What is DNS (Domain Name System)?
DNS translates domain names like google.com into IP addresses that computers use. Learn how DNS resolution works, the hierarchy of root servers, TLD servers, and authoritative servers, plus caching and common DNS providers.
The Domain Name System (DNS) is the infrastructure that translates domain names into IP addresses. Every time you type a URL into your browser, send an email, or open an app that connects to the internet, DNS is the first step. It runs a lookup that converts the name you typed into the numerical address that routers and servers actually use to deliver data.
Without it, the internet would still work, but you would need to type 142.250.80.46 instead of google.com, 157.240.1.35 instead of facebook.com, and maintain a personal notebook of addresses for every site you visit. The system makes the internet usable by humans.
How DNS Resolution Works
Name resolution is the process of converting a domain name into an IP address. When you type example.com into your browser, a sequence of lookups takes place, often completing in under 50 milliseconds.
Your device first checks its local cache. If you visited example.com recently, the IP address is already stored and the lookup ends immediately. If not, the query goes to your configured name server, which is usually provided by your router via DHCP. The router either answers from its own cache or forwards the query to an upstream resolver (typically your ISP’s server or a public resolver like 8.8.8.8).
The resolver is called a recursive resolver because it does the work of tracking down the answer on your behalf. If it does not have the answer cached, it starts a chain of queries through the hierarchy:
- The resolver asks a root name server: “Where can I find information about .com domains?”
- The root server responds with the address of the .com TLD (Top-Level Domain) server.
- The resolver asks the .com TLD server: “Where can I find information about example.com?”
- The TLD server responds with the address of the authoritative name server for example.com.
- The resolver asks the authoritative name server: “What is the IP address of example.com?”
- The authoritative server responds with the answer: 93.184.216.34.
The resolver caches this result and sends it back to your device. Your browser then connects to that IP address to load the page.
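The referral chain above, as an added example that is not part of the original article: a toy iterative resolver in Python walks a constructed hierarchy (root, .com TLD, authoritative) in which each server holds only the records it is responsible for. The server hostnames other than example.com are made up for this example.

```python
# Constructed toy hierarchy: each server holds only the records it is authoritative for,
# so the resolver must follow NS referrals downward. Hostnames other than example.com
# are invented for this illustration, not real infrastructure.
ZONES = {
    "root": {"com.": ("NS", "tld.com-servers.test.")},                      # root: TLD delegations only
    "tld.com-servers.test.": {"example.com.": ("NS", "ns1.example.com.")},  # .com: domain delegations only
    "ns1.example.com.": {"example.com.": ("A", "93.184.216.34")},           # authoritative: the A record
}

def lookup(server, qname):
    """Ask one server about qname; it answers with the longest matching name it holds."""
    zone = ZONES[server]
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return zone[candidate]
    return None

def resolve(qname, trace=None, max_hops=8):
    """Walk root -> TLD -> authoritative, following NS referrals until an A record appears.

    trace, if given, receives one (server, record_type, data) tuple per query so the
    chain of lookups can be inspected. max_hops guards against referral loops.
    """
    if not qname.endswith("."):
        qname += "."
    server = "root"
    for _ in range(max_hops):
        answer = lookup(server, qname)
        rtype, rdata = answer if answer else (None, None)
        if trace is not None:
            trace.append((server, rtype, rdata))
        if rtype == "A":
            return rdata                 # final answer from the authoritative server
        if rtype == "NS":
            server = rdata               # referral: ask the delegated server next
            continue
        raise LookupError(f"{server} has no data for {qname}")
    raise LookupError(f"referral chain for {qname} exceeded {max_hops} hops")

if __name__ == "__main__":
    steps = []
    print(resolve("example.com", steps))   # 93.184.216.34
    for step in steps:
        print(step)                        # root -> TLD -> authoritative
```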
The DNS Hierarchy
The system operates as a distributed, hierarchical database. No single server knows every domain name. Instead, authority is delegated downward through layers, each responsible for a specific portion of the namespace.
Root name servers sit at the top of the hierarchy. There are 13 root server addresses (labelled A through M), operated by organizations including ICANN, Verisign, NASA, and the U.S. Department of Defense. Through anycast routing, these 13 addresses actually represent hundreds of physical servers spread across the globe. Root servers do not know the IP address of any website. They only know which servers are authoritative for each top-level domain (.com, .org, .net, .uk, and so on).
TLD (Top-Level Domain) servers handle queries for specific domain extensions. The .com TLD servers know which authoritative name servers handle every .com domain. The .org servers handle .org domains. Country-code TLDs like .uk, .de, and .jp have their own servers. Verisign operates the .com and .net TLD servers, handling over 100 billion queries daily.
Authoritative name servers hold the actual records for a domain. When you register a domain, you specify authoritative name servers (either your registrar’s or a third-party provider). These servers hold A records (IPv4 addresses), AAAA records (IPv6 addresses), MX records (mail servers), CNAME records (aliases), and other record types. They are the final authority on what IP address a domain resolves to.
This three-layer structure means no single point of failure can bring down the entire system. If one root server is unreachable, twelve others respond. If a TLD server is slow, the resolver retries.
DNS Caching
Caching is what makes name resolution fast enough for daily use. Without caching, every single web request would require multiple round trips through the hierarchy, adding hundreds of milliseconds of latency.
Caching happens at four levels:
Browser cache. Your browser stores recent lookups in memory. Chrome, Firefox, and Safari all maintain internal caches for resolved domains. This is the fastest layer because it avoids any network traffic.
Operating system cache. Your computer’s OS maintains a system-wide cache that serves all applications. On Windows, the DNS Client service handles this. On macOS and Linux, the systemd-resolved service or dnsmasq provides caching.
Router cache. Your home router caches responses for all devices on your network. When one device looks up a domain, the result is available to other devices without sending a new query upstream.
Resolver cache. Your ISP’s recursive resolver (or whatever server you use) caches results from millions of queries across all its users. Popular domains like google.com and facebook.com are almost always cached, so the resolver rarely needs to contact the hierarchy for common lookups.
Every record includes a TTL (Time to Live) value, specified in seconds, that controls how long it can be cached. A TTL of 3600 means the record can be cached for one hour. After that, the cache entry expires and a fresh lookup is required. Domain owners set the TTL based on how often their IP address changes. CDNs often use short TTLs (60 to 300 seconds) to enable rapid failover between servers.
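How a TTL governs a cache entry, as an added example rather than code from the article: a small Python cache with an injectable clock stores records with their TTL, reports the remaining TTL that a caching resolver would pass downstream (the original TTL minus the time already spent), and expires entries when it runs out. The CDN hostname and its address are constructed values.

```python
import time

class FakeClock:
    """Deterministic clock so TTL expiry can be exercised without waiting."""
    def __init__(self, start=0.0):
        self.t = float(start)
    def now(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds

class DnsCache:
    """Positive cache keyed by (name, type); each entry expires after the record's TTL."""
    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so tests can use FakeClock
        self._entries = {}           # (name, rtype) -> (value, expires_at)

    @staticmethod
    def _key(name, rtype):
        return (name.lower().rstrip("."), rtype)   # names are case-insensitive

    def put(self, name, rtype, value, ttl):
        if ttl < 0:
            raise ValueError("TTL must be non-negative")
        self._entries[self._key(name, rtype)] = (value, self._clock() + ttl)

    def remaining_ttl(self, name, rtype):
        """Seconds left before expiry, or None if absent or expired.
        A caching resolver hands this decremented value to clients, not the original TTL."""
        key = self._key(name, rtype)
        hit = self._entries.get(key)
        if hit is None:
            return None
        left = hit[1] - self._clock()
        if left <= 0:
            del self._entries[key]   # expired: the next lookup must go upstream
            return None
        return int(left)

    def get(self, name, rtype):
        """Cached value, or None when a fresh lookup is required."""
        if self.remaining_ttl(name, rtype) is None:
            return None
        return self._entries[self._key(name, rtype)][0]

if __name__ == "__main__":
    clock = FakeClock(1000)
    cache = DnsCache(clock.now)
    cache.put("example.com", "A", "93.184.216.34", 3600)    # one-hour TTL
    cache.put("cdn.example.com", "A", "198.51.100.7", 60)   # CDN-style short TTL (constructed)
    clock.advance(61)
    print(cache.get("example.com", "A"), cache.remaining_ttl("example.com", "A"))  # hit, 3539 left
    print(cache.get("cdn.example.com", "A"))                # None: expired, refetch required
```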
Common DNS Providers
Most home users rely on their ISP’s servers by default because the router receives name resolution settings automatically during the connection setup. However, several public DNS providers offer free alternatives that may be faster, more private, or more secure. The following table compares the most popular public providers.
| Provider | Primary | Secondary | Features |
|---|---|---|---|
| Cloudflare | 1.1.1.1 | 1.0.0.1 | Fastest, privacy-focused |
| Google Public DNS | 8.8.8.8 | 8.8.4.4 | Reliable, global coverage |
| Quad9 | 9.9.9.9 | 149.112.112.112 | Malware blocking |
| OpenDNS | 208.67.222.222 | 208.67.220.220 | Content filtering, Cisco |
Cloudflare commits to purging query logs within 24 hours and also offers 1.1.1.2 for malware blocking and 1.1.1.3 for malware plus adult content filtering. Google Public DNS is the most widely used public name resolution service, logging query data for diagnostics but anonymizing it after 24 to 48 hours. Quad9 is a nonprofit service that uses threat intelligence from over 25 security partners to block phishing, malware, and botnet command servers. OpenDNS lets you create an account and configure which categories of websites to block, making it useful for parental controls and small business content filtering.
To change your provider, you can update the setting in your router’s admin panel (which applies to all devices on the network) or in individual device network settings (which only affects that device). Most routers have a name server field under the WAN or Internet settings section.
DNS Security Concerns
The protocol was designed in the 1980s without encryption. Traditional queries travel over UDP port 53 in plain text, visible to anyone monitoring the network. This creates several security and privacy concerns.
Spoofing (cache poisoning) is an attack where a malicious actor injects fake records into a resolver’s cache. Victims querying the poisoned resolver receive incorrect IP addresses, directing them to phishing sites or malware. DNSSEC (DNS Security Extensions) addresses this by adding cryptographic signatures to records, allowing resolvers to verify their authenticity.
Snooping allows ISPs, network administrators, and attackers on the same network to see every domain you look up. DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt queries, preventing this surveillance. Most modern browsers support DoH, and public resolvers including Cloudflare and Google accept encrypted queries.
Hijacking occurs when attackers or even some ISPs redirect queries to their own servers, either to serve ads, block content, or steal credentials. Using a third-party encrypted provider bypasses this.
For home users, the most practical security step is switching to an encrypted provider. Configuring your router or device to use Cloudflare’s 1.1.1.1 with DoH or DoT enabled protects all your name resolution traffic from interception with minimal setup effort.
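What a plain-text query on UDP port 53 actually exposes, as an added example that is not part of the original article: the Python below builds a standard A query for example.com in DNS wire format and parses it back, extracting the fields that any network monitor (or anyone else on the path) can read directly from the packet, which is the exposure DoH and DoT remove. The transaction ID is a constructed value.

```python
import struct

# Constructed sample: a standard A query for example.com, not a capture from a real network.

def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels (length-prefixed, terminated by a zero byte)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build the plain DNS query packet that travels unencrypted over UDP port 53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD=1; one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

def decode_name(data: bytes, offset: int):
    """Decode labels starting at offset; returns (name, offset just past the name)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:                    # compression pointer (RFC 1035, 4.1.4)
            ptr = ((length & 0x3F) << 8) | data[offset]
            tail, _ = decode_name(data, ptr)
            labels.append(tail)
            return ".".join(labels), offset + 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset

def parse_query(packet: bytes) -> dict:
    """Extract the fields a passive observer can read from an unencrypted query."""
    txid, flags, qdcount, *_ = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return {"txid": txid, "recursion_desired": bool(flags & 0x0100),
            "qname": qname, "qtype": qtype, "qclass": qclass}

if __name__ == "__main__":
    pkt = build_query("example.com")
    print(pkt.hex())        # raw bytes as seen on the wire
    print(parse_query(pkt)) # the looked-up name is readable in clear
```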
Frequently Asked Questions
What happens when DNS goes down?
When DNS fails, your browser cannot resolve domain names to IP addresses. Websites appear unreachable even though the servers themselves are online. You can still reach sites by typing their IP address directly. Switching to a public DNS provider like 8.8.8.8 or 1.1.1.1 often resolves the issue if only your default DNS server is down.
Should I change my DNS server?
Changing your DNS server can improve speed, privacy, and security. ISP-provided DNS servers are sometimes slow or unreliable. Public DNS providers like Cloudflare (1.1.1.1), Google (8.8.8.8), and Quad9 (9.9.9.9) often deliver faster responses and additional features like malware blocking.
Does DNS affect internet speed?
DNS affects how quickly websites start loading but not the download speed itself. A slow DNS server adds delay before the first byte of a webpage arrives. Once the domain is resolved and the connection is established, your download speed depends on your ISP's bandwidth and the server's capacity.
What is a DNS cache?
A DNS cache is a temporary store of recent domain-to-IP lookups. Your browser, operating system, and router all maintain DNS caches. Cached results are served instantly without querying external DNS servers. Cache entries expire based on the TTL (Time to Live) value set by the domain owner.
What is DNS over HTTPS (DoH)?
DNS over HTTPS encrypts DNS queries by sending them through an HTTPS connection instead of plain UDP. This prevents your ISP, network administrator, or attackers from seeing which domains you are looking up. Modern browsers like Chrome and Firefox support DoH natively.