The Complete DNS Guide: How DNS Works, Troubleshooting, and Security

8 min read
Intermediate DNS Networking Security Troubleshooting Guide

Quick Answer: DNS translates domain names (google.com) to IP addresses (142.250.80.46). Your device asks a DNS resolver, which asks root servers, which point to the right nameserver. Common fix: change DNS to 1.1.1.1 (Cloudflare) or 8.8.8.8 (Google). Check DNS: use our DNS Toolbox.

What Is DNS?

DNS (Domain Name System) is the internet's phone book. When you type google.com in your browser, DNS translates that into an IP address your computer can connect to.

Without DNS, you'd have to remember 142.250.80.46 instead of google.com.


Part 1: How DNS Resolution Works

When you visit www.example.com, here's what happens in ~50 milliseconds:

1. Browser checks its cache → Not found
2. OS checks its cache → Not found
3. OS asks the configured DNS resolver (e.g., 1.1.1.1)
4. Resolver checks its cache → Not found
5. Resolver asks a Root Server: "Where is .com?"
   → Root: "Ask the .com TLD server at 192.5.6.30"
6. Resolver asks the .com TLD server: "Where is example.com?"
   → TLD: "Ask example.com's nameserver at 93.184.216.34"
7. Resolver asks example.com's nameserver: "What is www.example.com?"
   → Nameserver: "It's 93.184.216.34"
8. Resolver caches the result and returns it to your browser
9. Browser connects to 93.184.216.34

The DNS Hierarchy

Root Servers (.)
  ├── .com TLD servers
  │     ├── google.com nameservers
  │     ├── example.com nameservers
  │     └── samnet.dev nameservers
  ├── .org TLD servers
  ├── .dev TLD servers
  └── .io TLD servers

There are 13 root server groups (A through M), operated by organizations like ICANN, Verisign, and NASA. They're replicated across thousands of physical servers worldwide using anycast.

Recursive vs Authoritative

Type What It Does Examples
Recursive Resolver Finds the answer by querying multiple servers 1.1.1.1, 8.8.8.8, your ISP's DNS
Authoritative Nameserver Holds the actual DNS records for a domain Cloudflare NS, AWS Route 53

When you "change your DNS server," you're changing your recursive resolver — the first server your device asks.


Part 2: DNS Record Types

Record What It Does Example
A Maps domain to IPv4 address example.com → 93.184.216.34
AAAA Maps domain to IPv6 address example.com → 2606:2800:220:1:...
CNAME Alias — points to another domain www.example.com → example.com
MX Mail server for the domain example.com → mail.example.com (priority 10)
TXT Arbitrary text (SPF, DKIM, verification) v=spf1 include:_spf.google.com ~all
NS Nameservers for the domain example.com → ns1.cloudflare.com
SOA Start of authority (primary NS, admin, serial) Zone metadata
SRV Service locator (host + port) _sip._tcp.example.com → sip.example.com:5060
PTR Reverse DNS (IP to domain) 34.216.184.93 → example.com
CAA Which CAs can issue certificates example.com → letsencrypt.org

Look Up Records

# A record
dig example.com A +short

# MX records
dig example.com MX +short

# Request all records (many servers return partial results)
dig example.com ANY +short

# Use specific DNS server
dig @1.1.1.1 example.com

# Reverse lookup
dig -x 93.184.216.34

# Trace the full resolution path
dig +trace example.com

Use our DNS Toolbox for a web-based lookup.


Part 3: DNS Caching

DNS responses are cached at multiple levels to speed up future lookups:

Cache Levels

Level Where TTL Control
Browser cache Chrome, Firefox Browser-managed (~1 minute)
OS cache systemd-resolved, mDNSResponder TTL from DNS response
Router cache Your home router TTL from DNS response
Resolver cache 1.1.1.1, 8.8.8.8 TTL set in DNS record

TTL (Time to Live)

TTL tells caches how long to keep the record (in seconds):

TTL How Long When to Use
300 (5 min) Short During migrations, frequent changes
3600 (1 hr) Standard Most websites
86400 (24 hr) Long Stable records that rarely change

Flush DNS Cache

When you need caches to refresh immediately:

# Windows
ipconfig /flushdns

# Mac
sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

# Linux
sudo resolvectl flush-caches

# Chrome
# Navigate to chrome://net-internals/#dns → Clear host cache

Full guide: How to Flush DNS Cache


Part 4: Changing Your DNS Server

Your ISP's DNS servers are often slow, unreliable, and log your browsing history. Switching to a public DNS improves speed and privacy.

Recommended DNS Providers

Provider Primary Secondary Speed Privacy
Cloudflare 1.1.1.1 1.0.0.1 Fastest No logging
Google 8.8.8.8 8.8.4.4 Fast Some logging
Quad9 9.9.9.9 149.112.112.112 Fast Blocks malware
OpenDNS 208.67.222.222 208.67.220.220 Good Parental controls

How to Change

  • Windows: Settings → Network → DNS → Manual → enter addresses
  • Mac: System Settings → Network → WiFi → Details → DNS
  • Linux: Edit /etc/systemd/resolved.conf or /etc/resolv.conf
  • Android: Settings → Network → Private DNS → one.one.one.one
  • iPhone: Settings → WiFi → (i) → Configure DNS → Manual
  • Router: Change DNS in WAN/DHCP settings (applies to all devices)

Full guide: How to Change DNS Server


Part 5: DNS Troubleshooting

Common DNS Errors

Error Meaning Fix
DNS_PROBE_FINISHED_NXDOMAIN Domain doesn't exist (or DNS failure) Flush cache, change DNS, check URL spelling
DNS_PROBE_FINISHED_NO_INTERNET Can't reach DNS server Check internet connection, restart router
Server not responding DNS server is down or blocked Change to 1.1.1.1 or 8.8.8.8
Slow resolution DNS server overloaded Switch to faster DNS

Diagnostic Commands

# Check what DNS server you're using
cat /etc/resolv.conf | grep nameserver         # Linux
nslookup google.com                            # Shows DNS server used

# Test if DNS is working
dig google.com +short                          # Should return IP
nslookup google.com 1.1.1.1                    # Test specific server

# Check propagation (did changes spread?)
dig @1.1.1.1 example.com                       # Cloudflare's view
dig @8.8.8.8 example.com                       # Google's view
dig @ns1.example.com example.com               # Authoritative answer

# Trace the resolution path
dig +trace example.com

# Check response time
dig example.com | grep "Query time"

Full guides:


Part 6: DNS Security

DNS-over-HTTPS (DoH)

Encrypts DNS queries in HTTPS. Your ISP can't see which domains you're looking up.

Normal DNS:  Your device → [plain text query] → DNS server
DNS over HTTPS: Your device → [encrypted HTTPS] → DNS server

Enable in browsers:

  • Chrome: Settings → Privacy → Use Secure DNS → Cloudflare or Google
  • Firefox: Settings → Privacy → Enable DNS over HTTPS
  • Edge: Settings → Privacy → Use Secure DNS

System-wide (Linux):

Note: systemd-resolved supports DNS-over-TLS (DoT), not DoH. For DoH, use a browser or a dedicated client like cloudflared.

DNS-over-TLS (DoT)

Similar to DoH but uses a dedicated TLS connection instead of HTTPS. Supported by Android 9+ (Settings → Network → Private DNS → one.one.one.one).

DNSSEC

DNSSEC adds cryptographic signatures to DNS responses, proving they haven't been tampered with. The domain owner signs records, and resolvers verify signatures.

# Check if a domain uses DNSSEC
dig example.com +dnssec

# Check DNSSEC validation
dig @1.1.1.1 example.com +dnssec +short

DNS Poisoning / Spoofing

Attackers can inject fake DNS responses to redirect you to malicious sites. Protections:

  1. Use DoH/DoT — encrypted queries can't be intercepted
  2. Use DNSSEC-validating resolver — Cloudflare and Google validate DNSSEC
  3. Don't use ISP DNS — ISPs in some countries intentionally poison DNS

Part 7: DNS for Domain Owners

Setting Up DNS Records

If you own a domain, you manage DNS records through your registrar or Cloudflare:

Basic website setup:

A     @       → 93.184.216.34          (root domain to server IP)
A     www     → 93.184.216.34          (www to server IP)
AAAA  @       → 2606:2800:220:1:...    (IPv6, if available)

Email setup:

MX    @       → mail.example.com (priority 10)
TXT   @       → v=spf1 include:_spf.google.com ~all
TXT   _dmarc  → v=DMARC1; p=reject; rua=mailto:[email protected]

Verification records:

TXT   @       → google-site-verification=abc123...
TXT   @       → v=spf1 ...
CNAME _acme   → validation.letsencrypt.org (SSL verification)

Full guide: SPF/DKIM/DMARC Guide

DNS Propagation

After changing records, the new values spread gradually:

  • Your resolver: Refreshes after old TTL expires
  • Worldwide: 5 minutes to 48 hours depending on TTL
  • Tip: Lower TTL to 300 (5 min) before making changes, wait for old TTL to expire, make the change, then raise TTL back

Part 8: DNS Tunneling

DNS tunneling encodes data inside DNS queries. Since DNS traffic is rarely completely blocked (it would break the internet), this can work when all other methods fail.

How It Works

Your Device → DNS query (data encoded in subdomain) → DNS server → Tunnel endpoint

Example query: aGVsbG8.tunnel.example.com
               ↑ base64-encoded data

The tunnel endpoint extracts the data from the DNS query, forwards it to the internet, and sends the response back encoded in DNS responses.

Limitations

  • Extremely slow: 5-50 Kbps typically
  • High latency: Each packet requires a DNS query-response cycle
  • Detectable: Unusual query patterns can be flagged

Use Case

Last resort when VPN, proxy, and direct connections are all blocked. Useful for basic communication but not for streaming or downloads.

findns scans for DNS resolvers that support the record types needed for DNS tunneling tools like dnstt.


Part 9: DNS and VPNs

DNS Leaks

When using a VPN, your DNS queries should go through the VPN tunnel. A DNS leak means queries bypass the tunnel and go to your ISP's DNS — revealing which sites you visit.

Expected:  You → VPN tunnel → VPN's DNS → Internet
DNS Leak:  You → ISP's DNS → Internet (VPN bypassed!)

Test for leaks: VPN Leak Test

Fix DNS leaks:

  • Set DNS manually to 1.1.1.1 on your device
  • Use a VPN that forces its own DNS
  • Disable "Smart Multi-Homed Name Resolution" on Windows
  • Disable DNS over HTTPS in browser (if VPN doesn't handle it)

Full guide: VPN Leak Guide


Related Tools

Related Guides

SamNet Tools

Tool Purpose
findns DNS tunnel resolver scanner