What is the DNS?
The domain name system (DNS) is a crucial internet service that helps users access websites by translating human-readable domain names (like www.nordvpn.com) into machine-readable IP addresses (like 192.0.2.1).

What is the primary purpose of the DNS?
The main purpose of the domain name system is to help users access the websites they want, without having to type long and complex numerical IP addresses.
How does the DNS work?
Although opening a site takes just a few seconds, several things happen behind the scenes. The process of translating a domain name into an IP address is called DNS lookup or DNS resolution.
When you type a website name, your browser asks a DNS resolver (also known as a DNS recursor) to find the IP address for that site. The resolver checks different servers — including root, TLD, and authoritative servers — to find the right IP address. In larger systems, DNS load balancing is used to distribute these requests across multiple servers so no single server is overloaded. Once the address is found, its information is sent back to the browser, and the website loads.
What are the steps involved in a DNS lookup?
Let’s look at the DNS lookup process in more detail.
1. A user types a domain name into a browser’s URL bar.
2. The browser sends a DNS query to a DNS client, asking which IP address the domain name belongs to.
3. A DNS resolver (also known as a recursive server) receives the query and checks various DNS records (or name servers) for the address.
4. If the recursive server doesn’t have the IP data in a DNS cache, it will send more queries to a root name server or a top-level domain (TLD) name server.
5. The final data point is the authoritative name server, which hosts the exact domain-IP details.
6. The authoritative server provides the IP address to the resolver, which saves it to make finding the website quicker next time.
Types of DNS servers
DNS servers play a key role in translating domain names into IP addresses. DNS servers communicate over a DNS port (typically port 53) to send and receive data, helping your browser find the right website.
The four main types of DNS servers are:
Recursive DNS server
A recursive DNS server is in charge of finding the right DNS records when you make a request. It starts by locating the root nameserver, then moves through other servers, like the TLD and authoritative name servers, until it finds the information you need and sends it back to you.
Root server
If a recursive server cannot resolve a query from its cache, it forwards the query to a root server. The root server then responds with a referral to the appropriate TLD name server, chosen by the domain name extension (such as .com, .net, or .org). The 13 root server identities keep this step speedy and reliable.
TLD nameservers
TLD (top-level domain) name servers manage information for all domain names under a given top-level domain, the part after the last dot in a URL (e.g., .com, .org). When the root server refers a query to them, the TLD server directs it to the correct authoritative DNS server for that domain. For example, when looking up "wikipedia.org," the query goes to a .org TLD server, which then sends it to the authoritative server.
Authoritative DNS server
An authoritative DNS server is the final stop in the process of turning a domain name into an IP address. When an authoritative DNS server receives a DNS request, it doesn’t need to communicate with any other servers — it already has the data needed to answer the DNS query. To ensure websites stay online, many authoritative servers use DNS failover, which provides backup IP addresses if an issue occurs during the lookup process. Extra servers are also ready to take over the ones that fail (known as DNS redundancy).
Most common types of DNS queries
A DNS query is the technical term for the request to find an IP address of a website. You may come across three DNS query types:
Recursive query
In this query, the DNS client (like your browser) asks the DNS resolver to find the IP address for a domain. The resolver handles the entire process, querying other DNS servers if needed, and returns the result to the client. A recursive query is sometimes called an iterative DNS query because the client relies on the server to do all the work.
Iterative query
In an iterative query, the DNS client asks the resolver for the IP address, but if the resolver doesn't have the answer, it provides the best answer it has (usually the next DNS server to contact). The client then continues querying other servers until it gets the correct IP address.
Non-recursive query
A non-recursive query is when the DNS server is asked to provide an answer directly from its own cache or records without further querying other servers. It doesn't go through the whole process of looking up the information if it's not already available.
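To make the recursive/non-recursive distinction concrete, here is an added example (not code from the original article) that builds a DNS query in wire format with the RD (recursion desired) bit set or cleared, and parses a reply the way a careful resolver does: it rejects a reply whose transaction ID or question section does not match what was sent, follows name-compression pointers with a loop guard, and reads the TTL that later governs caching. The reply bytes are constructed inline; the name www.example.com and address 192.0.2.1 are documentation values.

```python
import struct

def encode_name(name):
    # 'www.example.com' -> b'\x03www\x07example\x03com\x00': length-prefixed labels, root label last
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def decode_name(msg, off):
    labels, end = [], None
    for _ in range(256):                        # bounded so a pointer loop cannot hang the parser
        n = msg[off]
        if n & 0xC0 == 0xC0:                    # compression pointer: jump, remember where to resume
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    raise ValueError("malformed or looping name")

def build_query(name, txid, recursion_desired=True, qtype=1):
    flags = 0x0100 if recursion_desired else 0   # RD bit: ask the resolver to recurse on our behalf
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_response(msg, expected_txid, expected_name):
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid or not flags & 0x8000:
        raise ValueError("id/QR mismatch: not a reply to our query")
    off = 12
    for _ in range(qd):                         # the question must echo what we asked
        qname, off = decode_name(msg, off)
        if qname.lower() != expected_name.lower():
            raise ValueError("question section does not match our query")
        off += 4                                # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4:           # A record: render the IPv4 address
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"rcode": flags & 0xF, "recursion_available": bool(flags & 0x80), "answers": answers}

# Constructed reply: QR=1, RD=1, RA=1, one A answer (192.0.2.1, TTL 300) that uses a name pointer.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

The ID and question checks are the minimum a resolver applies before trusting a reply; a real resolver also randomises the source port and validates DNSSEC where available.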
Types of DNS records
The main function of DNS records is to provide information about domains and tell DNS servers how to respond to queries. Let’s look at the main types of DNS records.
A record
The A record (address record) is one of the most common DNS records. It links domain names to their corresponding IPv4 addresses (the numerical address used to identify a website on the internet).
AAAA record
Similar to the A record, the AAAA record (IPv6 address record) maps a domain to an IPv6 address. With IPv6 gradually replacing IPv4, this record is becoming more important for websites and services that support the newer IPv6 standard.
MX record
The MX record (mail exchange record) is used to direct email messages to the correct mail server. It specifies the mail servers responsible for receiving emails on behalf of a domain. Each MX record has a priority value, determining the order in which mail servers should be tried if one fails.
CNAME record (canonical name record)
A CNAME record is used to alias one domain name to another (e.g., blog.example.com could be pointed to example.com). It’s often used to create subdomains or point to a third-party service like a content delivery network (CDN) or a hosted platform.
NS record (name server record)
An NS record specifies the authoritative DNS servers for a domain. It tells other DNS servers which server to query for information about a domain, essentially directing traffic to the correct place when looking up a domain.
PTR record
A PTR record (pointer record) maps an IP address to a domain name for reverse DNS lookups, often used for email verification.
SOA record
The SOA record (start of authority record) provides metadata about a domain's DNS zone, the set of records (including its IP addresses) that the domain's name servers hold. To keep DNS data updated, admins use a process called a “DNS zone transfer” to copy updated records between primary and secondary servers.
SRV record
The SRV record (service record) specifies the location of servers for specific services, such as VoIP, messaging, or other protocols, including the server’s port number.
TXT record
The TXT record (text record) stores plain text information about a domain. It is often used for tasks like verifying domain ownership or improving email security with protocols like SPF and DKIM.
SPF record
The SPF record (sender policy framework record) is a type of TXT record used to verify which mail servers are allowed to send emails on behalf of a domain, helping prevent email spoofing.
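As an added example (not from the original article), the following evaluator shows how a receiving mail server uses the SPF TXT record to decide whether a sending IP is authorised. The TXT records are constructed inline in a dictionary standing in for live DNS lookups; only the ip4, ip6, include and all mechanisms are implemented, which is an assumption made to keep the example short.

```python
import ipaddress

# Constructed TXT records standing in for live DNS lookups, so this runs offline.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.25 ip6:2001:db8:10::/48 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, sender_ip, depth=0):
    """Evaluate domain's SPF record for sender_ip and return an RFC 7208 result name.
    Supports ip4, ip6, include and all; a, mx, exists and redirect are not handled here
    (assumption for this example) and yield permerror."""
    if depth > 10:                        # RFC 7208 caps DNS-querying terms at 10 per check
        return "permerror"
    record = TXT_RECORDS.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:       # terms are evaluated left to right, first match wins
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, arg = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif mechanism == "include":      # a 'pass' from the included domain counts as a match
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                      # fell off the end without matching any term
```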
Other types
You may also come across some other, less common DNS record types, such as DNAME, CERT, DHCID, HIP, RP, NSEC, LOC, and HINFO.
What is a DNS cache?
A DNS cache is a temporary database on a computer or DNS server that holds the results of previous DNS queries. DNS caching is the process of saving IP addresses alongside the domain names they belong to. Each cached record carries a DNS TTL (time to live) that determines how long it is kept before it must be fetched again. If the record is already in the browser’s DNS cache, the browser can use it without asking DNS servers for the IP address, so the website loads faster!
Sometimes, it’s useful to clear (or “flush”) your cache, especially if you start seeing errors like “502 bad gateway” or “DNS server not responding.” DNS flushing clears out old or incorrect information and forces your device to ask the DNS server for updated info, which may fix problems like loading the wrong website. If issues persist, you can use the nslookup command to check if the DNS servers are responding correctly and troubleshoot the problem.
It’s worth noting that DNS changes can take time to spread across the internet. This delay, known as DNS propagation, can take anywhere from a few minutes to 48 hours for updates to reach all DNS servers.
Common types of DNS attacks
A DNS attack is an exploit that targets the domain name system and its infrastructure. Here are the main types.
DNS hijacking
DNS hijacking, also called DNS redirection or DNS poisoning, is when DNS queries are resolved incorrectly to redirect users to unsafe sites. Hackers usually carry out DNS hijacking attacks by installing malware on the victim’s computer, taking over routers, or intercepting DNS communication.
DNS reflection attack
A DNS reflection attack, also called a DNS amplification attack, is a type of DDoS attack that uses open DNS servers to flood a target with traffic. Attackers send fake DNS queries with a spoofed IP address, tricking the servers into sending large responses to the victim’s network. This overwhelms the network, causing disruption or denial of service.
DNS spoofing
DNS spoofing is an attack that redirects users to fake or malicious sites by replacing the real IP address with a false one. Hackers use this method to spy on victims, install malware, and steal sensitive data, such as login credentials or banking information. The attack may be difficult to detect because users are unaware of what’s happening in the background while they browse.
DNS rebinding attack
A DNS rebinding attack manipulates domain name resolution to connect a victim's browser to the attacker's server. This allows hackers to exploit browser vulnerabilities and deliver malicious content, potentially infecting devices with malware or viruses. Unlike other attacks, it also hijacks the domain's nameserver for further attacks.
DNS cache poisoning
DNS cache poisoning happens when hackers add fake information to a DNS cache, sending users to harmful websites. This can affect both your device and DNS servers. Once redirected, the fake site can infect your device with malware or ransomware. The attack tricks your device into visiting a bad site, even if you typed the right URL.
DNS tunneling
DNS tunneling is when attackers hide malicious data inside DNS queries to bypass security filters. While DNS tunneling can be used for legitimate purposes, attackers may use it to send requests to their servers, giving them a way to steal your data. It's hard to detect these attacks because DNS traffic is often allowed through firewalls without being closely monitored.
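The paragraph above notes that tunnels hide in traffic firewalls rarely inspect, so the practical defence is to look at the query names themselves. This added example (not from the original article) scores constructed BIND-style query-log lines on subdomain length and character entropy and reports registered domains that accumulate several suspicious queries; the log lines, thresholds and the last-two-labels rule for finding the registered domain are all assumptions made for the example.

```python
import math
import re
from collections import defaultdict

# Constructed sample lines in BIND query-log style; not captured traffic.
SAMPLE_LOG = """\
client 10.0.0.5#51234: query: www.example.com IN A
client 10.0.0.5#51235: query: mail.example.com IN MX
client 10.0.0.7#40001: query: 3f9a1c7e0b5d28467b2e9d0a4f1c6835.c41a8f3b6e29d075e05d7a2c9b4f8136.t.example.net IN TXT
client 10.0.0.7#40002: query: 7b2e9d0a4f1c6835c41a8f3b6e29d075.e05d7a2c9b4f81363f9a1c7e0b5d2846.t.example.net IN TXT
client 10.0.0.7#40003: query: c41a8f3b6e29d075e05d7a2c9b4f8136.3f9a1c7e0b5d28467b2e9d0a4f1c6835.t.example.net IN TXT
client 10.0.0.9#39000: query: static.cdn.example.org IN AAAA
"""
LINE_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\S+)")

def shannon_entropy(s):
    """Bits per character: hostnames built from words sit around 2-3, encoded payloads near 4+."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def split_name(qname):
    """Return (registered domain, joined subdomain labels). Uses a last-two-labels rule;
    assumption for this example, a real deployment would consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), "".join(labels[:-2])

def is_suspicious(subdomain, qtype, min_len=40, min_entropy=3.5):
    """Long, high-entropy subdomains carry outbound data; TXT/NULL answers are the usual
    return channel, so those query types get a lower length bar."""
    if qtype in ("TXT", "NULL"):
        min_len = 30
    return len(subdomain) >= min_len and shannon_entropy(subdomain) >= min_entropy

def find_tunnel_candidates(log_text, min_hits=3):
    """Map each registered domain with at least min_hits suspicious queries to its hit count."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _client, qname, qtype = m.groups()
        domain, subdomain = split_name(qname)
        if is_suspicious(subdomain, qtype):
            hits[domain] += 1
    return {domain: n for domain, n in hits.items() if n >= min_hits}
```

Tune the thresholds against your own resolver logs first; CDNs and some anti-virus products legitimately emit long encoded labels, so the per-domain hit count is what keeps the alert rate manageable.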
DNS security best practices
Securing the systems that convert domain names into IP addresses is essential for protecting your network and sensitive data from cyber threats. Let's take a look at some of the best practices for DNS security.
Use DNSSEC
DNSSEC (or DNS security extensions) enhances the security of the domain name system (DNS) and helps prevent attacks like DNS redirection (when users are rerouted to unsafe websites by changing DNS responses).
Implement a DNS allowlist
A DNS allowlist lets you define which domain names or IP addresses are trusted, blocking unauthorized or malicious DNS traffic and ensuring only safe communication.
Use DNS blocking
DNS blocking helps prevent access to harmful websites by filtering out known malicious domains. It’s an effective way to restrict access to phishing sites and malware hosts.
Enable DNS encryption
Encrypting DNS queries with protocols like DNS over HTTPS or DNS over TLS prevents eavesdropping and ensures privacy by securing DNS traffic between users and resolvers.
Use DNS filtering
DNS filtering allows you to block access to harmful websites by stopping DNS requests from resolving unsafe domain names. It helps protect users from threats like phishing or malware.
Use a DNS-based blackhole list
A DNS-based blackhole list (DNSBL) helps identify and block traffic from malicious IPs, preventing unwanted requests from reaching your server. It's a tool to stop spam and other harmful activities.
Test for DNS leaks
Regularly test your DNS for leaks using tools like a DNS leak test. This ensures that your DNS queries are routed securely and that your privacy is not compromised by unintentional exposure.
Choose a reliable provider
Select a reliable DNS hosting provider with strong security measures, such as DDoS protection and DNSSEC. Doing so will keep your domain safe from attacks and downtime.
Set up a DNS sinkhole
A DNS sinkhole redirects any requests for known bad websites to a "black hole," stopping users from landing on harmful pages and preventing attacks like DNS poisoning.
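Two of the practices above (DNS blocking/filtering and the sinkhole) and the rebinding attack described earlier can be expressed as one resolver-side answer policy. This added example (not from the original article or any particular resolver) sinkholes blocklisted names and strips answers in which an external name resolves to an internal address, the pattern DNS rebinding depends on. The blocklist, the trusted internal zone and the sinkhole address 0.0.0.0 are assumptions for the example.

```python
import ipaddress

# Constructed lists for the example; a real resolver would load these from threat-intel feeds.
BLOCKLIST = {"malware-c2.example", "phish.example"}
TRUSTED_INTERNAL_ZONES = {"corp.example"}   # zone that legitimately answers with private addresses
SINKHOLE_ADDR = "0.0.0.0"                    # assumption: answer blocked names with a non-routable address
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]

def under_zone(qname, zone):
    """Label-aware suffix match, so 'evilcorp.example' is not under 'corp.example'."""
    qname = qname.rstrip(".").lower()
    return qname == zone or qname.endswith("." + zone)

def is_blocked(qname):
    """Blocklisted names and everything beneath them are sinkholed."""
    return any(under_zone(qname, z) for z in BLOCKLIST)

def rebinding_risk(qname, addr):
    """True when an external name resolves to an internal address: the pattern DNS rebinding
    uses to make a victim's browser talk to services inside the LAN."""
    ip = ipaddress.ip_address(addr)
    internal = any(ip in net for net in INTERNAL_NETS)
    return internal and not any(under_zone(qname, z) for z in TRUSTED_INTERNAL_ZONES)

def apply_policy(qname, answers):
    """Return (action, addresses): 'sinkhole' for blocked names, 'answer' with the surviving
    addresses, or 'refuse' when rebinding protection stripped every answer."""
    if is_blocked(qname):
        return "sinkhole", [SINKHOLE_ADDR]
    safe = [a for a in answers if not rebinding_risk(qname, a)]
    if answers and not safe:
        return "refuse", []
    return "answer", safe
```

Log every 'sinkhole' and 'refuse' decision with the client address: those events are the detection signal for an infected host or an attempted rebinding, not just a block.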