What is DNS and how does DNS work?

I’ve realized that countless times we’ve mentioned DNS on our blog, and not once have we dedicated an article to it. It’s time to rectify this mistake and explain what DNS is and how it works. Obviously, we are no strangers to the Domain Name System. For several years we even managed (and built) a DNS Zone API!

To be honest, it was my favorite API because it was brutally fast and had some interesting data. We even managed to conduct one very interesting piece of domain research into which professional email services and spam protection services are most popular! Sadly, due to low interest from clients, we’ve decided to shut it down. Who knows, maybe one day we will resurrect it.

What is DNS?

The Domain Name System (DNS) is a critical infrastructure component of the internet that translates human-friendly domain names (like www.whoapi.com) into IP addresses (such as that computers use to identify each other on the network. This system is what allows users to access websites using domain names instead of having to remember complex numerical IP addresses.

Machine-readable DNS zone file

In short, when you type a domain name into your browser’s address bar, your request needs to find an IP address. This IP address is the location of the server that stores the data (code, text, images) for the website that is supposed to load on the domain name you entered. DNS functions much like a phone book for the internet.

  • DNS Resolver: This is typically provided by your internet service provider (ISP). When you type a domain name into your browser, the request is sent to a DNS resolver, which acts as the first step in translating the domain name into an IP address.
  • Root Name Servers: The resolver then queries a root name server. The internet has 13 root name servers, labeled A through M. These servers don’t know the IP address for individual domain names, but they can direct the resolver to the top-level domain (TLD) name servers that have more detailed information.
  • TLD Name Servers: These servers manage the domains under a specific top-level domain (all 1500+ of them), such as .com, .net, or ccTLDs like .be, .me and .ca. They don’t have the IP address information themselves but can direct the resolver to the authoritative name servers for the specific domain.
  • Authoritative Name Servers: These servers have the actual IP address information for a domain. The DNS resolver queries the authoritative name server and receives the IP address for the domain name it was looking for. Imagine walking into a web hosting company and asking where, among the thousands of websites they host, this particular one is stored, just like going to a library and asking for a book.
  • Caching: To speed up the process, IP addresses are cached at various stages, so if a domain name’s IP address is already known from a recent lookup, the system can bypass some steps. This is why we need to wait for propagation when we are switching web hosting providers.

DNS is a foundational technology that makes the internet user-friendly and accessible by allowing people to connect to websites using easy-to-remember domain names instead of numerical IP addresses.

Editing a DNS Zone record with cPanel

How DNS Works

The Domain Name System (DNS) is essentially the internet’s phonebook. It translates human-friendly domain names (like www.whoapi.com) into IP addresses that computers use to identify each other on the network. Here’s a step-by-step breakdown of how DNS works:

  1. You enter a web address into your browser, such as www.whoapi.com.
  2. Your computer queries a DNS resolver. The resolver is usually provided by your internet service provider (ISP). It acts as the first point of contact in the DNS query.
  3. The resolver queries a root DNS server. The internet has a number of root DNS servers distributed globally. These servers don’t know the IP address for www.whoapi.com, but they can direct the query to a server that knows more about the .com part of the address.
  4. The query moves to a TLD (Top-Level Domain) DNS server. For www.whoapi.com, the TLD server is responsible for .com domains. The TLD server doesn’t know the exact IP address either, but it knows which name server is authoritative for whoapi.com.
  5. The authoritative DNS server is queried next. This server knows the IP addresses for the whoapi.com domain (it’s and can respond to the query with the IP address of www.whoapi.com.
  6. Your computer receives the IP address for www.whoapi.com from the DNS resolver and can now establish a connection to the website.

As we’ve already mentioned, throughout this process, DNS caching can occur at multiple points to speed up future requests to the same domain. For example, once the IP address for www.whoapi.com is known, it can be stored in your computer’s DNS cache, your router’s cache, or even the DNS resolver’s cache. This means that if the same address is requested again soon after, the system can refer to the cache, skipping several steps and speeding up the web page loading time. This is why we need to wait for propagation when we are switching web hosting providers.

This entire DNS process happens in milliseconds, making the browsing experience smooth and efficient for users.
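The walk described above (root, then TLD, then authoritative server) with the cache short-circuiting repeat lookups until the TTL runs out, as an added example; this is not code from the original post or from WhoAPI, and the server names, delegation data and TEST-NET address are all constructed:

```python
"""Toy iterative resolver: root -> TLD -> authoritative, with a TTL-bounded cache.
Added example, not WhoAPI code; every server and address below is constructed."""
import time

# Each "server" maps an owner name to a referral ("NS", next_server)
# or a final answer ("A", address, ttl_seconds). 192.0.2.0/24 is TEST-NET-1.
SERVERS = {
    "root":      {"com.": ("NS", "tld-com")},
    "tld-com":   {"whoapi.com.": ("NS", "ns-whoapi")},
    "ns-whoapi": {"www.whoapi.com.": ("A", "192.0.2.10", 300)},
}


class Resolver:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.cache = {}      # name -> (address, expires_at)
        self.queries = []    # (server, name) pairs actually sent, for inspection

    def _ask(self, server, name):
        """One query to one server: it answers with the closest enclosing name it holds."""
        self.queries.append((server, name))
        zone, labels = SERVERS[server], name.split(".")
        for i in range(len(labels)):   # www.whoapi.com. -> whoapi.com. -> com.
            entry = zone.get(".".join(labels[i:]))
            if entry:
                return entry
        return None

    def resolve(self, name):
        """Return the A record for name; a fresh cache entry skips the whole walk."""
        name = name if name.endswith(".") else name + "."
        hit = self.cache.get(name)
        if hit and hit[1] > self.clock():
            return hit[0]
        server = "root"
        while True:
            entry = self._ask(server, name)
            if entry is None:
                raise LookupError(f"{name}: no such name (NXDOMAIN) from {server}")
            if entry[0] == "NS":     # referral: follow the delegation one level down
                server = entry[1]
                continue
            _, address, ttl = entry  # authoritative answer; cache it until the TTL expires
            self.cache[name] = (address, self.clock() + ttl)
            return address
```

The `queries` list makes the propagation point visible: while the cached entry is fresh no server is asked at all, and only once the TTL has passed does the full walk happen again.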

Why do we care about DNS?

DNS is a critical component of the Internet. It works in the background, and everybody uses it every day without even noticing. It’s the unsung hero! DNS also plays a significant role in cybersecurity, both as a vector for attacks and as a means of defense. Its critical role in the infrastructure of the internet makes it a focal point for cybersecurity efforts.

How DNS works

Here’s how DNS is involved in cybersecurity:

As a Vector for Attacks

  1. DNS Spoofing (Cache Poisoning): Attackers can corrupt the DNS cache by injecting false information, redirecting users to malicious sites instead of the intended destinations. This can lead to phishing attacks, malware distribution, or information theft.
  2. DNS Tunneling: Malware or attackers can use DNS queries and responses to exfiltrate data from a compromised network stealthily or to establish command and control channels, bypassing traditional network security measures that may not inspect DNS traffic as thoroughly.
  3. DDoS Attacks: Distributed Denial of Service (DDoS) attacks can target DNS servers, overwhelming them with traffic to disrupt service for the domain names they resolve. This can make websites and online services inaccessible to users.

As a Means of Defense

  1. DNS Filtering: Organizations use DNS filtering to prevent access to malicious, inappropriate, or unwanted websites by blocking DNS queries for known bad domains. This can protect users from phishing, malware, and other cyber threats.
  2. DNSSEC (DNS Security Extensions): DNSSEC adds a layer of security by enabling DNS responses to be verified with digital signatures, ensuring the integrity and authenticity of the data. This helps protect against DNS spoofing and other attacks where the attacker tries to manipulate DNS data.
  3. Threat Intelligence and Analysis: DNS logs and queries can be analyzed for patterns that may indicate malicious activity, such as contact with known malicious domains or unusual volumes of DNS queries, which can be signs of malware or data exfiltration attempts.
  4. DNS over HTTPS (DoH) and DNS over TLS (DoT): These protocols encrypt DNS queries, protecting them from interception and manipulation by third parties. This can enhance privacy and security, especially in unsecured networks like public Wi-Fi.
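Items 1 and 3 above in practice, as an added example that is not from the original post: a blocklist check and a tunneling-like pattern check run over a handful of resolver log lines. The log format, the blocklist entries, the `.example` domains and the thresholds are all constructed assumptions.

```python
"""DNS log triage: blocklist hits and tunneling-like query patterns.
Added example, not WhoAPI code; log lines, blocklist and thresholds are constructed."""
import math
from collections import defaultdict

# Constructed resolver log: "unix_time client_ip qtype qname", one query per line.
SAMPLE_LOG = """\
1700000001 10.0.0.5 A www.whoapi.com
1700000002 10.0.0.5 MX whoapi.com
1700000003 10.0.0.7 A login-update.example
1700000004 10.0.0.9 TXT 4a7f3e9c1b2d0e8f6a5c4b3d2e1f0a9b.c2.example
1700000005 10.0.0.9 TXT 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.c2.example
1700000006 10.0.0.9 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.c2.example
1700000007 10.0.0.5 AAAA my.whoapi.com
"""
BLOCKLIST = {"login-update.example"}   # constructed "known bad" domain feed

def entropy(s):
    """Shannon entropy in bits per character; encoded payload labels score high."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def registrable(qname):
    """Last two labels; a real tool would consult the Public Suffix List."""
    return ".".join(qname.split(".")[-2:])

def parse(log_text):
    rows = []
    for line in log_text.splitlines():
        ts, client, qtype, qname = line.split()
        rows.append({"ts": int(ts), "client": client, "qtype": qtype,
                     "qname": qname.lower().rstrip(".")})
    return rows

def triage(rows, max_label=30, min_entropy=3.5, min_unique=3):
    """Return alerts: blocklist matches, then domains whose subdomains look like encoded data."""
    alerts, odd_labels = [], defaultdict(set)
    for r in rows:
        domain = registrable(r["qname"])
        if r["qname"] in BLOCKLIST or domain in BLOCKLIST:     # DNS filtering decision
            alerts.append(("blocklist", r["client"], r["qname"]))
        label = r["qname"].split(".")[0]
        if len(label) > max_label and entropy(label) > min_entropy:
            odd_labels[domain].add(label)                       # many distinct, dense labels
    for domain, labels in odd_labels.items():                   # under one domain = tunneling-like
        if len(labels) >= min_unique:
            alerts.append(("tunneling-like", domain, len(labels)))
    return alerts
```

Thresholds like these need tuning against a baseline of the network’s normal traffic; CDN and anti-spam services also emit long, high-entropy labels, so a hit is a lead for an analyst, not a verdict.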

Overall, DNS is both a target for cyberattacks and a powerful tool in the cybersecurity arsenal. By understanding and leveraging DNS, cybersecurity professionals can better protect networks, data, and users from a wide range of cyber threats.

What Is a DNS Record, and What Does It Look Like?

A typical DNS (Domain Name System) record contains several pieces of information that serve to define properties and control the behavior of the domain name. Here are some of the common types of DNS records and the information they typically contain:

Example MX record using Google Workspace (Source: WhoAPI DNS Zone API)

  1. A Record (Address Record):
    • Hostname: The domain or subdomain (like my.whoapi.com).
    • IP Address: The IPv4 address that the hostname resolves to.
  2. AAAA Record (IPv6 Address Record):
    • Hostname: The domain or subdomain.
    • IP Address: The IPv6 address that the hostname resolves to.
  3. CNAME Record (Canonical Name Record):
    • Alias: The subdomain alias (like my.example.com).
    • Canonical Name: The actual, authoritative domain name (like my.example.com).
  4. MX Record (Mail Exchange Record):
    • Priority: A preference value that specifies the order of use (lower numbers have higher priority).
    • Mail Server: The domain name of the mail server responsible for accepting email messages.
  5. TXT Record (Text Record):
    • Text: Can contain arbitrary text but often carries machine-readable data such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance) policies.
  6. NS Record (Name Server Record):
    • Hostname: The domain that the record is associated with.
    • Target: The domain name of the DNS server that is authoritative for the domain.
  7. SOA Record (Start of Authority):
    • Name Server: The server that supplied the data for the zone.
    • Hostmaster: The administrator of the zone.
    • Serial Number: The revision number of this zone file.
    • Refresh: How often the zone should be refreshed.
    • Retry: The time between retries if the secondary (slave) server fails to contact the primary (master).
    • Expire: The time that should elapse before the zone is no longer authoritative.
    • TTL (Time to Live): The default time-to-live for records in the zone.

Each record type serves a different purpose and is an essential part of managing domain behavior and services in DNS. The records together make up the DNS zone file for a domain, which is stored on a DNS server and referenced whenever there’s a query for that domain or its services.
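A zone file is just these records written out as text. As an added example (not the WhoAPI DNS Zone API or any code from the original post), the following parses a constructed BIND-style zone into records and lints the mistakes a zone editor most often lets through: a CNAME sharing a name with other data, fewer than two NS records at the apex, and an MX record whose target is an alias. The zone contents, the record lines and the deliberate mistake are all constructed.

```python
"""Parse a small BIND-style zone into records and lint common mistakes.
Added example; the zone text is constructed, not taken from a live domain."""
import shlex

ZONE = """\
$TTL 3600
whoapi.com.       IN SOA   ns1.whoapi.com. hostmaster.whoapi.com. 2024051501 7200 900 1209600 300
whoapi.com.       IN NS    ns1.whoapi.com.
whoapi.com.       IN NS    ns2.whoapi.com.
whoapi.com.       IN A     192.0.2.10        ; TEST-NET-1 address, constructed
www.whoapi.com.   IN CNAME whoapi.com.
mail.whoapi.com.  IN CNAME whoapi.com.
whoapi.com.       IN MX    10 aspmx.l.google.com.
whoapi.com.       IN MX    30 mail.whoapi.com.  ; deliberate mistake: alias as MX target
whoapi.com.       IN TXT   "v=spf1 include:_spf.google.com ~all"
"""

def parse_zone(text):
    """Return (owner, rtype, rdata_fields) tuples. Simplified syntax: one record per
    line, absolute names, no $ORIGIN; ';' comments stripped (quoted ';' unsupported)."""
    records = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = shlex.split(line)                  # keeps quoted TXT data as one field
        owner, rtype, rdata = fields[0].lower(), fields[2].upper(), fields[3:]
        records.append((owner, rtype, rdata))
    return records

def lint(records):
    """Flag misconfigurations worth catching before the zone is published."""
    problems, types_at = [], {}
    for owner, rtype, _ in records:
        types_at.setdefault(owner, set()).add(rtype)
    for owner, types in types_at.items():          # RFC 1034 3.6.2: a CNAME stands alone
        if "CNAME" in types and len(types) > 1:
            problems.append(f"{owner}: CNAME coexists with {sorted(types - {'CNAME'})}")
    soa = [r for r in records if r[1] == "SOA"]
    if len(soa) != 1:
        problems.append(f"expected exactly one SOA, found {len(soa)}")
    apex = soa[0][0] if soa else None
    if sum(1 for r in records if r[1] == "NS" and r[0] == apex) < 2:
        problems.append("fewer than two NS records at the zone apex")
    aliases = {o for o, t in types_at.items() if "CNAME" in t}
    for owner, rtype, rdata in records:            # RFC 2181 10.3: MX target must not be an alias
        if rtype == "MX" and rdata[1].lower() in aliases:
            problems.append(f"{owner}: MX target {rdata[1]} is a CNAME")
    return problems
```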

Goran Duskic has been the Founder and CEO of WhoAPI Inc. since 2011, a company that specializes in developing APIs, including the well-known Whois API. He started his career in internet entrepreneurship in 2006 and has co-founded several online businesses, including a web hosting company that he later sold. Goran's work primarily involves creating practical API solutions to meet technological needs.