How DNS Works
A complete, beginner-friendly guide to the Domain Name System — the technology that makes the internet usable.
What Is DNS?
DNS stands for Domain Name System. It is a globally distributed database that translates human-readable domain names — like getdnsinfo.com — into the numerical IP addresses that computers use to communicate, such as 104.21.45.12. Without DNS, you would need to memorize a different string of numbers for every website you visit.
Think of DNS as the internet's phone book. When you want to call someone, you look up their name to find their phone number. When your browser wants to connect to a website, it asks DNS to translate the domain name into an IP address. This happens automatically, in milliseconds, every single time you open a webpage, send an email, or use any online service.
DNS is not a single server. It is a massive, hierarchical, globally distributed system operated by thousands of organizations including ISPs, cloud providers, domain registrars, and independent operators. This distributed design makes DNS both resilient and highly scalable: there is no single point of failure, and no single organization runs all of it. The root zone is coordinated by ICANN through the IANA functions, but it is served by independent root operators, and every zone below it is managed by whoever controls that part of the namespace. It is a cooperative infrastructure that holds the internet together.
The DNS Resolution Process — Step by Step
When you type a URL into your browser and press Enter, a sequence of events happens behind the scenes to find the IP address you need. Here is exactly what occurs, from the moment you hit Enter to the moment your page starts loading:
Step 1
Browser Cache Check
Your browser first checks its own internal DNS cache. If you visited this website recently and the cached record has not expired yet, the browser reuses the stored IP address immediately. This makes repeat visits to the same site nearly instantaneous. Browser DNS caches typically hold records for 60 seconds to a few minutes.
Step 2
Operating System Cache
If the browser has no cached answer, it asks your operating system's resolver. The OS first consults the local hosts file (/etc/hosts on Linux and macOS, C:\Windows\System32\drivers\etc\hosts on Windows), which overrides DNS entirely and is a classic target for malware that wants to redirect traffic, so check it whenever a single machine resolves a name differently from everyone else. It then checks its own DNS cache, which is shared across all applications. On Windows, you can view this cache with 'ipconfig /displaydns' and clear it with 'ipconfig /flushdns'. If the OS cache has a valid entry, the IP is returned to the browser without any network query.
Step 3
Recursive Resolver Query
If no cached answer exists, your device sends the DNS query to a recursive resolver — usually operated by your ISP or a public DNS service like Cloudflare (1.1.1.1) or Google (8.8.8.8). The recursive resolver is responsible for doing all the legwork of finding the answer. It checks its own cache first, and if it has the answer, returns it immediately.
Step 4
Root Nameserver
If the recursive resolver has no cached answer, it contacts one of the 13 root server identities (named a through m and run by 12 organizations including ICANN, NASA, and Verisign; each identity is an anycast cluster of many machines around the world, and resolvers ship with their addresses in a built-in root hints file). Root nameservers do not know the IP address of your domain, but they know which servers are responsible for each top-level domain (.com, .org, .net, etc.). They respond with a referral: NS records for the TLD nameservers, plus glue A/AAAA records giving those servers' addresses.
Step 5
TLD Nameserver
The recursive resolver asks one of the TLD nameservers (for .com domains, operated by Verisign) which nameservers are authoritative for the specific domain (example.com). The TLD nameserver responds with another referral: the NS records your domain registrar submitted for the domain, plus glue addresses for any nameserver whose name lives inside the domain itself.
Step 6
Authoritative Nameserver
Finally, the recursive resolver queries your domain's authoritative nameservers, the servers operated by your DNS provider (Cloudflare, AWS Route 53, GoDaddy, etc.). These servers hold the actual DNS records you have configured. They return the A record (IPv4 address), AAAA record (IPv6 address), MX record (mail server), or whatever record type was requested, with the AA (authoritative answer) flag set in the response header.
Step 7
Response Delivered & Cached
The resolver returns the IP address to your device, which caches it for the duration of the record's TTL. The resolver also caches the answer and every referral it collected on the way, so its next query for any .com name skips the root, and its next query for anything under example.com goes straight to the authoritative servers. Your browser then opens a TCP connection to that IP address and loads the website. The entire process, from your Enter key to receiving the IP, typically takes between 20 and 120 milliseconds on a first, uncached query.
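To make Steps 3 to 7 concrete, here is an added example (not code from this page or from any DNS product) that encodes a query in DNS wire format, parses responses including compressed names, and classifies each response the way a recursive resolver must: referral, answer, or error. The two response messages are constructed inline to look like a root referral and an authoritative answer; the server name and the 192.0.2.x / 198.51.100.x addresses are documentation values, not real infrastructure.

```python
import struct

# RR type codes (RFC 1035) and the header flag bits used below.
A, NS, CNAME = 1, 2, 5
QR, AA, RD, RA, AD = 0x8000, 0x0400, 0x0100, 0x0080, 0x0020


def encode_name(name):
    """'example.com.' -> length-prefixed labels ending in a zero byte."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name, qtype, txid):
    """What your device sends in Step 3: RD set, one question, nothing else."""
    return struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(msg, off):
    """Decode a name that may use compression pointers (RFC 1035 s4.1.4).
    Returns (dotted name, offset just past the name where it was encountered)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # 11xxxxxx: pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 64:                            # hostile input: pointer loop
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def read_rr(msg, off):
    name, off = read_name(msg, off)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    rdata = msg[off:off + rdlen]
    if rtype == A and rdlen == 4:
        data = ".".join(str(b) for b in rdata)
    elif rtype in (NS, CNAME):
        data, _ = read_name(msg, off)                # names inside rdata may be compressed too
    else:
        data = rdata.hex()
    return {"name": name, "type": rtype, "ttl": ttl, "data": data}, off + rdlen


def parse_message(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, qtype))
    out = {"id": txid, "rcode": flags & 0xF, "aa": bool(flags & AA),
           "ad": bool(flags & AD), "question": questions}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            rr, off = read_rr(msg, off)
            rrs.append(rr)
        out[section] = rrs
    return out


def classify(resp):
    """What a recursive resolver decides after each hop in Steps 4 to 6."""
    if resp["rcode"] != 0:
        return "nxdomain" if resp["rcode"] == 3 else "error"
    if resp["answer"]:
        return "answer"
    return "referral" if any(rr["type"] == NS for rr in resp["authority"]) else "nodata"


def referral_target(resp):
    """Next server to ask: an NS from the authority section plus its glue address."""
    glue = {rr["name"]: rr["data"] for rr in resp["additional"] if rr["type"] == A}
    for rr in resp["authority"]:
        if rr["type"] == NS and rr["data"] in glue:
            return rr["data"], glue[rr["data"]]
    return None


# Constructed messages for the walkthrough (not captured traffic; RFC 5737 addresses).
def build_rr(name, rtype, ttl, rdata):
    return name + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_response(txid, flags, qname, qtype, answer, authority, additional):
    hdr = struct.pack("!HHHHHH", txid, QR | flags, 1, len(answer), len(authority), len(additional))
    return hdr + encode_name(qname) + struct.pack("!HH", qtype, 1) + b"".join(answer + authority + additional)


QNAME_PTR = b"\xc0\x0c"   # pointer to the question name at offset 12, as real servers emit

# Step 4: the root does not know example.com; it delegates com. and supplies glue.
REFERRAL = build_response(0x1234, 0, "example.com.", A, [],
    [build_rr(encode_name("com."), NS, 172800, encode_name("a.gtld-servers.net."))],
    [build_rr(encode_name("a.gtld-servers.net."), A, 172800, bytes([192, 0, 2, 1]))])

# Step 6: the authoritative server answers with AA set and a one-hour TTL.
ANSWER = build_response(0x1234, AA, "example.com.", A,
    [build_rr(QNAME_PTR, A, 3600, bytes([198, 51, 100, 10]))], [], [])
```

To watch the real chain, run `dig +trace example.com`: each hop it prints is one referral of the kind `classify` labels above, ending in the authoritative answer. The pointer-loop guard in `read_name` matters in practice; a parser that follows pointers without a bound can be spun forever by a single crafted response.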
Key DNS Concepts Every Web Professional Should Know
TTL — Time To Live
Every DNS record has a TTL value measured in seconds. TTL tells caching servers how long they may hold onto a copy of the record before fetching a fresh copy. A TTL of 300 = 5 minutes. A TTL of 86400 = 24 hours. Before making DNS changes, lower your TTL to 300 at least one old-TTL period in advance: if the record was published with 86400, wait at least 24 hours (48 to be safe) after lowering it before you make the change, because any cache that fetched the record just before you lowered it may hold that old-TTL copy for the full 24 hours. This dramatically speeds up DNS propagation after you make your change, and you can raise the TTL again once the change has settled.
Authoritative vs. Recursive DNS
These are two fundamentally different types of DNS servers. Authoritative nameservers hold the actual records for a domain — they are the source of truth. Recursive resolvers (like your ISP's DNS or Google's 8.8.8.8) perform queries on behalf of clients by asking authoritative servers. When you configure DNS records in Cloudflare or AWS Route 53, you are editing records on authoritative nameservers.
DNS Zone
A DNS zone is a segment of the DNS namespace managed by a specific organization. Your domain (example.com) and its subdomains typically form one DNS zone, managed through a zone file containing all the DNS records for that domain. A subdomain delegated to other nameservers with its own NS records becomes a separate zone with its own zone file. Zone files are stored on authoritative nameservers and define every record (A, MX, TXT, CNAME, NS) for the zone.
DNSSEC — DNS Security
DNSSEC adds cryptographic signatures (RRSIG records) to DNS records, allowing a validating resolver to verify that a response is authentic and was not tampered with in transit. Without DNSSEC, DNS is vulnerable to cache poisoning attacks, where an attacker injects false records into a resolver so that its users are sent to a malicious site. Two caveats: DNSSEC provides authenticity and integrity, not confidentiality (queries and answers are still readable on the wire; see DoH and DoT below), and it only protects users whose resolver actually validates (a validating resolver sets the AD flag in its response; Cloudflare's 1.1.1.1 and Google's 8.8.8.8 both validate). Enabling it is a two-part job: your DNS provider signs the zone and publishes DNSKEY records, and you publish the matching DS record at your registrar. A DS record that does not match the zone's keys makes validating resolvers return SERVFAIL for the whole domain, so verify after every key change or provider migration.
DNS Caching and Propagation
DNS records are cached at multiple levels: browser, operating system, any forwarding resolver on the path (home router, corporate DNS), and the recursive resolver. This caching is what causes the delay people call DNS propagation when you change a record. Nothing is pushed out to the world; each cache simply keeps its copy until the TTL it was given runs out, and only then fetches the updated record from your authoritative nameserver. This is why propagation can take anywhere from minutes to 48 hours depending on the TTL that was in effect before the change.
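The TTL and propagation sections above describe the same mechanism from two sides. This added example (mine, not code from the page or any resolver) models one caching layer, shows why the TTL you see counts down between repeated queries, shows a record change being invisible until the cached copy expires, and computes the cutover timing the TTL advice is based on. The zone data, names and addresses are constructed for the walkthrough.

```python
from dataclasses import dataclass


@dataclass
class CachedRecord:
    data: str
    expires_at: int   # absolute time (seconds) after which the copy must be discarded


class ResolverCache:
    """One caching layer (browser, OS, or recursive resolver).

    A record is stored with an absolute expiry and served with its *remaining*
    TTL, which is why the TTL column in dig output counts down when you repeat a
    query against the same resolver."""

    def __init__(self):
        self._store = {}

    def put(self, name, rtype, data, ttl, now):
        self._store[(name.lower().rstrip("."), rtype)] = CachedRecord(data, now + ttl)

    def get(self, name, rtype, now):
        key = (name.lower().rstrip("."), rtype)
        rec = self._store.get(key)
        if rec is None or rec.expires_at <= now:
            self._store.pop(key, None)          # expired: evict and force a fresh lookup
            return None
        return rec.data, rec.expires_at - now


def resolve(cache, zone, name, rtype, now):
    """Cache first, then the stand-in authoritative zone (a dict here).
    Returns (data, ttl as the client sees it, where the answer came from)."""
    hit = cache.get(name, rtype, now)
    if hit is not None:
        return hit[0], hit[1], "cache"
    data, ttl = zone[(name, rtype)]
    cache.put(name, rtype, data, ttl, now)
    return data, ttl, "authoritative"


def cutover_plan(old_ttl, new_ttl, change_at, lowered_at=None):
    """Timing for a record change.

    A cache that fetched the record an instant before the TTL was lowered keeps
    that old-TTL copy for old_ttl seconds, so the low TTL must be published at
    least old_ttl before the change. Returns the last safe moment to lower the
    TTL and the worst-case time until every TTL-respecting cache has new data."""
    lower_by = change_at - old_ttl
    if lowered_at is None:
        lowered_at = lower_by
    if lowered_at <= lower_by:
        stale_until = change_at + new_ttl          # everyone already holds a low-TTL copy
    else:
        stale_until = lowered_at + old_ttl         # some caches still hold the old-TTL copy
    return {"lower_ttl_by": lower_by, "old_data_visible_until": stale_until}


def walkthrough():
    """Constructed timeline: TTL 300, hosting moved at t=120 without lowering the TTL first."""
    zone = {("www.example.com", "A"): ("192.0.2.10", 300)}   # constructed authoritative data
    cache = ResolverCache()
    t0 = resolve(cache, zone, "www.example.com", "A", now=0)      # miss: authoritative, TTL 300
    t100 = resolve(cache, zone, "www.example.com", "A", now=100)  # hit, remaining TTL 200
    zone[("www.example.com", "A")] = ("198.51.100.10", 300)       # operator changes the A record
    t200 = resolve(cache, zone, "www.example.com", "A", now=200)  # still the OLD address
    t300 = resolve(cache, zone, "www.example.com", "A", now=300)  # expired: new address at last
    return [t0, t100, t200, t300]
```

`cutover_plan(86400, 300, change_at=...)` is the arithmetic behind the "24 to 48 hours in advance" rule: with the common 86400 default, the TTL must be lowered a full day before the change, and anyone who lowers it later is stale until a day after they did so. You can see `get()` at work by running `dig @1.1.1.1 www.example.com A` twice a few seconds apart and comparing the TTL column.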
DNS Over HTTPS (DoH) and DNS Over TLS (DoT)
Traditional DNS queries are sent in plain text over port 53 (UDP, with TCP for large answers and zone transfers), making them visible to anyone who can observe your network traffic and easy to rewrite for anyone sitting in the path. DNS over TLS (DoT, TCP port 853) and DNS over HTTPS (DoH, port 443, with the query carried inside an ordinary HTTPS request) encrypt the traffic between your device and the recursive resolver to prevent surveillance and manipulation. DoH is now built into Chrome, Firefox, and Edge, and Cloudflare's 1.1.1.1 and Google's 8.8.8.8 both accept DoH and DoT. Be clear about what is covered: the resolver you choose still sees every query, and the resolver's own queries to authoritative servers are normally still plain DNS, so encrypted DNS buys privacy from the local network and trust in a resolver you picked, not end-to-end secrecy.
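The same DNS message travels in three different wrappers depending on the transport. This added example (not from the page, and sending nothing on the network) builds one query and shows exactly what goes on the wire for plain UDP, for TCP/DoT framing, and for the two DoH request forms from RFC 8484. The endpoint URLs are the public Cloudflare and Google DoH endpoints as assumptions for illustration; only the encoding is being demonstrated.

```python
import base64
import struct

DO53_PORT, DOT_PORT, DOH_PORT = 53, 853, 443   # RFC 1035, RFC 7858, RFC 8484


def encode_name(name):
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name, qtype=1, txid=0):
    """Plain wire-format query with RD set. RFC 8484 recommends ID 0 for DoH so that
    identical questions produce identical URLs and can be served by HTTP caches."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def udp_payload(query):
    """Do53 over UDP: the message is the entire datagram payload, readable by any on-path observer."""
    return query


def stream_frame(query):
    """Do53 over TCP and DoT both prefix each message with a 2-byte big-endian length;
    DoT just carries these frames inside a TLS session to port 853."""
    return struct.pack("!H", len(query)) + query


def read_stream_frame(buf):
    """Inverse of stream_frame; rejects a length that overruns the buffer (truncated or hostile input)."""
    if len(buf) < 2:
        raise ValueError("short frame")
    (n,) = struct.unpack("!H", buf[:2])
    if len(buf) < 2 + n:
        raise ValueError("frame length exceeds buffer")
    return buf[2:2 + n], buf[2 + n:]


def doh_get_url(endpoint, query):
    """DoH GET form (RFC 8484 s4.1): base64url with the trailing '=' padding removed."""
    param = base64.urlsafe_b64encode(query).decode("ascii").rstrip("=")
    return f"{endpoint}?dns={param}"


def doh_post(endpoint, query):
    """DoH POST form: the raw message is the body, media type application/dns-message."""
    headers = {"content-type": "application/dns-message", "accept": "application/dns-message"}
    return endpoint, headers, query


def query_from_doh_url(url):
    """Server side of the GET form: restore the stripped padding and decode the message."""
    param = url.split("?dns=", 1)[1].split("&", 1)[0]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))
```

A URL produced by `doh_get_url("https://cloudflare-dns.com/dns-query", build_query("example.com."))` can be fetched with `curl -sS -H 'accept: application/dns-message' "<url>"`; the body that comes back is the same wire format the plain UDP reply would have, just inside TLS. On a network capture, only the TLS session to port 443 or 853 is visible, which is the whole point of the two protocols.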
Common DNS Problems and How to Diagnose Them
DNS is incredibly reliable but also the first thing to check when something on the internet stops working. Understanding the most common DNS failure modes helps you diagnose problems quickly rather than spending hours troubleshooting elsewhere.
| Symptom | Likely DNS Cause | How to Fix |
|---|---|---|
| Website not loading after hosting change | A record still points to old server IP | Update A record at DNS provider, lower TTL, monitor propagation |
| Email not delivering after provider switch | MX records still point to old mail server | Update MX records, check with MX Lookup tool |
| Site works for some users but not others | DNS propagation still in progress | Check propagation status with our propagation checker |
| NXDOMAIN error (domain not found) | Record or subdomain never created (typo in the name), NS records wrong, or domain expired | Check NS records with nameserver lookup, confirm the exact name exists in the zone, verify domain renewal |
| SERVFAIL error on all DNS queries | DNSSEC misconfiguration (DS record at the registrar does not match the zone's keys) or zone error | Query again with dig +cd (checking disabled); if that succeeds where the normal query fails, the cause is DNSSEC: fix the DS record at the registrar to match the DNS provider's keys |
| Emails going to spam | Missing SPF, DKIM, or DMARC TXT records | Check TXT records with our TXT Record Lookup tool |
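For the last row of the table, here is an added example (my code, not the page's tool) that applies the checks a practitioner runs on the TXT records behind SPF and DMARC: exactly one v=spf1 record, at most 10 DNS-lookup terms, a terminal -all or ~all rather than +all, and a v=DMARC1 record with a real policy and a reporting address. The records are passed in as a dict keyed by owner name; in practice you would fill it from a TXT lookup of the domain and of _dmarc.<domain>. The example records are constructed.

```python
# Mechanisms and modifiers that cost a DNS lookup under RFC 7208 s4.6.4 (limit 10).
DNS_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def check_spf(txt_records):
    """Findings for the TXT records published at the bare domain."""
    findings = []
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record; receivers cannot verify the sending server"]
    if len(spf) > 1:
        findings.append("SPF: %d v=spf1 records published; RFC 7208 treats this as permerror" % len(spf))
    terms = spf[0].split()[1:]
    lookups = 0
    for term in terms:
        # strip the qualifier (+ - ~ ?) and everything after ':' '/' or '=' to get the term name
        name = term.lstrip("+-~?").split(":", 1)[0].split("/", 1)[0].split("=", 1)[0].lower()
        if name in DNS_LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append("SPF: %d DNS-lookup terms; the limit is 10 (permerror)" % lookups)
    last = terms[-1].lower() if terms else ""
    if last in ("+all", "all", "?all"):
        findings.append("SPF: record ends in %s, which lets anyone send as the domain" % last)
    elif not (last in ("-all", "~all") or last.startswith("redirect=")):
        findings.append("SPF: no terminal -all or ~all; unmatched senders get a neutral result")
    return findings


def check_dmarc(txt_records):
    """Findings for the TXT records published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no v=DMARC1 record at _dmarc.<domain>"]
    tags = {}
    for kv in dmarc[0].split(";"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    return findings


def check_mail_auth(records_by_name, domain):
    """records_by_name: owner name -> list of TXT strings found there (constructed input)."""
    return (check_spf(records_by_name.get(domain, []))
            + check_dmarc(records_by_name.get("_dmarc." + domain, [])))
```

DKIM cannot be checked this way without knowing the selector, because the public key lives at <selector>._domainkey.<domain>; look at the DKIM-Signature header of a message the domain sent (the s= tag) and then query that TXT name. An empty findings list means the records are present and sane, not that mail will be delivered; the receiving side still has to evaluate them against the actual sending IP and signature.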
Check Your DNS Right Now
Use our free tools to inspect, verify, and monitor DNS records for any domain.
