Technology March 11, 2026

How DNS Works

An 8-minute read

The internet has a phone book, and without it, nothing works. Here's what happens when you type a URL.

Your browser needs an IP address to find a server. But you typed google.com, not 142.250.80.46. DNS is the phone book that translates one into the other, and every single thing you do on the internet depends on this translation happening correctly, thousands of times per day.

The short answer

DNS (Domain Name System) is a distributed database that translates human-readable domain names like google.com into numeric IP addresses that computers use to communicate. It’s one of the foundational building blocks of how the internet works. When you type a website address, your computer asks a DNS resolver to look up the corresponding IP address. That resolver queries a chain of servers, finds the answer, and sends it back. The whole process typically takes milliseconds.

The full picture

The problem DNS solves

Computers don’t think in words. Every server on the internet is identified by an IP address, a string of numbers like 192.168.1.1 or the longer IPv6 format. Your computer needs one of these numbers to connect to any website or service.

Memorizing strings of numbers is impossible for humans. That’s why we use domain names instead. DNS exists as the translation layer between what humans type and what computers need.

Think of it like a contact list on your phone. You don’t memorize your friend’s phone number anymore. You tap their name, and your phone looks up the number. DNS does the same thing for the internet, except it’s doing it billions of times per day across the entire web.

The DNS resolver: your browser’s translator

When you type google.com in your browser, the first stop is a DNS resolver. This is usually provided by your internet service provider (ISP), though you can change it to alternatives like Google Public DNS (8.8.8.8) or Cloudflare (1.1.1.1).

The resolver is the starting point of every DNS query. It doesn’t have every domain name memorized; no single server could hold that much data. Instead, it knows how to ask the right servers to find the answer.

The hierarchical lookup process

DNS lookup follows a chain from your resolver to increasingly specific servers:

  1. Root server: The resolver first asks a root server, which knows where the top-level domain (TLD) servers are. If you’re looking for google.com, the root server points to the .com TLD server.

  2. TLD server: The .com TLD server doesn’t know google.com’s IP address either, but it knows which authoritative server is responsible for google.com.

  3. Authoritative nameserver: This is the server that actually holds the DNS records for a specific domain. It has the final answer: the IP address your computer needs.

This chain sounds slow, but it’s optimized. DNS resolvers cache results aggressively. If someone in your neighborhood already looked up google.com in the last few minutes, your resolver already has the answer saved. No need to query the chain again.

DNS records: the different types

DNS isn’t just a phone book for IP addresses. It stores several types of records:

  • A record: Maps a domain to an IPv4 address (the basic one).
  • AAAA record: Maps a domain to an IPv6 address.
  • CNAME record: Creates an alias, pointing one domain to another. For example, www.example.com might CNAME to example.com.
  • MX record: Specifies which mail servers handle email for a domain.
  • TXT record: Holds arbitrary text data, often used for email verification and domain ownership proofs.

The most common is the A record, which is what your browser is really looking for when it wants to load a website.
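To make the record types concrete, here is an added example (not code from the original article) that builds a constructed DNS response carrying a CNAME and an A record, then parses it back the way a resolver does, including the name-compression pointers real responses use; the names, the transaction id 0x1234 and the 192.0.2.1 address are assumptions.

```python
import struct
TYPES = {1: "A", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}

def encode_name(name):
    """Dotted name -> DNS labels (length byte + label), terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def read_name(msg, off):
    """Decode a name at msg[off:], following 0xC0 compression pointers; returns (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier copy of the name
            end = off + 2 if end is None else end       # the record resumes after the 2-byte pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:                                 # root label: name is complete
            return ".".join(labels), (off + 1 if end is None else end)
        labels.append(msg[off + 1:off + 1 + length].decode())
        off += 1 + length

def parse_response(msg):
    """Parse the header, skip the question section, and decode each answer record."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4                # skip QNAME, QTYPE and QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        if rtype == 1:                                  # A: four octets -> dotted quad
            value = ".".join(str(b) for b in rdata)
        elif rtype == 5:                                # CNAME: rdata is itself a (possibly compressed) name
            value = read_name(msg, off + 10)[0]
        else:
            value = rdata.hex()                         # MX/TXT/AAAA etc. left raw in this example
        answers.append((name, TYPES.get(rtype, rtype), ttl, value))
        off += 10 + rdlen
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}

def build_sample():
    """Constructed response (not captured traffic): www.example.com CNAME example.com, then A 192.0.2.1."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)          # QR=1 RD=1 RA=1, rcode=0
    question = encode_name("www.example.com") + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    cname = encode_name("example.com")
    ans1 = b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, len(cname)) + cname  # owner = pointer to offset 12
    ptr = struct.pack("!H", 0xC000 | (len(header) + len(question) + 12))     # pointer at the CNAME rdata
    ans2 = ptr + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return header + question + ans1 + ans2
```

The CNAME answer is why a browser asking for an A record may get two records back: the alias first, then the address it resolves to.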

Caching: why DNS is fast

The hierarchical lookup sounds like it would be slow, but DNS is one of the fastest systems on the internet. The secret is caching at every level.

Your computer caches DNS results. Your router caches them. Your ISP’s resolver caches them. Even the authoritative nameservers cache them.

When you visit a website, the IP address gets stored temporarily, typically for anywhere from a few minutes to a few days, depending on the domain’s settings. This means most DNS queries never reach the full chain. The answer is already nearby.

This also explains why DNS changes can feel slow. If you switch your website to a new server, the old IP address might still be cached in resolvers around the world. That’s why DNS propagation, the time it takes for changes to spread, can take up to 48 hours, even though the actual lookup process is measured in milliseconds.
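To show the root -> TLD -> authoritative walk from the lookup section together with the caching and propagation delay described here, this added example (not code from the original article) simulates an iterative resolver over a constructed in-memory hierarchy with a TTL-bounded cache; the server names tld-com.test. and ns1.example.com., the 60-second TTL and the 192.0.2.x addresses are assumptions.

```python
import copy

# Constructed in-memory hierarchy (assumption, not real zone data): exact name -> answer, zone suffix -> NS referral.
SERVERS = {
    "root": {"com.": ("NS", "tld-com.test.", 172800)},
    "tld-com.test.": {"example.com.": ("NS", "ns1.example.com.", 172800)},
    "ns1.example.com.": {"www.example.com.": ("A", "192.0.2.1", 60)},
}

class Resolver:
    """Iterative resolver: root -> TLD -> authoritative, with a TTL-bounded answer cache."""
    def __init__(self, servers, clock):
        self.servers, self.clock = servers, clock   # clock() returns the current time in seconds
        self.cache = {}                              # name -> (address, expiry time)
        self.queries = []                            # (server, name) for every query sent upstream
    def ask(self, server, name):
        self.queries.append((server, name))
        zone = self.servers[server]
        if name in zone:
            return zone[name]                                   # authoritative answer
        for suffix in sorted(zone, key=len, reverse=True):      # longest matching delegation wins
            if name.endswith("." + suffix):
                return zone[suffix]                             # referral to a more specific server
        return ("NXDOMAIN", None, 0)
    def resolve(self, name):
        now = self.clock()
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0]                                       # served from cache: no upstream query
        server = "root"
        for _ in range(8):                                      # bounded: never loop on a bad delegation
            kind, value, ttl = self.ask(server, name)
            if kind == "A":
                self.cache[name] = (value, now + ttl)
                return value
            if kind != "NS":
                raise LookupError(name)
            server = value
        raise LookupError("referral chain too long for " + name)

def propagation_demo():
    """Change the authoritative A record; the resolver keeps the cached answer until the TTL expires."""
    clock = [1000.0]
    servers = copy.deepcopy(SERVERS)
    r = Resolver(servers, clock=lambda: clock[0])
    first = r.resolve("www.example.com.")                       # full chain: 3 upstream queries
    servers["ns1.example.com."]["www.example.com."] = ("A", "192.0.2.2", 60)
    stale = r.resolve("www.example.com.")                       # cache hit: still the old address
    clock[0] += 61                                              # the 60 s TTL has now passed
    fresh = r.resolve("www.example.com.")                       # re-walks the chain and sees the change
    return first, stale, fresh, len(r.queries)
```

Lowering the TTL on a record before a planned move shortens exactly this stale window, which is the practical reason operators do it ahead of a migration.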

What happens when DNS breaks

DNS failures are among the most disruptive internet problems because everything depends on it. When DNS fails, no one can reach any website by name, even though the servers themselves are still running fine.

The most common DNS failure is when a popular DNS resolver goes down. In 2021, Fastly, a major web infrastructure company, had a bug that took down millions of websites for about an hour. Users who manually changed their DNS to an alternative provider (like Google’s 8.8.8.8) could access the sites again while everyone else saw error messages.

DNS can also be hijacked. In 2019, DNS attacks temporarily redirected traffic from banking websites in Oman and the UAE to malicious servers. Attackers compromised the DNS records at the registrar level, so users typing the correct domain name ended up at the wrong IP address.

This is why DNSSEC (DNS Security Extensions) exists: it’s a set of cryptographic signatures that verify DNS responses haven’t been tampered with. Most major domains have it enabled, but not all.

DNS as a surveillance tool, and the encrypted alternative

Here’s something that surprises most people: every DNS lookup you make is sent in plain text by default. Not encrypted. Not private.

That means your ISP can see every domain you visit, even when the websites themselves are encrypted with HTTPS. The padlock icon in your browser protects the content of your connection, but it doesn’t hide which sites you’re connecting to. The DNS query goes out in the open, before the encrypted connection even begins.

This isn’t hypothetical surveillance. ISPs in many countries are legally required to log DNS queries. In the US, internet providers have been permitted to sell aggregated browsing data to advertisers. In the UK and Australia, ISPs must retain metadata (which includes DNS records) for law enforcement access. In some authoritarian states, ISPs use DNS logging to identify dissidents.

The fix is DNS over HTTPS (DoH) or DNS over TLS (DoT). Both protocols encrypt your DNS lookups so they’re indistinguishable from regular web traffic. Instead of a plaintext query going to your ISP’s resolver, an encrypted query goes to a privacy-respecting resolver like Cloudflare’s 1.1.1.1 or Google’s 8.8.8.8.

Firefox enabled DoH by default for US users in 2020. Chrome supports it. Major phone operating systems now support it. Enabling it is usually a single toggle in your browser or network settings.

One important caveat: DoH shifts trust from your ISP to your chosen DNS resolver. Cloudflare and Google promise not to log individual queries, but you’re still trusting a company. The privacy improvement is real: you’ve gone from an ISP with a financial incentive to sell data to a provider with a stated policy against it. But it’s not the same as anonymity.

Who actually controls the internet’s phone book

The DNS hierarchy bottoms out in 13 root server clusters that know the authoritative location of every top-level domain (.com, .org, .uk, and so on). These root servers are the ultimate source of truth for the entire internet’s naming system.

For most of the internet’s history, those root servers were controlled under a contract with the US government’s National Telecommunications and Information Administration (NTIA). The NTIA delegated day-to-day management to ICANN (the Internet Corporation for Assigned Names and Numbers), but retained oversight, meaning any change to the root zone, like adding a new top-level domain, had to be approved by a US government agency.

This was politically explosive. Other governments argued that no single country should have a veto over the global internet’s naming system. After years of pressure from the international community, the US transferred that oversight to a broader international structure in October 2016. ICANN now answers to a “multistakeholder community” (a coalition of governments, industry, civil society, and technical experts) rather than solely to the US Department of Commerce.

The change was largely procedural, and the root servers themselves still sit mostly in the US and Europe. But the governance question hasn’t gone away. Countries like Russia and China have invested in building parallel DNS infrastructures that could, in theory, allow them to operate a “sovereign internet” disconnected from the global root. For most users, this is invisible infrastructure. But the question of who can add or remove domains from the root zone is, ultimately, a question of political power, one that the technical community is still working out.

Why it matters

DNS is invisible until it breaks. Most people never think about it until something goes wrong. But understanding DNS helps you troubleshoot connectivity problems, choose faster DNS providers, and recognize when something more serious is happening.

For businesses, DNS management is critical. Switching DNS providers, moving websites between servers, or setting up email requires understanding how DNS records work. A single typo in a DNS record can take down email for an entire company.

For privacy, the DNS resolver you use sees every domain you visit. Your ISP’s default resolver logs every website you go to. Switching to a privacy-focused resolver like 1.1.1.1 (which promises not to log browsing data) and enabling DoH is one of the simplest ways to reduce your digital footprint. And for Wi-Fi networks, where DNS traffic travels over the air, encryption matters even more.

Common misconceptions

“DNS is the same as a website host.” It’s not. Your domain registrar manages your domain name. Your web host manages the server where your website files live. DNS connects the two. You can change one without the other.

“DNS only affects websites.” It affects everything. Every app on your phone that connects to a server uses DNS to find it. Every email you send goes through DNS lookups to find the receiving mail server. Every online game, every streaming service, every IoT device, all of them need DNS to function.

“Changing DNS makes you completely private.” It helps, but it’s not a complete solution. The websites you visit still know your IP address. Your ISP can still see the IP addresses you connect to (just not the domain names, if DNS is encrypted). For full privacy, you’d need DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) to encrypt the lookup itself, and even then, you’re trusting whoever runs your resolver.