Part 2 · Lesson 04
Routing the Internet to Your Server

DNS, Domains & How Traffic Flows

A records, CNAMEs, and how the browser finds your container.

beginner · 10 min read · Updated 2026-04-11

The four-hop journey from name to server

When you type example.com in a browser, four things happen in sequence: your computer asks a recursive resolver (usually your ISP's, or a public one such as 1.1.1.1); the resolver walks the DNS hierarchy (root → .com → the authoritative nameservers your registrar has delegated the domain to); those nameservers hand the resolver an IP address, which it caches and passes back to your computer; and the browser opens a TCP connection to that IP on port 443. The whole chain takes tens of milliseconds when nothing is cached, and no time at all when something is: your browser, your operating system and the resolver each keep their own cache. Understanding it is how you debug "why is my site down?" when the answer is "it is not, your DNS is stale": ask the authoritative nameserver directly (dig @nameserver example.com) and compare the answer with what your resolver returns (dig example.com).
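The walk above, modelled as an added example (not code from the lesson): a toy hierarchy of three servers, each knowing only its delegations (NS record plus glue address) and the records it is authoritative for, and a resolver that starts at the root and follows referrals downward. The server addresses are RFC 5737 documentation addresses chosen for the example, and a CNAME answer is handled by restarting the walk for the target; a real resolver would ask the same authoritative server again and cache every referral.

```python
"""Toy model of the resolver's walk from the root down to the authoritative
nameserver. Constructed example: the server addresses are RFC 5737
documentation addresses and the hierarchy holds a single domain."""

# Each server knows two things: the delegations it hands out (child zone ->
# address of that zone's nameserver, i.e. the NS record plus its glue) and
# the records it is authoritative for.
SERVERS = {
    "198.51.100.1": {  # a root server
        "delegations": {"com": "198.51.100.2"},
        "records": {},
    },
    "198.51.100.2": {  # a .com TLD server
        "delegations": {"example.com": "198.51.100.3"},
        "records": {},
    },
    "198.51.100.3": {  # example.com's authoritative server (your DNS provider)
        "delegations": {},
        "records": {
            "example.com": ("A", "203.0.113.10"),
            "www.example.com": ("CNAME", "example.com"),
        },
    },
}


def query(server_ip, name):
    """One question to one server. Returns ('answer', (type, value)),
    ('referral', child_server_ip) or ('nxdomain', None)."""
    server = SERVERS[server_ip]
    if name in server["records"]:
        return "answer", server["records"][name]
    # Refer the asker to the most specific delegated zone containing the name.
    best = None
    for zone, ns_ip in server["delegations"].items():
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best[0]):
                best = (zone, ns_ip)
    if best is not None:
        return "referral", best[1]
    return "nxdomain", None


def resolve(name, root_ip="198.51.100.1", max_queries=16):
    """Iterative resolution as a recursive resolver performs it: start at the
    root, follow referrals down, and when the answer is a CNAME restart the
    walk for the target. Returns (ipv4 or None, list of (server, name, result))."""
    trace = []
    server = root_ip
    for _ in range(max_queries):
        kind, data = query(server, name)
        trace.append((server, name, kind))
        if kind == "referral":
            server = data
        elif kind == "answer":
            rtype, value = data
            if rtype == "A":
                return value, trace
            name, server = value, root_ip  # CNAME: resolve the target from the top
        else:
            return None, trace
    return None, trace  # loop or over-long chain: give up


if __name__ == "__main__":
    ip, trace = resolve("www.example.com")
    for server, qname, result in trace:
        print(f"ask {server:<14} for {qname:<18} -> {result}")
    print("answer:", ip)
```

Run it and count the lines: three queries to reach the A record for example.com, six for www.example.com because the CNAME sends the resolver back to the top. That is the work your resolver does on your behalf; the browser only ever talks to the resolver.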

The only two records you need

An A record maps a name to an IPv4 address: example.com → 203.0.113.10. That is it. Almost every self-hosted setup works with nothing more exotic (add an AAAA record, the IPv6 equivalent, if your host has a public IPv6 address).

A CNAME record maps a name to another name: www.example.com → example.com. Use it for subdomains that should follow the main domain, so that changing one A record moves all of them. Two catches. First, a CNAME must be the only record at its name, and the apex (example.com itself) always carries SOA and NS records, so the spec does not allow a CNAME there; some DNS providers emulate one with "CNAME flattening" (Cloudflare) or alias records (Route 53), answering with the target's addresses instead. Second, a CNAME keeps pointing after its target is gone: when you retire a service hosted on a shared platform, delete the CNAME as well, because a name that still points at a hostname anyone can claim is the classic setup for subdomain takeover.

TTL: the reason your changes take hours

Every DNS record has a TTL (time to live) that tells resolvers how long they may cache it. With a TTL of 3600, a resolver that fetched the record a minute before you changed it keeps answering the old value for the next 59 minutes, and nothing you do at the nameserver shortens that, because the resolver will not ask again until its copy expires. So before a migration, lower the TTL to 300 (5 minutes) at least one old TTL ahead, and a day ahead to be safe: the lower value only reaches a resolver once its cached copy, with the old TTL, has expired. Afterwards, raise it back: a low TTL means every client re-queries every few minutes, which both loads your DNS provider and makes your site only as available as that provider.
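The timing argument, as an added example (not part of the lesson): a model of many caching resolvers, each re-fetching the record the instant its cached copy expires and each starting at a different phase within one old TTL. The function reports how long after the cut-over the worst-placed resolver still hands out the old address, for a TTL that was never lowered, lowered at the moment of the change, lowered half an old TTL ahead, and lowered a full old TTL or a day ahead. The addresses are RFC 5737 documentation addresses and the timestamps are made up; the behaviour of the cache is the standard one.

```python
"""Why the TTL has to be lowered one old-TTL *before* a record change.
Constructed model of TTL-honouring resolver caches, not a real resolver."""

OLD_IP, NEW_IP = "203.0.113.10", "198.51.100.20"  # RFC 5737 documentation addresses


def stale_window(lower_ttl_at, change_at, old_ttl=3600, new_ttl=300):
    """Seconds after `change_at` during which the worst-placed resolver still
    answers OLD_IP.

    lower_ttl_at: when the operator drops the TTL from old_ttl to new_ttl
                  (None = never); the record's value is unchanged at that point.
    change_at:    when the record is repointed from OLD_IP to NEW_IP.
    Every resolver re-fetches the record the instant its cached copy expires,
    and resolvers start at every possible phase within one old TTL."""

    def ttl_at(t):
        if lower_ttl_at is not None and t >= lower_ttl_at:
            return new_ttl
        return old_ttl

    worst = 0
    for phase in range(old_ttl):
        fetched_at = phase
        while fetched_at < change_at:               # every fetch before the change caches OLD_IP
            expires = fetched_at + ttl_at(fetched_at)
            if expires > change_at:                  # that copy outlives the change: stale answers
                worst = max(worst, expires - change_at)
                break
            fetched_at = expires                     # copy expired in time; re-fetch and carry on
    return worst


if __name__ == "__main__":
    change = 90_000  # arbitrary instant, about a day into the simulation
    scenarios = [
        ("TTL never lowered", None),
        ("lowered at the same moment as the change", change),
        ("lowered 30 min ahead (half the old TTL)", change - 1_800),
        ("lowered 60 min ahead (one old TTL)", change - 3_600),
        ("lowered a day ahead", change - 86_400),
    ]
    for label, lowered_at in scenarios:
        print(f"{label:<45} stale for up to {stale_window(lowered_at, change):>5} s")
```

The numbers fall out of the cache rule alone: a copy fetched one second before the change lives for its full TTL, so the exposure is just under the TTL that copy was fetched with. Lowering at the same moment as the change helps nobody, lowering half an old TTL ahead halves the exposure, and lowering one full old TTL ahead guarantees every resolver has picked up the short TTL before you cut over.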

Use Cloudflare as your nameserver

Your registrar (Namecheap, Porkbun, whoever) is for buying domains. Your nameserver is for answering DNS queries, and Cloudflare's free plan is the best choice for 99% of self-hosters: global anycast, fast propagation, free DDoS protection, and a clean UI. Point your registrar's nameservers at Cloudflare once, then make every record change in Cloudflare. Do not forget the registrar account, though: whoever controls it can change the nameserver delegation and with it everything below, so turn on two-factor authentication and the transfer lock there, and keep the renewal paid.

Proxied vs DNS-only

In Cloudflare, the orange cloud toggle is "proxied": traffic flows through Cloudflare's edge, browsers see a Cloudflare address, and your origin IP stays out of DNS. The grey cloud is "DNS only": Cloudflare just returns your real IP. Start in DNS-only mode while Let's Encrypt issues your first certificate via the HTTP challenge. The challenge can also succeed through the proxy, but only if nothing at the edge redirects or rewrites the /.well-known/acme-challenge/ path, and DNS-only removes that variable (a DNS challenge works either way). Flip to proxied once the origin serves HTTPS, and set Cloudflare's SSL/TLS mode to Full (strict) so the edge verifies your origin certificate. Remember that the proxy hides the IP only from DNS: any DNS-only record pointing at the same machine, or a firewall that accepts connections from anyone, gives it away. If hiding the origin matters, restrict inbound traffic to Cloudflare's published IP ranges.
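Both the record rules from the A/CNAME section and the exposure point just made can be checked mechanically over a zone before you hit save. The following is an added example, not code from the lesson or from Cloudflare: a small zone held as a list of records with a `proxied` flag standing in for the orange-cloud toggle, a check for the two CNAME rules (no CNAME at the apex, no CNAME beside another record at the same name), a CNAME follower that notices loops and targets the zone cannot answer for, and a check for DNS-only A records that carry the same address as a proxied one. The zone contents and the 203.0.113.0/24 addresses are constructed for the example.

```python
"""Sanity checks over a zone: the CNAME rules and the origin-exposure check.
Constructed example; the Record type and the zone are not a provider's API."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str               # fully qualified, no trailing dot
    rtype: str              # "A", "CNAME", "MX", ...
    value: str              # IPv4 address for A, target name for CNAME
    proxied: bool = False   # the orange-cloud toggle; False = DNS only


def check_cname_rules(zone, apex):
    """Human-readable violations of the two CNAME rules."""
    by_name = {}
    for r in zone:
        by_name.setdefault(r.name, []).append(r)
    problems = []
    for name, recs in by_name.items():
        if not any(r.rtype == "CNAME" for r in recs):
            continue
        if name == apex:
            problems.append(f"{name}: CNAME at the apex; use an A record or the provider's alias/flattening")
        if len(recs) > 1:
            problems.append(f"{name}: CNAME must be the only record at this name")
    return problems


def resolve_a(zone, name, max_hops=8):
    """Follow CNAMEs inside this zone to the final IPv4 addresses (sorted).
    Returns [] for a loop, a chain longer than max_hops, or a target this zone
    does not answer for: an off-zone target needs a live lookup, and one that
    nobody answers for is dangling."""
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            return []
        seen.add(name)
        recs = [r for r in zone if r.name == name]
        addrs = sorted(r.value for r in recs if r.rtype == "A")
        if addrs:
            return addrs
        targets = [r.value for r in recs if r.rtype == "CNAME"]
        if not targets:
            return []
        name = targets[0]
    return []


def exposed_origins(zone):
    """Names answered DNS-only whose A record carries an address that another,
    proxied record is supposed to hide. Querying such a name reveals the origin."""
    hidden = {r.value for r in zone if r.rtype == "A" and r.proxied}
    return sorted(r.name for r in zone
                  if r.rtype == "A" and not r.proxied and r.value in hidden)


# Constructed example zone (RFC 5737 documentation addresses), not a real one.
EXAMPLE_ZONE = [
    Record("example.com", "A", "203.0.113.10", proxied=True),
    Record("www.example.com", "CNAME", "example.com", proxied=True),
    Record("blog.example.com", "CNAME", "www.example.com", proxied=True),
    Record("mail.example.com", "A", "203.0.113.10"),                 # DNS only, same box
    Record("old.example.com", "CNAME", "app.hosting.example.net"),  # target outside the zone
]

if __name__ == "__main__":
    print("CNAME rule violations:", check_cname_rules(EXAMPLE_ZONE, "example.com"))
    print("blog.example.com ->", resolve_a(EXAMPLE_ZONE, "blog.example.com"))
    print("old.example.com  ->", resolve_a(EXAMPLE_ZONE, "old.example.com"), "(needs a live lookup)")
    print("origin exposed by:", exposed_origins(EXAMPLE_ZONE))
```

On the example zone the CNAME rules pass, blog.example.com flattens to the apex address, and mail.example.com is flagged: it is DNS-only on the same machine, so the proxied records hide nothing. Proxying it is not the fix, since Cloudflare's free proxy carries HTTP(S) only; either put mail on a different address or accept the exposure and rely on the origin firewall. The old.example.com chain leaves the zone, which is exactly the record to re-check against a live lookup whenever the service behind it is retired.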

Key takeaways

  • A records are 95% of what you need: map a name to an IP
  • TTLs cache DNS; lower yours at least one old TTL before a migration, then raise it back
  • Cloudflare's free tier is the best nameserver for self-hosters; the registrar account still controls the delegation, so lock it down
  • Start in DNS-only mode so the first Let's Encrypt HTTP challenge succeeds; proxying hides the origin IP only if no other record or open firewall reveals it
