DNS is a globally distributed database and protocol that resolves domain names into IP addresses (and other records) used to locate services on the internet.
A DNS lookup returns records (e.g., A/AAAA/CNAME) from caches or authoritative name servers, usually within milliseconds.
In other words, DNS, which stands for Domain Name System, is a distributed database system that converts domain names into IP addresses. At its heart, DNS solves a simple but crucial problem: humans prefer memorable names, while computers need numbers. Without DNS, you’d need to memorize strings of numbers like 192.168.1.1 instead of simple website names.
The system works like a massive, distributed directory that’s constantly updating and evolving. DNS creates a bridge between human language and machine language. Every time you click a link or type a URL, DNS servers worldwide spring into action, working together to get you to your destination. This process happens so quickly that most users don’t notice it’s occurring.
Key Concepts
- DNS translates domain names (e.g., [www.example.com]) into IP addresses (e.g., 192.0.2.1)
- It operates as a distributed database implemented across a hierarchy of DNS servers
- DNS functions as an application layer protocol enabling hosts to query this distributed database
When to use DNS
- When you need users to reach a service by a stable name even if IPs change.
- When you operate websites, APIs, email, or any internet-facing service.
- When you need routing flexibility (CDN/edge, multi-region, failover) via DNS answers.
- When you want performance improvements via caching and anycast resolvers.
- When you need verifiable authenticity of DNS data using DNSSEC.
When not to use DNS (or when DNS alone isn’t enough)
- When you need per-request routing decisions based on application-layer data (use load balancers, reverse proxies, or edge routing).
- When you need immediate changes everywhere (DNS propagation is bounded by TTL and caches).
- When you need to secure application traffic end-to-end (DNS doesn’t replace TLS, WAF, or authentication).
- When you need to hide an origin IP completely (DNS can reveal endpoints unless combined with network controls/edge shielding).
Signals you need DNS improvements (symptoms)
- Users in some regions experience slow first-byte times due to slow DNS resolution.
- Intermittent “site not found” or resolution failures (SERVFAIL/NXDOMAIN spikes).
- Outages take too long to recover because clients keep using cached old answers.
- You see DNS-based attacks (spoofing, cache poisoning, amplification).
- You can’t confidently validate that users are reaching the right endpoint (need DNSSEC).
How DNS Works
The DNS resolution process involves several steps and components.
When you type a website address into your browser, you begin a fascinating journey through the internet’s addressing system. DNS acts as a translator, converting human-readable website names into computer-friendly IP addresses and vice versa.
Phase 1 - Local Memory Check
The process starts with checking the device’s local DNS cache. This first step queries temporarily stored DNS records in memory, significantly reducing response time and network traffic for recently accessed domains.
Phase 2 - The Local Guide (DNS Resolver)
If the address is not found in the local cache, the query is forwarded to a DNS resolver. This specialized server maintains an extensive cache of DNS records and is configured to perform recursive queries on behalf of clients. The resolver checks its own cache before initiating a complete query through the DNS hierarchy.
Phase 3 - The Global Directory (Root Servers)
When the resolver needs assistance, it contacts one of the 13 unique root server names (A to M) distributed worldwide. Each name corresponds to a shared IP address, supported by multiple anycast instances. These servers are strategically positioned to ensure global availability and low latency.
Today, it is also possible to configure a DNS resolver to operate with a local copy of the root zone, as described in RFC 8806. This eliminates the need to query external root servers directly, improving efficiency and privacy.
Phase 4 - The Specialized Directories (TLD Servers)
The root servers direct the query to TLD (Top-Level Domain) servers. These are like specialized departments that handle specific types of addresses. For example:
- One department handles all .com addresses
- Another manages .org addresses
- A different one takes care of .net addresses
Phase 5 - The Final Answer (Authoritative Server)
The last stop is the authoritative server, which is like the ultimate expert for the specific website you’re looking for. This server knows everything about the domain, including its exact IP address.
Phase 6 - The Return Journey
Once the authoritative server provides the address, the information travels back through the same path:
- Authoritative server → TLD server
- TLD server → Root server
- Root server → DNS resolver
- DNS resolver → Your device
Remember: This entire journey typically happens in milliseconds, making your internet browsing experience smooth and seamless.
This systematic approach to DNS resolution ensures that billions of internet users can reliably access websites worldwide, making it one of the most crucial systems in modern internet infrastructure.
DNS System Architecture
The DNS system is structured hierarchically:
- Root Servers: 13 sets of root servers globally distributed
- Top-Level Domain (TLD) Servers: Manage domains like .com, .org, .net
- Authoritative Name Servers: Store and provide the actual IP addresses for specific domains
In short, this is a basic example of how DNS works:
- The client asks the local server for name resolution (for example, [www.azion.com.br]);
- The local server asks [www.azion.com.br] to a root server;
- The root server responds: who is responsible for .br is 2xx.2xx.1xx.10;
- The local server asks the server responsible for .com.br for [www.azion.com.br];
- The server responsible for .com.br responds: the server responsible for .com.br is 179.191.xxx.2;
- The local server asks [www.azion.com.br] to the authoritative server responsible for azion.com.br;
- The authoritative server responsible for azion.com.br responds to the local server [www.azion.com.br] = 2xx.2xx.2xx.4;
- The local server sends the response [www.azion.com.br] = 2xx.2xx.2xx.4 to the user.
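The six phases above and the www.azion.com.br walkthrough describe the same algorithm: start at the root, follow each referral to a more specific server, stop at the first authoritative answer. The script below is an added example (not Azion's code) that runs that walk offline over a constructed delegation tree; the zone contents, server names and addresses (RFC 5737 documentation ranges) are assumptions that stand in for the real root, .br, .com.br and azion.com.br servers, and the network is replaced by a dictionary keyed on server IP.

```python
"""Simulated iterative resolution through a constructed DNS delegation tree.

Added example, not Azion's code: the zone data, server names and IP addresses
(RFC 5737 documentation ranges) are constructed to mirror the www.azion.com.br
walkthrough, and the network is replaced by a dictionary lookup so the whole
walk runs offline.
"""
from dataclasses import dataclass, field


@dataclass
class Zone:
    """What one authoritative server knows: records it owns and child zones it delegates."""
    name: str
    records: dict = field(default_factory=dict)      # owner name -> IPv4 (A record)
    delegations: dict = field(default_factory=dict)  # child zone -> (NS name, glue IP)


# Constructed hierarchy: root -> br. -> com.br. -> azion.com.br., keyed by server IP
ROOT_IP = "192.0.2.1"
SERVERS = {
    ROOT_IP: Zone(".", delegations={"br.": ("a.dns.br.", "192.0.2.10")}),
    "192.0.2.10": Zone("br.", delegations={"com.br.": ("b.dns.br.", "198.51.100.2")}),
    "198.51.100.2": Zone("com.br.", delegations={"azion.com.br.": ("ns1.azion.com.br.", "203.0.113.4")}),
    "203.0.113.4": Zone("azion.com.br.", records={"www.azion.com.br.": "203.0.113.40"}),
}


def query(server_ip, qname):
    """Reply as the server at server_ip would: an authoritative answer, a referral
    to the most specific child zone it delegates, or NXDOMAIN."""
    zone = SERVERS[server_ip]
    if qname in zone.records:
        return "answer", zone.records[qname]
    best = None
    for child, (ns_name, glue_ip) in zone.delegations.items():
        if qname == child or qname.endswith("." + child):
            if best is None or len(child) > len(best[0]):   # longest matching delegation wins
                best = (child, ns_name, glue_ip)
    if best is not None:
        return "referral", best
    return "nxdomain", None


def resolve(qname, max_referrals=8):
    """Follow referrals from the root until an answer. Returns (ip, trail), where
    trail lists (server_ip, reply_kind) in the order the resolver contacted them."""
    server_ip = ROOT_IP
    trail = []
    for _ in range(max_referrals):
        kind, data = query(server_ip, qname)
        trail.append((server_ip, kind))
        if kind == "answer":
            return data, trail
        if kind == "nxdomain":
            raise LookupError(f"{qname}: NXDOMAIN from {server_ip}")
        _child, _ns_name, server_ip = data   # next hop is the delegated server's glue address
    raise RuntimeError(f"{qname}: too many referrals (possible delegation loop)")


if __name__ == "__main__":
    ip, trail = resolve("www.azion.com.br.")
    print(f"www.azion.com.br. = {ip}")
    for hop, (srv, kind) in enumerate(trail, 1):
        print(f"  hop {hop}: {srv} -> {kind}")
```

The `max_referrals` bound is the check a real resolver also needs: a misconfigured delegation that points back to a parent would otherwise loop forever. Note that in this simulation the resolver contacts each server directly and receives each reply directly, which is also how a real recursive resolver behaves on the wire.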
The following image shows the architecture and the flow of the DNS system mentioned earlier
This hierarchical structure allows for efficient management and distribution of domain information across the Internet.
Important DNS Components
IP Addresses
IP addresses are unique numerical identifiers for devices connected to the internet. DNS links these addresses to human-readable domain names, facilitating easier internet navigation.
Domain Name Space
The Domain Name Space, also known as the domain hierarchy, is structured as an inverted tree and contains the specifications of domain names and the data associated with those names. This name space is divided into domains, and the responsibility for managing names within each domain is delegated to systems within that domain. That is, the naming structure is divided into small, manageable zones. Each DNS server maintains a specific database file and is only responsible for managing the name-to-IP mappings for that small part of the DNS structure. When a DNS server receives a request for name translation that is not part of its own zone, it forwards the request to another DNS server in the appropriate zone for translation.
Check the domain hierarchy in the following image:
About this structure:
- each intersection (in this case, the rectangle with a name inside) is called a node;
- each node represents a domain;
- each domain has a name, so each node in this structure is called a domain name;
- the domain name identifies each one’s position in the DNS logical hierarchy relative to its primary domain. Each domain name consists of a few names separated by dots;
- each domain can contain subdomains;
- a subdomain is part of a larger domain. For example, documentation.azion.com and blog.azion.com are subdomains of the azion.com domain;
- domains and subdomains are grouped into zones to allow for distributed administration of the namespace.
DNS Servers
DNS (Domain Name System) servers play a crucial role in the functioning of the internet. They act as the internet’s phonebook, translating human-readable domain names into IP addresses that computers use to identify each other. Let’s explore the key aspects of DNS servers.
Core Functions of DNS Servers
DNS servers perform three essential tasks:
- External Query Resolution: They respond to queries from external clients or servers on the internet about names registered in their local domain.
- Local Name Resolution: DNS servers perform internet domain name resolutions for their local clients (machines within their domain).
- Caching: To expedite future queries, these servers cache the name resolutions requested by their clients in a local cache.
Types of DNS Servers
Based on their functionality, DNS servers can be classified into three main categories:
Primary (Master) Servers
- Responsible for a specific domain.
- Handle the addition, alteration, or deletion of records for that domain.
- Serve as the authoritative source for domain information.
Secondary (Slave) Servers
- Function as backups to the primary server.
- Receive domain records from the primary server through a process called zone transfer.
- Respond to client requests when needed.
- Enhance reliability and load distribution.
Caching-only Servers
- Focus solely on querying and returning results.
- Maintain a local cache of recent queries.
- Not responsible for any specific domain.
- Primary function is to improve the performance of name resolutions for local clients by utilizing their cache.
The Importance of DNS Server Types
Understanding these different types of DNS servers is crucial for:
- Network Administration: Proper setup and management of DNS infrastructure.
- Performance Optimization: Utilizing caching servers to reduce network load and speed up resolutions.
- Reliability: Implementing secondary servers for redundancy and load balancing.
- Security: Maintaining control over domain information with primary servers.
By leveraging the strengths of each type of DNS server, it’s possible to create a robust, efficient, and reliable DNS infrastructure that forms the backbone of Internet communication.
Security and Reliability
Modern DNS incorporates dynamic answers and various security measures to protect users. DNSSEC, for example, adds digital signatures to DNS records, ensuring you reach legitimate websites rather than fraudulent copies. This security layer acts like a virtual bouncer, checking IDs before letting anyone through.
DNS stands as one of the internet’s most crucial yet often overlooked systems. It combines simplicity in concept with sophistication in execution, enabling seamless browsing. Additionally, Edge DNS enhances the resolution process by dynamically responding with IP addresses from servers that are actively serving requests in the best possible locations, ensuring optimal speed and reliability. This dynamic approach ensures that users are directed to the nearest and fastest available servers, improving both performance and fault tolerance in real-time.
Common DNS mistakes (and fixes)
- TTL too high during migrations
- Problem: changes take too long to take effect.
- Fix: lower TTL (e.g., 60–300s) before the change window, then raise after stabilization.
- Using CNAME at the zone apex incorrectly
- Problem: some DNS providers don't allow a CNAME at example.com (the zone apex).
- Fix: use ALIAS/ANAME (provider feature) or point the apex with A/AAAA where appropriate.
- Missing IPv6 support
- Problem: IPv6 users may get suboptimal paths or failures.
- Fix: publish AAAA records when your stack supports IPv6.
- No DNSSEC where integrity matters
- Problem: answers can be spoofed or cache-poisoned, and validating resolvers have no signatures with which to detect the forgery.
- Fix: sign zones with DNSSEC and maintain key rotation practices.
- Too many chained lookups (CNAME chains)
- Problem: extra round trips increase latency and failure probability.
- Fix: reduce chains; keep aliasing minimal.
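Several of the mistakes above (a CNAME at the apex, long or looping CNAME chains, A records with no AAAA) can be caught by a static check over the zone's records before they are published. The script below is an added example, not Azion's or any provider's tooling: the zone it inspects is constructed, and the finding codes (`apex-cname`, `cname-chain-too-long`, and so on) are names chosen for this script. It also flags a CNAME that shares its name with other record types, which is the standard rule behind the apex restriction (the apex always carries SOA and NS records).

```python
"""Lint a zone's records for common aliasing mistakes.

Added example, not Azion's or any provider's code. The zone below is constructed
(RFC 5737 / RFC 3849 documentation addresses) and the finding codes are names
chosen for this script.
"""
from collections import defaultdict

APEX = "example.com."
RECORDS = [
    ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 3600 900 604800 300"),
    ("example.com.", "NS", "ns1.example.com."),
    ("example.com.", "CNAME", "edge.example.net."),        # mistake: CNAME at the apex
    ("ns1.example.com.", "A", "192.0.2.53"),
    ("ns1.example.com.", "AAAA", "2001:db8::53"),
    ("www.example.com.", "CNAME", "cdn.example.com."),      # www -> cdn -> edge: two hops
    ("cdn.example.com.", "CNAME", "edge.example.net."),
    ("api.example.com.", "A", "192.0.2.10"),                # IPv4 only
    ("loop1.example.com.", "CNAME", "loop2.example.com."),  # mistake: alias loop
    ("loop2.example.com.", "CNAME", "loop1.example.com."),
]


def index_records(records):
    """Group records as name -> type -> [values]."""
    by_name = defaultdict(lambda: defaultdict(list))
    for name, rtype, value in records:
        by_name[name][rtype].append(value)
    return by_name


def lint_zone(apex, records, max_cname_hops=1):
    """Return sorted (code, detail) findings for the zone."""
    by_name = index_records(records)
    findings = []
    if "CNAME" in by_name[apex]:
        findings.append(("apex-cname", apex))
    for name, types in by_name.items():
        if "CNAME" not in types:
            continue
        if len(types) > 1:   # a CNAME may not coexist with other data at the same name
            findings.append(("cname-with-other-data", name))
        chain, cur = [name], name
        while "CNAME" in by_name.get(cur, {}):   # follow aliases inside this zone only
            cur = by_name[cur]["CNAME"][0]
            if cur in chain:
                findings.append(("cname-loop", name))
                break
            chain.append(cur)
        else:
            hops = len(chain) - 1
            if hops > max_cname_hops:
                findings.append(("cname-chain-too-long", f"{name} ({hops} hops)"))
    for name, types in by_name.items():
        if "A" in types and "AAAA" not in types:
            findings.append(("no-aaaa", name))   # informational: publish AAAA if the stack supports IPv6
    return sorted(findings)


if __name__ == "__main__":
    for code, detail in lint_zone(APEX, RECORDS):
        print(f"{code:24} {detail}")
```

Targets outside the zone (such as `edge.example.net.` here) end the chain walk, so a chain that continues in another zone is under-counted; a complete check would resolve those targets as well.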
Security and reliability (what DNS can and can’t protect)
- DNSSEC helps ensure DNS answers haven’t been tampered with by adding cryptographic signatures to DNS records.
- DNS does not encrypt queries by default; privacy typically requires encrypted DNS transports (e.g., DoH/DoT) and proper client/resolver support.
- DNS is a common target for DDoS amplification and cache poisoning, so resilient authoritative infrastructure and security controls matter.
Mini FAQ
“What is DNS in simple terms?”
DNS is the system that translates a website name into the IP address computers use to connect.
“What happens when I type a URL into my browser?”
Your device asks a resolver to find the domain’s IP using cached data or by querying root → TLD → authoritative servers, then connects to that IP.
“Why is my site slow only for first-time visitors?”
Often the first visit includes a DNS lookup (cache miss). Subsequent visits may be faster due to caching until TTL expires.
“How long does DNS propagation take?”
It depends on TTL and resolver caching behavior; changes are not instantaneous and may persist until caches expire.
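The propagation answer above, and the "lower TTL before the change window" fix in the mistakes list, both come down to one mechanism: a resolver serves a cached answer until its TTL elapses and only then asks the authoritative server again. The script below is an added example, not Azion's code, that models that cache and rehearses a migration to measure how many seconds after the cutover some resolver can still hand out the old address. The record name, the two addresses (RFC 5737 ranges) and the timeline are constructed; it assumes resolvers honour the published TTL exactly, which real resolvers may clamp or extend.

```python
"""Resolver cache with TTL expiry, plus a migration rehearsal that measures how long
stale answers survive after a cutover.

Added example, not Azion's code. The name, the old/new addresses (RFC 5737 ranges)
and the timeline are constructed; resolvers are assumed to honour TTLs exactly.
"""
from dataclasses import dataclass

NAME = "www.example.com."
OLD_IP, NEW_IP = "192.0.2.1", "198.51.100.1"


@dataclass
class Authoritative:
    """The record as the zone owner publishes it right now (value and TTL are operator-controlled)."""
    value: str
    ttl: int


class TTLCache:
    """Resolver-style cache: an entry is served until its TTL elapses, then it is a miss."""

    def __init__(self):
        self._entries = {}   # name -> (value, expires_at)

    def get(self, name, now):
        entry = self._entries.get(name)
        if entry is None or now >= entry[1]:
            self._entries.pop(name, None)    # lazy eviction of expired entries
            return None
        return entry[0]

    def put(self, name, value, ttl, now):
        self._entries[name] = (value, now + ttl)

    def expires_at(self, name):
        return self._entries[name][1]


def lookup(cache, auth, name, now):
    """Cache hit if still fresh; otherwise fetch from the authoritative server and
    cache the answer for the TTL published at fetch time."""
    value = cache.get(name, now)
    if value is None:
        value = auth.value
        cache.put(name, value, auth.ttl, now)
    return value


def stale_seconds(first_fetch, old_ttl, new_ttl, lead_time, cutover):
    """Seconds after `cutover` during which one resolver keeps answering OLD_IP.
    The operator lowers the TTL `lead_time` seconds before cutover and changes the
    value at cutover; the resolver re-fetches only when its cached entry expires."""
    auth = Authoritative(OLD_IP, old_ttl)
    cache = TTLCache()
    now, stale_until = first_fetch, cutover
    while True:
        auth.ttl = new_ttl if now >= cutover - lead_time else old_ttl   # operator's TTL change
        auth.value = NEW_IP if now >= cutover else OLD_IP               # operator's cutover
        if lookup(cache, auth, NAME, now) == NEW_IP:
            return stale_until - cutover
        stale_until = cache.expires_at(NAME)   # the old answer is served until this moment
        now = stale_until                      # next cache miss happens exactly then


def worst_case_staleness(old_ttl, new_ttl, lead_time, cutover=100_000):
    """Worst case over resolvers whose last pre-cutover fetch falls in the final
    old_ttl seconds (any earlier fetcher necessarily re-fetches inside that window)."""
    return max(stale_seconds(t, old_ttl, new_ttl, lead_time, cutover)
               for t in range(cutover - old_ttl, cutover))


if __name__ == "__main__":
    for lead in (0, 1800, 3600):
        print(f"TTL 3600 -> 60 lowered {lead:>4}s before cutover: old IP can be served "
              f"up to {worst_case_staleness(3600, 60, lead)}s after cutover")
```

The result is the bound the mistakes list is pointing at: lowering the TTL less than one old TTL before the cutover leaves resolvers that last refreshed before the change still holding the long-lived entry, so the lead time must be at least the old TTL for the new, short TTL to govern the worst case.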
“Does DNSSEC encrypt DNS?”
No. DNSSEC verifies integrity/authenticity of DNS data; encryption requires DoH/DoT.
How this applies in practice
Use DNS configuration as a control plane for:
- Availability: steer traffic away from unhealthy endpoints (with health-aware routing where supported).
- Performance: route users to nearby infrastructure (anycast/geo-aware answers).
- Change management: reduce TTL ahead of migrations and incident response.
- Security posture: deploy DNSSEC for integrity and monitor DNS errors and anomalies.
How to implement on Azion
- Edge-aware DNS routing and resiliency: configure Edge DNS to return optimal endpoints based on service availability and location.
- Observe DNS impact end-to-end: correlate DNS changes with user experience and availability using Edge Pulse (latency, errors, regional breakdown).
Glossary (quick reference)
- Resolver (recursive): server that performs lookups and caches answers for clients.
- Authoritative server: source-of-truth DNS server for a zone.
- Zone: administrative portion of the DNS namespace managed together.
- Anycast: routing technique where multiple servers share the same IP, improving latency and resilience.
- TTL: cache lifetime for a record.