2026
DNS: How Domain Name Resolution Works
Every connection on the internet starts with a name lookup. Here is how DNS resolves a hostname to an IP address, what the record types actually do and why changes take time to take effect.
Type a domain into a browser and something happens before the page starts loading. Your computer asks the network a question. The question is: what is the IP address for this name? DNS answers it.
Most people who work with networks long enough eventually run into a DNS problem. It tends to look like something else at first. A site that loads on one network but not another. A deployment that updated the code but users are still hitting the old server. A certificate that validates in one region but fails somewhere else. In most of these situations, something in the DNS resolution path is the actual cause.
Why DNS exists
Machines route traffic using IP addresses. A server sits at a number like 192.0.2.1. Human memory is not built for remembering hundreds of those numbers, so a translation layer was needed between names that people use and addresses that routers forward to.
The original solution was a single text file called hosts.txt, maintained at Stanford Research Institute and distributed to every machine on the network. When the internet was small this worked. By the early 1980s the network had grown enough that a centrally maintained file was no longer viable. DNS replaced it in 1983 with a distributed hierarchical system. The same design has scaled to handle billions of records without any central bottleneck.
The hierarchy
DNS is not a single database. It is a tree of delegated authority. No single server knows every record. Each level of the tree knows which servers to ask next.
At the top sit the root servers. There are thirteen root server authorities, labelled A through M, each operated independently and distributed globally through anycast. A root server does not hold records for individual domains. It holds the locations of the nameservers responsible for each top-level domain.
Below the root are the TLD nameservers. These handle top-level domains: .com, .net, .org, .io and every country code. They hold delegation records pointing to the authoritative nameservers for individual domains. Below those sit the authoritative nameservers themselves, which hold the actual zone records.
DNS hierarchy
Root servers (13 authorities, globally distributed)
↓ know the TLD nameservers
TLD nameservers (.com, .net, .org …)
↓ know the authoritative nameservers per domain
Authoritative nameservers (example.com)
↓ hold the actual zone records
A records, MX records, TXT records …
How resolution works
When your browser needs to reach docs.example.com, the resolution process moves through several stages. Each stage can short-circuit if the answer is already cached.
Resolution path for docs.example.com
Browser
↓ check local OS cache
Recursive resolver (ISP / 8.8.8.8 / 1.1.1.1)
↓ check resolver cache → if miss, walk the tree
Root server
↓ returns .com TLD nameservers
.com TLD nameserver
↓ returns authoritative NS for example.com
Authoritative nameserver for example.com
↓ returns A record for docs.example.com
Browser receives IP address → connects
The recursive resolver does the actual walking of the tree. The client makes one request. The resolver makes several, caches everything it learns along the way, then returns the final answer. Most queries never reach the root servers because the resolver already has the TLD nameserver addresses cached from a previous lookup.
This type of resolution is called recursive. The resolver takes responsibility for the full chain of lookups on behalf of the client. The alternative, iterative resolution, has the client perform each step itself. In practice, clients delegate to recursive resolvers rather than doing iterative lookups directly.
Record types
A zone file is a collection of records. Each record type serves a specific purpose. Configuring the wrong type in the right place does nothing useful.
Maps a hostname to an IPv4 address. The most common record type. When a resolver asks for a domain, it is usually looking for this.
Maps a hostname to an IPv6 address. Same purpose as an A record but for 128-bit addresses.
Alias from one hostname to another. The resolver follows the chain until it reaches an A record. Cannot be placed at the zone apex.
Points to the mail server that accepts messages for a domain. Includes a priority value so multiple servers can be ranked. Lower numbers are tried first.
Holds arbitrary text data. Used for SPF, DKIM and DMARC records. Also used by external services to verify domain ownership.
Lists the authoritative nameservers for a zone. These are the delegation records that let the rest of the DNS tree know where to send queries.
Start of Authority. Contains zone metadata including the primary nameserver, an admin email address, the zone serial number and refresh intervals. Every zone has exactly one.
Reverse DNS. Maps an IP address back to a hostname. Used in logging, spam filtering and some authentication checks.
Specifies which certificate authorities may issue TLS certificates for the domain. Checked by CAs before issuing a certificate.
TTL and caching
Every DNS record carries a TTL value measured in seconds. It tells resolvers how long they are allowed to cache the answer before they need to ask again.
Common TTL values
300Five minutes. Set this before planned changes to reduce propagation delay.3600One hour. A reasonable default for records that change occasionally.86400Twenty-four hours. Suitable for stable records like NS entries.The practical effect of TTL is that DNS changes do not take effect everywhere at once. Once a resolver has cached a record it will keep serving the old answer until the cached value expires. This is what people mean when they say DNS changes take time to propagate. Nothing is being pushed outward from a central location. Old cached values are expiring at different rates across thousands of resolvers around the world.
If you are about to change an IP address, dropping the TTL to 300 several hours beforehand shortens the window during which old and new answers coexist. Once the change is made, resolvers that query after the TTL expires will pick up the new record. Resolvers that cached the old answer shortly before the TTL drop will hold it for at most five minutes.
Querying DNS with dig
dig is the standard tool for inspecting DNS directly. It sends a query to a nameserver of your choice and shows the full response including TTL values, the answering server and query timing.
Query an A record
$ dig example.com A
; <<>> DiG 9.18.24 <<>> example.com A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31740
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;example.com. IN A
;; ANSWER SECTION:
example.com. 3512 IN A 93.184.216.34
;; Query time: 8 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; MSG SIZE rcvd: 56
The number between the name and IN A in the answer section is the remaining TTL in seconds. Here it shows 3512, meaning this cached answer expires in just under an hour. The server line shows which resolver actually answered the query.
Query a specific nameserver directly
$ dig @8.8.8.8 example.com MX
;; ANSWER SECTION:
example.com. 3600 IN MX 10 mail.example.com.
The @ flag sends the query to a specific resolver. Useful for checking whether a particular server has picked up a recent change while other resolvers still hold the old cached value.
Trace the full resolution chain
$ dig +trace example.com A
# Shows each step: root → TLD → authoritative nameserver
The +trace flag makes dig walk the full resolution chain from the root servers. It shows exactly which servers were contacted at each stage and what they returned. Useful for diagnosing delegation issues where the zone is configured correctly but the parent TLD is still pointing at old nameservers.
Common failure points
DNS failures tend to surface far from where the problem actually lives. Placing the failure somewhere in the resolution chain is usually faster than guessing at the application layer.
NXDOMAIN
The resolver found the authoritative server but the record does not exist. The hostname may be typed incorrectly. The record type may be wrong. The zone may simply not have that entry configured.
Stale cached record
A resolver cached the old answer and the TTL has not expired yet. Changes made to the zone are not visible until the cached record expires. Lowering the TTL before a planned change reduces this window.
Wrong nameservers
The domain registrar is pointing at nameservers that do not have the current zone records. Changes made to a zone file have no effect if queries are being routed to a different server.
Missing MX record
Mail sent to the domain bounces because there is no record telling senders where to deliver it. The sending server looks up the MX record before attempting delivery.
CNAME at zone apex
A CNAME cannot coexist with other records at the root of a zone. Setting a CNAME on the bare domain breaks MX and NS records. Use an A record at the apex and CNAME on subdomains.
DNS as infrastructure
DNS runs underneath almost everything on a network. Every HTTP request, every email delivery, every TLS certificate check starts with a name resolution. When it works, which is nearly all of the time, it is invisible. When it does not, the symptom appears at the application layer where the root cause is harder to spot.
Understanding the resolution path makes diagnosis faster. A query returning NXDOMAIN has a different cause than one that times out. A stale cached record behaves differently from a missing zone entry. Once you can place the failure somewhere in the chain from resolver to root to TLD to authoritative server, the fix is usually straightforward.
The record types are worth knowing beyond just passing familiarity. Getting the wrong type configured in the right place wastes time. Setting a TTL that is too high before a migration extends an outage window that did not need to exist. DNS is the kind of infrastructure that rewards knowing even a small amount about how it actually works.