DNS
Learn about DNS and related networking concepts.

What is DNS?

The Domain Name System (DNS) is a hierarchical, distributed database that translates human-readable domain names (like example.com) into machine-readable IP addresses (like 93.184.216.34). It is one of the most critical components of internet infrastructure, handling billions of queries daily.

DNS was created in 1983 by Paul Mockapetris (RFC 882/883), replacing the earlier HOSTS.TXT system that could not scale beyond a few thousand entries.

For a complete guide covering DNS resolution, record types, caching, security, troubleshooting and public resolvers, see our full DNS guide.

How DNS Works

When you type a domain name, a chain of queries resolves it to an IP address:

  1. Your device checks its local cache
  2. If not cached, the query goes to a recursive resolver (e.g. 8.8.8.8)
  3. The resolver queries root servers, then TLD servers, then authoritative servers
  4. The authoritative server returns the IP address
  5. The resolver caches the answer and returns it to your device

This process typically completes in 20 to 120 milliseconds.

Types of DNS Servers

  • Root nameservers - 13 logical servers (a-m.root-servers.net) at the top of the hierarchy
  • TLD nameservers - manage zones for .com, .org, .net, country codes etc.
  • Authoritative nameservers - hold actual DNS records for specific domains
  • Recursive resolvers - handle queries from end users (Google 8.8.8.8, Cloudflare 1.1.1.1, Quad9 9.9.9.9)

Key DNS Record Types

  • A - maps domain to IPv4 address
  • AAAA - maps domain to IPv6 address
  • CNAME - alias pointing one domain to another
  • MX - mail server for the domain
  • TXT - text data (SPF, DKIM, verification)
  • NS - nameserver delegation
  • SOA - zone metadata (serial, refresh, retry)
  • PTR - reverse DNS (IP to hostname)
  • SRV - service location (port and host)
  • CAA - certificate authority authorization

For detailed inspection of DNS records, use the DNS Lookup tool.

DNS Propagation

When DNS records are changed, the updates do not appear everywhere instantly. Resolvers serve cached copies until the TTL expires. Full propagation takes from minutes to 48 hours depending on the old TTL value.

Monitor propagation in real time with the DNS Propagation Checker, which queries 23 resolvers across 6 continents.

DNS Security

  • DNSSEC - cryptographic signatures that validate DNS response authenticity
  • DNS over HTTPS (DoH) - encrypts queries inside HTTPS traffic (port 443)
  • DNS over TLS (DoT) - encrypts queries using TLS (port 853)

Standard DNS queries are unencrypted plain text. A DNS Leak Test can check whether your queries are properly encrypted through a VPN.

References

  • RFC 1034/1035 - Domain Names Concepts and Facilities
  • RFC 4033-4035 - DNSSEC
  • RFC 8484 - DNS over HTTPS
  • RFC 7858 - DNS over TLS
Last modified: Apr 6, 2026