How DNS Works
The Domain Name System (DNS) translates human-readable domain names like example.com into numeric IP addresses that computers use to find each other. Every time you visit a website, a chain of DNS queries runs behind the scenes to turn the name you typed into an address your browser can connect to.
The DNS Hierarchy
DNS is organized as an inverted tree. Each level delegates authority to the level below it:
- Root zone — the top of the tree, represented by a dot (.). Operated by 13 root server clusters distributed worldwide
- TLD nameservers — each top-level domain (.com, .de, .org) has its own set of nameservers maintained by the registry
- Authoritative nameservers — the nameservers that hold the actual DNS records for a specific domain. When you register a domain and configure DNS through Sitequest, our nameservers become the authoritative source for your domain
The Resolution Process
When your browser needs to reach example.com, the following steps happen:
- Local cache check — your operating system checks whether it already knows the IP address from a recent lookup. If so, it uses the cached result immediately
- Recursive resolver — if the address is not cached, the request goes to a recursive resolver (usually provided by your ISP or a public service like 1.1.1.1 or 8.8.8.8). The resolver's job is to chase down the answer
- Root server query — the resolver asks a root server: "Where can I find nameservers for .com?" The root server responds with a referral to the .com TLD nameservers
- TLD query — the resolver asks the .com TLD nameserver: "Where can I find nameservers for example.com?" The TLD responds with the authoritative nameservers for that domain
- Authoritative query — the resolver asks the authoritative nameserver: "What is the A record for example.com?" The nameserver replies with the IP address (e.g., 93.184.216.34)
- Response — the resolver sends the IP address back to your browser. Your browser opens a connection to that IP and loads the page
Most of this chain is skipped in practice because resolvers cache answers aggressively. A domain that gets frequent traffic will usually be resolved from cache in under a millisecond.
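To make the referral chain and the resolver cache concrete, here is an added Python simulation (not code from this article or from Sitequest). It models a recursive resolver walking root -> TLD -> authoritative over a constructed in-memory hierarchy, then answering the same query from cache until the record's TTL expires; the server names and the TTL are assumed values.

```python
import time

# Constructed toy hierarchy (assumed data, not real servers). Each server
# either answers a name with (ip, ttl_seconds) or refers the resolver to the
# nameserver responsible for the closest enclosing zone it knows about.
SERVERS = {
    "root.":            {"referrals": {"com.": "tld.com.example."}},
    "tld.com.example.": {"referrals": {"example.com.": "ns1.example.com."}},
    "ns1.example.com.": {"answers": {"example.com.": ("93.184.216.34", 3600)}},
}

def in_zone(name, zone):
    """True if name is zone itself or a subdomain of zone (label-aware)."""
    return name == zone or name.endswith("." + zone)

class Resolver:
    """Minimal recursive resolver: iterative referral chasing plus a TTL cache."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable clock so expiry can be tested
        self.cache = {}             # name -> (ip, expires_at)

    def resolve(self, name):
        """Return (ip, trace); trace lists each server consulted, or ['cache']."""
        now = self.clock()
        hit = self.cache.get(name)
        if hit and hit[1] > now:    # still within TTL: no network at all
            return hit[0], ["cache"]
        trace, server = [], "root."
        while True:
            trace.append(server)
            data = SERVERS[server]
            if name in data.get("answers", {}):
                ip, ttl = data["answers"][name]
                self.cache[name] = (ip, now + ttl)   # cache for TTL seconds
                return ip, trace
            for zone, ns in data.get("referrals", {}).items():
                if in_zone(name, zone):
                    server = ns     # follow the referral one level down
                    break
            else:
                raise LookupError(f"{server} has no referral for {name}")

if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("example.com."))   # full chain on the first lookup
    print(r.resolve("example.com."))   # served from cache on the second
```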
Record Types
DNS supports many record types, each serving a different purpose:
| Type | Purpose | Example |
|---|---|---|
| A | Maps a domain to an IPv4 address | example.com -> 93.184.216.34 |
| AAAA | Maps a domain to an IPv6 address | example.com -> 2606:2800:... |
| CNAME | Alias that points to another domain name | www -> example.com |
| MX | Directs email to a mail server | mail.example.com priority 10 |
| TXT | Arbitrary text, used for verification and SPF | v=spf1 include:... |
| NS | Delegates a zone to specific nameservers | ns1.example.com |
| SOA | Start of authority — zone metadata | Serial, refresh, retry, expire |
For a hands-on guide to managing these records, see DNS Records.
TTL (Time to Live)
Every DNS record has a TTL value — the number of seconds that a resolver is allowed to cache that record before it must check again. Common values:
- 300 seconds (5 minutes) — good for records that change frequently, like during a migration
- 3600 seconds (1 hour) — a reasonable default for most records
- 86400 seconds (24 hours) — appropriate for stable records that rarely change
Lower TTL means faster propagation when you make changes, but generates more DNS queries. Higher TTL reduces query load but means changes take longer to propagate.
Tip: Before migrating a domain to a new server, lower the TTL to 300 seconds a day in advance. After the migration is complete and verified, raise it back to 3600 or higher.
DNS Propagation
When you update a DNS record, the change does not take effect everywhere simultaneously. Resolvers around the world have cached the old record and will continue serving it until the TTL expires. This gradual rollout is called propagation.
Propagation time depends on the previous TTL value. If the old record had a TTL of 86400 (24 hours), some resolvers may serve the old IP for up to 24 hours after the change. This is why lowering TTL before planned changes is important.
In practice, most users see the new record within minutes to a few hours.
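The worst-case propagation window depends on both the old TTL and how far ahead of the change the TTL was lowered. The following added Python helper (not from this article) works that out for the migration tip above; the timestamps are assumed inputs in seconds.

```python
def worst_case_propagation(old_ttl, new_ttl, ttl_lowered_at, record_changed_at):
    """Seconds after record_changed_at until every TTL-honouring resolver has
    dropped the old value.

    A resolver that cached the record just before the TTL was lowered keeps
    the old value until ttl_lowered_at + old_ttl; one that cached it just
    before the record changed keeps it until record_changed_at + new_ttl.
    Whichever is later bounds the propagation window.
    """
    if record_changed_at < ttl_lowered_at:
        raise ValueError("lower the TTL before changing the record")
    stale_until = max(ttl_lowered_at + old_ttl, record_changed_at + new_ttl)
    return stale_until - record_changed_at

if __name__ == "__main__":
    # Constructed scenarios, old TTL 86400, new TTL 300 (seconds).
    for lead in (86400, 3600, 0):
        window = worst_case_propagation(86400, 300, 0, lead)
        print(f"TTL lowered {lead}s before the change: worst case {window}s")
```

Lowering the TTL a full old-TTL period ahead (a day for an 86400 record) brings the window down to the new TTL; lowering it only an hour ahead still leaves almost a day.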
Caching Layers
DNS answers are cached at multiple levels:
- Browser cache — browsers cache DNS results for a short time (often 60 seconds)
- Operating system cache — the OS maintains its own DNS cache
- Recursive resolver cache — your ISP's resolver caches answers according to TTL
- Authoritative server cache — some authoritative servers cache results from upstream sources
Each layer reduces load on the next and speeds up resolution for repeated lookups.
DNS Security
Standard DNS queries are sent in plain text and are vulnerable to interception and tampering. Several technologies address this:
- DNSSEC — digitally signs DNS records so resolvers can verify they have not been tampered with. See DNSSEC Explained for details
- DNS over HTTPS (DoH) — encrypts DNS queries inside HTTPS connections
- DNS over TLS (DoT) — encrypts DNS queries using TLS
DNSSEC protects data integrity (records have not been altered). DoH and DoT protect privacy (queries cannot be read in transit). They address different threats and can be used together.
Next Steps
- Manage DNS records for your domains in the Sitequest dashboard
- Learn about DNSSEC and how it protects your domain
- Register a domain and configure its DNS