DNS Explained — Hierarchy, Resolution Process, Record Types & DNSSEC
The Domain Name System (DNS) translates human-readable domain names like example.com into machine-readable IP addresses — often called the “phone book of the internet.”
What You’ll Learn
In this tutorial, you’ll learn the DNS hierarchy (root servers, TLD servers, authoritative servers), how DNS resolution works step by step, record types (A, AAAA, CNAME, MX, TXT), caching, and DNSSEC security extensions.
Why It Matters
Every time you visit a website, DNS resolution happens in milliseconds — often without you noticing. When DNS breaks, the entire internet feels broken. Understanding DNS helps you diagnose connectivity issues, improve performance, and secure your domains.
Real-World Use
When you type google.com in Doda Browser, the browser first checks its own cache, then queries your ISP’s recursive resolver, which walks the DNS hierarchy to find the IP address. The whole process takes 20-100 ms. Without DNS, you’d need to remember 142.250.80.14 instead of google.com.
```mermaid
sequenceDiagram
    participant Client
    participant Recursive as Recursive Resolver
    participant Root as Root Server
    participant TLD as .com TLD
    participant Auth as Authoritative
    Client->>Recursive: www.example.com?
    Recursive->>Root: Where is .com?
    Root-->>Recursive: .com TLD servers
    Recursive->>TLD: Where is example.com?
    TLD-->>Recursive: ns1.example.com
    Recursive->>Auth: www.example.com?
    Auth-->>Recursive: 93.184.216.34
    Recursive-->>Client: 93.184.216.34
    Client->>Auth: HTTP GET /
    Auth-->>Client: 200 OK
```
DNS Hierarchy
DNS is organized as a tree:
```text
Root (.)
├── .com TLD
│   ├── example.com
│   │   ├── www → 93.184.216.34
│   │   └── mail → MX mail.example.com
│   └── google.com
│       └── www → 142.250.80.14
├── .org TLD
├── .net TLD
└── Country TLDs (.uk, .de, .jp, .in)
```

| Level | Examples | Responsibility |
|---|---|---|
| Root Servers | a.root-servers.net (198.41.0.4) | Knows where all TLD servers are (13 logical roots) |
| TLD Servers | .com, .org, .net, .gov | Knows authoritative servers for each domain |
| Authoritative | ns1.example.com | Knows the actual DNS records for a specific domain |
| Recursive Resolver | ISP’s DNS, or a public resolver such as Google’s 8.8.8.8 | Caches results and resolves on behalf of clients |
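The sequence diagram and table above describe resolution at the level of "who asks whom". The following added example (written for this tutorial, not code from the original page or from DodaTech) shows what one of those exchanges looks like on the wire: it builds the query packet a stub resolver sends, then parses a reply using only the standard library. The reply is constructed in the block itself so that it runs offline; the address 93.184.216.34 and the name www.example.com are taken from the page. Two details matter for security: the 16-bit transaction ID is generated randomly (a forged reply must match it), and name-compression pointers are followed with a hop limit so a malformed packet cannot loop the parser.

```python
import secrets
import struct

A, CNAME = 1, 5   # RR type codes used below
IN = 1            # class code


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as length-prefixed labels ending in the empty root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = A) -> tuple[int, bytes]:
    """Build the packet a stub resolver sends (RD=1, one question); returns (id, packet)."""
    txid = secrets.randbits(16)  # unpredictable ID: a forged reply has to guess it
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return txid, header + encode_name(name) + struct.pack("!HH", qtype, IN)


def read_name(pkt: bytes, off: int) -> tuple[str, int]:
    """Decode a name at `off`, following RFC 1035 compression pointers; returns (name, end)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                      # 11xxxxxx: pointer to an earlier name
            pointer = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                           # the pointer ends this field
            jumped, off, hops = True, pointer, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels) + ".", end
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length


def parse_response(pkt: bytes, expected_id: int) -> dict:
    """Parse the header, skip the question section, and decode the answer RRs."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if txid != expected_id:
        raise ValueError("transaction ID mismatch: reply does not belong to our query")
    off = 12
    for _ in range(qd):                                 # question: name + qtype + qclass
        _, off = read_name(pkt, off)
        off += 4
    answers = []
    for _ in range(an):
        owner, off = read_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        if rtype == A and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        elif rtype == CNAME:
            value, _ = read_name(pkt, off)              # target may itself be compressed
        else:
            value = rdata.hex()
        off += rdlen
        answers.append({"name": owner, "type": rtype, "ttl": ttl, "data": value})
    return {"id": txid, "rcode": flags & 0x000F, "answers": answers}


def build_answer(txid: int, name: str, ip: str, ttl: int) -> bytes:
    """Construct the reply an authoritative server would send for an A query (test fixture;
    the answer's owner name is a compression pointer to the question name at offset 12)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1, NOERROR
    question = encode_name(name) + struct.pack("!HH", A, IN)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", A, IN, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + rr


if __name__ == "__main__":
    txid, query = build_query("www.example.com")
    reply = build_answer(txid, "www.example.com", "93.184.216.34", 3600)  # constructed, no network
    print(parse_response(reply, txid))
```

To send the query for real, write `query` to a UDP socket on port 53 of a resolver and pass the datagram you receive to `parse_response` with the same `txid`; the ID check is the first thing a resolver does before trusting a reply.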
DNS Record Types
| Type | Name | Purpose | Example |
|---|---|---|---|
| A | Address | Maps domain to IPv4 address | example.com → 93.184.216.34 |
| AAAA | Quad A | Maps domain to IPv6 address | example.com → 2606:2800:220:1:248:1893:25c8:1946 |
| CNAME | Canonical Name | Points domain to another domain (alias) | www.example.com → example.com |
| MX | Mail Exchange | Specifies mail servers for a domain | example.com → mail.example.com (priority 10) |
| TXT | Text | Arbitrary text (SPF, DKIM, verification) | "v=spf1 include:_spf.google.com ~all" |
| NS | Name Server | Delegates a zone to authoritative servers | example.com → ns1.example.com |
| SOA | Start of Authority | Zone metadata (serial, refresh, retry) | Primary DNS server info |
DNS Resolution Process
```python
import dns.exception
import dns.resolver  # pip install dnspython


def resolve_domain(domain, record_type="A"):
    """Resolve a domain name to its DNS records; returns the answer set, or None on failure."""
    try:
        answers = dns.resolver.resolve(domain, record_type)
        print(f"{domain} ({record_type}):")
        for rdata in answers:
            print(f"  {rdata}")
        return answers
    except dns.resolver.NoAnswer:
        # The name exists but has no records of this type
        print(f"No {record_type} records for {domain}")
    except dns.resolver.NXDOMAIN:
        # The authoritative server reports that the name does not exist
        print(f"Domain {domain} does not exist")
    except dns.exception.DNSException as e:
        # Timeouts, unreachable name servers and other resolver failures
        print(f"Error: {e}")
    return None


# Resolve different record types
resolve_domain("google.com", "A")
resolve_domain("google.com", "AAAA")
resolve_domain("google.com", "MX")
resolve_domain("google.com", "NS")
```

Expected output:
```text
google.com (A):
  142.250.80.14
google.com (AAAA):
  2607:f8b0:4004:c1b::8a
google.com (MX):
  10 smtp.google.com.
google.com (NS):
  ns1.google.com.
  ns2.google.com.
  ns3.google.com.
  ns4.google.com.
```

DNS Caching
DNS results are cached at multiple levels to improve performance:
| Cache Location | TTL Respect | Purpose |
|---|---|---|
| Browser cache | Yes | Instant repeat visits |
| OS cache (stub resolver) | Yes | System-wide caching |
| Recursive resolver | Yes | ISP/CDN caching |
| Application-level | Custom | Application-specific |
The TTL (Time To Live) in each DNS record controls how long it can be cached. Common TTLs:
- Standard records: 300-3600 seconds (5-60 minutes)
- Low TTL (for changes): 60-300 seconds
- High TTL (stable records): 86400 seconds (24 hours)
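The caching table and TTL guidance above, and the "lower the TTL before a migration" advice under Common Mistakes, are easiest to see with a resolver you can fast-forward. The following added example (not code from the original page or from DodaTech) implements a small TTL-respecting cache, a caching resolver in front of a stand-in authoritative zone, and a `simulate_migration` helper that changes an A record after a client has already cached it. The clock is injected so the test needs no sleeping; 93.184.216.34 is the address used on the page and 203.0.113.10 is a constructed TEST-NET-3 address standing in for the new server.

```python
class FakeClock:
    """Injectable clock so cache expiry can be exercised without sleeping."""
    def __init__(self, start: int = 0):
        self.now = start

    def __call__(self) -> int:
        return self.now

    def advance(self, seconds: int) -> None:
        self.now += seconds


class DnsCache:
    """TTL-respecting cache of the kind a stub or recursive resolver keeps.
    Entries are keyed by (owner name, record type); the stored TTL is capped as real
    resolvers do, and a hit returns the remaining TTL that would be handed downstream."""
    def __init__(self, clock, max_ttl: int = 86400):
        self._clock = clock
        self._entries = {}
        self.max_ttl = max_ttl

    @staticmethod
    def _key(name: str, rtype: str):
        return (name.lower().rstrip("."), rtype.upper())

    def put(self, name: str, rtype: str, rdata, ttl: int) -> None:
        ttl = min(ttl, self.max_ttl)
        self._entries[self._key(name, rtype)] = (self._clock() + ttl, list(rdata))

    def get(self, name: str, rtype: str):
        key = self._key(name, rtype)
        entry = self._entries.get(key)
        if entry is None:
            return None
        expires_at, rdata = entry
        remaining = expires_at - self._clock()
        if remaining <= 0:
            del self._entries[key]        # expired: the next lookup goes upstream again
            return None
        return rdata, remaining


class CachingResolver:
    """Answers from cache when possible; otherwise asks `upstream` and caches the result."""
    def __init__(self, upstream, clock):
        self.upstream = upstream          # callable (name, rtype) -> (rdata list, ttl)
        self.cache = DnsCache(clock)
        self.upstream_queries = 0         # how often we had to leave the cache

    def resolve(self, name: str, rtype: str = "A"):
        hit = self.cache.get(name, rtype)
        if hit is not None:
            return hit[0]
        rdata, ttl = self.upstream(name, rtype)
        self.upstream_queries += 1
        self.cache.put(name, rtype, rdata, ttl)
        return rdata


def simulate_migration(record_ttl: int, seconds_after_change: int) -> str:
    """A client resolves example.com at t=0, the operator then changes the A record, and the
    client asks again `seconds_after_change` later. Returns the address the client sees."""
    clock = FakeClock()
    zone = {("example.com", "A"): (["93.184.216.34"], record_ttl)}   # stand-in authoritative data

    def upstream(name, rtype):
        return zone[(name.rstrip("."), rtype)]

    resolver = CachingResolver(upstream, clock)
    resolver.resolve("example.com")                                   # primes the cache at t=0
    zone[("example.com", "A")] = (["203.0.113.10"], record_ttl)       # the migration (constructed address)
    clock.advance(seconds_after_change)
    return resolver.resolve("example.com")[0]


if __name__ == "__main__":
    for ttl in (3600, 60):
        print(f"TTL {ttl}: five minutes after the change clients see {simulate_migration(ttl, 300)}")
```

With the record at 3600 seconds the old address is still served five minutes after the change; lowering the TTL to 60 seconds well before the migration (so that the old, long TTL has expired everywhere) is what makes the cut-over fast.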
DNSSEC
DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records, ensuring:
- Authenticity: The response actually came from the authoritative server
- Integrity: The response wasn’t modified in transit
- No spoofing: Prevents DNS cache poisoning attacks
DNSSEC adds these record types:
- RRSIG: Digital signature for a record set
- DNSKEY: Public key used for verification
- DS: Delegation Signer — links parent zone to child zone
- NSEC/NSEC3: Proof that a record doesn’t exist
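The DS record is the link that makes the DNSSEC chain of trust work: the parent zone publishes a digest of the child's key-signing DNSKEY, and a validating resolver refuses to trust the child's keys unless that digest matches. The following added example (written for this tutorial, not code from the original page or from DodaTech) computes the DNSKEY key tag and DS digest exactly as RFC 4034 defines them and walks a root → .com → example.com chain with constructed placeholder keys (not real DNSSEC key material). It covers only the DS-to-DNSKEY linkage; a real validator additionally verifies the RRSIG signatures over each DNSKEY and DS RRset, which needs a public-key library and is left out here.

```python
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}   # DS digest types


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 §6.2): lowercase labels, root label last."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:                                   # the root zone "." has no labels
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA (RFC 4034 §2.1): flags(2) | protocol(1, always 3) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B): 16-bit checksum over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest (RFC 4034 §5.1.4) = hash(owner name in wire form || DNSKEY RDATA)."""
    return DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest()


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """The DS record a parent zone publishes for a child's key-signing key."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}


def ds_matches_dnskey(owner: str, ds: dict, rdata: bytes) -> bool:
    """The check a validating resolver makes at every delegation point."""
    return (ds["key_tag"] == key_tag(rdata)
            and ds["algorithm"] == rdata[3]
            and ds["digest"] == ds_digest(owner, rdata, ds["digest_type"]))


def validate_chain(delegations: list):
    """Walk root -> TLD -> domain. Each entry is (zone, ds_from_parent, dnskey_rdata_served);
    for the root zone the "DS from parent" is the resolver's configured trust anchor.
    Returns the first zone whose key does not match, or None if every link checks out."""
    for zone, ds_from_parent, rdata in delegations:
        if not ds_matches_dnskey(zone, ds_from_parent, rdata):
            return zone
    return None


def demo_chain(mismatch_at_com: bool = False):
    """Constructed three-level chain. Flags 257 = key-signing key, algorithm 13 = ECDSAP256SHA256;
    the 64-byte keys are placeholders, not real keys."""
    keys = {
        ".": dnskey_rdata(257, 13, bytes(range(1, 65))),
        "com.": dnskey_rdata(257, 13, bytes(range(65, 129))),
        "example.com.": dnskey_rdata(257, 13, bytes(range(129, 193))),
    }
    trust_anchor = make_ds(".", keys["."])                       # shipped with the resolver
    ds_in_root = make_ds("com.", keys["com."])                   # DS RR published in the root zone
    ds_in_com = make_ds("example.com.", keys["example.com."])    # DS RR published in .com
    served = dict(keys)
    if mismatch_at_com:
        # A DNSKEY that does not match the published DS: a forged reply, or a key
        # rollover where the parent's DS was never updated. Either way validation fails.
        served["com."] = dnskey_rdata(257, 13, b"\xff" * 64)
    return validate_chain([(".", trust_anchor, served["."]),
                           ("com.", ds_in_root, served["com."]),
                           ("example.com.", ds_in_com, served["example.com."])])


if __name__ == "__main__":
    print("intact chain breaks at:", demo_chain())
    print("mismatched .com key breaks at:", demo_chain(mismatch_at_com=True))
```

Because a break at .com means nothing below it can be validated either, a resolver configured to validate returns SERVFAIL for example.com in that case rather than handing the client unverified data.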
Common Mistakes
- Setting TTL too high before a migration: Before changing DNS records, lower the TTL to 60-300 seconds. Otherwise, cached records persist for hours.
- Forgetting trailing dots in DNS configurations: Fully qualified domain names in DNS configs need a trailing dot (`.`) — e.g., `ns1.example.com.`
- Creating a CNAME at the zone apex: CNAME records can’t coexist with other records at the same name. Use `ALIAS` or `ANAME` records for apex domains.
- Not using SPF/DKIM/DMARC TXT records: Without these, anyone can send email from your domain. Email providers flag your messages as spam.
- Ignoring propagation time: DNS changes take time to propagate (minutes to hours). Plan migrations during low-traffic periods.
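Three of the mistakes listed above (a missing trailing dot, a CNAME at the apex or next to other records, and no SPF/DMARC TXT records) are visible in the zone file before it is ever loaded. The following added example (written for this tutorial, not code from the original page or from DodaTech) is a small zone-file linter for a simplified `name [ttl] [IN] type rdata` format: it expands names the way a DNS server does, so an unqualified NS target shows up as the doubled name it would really become, and reports each of the three mistakes. The zone files are constructed samples using the page's example.com and 93.184.216.34.

```python
def qualify(name: str, origin: str) -> str:
    """Expand a zone-file name the way a server does: '@' is the origin, and a name
    without a trailing dot is relative to the origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str, origin: str) -> list:
    """Parse a simplified zone file, one record per line: name [ttl] [IN] type rdata...
    $-directives and ';' comments are skipped. Returns a list of record dicts."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        tokens = line.split()
        name, i, ttl = tokens[0], 1, None
        if tokens[i].isdigit():
            ttl, i = int(tokens[i]), i + 1
        if tokens[i].upper() == "IN":
            i += 1
        records.append({"name": qualify(name, origin), "ttl": ttl,
                        "type": tokens[i].upper(), "rdata": tokens[i + 1:]})
    return records


def lint_zone(text: str, origin: str) -> list:
    """Return (code, message) findings for the configuration mistakes discussed above."""
    if not origin.endswith("."):
        origin += "."
    records = parse_zone(text, origin)
    types_at = {}
    for r in records:
        types_at.setdefault(r["name"], set()).add(r["type"])
    findings = []
    for r in records:
        # NS/MX/CNAME rdata ends in a host name; without the trailing dot the server
        # appends the origin, so ns1.example.com becomes ns1.example.com.example.com.
        if r["type"] in ("NS", "MX", "CNAME") and r["rdata"]:
            target = r["rdata"][-1]
            if not target.endswith("."):
                findings.append(("RELATIVE_TARGET", f"{r['type']} target {target!r} has no trailing dot "
                                 f"and will be read as {qualify(target, origin)!r}"))
        if r["type"] == "CNAME":
            if r["name"] == origin:
                findings.append(("CNAME_AT_APEX", f"CNAME at {origin} conflicts with the apex "
                                 "SOA/NS records; use an ALIAS/ANAME record instead"))
            elif types_at[r["name"]] - {"CNAME"}:
                others = sorted(types_at[r["name"]] - {"CNAME"})
                findings.append(("CNAME_CONFLICT", f"{r['name']} has a CNAME alongside {others}"))
    apex_txt = [" ".join(r["rdata"]) for r in records if r["name"] == origin and r["type"] == "TXT"]
    if not any("v=spf1" in t for t in apex_txt):
        findings.append(("MISSING_SPF", f"no SPF record at {origin}: any host may send mail as this domain"))
    dmarc_txt = [" ".join(r["rdata"]) for r in records
                 if r["name"] == f"_dmarc.{origin}" and r["type"] == "TXT"]
    if not any("v=DMARC1" in t for t in dmarc_txt):
        findings.append(("MISSING_DMARC", f"no DMARC policy at _dmarc.{origin}"))
    return findings


# Constructed sample zone containing the mistakes discussed above.
BAD_ZONE = """
$ORIGIN example.com.
$TTL 3600
@       IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 300
@       IN NS    ns1.example.com            ; missing trailing dot
@       IN CNAME www.example.com.           ; CNAME at the apex
www 300 IN A     93.184.216.34
mail 300 IN A    93.184.216.35
@       IN MX    10 mail.example.com.
"""

# The same zone with each finding fixed.
GOOD_ZONE = """
@       IN SOA   ns1.example.com. hostmaster.example.com. 2024010102 7200 3600 1209600 300
@       IN NS    ns1.example.com.
@       IN A     93.184.216.34
www 300 IN CNAME example.com.
mail 300 IN A    93.184.216.35
@       IN MX    10 mail.example.com.
@       IN TXT   "v=spf1 mx -all"
_dmarc  IN TXT   "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
"""

if __name__ == "__main__":
    for code, message in lint_zone(BAD_ZONE, "example.com."):
        print(f"{code}: {message}")
```

Run it as a pre-commit check on zone files, or point it at the output of a zone transfer from your own server, to catch these before the change propagates.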
Practice Questions
What is the DNS resolution order in the hierarchy? Root servers → TLD servers → Authoritative servers. The recursive resolver caches each step.
What’s the difference between A and CNAME records? An A record maps a domain directly to an IP address. A CNAME maps a domain to another domain name (alias).
What is DNS caching and why is it important? Caching stores resolved DNS results locally to avoid repeated lookups. It reduces latency by 10-100x and reduces load on DNS infrastructure.
How does DNSSEC prevent cache poisoning? It cryptographically signs DNS records. The resolver verifies the signature using the parent zone’s public key chain.
What happens when you query a domain that doesn’t exist? The recursive resolver receives an NXDOMAIN response from the authoritative server and returns an error to the client.
Challenge
Set up a local DNS server (BIND or Unbound) on your machine. Create a zone file for a test domain. Query it with dig and verify the responses.
Real-World Task
Use dig example.com ANY +trace to trace the full DNS resolution path from root servers to authoritative servers. Each step shows which server was queried and how long it took.
Mini Project: DNS Lookup Tool
Build a command-line Python tool that resolves domains for A, AAAA, MX, NS, and TXT records. Display TTL values, measure resolution time, and color-code successful vs failed lookups.
Security angle: DNS is a common attack vector — DNS spoofing, cache poisoning, and DNS tunneling. Understanding DNS security (DNSSEC) helps you build more secure network services.
What’s Next
Congratulations on completing this DNS Explained tutorial! Here’s where to go from here:
- Practice daily — Consistency is more important than long study sessions
- Build a project — Apply what you learned by building something real
- Explore related topics — Check out other tutorials in the same category
- Join the community — Discuss with other learners and share your progress
Remember: every expert was once a beginner. Keep coding!
Built by the developers of DodaTech
Doda Browser, DodaZIP & Durga Antivirus Pro