10.10.2024

DNS

What Does DNS Do and How Does It Work?

DNS (Domain Name System) is the internet's distributed naming infrastructure that translates human-readable domain names — such as example.com — into machine-readable IP addresses like 93.184.216.34. Without DNS, every browser request, API call, and email delivery would require users and applications to know the exact numeric address of every remote host, making the modern internet operationally impossible at scale.

At its core, DNS is a globally distributed, hierarchical database. It is not a single server or a centralized registry — it is a delegation tree spanning hundreds of thousands of authoritative name servers worldwide, coordinated through a small set of root servers and governed by standards defined in RFC 1034 and RFC 1035.

Why DNS Is More Than Just a "Phonebook"

The phonebook analogy is useful for beginners, but it dramatically undersells what DNS actually does. DNS is a real-time, fault-tolerant, globally replicated lookup system that also handles:

Mail routing via MX records, directing email to the correct mail servers
Service discovery via SRV records, used by protocols like SIP, XMPP, and Kubernetes internal networking
Domain ownership verification via TXT records, used for SPF, DKIM, DMARC, and Google Search Console
Canonical naming via CNAME records, enabling CDN integration and load balancing
IPv6 addressing via AAAA records
Reverse lookups via PTR records in the in-addr.arpa zone, critical for mail server reputation and security auditing
DNSSEC validation, which adds cryptographic signatures to DNS responses to prevent cache poisoning

Every time you send an email, connect to a VPN, or load a web application, DNS is resolving multiple record types in the background — often dozens of queries per page load.

The DNS Hierarchy: How the Namespace Is Structured

DNS is organized as an inverted tree. Understanding this structure is essential to understanding why resolution works the way it does.

.  (Root Zone)
├── com
│   ├── example.com  (Second-Level Domain)
│   │   └── www.example.com  (Subdomain / FQDN)
├── org
├── net
└── uk
    └── co.uk

Root Zone (.): Managed by IANA. There are 13 logical root server addresses (A through M), operated by organizations like Verisign, NASA, and ICANN. In practice, these are served by hundreds of physical machines via anycast routing.
Top-Level Domains (TLDs): Generic TLDs like .com, .net, .org, and country-code TLDs like .uk, .de, .md. Each TLD has its own set of authoritative name servers.
Second-Level Domains (SLDs): The domain you register — example.com. The authoritative DNS for this zone is controlled by whoever registered the domain.
Subdomains: www, mail, api, staging — these are records within the SLD zone, fully controlled by the domain owner.

Step-by-Step: How a DNS Query Is Resolved

A full recursive DNS resolution involves up to seven distinct network exchanges. Here is the precise sequence:

Step 1 — Browser Cache Check

When you type www.example.com into your browser, the operating system first checks its local DNS cache. On Linux, this may be managed by systemd-resolved; on Windows, by the DNS Client service. If a valid cached record exists and its TTL (Time to Live) has not expired, resolution stops here.

You can inspect the local DNS cache on Linux with:

resolvectl statistics

Or flush it with:

sudo resolvectl flush-caches

On Windows:

ipconfig /displaydns
ipconfig /flushdns

Step 2 — Recursive Resolver Query

If no cached answer exists, the OS forwards the query to the configured recursive resolver (also called a recursive DNS server or full-service resolver). This is typically:

Your ISP's resolver (assigned via DHCP)
A public resolver: 8.8.8.8 (Google), 1.1.1.1 (Cloudflare), 9.9.9.9 (Quad9)
A self-hosted resolver like Unbound or BIND on your own VPS Hosting infrastructure

The recursive resolver does the heavy lifting. It will traverse the DNS hierarchy on your behalf and cache results to serve future queries faster.

Step 3 — Root Server Referral

The recursive resolver queries one of the 13 root server clusters. The root server does not know the IP address of www.example.com. Instead, it returns a referral — a list of authoritative name servers for the .com TLD zone, along with their IP addresses (called glue records).

Step 4 — TLD Name Server Query

The resolver queries the .com TLD name servers (operated by Verisign). These servers also do not hold the final answer. They return another referral — the authoritative name servers for example.com specifically (e.g., ns1.example.com, ns2.example.com).

Step 5 — Authoritative Name Server Query

The resolver queries the authoritative name server for example.com. This server holds the actual zone file and returns the definitive answer — the A record containing the IPv4 address (or AAAA for IPv6).

Step 6 — Response Caching and Delivery

The recursive resolver caches the response according to the record's TTL value (e.g., 300 seconds = 5 minutes, 86400 seconds = 24 hours). It then returns the IP address to the client's OS, which passes it to the browser.

Step 7 — TCP/IP Connection

The browser uses the resolved IP address to open a TCP connection (typically on port 443 for HTTPS). DNS's job is now complete. The web server responds and the page loads.

This entire process — steps 2 through 6 — typically completes in 20–120 milliseconds on a warm resolver cache, and under 500 milliseconds for a fully cold, uncached resolution traversing all hierarchy levels.

DNS Record Types: A Technical Reference

Record Type	Purpose	Example Value
————-	———	—————
`A`	Maps hostname to IPv4 address	`93.184.216.34`
`AAAA`	Maps hostname to IPv6 address	`2606:2800:220:1:248:1893:25c8:1946`
`CNAME`	Alias pointing to another hostname	`www` → `example.com`
`MX`	Mail exchange server with priority	`10 mail.example.com`
`TXT`	Arbitrary text; used for SPF, DKIM, verification	`v=spf1 include:_spf.google.com ~all`
`NS`	Authoritative name servers for a zone	`ns1.example.com`
`PTR`	Reverse DNS — IP to hostname	`34.216.184.93.in-addr.arpa`
`SOA`	Start of Authority — zone metadata	Serial, refresh, retry, expire intervals
`SRV`	Service location record	`_sip._tcp.example.com`
`CAA`	Certificate Authority Authorization	`0 issue "letsencrypt.org"`

CAA records deserve special mention: they instruct Certificate Authorities which organizations are permitted to issue SSL Certificates for your domain — a critical security control that is frequently overlooked.

DNS Query Types: Recursive vs. Iterative vs. Non-Recursive

Query Type	Who Does the Work	Used By
————	——————	———
Recursive	Resolver does full traversal, returns final answer	Client → Recursive Resolver
Iterative	Each server returns a referral; caller does next query	Recursive Resolver → Root/TLD/Auth
Non-Recursive	Answer is already cached; returned immediately	Any resolver with valid cache

Most end-user devices send recursive queries to their configured resolver. The resolver itself uses iterative queries when traversing the hierarchy.

TTL: The Most Misunderstood DNS Parameter

TTL (Time to Live) is the number of seconds a DNS record may be cached by resolvers and clients. It is set by the domain owner in the zone file.

Low TTL (60–300 seconds): Faster propagation of changes. Essential before planned migrations, IP changes, or failover events. Increases query load on authoritative servers.
High TTL (3600–86400 seconds): Reduces resolver load and speeds up repeat queries. Changes take longer to propagate globally.

Critical operational insight: When planning a server migration or IP change, reduce your TTL to 300 seconds at least 48 hours before the change. This ensures that by the time you update the A record, no resolver is caching the old value for more than 5 minutes. Failing to do this is one of the most common causes of extended downtime during migrations.

When you register a domain through Domain Registration and point it to a new server, the propagation window is directly governed by the previous TTL value — not some arbitrary "24–48 hour" rule that is often cited incorrectly.

DNS Transport Protocols: UDP, TCP, DoH, and DoT

Traditional DNS operates over UDP port 53 for queries under 512 bytes. Responses exceeding this size trigger a fallback to TCP port 53. DNSSEC responses, zone transfers (AXFR), and large TXT records commonly require TCP.

Modern DNS privacy protocols have changed this landscape significantly:

Protocol	Port	Encryption	Use Case
———-	——	———–	———
DNS over UDP	53	None	Traditional resolution
DNS over TCP	53	None	Large responses, zone transfers
DNS over TLS (DoT)	853	TLS	Privacy-focused clients, mobile
DNS over HTTPS (DoH)	443	TLS via HTTPS	Browser-level, bypasses network filters
DNS over QUIC (DoQ)	853	QUIC/TLS 1.3	Emerging standard, low latency

DoH vs. DoT — the real operational difference: DoH tunnels DNS inside HTTPS traffic on port 443, making it indistinguishable from regular web traffic. This is useful for privacy but makes enterprise network monitoring and filtering significantly harder. DoT uses a dedicated port (853), which network administrators can monitor, block, or inspect independently. For self-managed infrastructure on a Dedicated Server, running a local DoT or DoH resolver gives you both privacy and full control over resolution policy.

DNSSEC: Cryptographic Integrity for DNS

DNSSEC (DNS Security Extensions) adds a chain of cryptographic signatures to DNS responses, allowing resolvers to verify that a response is authentic and has not been tampered with in transit. It protects against DNS cache poisoning (Kaminsky attack) and man-in-the-middle DNS spoofing.

DNSSEC does not encrypt DNS traffic — it only signs it. The signature chain works as follows:

The zone owner generates a Zone Signing Key (ZSK) and a Key Signing Key (KSK)
Each DNS record set is signed with the ZSK, producing RRSIG records
The KSK signs the DNSKEY record set
A DS (Delegation Signer) record is published in the parent zone (e.g., .com), creating the chain of trust back to the root

Enabling DNSSEC is strongly recommended for any domain handling financial transactions, authentication, or email. Misconfigured DNSSEC — particularly an expired signature or a mismatched DS record — will cause complete resolution failure for validating resolvers, which is a harder failure mode than no DNSSEC at all.

Common DNS Failures and How to Diagnose Them

NXDOMAIN — Non-Existent Domain

The authoritative server confirmed the domain does not exist. Common causes: typo in the domain name, expired domain registration, deleted DNS record.

dig www.example.com
# Look for: status: NXDOMAIN

SERVFAIL — Server Failure

The resolver could not complete the query. Common causes: DNSSEC validation failure, unreachable authoritative server, misconfigured zone file.

dig +dnssec example.com
# Look for: status: SERVFAIL

To bypass DNSSEC validation and isolate the issue:

dig +cd example.com
# +cd = checking disabled; bypasses DNSSEC validation

Stale Cache / Propagation Delay

After updating a DNS record, old values persist in resolver caches until the TTL expires. To query the authoritative server directly and bypass resolver cache:

dig @ns1.example.com www.example.com

Checking DNS Propagation Globally

Use dig with specific public resolvers to check propagation status:

dig @8.8.8.8 www.example.com A
dig @1.1.1.1 www.example.com A
dig @9.9.9.9 www.example.com A

DNS in Hosting Environments: Practical Configurations

When you deploy a website or application on a VPS with cPanel, DNS management is typically handled through WHM's DNS cluster or cPanel's Zone Editor. Understanding the underlying zone file structure lets you make changes that the GUI does not expose.

A minimal zone file for example.com looks like this:

$TTL 3600
@   IN  SOA  ns1.example.com. admin.example.com. (
            2024010101  ; Serial
            3600        ; Refresh
            900         ; Retry
            604800      ; Expire
            300 )       ; Minimum TTL

@       IN  NS      ns1.example.com.
@       IN  NS      ns2.example.com.
@       IN  A       203.0.113.10
www     IN  A       203.0.113.10
mail    IN  A       203.0.113.20
@       IN  MX  10  mail.example.com.
@       IN  TXT     "v=spf1 ip4:203.0.113.20 ~all"

For Email Hosting to function correctly, the MX record must point to a hostname (not an IP address directly), and that hostname must itself resolve via an A record. A common misconfiguration is pointing MX directly to an IP — this violates RFC 2821 and causes delivery failures with strict mail servers.

DNS Performance: What Actually Affects Resolution Speed

Resolver proximity: A resolver geographically close to the client (or on the same network) reduces round-trip time dramatically.
Cache hit rate: High-traffic domains with reasonable TTLs are almost always served from cache. Cold cache resolution is 5–20x slower.
Anycast routing: Root servers and major public resolvers use anycast, routing queries to the nearest physical node automatically.
Number of DNS lookups per page: A single web page can trigger 20–50 DNS queries (CDN assets, analytics, fonts, ad networks). Browsers parallelize these, but each unique hostname requires its own lookup.
DNS prefetching: Modern browsers support <link rel="dns-prefetch" href="//cdn.example.com"> to resolve third-party hostnames before they are needed, reducing perceived latency.

DNS vs. Alternative Resolution Mechanisms

Mechanism	How It Works	Scope	Use Case
———–	————-	——-	———
Public DNS	Recursive resolution via UDP/TCP	Global	Standard internet access
Private DNS / Split-Horizon	Different answers for internal vs. external queries	Network-scoped	Corporate intranets, VPNs
mDNS (Multicast DNS)	Zero-config local resolution via `224.0.0.251`	LAN only	IoT devices, local service discovery
LLMNR	Windows-native local name resolution	LAN only	Windows peer networks
Hosts file (`/etc/hosts`)	Static local override, checked before DNS	Local machine	Development, blocking, testing
WINS	NetBIOS name resolution	LAN only	Legacy Windows environments

The /etc/hosts file is evaluated before DNS on virtually every operating system. This makes it invaluable for local development — you can map myapp.local to 127.0.0.1 without touching any DNS infrastructure.

Key Takeaways and Decision Checklist

Use this checklist when configuring or troubleshooting DNS for any production environment:

Before any server migration: Lower TTL to 300 seconds at least 48 hours in advance
For email deliverability: Verify MX, SPF (TXT), DKIM (TXT), DMARC (TXT), and PTR records are all correctly configured
For security: Enable DNSSEC on your domain and add CAA records to restrict certificate issuance
For privacy: Use DoT or DoH on client devices and servers; avoid sending plaintext DNS over untrusted networks
For performance: Set TTL to 3600–86400 for stable records; use 300 only for records that change frequently
For diagnostics: Always query the authoritative server directly with dig @ns1.yourdomain.com to distinguish propagation delay from a genuine misconfiguration
For zone management: Increment the SOA serial number every time you modify a zone file — resolvers use it to detect changes
For hosting: Confirm your registrar's nameserver delegation matches the NS records in your zone file — a mismatch is the single most common cause of "DNS not working" after a domain transfer

Frequently Asked Questions

What is the difference between a DNS resolver and an authoritative DNS server?

A recursive resolver (e.g., 8.8.8.8) is a middleman that queries the DNS hierarchy on behalf of your device and caches results. An authoritative name server holds the actual zone records for a specific domain and provides definitive answers. Your resolver queries many authoritative servers; your domain's authoritative server only answers for zones it hosts.

Why does DNS propagation take time after I update a record?

Propagation delay is caused by TTL-based caching. Every resolver that previously cached your old record will continue serving it until the TTL expires. If your TTL was 86400 (24 hours), resolvers may serve the old record for up to 24 hours after your update. This is not a bug — it is the intended caching mechanism that makes DNS scalable.

What is a DNS leak and why does it matter?

A DNS leak occurs when your device sends DNS queries outside your intended resolver — typically your ISP's resolver — even when using a VPN or privacy tool. This exposes your browsing activity to your ISP. You can test for leaks at dnsleaktest.com and fix them by configuring your VPN client to enforce DNS routing through its own resolver.

Can DNS be used as an attack vector?

Yes. Common DNS-based attacks include cache poisoning (injecting false records into a resolver's cache), DNS amplification DDoS (using open resolvers to flood a target with large DNS responses), DNS hijacking (redirecting queries to malicious servers), and DNS tunneling (exfiltrating data by encoding it in DNS query strings). DNSSEC mitigates cache poisoning; rate limiting and response-rate limiting (RRL) on authoritative servers mitigate amplification.

How do I find the authoritative name servers for any domain?

Use dig with the NS record type and the +short flag for clean output:

dig NS example.com +short

To trace the full delegation path from root to authoritative, use:

dig +trace example.com

This shows every referral hop — root → TLD → authoritative — which is the most reliable way to diagnose delegation misconfigurations.

Save 15% on All Hosting Services