DNS Explained: The Internet's Phone Book (Sort Of)
Every time you type a domain name into your browser, a lookup happens. In under 100 milliseconds, a distributed global system finds the IP address that name corresponds to, hands it to your browser, and lets the connection proceed. You never see it. It works billions of times per day. And it's one of the most manipulated layers of the internet.
How a DNS Query Actually Resolves
Your computer first checks its local cache — if it's looked up this domain recently, the answer is already stored. If not, it asks a recursive resolver, usually operated by your ISP or a third-party service like Google (8.8.8.8) or Cloudflare (1.1.1.1). The recursive resolver does the actual work.
The recursive resolver starts at the root servers — 13 logical root name servers that know who's responsible for each top-level domain (.com, .org, .uk, etc.). From there it queries the authoritative nameserver for the top-level domain, which points it to the domain's own authoritative nameserver, which finally has the actual IP address. This whole chain typically completes in 20 to 120 milliseconds.
TTL: The Caching Problem
Every DNS record has a TTL — Time to Live — measured in seconds. It tells resolvers how long to cache the answer before asking again. A TTL of 3600 means the answer is good for one hour. This is why DNS changes take time to propagate: every resolver that cached the old record has to wait for its TTL to expire before fetching the new one.
Before a major DNS change — like moving your website to a new server — you should lower the TTL days in advance to something like 300 seconds. Then make the change. Then raise the TTL back. Most people don't do this and wonder why half their users still hit the old server for twelve hours.
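To make the TTL arithmetic concrete, here is a small added simulation (not code from the original article): an in-memory stand-in for a domain's authoritative nameserver plus a resolver cache that honours TTL, used to measure how long a resolver that queried one second before a cutover keeps serving the old address, with and without the lower-the-TTL-first step. The domain name and addresses are constructed sample values.

```python
from dataclasses import dataclass

NAME = "www.example.com"                          # constructed sample domain
OLD_IP, NEW_IP = "192.0.2.10", "198.51.100.20"    # documentation-range addresses

@dataclass
class Record:
    value: str   # IPv4 address the name points to
    ttl: int     # seconds a resolver may cache this answer

class Authoritative:
    """Stand-in for the domain's authoritative nameserver (in-memory, not a real server)."""
    def __init__(self):
        self.zone = {NAME: Record(OLD_IP, 3600)}
    def publish(self, name, value, ttl):
        self.zone[name] = Record(value, ttl)
    def answer(self, name):
        return self.zone[name]

class ResolverCache:
    """A recursive resolver's cache: serves an answer until its TTL expires."""
    def __init__(self, upstream):
        self.upstream = upstream
        self.cache = {}   # name -> (record, absolute expiry time in seconds)
    def lookup(self, name, now):
        """Return (address, served_from_cache) for `name` at time `now`."""
        hit = self.cache.get(name)
        if hit and now < hit[1]:
            return hit[0].value, True
        rec = self.upstream.answer(name)    # cache miss or expired: ask upstream
        self.cache[name] = (rec, now + rec.ttl)
        return rec.value, False

def stale_seconds(lower_ttl_first):
    """Seconds after the cutover (t=0) until a resolver that last queried at
    t=-1 starts returning NEW_IP, with or without lowering the TTL a day ahead."""
    auth = Authoritative()
    resolver = ResolverCache(auth)
    if lower_ttl_first:
        auth.publish(NAME, OLD_IP, 300)     # step 1: drop TTL to 300 s a day early
        resolver.lookup(NAME, -86400)       # the old 3600 s record ages out in time
    resolver.lookup(NAME, -1)               # a user resolves just before cutover
    auth.publish(NAME, NEW_IP, 300)         # step 2: point the name at the new server
    t = 0
    while resolver.lookup(NAME, t)[0] != NEW_IP:
        t += 1
    auth.publish(NAME, NEW_IP, 3600)        # step 3: raise the TTL back afterwards
    return t
```

`stale_seconds(False)` gives 3599 seconds of users hitting the old server, `stale_seconds(True)` gives 299; real-world resolvers also differ in how strictly they honour TTLs, so treat these as lower bounds.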
Who Controls DNS and Why That Matters
Your ISP controls the recursive resolver your devices use by default. That means your ISP sees every domain you look up — not the full URL, just the domain, but that's enough to build a detailed picture of your browsing. Governments have ordered ISPs to block domains at the DNS level. Countries with heavy internet censorship do this constantly.
Switching to a privacy-respecting resolver like Cloudflare's 1.1.1.1 or NextDNS helps. DNS-over-HTTPS (DoH) encrypts the query so even your ISP can't see which domains you're looking up. It's increasingly the default in modern browsers, which has upset ISPs and governments in roughly equal measure.
DNS as an Attack Vector
DNS cache poisoning is an attack in which forged records are injected into a resolver's cache, so traffic for a legitimate domain is redirected to an attacker's server. It's how phishing attacks get sophisticated — instead of a lookalike URL, you type the real URL and land on a fake site. DNSSEC was designed to prevent this by cryptographically signing DNS records, so a validating resolver can reject answers that don't verify. It works. Adoption is still too slow.
Test Your DNS for Leaks
Find out which DNS resolver your device is actually using — and whether it's exposing your queries.