What Is DNS and How Does it Work?

A comprehensive guide to the domain name system

The Domain Name System (DNS) is an essential component of the internet, playing a critical role in every online interaction. Often quietly operating in the background, DNS is what allows you to access websites by entering domain names like “vercara.com” in your web browser. But how exactly does DNS work?  

This blog post will explain everything you need to know about DNS, its functions, and its significance for your internet experience. We’ll simplify technical concepts into easy-to-understand terms, making it accessible for everyone—from casual users to aspiring IT professionals. 

By reading this article, you’ll learn to: 

• Define what DNS is 
• Explain the DNS hierarchy 
• Understand how DNS functions  
• Explain the difference between authoritative nameservers and recursive DNS resolvers  
• Differentiate between recursive and iterative DNS lookups  
• Discover how DNS caching improves service performance and reduces network traffic  
• Recognize the importance of DNS security and common threats 

Whether you’re seeking to improve your technical knowledge or simply want to understand how the internet works, this guide offers valuable insights into the world of DNS. 

What is DNS?

DNS, or Domain Name System, is a crucial part of the internet that translates easy-to-remember domain names into IP addresses. This decentralized system works like a digital phonebook, allowing computers to identify each other using IP addresses, similar to how we use phone numbers to contact people. Without DNS, we would have to remember long numerical sequences for every website we visit, which would be highly impractical. By linking user-friendly domain names to these computer-readable IP addresses, DNS makes surfing the web easy and efficient. 

For example: 

• Domain name: vercara.com  
• IP address: 156.154.120.112 

DNS is essential for internet browsing, making every online interaction possible. Every time you visit a website, your journey starts with a DNS query. Understanding DNS is crucial for seamless internet navigation. 

How DNS works

The DNS query process, known as DNS resolution, involves converting a domain name into its respective IP address. Here’s a simplified explanation of the steps involved in DNS resolution. 

Key players in DNS resolution  

The DNS is set up as a tree or hierarchy. The top level of this tree is called the root domain, which contains all the top-level domains (TLDs), such as .com, .org, and .net. Below the TLDs are second-level domains (such as vercara.com), followed by subdomains (internal.vercara.com), and so on. 

There are two types of DNS servers in the resolution process: 

• Authoritative DNS Nameservers: These servers provide the definitive answer for a zone or a “tier” on the DNS hierarchy. They hold resource records and answer queries. The DNS tree consists of several tiers of authoritative nameservers:  
• Authoritative Root Nameservers: This set of authoritative servers sits at the top of the DNS hierarchy and provides answers to help the recursive server to find the the Top-Level Domain (TLD) servers. 
• Authoritative TLD Nameservers: These servers are authoritative for one or more top-level domains (e.g., ‘.com’, ‘.org’) and directs queries to the correct authoritative server for the domain. 
• Authoritative Domain Nameservers: These servers are authoritative for a domain name such as “vercara.com”, also known as a second-level domain. These servers provide the definitive answer for a domain or zone, translating the domain name into its IP address based on resource records configured by a DNS administrator. 
• Authoritative Subdomain Nameservers: These optional servers are authoritative for a zone or a subdomain such as “corp.vercara.com” and provide a definitive answer for this zone. Although it is rare, there may be additional zones underneath this zone, all with their own authoritative nameservers. 
• Recursive DNS Server: Sometimes called a “resolver”, this server receives user queries for computers on a network and retrieves the necessary information by interacting with authoritative servers. It usually caches the answer. 
• Forwarding DNS Server: Some recursive DNS servers receive queries from computers on the network and immediately forward the query to another recursive DNS server that navigates the DNS tree. They cache the answer, providing for better performance and offloading for the upstream recursive DNS server. 

The path of a DNS query

Here’s how a typical DNS lookup process flows: 

1. A user enters “www.example.com” into a browser, and the browser initiates a DNS query. 
2. The browser sends a DNS query to a miniature DNS recursive library or utility, called a stub resolver, built into the operating system. 
3. The stub resolver forwards the query to a recursive DNS server provided by the network.  
4. The recursive server queries an authoritative root nameserver for servers authoritative to the TLD (.com).  
5. The root server answers the query with the domain name and IP addresses of the authoritative TLD nameservers, like the `.com` or `.org` server.  
6. The recursive DNS server queries an authoritative TLD nameserver for servers authoritative to the second-level domain (example.com). 
7. The authoritative TLD nameserver answers with the domain name and IP addresses of the authoritative domain nameservers responsible for the domain “example.com”.  
8. The recursive DNS server queries one of the authoritative domain nameservers for a resource record for “www.example.com“. This query could have multiple types such as A (IPv4), AAAA (IPv6), SVCB (Service Binding), or HTTPS (Hypertext Transfer Protocol Secure). 
9. The authoritative domain nameserver answers the recursive DNS server with the IP address of www.example.com. 
10. The recursive DNS server answers the query from the stub resolver with the IP address of www.example.com. 
11. The browser uses the IP address to load the correct website. 

Caching and performance

Most DNS queries are for the most popular websites on the Internet, and the answers do not change very frequently. In order to reduce answer times and save on network and server bandwidth, DNS protocols support a timing value called Time-to-Live (TTL). This TTL is the maximum amount of time, in seconds, that a recursive DNS server can store or cache an answer from an authoritative server. 

Because of TTL values and stored answers, DNS lookups can occur in two primary ways—recursive or iterative. 

A recursive query is when no stored data is available, and the recursive DNS server navigates the DNS tree from the authoritative root nameservers through to the domain authoritative nameserver to find an answer. This usually happens when the recursive DNS server has been newly added to the network and has no cached data, or a DNS administrator has told it to remove all of the data from its cache.  

An iterative query is a query where the recursive DNS server previously performed a recursive query and has a cached answer that it provides to the querying computer without navigating the DNS hierarchy. 

Operating systems and web browsers also have their own caching mechanism to store the answer that was provided to them by the recursive DNS server. Sometimes, this caching can cause problems that are hard to troubleshoot. 

In practice, unless a recursive DNS server has been told to forget all of its cached answers, most queries are either iterative–the answer is stored in cache–or partially recursive–most of the DNS tree is already cached so the recursive server just needs to query the last few rungs to get an answer. 

DNS administrators make tradeoffs when they set TTL values in their zone resource records. A longer TTL means that the zone is more resilient to outages in the authoritative nameserver because the answer will most likely be cached in recursive servers. However, a longer TTL also means that if the resource record changes, it will take a longer time for the recursive servers and the computers that use them to recognize the change. 

Practical applications of DNS

DNS is essential not only for technical operations but also for managing the infrastructure that supports high-demand applications. 

Global Load Balancing: DNS offers several capabilities, such as providing multiple answers to a query, which helps distribute user traffic efficiently across various servers. This is particularly beneficial for load balancing, as it directs users to different servers to optimize performance and prevent any single server from becoming overwhelmed. When combined with a poller that dynamically updates resource records within a domain or zone, this setup can offer important failover capabilities. In the event of server downtime or failure, the DNS can automatically redirect traffic to backup servers, ensuring that a website or service remains highly available to users. This redundancy is crucial for maintaining uninterrupted access and enhancing user experience, particularly for businesses that rely heavily on their online presence. 

Geographic DNS Traffic Direction: Advanced authoritative DNS servers play a crucial role in efficiently directing user traffic to the appropriate application servers. By evaluating the user’s region or country, these DNS servers can determine the closest Point-of-Presence (PoP) and route the traffic accordingly. This process not only ensures faster response times but also improves the overall user experience by supporting localization. As a result, users can enjoy streamlined access to web applications and services, regardless of their geographic location. 

Content Delivery: Large-scale enterprises use DNS to efficiently load-balance across large pools of servers, ensuring that web content or streaming video is delivered smoothly and reliably to users. By distributing the traffic evenly, these companies can prevent server overloads and provide a seamless experience for their audience. This approach also enhances redundancy, as it allows for continuous service availability even if some servers go offline for maintenance or due to technical issues. 

Improved Web Performance and SEO: Every online interaction begins with a DNS query. Fast DNS lookups are crucial because they significantly contribute to reduced page load times, enhancing the overall user experience. When web pages load quickly, visitors are more likely to stay and engage with the content, leading to lower bounce rates. Additionally, search engines prioritize websites with faster load times, helping them rank higher in search results. Consequently, optimizing DNS performance is an essential aspect of maintaining a successful and competitive online presence. 

Authentication and Validation: Some service providers, including email servers, certificate authorities, website monitoring tools, and SaaS providers, utilize DNS resource records with a token value as a mechanism to verify domain ownership. This practice is crucial for ensuring that the organization requesting the service actually owns the domain in question. By embedding a unique token in the DNS records, these providers can confirm authenticity and prevent unauthorized access. This process not only strengthens security by protecting sensitive information but also streamlines the service provisioning, making it more efficient for legitimate organizations to obtain the necessary services. 

Securing DNS

Since DNS is a critical service that every other service depends on, it is incredibly important that the DNS system be available and that DNS answers are unaltered.

Availability and redundancy in DNS

When DNS is unavailable, all other services will fail when their answers expire from the cache on recursive DNS nameservers. As such, every component that is used for DNS lookup should be configured for redundancy.  

For example, every network should provide at least two recursive nameservers to answer queries for the computers on the network. At an Internet Service Provider, this would be a large distributed cluster of recursive nameservers. Inside a large enterprise network, they use local forwarders in each office location and a set of centralized recursive DNS nameservers inside of their data centers. 

Every tier, or zone, on the DNS tree, should have as many authoritative servers as possible. Every recursive DNS nameserver has a “hints file” containing the names and IP addresses of the 13 authoritative root nameservers, which is used to initiate each recursive query. However, each authoritative root nameserver is multiple clusters of redundant servers across multiple Points-of-Presence using DNS anycast for load-balancing across them. TLDs are similarly deployed. For a second-level domain or domain name, the registry sets limits on how many nameservers can be assigned to the domain, usually 4 to 10. 

It’s critical to implement strong defenses against Distributed Denial of Service (DDoS) attacks on authoritative DNS nameservers. These attacks can overwhelm DNS servers with traffic, rendering them unable to respond to legitimate queries. To mitigate these threats, organizations should consider deploying a mix of strategies. Using anycast routing can help distribute traffic across multiple servers, preventing any single server from being overwhelmed. Additionally, integrating advanced traffic filtering and network monitoring solutions can help quickly detect and mitigate suspicious activity. Securing contracts with DDoS protection services and maintaining regular security audits can further strengthen the resilience of authoritative DNS servers against these pervasive threats. 

Integrity of DNS answers

Ensuring the integrity of DNS answers is crucial because it prevents malicious entities from intercepting or altering DNS queries and responses, which could redirect users to harmful sites or intercept sensitive information. A secure DNS infrastructure safeguards the reliability and trustworthiness of the internet by ensuring that the domain names users query point to the correct IP addresses. 

DNS integrity can be provided by several controls: 

DNSSEC Implementation: Deploy DNS Security Extensions (DNSSEC) to ensure the integrity and authenticity of DNS information by verifying that the DNS answers come from the correct authoritative DNS nameserver. DNSSEC introduces cryptographic signatures to DNS data, which help to protect against cache poisoning and machine-in-the-middle attacks by preventing malicious actors from altering the responses or redirecting users to fraudulent websites. By implementing DNSSEC, organizations can enhance their overall network security and maintain user trust. Learn more about DNS security best practices in our blog. 

Use Trusted Recursive Nameservers: Organizations should only use trusted recursive nameservers to ensure the security and integrity of their network communications. Recursive nameservers resolve domain names to IP addresses, playing a crucial role in connecting users to the internet. However, using untrusted or poorly managed nameservers can expose organizations to security risks. A very common attack vector involves malicious actors exploiting the recursive nameservers on public Wi-Fi networks found in locations like coffee shops, hotels, and airports. These public networks often lack adequate security measures, making them prime targets for DNS spoofing or mchine-in-the-middle attacks, where attackers can redirect users to fraudulent websites or intercept sensitive data. Therefore, it is essential for organizations to rely on secure and reputable nameservers to protect their users and data. 

Use DNS over HTTPS on External Networks: This DNS protocol was specifically designed as a countermeasure for hostile networks in authoritative regimes, which are notorious for performing machine-in-the-middle attacks on DNS queries as a mechanism for censorship and surveillance. These regimes often intercept or alter DNS queries to prevent access to certain information or websites, thereby controlling the flow of information. To combat this, the protocol employs Transport-Layer Security (TLS) to provide robust encryption for DNS queries, ensuring that user requests remain confidential and protected from unauthorized interception or tampering. Additionally, it utilizes x509 certificates to validate the recursive DNS, establishing a trustworthy communication channel that can verify the identity of the servers involved. This ensures that the data received is authentic and has not been compromised, thus preserving the integrity and privacy of the DNS resolution process. 

Regular Software Updates: Ensure your DNS server software is always up-to-date by regularly installing the latest security patches. This practice is crucial for preventing vulnerabilities that hackers could exploit to launch cyber attacks. Keeping your software current not only protects against known threats but also enhances overall network stability and performance. Regular updates help mitigate risks such as DNS cache poisoning or denial-of-service attacks, safeguarding both your data and your users. 

Access Control Policies and Change Control: Implementing strict access control policies is crucial to ensure only authorized personnel can make changes to the DNS infrastructure. By doing this, you significantly minimize the risk of unauthorized changes to DNS records, which could lead to security breaches or service disruptions. These policies should include defining clear roles and permissions, using multi-factor authentication for added security, and regularly reviewing access logs for any suspicious activity. Additionally, it’s important to maintain an up-to-date list of individuals with access and ensure that any changes in personnel are promptly reflected in access permissions to further safeguard your DNS environment. 

Monitoring and Logging: Establish robust monitoring and logging practices to quickly detect and respond to unusual patterns that may indicate a security breach or an attempt to manipulate DNS responses. Implementing these practices involves setting up comprehensive logging of DNS queries and responses, which allows for the identification of anomalies or suspicious activity. This can include tracking the frequency of requests, identifying any unexpected spikes in traffic, and monitoring changes in DNS configurations. By leveraging real-time alerts and automated analysis tools, teams can swiftly investigate and mitigate potential threats, ensuring the integrity and reliability of the DNS infrastructure. 

Malware uses DNS

DNS is crucial for online interactions but is often exploited by malicious actors. Malware uses DNS to deliver payloads and communicate with command and control (C&C) servers. Techniques like DNS load-balancing, domain generation algorithms, and fast-flux help malware bypass IP-based blocking and remain undetected. This allows attackers to update domains and IP addresses dynamically, evading detection and extending their activities.

Controlling malware’s use of DNS can be achieved by implementing filtering in the recursive DNS server, a technology called Protective DNS. This approach prevents malware from resolving domain names and communicating with C&C servers, effectively neutralizing its capabilities. Protective DNS also allows for the blocking of known malicious domains and IP addresses, preventing users from unknowingly accessing harmful websites or downloading infected files. Additionally, by leveraging threat intelligence feeds, teams can constantly update their protective DNS policies to stay ahead of emerging threats.

Why understanding DNS matters

DNS might seem like a highly technical topic, but its role in everyday online interactions is undeniable. For businesses, mastering DNS can offer competitive advantages like faster response times, better security, and improved website availability for users.

Whether you’re a seasoned IT professional or just dipping your toes into web infrastructure, understanding DNS is essential in navigating and optimizing the online world.

Mastering the basics of DNS can transform your understanding of how the internet functions, from browsing your favorite websites to running an efficient online business. The next time you watch a webpage load in seconds or experience a domain resolution error, you’ll know exactly what’s happening behind the scenes.

Want to take a deeper dive or solve your DNS-related issues? Bookmark this guide, or explore advanced DNS topics with other resources in our blog.

Vercara is DNS

Our authoritative DNS service, UltraDNS, is designed to provide fast, reliable, and secure DNS resolutions for your domain. By hosting your DNS records, we ensure that users can access your website and services efficiently without delays. Our infrastructure is built to handle high-traffic volumes and offers advanced features like load balancing and geographic routing to optimize the user experience. Additionally, our service includes robust security measures to protect against threats such as DDoS attacks, ensuring your online presence remains uninterrupted and secure. 

Our protective DNS service, UltraDDR, offers a proactive approach to safeguarding your network from various cyber threats. By leveraging a vast data lake of malware infrastructure and cutting-edge threat intelligence techniques, it blocks access to both known and unknown malicious domains and IP addresses, preventing malware and phishing attacks before they can impact your system. This service also includes customizable policies, allowing you to tailor DNS filtering to meet your organization’s specific needs. With constant updates from our threat intelligence feeds, our protective DNS keeps you ahead of evolving threats, ensuring a secure online environment for your users.