Zero Signup ToolsFree browser tools

Developer Tools

HTTPS and SVCB Record Generator

Build and parse DNS HTTPS and SVCB records in your browser. Set priority, target, ALPN, IP hints, ECH, and port, then copy Cloudflare and BIND snippets.

HTTPS and SVCB record generator and parser

HTTPS and SVCB records publish how to reach a service. The data is priority target parameters. Priority 0 is alias mode (a pointer); any higher number is service mode and carries ALPN, hints, ECH, and more.

Start from a common setup

Record

The name the record answers for. SVCB often uses a _service._proto prefix.

Optional. 300 is common during rollouts.

Mode and target

1 or higher = service mode. Lower is preferred.

A single dot means the owner name itself. Or name another host.

Service parameters

Only needed for a non-default port.

Comma-separated. Speeds up the first connection.

Comma-separated IPv6 addresses.

Encrypted ClientHello config from your CDN or server. Hides the server name during the TLS handshake.

Only for a DNS-over-HTTPS resolver record.

Keys a client must understand or it ignores the record.

Output

Your HTTPS record

Record data (priority target parameters)

1 . alpn="h2,h3" ipv4hint=203.0.113.10 ipv6hint=2001:db8::10

Full zone-file line

example.com. 300 IN HTTPS 1 . alpn="h2,h3" ipv4hint=203.0.113.10 ipv6hint=2001:db8::10
This is an HTTPS service-mode record at priority 1. Clients connecting to example.com are pointed at example.com itself and offers h2 and h3, with IPv4 and IPv6 address hints for a faster first connection.

DNS provider snippets

Publish the record

Copy the format your DNS host uses. Replace ZONE_ID, ZONE_NAME, SUB, RG, and RECORD placeholders with your own values.

BIND zone file

example.com. 300 IN HTTPS 1 . alpn="h2,h3" ipv4hint=203.0.113.10 ipv6hint=2001:db8::10

Cloudflare DNS

Cloudflare DNS (Add record, type HTTPS)
  Name:     example.com
  TTL:      Auto
  Value:    1 . alpn="h2,h3" ipv4hint=203.0.113.10 ipv6hint=2001:db8::10

AWS Route 53 (CLI)

aws route53 change-resource-record-sets \
  --hosted-zone-id ZONE_ID \
  --change-batch '{
    "Changes": [{
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Name": "example.com.",
        "Type": "HTTPS",
        "TTL": 300,
        "ResourceRecords": [{ "Value": "1 . alpn=\"h2,h3\" ipv4hint=203.0.113.10 ipv6hint=2001:db8::10" }]
      }
    }]
  }'

Google Cloud DNS (gcloud)

gcloud dns record-sets create example.com. \
  --zone=ZONE_NAME \
  --type=HTTPS \
  --ttl=300 \
  --rrdatas='1 . alpn="h2,h3" ipv4hint=203.0.113.10 ipv6hint=2001:db8::10'

Azure DNS (REST)

# Azure DNS exposes service-binding records through the generic record API.
az rest --method put \
  --uri "https://management.azure.com/subscriptions/SUB/resourceGroups/RG/providers/Microsoft.Network/dnsZones/example.com/HTTPS/RECORD?api-version=2023-07-01-preview" \
  --body '{ "properties": { "TTL": 300, "HTTPSRecords": [{ "value": "1 . alpn=\"h2,h3\" ipv4hint=203.0.113.10 ipv6hint=2001:db8::10" }] } }'

Alias mode vs service mode

  • Priority 0 is alias mode: a pure pointer to another name. It is allowed at a zone apex where a CNAME is not, so it can replace ALIAS or ANAME tricks for HTTPS.
  • Priority 1+ is service mode: the record names an endpoint and attaches connection parameters. Lower priority numbers are tried first.
  • A . target in service mode means the owner name itself, so most apex HTTPS records read 1 . followed by parameters.
  • Parameters belong in ascending key order: mandatory, alpn, no-default-alpn, port, ipv4hint, ech, ipv6hint, dohpath.

Common mistakes this tool catches

  • Attaching parameters to an alias-mode record, or using a single-dot target with priority 0.
  • Putting an IP address in the target instead of using ipv4hint and ipv6hint.
  • A mandatory list that names a key the record does not actually include.
  • no-default-alpn with no alpn value, leaving clients nothing to negotiate.

Privacy

Records are built and validated entirely in your browser with plain string parsing. No DNS lookups are performed and the names, IP hints, ECH configs, and parameters you enter are never uploaded, logged, or stored.

How to use

  1. Keep the Build record tab selected and pick a preset like HTTP/2 and HTTP/3 or With IP hints to seed the fields, or start from scratch.
  2. Choose HTTPS or SVCB, set the owner name and TTL, then set the priority: 0 for alias mode (a pointer) or 1 and higher for service mode with parameters.
  3. Fill in the service parameters you need: ALPN protocols, a port, IPv4 and IPv6 hints, an ECH config, a DoH path, or a mandatory list. The tool writes them in the correct order.
  4. Copy the record data, the full zone-file line, or a provider snippet for BIND, Cloudflare, Route 53, Google Cloud DNS, or Azure, and watch the validation panel for any errors or warnings.
  5. Switch to Parse and explain to paste an existing HTTPS or SVCB record, validate every value, and read what each parameter does.

About this tool

HTTPS and SVCB Record Generator is a two-mode browser tool for the DNS service-binding resource records defined in RFC 9460. SVCB (Service Binding) and its HTTP-specific sibling HTTPS are the modern way to tell clients how to reach a service before they open a connection, replacing the awkward mix of SRV records, apex CNAME workarounds, and Alt-Svc headers that came before. The RDATA is a priority, a target name, and an ordered list of parameters. The priority decides the mode: a priority of 0 is AliasMode, a pure pointer that redirects the name to another host and, unlike a CNAME, is legal at a zone apex, so a bare domain can finally point at a provider hostname for HTTPS. Any priority of 1 or higher is ServiceMode, where the record names an endpoint (a real host, or a single dot meaning the owner name itself) and attaches connection parameters; among several ServiceMode records the lowest priority is tried first. The parameters are the interesting part. alpn lists the protocols the endpoint speaks, such as h2 and h3, which lets a browser jump straight to HTTP/3 instead of upgrading from HTTP/2 over an extra round trip. no-default-alpn drops the implicit default protocol so only the listed values are offered. port moves the service off its protocol default. ipv4hint and ipv6hint carry addresses the client can try immediately while it resolves A and AAAA records, shaving latency from the first connection. ech publishes the base64 Encrypted ClientHello configuration that hides the server name during the TLS handshake, and dohpath advertises the URI template of a DNS-over-HTTPS resolver. A mandatory list names keys a client must understand or it should ignore the record entirely. The Build tab gives each of these a dedicated field, starts from presets like HTTP/2 and HTTP/3, HTTP/3 only, IP hints, ECH, alias mode, and DoH server, shows the parameters always emitted in the correct ascending key order, and renders the record three ways: the raw RDATA, a full zone-file line, and ready-to-paste snippets for BIND, Cloudflare, the AWS Route 53 CLI, the Google Cloud DNS gcloud CLI, and the Azure DNS REST API. Live validation flags the mistakes the wire format quietly tolerates: parameters attached to an alias-mode record, a single-dot target in alias mode, an IP address used as the target instead of a hint, a mandatory key that the record never actually sets, no-default-alpn with no alpn value, malformed IPv4 or IPv6 hints, an out-of-range port, and ECH that is not valid base64. The Parse tab accepts a full zone-file line or just the RDATA, tokenizes it with full respect for double-quoted values, validates the priority, target, and every SvcParam, decodes each key into plain English, flags duplicate keys and keys written out of order, and explains in one summary how a client will treat the record. Useful for turning on HTTP/3 or Encrypted ClientHello at the apex, pointing a bare domain at a CDN without a CNAME hack, decoding an HTTPS record you looked up, and double-checking a record before it makes a site fail to load in Chrome or Firefox while the plain A record still answers. Everything runs locally in your browser. The names, addresses, ECH configs, and parameters you enter never leave your device, and no DNS queries are made.

Free to use. Works in your browser. No signup, no login.

Related tools

You may also like

All tools
Developer

SRV Record Generator

Build an SRV record from service, protocol, priority, weight, port, and target, or parse one to validate and explain it.

Open tool

Security

CAA Record Generator

Build a CAA record from allowed CAs and iodef contacts, or parse an existing record to validate and explain it.

Open tool

Developer

MX Record Generator

Build MX records from a preference and mail server, or parse existing records to validate and explain the delivery order.

Open tool

Developer

NAPTR Record Generator

Build a NAPTR record from order, preference, flags, service, regexp, and replacement, or parse one to validate and explain it.

Open tool

Developer

SOA Record Generator

Build a DNS SOA record from the primary name server, contact email, serial, and timers, or parse one to validate it and read each value in plain English.

Open tool

Developer

DNS Record Types Reference

Searchable DNS record types cheat sheet with examples, RFC links, and a compare panel.

Open tool

All toolsDeveloper Tools