Computer NetworksDNS Overview

DNS Overview

LevelBeginner

Duration60 mins

TopicDNS Overview

2 / 5

Name Resolution

From Name to Number

When you type www.example.com into your browser and press Enter, a remarkable distributed computation begins. Within milliseconds, your computer must discover the IP address of a server that could be anywhere on Earth—and it accomplishes this through a process called name resolution.

Name resolution is the core function of DNS—the mechanism by which human-readable domain names are translated into machine-routable IP addresses. This process involves multiple servers, sophisticated caching strategies, and a carefully designed query protocol that handles billions of requests daily.

Understanding name resolution is essential for network engineers, system administrators, and developers alike. It explains why websites sometimes "can't be found," how DNS propagation works, and why changing a domain's IP address isn't instantaneous.

What You Will Learn

By the end of this page, you will understand the complete name resolution process—from the moment your browser needs an IP address to the final answer arriving in your network stack. You'll learn about stub resolvers, recursive resolvers, authoritative servers, and the query protocols that connect them.

The Resolution Concept

Name resolution is the process of determining the IP address (or addresses) associated with a given domain name. This concept encompasses several related ideas:

Forward Resolution: The most common form of DNS resolution, where a domain name is translated into an IP address:

www.google.com → 142.250.185.68
api.github.com → 20.26.156.215

Reverse Resolution: The opposite process, translating an IP address back to a domain name:

8.8.8.8 → dns.google
1.1.1.1 → one.one.one.one

Reverse resolution uses a special domain hierarchy under in-addr.arpa (for IPv4) and ip6.arpa (for IPv6).

The Resolution Chain:

Name resolution is rarely a single query-response pair. Instead, it's typically a chain of queries involving multiple servers, each contributing partial knowledge until the complete answer is assembled.

Resolution vs. Lookup

The terms 'DNS resolution,' 'DNS lookup,' and 'name resolution' are often used interchangeably. Technically, 'resolution' refers to the complete process of finding an answer (which may involve multiple lookups), while 'lookup' can refer to a single query-response interaction. In practice, most people use these terms synonymously.

Why Resolution is Non-Trivial:

A naive approach might suggest a single, central database mapping all domain names to IP addresses. However, this approach fails at internet scale for several reasons:

Volume: Billions of DNS queries occur daily—no single server could handle this load
Latency: A central server (even if powerful enough) would create unacceptable network latency for distant users
Availability: A single point of failure for all DNS is unacceptable risk
Administration: Different organizations manage different domains—centralized control is impractical
Updates: Changes must propagate quickly without requiring global coordination

The solution is a distributed, hierarchical system where resolution involves multiple specialized servers, each responsible for a portion of the namespace.

Components of Resolution

The name resolution process involves several distinct components, each playing a specific role:

1. Stub Resolver (DNS Client)

The stub resolver is the DNS client software built into your operating system. When an application needs to resolve a domain name, it calls the stub resolver (typically through functions like getaddrinfo() or gethostbyname()).

Stub resolver characteristics:

Runs on the end-user device (computer, phone, IoT device)
Maintains a local cache of recent resolutions
Knows the address of one or more recursive resolvers
Sends queries to recursive resolvers and returns answers to applications
Performs minimal processing—delegates most work to recursive resolvers

stub_resolver_example.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
# On most Unix-like systems, stub resolver configuration is in /etc/resolv.conf
 
# Example /etc/resolv.conf configuration:
nameserver 8.8.8.8        # Primary DNS (Google Public DNS)
nameserver 8.8.4.4        # Secondary DNS
nameserver 1.1.1.1        # Tertiary DNS (Cloudflare)
options timeout:2         # Query timeout in seconds
options attempts:3        # Number of retry attempts
 
# The stub resolver will:
# 1. Try 8.8.8.8 first
# 2. Wait up to 2 seconds for response
# 3. Retry up to 3 times if no response
# 4. Fall back to secondary/tertiary servers if primary fails

2. Recursive Resolver (DNS Recursor)

The recursive resolver is the workhorse of DNS resolution. It accepts queries from stub resolvers and does the actual work of traversing the DNS hierarchy to find answers.

Recursive resolver characteristics:

Typically operated by ISPs, organizations, or public DNS providers (Google, Cloudflare, Quad9)
Handles the complexity of walking the DNS tree
Maintains large caches to reduce query volume
May implement security features (DNSSEC validation, malware filtering)
Serves thousands to millions of clients

3. Authoritative Name Servers

Authoritative servers are the ultimate source of truth for DNS records. They hold the actual data for their zones and respond definitively to queries about names in those zones.

Authoritative server types:

Root servers: Answer queries about top-level domains (TLDs)
TLD servers: Answer queries about domains within a TLD (e.g., all .com domains)
Domain authoritative servers: Answer queries about specific domains (e.g., example.com)

Converting Mermaid diagram...

The Resolution Process Step-by-Step

Let's trace the complete resolution of www.engineering.example.com from start to finish, examining every step in detail:

Step 1: Application Request

A user types the URL into their browser. The browser's networking code needs to establish a TCP connection to the web server, which requires an IP address.

Browser: "I need IP address for www.engineering.example.com"

Step 2: Stub Resolver Cache Check

The stub resolver first checks its local cache. If this domain was resolved recently and the cached answer hasn't expired (TTL not exceeded), the cached IP is returned immediately—no network traffic required.

Stub Resolver: Check local cache... Cache miss.

Step 3: Query to Recursive Resolver

The stub resolver sends a query to its configured recursive resolver (e.g., ISP's DNS or public DNS like 8.8.8.8).

Query: Type=A, Name=www.engineering.example.com
From: Client → Recursive Resolver

Step 4: Recursive Resolver Cache Check

The recursive resolver checks its own cache. Since it serves many clients, there's a good chance someone recently queried this or a related domain.

Recursive Resolver: Check cache... No exact match.
Recursive Resolver: Check cache for 'engineering.example.com' NS records... Miss.
Recursive Resolver: Check cache for 'example.com' NS records... Miss.
Recursive Resolver: Check cache for 'com' NS records... Hit! (TLD info cached)

Note: Recursive resolvers cache not just final answers but also intermediate information (NS records for various delegations). This allows them to skip earlier steps in subsequent queries.

Step 5: Query to Root Servers (if needed)

If no cached information exists, the recursive resolver starts at the root. It has a built-in list of root server addresses (the "root hints file").

Recursive Resolver → Root Server:
  Query: "Who handles the .com TLD?"

Root Server Response:
  "I don't know www.engineering.example.com, but .com is handled by
   these TLD servers: a.gtld-servers.net (192.5.6.30), ..."

Step 6: Query to TLD Servers

The recursive resolver queries a .com TLD server:

Recursive Resolver → .com TLD Server:
  Query: "Who handles example.com?"

TLD Server Response:
  "I don't know www.engineering.example.com, but example.com is handled by
   these authoritative servers: ns1.example.com (93.184.216.34), ..."

Step 7: Query to Authoritative Servers

The recursive resolver queries the authoritative server for example.com:

Recursive Resolver → example.com Authoritative Server:
  Query: "What is the IP address for www.engineering.example.com?"

Authoritative Server Response (Type A):
  "www.engineering.example.com has IP address 203.0.113.50"
  "TTL: 3600 seconds (1 hour)"

Step 8: Response Caching and Return

The recursive resolver caches the answer (and all intermediate NS records) according to their TTLs, then returns the answer to the stub resolver:

Recursive Resolver → Stub Resolver:
  Answer: www.engineering.example.com = 203.0.113.50
  TTL: 3600 seconds

Stub Resolver: Cache this answer, return to application.

Application: Connect to 203.0.113.50:443

Resolution Step Timing (Typical)
Step	Operation	Time (Cold Cache)	Time (Warm Cache)
1-2	Application → Stub Resolver	< 1ms	< 1ms
3	Stub → Recursive Resolver	5-50ms	5-50ms
4	Recursive Resolver cache check	< 1ms	< 1ms (HIT)
5	Recursive → Root Server	10-100ms	Skipped (cached)
6	Recursive → TLD Server	10-100ms	Usually skipped
7	Recursive → Authoritative	20-200ms	Sometimes skipped
8	Response to client	5-50ms	5-50ms
Total	End-to-end resolution	50-500ms	10-100ms

Recursive vs. Iterative Resolution

DNS supports two query modes, each with distinct behaviors and use cases:

Recursive Query:

In a recursive query, the client asks the server to provide the complete answer. If the server doesn't have the answer, it must query other servers on the client's behalf and return the final result.

Who uses it: Stub resolvers querying recursive resolvers
Server obligation: Must return either the answer or an error
Processing burden: Server does all the work
Typical use: Client devices with limited capability

Recursive Resolution

•Client asks for complete answer
•Server does all work recursively
•Client receives final answer directly
•Simpler for client implementation
•Higher load on DNS servers
•Used by: stub resolvers → recursive resolvers

Iterative Resolution

•Client asks, server provides best available info
•Server may return referral to other servers
•Client must follow referrals itself
•More complex client implementation
•Distributes load across servers
•Used by: recursive resolvers → authoritative servers

Iterative Query:

In an iterative query, the client asks the server for its best answer. If the server doesn't have the definitive answer, it returns a referral—the address of another server that might know better.

Who uses it: Recursive resolvers querying authoritative servers
Server obligation: Returns answer if known, otherwise returns referral
Processing burden: Client (recursive resolver) does the walking
Typical use: Server-to-server communication

The Hybrid Reality:

In practice, DNS resolution combines both modes:

Stub resolver → Recursive resolver: Recursive query (client expects full answer)
Recursive resolver → Authoritative servers: Iterative queries (resolver follows referrals)

This hybrid approach optimizes the system: lightweight clients make simple recursive requests, while powerful recursive resolvers handle the complexity of iterating through the DNS hierarchy.

Converting Mermaid diagram...

DNS Caching in Resolution

Caching is fundamental to DNS's ability to handle billions of queries daily. Every component in the resolution chain maintains caches that dramatically reduce query volume and latency.

Caching at Multiple Levels:

1. Browser Cache: Modern browsers maintain their own DNS caches, independent of the OS.

Chrome: chrome://net-internals/#dns
Firefox: about:networking#dns
Typical TTL: Minutes (often ignores actual TTL, uses shorter values)

2. Operating System Cache: The OS stub resolver caches resolutions for all applications.

Windows: ipconfig /displaydns
macOS/Linux: Varies by resolver daemon (systemd-resolved, dnsmasq, etc.)
TTL: As specified by DNS responses

3. Recursive Resolver Cache: Large cache shared across all clients of that resolver.

May serve millions of users
Caches both answers and intermediate NS records
TTL: As specified, often with minimum/maximum bounds

4. Authoritative Server Response Cache: Some authoritative servers cache zone data in memory for fast response.

TTL Controls Cache Duration

Every DNS record includes a Time-To-Live (TTL) value specifying how long the record may be cached. When you change a DNS record, the old record may persist in caches worldwide until TTLs expire. This is why DNS 'propagation' takes time—it's really cache expiration, not propagation.

Cache Hit Rates:

Large recursive resolvers often achieve cache hit rates of 80-95%. This means only 5-20% of queries actually require traversing the DNS hierarchy. The implications are significant:

Reduced Latency: Cached answers return in milliseconds
Reduced Load: Root and TLD servers handle far fewer queries
Improved Resilience: Cached data remains available during brief outages
Scalability: The system handles exponential growth efficiently

Typical TTL Values
Record Type	Common TTL	Rationale
Root/TLD NS records	2-7 days	Rarely change, cache aggressively
Domain NS records	1-24 hours	Occasional changes for migrations
A/AAAA records	5 mins - 1 hour	Balance between caching and flexibility
MX records	1-4 hours	Mail routing changes occasionally
TXT records	5-60 minutes	Verification records need quick updates
Load-balanced records	30-300 seconds	Frequent changes for traffic distribution

Negative Caching:

DNS also caches negative results—when a domain doesn't exist (NXDOMAIN response). This prevents repeated queries for typos or non-existent domains.

Negative cache TTL is specified by the SOA record's minimum TTL field
Typically 60 seconds to 1 hour
Important for protecting servers from query floods to bad domains

DNS Query Protocol Details

DNS queries and responses follow a well-defined protocol format, specified in RFC 1035 and extended by numerous subsequent RFCs.

Transport Protocols:

UDP (Port 53):

Primary transport for DNS
Fast, connectionless
Single packet for query, single packet for response (when possible)
512 byte limit traditionally (extended by EDNS0)
Used for most queries

TCP (Port 53):

Used when responses exceed 512 bytes (or EDNS0 negotiated size)
Required for zone transfers (AXFR/IXFR)
Connection overhead but unlimited response size
Increasingly used for reliability

dns_message_format.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
DNS Message Format (simplified)
================================
 
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                      ID                       |   16-bit identifier
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|QR|   Opcode  |AA|TC|RD|RA|   Z    |   RCODE   |   Flags
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    QDCOUNT                    |   Number of questions
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    ANCOUNT                    |   Number of answers
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    NSCOUNT                    |   Number of authority records
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    ARCOUNT                    |   Number of additional records
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    QUESTION                   |   Query name and type
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    ANSWER                     |   Resource records answering query
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                   AUTHORITY                   |   NS records for authoritative servers
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                   ADDITIONAL                  |   Additional helpful records (glue)
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
 
Key Flags:
- QR: Query (0) or Response (1)
- AA: Authoritative Answer
- TC: Truncated (response too large for UDP)
- RD: Recursion Desired
- RA: Recursion Available
- RCODE: Response code (0=success, 3=NXDOMAIN, etc.)

Query Types:

DNS supports numerous record types, each serving different purposes:

Type	Name	Purpose
A	Address	IPv4 address for a host
AAAA	IPv6 Address	IPv6 address for a host
NS	Name Server	Authoritative servers for a zone
MX	Mail Exchange	Mail servers for a domain
CNAME	Canonical Name	Alias to another domain name
TXT	Text	Arbitrary text (SPF, DKIM, verification)
SOA	Start of Authority	Zone metadata and parameters
PTR	Pointer	Reverse DNS (IP to name)
SRV	Service	Service location (port, protocol)

EDNS0 (Extension Mechanisms for DNS):

EDNS0 (RFC 6891) extends DNS capabilities beyond the original specification:

Larger UDP responses (up to 4096 bytes or more)
DNSSEC support (additional flags and record types)
Client subnet information (for CDN optimization)
Cookie support (for security)

Resolution Failures and Error Handling

Not every DNS resolution succeeds. Understanding failure modes is crucial for troubleshooting:

Common Resolution Errors:

DNS Response Codes (RCODE)

•NOERROR (0) — Query successful, answer may be in response (or empty for non-existent record type)
•FORMERR (1) — Format error, query was malformed
•SERVFAIL (2) — Server failure, the server couldn't process the query (often due to DNSSEC validation failure or upstream issues)
•NXDOMAIN (3) — Non-Existent Domain, the domain name doesn't exist at all
•NOTIMP (4) — Not implemented, the server doesn't support the requested operation
•REFUSED (5) — Query refused, the server won't answer (policy restriction)

Troubleshooting Resolution Issues:

Timeout/No Response:

Network connectivity issues
Firewall blocking DNS (port 53)
Resolver server down
Packet loss in transit

SERVFAIL:

DNSSEC validation failure
Authoritative server unreachable
Zone misconfiguration
Lame delegation (NS points to non-authoritative server)

NXDOMAIN:

Domain doesn't exist (typo?)
Domain registration expired
Zone not properly delegated

Wrong Answer/Unexpected IP:

DNS hijacking/spoofing
Stale cache (wait for TTL expiry)
Split-horizon DNS (different answers for internal/external)

dns_troubleshooting.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
# Common DNS troubleshooting commands
 
# Basic resolution test
nslookup example.com
dig example.com
 
# Query specific DNS server
dig @8.8.8.8 example.com
 
# Get detailed response with all sections
dig +noall +answer +authority +additional example.com
 
# Trace resolution path (shows each step)
dig +trace example.com
 
# Check for DNSSEC
dig +dnssec example.com
 
# Reverse lookup
dig -x 93.184.216.34
 
# Check specific record types
dig example.com MX
dig example.com TXT
dig example.com NS
 
# Windows alternative
nslookup -type=MX example.com

Summary: Name Resolution

We've explored the complete name resolution process—from initial query to final answer. Let's consolidate the key concepts:

Key Takeaways

•Name resolution is a distributed process — No single server holds all answers. Resolution involves stub resolvers, recursive resolvers, and multiple authoritative servers.
•Recursive resolvers do the heavy lifting — They traverse the DNS hierarchy on behalf of clients, following referrals from root to TLD to authoritative servers.
•Caching is essential for performance — Multiple caching layers (browser, OS, resolver) reduce query volume and latency dramatically.
•TTL controls cache duration — Record owners specify how long answers may be cached, balancing performance against update speed.
•Two query modes exist — Recursive queries expect full answers; iterative queries accept referrals. Real resolution uses both.
•DNS uses UDP primarily — Fast, connectionless queries on port 53, with TCP fallback for large responses or zone transfers.

What's Next:

Now that we understand how name resolution works, the next page explores the history of DNS—how we went from simple host files to the global distributed system we rely on today. Understanding this history provides context for DNS's design decisions and current architecture.

Page Complete

You now understand the complete name resolution process—from application request to IP address delivery. This knowledge is fundamental for troubleshooting DNS issues, understanding performance implications, and designing systems that interact with DNS infrastructure.

2 / 5

Loading learning content...

Computer NetworksDNS Overview

DNS Overview

LevelBeginner

Duration60 mins

TopicDNS Overview

2 / 5

Name Resolution

From Name to Number

What You Will Learn

The Resolution Concept

Name resolution is the process of determining the IP address (or addresses) associated with a given domain name. This concept encompasses several related ideas:

Forward Resolution: The most common form of DNS resolution, where a domain name is translated into an IP address:

www.google.com → 142.250.185.68
api.github.com → 20.26.156.215

Reverse Resolution: The opposite process, translating an IP address back to a domain name:

8.8.8.8 → dns.google
1.1.1.1 → one.one.one.one

Reverse resolution uses a special domain hierarchy under in-addr.arpa (for IPv4) and ip6.arpa (for IPv6).

The Resolution Chain:

Resolution vs. Lookup

Why Resolution is Non-Trivial:

A naive approach might suggest a single, central database mapping all domain names to IP addresses. However, this approach fails at internet scale for several reasons:

Volume: Billions of DNS queries occur daily—no single server could handle this load
Latency: A central server (even if powerful enough) would create unacceptable network latency for distant users
Availability: A single point of failure for all DNS is unacceptable risk
Administration: Different organizations manage different domains—centralized control is impractical
Updates: Changes must propagate quickly without requiring global coordination

The solution is a distributed, hierarchical system where resolution involves multiple specialized servers, each responsible for a portion of the namespace.

Components of Resolution

The name resolution process involves several distinct components, each playing a specific role:

1. Stub Resolver (DNS Client)

Stub resolver characteristics:

Runs on the end-user device (computer, phone, IoT device)
Maintains a local cache of recent resolutions
Knows the address of one or more recursive resolvers
Sends queries to recursive resolvers and returns answers to applications
Performs minimal processing—delegates most work to recursive resolvers

stub_resolver_example.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
# On most Unix-like systems, stub resolver configuration is in /etc/resolv.conf
 
# Example /etc/resolv.conf configuration:
nameserver 8.8.8.8        # Primary DNS (Google Public DNS)
nameserver 8.8.4.4        # Secondary DNS
nameserver 1.1.1.1        # Tertiary DNS (Cloudflare)
options timeout:2         # Query timeout in seconds
options attempts:3        # Number of retry attempts
 
# The stub resolver will:
# 1. Try 8.8.8.8 first
# 2. Wait up to 2 seconds for response
# 3. Retry up to 3 times if no response
# 4. Fall back to secondary/tertiary servers if primary fails

2. Recursive Resolver (DNS Recursor)

The recursive resolver is the workhorse of DNS resolution. It accepts queries from stub resolvers and does the actual work of traversing the DNS hierarchy to find answers.

Recursive resolver characteristics:

Typically operated by ISPs, organizations, or public DNS providers (Google, Cloudflare, Quad9)
Handles the complexity of walking the DNS tree
Maintains large caches to reduce query volume
May implement security features (DNSSEC validation, malware filtering)
Serves thousands to millions of clients

3. Authoritative Name Servers

Authoritative servers are the ultimate source of truth for DNS records. They hold the actual data for their zones and respond definitively to queries about names in those zones.

Authoritative server types:

Root servers: Answer queries about top-level domains (TLDs)
TLD servers: Answer queries about domains within a TLD (e.g., all .com domains)
Domain authoritative servers: Answer queries about specific domains (e.g., example.com)

Converting Mermaid diagram...

The Resolution Process Step-by-Step

Let's trace the complete resolution of www.engineering.example.com from start to finish, examining every step in detail:

Step 1: Application Request

A user types the URL into their browser. The browser's networking code needs to establish a TCP connection to the web server, which requires an IP address.

Browser: "I need IP address for www.engineering.example.com"

Step 2: Stub Resolver Cache Check

Stub Resolver: Check local cache... Cache miss.

Step 3: Query to Recursive Resolver

The stub resolver sends a query to its configured recursive resolver (e.g., ISP's DNS or public DNS like 8.8.8.8).

Query: Type=A, Name=www.engineering.example.com
From: Client → Recursive Resolver

Step 4: Recursive Resolver Cache Check

The recursive resolver checks its own cache. Since it serves many clients, there's a good chance someone recently queried this or a related domain.

Recursive Resolver: Check cache... No exact match.
Recursive Resolver: Check cache for 'engineering.example.com' NS records... Miss.
Recursive Resolver: Check cache for 'example.com' NS records... Miss.
Recursive Resolver: Check cache for 'com' NS records... Hit! (TLD info cached)

Note: Recursive resolvers cache not just final answers but also intermediate information (NS records for various delegations). This allows them to skip earlier steps in subsequent queries.

Step 5: Query to Root Servers (if needed)

If no cached information exists, the recursive resolver starts at the root. It has a built-in list of root server addresses (the "root hints file").

Recursive Resolver → Root Server:
  Query: "Who handles the .com TLD?"

Root Server Response:
  "I don't know www.engineering.example.com, but .com is handled by
   these TLD servers: a.gtld-servers.net (192.5.6.30), ..."

Step 6: Query to TLD Servers

The recursive resolver queries a .com TLD server:

Recursive Resolver → .com TLD Server:
  Query: "Who handles example.com?"

TLD Server Response:
  "I don't know www.engineering.example.com, but example.com is handled by
   these authoritative servers: ns1.example.com (93.184.216.34), ..."

Step 7: Query to Authoritative Servers

The recursive resolver queries the authoritative server for example.com:

Recursive Resolver → example.com Authoritative Server:
  Query: "What is the IP address for www.engineering.example.com?"

Authoritative Server Response (Type A):
  "www.engineering.example.com has IP address 203.0.113.50"
  "TTL: 3600 seconds (1 hour)"

Step 8: Response Caching and Return

The recursive resolver caches the answer (and all intermediate NS records) according to their TTLs, then returns the answer to the stub resolver:

Recursive Resolver → Stub Resolver:
  Answer: www.engineering.example.com = 203.0.113.50
  TTL: 3600 seconds

Stub Resolver: Cache this answer, return to application.

Application: Connect to 203.0.113.50:443

Resolution Step Timing (Typical)
Step	Operation	Time (Cold Cache)	Time (Warm Cache)
1-2	Application → Stub Resolver	< 1ms	< 1ms
3	Stub → Recursive Resolver	5-50ms	5-50ms
4	Recursive Resolver cache check	< 1ms	< 1ms (HIT)
5	Recursive → Root Server	10-100ms	Skipped (cached)
6	Recursive → TLD Server	10-100ms	Usually skipped
7	Recursive → Authoritative	20-200ms	Sometimes skipped
8	Response to client	5-50ms	5-50ms
Total	End-to-end resolution	50-500ms	10-100ms

Recursive vs. Iterative Resolution

DNS supports two query modes, each with distinct behaviors and use cases:

Recursive Query:

In a recursive query, the client asks the server to provide the complete answer. If the server doesn't have the answer, it must query other servers on the client's behalf and return the final result.

Who uses it: Stub resolvers querying recursive resolvers
Server obligation: Must return either the answer or an error
Processing burden: Server does all the work
Typical use: Client devices with limited capability

Recursive Resolution

•Client asks for complete answer
•Server does all work recursively
•Client receives final answer directly
•Simpler for client implementation
•Higher load on DNS servers
•Used by: stub resolvers → recursive resolvers

Iterative Resolution

•Client asks, server provides best available info
•Server may return referral to other servers
•Client must follow referrals itself
•More complex client implementation
•Distributes load across servers
•Used by: recursive resolvers → authoritative servers

Iterative Query:

In an iterative query, the client asks the server for its best answer. If the server doesn't have the definitive answer, it returns a referral—the address of another server that might know better.

Who uses it: Recursive resolvers querying authoritative servers
Server obligation: Returns answer if known, otherwise returns referral
Processing burden: Client (recursive resolver) does the walking
Typical use: Server-to-server communication

The Hybrid Reality:

In practice, DNS resolution combines both modes:

Stub resolver → Recursive resolver: Recursive query (client expects full answer)
Recursive resolver → Authoritative servers: Iterative queries (resolver follows referrals)

This hybrid approach optimizes the system: lightweight clients make simple recursive requests, while powerful recursive resolvers handle the complexity of iterating through the DNS hierarchy.

Converting Mermaid diagram...

DNS Caching in Resolution

Caching is fundamental to DNS's ability to handle billions of queries daily. Every component in the resolution chain maintains caches that dramatically reduce query volume and latency.

Caching at Multiple Levels:

1. Browser Cache: Modern browsers maintain their own DNS caches, independent of the OS.

Chrome: chrome://net-internals/#dns
Firefox: about:networking#dns
Typical TTL: Minutes (often ignores actual TTL, uses shorter values)

2. Operating System Cache: The OS stub resolver caches resolutions for all applications.

Windows: ipconfig /displaydns
macOS/Linux: Varies by resolver daemon (systemd-resolved, dnsmasq, etc.)
TTL: As specified by DNS responses

3. Recursive Resolver Cache: Large cache shared across all clients of that resolver.

May serve millions of users
Caches both answers and intermediate NS records
TTL: As specified, often with minimum/maximum bounds

4. Authoritative Server Response Cache: Some authoritative servers cache zone data in memory for fast response.

TTL Controls Cache Duration

Cache Hit Rates:

Large recursive resolvers often achieve cache hit rates of 80-95%. This means only 5-20% of queries actually require traversing the DNS hierarchy. The implications are significant:

Reduced Latency: Cached answers return in milliseconds
Reduced Load: Root and TLD servers handle far fewer queries
Improved Resilience: Cached data remains available during brief outages
Scalability: The system handles exponential growth efficiently

Typical TTL Values
Record Type	Common TTL	Rationale
Root/TLD NS records	2-7 days	Rarely change, cache aggressively
Domain NS records	1-24 hours	Occasional changes for migrations
A/AAAA records	5 mins - 1 hour	Balance between caching and flexibility
MX records	1-4 hours	Mail routing changes occasionally
TXT records	5-60 minutes	Verification records need quick updates
Load-balanced records	30-300 seconds	Frequent changes for traffic distribution

Negative Caching:

DNS also caches negative results—when a domain doesn't exist (NXDOMAIN response). This prevents repeated queries for typos or non-existent domains.

Negative cache TTL is specified by the SOA record's minimum TTL field
Typically 60 seconds to 1 hour
Important for protecting servers from query floods to bad domains

DNS Query Protocol Details

DNS queries and responses follow a well-defined protocol format, specified in RFC 1035 and extended by numerous subsequent RFCs.

Transport Protocols:

UDP (Port 53):

Primary transport for DNS
Fast, connectionless
Single packet for query, single packet for response (when possible)
512 byte limit traditionally (extended by EDNS0)
Used for most queries

TCP (Port 53):

Used when responses exceed 512 bytes (or EDNS0 negotiated size)
Required for zone transfers (AXFR/IXFR)
Connection overhead but unlimited response size
Increasingly used for reliability

dns_message_format.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
DNS Message Format (simplified)
================================
 
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                      ID                       |   16-bit identifier
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|QR|   Opcode  |AA|TC|RD|RA|   Z    |   RCODE   |   Flags
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    QDCOUNT                    |   Number of questions
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    ANCOUNT                    |   Number of answers
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    NSCOUNT                    |   Number of authority records
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    ARCOUNT                    |   Number of additional records
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    QUESTION                   |   Query name and type
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    ANSWER                     |   Resource records answering query
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                   AUTHORITY                   |   NS records for authoritative servers
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                   ADDITIONAL                  |   Additional helpful records (glue)
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
 
Key Flags:
- QR: Query (0) or Response (1)
- AA: Authoritative Answer
- TC: Truncated (response too large for UDP)
- RD: Recursion Desired
- RA: Recursion Available
- RCODE: Response code (0=success, 3=NXDOMAIN, etc.)

Query Types:

DNS supports numerous record types, each serving different purposes:

Type	Name	Purpose
A	Address	IPv4 address for a host
AAAA	IPv6 Address	IPv6 address for a host
NS	Name Server	Authoritative servers for a zone
MX	Mail Exchange	Mail servers for a domain
CNAME	Canonical Name	Alias to another domain name
TXT	Text	Arbitrary text (SPF, DKIM, verification)
SOA	Start of Authority	Zone metadata and parameters
PTR	Pointer	Reverse DNS (IP to name)
SRV	Service	Service location (port, protocol)

EDNS0 (Extension Mechanisms for DNS):

EDNS0 (RFC 6891) extends DNS capabilities beyond the original specification:

Larger UDP responses (up to 4096 bytes or more)
DNSSEC support (additional flags and record types)
Client subnet information (for CDN optimization)
Cookie support (for security)

Resolution Failures and Error Handling

Not every DNS resolution succeeds. Understanding failure modes is crucial for troubleshooting:

Common Resolution Errors:

DNS Response Codes (RCODE)

•NOERROR (0) — Query successful, answer may be in response (or empty for non-existent record type)
•FORMERR (1) — Format error, query was malformed
•SERVFAIL (2) — Server failure, the server couldn't process the query (often due to DNSSEC validation failure or upstream issues)
•NXDOMAIN (3) — Non-Existent Domain, the domain name doesn't exist at all
•NOTIMP (4) — Not implemented, the server doesn't support the requested operation
•REFUSED (5) — Query refused, the server won't answer (policy restriction)

Troubleshooting Resolution Issues:

Timeout/No Response:

Network connectivity issues
Firewall blocking DNS (port 53)
Resolver server down
Packet loss in transit

SERVFAIL:

DNSSEC validation failure
Authoritative server unreachable
Zone misconfiguration
Lame delegation (NS points to non-authoritative server)

NXDOMAIN:

Domain doesn't exist (typo?)
Domain registration expired
Zone not properly delegated

Wrong Answer/Unexpected IP:

DNS hijacking/spoofing
Stale cache (wait for TTL expiry)
Split-horizon DNS (different answers for internal/external)

dns_troubleshooting.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
# Common DNS troubleshooting commands
 
# Basic resolution test
nslookup example.com
dig example.com
 
# Query specific DNS server
dig @8.8.8.8 example.com
 
# Get detailed response with all sections
dig +noall +answer +authority +additional example.com
 
# Trace resolution path (shows each step)
dig +trace example.com
 
# Check for DNSSEC
dig +dnssec example.com
 
# Reverse lookup
dig -x 93.184.216.34
 
# Check specific record types
dig example.com MX
dig example.com TXT
dig example.com NS
 
# Windows alternative
nslookup -type=MX example.com

Summary: Name Resolution

We've explored the complete name resolution process—from initial query to final answer. Let's consolidate the key concepts:

Key Takeaways

•Name resolution is a distributed process — No single server holds all answers. Resolution involves stub resolvers, recursive resolvers, and multiple authoritative servers.
•Recursive resolvers do the heavy lifting — They traverse the DNS hierarchy on behalf of clients, following referrals from root to TLD to authoritative servers.
•Caching is essential for performance — Multiple caching layers (browser, OS, resolver) reduce query volume and latency dramatically.
•TTL controls cache duration — Record owners specify how long answers may be cached, balancing performance against update speed.
•Two query modes exist — Recursive queries expect full answers; iterative queries accept referrals. Real resolution uses both.
•DNS uses UDP primarily — Fast, connectionless queries on port 53, with TCP fallback for large responses or zone transfers.

What's Next:

Page Complete

2 / 5