03
16 min read · 5 briefings

DNS: The Internet's Phonebook

The system that turns names into numbers — and one of the internet's favorite things to attack.

01 The phonebook problem

Computers route to numbers — IP addresses like 93.184.216.34. Humans remember names like example.com. The Domain Name System (DNS) is the massive, distributed directory that translates between the two. It's often called the internet's phonebook, though "phonebook the size of the planet, updated constantly, with no central copy" is closer.

Domain names are read right to left as a hierarchy. In mail.google.com. the trailing dot is the root; com is the top-level domain (TLD); google is the second-level domain; and mail is a subdomain. This hierarchy is exactly what lets DNS be distributed — no single machine holds every name; responsibility is delegated down the tree.

At the top sit the root servers: 13 named identities (A through M) that, thanks to a technique called anycast, are actually served by hundreds of physical instances scattered worldwide. They don't know where google.com is — they just know who runs .com, and point you further down.

02 Recursive vs. authoritative resolvers

Two very different kinds of DNS server do the work, and telling them apart is essential.

An authoritative server holds the real, official records for a zone. The authoritative server for example.com is the source of truth for that domain's addresses. It answers only for zones it's responsible for.

A recursive resolver (like the one your ISP runs, or public ones such as 8.8.8.8 and 1.1.1.1) does the legwork on your behalf. When you ask it for www.example.com, and it hasn't cached the answer, it walks the hierarchy:

  1. Ask a root server → "I don't know, but here's the authoritative server for .com."
  2. Ask the .com TLD server → "Here's the authoritative server for example.com."
  3. Ask example.com's authoritative server → "It's 93.184.216.34."

The resolver hands you the answer and caches it. Your device only ever spoke to the recursive resolver; it did the recursion so you didn't have to.

Insight This is why a query for a fresh, uncached domain can take noticeably longer than a repeat visit — the first lookup may involve three or four round trips across the world.

03 Record types you must know

A DNS zone isn't just names-to-IPs. It's a set of resource records, each a type with a purpose:

TypePurpose
AMaps a name to an IPv4 address
AAAAMaps a name to an IPv6 address
CNAMEAlias — points one name at another canonical name
MXMail exchanger — where email for the domain is delivered (with priority values)
TXTArbitrary text — used for SPF, DKIM, DMARC, and domain-ownership proofs
NSDelegates a zone to its authoritative name servers
SOAStart of authority — administrative metadata and timers for the zone

TXT records quietly run email security: SPF lists who may send mail for your domain, DKIM publishes a signing key, and DMARC tells receivers what to do when SPF/DKIM fail. Misconfigure them and either your legitimate mail lands in spam, or spoofers send mail as you.

Pro tip Use dig (or nslookup) to query specific record types directly — e.g. dig example.com MX. It's the fastest way to see what a domain has actually published.

04 TTL, caching, and DNS over encryption

Every DNS record carries a TTL (time to live) in seconds — how long a resolver may cache it before asking again. A short TTL (say 300s) means changes propagate fast but generates more queries; a long TTL (say 86400s) means efficient caching but slow propagation. This is why you plan a TTL down before migrating a server: lower it hours ahead so the cutover propagates quickly.

Caching happens at every level — your browser, your OS, your recursive resolver — which is what makes DNS fast at planetary scale. It also means a wrong or malicious cached record can stick around until its TTL expires.

Classic DNS is sent in cleartext over UDP port 53: anyone on the path can see (and tamper with) your lookups. Two encryptions fix the privacy problem:

  • DoT — DNS over TLS (port 853): wraps DNS in a dedicated TLS connection.
  • DoH — DNS over HTTPS (port 443): tunnels DNS inside normal HTTPS, making it indistinguishable from web traffic.
Watch out Encryption cuts both ways. DoH hides lookups from eavesdroppers and from network defenders and content filters, which is why some enterprises try to force DNS back through their own resolvers.

05 How DNS gets attacked

Because DNS is trusted, unauthenticated by default, and sits in front of everything, it's a favorite target. The major attack families:

  • Cache poisoning: tricking a recursive resolver into caching a forged record, so users are silently sent to the attacker's server. The 2008 Kaminsky attack showed how weak query randomization made this frighteningly easy, prompting emergency patching across the industry.
  • Domain hijacking: taking control of a domain's registration or its NS records — often via a compromised registrar account — to redirect the entire domain.
  • DNS-based DDoS: two flavors — flooding a DNS provider to knock names offline, and DNS amplification, where spoofed small queries trigger huge responses aimed at a victim.
  • DGA (Domain Generation Algorithms): malware that algorithmically generates thousands of pseudo-random domain names to find its command-and-control server, making takedown a whack-a-mole.

The defensive counterweight is DNSSEC, which cryptographically signs records so resolvers can verify they weren't forged. It defeats poisoning but is unevenly deployed and doesn't provide confidentiality — that's DoT/DoH's job.

Field Glossary

Recursive resolver
A DNS server that does the full lookup on a client's behalf, walking from root to TLD to authoritative server, then caching and returning the answer.
Authoritative server
The DNS server holding the official, source-of-truth records for a specific zone or domain.
TTL
Time to live — the number of seconds a DNS record may be cached before a resolver must ask again. It trades propagation speed against query efficiency.
DoH / DoT
DNS over HTTPS (port 443) and DNS over TLS (port 853) — encrypted transports that protect DNS queries from eavesdropping and tampering.
Cache poisoning
An attack that inserts a forged DNS record into a resolver's cache, silently redirecting users; the 2008 Kaminsky attack was the landmark example.
DGA
Domain Generation Algorithm — malware technique that generates many pseudo-random domain names to reach command-and-control servers and resist takedown.
DNSSEC
A set of extensions that cryptographically sign DNS records so resolvers can verify authenticity, defeating cache poisoning (but not providing privacy).

Knowledge Check

Field Assessment

0 / 3

01 What is the difference between a recursive resolver and an authoritative server?

02 Before migrating a website to a new server, why do admins lower the DNS record's TTL hours in advance?

03 Which DNS record type is used to publish SPF, DKIM, and DMARC email-security policies?

ESC
↑↓ navigate jack in