DNS Explained: A Complete Guide
The Domain Name System (DNS) is the backbone of the internet, translating human-readable domain names into IP addresses. This guide explains how DNS works and how to configure it for your domains.
What is DNS?
DNS stands for Domain Name System, often called the "phonebook of the internet." When you type example.com into your browser, DNS translates that into an IP address like 93.184.216.34, which is the actual address your computer uses to contact the server.
Without DNS, we'd have to memorize long strings of numbers for every website. DNS makes the internet human-friendly while handling the technical routing behind the scenes.
How DNS Resolution Works
When you request a website, here's what happens:
- Browser Cache: Your browser checks whether it already knows the IP address from a recent visit.
- OS Cache: If not, it asks the operating system's stub resolver, which keeps its own cache.
- Recursive Resolver: Your ISP's resolver (or a public one like 1.1.1.1 or 8.8.8.8) receives the query. If it has a fresh cached answer it replies immediately; otherwise it performs steps 4 to 6 itself on your behalf.
- Root Nameservers: The resolver asks a root server, which refers it to the TLD servers (e.g., for .com).
- TLD Nameservers: These refer it to the authoritative nameservers for the specific domain.
- Authoritative Nameservers: These hold the actual DNS records and return the answer.
- Response: The resolver caches the answer for its TTL and returns it to your OS and browser, which cache it as well; the browser then connects to the IP address.
Most lookups are answered from one of these caches in a few milliseconds; only a cache miss forces the full walk from the root, which usually takes tens to a few hundred milliseconds. Before accepting an answer, a resolver checks that the reply's transaction ID, destination port and question section match the query it sent; without DNSSEC, those checks are all that stand between it and a forged reply.
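As an added worked example (not part of the original guide), the script below builds the query a stub resolver sends in step 3 and parses a constructed response of the kind the recursive resolver returns in step 7, using the real DNS wire format: the 12-byte header, the question section, and an answer whose owner name uses label compression. The transaction ID, the address and the TTL are made-up sample values, and the response is built locally instead of being fetched from the network, so it runs offline.

```python
import struct

def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels: length byte + label, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Query message: header with RD (recursion desired) set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def decode_name(msg: bytes, offset: int):
    """Read a possibly compressed name; returns (name, offset just past it in the message)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # pointer: 2 bytes holding a 14-bit offset
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 64:                              # guard against pointer loops in hostile packets
                raise ValueError("compression pointer loop")
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)

def parse_response(msg: bytes) -> dict:
    """Parse header, question and answer sections (A and CNAME rdata decoded, others left as hex)."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == 1 and rdlen == 4:                  # A record: four address bytes
            data = ".".join(str(b) for b in rdata)
        elif rtype == 5:                               # CNAME: a name, possibly compressed
            data, _ = decode_name(msg, offset)
        else:
            data = rdata.hex()
        offset += rdlen
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": data})
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}

def build_sample_response(txid: int) -> bytes:
    """Constructed sample reply: QR=1 RD=1 RA=1, one question, one A answer with TTL 3600."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    # The answer's owner name is a compression pointer (0xC00C) back to offset 12, the question name
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([93, 184, 216, 34])
    return header + question + answer

def resolve_offline(name: str = "example.com") -> dict:
    """Do what a stub resolver does: send the query, then accept the reply only if it matches."""
    txid = 0x1234
    query = build_query(txid, name)
    reply = parse_response(build_sample_response(txid))       # a UDP round trip in real life
    if reply["id"] != txid or not reply["flags"] & 0x8000:       # ID must match and QR must be set
        raise ValueError("reply does not match our query")
    if reply["questions"] != [(name.rstrip(".") + ".", 1)]:     # question must be echoed back
        raise ValueError("reply answers a different question")
    reply["query_len"] = len(query)
    return reply

if __name__ == "__main__":
    for rr in resolve_offline()["answers"]:
        print(f'{rr["name"]} A {rr["data"]} (TTL {rr["ttl"]}s)')
```

The hop limit in decode_name matters: a compression pointer that points at itself would otherwise spin a naive parser forever, and a pointer that points forward past the name being decoded is a classic source of parser bugs.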
Common DNS Record Types
Understanding DNS record types is essential for managing your domain:
A Record (Address)
Maps a domain or subdomain to an IPv4 address. This is the most fundamental record type.
example.com. A 93.184.216.34
AAAA Record
Same as A record, but for IPv6 addresses.
example.com. AAAA 2606:2800:220:1:248:1893:25c8:1946
CNAME Record (Canonical Name)
Creates an alias from one domain to another. Used for subdomains that should point to the same server as another domain.
www.example.com. CNAME example.com.
A CNAME cannot be placed at the root of a zone (the apex, example.com itself), because a name that has a CNAME may carry no other records and the apex must carry SOA and NS records. Use CNAMEs only on subdomains, and do not add other records (such as MX or TXT) to a name that is already a CNAME. For the root domain, use an A/AAAA record, or ALIAS/ANAME flattening if your DNS provider supports it.
MX Record (Mail Exchange)
Directs email to your mail server. Each record carries a preference value: the lowest value is tried first, equal values share the load, and higher values are fallbacks. The target must be a hostname with an A/AAAA record, not a CNAME.
example.com. MX 10 mail.example.com.
example.com. MX 20 backup.example.com.
TXT Record
Stores arbitrary text. Commonly used for SPF, DKIM, DMARC (email authentication), and domain verification.
example.com. TXT "v=spf1 include:_spf.google.com ~all"
NS Record (Nameserver)
Specifies which DNS servers are authoritative for your domain.
example.com. NS ns1.cloudflare.com.
example.com. NS ns2.cloudflare.com.
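The rules scattered through the record descriptions above (no CNAME at the apex, no other data beside a CNAME, MX and NS targets that must not be aliases, well-formed addresses) are easy to break by hand. The linter below is an added example, not part of the original guide: it parses records in the same name TYPE rdata layout the guide uses, checks them, and reports every violation. The input is the guide's own records plus a few deliberately bad lines; the extra hostnames and addresses in those lines are constructed for the example.

```python
import ipaddress
import shlex

# Constructed sample zone: the records from this guide plus four deliberately bad lines.
SAMPLE_ZONE = """
example.com.        A      93.184.216.34
example.com.        AAAA   2606:2800:220:1:248:1893:25c8:1946
www.example.com.    CNAME  example.com.
example.com.        MX     10 mail.example.com.
example.com.        MX     20 backup.example.com.
example.com.        TXT    "v=spf1 include:_spf.google.com ~all"
example.com.        NS     ns1.cloudflare.com.
example.com.        NS     ns2.cloudflare.com.
mail.example.com.   A      93.184.216.35
example.com.        CNAME  cdn.example.net.     ; bad: CNAME at the zone apex
backup.example.com. CNAME  mail.example.com.    ; bad: MX target is an alias
blog.example.com.   CNAME  www.example.com.
blog.example.com.   A      93.184.216.36        ; bad: other data beside a CNAME
shop.example.com.   A      93.184.216           ; bad: malformed IPv4 address
"""

def parse_zone(text: str):
    """Parse 'name TYPE rdata...' lines; ';' starts a comment, quotes group TXT strings."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)
        if len(fields) < 3:
            raise ValueError(f"malformed record: {line!r}")
        records.append((fields[0].lower(), fields[1].upper(), fields[2:]))
    return records

def lint_zone(text: str, apex: str):
    """Return a list of human-readable problems; an empty list means the zone passed."""
    apex = apex.lower().rstrip(".") + "."
    records = parse_zone(text)
    by_name = {}                                   # owner name -> list of record types at that name
    for name, rtype, _rdata in records:
        by_name.setdefault(name, []).append(rtype)
    issues = []
    for name, types in by_name.items():            # CNAME rules (RFC 1034 section 3.6.2)
        if "CNAME" not in types:
            continue
        if name == apex:
            issues.append(f"{name}: CNAME at the zone apex (the apex carries SOA/NS, so it cannot be an alias)")
        if types.count("CNAME") > 1:
            issues.append(f"{name}: more than one CNAME")
        others = sorted(set(types) - {"CNAME"})
        if others:
            issues.append(f"{name}: CNAME coexists with {', '.join(others)} (no other data is allowed at an alias)")
    for name, rtype, rdata in records:             # per-record checks
        if rtype in ("MX", "NS") and "CNAME" in by_name.get(rdata[-1].lower(), []):
            issues.append(f"{name}: {rtype} target {rdata[-1]} is a CNAME (RFC 2181 section 10.3 forbids this)")
        if rtype == "MX" and (len(rdata) != 2 or not rdata[0].isdigit()):
            issues.append(f"{name}: MX needs '<preference> <host>', got {' '.join(rdata)!r}")
        if rtype in ("A", "AAAA"):
            want = 4 if rtype == "A" else 6
            try:
                if ipaddress.ip_address(rdata[0]).version != want:
                    raise ValueError
            except ValueError:
                issues.append(f"{name}: {rtype} value {rdata[0]!r} is not a valid IPv{want} address")
        if rtype in ("CNAME", "MX", "NS") and not rdata[-1].endswith("."):
            issues.append(f"{name}: {rtype} target {rdata[-1]!r} lacks a trailing dot, so it is relative to the zone origin")
    return issues

if __name__ == "__main__":
    for problem in lint_zone(SAMPLE_ZONE, "example.com"):
        print(problem)
```

Run against the sample it reports five problems: two for the apex CNAME (it is at the apex and it sits beside A, AAAA, MX, NS and TXT data), one for blog.example.com, one for the MX that points at an alias, and one for the truncated IPv4 address. The trailing-dot check catches the most common copy-paste mistake in zone files, where mail.example.com without a dot silently becomes mail.example.com.example.com.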
TTL (Time to Live)
Every DNS record has a TTL value—the number of seconds that record can be cached. Common values:
- 300 seconds (5 min): For records that might change soon (e.g., during migrations).
- 3600 seconds (1 hour): Standard for most records.
- 86400 seconds (24 hours): For stable records that rarely change.
Lower TTLs mean faster propagation of changes but more queries reaching your nameservers. Before a planned change, lower the TTL in advance and raise it again once the change is confirmed, but allow enough lead time: the lowered TTL only reaches a resolver after its existing cached copy (with the old, long TTL) has expired, so lower it at least one old-TTL period before the change.
DNS Propagation
When you update DNS records, the change does not appear everywhere at once. Nothing is pushed to resolvers: each one keeps serving the copy it cached until that copy's TTL expires, and only then does it fetch the new record. This is what is loosely called DNS propagation, and it can take anywhere from minutes to 48 hours depending on the TTLs involved; the 48-hour figure reflects the long TTLs on nameserver delegations at the TLD level, which is why nameserver changes are the slowest kind.
Tools like whatsmydns.net query resolvers in many locations worldwide so you can see which ones have picked up the change.
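To make the TTL arithmetic concrete, here is an added simulation (not from the original guide) of a single caching resolver in front of an authoritative zone. It models the cache exactly as described above: a cached record is served, with its remaining TTL, until it expires, and only then is the authoritative server asked again. The scenario, addresses and timings are constructed; the function returns how long after a cutover this resolver's clients keep receiving the old address.

```python
class CachingResolver:
    """Minimal TTL-honoring cache: answers from cache until expiry, then asks the authority."""

    def __init__(self, authoritative: dict, clock):
        self.authoritative = authoritative   # name -> (value, ttl); the operator edits this
        self.clock = clock                   # callable returning the current time in seconds
        self.cache = {}                      # name -> (value, expires_at)
        self.upstream_queries = 0

    def resolve(self, name: str):
        now = self.clock()
        cached = self.cache.get(name)
        if cached and cached[1] > now:
            return cached[0], int(cached[1] - now)   # downstream caches get the remaining TTL, not the original
        value, ttl = self.authoritative[name]
        self.upstream_queries += 1
        self.cache[name] = (value, now + ttl)
        return value, ttl

def simulate_migration(old_ttl: int, lowered_ttl: int, lower_at: int, cutover_at: int,
                       poll_interval: int = 60) -> int:
    """
    Constructed scenario: a resolver caches example.com at t=0 with old_ttl, and its clients query it
    every poll_interval seconds. At lower_at the operator drops the TTL to lowered_ttl; at cutover_at
    the address changes. Returns how many seconds after cutover_at this resolver still served the old IP.
    """
    now = 0
    zone = {"example.com.": ("93.184.216.34", old_ttl)}
    resolver = CachingResolver(zone, lambda: now)   # the closure reads the current value of 'now'
    resolver.resolve("example.com.")                 # first lookup happens before any change
    while True:
        now += poll_interval
        if now >= lower_at:
            zone["example.com."] = (zone["example.com."][0], lowered_ttl)
        if now >= cutover_at:
            zone["example.com."] = ("203.0.113.10", zone["example.com."][1])
        value, _ = resolver.resolve("example.com.")
        if value == "203.0.113.10":
            return now - cutover_at

if __name__ == "__main__":
    # Lowering the TTL one hour before cutover does not help: the 24-hour copy is already cached.
    print("TTL lowered 1h before cutover:", simulate_migration(86400, 300, 3600, 7200), "s of stale answers")
    # Lowering it more than one old-TTL period ahead means the cache has picked up the 300 s TTL by cutover.
    print("TTL lowered >24h before cutover:", simulate_migration(86400, 300, 3600, 90500), "s of stale answers")
```

With a 24-hour TTL lowered only an hour before the switch, the resolver serves the old address for 79200 seconds (22 hours) after cutover; lowered a full day ahead, the stale window shrinks to at most the new 300-second TTL.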
Common DNS Issues and Fixes
- Website not loading after DNS change: Wait for propagation or try flushing your local DNS cache.
- Email not working: Check MX records and ensure they point to valid mail servers.
- TLS/SSL certificate errors: Ensure your A/AAAA/CNAME records point to the server where the certificate is installed, and that the certificate covers the exact hostname being served (a CNAME to a third-party host only works if that host presents a certificate valid for your name).
- Subdomain not resolving: Verify you've added the correct A or CNAME record for the subdomain.
DNSSEC
DNS was designed without authentication, so a resolver has no way to tell a genuine answer from a forged one, which enables spoofing and cache-poisoning attacks. DNSSEC (DNS Security Extensions) fixes this by signing each record set: the zone publishes its public keys as DNSKEY records and its signatures as RRSIG records, and the parent zone publishes a DS record (a hash of the child's key-signing key) that links the child into a chain of trust reaching the root. A validating resolver checks the signatures along that chain and rejects answers that fail. DNSSEC provides authenticity and integrity only; it does not hide queries (that is what DNS over TLS or HTTPS is for), and it protects only clients whose resolver validates. While not universally adopted, enabling DNSSEC adds an important layer of protection. When you enable it, the DS record at your registrar must match the DNSKEY your zone actually serves; a stale or mistyped DS makes your domain fail to resolve for every validating resolver, so verify the DS before and after every key rollover.
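The link between parent and child described above is a plain hash computation, which makes it easy to check before handing a DS to your registrar. The script below is an added example, not part of the original guide: it computes the RFC 4034 key tag and the SHA-256 DS digest for a DNSKEY, renders the DS line in this guide's name TYPE rdata layout (dig also prints TTL and class columns, which you would drop first), and checks whether a given DS line really covers a given DNSKEY. The 64-byte key is placeholder data standing in for a P-256 public key (algorithm 13), not a real key.

```python
import base64
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 section 6.2): lowercase labels, fully qualified."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (257 = key-signing key, 256 = zone-signing key), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (valid for every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA); type 2 is SHA-256, type 1 is SHA-1 (deprecated)."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(name_to_wire(owner) + rdata).hexdigest().upper()

def dnskey_line(owner: str, flags: int, protocol: int, algorithm: int, public_key: bytes) -> str:
    """Render the DNSKEY record the child zone publishes."""
    return f"{owner} DNSKEY {flags} {protocol} {algorithm} {base64.b64encode(public_key).decode('ascii')}"

def parse_dnskey_line(line: str):
    """Parse a DNSKEY record in 'owner DNSKEY flags protocol algorithm key' form (base64 may be split)."""
    owner, rtype, flags, protocol, algorithm, *key_b64 = line.split()
    if rtype.upper() != "DNSKEY":
        raise ValueError("not a DNSKEY record")
    return owner, int(flags), int(protocol), int(algorithm), base64.b64decode("".join(key_b64))

def ds_record(owner: str, flags: int, protocol: int, algorithm: int, public_key: bytes,
              digest_type: int = 2) -> str:
    """Render the DS record the parent zone must publish for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return f"{owner} DS {key_tag(rdata)} {algorithm} {digest_type} {ds_digest(owner, rdata, digest_type)}"

def ds_matches(ds_line: str, owner: str, flags: int, protocol: int, algorithm: int, public_key: bytes) -> bool:
    """Does the DS published at the parent really cover this DNSKEY? A mismatch breaks validation."""
    fields = ds_line.split()
    if len(fields) != 6 or fields[1].upper() != "DS":
        return False
    tag, alg, dtype, digest = int(fields[2]), int(fields[3]), int(fields[4]), fields[5].upper()
    if dtype not in (1, 2):
        return False
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return tag == key_tag(rdata) and alg == algorithm and digest == ds_digest(owner, rdata, dtype)

# Constructed sample: 64 placeholder bytes standing in for a P-256 public key (algorithm 13); not a real key.
SAMPLE_KEY = bytes(range(64))

if __name__ == "__main__":
    child = dnskey_line("example.com.", 257, 3, 13, SAMPLE_KEY)
    owner, flags, proto, alg, key = parse_dnskey_line(child)
    parent = ds_record(owner, flags, proto, alg, key)
    print(child)
    print(parent)
    print("DS matches DNSKEY:", ds_matches(parent, owner, flags, proto, alg, key))
```

Two details bite in practice and are visible in the code: the owner name goes into the digest in canonical (lowercase) form, so a DS computed for Example.COM and example.com is the same, and the key tag is only a 16-bit hint that can collide, so ds_matches compares the digest as well rather than trusting the tag alone.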