DNS – Should CNAME Be Used for Subdomains

cname-recorddomain-name-system

I manage multiple websites that currently have the following DNS configuration:

example.com      - A Record - Production Server IP
test.example.com - A Record - Test Server IP
www.example.com  - CNAME    - example.com
beta.example.com - CNAME    - test.example.com
dev.example.com  - CNAME    - test.example.com

Is this an appropriate use of CNAME records? I've looked online and have not found a clear answer. Some people claim that CNAME records are bad (they are not, however, clear on why this is) and propose the following setup:

example.com      - A Record - Production Server IP
test.example.com - A Record - Test Server IP
www.example.com  - A Record - Production Server IP
beta.example.com - A Record - Test Server IP
dev.example.com  - A Record - Test Server IP

Which one of these is the better approach (and why)?

Note: The subdomains do not require their own MX records, so that is not an issue here.

Best Answer

Yes, that's an appropriate use of CNAMEs. In the discussions I've been part of, the arguments tend to go like this:

Against CNAMEs:

There is a (tiny) performance penalty, as the downstream DNS caches need to perform 2 DNS lookups, one for the CNAME and one for the A-Record the CNAME points to.
Vague, bogus arguments about CNAMEs having less "authority" or compatibility issues.

In favor of CNAMEs:

They provide a clean abstraction between hardware (physical servers) and services.
They simplify DNS management -- when a server moves, you only need to change one record.

After trying a couple of different ways to do this, I now have a personal favorite style. It is:

One A Record for each physical server; with a fairly low TTL (perhaps 30 minutes); giving the server a human-friendly name.
One CNAME for each service; with a high TTL (perhaps 24 hours); pointing to the above server names.
As the sole exeption to the rules above, the domain root is an A-Record, pointing to the webserver / web load balancer. (The @ is required to be an A-record.)

I find that this setup works well. It keeps extra DNS lookups for the CNAMES down; and if a server crashes I can still change public DNS around fairly fast.

Here's a (improvised) example in BIND syntax:

;name     ttl   class rr     value 
server01  30m   IN    A      192.168.0.3
server02  30m   IN    A      192.168.0.4

webmail   24h   IN    CNAME  server01
extranet  24h   IN    CNAME  server02
ftp       24h   IN    CNAME  server02

Related Solutions

Subdomain CNAME Record – Adding CNAME Without Putting the Subdomain

When a label (name) is a CNAME, no other records are allowed for it. so you can't have something like:

www.example.com  A     1.2.3.4
www.example.com  CNAME test.example.com.

The effect of this, is that you can never have a CNAME for the bare example.com domain, as there are always other records for it: at least the SOA record and one or more NS records and usually one or more MX records. So this must be an A record instead.

What I usually do is go the other way around: make www.example.com a CNAME for example.com.

Best CNAME TTL strategy for fallover switching

Assuming that the apex A record for example.com. was pointing at a broken IP address, most companies I know would change the A record and skip the www change entirely:

Most admins would rather not have their website broken for users who key in the name of the website without the www prefix.
This goes double for admins who don't trust their webapp devs to consistently use www.example.com over example.com. (hint: most of us don't)

Moving on to your linked example, you're comparing apples and oranges. Apex DNS records in web hosting scenarios are a massive pain because of the well-known apex CNAME problem. There are only two correct choices in this circumstance: either the apex A record is changed as necessary to point it at a valid IP, or you forgo having an apex record entirely. Anything between the two is half-baked and inconsistent.

All of this is somewhat beside the point though: if you are relying on manual record changes to handle high availability for your service, you are doing something wrong. The IP address the web browser hits should be a load balancer, an anycast address, a CDN, or a webhosting provider who can provide this high availability if your own server farms cannot. Multiple address records can also work if you're confident that the primary applications consuming them follow follow RFC 6724 guidelines (i.e. most popular web browsers), but many applications are lazy and simply use the first address record returned.

For the sake of the argument, let's examine Google's CNAME chain on its own merits without putting it into the context of your original problem. This will look familiar, as it's the text of my original answer:

Record type is inconsequential here. If the record needs to be changed frequently, it should have a very low TTL. If it doesn't need to be changed frequently, it stands to reason that it doesn't need a low TTL and you can use whatever you're comfortable with.

No one (other than Google) can really comment on why Google wants ghs.l.google.com IN A to have a lower TTL than the CNAME records pointing at it. You can't draw any conclusions without understanding their larger design, and the design is what dictates your moving parts.

Best Answer

Related Solutions

Subdomain CNAME Record – Adding CNAME Without Putting the Subdomain

Best CNAME TTL strategy for fallover switching

Related Topic