What is an HTTPS record?
An HTTPS record is a DNS record type used to convey information about how to reach an HTTPS service endpoint, along with parameters that describe how to connect to it securely. It is a specialization of the SVCB (Service Binding) record type defined in RFC 9460, tailored specifically for HTTP and HTTPS services. An HTTPS record allows clients to discover in a single DNS lookup whether a service supports modern protocols such as HTTP/2 or HTTP/3 over QUIC, what port to connect on, and whether Encrypted Client Hello (ECH) is available — eliminating additional round trips and enabling faster, more private connections. Browsers and HTTP clients that support HTTPS records will use them automatically when connecting to web services.
HTTPS record format
A typical HTTPS record looks like the following in standard BIND format:
$ORIGIN example.com.
@ 3600 IN HTTPS 1 . alpn="h2,h3" port="443"
The anatomy of the HTTPS record is shown below:
| Host Label | TTL | Record Class | Record Type | SvcPriority | TargetName | SvcParams |
|---|---|---|---|---|---|---|
| example.com. | 3600 | IN | HTTPS | 1 | . (same as owner name) | alpn="h2,h3" port="443" |
Host Label
The host label identifies the domain or subdomain for which the HTTPS service binding applies. Unlike SVCB, which uses a _service._proto.name format, HTTPS records are looked up directly under the hostname of the service. For example, an HTTPS record for example.com has the owner name example.com. and one for the subdomain www.example.com has the owner name www.example.com. (each written with a trailing dot). The @ symbol in the BIND format above represents the zone apex (the root of the domain).
TTL
The time-to-live in seconds. It specifies how long a resolver is supposed to cache the DNS response before it expires and a new query needs to be made.
Record Class
Mainly 3 classes of DNS records exist:
- IN (Internet) – the default, and generally what the Internet uses.
- CH (Chaosnet) – used for querying DNS server versions.
- HS (Hesiod) – uses DNS functionality to provide access to databases of information that change infrequently.
Record Type
The record format is defined using this field. Common record types are A, AAAA, CNAME, CAA, TXT, etc. In the case of an HTTPS record, the record type is HTTPS.
SvcPriority
An integer value that controls the order in which HTTPS records are tried when multiple records exist for the same owner name. Lower values indicate higher priority. The special value 0 designates the record as an AliasMode record, directing the client to follow the TargetName for the actual service parameters. Any value of 1 or greater designates the record as a ServiceMode record that directly describes the endpoint. When multiple ServiceMode records share the same priority, clients may choose among them at random.
TargetName
The domain name of the endpoint that provides the HTTPS service. In AliasMode (SvcPriority 0), the client follows this name to find the actual ServiceMode HTTPS records. In ServiceMode (SvcPriority 1 or greater), this is the hostname clients connect to. A value of . (a single dot) indicates that the TargetName is the same as the owner name of the record, which is the most common configuration when the HTTPS record is published directly at the service hostname.
SvcParams
An optional set of key-value parameters that describe how to connect to the HTTPS endpoint. SvcParams are only present in ServiceMode records (SvcPriority >= 1). Common SvcParam keys for HTTPS records include:
- alpn – A comma-separated list of Application-Layer Protocol Negotiation (ALPN) protocol identifiers supported by the service, such as h2 for HTTP/2 or h3 for HTTP/3 over QUIC. Clients use this to negotiate the best available protocol without an additional round trip.
- port – The TCP or UDP port number of the HTTPS endpoint, if different from the default port 443.
- ipv4hint – A comma-separated list of IPv4 addresses that clients may use as a connection hint for the target, avoiding a separate A record lookup.
- ipv6hint – A comma-separated list of IPv6 addresses that clients may use as a connection hint for the target, avoiding a separate AAAA record lookup.
- ech – Encrypted Client Hello configuration, encoded in Base64, allowing clients to encrypt the TLS ClientHello to protect the SNI and other sensitive handshake fields from network observers.
- no-default-alpn – A flag indicating that the default HTTPS protocol should not be assumed; only the protocols explicitly listed in the alpn parameter are supported by this endpoint.
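As an added illustration (not part of the original page and not Dynu's code), the Python example below parses HTTPS records in the BIND presentation format shown above, checks the SvcPriority and SvcParams rules described in this section, and returns the ServiceMode endpoints in the order a client would try them. The function names and the sample records are constructed for this example; the implied default protocol "http/1.1" comes from RFC 9460 rather than from this page.

```python
import random
import re
import shlex

# owner TTL IN HTTPS SvcPriority TargetName [SvcParams...]
_RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+HTTPS\s+(\d+)\s+(\S+)\s*(.*)$")

def parse_https_rr(line, origin):
    """Parse one presentation-format HTTPS record and lint its SvcParams."""
    m = _RR.match(line.strip())
    if not m:
        raise ValueError(f"not an HTTPS record: {line!r}")
    owner, ttl, prio, target, rest = m.groups()
    owner, prio = (origin if owner == "@" else owner), int(prio)
    params = {}
    for token in shlex.split(rest):          # shlex strips the double quotes
        key, _, value = token.partition("=")
        if key in params:
            raise ValueError(f"duplicate SvcParam {key!r}")
        params[key] = value                  # flag keys (no-default-alpn) map to ""
    if prio == 0 and params:
        raise ValueError("AliasMode record (SvcPriority 0) carries SvcParams")
    if "no-default-alpn" in params and "alpn" not in params:
        raise ValueError("no-default-alpn without an alpn list")
    alpn = params["alpn"].split(",") if "alpn" in params else []
    if prio and "no-default-alpn" not in params:
        alpn.append("http/1.1")              # RFC 9460 default protocol for HTTPS
    return {
        "owner": owner, "ttl": int(ttl), "priority": prio,
        "mode": "service" if prio else "alias",
        # "." means "same as owner name" in ServiceMode; left untouched in AliasMode
        "target": owner if (prio and target == ".") else target,
        "port": int(params.get("port", 443)),
        "alpn": alpn, "ech": "ech" in params,
    }

def connection_plan(lines, origin):
    """ServiceMode endpoints, lowest SvcPriority first, equal priorities shuffled."""
    rrs = [parse_https_rr(line, origin) for line in lines]
    service = [r for r in rrs if r["mode"] == "service"]
    return sorted(service, key=lambda r: (r["priority"], random.random()))

# Constructed sample RRset for example.com. (not taken from a real zone)
SAMPLE = [
    '@ 3600 IN HTTPS 2 backup.example.net. alpn="h2" no-default-alpn port="8443"',
    '@ 3600 IN HTTPS 1 . alpn="h2,h3" port="443"',
]
```

Calling connection_plan(SAMPLE, "example.com.") lists example.com. on port 443 first and backup.example.net. on port 8443 second; the second record offers only h2 because no-default-alpn removes the implied default.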
How to add an HTTPS record?
For instructions on how to add an HTTPS record with us, you may refer to the tutorial here.
HTTPS record glossary
AliasMode
An HTTPS record with SvcPriority set to 0 operates in AliasMode. It directs the client to follow the TargetName to find the actual ServiceMode HTTPS records, functioning similarly to a CNAME. AliasMode is particularly useful at the zone apex, where a CNAME record cannot be used, allowing the domain root to delegate HTTPS service binding lookups to another name such as a CDN or load balancer hostname.
ServiceMode
An HTTPS record with SvcPriority set to 1 or greater operates in ServiceMode. It directly describes the HTTPS endpoint and its connection parameters via SvcParams. Clients try ServiceMode records in priority order, lowest number first, and may use the IP hints (ipv4hint, ipv6hint) to connect immediately without waiting for additional A or AAAA lookups.
ALPN (Application-Layer Protocol Negotiation)
ALPN is a TLS extension that allows the client and server to agree on which application-layer protocol to use during the TLS handshake. By advertising supported ALPN identifiers in an HTTPS record, a server lets clients know in advance whether HTTP/2 (h2) or HTTP/3 (h3) is available, enabling protocol upgrades without an extra connection attempt.
ECH (Encrypted Client Hello)
Encrypted Client Hello is a TLS extension that encrypts the TLS ClientHello message, concealing the Server Name Indication (SNI) and other metadata from network observers. The ECH configuration needed for a client to encrypt its hello is distributed via the ech SvcParam in an HTTPS record.
HTTP/3 and QUIC
HTTP/3 is the latest version of the HTTP protocol, running over the QUIC transport rather than TCP. QUIC provides multiplexed streams, built-in encryption, and faster connection establishment. An HTTPS record advertising h3 in its alpn parameter signals to clients that the server supports HTTP/3, allowing them to connect over QUIC directly.
SVCB record
The SVCB (Service Binding) record is the general-purpose parent type from which the HTTPS record is derived. SVCB and HTTPS share the same wire format and SvcParam keys. While SVCB can be used for any service type using the _service._proto.name label convention, the HTTPS record type is reserved specifically for HTTP and HTTPS services and is looked up directly at the service hostname.
BIND
Berkeley Internet Name Daemon (BIND) is the most commonly used DNS software on the Internet, and Dynu observes the BIND format.
