DNS: The Internet's Phonebook
The system that turns names into numbers — and one of the internet's favorite things to attack.
01 The phonebook problem
Computers route to numbers — IP addresses like 93.184.216.34. Humans remember names like example.com. The Domain Name System (DNS) is the massive, distributed directory that translates between the two. It's often called the internet's phonebook, though "phonebook the size of the planet, updated constantly, with no central copy" is closer.
Domain names are read right to left as a hierarchy. In mail.google.com. the trailing dot is the root; com is the top-level domain (TLD); google is the second-level domain; and mail is a subdomain. This hierarchy is exactly what lets DNS be distributed — no single machine holds every name; responsibility is delegated down the tree.
At the top sit the root servers: 13 named identities (A through M) that, thanks to a technique called anycast, are actually served by hundreds of physical instances scattered worldwide. They don't know where google.com is — they just know who runs .com, and point you further down.
02 Recursive vs. authoritative resolvers
Two very different kinds of DNS server do the work, and telling them apart is essential.
An authoritative server holds the real, official records for a zone. The authoritative server for example.com is the source of truth for that domain's addresses. It answers only for zones it's responsible for.
A recursive resolver (like the one your ISP runs, or public ones such as 8.8.8.8 and 1.1.1.1) does the legwork on your behalf. When you ask it for www.example.com, and it hasn't cached the answer, it walks the hierarchy:
- Ask a root server → "I don't know, but here's the authoritative server for
.com." - Ask the .com TLD server → "Here's the authoritative server for
example.com." - Ask
example.com's authoritative server → "It's93.184.216.34."
The resolver hands you the answer and caches it. Your device only ever spoke to the recursive resolver; it did the recursion so you didn't have to.
03 Record types you must know
A DNS zone isn't just names-to-IPs. It's a set of resource records, each a type with a purpose:
| Type | Purpose |
|---|---|
A | Maps a name to an IPv4 address |
AAAA | Maps a name to an IPv6 address |
CNAME | Alias — points one name at another canonical name |
MX | Mail exchanger — where email for the domain is delivered (with priority values) |
TXT | Arbitrary text — used for SPF, DKIM, DMARC, and domain-ownership proofs |
NS | Delegates a zone to its authoritative name servers |
SOA | Start of authority — administrative metadata and timers for the zone |
TXT records quietly run email security: SPF lists who may send mail for your domain, DKIM publishes a signing key, and DMARC tells receivers what to do when SPF/DKIM fail. Misconfigure them and either your legitimate mail lands in spam, or spoofers send mail as you.
dig (or nslookup) to query specific record types directly — e.g. dig example.com MX. It's the fastest way to see what a domain has actually published.04 TTL, caching, and DNS over encryption
Every DNS record carries a TTL (time to live) in seconds — how long a resolver may cache it before asking again. A short TTL (say 300s) means changes propagate fast but generates more queries; a long TTL (say 86400s) means efficient caching but slow propagation. This is why you plan a TTL down before migrating a server: lower it hours ahead so the cutover propagates quickly.
Caching happens at every level — your browser, your OS, your recursive resolver — which is what makes DNS fast at planetary scale. It also means a wrong or malicious cached record can stick around until its TTL expires.
Classic DNS is sent in cleartext over UDP port 53: anyone on the path can see (and tamper with) your lookups. Two encryptions fix the privacy problem:
- DoT — DNS over TLS (port 853): wraps DNS in a dedicated TLS connection.
- DoH — DNS over HTTPS (port 443): tunnels DNS inside normal HTTPS, making it indistinguishable from web traffic.
05 How DNS gets attacked
Because DNS is trusted, unauthenticated by default, and sits in front of everything, it's a favorite target. The major attack families:
- Cache poisoning: tricking a recursive resolver into caching a forged record, so users are silently sent to the attacker's server. The 2008 Kaminsky attack showed how weak query randomization made this frighteningly easy, prompting emergency patching across the industry.
- Domain hijacking: taking control of a domain's registration or its NS records — often via a compromised registrar account — to redirect the entire domain.
- DNS-based DDoS: two flavors — flooding a DNS provider to knock names offline, and DNS amplification, where spoofed small queries trigger huge responses aimed at a victim.
- DGA (Domain Generation Algorithms): malware that algorithmically generates thousands of pseudo-random domain names to find its command-and-control server, making takedown a whack-a-mole.
The defensive counterweight is DNSSEC, which cryptographically signs records so resolvers can verify they weren't forged. It defeats poisoning but is unevenly deployed and doesn't provide confidentiality — that's DoT/DoH's job.
⌘ Field Glossary
- Recursive resolver
- A DNS server that does the full lookup on a client's behalf, walking from root to TLD to authoritative server, then caching and returning the answer.
- Authoritative server
- The DNS server holding the official, source-of-truth records for a specific zone or domain.
- TTL
- Time to live — the number of seconds a DNS record may be cached before a resolver must ask again. It trades propagation speed against query efficiency.
- DoH / DoT
- DNS over HTTPS (port 443) and DNS over TLS (port 853) — encrypted transports that protect DNS queries from eavesdropping and tampering.
- Cache poisoning
- An attack that inserts a forged DNS record into a resolver's cache, silently redirecting users; the 2008 Kaminsky attack was the landmark example.
- DGA
- Domain Generation Algorithm — malware technique that generates many pseudo-random domain names to reach command-and-control servers and resist takedown.
- DNSSEC
- A set of extensions that cryptographically sign DNS records so resolvers can verify authenticity, defeating cache poisoning (but not providing privacy).
Knowledge Check
Field Assessment
01 What is the difference between a recursive resolver and an authoritative server?
02 Before migrating a website to a new server, why do admins lower the DNS record's TTL hours in advance?
03 Which DNS record type is used to publish SPF, DKIM, and DMARC email-security policies?