What Is Domain Name System (DNS)? How Does It Work?

What is the Domain Name System?

The Domain Name System (DNS) is a hierarchical, distributed naming system that translates human-readable domain names such as "example.com" into the numeric IP addresses that computers actually connect to, such as "192.0.2.1". Paul Mockapetris designed it in 1983 (RFC 882 and RFC 883) so that users could reach hosts by name instead of memorizing numerical addresses.

How DNS works

When a user types a domain name into a browser, the browser asks the operating system's stub resolver, which sends a DNS query to a recursive resolver. That resolver consults several DNS servers in turn until it has the IP address, returns it to the client, and the browser then connects to that address to load the page.

DNS structure

DNS is organized as a hierarchy. At the top sits the root, followed by top-level domains (TLDs) like .com or .org, then second-level domains (the actual domain name), and finally optional subdomains. This structure distributes management across many entities so no single party controls the entire system.

Types of DNS servers

  • Authoritative DNS servers hold the definitive records for the zones they serve (address records, but also MX, NS, TXT and the rest) and answer queries from recursive resolvers.

  • Recursive DNS resolvers sit between clients and authoritative servers: they answer from cache when they can and otherwise walk the hierarchy on the client's behalf, starting from the root.

  • Root nameservers are reached through 13 named identities (A through M), each served by many anycast instances around the world; they direct queries to the appropriate TLD nameserver.

  • TLD nameservers manage top-level domains and point queries toward the correct authoritative nameserver.

Types of DNS queries

  • Recursive queries are what a client sends to its resolver: the resolver is expected to do whatever work is needed, walking the hierarchy if necessary, and return either the complete answer or an error.

  • Iterative queries are what the resolver sends to root, TLD and authoritative servers: each server returns its best answer, usually a referral to the next server down, and the resolver follows it rather than the server completing the search.

  • Non-recursive queries are ones the queried server can answer immediately, because the record is already in its cache or it is authoritative for the name.

Steps in a DNS lookup

  1. User enters a domain name in the browser

  2. Browser checks its local cache for the IP address

  3. If not cached, the operating system checks its own cache and hosts file

  4. A query goes to the recursive DNS resolver, typically run by the ISP, the organization's own network, or a public resolver operator

  5. The resolver contacts root nameservers to find the right TLD nameserver

  6. The TLD nameserver points the resolver to the authoritative nameserver

  7. The authoritative nameserver returns the IP address

  8. The resolver caches the result and passes the IP to the browser

DNS caching

DNS caching stores records temporarily at the browser, operating system, and recursive resolver levels to speed up repeat lookups; resolvers also cache the referrals they learn, which is why most lookups never touch the root. Each cached record carries a Time to Live (TTL) value, set by the zone's operator, that determines when the entry expires and must be fetched again. Cached data is only as trustworthy as the response it came from, which is what makes attacks on the cache worthwhile.
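The lookup procedure above (a single recursive query from the client, served by iterative queries against root, TLD and authoritative servers, with the answer cached for its TTL) as a runnable simulation. This is an added example, not code from the original page: the three servers, the names and the addresses are constructed, 192.0.2.0/24 and 2001:db8::/32 are the IP documentation ranges, and servers are looked up in a dict instead of being contacted over UDP, so glue records and transport are left out.

```python
"""Simulated DNS resolution: a recursive resolver walking root -> TLD ->
authoritative servers with iterative queries and a TTL-bounded cache.

Added example, not code from the original page. All servers, names and
addresses are constructed; 192.0.2.0/24 and 2001:db8::/32 are the
documentation ranges. Servers are reached by name through a dict rather
than over UDP, so glue records and network transport are left out.
"""
import time


class NameServer:
    """One server in the hierarchy. It answers only for names it holds and
    otherwise hands back a referral to the child zone's server."""

    def __init__(self, name, records=None, delegations=None):
        self.name = name
        self.records = records or {}          # (qname, qtype) -> (rdata, ttl)
        self.delegations = delegations or {}  # zone name -> child server name

    def query(self, qname, qtype):
        """Iterative query: return an answer or a referral, never search further."""
        if (qname, qtype) in self.records:
            rdata, ttl = self.records[(qname, qtype)]
            return "ANSWER", rdata, ttl
        # Longest matching delegation wins (most specific zone).
        for zone, child in sorted(self.delegations.items(), key=lambda kv: -len(kv[0])):
            if qname == zone or qname.endswith("." + zone):
                return "REFERRAL", child, None
        return "NXDOMAIN", None, None


# Constructed hierarchy: root knows com., the com. TLD server knows example.com.,
# and ns1.example.com. is authoritative for the zone.
SERVERS = {
    "root": NameServer("root", delegations={"com.": "tld-com"}),
    "tld-com": NameServer("tld-com", delegations={"example.com.": "ns1.example.com."}),
    "ns1.example.com.": NameServer("ns1.example.com.", records={
        ("www.example.com.", "A"): ("192.0.2.10", 300),
        ("www.example.com.", "AAAA"): ("2001:db8::10", 300),
        ("example.com.", "MX"): ("10 mail.example.com.", 3600),
    }),
}


class RecursiveResolver:
    """Takes a recursive query from a client and walks the hierarchy with
    iterative queries, caching answers until their TTL expires."""

    def __init__(self, servers, root="root", clock=time.monotonic, max_hops=10):
        self.servers = servers
        self.root = root
        self.clock = clock          # injectable so TTL expiry can be exercised
        self.max_hops = max_hops
        self.cache = {}             # (qname, qtype) -> (rdata, expires_at)

    def resolve(self, qname, qtype="A"):
        """Return (rdata, path) where path is 'cache' or the servers consulted."""
        key, now = (qname, qtype), self.clock()
        if key in self.cache:
            rdata, expires_at = self.cache[key]
            if now < expires_at:
                return rdata, "cache"
            del self.cache[key]     # TTL elapsed: refresh from the authority
        server, path = self.root, []
        for _ in range(self.max_hops):
            path.append(server)
            kind, value, ttl = self.servers[server].query(qname, qtype)
            if kind == "ANSWER":
                self.cache[key] = (value, now + ttl)
                return value, " -> ".join(path)
            if kind == "NXDOMAIN":
                return None, " -> ".join(path)
            server = value          # follow the referral one level down
        raise RuntimeError("referral loop or hierarchy too deep")


if __name__ == "__main__":
    resolver = RecursiveResolver(SERVERS)
    print(resolver.resolve("www.example.com.", "A"))   # walks root -> tld-com -> ns1
    print(resolver.resolve("www.example.com.", "A"))   # served from cache
    print(resolver.resolve("www.example.net.", "A"))   # root has no .net delegation here
```

The second call for the same name never leaves the resolver, and once the clock passes the 300-second TTL the walk starts again from the root. Real resolvers also keep the intermediate referrals, so in practice only the last step is repeated.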

Common DNS record types

  • A records map a name to an IPv4 address.

  • AAAA records map a name to an IPv6 address.

  • CNAME records make one name an alias for another; the resolver then looks up the target.

  • MX records list the mail servers, with preference values, that accept email for a domain.

  • TXT records hold free-form text and carry most email and ownership policies, including SPF policies and domain verification tokens.

  • SPF policies, which define the mail servers authorized to send email for a domain, are published in TXT records; the dedicated SPF record type was deprecated by RFC 7208.

  • SRV records give the host and port of a service, such as SIP for VoIP, offered under a domain.

  • NS records name the authoritative nameservers responsible for a zone.
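What a query and its answer look like on the wire, as an added example that is not part of the original page. It builds the 12-byte header plus question section that a resolver actually sends, then parses a response, including the name-compression pointers that make most real answers hard to read by hand and the RDATA layouts of the record types listed above. The response bytes are constructed here to look like a CNAME-then-A answer for www.example.com using the 192.0.2.0/24 documentation range; the code never touches the network.

```python
"""Build a DNS query and parse a DNS response at the wire level (RFC 1035).

Added example, not code from the original page. The response bytes below
are constructed by hand to look like a real answer for www.example.com
(a CNAME to web.example.com followed by the A record) and use the
192.0.2.0/24 documentation range; nothing here touches the network.
"""
import ipaddress
import struct

TYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(txid, qname, qtype):
    """Header (RD=1, one question) followed by the question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def read_name(msg, off):
    """Decode a name that may use compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name at its original position)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # pointer: 11xxxxxx xxxxxxxx
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                         # resume here after the jump
            hops += 1
            if hops > 64 or pointer >= off:           # loops and forward pointers are malformed
                raise ValueError("bad compression pointer")
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def decode_rdata(msg, rtype, off, rdlen):
    data = msg[off:off + rdlen]
    if rtype == 1:
        return str(ipaddress.IPv4Address(data))
    if rtype == 28:
        return str(ipaddress.IPv6Address(data))
    if rtype in (2, 5):                               # NS, CNAME: a (compressible) name
        return read_name(msg, off)[0]
    if rtype == 15:                                   # MX: preference + exchange name
        return struct.unpack("!H", data[:2])[0], read_name(msg, off + 2)[0]
    if rtype == 16:                                   # TXT: one or more <len><chars>
        parts, i = [], 0
        while i < rdlen:
            parts.append(data[i + 1:i + 1 + data[i]].decode("ascii"))
            i += 1 + data[i]
        return "".join(parts)
    return data.hex()


def parse_message(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, TYPES.get(qtype, qtype)))
    for _ in range(an + ns + ar):                     # answer, authority, additional
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((name, TYPES.get(rtype, rtype), ttl, decode_rdata(msg, rtype, off, rdlen)))
        off += rdlen
    return {"id": txid, "response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "records": records}


# Constructed response: flags 0x8180 (QR, RD, RA), 1 question, 2 answers.
# Offsets: question name at 12, "example.com" at 16, first answer at 33,
# "web.example.com" (inside the CNAME rdata) at 45.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, 6) + b"\x03web\xc0\x10"
    + b"\xc0\x2d" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    print(build_query(0x1234, "www.example.com", 1).hex())
    print(parse_message(SAMPLE_RESPONSE))
```

The pointer checks in read_name matter for anything that parses untrusted responses: a pointer that points forward or at itself is malformed and, without the bound, would loop a naive parser forever.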

IP addressing and assignment

DNS returns addresses in two formats: IPv4 addresses are four octets separated by periods (carried in A records), while IPv6 addresses are eight groups of four hexadecimal digits separated by colons (carried in AAAA records). IANA, a function operated by ICANN, allocates IP address blocks to the five regional internet registries (RIRs), which distribute them to ISPs and organizations within their regions.

DNS over HTTPS

DNS over HTTPS (DoH) carries DNS queries inside HTTPS sessions, so on-path observers cannot read or tamper with them in transit, which closes off eavesdropping and many interception attacks. Its adoption remains debated because applications can use it to bypass the resolver the network operator provides, which shifts query visibility and policy enforcement (filtering, logging, detection) away from network administrators.

DNS attacks and threats

DNS cache poisoning injects forged records into a resolver's cache, typically by racing a spoofed response against the real one, so that every client of that resolver is redirected to an attacker-controlled address until the entry expires. DNS tunneling encodes data in query names and response records so that a compromised host can exfiltrate data or receive commands through a firewall that allows outbound DNS.
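A detection heuristic for the tunneling case, added here as an example and not taken from the page: it profiles each registered domain seen in a query log by the number of distinct subdomains, the entropy of the leftmost label, the average query-name length and the share of TXT and NULL queries, which is the shape tunneling tools produce. The log lines are constructed (the long labels under exfil-demo.test mimic base32-encoded data chunks), "registered domain" is simplified to the last two labels, and the thresholds are illustrative; a real deployment would use the Public Suffix List and tune them against its own baseline.

```python
"""Spot DNS tunneling in a query log from per-domain shape statistics.

Added example, not code from the original page. The log is constructed,
the registered-domain split is a simplification (last two labels) and the
thresholds are illustrative, not tuned values.
"""
import math
from collections import defaultdict

# Constructed query log (unix_ts client qname qtype); not captured traffic.
# The 32-character labels under exfil-demo.test mimic base32-encoded chunks.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000001 10.0.0.5 mail.example.com MX
1700000003 10.0.0.9 api.example.com AAAA
1700000004 10.0.0.5 www.example.com A
1700000002 10.0.0.7 k3q7vzbm9nxr2wa5dfgh4jclpe6tsuyi.t.exfil-demo.test TXT
1700000002 10.0.0.7 a5dfgh4jclpe6tsuyik3q7vzbm9nxr2w.t.exfil-demo.test TXT
1700000003 10.0.0.7 pe6tsuyik3q7vzbm9nxr2wa5dfgh4jcl.t.exfil-demo.test TXT
1700000003 10.0.0.7 r2wa5dfgh4jclpe6tsuyik3q7vzbm9nx.t.exfil-demo.test TXT
1700000004 10.0.0.7 uyik3q7vzbm9nxr2wa5dfgh4jclpe6ts.t.exfil-demo.test TXT
1700000004 10.0.0.7 zbm9nxr2wa5dfgh4jclpe6tsuyik3q7v.t.exfil-demo.test TXT
"""


def shannon_entropy(s):
    """Bits per character; encoded data sits near the alphabet's maximum."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    # Simplification: last two labels. Production code uses the Public Suffix List.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, qtype = line.split()
            records.append((int(ts), client, qname.lower(), qtype))
    return records


def profile_domains(records):
    """Aggregate per registered domain: volume, distinct names, label entropy,
    name length and the share of record types tunnels favour."""
    acc = defaultdict(lambda: {"n": 0, "names": set(), "entropy": 0.0, "length": 0, "txt": 0})
    for _ts, _client, qname, qtype in records:
        p = acc[registered_domain(qname)]
        p["n"] += 1
        p["names"].add(qname)
        p["entropy"] += shannon_entropy(qname.split(".")[0])   # leftmost label carries the payload
        p["length"] += len(qname)
        p["txt"] += qtype in ("TXT", "NULL")
    return {d: {"queries": p["n"],
                "unique_subdomains": len(p["names"]),
                "mean_label_entropy": p["entropy"] / p["n"],
                "mean_qname_len": p["length"] / p["n"],
                "txt_ratio": p["txt"] / p["n"]}
            for d, p in acc.items()}


def flag_tunneling(profile, min_unique=5, min_entropy=3.5, min_len=40):
    """Illustrative thresholds: many never-repeated names, high-entropy labels,
    long query names. Legitimate CDN or anti-spam lookups can trip these too,
    so treat hits as leads for a second look, not verdicts."""
    return [d for d, m in profile.items()
            if m["unique_subdomains"] >= min_unique
            and m["mean_label_entropy"] >= min_entropy
            and m["mean_qname_len"] >= min_len]


if __name__ == "__main__":
    profile = profile_domains(parse_log(SAMPLE_LOG))
    for domain, metrics in profile.items():
        print(domain, metrics)
    print("suspected tunneling:", flag_tunneling(profile))
```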

Protecting DNS infrastructure

Effective DNS security combines monitoring of query traffic for anomalies, DNSSEC deployment and validation, and firewall and intrusion detection coverage of the resolvers themselves. DNS Security Extensions (DNSSEC) add digital signatures to zone data so that a validating resolver can verify a record really came from the zone's operator and was not altered in transit; forged records fail validation and are discarded rather than cached. DNSSEC does not encrypt queries, so it complements rather than replaces DoH.
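How a resolver's response-acceptance check decides whether a forged answer lands in the cache, as an added example that is not the page's code. weak_accept models the old behaviour (match the 16-bit transaction ID, cache everything in the response); hardened_accept applies the RFC 5452 checks (randomized source port, expected server address, echoed question) and discards records outside the answering server's zone. The names, ports and addresses are constructed and use the IP documentation ranges.

```python
"""Cache poisoning: which forged responses a resolver accepts.

Added example, not code from the original page. `weak_accept` models a
resolver that matches only the 16-bit transaction ID and caches everything
in the response; `hardened_accept` applies the RFC 5452 checks (randomized
source port, server address, echoed question) and keeps only in-bailiwick
records. All addresses and names are constructed (documentation ranges).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pending:
    """What the resolver remembers about an outstanding query."""
    txid: int
    port: int          # UDP source port the query left from
    qname: str
    qtype: str
    server_ip: str     # authoritative server the query was sent to
    zone: str          # zone that server is authoritative for (its bailiwick)


@dataclass(frozen=True)
class Response:
    txid: int
    src_ip: str        # spoofable by an off-path attacker
    dst_port: int      # must be guessed by an off-path attacker
    qname: str
    qtype: str
    answers: tuple     # (owner name, type, rdata) triples
    additional: tuple = ()


def in_bailiwick(name, zone):
    return name == zone or name.endswith("." + zone)


def weak_accept(pending, resp):
    """Vulnerable behaviour: TXID match is the only test, and additional records
    (even for unrelated zones) go into the cache. Returns records to cache or None."""
    if resp.txid != pending.txid:
        return None
    return list(resp.answers + resp.additional)


def hardened_accept(pending, resp):
    """RFC 5452 style: TXID, destination port, source address and the echoed
    question must all match; records outside the server's zone are dropped."""
    if (resp.txid, resp.dst_port, resp.src_ip) != (pending.txid, pending.port, pending.server_ip):
        return None
    if (resp.qname, resp.qtype) != (pending.qname, pending.qtype):
        return None
    return [r for r in resp.answers + resp.additional if in_bailiwick(r[0], pending.zone)]


def brute_force(pending, accept, attacker_port=53, guesses=65536):
    """Off-path attacker floods forged answers, one per possible TXID, with a spoofed
    source address. Returns how many the resolver under `accept` would cache."""
    forged_answer = ((pending.qname, "A", "198.51.100.66"),)   # attacker-controlled host
    hits = 0
    for txid in range(guesses):
        forged = Response(txid, pending.server_ip, attacker_port, pending.qname, pending.qtype, forged_answer)
        if accept(pending, forged) is not None:
            hits += 1
    return hits


if __name__ == "__main__":
    pending = Pending(0x1234, 41123, "www.example.com.", "A", "192.0.2.53", "example.com.")
    print("weak resolver poisoned:", brute_force(pending, weak_accept))
    print("hardened resolver poisoned:", brute_force(pending, hardened_accept))
```

With only the transaction ID checked, an attacker who floods 65536 forged replies gets exactly one accepted; with the source port randomized the same flood gets none, because the attacker must now guess roughly 2^32 ID and port combinations. That is still a probabilistic barrier, which is why the DNSSEC recommendation above matters: a validating resolver can reject a forged record even when the attacker guesses right.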
