Skip to main content
Explainer · the fundamentals

How DNS works

Type a domain, the page loads — and in the 50 milliseconds between, a distributed directory designed in 1983 has walked a tree of servers around the world. Here is the whole journey, from the keystroke to the answer.

The directory that holds the internet together

Computers talk to each other using numeric IP addresses. People remember names — example.com, github.com, your bank's hostname. The Domain Name System is the global translation layer between the two, and almost every interaction with the internet starts with a DNS lookup.

DNS was designed by Paul Mockapetris in 1983 (RFC 882 / 883, later refined as RFC 1034 / 1035), replacing a flat HOSTS.TXT file that ARPANET sites had been downloading periodically from SRI. The original design — a tree of authority rooted at "." with delegations downward — has aged extraordinarily well. The same structure handles 14 trillion queries a day across hundreds of millions of domains in 2026.

The cast of characters

The walk, step by step

You type example.com in your address bar. Here's what happens in sequence, assuming nothing is cached anywhere:

  1. Browser asks the stub resolver. The stub probably hasexample.com cached already; assume it doesn't this time.
  2. Stub asks the configured recursive resolver. This is the1.1.1.1 / 8.8.8.8 / ISP resolver. Same — probably cached; assume not.
  3. Recursive resolver asks a root server: "Who handles .com?" The root server replies with the addresses of the .com TLD name servers (these are cached for hours anyway, but in principle this is where it starts).
  4. Recursive resolver asks a .com TLD server: "Who is authoritative for example.com?" The TLD server replies with the NS records — typically two to four name-server hostnames, plus their IPs (the "glue" records).
  5. Recursive resolver asks an authoritative server: "What's the A record for example.com?" The authoritative server consults its zone file and replies with the IP address (and a TTL).
  6. Recursive resolver caches the answer for the TTL the authoritative server set and returns it to the stub. The stub returns it to the browser.
  7. The browser finally opens a TCP connection to the IP.

In practice, steps 3–5 happen on a cold lookup once a day at most. Steps 3 and 4 have answers cached for hours; step 5's TTL is the most variable but typically minutes to hours. After the first lookup in a cache window, subsequent users get step 6 results from cache in single-digit milliseconds.

Order of magnitude: a fully cold lookup across continents takes 150–250 ms (mostly round-trip time); a typical lookup with intermediate caching takes 10–30 ms; a stub-cache hit is under 1 ms.

The record types you actually care about

The same hierarchy serves dozens of record types. The ones worth knowing:

IPFerret's DNS lookup tool queries any of these against Cloudflare's DoH endpoint, so you get the authoritative-side answer without going through your ISP's resolver.

Caching, TTLs, and the bite that comes with them

Every DNS answer carries a TTL — the number of seconds a downstream resolver should consider it valid before re-querying. Low TTLs (60–300 seconds) let you flip records fast for blue-green deployments. High TTLs (hours to days) reduce upstream load and speed up repeat lookups. The trade-offs:

The mitigation for the high-TTL trap is to drop the TTL before you make a change: 24 hours before a planned migration, drop to 300 seconds. During the migration, all resolvers stay within 5 minutes of the truth. After the dust settles, raise the TTL back to whatever you want.

Modern privacy and security: DoH, DoT, DNSSEC, ECH

When DNS quietly misbehaves

Related reading