How DNS Works — Complete Guide to Domain Name System
Learn how DNS works step by step — from typing a URL to loading a website. Covers DNS records, resolution process, caching, DNS security, and troubleshooting. Beginner-friendly guide.
What Is DNS?
The Domain Name System (DNS) is the phonebook of the internet. Every time you type a website address like example.com into your browser, DNS translates that human-readable name into a machine-readable IP address like 93.184.216.34.
Humans are good at remembering names. Computers communicate using numbers. DNS bridges that gap.
Without DNS, you would need to memorize the IP address of every website you visit. Imagine typing 142.250.80.46 instead of google.com — every single time.
How big is DNS? There are over 350 million registered domain names worldwide, and DNS handles trillions of queries every day. It is one of the most critical — and most invisible — systems powering the internet.
How DNS Resolution Works — Step by Step
When you type example.com into your browser and press Enter, a chain of lookups happens behind the scenes. The entire process typically takes less than 100 milliseconds.
Here is the full journey of a DNS query:
Step 1: Browser Cache
Your browser checks its own internal DNS cache first. If you visited example.com recently, the browser already knows the IP address and skips the rest of the process.
Step 2: Operating System Cache
If the browser cache misses, the request goes to the operating system. The OS component that handles this is called the stub resolver, and it keeps its own DNS cache. It also checks the local hosts file (/etc/hosts on Linux/Mac, C:\Windows\System32\drivers\etc\hosts on Windows).
Step 3: Recursive Resolver
If the OS cache also misses, the query is sent to a recursive resolver — usually operated by your ISP or a public DNS provider like Cloudflare (1.1.1.1) or Google (8.8.8.8). The recursive resolver does the heavy lifting. It will query other DNS servers on your behalf and follow the chain until it gets an answer.
Step 4: Root Nameserver
The recursive resolver first contacts a root nameserver. There are 13 logical root server clusters (labeled A through M), operated by organizations like ICANN, Verisign, and NASA. They are distributed across hundreds of physical servers worldwide using anycast routing.
The root server does not know the IP of example.com. But it knows where to find information about .com domains. It responds with a referral to the TLD nameserver for .com.
Step 5: TLD Nameserver
The recursive resolver now queries the Top-Level Domain (TLD) nameserver for .com. This server manages all domains ending in .com. It does not know the final IP either, but it knows which authoritative nameserver is responsible for example.com. It returns that referral.
Step 6: Authoritative Nameserver
The recursive resolver queries the authoritative nameserver for example.com. This server has the definitive answer. It looks up its DNS zone file and returns the A record — the IP address 93.184.216.34.
Step 7: Response Back to Browser
The recursive resolver caches the result (respecting the TTL value) and sends the IP address back to your OS, which caches it too. Your browser then opens a TCP connection to 93.184.216.34 and loads the website.
The Full Flow — ASCII Diagram
```text
You type: example.com
         │
         ▼
┌─────────────────┐
│  Browser Cache  │ ── Hit? → Use cached IP
└────────┬────────┘
         │ Miss
         ▼
┌─────────────────┐
│   OS Cache /    │ ── Hit? → Use cached IP
│   hosts file    │
└────────┬────────┘
         │ Miss
         ▼
┌─────────────────┐    ┌──────────────────┐
│   Recursive     │───▶│  Root Nameserver │
│   Resolver      │◀───│  (13 clusters)   │
│  (ISP / Public) │    └──────────────────┘
│                 │      "Ask .com TLD"
│                 │
│                 │    ┌──────────────────┐
│                 │───▶│  TLD Nameserver  │
│                 │◀───│      (.com)      │
│                 │    └──────────────────┘
│                 │      "Ask ns1.example.com"
│                 │
│                 │    ┌──────────────────┐
│                 │───▶│  Authoritative   │
│                 │◀───│   Nameserver     │
└────────┬────────┘    └──────────────────┘
         │ "IP: 93.184.216.34"
         ▼
┌─────────────────┐
│  Browser loads  │
│  the website    │
└─────────────────┘
```
This entire process is called DNS resolution or a DNS lookup. After the first lookup, caching makes subsequent visits nearly instant.
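To make the seven steps concrete, here is a small Python model of the whole chain (an added example, not code from the original page): a stub with a hosts file and OS cache sits in front of a recursive resolver that walks root → TLD → authoritative server by following referrals, and every layer caches answers for their TTL. The "servers" are dictionaries holding constructed zone data, not real nameservers, and the clock is a plain number of seconds supplied by the caller so the cache expiry is easy to follow.

```python
"""Toy model of the lookup chain above: a stub (OS cache + hosts file) in front
of a recursive resolver that walks root -> TLD -> authoritative server by
following referrals, caching every answer for its TTL.
Added example: the "servers" are dicts with constructed zone data, not real
nameservers, and the clock is a number of seconds passed in by the caller."""

# Constructed zone data. A server either refers the resolver to the child zone
# (the NS referral a root or TLD server returns) or answers authoritatively.
ZONES = {
    "root": {"referral": {"com": "tld-com"}, "answers": {}},
    "tld-com": {"referral": {"example.com": "auth-example"}, "answers": {}},
    "auth-example": {
        "referral": {},
        "answers": {
            "example.com": ("A", "93.184.216.34", 3600),
            "www.example.com": ("A", "93.184.216.34", 300),
        },
    },
}


def ask(server, qname):
    """One query/response exchange with a single nameserver (no recursion).
    Returns ("answer", (type, ip, ttl)), ("referral", next_server) or ("nxdomain", None)."""
    zone = ZONES[server]
    if qname in zone["answers"]:
        return "answer", zone["answers"][qname]
    labels = qname.split(".")
    # The longest matching delegation wins: www.example.com -> example.com -> com
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in zone["referral"]:
            return "referral", zone["referral"][suffix]
    return "nxdomain", None


class TTLCache:
    """Cache whose entries expire `ttl` seconds after they were stored."""

    def __init__(self):
        self._entries = {}

    def get(self, key, now):
        """Returns (value, seconds_left) or None when absent or expired."""
        hit = self._entries.get(key)
        if hit is None or now >= hit[1]:
            self._entries.pop(key, None)
            return None
        return hit[0], hit[1] - now

    def put(self, key, value, ttl, now):
        self._entries[key] = (value, now + ttl)


class RecursiveResolver:
    """Steps 3-7: does the iterative walk on behalf of every stub that asks it."""

    def __init__(self):
        self.cache = TTLCache()

    def resolve(self, qname, now):
        """Returns (status, ip, ttl_left, trace); trace lists the servers contacted."""
        hit = self.cache.get(qname, now)
        if hit is not None:
            return "NOERROR", hit[0], hit[1], ["resolver cache"]
        trace, server = [], "root"
        for _ in range(8):  # bound the referral chain so a bad delegation cannot loop forever
            trace.append(server)
            kind, payload = ask(server, qname)
            if kind == "referral":
                server = payload
            elif kind == "answer":
                _rtype, ip, ttl = payload
                self.cache.put(qname, ip, ttl, now)
                return "NOERROR", ip, ttl, trace
            else:
                return "NXDOMAIN", None, 0, trace  # negative caching omitted for brevity
        return "SERVFAIL", None, 0, trace


class Stub:
    """Steps 1-2: the client side. The hosts file wins over every cache, then the OS cache."""

    def __init__(self, resolver, hosts=None):
        self.resolver, self.hosts, self.cache = resolver, hosts or {}, TTLCache()

    def lookup(self, qname, now):
        if qname in self.hosts:
            return "NOERROR", self.hosts[qname], 0, ["hosts file"]
        hit = self.cache.get(qname, now)
        if hit is not None:
            return "NOERROR", hit[0], hit[1], ["OS cache"]
        status, ip, ttl, trace = self.resolver.resolve(qname, now)
        if status == "NOERROR":
            self.cache.put(qname, ip, ttl, now)  # the OS caches for the TTL the resolver reported
        return status, ip, ttl, trace


if __name__ == "__main__":
    shared = RecursiveResolver()
    laptop, phone = Stub(shared), Stub(shared)
    print(laptop.lookup("example.com", now=0))       # cold: root -> tld-com -> auth-example
    print(laptop.lookup("example.com", now=10))      # OS cache hit, 3590 s left
    print(phone.lookup("example.com", now=5))        # other device, same resolver: resolver cache hit
    print(laptop.lookup("example.com", now=3600))    # both caches expired: full walk again
    print(laptop.lookup("nope.example.com", now=0))  # NXDOMAIN from the authoritative server
```

The trace returned by each lookup is the thing to watch: a second device behind the same resolver never touches root, TLD or authoritative servers, which is exactly why the recursive resolver's cache is the most impactful layer.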
Types of DNS Servers
There are four types of DNS servers involved in resolving a domain name. Each plays a distinct role.
Recursive Resolver
The recursive resolver (also called a DNS recursor) is the middleman between your computer and the rest of the DNS infrastructure. When your device sends a DNS query, the recursive resolver receives it and does all the work — contacting root servers, TLD servers, and authoritative servers as needed.
Think of it as a librarian who takes your request, walks through the library, and brings back the book.
Most people use the recursive resolver provided by their ISP, but you can switch to public resolvers like Cloudflare (1.1.1.1), Google (8.8.8.8), or Quad9 (9.9.9.9) for better speed, privacy, or security.
Root Nameserver
The root nameserver is the first stop when a recursive resolver needs to look up a domain. It does not know the answer, but it knows which TLD server to ask next.
There are 13 root server addresses (A.root-servers.net through M.root-servers.net), but thanks to anycast, there are over 1,500 physical instances worldwide. They are managed by 12 different organizations.
TLD Nameserver
The TLD (Top-Level Domain) nameserver manages all domains under a specific extension — .com, .org, .net, .io, country codes like .uk and .de, and newer TLDs like .dev and .app.
When the root server says "ask the .com TLD," the TLD nameserver responds with the authoritative nameserver for the specific domain being queried.
Authoritative Nameserver
The authoritative nameserver is the final authority for a domain. It holds the actual DNS records (A, AAAA, MX, CNAME, etc.) and returns the definitive answer.
When you register a domain and configure your DNS records at a provider like Cloudflare, Namecheap, or Route 53, you are configuring the authoritative nameserver.
DNS Record Types
DNS records are instructions stored on authoritative nameservers. Each record type serves a different purpose.
| Record | Name | Purpose | Example |
|--------|------|---------|---------|
| A | Address | Maps domain to an IPv4 address | example.com → 93.184.216.34 |
| AAAA | IPv6 Address | Maps domain to an IPv6 address | example.com → 2606:2800:220:1:248:1893:25c8:1946 |
| CNAME | Canonical Name | Alias that points to another domain | www.example.com → example.com |
| MX | Mail Exchange | Directs email to a mail server | example.com → mail.example.com (priority 10) |
| TXT | Text | Stores arbitrary text — used for SPF, DKIM, domain verification | "v=spf1 include:_spf.google.com ~all" |
| NS | Nameserver | Specifies authoritative nameservers for the domain | example.com → ns1.cloudflare.com |
| SOA | Start of Authority | Contains admin info, serial number, refresh intervals | Zone metadata for the domain |
| PTR | Pointer | Reverse DNS — maps an IP back to a domain | 34.216.184.93.in-addr.arpa → example.com |
| SRV | Service | Specifies host and port for specific services | _sip._tcp.example.com → sipserver.example.com:5060 |
| CAA | Certificate Authority Authorization | Controls which CAs can issue SSL certificates for the domain | example.com CAA 0 issue "letsencrypt.org" |
Most Common Records You Will Work With
- A and AAAA — Point your domain to a server.
- CNAME — Point a subdomain to another domain (e.g., www to your root domain, or a subdomain to a hosting provider).
- MX — Set up email delivery. Without MX records, email to your domain will not work.
- TXT — Verify domain ownership (Google Search Console, SSL providers) and configure email security (SPF, DKIM, DMARC).
DNS Caching and TTL
Caching is what makes DNS fast. Without caching, every single website visit would require a full chain of queries to root, TLD, and authoritative servers.
Where DNS Is Cached
DNS responses are cached at multiple levels:
- Browser cache — Chrome, Firefox, and other browsers maintain their own DNS cache. Chrome stores entries for about 60 seconds by default.
- Operating system cache — Your OS caches DNS responses in memory. On Windows, the DNS Client service handles this. On Linux, systemd-resolved or nscd may cache responses.
- Recursive resolver cache — Your ISP or public DNS provider caches responses. This is the most impactful cache layer since it serves many users.
- CDN/proxy cache — If you use Cloudflare or a similar service, they may cache DNS at the edge.
What Is TTL?
TTL (Time To Live) is a value in every DNS record that tells resolvers how long to cache the response, measured in seconds.
| TTL Value | Duration | Typical Use |
|-----------|----------|-------------|
| 300 | 5 minutes | Frequent changes, failover setups |
| 3600 | 1 hour | Standard for most records |
| 14400 | 4 hours | Stable records that rarely change |
| 86400 | 24 hours | Very stable records (NS, MX) |
Lower TTL means changes propagate faster, but increases query load on your nameservers. Higher TTL means better performance and lower server load, but changes take longer to reach all users.
Pro tip: Before making a DNS change, lower the TTL to 300 seconds a day in advance. Make the change. Then raise the TTL back after confirming everything works.
DNS Propagation
When you update a DNS record — say you change the A record to point to a new server — the change does not take effect everywhere instantly. This delay is called DNS propagation.
Why Propagation Takes Time
Every DNS resolver that cached the old record will continue using it until the TTL expires. If your old record had a TTL of 86400 (24 hours), some resolvers may serve the old IP for up to 24 hours.
The change is immediate on the authoritative nameserver. The delay is in all the caches around the world catching up.
Typical Propagation Times
- Short TTL records (300s): 5–15 minutes globally
- Standard TTL records (3600s): 1–4 hours
- Long TTL records (86400s): Up to 24–48 hours
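The TTL pro tip above and the propagation times just listed follow from one rule: a resolver re-queries only when its cached copy expires, so the delay after a change is set by the TTL each resolver cached *before* the change. The following Python model (an added example, not from the original page) works that rule through for a handful of resolvers with constructed first-fetch times and compares changing the record directly, lowering the TTL a full old-TTL period in advance, and lowering it too late. It assumes the worst case for stale answers, a resolver that re-fetches the instant its entry expires.

```python
"""Model of DNS propagation for the TTL advice above. A resolver refetches a
record only when its cached copy expires, so how long the old answer lingers
after a change depends on the TTL each resolver cached *before* the change.
Added example with constructed resolver timings (seconds); it is a model, not
measurement data."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Plan:
    """Edits made at the authoritative zone: the TTL is lowered at lower_at
    (None = never) and the A record is switched at change_at."""
    old_ttl: int
    new_ttl: int
    change_at: int
    lower_at: Optional[int] = None


def authoritative_at(plan, t):
    """What the authoritative nameserver returns at time t: (ip, ttl)."""
    ttl = plan.new_ttl if plan.lower_at is not None and t >= plan.lower_at else plan.old_ttl
    return ("new", ttl) if t >= plan.change_at else ("old", ttl)


def resolver_switch_time(plan, first_fetch):
    """Time at which one resolver first serves the new IP, assuming it re-queries
    the instant its cached entry expires (the worst case for stale answers)."""
    t = first_fetch
    while True:
        ip, ttl = authoritative_at(plan, t)
        if ip == "new":
            return t
        t += ttl  # the resolver answers from cache until this moment


def full_propagation_lag(plan, first_fetches):
    """Seconds after change_at until the last resolver has the new IP."""
    return max(resolver_switch_time(plan, f) for f in first_fetches) - plan.change_at


def earliest_safe_change(plan):
    """After lowering the TTL, no resolver can still hold an old_ttl entry once
    lower_at + old_ttl has passed; changing the record before that point risks
    a lag of up to old_ttl. None when the TTL is never lowered."""
    return None if plan.lower_at is None else plan.lower_at + plan.old_ttl


if __name__ == "__main__":
    fetches = [0, 1000, 5000, 40000, 80000]  # constructed: when each resolver first cached the record
    direct = Plan(old_ttl=86400, new_ttl=300, change_at=100000)
    prepared = Plan(old_ttl=86400, new_ttl=300, change_at=100000, lower_at=10000)
    rushed = Plan(old_ttl=86400, new_ttl=300, change_at=100000, lower_at=50000)
    print("no TTL lowering:       lag", full_propagation_lag(direct, fetches), "s")   # 77800
    print("lowered a day before:  lag", full_propagation_lag(prepared, fetches), "s")  # 200
    print("lowered too late:      lag", full_propagation_lag(rushed, fetches), "s")    # 26400
    print("rushed plan safe from t =", earliest_safe_change(rushed))                    # 136400
```

With a 24-hour TTL, changing the record directly leaves the slowest resolver on the old IP for almost 22 hours; lowering the TTL to 300 seconds a full day earlier cuts that to 200 seconds, and lowering it only 14 hours earlier still leaves a resolver that cached the long TTL just before the change.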
How to Check Propagation
You can verify DNS propagation using online tools or the command line:
```bash
# Check from a specific DNS server
dig example.com @8.8.8.8
dig example.com @1.1.1.1

# Compare results from multiple resolvers
nslookup example.com 8.8.8.8
nslookup example.com 1.1.1.1
```
Online tools like dnschecker.org and whatsmydns.net let you check DNS resolution from servers in dozens of countries simultaneously.
DNS Security
DNS was designed in the 1980s without security in mind. Queries and responses are sent in plaintext by default, making them vulnerable to interception and manipulation.
DNS Spoofing / Cache Poisoning
In a DNS spoofing attack (also called cache poisoning), an attacker injects a forged DNS response into a resolver's cache. When users query that resolver, they receive the fake IP address and are redirected to a malicious server — without knowing anything is wrong.
This can be used for:
- Phishing — redirecting users to fake banking or login pages
- Malware distribution — serving malicious downloads
- Surveillance — intercepting traffic
The famous Kaminsky attack (2008) exposed a fundamental weakness in DNS that made cache poisoning much easier than previously thought, prompting widespread security upgrades.
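What makes a forged response "fit" is visible in the wire format itself, so here is a minimal DNS message parser together with the checks a resolver applies before it will accept a UDP reply: the response bit must be set, the 16-bit transaction ID must match an outstanding query, and the question section must repeat the question that was asked. This is an added example, not code from the original page; the query and the replies are constructed in memory with `struct` and nothing is sent on the network.

```python
"""DNS message parsing and the checks a resolver makes before accepting a reply.
A UDP response is accepted only if its transaction ID and question section
match a query the resolver actually sent (and it arrives on the right port),
which is why a forged reply has to guess those values. Added example: the
messages are constructed in memory with struct; nothing is sent on the wire."""
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA", 33: "SRV", 257: "CAA"}


def encode_name(name):
    """example.com -> b'\\x07example\\x03com\\x00' (length-prefixed labels, root last)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def decode_name(msg, offset):
    """Decode a possibly compressed name; returns (name, offset just past it)."""
    labels, end, jumped = [], offset, False
    for _ in range(128):  # bounds the walk so a malformed pointer loop cannot hang us
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer into the message
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            return ".".join(labels), (end if jumped else offset + 1)
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    raise ValueError("name too long or compression loop")


def parse_message(msg):
    """Returns (header dict, [(qname, qtype)], [(name, type, ttl, rdata)])."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    header = {"id": ident, "qr": flags >> 15, "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1,
              "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1,
              "rcode": RCODES.get(flags & 0xF, str(flags & 0xF))}
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, TYPES.get(qtype, qtype)))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # render an A record's address as a dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, TYPES.get(rtype, rtype), ttl, rdata))
    return header, questions, answers


def build_query(ident, name, qtype=1):
    """Standard query; flags 0x0100 sets RD=1, asking the resolver to recurse."""
    return struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_a_response(query, ip, ttl, rcode=0):
    """Constructed reply to `query`: echoes its ID and question like a real server;
    one A record (pointer 0xC00C = 'same name as the question') unless rcode != 0."""
    ident = struct.unpack("!H", query[:2])[0]
    answer = b"" if rcode else b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    header = struct.pack("!HHHHHH", ident, 0x8180 | rcode, 1, 0 if rcode else 1, 0, 0)  # QR=1 RD=1 RA=1
    return header + query[12:] + answer


def response_matches_query(query, response):
    """Accept a reply only if it is a response, carries our transaction ID and
    repeats our question. A real resolver additionally requires the reply to
    arrive on the socket (source port) the query left from; randomizing that
    port was the main post-Kaminsky hardening, since 16 bits of ID alone are
    too few to stop guessing."""
    qh, qq, _ = parse_message(query)
    rh, rq, _ = parse_message(response)
    return rh["qr"] == 1 and rh["id"] == qh["id"] and rq == qq
```

The RCODE names the parser emits (NOERROR, SERVFAIL, NXDOMAIN, REFUSED) are the same status words `dig` prints and that the troubleshooting table further down refers to; DNSSEC, covered next, is what lets a resolver reject a reply that passes all of these checks but carries a forged record.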
DNSSEC — Domain Name System Security Extensions
DNSSEC adds cryptographic signatures to DNS records. When a resolver receives a DNS response, it can verify the signature to confirm the record has not been tampered with.
How DNSSEC works:
- The authoritative nameserver signs DNS records with a private key.
- The corresponding public key is published as a DNSKEY record.
- A hash of the public key (the DS record) is stored at the parent zone (e.g., the .com TLD).
- Resolvers validate the chain of signatures from root to the authoritative server — this is called the chain of trust.
DNSSEC prevents cache poisoning and man-in-the-middle attacks on DNS responses. However, it does not encrypt the queries themselves — it only ensures integrity and authenticity.
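The link between a child's DNSKEY and the DS record its parent publishes is a plain hash computation, and it is the part of the chain of trust you can reproduce with nothing but the standard library. The Python below (an added example, not code from the original page) builds a DNSKEY RDATA, derives its key tag and SHA-256 DS digest the way RFC 4034 specifies, and performs the validator-side check that a DS from the parent really vouches for the key served by the child. The key bytes are a short constructed placeholder rather than a real zone's key, and RRSIG signature verification is left out because it needs a public-key library.

```python
"""The DS <-> DNSKEY link of the DNSSEC chain of trust, computed as RFC 4034
describes it: the parent zone publishes a DS record carrying a digest of the
child's DNSKEY, so a validator can check that the key it fetched from the child
is the one the parent vouches for. Added example: the key bytes are a short
constructed placeholder, not a real zone's key, and only the DS digest step is
shown (RRSIG signature verification needs a public-key library)."""
import hashlib
import struct


def name_to_wire(name):
    """Canonical wire form used in the DS digest: lowercase, length-prefixed labels."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, public_key, protocol=3):
    """DNSKEY RDATA: flags (257 = KSK, 256 = ZSK), protocol (always 3), algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: a 16-bit checksum used to pick the right key
    out of a DNSKEY set (a lookup hint, not a security property)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, rdata, digest_type=2):
    """DS RDATA for a DNSKEY at `owner`: digest = SHA-256(owner wire name || DNSKEY RDATA)."""
    if digest_type != 2:
        raise ValueError("only digest type 2 (SHA-256) is implemented here")
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3], "digest_type": 2, "digest": digest}


def ds_matches_dnskey(ds, owner, rdata):
    """Validator-side check: does the DS the parent published vouch for this DNSKEY?"""
    try:
        return make_ds(owner, rdata, ds["digest_type"]) == ds
    except ValueError:
        return False


def chain_ok(links):
    """links: [(owner, ds_from_parent, dnskey_from_child), ...] ordered from the
    TLD down to the leaf. Every link must hold; one mismatch breaks the chain."""
    return all(ds_matches_dnskey(ds, owner, key) for owner, ds, key in links)


if __name__ == "__main__":
    com_key = dnskey_rdata(257, 13, b"\x10\x20\x30\x40")        # constructed .com KSK
    example_key = dnskey_rdata(257, 13, b"\x01\x02\x03\x04")    # constructed example.com KSK
    links = [("com", make_ds("com", com_key), com_key),         # DS held by the root zone
             ("example.com", make_ds("example.com", example_key), example_key)]  # DS held by .com
    print("key tag", key_tag(example_key), "chain ok:", chain_ok(links))
    swapped = dnskey_rdata(257, 13, b"\x01\x02\x03\x05")
    print("swapped key accepted?", ds_matches_dnskey(links[1][1], "example.com", swapped))
```

The owner name is lowercased before hashing, so `make_ds("EXAMPLE.COM.", key)` equals `make_ds("example.com", key)`; a key with one changed byte, a different owner name, or a DS with an unsupported digest type all fail the check, which is the behaviour a validating resolver reports as SERVFAIL.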
```bash
# Check if a domain has DNSSEC enabled
dig example.com +dnssec
dig example.com DNSKEY
```
DNS over HTTPS (DoH)
DNS over HTTPS sends DNS queries inside encrypted HTTPS connections (port 443). This prevents ISPs, network administrators, and attackers from seeing or modifying your DNS queries.
DoH is supported by:
- Firefox (built-in, uses Cloudflare by default)
- Chrome and Edge (configurable in settings)
- Cloudflare (1.1.1.1), Google (8.8.8.8), and Quad9 (9.9.9.9)
DNS over TLS (DoT)
DNS over TLS encrypts DNS queries using the TLS protocol on a dedicated port (853). It provides the same privacy benefits as DoH but is easier to identify and block at the network level.
Android 9+ supports DoT natively under Settings > Network > Private DNS.
Why Encrypted DNS Matters
Without encryption, your DNS queries reveal every website you visit to your ISP and anyone on the network. Encrypted DNS (DoH or DoT) ensures:
- Privacy — Your browsing history is not visible to network operators.
- Integrity — Queries cannot be modified in transit.
- Censorship resistance — Harder for networks to block specific domains by intercepting DNS.
Troubleshooting DNS
When a website is not loading, DNS is often the first thing to check. Here are practical commands and techniques.
Using nslookup
nslookup is available on Windows, macOS, and Linux. It queries DNS servers directly.
```bash
# Basic lookup
nslookup example.com

# Query a specific DNS server
nslookup example.com 8.8.8.8

# Look up a specific record type
nslookup -type=MX example.com
nslookup -type=TXT example.com
nslookup -type=NS example.com

# Reverse DNS lookup
nslookup 93.184.216.34
```
Using dig
dig (Domain Information Groper) is the preferred tool on Linux and macOS. It provides more detailed output than nslookup.
```bash
# Basic lookup
dig example.com

# Query specific record types
dig example.com A
dig example.com AAAA
dig example.com MX
dig example.com TXT
dig example.com NS

# Short answer only
dig example.com +short

# Query a specific DNS server
dig @8.8.8.8 example.com

# Trace the full resolution path
dig example.com +trace

# Check DNSSEC
dig example.com +dnssec

# Reverse lookup
dig -x 93.184.216.34
```
The +trace flag is especially useful — it shows every step of the resolution process from root servers to the authoritative nameserver.
Using ping and traceroute
```bash
# Verify DNS resolution and check connectivity
ping example.com

# Trace the network path to a domain
traceroute example.com   # Linux/macOS
tracert example.com      # Windows
```
If ping resolves the domain but the website still does not load, the issue is likely not DNS — it could be a firewall, web server, or application problem.
Flushing the DNS Cache
If you have changed DNS records and your machine still shows the old IP, flush the local DNS cache:
```bash
# Windows
ipconfig /flushdns

# macOS
sudo dscacheutil -flushcache
sudo killall -HUP mDNSResponder

# Linux (systemd-resolved)
sudo systemd-resolve --flush-caches
# On newer systemd releases the same operation is: sudo resolvectl flush-caches

# Linux (nscd)
sudo systemctl restart nscd

# Chrome browser (visit this URL)
# chrome://net-internals/#dns → Clear host cache
```
Common DNS Issues and Fixes
| Problem | Possible Cause | Fix |
|---------|---------------|-----|
| NXDOMAIN (domain not found) | Domain does not exist or NS records are wrong | Verify domain registration and NS records |
| SERVFAIL | Authoritative server is down or DNSSEC validation failed | Check nameserver status, verify DNSSEC config |
| REFUSED | DNS server refuses to answer | Try a different resolver (8.8.8.8 or 1.1.1.1) |
| Slow resolution | High TTL on old records, resolver congestion | Flush cache, switch to a faster public resolver |
| Incorrect IP returned | Stale cache or DNS poisoning | Flush cache, verify with dig @8.8.8.8 domain.com |
| Works on one device, not another | Different DNS servers or cached records | Compare DNS settings, flush cache on both |
Popular Public DNS Servers
You are not limited to your ISP's DNS. Public DNS servers often offer better speed, reliability, and privacy.
| Provider | Primary | Secondary | Privacy | DNSSEC | DoH | DoT | Notable Feature |
|----------|---------|-----------|---------|--------|-----|-----|-----------------|
| Cloudflare | 1.1.1.1 | 1.0.0.1 | Strong (no-log policy, audited) | Yes | Yes | Yes | Fastest global response times |
| Google | 8.8.8.8 | 8.8.4.4 | Moderate (logs for 24–48h) | Yes | Yes | Yes | Most widely used public DNS |
| Quad9 | 9.9.9.9 | 149.112.112.112 | Strong (Swiss privacy laws) | Yes | Yes | Yes | Blocks known malicious domains |
| OpenDNS | 208.67.222.222 | 208.67.220.220 | Moderate | Yes | Yes | No | Content filtering options |
How to Change Your DNS Server
On your router (affects all devices on the network):
- Log into your router admin panel (usually 192.168.1.1)
- Find DNS settings under WAN or Internet settings
- Set primary and secondary DNS to your preferred provider
On Windows:
- Open Settings > Network & Internet > Change adapter options
- Right-click your connection > Properties
- Select Internet Protocol Version 4 (TCP/IPv4) > Properties
- Choose "Use the following DNS server addresses" and enter your preferred DNS
On macOS:
- System Settings > Network > Your connection > Details > DNS
- Add your preferred DNS servers
On Linux:
```bash
# Temporary (until reboot)
sudo nano /etc/resolv.conf
# Add: nameserver 1.1.1.1

# Permanent (systemd-resolved)
sudo nano /etc/systemd/resolved.conf
# Under the [Resolve] section, set: DNS=1.1.1.1 1.0.0.1
sudo systemctl restart systemd-resolved
```
Summary
DNS is a foundational internet protocol that translates human-friendly domain names into IP addresses. Here is what we covered:
- DNS resolution follows a chain: browser cache, OS cache, recursive resolver, root server, TLD server, authoritative server.
- DNS record types (A, AAAA, CNAME, MX, TXT, NS, SOA, PTR, SRV, CAA) each serve a specific purpose.
- TTL and caching make DNS fast but also cause propagation delays when records change.
- DNS security (DNSSEC, DoH, DoT) protects against spoofing and surveillance.
- Troubleshooting tools like dig, nslookup, and cache flushing help diagnose DNS issues quickly.
Understanding DNS gives you a clearer picture of how the internet works and helps you diagnose problems faster — whether you are deploying a website, setting up email, or debugging network issues.