Reference notes.
DNS (Domain Name System) translates human-readable domain names to IP addresses. It’s the phonebook of the internet.
How DNS Resolution Works
- Local cache - Browser/OS checks local cache
- Recursive resolver - Query sent to ISP or configured resolver (e.g., 8.8.8.8)
- Root servers - Resolver queries root (.) for TLD location
- TLD servers - Returns authoritative nameserver for domain
- Authoritative server - Returns the actual record
- Response cached - Result cached based on TTL
User -> Resolver -> Root -> TLD (.com) -> Authoritative (example.com) -> IP
Record Types
| Type | Purpose | Example |
|---|---|---|
| A | IPv4 address | example.com. 300 IN A 93.184.216.34 |
| AAAA | IPv6 address | example.com. 300 IN AAAA 2606:2800:220:1:: |
| CNAME | Alias to another name | www.example.com. CNAME example.com. |
| MX | Mail server | example.com. MX 10 mail.example.com. |
| TXT | Text data (SPF, DKIM, verification) | example.com. TXT "v=spf1 ..." |
| NS | Nameserver delegation | example.com. NS ns1.example.com. |
| SOA | Start of Authority (zone metadata) | Serial, refresh, retry, expire, TTL |
| PTR | Reverse DNS (IP to name) | 34.216.184.93.in-addr.arpa. PTR example.com. |
| SRV | Service location | _sip._tcp.example.com. SRV 10 5 5060 sip.example.com. |
| CAA | Certificate Authority authorisation | example.com. CAA 0 issue "letsencrypt.org" |
| HTTPS | Service binding and parameters (HTTPS) | example.com. HTTPS 1 . alpn="h2,h3" |
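The resolution flow and record table above describe what travels on the wire; the following is an added example (not code from the original notes) that builds a query in RFC 1035 wire format and parses a response carrying a CNAME plus an A record with their TTLs. The response bytes are hand-assembled for this example, not captured from a real resolver, and the transaction id, names and TTLs are constructed values.

```python
import ipaddress
import struct

# Added example, not part of the original notes. Builds a DNS query in RFC 1035
# wire format and parses a hand-assembled response (constructed for this
# example, not captured from a resolver) that answers a CNAME plus an A record.

RTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
               16: "TXT", 28: "AAAA", 33: "SRV", 65: "HTTPS", 257: "CAA"}


def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, rtype, txid=0x1234):
    """Header plus one question, no resource records. Flags 0x0100 = RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", rtype, 1)


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:          # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2             # caller resumes after the 2-octet pointer
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end


def parse_response(msg):
    """Return (rcode, answers); answers are (owner, type, ttl, rdata) tuples."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not (flags & 0x8000):
        raise ValueError("QR bit clear: this is a query, not a response")
    rcode = flags & 0x000F                    # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN
    offset = 12
    for _ in range(qd):                       # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        owner, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        raw = msg[offset:offset + rdlen]
        if rtype in (1, 28):                  # A / AAAA: packed address
            rdata = str(ipaddress.ip_address(raw))
        elif rtype in (2, 5, 12):             # NS / CNAME / PTR: a (compressible) name
            rdata, _ = decode_name(msg, offset)
        else:
            rdata = raw.hex()
        offset += rdlen
        answers.append((owner, RTYPE_NAMES.get(rtype, str(rtype)), ttl, rdata))
    return rcode, answers


def sample_response():
    """Constructed reply to build_query("www.example.com", 1): a CNAME to
    example.com (TTL 3600) and example.com's A record (TTL 300)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)   # QR, RD, RA set
    question = encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    # owner 0xC00C -> question name at offset 12; rdata 0xC010 -> "example.com" at 16
    cname = b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 3600, 2) + b"\xc0\x10"
    a_rr = b"\xc0\x10" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    return header + question + cname + a_rr


if __name__ == "__main__":
    rcode, answers = parse_response(sample_response())
    for owner, rtype, ttl, rdata in answers:
        print(f"{owner} {ttl} IN {rtype} {rdata}")
```

The parser chases compression pointers with a hop limit, because a pointer loop in a malformed or hostile response would otherwise spin a naive decoder forever; that guard, and the QR-bit check, are the two things most often missing from quick hand-rolled parsers.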
TTL (Time To Live)
- Duration (seconds) a record can be cached
- Lower TTL = faster propagation, more queries
- Higher TTL = better performance, slower changes
- Common values: 300 (5 min), 3600 (1 hour), 86400 (1 day)
Tip: Lower TTL before making changes, then raise it after.
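To make the tip above concrete, here is an added simulation (not from the original notes) of a resolver cache that only re-queries the authority when its entry expires. It walks a set of resolvers through a planned address change and reports how long the slowest one keeps serving the old address; the zone name, addresses, change schedule and query cadence are constructed values, and the model ignores prefetching and negative caching.

```python
# Added example, not part of the original notes. A toy resolver cache plus a
# simulation of the "lower the TTL first" tip: resolvers re-query the
# authority only when their cached entry expires, so a record change becomes
# visible only after every outstanding TTL has run out. Simplified: no
# prefetching, no negative caching, one zone with one A record.

NAME, OLD_IP, NEW_IP = "example.com.", "93.184.216.34", "198.51.100.10"
LONG_TTL, SHORT_TTL = 86400, 300


class ResolverCache:
    """Positive cache keyed by (name, type); entries expire when now >= expiry."""

    def __init__(self):
        self._entries = {}

    def store(self, name, rtype, rdata, ttl, now):
        self._entries[(name.lower(), rtype)] = (rdata, now + ttl)

    def lookup(self, name, rtype, now):
        """Return (rdata, remaining_ttl) or None. Resolvers pass on the
        remaining TTL, so a downstream cache cannot outlive the authority's limit."""
        key = (name.lower(), rtype)
        entry = self._entries.get(key)
        if entry is None:
            return None
        rdata, expiry = entry
        if now >= expiry:
            del self._entries[key]
            return None
        return rdata, expiry - now


def authority(now, lower_ttl_at, change_at):
    """What the authoritative server publishes at time `now` (constructed
    schedule): TTL drops to SHORT_TTL at lower_ttl_at, address changes at change_at."""
    ttl = SHORT_TTL if now >= lower_ttl_at else LONG_TTL
    rdata = NEW_IP if now >= change_at else OLD_IP
    return rdata, ttl


def resolve(cache, now, lower_ttl_at, change_at):
    """Answer from cache if possible, else fetch from the authority and cache it."""
    hit = cache.lookup(NAME, "A", now)
    if hit is not None:
        return hit[0]
    rdata, ttl = authority(now, lower_ttl_at, change_at)
    cache.store(NAME, "A", rdata, ttl, now)
    return rdata


def worst_case_staleness(lower_ttl_at, change_at, starts=range(0, LONG_TTL, 3600), step=60):
    """Seconds after change_at until the slowest resolver answers NEW_IP.
    Each resolver first sees a query at one of `starts` and then every `step` s."""
    worst = 0
    for start in starts:
        cache = ResolverCache()
        t = start
        while resolve(cache, t, lower_ttl_at, change_at) != NEW_IP:
            t += step
        worst = max(worst, t - change_at)
    return worst


if __name__ == "__main__":
    # Lowering the TTL at the moment of the change buys nothing ...
    print("no lead time:", worst_case_staleness(lower_ttl_at=90100, change_at=90100))
    # ... lowering it less than one old TTL ahead still leaves resolvers that
    # cached just before the drop holding the long TTL ...
    print("lowered 4100 s ahead:", worst_case_staleness(lower_ttl_at=86000, change_at=90100))
    # ... only lowering it at least one old TTL (86400 s) ahead bounds
    # staleness by the short TTL.
    print("lowered a day ahead:", worst_case_staleness(lower_ttl_at=0, change_at=90100))
```

The point the numbers make is that the lead time has to be at least the old TTL, not merely "before the change": a resolver that cached with the 86400 s TTL one second before you lowered it will not look again for a day.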
CLI Tools
- dig - Recommended, full-featured DNS lookup
- nslookup - Cross-platform, simpler output
- host - Quick lookups
Key dig options: +short (brief output), +trace (show resolution path), -x (reverse lookup), @server (query specific nameserver)
Public DNS Resolvers
| Provider | Primary | Secondary |
|---|---|---|
| Cloudflare | 1.1.1.1 | 1.0.0.1 |
| Google | 8.8.8.8 | 8.8.4.4 |
| Quad9 | 9.9.9.9 | 149.112.112.112 |
Encrypted DNS
Traditional DNS queries are sent in plaintext over UDP port 53. Modern encrypted DNS protocols prevent eavesdropping and tampering.
| Protocol | Transport | Port | Notes |
|---|---|---|---|
| DoH (DNS over HTTPS) | HTTPS | 443 | Blends with web traffic, hard to block. Widely supported in browsers. |
| DoT (DNS over TLS) | TLS | 853 | Dedicated port, easier to identify and block. |
| DoQ (DNS over QUIC) | QUIC | 853 | Combines DoT’s dedicated port with QUIC’s performance benefits (0-RTT, no head-of-line blocking). RFC 9250. |
All three major public resolvers (Cloudflare, Google, Quad9) support DoH and DoT. DoQ support is growing — AdGuard DNS and Cloudflare both offer it.
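The table above lists the transports; the following added example (not code from the original notes) shows how a client actually frames a wire-format query for two of them: the RFC 8484 DoH GET and POST forms, the response checks a client should make before parsing, and the 2-octet length prefix DoT (RFC 7858) shares with DNS over TCP. The resolver URL `https://resolver.example/dns-query` is a placeholder, the sample query bytes are constructed, and `dot_query` performs real network I/O so it is defined but not run here.

```python
import base64
import socket
import ssl
import struct

# Added example, not part of the original notes. Shows the two framings the
# encrypted transports use: DoH (RFC 8484) carries the wire-format message in
# an HTTP request, DoT (RFC 7858) carries it over TLS with the 2-octet length
# prefix of DNS over TCP. Resolver URL and host used by callers are placeholders.

DOH_MEDIA_TYPE = "application/dns-message"

# Constructed sample query (not captured): id 0x1234, RD set, one question,
# example.com type A class IN.
SAMPLE_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x07example\x03com\x00\x00\x01\x00\x01")


def doh_get_request(resolver_url, query):
    """Return (url, headers) for a DoH GET. The message ID is zeroed so that
    identical queries produce identical URLs (cache-friendly); the payload is
    base64url without '=' padding in the `dns` query parameter."""
    msg = b"\x00\x00" + query[2:]
    encoded = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    sep = "&" if "?" in resolver_url else "?"
    return f"{resolver_url}{sep}dns={encoded}", {"Accept": DOH_MEDIA_TYPE}


def doh_post_request(resolver_url, query):
    """Return (url, headers, body) for a DoH POST: raw wire message as body."""
    headers = {"Accept": DOH_MEDIA_TYPE, "Content-Type": DOH_MEDIA_TYPE}
    return resolver_url, headers, query


def decode_doh_param(value):
    """Inverse of the GET encoding: restore padding, decode base64url."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def check_doh_response(status, content_type, body):
    """Checks a client should make before handing the body to a DNS parser."""
    if status != 200:
        raise ValueError(f"HTTP {status}")
    if content_type.split(";")[0].strip().lower() != DOH_MEDIA_TYPE:
        raise ValueError(f"unexpected Content-Type {content_type!r}")
    if len(body) < 12:
        raise ValueError("body shorter than a DNS header")
    flags = struct.unpack("!H", body[2:4])[0]
    if not (flags & 0x8000):
        raise ValueError("QR bit clear: not a response")
    return True


def dot_frame(message):
    """DoT uses DNS-over-TCP framing: 2-octet big-endian length, then the message."""
    if len(message) > 0xFFFF:
        raise ValueError("message too long for a 16-bit length prefix")
    return struct.pack("!H", len(message)) + message


def _recv_exact(sock, n):
    """TLS delivers a byte stream, so a single recv() may return a partial message."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def dot_query(host, query, port=853, timeout=5.0):
    """Send one query over DoT and return the raw response. Performs network
    I/O (not exercised offline). The default context verifies the resolver's
    certificate against `host`, which is what makes DoT tamper-resistant."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(dot_frame(query))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return _recv_exact(tls, length)


if __name__ == "__main__":
    url, headers = doh_get_request("https://resolver.example/dns-query", SAMPLE_QUERY)
    print(url, headers)
    print(dot_frame(SAMPLE_QUERY).hex())
```

Two details matter for defenders reading traffic or writing clients: the DoH body is the same wire format as port 53, so any DNS parser applies once the HTTP layer is peeled off, and a DoT client that skips certificate verification gets none of the tamper protection the table credits the protocol with.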
Self-Hosted DNS Options
- Pi-hole - Network-wide ad blocking via DNS sinkholing
- Unbound - Validating, recursive, caching resolver
- dnsmasq - Lightweight DNS forwarder and DHCP server
Common Issues
- Propagation delay - TTL-based caching, wait for expiry
- NXDOMAIN - Domain doesn’t exist
- SERVFAIL - Server error (often DNSSEC issues)
- Cached stale records - Flush local DNS cache
See Also
- HTTP — HTTPS records advertise HTTP/3 (alpn="h2,h3") via DNS
- TLS — CAA records authorise CAs; certificates are validated against domains
- DHCP — DHCP distributes resolver addresses to clients
- Container Networking — Kubernetes uses CoreDNS for internal service discovery
- VPNs — DNS leaks bypass the tunnel and reveal browsing activity