/12 min read

What is DNS? How the Domain Name System Works

Every time you visit a website, send email, or use an app, DNS works behind the scenes. It translates names like google.com into the IP addresses computers use to communicate.

What is DNS?

DNS, or Domain Name System, is a globally distributed naming system for the internet. It translates human-readable domain names into IP addresses.

Without DNS, you would need to remember addresses like 142.250.80.46 instead of names like google.com.

DNS was created by Paul Mockapetris in the 1980s and standardized in RFC 1034 and RFC 1035. It replaced the old HOSTS.TXT approach that could not scale with the growing internet.

Why DNS Exists

DNS exists because humans prefer names, while networks route traffic using numbers. It provides:

  • Human-friendly names - type github.com instead of an IP address.
  • Indirection - a domain can point to a new server without changing every bookmark or link.
  • Load balancing - one name can resolve to multiple IP addresses.
  • Email routing - MX records tell mail servers where to deliver mail.
  • Domain verification - TXT records prove domain ownership for services, certificates, SPF, DKIM, and DMARC.

How DNS Resolution Works

When your browser needs an IP address, a recursive resolver walks the DNS hierarchy for you.

You type: www.example.com

1. Browser cache
   If the answer is cached and not expired, use it.

2. Operating system cache
   The OS checks its DNS cache and hosts file.

3. Recursive resolver
   Your ISP resolver or a public resolver checks its cache.

4. Root name server
   Resolver asks: where are the .com servers?

5. TLD name server
   Resolver asks .com: where are example.com's nameservers?

6. Authoritative name server
   Resolver asks example.com's nameserver: what is www.example.com?

7. Answer
   Resolver caches the result and returns the IP address to your device.

The DNS Hierarchy

DNS is organized like an inverted tree, read from right to left through the domain name.

                    . (root)
                    |
           ---------------------
          .com       .org      .net       top-level domains
           |          |         |
       example    wikipedia   cloud      second-level domains
           |          |         |
         www         en        api       subdomains

Full domain: www.example.com.
The final dot represents the DNS root.
LevelExampleManaged By
Root.ICANN and root server operators
TLD.com, .org, .net, .thTop-level domain registries
Second-level domainexample.comDomain owner through a registrar
Subdomainwww, api, mailDomain owner through DNS records

DNS Record Types Explained

DNS stores different record types for different jobs:

A      example.com.       93.184.216.34
AAAA   example.com.       2606:2800:220:1:248:1893:25c8:1946
CNAME  www.example.com.   example.com.
MX     example.com.       10 mail.example.com.
TXT    example.com.       "v=spf1 include:_spf.example.com ~all"
NS     example.com.       ns1.example.com.
RecordPurposeExample
AMaps a name to an IPv4 addressexample.com -> 93.184.216.34
AAAAMaps a name to an IPv6 addressexample.com -> 2606:...
CNAMECreates an alias to another namewww -> example.com
MXRoutes email for a domain10 mail.example.com
TXTStores text for verification and email securitySPF, DKIM, DMARC, ownership checks
NSLists authoritative nameserversns1.example.com
SOAStores zone authority and timing dataserial, refresh, retry, expire, TTL
CAAControls which CAs may issue certificatesletsencrypt.org allowed

CNAME restriction

A CNAME cannot coexist with other records at the same name. This is why many DNS providers offer ALIAS or ANAME records for root-domain hosting.

DNS Caching and TTL

DNS answers are cached to make lookups faster. The cache duration is controlled by TTL, or Time To Live, measured in seconds.

  • Short TTL values, such as 300 seconds, help changes take effect quickly.
  • Long TTL values, such as 3600 or 86400 seconds, reduce DNS traffic and improve speed.
  • Before a planned migration, lower TTL 24-48 hours ahead of time, then raise it again after the change is stable.

DNS Propagation

DNS propagation is the time it takes for old cached answers to expire across resolvers worldwide.

Change TypeTypical TimeNotes
A/AAAA updateMinutes to 48 hoursDepends mostly on previous TTL
Nameserver change24-72 hoursTLD-level NS records often have long TTLs
New subdomainMinutes to a few hoursUsually no old cache exists
MX update1-24 hoursEmail may be delayed during transition

DNS Security

Classic DNS was not designed with privacy or authentication in mind. Modern extensions improve different parts of the system:

Without DNSSEC:
  Resolver asks: What is example.com?
  Attacker replies: It is 6.6.6.6
  Resolver has no built-in way to verify the answer.

With DNSSEC:
  Resolver checks cryptographic signatures.
  Fake answers fail validation and are rejected.
TechnologyWhat It DoesWhat It Does Not Do
DNSSECSigns DNS records so resolvers can validate authenticityDoes not encrypt DNS queries
DoHSends DNS queries over HTTPS on port 443Does not prove records are signed unless DNSSEC is also used
DoTSends DNS queries over TLS on port 853Can still be identified as DNS traffic

For best protection, DNSSEC helps with authenticity while DoH or DoT helps with privacy in transit.

Public DNS Resolvers

You can use a public resolver instead of your ISP resolver. Common choices include:

ProviderIPv4Features
Google8.8.8.8 / 8.8.4.4DNSSEC, DoH, DoT
Cloudflare1.1.1.1 / 1.0.0.1Fast, privacy-focused, DNSSEC, DoH, DoT
Quad99.9.9.9 / 149.112.112.112Blocks malicious domains, DNSSEC, DoH, DoT
OpenDNS208.67.222.222 / 208.67.220.220Filtering options and DNSSEC

Troubleshooting DNS Issues

DNS problems can make a working server look down. Common causes include:

ProblemSymptomFix
Stale cacheOld site loads after a DNS changeFlush cache and wait for TTL expiry
Wrong nameserversDomain does not resolveCheck NS records at the registrar
Missing A/AAAA recordNXDOMAIN or browser DNS errorAdd records for the domain or subdomain
Email not workingMessages bounce or disappearCheck MX, SPF, DKIM, and DMARC
CNAME target wrongSite points to wrong serviceTrace the CNAME chain

Useful DNS Commands

These commands are useful for debugging DNS from a terminal:

# nslookup
nslookup example.com
nslookup -type=MX example.com
nslookup example.com 8.8.8.8

# dig
dig example.com A
dig example.com MX
dig @8.8.8.8 example.com
dig +trace example.com
dig +short example.com

# Flush DNS cache on Windows
ipconfig /flushdns

Look Up DNS Records Instantly

Use our free DNS Checker tool to look up A, AAAA, CNAME, MX, TXT, NS, SOA, and other DNS records for any domain.

Try DNS Checker

References

  1. Mockapetris, P. (1987). RFC 1034 - Domain Names: Concepts and Facilities. https://datatracker.ietf.org/doc/html/rfc1034
  2. Mockapetris, P. (1987). RFC 1035 - Domain Names: Implementation and Specification. https://datatracker.ietf.org/doc/html/rfc1035
  3. Arends, R., et al. (2005). RFC 4033 - DNS Security Introduction and Requirements. https://datatracker.ietf.org/doc/html/rfc4033
  4. Hoffman, P. & McManus, P. (2018). RFC 8484 - DNS Queries over HTTPS (DoH). https://datatracker.ietf.org/doc/html/rfc8484
  5. ICANN. Root Server Technical Operations. https://root-servers.org/
USTHJP