An A record maps a domain name to an IPv4 address. It is one of the most basic DNS building blocks and often underpins web access, service routing, and certificate validation paths that depend on the domain resolving to the correct endpoint.
Expanded Definition
An A record is the DNS resource record that translates a hostname into an IPv4 address. In NHI and agentic systems, that translation often becomes part of a trust path because service clients, callbacks, and validation routines depend on the hostname resolving consistently to the intended endpoint.
Although A records are simple at the protocol level, their operational meaning is broader. A single record can support web traffic, API routing, internal service discovery, and automated certificate checks. Definitions are stable at the DNS layer, but usage in the industry is still evolving when DNS is treated as an identity-adjacent control plane for non-human workloads. That makes A record governance relevant to NIST Cybersecurity Framework 2.0-style asset and access management, especially when service identities rely on name resolution to reach secrets stores, mTLS endpoints, or orchestration APIs.
Ultimate Guide to NHIs shows how often NHI risk is amplified by basic infrastructure assumptions that go unreviewed. The most common misapplication is treating an A record as a fixed, low-risk configuration item, which occurs when teams ignore how DNS changes can redirect automated trust decisions.
Examples and Use Cases
Implementing A records rigorously often introduces change-control overhead, requiring organisations to weigh routing stability against the operational speed needed for application updates and incident response.
- Publishing a public API hostname that resolves to a controlled IPv4 endpoint so automation can connect without embedding raw addresses in code.
- Pointing an internal service name to a load balancer or reverse proxy, while preserving a stable name for service-to-service authentication checks.
- Updating an A record during blue-green deployment so a workload agent or callback process reaches the new backend without changing application configuration.
- Using DNS-based validation paths where certificate issuance or renewal depends on the hostname resolving correctly during verification.
- Monitoring A record drift as part of NHI governance, since misrouting can expose service accounts, tokens, or admin interfaces to the wrong host.
For a broader NHI lens on how these changes intersect with credential exposure and operational control, see Ultimate Guide to NHIs. DNS record behavior is also discussed in NIST Cybersecurity Framework 2.0 in terms of configuration and resilience.
Why It Matters in NHI Security
A record mistakes can become NHI incidents because non-human systems often trust DNS implicitly. If an A record is altered, stale, or pointed at an unmanaged host, an agent, service account, or CI/CD workflow may connect to an unintended endpoint and expose secrets, session tokens, or administrative actions. That makes DNS hygiene part of identity governance, not just network administration.
NHI Mgmt Group reports that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which highlights how infrastructure misconfigurations can turn into identity compromise quickly. The same research also shows that 97% of NHIs carry excessive privileges, so even a small routing error can create outsized blast radius when a workload reaches the wrong system.
Organisations should treat A records as security-relevant change objects, with ownership, review, and rollback procedures aligned to Ultimate Guide to NHIs and the resilience expectations in NIST Cybersecurity Framework 2.0. Organisations typically encounter the operational impact only after an outage or redirect event, at which point investigating and fixing the A record becomes unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | DNS resolution can affect how services reach protected resources and verify endpoints. |
| NIST CSF 2.0 | PR.DS-1 | A record drift can expose data flows to unintended IPv4 endpoints. |
| OWASP Non-Human Identity Top 10 | | A records can redirect NHI-enabled services toward rogue or unmanaged infrastructure. |
Track A record changes as access-relevant configuration and validate endpoint resolution after every update.
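One way to monitor A record drift and validate resolution after an update, as an added example that is not part of the original guidance: it compares live answers against an approved baseline and reports unapproved or missing addresses. The hostnames, addresses, and the names APPROVED, resolve_a, and check_drift are constructed for illustration.

```python
import ipaddress
import socket

# Constructed baseline: placeholder hostnames and RFC 5737 documentation addresses.
APPROVED = {
    "api.corp.example": {"192.0.2.10", "192.0.2.11"},
    "vault.corp.example": {"198.51.100.7"},
}

def resolve_a(hostname):
    """Return the IPv4 addresses the system resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, None, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def _ordered(addresses):
    # Sort numerically rather than as strings so reports are stable.
    return sorted(addresses, key=ipaddress.IPv4Address)

def check_drift(approved, resolver=resolve_a):
    """Compare live A record answers with the approved baseline.

    Returns one finding per drifting host; an empty list means no drift.
    """
    findings = []
    for host in sorted(approved):
        expected = set(approved[host])
        try:
            actual = set(resolver(host))
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            findings.append({"host": host, "status": "unresolved",
                             "unexpected": [], "missing": _ordered(expected),
                             "error": str(exc)})
            continue
        unexpected = _ordered(actual - expected)
        missing = _ordered(expected - actual)
        if unexpected:
            # The name answers with an address nobody approved.
            status = "unexpected-address"
        elif missing:
            # Only a subset of the approved addresses is published.
            status = "missing-address"
        else:
            continue
        findings.append({"host": host, "status": status,
                         "unexpected": unexpected, "missing": missing})
    return findings

if __name__ == "__main__":
    for finding in check_drift(APPROVED):
        print(finding)
```

Because resolve_a uses the system resolver, its answers reflect local caches and hosts-file entries; pass a different resolver function to check_drift to query specific name servers instead.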