Every time you open a website, send an email, or connect to an API, DNS is quietly working behind the scenes.
The Domain Name System (DNS) acts like the internet’s phonebook, translating human-friendly domain names like google.com into machine-readable IP addresses like 142.250.190.14.
Without DNS, we’d have to memorize IP addresses for every website we use.
In this guide, we’ll break down:
- What DNS is
- How DNS resolution works
- Recursive vs authoritative DNS servers
- DNS caching and propagation
- Common DNS record types
- DNS troubleshooting techniques
- Security concepts like DNSSEC
What is DNS?
DNS stands for Domain Name System.
It is a distributed and hierarchical system responsible for converting domain names into IP addresses.
For example:
salilkayastha.com.np -> 104.21.32.1
Your browser cannot directly understand domain names. It needs an IP address to establish a connection.
DNS bridges that gap.
How DNS Works
When you type a domain into your browser, several steps happen behind the scenes.
Let’s say you visit:
https://example.com
DNS Resolution Flow
Browser
↓
OS Cache
↓
Recursive Resolver (ISP / Cloudflare / Google DNS)
↓
Root Nameserver
↓
TLD Nameserver (.com)
↓
Authoritative Nameserver
↓
IP Address Returned
Step-by-Step DNS Lookup
1. Browser Cache Check
Your browser first checks whether it already knows the IP address.
If cached:
example.com -> 93.184.216.34
No external lookup is needed.
2. Operating System Cache
If the browser doesn’t know the answer, your operating system checks its DNS cache.
On Linux with systemd-resolved, the local cache statistics are shown by:
resolvectl statistics
(older releases ship the same command as systemd-resolve --statistics)
On macOS there is no equivalent report; the command most people know is the one that flushes the cache rather than inspects it:
sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder
3. Recursive Resolver
If the answer still isn’t found, the request goes to a recursive DNS resolver.
This is usually provided by:
- Your ISP
- Cloudflare (1.1.1.1)
- Google DNS (8.8.8.8)
- Quad9 (9.9.9.9)
The recursive resolver performs the heavy lifting.
4. Root Nameserver
The resolver asks a root DNS server:
Where can I find .com?
The root server responds with the address of the .com TLD nameservers.
5. TLD Nameserver
The resolver then asks the .com nameserver:
Where can I find example.com?
The TLD server responds with the authoritative nameserver.
6. Authoritative Nameserver
Finally, the resolver asks the authoritative server:
What is the IP address for example.com?
The authoritative server responds:
example.com -> 93.184.216.34
The resolver caches this result and returns it to your browser.
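To make the referral chain concrete, here is a toy recursive resolver that walks root, then TLD, then authoritative server and caches what it finds. This is an added example written for this post, not code from the original article or from any real resolver: the three "servers" are dictionaries, the nameserver names (a.gtld-servers.net., ns1.example.com.) and the delegation data are constructed, and glue records and nameserver address lookups are left out to keep the referral logic visible.

```python
"""Toy iterative resolver: root -> TLD -> authoritative, then cache.

Added example, not code from the original post. The namespace below is
constructed; it mirrors the referral chain for example.com described in
the text, with the 93.184.216.34 address used there.
"""

# Each "server" knows the answers it is authoritative for and the
# delegations (NS referrals) it can hand back. Real servers return these
# as RRsets; here they are plain dictionaries.
ROOT = {
    "referrals": {"com.": "a.gtld-servers.net."},          # delegation to .com
}
TLD_COM = {
    "referrals": {"example.com.": "ns1.example.com."},      # delegation to the zone
}
AUTH_EXAMPLE = {
    "answers": {("example.com.", "A"): "93.184.216.34"},
}
SERVERS = {
    "root": ROOT,
    "a.gtld-servers.net.": TLD_COM,
    "ns1.example.com.": AUTH_EXAMPLE,
}


def ask(server_name, qname, qtype):
    """One round trip to one server.

    Returns ("answer", data), ("referral", next_server) or ("nxdomain", None).
    """
    server = SERVERS[server_name]
    answers = server.get("answers", {})
    if (qname, qtype) in answers:
        return "answer", answers[(qname, qtype)]
    # A referral applies when the query name is at or below the delegated zone.
    for zone, nameserver in server.get("referrals", {}).items():
        if qname == zone or qname.endswith("." + zone):
            return "referral", nameserver
    return "nxdomain", None


def resolve(qname, qtype="A", cache=None, trace=None):
    """What the recursive resolver does: start at the root, follow referrals,
    cache the final answer. `trace` collects one line per step for display."""
    cache = {} if cache is None else cache
    trace = [] if trace is None else trace
    if (qname, qtype) in cache:
        trace.append(f"cache hit for {qname} {qtype}")
        return cache[(qname, qtype)]
    server = "root"
    while True:
        kind, data = ask(server, qname, qtype)
        trace.append(f"{server} -> {kind}: {data}")
        if kind == "answer":
            cache[(qname, qtype)] = data
            return data
        if kind == "referral":
            server = data          # move one level down the tree
            continue
        return None                # no delegation covers this name


if __name__ == "__main__":
    cache, trace = {}, []
    print(resolve("example.com.", cache=cache, trace=trace))
    print(resolve("example.com.", cache=cache, trace=trace))   # second call hits the cache
    print("\n".join(trace))
```

The first call produces three round trips (root, .com, authoritative); the second is answered from the resolver's cache without touching any server, which is exactly why the TTL on the cached record matters in the next sections.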
Recursive vs Authoritative DNS
Understanding this difference is important.
| Type | Purpose |
|---|---|
| Recursive Resolver | Finds the answer on behalf of the client |
| Authoritative Server | Stores the actual DNS records |
Examples
Recursive DNS:
1.1.1.1
8.8.8.8
9.9.9.9
Authoritative DNS Providers:
- Cloudflare DNS
- AWS Route53
- DigitalOcean DNS
- Namecheap DNS
DNS Caching
DNS responses are cached to reduce lookup time and improve performance.
Each DNS record contains a:
TTL (Time To Live)
Example:
example.com 300 IN A 93.184.216.34
Here:
- 300 means 300 seconds
- DNS resolvers can cache the record for 5 minutes
Why TTL Matters
Lower TTL:
- Faster DNS changes
- More DNS queries
Higher TTL:
- Better performance
- Slower propagation during updates
DNS Propagation
When you change DNS records, the changes are not instantly visible everywhere.
This delay is called:
DNS propagation
In reality, propagation mostly means:
cached records have not expired yet
Propagation time depends on:
- TTL values
- ISP caching behavior
- Resolver refresh intervals
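The following simulation shows the two points above in code: a resolver keeps serving the old address until its cached copy expires, and lowering the TTL ahead of a change shrinks that window. This is an added example for this post, not code from the original article. The authoritative zone, the resolver and the clock are all constructed in-process; 93.184.216.34 is the address used in the text and 203.0.113.10 (from the documentation range) stands in for the new server.

```python
"""TTL-aware cache with a fake clock: why a record change is not visible
until cached copies expire, and why you lower the TTL before a migration.

Added example, not code from the original post. Everything here is
simulated; no network traffic is involved.
"""
import time


class Authoritative:
    """Holds the live zone. A change here is instant on the authoritative side."""

    def __init__(self):
        self.records = {}                      # (name, type) -> (ttl, data)

    def set(self, name, rtype, ttl, data):
        self.records[(name, rtype)] = (ttl, data)

    def query(self, name, rtype):
        return self.records[(name, rtype)]


class CachingResolver:
    """A recursive resolver that honours the TTL from the authoritative answer."""

    def __init__(self, upstream, clock=time.time):
        self.upstream, self.clock = upstream, clock
        self.cache = {}                        # (name, type) -> (expires_at, data)

    def lookup(self, name, rtype):
        now = self.clock()
        hit = self.cache.get((name, rtype))
        if hit and hit[0] > now:               # cached and not yet expired
            return hit[1]
        ttl, data = self.upstream.query(name, rtype)
        self.cache[(name, rtype)] = (now + ttl, data)
        return data


class FakeClock:
    """Deterministic clock so the simulation runs instantly."""

    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def migration_demo(prelower_ttl):
    """Simulate moving example.com to a new IP.

    Returns the number of seconds after the cutover until the resolver
    returns the new address. With prelower_ttl=True the TTL is dropped
    from 3600 to 300 one old-TTL period before the change, which is the
    usual playbook; with False the change is made at the high TTL.
    """
    clock = FakeClock()
    auth = Authoritative()
    auth.set("example.com.", "A", 3600, "93.184.216.34")
    resolver = CachingResolver(auth, clock)
    resolver.lookup("example.com.", "A")           # resolver caches at t=0 with TTL 3600
    if prelower_ttl:
        auth.set("example.com.", "A", 300, "93.184.216.34")
        clock.advance(3600)                        # wait out the old TTL
        resolver.lookup("example.com.", "A")       # re-cached, now with TTL 300
    change_time = clock.t
    auth.set("example.com.", "A", 300, "203.0.113.10")   # the actual cutover
    while resolver.lookup("example.com.", "A") != "203.0.113.10":
        clock.advance(60)                          # poll once a minute
    return clock.t - change_time


if __name__ == "__main__":
    print("no preparation:", migration_demo(False), "s of stale answers")
    print("TTL lowered first:", migration_demo(True), "s of stale answers")
```

Without preparation the resolver serves the old address for a full 3600 seconds after the change; with the TTL lowered one period in advance the stale window drops to 300 seconds. Real-world propagation is this effect multiplied across every resolver that cached the record, each on its own schedule.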
Common DNS Record Types
DNS supports many record types.
Here are the most important ones.
A Record
Maps a domain to an IPv4 address.
example.com -> 93.184.216.34
Example:
example.com. IN A 93.184.216.34
Used for:
- Websites
- APIs
- Servers
AAAA Record
Maps a domain to an IPv6 address.
Example:
example.com. IN AAAA 2606:2800:220:1:248:1893:25c8:1946
IPv6 adoption is increasing rapidly.
Modern infrastructure should support both:
- IPv4
- IPv6
CNAME Record
Creates an alias from one domain to another.
Example:
www.example.com. IN CNAME example.com.
Meaning:
www.example.com points to example.com
Important Limitation
A CNAME cannot coexist with any other record type at the same name (RFC 1034; the DNSSEC records that sign the CNAME are the one exception). A correct nameserver rejects a zone that tries this:
example.com. IN CNAME app.example.com.
example.com. IN MX 10 mail.example.com.
The same rule is why the zone apex (example.com. itself) can never be a CNAME: the apex always carries SOA and NS records. Providers that need apex aliases offer ALIAS/ANAME records or "CNAME flattening", which resolve the target on the server side and publish ordinary A/AAAA answers.
MX Record
Defines mail servers for a domain.
Example:
example.com. IN MX 10 mail.example.com.
Lower priority number means:
higher preference
Used for:
- Email delivery
- SMTP routing
TXT Record
Stores arbitrary text data.
Very commonly used for:
- SPF
- DKIM
- Domain verification
- Security policies
Example:
example.com. IN TXT "v=spf1 include:_spf.google.com ~all"
NS Record
Specifies authoritative nameservers for a domain.
Example:
example.com. IN NS ns1.cloudflare.com.
example.com. IN NS ns2.cloudflare.com.
These records tell the internet:
who is responsible for this domain
PTR Record
Used for reverse DNS lookups.
Instead of:
Domain -> IP
PTR performs:
IP -> Domain
Very important for:
- Email servers
- Spam prevention
- Network verification
SRV Record
Defines services available on a domain.
Example:
_sip._tcp.example.com. IN SRV 10 5 5060 sipserver.example.com.
Commonly used in:
- VoIP
- Microsoft Active Directory
- XMPP
SOA Record
SOA stands for:
Start of Authority
Contains administrative information about the DNS zone: the primary nameserver, the administrator's mailbox, and the timers secondary servers use.
Example:
example.com. IN SOA ns1.example.com. admin.example.com. (
2026050601 ; serial
3600 ; refresh
1800 ; retry
1209600 ; expire
86400 ; negative-caching TTL
)
Field notes:
- admin.example.com. encodes the mailbox admin@example.com (the first dot stands for the @)
- The serial must increase on every change; secondaries only transfer a new copy of the zone when they see a higher serial. The YYYYMMDDnn convention shown here makes that easy to get right.
- refresh, retry and expire control how often secondaries check the primary for changes, how long they wait after a failed check, and how long they keep serving the zone if the primary stays unreachable
- The last field was originally the zone's minimum TTL; since RFC 2308 it is the TTL for negative answers, i.e. how long resolvers cache an NXDOMAIN
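To tie the record types together, here is a small parser for single-line records in the zone-file notation used above, with the checks a practitioner actually runs: the CNAME exclusivity rule, MX ordering by preference, the meaning of the SRV fields, and the owner name a PTR record needs for a given address. This is an added example for this post, not code from the original article or from BIND. The zone text is constructed from the records shown in this section (mail2.example.com. is an extra made-up MX target); the parser assumes an explicit TTL and class on every line and does not handle multi-line records such as the SOA above.

```python
"""Parse single-line BIND-style records and apply the checks described in
the text. Added example, not code from the original post; the zone below
is constructed from the records shown in the article.
"""
import ipaddress
from collections import defaultdict

ZONE = """
example.com.       300 IN A     93.184.216.34
example.com.       300 IN AAAA  2606:2800:220:1:248:1893:25c8:1946
www.example.com.   300 IN CNAME example.com.
example.com.       300 IN MX    20 mail2.example.com.
example.com.       300 IN MX    10 mail.example.com.
example.com.       300 IN TXT   "v=spf1 include:_spf.google.com ~all"
example.com.       300 IN NS    ns1.example.com.
_sip._tcp.example.com. 300 IN SRV 10 5 5060 sipserver.example.com.
"""


def parse_zone(text):
    """Return a list of (owner, ttl, type, rdata) tuples.

    Assumes one record per line with an explicit TTL and class, as in the
    examples in the text. Comments after ';' and blank lines are skipped.
    """
    records = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        owner, ttl, _cls, rtype, rdata = line.split(None, 4)
        records.append((owner.lower(), int(ttl), rtype.upper(), rdata))
    return records


def cname_conflicts(records):
    """RFC 1034 rule: a name that has a CNAME may carry no other record type.
    Returns the owner names that break it."""
    types_by_owner = defaultdict(set)
    for owner, _ttl, rtype, _rdata in records:
        types_by_owner[owner].add(rtype)
    return sorted(owner for owner, types in types_by_owner.items()
                  if "CNAME" in types and len(types) > 1)


def mail_servers(records, domain):
    """MX targets in the order a sending server tries them: lowest
    preference value first."""
    mx = [r[3].split() for r in records if r[0] == domain and r[2] == "MX"]
    return [host for _pref, host in sorted((int(p), h) for p, h in mx)]


def parse_srv(rdata):
    """SRV RDATA is: priority weight port target."""
    priority, weight, port, target = rdata.split()
    return {"priority": int(priority), "weight": int(weight),
            "port": int(port), "target": target}


def ptr_owner(address):
    """Owner name of the reverse (PTR) record for an IPv4 or IPv6 address:
    octets (or nibbles) reversed under in-addr.arpa / ip6.arpa."""
    return ipaddress.ip_address(address).reverse_pointer + "."


if __name__ == "__main__":
    recs = parse_zone(ZONE)
    print("records parsed:", len(recs))
    print("CNAME conflicts:", cname_conflicts(recs))
    print("MX delivery order:", mail_servers(recs, "example.com."))
    print("SRV:", parse_srv("10 5 5060 sipserver.example.com."))
    print("PTR owner for 93.184.216.34:", ptr_owner("93.184.216.34"))
```

Appending the invalid pair from the CNAME section (an apex CNAME next to an MX) to ZONE makes cname_conflicts report example.com.; a real nameserver would refuse to load the zone at that point, which is the behaviour you want to catch in CI before the zone is pushed.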
DNS Zones
A DNS zone is a portion of the DNS namespace managed by a specific administrator.
Example:
example.com
The zone contains:
- A records
- MX records
- TXT records
- Other DNS entries
Zone files are often stored in BIND format.
DNS Over HTTPS (DoH)
Traditional DNS queries travel in cleartext over UDP or TCP port 53.
This means:
- ISPs and anyone else on the path can see requests
- DNS traffic can be intercepted and altered in transit
- DNS spoofing becomes easier
DNS over HTTPS (RFC 8484) wraps each DNS message in an HTTPS request to the resolver, so on-path observers can no longer read or modify queries between your device and the resolver. DNS over TLS (DoT, RFC 7858) provides the same protection on a dedicated TLS port (853).
Two caveats worth keeping in mind:
- DoH protects the client-to-resolver hop only. The resolver operator still sees every query, and the resolver's own lookups to authoritative servers are still plain DNS.
- Encryption in transit does not verify the answer. Checking that a record is genuine is DNSSEC's job, covered next.
Examples:
- Cloudflare DoH
- Google DoH
- NextDNS
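What actually travels inside a DoH request is an ordinary DNS wire-format message. The example below builds one and shows the two transports RFC 8484 defines: a POST with the raw message as the body (content type application/dns-message), or a GET with the message base64url-encoded, without padding, in the dns= parameter. This is an added example for this post, not code from the original article; nothing is sent over the network, the bytes are only built and inspected. The resolver URL is Cloudflare's public DoH endpoint and the query ID of 0 follows the RFC's recommendation for cache-friendly requests; both are illustrative choices.

```python
"""Build the DNS wire-format query a DoH client sends (RFC 8484).

Added example, not code from the original post. No request is made; the
functions return the bytes, URL and headers a client would use.
"""
import base64
import struct
from urllib.parse import urlencode

QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12,
          "MX": 15, "TXT": 16, "AAAA": 28, "SRV": 33}


def name_to_wire(name):
    """Wire form of a domain name: each label length-prefixed, root = 0x00."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("idna") for l in labels) + b"\x00"


def build_query(name, qtype="A", txid=0, want_dnssec=True):
    """12-byte header + one question. Flags: RD=1 (recursion desired).

    If want_dnssec is set, an OPT pseudo-record with the DO bit is added so
    the resolver includes RRSIG records in its answer.
    """
    flags = 0x0100                                  # QR=0, Opcode=0, RD=1
    arcount = 1 if want_dnssec else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = name_to_wire(name) + struct.pack("!HH", QTYPES[qtype], 1)  # class IN
    msg = header + question
    if want_dnssec:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size 4096,
        # TTL field = extended RCODE 0, EDNS version 0, flags with DO (0x8000),
        # RDLENGTH 0.
        msg += b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return msg


def doh_get_url(resolver_url, msg):
    """GET form: base64url without '=' padding, as RFC 8484 requires."""
    encoded = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?{urlencode({'dns': encoded})}"


def doh_post_request(resolver_url, msg):
    """POST form: the URL, headers and body a client would send."""
    return {"url": resolver_url, "method": "POST",
            "headers": {"Accept": "application/dns-message",
                        "Content-Type": "application/dns-message"},
            "body": msg}


def parse_header(msg):
    """Decode the 12-byte header of a query or response."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": flags >> 15, "rd": (flags >> 8) & 1,
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


if __name__ == "__main__":
    q = build_query("example.com.", "A")
    print(doh_get_url("https://cloudflare-dns.com/dns-query", q))
    print(parse_header(q))
    print(q.hex())
```

Note that the message itself is identical to what a plain UDP client would send on port 53; DoH changes only the transport, which is the point made above about what it does and does not protect.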
DNSSEC
DNSSEC adds cryptographic signatures (RRSIG records) to DNS record sets. A zone publishes its public key in a DNSKEY record, and the parent zone publishes a DS record (a hash of that key), so a validating resolver can follow a chain of trust from the root down to the zone it is checking.
Its purpose is to prevent:
- DNS spoofing
- Cache poisoning
- Tampering with responses by anyone between the authoritative server and the validating resolver
Without DNSSEC:
attackers may fake DNS responses
DNSSEC provides authenticity and integrity, not confidentiality: anyone on the path can still read the queries (that is what DoH and DoT address). Validation normally happens at the recursive resolver, which signals success with the AD (Authenticated Data) flag in its answer; a stub client that trusts that flag is trusting its last hop, which is one more reason to encrypt it. Misconfiguration is also failure: an expired signature, or a DS record in the parent that no longer matches the zone's key, makes validating resolvers return SERVFAIL for the whole zone.
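The DS/DNSKEY link is the part of the chain of trust that is easiest to break by hand, so here is the arithmetic behind it: the key tag from RFC 4034 appendix B, and the SHA-256 DS digest computed over the owner name in wire form plus the DNSKEY RDATA, with a check that a published DS really was derived from a given key. This is an added example for this post, not code from the original article or from any DNSSEC signer. KEY_B64 is constructed filler rather than a real public key, so the DS it produces is only self-consistent; with a real DNSKEY from dig the same functions reproduce the DS your registrar should hold.

```python
"""Key tag and DS digest for a DNSKEY (RFC 4034), plus a match check.

Added example, not code from the original post. KEY_B64 is filler, not a
real key; the functions are what matter.
"""
import base64
import hashlib


def name_to_wire(name):
    """Canonical wire form: lowercase labels, each length-prefixed, root = 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA on the wire: 2-byte flags, protocol, algorithm, raw key."""
    return (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
            + base64.b64decode(key_b64))


def key_tag(rdata):
    """RFC 4034 appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_sha256(owner, rdata):
    """DS digest type 2: SHA-256(owner name wire form | DNSKEY RDATA), hex."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


def ds_record(owner, flags, protocol, algorithm, key_b64):
    """The four DS fields for this key: key tag, algorithm, digest type, digest."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    return key_tag(rdata), algorithm, 2, ds_digest_sha256(owner, rdata)


def ds_matches(owner, flags, protocol, algorithm, key_b64, ds):
    """True if the DS published in the parent was derived from this DNSKEY.
    A False here after a key rollover is the stale-DS outage described above."""
    return ds_record(owner, flags, protocol, algorithm, key_b64) == tuple(ds)


# Constructed KSK: flags 257 (ZONE + SEP), protocol 3, algorithm 13
# (ECDSAP256SHA256). The key bytes are filler, not a real public key.
KEY_B64 = base64.b64encode(bytes(range(64))).decode("ascii")

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_record("example.com.", 257, 3, 13, KEY_B64)
    print(f"example.com. IN DS {tag} {alg} {dtype} {digest}")
    print("still matches after rollover?",
          ds_matches("example.com.", 256, 3, 13, KEY_B64, (tag, alg, dtype, digest)))
```

A small but real gotcha the code makes visible: the owner name goes into the digest in lowercase wire form, so the same key under example.com. and example.net. yields the same key tag but a different DS.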
Common DNS Tools
dig
The most popular DNS debugging tool.
dig example.com
Query a specific resolver:
dig @1.1.1.1 example.com
Get MX records:
dig example.com MX
nslookup
Simple DNS query utility.
nslookup example.com
host
Another lightweight DNS lookup tool.
host example.com
Troubleshooting DNS Issues
DNS problems are extremely common in production environments.
Verify Resolution
dig example.com
Check:
- IP address
- TTL
- Resolver used
Verify Nameservers
dig NS example.com
Verify Mail Records
dig MX example.com
Trace Full Resolution Path
dig +trace example.com
This shows:
- Root lookup
- TLD lookup
- Authoritative lookup
Real-World Example
Suppose your infrastructure looks like this:
Frontend -> Vercel
API -> AWS EC2
Email -> Google Workspace
Your DNS records may look like:
example.com. IN A 44.201.10.20
www.example.com. IN CNAME cname.vercel-dns.com.
example.com. IN MX 1 aspmx.l.google.com.
example.com. IN TXT "v=spf1 include:_spf.google.com ~all"
Best Practices
Use Multiple Nameservers
Avoid single points of failure.
Enable DNSSEC
Protect against spoofing. Sign the zone, publish the DS record at your registrar, and treat key rollovers as a change procedure: the new DS must be in the parent before the old key is retired, or validating resolvers will fail the whole zone.
Set Reasonable TTLs
Recommended:
300 seconds during migrations (lower it at least one old-TTL period before the change, so every cached copy has already expired when you cut over)
3600+ seconds for stable systems
Monitor Domain Expiry
An expired registration takes the whole domain offline, and once the grace period passes someone else can register it.
Use monitoring tools like:
- Uptime Kuma
- Better Stack
- Cron jobs with WHOIS checks
Use Reliable DNS Providers
Popular choices:
- Cloudflare
- AWS Route53
- Google Cloud DNS
- NS1
Final Thoughts
DNS is one of the foundational technologies of the internet.
Even though it usually works silently in the background, understanding how DNS operates is essential for:
- DevOps engineers
- Backend developers
- Site reliability engineers
- Security engineers
- System administrators
Whether you’re deploying Kubernetes clusters, managing production APIs, or troubleshooting email delivery, DNS knowledge becomes incredibly valuable.
The better you understand DNS, the easier infrastructure debugging becomes.