Resources: Cloudflare DNS Learning Center (docs), https://www.cloudflare.com/learning/dns/what-is-dns/
What if your internet was 10x faster and no website ever failed to load?
Understanding DNS is the first step.
Every time you type google.com, your computer has no idea what that means; it only understands numbers (IP addresses). DNS is the invisible translator that makes the entire internet usable.
And it does this on a staggering scale: the large public resolvers alone answer trillions of queries a day.
By the end of this guide, you’ll:
- ✅ Understand exactly what DNS does (and why it matters)
- ✅ See how a DNS lookup works, step-by-step
- ✅ Know how to troubleshoot DNS problems
- ✅ Speed up your browsing with better DNS servers
Let’s decode the internet’s phone book.
The Analogy: The Internet’s Phone Book
Imagine trying to call a friend but only knowing their name, not their number. You’d need a phone book to look up the number.
DNS is that phone book for the internet.
- Domain name = a person's name (google.com)
- IP address = their phone number (142.250.185.46)
- DNS = the phone book that connects them
Without DNS, you’d have to memorize numbers like 142.250.185.46 instead of just typing google.com. Not fun.
The DNS Lookup Process
When you type a URL in your browser, here's what happens, usually in a fraction of a second:
Step 0: The hosts File (Checked Before Everything)
Before any DNS query is sent, the operating system's resolver library consults a local text file called hosts. It is the original way of mapping names to addresses and predates DNS itself:
- Linux/macOS path: /etc/hosts
- Windows path: C:\Windows\System32\drivers\etc\hosts
- Entries here override DNS for that machine, which makes the file handy in testing (pointing a production hostname at a staging server, for example)
- Malware commonly modifies this file to redirect domains: a bank's hostname to a phishing server, or an antivirus update server to 127.0.0.1 so updates silently fail
A typical entry looks like 127.0.0.1 localhost. If a match is found here, the lookup stops immediately and no query leaves your machine. On Linux this ordering is set by the hosts: line in /etc/nsswitch.conf (normally files dns). Note that dig and nslookup talk to DNS directly and never consult hosts, so "dig says one thing, the browser does another" is itself a strong hint to look at this file.
Hosts-file hijacking is the cheap cousin of real DNS poisoning: no network attack needed, just write access to one file. If a website behaves strangely or resolves to an unexpected IP, hosts is the first place to check, and it should be writable only by administrators.
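The check described above (is anything in hosts steering a name somewhere it should not go?) is easy to automate. The following is an added example, not code from the original page: it parses a hosts file, treats loopback and 0.0.0.0 mappings as the normal benign case, and flags everything else. The watchlist of "interesting" name fragments and the sample hosts file are both invented for this example; point it at the real file by passing the path on the command line.

```python
"""Audit a hosts file for entries that look like hijacks (added example).

A benign hosts file maps names to loopback (127.0.0.1, ::1) or to the
unspecified address 0.0.0.0 (the usual "blackhole" used by ad blockers).
Anything that steers a name to some *other* address deserves a look.
"""
import ipaddress
import platform
import sys

# Assumption for the example: name fragments an attacker would most want to redirect.
WATCHLIST = ("bank", "login", "update", "paypal", "microsoft", "google")


def hosts_path() -> str:
    """Location of the hosts file on the current OS."""
    if platform.system() == "Windows":
        return r"C:\Windows\System32\drivers\etc\hosts"
    return "/etc/hosts"


def parse_hosts(text: str):
    """Yield (line_no, address, [names]) for every effective entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                               # malformed: nothing is mapped
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # first field is not an address
        yield line_no, addr, fields[1:]


def audit_hosts(text: str):
    """Return findings as (line_no, address, name, reason) tuples."""
    findings = []
    for line_no, addr, names in parse_hosts(text):
        harmless = addr.is_loopback or addr.is_unspecified
        for name in names:
            if not harmless:
                findings.append((line_no, str(addr), name,
                                 "name redirected to a non-local address"))
            elif any(word in name.lower() for word in WATCHLIST):
                # Sinkholing a watched name to loopback is how malware blocks updates.
                findings.append((line_no, str(addr), name,
                                 "watched name forced to a local address"))
    return findings


# Constructed sample file for the demo (not a real hosts file).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1   localhost
::1         localhost ip6-localhost
0.0.0.0     ads.tracker.example                  # ad-blocker style sinkhole, fine
203.0.113.7 www.bank.example login.bank.example  # steered to an outside host
127.0.0.1   update.example                       # update server sinkholed
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    for line_no, addr, name, reason in audit_hosts(text):
        print(f"line {line_no}: {addr:<14} {name:<24} {reason}")
```

Run it without arguments to see the three findings from the sample, or as `python audit_hosts.py /etc/hosts` (or the Windows path) against a real machine. A corporate hosts file may legitimately map internal names to private addresses, so treat the "non-local address" finding as a prompt to look, not as proof of compromise.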
Step 1: Browser Cache Check
If no match in hosts, your browser checks its own memory. “Have I looked this up recently?”
Chrome exposes its cache at chrome://net-internals/#dns, which also has a "Clear host cache" button:
- Clear the cache there if you're having DNS issues that survive an OS-level flush
- •Each entry has a TTL (time to live)
If the browser finds a cached record, the lookup ends here. Fast!
Step 2: Operating System Cache
If the browser doesn’t have it, it asks the operating system. Your OS maintains its own DNS cache.
View the Windows DNS cache:
```
ipconfig /displaydns
ipconfig /displaydns | findstr google
```
View Linux DNS cache statistics (systemd-resolved):
```
resolvectl statistics
```
On Linux this cache only exists when systemd-resolved (or a local caching daemon such as dnsmasq or unbound) is running; the plain glibc stub resolver does not cache at all, so every lookup goes straight to the resolver listed in /etc/resolv.conf.
Step 3: Recursive Resolver Query
If neither cache has the answer, your computer sends a query to a recursive resolver — usually your ISP’s DNS server or a public resolver like Cloudflare (1.1.1.1) or Google (8.8.8.8).
Think of the recursive resolver as a helpful librarian. They don’t know everything, but they know exactly how to find the answer by asking the right sources.
Step 4: Root → TLD → Authoritative
The resolver walks down the DNS hierarchy, sending the same question ("what is the address of www.google.com?") to each level and getting back a referral to the next:
- Root servers: the 13 named root servers (a.root-servers.net through m.root-servers.net, e.g. 198.41.0.4) anchor the entire DNS system. Each name is served by many machines sharing one address via anycast, well over a thousand instances worldwide in total, so "13 root servers" means 13 logical identities, not 13 machines. The root does not know google.com; it answers with a referral: "the .com nameservers are ..."
- TLD servers: the .com registry (run by Verisign) answers with the next referral: "google.com is served by ns1.google.com ..."
- Authoritative server: the nameserver Google controls finally answers with the record itself: "here's the IP for www.google.com"
Step 5: Response & Caching
The IP address travels back through the chain, getting cached at each level for future requests.
Total time: typically 20-120 milliseconds. Your browser now connects to the IP address and loads the website!
DNS Record Types
DNS doesn’t just store IP addresses. Here are the most common record types:
| Record | Purpose | Example |
|---|---|---|
| A | Maps domain to IPv4 address | google.com → 142.250.185.46 |
| AAAA | Maps domain to IPv6 address | google.com → 2607:f8b0:4004:... |
| CNAME | Alias pointing to another domain | www.example.com → example.com |
| MX | Mail server for the domain | gmail.com → alt1.gmail-smtp-in.l.google.com |
| TXT | Free-form text (SPF, DKIM, domain-verification tokens) | example.com → "v=spf1 mx -all" |
| NS | Nameserver for the domain | google.com → ns1.google.com |
| PTR | Reverse lookup: IP → hostname | 142.250.185.46 → a Google hostname (PTR names rarely equal the forward name; Google's end in 1e100.net) |
| SOA | Start of Authority / zone metadata | Name, serial, refresh, retry info |
TTL: The DNS Cache Expiry Clock
Every DNS record has a TTL (Time to Live) — a countdown (in seconds) that tells caches how long to store the answer:
| TTL Value | Duration | Best Used For |
|---|---|---|
| 300 | 5 minutes | Records you change often (rapid deployment) |
| 3600 | 1 hour | Standard A/CNAME records |
| 86400 | 24 hours | Stable records (MX, NS) |
| 604800 | 7 days | Almost never changes (NS records of very stable zones) |
Planning to move your site to a new host? Lower your TTL to 300 (5 minutes) at least one old TTL before the switch (48 hours is a safe rule of thumb, since it covers any TTL up to 172800). Then when you update the A record, all caches expire quickly and traffic switches within minutes instead of days. Keep the old host serving (or proxying to the new one) for a while anyway: a few resolvers ignore low TTLs and enforce a minimum of their own.
The "48-hour propagation" myth: DNS doesn't take 48 hours to propagate. It takes as long as the previous TTL. If your old A record had TTL=172800 (48h), then yes, it'll take 48h. With TTL=300, it's 5 minutes.
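Steps 1 to 5 above describe the lookup in prose, and the two tables list record types and TTLs; the following added example (not code from the original page) shows where those things live in an actual packet. It builds the query a stub resolver sends, parses a response including name compression, and models a cache that honours TTL the way a resolver does, handing an answer on with its remaining TTL rather than the original one. The response bytes are constructed for the example and 203.0.113.10 is a documentation address, not a real host.

```python
"""DNS wire format and TTL-aware caching, by hand (added example).

Builds a stub-resolver query, parses a response with name compression,
and models a cache that returns the *remaining* TTL on a hit.
"""
import struct

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR",
              15: "MX", 16: "TXT", 28: "AAAA"}
TYPE_CODES = {v: k for k, v in TYPE_NAMES.items()}


def encode_name(name: str) -> bytes:
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, rtype: str, txid: int = 0x1234) -> bytes:
    """12-byte header (RD=1, one question) followed by the question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_CODES[rtype], 1)


def decode_name(msg: bytes, offset: int):
    """Read a name at offset, following 0xC0xx compression pointers.
    Returns (dotted name, offset just past the name as it appeared)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:                   # pointer to an earlier name
            if not jumped:
                end = offset + 2                      # the pointer itself is 2 bytes
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumped, hops = True, hops + 1
            if hops > 64:                             # malformed packet: pointer loop
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg: bytes) -> dict:
    """Return header facts plus (name, type, ttl, rdata) for every record."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off = 12
    for _ in range(qd):                               # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4                                      # QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1:                                # A: four raw octets
            rdata = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype in (2, 5, 12):                     # NS, CNAME, PTR carry a name
            rdata = decode_name(msg, off)[0]
        elif rtype == 15:                             # MX: 16-bit preference + name
            rdata = f"{(msg[off] << 8) | msg[off + 1]} " + decode_name(msg, off + 2)[0]
        else:
            rdata = msg[off:off + rdlen].hex()
        off += rdlen
        records.append((name, TYPE_NAMES.get(rtype, str(rtype)), ttl, rdata))
    return {"id": txid, "rcode": flags & 0xF, "aa": bool(flags & 0x0400),
            "records": records}


class TtlCache:
    """Resolver-style cache: an entry dies when its countdown reaches zero,
    and a hit is returned with the time *left*, not the original TTL."""

    def __init__(self):
        self._store = {}

    def put(self, name, rtype, ttl, rdata, now):
        self._store[(name, rtype)] = (now + ttl, rdata)

    def get(self, name, rtype, now):
        entry = self._store.get((name, rtype))
        if entry is None or entry[0] <= now:
            self._store.pop((name, rtype), None)      # expired: evict and miss
            return None
        return entry[0] - now, entry[1]


def sample_response() -> bytes:
    """Constructed reply (not captured traffic): www.example.com CNAME example.com
    (TTL 300) then example.com A 203.0.113.10 (TTL 3600). 0xC00C points at
    offset 12 (www.example.com), 0xC010 at offset 16 (example.com)."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)   # QR, RD, RA set
    question = encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    cname = b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, 2) + b"\xc0\x10"
    a = b"\xc0\x10" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([203, 0, 113, 10])
    return hdr + question + cname + a
```

`build_query("www.example.com", "A")` produces exactly the bytes a stub resolver would send to port 53, and `parse_response(sample_response())` yields the CNAME (TTL 300) and A (TTL 3600) records. Put them into a `TtlCache` with `now=1000` and `get(..., now=1200)` returns the CNAME with 100 seconds left; at `now=1300` it is gone, which is the mechanism behind the TTL advice above. The pointer-loop guard in `decode_name` matters because a resolver that follows compression pointers blindly can be spun forever by a crafted packet.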
Reverse DNS: PTR Records
Forward DNS maps a name to an IP (google.com → 142.250.185.46). Reverse DNS does the opposite: IP to name. The PTR record lives in a special tree, in-addr.arpa for IPv4 and ip6.arpa for IPv6, under an owner name built from the address written backwards (8.8.8.8 becomes 8.8.8.8.in-addr.arpa, 142.250.185.46 becomes 46.185.250.142.in-addr.arpa). That tree is controlled by whoever holds the address block (your ISP or cloud provider), not by the domain owner, so you normally have to ask them to set a PTR.
Reverse DNS lookup: find the hostname for an IP address
```
dig -x 8.8.8.8 +short
```
- On Windows: nslookup 8.8.8.8
- Used by mail servers as a spam signal: the PTR name is looked up forward again and must lead back to the same IP (forward-confirmed reverse DNS)
- traceroute uses reverse DNS to show readable hostnames instead of IPs
Reverse DNS matters for:
- Email deliverability: sending hosts without a matching PTR are frequently rejected or scored as spam
- Security logs: human-readable names next to IPs in auth logs and firewalls (whoever controls a range can publish any PTR for it, so treat the name as a label, never as proof of identity)
- traceroute output: hostnames instead of bare IP addresses
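The anti-spam check mentioned above is worth seeing in full, because the PTR alone proves nothing. The following is an added example, not code from the original page: it builds the in-addr.arpa / ip6.arpa owner name by hand (so you can see the reversed-octet and reversed-nibble formats) and then performs forward-confirmed reverse DNS. The lookups are injected functions backed by a constructed table (203.0.113.0/24 and 2001:db8:: are documentation ranges), so it runs offline; swap in real resolver calls to use it against live DNS.

```python
"""Reverse-DNS owner names and forward-confirmed reverse DNS (added example).

An address becomes the owner name of its PTR record; a mail server then
looks that name up *forward* and insists it leads back to the same address.
"""
import ipaddress


def ptr_name(ip: str) -> str:
    """IPv4: reversed octets under in-addr.arpa; IPv6: reversed nibbles under ip6.arpa."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")          # 32 zero-padded hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


# Constructed sample zone data for the demo (not real DNS records).
SAMPLE_PTR = {
    ptr_name("203.0.113.25"): ["mail.example.net."],    # consistent pair
    ptr_name("203.0.113.26"): ["mail.example.net."],    # forged PTR; forward disagrees
    ptr_name("2001:db8::25"): ["mail6.example.net."],
}
SAMPLE_FORWARD = {
    "mail.example.net.": ["203.0.113.25"],
    "mail6.example.net.": ["2001:db8::25"],
}


def lookup_ptr(ip: str, table=SAMPLE_PTR):
    """Stand-in for a PTR query; returns the list of names (possibly empty)."""
    return table.get(ptr_name(ip), [])


def lookup_forward(host: str, table=SAMPLE_FORWARD):
    """Stand-in for A/AAAA queries on a hostname."""
    return table.get(host.lower().rstrip(".") + ".", [])


def fcrdns(ip: str, ptr_lookup=lookup_ptr, fwd_lookup=lookup_forward):
    """Forward-confirmed reverse DNS.

    Returns (verdict, hostname): verdict is 'no-ptr', 'mismatch' or 'confirmed'.
    Whoever controls the reverse zone can publish any PTR they like, so the
    forward step is what gives this check its teeth."""
    target = ipaddress.ip_address(ip)
    names = ptr_lookup(ip)
    if not names:
        return "no-ptr", None
    for name in names:
        if any(ipaddress.ip_address(a) == target for a in fwd_lookup(name)):
            return "confirmed", name
    return "mismatch", None


if __name__ == "__main__":
    for ip in ("203.0.113.25", "203.0.113.26", "203.0.113.27", "2001:db8::25"):
        print(f"{ip:<14} {ptr_name(ip)}  ->  {fcrdns(ip)}")
```

Python's `ipaddress.ip_address(x).reverse_pointer` computes the same owner name (without the trailing dot); the hand-rolled version is here so the nibble format for IPv6 is visible. In a real mail filter the two lookup functions would wrap your resolver library, and a "mismatch" or "no-ptr" verdict typically adds to the spam score rather than rejecting outright.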
Troubleshooting DNS
When websites won’t load, DNS is often the culprit. Here’s how to diagnose:
Query DNS servers directly
```
nslookup [domain] [dns-server]
```
```
nslookup google.com 8.8.8.8
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
Name:    google.com
Address:  142.250.185.46
```
- Use 8.8.8.8 or 1.1.1.1 to test whether your ISP's DNS is the problem
- "Non-authoritative answer" means it came from a recursive resolver (which may have served it from cache) rather than from the domain's own nameservers; it does not by itself mean the answer is stale
Detailed DNS lookup (Linux/Mac)
```
dig [domain] [record-type]
```
```
dig google.com A +short
142.250.185.46
```
- +short gives just the answer
- +trace shows the full resolution path from the root down
- @server (for example dig @1.1.1.1 google.com) sends the query to a specific resolver
Common DNS Issues
Changed your DNS records? Caches keep the old answer until its TTL runs out, so the change is visible everywhere only once the previous TTL has elapsed: minutes for a low TTL, up to a day or two for a high one. The "48 hours" often quoted is a worst case, not a fixed delay.
Symptoms of DNS problems:
- "Server not found" or "DNS_PROBE_FINISHED_NXDOMAIN" (the resolver says the name does not exist: a typo, an expired domain, or a broken delegation)
- Website works on one device but not another (different caches or different resolvers)
- Can reach sites by IP but not by domain name
Quick fixes:
- Flush your DNS cache (on Windows with ipconfig, on Linux with systemd-resolved via resolvectl) and clear the browser's own cache as well
- Try a different DNS server (1.1.1.1 or 8.8.8.8)
- Check that the domain is registered and not expired (whois shows the expiry date and the nameservers the registry has on file)
DNS Security: Why it Matters
Standard DNS is unencrypted. Anyone on your network (coffee shop hacker, ISP) can see exactly which websites you visit.
Solution: DoH and DoT
| Protocol | Full Name | How | Port |
|---|---|---|---|
| DoT | DNS over TLS | Dedicated encrypted DNS tunnel | 853 |
| DoH | DNS over HTTPS | DNS queries inside regular HTTPS | 443 |
Both encrypt the query between you and the resolver, so your ISP and anyone sniffing the local network see only a TLS connection, not the names you look up. Two caveats: the resolver operator (Cloudflare, Google, ...) still sees every query, so you are choosing whom to trust rather than hiding from everyone; and the hostname usually leaks anyway through the TLS handshake (SNI) and the destination IP unless the site supports Encrypted Client Hello.
Enable Secure DNS in Chrome:
- Go to chrome://settings/security
- Scroll to "Advanced" → "Use secure DNS"
- Select "With: Cloudflare (1.1.1.1)" or "Google (8.8.8.8)"
You can also make a raw DNS-over-HTTPS query from the terminal: Cloudflare's resolver answers a GET to https://cloudflare-dns.com/dns-query?name=example.com&type=A with a JSON document when the request carries an Accept: application/dns-json header.
- The JSON form (Status, an Answer array with name/type/TTL/data, and the AD flag) is easier to read than the binary DNS wire format browsers actually send over DoH
- Handy for testing whether DoH works from a given network without touching browser settings
Public DNS Server Comparison:
| Resolver | Primary IP | Strengths |
|---|---|---|
| Cloudflare | 1.1.1.1 | Very fast, strong privacy policy |
| Google | 8.8.8.8 | Reliable, large anycast network |
| Quad9 | 9.9.9.9 | Blocks known-malicious domains automatically |
| OpenDNS | 208.67.222.222 | Parental controls and content filtering |
Even with DoH/DoT you can't be certain the answer hasn't been tampered with upstream of the resolver. DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records, so a validating resolver can verify that an answer was published by the legitimate zone owner and wasn't forged; the resolver then sets the ad (authenticated data) flag in its reply. Check whether a zone is signed and whether your resolver validates it:
```
dig +dnssec example.com A
```
A signed answer carries RRSIG records alongside the A records, and the header shows ad among the flags if the resolver validated the chain. The parent's DS record is the other half of the chain: `dig example.com DS +short` returns something only for signed delegations. Note that google.com is not DNSSEC-signed, so querying it with +dnssec shows no RRSIG at all; example.com is signed and makes a better test. Remember too that the ad flag is an assertion by the resolver, so it is only as trustworthy as the resolver and the (ideally DoH/DoT-protected) path to it.
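The chain of trust described above hinges on the parent's DS record matching the child's DNSKEY. The following is an added example, not code from the original page: it reproduces the two computations involved, the RFC 4034 key tag and the DS digest (SHA-256 over the owner name in wire form followed by the DNSKEY RDATA), so you can cross-check `dig <zone> DS +short` against `dig <zone> DNSKEY +short` offline. The DNSKEY used in the demo is a four-byte placeholder invented for this example, not any real zone's key.

```python
"""Cross-check a DS record against a DNSKEY (added example).

The parent zone's DS commits to the child's key:
    digest = H( owner-name-in-wire-format || DNSKEY RDATA )
and both records identify the key by a 16-bit key tag (RFC 4034 App. B).
"""
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def encode_name(name: str) -> bytes:
    """Owner name in canonical wire form: lower-cased, length-prefixed labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA as it appears on the wire: flags, protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except obsolete RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8      # sum RDATA as big-endian 16-bit words
    acc += (acc >> 16) & 0xFFFF                  # fold the carry back in
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """Upper-case hex digest exactly as dig prints it in a DS record."""
    try:
        h = DIGESTS[digest_type]
    except KeyError:
        raise ValueError(f"unsupported DS digest type {digest_type}") from None
    return h(encode_name(owner) + rdata).hexdigest().upper()


def parse_ds_short(line: str):
    """'370 13 2 BE74...' (dig +short) -> (key_tag, algorithm, digest_type, digest)."""
    tag, alg, dtype, digest = line.split(None, 3)
    return int(tag), int(alg), int(dtype), digest.replace(" ", "").upper()


def parse_dnskey_short(line: str):
    """'257 3 13 AwEA...' (dig +short; dig splits the base64 with spaces)."""
    flags, proto, alg, key = line.split(None, 3)
    return int(flags), int(proto), int(alg), key.replace(" ", "")


def ds_matches(owner: str, ds, dnskey) -> bool:
    """True when the DS (tag, alg, digest type, digest) commits to this DNSKEY."""
    tag, alg, dtype, digest = ds
    flags, proto, kalg, key_b64 = dnskey
    if not flags & 0x0100:                       # bit 7 (value 256) = Zone Key; DS must
        return False                             # point at a zone key (256 ZSK, 257 KSK)
    rdata = dnskey_rdata(flags, proto, kalg, key_b64)
    return alg == kalg and key_tag(rdata) == tag and ds_digest(owner, rdata, dtype) == digest


# Constructed demo key: four filler bytes, NOT a usable ECDSA P-256 key.
DEMO_DNSKEY = parse_dnskey_short("257 3 13 AQIDBA==")


def demo_ds(owner: str = "example.com"):
    """What the parent zone would have to publish for DEMO_DNSKEY."""
    rdata = dnskey_rdata(*DEMO_DNSKEY)
    return key_tag(rdata), DEMO_DNSKEY[2], 2, ds_digest(owner, rdata, 2)


if __name__ == "__main__":
    ds = demo_ds()
    print("DS:", *ds)
    print("matches own key:", ds_matches("Example.COM.", ds, DEMO_DNSKEY))
    print("tampered key:  ", ds_matches("example.com", ds, parse_dnskey_short("257 3 13 AQIDBQ==")))
```

To use it on a real zone, paste each line of `dig <zone> DNSKEY +short` into `parse_dnskey_short` and each line of `dig <zone> DS +short` into `parse_ds_short`; at least one DS must satisfy `ds_matches` against a DNSKEY with flags 257 (the key-signing key) for the delegation to be valid. Owner-name case does not matter because the canonical form is lower-cased before hashing, which is also why the demo accepts "Example.COM.".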
Key Takeaways
- DNS translates domain names to IP addresses — it’s the internet’s phone book
- Step 0 is the hosts file (/etc/hosts on Linux/macOS), always checked before any network query leaves your machine
- The lookup chain: hosts → browser cache → OS cache → recursive resolver → root → TLD → authoritative
- 13 named root servers, well over a thousand physical instances, distributed via anycast worldwide
- TTL controls caching — lower it before migrations; the “48h propagation” myth is just high TTL
- PTR records enable reverse DNS — critical for email and security logs
- DoH/DoT encrypts your DNS; use 1.1.1.1 or 9.9.9.9 for privacy (the resolver you pick still sees every query)
- DNSSEC cryptographically signs records so a validating resolver can detect tampering
💻 Hands-On Challenge
Try these right now to cement your understanding:
- Look up your own site: dig yourdomain.com A +short
- Trace the full resolution path: dig +trace google.com (watch it query root → TLD → authoritative)
- Find who handles Gmail's email: dig gmail.com MX +short
- Find the hostname behind an IP: dig -x 8.8.8.8 +short (the PTR name hints at who runs that address space; whois 8.8.8.8 gives the registered holder)
- Flush your DNS cache and reload a page to see the full lookup time
What’s Next?
You now understand how DNS works! Ready for the next step?
- How the Internet Works: Follow your data’s complete journey from browser to server
- TCP/IP Explained: Deep dive into the protocols that power the internet
- Network Troubleshooting: Become a debugging expert