February 7, 2026·12 min read

What is DNS? How the Domain Name System Works

Every time you visit a website, send an email, or use an app, DNS is working behind the scenes. It's the invisible system that translates human-friendly domain names like google.com into the IP addresses that computers actually use to communicate.

What is DNS?
Why DNS Exists
How DNS Resolution Works — Step by Step
The DNS Hierarchy
DNS Record Types Explained
DNS Caching & TTL
DNS Propagation — Why Changes Take Time
DNS Security — DNSSEC, DoH, and DoT
Public DNS Resolvers
Troubleshooting DNS Issues
Useful DNS Commands

What is DNS?

DNS (Domain Name System) is often called the "phone book of the internet." It's a globally distributed system that translates human-readable domain names (like example.com) into machine-readable IP addresses (like 93.184.216.34 or 2606:2800:220:1:248:1893:25c8:1946).

Without DNS, you'd have to remember the IP address of every website you want to visit. Instead of typing google.com, you'd need to type 142.250.80.46. DNS makes the internet usable by letting us use names instead of numbers.

DNS was created by Paul Mockapetris in 1983 and defined in RFC 1034 and RFC 1035. Before DNS, all hostname-to-IP mappings were maintained in a single file called HOSTS.TXTdistributed by the Stanford Research Institute — a system that clearly couldn't scale with the growing internet.

Why DNS Exists

Computers on the internet communicate using numerical IP addresses. But humans are much better at remembering names than numbers. DNS bridges this gap by providing:

Human-friendly naming — You type github.com instead of 140.82.121.4.
Indirection — A domain can point to different IP addresses over time. If a server moves, only the DNS record needs to change — not every link or bookmark pointing to it.
Load balancing — A single domain can resolve to multiple IP addresses, distributing traffic across servers.
Email routing — DNS MX records tell mail servers where to deliver email for a domain.
Service discovery — SRV records help applications find services like VoIP servers, chat protocols, and more.
Domain verification — TXT records let services verify domain ownership (e.g., Google Search Console, SSL certificate issuance).

How DNS Resolution Works — Step by Step

When you type www.example.cominto your browser, here's what happens behind the scenes:

You type: www.example.com

Step 1: Browser Cache
  → Browser checks its own DNS cache
  → If found and not expired: done! Use the cached IP.

Step 2: Operating System Cache
  → OS checks its DNS cache + /etc/hosts file
  → If found: done!

Step 3: Recursive Resolver (your ISP or public DNS like 8.8.8.8)
  → Your computer asks the recursive resolver
  → The resolver checks its cache
  → If found: done! Return the cached answer.

Step 4: Root Name Server
  → Resolver asks a root server: "Where is .com?"
  → Root server responds: "Ask the .com TLD servers at x.x.x.x"

Step 5: TLD (Top-Level Domain) Name Server
  → Resolver asks the .com TLD server: "Where is example.com?"
  → TLD server responds: "Ask example.com's nameservers at y.y.y.y"

Step 6: Authoritative Name Server
  → Resolver asks example.com's nameserver: "What is www.example.com?"
  → Authoritative server responds: "93.184.216.34" (with a TTL)

Step 7: Response
  → Resolver caches the answer and returns it to your computer
  → Browser connects to 93.184.216.34 and loads the page

Total time: typically 20–120 milliseconds (or <1ms if cached)

This entire process is called a recursive DNS query. The recursive resolver does the heavy lifting — walking the DNS hierarchy on your behalf so your computer only needs to make a single request.

The DNS Hierarchy

DNS is organized as an inverted tree, with the root at the top. Every domain name is read right-to-left through this hierarchy:

                    . (Root)
                    |
        ┌───────────┼───────────┐
       .com        .org        .net    ← TLD (Top-Level Domain)
        |           |           |
    example      wikipedia    cloud    ← Second-Level Domain
        |           |           |
      www         en          api      ← Subdomain (optional)

Full domain: www.example.com.
                              ^ (the trailing dot represents the root)

Level	Example	Managed By
Root	`.`	ICANN / 13 root server clusters worldwide
TLD	`.com`, `.org`, `.uk`	TLD registries (Verisign for .com, PIR for .org)
Second-Level	`example.com`	Domain owner (you, via a registrar)
Subdomain	`www`, `api`, `mail`	Domain owner (configured in DNS records)

There are only 13 root server addresses (labeled A through M), but thanks to anycast routing, each address is served by hundreds of physical servers spread across the globe. This makes the root DNS infrastructure extremely resilient.

DNS Record Types Explained

DNS doesn't just map names to IP addresses. It stores various types of records, each serving a different purpose:

A Record (Address)

The most fundamental record type. Maps a domain name to an IPv4 address.

example.com.      A      93.184.216.34
www.example.com.  A      93.184.216.34
api.example.com.  A      10.0.1.50

AAAA Record (IPv6 Address)

The IPv6 equivalent of the A record. Maps a domain to a 128-bit IPv6 address.

example.com.  AAAA  2606:2800:220:1:248:1893:25c8:1946

CNAME Record (Canonical Name)

Creates an alias from one domain name to another. The DNS resolver follows the chain to find the final A/AAAA record.

www.example.com.    CNAME  example.com.
blog.example.com.   CNAME  mysite.netlify.app.
shop.example.com.   CNAME  shops.myshopify.com.

Resolution chain:
  www.example.com → CNAME → example.com → A → 93.184.216.34

CNAME Restriction

A CNAME record cannot coexist with other records at the same name. You can't have both a CNAME and an MX record for example.com. This is why many DNS providers offer "ALIAS" or "ANAME" as non-standard alternatives for the root domain.

MX Record (Mail Exchange)

Tells mail servers where to deliver email for a domain. Each MX record has a priority — lower numbers mean higher priority.

example.com.  MX  10  mail1.example.com.
example.com.  MX  20  mail2.example.com.
example.com.  MX  30  mail-backup.example.com.

Priority 10 is tried first. If it's unavailable, 20 is tried, then 30.

Google Workspace MX records:
example.com.  MX  1   ASPMX.L.GOOGLE.COM.
example.com.  MX  5   ALT1.ASPMX.L.GOOGLE.COM.
example.com.  MX  5   ALT2.ASPMX.L.GOOGLE.COM.
example.com.  MX  10  ALT3.ASPMX.L.GOOGLE.COM.
example.com.  MX  10  ALT4.ASPMX.L.GOOGLE.COM.

TXT Record (Text)

Stores arbitrary text data. Originally designed for human-readable notes, TXT records now serve critical security and verification functions:

SPF (email authentication — who can send email for your domain):
example.com.  TXT  "v=spf1 include:_spf.google.com ~all"

DKIM (email signing verification):
google._domainkey.example.com.  TXT  "v=DKIM1; k=rsa; p=MIGf..."

DMARC (email policy):
_dmarc.example.com.  TXT  "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

Domain verification:
example.com.  TXT  "google-site-verification=abc123..."
example.com.  TXT  "v=verifydns verify=abc123"

NS Record (Name Server)

Specifies which nameservers are authoritative for a domain — i.e., which servers hold the definitive DNS records.

example.com.  NS  ns1.example.com.
example.com.  NS  ns2.example.com.

Cloudflare nameservers:
example.com.  NS  aria.ns.cloudflare.com.
example.com.  NS  bob.ns.cloudflare.com.

Other Record Types

Type	Purpose	Example
SOA	Start of Authority — zone metadata, serial number, refresh intervals	One per zone, at the root
SRV	Service locator — specifies host/port for services	`_sip._tcp.example.com`
PTR	Reverse DNS — maps an IP address back to a domain name	`34.216.184.93.in-addr.arpa`
CAA	Certificate Authority Authorization — which CAs can issue SSL certs	`0 issue "letsencrypt.org"`
NAPTR	Name Authority Pointer — used in VoIP (ENUM), URI mapping	Telephony and SIP routing

DNS Caching & TTL

DNS is heavily cached at every level to improve performance and reduce load on authoritative servers. Every DNS record includes a TTL (Time To Live) value that specifies how long it can be cached.

example.com.  300   A  93.184.216.34
                    ^^^
                    TTL = 300 seconds (5 minutes)

After 300 seconds, caches must discard this entry and re-query.

Common TTL values:
  300    (5 min)   — Dynamic/frequently changing records
  3600   (1 hour)  — Standard for most records
  86400  (24 hrs)  — Stable records that rarely change
  604800 (7 days)  — Very stable infrastructure records

Caching happens at multiple levels:

Browser cache — Chrome, Firefox, etc. maintain their own DNS cache
OS cache — Windows, macOS, and Linux all cache DNS results
Router cache — Your home router may cache DNS responses
Recursive resolver cache — Your ISP's DNS server caches heavily

Pro Tip: Lower TTL Before DNS Changes

If you're planning to change DNS records (like migrating servers), lower the TTL to 300 seconds 24–48 hours before the change. This ensures caches worldwide pick up your new records quickly. After the migration is stable, raise the TTL back up.

DNS Propagation — Why Changes Take Time

DNS propagationis the time it takes for DNS changes to spread across all DNS servers worldwide. When you update a DNS record, the change doesn't happen everywhere instantly because:

Existing caches must expire — Resolvers worldwide have cached the old record and will keep using it until the TTL expires.
Multiple cache layers — The record may be cached at the browser, OS, router, ISP resolver, and other intermediate DNS servers.
Non-compliant resolvers — Some DNS resolvers don't strictly respect TTL values and may cache records longer than specified.

Change Type	Typical Propagation	Notes
A/AAAA record update	Minutes to 48 hours	Depends on the previous TTL value
Nameserver change	24–72 hours	NS records at the TLD level have long TTLs
New subdomain	Minutes to a few hours	No old cache to expire — usually fast
MX record update	1–24 hours	Email delivery may be delayed during propagation

DNS Security — DNSSEC, DoH, and DoT

DNS was designed in the 1980s without security in mind. By default, DNS queries are sent in plaintext and are vulnerable to interception and manipulation. Several technologies have been developed to address this:

DNSSEC (DNS Security Extensions)

DNSSEC adds cryptographic signatures to DNS records, allowing resolvers to verify that records haven't been tampered with. It prevents DNS spoofing (cache poisoning) attacks where an attacker injects fake DNS records.

Without DNSSEC:
  Resolver: "What is example.com?"
  Attacker: "It's 6.6.6.6!" (fake response)
  Resolver: "OK!" (no way to verify)

With DNSSEC:
  Resolver: "What is example.com?"
  Attacker: "It's 6.6.6.6!" (fake response)
  Resolver: "The signature doesn't match — REJECTED!"
  Real server: "It's 93.184.216.34" (with valid signature)
  Resolver: "Signature verified ✓"

DNS over HTTPS (DoH)

DoH encrypts DNS queries inside HTTPS(port 443), making them indistinguishable from regular web traffic. This prevents ISPs, network admins, or attackers on the network from seeing which domains you're looking up.

DNS over TLS (DoT)

DoT encrypts DNS queries using TLS on a dedicated port (853). Like DoH, it provides privacy, but on a separate port that network admins can still identify (and optionally block) as DNS traffic.

Feature	Traditional DNS	DNSSEC	DoH / DoT
Encrypted	No	No	Yes
Authenticated	No	Yes	No (just transport)
Prevents spoofing	No	Yes	Partially
Prevents snooping	No	No	Yes

For maximum security, use both DNSSEC and DoH/DoT together: DNSSEC ensures the records are authentic, and DoH/DoT ensures the queries are private.

Public DNS Resolvers

Instead of using your ISP's default DNS (which may be slow, unreliable, or log your queries), you can use a public DNS resolver:

Provider	IPv4	IPv6	Features
Google	`8.8.8.8` / `8.8.4.4`	`2001:4860:4860::8888`	DNSSEC, DoH, DoT
Cloudflare	`1.1.1.1` / `1.0.0.1`	`2606:4700:4700::1111`	Fastest, privacy-focused, DNSSEC, DoH, DoT
Quad9	`9.9.9.9` / `149.112.112.112`	`2620:fe::fe`	Blocks malicious domains, DNSSEC, DoH, DoT
OpenDNS	`208.67.222.222` / `208.67.220.220`	—	Content filtering options, DNSSEC

Troubleshooting DNS Issues

DNS problems can cause websites to appear "down" even when the server itself is running fine. Here are common issues and solutions:

Problem	Symptom	Solution
Stale cache	Old site loads after DNS change	Flush DNS cache, wait for TTL expiry
Wrong nameservers	Domain not resolving at all	Check NS records at registrar match your DNS provider
Missing A record	"DNS_PROBE_FINISHED_NXDOMAIN"	Add A/AAAA record for the domain/subdomain
Email not working	Emails bounce or disappear	Verify MX, SPF, DKIM, and DMARC records
SSL cert issues	Certificate doesn't match domain	Check CNAME chain resolves to the correct endpoint

Useful DNS Commands

These command-line tools are invaluable for debugging DNS issues:

nslookup

# Basic lookup
nslookup example.com

# Query specific record type
nslookup -type=MX example.com

# Query a specific DNS server
nslookup example.com 8.8.8.8

dig (Linux/macOS)

# Detailed A record lookup
dig example.com A

# Query MX records
dig example.com MX

# Query a specific DNS server
dig @8.8.8.8 example.com

# Trace the full resolution path
dig +trace example.com

# Short output
dig +short example.com

Flush DNS Cache

# Windows
ipconfig /flushdns

# macOS
sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

# Linux (systemd-resolved)
sudo systemd-resolve --flush-caches

# Chrome browser
chrome://net-internals/#dns → "Clear host cache"

Look Up DNS Records Instantly

Use our free DNS Checker tool to look up A, AAAA, CNAME, MX, TXT, NS, SOA, and other DNS records for any domain — with real-time results and export options.

Try DNS Checker →

References

Mockapetris, P. (1987). RFC 1034 — Domain Names: Concepts and Facilities. https://datatracker.ietf.org/doc/html/rfc1034
Mockapetris, P. (1987). RFC 1035 — Domain Names: Implementation and Specification. https://datatracker.ietf.org/doc/html/rfc1035
Arends, R., et al. (2005). RFC 4033 — DNS Security Introduction and Requirements. https://datatracker.ietf.org/doc/html/rfc4033
Hoffman, P. & McManus, P. (2018). RFC 8484 — DNS Queries over HTTPS (DoH). https://datatracker.ietf.org/doc/html/rfc8484
ICANN. Root Server Technical Operations. https://root-servers.org/

Table of Contents