Here is a complete breakdown of DNS - what it is, how it works, and how to use it.
DNS (Domain Name System) - Full Guide
What is DNS?
DNS is the internet's distributed naming system that translates human-readable domain names (like www.google.com) into IP addresses (like 142.250.80.46) that computers use to communicate. It is hierarchical, decentralized, and operates across thousands of servers worldwide.
Without DNS, you would need to memorize IP addresses for every website you visit. DNS automates this mapping invisibly in milliseconds.
DNS Hierarchy
DNS is organized as a tree structure with multiple levels:
. (Root)
├── .com
│ ├── google.com
│ │ └── www.google.com
│ └── example.com
├── .org
├── .net
├── .in
└── .uk
| Level | Name | Example |
|---|
| Level 0 | Root zone | . (invisible dot) |
| Level 1 | Top-Level Domain (TLD) | .com, .org, .net, .in |
| Level 2 | Second-Level Domain | google, amazon |
| Level 3 | Subdomain | www, mail, api |
Key Components of DNS
1. DNS Resolver (Recursive Resolver)
- Your computer or ISP's first point of contact
- Acts as a middleman between your device and DNS servers
- Does the full lookup work on your behalf
- Usually operated by your ISP, or public providers like Cloudflare (
1.1.1.1) or Google (8.8.8.8)
2. Root Name Servers
- 13 logical root server clusters (labeled A through M), operated by ICANN and others
- They do NOT know IP addresses - they point to the correct TLD server
- Example: "I don't know google.com, but here's the
.com TLD server"
3. TLD (Top-Level Domain) Name Servers
- Managed by registries (e.g., Verisign manages
.com)
- Point to the authoritative name server for a specific domain
4. Authoritative Name Server
- The final authority for a domain
- Actually stores the DNS records (A, MX, CNAME, etc.)
- Returns the definitive answer: "google.com = 142.250.80.46"
How DNS Resolution Works (Step by Step)
You type: www.google.com
|
v
1. Browser Cache - Already know it? Use it.
|
v
2. OS Cache (/etc/hosts or Windows host file)
|
v
3. DNS Resolver (your ISP or 8.8.8.8)
|
v
4. Root Server → "Go ask .com TLD"
|
v
5. TLD Server (.com) → "Go ask google's nameserver"
|
v
6. Authoritative Server (ns1.google.com)
→ Returns: 142.250.80.46
|
v
7. Resolver caches the result (TTL applied)
|
v
8. Browser connects to 142.250.80.46
This entire process typically takes 20-120 milliseconds.
DNS Record Types
These are the actual data entries stored in DNS:
| Record | Full Name | Purpose | Example |
|---|
| A | Address | Maps domain to IPv4 | google.com → 142.250.80.46 |
| AAAA | IPv6 Address | Maps domain to IPv6 | google.com → 2607:f8b0::200e |
| CNAME | Canonical Name | Alias pointing to another domain | www → google.com |
| MX | Mail Exchange | Directs email to mail servers | Priority 10 → mail.google.com |
| TXT | Text | Arbitrary text; used for SPF, DKIM, verification | "v=spf1 include:..." |
| NS | Name Server | Delegates zone to authoritative servers | ns1.google.com |
| PTR | Pointer | Reverse lookup (IP → domain) | 46.80.250.142.in-addr.arpa |
| SOA | Start of Authority | Zone metadata (serial, refresh, TTL) | Primary NS info |
| SRV | Service | Service location (used by VoIP, SIP, etc.) | _sip._tcp.example.com |
| CAA | Cert Authority Auth | Restricts which CAs can issue SSL certs | 0 issue "letsencrypt.org" |
DNS Query Types
| Type | Behavior |
|---|
| Recursive Query | Client asks resolver to do ALL the work and return a final answer |
| Iterative Query | Resolver asks each server in turn; each gives a referral |
| Non-recursive | Resolver already has the answer cached; responds immediately |
TTL (Time to Live)
Every DNS record has a TTL value (in seconds) that controls how long it's cached:
TTL = 300 means cache this record for 5 minutes
- Low TTL = faster propagation of changes, more DNS queries
- High TTL = fewer queries, longer to update (good for stable records)
- Typical values:
300 (5 min), 3600 (1 hr), 86400 (1 day)
DNS in Practice - How to Use It
Check DNS Records (command line)
Linux / macOS:
# Lookup A record
nslookup google.com
# Detailed lookup with dig
dig google.com
dig google.com A
dig google.com MX
dig google.com TXT
dig google.com NS
# Reverse lookup
dig -x 142.250.80.46
# Trace the full resolution path
dig +trace google.com
# Check specific DNS server
dig @8.8.8.8 google.com
Windows (Command Prompt):
nslookup google.com
nslookup -type=MX gmail.com
nslookup -type=TXT google.com
Check DNS on Web Tools
- dnschecker.org - global propagation check
- mxtoolbox.com - email/MX record diagnostics
- dig.jsondns.org - web-based dig
Setting Up Your Own DNS Records
When you own a domain (e.g., via Namecheap, GoDaddy, Cloudflare), you manage records in your registrar's DNS panel:
| Task | Record to Add |
|---|
| Point domain to web host | A record: @ → your server IP |
| Point www to domain | CNAME: www → yourdomain.com |
| Set up email (Gmail, etc.) | MX records provided by your mail provider |
| Verify domain ownership | TXT record with verification code |
| Prevent email spoofing (SPF) | TXT record: v=spf1 include:... ~all |
| DKIM email signing | TXT record with public key |
Public DNS Servers You Can Use
You can change your device's DNS resolver for speed, privacy, or content filtering:
| Provider | Primary | Secondary | Feature |
|---|
| Google | 8.8.8.8 | 8.8.4.4 | Fast, reliable |
| Cloudflare | 1.1.1.1 | 1.0.0.1 | Privacy-focused, fastest |
| OpenDNS | 208.67.222.222 | 208.67.220.220 | Content filtering |
| Quad9 | 9.9.9.9 | 149.112.112.112 | Malware blocking |
| AdGuard | 94.140.14.14 | 94.140.15.15 | Ad blocking |
Change DNS on Linux:
# Edit /etc/resolv.conf
nameserver 1.1.1.1
nameserver 8.8.8.8
Change DNS on Windows:
Network Settings > Adapter Properties > IPv4 > DNS Server
DNS Security
| Technology | What it Does |
|---|
| DNSSEC | Digitally signs DNS records to prevent spoofing/tampering |
| DoH (DNS over HTTPS) | Encrypts DNS queries over HTTPS (port 443) - prevents snooping |
| DoT (DNS over TLS) | Encrypts DNS over TLS (port 853) |
| DNS Firewall | Blocks malicious domains at the DNS level |
| Split-horizon DNS | Returns different results for internal vs external queries |
Common DNS Issues and Fixes
| Problem | Cause | Fix |
|---|
| "DNS_PROBE_FINISHED_NXDOMAIN" | Domain doesn't exist or wrong DNS | Check spelling; flush DNS cache |
| Slow resolution | Far/slow DNS server | Switch to 1.1.1.1 or 8.8.8.8 |
| DNS not propagating | Old TTL still cached | Wait for TTL expiry; use low TTL before changes |
| Email not delivered | Missing/wrong MX records | Verify with dig gmail.com MX |
| Site unreachable after IP change | Old A record cached | Flush: ipconfig /flushdns (Windows) or sudo systemd-resolve --flush-caches (Linux) |
DNS Ports
| Port | Protocol | Use |
|---|
| 53 | UDP/TCP | Standard DNS queries |
| 853 | TCP | DNS over TLS (DoT) |
| 443 | TCP | DNS over HTTPS (DoH) |
UDP port 53 is used for queries under 512 bytes; TCP port 53 is used for larger responses (zone transfers, DNSSEC).
DNS vs. HOSTS File
Before DNS, computers used a local /etc/hosts file (still exists today):
# /etc/hosts (Linux/macOS) or C:\Windows\System32\drivers\etc\hosts (Windows)
127.0.0.1 localhost
192.168.1.10 myserver.local
The hosts file always takes priority over DNS - useful for local development, testing, or blocking sites.
Summary
- DNS translates domain names to IPs through a hierarchical chain: Resolver → Root → TLD → Authoritative
- Records (A, AAAA, CNAME, MX, TXT, NS) define what a domain points to
- TTL controls caching duration
- Use
dig or nslookup to query DNS from the command line
- Use
1.1.1.1 or 8.8.8.8 as fast, reliable public resolvers
- DNSSEC, DoH, and DoT add security layers to prevent eavesdropping and spoofing