What is DNS and How Does it Work? A Complete Guide


Every time you type a website address into your browser, something invisible happens before the page loads. Your computer needs to figure out which server to talk to, and it does that by looking up the domain name in the Domain Name System — DNS.

DNS is often called the "phonebook of the internet." Instead of memorizing IP addresses like 142.250.80.46, you just type google.com and DNS figures out the rest. This guide explains exactly how that process works, what the different record types mean, and how to troubleshoot when things go wrong.

How a DNS Query Works

When you type www.samnet.dev into your browser, here is what happens in roughly 10-50 milliseconds:

Step 1: Browser Cache. Your browser checks its own cache first. If you visited this site recently, it already knows the IP address and skips everything below.

Step 2: OS Cache. If the browser does not have it, it asks the operating system. Your OS maintains its own DNS cache.

Step 3: Recursive Resolver. If the OS does not have it either, it sends a query to your configured DNS resolver, usually your ISP's DNS server or a public one like Cloudflare (1.1.1.1) or Google (8.8.8.8). This resolver does the heavy lifting.

Step 4: Root Nameservers. The resolver asks one of the 13 root nameserver clusters: "Who handles .dev domains?" The root server responds with the address of the .dev TLD nameservers.

Step 5: TLD Nameservers. The resolver asks the .dev TLD server: "Who handles samnet.dev?" The TLD server responds with the authoritative nameservers for samnet.dev.

Step 6: Authoritative Nameserver. The resolver asks the authoritative nameserver: "What is the IP for www.samnet.dev?" The authoritative server responds with the actual IP address.

Step 7: Response. The resolver caches the result and sends it back to your computer. Your browser connects to the IP address and loads the page.

This entire chain happens every time you visit a new website, but caching at every level means most lookups are nearly instant.
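
The walk in Steps 3 to 7 can be simulated offline. The following is an added example, not code from the original guide: the server names, the zone contents and the TTL values (3600 and 300) are constructed sample data, and `Resolver` is a hypothetical toy class.

```python
# Constructed sample data standing in for real nameservers (not live DNS).
SERVERS = {
    "root": {"refer": {"dev.": "tld-dev"}},
    "tld-dev": {"refer": {"samnet.dev.": "auth-samnet"}},
    "auth-samnet": {"records": {
        ("www.samnet.dev.", "CNAME"): ("samnet.dev.", 3600),
        ("samnet.dev.", "A"): ("203.0.113.50", 300),
    }},
}

class Resolver:
    """Toy recursive resolver. Simplification: referrals are not cached,
    so every cache miss starts again at the root."""

    def __init__(self):
        self.now = 0      # simulated clock, in seconds
        self.cache = {}   # (name, rtype) -> (value, expires_at)
        self.trace = []   # every server asked, in order

    def _ask(self, server, name, rtype):
        self.trace.append(server)
        zone = SERVERS[server]
        for suffix, target in zone.get("refer", {}).items():
            if name == suffix or name.endswith("." + suffix):
                return "referral", target, 0
        for t in (rtype, "CNAME"):
            if (name, t) in zone.get("records", {}):
                value, ttl = zone["records"][(name, t)]
                return t, value, ttl
        return "nxdomain", None, 0

    def resolve(self, name, rtype="A", hops=0):
        if hops > 8:
            raise RuntimeError("CNAME chain too long")
        for t in (rtype, "CNAME"):            # Steps 1-3: answer from cache
            hit = self.cache.get((name, t))
            if hit and hit[1] > self.now:
                return hit[0] if t == rtype else self.resolve(hit[0], rtype, hops + 1)
        server = "root"                       # Step 4: start at the root
        while True:
            kind, value, ttl = self._ask(server, name, rtype)
            if kind == "referral":            # Steps 4-5: follow the delegation
                server = value
            elif kind == "nxdomain":
                return None
            else:                             # Step 6: authoritative answer
                self.cache[(name, kind)] = (value, self.now + ttl)
                return value if kind == rtype else self.resolve(value, rtype, hops + 1)
```

Resolving `www.samnet.dev.` twice on one `Resolver` shows the second lookup adding nothing to `trace`; moving `now` past 300 expires only the A record, so the cached alias is reused while the address is fetched again.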

DNS Record Types

DNS does not just map names to IP addresses. There are many record types, each serving a different purpose.

A Record

Maps a domain name to an IPv4 address. This is the most fundamental DNS record.

samnet.dev.    A    203.0.113.50

When someone visits samnet.dev, the A record tells their browser which IPv4 address to connect to.

AAAA Record

Same as an A record, but for IPv6 addresses.

samnet.dev.    AAAA    2607:f8b0:4004:800::200e

CNAME Record

Creates an alias from one domain name to another. The browser follows the chain until it finds an A/AAAA record.

www.samnet.dev.    CNAME    samnet.dev.

This means www.samnet.dev is an alias for samnet.dev. Whatever IP samnet.dev resolves to, www will use the same one.

Important: You cannot put a CNAME on the root domain (samnet.dev itself) if you also have MX or TXT records there. This is why many DNS providers offer "CNAME flattening" or "ALIAS" records as a workaround.

MX Record

Specifies which mail servers handle email for a domain. The priority number determines the order — lower numbers are tried first.

samnet.dev.    MX    10    mx1.improvmx.com.
samnet.dev.    MX    20    mx2.improvmx.com.

When someone sends an email to an address at samnet.dev, the sending server looks up the MX records to find where to deliver it.

TXT Record

Stores arbitrary text. Used for email authentication (SPF, DKIM, DMARC), domain verification (Google Search Console, SSL certificates), and other metadata.

samnet.dev.    TXT    "v=spf1 include:_spf.google.com ~all"
samnet.dev.    TXT    "google-site-verification=abc123..."

NS Record

Specifies which nameservers are authoritative for a domain.

samnet.dev.    NS    ns1.cloudflare.com.
samnet.dev.    NS    ns2.cloudflare.com.

SOA Record

Start of Authority — contains administrative information about the zone: primary nameserver, admin email, serial number, and refresh/retry/expire timers.

CAA Record

Certificate Authority Authorization — specifies which certificate authorities are allowed to issue SSL certificates for the domain. Helps prevent unauthorized certificate issuance.

samnet.dev.    CAA    0 issue "letsencrypt.org"
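
How a certificate authority evaluates that record, as an added example that is not part of the original guide. It follows the RFC 8659 rules (climb to the nearest parent with CAA records, `issuewild` overrides `issue` for wildcard names, `;` means no CA); the `locked.example.` and `wild.example.` entries and the CA name `example-ca.test` are constructed, and the function names are hypothetical.

```python
# Constructed zone data: owner name -> list of (flags, tag, value) CAA records.
ZONE = {
    "samnet.dev.": [(0, "issue", "letsencrypt.org")],   # the record shown above
    "locked.example.": [(0, "issue", ";")],              # constructed: no CA may issue
    "wild.example.": [(0, "issue", "letsencrypt.org"),
                      (0, "issuewild", ";")],            # constructed: no wildcards
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_rrset(name, zone):
    """Climb from the name toward the TLD; the first CAA set found wins."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return []

def may_issue(ca_domain, name, zone=ZONE):
    """True if CAA lets ca_domain issue for name (which may start with '*.')."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name[2:] if wildcard else name, zone)
    # An unrecognised tag with the critical bit (128) set forbids issuance.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    by_tag = {}
    for _, tag, value in rrset:
        # The issuer domain is the part before any ';' parameters.
        issuer = value.split(";")[0].strip().lower()
        by_tag.setdefault(tag.lower(), set()).add(issuer)
    if wildcard and "issuewild" in by_tag:
        issuers = by_tag["issuewild"]
    else:
        issuers = by_tag.get("issue")
    if issuers is None:
        return True   # no applicable restriction published: any CA may issue
    return ca_domain.lower() in issuers
```

A name with no CAA record anywhere up its tree is unrestricted, which is why a domain that publishes nothing gets no protection from this mechanism.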

PTR Record

The reverse of an A record — maps an IP address back to a domain name. Used for reverse DNS lookups, which email servers use to verify senders.

TTL and Caching

Every DNS record has a TTL (Time To Live) value in seconds. This tells resolvers how long to cache the record before asking again.

TTL       Duration      Use Case
300       5 minutes     Frequently changing records, failover
3600      1 hour        Standard for most records
86400     24 hours      Stable records that rarely change
604800    1 week        Very stable records (NS, MX)

Before changing DNS records (like migrating servers), lower the TTL to 300 a day in advance. This ensures the old cached records expire quickly so the change takes effect faster.

DNS Propagation

When you change a DNS record, the change does not take effect instantly worldwide. Different resolvers cached the old record at different times, so they will hold onto it until their cached copy expires (based on the TTL).

This is "DNS propagation." It typically takes:

  • 5 minutes to 1 hour for records with low TTL
  • Up to 48 hours for records with high TTL or stubborn resolvers

You can check propagation status by querying different DNS servers:

# Query Google's DNS
dig @8.8.8.8 samnet.dev A

# Query Cloudflare's DNS
dig @1.1.1.1 samnet.dev A

# Query your system's default resolver (often your ISP's DNS)
dig samnet.dev A

Common DNS Problems and Fixes

"DNS_PROBE_FINISHED_NXDOMAIN"

The domain does not exist in DNS. Causes:

  • Domain expired or not registered
  • Nameservers not configured
  • Typo in the domain name

"Server IP address could not be found"

DNS resolved but returned no A/AAAA record. Causes:

  • A record not created yet
  • A record pointing to wrong IP
  • DNS zone not properly set up

Slow DNS Resolution

If websites take a long time to start loading:

  • Switch to a faster DNS resolver: 1.1.1.1 (Cloudflare) or 8.8.8.8 (Google)
  • Check for DNS leaks if using a VPN (use our VPN Leak Test)
  • Flush your local DNS cache:
      • Windows: ipconfig /flushdns
      • macOS: sudo dscacheutil -flushcache
      • Linux: sudo resolvectl flush-caches

Email Not Working

Usually a misconfigured MX or SPF record:

  • Check MX records point to your email provider
  • Verify SPF record includes your email service
  • Check DMARC policy with our SPF/DMARC Tool
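
The SPF check from the list above, applied to the TXT records shown earlier in this guide. This is an added example, not code from the original page: `lint_spf` is a hypothetical helper, `WEAK_TXT` is a constructed record, and the rules it applies (one SPF record per domain, a limit of 10 lookup terms, the meaning of the `all` qualifiers) come from RFC 7208.

```python
import re

# Terms that cost a DNS lookup; RFC 7208 caps one evaluation at 10 of them.
# Only top-level terms are counted here; nested includes add to the real total.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"^([+\-~?]?)([a-z][a-z0-9_.-]*)(?:([:=/])(.*))?$", re.I)

PAGE_TXT = ['v=spf1 include:_spf.google.com ~all',
            'google-site-verification=abc123...']   # records from the page
WEAK_TXT = ['v=spf1 ip4:203.0.113.50 +all a']       # constructed bad record

def lint_spf(txt_records, required_include=None):
    """Return findings for one domain's TXT record set (empty list = clean)."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:
        return ["no SPF record" if not spf else "multiple SPF records (permerror)"]
    findings, lookups, includes, all_q, redirect = [], 0, set(), None, False
    for term in spf[0].split()[1:]:
        m = TERM.match(term)
        if not m:
            findings.append(f"unparseable term: {term}")
            continue
        qual, name, sep, arg = m.group(1) or "+", m.group(2).lower(), m.group(3), m.group(4)
        if all_q is not None and sep != "=":
            findings.append(f"mechanism after 'all' is never evaluated: {term}")
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "include":
            includes.add((arg or "").lower())
        elif name == "redirect":
            redirect = True
        elif name == "all":
            all_q = qual
    if all_q is None and not redirect:
        findings.append("no 'all' mechanism: unmatched senders get neutral")
    elif all_q == "+":
        findings.append("+all authorizes every sender")
    elif all_q == "?":
        findings.append("?all gives receivers no policy (neutral)")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    if required_include and required_include.lower() not in includes:
        findings.append(f"missing include:{required_include}")
    return findings
```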

DNS Security

DNSSEC

DNS Security Extensions add cryptographic signatures to DNS records, preventing attackers from spoofing DNS responses. When enabled, resolvers can verify that the response actually came from the authoritative nameserver.

DNS over HTTPS (DoH) and DNS over TLS (DoT)

Traditional DNS queries are sent in plaintext — anyone on the network can see which domains you are looking up. DoH and DoT encrypt DNS queries:

  • DoH: Sends DNS queries over HTTPS (port 443). Used by Firefox, Chrome.
  • DoT: Sends DNS queries over TLS (port 853). Used by Android, some resolvers.

Look Up DNS Records

Use our free DNS Toolbox to query any domain's DNS records — A, AAAA, MX, TXT, NS, CNAME, SOA, CAA, and DNSSEC status — with plain-English explanations for each record.
