Back to DAG

DNS (resolution, records)

networking

How DNS Resolution Works

Prerequisites(2)
UDPIP Packet (IPv4 / IPv6)
Builds on to(1)
HTTP/1.1

The Domain Name System (DNS) translates human-readable domain names (like example.com) into IP addresses (like 93.184.216.34). It is a distributed, hierarchical database — no single server holds all the data. DNS is sometimes called the "phone book of the Internet."

The DNS Hierarchy

DNS is organized as an inverted tree:

  1. Root servers (.) — 13 logical root server clusters (A through M), operated by organizations like ICANN, Verisign, and NASA. They know which servers are authoritative for each top-level domain.
  2. TLD servers (.com, .org, .io, etc.) — each TLD has its own set of authoritative nameservers. Verisign operates the .com and .net TLD servers.
  3. Authoritative nameservers — the servers that hold the actual DNS records for a domain. When you register example.com, you configure its authoritative nameservers (often your hosting provider's).

Recursive vs Iterative Resolution

When your browser needs to resolve www.example.com:

Recursive resolution: your computer sends the query to a recursive resolver (typically your ISP's DNS server or a public resolver like 8.8.8.8 or 1.1.1.1). The resolver takes full responsibility for finding the answer — it queries root servers, TLD servers, and authoritative servers on your behalf, then returns the final answer.

Iterative resolution: this is what happens inside the recursive resolver. It asks each server in turn, and each server responds with a referral (not the answer, but who to ask next). The resolver asks the root: "Where is www.example.com?" Root says: "I don't know, but here are the .com TLD servers." The resolver asks the .com TLD server, which says: "Here are example.com's authoritative nameservers." Finally, the resolver asks the authoritative server and gets the actual IP address.

DNS Record Types

RecordPurposeExample
AMaps domain to IPv4 addressexample.com → 93.184.216.34
AAAAMaps domain to IPv6 addressexample.com → 2606:2800:220:1:...
CNAMEAlias — points to another domain namewww.example.com → example.com
MXMail exchange server (with priority)example.com → mail.example.com (pri 10)
NSDelegates a zone to nameserversexample.com → ns1.example.com
TXTArbitrary text (SPF, DKIM, verification)example.com → "v=spf1 include:..."
SRVService location with port and weight_sip._tcp.example.com → sipserver:5060

TTL and Caching

Every DNS record has a Time To Live (TTL) value in seconds. When a resolver fetches a record, it caches the result for TTL seconds. A TTL of 3600 means the record is cached for one hour. Low TTLs (60s) allow fast updates but increase query load. High TTLs (86400s) reduce load but delay propagation of changes. DNS propagation delays are mostly due to caches honoring old TTLs.

DNS Security

DNS over HTTPS (DoH) wraps DNS queries in HTTPS to port 443, preventing ISPs and network operators from seeing or tampering with DNS queries. DNS over TLS (DoT) encrypts DNS queries using TLS on port 853. Both prevent eavesdropping and man-in-the-middle attacks on DNS. Major browsers and operating systems now support DoH.

DNSSEC adds cryptographic signatures to DNS records, allowing resolvers to verify that a response has not been tampered with. It uses a chain of trust from the root zone down to individual domains.

Tracing a DNS Lookup

Real-World Example

Resolving www.github.com step by step:

  1. Your laptop checks its local DNS cache. Cache miss.
  2. Your laptop sends a recursive query to the configured resolver (say, 1.1.1.1 — Cloudflare's public DNS).
  3. The resolver checks its cache. Cache miss. It starts iterative resolution:
    • Asks a root server: "Where is www.github.com?" → Referral to .com TLD servers.
    • Asks the .com TLD server: "Where is www.github.com?" → Referral to GitHub's authoritative nameservers (dns1.p08.nsone.net).
    • Asks GitHub's authoritative server: "What is www.github.com?" → Response: CNAME to github.com, then A record 140.82.121.3 (TTL: 60).
  4. The resolver caches the result (for 60 seconds) and returns it to your laptop.
  5. Your laptop caches it locally and connects to 140.82.121.3.

Why GitHub uses a short TTL of 60 seconds: GitHub serves traffic from multiple data centers and uses DNS-based load balancing. Short TTLs let them redirect traffic quickly during outages or failovers. The cost is higher query volume to their authoritative servers.

Common debugging tools:

  • dig www.github.com — shows the full DNS response with record type, TTL, and answer section
  • dig +trace www.github.com — shows each step of iterative resolution from root to authoritative
  • nslookup www.github.com — simpler query tool, shows the resolver used and the answer

DNS Resolution: Recursive Resolver with Iterative Queries

Your Laptop Recursive Resolver 1.1.1.1 Root (.) 13 clusters TLD (.com) Verisign Authoritative example.com A: 93.184.216.34 1. Query 2 3 ".com NS" 4 5 "NS refs" 6 7 A record 8. Answer Resolver caches answer for TTL seconds. Next query for same name returns cached result instantly.
Step 1 of 2