Networking

DNS Domain Name System

The internet's phone book. How human-readable domain names get translated into IP addresses, the hierarchy of servers that make it work, and the security mechanisms that protect it.

01 / Resolution

How DNS Resolution Works

When you type example.com into a browser, a chain of lookups begins. Your machine doesn't know the IP address, so it asks a recursive resolver (usually run by your ISP or a public provider like 8.8.8.8). The resolver then walks the DNS hierarchy on your behalf.

[Diagram: DNS Resolution Flow. Client → Recursive Resolver → Root Server (.) → TLD Server (.com) → Authoritative NS → IP address returned. The answer is cached at each layer.]

Step by Step

1. Local cache check — The OS checks its own DNS cache and the /etc/hosts file before making any network request.

2. Recursive resolver — If not cached, the stub resolver sends a query to the configured recursive resolver. This server does the heavy lifting.

3. Root servers — The resolver asks a root server "where is .com?" The root responds with the address of the TLD nameservers for .com.

4. TLD nameservers — The resolver asks the .com TLD server "where is example.com?" and gets back the authoritative nameservers for that domain.

5. Authoritative nameserver — The resolver queries the authoritative NS, which returns the actual A/AAAA record with the IP address.

Caching and TTL

Every DNS record has a TTL (Time to Live) value in seconds. The resolver caches the answer for that duration. Typical TTLs range from 300s (5 min) to 86400s (24 hours). Lower TTLs mean faster propagation of changes but higher query load on authoritative servers.

Key Insight
DNS resolution is iterative from the resolver's perspective: it walks the hierarchy step by step. From the client's perspective, it's recursive: the client sends one query and gets back the final answer.
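The two perspectives in the Key Insight can be seen in a few dozen lines. The following is an added example, not code from the original page: it models three constructed "servers" (root, .com TLD, and the authoritative server for example.com) as dictionaries, walks the referral chain iteratively inside the resolver, and hands the client a single answer. The server names, TTLs and the cache layout are assumptions made for the model; nothing touches the network.

```python
"""Toy model of DNS resolution: iterative walk by the resolver, one query from the client.

Added example, not code from the original page. The three 'servers', their
data and the TTLs are constructed to mirror the root -> TLD -> authoritative
chain described above; nothing is sent over the network.
"""
from dataclasses import dataclass


@dataclass
class RR:
    rtype: str   # "NS" means a referral to another server, "A" is a final answer
    value: str
    ttl: int


# Constructed hierarchy. Keys are the names each server has data for.
SERVERS = {
    "root":         {"com.":         RR("NS", "tld-com", 172800)},
    "tld-com":      {"example.com.": RR("NS", "auth-example", 172800)},
    "auth-example": {"example.com.": RR("A", "93.184.216.34", 300)},
}


def closest_match(server_data: dict, qname: str):
    """Return the longest suffix of qname this server holds (a zone cut)."""
    labels = qname.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in server_data:
            return suffix
    return None


class RecursiveResolver:
    def __init__(self):
        self.cache = {}            # qname -> (RR, absolute expiry time)
        self.upstream_queries = 0  # how many servers the resolver had to ask

    def resolve(self, qname: str, now: float) -> RR:
        """Client-facing: a single call returns the final answer."""
        hit = self.cache.get(qname)
        if hit and hit[1] > now:
            rr, expires = hit
            return RR(rr.rtype, rr.value, int(expires - now))  # TTL counts down in cache
        server = "root"
        while True:                     # iterative walk, one referral at a time
            self.upstream_queries += 1
            match = closest_match(SERVERS[server], qname)
            if match is None:
                raise LookupError(f"{server} has no data for {qname}")
            rr = SERVERS[server][match]
            if rr.rtype == "NS":
                server = rr.value       # follow the referral to the next server
                continue
            self.cache[qname] = (rr, now + rr.ttl)
            return rr


if __name__ == "__main__":
    r = RecursiveResolver()
    print(r.resolve("example.com.", now=0), r.upstream_queries)    # 3 upstream queries
    print(r.resolve("example.com.", now=100), r.upstream_queries)  # cache hit, TTL 200 left
    print(r.resolve("example.com.", now=301), r.upstream_queries)  # expired, walks again
```

The first lookup costs three upstream queries (root, TLD, authoritative); the second is served from cache with the remaining TTL; once the 300-second TTL has run out the resolver walks the hierarchy again, which is exactly the "propagation" behaviour discussed in the Operational Practices section.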

02 / Record Types

DNS Record Types

DNS stores far more than just IP addresses. Each record type serves a specific purpose in the ecosystem.

| Type  | Purpose                                                          | Example Value                                |
|-------|------------------------------------------------------------------|----------------------------------------------|
| A     | Maps domain to IPv4 address                                      | 93.184.216.34                                |
| AAAA  | Maps domain to IPv6 address                                      | 2606:2800:220:1::                            |
| CNAME | Alias pointing to another domain                                 | www.example.com → example.com                |
| MX    | Mail server for the domain (with priority)                       | 10 mail.example.com                          |
| TXT   | Arbitrary text (SPF, DKIM, DMARC, verification)                  | v=spf1 include:_spf.google.com ~all          |
| NS    | Authoritative nameservers for a zone                             | ns1.example.com                              |
| SOA   | Start of Authority — zone metadata, serial number                | ns1.example.com admin.example.com 2024010101 |
| SRV   | Service location (port, priority, weight)                        | _sip._tcp 10 60 5060 sip.example.com         |
| PTR   | Reverse DNS — IP to domain name                                  | 34.216.184.93.in-addr.arpa → example.com     |
| CAA   | Certificate Authority Authorization — which CAs can issue certs  | 0 issue "letsencrypt.org"                    |

TXT Records for Email Security

SPF (Sender Policy Framework) declares which mail servers are allowed to send email for your domain. DKIM (DomainKeys Identified Mail) publishes a public key that recipients use to verify email signatures. DMARC ties SPF and DKIM together with a policy for handling failures.

# SPF record
v=spf1 include:_spf.google.com ~all

# DKIM record (selector: google)
google._domainkey  IN  TXT  "v=DKIM1; k=rsa; p=MIIBIjAN..."

# DMARC record
_dmarc  IN  TXT  "v=DMARC1; p=reject; rua=mailto:reports@example.com"
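Because all three mechanisms live in TXT records, a mail administrator usually checks them by parsing the record text. The block below is an added example, not code from the page: it splits an SPF record into its mechanisms and terminal `all` qualifier, parses the shared `tag=value;` syntax of DKIM and DMARC, and reports settings that weaken the policy (a `+all` or missing `all`, more than 10 DNS-lookup mechanisms, an empty DKIM `p=` which signals a revoked key, a DMARC `p=none`, or no `rua=` reporting address). The "good" records are the page's own examples; the "weak" variants are constructed for contrast.

```python
"""Parse SPF, DKIM and DMARC TXT records and flag weak settings.

Added example, not code from the original page. The 'good' records are the
page's own examples; the 'weak' variants are constructed for contrast.
Syntax follows RFC 7208 (SPF), RFC 6376 (DKIM) and RFC 7489 (DMARC).
"""

GOOD_SPF = "v=spf1 include:_spf.google.com ~all"
GOOD_DKIM = "v=DKIM1; k=rsa; p=MIIBIjAN..."           # page's (truncated) example key
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:reports@example.com"

WEAK_SPF = "v=spf1 include:_spf.google.com +all"      # constructed: +all authorizes any sender
WEAK_DKIM = "v=DKIM1; k=rsa; p="                      # constructed: empty p= means key revoked
WEAK_DMARC = "v=DMARC1; p=none"                       # constructed: monitor only, no reports

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> dict:
    """Split an SPF record into (qualifier, mechanism) pairs plus the 'all' qualifier."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # default qualifier is Pass
        body = term.lstrip("+-~?")
        if body.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, body))
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_tags(record: str) -> dict:
    """DKIM and DMARC share a 'tag=value; tag=value' syntax."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def lint_email_records(spf: str, dkim: str, dmarc: str) -> list:
    """Return findings a mail admin would want to fix; empty list means no issues found."""
    findings = []
    spf_parsed = parse_spf(spf)
    if spf_parsed["all"] in (None, "+", "?"):
        findings.append(f"SPF: 'all' qualifier is {spf_parsed['all']!r}; use ~all or -all")
    lookups = sum(1 for _, m in spf_parsed["mechanisms"]
                  if m.split(":")[0].split("=")[0].lower() in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup mechanisms exceed the limit of 10 (permerror)")
    dkim_tags = parse_tags(dkim)
    if dkim_tags.get("v") != "DKIM1" or not dkim_tags.get("p"):
        findings.append("DKIM: missing v=DKIM1 or empty p= (an empty key means revoked)")
    dmarc_tags = parse_tags(dmarc)
    if dmarc_tags.get("v") != "DMARC1":
        findings.append("DMARC: record does not start with v=DMARC1")
    if dmarc_tags.get("p", "none") == "none":
        findings.append("DMARC: p=none only monitors; move to quarantine or reject")
    if "rua" not in dmarc_tags:
        findings.append("DMARC: no rua= address, so aggregate reports are never delivered")
    return findings


if __name__ == "__main__":
    print("good:", lint_email_records(GOOD_SPF, GOOD_DKIM, GOOD_DMARC))
    for finding in lint_email_records(WEAK_SPF, WEAK_DKIM, WEAK_DMARC):
        print("weak:", finding)
```

In practice the three records are fetched with `dig TXT` against the domain, the `selector._domainkey` name and `_dmarc`, then fed to `lint_email_records`.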

CNAME Restrictions
A CNAME record cannot coexist with other record types at the same name. You cannot put a CNAME at the zone apex (e.g., example.com) if you also need MX or TXT records there. Many DNS providers offer "ALIAS" or "ANAME" as a workaround.
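The coexistence rule is easy to check before a zone is loaded. The block below is an added example (not the page's code and not any particular server's validator): it groups constructed records by owner name and reports any CNAME that shares its name with other data, sits at the apex, or is duplicated. The record set is constructed; the rule it applies is the one stated above.

```python
"""Check the CNAME coexistence rule over a small set of zone records.

Added example, not from the page. Records are constructed. The check applies
the RFC 1034 rule restated above: a CNAME may not share its owner name with
any other record, so it can never sit at the zone apex (which always holds
SOA and NS).
"""
from collections import defaultdict

# Constructed zone data as (owner, type, rdata) tuples.
RECORDS = [
    ("example.com.",      "SOA",   "ns1.example.com. admin.example.com. 2024010101"),
    ("example.com.",      "NS",    "ns1.example.com."),
    ("example.com.",      "MX",    "10 mail.example.com."),
    ("example.com.",      "CNAME", "hosting.example.net."),   # forbidden: apex CNAME
    ("www.example.com.",  "CNAME", "example.com."),           # fine: alias with no other data
    ("blog.example.com.", "CNAME", "pages.example.net."),
    ("blog.example.com.", "TXT",   "verification=abc"),       # forbidden: coexists with CNAME
]


def cname_violations(zone_apex: str, records: list) -> list:
    """Return one message per rule violation; an empty list means the zone is clean."""
    by_owner = defaultdict(list)
    for owner, rtype, _ in records:
        by_owner[owner.lower().rstrip(".")].append(rtype.upper())
    apex = zone_apex.lower().rstrip(".")
    problems = []
    for owner, types in by_owner.items():
        if "CNAME" not in types:
            continue
        if owner == apex:
            problems.append(f"{owner}: CNAME at the zone apex (apex must carry SOA/NS)")
        others = sorted(set(t for t in types if t != "CNAME"))
        if others:
            problems.append(f"{owner}: CNAME coexists with {', '.join(others)}")
        if types.count("CNAME") > 1:
            problems.append(f"{owner}: more than one CNAME at the same name")
    return problems


if __name__ == "__main__":
    for problem in cname_violations("example.com", RECORDS):
        print(problem)
```

The apex case produces two findings (CNAME at apex, and coexistence with MX, NS and SOA), which is why providers resolve the alias server-side with ALIAS/ANAME instead of publishing a CNAME there.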

03 / Infrastructure

DNS Infrastructure

The DNS ecosystem is built on distinct server roles and clever networking techniques that keep it fast and resilient.

Authoritative NS

Holds the actual DNS records for a zone. It's the source of truth. Returns answers with the "aa" (authoritative answer) flag set.

Recursive Resolver

Does the work of walking the hierarchy on behalf of clients. Caches results. Examples: 8.8.8.8 (Google), 1.1.1.1 (Cloudflare), your ISP's resolver.

Root Servers

13 logical root server clusters (A through M), operated by different organizations. They use anycast so each "server" is actually hundreds of instances worldwide.

Anycast

Multiple servers share the same IP address. BGP routing sends each query to the nearest instance. This is how root servers and CDN DNS handle global traffic with low latency.

Why 13 Root Servers?
The original DNS packet size limit of 512 bytes (for UDP) could fit exactly 13 nameserver records with their IPv4 addresses. Today these 13 logical servers span 1,700+ physical instances via anycast.
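The 512-byte limit and the "aa" flag mentioned above are both properties of the DNS wire format. The following is an added example, not code from the page: it builds a query exactly as a stub resolver would (header plus one question, RFC 1035 section 4.1) and decodes the header flags of a reply, including `aa`, `tc` (truncated because the reply did not fit) and `rcode`. The reply bytes are constructed by hand so the example runs offline; the type numbers are the standard IANA assignments.

```python
"""Build a DNS query in wire format and decode the header flags of a reply.

Added example, not code from the page. The response bytes are constructed
by hand (an authoritative A answer for example.com), so this runs offline.
Layout follows RFC 1035 section 4.1.1; AD/CD bits are from RFC 4035.
"""
import struct

FLAG_BITS = {"qr": 15, "aa": 10, "tc": 9, "rd": 8, "ra": 7, "ad": 5, "cd": 4}
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15,
          "TXT": 16, "AAAA": 28, "SRV": 33, "ANY": 255}
CLASS_IN = 1
UDP_CLASSIC_LIMIT = 512  # UDP payload limit without EDNS; larger replies set TC


def encode_name(name: str) -> bytes:
    """'example.com.' -> b'\\x07example\\x03com\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: str, txid: int = 0x1234, rd: bool = True) -> bytes:
    """Header + one question, as a stub resolver sends it (RD set asks for recursion)."""
    flags = (1 << FLAG_BITS["rd"]) if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPES[qtype], CLASS_IN)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header into id, flag bits, opcode, rcode and section counts."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    decoded = {name: bool((flags >> bit) & 1) for name, bit in FLAG_BITS.items()}
    decoded.update(id=txid, opcode=(flags >> 11) & 0xF, rcode=flags & 0xF,
                   qdcount=qd, ancount=an, nscount=ns, arcount=ar)
    return decoded


def constructed_response() -> bytes:
    """Hand-built authoritative reply to build_query('example.com.', 'A'): QR=1, AA=1, RD=1."""
    flags = (1 << FLAG_BITS["qr"]) | (1 << FLAG_BITS["aa"]) | (1 << FLAG_BITS["rd"])
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    question = encode_name("example.com.") + struct.pack("!HH", QTYPES["A"], CLASS_IN)
    # Answer RR: owner is a compression pointer (0xC00C) to the question name at offset 12,
    # then TYPE A, CLASS IN, TTL 300, RDLENGTH 4 and the IPv4 address.
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", QTYPES["A"], CLASS_IN, 300, 4)
              + bytes([93, 184, 216, 34]))
    return header + question + answer


if __name__ == "__main__":
    q = build_query("example.com.", "A")
    print(len(q), "byte query:", q.hex())
    h = parse_header(constructed_response())
    print("authoritative:", h["aa"], "truncated:", h["tc"], "rcode:", h["rcode"])
```

A recursive resolver relays the answer with `aa` clear and `ra` set; only the zone's own server sets `aa`. A reply with `tc` set tells the client the answer exceeded the UDP limit and must be retried over TCP (or with EDNS).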

04 / Features

Advanced DNS Features

DNS Load Balancing

DNS can distribute traffic by returning multiple A records (round-robin) or by using weighted responses. The client typically uses the first IP returned. More sophisticated setups use health checks and geographic routing at the DNS level (GeoDNS).

# Multiple A records for round-robin
example.com.  300  IN  A  192.0.2.1
example.com.  300  IN  A  192.0.2.2
example.com.  300  IN  A  192.0.2.3

Split-Horizon DNS

Returns different answers depending on who is asking. Internal users on the corporate network get private IPs pointing to internal servers, while external users get public IPs. This is common in enterprise environments and is implemented by configuring DNS views based on the source IP of the query.

[Diagram: Split-Horizon DNS. Internal Client (10.0.x.x) → DNS Server → 10.0.1.5 (private); External Client (public IP) → DNS Server → 203.0.113.10 (public).]
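The view selection behind split-horizon DNS is an ACL match on the query's source address. The block below is an added example, not the page's code and not any specific server's configuration syntax: an ordered list of views, each with an ACL and its own record set, and a lookup that answers from the first view whose ACL matches. The names and addresses are constructed (RFC 1918 private ranges and RFC 5737 documentation addresses), and the catch-all external view covers both IPv4 and IPv6 sources.

```python
"""Choose a DNS view from the query's source address, as split-horizon DNS does.

Added example, not the page's code or any server's configuration format.
Networks, names and addresses are constructed (RFC 1918 and RFC 5737 ranges).
"""
import ipaddress

# Views are tried in order; the first view whose ACL contains the source address wins.
VIEWS = [
    ("internal", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
     {"intranet.example.com.": ["10.0.1.5"]}),
    ("external", ["0.0.0.0/0", "::/0"],          # catch-all for both address families
     {"intranet.example.com.": ["203.0.113.10"]}),
]


def select_view(source_ip: str):
    """Return (view name, record set) for the source address of a query."""
    src = ipaddress.ip_address(source_ip)
    for name, acl, zone in VIEWS:
        # 'in' is False for mismatched address families, so IPv6 sources skip IPv4-only ACLs
        if any(src in ipaddress.ip_network(net) for net in acl):
            return name, zone
    raise LookupError(f"no view matches {source_ip}")


def answer(qname: str, source_ip: str) -> dict:
    """Resolve qname for a client at source_ip; empty 'answers' models NXDOMAIN/NODATA."""
    view, zone = select_view(source_ip)
    return {"view": view, "qname": qname, "answers": zone.get(qname.lower(), [])}


if __name__ == "__main__":
    print(answer("intranet.example.com.", "10.0.7.9"))        # internal view, private IP
    print(answer("intranet.example.com.", "198.51.100.20"))   # external view, public IP
    print(answer("intranet.example.com.", "2001:db8::1"))     # IPv6 source falls to external
```

One caveat from the Security section applies here: the source address of a UDP query is not authenticated, so split horizon hides internal names from routine external lookups but is not an access control, and internal records should still be treated as discoverable.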

Service Discovery with DNS
Tools like Consul and Kubernetes CoreDNS use DNS as a service discovery mechanism. Services register themselves, and clients find them via SRV records (e.g., _web._tcp.service.consul). This avoids hardcoding IPs and makes infrastructure dynamic.

05 / Security

DNS Security

DNS was designed in the 1980s without authentication or encryption. Several extensions have been added to address this.

| Mechanism            | What It Does                                                                                                                                   | Layer                |
|----------------------|------------------------------------------------------------------------------------------------------------------------------------------------|----------------------|
| DNSSEC               | Adds cryptographic signatures to DNS responses. Resolvers can verify that records haven't been tampered with. Uses a chain of trust from root to zone. | Data integrity       |
| DoH (DNS over HTTPS) | Encrypts DNS queries inside HTTPS. Prevents ISPs and middleboxes from seeing or modifying queries. Runs on port 443.                            | Transport encryption |
| DoT (DNS over TLS)   | Encrypts DNS queries with TLS on a dedicated port (853). Easier for network admins to manage than DoH since it uses a distinct port.            | Transport encryption |

DNS Amplification Attacks

An attacker sends DNS queries with a spoofed source IP (the victim's IP) to open resolvers. The resolver sends the (much larger) response to the victim. Because DNS responses can be 50-70x larger than queries (especially with DNSSEC or ANY queries), this amplifies the attack traffic massively.

Mitigation
Open resolvers should implement response rate limiting (RRL). Networks should deploy BCP38/ingress filtering to prevent IP spoofing. Many resolvers now refuse ANY queries to reduce amplification factor.
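The amplification factor and the response rate limiting described above can both be checked from a resolver's query log. The following is an added example, not code from the page or from any resolver product: it parses constructed log lines (timestamp, source, name, type, query and response payload sizes), computes the response-to-query size ratio, flags ANY queries and high-ratio responses, and runs a simplified per-source token-bucket limiter to show which responses an RRL policy would hold back. The log format, field names and limiter parameters are assumptions made for the example.

```python
"""Score amplification risk and apply response rate limiting (RRL) to a query log.

Added example, not code from the page or from any resolver. Log lines are
constructed; qlen/rlen are the UDP payload sizes of query and response in
bytes. The token bucket is a simplified model of per-client RRL, not a
specific implementation.
"""

# Constructed resolver log: five ANY queries in 50 ms from one source, two normal lookups.
LOG = """\
1700000000.01 198.51.100.7 example.com ANY qlen=40 rlen=3120
1700000000.02 198.51.100.7 example.com ANY qlen=40 rlen=3120
1700000000.03 198.51.100.7 example.com ANY qlen=40 rlen=3120
1700000000.04 198.51.100.7 example.com ANY qlen=40 rlen=3120
1700000000.05 198.51.100.7 example.com ANY qlen=40 rlen=3120
1700000000.05 192.0.2.10 example.com A qlen=29 rlen=45
1700000000.30 192.0.2.10 example.com MX qlen=29 rlen=88
1700000001.10 198.51.100.7 example.com ANY qlen=40 rlen=3120
"""


def parse_log(text: str):
    """Yield one dict per log line."""
    for line in text.splitlines():
        ts, src, qname, qtype, qlen, rlen = line.split()
        yield {"ts": float(ts), "src": src, "qname": qname, "qtype": qtype,
               "qlen": int(qlen.split("=")[1]), "rlen": int(rlen.split("=")[1])}


def amplification_factor(entry: dict) -> float:
    """Bytes sent to the (possibly spoofed) source per byte received."""
    return entry["rlen"] / entry["qlen"]


class TokenBucketRRL:
    """Allow `rate` responses per second per source address, with burst `burst`."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.state = {}  # src -> (tokens, last_ts)

    def allow(self, src: str, ts: float) -> bool:
        tokens, last = self.state.get(src, (self.burst, ts))
        tokens = min(self.burst, tokens + (ts - last) * self.rate)  # refill since last query
        if tokens >= 1:
            self.state[src] = (tokens - 1, ts)
            return True
        self.state[src] = (tokens, ts)
        return False


def triage(text: str, rate: float = 2.0, burst: int = 3, amp_threshold: float = 10.0):
    """Return (flagged_entries, dropped_count): flagged = ANY or high amplification."""
    rrl = TokenBucketRRL(rate, burst)
    flagged, dropped = [], 0
    for entry in parse_log(text):
        entry["amp"] = round(amplification_factor(entry), 1)
        if rrl.allow(entry["src"], entry["ts"]):
            entry["rrl"] = "sent"
        else:
            entry["rrl"] = "dropped"
            dropped += 1
        if entry["qtype"] == "ANY" or entry["amp"] >= amp_threshold:
            flagged.append(entry)
    return flagged, dropped


if __name__ == "__main__":
    flagged, dropped = triage(LOG)
    print(f"{dropped} responses held back by RRL")
    for e in flagged:
        print(f'{e["src"]:14} {e["qtype"]:4} x{e["amp"]:<5} {e["rrl"]}')
```

With the constructed parameters (2 responses/second, burst of 3) the limiter passes the first three ANY responses and holds the next two, while the ordinary A and MX lookups from the other client are unaffected; the 78x ratio of the ANY responses is what makes them attractive to flag or refuse outright.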

06 / Practice

Operational Practices

DNS Propagation

When you change a DNS record, the old value may remain in caches worldwide until its TTL expires. "Propagation" is just caches expiring at different times. There's no push mechanism — each resolver refreshes independently.

Low TTL for Migrations

Before a migration (changing hosting provider, IP address, etc.), lower the TTL to 60-300 seconds a few days in advance. This ensures that when you flip the record, caches expire quickly and traffic moves to the new destination. After the migration stabilizes, raise the TTL back up to reduce query load.

# Days before migration: lower TTL
example.com.  300  IN  A  old-ip

# Migration day: flip the record
example.com.  300  IN  A  new-ip

# After stabilization: raise TTL
example.com.  86400  IN  A  new-ip
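The plan above works because each cache refreshes on its own schedule, and a simulation shows why the TTL must be lowered ahead of time rather than at the moment of the change. The block below is an added example, not code from the page: it models the authoritative record as a timeline (lower the TTL, flip the address, raise the TTL), a population of independent caches that each serve a query every 60 seconds and refetch only when their stored TTL has expired, and reports the fraction of caches answering with the new address at chosen times. The cache population, refresh offsets and timings are constructed.

```python
"""Model how a record change 'propagates' as independent caches expire.

Added example, not from the page. It models the migration plan above: lower
the TTL ahead of time, flip the address, then raise the TTL. The caches and
their refresh offsets are constructed (evenly spread), not measured data.
"""
OLD_TTL, LOW_TTL, NEW_TTL = 86400, 300, 86400
STEP = 60  # every cache serves one client query per STEP seconds


def authoritative(t: float, lower_at: float, flip_at: float, raise_at: float):
    """What the authoritative server hands out at time t: (address, ttl)."""
    ip = "new-ip" if t >= flip_at else "old-ip"
    if t < lower_at:
        return ip, OLD_TTL
    if t >= raise_at:
        return ip, NEW_TTL
    return ip, LOW_TTL


class Cache:
    """One recursive resolver's cache entry for the record."""

    def __init__(self, first_fetch: float, plan: tuple):
        self.plan = plan
        self.record, self.expires = None, float("-inf")
        self.lookup(first_fetch)

    def lookup(self, t: float) -> str:
        """Serve the cached value until its TTL runs out, then refetch."""
        if t >= self.expires:
            ip, ttl = authoritative(t, *self.plan)
            self.record, self.expires = ip, t + ttl
        return self.record


def fraction_on_new(caches: list, t: float) -> float:
    return sum(c.lookup(t) == "new-ip" for c in caches) / len(caches)


def simulate(plan: tuple, first_fetch_times: list, check_times: list) -> dict:
    """Run queries against every cache each STEP; report new-address share at check_times."""
    caches = [Cache(t0, plan) for t0 in first_fetch_times]
    results = {}
    for t in range(0, max(check_times) + STEP, STEP):
        frac = fraction_on_new(caches, t)
        if t in check_times:
            results[t] = frac
    return results


# Constructed population: 100 caches that last fetched at different points of the day before.
FIRST_FETCHES = [-86400 + i * 864 for i in range(100)]
GOOD_PLAN = (0, 172800, 259200)          # lower at t=0, flip two days later, raise a day after
NO_LOWERING = (172800, 172800, 172800)   # TTL stays at 86400 until the flip itself

if __name__ == "__main__":
    good = simulate(GOOD_PLAN, FIRST_FETCHES, [172800, 173100])
    bad = simulate(NO_LOWERING, FIRST_FETCHES, [173100])
    print("lowered TTL: at flip", good[172800], "five minutes later", good[173100])
    print("TTL not lowered: five minutes after flip", bad[173100])
```

With the TTL lowered two days ahead, every cache has refetched with the 300-second TTL long before the flip, so five minutes after the change all of them answer with the new address. Without lowering, most caches still hold a day-long TTL at flip time and only a small fraction have moved five minutes later; the rest catch up over the following 24 hours.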

Useful Diagnostic Commands

# Query specific record type
dig example.com A
dig example.com MX +short

# Trace the full resolution path
dig +trace example.com

# Query a specific nameserver
dig @8.8.8.8 example.com

# Reverse DNS lookup
dig -x 93.184.216.34

# Check DNSSEC
dig +dnssec example.com

Pro Tip
Use dig +trace to see every step of the resolution process from root to authoritative. It bypasses your local cache and shows you exactly what the hierarchy returns at each level.

Test Yourself

Question 01
In a typical DNS resolution, what is the correct order of servers queried by the recursive resolver?
The resolver walks top-down: root servers point to TLD servers, which point to the authoritative nameservers for the domain.
Question 02
Which DNS record type is used for reverse lookups (IP to domain name)?
PTR (Pointer) records map IP addresses back to domain names. They live under the in-addr.arpa (IPv4) or ip6.arpa (IPv6) zones.
Question 03
Why can't you place a CNAME record at the zone apex (e.g., example.com)?
Per RFC 1034, a CNAME record means "this name is an alias; use the canonical name instead." It cannot coexist with any other record type at the same name. Since the zone apex must have SOA and NS records, a CNAME is forbidden there.
Question 04
What does DNSSEC provide?
DNSSEC adds cryptographic signatures to DNS records so resolvers can verify authenticity and integrity. It does not encrypt queries — that's what DoH and DoT are for.
Question 05
What networking technique allows all 13 root server addresses to serve from hundreds of physical locations worldwide?
Anycast allows multiple servers to share the same IP address. BGP routing directs each query to the nearest instance, providing low latency and resilience.
Question 06
Before migrating to a new server, you should:
Lowering the TTL before a migration ensures that when you change the IP, resolvers worldwide will pick up the new value quickly. You need to lower it before the change, because existing caches will hold the old TTL value until it expires.
Question 07
What makes DNS amplification attacks effective?
DNS uses UDP, which has no handshake, so the source IP can be spoofed. A 40-byte query can produce a 3000+ byte response (especially with DNSSEC or ANY queries), amplifying the traffic aimed at the victim.
Question 08
What is split-horizon DNS used for?
Split-horizon DNS returns different records depending on where the query comes from. Internal users get private IPs while external users get public IPs, commonly used in enterprise networks.
Question 09
Which TXT record mechanism declares which mail servers are authorized to send email on behalf of a domain?
SPF (Sender Policy Framework) specifies which IP addresses and servers are authorized to send email for a domain. DKIM handles message signing, DMARC ties them together with policy, and CAA is for certificate authority authorization (unrelated to email).