What is DNS?#
DNS (Domain Name System) translates human-readable domain names like example.com into IP addresses like 93.184.216.34. It’s often called the “phone book of the internet.”
Without DNS, you’d need to memorize IP addresses for every website you visit.
How DNS Resolution Works#
When you type example.com in your browser, this happens:
- Browser cache — checks whether it already has a fresh answer for the name
- OS stub resolver — checks /etc/hosts, then its own cache, then forwards the query to the configured recursive resolver
- Recursive resolver — your ISP's or a public resolver (e.g., 1.1.1.1) walks the steps below on your behalf and caches the result
- Root nameservers — do not know the answer; they refer the resolver to the nameservers for the TLD
- TLD nameservers — .com, .org, etc. refer the resolver to the domain's authoritative nameservers
- Authoritative nameserver — returns the actual record (the IP address for an A query)
Only the last answer is authoritative; the root and TLD steps are referrals that the recursive resolver follows, and any hop can be served from cache instead of asked again.
In one line:
You → Stub resolver → Recursive resolver → Root → TLD (.com) → Authoritative → IP returned
DNS Record Types#
A Record#
Maps a domain to an IPv4 address:
```
example.com. A 93.184.216.34
```
AAAA Record#
Maps a domain to an IPv6 address:
```
example.com. AAAA 2606:2800:220:1:248:1893:25c8:1946
```
CNAME Record#
An alias pointing one name to another:
```
www.example.com. CNAME example.com.
```
A CNAME cannot coexist with other record types for the same name (the DNSSEC records RRSIG and NSEC are the only exception). Because the zone apex always carries SOA and NS records, this is also why a CNAME cannot be used at the apex. Resolvers follow the alias and answer the query against the target, so the target's records are what actually gets served.
MX Record#
Specifies mail servers for a domain. The number is the priority (lower = preferred):
```
example.com. MX 10 mail1.example.com.
example.com. MX 20 mail2.example.com.
```
The target must be a hostname with its own A/AAAA records; it may not be a CNAME or a bare IP address.
TXT Record#
Stores arbitrary text. Commonly used for domain-ownership verification and email security (SPF, DKIM, DMARC):
```
example.com. TXT "v=spf1 include:_spf.google.com ~all"
```
NS Record#
Delegates a domain to specific nameservers:
```
example.com. NS ns1.example.com.
example.com. NS ns2.example.com.
```
SOA Record#
Start of Authority — contains metadata about the zone:
```
example.com. SOA ns1.example.com. admin.example.com. (
    2026060201 ; serial
    3600       ; refresh
    900        ; retry
    1209600    ; expire
    86400 )    ; minimum TTL
```
After the primary nameserver and the responsible mailbox (admin.example.com. means admin@example.com) come: the serial, which must increase on every change or secondaries will never pull the new zone (the YYYYMMDDnn form shown makes that easy); refresh and retry, which set how often secondaries check for a new serial and how soon they retry after a failure; expire, how long secondaries keep serving the zone if they cannot reach the primary; and minimum, which resolvers today use as the negative-caching TTL for NXDOMAIN answers.
Summary Table#
| Type | Purpose | Example Value |
|---|---|---|
| A | IPv4 address | 93.184.216.34 |
| AAAA | IPv6 address | 2606:2800:220:1:... |
| CNAME | Alias to another name | example.com. |
| MX | Mail server | 10 mail.example.com. |
| TXT | Text data (SPF, DKIM, etc.) | "v=spf1 ..." |
| NS | Nameserver delegation | ns1.example.com. |
| SOA | Zone authority metadata | serial, refresh, etc. |
| SRV | Service location | _sip._tcp.example.com. |
| PTR | Reverse lookup (IP → name) | 34.216.184.93.in-addr.arpa. |
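To make the record formats above concrete, here is an added Python example (not code from the page) that parses a small zone file containing exactly the records listed, including the multi-line SOA, and then enforces the CNAME rule from the CNAME section. The zone text is constructed and its last line is deliberately wrong, so the validator has something to report; the parser assumes every line names its owner explicitly and handles only the types in the table.

```python
"""Minimal zone-file parser for the record types shown on this page, plus a
check for the CNAME rule. Added example for this page, not a full RFC 1035
parser: it assumes every record line names its owner explicitly and supports
$TTL, optional TTL and class fields, ';' comments and (...) continuation."""
from collections import defaultdict

# Constructed zone text mirroring the examples above; the last line is
# deliberately invalid so the validator has something to report.
SAMPLE_ZONE = """\
$TTL 3600
example.com.      IN  SOA  ns1.example.com. admin.example.com. (
                           2026060201 ; serial
                           3600       ; refresh
                           900        ; retry
                           1209600    ; expire
                           86400 )    ; minimum
example.com.      IN  NS   ns1.example.com.
example.com.      IN  NS   ns2.example.com.
example.com.  300 IN  A    93.184.216.34
example.com.      IN  AAAA 2606:2800:220:1:248:1893:25c8:1946
example.com.      IN  MX   10 mail1.example.com.
example.com.      IN  MX   20 mail2.example.com.
example.com.      IN  TXT  "v=spf1 include:_spf.google.com ~all"
www.example.com.  IN  CNAME example.com.
www.example.com.  IN  A    93.184.216.34   ; invalid: A alongside a CNAME
"""

KNOWN_TYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "MX", "TXT", "PTR", "SRV"}
SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")


def strip_comment(line):
    """Remove a ';' comment unless the ';' sits inside a quoted TXT string."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def logical_lines(text):
    """Yield one string per record, joining (...) continuation lines."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = strip_comment(raw)
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            yield " ".join(buf)
            buf, depth = [], 0


def parse_zone(text):
    records, default_ttl = [], None
    for line in logical_lines(text):
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        owner, rest = tokens[0].lower(), tokens[1:]
        ttl = int(rest.pop(0)) if rest and rest[0].isdigit() else default_ttl
        if rest and rest[0].upper() == "IN":
            rest.pop(0)
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if rtype not in KNOWN_TYPES:
            raise ValueError(f"unsupported record type {rtype} in: {line.strip()}")
        records.append({"owner": owner, "ttl": ttl, "type": rtype, "rdata": rdata})
    return records


def soa_fields(record):
    """Split SOA rdata into named fields (serial and timers as ints)."""
    parts = record["rdata"].split()
    return dict(zip(SOA_FIELDS, parts[:2] + [int(p) for p in parts[2:7]]))


def validate(records):
    """Report names where a CNAME sits next to other types (RFC 1034). This
    also catches a CNAME at the apex, since the apex always has SOA and NS."""
    types_by_owner = defaultdict(set)
    for rec in records:
        types_by_owner[rec["owner"]].add(rec["type"])
    apex = next((r["owner"] for r in records if r["type"] == "SOA"), None)
    problems = []
    for owner, types in types_by_owner.items():
        others = sorted(types - {"CNAME"})
        if "CNAME" in types and others:
            where = "zone apex" if owner == apex else owner
            problems.append(f"{where}: CNAME cannot coexist with {', '.join(others)}")
    return problems


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    print(soa_fields(recs[0]))
    for problem in validate(recs):
        print("PROBLEM:", problem)
```

The record with an explicit 300 keeps its own TTL while the rest inherit the $TTL default, which is the same precedence real zone files use.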
TTL (Time to Live)#
Every DNS record has a TTL value in seconds. This tells resolvers how long they may cache the answer:
```
example.com. 300 A 93.184.216.34
```
This record is cached for 5 minutes. After that, resolvers must query again. A cached answer is handed out with the time it has left, so the TTL you see in dig output from a resolver counts down toward zero instead of showing the authoritative value.
Common TTL values:
| TTL | Duration | Use Case |
|---|---|---|
| 60 | 1 minute | During migrations or failover |
| 300 | 5 minutes | Frequently changing records |
| 3600 | 1 hour | Standard for most records |
| 86400 | 24 hours | Stable records that rarely change |
Tip: Lower the TTL well before a planned change, wait at least one old TTL so every cache has picked up the short value, then make the change and raise the TTL again afterwards. This minimizes the window in which clients see stale data.
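The countdown and expiry behaviour described above, as an added Python example (not code from the page or from any resolver): a small resolver-style cache that reports the remaining TTL on each hit, evicts expired entries, and also caches negative answers for the time the SOA minimum field allows. The clock is injected so expiry can be shown without waiting five minutes; the record values are the page's.

```python
"""Resolver-style cache with TTL countdown and negative caching. Added example
for this page, not taken from any resolver; the clock is injectable so expiry
can be demonstrated without waiting."""
import time


class DnsCache:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self._entries = {}  # (name, type) -> (expires_at, rdata); rdata None = cached NXDOMAIN

    def store(self, name, rtype, rdata, ttl):
        """Cache a positive answer for ttl seconds from now."""
        self._entries[(name.lower(), rtype)] = (self.clock() + ttl, list(rdata))

    def store_negative(self, name, rtype, soa_minimum, soa_ttl):
        """Cache an NXDOMAIN/NODATA answer. RFC 2308: the negative TTL is the
        smaller of the SOA record's own TTL and its minimum field."""
        self._entries[(name.lower(), rtype)] = (self.clock() + min(soa_minimum, soa_ttl), None)

    def lookup(self, name, rtype):
        """Return (rdata, remaining_ttl) or None on a miss; expired entries are
        evicted. The remaining TTL is what a resolver reports to clients."""
        key = (name.lower(), rtype)
        entry = self._entries.get(key)
        if entry is None:
            return None
        expires_at, rdata = entry
        remaining = expires_at - self.clock()
        if remaining <= 0:
            del self._entries[key]
            return None
        return rdata, int(remaining)


class FakeClock:
    """Manual clock for demonstrations and tests."""
    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    cache = DnsCache(clock)
    cache.store("example.com.", "A", ["93.184.216.34"], 300)
    for elapsed in (0, 120, 300):
        clock.advance(elapsed - clock.now)
        print(f"t={elapsed:>3}s:", cache.lookup("example.com.", "A"))
```

The negative-cache path is the one people forget when testing a freshly created name: a resolver that was asked for the name before it existed will keep answering NXDOMAIN until the SOA minimum runs out, even though the new record's own TTL is short.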
DNS Caching Layers#
DNS responses are cached at multiple levels:
- Browser — Chrome and Firefox each maintain their own cache
- Operating system — systemd-resolved, nscd, or the OS stub resolver
- Router — many home routers run a caching forwarder
- Recursive resolver — your ISP or a public resolver (Cloudflare, Google)
Only the first two are under your direct control; the router and the upstream resolver keep their copies until the TTL runs out. To flush the local cache on Linux:
```
# systemd-resolved
sudo resolvectl flush-caches
# Verify it was flushed
resolvectl statistics
```
Querying DNS with dig#
dig is the standard tool for DNS troubleshooting.
Basic query#
```
dig example.com
```
Query a specific record type#
```
dig example.com MX
dig example.com TXT
dig example.com AAAA
```
Query a specific nameserver#
```
dig @1.1.1.1 example.com
dig @8.8.8.8 example.com A
```
Short output#
```
dig +short example.com
# 93.184.216.34
```
Trace the full resolution path#
```
dig +trace example.com
```
This performs the iteration itself, starting at the root servers and following every referral down to the authoritative answer, bypassing your resolver's cache. It shows what the authoritative side currently says, which makes it invaluable for spotting a delegation or zone problem; to see what clients are actually getting while a change propagates, query the public resolvers directly instead.
Check a specific authoritative server#
```
dig @ns1.example.com example.com A +norecurse
```
+norecurse clears the RD bit, so the server answers only from its own zone data. Look for the aa flag in the header of the reply: it confirms the answer is authoritative, and its absence means that server is not actually authoritative for the zone.
Querying DNS with nslookup#
A simpler alternative to dig:
```
nslookup example.com
nslookup -type=MX example.com
nslookup example.com 1.1.1.1
```
Querying DNS with host#
Even more concise:
```
host example.com
host -t MX example.com
host 93.184.216.34   # reverse lookup
```
Reverse DNS (PTR Records)#
Maps an IP address back to a domain name:
```
dig -x 93.184.216.34
```
dig -x builds the reverse name for you (34.216.184.93.in-addr.arpa. for IPv4, a nibble-reversed name under ip6.arpa. for IPv6) and queries its PTR record. PTR records live in the reverse zone for the address block, so they are managed by whoever owns the block (usually your hosting provider), not in your own zone. They matter for email deliverability: receiving mail servers perform forward-confirmed reverse DNS, looking up the PTR for the sending IP and then checking that the hostname it names resolves back to that same IP. A missing or mismatched PTR is a common reason for mail being rejected or marked as spam.
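The reverse-name construction and the forward-confirmed check described above, as an added Python example (not code from the page): reverse_name does for both IPv4 and IPv6 what dig -x does internally, and fcrdns runs the check a receiving mail server performs. The PTR and A tables are constructed stand-ins for live lookups, with one address whose PTR names a host that does not point back.

```python
"""Reverse-name construction and a forward-confirmed reverse DNS (FCrDNS)
check over in-memory records. Added example for this page, not the page's
own code; the PTR and A tables are constructed, and a real check would
replace them with live lookups."""
import ipaddress


def reverse_name(ip):
    """Owner name of the PTR record for an IPv4 or IPv6 address, as dig -x
    builds it: reversed octets under in-addr.arpa., reversed nibbles under ip6.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


# Constructed reverse and forward data: one consistent host, one whose PTR
# claims a name that does not resolve back to it, and one with no PTR at all.
PTR_RECORDS = {
    "34.216.184.93.in-addr.arpa.": "mail.example.com.",
    "10.2.0.192.in-addr.arpa.": "mail.example.com.",   # 192.0.2.10 is not mail.example.com
}
FORWARD_RECORDS = {
    "mail.example.com.": {"93.184.216.34"},
}


def fcrdns(ip, ptr=PTR_RECORDS, forward=FORWARD_RECORDS):
    """Return (ok, detail). ok is True only when the PTR's hostname has an
    address record for the same IP, which is what receiving mail servers check."""
    ip = str(ipaddress.ip_address(ip))  # normalise, so "2001:DB8::1" and "2001:db8::1" compare equal
    hostname = ptr.get(reverse_name(ip))
    if hostname is None:
        return False, "no PTR record"
    if ip not in forward.get(hostname, set()):
        return False, f"PTR says {hostname} but that name does not resolve to {ip}"
    return True, hostname


if __name__ == "__main__":
    print(reverse_name("2606:2800:220:1:248:1893:25c8:1946"))
    for ip in ("93.184.216.34", "192.0.2.10", "192.0.2.99"):
        print(reverse_name(ip), "->", fcrdns(ip))
```

The mismatch case is the one to watch for: a PTR that names a host whose A record points elsewhere is worth no more to a receiving server than no PTR at all.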
DNS Propagation#
When you change a DNS record, the update doesn't happen instantly worldwide. Caches at every level must expire based on the old TTL, and there is no way to push the change to them.
Checking propagation:
```
# Query multiple public resolvers
dig @1.1.1.1 example.com A +short
dig @8.8.8.8 example.com A +short
dig @9.9.9.9 example.com A +short
```
Propagation typically completes within the old TTL duration, but can take up to 48 hours in edge cases: some resolvers enforce a minimum TTL of their own, and nameserver changes are slower because the delegation records in the parent TLD zone commonly carry TTLs of a day or two.
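The same comparison across resolvers, as an added Python example that goes a step beyond the dig commands above and is not code from the page: it speaks the DNS wire format directly with the standard library, so it also shows what dig hides (header flags, name compression, the transaction ID). The resolver list is the page's; build_response constructs a reply the way a resolver would send one so the parser can be exercised offline, and only query_resolver and compare_resolvers touch the network.

```python
"""Compare the A records that several public resolvers return for a name,
using a minimal DNS client written against the wire format (no dnspython).
Added example for this page; the resolver list is the page's, the sample
response is constructed, and only the network functions need connectivity."""
import random
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """example.com. -> b'\\x07example\\x03com\\x00'"""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name, txid):
    """Header (ID, flags with RD=1, QDCOUNT=1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(name, addrs, ttl, txid):
    """Constructed reply as a resolver would send it: QR|RD|RA flags, RCODE 0,
    each answer's owner name compressed to a pointer (0xC00C) at the question."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    msg = header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    for addr in addrs:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(addr)
    return msg


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, 14-bit offset
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def parse_a_records(msg, txid):
    """Return (rcode, [(address, ttl), ...]) from the answer section."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction ID mismatch: stale or spoofed reply")
    if flags & 0x0200:
        raise ValueError("truncated (TC) reply; retry over TCP")  # TCP fallback not implemented here
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        _, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            answers.append((socket.inet_ntoa(rdata), ttl))
    return flags & 0x000F, answers


def query_resolver(resolver, name, timeout=2.0):
    """One UDP round trip with a random transaction ID (a minimal spoofing defence)."""
    txid = random.getrandbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def compare_resolvers(name, resolvers=("1.1.1.1", "8.8.8.8", "9.9.9.9")):
    """Map each resolver to its sorted answer list, or to an error string."""
    results = {}
    for resolver in resolvers:
        try:
            rcode, answers = query_resolver(resolver, name)
            results[resolver] = sorted(a for a, _ in answers) if rcode == 0 else f"rcode {rcode}"
        except (OSError, ValueError) as exc:
            results[resolver] = f"error: {exc}"
    return results


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "example.com."
    for resolver, result in compare_resolvers(name).items():
        print(f"{resolver:<16} {result}")
```

Queries go out in cleartext UDP, as dig's do by default; the transaction ID check is the bare minimum a client needs to reject replies it never asked for, and the TTL that comes back in each answer is the resolver's remaining cache time, so three different TTLs for the same address are normal.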
Local DNS Configuration#
/etc/resolv.conf#
Defines which resolver your system uses:
```
nameserver 1.1.1.1
nameserver 8.8.8.8
```
On systems using systemd-resolved, this file is managed automatically and usually points at the local stub listener (127.0.0.53) rather than the real upstream. Check the actual config with:
```
resolvectl status
```
/etc/hosts#
Local overrides that bypass DNS entirely:
```
127.0.0.1 myapp.local
192.168.1.50 devserver
```
Useful for local development and testing. Because it is consulted before any DNS query and is writable only by root, it is also a classic place for malware or a hurried admin to redirect a name without leaving any trace in DNS, so check it first when one host resolves a name differently from everyone else.
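The check suggested above, as an added Python example (not code from the page): it parses an /etc/hosts file and reports every name that is being answered locally instead of by DNS, rating entries for domains you expect to come from DNS as high. The file content below is constructed and includes the page's two entries; WATCHED_SUFFIXES is an assumption to adapt to your own domains.

```python
"""Audit an /etc/hosts file for names that are being answered locally instead
of through DNS. Added example for this page; the file content below is
constructed, and WATCHED_SUFFIXES is an assumption to adapt to the domains
you expect to come from DNS in your environment."""
import ipaddress

SAMPLE_HOSTS = """\
127.0.0.1    localhost
::1          localhost ip6-localhost ip6-loopback
127.0.0.1    myapp.local
192.168.1.50 devserver
10.0.0.5     wiki.corp.internal
# line added outside of configuration management (constructed)
203.0.113.9  login.example.com
"""

LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}
WATCHED_SUFFIXES = (".example.com",)  # assumption: names that must only resolve via DNS


def parse_hosts(text):
    """Yield (line_number, address, [names], error) per non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            yield lineno, ipaddress.ip_address(fields[0]), fields[1:], None
        except ValueError:
            yield lineno, None, fields, f"unparseable address {fields[0]!r}"


def audit_hosts(text, watched=WATCHED_SUFFIXES):
    """Return (line, severity, message) findings. 'high' means a watched
    domain is pinned to some address; 'info' flags any other dotted name
    mapped to a non-loopback address, since it bypasses DNS entirely."""
    findings = []
    for lineno, addr, names, error in parse_hosts(text):
        if error:
            findings.append((lineno, "info", error))
            continue
        for name in names:
            name = name.lower()
            if name in LOOPBACK_NAMES:
                continue
            if any(name == s.lstrip(".") or name.endswith(s) for s in watched):
                findings.append((lineno, "high", f"{name} pinned to {addr}, bypassing DNS"))
            elif "." in name and not addr.is_loopback:
                findings.append((lineno, "info", f"{name} -> {addr} answered locally, not by DNS"))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for lineno, severity, message in audit_hosts(text):
        print(f"line {lineno}: [{severity}] {message}")
```

Run it against the real file with `python3 audit_hosts.py /etc/hosts` (the script name is whatever you save it as); the page's own two entries produce no findings, because a loopback mapping for a .local name and a bare hostname on a private address are what a development box is expected to have.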
Common Public DNS Resolvers#
| Provider | Primary | Secondary |
|---|---|---|
| Cloudflare | 1.1.1.1 | 1.0.0.1 |
| Google | 8.8.8.8 | 8.8.4.4 |
| Quad9 | 9.9.9.9 | 149.112.112.112 |
Best Practices#
- Lower TTLs to 60–300s ahead of planned DNS changes, then raise them again afterwards
- Always set up both A and AAAA records if you support IPv6
- Use multiple NS records, ideally on separate networks, for redundancy
- Don't use CNAMEs at the zone apex (use A/AAAA or your provider's ALIAS/ANAME feature)
- Set up SPF, DKIM, and DMARC TXT records for email security
- Use dig +trace when troubleshooting, to see the authoritative answer independently of any cache
- Document your DNS records outside your provider's dashboard

