DNS (Domain Name System) translates human-readable domain names to IP addresses. It’s the phonebook of the internet.
How DNS Resolution Works
- Local cache - Browser/OS checks local cache
- Recursive resolver - Query sent to ISP or configured resolver (e.g., 8.8.8.8)
- Root servers - Resolver queries root (.) for TLD location
- TLD servers - Returns authoritative nameserver for domain
- Authoritative server - Returns the actual record
- Response cached - Result cached based on TTL
User -> Resolver -> Root -> TLD (.com) -> Authoritative (example.com) -> IP
Record Types
| Type | Purpose | Example |
|---|---|---|
| A | IPv4 address | example.com. 300 IN A 93.184.216.34 |
| AAAA | IPv6 address | example.com. 300 IN AAAA 2606:2800:220:1:: |
| CNAME | Alias to another name | www.example.com. CNAME example.com. |
| MX | Mail server | example.com. MX 10 mail.example.com. |
| TXT | Text data (SPF, DKIM, verification) | example.com. TXT "v=spf1 ..." |
| NS | Nameserver delegation | example.com. NS ns1.example.com. |
| SOA | Start of Authority (zone metadata) | Serial, refresh, retry, expire, TTL |
| PTR | Reverse DNS (IP to name) | 34.216.184.93.in-addr.arpa. PTR example.com. |
| SRV | Service location | _sip._tcp.example.com. SRV 10 5 5060 sip.example.com. |
| CAA | Certificate Authority authorisation | example.com. CAA 0 issue "letsencrypt.org" |
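The resolution steps above and the record table both describe what travels inside a DNS message, so the following added example (written for this page; not code from the original, and not the code of any resolver it names) builds the query a stub resolver sends and parses a constructed response the way the recursive resolver's reply would be parsed: header and RCODE (the NXDOMAIN and SERVFAIL values listed under Common Issues), the question, and answer records with their TTLs and RDATA, including the name-compression pointers that real responses use. The response bytes, the transaction id 0x1234 and the TTLs 300 and 60 are constructed sample values, not captured traffic.

```python
import ipaddress
import struct

# RR type and RCODE numbers from the DNS wire format (RFC 1035 and successors).
QTYPE = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
         16: "TXT", 28: "AAAA", 33: "SRV", 257: "CAA"}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Turn 'www.example.com' into the length-prefixed label sequence."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=1, txid=0x1234):
    """Build the query a stub resolver sends: header with RD=1 plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def read_name(msg, offset):
    """Decode a name at `offset`, following 0xC0 compression pointers.
    Returns (name, offset just past the name as it appeared in the message)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if end is None:
                end = offset + 2                      # first pointer ends the field
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                             # refuse pointer loops
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end if end is not None else offset

def decode_rdata(msg, rtype, start, rdlen):
    """Render RDATA for the common types; anything else is returned as hex."""
    data = msg[start:start + rdlen]
    if rtype == 1:
        return str(ipaddress.IPv4Address(data))
    if rtype == 28:
        return str(ipaddress.IPv6Address(data))
    if rtype in (2, 5, 12):                           # NS, CNAME, PTR hold a name
        return read_name(msg, start)[0]
    if rtype == 15:                                   # MX: preference + name
        return f"{struct.unpack('!H', data[:2])[0]} {read_name(msg, start + 2)[0]}"
    if rtype == 16:                                   # TXT: <len><chars> strings
        parts, i = [], 0
        while i < len(data):
            parts.append(data[i + 1:i + 1 + data[i]].decode("ascii"))
            i += 1 + data[i]
        return " ".join(f'"{p}"' for p in parts)
    return data.hex()

def parse_response(msg):
    """Parse the header, question and answer sections of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, QTYPE.get(qtype, qtype)))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append({"name": name, "type": QTYPE.get(rtype, rtype), "ttl": ttl,
                        "data": decode_rdata(msg, rtype, off, rdlen)})
        off += rdlen
    return {"id": txid, "rcode": RCODE.get(flags & 0xF, flags & 0xF),
            "questions": questions, "answers": answers}

def build_sample_response(rcode=0):
    """Constructed reply to build_query('www.example.com') with QR/RD/RA set.
    rcode 0 carries a CNAME (TTL 300) and the target's A record (TTL 60), both
    using compression pointers into the question; any other rcode is an error
    reply with no answers, e.g. 3 for NXDOMAIN or 2 for SERVFAIL."""
    question = build_query("www.example.com")[12:]
    if rcode:
        return struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    # 0xC00C -> offset 12 ('www.example.com'), 0xC010 -> offset 16 ('example.com')
    cname = struct.pack("!HHHIH", 0xC00C, 5, 1, 300, 2) + struct.pack("!H", 0xC010)
    a_rr = struct.pack("!HHHIH", 0xC010, 1, 1, 60, 4) + bytes([93, 184, 216, 34])
    return header + question + cname + a_rr

if __name__ == "__main__":
    for rr in parse_response(build_sample_response())["answers"]:
        print(f"{rr['name']:<18} {rr['ttl']:>6} IN {rr['type']:<5} {rr['data']}")
    print(parse_response(build_sample_response(rcode=3))["rcode"])
```

Run stand-alone it prints the two answer records in the same name/TTL/class/type/data layout the record table uses, followed by NXDOMAIN for the error reply. The hop limit in read_name matters for anything that parses untrusted packets (a capture parser, a sinkhole, a detection rule): a crafted pointer loop would otherwise spin forever.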
TTL (Time To Live)
- Duration (seconds) a record can be cached
- Lower TTL = faster propagation, more queries
- Higher TTL = better performance, slower changes
- Common values: 300 (5 min), 3600 (1 hour), 86400 (1 day)
Tip: Lower TTL before making changes, then raise it after.
CLI Tools
- dig - Recommended, full-featured DNS lookup
- nslookup - Cross-platform, simpler output
- host - Quick lookups
Key dig options: +short (brief output), +trace (show resolution path), -x (reverse lookup), @server (query specific nameserver)
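Scripting against dig usually means parsing its answer section, which uses the same presentation format as the record table above (name, TTL, class, type, RDATA). The following added example (written for this page; not code from the original or from the dig project) parses a constructed answer section into records and runs the checks an operator typically wants before a change: the lowest TTL in the set (how long the old values can stay cached), the SPF policy in TXT, and whether a CAA set permits a given CA to issue. It also builds the reverse-lookup name that `dig -x` derives from an address, for both IPv4 and IPv6. The dig output is a constructed sample, not a captured query, and the record values are the ones from the table above.

```python
import ipaddress
import shlex

# Constructed sample of a dig answer section (not captured from a real query).
SAMPLE_DIG = """\
;; ANSWER SECTION:
example.com.\t\t300\tIN\tA\t93.184.216.34
example.com.\t\t300\tIN\tAAAA\t2606:2800:220:1::
example.com.\t\t3600\tIN\tMX\t10 mail.example.com.
example.com.\t\t3600\tIN\tTXT\t"v=spf1 -all"
example.com.\t\t86400\tIN\tCAA\t0 issue "letsencrypt.org"
example.com.\t\t86400\tIN\tNS\tns1.example.com.

;; SERVER: 1.1.1.1#53(1.1.1.1)
"""

def parse_dig_answers(text):
    """Parse presentation-format RR lines; ';' comment lines and blanks are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)            # RDATA may itself contain spaces
        if len(parts) != 5 or parts[2] != "IN":
            continue
        name, ttl, _cls, rtype, rdata = parts
        records.append({"name": name, "ttl": int(ttl), "type": rtype, "rdata": rdata})
    return records

def min_ttl(records):
    """Longest time any record in the set may still be served from caches."""
    return min(r["ttl"] for r in records)

def spf_record(records):
    """Return the SPF policy string, joining quoted TXT chunks, or None."""
    for r in records:
        if r["type"] == "TXT":
            txt = "".join(shlex.split(r["rdata"]))
            if txt.startswith("v=spf1"):
                return txt
    return None

def caa_allows(records, ca):
    """Whether `ca` may issue a non-wildcard certificate: with no CAA records any
    CA may; otherwise only CAs named in an `issue` tag (issuewild covers wildcards)."""
    caa = [r for r in records if r["type"] == "CAA"]
    if not caa:
        return True
    for r in caa:
        _flags, tag, value = r["rdata"].split(None, 2)
        if tag == "issue" and value.strip('"') == ca:
            return True
    return False

def reverse_name(ip):
    """Build the PTR owner name dig -x queries: reversed octets under in-addr.arpa
    for IPv4, reversed hex nibbles under ip6.arpa for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

if __name__ == "__main__":
    recs = parse_dig_answers(SAMPLE_DIG)
    print("records parsed:", len(recs))
    print("lowest TTL:", min_ttl(recs), "seconds")
    print("SPF:", spf_record(recs))
    print("Let's Encrypt permitted by CAA:", caa_allows(recs, "letsencrypt.org"))
    print("dig -x name:", reverse_name("93.184.216.34"))
    print("dig -x name:", reverse_name("2606:2800:220:1::"))
```

Note that `dig +short` prints only the RDATA column, so feed this parser the full output (or `dig +noall +answer`) to keep names and TTLs. Python's `ipaddress` module also exposes `reverse_pointer`, which yields the same reverse name without the trailing dot; the function above spells the algorithm out so the nibble reversal for IPv6 is visible.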
Public DNS Resolvers
| Provider | Primary | Secondary |
|---|---|---|
| Cloudflare | 1.1.1.1 | 1.0.0.1 |
| Google | 8.8.8.8 | 8.8.4.4 |
| Quad9 | 9.9.9.9 | 149.112.112.112 |
DoH (DNS over HTTPS) and DoT (DNS over TLS) encrypt DNS queries.
Self-Hosted DNS Options
- Pi-hole - Network-wide ad blocking via DNS sinkholing
- Unbound - Validating, recursive, caching resolver
- dnsmasq - Lightweight DNS forwarder and DHCP server
Common Issues
- Propagation delay - TTL-based caching, wait for expiry
- NXDOMAIN - Domain doesn’t exist
- SERVFAIL - Server error (often DNSSEC issues)
- Cached stale records - Flush local DNS cache