Key Takeaways

  • DNS translates human-readable domain names to IP addresses.
  • The DNS hierarchy includes root, TLD, and authoritative servers.
  • Common records: A (IPv4), AAAA (IPv6), CNAME (alias), MX (mail).
  • DNSSEC provides cryptographic authentication of DNS responses.
  • DNS cache poisoning and hijacking are serious security threats.
  • Use encrypted DNS (DoH/DoT) for privacy protection.

1. Introduction to DNS

The Domain Name System (DNS) is one of the most fundamental technologies underlying the internet. Often called "the phone book of the internet," DNS translates human-friendly domain names (like example.com) into IP addresses (like 93.184.216.34) that computers use to communicate with each other.

Without DNS, you would need to memorize numerical IP addresses to visit websites—imagine having to type 142.250.190.14 instead of google.com. DNS makes the internet accessible and user-friendly.

DNS was designed in the early 1980s when the internet was small enough that a single HOSTS.TXT file could contain mappings for all connected computers. As the internet grew, this approach became impractical, leading to the development of the distributed, hierarchical DNS system we use today.

DNS Facts

DNS handles billions of queries every day. There are over 350 million registered domain names worldwide. The entire DNS infrastructure is designed for high availability—if one server fails, others take over seamlessly.

2. How DNS Works

2.1 The DNS Hierarchy

DNS uses a hierarchical distributed database. At the top is the root zone ("."), served by the root servers; below it are the top-level domains (TLDs) such as com or org, served by the TLD servers; below those are the zones of individual domains such as example.com, served by that domain's authoritative nameservers. No single server holds the whole database: each level only knows which servers are responsible for the level beneath it, which is what makes the resolution process in 2.2 work.

2.2 The Resolution Process

When you type a URL in your browser, here's what happens:

  1. Local Cache Check: The browser and the operating system check their own caches for a recent answer
  2. Recursive Resolver: On a cache miss, the query goes to your configured recursive resolver (usually your ISP's, or a public one such as 8.8.8.8)
  3. Root Server Query: The resolver asks a root server, which refers it to the nameservers for the TLD (.com)
  4. TLD Server Query: The resolver asks a TLD server, which refers it to the domain's authoritative nameservers
  5. Authoritative Query: The resolver asks the authoritative server and gets the actual IP address
  6. Response Cached: The answer is cached by the resolver, the OS and the browser, each for the record's TTL, so repeat lookups skip steps 2 to 5

# Trace DNS resolution path
dig +trace example.com

# Example output showing hierarchy:
; <<>> DiG 9.16.1-Ubuntu <<>> +trace example.com
.                   518400  IN  NS  a.root-servers.net.
com.                172800  IN  NS  a.gtld-servers.net.
example.com.        86400   IN  NS  ns1.example.com.
example.com.        86400   IN  A   93.184.216.34

2.3 DNS Caching

Caching is essential for DNS performance. Each DNS record has a Time-To-Live (TTL) value that specifies how long it can be cached. Typical TTL values are 300 seconds (5 minutes) to 86400 seconds (24 hours).
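
The resolution walk in 2.2 and the TTL caching described above, as an added example that is not code from the original page. The three "servers" are constructed in-memory zone data mirroring the dig +trace output (root, then com, then example.com); 192.0.2.x are documentation addresses, and the glue records are the A records a parent hands out alongside an NS referral so the resolver can reach the child's nameserver. The clock is injectable so you can watch records expire.

```python
"""Iterative resolution against an in-memory hierarchy, with a TTL-aware cache.
Added example, not code from the original page: the three "servers" are constructed
zone data mirroring the dig +trace output above (root -> com -> example.com);
192.0.2.x are documentation addresses, 93.184.216.34 is the page's example.com.
"""
import time

ROOT_SERVER = "a.root-servers.net."
# server -> (zone it is authoritative for, {owner: [(type, ttl, rdata), ...]})
SERVERS = {
    "a.root-servers.net.": (".", {
        "com.": [("NS", 172800, "a.gtld-servers.net.")],
        "a.gtld-servers.net.": [("A", 172800, "192.0.2.1")],       # glue
    }),
    "a.gtld-servers.net.": ("com.", {
        "example.com.": [("NS", 86400, "ns1.example.com.")],
        "ns1.example.com.": [("A", 86400, "192.0.2.53")],          # glue
    }),
    "ns1.example.com.": ("example.com.", {
        "example.com.": [("A", 86400, "93.184.216.34")],
        "www.example.com.": [("CNAME", 300, "example.com.")],
        "ns1.example.com.": [("A", 86400, "192.0.2.53")],
    }),
}

def query_server(server, qname, qtype):
    """Reply as that authoritative server would: (kind, [(name, type, ttl, rdata)])."""
    zone, data = SERVERS[server]
    labels = qname.split(".")
    for i in range(len(labels) - 1):       # below a delegated child zone -> referral (NS + glue)
        child = ".".join(labels[i:])
        if child == zone:
            break
        ns = [(child, t, ttl, rd) for t, ttl, rd in data.get(child, []) if t == "NS"]
        if ns:
            glue = [(rd, gt, gttl, grd) for _, _, _, rd in ns
                    for gt, gttl, grd in data.get(rd, []) if gt == "A"]
            return "referral", ns + glue
    rrs = [(qname, t, ttl, rd) for t, ttl, rd in data.get(qname, [])]
    if any(t == qtype for _, t, _, _ in rrs):
        return "answer", rrs
    if any(t == "CNAME" for _, t, _, _ in rrs):
        return "cname", [r for r in rrs if r[1] == "CNAME"]
    return "nxdomain", []

class Resolver:
    """Recursive resolver: follows referrals from the root, caches every RR by TTL."""
    def __init__(self, now=time.time):
        self.now = now          # injectable clock so TTL expiry can be exercised
        self.cache = {}         # (name, type) -> (expires_at, [rdata, ...])
        self.queries = []       # (server, qname, qtype) actually sent upstream

    def _put(self, name, rtype, ttl, rdata):
        expires, values = self.cache.get((name, rtype), (0, []))
        if expires <= self.now():             # absent or expired: start a fresh RRset
            expires, values = self.now() + ttl, []
        if rdata not in values:
            values.append(rdata)
        self.cache[(name, rtype)] = (expires, values)

    def _get(self, name, rtype):
        hit = self.cache.get((name, rtype))
        return hit[1] if hit and hit[0] > self.now() else None

    def _closest_server(self, qname):
        """Skip to the deepest zone whose NS set is still cached, else start at the root."""
        labels = qname.split(".")
        for i in range(len(labels) - 1):
            ns = self._get(".".join(labels[i:]), "NS")
            if ns:
                return ns[0]
        return ROOT_SERVER

    def resolve(self, qname, qtype="A", _depth=0):
        if _depth > 8:
            raise RuntimeError(f"CNAME chain too long for {qname}")
        cached = self._get(qname, qtype)
        if cached is not None:
            return cached
        alias = self._get(qname, "CNAME")
        if alias:
            return self.resolve(alias[0], qtype, _depth + 1)
        server = self._closest_server(qname)
        while True:
            self.queries.append((server, qname, qtype))
            kind, rrs = query_server(server, qname, qtype)
            for name, rtype, ttl, rdata in rrs:
                self._put(name, rtype, ttl, rdata)
            if kind == "answer":
                return [rd for n, t, _, rd in rrs if n == qname and t == qtype]
            if kind == "cname":
                return self.resolve(rrs[0][3], qtype, _depth + 1)
            if kind == "referral":
                server = next(rd for _, t, _, rd in rrs if t == "NS")
                continue
            raise LookupError(f"NXDOMAIN: {qname}")
```

Run `Resolver().resolve("www.example.com.")` and inspect `.queries`: the first lookup costs three round trips (root, TLD, authoritative), a repeat is served from cache, and a second name under example.com goes straight to ns1 because the NS set for the zone is still cached. Advance the clock past 86400 seconds and only the com NS set (TTL 172800) survives, so the next lookup restarts at the TLD server rather than the root.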

3. DNS Record Types

Type    Purpose                              Example
A       Maps domain to IPv4 address          example.com → 93.184.216.34
AAAA    Maps domain to IPv6 address          example.com → 2606:2800:...
CNAME   Alias pointing to another domain     www.example.com → example.com
MX      Mail server for domain               Priority 10: mail.example.com
TXT     Text data (SPF, DKIM, verification)  v=spf1 include:_spf.google.com
NS      Authoritative nameservers            ns1.example.com
SOA     Zone authority information           Primary NS, admin email, serial
PTR     Reverse DNS (IP to domain)           34.216.184.93.in-addr.arpa → example.com
SRV     Service location                     _sip._tcp.example.com
CAA     Certificate Authority Authorization  Which CAs may issue TLS certificates for the domain

3.1 A and AAAA Records

# Query A record
dig example.com A

# Query AAAA record
dig example.com AAAA

# Example zone file entries
example.com.    IN  A       93.184.216.34
example.com.    IN  AAAA    2606:2800:220:1:248:1893:25c8:1946

3.2 CNAME Records

CNAME (Canonical Name) records create aliases. They're useful for pointing subdomains to your main domain or to CDN endpoints.

# www subdomain pointing to main domain
www.example.com.    IN  CNAME   example.com.

# Subdomain pointing to CDN
cdn.example.com.    IN  CNAME   d1234.cloudfront.net.

CNAME Restrictions

A CNAME must be the only record at its name: it cannot coexist with any other record type for the same owner (DNSSEC's own RRSIG and NSEC records are the one exception). That is why you cannot put a CNAME at the zone apex (example.com), which already carries SOA and NS records; use ALIAS or ANAME records if your DNS provider supports them, or plain A/AAAA records. The reverse also matters: NS and MX records must point at a hostname that has address records, not at a CNAME.

3.3 MX Records

MX (Mail Exchanger) records specify mail servers for a domain, with priority values indicating preference (lower = higher priority).

# Multiple MX records with priority
example.com.    IN  MX  10  mail1.example.com.
example.com.    IN  MX  20  mail2.example.com.
example.com.    IN  MX  30  backup.mail.example.com.

3.4 TXT Records

TXT records store arbitrary text, commonly used for email authentication (SPF, DKIM, DMARC) and domain verification.

# SPF record
example.com.    IN  TXT "v=spf1 include:_spf.google.com ~all"

# DKIM record
selector._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGf..."

# DMARC record
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:[email protected]"

# Domain verification
example.com.    IN  TXT "google-site-verification=abc123"
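
Parsing the SPF, DKIM and DMARC records above and reading off what they actually enforce, as an added example that is not code from the original page. The records are the page's own; the rua address and the long DKIM public key are constructed stand-ins because the page truncates them. The DKIM record is split into two quoted strings on purpose: a TXT RR is a sequence of strings of at most 255 bytes each, and consumers concatenate them, which is how keys longer than 255 characters get published.

```python
"""Parse email-authentication TXT records (SPF, DKIM, DMARC) and report policy.
Added example, not code from the original page: the records are the page's own,
with a constructed rua address and DKIM key where the page truncates them.
"""
import re

# Constructed TXT rdata in zone-file presentation form (one or more quoted strings)
SPF_TXT = '"v=spf1 include:_spf.google.com ~all"'
DKIM_TXT = ('"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC" '
            '"7CONSTRUCTEDKEYMATERIAL0123456789abcdef"')
DMARC_TXT = '"v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"'

# SPF terms that cost a DNS lookup when evaluated (RFC 7208 allows at most 10 in total)
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def txt_strings(rdata):
    """Join the quoted <character-string>s of a TXT record into one value."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return "".join(p.replace('\\"', '"') for p in parts) if parts else rdata

def parse_spf(rdata):
    """[(qualifier, mechanism_or_modifier, value)] for an SPF record, else None."""
    terms = txt_strings(rdata).split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                       # "+" (pass) is the default qualifier
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term:                       # modifier, e.g. redirect=_spf.example.net
            name, value = term.split("=", 1)
        elif ":" in term:                     # mechanism with argument, e.g. include:...
            name, value = term.split(":", 1)
        else:
            name, value = term, ""
        parsed.append((qualifier, name.lower(), value))
    return parsed

def spf_lookup_count(rdata):
    """Lookup-costing terms in this record alone; includes add more when expanded."""
    return sum(1 for _, m, _ in parse_spf(rdata) or [] if m in SPF_LOOKUP_MECHANISMS)

def parse_tags(rdata):
    """tag=value list used by DKIM and DMARC ('v=DMARC1; p=quarantine; ...')."""
    tags = {}
    for item in txt_strings(rdata).split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def email_auth_report(spf, dkim, dmarc):
    """Summarise what the three records enforce for a domain."""
    spf_terms = parse_spf(spf) or []
    last = spf_terms[-1] if spf_terms else None
    dkim_tags, dmarc_tags = parse_tags(dkim), parse_tags(dmarc)
    return {
        "spf_valid": spf_terms != [],
        "spf_all_qualifier": last[0] if last and last[1] == "all" else None,   # "-" hard, "~" soft
        "spf_lookups": spf_lookup_count(spf),
        "dkim_key_present": dkim_tags.get("v") == "DKIM1" and bool(dkim_tags.get("p")),
        "dmarc_policy": dmarc_tags.get("p"),
        # p=none only asks for reports; quarantine or reject makes receivers act on failures
        "dmarc_enforcing": dmarc_tags.get("p") in ("quarantine", "reject"),
        "dmarc_reports_to": dmarc_tags.get("rua"),
    }
```

`email_auth_report(SPF_TXT, DKIM_TXT, DMARC_TXT)` reports a soft-fail SPF (`~all`), a published DKIM key and an enforcing DMARC policy. A DMARC record with `p=none` comes back as not enforcing, which is the most common gap found when auditing a domain: the reports flow in but nothing is quarantined.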

4. DNS Configuration

4.1 Setting Up BIND

# Install BIND on Ubuntu
sudo apt install bind9 bind9utils

# Main configuration: /etc/bind/named.conf.options
options {
    directory "/var/cache/bind";
    // Recursion is on, but only for the LAN and localhost. A resolver that
    // recurses for anyone (an "open resolver") gets abused for reflection and
    // amplification attacks against third parties.
    recursion yes;
    allow-recursion { 192.168.1.0/24; localhost; };
    // Hand recursive queries to upstream resolvers instead of iterating from the root
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
    // Validate DNSSEC signatures using the built-in root trust anchor
    dnssec-validation auto;
};

# Zone configuration: /etc/bind/named.conf.local
zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";
    // Only the secondary may pull the zone with AXFR (assumes ns2 from the zone
    // file below is that secondary); older BIND releases default to answering
    // zone transfers from any host, which hands out the entire zone.
    allow-transfer { 192.168.1.12; };
};

4.2 Zone File Example

; /etc/bind/zones/db.example.com
$TTL    604800
@       IN      SOA     ns1.example.com. admin.example.com. (
                        2024010101      ; Serial
                        604800          ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative Cache TTL

; Name servers
@       IN      NS      ns1.example.com.
@       IN      NS      ns2.example.com.

; A records
@       IN      A       192.168.1.10
ns1     IN      A       192.168.1.11
ns2     IN      A       192.168.1.12
www     IN      A       192.168.1.10
mail    IN      A       192.168.1.20

; MX record
@       IN      MX      10 mail.example.com.
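
A parser for zone files in the format above together with a linter for the CNAME rules from 3.2 and the NS/MX rules from 3.3, as an added example that is not code from the original page. PAGE_ZONE is the page's own db.example.com; BROKEN_ZONE is a constructed variant that violates each rule once. The parser handles the things that trip up naive line-splitting: `$TTL`, `@` and relative names, the parenthesised multi-line SOA, `;` comments (but not inside quoted TXT strings), and the optional TTL/class fields.

```python
"""Parse a BIND zone file and lint the CNAME, NS and MX rules from 3.2 and 3.3.
Added example, not code from the original page: PAGE_ZONE is the page's own
db.example.com from 4.2; BROKEN_ZONE is a constructed variant that breaks each rule.
"""
from collections import namedtuple
Record = namedtuple("Record", "owner ttl type rdata target")
PAGE_ZONE = """\
$TTL    604800
@       IN      SOA     ns1.example.com. admin.example.com. (
                        2024010101      ; Serial
                        604800          ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative Cache TTL
@       IN      NS      ns1.example.com.
@       IN      NS      ns2.example.com.
@       IN      A       192.168.1.10
ns1     IN      A       192.168.1.11
ns2     IN      A       192.168.1.12
www     IN      A       192.168.1.10
mail    IN      A       192.168.1.20
@       IN      MX      10 mail.example.com.
"""

BROKEN_ZONE = """\
$TTL 3600
@     IN SOA   ns1.example.com. admin.example.com. ( 1 3600 900 604800 3600 )
@     IN NS    ns1.example.com.
@     IN NS    ns3                  ; in-zone nameserver with no address record
@     IN CNAME edge.example.net.    ; CNAME at the apex
ns1   IN A     192.168.1.11
www   IN A     192.168.1.10
www   IN CNAME example.com.         ; CNAME beside an A record at the same name
mail  IN CNAME www
@     IN MX    10 mail.example.com. ; MX target is a CNAME
"""

def _strip_comment(line):
    """Drop a ';' comment unless it sits inside a quoted TXT string."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            return line[:i]
    return line

def _fqdn(name, origin):
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return [Record] with owners and CNAME/NS/MX targets as absolute names."""
    origin = origin if origin.endswith(".") else origin + "."
    logical, pending, depth = [], [], 0
    for raw in text.splitlines():          # fold "( ... )" continuations (the SOA) into one line
        line = _strip_comment(raw).rstrip()
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        pending.append(line)
        if depth == 0:
            logical.append(" ".join(pending))
            pending = []
    records, default_ttl, owner = [], None, origin
    for line in logical:
        tokens = line.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if not line[0].isspace():          # a leading blank means "same owner as the last record"
            owner = _fqdn(tokens.pop(0), origin)
        ttl = default_ttl
        while tokens[0].isdigit() or tokens[0].upper() == "IN":   # optional TTL and class
            tok = tokens.pop(0)
            ttl = int(tok) if tok.isdigit() else ttl
        rtype, rdata = tokens[0].upper(), " ".join(tokens[1:])
        target = _fqdn(tokens[-1], origin) if rtype in ("CNAME", "NS", "MX") else None
        records.append(Record(owner, ttl, rtype, rdata, target))
    return records

def lint_zone(records, origin):
    """Findings: apex CNAME, CNAME beside other types, NS/MX at a CNAME, NS without glue."""
    origin = origin if origin.endswith(".") else origin + "."
    types_at = {}
    for r in records:
        types_at.setdefault(r.owner, set()).add(r.type)
    cname_owners = {o for o, t in types_at.items() if "CNAME" in t}
    findings = []
    for owner in sorted(cname_owners):
        if owner == origin:
            findings.append(f"CNAME at zone apex {owner}; use ALIAS/ANAME or an A record")
        if types_at[owner] - {"CNAME"}:
            findings.append(f"CNAME at {owner} coexists with {sorted(types_at[owner] - {'CNAME'})}")
    for r in records:
        if r.type in ("NS", "MX") and r.target in cname_owners:
            findings.append(f"{r.type} at {r.owner} points to CNAME {r.target}")
        if r.type == "NS" and r.target.endswith("." + origin) and not types_at.get(r.target, set()) & {"A", "AAAA"}:
            findings.append(f"in-zone nameserver {r.target} has no A/AAAA (glue) record")
    return findings
```

`lint_zone(parse_zone(PAGE_ZONE, "example.com"), "example.com")` is clean; the same call on BROKEN_ZONE produces five findings, one per deliberate mistake (the apex CNAME is reported twice, once for being at the apex and once for coexisting with SOA, NS and MX). The glue check matters because a parent can only delegate to ns3.example.com if it can hand out ns3's address alongside the NS record.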

5. DNS Security

5.1 Common DNS Threats

Cache poisoning: an attacker gets a forged answer accepted into a resolver's cache (classically by flooding it with spoofed replies that guess the query's transaction ID and source port), so every client of that resolver is sent to the attacker's address until the bogus record's TTL expires. Hijacking: an attacker changes where a name legitimately points, by taking over the registrar or DNS-provider account, the authoritative server, or the resolver settings on a victim's machine or router. DNSSEC (5.2) defends against poisoning and tampering in transit; it does nothing against someone who controls the account that signs the zone, which is why registrar and DNS-provider credentials deserve the same protection as any other administrative access.

5.2 DNSSEC

DNSSEC (DNS Security Extensions) adds cryptographic signatures (RRSIG records) to DNS records, allowing validating resolvers to verify that responses are authentic and haven't been tampered with. Trust is chained from the top: each zone publishes its signing key as a DNSKEY record, the parent zone vouches for that key with a DS record (a hash of the key), and the root's key is the trust anchor built into the resolver. DNSSEC signs but does not encrypt anything: it provides authenticity and integrity, not privacy, which is what 5.3 addresses.

# Ask for DNSSEC records (RRSIG) along with the answer
dig example.com +dnssec

# Look for RRSIG records in the answer section.
# The "ad" (Authenticated Data) flag in the header means the resolver you asked
# validated the chain; it says nothing if that resolver does not validate, so
# query one that does (Quad9 and Cloudflare both do).
dig @9.9.9.9 example.com +dnssec

# A validation failure shows up as SERVFAIL. Repeating the query with +cd
# (checking disabled) returns the unvalidated answer, which tells a DNSSEC
# failure apart from a nameserver that is simply down.
dig @9.9.9.9 example.com +dnssec +cd

# Verify the chain from the root locally (delv ships with BIND 9)
delv example.com
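
The DS record that ties a child zone's key into the parent, computed from the DNSKEY the way RFC 4034 specifies, as an added example that is not code from the original page. The key below is constructed (64 zero bytes, algorithm 13) so the key-tag arithmetic can be followed by hand; to check a real delegation, paste the KSK line from `dig example.com DNSKEY` into `DNSKEY_TEXT` and compare the output with `dig example.com DS`. A mismatch between the two is the usual cause of a zone going SERVFAIL after a key rollover.

```python
"""Key tag and DS record for a DNSKEY, and a check that parent DS and child
DNSKEY agree. Added example, not code from the original page: the DNSKEY is a
constructed key (64 zero bytes, algorithm 13 = ECDSAP256SHA256), not a real one.
"""
import base64
import hashlib
import struct

KEY_B64 = base64.b64encode(bytes(64)).decode()      # constructed public key
DNSKEY_TEXT = f"257 3 13 {KEY_B64}"                  # flags 257 = ZONE + SEP (a KSK)

def dnskey_rdata(text):
    """'257 3 13 <base64>' -> wire RDATA bytes (RFC 4034 section 2.1)."""
    flags, protocol, algorithm, *key = text.split()
    header = struct.pack("!HBB", int(flags), int(protocol), int(algorithm))
    return header + base64.b64decode("".join(key))

def key_tag(rdata):
    """RFC 4034 Appendix B: a 16-bit checksum of the RDATA used to pick the
    right key out of an RRset; it is an identifier, not a cryptographic hash."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def wire_name(name):
    """Canonical wire form: lowercase, length-prefixed labels, terminating root label."""
    name = name.lower().rstrip(".")
    if not name:
        return b"\x00"
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def ds_record(owner, dnskey_text, digest_type=2):
    """DS digest = hash(owner name in wire form | DNSKEY RDATA); type 2 is SHA-256."""
    rdata = dnskey_rdata(dnskey_text)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} {digest_type} {digest}"

def ds_matches(owner, dnskey_text, ds_text):
    """True when a DS published at the parent corresponds to this DNSKEY."""
    tag, alg, dtype, digest = ds_text.split()[-4:]
    rdata = dnskey_rdata(dnskey_text)
    expected = ds_record(owner, dnskey_text, int(dtype)).split()[-1]
    return (int(tag), int(alg), digest.upper()) == (key_tag(rdata), rdata[3], expected)
```

For the constructed key the tag works out by hand: the RDATA starts 0x01 0x01 (flags 257), 0x03 (protocol), 0x0d (algorithm 13), so the sum is 256 + 1 + 768 + 13 = 1038 and the zero key bytes add nothing. Flipping the first key byte changes the tag as well as the digest, so `ds_matches` rejects it.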

5.3 Encrypted DNS

Traditional DNS travels over port 53 in plaintext, so your ISP, the local network operator and anyone else on the path can read (and alter) every query you send. Encrypted DNS addresses this by carrying the same queries inside TLS: DNS over TLS (DoT, port 853) and DNS over HTTPS (DoH, port 443, where it is hard to tell apart from ordinary web traffic). Two caveats a practitioner should keep in mind: the resolver operator still sees every query, so you are choosing whom to trust rather than removing trust; and the destination IP addresses and TLS Server Name Indication of the connections that follow still reveal much of the same information to an on-path observer.

Recommended DNS Providers

Privacy-focused: Cloudflare (1.1.1.1), Quad9 (9.9.9.9), NextDNS
With filtering: Cloudflare for Families, CleanBrowsing, AdGuard DNS
With DoH/DoT: all of the providers above offer DoH and DoT endpoints alongside plain port-53 service

6. Troubleshooting DNS

6.1 Common Commands

# Basic DNS lookup
nslookup example.com

# Detailed query with dig
dig example.com

# Query specific record type
dig example.com MX
dig example.com TXT

# Query specific nameserver
dig @8.8.8.8 example.com

# Reverse lookup
dig -x 93.184.216.34

# Check propagation: compare the authoritative server's answer with what public resolvers have cached
dig @ns1.example.com example.com
dig @8.8.8.8 example.com
dig @1.1.1.1 example.com

6.2 Common Issues

Symptom              Cause                                             Solution
SERVFAIL             Nameserver misconfiguration or failed DNSSEC      Check zone file syntax and NS records; retry with dig +cd to rule DNSSEC in or out
                     validation
NXDOMAIN             Domain doesn't exist                              Verify domain registration, check spelling
Slow resolution      Resolver issues                                   Try a different DNS server
Old records showing  Caching                                           Wait for the TTL to expire, flush local caches

6.3 Flushing DNS Cache

# Windows
ipconfig /flushdns

# macOS
sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

# Linux
sudo systemd-resolve --flush-caches
# or
sudo resolvectl flush-caches

# Chrome browser
chrome://net-internals/#dns

7. Best Practices

8. Frequently Asked Questions

How long does DNS propagation take?

DNS changes typically propagate within minutes to a few hours, but can take up to 48 hours in rare cases. The actual time depends on the TTL of the old records and on the caching behaviour of resolvers worldwide: a resolver that cached the old answer keeps serving it until that TTL runs out, so lower the TTL well before a planned change.

Should I use my registrar's DNS or a separate provider?

Dedicated DNS providers (Cloudflare, Route 53, NS1) typically offer better performance, more features, and better uptime than registrar DNS. Consider separating these services for better security and flexibility. Whichever you choose, the account that controls the zone is the hijacking target, so protect it with strong authentication and a registrar lock.

What DNS server should I use for privacy?

Use a privacy-respecting resolver like Cloudflare (1.1.1.1) or Quad9 (9.9.9.9), and enable encrypted DNS (DoH or DoT). Your ISP's default DNS can log your queries and may be used for censorship; bear in mind that the resolver you switch to sees those queries instead, so pick one whose logging policy you have read.

Conclusion

DNS is the backbone of internet naming and navigation. Understanding how DNS works, the various record types, and security considerations is essential for anyone managing websites, networks, or IT infrastructure.

Continue Learning:
DNSSEC Guide Email Security