and Conformance) builds on SPF and DKIM to give domain owners control over what happens when an email fails authentication. Your DMARC policy can tell receiving servers to deliver the email anyway (none), put it in spam (quarantine), or reject it outright (reject). DMARC also sends you reports about who is sending email using your domain, helping you detect spoofing and phishing attempts. It is published as a TXT record at _dmarc.yourdomain.com.
Domain Name System — the phonebook of the internet that translates domain names to IP addresses.
DNS (Domain Name System) is what allows you to type "google.com" into your browser instead of memorizing 142.250.80.46. When you visit a website, your device asks a DNS server "what is the IP address for this domain?" and the DNS server responds with the correct address. This lookup happens in milliseconds, usually before you even notice. DNS is one of the most critical pieces of internet infrastructure — if DNS is down, websites become unreachable even if the servers are running perfectly.
The process of DNS changes spreading across all DNS servers worldwide.
DNS propagation is the time it takes for a DNS change (like updating your website's IP address) to be recognized by all DNS servers around the world. When you change a DNS record, it does not update everywhere instantly. DNS servers cache records for a period defined by the TTL (Time to Live), so some servers may still serve the old record until their cache expires. Full propagation can take anywhere from a few minutes to 48 hours, though most changes are visible within 1-4 hours.
An entry in the DNS database that provides information about a domain.
A DNS record is a single instruction stored in a domain's DNS zone that tells the internet something about the domain. Different record types serve different purposes: A records point to IPv4 addresses, MX records direct email, TXT records hold text data like SPF policies, NS records delegate to nameservers, and so on. A domain typically has many DNS records working together. Think of them as rows in a lookup table that DNS servers consult when someone asks about your domain.
A server that looks up DNS records on your behalf when you visit a website.
A DNS resolver (also called a recursive resolver) is the server that does the work of finding the IP address for a domain name when you type it in your browser. Your ISP usually provides one automatically, but you can use public ones like Cloudflare (1.1.1.1), Google (8.8.8.8), or Quad9 (9.9.9.9). When you make a DNS query, the resolver checks its cache first. If it does not have the answer, it queries the root servers, then the TLD servers, then the authoritative nameserver for the domain, and caches the result.
DNS Security Extensions — a set of protocols that add cryptographic verification to DNS responses.
DNSSEC (DNS Security Extensions) adds a layer of trust to DNS by digitally signing DNS records. Without DNSSEC, there is no way to verify that a DNS response actually came from the legitimate nameserver — an attacker could forge responses and redirect you to a malicious site (DNS spoofing). With DNSSEC enabled, your resolver can verify the cryptographic signature on each response to confirm it is authentic and has not been tampered with. Not all domains use DNSSEC, but adoption is growing.
A security system that monitors and controls incoming and outgoing network traffic.
A firewall is a security barrier between a trusted network (like your server) and an untrusted one (like the internet). It examines every incoming and outgoing network connection and decides whether to allow or block it based on a set of rules. Firewalls can be software running on your server (iptables, ufw, Windows Firewall), hardware appliances, or cloud-based services (Cloudflare WAF, AWS Security Groups). A properly configured firewall is your first line of defense against unauthorized access.
The secure version of HTTP that encrypts all data between the browser and server.
HTTPS (HyperText Transfer Protocol Secure) is the encrypted version of HTTP, the protocol your browser uses to communicate with web servers. When you see the padlock icon in your browser's address bar, the connection is using HTTPS. It encrypts all data in transit using TLS, preventing anyone from eavesdropping on or tampering with the communication — including passwords, credit card numbers, and personal data. Modern browsers mark HTTP sites as "Not Secure." HTTPS requires an SSL/TLS certificate on the server.
A unique numerical label assigned to every device connected to the internet.
An IP address (Internet Protocol address) is the unique number that identifies a device on the internet, like a street address for your computer or server. IPv4 addresses look like 192.168.1.1 (four numbers separated by dots), while IPv6 addresses are longer like 2001:0db8:85a3::8a2e:0370:7334. Every website, email server, and internet-connected device has at least one IP address. When you visit a website, your browser uses DNS to translate the domain name into the server's IP address.
The fourth version of the Internet Protocol, using 32-bit addresses like 93.184.216.34.
IPv4 (Internet Protocol version 4) is the original addressing system of the internet, using 32-bit addresses written as four numbers separated by dots (e.g., 93.184.216.34). It supports about 4.3 billion unique addresses, which seemed like plenty in the 1980s but is now almost completely exhausted. Most of the internet still runs on IPv4, but organizations increasingly use IPv6 alongside it to handle the growing number of connected devices.
The latest version of the Internet Protocol, using 128-bit addresses to support far more devices.
IPv6 (Internet Protocol version 6) is the successor to IPv4, designed to solve the address shortage. IPv6 addresses are 128 bits long (e.g., 2606:4700:4700::1111), providing a virtually unlimited number of unique addresses — enough for every grain of sand on Earth to have its own IP. IPv6 is being adopted gradually alongside IPv4. If your server supports IPv6, you should add AAAA records to your DNS so it is reachable on both protocols.
Internet Service Provider — the company that provides your internet connection.
An ISP (Internet Service Provider) is the company that connects you to the internet — like Comcast, AT&T, Vodafone, or BT. Your ISP assigns your IP address, provides a DNS resolver (unless you configure a different one), and controls the "last mile" of your internet connection. ISPs can affect your experience by blocking certain ports, throttling traffic, or filtering DNS requests. When troubleshooting connectivity issues, your ISP is often part of the chain you need to investigate.
The time delay between sending a request and receiving a response, measured in milliseconds.
Latency is the time it takes for data to travel from one point to another on the internet, measured in milliseconds (ms). Lower latency means faster response times. When you ping a server and get "12ms," that is the round-trip latency. Latency is affected by physical distance (light in fiber takes ~5ms per 1,000 km), network congestion, the number of routers in the path, and server processing time. CDNs reduce latency by serving content from servers closer to the user.
A DNS record that tells the internet which mail server handles email for a domain.
An MX (Mail Exchange) record is a DNS record that directs email to the correct mail server. When someone sends an email to an address at example.com, the sending server looks up the MX records for example.com to find which mail server to deliver to. MX records include a priority number — lower numbers are tried first, and higher numbers serve as backups. If you use Gmail, your MX records point to Google's mail servers. If you use Microsoft 365, they point to Microsoft's.
A server that stores DNS records for a domain and answers DNS queries.
A nameserver (NS) is the server responsible for storing and serving the DNS records for your domain. When someone looks up your domain, the DNS system eventually asks your nameservers for the answer. Your domain registrar lets you set which nameservers to use — you can use your registrar's nameservers, your hosting provider's, or a third-party like Cloudflare. If your nameservers are down or misconfigured, your entire domain becomes unreachable. Most domains use at least two nameservers for redundancy.
Network Address Translation — allows multiple devices to share a single public IP address.
NAT (Network Address Translation) is the technology that lets all the devices in your home or office share a single public IP address. Your router assigns private IP addresses (like 192.168.1.x) to each device internally, then translates these to your single public IP when traffic goes to the internet. This is why port forwarding exists — since the router has one public IP, you need to tell it which internal device should receive incoming connections on specific ports.
A DNS record that specifies which nameservers are authoritative for a domain.
An NS (Name Server) record tells the DNS system which nameservers are responsible for answering queries about your domain. When a DNS resolver needs to find records for your domain, it follows the NS records to find your authoritative nameservers. If you switch to Cloudflare or a new hosting provider, you change the NS records at your registrar to point to the new nameservers. NS records exist at every level of the DNS hierarchy — from root servers to TLD servers to your domain.
A networking technique that silently drops all traffic to a specific IP address.
A null route (also called a blackhole route) is when a network sends all traffic destined for a specific IP address to nowhere — effectively making that IP unreachable. Hosting providers sometimes null-route a customer's IP address during a DDoS attack to protect their network from the flood of traffic. While this stops the attack from affecting other customers, it also makes the targeted server completely unreachable until the null route is removed. This can cause Cloudflare error 523 (Origin Unreachable).
The actual web server where your website's files and application code live.
The origin server is your actual web server — the machine (physical or virtual) that hosts your website's files, runs your application code, and generates responses. When you use a CDN or reverse proxy like Cloudflare, visitors do not connect directly to the origin. Instead, Cloudflare sits in front and forwards requests to the origin on their behalf. Most Cloudflare 5xx errors (520-526) indicate a problem between Cloudflare and your origin server. The origin is sometimes called the "upstream" server.
A numbered endpoint on a server that identifies a specific service (e.g., port 80 for HTTP, 443 for HTTPS).
A port is a number (0-65535) that identifies a specific service running on a server. Think of the IP address as the building's street address and the port as the apartment number. Web servers listen on port 80 (HTTP) and 443 (HTTPS). SSH uses port 22. Email uses ports 25, 587, and 993. When you visit https://example.com, your browser connects to port 443 on example.com's IP address. Firewalls control which ports are open (accepting connections) and which are blocked.
Configuring a router to direct incoming internet traffic on a specific port to a device on the local network.
Port forwarding is a router configuration that redirects incoming internet traffic from a specific port to a specific device on your local network. Since NAT hides all your internal devices behind one public IP, the router needs to know which device should receive connections. For example, if you run a Minecraft server on your PC, you would forward port 25565 to your PC's local IP so players on the internet can connect. Without port forwarding, incoming connections stop at the router.
A technique that limits how many requests a user or IP can make in a given time period.
Rate limiting is a security and performance mechanism that restricts the number of requests a client can make to a server within a defined time window (e.g., 100 requests per minute). If the limit is exceeded, subsequent requests are blocked or delayed, typically returning an HTTP 429 (Too Many Requests) response. Rate limiting protects against brute-force attacks, API abuse, web scraping, and denial-of-service attempts. Cloudflare error 1015 appears when a visitor exceeds a rate limit configured by the site owner.
A server that sits in front of your web server and handles requests on its behalf.
A reverse proxy is a server that intercepts requests before they reach your origin server. It can cache content, filter malicious traffic, balance load across multiple servers, terminate SSL, and compress responses. Cloudflare is a reverse proxy — visitors connect to Cloudflare's network, and Cloudflare forwards legitimate requests to your origin. Nginx and HAProxy are common self-hosted reverse proxies. The "reverse" distinguishes it from a forward proxy, which sits in front of clients rather than servers.
A virtual firewall in cloud platforms (AWS, GCP, Azure) that controls traffic to and from your server.
A security group is a cloud-based firewall provided by platforms like AWS, Google Cloud, and Azure. It defines which incoming (inbound) and outgoing (outbound) traffic is allowed to reach your cloud server. By default, security groups block all incoming traffic, so you must explicitly open ports like 80 (HTTP), 443 (HTTPS), and 22 (SSH). Misconfigured security groups are the most common cause of cloud data breaches — accidentally leaving database ports (3306, 5432, 6379) open to the public internet is a critical vulnerability.
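An audit of inbound rules for the misconfiguration the paragraph warns about, written as an added example (not the page's or any cloud provider's code). It assumes rules in a simplified shape with `from_port`, `to_port` and a CIDR `source`; the database ports are the ones the paragraph names, a world-open source is any CIDR with a zero-length prefix (`0.0.0.0/0` or `::/0`), and the sample rule set is constructed so that a weak rule sits beside its corrected counterpart.

```python
# Added example: flag security-group rules that expose database or SSH
# ports to the whole internet. Rule shapes and values are constructed.
import ipaddress

DATABASE_PORTS = {3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis"}
ADMIN_PORTS = {22: "SSH"}


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0 (prefix length zero)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_inbound(rules):
    """Return one finding per (rule, sensitive port) reachable from anywhere."""
    findings = []
    for rule in rules:
        if not is_world_open(rule["source"]):
            continue   # restricted to a specific network: not a finding here
        lo, hi = rule["from_port"], rule["to_port"]
        for port, service in sorted({**DATABASE_PORTS, **ADMIN_PORTS}.items()):
            if lo <= port <= hi:
                findings.append({
                    "rule": rule["id"],
                    "port": port,
                    "service": service,
                    "severity": "critical" if port in DATABASE_PORTS else "high",
                    "source": rule["source"],
                })
    return findings


# Constructed sample: r2 is the weak rule, r3 the corrected form of it.
SAMPLE_RULES = [
    {"id": "sg-r1", "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},     # fine: public HTTPS
    {"id": "sg-r2", "from_port": 5432, "to_port": 5432, "source": "0.0.0.0/0"},   # PostgreSQL to the world
    {"id": "sg-r3", "from_port": 5432, "to_port": 5432, "source": "10.0.0.0/16"}, # same port, app subnet only
    {"id": "sg-r4", "from_port": 0, "to_port": 65535, "source": "::/0"},          # "allow all" over IPv6
]
```

Run `audit_inbound(SAMPLE_RULES)` to see that the catch-all IPv6 rule produces a finding for every sensitive port; the corrected rule `sg-r3` produces none because its source is a private /16.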
Server Name Indication — a TLS extension that lets a server host multiple SSL certificates on one IP.
SNI (Server Name Indication) is an extension to the TLS protocol that allows a client to specify which hostname it is trying to connect to at the start of the SSL/TLS handshake. Before SNI, each SSL website needed its own dedicated IP address because the server could not know which certificate to present. With SNI, a single server on a single IP can host hundreds of HTTPS websites, each with its own certificate. Virtually all modern browsers and servers support SNI. Cloudflare error 525 can sometimes be caused by SNI issues.
Start of Authority — a DNS record containing administrative information about a DNS zone.
The SOA (Start of Authority) record is a mandatory DNS record at the top of every DNS zone. It contains administrative information including the primary nameserver, the email address of the zone administrator, a serial number that increments with each change, and timing values that control how often secondary nameservers check for updates. While you rarely need to edit SOA records directly, the serial number is important — secondary nameservers use it to know when zone data has changed.
Sender Policy Framework — a DNS record that lists which servers are allowed to send email for your domain.
SPF (Sender Policy Framework) is an email authentication standard published as a TXT record in your DNS. It lists the IP addresses and servers that are authorized to send email on behalf of your domain. When a receiving mail server gets an email from your domain, it checks the SPF record to see if the sending server is on the authorized list. If not, the email may be marked as spam or rejected. A common SPF record looks like: v=spf1 include:_spf.google.com ~all (authorizing Google to send email for the domain).
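The SPF evaluation described here, combined with the DMARC policy lookup from the DMARC entry above, as an added example that is not code from the page. It assumes a constructed TXT table in place of DNS, supports the `ip4`, `ip6`, `include` and `all` mechanisms with their qualifiers (a real evaluator also handles `a`, `mx`, macros and the ten-lookup limit), and deliberately leaves DKIM and DMARC alignment out, so the final disposition is a simplification.

```python
# Added example: evaluate an SPF record for a sender IP and apply the DMARC
# policy on failure. TXT is constructed sample data, not real DNS.
import ipaddress

TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.example ~all"],
    "_spf.mailprovider.example": ["v=spf1 ip4:198.51.100.10 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf(domain):
    """Return the domain's SPF TXT record, or None."""
    for txt in TXT.get(domain, []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_spf(domain, sender_ip, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for sender_ip."""
    if depth > 10:          # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    spf = get_spf(domain)
    if spf is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in spf.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name in ("ip4", "ip6"):
            # A version mismatch simply does not match (ipaddress returns False).
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        elif name == "all":
            matched = True
        if matched:
            return QUALIFIERS[qual]
    return "neutral"        # no mechanism matched and no "all" present


def dmarc_policy(domain):
    """Return the p= tag of the domain's DMARC record, or None if absent."""
    for txt in TXT.get("_dmarc." + domain, []):
        tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
        if tags.get("v") == "DMARC1":
            return tags.get("p", "none")
    return None


def disposition(domain, sender_ip):
    """Simplified receiver decision: SPF pass delivers; otherwise DMARC p= decides."""
    if check_spf(domain, sender_ip) == "pass":
        return "deliver"
    policy = dmarc_policy(domain)
    return {"none": "deliver", "quarantine": "spam", "reject": "reject"}.get(policy, "deliver")
```

The `~all` at the end of the example.com record is why an unlisted sender gets `softfail` rather than `fail`; with no DMARC record that message would still be delivered, and it is the `p=quarantine` policy that turns the result into a spam-folder disposition.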
The encryption protocols that secure data transmitted between a browser and a web server.
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols that encrypt communication between two parties on the internet. TLS is the modern successor to SSL — when people say "SSL" today, they usually mean TLS. The protocol works through a "handshake" where the client and server agree on encryption methods and exchange keys. TLS protects against eavesdropping and data tampering. The current standard is TLS 1.3, and anything below TLS 1.2 is considered insecure. Cloudflare errors 525 and 526 are caused by TLS problems between Cloudflare and the origin.
A digital certificate that proves a website's identity and enables encrypted HTTPS connections.
An SSL/TLS certificate is a digital document installed on a web server that does two things: it proves the server's identity (you are really connecting to example.com, not an imposter) and it enables encryption via HTTPS. Certificates are issued by trusted Certificate Authorities (CAs) like Let's Encrypt (free), DigiCert, or Cloudflare's Origin CA. They contain the domain name, the issuing CA, the expiration date, and a public key used for encryption. Expired or misconfigured certificates cause Cloudflare errors 525 and 526, and browsers will show security warnings.
A domain that is part of a larger domain, like blog.example.com or api.example.com.
A subdomain is a prefix added to your main domain to create a separate web address. In blog.example.com, "blog" is the subdomain and "example.com" is the parent domain. Subdomains can have their own DNS records, pointing to different servers or services. Common uses include api.example.com for APIs, mail.example.com for email, and staging.example.com for testing. Each subdomain needs its own A, AAAA, or CNAME record in DNS. There is no limit to how many subdomains you can create.
Transmission Control Protocol — a reliable, connection-based protocol used for most internet traffic.
TCP (Transmission Control Protocol) is one of the two main transport protocols of the internet (the other being UDP). TCP establishes a connection using a three-way handshake (SYN, SYN-ACK, ACK) before sending data, guarantees that all data arrives in order, and automatically retransmits lost packets. This reliability makes TCP the protocol of choice for web browsing (HTTP/HTTPS), email, file transfers, and SSH. The trade-off is slightly higher latency compared to UDP because of the connection setup and error checking overhead.
The three-step process (SYN, SYN-ACK, ACK) that establishes a TCP connection.
The three-way handshake is how two devices establish a TCP connection before exchanging data. First, the client sends a SYN (synchronize) packet. The server responds with SYN-ACK (synchronize-acknowledge). Finally, the client sends ACK (acknowledge) and the connection is established. This process confirms both sides are ready to communicate. When a port scan shows a port as "open," it means the three-way handshake completed successfully. If the server sends RST (reset) instead of SYN-ACK, the port is "closed." If there is no response at all, the port is "filtered."
Top-Level Domain — the last part of a domain name, like .com, .org, or .io.
A TLD (Top-Level Domain) is the rightmost segment of a domain name — the part after the last dot. In example.com, ".com" is the TLD. TLDs come in several categories: generic TLDs (gTLDs) like .com, .org, .net; country-code TLDs (ccTLDs) like .uk, .de, .jp; and newer TLDs like .io, .dev, .app. Each TLD is managed by a registry (e.g., Verisign manages .com). The TLD you choose affects your domain's perception, availability, and sometimes its rules for registration.
The process where a client and server negotiate encryption before exchanging data over HTTPS.
The TLS handshake happens after the TCP connection is established and before any HTTP data is exchanged. During the handshake, the client and server agree on a TLS version and cipher suite, the server presents its SSL certificate, the client verifies the certificate's validity, and both sides generate session keys for encryption. This entire process typically takes one round-trip (TLS 1.3) or two (TLS 1.2). Cloudflare error 525 occurs when this handshake fails between Cloudflare and the origin server.
Time to Live — how long a DNS record is cached before it is looked up again.
TTL (Time to Live) is a value on every DNS record that tells DNS resolvers how long to cache the record before checking for an update. A TTL of 3600 means the record is cached for 1 hour. Low TTLs (60-300 seconds) mean changes take effect quickly but generate more DNS queries. High TTLs (86400 seconds = 24 hours) reduce DNS traffic but mean changes propagate slowly. Before making DNS changes, it is common practice to lower the TTL in advance so the old record expires quickly from caches worldwide.
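A resolver cache that honours TTL, used to reproduce the propagation delay described in the DNS propagation entry and the "lower the TTL first" advice here. This is an added example, not code from the page; the record values are constructed TEST-NET addresses, and `observe` models a single resolver that cached the old answer at time zero while the authoritative record changes at `change_at`.

```python
# Added example: TTL-bounded cache plus a simulation of a record change
# seen through that cache. Times are seconds; addresses are constructed.
class DnsCache:
    """Resolver cache keyed by (name, type); entries vanish when their TTL runs out."""

    def __init__(self):
        self._store = {}   # (name, rtype) -> (rdata, expires_at)

    def put(self, name, rtype, rdata, ttl, now):
        self._store[(name, rtype)] = (list(rdata), now + ttl)

    def get(self, name, rtype, now):
        """Return (rdata, remaining_ttl) or None if absent or expired."""
        entry = self._store.get((name, rtype))
        if entry is None:
            return None
        rdata, expires = entry
        if now >= expires:
            del self._store[(name, rtype)]   # expired: next query goes upstream
            return None
        return rdata, int(expires - now)     # a resolver hands out the remaining TTL


OLD_IP, NEW_IP = "192.0.2.10", "192.0.2.20"   # constructed before/after addresses


def authoritative_answer(now, change_at):
    """What the authoritative nameserver returns at time `now`."""
    return NEW_IP if now >= change_at else OLD_IP


def observe(ttl, change_at, observe_at):
    """A resolver cached the record at t=0 with `ttl`; the zone changes at
    `change_at`; report what a client asking at `observe_at` receives and why."""
    cache = DnsCache()
    cache.put("example.com.", "A", [authoritative_answer(0, change_at)], ttl, now=0)
    hit = cache.get("example.com.", "A", now=observe_at)
    if hit is not None:
        return hit[0][0], "cache"
    answer = authoritative_answer(observe_at, change_at)
    cache.put("example.com.", "A", [answer], ttl, now=observe_at)
    return answer, "authoritative"
```

With a 24-hour TTL a client two hours after the change still gets the old address from cache; with the TTL lowered to 300 seconds beforehand the same client sees the new address, which is the whole point of reducing the TTL ahead of a migration.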
A DNS record that holds arbitrary text data, commonly used for domain verification and email security.
A TXT (Text) record is a flexible DNS record type that stores text strings. While it can hold any text, TXT records are most commonly used for: SPF records (email authentication), DKIM public keys, DMARC policies, domain ownership verification (Google, Microsoft, and other services ask you to add a specific TXT record to prove you own the domain), and security policies. A single domain can have multiple TXT records, and each can contain up to 255 characters per string (with multiple strings concatenated).
User Datagram Protocol — a fast, connectionless protocol used for DNS, gaming, and streaming.
UDP (User Datagram Protocol) is the other main transport protocol alongside TCP. Unlike TCP, UDP does not establish a connection first — it just sends data and hopes it arrives. There is no handshake, no guaranteed delivery, and no ordering. This makes UDP faster and more efficient for use cases where speed matters more than reliability: DNS queries, online gaming, video streaming, VoIP calls, and VPN tunnels (WireGuard). The trade-off is that lost packets are not automatically retransmitted. UDP port scans are inherently ambiguous because no response could mean "open" or "filtered."
A string sent with every HTTP request that identifies the browser or client making the request.
The User-Agent is an HTTP header that every browser and HTTP client sends with each request to identify itself. It typically includes the browser name, version, operating system, and rendering engine. For example, Chrome on Windows might send: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0.0.0." Servers use this to serve appropriate content, and security tools use it to detect bots. Cloudflare's Browser Integrity Check (error 1010) blocks requests with suspicious or missing User-Agent headers.
Web Application Firewall — a security layer that filters and blocks malicious HTTP traffic.
A WAF (Web Application Firewall) is a specialized firewall that sits in front of a web application and inspects every HTTP request for malicious patterns. It protects against common attacks like SQL injection, cross-site scripting (XSS), file inclusion, and other OWASP Top 10 vulnerabilities. Unlike a traditional firewall that works at the network level (IP addresses and ports), a WAF understands HTTP and can analyze URLs, headers, cookies, and request bodies. Cloudflare's WAF is responsible for error 1020 (Access Denied) when a rule matches a request.
A text file containing all DNS records for a domain — the complete DNS configuration.
A zone file is a plain text file that contains all the DNS records for a domain, stored on the authoritative nameserver. It defines everything about the domain's DNS: its A records, MX records, CNAME records, TXT records, nameservers, and more. Each line in the zone file is a DNS record. When you edit DNS records through a web interface (like Cloudflare's dashboard or your registrar's control panel), you are modifying the zone file behind the scenes. System administrators can also import and export zone files directly for bulk DNS management.
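A small parser for the zone file format, added here as an example and not taken from the page or from any DNS server's code. It assumes the standard master-file conventions: `$ORIGIN` and `$TTL` directives, `@` for the origin, relative names qualified against the origin, `;` comments, an optional per-record TTL before or after the `IN` class, parenthesised multi-line records such as the SOA, and quoted strings for TXT data. The sample zone is constructed; relative names inside rdata (other than `@`) are left as written, which a full parser would also qualify.

```python
# Added example: parse a BIND-style zone file into a list of record dicts.
# ZONE_TEXT is a constructed sample zone using TEST-NET addresses.
import shlex

ZONE_TEXT = """\
$ORIGIN example.com.
$TTL 3600
@          IN SOA   ns1.example.com. hostmaster.example.com. (
                    2024010101 ; serial
                    7200       ; refresh
                    3600       ; retry
                    1209600    ; expire
                    300 )      ; minimum
@          IN NS    ns1.example.com.
@          IN A     192.0.2.80
www        IN CNAME @
@      600 IN MX    10 mail.example.com.
mail       IN A     192.0.2.25
@          IN TXT   "v=spf1 ip4:192.0.2.25 -all"
"""


def _strip_comment(line):
    """Remove a ';' comment, but not a ';' inside a quoted string."""
    out, in_quotes = [], False
    for ch in line:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            break
        out.append(ch)
    return "".join(out)


def _logical_lines(text):
    """Join parenthesised continuations; yield (line, starts_indented)."""
    buf, depth, indented = [], 0, False
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not buf:
            indented = raw[:1].isspace()   # blank owner = reuse previous owner
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            joined = " ".join(buf).strip()
            buf = []
            if joined:
                yield joined, indented


def _qualify(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return records as dicts with name, ttl, type and rdata (list of tokens)."""
    origin, default_ttl, last_owner, records = "", None, None, []
    for line, indented in _logical_lines(text):
        toks = shlex.split(line)
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        if toks[0] == "$TTL":
            default_ttl = int(toks[1])
            continue
        owner = last_owner if indented else toks.pop(0)
        ttl = default_ttl
        if toks and toks[0].isdigit():          # TTL before class
            ttl = int(toks.pop(0))
        if toks and toks[0].upper() == "IN":
            toks.pop(0)
        if toks and toks[0].isdigit():          # TTL after class
            ttl = int(toks.pop(0))
        rtype = toks.pop(0).upper()
        rdata = [_qualify(t, origin) if t == "@" else t for t in toks]
        records.append({"name": _qualify(owner, origin), "ttl": ttl, "type": rtype, "rdata": rdata})
        last_owner = owner
    return records


def soa_serial(records):
    """Return the SOA serial as an int, the value secondaries compare on transfer."""
    for rec in records:
        if rec["type"] == "SOA":
            return int(rec["rdata"][2])
    return None
```

The parser's output is the "lookup table" the DNS record entry describes: each dict is one row, and `soa_serial` pulls out the value the SOA entry says secondaries watch for changes.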