← All posts
6 min read

DNS: Names for Internet Addresses and Other Routing Information

#technology#computer-science#dns#web
📑 On this page

People remember example.com more easily than an IP address, and a service may change servers without asking every user to learn a new location.

The Domain Name System provides the indirection.

DNS is a distributed hierarchical database that answers questions about domain names, including which network addresses and services are associated with them.

DNS does not carry the website itself. It gives the client information needed before or during connection.

Names form a hierarchy

DNS names are read from right to left in a hierarchy:

www.example.com.

The final dot represents the DNS root and is usually omitted.

Levels include:

  • Root
  • Top-level domain such as com
  • Registered domain such as example.com
  • Subdomain or host such as www.example.com

Responsibility can be delegated at each level.

The root does not store every website address. It points toward top-level-domain name servers, which point toward authoritative servers for registered domains.

Stub resolver and recursive resolver

An application usually does not contact the whole DNS hierarchy itself.

The operating system provides a stub resolver that asks a configured recursive resolver.

The recursive resolver may be operated by:

  • Internet provider
  • Company
  • Public DNS service
  • Local router

It takes responsibility for obtaining the final answer and caches results for later clients.

A concrete lookup

Suppose the browser needs www.example.com.

  1. It checks browser and operating-system caches.
  2. The stub resolver asks the recursive resolver.
  3. If uncached, the resolver asks a root server where to find .com.
  4. It asks a .com server where to find example.com.
  5. It asks the domain's authoritative server for www.example.com.
  6. The authoritative server returns an address record or another instruction.
  7. The resolver caches the result.
  8. The browser receives the address and connects.

Later lookups may skip most steps because of caching.

Common record types

DNS stores typed records.

A

Maps a name to an IPv4 address.

AAAA

Maps a name to an IPv6 address.

CNAME

Makes one name an alias for another canonical name.

MX

Identifies mail servers for a domain.

TXT

Stores text used for ownership proof, email security policy, and other metadata.

NS

Identifies authoritative name servers for a zone.

DNS answers many questions beyond web addresses.

Authoritative servers and zones

An authoritative server holds records for a DNS zone.

A zone is an administratively managed portion of the namespace. It can delegate a subdomain to different name servers.

For example:

example.com

can delegate:

research.example.com

to another team.

The registered domain and DNS hosting provider can be separate companies. Domain registration controls delegation; authoritative DNS hosting serves the records.

Caching and TTL

Records include a time to live, or TTL, telling caches how long the answer may be reused.

Caching:

  • Speeds lookups
  • Reduces authoritative-server load
  • Improves resilience during brief outages

It also delays changes.

If an address record has a one-hour TTL, resolvers that cached the old answer may continue using it until expiration.

Before a planned migration, operators often lower TTL in advance, wait for old caches to expire, then change the record.

Negative caching

DNS can also cache the fact that a name or record does not exist.

If you query a new record immediately after previously receiving a nonexistence answer, a resolver may retain that negative result for a configured period.

This explains why creating a record can appear ineffective even when the authoritative server is correct.

Check authoritative and recursive answers separately.

Round-robin and traffic steering

A name can return several addresses.

Clients or resolvers may choose among them, providing basic distribution.

Modern DNS services can answer differently based on:

  • Geography
  • Health checks
  • Network location
  • Policy
  • Latency estimates

DNS-based steering is useful but not instant. Cached answers remain active, and DNS does not know whether a client successfully completed every later request.

Load balancers provide more direct per-connection control.

DNS failures

If DNS fails, a network can appear completely broken even when IP connectivity works.

Symptoms include:

  • Names fail but direct IP tests work
  • Some domains fail
  • Stale addresses
  • Slow first connection

Causes include:

  • Resolver outage
  • Wrong records
  • Expired registration
  • Broken delegation
  • Firewall blocking DNS
  • DNSSEC validation failure

Diagnostic tools such as nslookup, dig, and Resolve-DnsName can query particular record types and servers.

DNS security

Traditional DNS answers can be forged or modified if an attacker controls part of the path.

DNSSEC adds signatures so validating resolvers can verify that records came from the expected DNS hierarchy and were not altered.

DNSSEC does not encrypt queries and does not prove the destination service is trustworthy. It authenticates DNS data.

DNS over HTTPS and DNS over TLS encrypt queries between a client and recursive resolver, improving privacy on that segment.

The recursive resolver still sees queries, and authoritative lookups may remain visible elsewhere.

DNS and the hosts file

Operating systems can consult a local hosts file that manually maps names to addresses.

A hosts-file entry can override DNS for that machine, useful for development and testing.

It does not scale like DNS:

  • Changes are manual
  • No distributed delegation
  • No automatic expiry
  • Easy to become stale

Malware has historically modified hosts files to redirect security or banking names, so unexpected entries deserve investigation.

Common misunderstandings

"DNS stores websites"

DNS stores naming information. Web content is served separately.

"One domain always maps to one server"

It can map to multiple addresses, aliases, load balancers, or distributed services.

"Changing DNS makes every connection faster"

It can improve lookup time or reliability, but later routing and server performance are separate.

"DNSSEC encrypts domain lookups"

DNSSEC authenticates record integrity. Encrypted DNS protocols protect the query path to a resolver.

Knowledge check

1. What does a recursive resolver do?

It obtains DNS answers on behalf of clients, follows delegations where necessary, and caches results.

2. What is an authoritative DNS server?

It serves the official records for a DNS zone delegated to it.

3. Why do DNS changes appear gradually?

Resolvers retain old answers independently until their record TTLs expire.

4. What does DNSSEC protect?

It lets validators verify DNS-record authenticity and integrity; it does not encrypt the query or secure the website.

The one idea to remember

DNS is a delegated, cached directory for names and network-related records.

Resolvers navigate the hierarchy, authoritative servers provide official answers, and TTLs balance speed against how quickly changes become visible.

Next, we will take apart a complete URL and distinguish its scheme, host, path, query, and fragment.