What Is DNS? Complete Guide to the Domain Name System

DNS is the internet's phone book. Learn how it works from root servers to your browser.

DNS as the Internet's Phone Book

DNS (Domain Name System) is one of the most fundamental systems on the internet. Without DNS we would have to remember IP addresses like 93.184.216.34 to visit websites — instead we just type "example.com". DNS translates human-friendly domain names into IP addresses that computers use to find the right server.

The system was developed in the 1980s because it proved impossible to keep track of all IP addresses manually. Today DNS handles billions of requests every day, and almost all internet traffic starts with a DNS lookup. You can use our DNS lookup tool to investigate DNS records for any domain.

How a DNS Lookup Works

When you type a domain name into your browser, a chain of events begins that usually takes just milliseconds. Here are the steps:

  1. Browser — First checks its own cache. If you've visited the site recently, the answer may be there.
  2. Operating system — If not, the OS cache is checked. Windows, macOS, and Linux cache DNS responses.
  3. Recursive resolver — Usually your ISP's DNS server (or Google 8.8.8.8, Cloudflare 1.1.1.1). It takes on the job of finding the answer.
  4. Root server — The resolver asks one of the 13 root servers in the world. They don't respond with the IP address, but with the address of the TLD server (e.g. for .com or .org).
  5. TLD server — The resolver asks the server for that top-level domain (for .com these are operated by Verisign). It answers with the name servers that are authoritative for the domain.
  6. Authoritative DNS server — Finally the resolver asks the authoritative server that owns the DNS configuration for the domain. Here it gets the actual IP address.
  7. Response — The IP address is returned to the browser, which can now connect to the web server.

The DNS Hierarchy

DNS is built as a hierarchical, distributed system. No single server has all the information — responsibility is spread across multiple levels:

  • Root servers — 13 logical root servers (physically hundreds of servers) that know where the TLD servers are. They're the core of the entire system.
  • TLD servers (Top Level Domain) — Handle .com, .org, .net, .io, etc. Verisign operates .com, PIR operates .org.
  • Authoritative DNS servers — Own the official DNS information for a domain. These are the servers you configure at your domain registrar or hosting provider.
  • Recursive resolvers — The "workhorses" that make requests on behalf of users. Your ISP, Google, Cloudflare, and Quad9 offer such services.

DNS Caching

Every time someone looks up "example.com" it would be inefficient to go all the way to the authoritative server. That's why DNS responses are cached at multiple levels:

  • Browser cache — Chrome, Firefox, and Safari store DNS responses in memory. Often 1–60 minutes.
  • OS cache — The operating system caches too. On Windows you can check with ipconfig /displaydns.
  • ISP/Resolver cache — Your DNS resolver caches for all users. Here responses can sit for hours or days.

TTL (Time To Live) is the value that says how long a response can be cached. High TTL (e.g. 86400 = 24 hours) reduces load on DNS servers. Low TTL (300–600 seconds) is used before domain migrations to get changes to propagate faster.
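To make the TTL mechanics concrete, here is an added example (not code from this article) that models a resolver cache honouring TTL and then simulates the "lower TTL before migration" playbook described under troubleshooting below. The zone, the single resolver, the whole-second clock and the RFC 5737 documentation addresses are all constructed for the simulation.

```python
"""Resolver cache that honours TTL, plus a simulation of the
"lower TTL before migration" playbook from the article.

Added example, not code from the article. The model is simplified: one
record per (name, type), clock in whole seconds, one resolver, addresses
from the RFC 5737 documentation ranges (constructed).
"""


class ResolverCache:
    """Caches answers with an absolute expiry computed from the TTL."""

    def __init__(self):
        self._entries = {}          # (name, rtype) -> (rdata, expires_at)

    def store(self, name, rtype, rdata, ttl, now):
        self._entries[(name.lower(), rtype)] = (rdata, now + ttl)

    def lookup(self, name, rtype, now):
        """Return (rdata, remaining_ttl) or None when absent or expired.
        Resolvers hand out the *remaining* TTL, so caches downstream
        (OS, browser) expire the record at the same moment."""
        key = (name.lower(), rtype)
        entry = self._entries.get(key)
        if entry is None:
            return None
        rdata, expires_at = entry
        if now >= expires_at:
            del self._entries[key]
            return None
        return rdata, expires_at - now


class AuthoritativeZone:
    """What the domain owner currently publishes for one record."""

    def __init__(self, rdata, ttl):
        self.rdata, self.ttl = rdata, ttl


def resolve(cache, zone, name, rtype, now):
    """Answer from cache while fresh; otherwise ask the authoritative zone and cache it."""
    hit = cache.lookup(name, rtype, now)
    if hit is not None:
        return hit[0]
    cache.store(name, rtype, zone.rdata, zone.ttl, now)
    return zone.rdata


def stale_seconds_after_change(lower_ttl_first, old_ttl=86400, low_ttl=300, wait=None):
    """Simulate one resolver that cached the record just before the migration started
    and report how many seconds after the IP change it still answers with the old IP."""
    zone = AuthoritativeZone("192.0.2.10", old_ttl)
    cache = ResolverCache()
    t = 0
    resolve(cache, zone, "www.example.com", "A", t)     # cached with the old, long TTL
    if lower_ttl_first:
        zone.ttl = low_ttl                               # step 1: lower the TTL
        t += old_ttl if wait is None else wait           # step 2: wait out the old TTL
        resolve(cache, zone, "www.example.com", "A", t)  # refresh (only if the old entry expired)
    change_at = t + 1
    zone.rdata = "198.51.100.20"                         # step 3: change the record
    t = change_at
    while resolve(cache, zone, "www.example.com", "A", t) != zone.rdata:
        t += 1                                           # advance the clock one second
    return t - change_at                                 # step 4 (raise TTL again) follows in practice


if __name__ == "__main__":
    print("no TTL lowering:       ", stale_seconds_after_change(False), "s of stale answers")
    print("lowered, waited 1 day: ", stale_seconds_after_change(True), "s")
    print("lowered, waited 10 min:", stale_seconds_after_change(True, wait=600), "s")
```

The third run shows the common mistake: lowering the TTL but changing the record before the old TTL has elapsed leaves any resolver that cached the old answer serving it for almost a full day, because its copy still carries the old expiry.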

DNS Record Types Explained

DNS stores different types of information. Here are the most common record types:

A
Points to an IPv4 address (e.g. 93.184.216.34)
AAAA
Points to an IPv6 address
MX
Mail Exchange — which server receives email for the domain
CNAME
Alias that points one domain name to another (cannot be used on the root domain)
TXT
Free text — used for SPF, DKIM, DMARC, and verification
NS
Name Server — specifies who is authoritative for the domain
SOA
Start of Authority — metadata about the DNS zone (serial number, refresh interval)
SRV
Service record — for services like VoIP, XMPP
PTR
Reverse DNS — IP to hostname (used in reverse IP lookups)

DNS and Security

Traditional DNS is not encrypted. This opens the door to several threats:

  • DNS hijacking — Attackers redirect DNS requests to fake sites. Common via malware or compromised routers.
  • DNS spoofing — Fake responses are injected into the network to get users to visit phishing sites.

DNSSEC cryptographically signs DNS responses so recipients can verify they're authentic. DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt the request itself — then your ISP or others on the network can't see which domains you're looking up.

Changing Your DNS Server

You can switch from your ISP's default DNS to a third-party service. Popular options:

  • Google 8.8.8.8 / 8.8.4.4 — Fast, globally available
  • Cloudflare 1.1.1.1 / 1.0.0.1 — Focus on speed and privacy
  • Quad9 9.9.9.9 — Automatically blocks known malware domains

The change is made in network settings on your router or per device. On Windows: Network settings → Adapter → IPv4 → DNS. On macOS: System Settings → Network → Advanced → DNS.

DNS Problems and Troubleshooting

Common problems and solutions:

  • "Server not found" — Check that A/AAAA records exist. Use DNS lookup to verify.
  • Old content after migration — Lower TTL before migration, wait at least the old TTL so cached copies expire, make the change, then raise TTL again.
  • Email going to spam — Check MX, SPF, DKIM, and DMARC in TXT records.
  • Subdomain not working — Add explicit A, AAAA, or CNAME records. CNAME cannot be used on the root domain.

Frequently Asked Questions About DNS

What happens if the DNS lookup returns no results?
This can be because the domain doesn't exist, it's not configured with DNS records yet, or the name servers aren't responding. Try checking if the domain is registered, and wait a few minutes in case of temporary network issues.
How long does it take for DNS changes to take effect?
Typically 15 minutes to 48 hours, depending on the TTL (Time To Live) set on the records. With low TTL (e.g. 300 seconds) changes propagate faster. Global DNS propagation can take up to 24–48 hours.
What is TTL in DNS?
TTL (Time To Live) specifies how many seconds a DNS record can be cached by intermediate servers and clients. Low TTL (300–600) gives faster propagation of changes, but increases load on DNS servers. High TTL (3600+) reduces load but makes changes slower to take effect.
Can I change the DNS servers (name servers) for my domain?
Yes. You change NS records at your domain registrar (e.g. GoDaddy, Namecheap) to point to other name servers. This transfers control of the DNS configuration to the new provider. The change can take up to 48 hours to propagate.
What's the difference between authoritative and recursive DNS servers?
Authoritative DNS servers contain the official DNS information for a domain and answer directly for it. Recursive DNS servers (like 8.8.8.8 or 1.1.1.1) ask other servers on behalf of the user and cache the responses.
Why is DNS important for email security?
DNS is used for SPF (Sender Policy Framework), DKIM, and DMARC — all stored as TXT records. SPF specifies which IP addresses can send email for the domain, DKIM cryptographically signs messages, and DMARC tells recipients how to handle failed checks.
What is DNSSEC?
DNSSEC (Domain Name System Security Extensions) is an extension that cryptographically signs DNS responses. This allows recipients to verify that responses haven't been tampered with in transit.
What's the difference between DoH and DoT?
DNS over HTTPS (DoH) sends DNS requests encrypted over HTTPS (port 443), often via the browser. DNS over TLS (DoT) uses its own port 853. Both protect against eavesdropping on DNS traffic.
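As an added example for the email-security question above (not code from this article), the script below evaluates an SPF policy for a sending IP address the way a receiving mail server does. It covers the ip4, ip6, include and all mechanisms of RFC 7208; the TXT records are constructed stand-ins for DNS answers, and mechanisms that would need live DNS lookups (a, mx, ptr, exists) are reported as permerror rather than resolved.

```python
"""Evaluate an SPF policy for a sending IP (subset of RFC 7208).

Added example, not code from the article. The TXT records below are
constructed stand-ins for DNS answers; the mechanisms handled are ip4,
ip6, include and all. Mechanisms that need live DNS (a, mx, ptr, exists)
are reported as permerror here.
"""
import ipaddress

# Constructed TXT records, keyed by domain, in place of real DNS lookups.
SAMPLE_TXT = {
    "example.com": [
        "some-site-verification=constructed-token",      # unrelated TXT record, must be skipped
        "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example.net -all",
    ],
    "_spf.mail.example.net": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain, txt_records):
    """Return the domain's single SPF record, None if absent, 'permerror' if several."""
    spf = [r for r in txt_records.get(domain, []) if r.lower().split(" ", 1)[0] == "v=spf1"]
    if not spf:
        return None
    return spf[0] if len(spf) == 1 else "permerror"


def check_spf(ip, domain, txt_records, depth=0):
    """Return pass / fail / softfail / neutral / none / permerror for `ip` sending as `domain`."""
    if depth > 10:                                  # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = spf_record(domain, txt_records)
    if record is None:
        return "none"
    if record == "permerror":
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:                             # modifier (redirect=, exp=): not handled here
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr.version == net.version and addr in net
        elif name == "include":
            inner = check_spf(ip, arg, txt_records, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"                  # a broken include breaks the whole policy
            matched = inner == "pass"
        else:
            return "permerror"                      # a/mx/ptr/exists need live DNS, out of scope
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                                # no mechanism matched and no 'all'


if __name__ == "__main__":
    for sender in ("192.0.2.55", "198.51.100.10", "2001:db8::1", "203.0.113.7"):
        print(sender, "->", check_spf(sender, "example.com", SAMPLE_TXT))
```

The result is only one input to the receiver's decision: SPF says which IPs may send for the domain, DKIM verifies the message signature, and the domain's DMARC record tells the receiver what to do when both checks fail.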