What is DNS? How the Domain Name System Works
Every time you visit a website, send email, or use an app, DNS works behind the scenes. It translates names like google.com into the IP addresses computers use to communicate.
Table of Contents
What is DNS?
DNS, or Domain Name System, is a globally distributed naming system for the internet. It translates human-readable domain names into IP addresses.
Without DNS, you would need to remember addresses like 142.250.80.46 instead of names like google.com.
DNS was created by Paul Mockapetris in the 1980s and standardized in RFC 1034 and RFC 1035. It replaced the old HOSTS.TXT approach that could not scale with the growing internet.
Why DNS Exists
DNS exists because humans prefer names, while networks route traffic using numbers. It provides:
- Human-friendly names - type
github.cominstead of an IP address. - Indirection - a domain can point to a new server without changing every bookmark or link.
- Load balancing - one name can resolve to multiple IP addresses.
- Email routing - MX records tell mail servers where to deliver mail.
- Domain verification - TXT records prove domain ownership for services, certificates, SPF, DKIM, and DMARC.
How DNS Resolution Works
When your browser needs an IP address, a recursive resolver walks the DNS hierarchy for you.
You type: www.example.com
1. Browser cache
If the answer is cached and not expired, use it.
2. Operating system cache
The OS checks its DNS cache and hosts file.
3. Recursive resolver
Your ISP resolver or a public resolver checks its cache.
4. Root name server
Resolver asks: where are the .com servers?
5. TLD name server
Resolver asks .com: where are example.com's nameservers?
6. Authoritative name server
Resolver asks example.com's nameserver: what is www.example.com?
7. Answer
Resolver caches the result and returns the IP address to your device.The DNS Hierarchy
DNS is organized like an inverted tree, read from right to left through the domain name.
. (root)
|
---------------------
.com .org .net top-level domains
| | |
example wikipedia cloud second-level domains
| | |
www en api subdomains
Full domain: www.example.com.
The final dot represents the DNS root.| Level | Example | Managed By |
|---|---|---|
| Root | . | ICANN and root server operators |
| TLD | .com, .org, .net, .th | Top-level domain registries |
| Second-level domain | example.com | Domain owner through a registrar |
| Subdomain | www, api, mail | Domain owner through DNS records |
DNS Record Types Explained
DNS stores different record types for different jobs:
A example.com. 93.184.216.34
AAAA example.com. 2606:2800:220:1:248:1893:25c8:1946
CNAME www.example.com. example.com.
MX example.com. 10 mail.example.com.
TXT example.com. "v=spf1 include:_spf.example.com ~all"
NS example.com. ns1.example.com.| Record | Purpose | Example |
|---|---|---|
| A | Maps a name to an IPv4 address | example.com -> 93.184.216.34 |
| AAAA | Maps a name to an IPv6 address | example.com -> 2606:... |
| CNAME | Creates an alias to another name | www -> example.com |
| MX | Routes email for a domain | 10 mail.example.com |
| TXT | Stores text for verification and email security | SPF, DKIM, DMARC, ownership checks |
| NS | Lists authoritative nameservers | ns1.example.com |
| SOA | Stores zone authority and timing data | serial, refresh, retry, expire, TTL |
| CAA | Controls which CAs may issue certificates | letsencrypt.org allowed |
CNAME restriction
A CNAME cannot coexist with other records at the same name. This is why many DNS providers offer ALIAS or ANAME records for root-domain hosting.
DNS Caching and TTL
DNS answers are cached to make lookups faster. The cache duration is controlled by TTL, or Time To Live, measured in seconds.
- Short TTL values, such as 300 seconds, help changes take effect quickly.
- Long TTL values, such as 3600 or 86400 seconds, reduce DNS traffic and improve speed.
- Before a planned migration, lower TTL 24-48 hours ahead of time, then raise it again after the change is stable.
DNS Propagation
DNS propagation is the time it takes for old cached answers to expire across resolvers worldwide.
| Change Type | Typical Time | Notes |
|---|---|---|
| A/AAAA update | Minutes to 48 hours | Depends mostly on previous TTL |
| Nameserver change | 24-72 hours | TLD-level NS records often have long TTLs |
| New subdomain | Minutes to a few hours | Usually no old cache exists |
| MX update | 1-24 hours | Email may be delayed during transition |
DNS Security
Classic DNS was not designed with privacy or authentication in mind. Modern extensions improve different parts of the system:
Without DNSSEC:
Resolver asks: What is example.com?
Attacker replies: It is 6.6.6.6
Resolver has no built-in way to verify the answer.
With DNSSEC:
Resolver checks cryptographic signatures.
Fake answers fail validation and are rejected.| Technology | What It Does | What It Does Not Do |
|---|---|---|
| DNSSEC | Signs DNS records so resolvers can validate authenticity | Does not encrypt DNS queries |
| DoH | Sends DNS queries over HTTPS on port 443 | Does not prove records are signed unless DNSSEC is also used |
| DoT | Sends DNS queries over TLS on port 853 | Can still be identified as DNS traffic |
For best protection, DNSSEC helps with authenticity while DoH or DoT helps with privacy in transit.
Public DNS Resolvers
You can use a public resolver instead of your ISP resolver. Common choices include:
| Provider | IPv4 | Features |
|---|---|---|
| 8.8.8.8 / 8.8.4.4 | DNSSEC, DoH, DoT | |
| Cloudflare | 1.1.1.1 / 1.0.0.1 | Fast, privacy-focused, DNSSEC, DoH, DoT |
| Quad9 | 9.9.9.9 / 149.112.112.112 | Blocks malicious domains, DNSSEC, DoH, DoT |
| OpenDNS | 208.67.222.222 / 208.67.220.220 | Filtering options and DNSSEC |
Troubleshooting DNS Issues
DNS problems can make a working server look down. Common causes include:
| Problem | Symptom | Fix |
|---|---|---|
| Stale cache | Old site loads after a DNS change | Flush cache and wait for TTL expiry |
| Wrong nameservers | Domain does not resolve | Check NS records at the registrar |
| Missing A/AAAA record | NXDOMAIN or browser DNS error | Add records for the domain or subdomain |
| Email not working | Messages bounce or disappear | Check MX, SPF, DKIM, and DMARC |
| CNAME target wrong | Site points to wrong service | Trace the CNAME chain |
Useful DNS Commands
These commands are useful for debugging DNS from a terminal:
# nslookup
nslookup example.com
nslookup -type=MX example.com
nslookup example.com 8.8.8.8
# dig
dig example.com A
dig example.com MX
dig @8.8.8.8 example.com
dig +trace example.com
dig +short example.com
# Flush DNS cache on Windows
ipconfig /flushdnsLook Up DNS Records Instantly
Use our free DNS Checker tool to look up A, AAAA, CNAME, MX, TXT, NS, SOA, and other DNS records for any domain.
Try DNS CheckerReferences
- Mockapetris, P. (1987). RFC 1034 - Domain Names: Concepts and Facilities. https://datatracker.ietf.org/doc/html/rfc1034
- Mockapetris, P. (1987). RFC 1035 - Domain Names: Implementation and Specification. https://datatracker.ietf.org/doc/html/rfc1035
- Arends, R., et al. (2005). RFC 4033 - DNS Security Introduction and Requirements. https://datatracker.ietf.org/doc/html/rfc4033
- Hoffman, P. & McManus, P. (2018). RFC 8484 - DNS Queries over HTTPS (DoH). https://datatracker.ietf.org/doc/html/rfc8484
- ICANN. Root Server Technical Operations. https://root-servers.org/