
How DNS Works: The Internet's Phone Book Explained Step by Step

Every time you type a URL, DNS translates it into an IP address. Understanding the full lookup chain — and the types of DNS records — demystifies a huge amount of networking, debugging, and security.


What DNS Does

The Domain Name System (DNS) is the distributed database that translates human-readable domain names (example.com) into IP addresses (93.184.216.34). Without DNS, you'd need to remember the IP address of every website you visit.

The Full Lookup Chain

When your browser navigates to api.example.com for the first time:

**1. Local cache check** — your browser checks if it already has a cached answer from a previous lookup.

**2. Recursive resolver** — if not cached, your computer asks a recursive DNS resolver (usually provided by your ISP or a public resolver like 8.8.8.8). The resolver will do the work of finding the answer.

**3. Root nameservers** — if the resolver doesn't have the answer cached, it asks one of the 13 root nameserver clusters. The root servers don't know the answer but they know where to find information about .com domains — they point to the .com TLD nameservers.

**4. TLD nameservers** — the resolver asks the .com TLD nameservers. They know which nameservers are authoritative for example.com and point there.

**5. Authoritative nameserver** — the resolver asks the nameserver that's authoritative for example.com. This nameserver has the actual DNS records and returns the A record (IP address) for api.example.com.

**6. Response and caching** — the IP address travels back to your browser. Every step in the chain caches the result for the duration of the record's TTL (Time To Live).

The whole process typically takes 20–120ms on first lookup, and effectively zero for cached lookups.

DNS Record Types

**A record** — maps a domain to an IPv4 address. The most common record type. example.com → 93.184.216.34

**AAAA record** — maps a domain to an IPv6 address. example.com → 2606:2800:220:1:248:1893:25c8:1946

**CNAME record** — creates an alias from one domain to another. A CNAME points to another domain name, not an IP address. www.example.com → example.com

**MX record** — specifies mail servers for a domain. Email sent to @example.com is routed to the server(s) listed in MX records.

**TXT record** — stores arbitrary text. Used for domain verification (Google Search Console, SSL certificate issuance), SPF email authentication, and DKIM public keys.

**NS record** — specifies which nameservers are authoritative for a domain.

**SOA record** — Start of Authority. Contains administrative information about the zone, including the primary nameserver and the email address of the zone administrator.

**SRV record** — specifies a host and port for a specific service. Used by services like SIP (voice over IP) and XMPP.

**CAA record** — Certificate Authority Authorization. Specifies which certificate authorities are allowed to issue SSL certificates for a domain — reduces the risk of rogue certificate issuance.

TTL: Why DNS Changes Take Time

Every DNS record has a Time To Live (TTL) — the number of seconds that resolvers should cache the record. A TTL of 3600 means resolvers cache the answer for 1 hour before asking again.

When you change a DNS record, the old record stays cached at resolvers around the world until its TTL expires. This is why "DNS propagation" can take up to 48 hours (if TTL is set high). To migrate a domain with minimal downtime, lower the TTL to 300–600 seconds 24 hours before the change, make the change, then raise the TTL back after the migration is stable.
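To make the record types and TTLs above concrete, here is an added example (not from the original article) that parses a DNS response in the wire format resolvers exchange over port 53 and returns each answer's name, type, TTL and data. The message bytes are constructed by hand for www.example.com (a CNAME followed by an A record) and are not a real capture; the parser follows name-compression pointers and refuses a looping pointer rather than hanging on it.

```python
import struct
import ipaddress

TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA", 33: "SRV", 257: "CAA"}

def read_name(msg, off):
    """Decode a possibly compressed name at msg[off]; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:        # 11xxxxxx: 2-byte pointer elsewhere in the message
            hops += 1
            if hops > 16:                  # refuse looping pointers instead of hanging
                raise ValueError("compression pointer loop")
            end = off + 2 if end is None else end   # the name ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        else:                              # plain label: length byte, then the text
            labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
            off += 1 + msg[off]
    return ".".join(labels), (off + 1 if end is None else end)

def parse_response(msg):
    """Return the answer section as (name, type, ttl, rdata) tuples."""
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qdcount):               # skip the question: QNAME + QTYPE + QCLASS
        off = read_name(msg, off)[1] + 4
    answers = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype in (1, 28):               # A / AAAA: packed 4- or 16-byte address
            value = str(ipaddress.ip_address(msg[off:off + rdlen]))
        elif rtype in (2, 5):              # NS / CNAME: another name, may use pointers
            value = read_name(msg, off)[0]
        else:                              # other types: leave the rdata hex-encoded
            value = msg[off:off + rdlen].hex()
        answers.append((name, TYPES.get(rtype, str(rtype)), ttl, value))
        off += rdlen
    return answers

# Constructed sample, not a capture: www.example.com CNAME example.com (TTL 3600), then
# example.com A 93.184.216.34 (TTL 300). Pointers 0xC00C / 0xC010 target offsets 12 / 16.
SAMPLE = (struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0)          # header: 1 question, 2 answers
          + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
          + b"\xC0\x0C" + struct.pack("!HHIH", 5, 1, 3600, 2) + b"\xC0\x10"
          + b"\xC0\x10" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34]))

if __name__ == "__main__":
    print(*parse_response(SAMPLE), sep="\n")   # one (name, type, ttl, rdata) tuple per line
```

Note that each answer carries its own TTL, which is why a CNAME and the A record it points to can expire from a resolver's cache at different times.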

DNS Security Concerns

**DNS spoofing / cache poisoning** — an attacker injects false DNS records into a resolver's cache, redirecting users to malicious servers. DNSSEC counters this by cryptographically signing DNS records, so a validating resolver can reject forged answers.

**DNS over HTTPS (DoH)** and **DNS over TLS (DoT)** encrypt DNS queries in transit, preventing ISPs and on-path network attackers from seeing which domains you're looking up. The resolver you send the queries to still sees them, and neither protocol verifies the records themselves; that is what DNSSEC is for.

**Authoritative nameserver compromise** — if an attacker gains access to your domain registrar or DNS host, they can modify your DNS records directly. Use strong credentials and registrar lock.

Debugging DNS

dig example.com A — query a domain's A records (Linux/macOS)
nslookup example.com — Windows equivalent
dig @8.8.8.8 example.com — query a specific resolver
dig +trace example.com — show the full lookup chain from root to authoritative

NoxaKit's DNS Record Formatter helps you structure and validate DNS zone file syntax before deploying changes to your nameserver.
