A custom domain’s DNS records are a surprisingly complex, multi-layered system that determines not just where your website lives, but also how securely it’s accessed.
Let’s see what happens when a request hits your Vercel custom domain.
Imagine a user types www.example.com into their browser.
- DNS Resolution: The browser first asks a DNS resolver (usually provided by their ISP or a public service like Google’s 8.8.8.8) for the IP address associated with www.example.com.
- Vercel’s Role: The DNS resolver, through a chain of queries, eventually finds Vercel’s authoritative DNS servers for example.com. These servers contain the specific DNS records Vercel has configured for your domain.
- IP Address Return: Vercel’s DNS servers respond with an IP address (or more commonly, a CNAME target) that points to Vercel’s infrastructure.
- TLS Handshake: Once the browser has the IP address, it initiates a TLS (Transport Layer Security) handshake to establish a secure connection. This involves exchanging certificates and agreeing on encryption methods. Vercel automatically provisions and renews Let’s Encrypt certificates for your custom domains.
- HTTP Request: With a secure connection established, the browser sends an HTTP request for the content of www.example.com.
- Vercel Serves Content: Vercel’s edge network receives the request, routes it to the appropriate deployment, and serves the requested content.
Here’s a typical Vercel DNS configuration for a custom domain, as seen in your Vercel dashboard:
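| Type  | Name    | Value                                   | TTL       |
|-------|---------|-----------------------------------------|-----------|
| A     | @       | 76.76.21.21                             | Automatic |
| CNAME | www     | cname.vercel-dns.com.                   | Automatic |
| TXT   | _vercel | vercel=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx | Automatic |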
- The A record for the apex domain (@ or example.com) points directly to Vercel’s Anycast IP address. This is a stable IP address that Vercel uses for its global edge network.
- The CNAME record for www points to Vercel’s specific CNAME target. This allows Vercel to manage the underlying IP addresses without you needing to update your DNS records.
- The TXT record is used by Vercel for domain verification, ensuring you own the domain and can manage its DNS.
The TLS certificate management is where Vercel truly shines. When you add a custom domain, Vercel automatically attempts to provision a Let’s Encrypt TLS certificate. This process involves Vercel’s servers proving to Let’s Encrypt that they control the domain, usually via the TXT record or by responding to HTTP challenges. Once provisioned, Vercel handles the renewal process automatically, typically every 60-90 days, ensuring your site remains secure without manual intervention.
The most surprising thing about Vercel’s TLS handling is that it’s entirely automated. You don’t need to upload or manage certificate files. Vercel’s system interfaces directly with Let’s Encrypt and handles the ACME (Automated Certificate Management Environment) protocol on your behalf. This means that as long as your domain’s DNS is correctly configured to point to Vercel, your TLS certificates will be issued, renewed, and deployed seamlessly.
Let’s delve into the DNS configuration for a root domain (example.com) versus a subdomain (www.example.com). For the root domain, you’ll typically use an A record pointing to Vercel’s Anycast IP: 76.76.21.21. This is a direct IP address assignment. However, for subdomains like www, Vercel strongly recommends using a CNAME record with cname.vercel-dns.com. as its target, because Vercel’s infrastructure, including the underlying IP addresses, can change. Using a CNAME allows Vercel to update their internal IP addresses without requiring you to manually change your DNS records. If you were to use an A record for www, you’d be responsible for keeping that IP address updated, which defeats much of the automation Vercel provides.
The crucial part of the CNAME record is the trailing dot in cname.vercel-dns.com. (the final dot is part of the value). This dot signifies the end of the domain name and is important for DNS resolution. Without it, a DNS resolver might interpret cname.vercel-dns.com as a subdomain of your own domain (e.g., cname.vercel-dns.com.example.com), leading to resolution failures. Always ensure your CNAME target includes the trailing dot when specified by Vercel.
Beyond the basic A and CNAME records, Vercel often requires a TXT record for domain verification. This record, typically TXT _vercel vercel=YOUR_VERIFICATION_STRING, acts as a cryptographic handshake. When Vercel needs to prove domain ownership to Let’s Encrypt for TLS certificate issuance (via DNS-01 challenge), it uses this TXT record. Let’s Encrypt queries for this specific record, and if it matches what Vercel expects, ownership is confirmed. This is a critical step for automated certificate provisioning, and if it’s missing or incorrect, your TLS certificate won’t be issued or renewed.
The actual process of Vercel issuing a certificate involves Let’s Encrypt sending a request to Vercel’s DNS servers for a specific TXT record. Vercel’s system then generates a unique token and adds it as a TXT record for your domain. Let’s Encrypt queries for this record. If it’s found, the domain is verified, and the certificate is issued. This entire process is automated, but it relies on the DNS records being correctly configured and propagated.
If you’re encountering issues with your custom domain, especially with TLS, the very first thing to check is the DNS propagation status. Tools like dig (on Linux/macOS) or online DNS checkers (like whatsmydns.net) are invaluable. For example, to check the A record for your root domain:
dig example.com A +short
And for the CNAME record for www:
dig www.example.com CNAME +short
You should see 76.76.21.21 for the A record and cname.vercel-dns.com. for the CNAME record. If these are not showing up correctly across multiple geographic locations, it indicates a DNS propagation delay or a misconfiguration at your domain registrar. The fix is usually to wait for propagation (which can take up to 48 hours, though often much faster) or to correct the records at your registrar.
The next common pitfall is the TXT record for verification. If your TLS certificate is stuck in a "Pending" state or fails to issue, check this record:
dig _vercel.example.com TXT +short
It should output a string starting with vercel=. If this is missing or incorrect, add or correct the TXT record in your DNS settings. This record is essential for Vercel to prove domain ownership to Let’s Encrypt.
Finally, ensure there are no conflicting DNS records. For instance, having both an A record and a CNAME record for the same host (e.g., www) will cause issues. DNS resolvers will typically prioritize CNAME records, but having both can lead to unpredictable behavior. Remove any extraneous or conflicting records for the host you are configuring.
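The checks above (expected A, CNAME and TXT values, the trailing dot, and conflicting records) combined into one audit, as an added example that is not Vercel's code or part of the original page. The function names and sample record sets are constructed for illustration, and it assumes zone-file semantics where a name without a trailing dot is relative to the zone origin.

```python
# Added example: audit a record set against the values this page lists for Vercel.
# Assumption: zone-file semantics, where a name without a trailing dot is relative.
VERCEL_APEX_IP = "76.76.21.21"          # A record value from the page
VERCEL_CNAME = "cname.vercel-dns.com."  # CNAME target from the page (trailing dot)

def fqdn(name, origin):
    """Expand a record name: '@' is the origin, no trailing dot means relative."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def audit(records, origin):
    """records: (type, name, value) tuples; returns a list of findings."""
    by_owner = {}
    for rtype, name, value in records:
        if rtype == "CNAME":
            value = fqdn(value, origin)  # a relative target gets the origin appended
        by_owner.setdefault(fqdn(name, origin), []).append((rtype, value))

    def values(owner, rtype):
        return [v for t, v in by_owner.get(owner, []) if t == rtype]

    findings = []
    apex = values(origin, "A")
    if apex != [VERCEL_APEX_IP]:
        findings.append(f"apex A is {apex}, expected {VERCEL_APEX_IP}")
    www = values(f"www.{origin}", "CNAME")
    if www != [VERCEL_CNAME]:
        findings.append(f"www CNAME is {www}, expected {VERCEL_CNAME}")
    if not any(v.startswith("vercel=") for v in values(f"_vercel.{origin}", "TXT")):
        findings.append("_vercel TXT record missing or not starting with vercel=")
    for owner, rrs in by_owner.items():
        if len(rrs) > 1 and any(t == "CNAME" for t, _ in rrs):
            findings.append(f"{owner} has a CNAME alongside other records")
    return findings

# Constructed sample record sets (not real data).
GOOD = [("A", "@", "76.76.21.21"),
        ("CNAME", "www", "cname.vercel-dns.com."),
        ("TXT", "_vercel", "vercel=constructed-sample-token")]
BAD = [("A", "@", "76.76.21.21"),
       ("CNAME", "www", "cname.vercel-dns.com"),  # trailing dot dropped
       ("A", "www", "203.0.113.10")]              # conflicts with the CNAME; no TXT

if __name__ == "__main__":
    print(audit(GOOD, "example.com."))
    for finding in audit(BAD, "example.com."):
        print(finding)
```

The origin is passed fully qualified (example.com.) so that expanded names can be compared directly with the CNAME target listed above.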
Once your DNS is perfectly configured and verified, the next challenge you’ll likely face is managing redirects between www and the apex domain, or setting up internationalized domain names (IDNs).