What DNS Does
You type example.com. Your browser needs to know which IP address to connect to. DNS is the system that translates the human-friendly name into the machine-readable address.
It's also the source of about 30% of all serious internet outages. Understanding it makes you a better engineer.
The Hierarchy
DNS is a tree. Each level has different servers responsible for it:
Root servers (.) — 13 logical servers (anycasted to hundreds). They know about TLDs.
TLD servers (.com, .org, .io, .uk) — operated by registries. They know about second-level domains.
Authoritative nameservers for a domain — operated by you (or your provider). They have the actual records.
To resolve example.com, you ask:
1. A root server: "where do I find .com info?" → "Ask the .com TLD servers."
2. A .com TLD server: "where do I find example.com info?" → "Ask these specific nameservers."
3. The authoritative nameserver: "what's the A record for example.com?" → "93.184.216.34."
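The three-step walk above, as an added example that is not part of the original article: a tiny in-memory model of a root zone, a .com zone and the example.com zone, plus the referral-following loop a recursive resolver runs on a cache miss. Every server address is a constructed TEST-NET placeholder; only 93.184.216.34 comes from the article.

```python
"""Walking the DNS tree the way a recursive resolver does on a cache miss.

Added example, not from the article. The three zones and every server IP
below are constructed in memory (TEST-NET addresses, no network); only
93.184.216.34 is taken from the article's own example.
"""

# Each zone maps an owner name to (record type, value) pairs. NS values are
# nameserver hostnames; the A records for those hostnames are the "glue"
# a parent zone hands out so the resolver can reach the child's servers.
ROOT_ZONE = {
    "com.": [("NS", "a.gtld-servers.net.")],            # delegation of .com
    "a.gtld-servers.net.": [("A", "192.0.2.2")],        # glue (constructed IP)
}
COM_ZONE = {
    "example.com.": [("NS", "ns1.example.com.")],       # delegation of the domain
    "ns1.example.com.": [("A", "192.0.2.3")],           # glue (constructed IP)
}
EXAMPLE_ZONE = {
    "example.com.": [("A", "93.184.216.34")],
    "www.example.com.": [("CNAME", "example.com.")],
}

# The simulated network: which IP answers for which zone (all constructed).
ROOT_SERVER_IP = "192.0.2.1"
SERVERS = {"192.0.2.1": ROOT_ZONE, "192.0.2.2": COM_ZONE, "192.0.2.3": EXAMPLE_ZONE}


def query(server_ip, name, rtype):
    """One round trip to one server. Returns ("answer", values) when the
    server holds the record, ("cname", target) for an alias, ("referral", ip)
    when it only knows who to ask next, or ("nxdomain", []) otherwise."""
    zone = SERVERS[server_ip]
    if name in zone:
        values = [v for t, v in zone[name] if t == rtype]
        if values:
            return "answer", values
        aliases = [v for t, v in zone[name] if t == "CNAME"]
        if aliases:
            return "cname", aliases[0]
    # No answer here: find the closest enclosing delegation and hand out a
    # referral with glue, which is exactly what a root or TLD server does.
    labels = name.split(".")
    for i in range(len(labels) - 1):
        zone_cut = ".".join(labels[i:])
        nameservers = [v for t, v in zone.get(zone_cut, []) if t == "NS"]
        if nameservers:
            glue = [v for t, v in zone.get(nameservers[0], []) if t == "A"]
            return "referral", glue[0]
    return "nxdomain", []


def resolve(name, rtype, max_hops=10):
    """Start at the root and follow referrals down the tree. Returns the
    answer values and a trace of (server, name, reply kind), one per hop.
    A real resolver would cache the referrals it learned and ask the
    already-known authoritative server directly for a CNAME target; this
    model restarts from the root to keep the walk visible."""
    name = name if name.endswith(".") else name + "."
    server, trace = ROOT_SERVER_IP, []
    for _ in range(max_hops):
        kind, data = query(server, name, rtype)
        trace.append((server, name, kind))
        if kind == "answer":
            return data, trace
        if kind == "referral":
            server = data                          # one level down the tree
        elif kind == "cname":
            name, server = data, ROOT_SERVER_IP    # resolve the target from scratch
        else:
            return [], trace
    raise RuntimeError("too many referrals; delegation loop?")  # hop limit guards against loops


if __name__ == "__main__":
    values, trace = resolve("example.com", "A")
    for server, qname, kind in trace:
        print(f"asked {server} about {qname}: {kind}")
    print("answer:", values)
```

Running it prints the three hops from the text (root referral, .com referral, authoritative answer); resolving www.example.com shows the extra CNAME round trip, and a name with no records ends in an nxdomain from the authoritative server rather than somewhere up the tree.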
The Resolver
You don't actually do those three lookups yourself. You ask a recursive resolver (your ISP's, or 1.1.1.1, or 8.8.8.8). It does the recursive work for you. It also caches results for the duration of the TTL.
Most queries hit the resolver's cache and never reach the authoritative servers.
Record Types
The DNS database has many record types. The common ones:
A: IPv4 address. example.com -> 93.184.216.34.
AAAA: IPv6 address.
CNAME: alias to another name. www.example.com -> example.com.
MX: mail server for the domain.
TXT: arbitrary text. Used for SPF, DKIM, domain ownership verification, all sorts of things.
NS: which servers are authoritative for this domain.
SOA: "start of authority" metadata about the zone.
CAA: which certificate authorities can issue certs for this domain.
SRV: service records. Used by SIP, XMPP, Kerberos.
TTL and Caching
Every DNS record has a Time To Live in seconds. Resolvers cache the answer for that duration. Setting it right is a balance:
Short TTL (60-300s): changes propagate fast. Bad for performance and cost (more queries).
Long TTL (24h+): changes take forever to roll out. But fast and cheap normally.
Best practice: long TTL by default; lower it for a few hours before a planned change so the change can roll out quickly, then raise it again.
The "DNS Propagation" Confusion
People say "DNS is propagating" when they change a record. Technically, DNS doesn't push changes anywhere. The change takes effect immediately at your authoritative server. What "propagation" means is: caches around the world still have the old value until their TTL expires.
So if your TTL was 24 hours, the change can take up to 24 hours to be seen by users whose resolver cached the old value just before you changed it.
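A simulation of the TTL trade-off and the "propagation" effect described in the two sections above, added here as an example and not part of the original article. It models one authoritative zone and one caching resolver in simulated seconds (constructed addresses, no network), measures how long the resolver keeps serving a stale answer after a change, and compares that with the lower-the-TTL-first procedure.

```python
"""Why a record change 'propagates': each resolver keeps serving its cached
answer until that answer's TTL runs out. Added example, not from the article;
time is simulated in seconds and the addresses are constructed.
"""

NAME = "example.com."
OLD_IP, NEW_IP = "192.0.2.10", "192.0.2.20"   # constructed addresses


class Authoritative:
    """Your zone. A change here is visible immediately to anyone who asks."""

    def __init__(self, value, ttl):
        self.value, self.ttl = value, ttl

    def answer(self):
        return self.value, self.ttl


class Resolver:
    """A recursive resolver: cache keyed by name, each entry valid until its
    expiry. Nothing is pushed to it; it only re-asks when the entry expires."""

    def __init__(self, authoritative):
        self.auth = authoritative
        self.cache = {}              # name -> (value, expires_at)
        self.upstream_queries = 0

    def lookup(self, name, now):
        cached = self.cache.get(name)
        if cached and now < cached[1]:
            return cached[0]         # cache hit: the authoritative never hears about it
        value, ttl = self.auth.answer()
        self.upstream_queries += 1
        self.cache[name] = (value, now + ttl)
        return value


def delay_until_change_visible(old_ttl, change_at, lower_ttl=None, lower_at=None, step=60):
    """One resolver caches the record at t=0 with old_ttl. Optionally the
    authoritative TTL is lowered to lower_ttl at lower_at (the article's
    'lower it before the change' step). The address changes at change_at.
    Returns the seconds between the change and this resolver first returning
    NEW_IP, i.e. how long its users kept getting the stale answer."""
    auth = Authoritative(OLD_IP, old_ttl)
    resolver = Resolver(auth)
    for now in range(0, change_at + old_ttl + step, step):
        if lower_ttl is not None and now == lower_at:
            auth.ttl = lower_ttl
        if now == change_at:
            auth.value = NEW_IP
        if resolver.lookup(NAME, now) == NEW_IP:
            return now - change_at
    return None


def upstream_fraction(ttl, query_interval, duration):
    """Share of client queries that actually reach the authoritative server
    when one resolver is asked every query_interval seconds for duration."""
    resolver = Resolver(Authoritative(OLD_IP, ttl))
    total = 0
    for now in range(0, duration, query_interval):
        resolver.lookup(NAME, now)
        total += 1
    return resolver.upstream_queries / total


if __name__ == "__main__":
    day = 86400
    print("24h TTL, change one hour after the resolver cached, no preparation:",
          delay_until_change_visible(day, 3600), "s of stale answers")
    print("24h TTL lowered to 300s right after caching, change made 25h later:",
          delay_until_change_visible(day, 90120, lower_ttl=300, lower_at=60), "s")
    print("fraction of queries reaching the authoritative with a 1h TTL:",
          upstream_fraction(3600, 60, day))
```

Two things the numbers make concrete: lowering the TTL only helps once the old, long-lived entry has expired and resolvers have re-fetched the record with the short TTL, so the lead time has to be at least one old TTL, not just "a few hours"; and with a one-hour TTL and a query a minute, only one query in sixty leaves the resolver, which is the performance and cost side of the trade-off.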
DNS Over UDP (Mostly)
DNS queries are tiny. Over UDP, no handshake needed. One packet out, one packet in. Sub-millisecond if the resolver's cache has it.
For larger responses (DNSSEC, big TXT records), a UDP reply that doesn't fit comes back with the truncated (TC) flag set and the client retries the query over TCP.
Modern alternatives: DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) encrypt DNS queries to prevent eavesdropping. Increasingly the default in browsers.
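To make the "one packet out, one packet in" format and the record types from the earlier section concrete, here is an added example (not code from the article) that builds a query datagram and parses a reply at the wire level with only the standard library. The reply it parses is constructed in the block rather than captured from a server; the IPv6, MX and TXT values are placeholders, and the A address is the one quoted in the text. The parser bounds compression pointers to backward references with a hop limit, the check a defender wants in anything that parses untrusted DNS.

```python
"""Building a DNS query and parsing the reply at the wire level: one UDP
datagram out, one back. Added example, not from the article. The reply it
parses is constructed here (not captured from a real server); the IPv6,
MX and TXT values are placeholders, the A address is the one in the text.
"""
import socket
import struct

TYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}
QTYPE = {v: k for k, v in TYPES.items()}


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qid, name, rtype):
    """12-byte header (flags 0x0100 = recursion desired), then one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[rtype], 1)


def read_name(msg, off):
    """Decode a name at off, following compression pointers (top two bits set).
    Returns (name, offset just past the name where it started). Pointers may
    only point backwards and are hop-limited, so a hostile message cannot
    send the parser into a loop."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off or hops > 16:
                raise ValueError("bad compression pointer")
            end = end if end is not None else off + 2
            off, hops = ptr, hops + 1
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Return id, rcode and a list of (name, type, ttl, value) answers."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):                       # skip the echoed question
        _, off = read_name(msg, off)
        off += 4                                   # qtype + qclass
    answers = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, rtype = msg[off:off + rdlen], TYPES.get(rtype, str(rtype))
        if rtype == "A":
            value = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == "AAAA":
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        elif rtype in ("CNAME", "NS"):
            value = read_name(msg, off)[0]         # may use pointers into msg
        elif rtype == "MX":                        # preference, then a name
            value = (struct.unpack("!H", rdata[:2])[0], read_name(msg, off + 2)[0])
        elif rtype == "TXT":                       # one or more <len><chars> strings
            parts, i = [], 0
            while i < rdlen:
                parts.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii"))
                i += 1 + rdata[i]
            value = "".join(parts)
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
        off += rdlen
    return {"id": qid, "rcode": flags & 0x0F, "answers": answers}


def rr(owner, rtype, ttl, rdata):
    return owner + struct.pack("!HHIH", QTYPE[rtype], 1, ttl, len(rdata)) + rdata


def constructed_response(query):
    """A reply a server could send for `query` (constructed, not captured).
    The question name sits at offset 12, so every answer uses the pointer
    0xC00C to it instead of spelling it out again."""
    qid, ptr = query[:2], b"\xc0\x0c"
    answers = [
        rr(ptr, "A", 3600, socket.inet_pton(socket.AF_INET, "93.184.216.34")),
        rr(ptr, "AAAA", 3600, socket.inet_pton(socket.AF_INET6, "2001:db8::1")),
        rr(ptr, "MX", 300, struct.pack("!H", 10) + b"\x04mail" + ptr),
        rr(ptr, "TXT", 300, bytes([11]) + b"v=spf1 -all"),
    ]
    header = qid + struct.pack("!HHHHH", 0x8180, 1, len(answers), 0, 0)  # QR, RD, RA, rcode 0
    return header + query[12:] + b"".join(answers)


def query_over_udp(name, rtype, server="1.1.1.1", timeout=2.0):
    """The live version of the same exchange: one datagram each way (needs network)."""
    q = build_query(0x1234, name, rtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)
```

`parse_response(constructed_response(build_query(0x1234, "example.com", "A")))` yields the four records with their TTLs; `query_over_udp` sends the same 29-byte query to a real resolver and parses whatever comes back, with `rcode` 3 meaning NXDOMAIN. A production parser would also match the reply's id and question against the query before trusting it, and handle the TC flag by retrying over TCP as described above.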
Common Patterns
GeoDNS
The authoritative server returns different IPs based on the resolver's geographic location. example.com might resolve to a US server for US users and an EU server for EU users. CDNs use this heavily.
Round-robin DNS
Multiple A records for the same name. Resolvers see the list, often pick randomly. Crude load balancing.
Health-checked DNS
The authoritative server only returns IPs of currently-healthy backends. Failed servers get pulled out of rotation automatically.
Why DNS Causes Outages
Misconfiguration: a wrong record, or NS records that point at the wrong nameservers, can make your site disappear globally for hours.
TTL miscalculation: long TTLs mean a wrong record lingers in caches everywhere, so the correction rolls out just as slowly as the mistake did.
Provider issues: an outage at a provider such as Cloudflare, AWS Route 53, or Dyn cascades to every domain hosted there. The October 2016 Dyn outage took down half the internet.
DDoS: flooding DNS servers with queries can knock entire domains offline.
Domain expiration: forget to renew, your domain stops working. Companies have lost millions this way.
Best Practices
Use multiple DNS providers, with both providers' nameservers listed in your NS records, so that if one provider goes down the others still answer. This only works if the zone data is kept identical at every provider.
Enable DNSSEC if you can. Cryptographic signatures let validating resolvers detect forged or tampered answers.
Monitor your DNS. Alert if records change unexpectedly or queries fail.
Set sane TTLs. Default 1-24 hours, lower briefly before planned changes.
Auto-renew domains. The cost of forgetting is enormous.
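The best-practice list above turned into checks a monitor could run, as an added example that is not part of the original article. The zone snapshot, the expected records and the nameserver names are constructed; treating the last two labels of an NS hostname as its "provider" is a simplifying assumption, and the TTL range and expiry warning threshold are the article's own suggested values.

```python
"""Turning the best-practice list into checks a monitor can run over a zone
snapshot. Added example, not from the article. The snapshot, the expected
records and the nameserver names are constructed; treating the last two
labels of an NS hostname as its "provider" is a simplifying assumption.
"""
from datetime import date

TTL_MIN, TTL_MAX, EXPIRY_WARN_DAYS = 60, 86400, 30   # "sane TTLs", renew in time

# What the zone should look like (say, the copy kept in version control).
EXPECTED = [
    ("example.com.", "NS",  86400, "ns1.provider-a.example."),
    ("example.com.", "NS",  86400, "ns1.provider-b.example."),
    ("example.com.", "A",   3600,  "192.0.2.5"),
    ("example.com.", "MX",  3600,  "10 mail.example.com."),
    ("example.com.", "TXT", 3600,  "v=spf1 -all"),
    ("example.com.", "CAA", 3600,  '0 issue "ca.example"'),
]
# Constructed observation: second provider gone, CAA missing, A changed, TTL too low.
OBSERVED = [
    ("example.com.", "NS",  86400, "ns1.provider-a.example."),
    ("example.com.", "NS",  86400, "ns2.provider-a.example."),
    ("example.com.", "A",   30,    "192.0.2.10"),
    ("example.com.", "MX",  3600,  "10 mail.example.com."),
    ("example.com.", "TXT", 3600,  "v=spf1 -all"),
]


def provider_of(nameserver):
    """Heuristic: the registrable part of the NS hostname names the provider."""
    return ".".join(nameserver.rstrip(".").split(".")[-2:])


def by_key(records):
    """Group values by (owner, type) so record sets compare ignoring order and TTL."""
    groups = {}
    for name, rtype, _, value in records:
        groups.setdefault((name, rtype), set()).add(value)
    return groups


def check_zone(observed, expected, today, expires_on):
    """Return (code, detail) findings; an empty list means the zone is healthy."""
    findings = []
    providers = {provider_of(v) for _, t, _, v in observed if t == "NS"}
    if len(providers) < 2:                         # one provider outage takes you down
        findings.append(("SINGLE_PROVIDER", f"all NS at {sorted(providers)}"))
    if not any(t == "CAA" for _, t, _, _ in observed):
        findings.append(("NO_CAA", "no CAA record: issuance is not restricted to your CA"))
    for name, rtype, ttl, _ in observed:
        if not TTL_MIN <= ttl <= TTL_MAX:
            findings.append(("TTL_OUT_OF_RANGE", f"{name} {rtype} ttl={ttl}"))
    want, have = by_key(expected), by_key(observed)
    for key in sorted(want.keys() | have.keys()):  # unexpected change = alert
        w, h = want.get(key, set()), have.get(key, set())
        if w != h:
            findings.append(("DRIFT", f"{key[0]} {key[1]} expected={sorted(w)} observed={sorted(h)}"))
    days_left = (expires_on - today).days
    if days_left < EXPIRY_WARN_DAYS:
        findings.append(("EXPIRY_SOON", f"domain expires in {days_left} days"))
    return findings


if __name__ == "__main__":
    for code, detail in check_zone(OBSERVED, EXPECTED, date.today(), date(2030, 1, 1)):
        print(f"{code}: {detail}")
```

Feed it records fetched from each of your nameservers (not just a resolver's cached view) and the registrar's expiry date, and every finding maps onto one line of the list above: provider redundancy, CAA, TTL sanity, unexpected record changes, and renewal.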
The One Thing to Remember
DNS is older than HTTP, simpler than it looks, and more central to internet reliability than you'd think. Most "is the site down?" questions are actually "is DNS resolving correctly?" Understanding the hierarchy (root, TLD, authoritative), TTLs, and the most common record types makes you a better debugger of internet problems. And makes you appreciate how much could go wrong.