DNS Explained: How Domain Name Resolution Works
Every time you visit a website, send an email, or use an app, the Domain Name System (DNS) works behind the scenes to translate human-readable domain names into machine-readable IP addresses. It's one of the internet's most critical yet invisible infrastructures—often called the "phonebook of the internet."
Understanding DNS isn't just for network engineers. Whether you're a developer deploying applications, a business owner managing your online presence, or simply curious about how the internet works, knowing DNS fundamentals helps you troubleshoot issues, improve performance, and make informed decisions about your infrastructure.
This guide breaks down everything you need to know about DNS, from the resolution process to security considerations, with practical examples you can use today.
Table of Contents
- What Is DNS and Why Does It Matter?
- How DNS Resolution Works: Step by Step
- Understanding the DNS Hierarchy
- DNS Record Types Explained
- TTL and Caching Strategies
- Troubleshooting Common DNS Issues
- DNS Security: Threats and Protection
- Choosing the Right DNS Provider
- Optimizing DNS Performance
- Frequently Asked Questions
- Related Articles
What Is DNS and Why Does It Matter?
DNS (Domain Name System) is a distributed database that maps domain names to IP addresses. Without it, you'd need to memorize strings like 93.184.216.34 instead of typing example.com into your browser.
Think of DNS as a massive, decentralized contact list. When you request a website, DNS servers around the world work together to find the correct IP address for that domain, similar to how you'd look up a phone number in a directory.
But DNS does more than simple name-to-IP translation. It also handles:
- Email routing through MX records that direct messages to the correct mail servers
- Load balancing by distributing traffic across multiple servers
- Service discovery for applications that need to find specific services
- Security verification through records like SPF, DKIM, and DMARC
- Content delivery by pointing domains to CDN endpoints
The DNS system processes over 400 billion queries per day globally. A single misconfigured DNS record can take down an entire website or email system, making DNS knowledge essential for anyone managing online infrastructure.
Quick tip: Use our DNS Lookup tool to instantly check all DNS records for any domain and see how DNS resolution works in real-time.
How DNS Resolution Works: Step by Step
When you type example.com into your browser and press Enter, a complex chain of lookups happens in milliseconds. Here's the complete process:
The DNS Resolution Chain
- Browser cache check: Your browser first checks its own DNS cache to see if it recently looked up this domain. Modern browsers cache DNS records for the duration specified by the TTL (Time To Live) value.
- Operating system cache: If the browser cache misses, the OS checks its DNS cache. On Linux and Mac systems, this includes checking the /etc/hosts file for manual overrides.
- Recursive resolver query: If still not found, your computer sends the query to a recursive DNS resolver—typically your ISP's DNS server or a public resolver like Cloudflare (1.1.1.1) or Google (8.8.8.8).
- Resolver cache check: The recursive resolver checks its own cache. If it has a recent answer, it returns it immediately. This is why subsequent visits to popular websites are nearly instant.
- Root nameserver query: For uncached queries, the resolver starts at the top of the DNS hierarchy by asking one of the 13 root nameserver clusters: "Who handles .com domains?" The root server responds with the addresses of .com TLD (Top-Level Domain) nameservers.
- TLD nameserver query: The resolver then asks a .com TLD nameserver: "Who is authoritative for example.com?" The TLD server responds with the authoritative nameservers for that specific domain.
- Authoritative nameserver query: Finally, the resolver asks the authoritative nameserver: "What is the A record for example.com?" The authoritative server responds with the IP address.
- Response and caching: The resolver caches this result according to the TTL value and returns the IP address to your computer, which also caches it. Your browser can now connect to the web server at that IP address.
This entire recursive resolution process typically takes 20-120ms for uncached queries. Cached queries resolve in under 1ms, which is why browsing feels instantaneous for frequently visited sites.
Pro tip: You can see this process in action using command-line tools. Run dig +trace example.com on Linux/Mac or use our DNS Propagation Checker to see how DNS records appear across different global locations.
Iterative vs. Recursive Queries
DNS uses two types of queries:
- Recursive queries: Your computer asks the resolver to do all the work and return the final answer. The resolver handles all the intermediate lookups.
- Iterative queries: The resolver asks each nameserver in the chain, and each responds with either the answer or a referral to the next nameserver to query.
Most client-to-resolver communication uses recursive queries for simplicity, while resolver-to-nameserver communication uses iterative queries for efficiency and control.
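To make the referral chain above concrete, here is a small simulation added for this guide (it is not code from the original article). "root", "tld-com" and "auth-example" are hypothetical server labels, and every address is constructed sample data; what it shows is the shape of the exchange: the client asks one recursive question, the resolver asks iterative questions and follows each referral down the tree until an authoritative server answers.

```python
"""Simulated recursive resolver walking a constructed DNS hierarchy.

Added example, not code from the original article. "root", "tld-com" and
"auth-example" are hypothetical server labels and every address below is
constructed sample data; real root, TLD and authoritative servers answer
with the same two message kinds (answer or referral).
"""

# What each simulated nameserver knows: delegations to child zones
# (referrals) and records it is authoritative for (answers).
NAMESERVERS = {
    "root": {
        "referrals": {"com.": "tld-com"},
        "answers": {},
    },
    "tld-com": {
        "referrals": {"example.com.": "auth-example"},
        "answers": {},
    },
    "auth-example": {
        "referrals": {},
        "answers": {
            ("example.com.", "A"): ["93.184.216.34"],
            ("www.example.com.", "A"): ["93.184.216.34"],
            ("example.com.", "MX"): ["10 mail.example.com."],
        },
    },
}


def query_iterative(server, qname, qtype):
    """One iterative query. The server either answers from its own data,
    refers us to the child zone's nameserver, or reports that it knows
    nothing about the name."""
    data = NAMESERVERS[server]
    if (qname, qtype) in data["answers"]:
        return "answer", data["answers"][(qname, qtype)]
    # Pick the most specific delegated zone that contains qname.
    best = None
    for zone in data["referrals"]:
        if qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    if best is not None:
        return "referral", data["referrals"][best]
    return "nxdomain", []


def resolve(qname, qtype="A", trace=None):
    """Recursive resolution as a resolver does it: start at the root and
    follow referrals until a server answers. `trace` collects each hop."""
    if not qname.endswith("."):
        qname += "."
    server = "root"
    for _ in range(8):  # bound the referral chain; a loop here would spin forever
        kind, payload = query_iterative(server, qname, qtype)
        if trace is not None:
            trace.append((server, kind))
        if kind == "answer":
            return payload
        if kind == "referral":
            server = payload
            continue
        return []
    raise RuntimeError("referral chain too long")


if __name__ == "__main__":
    hops = []
    print(resolve("www.example.com", trace=hops))
    for server, kind in hops:
        print(f"{server:13s} -> {kind}")
```

Running it prints the address followed by the three hops (root referral, TLD referral, authoritative answer), which is the same path dig +trace shows against the real hierarchy. The cache layers are left out on purpose; they sit in front of resolve() and are the subject of the TTL section.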
Understanding the DNS Hierarchy
DNS is organized as a hierarchical tree structure, starting from the root and branching down through increasingly specific levels. This distributed architecture is what makes DNS scalable to billions of domains.
The Four Levels of DNS
1. Root Level (.)
The root level sits at the top of the DNS hierarchy. There are 13 root nameserver identities (labeled A through M), though each is actually a cluster of hundreds of servers distributed globally using anycast routing. These servers know where to find all TLD nameservers.
2. Top-Level Domain (TLD)
TLDs are the extensions you see at the end of domain names. They fall into several categories:
- Generic TLDs (gTLDs): .com, .org, .net, .info, .biz
- Country-code TLDs (ccTLDs): .uk, .de, .jp, .ca, .au
- Sponsored TLDs: .gov, .edu, .mil (restricted use)
- New gTLDs: .app, .dev, .tech, .io, .ai (introduced since 2013)
3. Second-Level Domain (SLD)
This is the main part of your domain name—the part you register. In example.com, "example" is the second-level domain. You have full control over DNS records at this level.
4. Subdomain
Subdomains are prefixes you add to your domain: blog.example.com, shop.example.com, api.example.com. You can create unlimited subdomains and point them to different servers or services.
Delegation and Authority
Each level in the DNS hierarchy delegates authority to the level below it. The root delegates to TLDs, TLDs delegate to domain owners, and domain owners can delegate subdomains to other nameservers. This delegation is recorded using NS (nameserver) records.
When you register a domain, you specify which nameservers are authoritative for your domain. These nameservers then answer all queries about your domain and its subdomains.
DNS Record Types Explained
DNS records are instructions stored on authoritative nameservers that provide information about a domain. Each record type serves a specific purpose. Here are the most important ones you'll encounter:
| Record Type | Purpose | Example Value | Common Use |
|---|---|---|---|
| A | Maps domain to IPv4 address | 93.184.216.34 | Pointing domain to web server |
| AAAA | Maps domain to IPv6 address | 2606:2800:220:1:248:1893:25c8:1946 | IPv6 connectivity |
| CNAME | Alias to another domain | www.example.com → example.com | Redirecting subdomains |
| MX | Mail server for the domain | 10 mail.example.com | Email delivery routing |
| TXT | Text data for verification | v=spf1 include:_spf.google.com ~all | SPF, DKIM, domain verification |
| NS | Authoritative nameservers | ns1.cloudflare.com | Delegating DNS authority |
| SOA | Zone authority information | Primary NS, admin email, serial number | Zone management metadata |
| SRV | Service location (port + host) | _sip._tcp 10 5 5060 sip.example.com | Service discovery |
| CAA | Certificate authority authorization | 0 issue "letsencrypt.org" | SSL/TLS security |
| PTR | Reverse DNS (IP → domain) | 34.216.184.93.in-addr.arpa | Email reputation, logging |
Deep Dive: Critical Record Types
A and AAAA Records
These are the most fundamental DNS records. A records map to IPv4 addresses (the traditional format), while AAAA records map to IPv6 addresses (the newer, expanded format). Most domains should have both to ensure compatibility across all networks.
You can have multiple A records for the same domain, which enables simple round-robin load balancing. DNS resolvers will rotate through the IP addresses, distributing traffic across multiple servers.
CNAME Records
CNAME (Canonical Name) records create aliases. They're perfect for pointing multiple subdomains to the same destination without duplicating configuration. However, CNAME records have important limitations:
- Cannot be used at the root domain (example.com) due to DNS specification requirements
- Cannot coexist with other record types for the same name
- Add an extra DNS lookup, slightly increasing resolution time
Use our CNAME Lookup tool to trace CNAME chains and verify your aliases are configured correctly.
MX Records
MX (Mail Exchange) records tell email servers where to deliver mail for your domain. Each MX record includes a priority number—lower numbers have higher priority. This allows you to set up backup mail servers that receive mail if your primary server is unavailable.
Example MX configuration:
example.com. MX 10 mail1.example.com.
example.com. MX 20 mail2.example.com.
example.com. MX 30 mail3.example.com.
Check your mail server configuration with our MX Lookup tool to ensure email delivery works correctly.
TXT Records
TXT records store arbitrary text data and have become essential for email security and domain verification. Common uses include:
- SPF (Sender Policy Framework): Lists which mail servers can send email on behalf of your domain
- DKIM (DomainKeys Identified Mail): Provides cryptographic authentication for email
- DMARC: Specifies how to handle emails that fail SPF or DKIM checks
- Domain verification: Proves domain ownership to services like Google Workspace or Microsoft 365
- Site verification: Confirms ownership for search engines and other platforms
Pro tip: TXT records have a 255-character limit per string, but you can split longer values into multiple strings within the same record. Most DNS providers handle this automatically.
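The records in the table above travel as compact binary messages, and tools like dig are just building and decoding those bytes. The following is an added example for this guide, not code from the original article: it builds a real A query for example.com, then parses a response that is constructed in memory (nothing is sent on the network). The name decoder rejects compression pointers that point forward or at themselves, which is the check a DNS parser needs so a crafted response cannot send it into an endless loop.

```python
"""Build a DNS query and parse a DNS response in wire format (RFC 1035).

Added example, not code from the original article. The response bytes are
constructed here to look like an A answer for example.com; nothing is sent
on the network. The name decoder rejects forward or looping compression
pointers, a defect that has crashed real resolvers.
"""
import ipaddress
import struct

TYPE_A, TYPE_AAAA = 1, 28


def encode_name(name):
    """example.com. -> b'\\x07example\\x03com\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("label must be 1-63 bytes")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0x1234):
    """12-byte header with the RD (recursion desired) bit, then one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it).
    A compression pointer must point backwards (RFC 1035 s4.1.4), so any
    pointer at or beyond the current position is rejected; this stops loops."""
    labels, end = [], None
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer: 11xxxxxx xxxxxxxx
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if pointer >= offset:
                raise ValueError("forward or self-referencing compression pointer")
            if end is None:
                end = offset + 2  # the name ends where the first pointer was
            offset = pointer
            continue
        if length == 0:
            offset += 1
            break
        if length > 63:
            raise ValueError("invalid label length")
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_response(msg):
    """Return (txid, rcode, [(name, rtype, ttl, value), ...])."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):          # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4                   # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated rdata")
        offset += rdlen
        if rtype == TYPE_A and rdlen == 4:
            value = str(ipaddress.IPv4Address(rdata))
        elif rtype == TYPE_AAAA and rdlen == 16:
            value = str(ipaddress.IPv6Address(rdata))
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
    return txid, rcode, answers


def build_sample_response(query):
    """Constructed reply to `query`: one A record whose owner name is a
    pointer (0xC00C) back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 3600, 4) + bytes([93, 184, 216, 34])
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("example.com")
    print(parse_response(build_sample_response(q)))
```

The parsed tuple carries the TTL alongside the address, which is exactly what a resolver stores in its cache; the next section is about choosing that number.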
TTL and Caching Strategies
TTL (Time To Live) is a critical DNS concept that determines how long DNS records are cached by resolvers and clients. It's measured in seconds and directly impacts both performance and flexibility.
Understanding TTL Values
When an authoritative nameserver responds to a DNS query, it includes a TTL value with each record. This tells the resolver: "You can cache this answer for X seconds before checking again."
| TTL Value | Duration | Use Case | Pros | Cons |
|---|---|---|---|---|
| 60 | 1 minute | Active migrations, failover testing | Changes propagate quickly | High query load on nameservers |
| 300 | 5 minutes | Dynamic DNS, load balancing | Reasonable balance | Moderate query volume |
| 3600 | 1 hour | Standard websites, most services | Good performance | Changes take an hour to propagate |
| 86400 | 24 hours | Stable infrastructure, rarely changing | Minimal DNS queries, best performance | Changes take a full day |
| 604800 | 7 days | Extremely stable records (NS, SOA) | Maximum cache efficiency | Very slow change propagation |
TTL Strategy Best Practices
For normal operations: Use TTL values between 1-24 hours (3600-86400 seconds). This provides good caching performance while allowing reasonable change propagation times.
Before making changes: Lower your TTL to 300 seconds (5 minutes) at least 24-48 hours before planned changes. This ensures old records expire quickly once you make the change.
After changes stabilize: Raise the TTL back to normal values after confirming everything works correctly. This reduces load on your nameservers and improves performance.
For critical services: Consider using shorter TTLs (300-900 seconds) if you need the ability to quickly redirect traffic during incidents or perform blue-green deployments.
The Caching Hierarchy
DNS caching happens at multiple levels, each with its own behavior:
- Browser cache: Browsers maintain their own DNS cache, often with shorter TTLs than specified. Chrome, for example, caches for a maximum of 60 seconds regardless of the record's TTL.
- Operating system cache: Your OS caches DNS responses. On Windows, you can clear this with ipconfig /flushdns. On Mac/Linux, the process varies by system.
- Recursive resolver cache: Your ISP or public DNS provider caches responses according to TTL. This is the most important cache layer for propagation timing.
- Authoritative nameserver cache: Some authoritative nameservers cache zone data internally for performance, though this is transparent to users.
Quick tip: Use our DNS Propagation Checker to see how your DNS changes are propagating across different global DNS servers in real-time.
Negative Caching
DNS also caches negative responses (NXDOMAIN - domain doesn't exist). If someone queries a non-existent subdomain, that negative result is cached according to the SOA record's minimum TTL. This prevents repeated queries for typos or deleted records but can cause issues if you create a new subdomain that was recently queried and returned NXDOMAIN.
Troubleshooting Common DNS Issues
DNS problems can manifest in various ways: websites not loading, email delivery failures, or intermittent connectivity issues. Here's how to diagnose and fix the most common problems.
Essential DNS Troubleshooting Tools
Command-line tools:
- nslookup - Basic DNS queries (available on all platforms)
- dig - Detailed DNS information (Linux/Mac, or Windows with BIND tools)
- host - Simple DNS lookups (Linux/Mac)
- ping - Tests connectivity and performs DNS resolution
- traceroute/tracert - Shows network path and can reveal DNS issues
Online tools:
- DNS Lookup - Check all record types for any domain
- DNS Propagation Checker - Verify changes across global DNS servers
- WHOIS Lookup - Check domain registration and nameserver details
Common DNS Problems and Solutions
Problem: "DNS server not responding" or "DNS_PROBE_FINISHED_NXDOMAIN"
This usually means your computer can't reach a DNS server or the domain doesn't exist.
Solutions:
- Check your internet connection
- Try switching to public DNS servers (1.1.1.1, 8.8.8.8)
- Flush your DNS cache: ipconfig /flushdns (Windows) or sudo dscacheutil -flushcache (Mac)
- Restart your router to refresh DHCP-assigned DNS servers
- Verify the domain exists using a WHOIS lookup
Problem: DNS changes not taking effect
You've updated DNS records but still see old values.
Solutions:
- Check the TTL of the old record—you must wait at least that long for caches to expire
- Verify changes on the authoritative nameserver using dig @ns1.yourprovider.com example.com
- Use our DNS Propagation Checker to see which servers have updated
- Clear local caches (browser, OS, resolver)
- Remember that some ISPs ignore TTL and cache longer than specified
Problem: Intermittent DNS failures
DNS works sometimes but fails randomly.
Solutions:
- Check if you have multiple nameservers configured—one might be failing
- Test each nameserver individually: dig @ns1.example.com example.com
- Look for network issues between you and the DNS servers (use traceroute)
- Check for DNS server rate limiting or firewall issues
- Consider switching to more reliable DNS providers
Problem: Email not being delivered
Emails bounce or never arrive.
Solutions:
- Verify MX records are configured correctly using our MX Lookup tool
- Check that MX records point to A records (not CNAME records)
- Ensure SPF, DKIM, and DMARC records are properly configured
- Verify PTR (reverse DNS) records for your mail server's IP address
- Test email deliverability with mail-tester.com
Pro tip: When troubleshooting DNS, always test from multiple locations and networks. What works on your office network might fail on mobile networks or in different geographic regions.
Advanced Troubleshooting Techniques
Trace the full DNS resolution path:
dig +trace example.com
This shows every step from root servers to authoritative nameservers, helping identify where resolution breaks down.
Check specific nameservers:
dig @8.8.8.8 example.com
dig @1.1.1.1 example.com
Compare responses from different DNS servers to identify caching or propagation issues.
Query specific record types:
dig example.com A
dig example.com AAAA
dig example.com MX
dig example.com TXT
This helps isolate problems to specific record types.
DNS Security: Threats and Protection
DNS was designed in the 1980s without security in mind. As a critical internet infrastructure component, it's become a prime target for various attacks. Understanding DNS security threats and implementing protections is essential for any online presence.
Common DNS Security Threats
DNS Spoofing (Cache Poisoning)
Attackers inject false DNS data into a resolver's cache, redirecting users to malicious sites. When successful, all users of that resolver get the wrong IP address for a domain until the cache expires.
Protection: Use DNSSEC (DNS Security Extensions) to cryptographically sign DNS records, making spoofing detectable.
DNS Hijacking
Attackers gain access to your domain registrar account or DNS provider and change your nameservers or DNS records, redirecting your traffic to their servers.
Protection:
- Enable two-factor authentication on registrar and DNS provider accounts
- Use registrar lock to prevent unauthorized transfers
- Monitor DNS records for unexpected changes
- Use CAA records to restrict which certificate authorities can issue certificates for your domain
DDoS Attacks on DNS Infrastructure
Overwhelming DNS servers with massive query volumes to make domains unreachable. DNS amplification attacks use DNS servers to multiply attack traffic.
Protection:
- Use DNS providers with DDoS protection (Cloudflare, AWS Route 53, etc.)
- Implement rate limiting on authoritative nameservers
- Use anycast routing to distribute traffic across multiple locations
- Configure proper firewall rules
DNS Tunneling
Attackers encode data in DNS queries to exfiltrate information or establish command-and-control channels, bypassing firewalls that allow DNS traffic.
Protection: Monitor DNS query patterns for anomalies, implement DNS filtering, and use intrusion detection systems.
Implementing DNS Security Best Practices
1. Enable DNSSEC
DNSSEC adds cryptographic signatures to DNS records, allowing resolvers to verify that responses haven't been tampered with. While not universally adopted, it's becoming increasingly important.
To implement DNSSEC:
- Check if your DNS provider supports DNSSEC
- Generate key pairs (KSK and ZSK)
- Sign your zone
- Upload DS records to your domain registrar
- Regularly rotate keys and monitor for validation failures
2. Configure CAA Records
CAA (Certification Authority Authorization) records specify which certificate authorities are allowed to issue SSL/TLS certificates for your domain. This prevents unauthorized certificate issuance.
Example CAA record:
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issuewild "letsencrypt.org"
example.com. CAA 0 iodef "mailto:[email protected]"
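A CA that honours CAA does more than read the records at the exact name: it climbs toward the root until it finds a CAA set, and for wildcard requests it lets issuewild override issue. The example below, added for this guide and not code from the original article, models that check against a constructed zone in which example.com allows Let's Encrypt, forbids all wildcards, and delegates dev.example.com to a different CA.

```python
"""Evaluate CAA records the way a CA must before issuing (RFC 8659).

Added example, not code from the original article. ZONE is a constructed
CAA data set for example.com; the lookup climb and the issue/issuewild
precedence follow RFC 8659, but the functions themselves are this example's own.
"""

# Constructed CAA data: owner name -> [(flags, tag, value), ...]
ZONE = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),                          # forbid all wildcard certs
        (0, "iodef", "mailto:hostmaster@example.com"),  # constructed contact
    ],
    "dev.example.com.": [
        (0, "issue", "digicert.com; validationmethods=dns-01"),
    ],
}


def relevant_caa_set(name):
    """Walk from `name` toward the root; the first owner with CAA records
    is the relevant set (RFC 8659 s3). Returns [] if none exists."""
    labels = name.rstrip(".").split(".")
    while labels:
        owner = ".".join(labels) + "."
        if owner in ZONE:
            return ZONE[owner]
        labels = labels[1:]
    return []


def may_issue(ca_domain, name, wildcard=False):
    """True if `ca_domain` may issue a certificate for `name`
    (or for *.name when wildcard=True)."""
    records = relevant_caa_set(name)
    if not records:
        return True  # no CAA anywhere up the tree: issuance unrestricted
    issue = [v for _, tag, v in records if tag == "issue"]
    issuewild = [v for _, tag, v in records if tag == "issuewild"]
    # For wildcard requests issuewild, when present, replaces issue entirely.
    allowed = issuewild if (wildcard and issuewild) else issue
    if not allowed:
        return True  # set carries no issue/issuewild tag: nothing restricts issuance
    for value in allowed:
        # "domain; param=value" -> domain; a bare ";" authorises nobody
        domain = value.split(";", 1)[0].strip().lower()
        if domain and domain == ca_domain.lower():
            return True
    return False


if __name__ == "__main__":
    for ca, name, wild in [("letsencrypt.org", "www.example.com", False),
                           ("digicert.com", "www.example.com", False),
                           ("letsencrypt.org", "example.com", True),
                           ("digicert.com", "api.dev.example.com", False)]:
        print(f"{ca:16s} {'*.' if wild else ''}{name}: {may_issue(ca, name, wild)}")
```

Note that www.example.com has no CAA records of its own, so the example.com set applies, while api.dev.example.com stops climbing at dev.example.com and never sees the parent's issue entry.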
3. Implement Email Security Records
Protect your domain from email spoofing with SPF, DKIM, and DMARC records:
- SPF: v=spf1 include:_spf.google.com ~all
- DKIM: Public key published in DNS for email signature verification
- DMARC: v=DMARC1; p=quarantine; rua=mailto:[email protected]
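Publishing the records is only half the job; the common failure is a record that exists but is too permissive (+all, p=none, pct below 100) or invalid (more than ten DNS-lookup terms, which makes receivers return permerror). The linter below was added for this guide and is not code from the original article; the record strings it checks are constructed, and the rules come from RFC 7208 for SPF and RFC 7489 for DMARC.

```python
"""Lint SPF and DMARC TXT records for the mistakes that let spoofed mail through.

Added example, not code from the original article. The record strings in the
usage section are constructed; the checks follow RFC 7208 (SPF syntax and the
10-lookup limit) and RFC 7489 (DMARC tags). Return value is a list of findings;
an empty list means the record passed every check here.
"""

# Mechanisms and modifiers that each cost a DNS lookup (RFC 7208 s4.6.4).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_QUALIFIERS = "+-~?"


def lint_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must begin with v=spf1"]
    findings, lookups, saw_all, saw_redirect = [], 0, False, False
    for term in terms[1:]:
        if "=" in term and term[0] not in SPF_QUALIFIERS:
            # modifier such as redirect=example.net or exp=explain.example.net
            name = term.partition("=")[0].lower()
            if name == "redirect":
                lookups += 1
                saw_redirect = True
            continue
        qualifier = "+"  # an unqualified mechanism means "pass"
        if term[0] in SPF_QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech = term.split(":", 1)[0].split("/", 1)[0].lower()
        if mech in SPF_LOOKUP_TERMS:
            lookups += 1
        if mech == "ptr":
            findings.append("ptr mechanism is deprecated (RFC 7208 s5.5) and slow")
        if mech == "all":
            saw_all = True
            if qualifier == "+":
                findings.append("+all: any host on the internet passes SPF for this domain")
            elif qualifier == "?":
                findings.append("?all: result is neutral, so spoofed mail is not rejected")
    if not saw_all and not saw_redirect:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10; receivers return permerror")
    return findings


def lint_dmarc(record):
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return ["not a DMARC record: must begin with v=DMARC1"]
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag: receivers ignore the whole record")
    elif policy == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy is applied to only part of failing mail")
    return findings


if __name__ == "__main__":
    for rec in ["v=spf1 include:_spf.google.com ~all", "v=spf1 a mx ptr +all"]:
        print(rec, "->", lint_spf(rec) or "ok")
    for rec in ["v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com",
                "v=DMARC1; p=none; pct=50"]:
        print(rec, "->", lint_dmarc(rec) or "ok")
```

The lookup counter only counts the terms in the record it is given; a full audit has to fetch each include: target and count its terms too, since the limit of ten applies to the whole evaluation.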
4. Use DNS Filtering
DNS filtering blocks access to known malicious domains, protecting users from phishing, malware, and other threats. Services like Cloudflare for Teams, Cisco Umbrella, and Quad9 provide DNS-level security.
5. Monitor DNS Activity
Regularly review DNS logs for:
- Unusual query patterns or volumes
- Queries for non-existent subdomains (potential DNS tunneling)
- Changes to critical DNS records
- Failed DNSSEC validations
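The query-pattern anomalies mentioned under DNS Tunneling and in the monitoring list above can be scored from ordinary resolver logs. The following is an added example for this guide, not code from the original article: it reads constructed log lines in a made-up "epoch client qname qtype rcode" layout and flags a base domain when at least two signals fire (high-entropy labels, almost every query a unique subdomain, mostly TXT/NULL record types, a high NXDOMAIN rate). The thresholds are assumptions chosen for illustration, not values from any product.

```python
"""Score resolver logs for DNS tunneling indicators.

Added example, not code from the original article. LOG_LINES are constructed
sample lines in a made-up "epoch client qname qtype rcode" layout; the
thresholds and weights are assumptions chosen for illustration, not values
from any product. Real logs will need a proper public-suffix split instead
of base_domain()'s last-two-labels shortcut.
"""
import math
from collections import defaultdict

LOG_LINES = """\
1700000000 10.0.0.5 www.example.com A NOERROR
1700000001 10.0.0.5 mail.example.com MX NOERROR
1700000002 10.0.0.9 4a6f686e20446f6520776173.t1.tunnel-test.net TXT NOERROR
1700000003 10.0.0.9 5061737377307264733a2031.t1.tunnel-test.net TXT NOERROR
1700000004 10.0.0.9 3132372e302e302e313a3232.t1.tunnel-test.net TXT NOERROR
1700000005 10.0.0.9 6578616d706c652073656372.t1.tunnel-test.net TXT NOERROR
1700000006 10.0.0.5 cdn.example.com A NOERROR
1700000007 10.0.0.9 6574732066726f6d20686f73.t1.tunnel-test.net TXT NOERROR
1700000008 10.0.0.7 wrongname.example.com A NXDOMAIN
"""


def shannon_entropy(s):
    """Bits per character; random-looking labels score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def base_domain(qname):
    """Last two labels (constructed simplification of the registrable domain)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def analyse(log_text, min_queries=3):
    """Return {base_domain: metrics} for domains that trip at least two signals."""
    stats = defaultdict(lambda: {"n": 0, "subs": set(), "entropy": 0.0, "txt": 0, "nx": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, _, qname, qtype, rcode = line.split()
        base = base_domain(qname)
        sub = qname[:-len(base)].rstrip(".") if qname != base else ""
        st = stats[base]
        st["n"] += 1
        st["subs"].add(sub)
        st["entropy"] += shannon_entropy(sub.replace(".", ""))
        st["txt"] += int(qtype in ("TXT", "NULL"))
        st["nx"] += int(rcode == "NXDOMAIN")
    flagged = {}
    for base, st in stats.items():
        if st["n"] < min_queries:
            continue  # too few queries to judge a pattern
        m = {
            "avg_entropy": round(st["entropy"] / st["n"], 2),
            "unique_ratio": round(len(st["subs"]) / st["n"], 2),
            "txt_ratio": round(st["txt"] / st["n"], 2),
            "nx_ratio": round(st["nx"] / st["n"], 2),
        }
        score = sum([m["avg_entropy"] > 2.5, m["unique_ratio"] > 0.8,
                     m["txt_ratio"] > 0.5, m["nx_ratio"] > 0.5])
        if score >= 2:
            m["score"] = score
            flagged[base] = m
    return flagged


if __name__ == "__main__":
    for base, metrics in analyse(LOG_LINES).items():
        print(base, metrics)
```

On the sample, tunnel-test.net is flagged (every query a unique, high-entropy TXT label) while example.com, with one NXDOMAIN among ordinary hostnames, is not. Unique-subdomain ratio alone is a weak signal on small samples, which is why a domain needs two signals and a minimum query count before it is reported.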
Quick tip: Set up alerts for DNS record changes. Many DNS providers offer webhook notifications or email alerts when records are modified, helping you detect unauthorized changes immediately.
Choosing the Right DNS Provider
Your DNS provider significantly impacts your website's performance, reliability, and security. While domain registrars typically include basic DNS hosting, dedicated DNS providers offer superior features and performance.
Key Factors to Consider
Performance and Speed
DNS resolution speed directly affects your website's load time. Look for providers with:
- Global anycast networks for low latency worldwide
- High query capacity and fast response times
- Multiple points of presence (PoPs) across continents
Reliability and Uptime
DNS downtime means your entire online presence disapp