DNS & Domain Management

Domains and DNS, handled.

The boring records that quietly govern whether your website resolves, your email arrives, and your domain is recognised across every platform that needs to see it. We register, configure, document, and maintain — so the technical layer of your identity stops being someone’s anxious afterthought.

Sub-techniques covered · A Records · CNAME · MX · TXT · DNSSEC · Cloudflare · Registrar Migration · Subdomain Architecture · TTL Strategy
01 — What’s Included

Nine moving parts.
One tidy record set.

DNS is one of those layers everyone touches and almost nobody owns. A record gets added during a marketing launch, a developer points an MX entry the wrong way, a TTL is left at thirty days because nobody felt confident lowering it — and then, one ordinary Tuesday, something quiet breaks.

Our work is to take a complete inventory, fix what is wrong, document everything that remains, and keep the record set clean as your business grows. We do not sell domains, but we help you buy, transfer, and manage them across whichever registrars and DNS providers make sense for you.

N° 01

A & AAAA Records

Where the site lives

The records that point your domain at the IP address of the server hosting the website. We audit existing A and AAAA records, eliminate stale entries pointing at decommissioned servers, and configure them correctly for your current hosting setup — whether that is a single VPS, a load-balanced cluster, or a managed platform behind a hostname. We also coordinate IPv6 (AAAA) records where the host supports them, because IPv6 reachability is no longer optional for a properly modern domain.

N° 02

CNAME & Alias Records

Aliasing

CNAME records map subdomains to other hostnames — pointing www at a CDN, shop at a Shopify storefront, app at a SaaS instance. They are simple in theory and quietly prone to misuse: stacked CNAMEs that increase resolution time, CNAMEs at the apex (which the DNS spec forbids), and CNAMEs that conflict with MX or TXT records on the same host. We audit every alias, replace flat-CNAME-at-root setups with ALIAS or ANAME equivalents where the provider supports them, and keep the chain shallow so resolution stays fast.

N° 03

MX & Email Routing

Mail delivery

The MX records that decide which mail server receives email for your domain. Wrong priorities, missing fall-backs, lingering MX entries from a previous provider, or a single typo in a hostname — these are the difference between mail that arrives and mail that bounces silently for a week before anyone notices. We configure MX correctly for Google Workspace, Microsoft 365, Tencent Exmail, Zoho, or self-hosted servers, verify delivery end-to-end, and keep the records aligned with the SPF, DKIM, and DMARC work covered on the email-setup page.

N° 04

TXT Records

Verification & policy

TXT records have quietly become one of the most loaded entries in modern DNS — they carry SPF policies, DKIM keys, DMARC reports, domain-ownership verifications for Google, Microsoft, Apple Business, and Cloudflare, and a long tail of platform attestations. We organise them, remove the dozen orphan verifications nobody remembers, keep SPF under the ten-lookup limit, ensure DKIM selectors stay rotated, and document what every record is for so the next person to inherit the zone is not solving a mystery.
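An added example, not the practice's own tooling: a minimal lint pass over an exported record set that flags the CNAME problems listed under CNAME & Alias Records (apex CNAME, CNAME sharing a name with other records, stacked CNAMEs) and an SPF record that exceeds the ten-lookup limit. The zone, the hostnames and the `SPF_TXT` table are constructed sample data, and `audit` and `spf_lookups` are hypothetical helper names.

```python
import re
from collections import defaultdict

APEX = "example.com"
ZONE = [  # constructed sample records (name, type, value), not a real zone
    ("example.com", "CNAME", "host.cdn.example.net"),
    ("example.com", "MX", "10 mx1.mail.example.net"),
    ("example.com", "TXT", "v=spf1 include:_spf.a.example include:_spf.b.example mx a -all"),
    ("www.example.com", "CNAME", "shop.example.com"),
    ("shop.example.com", "CNAME", "stores.example.net"),
]
SPF_TXT = {  # constructed SPF records of included domains, in place of live queries
    "_spf.a.example": "v=spf1 include:_spf.c.example a mx ip4:192.0.2.0/24 ~all",
    "_spf.b.example": "v=spf1 a mx exists:%{i}.bl.example ~all",
    "_spf.c.example": "v=spf1 a mx ptr ~all",
}

def spf_lookups(record, seen=()):
    """Count SPF terms that cost a DNS query, following includes recursively."""
    total = 0
    for term in record.lower().split()[1:]:
        parts = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)
        name, arg = parts[0], parts[-1]
        if name in {"include", "redirect", "a", "mx", "ptr", "exists"}:
            total += 1
        if name in {"include", "redirect"} and arg in SPF_TXT and arg not in seen:
            total += spf_lookups(SPF_TXT[arg], seen + (arg,))
    return total

def audit(zone, apex):
    """Return (finding, name, detail) tuples for CNAME misuse and SPF overruns."""
    findings, types, cname = [], defaultdict(set), {}
    for name, rtype, value in zone:
        types[name].add(rtype)
        if rtype == "CNAME":
            cname[name] = value
        if rtype == "TXT" and value.lower().startswith("v=spf1") and spf_lookups(value) > 10:
            findings.append(("spf-lookup-limit", name, spf_lookups(value)))
    for name, target in cname.items():
        if name == apex:
            findings.append(("cname-at-apex", name, target))
        if types[name] != {"CNAME"}:
            findings.append(("cname-conflict", name, sorted(types[name] - {"CNAME"})))
        if target in cname:
            findings.append(("cname-chain", name, target))
    return findings

if __name__ == "__main__":
    print(*audit(ZONE, APEX), sep="\n")
```

The SPF count here only follows includes present in the sample table; against a live zone each include would be resolved with a TXT query before counting.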

N° 05

DNSSEC

Authenticity

DNSSEC adds cryptographic signatures to your DNS responses so resolvers can verify the records were not tampered with in transit. It is increasingly recommended — and in some industries, required — but it is also the single most common way to break a domain through a registrar transfer or DS-record mismatch. We turn DNSSEC on correctly, coordinate the DS record between your DNS provider and your registrar, monitor for signature failures, and roll keys without disruption when rotation is due. We also know when DNSSEC is not the right call for a particular setup, and we will say so.

N° 06

Cloudflare-Hosted DNS

Edge integration

Cloudflare is the default DNS provider for many of the businesses we work with — fast, free, audit-friendly, and tightly integrated with the CDN, WAF, and bot-management layers. We configure Cloudflare DNS with proxied versus DNS-only records set correctly per use case, handle the subtle interactions between Cloudflare’s flattened CNAME-at-root and your registrar’s NS records, and tune SSL modes so the certificate chain works whether Cloudflare is in front or your origin is exposed directly. The deeper Cloudflare configuration lives on its own page — the DNS surface lives here.

N° 07

Registrar & Provider Migration

Carry without break

Moving a domain between registrars, or moving DNS hosting between providers, is the single highest-risk operation in this entire discipline. The wrong sequence drops mail for hours, breaks the website, or — at worst — leaves the domain temporarily unowned. We plan migrations against a written checklist: lower TTLs in advance, replicate the full record set on the destination, validate every entry, switch nameservers, monitor propagation, and only then complete the transfer. We do not sell domains, but we will help you choose a registrar (we use Cloudflare Registrar, Namecheap, and Porkbun most often), buy or transfer the domain, and document who holds the keys.

N° 08

Subdomain Architecture

Naming discipline

A handful of well-named subdomains is a quiet form of brand discipline; a sprawl of app2., new-shop., old-blog., and test-final-v3. is technical debt accumulating in plain sight. We help you decide what deserves a subdomain, what should live on a path instead, and what should be retired entirely. We also coordinate the SSL coverage that follows — wildcard certificates, multi-SAN certificates, or per-subdomain provisioning — so security never lags behind naming.

N° 09

TTL Strategy & Propagation

Time-to-live

TTLs control how long DNS resolvers cache a record before checking again. Set them too high and a planned migration takes a day to roll forward; set them too low everywhere and you spend resolver capacity for no benefit. We tune TTLs by record type — long for stable apex records, short for records under active change, lowered well in advance of any planned cut-over — and we know how to check propagation honestly using authoritative resolvers rather than the misleading “DNS checker” sites that often misreport. Once a change has settled, we restore sensible defaults so the zone is not perpetually thrashing.

02 — Our Approach

Audit. Document.
Change carefully.

DNS is the area of infrastructure where confidence has to come from process rather than instinct. A wrong record has a propagation delay before it visibly fails, which means mistakes are discovered hours after they were made, by the people they affect rather than by the person who made them. Our approach is shaped by that reality.

i

Inventory before any change

The first deliverable on every DNS engagement is a complete record-set inventory — every A, AAAA, CNAME, MX, TXT, NS, CAA, and SRV entry across every zone you own. We annotate what each record is for, who depends on it, and whether it is current or orphaned. Most clients have never seen this artefact before, and the inventory alone often surfaces three or four entries that should have been removed years ago.

ii

Lower TTLs ahead of cut-over

Any change with rollback risk — a hosting move, a mail-provider switch, a registrar transfer — gets a TTL-lowering pass at least twenty-four hours before the change itself. That way, if something goes wrong, the rollback propagates in minutes rather than hours. After the change has settled, we restore TTLs to sensible long-term values. It is a small piece of discipline that saves entire afternoons.

iii

Verify with authoritative tools

Every change is verified against the authoritative nameserver, not against the local resolver, and not against a third-party DNS-checker site. We use dig, kdig, and the registrar’s own propagation report. Mail records are verified by sending and receiving real test messages. We do not call a change done because the dashboard says it saved.

iv

Document everything, hand it back

The final artefact of every DNS engagement is a written record-set document — your authoritative reference for what is configured, why, and where. We update it whenever a change lands, store it in a place you can access without us, and design it so any competent technical person could pick up maintenance without a knowledge-transfer call. The records are yours. The documentation is yours. Both stay yours when the engagement ends.

03 — Who It’s For

When the records
need a grown-up.

DNS work is rarely the reason a business calls — it is what they discover they need on the way to fixing something else. A migration, a new mail provider, a launch of a new product subdomain, a brand acquisition, an outage with no obvious cause. These are the moments when a tidy DNS layer becomes the difference between a quiet afternoon and a long evening.

A handful of recurring situations where careful DNS work is the unlock.

  • i Businesses preparing a hosting or platform migration: You’re moving from shared hosting to a VPS, from WordPress to Webflow, from Shopify to a custom build — and you would like the cut-over to happen on a Tuesday morning rather than a Friday night.
  • ii Teams whose DNS lives somewhere uncomfortable: Your records are still at the registrar that came free with the domain ten years ago. The control panel is awkward, propagation is slow, and you would like to consolidate to Cloudflare or a modern provider without breaking anything in transit.
  • iii Organisations with portfolios of domains: Primary brand, regional variants, redirect domains, defensive registrations, and a long tail of campaign URLs. Each lives in a different account, with different TXT records, and nobody is fully sure which still need to renew.
  • iv Founders inheriting an undocumented zone: The previous developer or agency held the keys, and now the keys are with you. You need somebody to walk through the records, identify what is current, retire what is dead, and document what remains.
  • v Companies whose mail keeps landing in spam: The diagnosis is almost always at the DNS layer — missing or broken SPF, DKIM, and DMARC entries that nobody has audited end-to-end. We pair this work tightly with the email-setup discipline so the fix is structural rather than cosmetic.

A note on registration: we do not sell domains. We do, however, help you buy them — researching availability, checking trademark conflicts, choosing a registrar that fits your needs, and walking through the purchase with you. If you already own domains, we will help you transfer them to a registrar that suits the rest of your stack, or leave them where they are and manage the DNS layer separately. The choice is yours; our job is to make it informed.

04 — A complimentary report

Curious how Google sees your site?

Send us your URL. We’ll send back a Premium SEO Report, prepared by hand, within 48 hours — domain authority, keyword rankings, backlinks, competitor gap, and the quick wins worth chasing first. We’ll flag any DNS issues we notice along the way.

No sales call required.

DNS is where small mistakes break everything for everyone, hours after the keystroke. The discipline is patience, not cleverness.
— The Aureole Practice —
05 — Frequently Asked

Questions we
get about DNS.

If a question is missing here, the contact link at the foot of the page goes straight to the person who would answer it. No ticket queues, no funnels.

i Do you sell domains, or do we buy them ourselves?
We do not sell domains. We will, however, help you buy, transfer, and manage them. For most clients we recommend Cloudflare Registrar (at-cost pricing, free WHOIS privacy, tightly integrated with Cloudflare DNS), Namecheap (familiar interface, fair pricing, good support), or Porkbun (modern, low-friction, generous TLD coverage). You hold the registrar account and the keys; we configure and maintain the DNS records that live on top. This separation is deliberate — it keeps your domain ownership clean, prevents lock-in, and means a transition to or from us is never blocked by a credential we control.
ii Our DNS is at our registrar — should we move it to Cloudflare?
Most of the time, yes. Cloudflare’s DNS is fast, free, audit-friendly, and integrates cleanly with the CDN, WAF, and SSL layers we typically configure on top. It also has a much better interface for change management and rollback than the average registrar’s bundled DNS. The exceptions are when you have heavy investment in a different DNS provider (Route 53, NS1, DNSimple) for compliance or tooling reasons, or when your registrar’s DNS is already adequate and the migration risk outweighs the gain. We assess your specific situation rather than recommending the move by default.
iii How long does a DNS or domain change actually take to take effect?
It depends on the record’s TTL and the resolvers caching it along the way. A record with a one-hour TTL will fully propagate in roughly an hour after the change. A record with a twenty-four-hour TTL can take up to a day. Nameserver changes — the kind involved in moving DNS hosting — can take up to forty-eight hours in the worst case, though most resolvers see them within a couple of hours. We always lower TTLs at least a day before any planned change, so propagation is fast in both directions. The myth of “forty-eight hours for any DNS change” comes from people who never lower their TTLs first.
iv Can you take over a zone someone else configured?
Yes — and this is a common starting point. We will inventory the existing record set, identify orphan or risky entries, document what each record is for, and either keep the zone where it is and clean it up, or migrate it to a provider that fits the rest of your stack. We do not insist on rebuilding from scratch unless the existing zone is genuinely broken; most of the time, a careful audit and a documentation pass is enough to bring things back into good order. Either way, you keep ownership of the records and the registrar account throughout.
v Is DNSSEC worth turning on?
For most modern domains, yes. DNSSEC adds cryptographic verification so resolvers can detect tampered DNS responses, and most quality registrars and DNS providers now make it a one-click toggle. The catch is that DNSSEC interacts with registrar transfers — moving a DNSSEC-signed domain between registrars without coordinating the DS record correctly will take the domain offline. We turn DNSSEC on carefully, monitor for signature failures, and disable it temporarily before any planned registrar transfer. For a handful of domains where the tooling is poor or the operational risk outweighs the security benefit, we leave it off and document the decision.
vi What’s the difference between this and the Cloudflare and SSL pages?
The DNS layer is one thing; the CDN, WAF, and certificate layers are others. This page covers records, registrars, and zone management — the layer that decides where a hostname resolves. The Cloudflare & CDN page covers the proxying, caching, security, and edge-rule configuration that sits in front of your origin. The SSL/TLS & Security Baseline page covers certificate provisioning, renewal automation, and the security headers that protect visitors. The three disciplines overlap — DNS is the foundation, Cloudflare often sits on top, and SSL spans both — and we frequently engage on all three together. They live on separate pages so you can scope each independently if you need to.
The Invitation

Ready to tidy
the records?

Tell us what is on the zone today — or what you wish were. We’ll respond within one business day with a clear assessment, a record-set inventory plan, and a scope that fits your timeline.

Mon–Fri · 9–6 PT · support@aureoleintelligence.com · Reply within 1 business day