How DNS Works

Every time you type a website address into your browser, something remarkable happens behind the scenes in a fraction of a second. Your browser doesn't actually know what "google.com" means — computers communicate using numerical IP addresses like 142.250.80.46. The Domain Name System (DNS) is the translation layer that converts human-friendly domain names into the IP addresses that computers need to find each other. It's been called the phonebook of the internet, and it handles trillions of queries every single day.

What Happens When You Visit a Website

Let's walk through a real example. You type "example.com" into your browser and hit Enter. Before your browser can load anything, it needs to find the IP address behind that domain name. First, it checks its own internal cache — maybe you visited this site recently and the answer is still stored locally. If not, it asks your operating system's DNS cache. If that's empty too, the query goes out to a DNS resolver.

Most people use their ISP's DNS resolver by default, but you can configure your device to use alternatives like Cloudflare's 1.1.1.1 or Google's 8.8.8.8. The resolver is the workhorse of the DNS system — it's the one that actually tracks down the answer on your behalf, querying a chain of servers until it finds the IP address you need.

The DNS Hierarchy: Root, TLD, and Authoritative Servers

DNS is structured as a hierarchy, and a full lookup walks down through three levels. At the top sit the root nameservers — 13 clusters (labeled A through M) distributed across hundreds of physical servers worldwide using anycast routing. They don't know the IP of every website, but they know where to find the servers responsible for each top-level domain.

Next come the TLD (Top-Level Domain) nameservers. There's one set for .com, another for .org, another for .uk, and so on. The TLD server doesn't know the final IP either, but it knows which server is the authority for the specific domain. Finally, the authoritative nameserver for that domain holds the actual records — and it returns the IP address to the resolver, which caches it and sends it back to your browser. Total time for this entire chain: usually under 100 milliseconds.
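To make the referral chain concrete, here is an added toy model of that walk (illustrative code written for this article, not anything a real resolver ships): three constructed nameservers, each of which either answers or refers the resolver one level down, plus the bailiwick check a resolver applies so that a referral cannot steer it outside the zone the answering server is responsible for. All addresses are from the TEST-NET ranges and are constructed.

```python
# Added illustration: a toy model of the three tiers. All addresses are constructed
# (TEST-NET ranges), not the real root, .com, or example.com servers.
ROOT = "198.51.100.1"
SERVERS = {
    ROOT:           {"zone": ".",            "delegations": {"com.": "198.51.100.2"}},
    "198.51.100.2": {"zone": "com.",         "delegations": {"example.com.": "203.0.113.5"}},
    "203.0.113.5":  {"zone": "example.com.", "answers": {"www.example.com.": ("192.0.2.10", 60)}},
}

def ask(server_ip, qname):
    """One query to one nameserver: a final answer, a referral to a child zone, or nothing."""
    srv = SERVERS[server_ip]
    if qname in srv.get("answers", {}):
        return "answer", srv["answers"][qname]
    for zone, ns_ip in srv.get("delegations", {}).items():
        if qname.endswith("." + zone):
            return "referral", (zone, ns_ip)
    return "nxdomain", None

def resolve(qname, cache=None):
    """Iterative resolution as a resolver does it: root -> TLD -> authoritative.
    Returns ((address, ttl) or None, list of zones consulted)."""
    qname = qname.rstrip(".") + "."
    cache = {} if cache is None else cache
    if qname in cache:                       # a cached answer skips the whole walk
        return cache[qname], ["cache"]
    server, zone, path = ROOT, ".", []
    while True:
        path.append(zone)
        kind, data = ask(server, qname)
        if kind == "answer":
            cache[qname] = data
            return data, path
        if kind == "nxdomain":
            return None, path
        child, ns_ip = data
        # Bailiwick check: accept a delegation only for a zone below the one this
        # server is responsible for; an out-of-zone referral must not steer the walk.
        if zone != "." and not child.endswith("." + zone):
            raise ValueError(f"out-of-bailiwick referral to {child} from {zone}")
        server, zone = ns_ip, child
```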

DNS Record Types You Should Know

A records are the most basic — they map a domain name to an IPv4 address. AAAA records do the same for IPv6 addresses. CNAME records create aliases, pointing one domain name to another (like www.example.com pointing to example.com). MX records tell the internet which mail servers handle email for a domain, with priority numbers that determine failover order.

TXT records store arbitrary text and are commonly used for email authentication (SPF, DKIM, and DMARC records that help prevent email spoofing). NS records declare which nameservers are authoritative for a domain. PTR records enable reverse DNS — looking up a domain name from an IP address — and are commonly used to verify email server legitimacy. You can look up all of these record types using DigiMetrics Hub's DNS Lookup tool on our homepage.

DNS Caching: Why Changes Don't Happen Instantly

To avoid repeating the same lookups millions of times, DNS responses are cached at every level — your browser, your OS, your router, and your ISP's resolver all store recent results. Each DNS record comes with a TTL (Time-To-Live) value that says how long the cached answer is valid. A TTL of 300 means "cache this for 5 minutes." A TTL of 86400 means "cache this for 24 hours."

This is why DNS changes don't propagate instantly. When you update your domain's DNS records (say, after migrating to a new server), the old IP will continue to be served from caches around the world until their TTL expires. This "DNS propagation" can take anywhere from minutes to 48 hours, depending on the previous TTL settings. If you're planning a migration, it helps to lower your TTL to 300 seconds a day or two beforehand.
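The record types and TTLs above arrive on the wire in the RFC 1035 message format. The following added example (written for this article, not taken from any tool) parses a constructed response carrying a CNAME and an A record, including the compression pointers real replies use, and then decides from the TTLs whether a cached answer may still be served. The reply bytes and the 192.0.2.10 address are constructed; MX and TXT data are left as hex.

```python
import struct
TYPES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}

def read_name(msg, off, hops=0):
    """Decode the name at off, following compression pointers; return (name, next offset)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:               # 2-byte pointer into an earlier name
            if hops > 16:                       # a forged reply could chain pointers in a loop
                raise ValueError("compression pointer loop")
            target = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(read_name(msg, target, hops + 1)[0])
            return ".".join(labels), off + 2
        off += 1
        if length == 0:                         # the root label ends the name
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_answers(msg):
    """Skip the header and question section; return answers as (name, type, ttl, value)."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off, records = 12, []
    for _ in range(qdcount):
        off = read_name(msg, off)[1] + 4        # name, then QTYPE and QCLASS
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        value = read_name(msg, off)[0] if rtype in (2, 5, 12) else msg[off:off + rdlen].hex()
        if rtype == 1:                          # A: four raw bytes of an IPv4 address
            value = ".".join(str(b) for b in msg[off:off + 4])
        records.append((name, TYPES.get(rtype, str(rtype)), ttl, value))
        off += rdlen
    return records

def cached_address(records, age):
    """Serve the A answer from cache only while every record in the chain is within its TTL."""
    if any(age >= ttl for _, _, ttl, _ in records):
        return None                             # expired: the resolver must ask again
    return next(v for _, t, _, v in records if t == "A")

# Constructed reply (not a capture): www.example.com CNAME example.com TTL 300, A 192.0.2.10 TTL 60
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)       # header: 1 question, 2 answers
    + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, 2) + b"\xc0\x10"   # name/target point into question
    + b"\xc0\x10" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 10])
)
```

Because the A record's TTL (60) is shorter than the CNAME's (300), the whole answer stops being servable after 60 seconds, which is exactly the lag you see during propagation.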

DNS and Your Privacy

Here's something most people don't realize: traditional DNS queries are sent in plain text. Your ISP — and anyone monitoring your network — can see every domain name you look up, even if the website itself uses HTTPS. This is a significant privacy hole that's only recently started to be addressed.

DNS-over-HTTPS (DoH) wraps DNS queries inside encrypted HTTPS traffic, so a network observer can no longer read the names you look up, and the queries blend in with regular web traffic on port 443. DNS-over-TLS (DoT) encrypts DNS queries using TLS on a dedicated port (853). Both Firefox and Chrome now support DoH natively. Cloudflare's 1.1.1.1, Google's 8.8.8.8, and Quad9's 9.9.9.9 all support encrypted DNS.
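The added example below (written for this article, not code from any resolver or browser) builds the same wire-format query the plain-UDP, DoH, and DoT transports all carry, shows how the queried name sits in cleartext in the raw message, and then produces the two encrypted-transport forms: the RFC 8484 GET URL (base64url, no padding) and the length-prefixed framing DoT sends inside TLS on port 853. The DoH endpoint URL is a placeholder; real resolvers publish their own.

```python
import base64
import struct

QTYPES = {"A": 1, "AAAA": 28, "TXT": 16}

def build_query(name, qtype="A", ident=0):
    """Wire-format DNS query: 12-byte header with RD set, then one question.
    ID 0 (as RFC 8484 suggests for GET) makes identical queries produce identical URLs."""
    header = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)

def queried_name(query):
    """Recover the name from a raw query: what an on-path observer reads from plain UDP DNS."""
    off, labels = 12, []
    while query[off]:
        labels.append(query[off + 1:off + 1 + query[off]].decode("ascii"))
        off += 1 + query[off]
    return ".".join(labels)

def doh_get_url(endpoint, query):
    """DoH GET form (RFC 8484): the wire message, base64url-encoded, padding removed."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"

def dot_frame(query):
    """DoT (TCP 853) carries DNS exactly like DNS-over-TCP: a 2-byte length prefix.
    The bytes are then protected by the TLS session, not by this framing."""
    return struct.pack("!H", len(query)) + query
```

For www.example.com the encoded `dns` parameter comes out as the value shown in RFC 8484's own GET example.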

DNSSEC adds cryptographic signatures to DNS records to prevent tampering — ensuring that the IP address you receive is the one the domain owner intended. Without DNSSEC, attackers can potentially poison DNS caches with false records that redirect you to malicious sites. Combining encrypted DNS with DNSSEC gives you both privacy and integrity.

Troubleshooting DNS Problems

If a website won't load but your internet connection seems fine, DNS is often the culprit. Start by flushing your local DNS cache: on Windows run ipconfig /flushdns, on macOS run sudo dscacheutil -flushcache. If that doesn't help, try switching to a public DNS resolver like Cloudflare (1.1.1.1) or Google (8.8.8.8) to bypass your ISP's potentially slow or misconfigured DNS servers.

You can use DigiMetrics Hub's DNS Lookup tool to check whether a domain's records are resolving correctly. If A records return the expected IP address, DNS is working and the problem is elsewhere (the web server, a firewall, or a CDN issue). If no records are returned, the domain may have expired, or its nameserver configuration is broken.

Key Takeaways

  • DNS translates domain names into IP addresses — it's the internet's address book
  • A full DNS lookup walks through root, TLD, and authoritative nameservers in under 100ms
  • DNS caching speeds up browsing but can delay propagation of DNS changes
  • Traditional DNS is unencrypted — use DNS-over-HTTPS for privacy
  • DNSSEC prevents DNS spoofing by cryptographically signing records
  • Use DigiMetrics Hub's DNS Lookup to diagnose domain resolution issues