DNS: The Internet's Phone Book
Table of Contents
What Is DNS?
DNS (Domain Name System) is the hierarchical, decentralized naming system that translates human-readable domain names like example.com into machine-readable IP addresses like 93.184.216.34. Without DNS, you would need to memorize the IP address of every website you want to visit — DNS makes the internet usable for humans.
DNS was created in 1983 by Paul Mockapetris, replacing the earlier HOSTS.TXT file that maintained a single flat list of all hostnames on the ARPANET. As the internet grew from hundreds to billions of devices, DNS evolved into the distributed, scalable system it is today, handling over 1 trillion queries per day globally.
Every time you type a URL into your browser, send an email, or connect to any internet service, a DNS lookup happens behind the scenes. Your device asks a DNS resolver "What is the IP address for example.com?" and the resolver finds and returns the answer. This entire process typically takes less than 100 milliseconds.
How DNS Resolution Works
DNS resolution is the process of converting a domain name into an IP address. It involves multiple servers working together in a chain. The key participants are:
- DNS Resolver (Recursive Resolver): The first stop for your query. Usually operated by your ISP or a public DNS provider (Google 8.8.8.8, Cloudflare 1.1.1.1). It does the heavy lifting of chasing down the answer across multiple servers.
- Root Name Servers: The top of the DNS hierarchy. There are 13 root server clusters (A through M) operated by organizations like ICANN, Verisign, NASA, and the US Army. They direct queries to the appropriate TLD server.
- TLD Name Servers: Manage top-level domains (.com, .org, .net, .uk, .de, etc.). They know which authoritative server handles each domain within their TLD.
- Authoritative Name Server: The final authority for a specific domain. It holds the actual DNS records (A, AAAA, MX, CNAME, etc.) and returns the definitive answer.
The resolver acts as an intermediary — your device only talks to the resolver, and the resolver talks to all the other servers on your behalf. This is called a recursive lookup because the resolver recursively follows referrals until it finds the answer.
The DNS Hierarchy
DNS is organized as a tree structure, similar to a file system. Understanding this hierarchy is essential to grasping how domain names are resolved:
. (root)
/ | \
.com .org .net .uk .de ... (TLDs)
/ | \
google wikipedia example ... (domains)
/ \
www mail (subdomains)
The hierarchy levels from top to bottom are:
- Root Zone (.): The invisible dot at the end of every domain (e.g.,
example.com.). The root zone contains pointers to all TLD servers. - Top-Level Domains (TLDs): Managed by IANA (part of ICANN). There are two types:
- gTLDs (Generic): .com, .org, .net, .info, .dev, .app (over 1,500 new gTLDs)
- ccTLDs (Country Code): .uk, .de, .fr, .jp, .au (over 240)
- Second-Level Domains: The registered domain name (e.g.,
googleingoogle.com). - Subdomains: Any prefix added to a domain (e.g.,
www,mail,api). You can create unlimited subdomains.
Each level is separated by a dot, and the hierarchy is read right to left. In mail.google.com, .com is the TLD, google is the second-level domain, and mail is a subdomain.
Common DNS Record Types
DNS records are stored on authoritative name servers and define different types of information about a domain. Here are the most commonly used record types:
| Record | Purpose | Example | TTL Example |
|---|---|---|---|
| A | Maps domain to IPv4 address | example.com. IN A 93.184.216.34 |
3600 (1 hour) |
| AAAA | Maps domain to IPv6 address | example.com. IN AAAA 2606:2800:220:1:... |
3600 |
| CNAME | Alias pointing to another domain | www.example.com. IN CNAME example.com. |
86400 (24 hours) |
| MX | Mail server for the domain | example.com. IN MX 10 mail.example.com. |
3600 |
| TXT | Arbitrary text (SPF, DKIM, verification) | example.com. IN TXT "v=spf1 include:..." |
3600 |
| NS | Authoritative name servers for the domain | example.com. IN NS ns1.example.com. |
86400 |
| SOA | Start of Authority — zone metadata | Contains serial number, refresh/retry timers, admin email | 86400 |
| PTR | Reverse DNS — IP to domain name | 34.216.184.93.in-addr.arpa. IN PTR example.com. |
86400 |
| SRV | Service location (host + port) | _sip._tcp.example.com. IN SRV 10 60 5060 sip.example.com. |
3600 |
| CAA | Certificate Authority Authorization | example.com. IN CAA 0 issue "letsencrypt.org" |
86400 |
A CNAME record creates an alias — when a resolver encounters a CNAME, it must restart the lookup with the target domain. A CNAME cannot coexist with other records at the same name. An ALIAS or ANAME record (non-standard, provider-specific) works around this limitation by resolving to an A record at the zone level.
Caching and TTL
DNS caching is a critical performance optimization. Without caching, every DNS query would require traversing the full hierarchy from root to authoritative server. Caching stores answers at multiple levels so repeat lookups are nearly instant.
Every DNS record includes a TTL (Time To Live) value in seconds. This tells resolvers how long they can cache the answer before they must query the authoritative server again. Common TTL values:
| TTL | Duration | Use Case |
|---|---|---|
| 60 | 1 minute | Active DNS changes, failover setups, dynamic IPs |
| 300 | 5 minutes | Frequently changing records, load balancing |
| 3600 | 1 hour | Standard websites (good balance of freshness and performance) |
| 14400 | 4 hours | Stable records that rarely change |
| 86400 | 24 hours | NS records, CNAME records, very stable infrastructure |
Caching happens at multiple layers: your operating system's DNS cache, your router's cache, your ISP's recursive resolver cache, and sometimes application-level caches. When you lower a TTL before making a DNS change, you must wait for the old TTL to expire from all caches before the change fully propagates.
Full Lookup Process Walkthrough
Here is exactly what happens when you type www.example.com into your browser for the first time, step by step:
User types: www.example.com
|
v
[1] Browser cache -----------> Cache hit? Return IP. No? Continue.
|
v
[2] OS cache (hosts file) ---> Cache hit? Return IP. No? Continue.
|
v
[3] Router/ISP cache -------> Cache hit? Return IP. No? Continue.
|
v
[4] Recursive Resolver ------> (e.g., 8.8.8.8)
|
|--> [5] Ask Root Server: "Where is www.example.com?"
| Root responds: "Ask the .com TLD server"
| (provides .com NS IP addresses)
|
|--> [6] Ask .com TLD Server: "Where is www.example.com?"
| TLD responds: "Ask example.com's authoritative server"
| (provides example.com NS IP addresses)
|
|--> [7] Ask example.com Authoritative Server:
| "What is the IP for www.example.com?"
| Authoritative responds: "CNAME example.com"
| (restart lookup for example.com)
|
|--> [8] Ask example.com Authoritative Server:
| "What is the IP for example.com?"
| Authoritative responds: "A 93.184.216.34"
|
v
[9] Resolver caches the answer (TTL: 3600s)
|
v
[10] OS caches the answer
|
v
[11] Browser connects to 93.184.216.34
|
v
[12] Web page loads
This entire chain typically completes in 20-80 milliseconds. Subsequent visits to the same domain are nearly instant because the answer is cached at the OS and resolver level for the duration of the TTL.
DNS over HTTPS (DoH) and DNS over TLS (DoT)
Traditional DNS queries are sent in plaintext over UDP port 53. This means anyone on the network path (ISP, Wi-Fi operator, attacker) can see which domains you are visiting. Two protocols address this privacy concern:
| Feature | DNS over HTTPS (DoH) | DNS over TLS (DoT) |
|---|---|---|
| RFC | RFC 8484 | RFC 7858 |
| Port | 443 (same as HTTPS web traffic) | 853 (dedicated) |
| Protocol | HTTPS (HTTP/2 or HTTP/3) | TLS directly |
| Encryption | TLS 1.2/1.3 | TLS 1.2/1.3 |
| Stealth | Hard to block (blends with HTTPS) | Easy to block (dedicated port) |
| Browser Support | Firefox, Chrome, Edge, Safari | Android 9+, limited browser support |
| OS Support | Windows 11, macOS, Linux (systemd-resolved) | Android 9+, Linux (systemd-resolved) |
Both protocols encrypt DNS queries so that eavesdroppers cannot see which domains you are resolving. DoH has gained wider adoption because it uses the same port as regular HTTPS traffic, making it harder for network operators to block without disrupting all web traffic. Major providers like Cloudflare (1.1.1.1), Google (8.8.8.8), and Quad9 (9.9.9.9) all support both DoH and DoT.
DNS Troubleshooting
DNS issues can manifest as websites not loading, email delivery failures, or services appearing unreachable. Here are the essential tools and techniques for diagnosing DNS problems:
nslookup— Available on Windows, macOS, and Linux. Quick lookups:nslookup example.comdig— More detailed output (Linux/macOS):dig example.com A +shortordig @8.8.8.8 example.com ANYhost— Simple lookup tool:host example.com- DNS propagation checkers — Online tools that query DNS from multiple global locations to verify propagation status.
- Flush DNS cache — On Windows:
ipconfig /flushdns. On macOS:sudo dscacheutil -flushcache.
Common DNS problems and their causes:
- "Server not found" — Domain has no A/AAAA record, or the authoritative server is unreachable.
- Wrong IP returned — Stale cache (TTL not yet expired), or records were not updated correctly.
- Intermittent failures — Multiple authoritative servers returning different answers (split-brain DNS).
- Slow resolution — High TTL values, distant resolver, or authoritative server performance issues.
DNS is one of the most critical services on the internet. A DNS outage can make your entire domain unreachable, even if your servers are running perfectly. Understanding how DNS works helps you troubleshoot issues faster and make informed decisions about TTL values, record configuration, and provider selection. Use our DNS Lookup tool to inspect DNS records for any domain.