DNS FAQ

Common questions about DNS, propagation, and record types.

How long does a DNS change take to propagate?

On our managed DNS (Cloudflare), authoritative servers receive the change in under five seconds. End-user resolvers cache previous answers up to the previous record’s TTL — so if the old record had ttl=3600, some users may see stale data for an hour.

If a fast change matters, lower the TTL on the existing record several hours before the change. By the time you make the change, resolvers hold only short-lived cached answers, so the new value is picked up quickly.

What’s the difference between A and CNAME?

A points to an IP address. CNAME points to another hostname. Browsers and resolvers chase CNAMEs until they reach an A or AAAA.

You can’t have a CNAME at the apex (example.com.au) on traditional DNS — the apex must answer authoritatively. Cloudflare-managed zones flatten apex CNAMEs by resolving them at request time, so CNAME example.com.au → cname.vercel-dns.com works on managed DNS even though it’d fail elsewhere.

What’s a TTL? What should I set it to?

TTL (time-to-live) is how long resolvers cache a record. Higher = less load, less responsive. Lower = more load, faster changes.

For most records, our default of auto (Cloudflare-tuned, usually around 300s) is right. Drop to 60s before a planned migration. Set 3600+ for stable infrastructure records that never change.

What’s the difference between proxied and DNS-only?

Proxied (orange cloud in Cloudflare terminology) routes traffic through Cloudflare’s CDN — the client sees a Cloudflare IP, not your origin. You get caching, DDoS protection, and free TLS.

DNS-only (grey cloud) returns your origin IP directly. Use it for records that need the real IP exposed: mail (MX), some SaaS verifications (TXT), or origin-pull CDNs.

My SPF/DKIM/DMARC records aren’t working. Why?

The three most common causes:

  1. Multiple SPF records. The SPF RFC allows only one TXT record beginning with v=spf1 per hostname. Combine them into one.
  2. Quoted vs unquoted. SPF and DKIM values begin with a version tag (v=spf1, v=DKIM1). Don’t wrap them in extra quotes; paste the value verbatim into the content field.
  3. DKIM split incorrectly. Long DKIM keys are split into 255-char segments separated by spaces. Our API accepts the full key as one string and chunks it correctly. If you’ve manually split it elsewhere, paste the full unsplit version.
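The three causes above can be checked before records are pasted in. The following is an added example, not DomainGenius code: lint_txt, chunk_txt and all sample records are hypothetical names and constructed data, and the input is assumed to be (name, content) pairs exactly as they would be typed into a content field.

```python
import re

MAX_STRING = 255  # one TXT character-string holds at most 255 bytes

def chunk_txt(value):
    """Split an ASCII TXT value into character-strings of <= 255 chars."""
    return [value[i:i + MAX_STRING] for i in range(0, len(value), MAX_STRING)]

def lint_txt(records):
    """records: (name, content) pairs as typed into a DNS content field."""
    findings, spf_seen = [], {}
    for name, content in records:
        name, value = name.lower().rstrip("."), content.strip()
        # Cause 2: the whole value wrapped in one extra pair of quotes.
        if len(value) > 1 and value[0] == value[-1] == '"' and '"' not in value[1:-1]:
            findings.append(f"{name}: extra quotes around value")
            value = value[1:-1]
        # Cause 1: count SPF policies per name.
        if re.match(r"v=spf1(\s|$)", value, re.I):
            spf_seen[name] = spf_seen.get(name, 0) + 1
        # Cause 3: DKIM key that still carries manual split markers.
        if value.lstrip('"').startswith("v=DKIM1"):
            m = re.search(r"\bp=([^;]*)", value)
            if m and re.search(r'[\s"]', m.group(1).strip().strip('"')):
                findings.append(f"{name}: DKIM key was split by hand, paste it unsplit")
    findings += [f"{n}: {c} SPF records, combine into one"
                 for n, c in spf_seen.items() if c > 1]
    return findings

FAKE_KEY = "MIIB" + "A" * 388  # constructed placeholder, not a real key
SAMPLE = [  # constructed records for illustration
    ("example.com.au", "v=spf1 include:spf.example.net ~all"),
    ("example.com.au", '"v=spf1 include:mail.example.org ~all"'),
    # key split by hand into 255-char pieces joined with a space
    ("sel1._domainkey.example.com.au",
     "v=DKIM1; k=rsa; p=" + " ".join(chunk_txt(FAKE_KEY))),
    ("sel2._domainkey.example.com.au", "v=DKIM1; k=rsa; p=" + FAKE_KEY),
]

if __name__ == "__main__":
    for finding in lint_txt(SAMPLE):
        print(finding)
```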

Can I move DNS away from DomainGenius without transferring the domain?

Yes. Update the domain’s nameservers to point elsewhere (Route 53, Google Cloud DNS, your own BIND, whatever):

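```bash
# Point the domain at external nameservers; registration stays with DomainGenius.
# The body is JSON, so declare it (curl -d defaults to form encoding).
curl -X PATCH "https://api.domaingenius.com.au/api/v1/orgs/$DG_ORG/domains/example.com.au" \
  -H "Authorization: Bearer $DG_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "nameserver_one": "ns1.elsewhere.com", "nameserver_two": "ns2.elsewhere.com" }'
```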

The domain stays registered with us; DNS authority moves. You lose the convenience of managed DNS (presets, our API, our edge) but keep registration.

What about DNSSEC?

Managed DNS zones get DNSSEC signed automatically — Cloudflare handles key rollover. The DS record at the registry is published on registration. To disable (rare — usually only for migration), email support@domaingenius.com.au.

Why does dig show different results from my browser?

Browsers and OSes have multiple cache layers (DNS resolver cache, browser cache, OS resolver cache). dig +short @1.1.1.1 queries Cloudflare’s public resolver directly, bypassing all of them. If dig is correct and the browser is wrong, flush:

  • macOS: sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder
  • Linux (systemd): sudo resolvectl flush-caches (on older releases: sudo systemd-resolve --flush-caches)
  • Windows: ipconfig /flushdns
  • Browser: hard reload, or restart.

How many records can a single zone hold?

Practically: thousands. Cloudflare’s plan-level limits start at 1,000 records and scale up. We don’t add a layer on top.

Can I import a zone from somewhere else?

Yes — paste a BIND zone file at /dashboard/domains/<name>/dns/import. Records are previewed before being applied. Imports are atomic — all or none.
