What is DNS? How Does DNS Work?

DNS is the system that ties the names people type to the IP addresses computers actually route on. Anytime you use the web, you use DNS. But what is DNS for regular people, and how does it help? This article walks through how it works, what can go wrong, and what you can do about it.

What is a DNS?

The Domain Name System (DNS) translates domain names (e.g., www.something.com) into IP addresses. With it, the human-readable hostname in your URL becomes an address a computer can send packets to.

Computers don't route on names. Packets are delivered to numeric addresses such as 203.0.113.10 (IPv4) or 2001:db8::1 (IPv6), so a name is only useful once it has been resolved to one of those. A DNS answer is therefore a location, much as longitude and latitude together pin a point on a map.

How does DNS work?

Once you type in a URL, the DNS process starts. Your computer extracts the hostname from the URL and asks a nameserver for its records.

What is a nameserver? A server that holds information about domain names. A lookup involves four kinds of server:

  • Root
  • TLD
  • Authoritative
  • Recursor (recursive resolver)

Each plays a different part, and a lookup cannot complete if any of them is unreachable.

These servers also serve different DNS zones, the administrative units the namespace is cut into. You'll see more on zones later; first, more on the servers themselves.

What is a DNS server?

DNS servers hold the records that map names to IP addresses (and other data). They are often called the phonebook of the internet.

When you type in a URL (Uniform Resource Locator), your resolver first finds the IP address for its hostname. Only then does your browser connect to the server at that address.

Whether a site is served directly or through a Content Delivery Network (CDN), the lookup is the same. A CDN simply publishes records (typically a CNAME or A record) that point the site's name at its own edge servers, and the resolver still walks the nameservers described below to find them.

What is an authoritative nameserver?

Authoritative nameservers hold the actual records for a zone. Their answer is the final word on where a name points; every other server in the chain is only relaying or caching it.

There are two roles for an authoritative nameserver: primary (traditionally called master) and secondary (slave). The primary holds the editable copy of the zone; secondaries hold read-only copies obtained by zone transfer and keep answering if the primary goes down.

An authoritative server can also tailor answers by region. It does not learn your location from the name you typed; it sees the source address of the resolver that is asking (or, with the EDNS Client Subnet option, part of your own address) and can return the IP of a nearby server. This is how many CDNs steer users to a local point of presence.

What is a recursive DNS server?

A recursive DNS server (a recursor, not "precursor") first checks its own cache for the answer. If anyone using that resolver asked for the same name recently and the record has not expired, it answers immediately. (Your browser and operating system keep small caches of their own, checked before the query ever leaves your machine.)

On a cache miss, the recursor goes and finds the answer: it asks a root server, follows the referral to the TLD server, follows that referral to the authoritative nameserver, and gets the record. It then caches the result so the next client does not trigger the same walk.

The domain owner controls how long a record may be cached through its Time To Live (TTL), a value in seconds attached to every record. Once the TTL expires, the cached copy is discarded and the next query fetches a fresh one; short TTLs make changes propagate faster at the cost of more queries.

What is a TLD nameserver?

A TLD nameserver holds the delegations for every domain registered under one top-level domain. The ".com" servers, for example, hold the largest number of entries.

TLD stands for top-level domain: the rightmost label of a name (the "com" in www.google.com). The second-level domain (SLD) is the label immediately to its left ("google"); "www" is a hostname or subdomain beneath that.

TLD nameservers do not know the final IP address. For a query about www.google.com, the .com server answers with the names (and usually the addresses) of google.com's authoritative nameservers, narrowing the search to exactly the servers that can answer.

What is a root nameserver?

Root nameservers sit at the top of the hierarchy. They hold the list of nameservers for every TLD, so a resolver that knows nothing about a name starts there and is referred down to the right TLD server. Roots do not answer with the final IP address; they point the way.

There are 13 root server identities (a.root-servers.net through m.root-servers.net) operated by 12 organizations. That sounds small, but Anycast turns those 13 addresses into more than a thousand physical server locations.

Anycast is a routing technique (also used by CDNs) in which the same IP address is announced from many locations; the network delivers each packet to the nearest one. A query to a root address is therefore usually answered by a server close to you, and one site going down does not take the address offline.

How do nameservers help with the DNS process?

As a reminder, each kind of nameserver holds a different part of the puzzle. Together they lead a resolver from the root down to the record it wants.

A standard lookup, in the order it actually happens, looks like this:

  1. You type in a URL and hit enter; the stub resolver in your operating system sends the hostname to the recursive resolver configured for your network (usually your ISP's or a public one)
  2. The recursive resolver checks its cache for an unexpired answer and returns it if it has one
  3. On a miss, it asks a root nameserver, which replies with a referral to the nameservers for the TLD (for example .com)
  4. It asks that TLD nameserver, which replies with a referral to the authoritative nameservers for the second-level domain (example.com)
  5. It asks the authoritative nameserver, which returns the actual record (the IP address)
  6. The recursive resolver caches the answer for the record's TTL and sends it back to your computer
  7. Your browser connects to that IP address
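The walk above, as an added example that is not part of the original article: a toy recursive resolver that follows referrals across an in-memory root, TLD and authoritative server and keeps a TTL-bounded cache. All zone data, names and addresses are constructed; the 192.0.2.0/24 and 203.0.113.0/24 documentation ranges stand in for real servers.

```python
"""Toy iterative DNS resolution: root -> TLD -> authoritative, plus a TTL cache.

Added example, not code from the original article. Every zone, name and address
below is constructed for illustration; 192.0.2.0/24 and 203.0.113.0/24 are
documentation ranges and stand in for real root, TLD and authoritative servers.
"""
import time

# Each "server" holds records as name -> {rtype: [(rdata, ttl), ...]}.
ROOT_SERVER = {
    "com.": {"NS": [("a.gtld.example.", 172800)]},
    "a.gtld.example.": {"A": [("192.0.2.1", 172800)]},          # glue for the TLD server
}
TLD_COM_SERVER = {
    "example.com.": {"NS": [("ns1.example.com.", 172800)]},
    "ns1.example.com.": {"A": [("192.0.2.53", 172800)]},        # glue for the authoritative server
}
AUTH_EXAMPLE_COM = {
    "example.com.": {"SOA": [("ns1.example.com. hostmaster.example.com. 2024010101", 3600)]},
    "ns1.example.com.": {"A": [("192.0.2.53", 172800)]},
    "www.example.com.": {"A": [("203.0.113.10", 300)]},
}
SERVERS = {"192.0.2.250": ROOT_SERVER, "192.0.2.1": TLD_COM_SERVER, "192.0.2.53": AUTH_EXAMPLE_COM}


def ask(server_ip, qname, qtype):
    """One question to one server. Answers if it has the record, otherwise returns
    a referral to the closest delegation it knows (an NS record plus its glue)."""
    zone = SERVERS[server_ip]
    rrset = zone.get(qname, {}).get(qtype)
    if rrset:
        return ("answer", rrset)
    labels = qname.split(".")
    for i in range(1, len(labels)):               # walk up: www.example.com. -> example.com. -> com. -> .
        parent = ".".join(labels[i:])
        ns = zone.get(parent, {}).get("NS")
        if ns:
            ns_name = ns[0][0]
            glue = zone.get(ns_name, {}).get("A")
            return ("referral", ns_name, glue[0][0] if glue else None)
    return ("nxdomain",)


class Recursor:
    """Recursive resolver: checks its cache, else iterates from the root following referrals."""

    def __init__(self, root_ip, clock=time.time):
        self.root_ip = root_ip
        self.clock = clock                       # injectable so TTL expiry can be demonstrated
        self.cache = {}                          # (qname, qtype) -> (rrset, expires_at)
        self.queries_sent = 0

    def resolve(self, qname, qtype="A"):
        """Return (rrset, served_from_cache)."""
        key, now = (qname, qtype), self.clock()
        hit = self.cache.get(key)
        if hit and hit[1] > now:
            return hit[0], True
        server = self.root_ip
        for _ in range(10):                      # hop limit: a referral loop must not hang the resolver
            self.queries_sent += 1
            reply = ask(server, qname, qtype)
            if reply[0] == "answer":
                rrset = reply[1]
                self.cache[key] = (rrset, now + min(ttl for _, ttl in rrset))
                return rrset, False
            if reply[0] == "referral":
                _, ns_name, ns_ip = reply
                if ns_ip is None:                # no glue: a real recursor would resolve ns_name first
                    raise LookupError(f"no glue for {ns_name}")
                server = ns_ip
                continue
            raise LookupError(f"NXDOMAIN: {qname}")
        raise LookupError("too many referrals")


if __name__ == "__main__":
    r = Recursor("192.0.2.250")
    print(r.resolve("www.example.com."), "after", r.queries_sent, "queries")   # full walk: 3 queries
    print(r.resolve("www.example.com."), "after", r.queries_sent, "queries")   # cache hit: still 3
```

A real recursor also caches the referrals themselves (the NS records and glue for .com and example.com), so the root and TLD servers are asked only rarely; this toy caches only final answers to keep the walk visible.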

Without caching and this chain of delegations, every lookup would be slow and the root servers would be overwhelmed. Thanks to DNS's design, you rarely notice the lookup at all. This brings us to our next topic: DNS zones.

What is a DNS zone?

A DNS zone is a contiguous part of the DNS namespace managed by one set of nameservers. Zones break the namespace into chunks that can be administered (and served) independently, which is what lets the system scale.

The DNS namespace is a hierarchy of labels: the TLD, the SLD, and any subdomains beneath it.

The root zone is the unnamed top of that hierarchy, written as a trailing dot (www.example.com.). Each dot in a name separates one level from the next; at each level, authority can stay in the same zone or be delegated to a child zone with its own nameservers.

Zones are administered at these levels. The zone types below are the ones Microsoft DNS Server offers (other servers use the same primary, secondary and stub distinction without the Active Directory variant):

  • Primary
  • Secondary
  • Stub
  • Reverse lookup
  • Active directory-integrated

You can find out more about each of these zones below: 

What is a primary zone?

The primary zone is the read-write copy of the zone data: the authoritative source everything else is copied from. This is the "master" role of the authoritative server described earlier.

As the source of truth, every other copy relies on it. A secondary zone serves as its backup.

Changes can only be made on the primary. If the primary server is down, the zone keeps being served from secondaries, but it cannot be edited until the primary is back (or a secondary is promoted).

What is a secondary zone?

The secondary zone is the "slave" nameserver mentioned earlier: a read-only copy of the primary. It follows the primary's changes by zone transfer (AXFR or IXFR), which it requests at the refresh interval set in the zone's SOA record or when the primary sends a NOTIFY.

Because it depends on those transfers, a secondary that cannot reach the primary keeps serving its last copy only until the SOA expire timer runs out. After that it stops answering for the zone rather than serve stale data indefinitely, so a primary that stays down too long does eventually cause errors.

What is the stub zone?

A stub zone holds only enough of another zone to find its nameservers: the SOA record, the NS records, and the glue A/AAAA records for those nameservers. It does not hold the zone's other records. A server with a stub zone uses it to send queries straight to the right authoritative servers instead of walking down from the root.

Because they are so small, stub zones are cheap to keep current: the server periodically refreshes the NS list from the zone's own nameservers, so delegations stay correct without an administrator editing them by hand.

What is the reverse-lookup zone? 

As the name suggests, a reverse-lookup zone is what you use to go backwards: given an IP address, find the name. The zone lives under in-addr.arpa (IPv4) or ip6.arpa (IPv6), with the address written in reverse, and holds PTR records; 203.0.113.10 is looked up as 10.113.0.203.in-addr.arpa.

Browsers never use this zone. You'll find it used on servers instead: mail servers, SSH daemons and log tools do reverse lookups, and a forward-confirmed check (the PTR gives a name, and that name's A/AAAA record points back to the same IP) tells you the two sides of the mapping agree.
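The forward-confirmed check described above, as an added example that is not part of the original article. It builds the in-addr.arpa and ip6.arpa names with the standard library and checks them against constructed reverse and forward zones; PTR_ZONE, FORWARD_ZONE and the addresses are made up, and no network lookup happens.

```python
"""Reverse lookup and forward-confirmed reverse DNS (FCrDNS) against constructed zones.

Added example, not code from the original article. PTR_ZONE and FORWARD_ZONE are
made-up stand-ins for real reverse and forward zones; no network lookups happen.
"""
import ipaddress


def reverse_name(ip):
    """Owner name of the PTR record for an address: octets (IPv4) or nibbles (IPv6)
    reversed, under in-addr.arpa or ip6.arpa. The stdlib computes it for us."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


# Constructed reverse zone: PTR owner name -> hostname.
PTR_ZONE = {
    reverse_name("203.0.113.10"): "mail.example.com.",
    reverse_name("2001:db8::1"): "mail.example.com.",
    reverse_name("203.0.113.99"): "mail.example.com.",   # PTR claims a name the forward zone does not back
}
# Constructed forward zone: hostname -> its A/AAAA addresses.
FORWARD_ZONE = {
    "mail.example.com.": {ipaddress.ip_address("203.0.113.10"), ipaddress.ip_address("2001:db8::1")},
}


def ptr_lookup(ip):
    """The reverse lookup itself: PTR record for the address, or None."""
    return PTR_ZONE.get(reverse_name(ip))


def forward_confirmed(ip):
    """True only if the PTR name's own A/AAAA records include the address we started from.
    Whoever controls a reverse zone can put any name in a PTR; only the owner of the
    forward zone can make that name point back, which is what this check relies on."""
    name = ptr_lookup(ip)
    if name is None:
        return False
    return ipaddress.ip_address(ip) in FORWARD_ZONE.get(name, set())


if __name__ == "__main__":
    for ip in ("203.0.113.10", "2001:db8::1", "203.0.113.99", "203.0.113.7"):
        print(f"{ip:>14} -> {reverse_name(ip)} -> {ptr_lookup(ip)} confirmed={forward_confirmed(ip)}")
```

Comparing ipaddress objects rather than strings is deliberate: "2001:db8::1" and "2001:0db8:0:0:0:0:0:1" are the same address, and a string comparison would wrongly fail the check for one of them.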

What is the active-directory zone?

The Active Directory-integrated zone is an alternative to a standard primary zone for Windows DNS servers that are also domain controllers. The zone data is stored in Active Directory and replicated with it, so every domain controller running DNS holds a writable copy.

That gives multi-master replication: dynamic updates (for example, a domain-joined machine registering its own name) can be accepted on any of those servers and replicate to the rest, whichever server you make the change on. It also lets you require secure dynamic updates, so only the account that created a record can change it.

How zones apply to different DNS queries

A DNS query happens every time you type a site's URL and hit enter. It starts the process described above, but what role do zones play? The answer is zone authority: each zone decides the names below it.

A typical query is answered by forward zones (name to address). The resolver works down the hierarchy, from the TLD, to the second-level domain, to any subdomain, and resolution is complete once the zone authoritative for the full name has answered.

Zones let each part of a name be managed independently. The name www.thing.something.com has these levels:

  • "www.thing" is a host (or subdomain) beneath the SLD
  • "something" is the second-level domain under the ".com" TLD
  • ".com" is the top-level domain

These can be separate zones with separate nameservers, but they need not be: a subdomain is a separate zone only if the parent delegates it with NS records. If something.com keeps thing.something.com in its own zone file, one authoritative server answers for both. Resolution succeeds when the chain of delegations has led to the zone that actually holds the record.

The software on the asking side, which turns a client's question into these queries, is called a resolver.

What are DNS resolvers? 

"DNS resolver" is sometimes used loosely for any DNS server, but strictly it is the component on the asking side: the software that turns "what is the address for this name?" into queries and assembles the answer.

There are three parties in a lookup:

  • Stub resolver: the small library in your operating system or application that sends the question to a recursive resolver and waits for the answer
  • Recursive resolver: the server that does the full walk (root, TLD, authoritative) and caches the results
  • Authoritative server: the server that holds the records and answers the recursive resolver; it is not a resolver, but it is the other end of every resolver's conversation

There are millions of recursive resolvers on the internet, from large public services down to the one in a home router. A resolver speaks to authoritative servers to navigate the hierarchy.

The term "nameserver" does not imply a separate physical machine for each role, but the roles are distinct: stub resolvers live in clients, recursive resolvers are usually run by ISPs or public providers, and authoritative servers are run by the domain owner or their DNS host. Running recursive and authoritative service on one machine is possible but discouraged, because it exposes the zone data through an open query service. Secondary servers are not temporary replacements, either: they answer alongside the primary all the time and simply keep doing so if the primary fails.

"DNS recursor" is another name for a recursive resolver. Both terms describe the server that receives a question from a client and makes whatever queries are needed to answer it.

What are DNS resource records?

A DNS resource record (RR) is the basic unit of DNS data: one line in a zone file, and the thing a nameserver returns in an answer. Each RR has an owner name, a TTL, a class (almost always IN), a type, and type-specific data (RDATA). If your browser reaches the website, the records along the way were correct.

The owner name (sometimes called the host label or hostname) is the name the record belongs to, for example www.something.com. It is the hostname part of a URL, not the whole URL: the scheme, path and query string never reach DNS.

There are numerous resource record types. Below are some of them, with what each actually carries:

Record type                                  Purpose
A (Address record)                           Maps a name to an IPv4 address. Any IPv4 address, public or private, can appear in an A record.
AAAA (IPv6 address record)                   Maps a name to an IPv6 address.
AFSDB (AFS database record)                  Gives the location of the AFS (Andrew File System) cell database server for a domain, so clients outside the cell can find it.
CNAME (Canonical Name record)                Declares the owner name an alias and gives the canonical ("true") name; the resolver then looks up that name instead.
IPSECKEY (IPsec key record)                  Publishes a public key (and optional gateway) for IPsec, so peers can fetch keying material for a host from DNS.
TKEY (Transaction Key)                       Establishes a shared secret between a client and a server; the secret is then used by TSIG (Transaction Signature), which authenticates DNS messages such as dynamic updates and zone transfers.
URI (Uniform Resource Identifier)            Maps a name and service to a URI.
CAA (Certification Authority Authorization)  Lists which certificate authorities may issue certificates for the domain; a CA must check it before issuing.
SOA (Start of Authority)                     Names the zone's primary nameserver and administrator contact, and carries the serial number and the refresh, retry and expire timers that tell secondary nameservers when to transfer the zone and how long to keep serving it without contact.

There are many more record types (MX for mail, NS for delegation, TXT for arbitrary text, PTR for reverse lookups, SRV for service location, and the DNSSEC types). You are unlikely to meet all of them in everyday use.

Like zones and nameservers, each type exists for a particular job. A varied set of record types lets administrators publish exactly the information clients need and lets clients ask for only that.
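The wire format those records travel in, as an added example that is not part of the original article: a query builder and a response parser that handle the length-prefixed labels and the compression pointers of RFC 1035, run over a response constructed here (not a captured packet). The transaction ID, names and addresses are made up.

```python
"""Build a DNS query and parse a DNS response in wire format (RFC 1035 section 4).

Added example, not code from the original article. The response bytes are
constructed here, including the label-compression pointers a real server would
emit; they are not a captured packet.
"""
import struct

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 28: "AAAA", 257: "CAA"}


def encode_name(name):
    """'www.example.com.' -> b'\\x03www\\x07example\\x03com\\x00' (length-prefixed labels)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def build_query(qname, qtype, txid):
    """Header: id, flags (RD=1), qdcount=1, an/ns/ar=0; then one question."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def decode_name(msg, offset):
    """Decode a name at offset, following compression pointers (top two bits 11 + 14-bit offset).
    Returns (name, offset just after the name in the original byte stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier copy of the suffix
            hops += 1
            if hops > 64:                               # malicious messages can loop pointers
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2                        # stream resumes after the 2-byte pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)


def parse_response(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, records = 12, [], []
    for _ in range(qd):
        qname, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((qname, TYPE_NAMES.get(qtype, qtype)))
    for _ in range(an + ns + ar):                       # answer, authority, additional: same record layout
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == 1 and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5, 12):                       # NS, CNAME, PTR carry a (possibly compressed) name
            value, _ = decode_name(msg, offset)
        else:
            value = rdata.hex()
        offset += rdlen
        records.append((name, TYPE_NAMES.get(rtype, rtype), ttl, value))
    return {"id": txid, "rcode": flags & 0xF, "aa": bool(flags & 0x0400),
            "questions": questions, "records": records}


def build_sample_response(txid):
    """Constructed reply to 'www.example.com. A': a CNAME to web.example.com. plus that name's A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 0)              # QR=1 RD=1 RA=1, two answers
    question = encode_name("www.example.com.") + struct.pack("!HH", 1, 1)  # occupies bytes 12..32
    cname_rdata = b"\x03web" + b"\xC0\x10"                                  # "web" + pointer to "example.com." at byte 16
    answer1 = b"\xC0\x0C" + struct.pack("!HHIH", 5, 1, 300, len(cname_rdata)) + cname_rdata  # name -> byte 12; rdata at byte 45
    answer2 = b"\xC0\x2D" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([203, 0, 113, 10])      # name -> byte 45
    return header + question + answer1 + answer2


if __name__ == "__main__":
    print(build_query("www.example.com.", 1, 0x1234).hex())
    print(parse_response(build_sample_response(0x1234)))
```

A resolver using this parser must still compare the reply's id and question section with the query it sent and discard records outside the zone it asked about; the pointer-hop limit matters because a crafted reply can point a name at itself and hang a naive decoder.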

DNS attacks – How hackers take advantage of the system

DNS was designed for convenience and scale, not security: queries and answers are plain, unauthenticated messages, usually over UDP. Abuse of it, from taking services offline to stealing data, is common.

What is a DNS attack? An attack that uses weaknesses in the DNS process to achieve things like:

  • Data theft
  • Leading users to fraudulent websites
  • Taking down servers 
  • Performing Distributed Denial of Service (DDoS) attacks

Below are the different types of DNS attacks:

DNS Flood Attacks

A DNS flood sends a very high rate of DNS queries, usually over the User Datagram Protocol (UDP) with spoofed source addresses, at a server. Each query looks valid on its own, so the server tries to answer all of them until it runs out of capacity or bandwidth and legitimate queries are dropped.

A DNS flood is a form of DDoS attack, often aimed at a specific business. Taking its nameservers offline takes every service under the domain offline with them, so the target loses time and money restoring service.

DNS Tunneling

DNS tunneling is not an attack on DNS itself; it uses DNS as a covert channel. Because almost every network lets DNS queries out, an attacker (or malware already inside) encodes data into the labels of queries for a domain it controls, for example <encoded chunk>.tunnel.attacker.example, and the answers carry data back. The attacker's authoritative server decodes the traffic, giving command-and-control or file exfiltration through a firewall that blocks everything else.

Corporate networks are the usual target, because the data being smuggled out is valuable. Telltale signs are long, high-entropy subdomains, many unique names under one domain, and unusual record types such as TXT or NULL in large volume.
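Those telltale signs turned into detection logic, as an added example that is not part of the original article. It runs over constructed query-log lines (client, name, type): the example.org queries imitate a tunnel, each carrying a fresh 32-character base32 chunk, and the rest imitate ordinary browsing. The thresholds are illustrative starting points, not tuned values.

```python
"""Heuristic DNS-tunneling detector run over constructed query-log lines.

Added example, not code from the original article. The log lines are made up:
the 'example.org' queries imitate a tunnel (every query carries a fresh 32-character
base32 chunk), the others imitate ordinary browsing. Thresholds are illustrative.
"""
import math
from collections import defaultdict

# All 32 base32 symbols once, shuffled; rotating it gives distinct, maximally
# mixed labels that stand in for encoded data chunks.
ALPHABET = "k3qz7mxp2jv4nbcr6wsd5heytfugailo"
NORMAL = [
    "10.0.0.5 www.example.com. A",
    "10.0.0.5 cdn.example.net. AAAA",
    "10.0.0.9 mail.example.com. MX",
    "10.0.0.9 www.example.com. A",
    "10.0.0.11 login.example.net. A",
]
TUNNEL = [f"10.0.0.7 {ALPHABET[i:] + ALPHABET[:i]}.t.example.org. TXT" for i in range(8)]
LOG = "\n".join(NORMAL + TUNNEL)


def shannon_entropy(s):
    """Bits per character; random base32 text approaches 5.0, ordinary words sit around 2-3."""
    if not s:
        return 0.0
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in {c: s.count(c) for c in set(s)}.values())


def registered_domain(qname):
    """Crude: last two labels. A production pipeline would use the Public Suffix List."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def score_domains(log_text):
    """Aggregate per registered domain and flag tunnel-like behaviour:
    long, high-entropy leftmost labels that are almost never repeated."""
    stats = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0, "txt": 0})
    for line in log_text.strip().splitlines():
        _client, qname, qtype = line.split()
        dom = registered_domain(qname)
        sub = qname.rstrip(".")[:-len(dom)].rstrip(".")      # everything left of the registered domain
        first = sub.split(".")[0] if sub else ""
        st = stats[dom]
        st["n"] += 1
        st["subs"].add(sub)
        st["len"] += len(first)
        st["ent"] += shannon_entropy(first)
        st["txt"] += qtype in ("TXT", "NULL")                  # types tunnels favour for large payloads
    report = {}
    for dom, st in stats.items():
        avg_len, avg_ent = st["len"] / st["n"], st["ent"] / st["n"]
        unique_ratio = len(st["subs"]) / st["n"]
        report[dom] = {
            "queries": st["n"],
            "avg_label_len": round(avg_len, 1),
            "avg_entropy": round(avg_ent, 2),
            "unique_ratio": round(unique_ratio, 2),
            "txt_share": round(st["txt"] / st["n"], 2),
            "suspicious": avg_len >= 20 and avg_ent >= 3.5 and unique_ratio >= 0.8,
        }
    return report


if __name__ == "__main__":
    for dom, row in score_domains(LOG).items():
        print(dom, row)
```

In production the same features would be computed per client and per time window, and CDN and anti-virus vendors that legitimately encode data in labels (long, unique, high-entropy names) need allow-listing, or the detector drowns in false positives.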

DNS Amplification

DNS amplification is another DDoS technique based on spoofing. The attacker sends small queries to publicly reachable (open) recursive resolvers with the source address forged to be the victim's. The resolvers dutifully send their much larger responses to the victim, so a modest upstream connection produces a far larger flood at the target.

The attacker's own address never appears at the victim, and the traffic arrives from many legitimate-looking resolvers, which makes it hard to filter and cheap to launch.

You will also see these called DNS reflection/amplification attacks. The name differs; the mechanism, forging the source and bouncing oversized replies off a third party, is the same.

DNS NXDOMAIN Attack

NXDOMAIN attacks are another form of DDoS. They flood a resolver or authoritative server with queries for names that do not exist, typically randomly generated subdomains of the target domain. Because every name is new, no cache can absorb it: each query walks to the authoritative server and fills the resolver's negative cache, and the servers are overwhelmed until they stop answering real queries.

How do you prevent DNS attacks?

If you own a website and need it to stay up, it helps to know how to prevent these attacks. Below, you’ll find out how to avoid the most common situations.

Don't run an open resolver

A recursive resolver should answer only clients on your own network (the allow-recursion setting or its equivalent); otherwise it becomes a reflector for amplification attacks against other people. Authoritative servers should not offer recursion at all, and can apply response rate limiting so that a single source cannot extract a flood of replies. Check your DNS host's control panel or server configuration to confirm both.

Use a reputable registrar and DNS host

A registrar does not stop cache poisoning, but its account is where your domain can be stolen outright: enable registrar lock, two-factor authentication on the account, and DNSSEC signing if the registrar offers it. Unless you have experience running authoritative servers, host the zone with a provider whose Anycast network can absorb a DDoS rather than on a single machine of your own.

Configure your resolver to resist cache poisoning

Cache poisoning means slipping a forged answer into a resolver's cache. Because classic DNS runs over unauthenticated UDP, an attacker who can guess the 16-bit transaction ID of an in-flight query can answer it before the real server does. The server side still listens on port 53; what must vary is the resolver's side. Make sure your resolver randomizes the source port of every outgoing query as well as the transaction ID (every modern resolver does; check that a NAT device in front of it does not rewrite the ports back to a predictable sequence), and turn on DNSSEC validation so that forged records are rejected outright rather than merely made harder to inject.
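Why source-port randomization matters, as an added example that is not part of the original article: a simulation of the blind poisoning race, where an attacker floods forged replies at a resolver while its query is outstanding, with and without a random source port. It models the basic race only (the Kaminsky variant, which avoids waiting for the cache to expire by querying random non-existent subdomains, is defeated by the same randomization); the guess counts and seed are illustrative.

```python
"""Simulating a blind cache-poisoning race with and without source-port randomization.

Added example, not code from the original article. It models the basic race: while a
resolver's query is outstanding, the attacker floods forged replies guessing the
transaction ID (and, if randomized, the source port). Parameters are illustrative.
"""
import random

TXID_SPACE = 1 << 16                  # 16-bit transaction ID
EPHEMERAL_PORTS = (1024, 65535)       # range a randomizing resolver draws its source port from
FIXED_PORT = 53                       # what an old resolver used for every outgoing query


def attempt(rng, randomize_port, guesses):
    """One race. Returns True if any forged reply matches the outstanding query's (txid, port).
    With a fixed port the attacker knows it, so only the txid has to be guessed."""
    txid = rng.randrange(TXID_SPACE)
    port = rng.randint(*EPHEMERAL_PORTS) if randomize_port else FIXED_PORT
    for _ in range(guesses):
        g_txid = rng.randrange(TXID_SPACE)
        g_port = rng.randint(*EPHEMERAL_PORTS) if randomize_port else FIXED_PORT
        if g_txid == txid and g_port == port:
            return True
    return False


def success_rate(randomize_port, guesses=10_000, trials=100, seed=7):
    """Fraction of races the attacker wins (fixed seed, so the result is repeatable)."""
    rng = random.Random(seed)
    return sum(attempt(rng, randomize_port, guesses) for _ in range(trials)) / trials


def analytic_probability(randomize_port, guesses):
    """Chance that `guesses` independent random (txid, port) guesses hit the right pair."""
    ports = EPHEMERAL_PORTS[1] - EPHEMERAL_PORTS[0] + 1 if randomize_port else 1
    return 1 - (1 - 1 / (TXID_SPACE * ports)) ** guesses


if __name__ == "__main__":
    for label, rnd in (("txid only (fixed port)", False), ("txid + random port", True)):
        print(f"{label:24s} simulated={success_rate(rnd):.3f} analytic={analytic_probability(rnd, 10_000):.6f}")
```

Ten thousand forged packets fit comfortably inside one query's round trip on a fast link, and with the port fixed they win the race roughly one time in seven; with the port randomized the same flood has a chance of a few in a million, and an attacker has to repeat it for every cache-expiry window. Note that the attacker here guesses with replacement, which slightly understates the fixed-port case; the real gap is larger.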

Test new site systems for vulnerabilities

Installed a new plugin on your WordPress site or deployed a new server-side application? Test it for vulnerabilities before trusting it. An attacker who gains a foothold through the application can change whatever DNS records or hosting settings it has access to, and compromised sites are a common source of leaked data.

Can site users prevent themselves from running into DNS issues? 

If you aren't the site owner and worry about DNS snooping or leaks, a VPN helps: The Fast VPN sends your DNS queries through its encrypted tunnel to its own resolvers, so the network you are on cannot see or tamper with them.

Even if you own a site, The Fast VPN can protect your lookups when you use other sites. Be clear about what a VPN does not do, though: it does not stop websites from fingerprinting your browser, and it does not protect a domain or hosting account whose password has been phished. Use strong, unique passwords and two-factor authentication there.

Antivirus software and general internet safety habits also help: malware on your machine can change your DNS settings to point at a resolver the attacker controls, which defeats every other protection.

The history of DNS

DNS was created in 1983, when Paul Mockapetris published its original design in RFC 882 and RFC 883. The revised specifications, RFC 1034 and RFC 1035 (1987), are still the base standards, and the Internet Engineering Task Force, formed in 1986, has maintained them since.

The organization that coordinates the DNS root and namespace is ICANN, the Internet Corporation for Assigned Names and Numbers. It provides many free resources if you want more education on the topic.

A lot has changed in the 40 years since its creation, as DNS has gone through numerous upgrades. Below is a shortlist of those upgrades:

Incremental Zone Transfer (IXFR)

IXFR lets a secondary nameserver fetch only the changes made since the zone serial it already holds, rather than the whole zone. That is the difference from AXFR, the original full zone transfer, which resends every record each time. If the primary can no longer reconstruct the changes from the secondary's serial, it falls back to a full AXFR. With many secondaries and large zones, this cuts transfer time and bandwidth considerably.
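The transfer decision described above, and the secondary-zone behaviour from the zones section, as an added example that is not part of the original article. A primary keeps a bounded journal of changes keyed by SOA serial; a secondary reports the serial it holds and receives the deltas (IXFR), a full copy when the journal no longer reaches back far enough (AXFR), or nothing when it is current. Records, serials and the journal limit are constructed.

```python
"""Incremental (IXFR) versus full (AXFR) zone transfer, simulated in memory.

Added example, not code from the original article. The primary keeps a journal of
changes keyed by SOA serial; a secondary sends the serial it holds and gets either
just the changes since then, a full copy if the journal no longer reaches back that
far, or nothing if it is already current. Records and serials are constructed.
"""


class PrimaryZone:
    def __init__(self, serial, records, journal_limit=10):
        self.serial = serial
        self.records = set(records)          # (owner, type, rdata) triples
        self.journal = []                    # (old_serial, new_serial, removed, added)
        self.journal_limit = journal_limit   # real servers also bound their journal files

    def update(self, removed=(), added=()):
        """Apply an edit and bump the serial (real serials use RFC 1982 wraparound arithmetic)."""
        old = self.serial
        self.records -= set(removed)
        self.records |= set(added)
        self.serial += 1
        self.journal.append((old, self.serial, frozenset(removed), frozenset(added)))
        del self.journal[:-self.journal_limit]

    def axfr(self):
        return "AXFR", self.serial, frozenset(self.records)

    def ixfr(self, client_serial):
        """What a secondary holding `client_serial` should receive."""
        if client_serial >= self.serial:
            return "CURRENT", self.serial, ()
        start = next((i for i, e in enumerate(self.journal) if e[0] == client_serial), None)
        if start is None:                    # journal does not cover that serial: fall back to a full copy
            return self.axfr()
        return "IXFR", self.serial, tuple(self.journal[start:])


class SecondaryZone:
    def __init__(self):
        self.serial = None
        self.records = set()

    def refresh(self, primary):
        """Returns (transfer kind, number of records moved)."""
        kind, serial, payload = primary.axfr() if self.serial is None else primary.ixfr(self.serial)
        moved = 0
        if kind == "AXFR":
            self.records, moved = set(payload), len(payload)
        elif kind == "IXFR":
            for _old, _new, removed, added in payload:    # replay the deltas in order
                self.records -= removed
                self.records |= added
                moved += len(removed) + len(added)
        self.serial = serial
        return kind, moved


if __name__ == "__main__":
    primary = PrimaryZone(2024010101, {
        ("example.com.", "SOA", "ns1 hostmaster"),
        ("www.example.com.", "A", "203.0.113.10"),
        ("mail.example.com.", "A", "203.0.113.20"),
    })
    secondary = SecondaryZone()
    print(secondary.refresh(primary))          # ('AXFR', 3)
    primary.update(removed={("www.example.com.", "A", "203.0.113.10")},
                   added={("www.example.com.", "A", "203.0.113.11")})
    print(secondary.refresh(primary))          # ('IXFR', 2)
    print(secondary.refresh(primary))          # ('CURRENT', 0)
```

The security point a practitioner should take from this: whoever can request a transfer gets the entire zone, so authoritative servers must restrict transfers to known secondaries (allow-transfer or equivalent) and authenticate them with TSIG; an open AXFR hands an attacker a complete map of your hosts.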

DNSSec (DNS Security)

The DNS Security Extensions (DNSSEC) make DNS answers verifiable. The zone owner signs each set of records with a private key and publishes the matching public key in the zone as a DNSKEY record; a hash of that key is placed in the parent zone as a DS record, so trust chains down from the root.

The public key is what resolvers use. A validating resolver fetches the RRSIG signature alongside the answer, checks it against the zone's DNSKEY, checks the DNSKEY against the parent's DS record, and so on up to the root key it trusts by configuration.

The private key never leaves the zone operator and is used only to sign. DNSSEC proves that an answer is authentic and unmodified; it does not hide anything. Records are still sent in the clear, and it says nothing about who is asking.

From free to paid domains

Before 1995, domain names were free to register; the cost was covered by the US National Science Foundation. Paid registration arrived in September 1995, when Network Solutions, under its agreement with the NSF, began charging $100 for a two-year registration, partly to fund the growing registry and partly because the business was now worth money.

A few years later (1998), the National Science Foundation and Network Solutions jointly announced the removal of the Internet Intellectual Infrastructure Fund fee, the $30 share of each registration that had been set aside for that fund.

The fee had been challenged in a class-action lawsuit over the price of domain names at the time. These days, paying more than $100 for a domain means the name already has some demand behind it; an ordinary new registration costs only a few dollars a year.

ICANN takes over

ICANN took over on November 25, 1998, when the US Department of Commerce signed a Memorandum of Understanding with the "NewCo" that became ICANN, handing it the coordination of the system as we see it today.

With ICANN's takeover, educational resources have become abundant. The protocol itself has kept evolving (DNSSEC was standardised in 2005, and encrypted transports came later), but the base protocol is still unencrypted: a classic DNS query and its answer travel in plain text, readable and forgeable by anyone on the path, because Paul Mockapetris did not design DNS with security in mind.

How will DNS look in the future?

With 40 years of DNS behind us, its transport is overdue for an upgrade. Retiring DNS itself is not on the table, since every encrypted variant still carries the same queries and records; what changes is the channel. The same Internet Engineering Task Force has standardised two: DNS over TLS (DoT, RFC 7858) and DNS over HTTPS (DoH, RFC 8484), both of which encrypt the conversation between your device and the recursive resolver.

HTTPS means the browser is talking to the server over TLS (Transport Layer Security, the successor to SSL). TLS encrypts and authenticates the connection, so someone in the middle of the path cannot read or alter what is exchanged.

DoH wraps DNS queries in that same HTTPS channel, so they look like ordinary web traffic and the plain-text queries of classic DNS are hidden from the local network. It protects the hop to the resolver only: the resolver still sees your queries, and its own lookups to authoritative servers are still classic DNS.

Firefox, our preferred private internet browser, has already adopted DoH. Mozilla recognizes there is a problem with our current system.

Can you blame the original creators of DNS for being shortsighted? No. At the time, it was expected that DNS would hold perhaps 50 million domains; that was a heavy underestimate, as there are well over 300 million registered names today.

Can regular users use DNS systems?

Yes. Your internet service provider runs a recursive resolver and hands its addresses to your device automatically. If you look in your network settings, you'll see the DNS server addresses it assigned, usually a primary and a backup, and on IPv6 networks an IPv6 address as well.

Your ISP's resolver sees every name you look up, and some providers log or monetise that data. A VPN keeps the queries away from your ISP by sending them through the tunnel to the VPN's own resolver. There are also third-party public resolvers.

Google offers a free public resolver at the IP address 8.8.8.8 (and 2001:4860:4860::8888 for IPv6). But I wouldn't recommend using it, as the most prominent data-collecting company in the world likely has ulterior motives for hosting a free DNS server.

You can also find alternative DNS servers through these websites:

These DNS servers are publicly vetted and known to be pretty safe. If you decide to use a DNS server not on this list, be aware of the risks: a malicious resolver can send you to the wrong server for any name you look up.

Like selecting the right VPN, a good DNS server has an established privacy policy and a good security record. By using a resolver, you are trusting it with every name you look up. So it would be best if you were picky; it is your data.

Wrap Up

DNS servers find the IP addresses for you when you enter domain names. Your ISP runs a DNS resolver that answers those lookups as you connect to specific domains. DNS is a substantial part of the internet as we know it today.

A lookup goes through a recursive resolver, the root and TLD nameservers, and the authoritative server for the zone to connect you to the correct location. Because the base protocol is 40 years old and unencrypted, it needs updating; DoH and DoT address the exposed hop between you and your resolver.

If the privacy of your DNS lookups is a concern, consider The Fast VPN. Routing queries through the VPN tunnel keeps them from your ISP and the local network. Note that the resolver at the far end of the tunnel still has to see the names you look up in order to answer, so choose a VPN whose resolver policy you trust.
