What is DNS? How the Domain Name System Translates Names to IP Addresses

DNS (Domain Name System) is a hierarchical, distributed naming system that translates human-readable domain names such as www.example.com into IP addresses such as 93.184.216.34 that computers use to route network traffic. DNS resolution typically completes in 20–120 ms.

Without DNS, every Internet request would require the user to know the numeric IP address of the destination server. This guide covers the DNS hierarchy, resolution process, caching, record types, security extensions, and how to flush the DNS cache.

What Is DNS?

DNS is the distributed database that maps domain names to IP addresses across the global Internet. The system is hierarchical — no single server holds all DNS records.

Instead, authority is delegated from the root downward to Top-Level Domain (TLD) servers and then to authoritative nameservers operated by domain registrars and hosting providers. DNS is defined in RFC 1034 and RFC 1035, published in 1987.

DNS uses port 53 for both UDP (standard queries) and TCP (zone transfers, and responses that exceed 512 bytes, or 4,096 bytes when EDNS is in use). The average DNS response is under 512 bytes and fits in a single UDP packet.

DNS Hierarchy

DNS is organized as an inverted tree with 3 main levels below the root, plus the recursive resolvers that query those levels on behalf of clients.

  • Root servers: The top of the DNS hierarchy. There are 13 root server clusters (labeled A through M), operated by 12 organizations. As of 2024, over 1,700 root server instances exist globally via anycast routing. Root servers store the addresses of all TLD nameservers but do not hold individual domain records.
  • TLD nameservers: Manage Top-Level Domains such as .com, .org, .net, .uk, and country-code TLDs. Verisign operates the .com and .net TLD servers. Over 1,500 TLDs exist as of 2024.
  • Authoritative nameservers: Hold the actual DNS records for specific domains. When a domain is registered, the registrar points to the authoritative nameservers (typically hosted by the web host, CDN, or a DNS provider like Cloudflare or AWS Route 53). Authoritative servers provide the definitive answer — no further lookup is needed once reached.
  • Recursive resolvers: The first step in DNS resolution for end users. Recursive resolvers (also called full-service resolvers) are operated by ISPs, Google (8.8.8.8), Cloudflare (1.1.1.1), and others. They query the DNS hierarchy on behalf of the client and cache responses to reduce latency on repeated lookups.

DNS Resolution Process Step by Step

A complete uncached DNS resolution follows these 7 steps, typically completing in 50–100 ms for the first query.

  1. The browser checks its own DNS cache. If the record is found and not expired, the resolution ends here (sub-millisecond).
  2. The operating system checks the local DNS cache (and the hosts file at /etc/hosts on Linux/macOS or C:\Windows\System32\drivers\etc\hosts on Windows).
  3. The OS sends the query to the configured recursive resolver (e.g., 1.1.1.1 or the ISP resolver). If the resolver has the answer cached, it returns it immediately.
  4. The recursive resolver queries a root server: “Who handles .com?” The root server returns the addresses of the .com TLD nameservers.
  5. The recursive resolver queries the .com TLD server: “Who handles example.com?” The TLD server returns the authoritative nameserver addresses for example.com.
  6. The recursive resolver queries the authoritative nameserver for example.com and receives the A record (IP address) for www.example.com.
  7. The recursive resolver returns the IP address to the client’s OS, which passes it to the browser. The resolver caches the response for the duration specified by the record’s TTL.

DNS Caching and TTL

DNS caching stores query results at the recursive resolver, OS, and browser level to avoid repeating the full resolution process. TTL (Time to Live) is a value in seconds set by the domain owner in each DNS record that defines how long resolvers may cache the record before discarding it and re-querying.

Common TTL values include 3,600 seconds (1 hour) for most records, 300 seconds (5 minutes) for records expected to change soon, and 86,400 seconds (24 hours) for stable records. Low TTLs increase DNS server load and query latency.

High TTLs delay propagation when DNS records are updated. DNS changes do not propagate instantly — propagation can take from minutes (for low TTL records) to 48 hours (for records with 24-hour TTLs that are cached across many resolvers globally).
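To make the 7 resolution steps and the TTL rules concrete, here is a toy recursive resolver written for this article as an added example (not code from the original post). It walks constructed zone data for root → TLD → authoritative (the server names tld-com.example. and ns1.example.com. and the address 192.0.2.10 are placeholders), caches every record by its TTL, discards expired entries, skips the root/TLD hops when a delegation is still cached, chases a CNAME to its A record, and raises when no record exists.

```python
# Constructed zone data (placeholder names/addresses, not real DNS records): each
# tier holds only what it is authoritative for; an NS entry is a referral down.
SERVERS = {
    "root": {"com.": [("NS", "tld-com.example.", 172800)]},
    "tld-com.example.": {"example.com.": [("NS", "ns1.example.com.", 172800)]},
    "ns1.example.com.": {"www.example.com.": [("CNAME", "example.com.", 300)],
                         "example.com.": [("A", "192.0.2.10", 3600)]},
}


def suffixes(name):   # "www.example.com." -> itself, "example.com.", "com.", ""
    return [".".join(name.split(".")[i:]) for i in range(name.count(".") + 1)]


class Resolver:
    def __init__(self):
        self.cache = {}                # (name, rtype) -> (rdata, expires_at)
        self.upstream_queries = 0      # how many of steps 4-6 were really sent

    def cached(self, name, rtype, now):
        hit = self.cache.get((name, rtype))
        if hit and hit[1] > now:       # still within its TTL
            return hit[0]
        self.cache.pop((name, rtype), None)   # expired: discard and re-query
        return None

    def ask(self, server, name):       # one query to one server (longest match)
        self.upstream_queries += 1
        zone = SERVERS[server]
        return next(((s, zone[s]) for s in suffixes(name) if s in zone), (None, []))

    def resolve(self, name, rtype, now):
        for rt in (rtype, "CNAME"):    # cache hit for the answer or for an alias?
            hit = self.cached(name, rt, now)
            if hit:
                return hit if rt == rtype else self.resolve(hit, rtype, now)
        server = next((ns for s in suffixes(name)
                       if (ns := self.cached(s, "NS", now))), "root")  # warm cache skips root/TLD
        while True:
            key, records = self.ask(server, name)
            for rt, rdata, ttl in records:
                self.cache[(key, rt)] = (rdata, now + ttl)
            if key == name:            # reached the name itself: answer or alias
                for rt, rdata, _ in records:
                    if rt in (rtype, "CNAME"):
                        return rdata if rt == rtype else self.resolve(rdata, rtype, now)
            nxt = next((r for t, r, _ in records if t == "NS"), None)
            if nxt is None or nxt == server:   # no deeper delegation: NXDOMAIN
                raise LookupError(f"no {rtype} record for {name}")
            server = nxt
```

Resolving www.example.com. cold costs 4 upstream queries; repeating it within the CNAME's 300-second TTL costs none, and after the CNAME expires only the authoritative server is asked again because the delegations are still cached.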

DNS Record Types

DNS supports dozens of record types. The following are the 6 most commonly encountered in web hosting and email configuration.

| Record Type | Purpose | Example |
| --- | --- | --- |
| A | Maps a domain name to an IPv4 address | example.com → 93.184.216.34 |
| AAAA | Maps a domain name to an IPv6 address | example.com → 2606:2800:220:1:248:1893:25c8:1946 |
| CNAME | Alias — points one domain name to another domain name | www.example.com → example.com |
| MX | Specifies the mail server for a domain (with a priority value) | example.com MX 10 mail.example.com |
| TXT | Stores text data — used for SPF, DKIM, DMARC, domain verification | example.com TXT “v=spf1 include:_spf.google.com ~all” |
| NS | Specifies the authoritative nameservers for a domain | example.com NS ns1.cloudflare.com |
| SOA | Start of Authority — defines the primary nameserver, admin email, serial number, refresh/retry intervals | Required in every DNS zone |
| PTR | Reverse DNS — maps an IP address to a domain name (used in email server verification) | 34.216.184.93.in-addr.arpa → example.com |

DNS over HTTPS and DNS over TLS

Standard DNS queries are transmitted in plaintext over UDP port 53, allowing ISPs, network administrators, and attackers on the same network to observe which domains a device queries. DoH and DoT encrypt DNS queries to prevent this.

  • DoH (DNS over HTTPS): Sends DNS queries inside encrypted HTTPS traffic on port 443. DoH queries are indistinguishable from regular HTTPS traffic, making them difficult to block or monitor at the network level. Supported by Firefox, Chrome, and Edge.
  • DoT (DNS over TLS): Encrypts DNS queries using TLS on port 853. Because it uses a dedicated DNS port, DoT is easier for network administrators to identify and control than DoH. Supported by Android 9+ (Private DNS feature) and many enterprise firewalls.

DNS Cache Poisoning

DNS cache poisoning (also called DNS spoofing) is an attack in which false DNS records are injected into a recursive resolver’s cache, redirecting users who query that resolver to attacker-controlled IP addresses. The attack exploits the fact that DNS uses UDP, which does not verify the source of responses.

DNSSEC (DNS Security Extensions) mitigates cache poisoning by cryptographically signing DNS records. Resolvers verify signatures against the zone’s public key before accepting records.

DNSSEC does not encrypt queries (that is DoH/DoT’s role) — it authenticates responses to prevent tampering. As of 2024, approximately 35% of domain names support DNSSEC globally according to ICANN data.

How to Flush the DNS Cache

Flushing the DNS cache clears all locally stored DNS records, forcing the system to perform fresh lookups. This is required when DNS records for a domain have changed and the cached old values are causing connection errors.

  • Windows: Open Command Prompt as Administrator and run ipconfig /flushdns. The output confirms: “Successfully flushed the DNS Resolver Cache.”
  • macOS (Ventura / Sonoma): Run sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder in Terminal.
  • Linux (systemd-resolved): Run sudo systemd-resolve --flush-caches in Terminal.
  • Google Chrome browser cache: Navigate to chrome://net-internals/#dns and click “Clear host cache.”

Key Takeaways

  • DNS translates domain names to IP addresses. Resolution traverses recursive resolver → root server → TLD server → authoritative nameserver, typically in 50–100 ms.
  • There are 13 root server clusters with over 1,700 anycast instances globally as of 2024.
  • TTL controls how long DNS records are cached. Common values are 3,600 seconds (1 hour) to 86,400 seconds (24 hours).
  • A records map to IPv4; AAAA records map to IPv6; MX records specify mail servers; TXT records carry SPF/DKIM/DMARC and verification strings.
  • DoH encrypts DNS queries within HTTPS on port 443. DoT encrypts on dedicated port 853. Both prevent plaintext DNS surveillance.
  • On Windows, ipconfig /flushdns clears the local DNS cache when stale records cause connection issues.

What happens when DNS fails?

When DNS fails, domain names cannot be resolved to IP addresses. Browsers display “DNS_PROBE_FINISHED_NXDOMAIN” or “Server not found” errors. Direct IP access still works. Fixing DNS failure involves checking resolver settings, flushing cache, or switching to an alternate resolver like 1.1.1.1 or 8.8.8.8.

What is a DNS resolver?

A DNS resolver (recursive resolver) queries the DNS hierarchy on behalf of a client device. ISPs provide resolvers by default. Public alternatives include Cloudflare (1.1.1.1), Google (8.8.8.8), and OpenDNS (208.67.222.222).

What is the difference between a CNAME and an A record?

An A record maps a domain directly to an IPv4 address. A CNAME record maps one domain name to another domain name (an alias). The resolver follows the CNAME chain until it finds an A or AAAA record with the actual IP address.

What is TTL in DNS?

TTL (Time to Live) is the number of seconds a DNS record may be cached by resolvers before it must be re-queried. A TTL of 3,600 means the record is cached for 1 hour. Lower TTLs reduce propagation time when records change but increase query volume.

How do I flush the DNS cache on Windows?

Open Command Prompt as Administrator and run ipconfig /flushdns. This clears all locally cached DNS records. The command confirms success with “Successfully flushed the DNS Resolver Cache.” This is required when DNS changes are not reflected locally even though the records have already been updated at the registrar.

Last Thoughts on DNS

DNS is the directory service of the Internet. Every web request, email, and API call begins with a DNS lookup. The system’s hierarchical design — root servers, TLD servers, authoritative nameservers, recursive resolvers — distributes billions of daily queries without a central point of failure.

TTL controls propagation speed; DNSSEC authenticates records; DoH and DoT encrypt queries. Understanding DNS resolution, record types, and cache flushing is foundational to web hosting, email deliverability, network troubleshooting, and security configuration.

Nizam Ud Deen

Nizam Ud Deen is the founder of theCoreiTech, a tech-focused platform dedicated to simplifying the world of computers, hardware, and digital innovation. With nearly a decade of experience in digital marketing and IT, Nizam combines strategic marketing insight with deep technical understanding. As a passionate entrepreneur, he has built multiple successful digital products and online ventures, helping bridge the gap between technology and everyday users. His mission through theCoreiTech is to empower readers to make informed decisions about computers, hardware, and emerging tech trends through clear, data-driven, and actionable content.
