How DNS Works: A Complete Guide to Domain Name Resolution
What Is DNS?
The Domain Name System (DNS) is often called the "phonebook of the internet." It translates human-friendly domain names like google.com into machine-readable IP addresses like 142.250.80.46. Without DNS, you'd need to memorize long strings of numbers to visit any website—an impractical task given the billions of websites in existence.
DNS operates as a distributed, hierarchical database spanning millions of servers worldwide. This distributed architecture ensures that no single point of failure can bring down the entire system, and queries are resolved quickly by leveraging caching at multiple levels.
Every time you open a webpage, send an email, or stream a video, DNS works behind the scenes to route your request to the correct server. Understanding how DNS works is essential for web developers, system administrators, and anyone who wants to troubleshoot internet connectivity issues.
🛠️ Try it yourself: Use our DNS Lookup Tool to see real-time DNS resolution in action.
Why DNS Matters for Your Website
DNS performance directly impacts your website's speed and availability. A slow DNS provider can add hundreds of milliseconds to every page load, frustrating users and hurting your search engine rankings. Google considers page speed a ranking factor, and DNS resolution time is part of that equation.
Beyond performance, DNS configuration affects email deliverability, subdomain routing, CDN integration, and security. Misconfigured DNS records can break your website entirely or expose you to attacks like DNS spoofing and cache poisoning.
The DNS Resolution Process
When you type a domain name into your browser, a fascinating chain of lookups occurs in milliseconds. Here's how a DNS query travels from your device to the answer:
Step 1: Browser Cache
Your browser first checks its own cache for a recently resolved IP address. Modern browsers like Chrome, Firefox, and Safari maintain their own DNS cache to speed up repeat visits. If the domain was accessed recently and the TTL (Time To Live) hasn't expired, the browser uses the cached IP address immediately.
You can view your browser's DNS cache in Chrome by visiting chrome://net-internals/#dns. This shows all cached DNS entries and their expiration times.
Step 2: Operating System Cache
If the browser cache misses, the OS checks its own DNS cache and then the hosts file. On Linux and macOS this is /etc/hosts; on Windows it is C:\Windows\System32\drivers\etc\hosts. The hosts file holds manual hostname-to-IP mappings that override DNS entirely.
System administrators often use the hosts file for local development, blocking unwanted domains, or creating custom internal network mappings.
Step 3: Recursive Resolver
The query goes to your configured DNS resolver, usually provided by your ISP or a public DNS service like Google's 8.8.8.8 or Cloudflare's 1.1.1.1. The recursive resolver does the heavy lifting of tracking down the authoritative answer.
This resolver acts as an intermediary, making multiple queries on your behalf and caching results to speed up future requests. Most users never interact directly with recursive resolvers—they're configured automatically via DHCP when you connect to a network.
Step 4: Root Name Server
If the recursive resolver doesn't have the answer cached, it contacts one of the 13 root name server clusters (labeled A through M). These servers don't know the IP address for specific domains, but they know which TLD (Top-Level Domain) servers to ask.
For example, if you're looking up example.com, the root server responds with the addresses of the .com TLD servers. Despite being called "13 servers," there are actually hundreds of physical servers distributed globally using anycast routing.
Step 5: TLD Name Server
The resolver then queries the appropriate TLD server (like .com, .org, or .net). The TLD server responds with the authoritative name servers for the specific domain. These are the servers that actually host the DNS records for example.com.
TLD servers are managed by registry operators. For .com and .net, that's Verisign. Each TLD has its own set of name servers maintained by different organizations.
Step 6: Authoritative Name Server
Finally, the resolver queries the authoritative name server for the domain. This server has the actual DNS records and responds with the IP address. The resolver caches this answer and returns it to your device.
Authoritative name servers are typically provided by your domain registrar or DNS hosting service. Popular options include Cloudflare, AWS Route 53, Google Cloud DNS, and traditional registrars like GoDaddy or Namecheap.
Pro tip: Use the DNS Propagation Checker to verify that DNS changes have spread across global name servers. DNS updates can take 24-48 hours to fully propagate.
Recursive vs. Iterative Queries
DNS queries come in two flavors. A recursive query means the resolver must return either the final answer or an error—it can't refer you elsewhere. An iterative query allows the server to return a referral to another server.
Your device makes a recursive query to the resolver, which then makes iterative queries to root, TLD, and authoritative servers. This division of labor keeps the system efficient and scalable.
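The six steps above, as an added example that is not part of the original article: an in-memory model of the resolver's iterative walk. The server names ("root", "tld-com", "auth-example") and all records are constructed stand-ins, not real root, TLD or authoritative hosts.

```python
"""Added example: simulate a recursive resolver walking referrals iteratively.
Every "server" below is constructed; none of them is a real DNS host."""

# Each server knows only its own delegations (referrals) and the records it is
# authoritative for; no single server knows the whole answer.
SERVERS = {
    "root":         {"referral": {"com.": "tld-com"}, "answer": {}},
    "tld-com":      {"referral": {"example.com.": "auth-example"}, "answer": {}},
    "auth-example": {"referral": {}, "answer": {
        ("example.com.", "A"):         ["192.0.2.1"],   # RFC 5737 documentation address
        ("www.example.com.", "CNAME"): ["example.com."],
    }},
}


def longest_referral(server, name):
    """Return the (zone, next_server) delegation that most closely covers name."""
    best = None
    for zone, nxt in SERVERS[server]["referral"].items():
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best[0]):
                best = (zone, nxt)
    return best


def resolve(name, rtype, max_hops=8):
    """Recursive query from the client's point of view: returns (records, servers_asked).

    Internally the resolver issues iterative queries, following referrals from the
    root downward; an empty record list means no server could answer."""
    if not name.endswith("."):
        name += "."                      # fully qualify, as a resolver would
    asked, server = [], "root"
    for _ in range(max_hops):
        asked.append(server)
        answers = SERVERS[server]["answer"]
        if (name, rtype) in answers:     # authoritative answer: done
            return answers[(name, rtype)], asked
        if (name, "CNAME") in answers:   # alias: restart the walk for the target
            records, more = resolve(answers[(name, "CNAME")][0], rtype)
            return records, asked + more
        ref = longest_referral(server, name)
        if ref is None:                  # nobody is delegated this name
            return [], asked
        server = ref[1]
    raise RuntimeError("referral loop exceeded max_hops")


if __name__ == "__main__":
    for q in ("example.com", "www.example.com", "nope.example.com", "example.org"):
        print(q, "->", resolve(q, "A"))
```

The second element of each result is the list of servers the resolver had to consult, which is exactly what `dig +trace` shows for a real lookup.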
Understanding the DNS Hierarchy
DNS is organized as an inverted tree structure, with the root at the top and individual domains branching downward. This hierarchy enables the distributed nature of DNS and allows different organizations to manage different parts of the namespace.
The Root Zone
At the top of the hierarchy is the root zone, represented by a dot (.). When you type example.com, the full domain name is actually example.com. with a trailing dot. Most systems hide this trailing dot for convenience.
The root zone is managed by ICANN (Internet Corporation for Assigned Names and Numbers) and contains pointers to all TLD servers. The root zone file is only about 2MB and changes relatively infrequently.
Top-Level Domains (TLDs)
TLDs are the extensions at the end of domain names. They fall into several categories:
- Generic TLDs (gTLDs): .com, .org, .net, .info, .biz
- Country Code TLDs (ccTLDs): .uk, .de, .jp, .ca
- Sponsored TLDs: .gov, .edu, .mil (restricted use)
- New gTLDs: .app, .dev, .blog, .tech (introduced after 2013)
Each TLD has its own registry operator responsible for maintaining the TLD zone file and operating the TLD name servers. Some TLDs have specific requirements—for example, .edu is restricted to accredited educational institutions.
Second-Level Domains and Subdomains
The second-level domain is what you register—like example in example.com. You have full control over this domain and can create unlimited subdomains beneath it.
Subdomains like blog.example.com or api.example.com allow you to organize services and route traffic differently. Each subdomain can have its own DNS records pointing to different servers or services.
DNS Record Types Explained
DNS records are instructions stored on authoritative name servers. Different record types serve different purposes, from pointing domains to IP addresses to configuring email and verifying domain ownership.
| Record Type | Purpose | Example |
|---|---|---|
| A | Maps domain to IPv4 address | example.com → 192.0.2.1 |
| AAAA | Maps domain to IPv6 address | example.com → 2001:db8::1 |
| CNAME | Creates alias to another domain | www.example.com → example.com |
| MX | Specifies mail servers | example.com → mail.example.com (priority 10) |
| TXT | Stores text data (SPF, DKIM, verification) | v=spf1 include:_spf.google.com ~all |
| NS | Delegates subdomain to name servers | example.com → ns1.example.com |
| SOA | Start of Authority (zone metadata) | Contains serial number, refresh intervals |
| PTR | Reverse DNS lookup (IP to domain) | 192.0.2.1 → example.com |
| SRV | Service location (port and priority) | _sip._tcp.example.com |
| CAA | Certificate Authority Authorization | 0 issue "letsencrypt.org" |
A and AAAA Records
These are the most fundamental DNS records. An A record maps a domain to an IPv4 address (like 192.0.2.1), while an AAAA record maps to an IPv6 address (like 2001:db8::1).
You can have multiple A records for the same domain, which enables simple load balancing. DNS resolvers typically return all IP addresses, and the client chooses one (often the first). Some DNS providers offer geographic routing to return different IPs based on the user's location.
CNAME Records
A CNAME (Canonical Name) creates an alias from one domain to another. For example, you might point www.example.com to example.com using a CNAME. When someone looks up the CNAME, DNS follows the chain to the final A record.
Important limitation: You cannot use a CNAME at the root domain (also called the apex or naked domain). This is because CNAME records must be the only record for that name, but root domains require NS and SOA records. Some DNS providers offer proprietary solutions like Cloudflare's CNAME flattening or AWS Route 53's ALIAS records to work around this.
MX Records
Mail Exchange (MX) records tell email servers where to deliver mail for your domain. Each MX record has a priority value—lower numbers have higher priority. If the primary mail server is unavailable, senders try the next priority level.
Example MX configuration for Google Workspace:
```text
example.com. MX 1 aspmx.l.google.com.
example.com. MX 5 alt1.aspmx.l.google.com.
example.com. MX 5 alt2.aspmx.l.google.com.
example.com. MX 10 alt3.aspmx.l.google.com.
example.com. MX 10 alt4.aspmx.l.google.com.
```
TXT Records
TXT records store arbitrary text data and have become essential for email authentication and domain verification. Common uses include:
- SPF (Sender Policy Framework): Lists authorized mail servers to prevent email spoofing
- DKIM (DomainKeys Identified Mail): Cryptographic signature for email authentication
- DMARC (Domain-based Message Authentication): Policy for handling failed authentication
- Domain verification: Proving ownership to services like Google Search Console or SSL certificate authorities
Quick tip: Use our DNS Record Lookup Tool to query specific record types and see exactly what's configured for any domain.
NS Records
Name Server (NS) records delegate a domain or subdomain to specific name servers. Your domain registrar sets NS records at the TLD level to point to your DNS hosting provider. You can also use NS records to delegate subdomains to different name servers.
For example, you might delegate blog.example.com to a blogging platform's name servers while keeping the main domain on your own DNS provider.
CAA Records
Certificate Authority Authorization (CAA) records specify which certificate authorities are allowed to issue SSL/TLS certificates for your domain. This prevents unauthorized certificate issuance and improves security.
Example CAA record allowing only Let's Encrypt:
```text
example.com. CAA 0 issue "letsencrypt.org"
```
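The CNAME rules, MX priorities and trailing-dot convention from this section, as an added example that is not part of the original article: a small checker over a simplified zone file. The zone text is constructed and deliberately contains mistakes; the hostnames are placeholders, not a real deployment.

```python
"""Added example: check a simplified zone for the record-type rules above.
ZONE_TEXT is constructed and deliberately wrong in three places."""
import re
from collections import defaultdict

ZONE_TEXT = """\
example.com.      SOA   ns1.example.com. hostmaster.example.com. 2024010101 3600 900 1209600 300
example.com.      NS    ns1.example.com.
example.com.      A     192.0.2.1
example.com.      MX    1  aspmx.l.google.com.
example.com.      MX    5  alt1.aspmx.l.google.com.
example.com.      CAA   0 issue "letsencrypt.org"
example.com.      CNAME cdn.example.net.
www.example.com.  CNAME example.com.
bad.example.com.  CNAME example.com.
bad.example.com.  A     192.0.2.2
mail.example.com. MX    10 mailhost
"""

RR_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(.+)$")   # owner type rdata
HOST_TARGET_TYPES = {"CNAME", "MX", "NS"}           # rdata ends in a host name


def parse_zone(text):
    """Return [(owner, type, rdata)] from owner/type/rdata lines; ';' starts a comment."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if line:
            owner, rtype, rdata = RR_LINE.match(line).groups()
            records.append((owner, rtype.upper(), rdata.strip()))
    return records


def check_zone(text, apex):
    """Report CNAME-at-apex, CNAME-coexistence and missing-trailing-dot problems."""
    records = parse_zone(text)
    types_by_owner = defaultdict(set)
    for owner, rtype, _ in records:
        types_by_owner[owner].add(rtype)
    findings = []
    for owner in sorted(types_by_owner):
        types = types_by_owner[owner]
        if "CNAME" not in types:
            continue
        if owner == apex:
            findings.append(f"{owner}: CNAME at the zone apex (apex needs SOA and NS)")
        others = sorted(types - {"CNAME"})
        if others:
            findings.append(f"{owner}: CNAME cannot coexist with {', '.join(others)}")
    for owner, rtype, rdata in records:
        target = rdata.split()[-1]
        if rtype in HOST_TARGET_TYPES and not target.endswith("."):
            findings.append(f"{owner}: {rtype} target '{target}' lacks a trailing dot and would be read as {target}.{apex}")
    return findings


def mx_delivery_order(text, owner):
    """Mail hosts for owner, lowest preference value (highest priority) first."""
    mx = [rd.split() for o, t, rd in parse_zone(text) if o == owner and t == "MX"]
    return [host for _, host in sorted(mx, key=lambda p: int(p[0]))]
```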
DNS Caching and TTL
Caching is what makes DNS fast and scalable. Without caching, every DNS query would require multiple round trips to root, TLD, and authoritative servers—adding significant latency to every web request.
How TTL Works
Time To Live (TTL) is a value in seconds that tells resolvers how long to cache a DNS record. When the TTL expires, the resolver must fetch a fresh copy from the authoritative server.
Common TTL values and their use cases:
- 60-300 seconds: During DNS migrations or when changes are expected
- 1 hour (3600 seconds): Reasonable default for most records
- 24 hours (86400 seconds): For stable infrastructure that rarely changes
- 1 week (604800 seconds): For NS records and other critical infrastructure
Lower TTLs mean faster propagation of changes but more queries to your authoritative servers. Higher TTLs reduce server load and improve performance but make updates slower to propagate.
Pro tip: Lower your TTL to 60 seconds at least 24-48 hours before making DNS changes. After the change is complete and verified, raise the TTL back to a higher value.
Caching Layers
DNS caching happens at multiple levels, each with its own TTL and cache size:
- Browser cache: Typically respects TTL but may have minimum/maximum limits
- Operating system cache: Managed by the OS resolver (systemd-resolved on Linux, mDNSResponder on macOS)
- Router cache: Many home routers cache DNS queries for all connected devices
- ISP resolver cache: Large caches serving thousands of customers
- Public resolver cache: Services like Google DNS and Cloudflare cache globally
This multi-layer caching means that even with a low TTL, some clients may see stale data until all cache layers expire.
Negative Caching
DNS also caches negative responses (NXDOMAIN) when a domain doesn't exist. This prevents repeated queries for typos or non-existent domains. The negative cache TTL is specified in the SOA record's minimum field.
Negative caching can cause problems if you create a new subdomain immediately after it was queried and returned NXDOMAIN. Clients may continue seeing "domain not found" errors until the negative cache expires.
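TTL expiry, the decrementing TTL downstream clients see, and negative caching, as an added example that is not part of the original article: a resolver cache with an injectable clock so expiry can be exercised without waiting. The upstream answer format in `lookup` is an assumption of this example; the negative TTL follows RFC 2308 (the lesser of the SOA record's own TTL and its MINIMUM field).

```python
"""Added example: a TTL-honouring resolver cache with RFC 2308 negative caching.
All records and the clock are constructed for demonstration."""
import time


class FakeClock:
    """Controllable clock (seconds) so expiry can be demonstrated deterministically."""
    def __init__(self):
        self.t = 0.0
    def now(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


class DnsCache:
    # key (name, type) -> (expires_at, records); records None means cached NXDOMAIN
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self._store = {}

    def put(self, name, rtype, records, ttl):
        """Cache a positive answer for ttl seconds (the authoritative TTL)."""
        self._store[(name, rtype)] = (self.clock() + ttl, list(records))

    def put_negative(self, name, rtype, soa_ttl, soa_minimum):
        """Cache NXDOMAIN; RFC 2308 uses the lesser of the SOA's TTL and its MINIMUM."""
        self._store[(name, rtype)] = (self.clock() + min(soa_ttl, soa_minimum), None)

    def get(self, name, rtype):
        """Return (hit, records). hit is False on a miss or once the entry expired."""
        entry = self._store.get((name, rtype))
        if entry is None:
            return False, None
        expires_at, records = entry
        if self.clock() >= expires_at:
            del self._store[(name, rtype)]   # expired: next query goes upstream
            return False, None
        return True, records

    def remaining_ttl(self, name, rtype):
        """TTL a downstream client sees: authoritative TTL minus time already cached."""
        hit, _ = self.get(name, rtype)
        return int(self._store[(name, rtype)][0] - self.clock()) if hit else 0


def lookup(cache, upstream, name, rtype):
    """Serve from cache; on a miss call upstream(name, rtype), which returns (assumed
    format) {"records": [...], "ttl": n} or {"nxdomain": True, "soa_ttl": n, "soa_minimum": n}."""
    hit, records = cache.get(name, rtype)
    if hit:
        return records                       # may be None: a cached NXDOMAIN
    answer = upstream(name, rtype)
    if answer.get("nxdomain"):
        cache.put_negative(name, rtype, answer["soa_ttl"], answer["soa_minimum"])
        return None
    cache.put(name, rtype, answer["records"], answer["ttl"])
    return answer["records"]
```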
DNS Security Considerations
DNS was designed in the 1980s without security in mind. Over the decades, various attacks have emerged, and security extensions have been developed to address them.
Common DNS Attacks
DNS Spoofing (Cache Poisoning): Attackers inject false DNS records into a resolver's cache, redirecting users to malicious sites. This was easier before source port randomization and DNSSEC became widespread.
DNS Hijacking: Attackers compromise your domain registrar account or DNS hosting provider to change your DNS records. This can redirect all traffic to attacker-controlled servers.
DDoS Attacks: Overwhelming DNS servers with queries to make domains unreachable. DNS amplification attacks use open resolvers to multiply attack traffic.
DNS Tunneling: Encoding data in DNS queries to exfiltrate information or create covert communication channels. This bypasses many firewalls that allow DNS traffic.
DNSSEC (DNS Security Extensions)
DNSSEC adds cryptographic signatures to DNS records, allowing resolvers to verify that responses haven't been tampered with. It creates a chain of trust from the root zone down to individual domains.
How DNSSEC works:
- Each DNS zone has a public/private key pair
- The zone owner signs all DNS records with the private key
- The public key (DNSKEY record) is published in DNS
- The parent zone signs the child's public key (DS record)
- Resolvers verify the entire chain from root to target domain
DNSSEC adoption has been slow due to complexity and operational challenges. As of 2026, only about 30% of domains use DNSSEC. Major obstacles include key management, increased DNS response sizes, and compatibility issues with some DNS providers.
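The "parent zone signs the child's public key (DS record)" step, as an added example that is not part of the original article: how a DS record is derived from a child DNSKEY per RFC 4034, and the check a validating resolver makes when comparing the two. The DNSKEY public-key bytes are a constructed placeholder, not a real key, and RRSIG verification of the DNSKEY RRset is out of scope here.

```python
"""Added example: derive a DS record from a DNSKEY (RFC 4034) and check the link.
The public key bytes used below are constructed, not a real key."""
import hashlib
import struct


def name_to_wire(name):
    """Canonical wire form of an owner name: length-prefixed lowercase labels, root = 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 2-byte flags (257 = KSK), protocol (always 3), algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: a 16-bit checksum used to pick the right DNSKEY."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, rdata, digest_type=2):
    """DS = (key tag, algorithm, digest type, digest(owner wire name || DNSKEY RDATA))."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def ds_matches_dnskey(ds, owner, rdata):
    """Resolver-side check: does the parent's DS really cover this child DNSKEY?"""
    return ds == make_ds(owner, rdata, ds[2])


if __name__ == "__main__":
    key = dnskey_rdata(257, 3, 13, b"\x01\x02\x03\x04")     # constructed placeholder key
    ds = make_ds("example.com.", key)
    print("example.com. DS", *ds)
    tampered = dnskey_rdata(257, 3, 13, b"\x01\x02\x03\x05")
    print("tampered key accepted?", ds_matches_dnskey(ds, "example.com.", tampered))
```

A child key that does not hash to the digest the parent published fails the check, which is why an attacker who swaps a zone's DNSKEY without also compromising the parent cannot produce a valid chain.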
DNS over HTTPS (DoH) and DNS over TLS (DoT)
Traditional DNS queries are sent in plaintext, allowing ISPs and network operators to see every domain you visit. DoH and DoT encrypt DNS queries to protect privacy.
DNS over TLS (DoT): Encrypts DNS queries using TLS on port 853. It's a dedicated protocol specifically for DNS.
DNS over HTTPS (DoH): Sends DNS queries over HTTPS (port 443), so they look like ordinary web traffic. This makes encrypted DNS hard to block at the network level without also blocking HTTPS.
Major browsers like Firefox and Chrome now support DoH by default, using providers like Cloudflare (1.1.1.1) or Google (8.8.8.8). This has sparked controversy with ISPs and governments who lose visibility into DNS traffic.
Best Practices for DNS Security
- Enable two-factor authentication on your domain registrar and DNS hosting accounts
- Use registry lock (also called domain lock) to prevent unauthorized transfers
- Implement DNSSEC if your DNS provider supports it
- Monitor your DNS records for unauthorized changes
- Use CAA records to restrict certificate issuance
- Keep your DNS software updated if you run your own servers
- Use separate accounts for domain registration and DNS hosting
- Maintain offline backups of your DNS zone files
Troubleshooting DNS Issues
DNS problems are among the most common causes of website downtime and connectivity issues. Knowing how to diagnose and fix them quickly is essential.
Common DNS Problems
DNS Propagation Delays: After changing DNS records, updates can take 24-48 hours to propagate globally. Different resolvers cache records for different durations based on TTL.
Misconfigured Records: Typos in IP addresses, missing trailing dots in CNAME targets, or incorrect MX priorities can break services.
Expired Domains: If you forget to renew your domain, DNS stops working immediately. Most registrars offer a grace period, but your site will be down during this time.
Name Server Issues: If your authoritative name servers are down or unreachable, no one can resolve your domain.
Essential DNS Troubleshooting Tools
The dig command (Domain Information Groper) is the most powerful DNS troubleshooting tool on Linux and macOS. Windows users can use nslookup or install dig via WSL.
Basic dig usage:
```sh
# Query A record
dig example.com
# Query specific record type
dig example.com MX
# Query specific name server
dig @8.8.8.8 example.com
# Trace full resolution path
dig +trace example.com
# Short answer only
dig +short example.com
```
The +trace option is particularly useful—it shows the entire resolution process from root servers through TLD servers to authoritative servers, helping you identify where problems occur.
Using nslookup
The nslookup command is available on all operating systems and provides basic DNS query functionality:
```sh
# Basic query
nslookup example.com
# Query specific server
nslookup example.com 8.8.8.8
# Query specific record type
nslookup -type=MX example.com
```
Checking DNS Propagation
After making DNS changes, you need to verify they've propagated. Our DNS Propagation Checker queries DNS servers worldwide to show you the current state of propagation.
You can also manually check different resolvers:
```sh
dig @8.8.8.8 example.com          # Google DNS
dig @1.1.1.1 example.com          # Cloudflare DNS
dig @208.67.222.222 example.com   # OpenDNS
```
Flushing DNS Cache
Sometimes you need to clear cached DNS records to see fresh results:
```sh
# Windows
ipconfig /flushdns
# macOS
sudo dscacheutil -flushcache
sudo killall -HUP mDNSResponder
# Linux (systemd-resolved); newer systemd releases use: resolvectl flush-caches
sudo systemd-resolve --flush-caches
```
Chrome browser: visit chrome://net-internals/#dns and click "Clear host cache".
Quick tip: Use our WHOIS Lookup Tool to check domain registration details, name servers, and expiration dates when troubleshooting DNS issues.
Testing Email DNS Configuration
Email delivery problems are often caused by DNS misconfigurations. Check your MX, SPF, DKIM, and DMARC records:
```sh
# Check MX records
dig example.com MX
# Check SPF record
dig example.com TXT | grep spf
# Check DMARC record
dig _dmarc.example.com TXT
# Check DKIM record (replace 'selector' with your actual selector)
dig selector._domainkey.example.com TXT
```
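Two checks worth running on the TXT answers those dig commands return, as an added example that is not part of the original article: the "exactly one SPF record" rule and the ten-DNS-lookup limit from RFC 7208, plus parsing the DMARC policy tags. The TXT data is a constructed stand-in in `dig +short` form; the `_spf.mail.example` and `_netblocks.mail.example` names are placeholders, not real providers.

```python
"""Added example: validate SPF and DMARC from dig-style TXT output.
TXT below is constructed; the include chain is a placeholder, not a real provider."""
import re

# Constructed TXT data, as dig +short prints it (quoted strings, one per line).
TXT = {
    "example.com.": ['"v=spf1 mx include:_spf.mail.example -all"',
                     '"google-site-verification=constructed-token"'],
    "_spf.mail.example.": ['"v=spf1 include:_netblocks.mail.example ~all"'],
    "_netblocks.mail.example.": ['"v=spf1 ip4:192.0.2.0/24 ~all"'],
    "_dmarc.example.com.": ['"v=DMARC1; p=reject; rua=mailto:dmarc@example.com"'],
    "dup.example.": ['"v=spf1 -all"', '"v=spf1 +all"'],
}
SPF_LOOKUP_LIMIT = 10   # RFC 7208 section 4.6.4


def txt_strings(name):
    """Strip dig's quoting; a record split into several quoted chunks is joined."""
    return ["".join(re.findall(r'"([^"]*)"', raw)) for raw in TXT.get(name, [])]


def spf_record(name):
    """Exactly one v=spf1 record is allowed; more than one is a permanent error."""
    spf = [s for s in txt_strings(name) if s.lower().startswith("v=spf1 ") or s.lower() == "v=spf1"]
    if len(spf) > 1:
        raise ValueError(f"{name}: {len(spf)} SPF records (RFC 7208 permerror)")
    return spf[0] if spf else None


def spf_lookups(name, seen=None):
    """Count DNS-querying terms (include, a, mx, ptr, exists, redirect) through includes."""
    seen = set() if seen is None else seen
    if name in seen:
        raise ValueError(f"{name}: include loop")
    seen.add(name)
    record = spf_record(name)
    if record is None:
        return 0
    count = 0
    for term in record.split()[1:]:
        mech = term.lstrip("+-~?")                  # drop the qualifier
        mech_name, _, value = mech.partition(":")
        if mech_name.startswith("redirect="):
            count += 1 + spf_lookups(mech.split("=", 1)[1].rstrip(".") + ".", seen)
        elif mech_name == "include":
            count += 1 + spf_lookups(value.rstrip(".") + ".", seen)
        elif mech_name.split("/")[0] in ("a", "mx", "ptr", "exists"):
            count += 1                              # ip4/ip6/all need no lookup
    return count


def dmarc_policy(domain):
    """Parse the _dmarc TXT into tags; returns {} when no DMARC record is published."""
    for s in txt_strings("_dmarc." + domain.rstrip(".") + "."):
        if s.startswith("v=DMARC1"):
            return dict(kv.strip().split("=", 1) for kv in s.split(";") if "=" in kv)
    return {}
```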
Choosing a DNS Provider
Your DNS provider significantly impacts website performance, reliability, and security. While many people use their domain registrar's DNS service by default, dedicated DNS providers often offer better performance and features.
Key Factors to Consider
Performance: DNS resolution speed varies dramatically between providers. Premium providers use anycast routing and have servers in dozens of locations worldwide, reducing latency.
Reliability: Look for providers with 100% uptime SLAs and redundant infrastructure. DNS downtime means your entire website is unreachable.
Features: Advanced features include geographic routing, load balancing, health checks, DNSSEC support, and API access for automation.
Security: DDoS protection, rate limiting, and DNSSEC support are essential for protecting against attacks.
Pricing: Many providers offer free tiers for basic use. Paid plans typically add features like more queries, advanced routing, and priority support.
Popular DNS Providers Comparison
| Provider | Best For | Key Features | Pricing |
|---|---|---|---|
| Cloudflare | Most users | Free tier, DDoS protection, fast global network | Free / $20+/mo |