Interactive Guide
Understanding DNS
How your browser turns a domain name into an IP address — explained step by step, with live simulations and a quiz.
01 What is DNS?
The Phone Book of the Internet
The Domain Name System (DNS) translates human-readable domain names like example.com into machine-readable IP addresses like 93.184.216.34. Without DNS, you'd have to memorize numeric addresses for every website you visit.
Why It Matters
Every time you type a URL, send an email, or use any internet service, DNS is working behind the scenes. It's one of the most critical — and most invisible — pieces of internet infrastructure. A DNS outage can take entire platforms offline.
02 How DNS Resolution Works
Browser Cache & OS Resolver
Your browser first checks its own cache. If it recently looked up the same domain, the answer is already stored locally. If not, it asks the operating system's stub resolver, which also has its own cache and may check the /etc/hosts file.
Recursive Resolver
If no local cache has the answer, the query goes to a recursive resolver (often run by your ISP, or a public service like 8.8.8.8 or 1.1.1.1). This server does the heavy lifting — it will chase the answer through the DNS hierarchy on your behalf.
Root → TLD → Authoritative
The recursive resolver queries the root name servers (there are 13 clusters worldwide), which point it to the TLD server (e.g., the .com server). The TLD server then directs it to the domain's authoritative name server, which finally returns the actual IP address.
Caching & TTL
Once the IP is found, every server along the chain caches the result according to the record's TTL (Time To Live) value. A TTL of 3600 means the answer is cached for one hour. Lower TTLs mean fresher data but more queries; higher TTLs reduce load but slow down changes.
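The four steps above, root → TLD → authoritative plus TTL caching, as an added example that is not part of the original guide. The three "name servers" are constructed Python dictionaries holding RFC 5737 documentation addresses, not real servers, and the resolver is deliberately minimal (no CNAME chasing, no negative caching, no glueless delegations). It does show the two things the text describes: referrals being followed from the root down, and both the final answer and the intermediate delegations being cached until their TTL runs out.

```python
import time

# Constructed toy name-server data for the walk root -> TLD -> authoritative.
# Addresses come from the RFC 5737 documentation ranges; none of these are real servers.
ROOT_SERVER = "192.0.2.1"

# server address -> { zone or name -> record }
#   ("referral", zone, {ns_name: glue_ip}, ttl)  = "ask these servers instead"
#   ("answer", ip, ttl)                          = the final A record
SERVERS = {
    "192.0.2.1": {                      # root: only knows who runs .com
        "com.": ("referral", "com.", {"a.gtld.example.": "192.0.2.10"}, 172800),
    },
    "192.0.2.10": {                     # .com TLD server: knows the delegation for example.com
        "example.com.": ("referral", "example.com.", {"ns1.example.com.": "192.0.2.20"}, 172800),
    },
    "192.0.2.20": {                     # authoritative for example.com
        "www.example.com.": ("answer", "192.0.2.80", 3600),
        "mail.example.com.": ("answer", "192.0.2.25", 300),
    },
}


def covers(zone, qname):
    """True if qname is zone itself or lies beneath it."""
    return qname == zone or qname.endswith("." + zone)


class Resolver:
    """Minimal iterative resolver with a TTL-bounded answer cache and referral cache."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                # injectable so expiry can be tested deterministically
        self.answers = {}                 # qname -> (ip, expires_at)
        self.delegations = {}             # zone -> (glue dict, expires_at)
        self.queries_sent = 0

    def _ask(self, server, qname):
        """Simulate one query to a name server: it replies with its closest enclosing data."""
        self.queries_sent += 1
        table = SERVERS[server]
        matches = [k for k in table if covers(k, qname)]
        if not matches:
            return None
        best = max(matches, key=len)
        rec = table[best]
        if rec[0] == "answer" and best != qname:
            return None                   # authoritative, but no such name
        return rec

    def _starting_server(self, qname, now):
        """Use the deepest unexpired cached delegation covering qname, else go to the root."""
        server, deepest = ROOT_SERVER, ""
        for zone, (glue, expires) in self.delegations.items():
            if expires > now and covers(zone, qname) and len(zone) > len(deepest):
                server, deepest = next(iter(glue.values())), zone
        return server

    def resolve(self, qname, max_hops=10):
        """Return (ip, "cache" | "network")."""
        now = self.clock()
        cached = self.answers.get(qname)
        if cached and cached[1] > now:
            return cached[0], "cache"
        server = self._starting_server(qname, now)
        for _ in range(max_hops):
            rec = self._ask(server, qname)
            if rec is None:
                raise LookupError(f"no data for {qname}")
            if rec[0] == "answer":
                _, ip, ttl = rec
                self.answers[qname] = (ip, now + ttl)      # cached for TTL seconds
                return ip, "network"
            _, zone, glue, ttl = rec
            self.delegations[zone] = (glue, now + ttl)     # remember the referral too
            server = next(iter(glue.values()))             # follow it using the glue address
        raise LookupError(f"referral chain for {qname} too long")


if __name__ == "__main__":
    r = Resolver()
    for name in ("www.example.com.", "www.example.com.", "mail.example.com."):
        ip, source = r.resolve(name)
        print(f"{name:20} -> {ip:12} ({source}, {r.queries_sent} queries so far)")
```

The first lookup of www.example.com. costs three queries (root, .com, authoritative); the repeat is a cache hit; mail.example.com. costs only one query because the delegation for example.com. is still cached. Once 3600 seconds pass, the www answer expires and is fetched again, but the long-lived delegations are not.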
03 DNS Record Types
| Type | Purpose | Example |
|---|---|---|
| A | Maps a domain to an IPv4 address | 93.184.216.34 |
| AAAA | Maps a domain to an IPv6 address | 2606:2800:220:1:: |
| CNAME | Alias — points one domain to another | www → example.com |
| MX | Directs email to a mail server | mail.example.com |
| TXT | Stores arbitrary text (SPF, DKIM, verification) | v=spf1 include:... |
| NS | Delegates a zone to specific name servers | ns1.example.com |
| SOA | Zone metadata: primary NS, admin email, serial | ns1.ex... admin... |
| PTR | Reverse DNS — maps IP back to a domain | 34.216.184.93 → |
| SRV | Specifies host/port for services (SIP, XMPP) | _sip._tcp 5060 |
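To see how several of the record types in the table are actually carried on the wire, here is an added example (not part of the original guide) that parses a constructed DNS response message. The response bytes are built by hand for a query of example.com A and carry A, AAAA, MX, TXT and NS answers; the AAAA address 2001:db8::1 is from the documentation prefix and the other values are the page's own examples. The parser handles the two details that trip people up in DNS messages: name compression pointers and the per-type RDATA layout.

```python
import ipaddress
import struct

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}

# Constructed response to "example.com A?" carrying five answer records of
# different types. The owner name of every answer is a compression pointer
# (0xC00C) back to the question name at offset 12, exactly as real servers do.
SAMPLE_RESPONSE = b"".join([
    b"\x12\x34",                                # transaction ID
    b"\x81\x80",                                # flags: QR=1, RD=1, RA=1, RCODE=0
    b"\x00\x01\x00\x05\x00\x00\x00\x00",        # QDCOUNT=1 ANCOUNT=5 NSCOUNT=0 ARCOUNT=0
    b"\x07example\x03com\x00\x00\x01\x00\x01",  # question: example.com. A IN
    # A     TTL 3600  RDLENGTH 4   93.184.216.34
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22",
    # AAAA  TTL 3600  RDLENGTH 16  2001:db8::1 (documentation prefix, constructed)
    b"\xc0\x0c\x00\x1c\x00\x01\x00\x00\x0e\x10\x00\x10" + bytes.fromhex("20010db8" + "00" * 11 + "01"),
    # MX    TTL 3600  RDLENGTH 9   preference 10, exchange "mail" + pointer -> mail.example.com.
    b"\xc0\x0c\x00\x0f\x00\x01\x00\x00\x0e\x10\x00\x09\x00\x0a\x04mail\xc0\x0c",
    # TXT   TTL 3600  RDLENGTH 12  one 11-byte character-string
    b"\xc0\x0c\x00\x10\x00\x01\x00\x00\x0e\x10\x00\x0c\x0bv=spf1 -all",
    # NS    TTL 3600  RDLENGTH 6   "ns1" + pointer -> ns1.example.com.
    b"\xc0\x0c\x00\x02\x00\x01\x00\x00\x0e\x10\x00\x06\x03ns1\xc0\x0c",
])


def read_name(msg, offset):
    """Decode a possibly-compressed name; returns (dotted name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:                    # 11xxxxxx = compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                       # the name ends after the first pointer
            hops += 1
            if hops > 64 or pointer >= offset:         # pointers must go backwards: loop guard
                raise ValueError("bad compression pointer")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end if end is not None else offset


def parse_rdata(msg, rtype, start, rdlength):
    """Interpret RDATA according to the record type."""
    data = msg[start:start + rdlength]
    if rtype == 1:
        return str(ipaddress.IPv4Address(data))
    if rtype == 28:
        return str(ipaddress.IPv6Address(data))
    if rtype in (2, 5):                                # NS, CNAME: one (compressible) name
        return read_name(msg, start)[0]
    if rtype == 15:                                    # MX: 16-bit preference, then a name
        return struct.unpack("!H", data[:2])[0], read_name(msg, start + 2)[0]
    if rtype == 16:                                    # TXT: one or more <len><chars> strings
        strings, pos = [], 0
        while pos < len(data):
            n = data[pos]
            strings.append(data[pos + 1:pos + 1 + n].decode("ascii"))
            pos += 1 + n
        return strings
    return data.hex()                                  # unknown type: raw bytes


def parse_message(msg):
    """Parse header, question and all resource record sections of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    offset, questions, records = 12, [], []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, TYPE_NAMES.get(qtype, qtype)))
    for _ in range(an + ns + ar):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if offset + rdlength > len(msg):
            raise ValueError("RDLENGTH runs past the end of the message")
        records.append({"name": name, "type": TYPE_NAMES.get(rtype, rtype),
                        "ttl": ttl, "data": parse_rdata(msg, rtype, offset, rdlength)})
        offset += rdlength
    return {"id": txid, "rcode": flags & 0xF, "questions": questions,
            "answers": records[:an], "authority": records[an:an + ns],
            "additional": records[an + ns:]}


if __name__ == "__main__":
    for rr in parse_message(SAMPLE_RESPONSE)["answers"]:
        print(f"{rr['name']:15} {rr['ttl']:>6} {rr['type']:5} {rr['data']}")
```

The loop guard in read_name matters: a pointer that points forward or at itself would otherwise make the parser spin forever, which is a classic denial-of-service bug in hand-written DNS code.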
04 DNS Security
DNS Spoofing / Cache Poisoning
An attacker injects forged DNS responses into a resolver's cache, redirecting users to malicious sites. This was a major vulnerability before DNSSEC. The Kaminsky attack (2008) showed how easily caches could be poisoned.
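The defensive side of the story, as an added example that is not part of the original guide: the checks a recursive resolver applies before it lets a reply into its cache. A forged answer is only useful to an attacker if the resolver accepts it, so the resolver matches the reply against the outstanding query on three things (random transaction ID, random source port, and an exact echo of the question) and then discards any record that the queried server is not responsible for (the "bailiwick" rule, which is what stops a server for one zone from planting records for another). Messages are represented as plain Python objects, and the sample query and reply are constructed.

```python
from dataclasses import dataclass


@dataclass
class PendingQuery:
    """What the resolver remembers about a query it has sent and not yet answered."""
    txid: int          # random 16-bit transaction ID
    src_port: int      # random ephemeral UDP source port (a second source of entropy)
    qname: str
    qtype: str
    bailiwick: str     # zone the queried server is responsible for


@dataclass
class Response:
    txid: int
    dst_port: int      # port the reply arrived on
    qname: str
    qtype: str
    records: list      # dicts {"name", "type", "data"} from answer/authority/additional


def in_bailiwick(name, zone):
    """True if name is at or below zone (the root zone covers everything)."""
    if zone == ".":
        return True
    name, zone = name.lower(), zone.lower()
    return name == zone or name.endswith("." + zone)


def validate_response(pending, resp):
    """Return (accepted_records, reason). A reply is matched to the pending query only
    if ID, port and question all agree; records outside the queried server's
    bailiwick are dropped instead of cached."""
    if resp.txid != pending.txid:
        return [], "transaction id mismatch"
    if resp.dst_port != pending.src_port:
        return [], "port mismatch"
    # Exact, case-sensitive comparison: resolvers that randomise the case of
    # query labels rely on the server echoing the question byte for byte.
    if resp.qname != pending.qname or resp.qtype != pending.qtype:
        return [], "question section does not echo the query"
    accepted, dropped = [], []
    for rec in resp.records:
        (accepted if in_bailiwick(rec["name"], pending.bailiwick) else dropped).append(rec)
    reason = "ok" if not dropped else f"ok, dropped {len(dropped)} out-of-bailiwick record(s)"
    return accepted, reason


# Constructed scenario: we asked a .com server about www.example.com. It answers with a
# referral to example.com's name servers, but the reply also carries an unrelated A
# record for a name outside .com, which must not be cached on this server's say-so.
PENDING = PendingQuery(txid=0x1234, src_port=41234, qname="www.example.com.",
                       qtype="A", bailiwick="com.")
REPLY = Response(txid=0x1234, dst_port=41234, qname="www.example.com.", qtype="A", records=[
    {"name": "example.com.",      "type": "NS", "data": "ns1.example.com."},
    {"name": "ns1.example.com.",  "type": "A",  "data": "192.0.2.20"},       # glue, in bailiwick
    {"name": "www.bank.example.", "type": "A",  "data": "198.51.100.7"},     # out of bailiwick
])

if __name__ == "__main__":
    accepted, reason = validate_response(PENDING, REPLY)
    print(reason)
    for rec in accepted:
        print("cache:", rec)
```

Every check here cuts the attacker's odds: the 16-bit ID alone leaves a small space to guess, which is why modern resolvers also randomise the source port, and the bailiwick rule means that even a reply that passes all three matches cannot overwrite cached data for unrelated zones.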
DNSSEC
DNS Security Extensions add cryptographic signatures to DNS records. Resolvers can verify that responses haven't been tampered with. DNSSEC doesn't encrypt queries — it only ensures authenticity and integrity using a chain of trust from the root zone.
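One link of that chain of trust in code, as an added example that is not part of the original guide. A parent zone publishes a DS record that is a hash of the child's DNSKEY; a validating resolver recomputes the hash from the DNSKEY it fetched and compares. The key tag and DS digest below follow RFC 4034 (key tag per Appendix B, which applies to every algorithm except the obsolete RSA/MD5; DS digest over the canonical owner name plus the DNSKEY RDATA). The 64-byte "public key" is constructed filler, not a real key, so this shows the DS linkage only; verifying the RRSIG signatures themselves needs a crypto library and is not shown.

```python
import hashlib
import hmac
import struct

# DS digest type -> hash function (RFC 4034 / RFC 4509 / RFC 6605)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase labels, no compression."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, protocol (always 3), algorithm, public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B: ones-complement-style 16-bit checksum of the RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(canonical owner name || DNSKEY RDATA)."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).digest()


def make_ds(owner, rdata, digest_type=2):
    """What the parent zone publishes: (key tag, algorithm, digest type, digest)."""
    return key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type)


def ds_matches(owner, rdata, ds):
    """Validator side: does this DNSKEY from the child match the DS from the parent?"""
    tag, alg, dtype, digest = ds
    if dtype not in DIGEST_ALGS:
        return False                      # unsupported digest type: cannot validate
    return (tag == key_tag(rdata)
            and alg == rdata[3]
            and hmac.compare_digest(digest, ds_digest(owner, rdata, dtype)))


# Constructed sample: a KSK (flags 257) using algorithm 13 (ECDSA P-256/SHA-256).
# The key bytes are filler, not a valid curve point.
SAMPLE_PUBKEY = bytes(range(64))
SAMPLE_DNSKEY = dnskey_rdata(257, 3, 13, SAMPLE_PUBKEY)

if __name__ == "__main__":
    ds = make_ds("example.com.", SAMPLE_DNSKEY)
    print("key tag:", ds[0], "DS digest:", ds[3].hex())
    print("matches:", ds_matches("example.com.", SAMPLE_DNSKEY, ds))
```

Because the owner name is lowercased before hashing, the same DS validates whether the DNSKEY arrived as example.com. or EXAMPLE.COM., while any change to the key material or flags changes both the key tag and the digest.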
DoH & DoT
DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt DNS queries so your ISP or network operator can't see which domains you're resolving. DoH runs on port 443 (blends with HTTPS traffic), DoT uses port 853. Both are supported by major resolvers like Cloudflare and Google.
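What "DNS over HTTPS" and "DNS over TLS" look like at the message level, as an added example that is not part of the original guide. It builds a standard wire-format query and shows the two encapsulations: the RFC 8484 DoH GET form (query base64url-encoded in the URL) and POST form (query as the request body), and the RFC 7858 DoT framing (a two-byte length prefix, the same as DNS over TCP). The endpoint URL is Cloudflare's public DoH service, used only as a string; nothing here opens a network connection, and the transaction ID of 0 follows the RFC 8484 suggestion for GET so that identical queries share an HTTP cache key.

```python
import base64
import secrets
import struct

TYPE_A = 1
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"   # public DoH endpoint, used as a string only


def encode_name(name):
    """Uncompressed wire form of a domain name: <len><label>... terminated by 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=TYPE_A, txid=None):
    """Standard recursive query (RD=1) with one question, class IN."""
    if txid is None:
        txid = secrets.randbelow(1 << 16)
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def doh_get_url(query, endpoint=DOH_ENDPOINT):
    """RFC 8484 GET: the query travels base64url-encoded, without padding, in ?dns=.
    Everything after the host name is inside TLS on port 443, so on the wire it is HTTPS."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={token}"


def doh_decode_param(token):
    """Reverse of the GET encoding (the server side): restore padding, then decode."""
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def doh_post_request(query, endpoint=DOH_ENDPOINT):
    """RFC 8484 POST: the raw query is the body, tagged with the DNS media type."""
    return {"method": "POST", "url": endpoint, "body": query,
            "headers": {"Content-Type": "application/dns-message",
                        "Accept": "application/dns-message"}}


def dot_frame(query):
    """RFC 7858 DoT (port 853) reuses DNS-over-TCP framing: a 2-byte big-endian length."""
    return struct.pack("!H", len(query)) + query


def dot_unframe(stream):
    """Split one length-prefixed message off a DoT/TCP byte stream: (message, remainder)."""
    if len(stream) < 2:
        raise ValueError("need at least the 2-byte length prefix")
    (length,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + length:
        raise ValueError("incomplete message, read more bytes")
    return stream[2:2 + length], stream[2 + length:]


if __name__ == "__main__":
    q = build_query("example.com.", txid=0)
    print("DoH GET :", doh_get_url(q))
    print("DoH POST:", doh_post_request(q)["headers"])
    print("DoT     :", dot_frame(q).hex())
```

Two practical consequences follow from the framing: a DoH query is indistinguishable from any other HTTPS request without decrypting it, whereas DoT's dedicated port 853 is easy to spot and block at a firewall, which is why the two are often deployed together.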