Module 10 of 21 · Applied

How DNS resolution works in practice

18 min read 3 outcomes Scenario quiz

By the end of this module you will be able to:

  • Trace a DNS query from stub resolver through recursive resolver to authoritative server
  • Name the common DNS record types and explain what each one does
  • Explain why TTL and caching cause DNS changes to propagate unevenly across the internet
Browser address bar showing a domain name being typed, illustrating the start of DNS resolution

Real-world incident · October 21, 2016

The Dyn DDoS attack: when the internet lost its phone book

On October 21, 2016, a botnet of compromised Internet of Things (IoT) devices called Mirai launched a massive distributed denial-of-service (DDoS) attack against Dyn, a DNS provider based in Manchester, New Hampshire. Dyn provided managed DNS services for a large portion of the internet's major platforms.

The attack flooded Dyn's infrastructure with tens of millions of DNS lookup requests per second. Their authoritative nameservers became unable to respond. When the authoritative nameservers go silent, recursive resolvers cannot get answers. When recursive resolvers have no answers, stub resolvers on client machines return NXDOMAIN (no such domain) or SERVFAIL. Applications cannot connect to services they cannot resolve.

The platforms themselves were fine. Twitter's servers were running. Netflix's servers were running. The routing was fine. The failure was entirely at the DNS naming layer. Without working name resolution, none of the downstream infrastructure mattered.

Twitter, Netflix, Spotify, Reddit, and PayPal all stopped working at the same time. They are unrelated companies with separate infrastructure. What single point connected them all?

10.1 The DNS hierarchy: stub, recursive, and authoritative

DNS (Domain Name System) is a distributed, hierarchical, cached naming system. RFC 9499 is the current DNS terminology reference. Understanding where each role sits is essential for diagnosing DNS failures correctly.

The stub resolver runs on your machine. It is not a full DNS implementation. It takes a question from the application (what is the IP for example.com?), forwards it to a configured recursive resolver, and returns the answer. Most operating systems have a stub resolver built into their networking stack.

The recursive resolver (also called a full-service resolver or caching resolver) does the actual work. It either answers from its cache or walks the DNS hierarchy to find the authoritative answer. ISP resolvers, Google's 8.8.8.8, and Cloudflare's 1.1.1.1 are all recursive resolvers.

Authoritative nameservers hold the final, definitive records for a zone. When you update your domain's A record, you update it at the authoritative server. The recursive resolver fetches the answer from there and caches it for the duration of the TTL (time to live).

The domain name space is a tree structure. Each node and leaf on the tree corresponds to a resource set. The tree structure is used to define the name space.

RFC 1034 - Section 3.1, Name Space Specifications and Terminology

The hierarchy matters for fault isolation. Root servers direct queries to TLD (top-level domain) servers. TLD servers direct to authoritative servers. Each level can fail independently. When you know which tier failed, you know where to look.

The resolution path for `api.example.com` works like this. The stub resolver asks the recursive resolver. If the recursive resolver has no cache entry, it asks a root server which TLD server handles `.com`. The root server responds. The recursive resolver asks the `.com` TLD server which nameserver handles `example.com`. The TLD server responds. The recursive resolver asks the `example.com` authoritative server for the IP of `api.example.com`. It gets an A record back, caches it for the TTL, and returns it to the stub resolver.

10.2 DNS record types

DNS records are not just IP address lookups. Each record type has a specific purpose. Confusing them is one of the most common sources of DNS misconfiguration.

A record. Maps a hostname to an IPv4 address. Example: `api.example.com → 93.184.216.34`

AAAA record. Maps a hostname to an IPv6 address. The name comes from IPv6 being four times larger than IPv4.

CNAME (canonical name) record. Creates an alias pointing to another hostname. `www.example.com CNAME example.com` means "look up example.com and use that answer for www.example.com." CNAME chains are valid but add resolution steps and latency.

MX (mail exchanger) record. Specifies the mail server for a domain. Points to a hostname (not an IP), with a priority number. Lower priority numbers are tried first.

NS (nameserver) record. Identifies the authoritative nameservers for a zone. These are the servers the TLD delegate queries to.

SOA (start of authority) record. Contains zone metadata: the primary nameserver, the zone administrator's email address, zone serial number, and timing parameters for secondary nameserver synchronisation.

TXT (text) record. Stores arbitrary text. Used for SPF (Sender Policy Framework) email anti-spoofing, DKIM (DomainKeys Identified Mail) public keys, domain ownership verification, and various application tokens.

10.3 TTL, caching, and why DNS changes are slow

Every DNS record has a TTL value measured in seconds. When a recursive resolver caches an answer, it keeps it until the TTL expires. This is why a change you made to your DNS record may not be immediately visible to everyone on the internet.

A user whose resolver cached the old A record an hour ago with a 24-hour TTL will continue seeing the old IP for up to 23 more hours. A user whose resolver just looked up the record will get the new one. This is not a bug; it is the design. Caching is what makes DNS scale to billions of queries per day without the authoritative servers handling every single request.

If you are preparing for a DNS migration, reduce the TTL to 300 seconds (five minutes) a day or two before the change. After the change, you can increase it again. This limits how long stale records persist while keeping normal load on the authoritative servers manageable.

"DNS is propagating" usually means "some recursive resolvers are still serving the old TTL." There is no central broadcast. Each resolver serves its cached answer until the TTL expires and fetches fresh data.

10.4 DNSSEC, DoH, and DoT

DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records. It allows resolvers to verify that a response was actually signed by the zone owner and has not been tampered with in transit. DNSSEC prevents cache poisoning attacks where a malicious actor injects false DNS answers.

DNSSEC does not encrypt DNS traffic. Queries and responses are still visible to network observers. What it adds is integrity: you know the answer came from the real zone and has not been modified.

DNS over HTTPS (DoH), defined in RFC 8484, and DNS over TLS (DoT), defined in RFC 7858, encrypt the DNS exchange. Queries go over an encrypted channel, hiding the question from network intermediaries. DoH uses port 443 and looks like normal HTTPS traffic. DoT uses port 853. Both are increasingly common in modern browsers and operating systems.

This document defines a protocol for sending DNS messages over HTTPS, referred to here as DNS over HTTPS (DoH).

RFC 8484 - Section 1, Introduction

DoH was standardised in 2018. Its use of port 443 means DNS queries blend into regular HTTPS traffic, making them harder to block or monitor at the network level. This has privacy benefits but complicates traditional network-level DNS filtering.

Common misconception

DNS is just a phone book.

DNS is a distributed, hierarchical, cached system with multiple server roles, transport options (UDP, TCP, TLS, HTTPS), security extensions, and record types that do far more than IP lookup. The phone book analogy breaks when you need to explain cache TTLs, recursive vs authoritative roles, DNSSEC validation chains, or why different users see different answers after a DNS change.

10.5 Check your understanding

Your website works on some ISPs but not others after a DNS change you made two hours ago. What is the most likely cause?

A recursive resolver asks a root server for help resolving api.example.com. What does the root server return?

You set a DNS A record with a TTL of 86400 seconds (24 hours). You then need to change the IP urgently. What happens?

What does DNSSEC add that DNS over TLS (DoT) does not?

Key takeaways

  • DNS resolution is a multi-step hierarchy: stub resolver contacts recursive resolver, which walks root, TLD, and authoritative servers, then caches the answer for the TTL.
  • Record types have specific purposes: A for IPv4, AAAA for IPv6, CNAME for aliases, MX for mail, NS for nameserver delegation, TXT for text metadata.
  • TTL caching means DNS changes propagate unevenly. Reduce TTL before planned changes; increase it afterwards.
  • DNSSEC adds integrity (cryptographic signing). DoH and DoT add privacy (encryption of the query). They solve different problems.

Standards and sources cited in this module

  1. RFC 1035, Domain Names: Implementation and Specification

    Section 3.2, RR Definitions; Section 4, Messages

    Defines the DNS message format, record types (A, CNAME, MX, NS, SOA, TXT), and the wire protocol. The record type descriptions in Section 10.2 reference this specification.

  2. RFC 1034, Domain Concepts and Facilities

    Section 3.1, Name Space Specifications; Section 5, Resolvers

    Defines the DNS name space hierarchy and resolver roles. Quoted in Section 10.1 to distinguish stub, recursive, and authoritative roles.

  3. RFC 8484, DNS Queries over HTTPS (DoH)

    Section 1, Introduction

    Defines the DNS over HTTPS protocol. Quoted in Section 10.4 for the DoH definition.

  4. RFC 9499, DNS Terminology (BCP 219)

    Throughout

    Current authoritative terminology reference for DNS roles and concepts. Referenced for stub resolver and recursive resolver definitions in Section 10.1.

  5. Dyn Blog: DDoS Attack Against Dyn Managed DNS

    Published October 22, 2016

    Post-incident analysis of the Mirai botnet attack on Dyn's DNS infrastructure. Used as the opening case study to demonstrate the impact of authoritative DNS infrastructure failure.

DNS converts names to addresses. Module 11 asks when you should skip TCP entirely: what UDP provides, why real-time applications choose it, and how QUIC rebuilds reliability on top of UDP while solving TCP\u2019s head-of-line blocking problem.

Previous: TCP reliability and flow controlNext: When UDP is the right choice

Module 10 of 21 · Applied stage