DNS Protocol
The Domain Name System translates human-readable domain names into IP addresses (and carries other records: mail routing, service locations, ownership proofs). It’s a distributed, hierarchical database queried primarily over UDP port 53, with TCP port 53 used for large responses and zone transfers. Almost every connection made by name starts with a DNS lookup.
Why It Matters
DNS is the first thing that happens when you connect to anything by name. Slow DNS = slow everything. DNS misconfigurations cause outages. Understanding DNS helps you debug connectivity issues, configure domains, and understand how CDNs, load balancers, and email delivery work.
Resolution Process
Browser: "What's the IP for docs.example.com?"
1. Check local cache (browser, OS)
2. Ask recursive resolver (ISP, 8.8.8.8, 1.1.1.1)
↓ if not cached:
3. Ask root nameserver (. zone)
→ "Ask .com nameserver at 192.5.6.30"
4. Ask .com TLD nameserver
→ "Ask example.com NS at ns1.example.com (198.51.100.1)"
5. Ask authoritative nameserver for example.com
→ "docs.example.com A 93.184.216.34"
6. Resolver caches result (respects TTL), returns to client
Recursive vs Iterative
- Recursive: the client (stub) asks a resolver; the resolver does all the work and returns the final answer
- Iterative: each server answers with either the answer or a referral (“ask them instead”); whoever asked follows the chain
Your system’s resolver (e.g., 8.8.8.8) is recursive: it accepts recursive queries from you and performs the iterative walk on your behalf. Root, TLD and authoritative nameservers do not recurse; they answer for the zones they hold and refer you onward for everything else.
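The walk above (root, then .com, then example.com) as an added example, not code from the page: a toy iterative resolver over constructed, in-memory zone data. The server addresses are the ones used in the walkthrough plus an assumed root-server hint; nothing is sent over the network, and the referral/answer logic is a simplification of what a real resolver does (no additional-section parsing, no NS caching).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str   # owner name, always fully qualified (trailing dot)
    rtype: str
    ttl: int
    rdata: str


# Constructed zone data keyed by the IP a resolver would contact. Addresses
# are those from the walkthrough above plus a root-server hint; nothing here
# is queried over the network.
ROOT_IP = "198.41.0.4"  # a.root-servers.net, shipped in the resolver's hints file
SERVERS = {
    ROOT_IP: {"zone": ".", "records": [
        RR("com.", "NS", 172800, "a.gtld-servers.net."),
        RR("a.gtld-servers.net.", "A", 172800, "192.5.6.30"),    # glue
    ]},
    "192.5.6.30": {"zone": "com.", "records": [
        RR("example.com.", "NS", 172800, "ns1.example.com."),
        RR("ns1.example.com.", "A", 172800, "198.51.100.1"),     # glue
    ]},
    "198.51.100.1": {"zone": "example.com.", "records": [
        RR("example.com.", "NS", 86400, "ns1.example.com."),     # apex NS, not a delegation
        RR("example.com.", "A", 3600, "93.184.216.34"),
        RR("docs.example.com.", "CNAME", 3600, "example.com."),
    ]},
}


def in_zone(name: str, zone: str) -> bool:
    return zone == "." or name == zone or name.endswith("." + zone)


def query_server(server_ip: str, qname: str, qtype: str):
    """One non-recursive query to an authoritative server.
    Returns (kind, payload, zone): kind is "referral" (payload = next server
    IP taken from glue), "answer" (payload = matching RRs) or "nxdomain"."""
    server = SERVERS[server_ip]
    recs = server["records"]
    # An NS record for a sub-zone that covers qname is a delegation: this
    # server is not authoritative for the name and refers us to the child.
    delegations = [r for r in recs if r.rtype == "NS"
                   and r.name != server["zone"] and in_zone(qname, r.name)]
    if delegations:
        ns = max(delegations, key=lambda r: len(r.name))   # closest enclosing zone
        glue = next(g for g in recs if g.name == ns.rdata and g.rtype == "A")
        return "referral", glue.rdata, ns.name
    answer = [r for r in recs if r.name == qname and r.rtype in (qtype, "CNAME")]
    return ("answer" if answer else "nxdomain"), answer, server["zone"]


def resolve(qname: str, qtype: str = "A", max_steps: int = 10):
    """What a recursive resolver does on a cache miss: start at the root and
    follow referrals until a server answers (the chain dig +trace prints).
    Returns (answer RRs, list of (server_ip, kind, zone) visited)."""
    if not qname.endswith("."):
        qname += "."
    server_ip, chain = ROOT_IP, []
    for _ in range(max_steps):
        kind, payload, zone = query_server(server_ip, qname, qtype)
        chain.append((server_ip, kind, zone))
        if kind == "referral":
            server_ip = payload
            continue
        rrs = list(payload)
        cname = next((r for r in rrs if r.rtype == "CNAME"), None)
        if cname is not None and qtype != "CNAME":
            # Resolvers chase the alias: restart resolution for the target.
            target_rrs, sub_chain = resolve(cname.rdata, qtype, max_steps - len(chain))
            rrs += target_rrs
            chain += sub_chain
        return rrs, chain
    raise RuntimeError(f"gave up after {max_steps} referrals (delegation loop?)")
```

`resolve("docs.example.com")` visits the root (referral to .com), the .com server (referral to ns1.example.com) and then the example.com server, which answers with the CNAME; the resolver then restarts from the root for the CNAME target, which is exactly the extra round trip a CNAME chain costs. The step limit is there because a broken delegation loop would otherwise never terminate.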
Record Types
| Type | Purpose | Example |
|---|---|---|
| A | IPv4 address | example.com → 93.184.216.34 |
| AAAA | IPv6 address | example.com → 2606:2800:220:1:... |
| CNAME | Alias to another name | www.example.com → example.com |
| MX | Mail server (with priority) | example.com → 10 mail.example.com |
| NS | Nameserver delegation | example.com → ns1.example.com |
| TXT | Text data (SPF, DKIM, verification) | v=spf1 include:_spf.google.com ~all |
| SOA | Zone authority: primary NS, admin mailbox, serial, refresh/retry/expire timers, negative-caching TTL | ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600 |
| SRV | Service location (priority, weight, port, target) | _sip._tcp.example.com → 10 60 5060 sip.example.com |
| PTR | Reverse lookup (IP → name) | 34.216.184.93.in-addr.arpa → example.com |
DNS Caching and TTL
Every record has a TTL (Time To Live) in seconds. Resolvers cache records until TTL expires.
- Short TTL (60-300s): fast failover, higher query load on the authoritative servers
- Long TTL (3600-86400s): fewer queries, slow rollout of changes
When you change a DNS record, the authoritative servers answer with the new value immediately, but every resolver that cached the old record keeps serving it until its copy expires. “Propagation” is really just caches timing out, so a change is fully visible only once the old TTL has elapsed everywhere. Lower the TTL at least one old-TTL period before a planned change, make the change, then raise it again.
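The stale-cache behaviour described above, as an added example (not code from the page): a minimal TTL-aware resolver cache fed by constructed authoritative data, with the clock passed in so the timeline runs without sleeping. The addresses and the 300-second TTL are assumptions chosen for the illustration.

```python
class ResolverCache:
    """Positive cache keyed by (name, type). `now` is passed in (seconds) so
    the timeline below runs without sleeping; a real resolver would read a
    monotonic clock."""

    def __init__(self):
        self._entries = {}  # (name, rtype) -> (expires_at, rdata)

    def put(self, name, rtype, rdata, ttl, now):
        self._entries[(name, rtype)] = (now + ttl, rdata)

    def get(self, name, rtype, now):
        """Return (rdata, remaining_ttl) or None. Cached answers are handed out
        with the *remaining* TTL, which is why repeated digs against a caching
        resolver show the TTL counting down."""
        entry = self._entries.get((name, rtype))
        if entry is None:
            return None
        expires_at, rdata = entry
        if now >= expires_at:
            del self._entries[(name, rtype)]   # expired: next lookup goes upstream
            return None
        return rdata, int(expires_at - now)


def lookup(cache, authoritative, name, rtype, now):
    """Serve from cache while fresh; otherwise fetch from the (constructed)
    authoritative data and cache it for the TTL the zone specifies."""
    hit = cache.get(name, rtype, now)
    if hit is not None:
        rdata, remaining = hit
        return rdata, remaining, "cache"
    rdata, ttl = authoritative[(name, rtype)]
    cache.put(name, rtype, rdata, ttl, now)
    return rdata, ttl, "authoritative"


def record_change_timeline():
    """Operator changes example.com's A record between t=100 and t=200 while
    the old answer (TTL 300) is cached. The resolver keeps serving the old
    address until its copy expires at t=300, then fetches the new one."""
    authoritative = {("example.com.", "A"): ("93.184.216.34", 300)}  # constructed zone data
    cache = ResolverCache()
    timeline = [
        lookup(cache, authoritative, "example.com.", "A", now=0),     # miss -> authoritative, TTL 300
        lookup(cache, authoritative, "example.com.", "A", now=100),   # hit, 200s left
    ]
    authoritative[("example.com.", "A")] = ("203.0.113.7", 300)      # the change, immediate at the authority
    timeline += [
        lookup(cache, authoritative, "example.com.", "A", now=200),   # still the old address, 100s left
        lookup(cache, authoritative, "example.com.", "A", now=300),   # expired -> new address
    ]
    return timeline
```

The timeline is the whole story of "DNS propagation": the authority flips instantly, the cache does not. A resolver that had never looked the name up (or whose entry had already expired) would see the new address at once, which is why different people see different answers during the old-TTL window.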
Practical: dig
dig example.com # A record (default)
dig example.com AAAA # IPv6
dig example.com MX # mail servers
dig example.com ANY # all records (many servers now refuse ANY and return a minimal HINFO answer per RFC 8482; query each type instead)
dig @8.8.8.8 example.com # query a specific resolver (or an authoritative server, to bypass caches)
dig +trace example.com # show full resolution chain (dig walks from the root itself instead of asking a resolver)
dig +short example.com # just the IP
# Key output fields:
# ;; ANSWER SECTION:
# example.com. 3600 IN A 93.184.216.34
# ↑name ↑TTL ↑class ↑type ↑value
# The TTL shown by a caching resolver is the remaining time (repeat the query and watch it count down); the authoritative server shows the configured TTL.
nslookup example.com # simpler alternative
host example.com # even simpler
resolvectl status # systemd-resolved config (which resolver each interface uses)
Wire Protocol
DNS messages use a compact binary format (not text like HTTP):
Header: ID, flags (QR, opcode, rcode), counts
Question: name (length-prefixed labels), type, class
Answer: name, type, class, TTL, rdata
Name encoding: \x07example\x03com\x00
(7 bytes "example", 3 bytes "com", null terminator)
Classically a message had to fit in a single 512-byte UDP payload. EDNS0 lets the client advertise a larger buffer in an OPT pseudo-record in the additional section (4096 was common; most resolvers now advertise 1232 to stay under the IPv6 minimum MTU and avoid fragmentation). If the response still does not fit, the server sets the TC (truncated) bit and the client retries the same query over TCP port 53.
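The wire format above, as an added example written for this page (not code from the original): a query builder with an EDNS0 OPT record, a parser that handles label compression pointers and the TC bit, the PTR-name construction from the record-type table, and the ID/question match a resolver performs before accepting a reply. The response bytes are constructed by hand rather than captured, and the 1232-byte buffer size and transaction ID 0x1234 are assumptions.

```python
import ipaddress
import struct


def encode_name(name: str) -> bytes:
    """Wire form of 'example.com': 7 'example' 3 'com' 0 (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def reverse_name(ip: str) -> str:
    """Name to query for a PTR lookup: IPv4 octets reversed under in-addr.arpa,
    IPv6 as its 32 hex nibbles reversed under ip6.arpa."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."
    return ".".join(reversed(addr.exploded.replace(":", ""))) + ".ip6.arpa."


def build_query(name: str, qtype: int = 1, txid: int = 0x1234, bufsize: int = 1232) -> bytes:
    """Header (ID, flags, QD, AN, NS, AR) + question + an EDNS0 OPT record.
    flags 0x0100 = RD (recursion desired); the OPT record's class field
    advertises the UDP payload size we accept (assumed 1232 here)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0, 0)      # root name, type OPT
    return header + question + opt


def decode_name(msg: bytes, off: int):
    """Read a name at `off`, following 0xC0xx compression pointers.
    Returns (name, offset just past the name as laid out at `off`)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                 # pointer: 14-bit offset into the message
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (off if end is None else end)


def parse_message(msg: bytes):
    """Return (header dict, questions, answers); answers decode A and CNAME rdata."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    hdr = {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
           "rcode": flags & 0x000F}
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)     # A record
        elif rtype == 5:
            rdata, _ = decode_name(msg, off)            # CNAME target (may be compressed)
        off += rdlen
        answers.append((name, rtype, ttl, rdata))
    return hdr, questions, answers


def response_matches_query(query: bytes, response: bytes) -> bool:
    """Accept a reply only if it is a response (QR=1) whose ID and question
    section match the outstanding query. Together with the randomized UDP
    source port, this is what a blind spoofer has to guess."""
    qh, qq, _ = parse_message(query)
    rh, rq, _ = parse_message(response)
    return rh["qr"] and rh["id"] == qh["id"] and rq == qq


def constructed_response(txid: int = 0x1234, truncated: bool = False) -> bytes:
    """Hand-built (not captured) reply: one A record for example.com, TTL 3600,
    with the answer's owner name compressed to a pointer (0xC00C -> offset 12)."""
    flags = 0x8180 | (0x0200 if truncated else 0)        # QR, RD, RA; TC optional
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([93, 184, 216, 34])
    return header + question + answer
```

`build_query("example.com")` produces the bytes you would hand to `socket.sendto` on UDP port 53; on the way back, check `hdr["tc"]` first and, if set, resend the same query over TCP, because the answers section of a truncated reply is incomplete by definition. The hop limit in `decode_name` matters in real parsers: a malicious message can point a compression pointer at itself, and a parser without such a limit spins forever.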
DNS Security
- DNS over HTTPS (DoH): carries DNS queries inside HTTPS on port 443 (hides queries from the local network and ISP, and blends in with web traffic)
- DNS over TLS (DoT): DNS inside TLS on port 853 (same privacy goal, but easy to identify and block by port)
- DNSSEC: zones sign their records and publish keys along a chain of trust from the root, so a validating resolver can detect forged or modified answers. It authenticates data but does not encrypt it, and it only helps for zones that are signed and resolvers that validate.
- DNS cache poisoning: the attacker answers a resolver's outstanding query with a forged reply before the real one arrives, so a bogus record is cached and served to every client of that resolver. The forged packet has to match the transaction ID, the question and the resolver's UDP source port, so randomizing both the ID and the source port (roughly 32 bits to guess) is the baseline defense; DNSSEC validation rejects forged answers for signed zones outright.
Related
- IP and Routing — DNS resolves names to IP addresses for routing
- UDP Protocol — DNS uses UDP port 53 (TCP for large responses)
- TLS and Encryption — DoH/DoT encrypt DNS queries
- OSI and TCP IP Model — DNS is an application-layer protocol