Purpose of DNS – Domain Name System Explained

1. What Is DNS?

DNS (Domain Name System) is the internet's distributed naming system — a global database that translates human-readable domain names (like google.com) into machine-readable IP addresses (like 142.250.190.46) that computers use to route traffic across the internet.

Without DNS, you would have to memorise a unique numeric IP address for every website, email server, and internet service you use. DNS makes the internet usable for humans by creating a consistent, globally accessible layer of naming on top of the underlying numeric addressing system.

  Without DNS:                      With DNS:
  To visit Google, type:            To visit Google, type:
  142.250.190.46                    google.com
  (or 2a00:1450:4009:82c::200e)     ↓ DNS resolves it
  Hard to remember ❌               142.250.190.46 ✅

DNS uses UDP port 53 for standard queries and responses. It switches to TCP port 53 for responses larger than 512 bytes (zone transfers, large DNSSEC responses) and for zone transfers (AXFR). Both UDP and TCP port 53 must be allowed through firewalls for DNS to function correctly. See Common Port Numbers for the full port reference.

2. Why the Internet Needs DNS

DNS solves several fundamental problems that would make the internet unworkable without it:

Problem Without DNS	How DNS Solves It
Humans cannot reliably memorise numeric IP addresses (e.g., 172.217.3.110)	DNS maps memorable names (google.com) to IPs — users never need to know the number
IP addresses can change when servers migrate to new hardware or cloud providers	The domain name stays constant — only the DNS record needs updating, invisibly to users
A single server cannot handle global traffic reliably	DNS enables load balancing — one domain can map to dozens of IPs distributed worldwide
Different services (web, email, FTP) on the same domain need separate routing	Different DNS record types (A, MX, CNAME) route each service to the right server
Centralising all name records in one database would not scale globally	DNS is distributed and hierarchical — billions of queries handled through delegation
Repeatedly looking up the same domain wastes bandwidth and adds latency	DNS caching stores recent answers for their TTL duration — dramatically reducing lookups

3. The DNS Hierarchy — How It Is Structured

DNS is organised as an inverted tree with the root zone at the top. Every domain name is read right-to-left through the hierarchy — from the most general (root) to the most specific (hostname).

                           . (root)
                           │
               ┌───────────┼───────────┐
             .com         .org        .uk   ← Top-Level Domains (TLDs)
               │
        ┌──────┼──────┐
    google   example  cisco             ← Second-Level Domains
        │
    ┌───┼────┐
   www mail  api                        ← Subdomains (hostnames)

  Full name: www.google.com.
  Read right-to-left: root(.) → com → google → www

Domain Name Anatomy

Part	Example	Description
Root label	`.` (trailing dot)	The invisible root of all domain names. Technically every FQDN ends with a dot (e.g., `www.example.com.`) — usually omitted in everyday use
Top-Level Domain (TLD)	`com`, `org`, `uk`	Generic TLDs (gTLD: .com, .net, .org) or country codes (ccTLD: .uk, .de, .jp). Managed by ICANN-accredited registries
Second-Level Domain (SLD)	`example` in example.com	The name registered by the domain owner with a registrar
Subdomain	`www`, `mail`, `api`	Created by the domain owner in their DNS zone — unlimited nesting allowed
FQDN	`www.example.com.`	Fully Qualified Domain Name — the complete unambiguous name including all labels

4. Types of DNS Servers — Their Roles

Server Type	Role	Location in Hierarchy	Examples
Root Nameserver	Answers queries about TLD server locations. Does not know specific domain IPs — only knows which servers handle each TLD	Top of hierarchy	13 root server clusters: a.root-servers.net through m.root-servers.net (actually hundreds of anycast nodes globally)
TLD Nameserver	Manages a top-level domain — knows which authoritative servers handle each registered domain within the TLD	Second level	Verisign runs .com/.net TLDs (a.gtld-servers.net). Nominet runs .uk
Authoritative Nameserver	Holds the actual DNS zone records — the definitive source for a domain's A, MX, CNAME, TXT records etc. Returns the aa (authoritative answer) flag	Bottom of hierarchy	ns1.example.com, Cloudflare DNS, AWS Route 53, GoDaddy nameservers
Recursive Resolver	The "workhorse" — receives client queries, walks the entire hierarchy (root → TLD → authoritative) on the client's behalf, caches results	Between client and hierarchy	8.8.8.8 (Google), 1.1.1.1 (Cloudflare), 9.9.9.9 (Quad9), ISP DNS
Forwarding Resolver	Passes all queries upstream to another resolver rather than doing its own recursive resolution. Common in home routers and corporate networks	Between client and recursive resolver	Home router at 192.168.1.1 forwarding to 8.8.8.8

The 13 root servers explained: There are only 13 root server addresses (a through m), but these are served by hundreds of physical servers worldwide using anycast routing — your query is automatically routed to the nearest instance. The root zone is not a single server; it is a globally distributed system.

5. How DNS Works — Complete Step-by-Step Resolution

Every time a device needs to connect to a hostname it hasn't recently looked up, the following sequence occurs. Modern systems are optimised to short-circuit this at the earliest cache hit — only uncached, fresh queries go all the way to the authoritative server.

  User types: www.example.com

  ┌─────────────────────────────────────────────────────────────┐
  │ 1. OS checks local hosts file                               │
  │    /etc/hosts (Linux/Mac) or                                │
  │    C:\Windows\System32\drivers\etc\hosts (Windows)          │
  │    → Match? Use it immediately. Done.                       │
  └──────────────────────┬──────────────────────────────────────┘
                         │ No match
  ┌──────────────────────▼──────────────────────────────────────┐
  │ 2. OS checks local DNS resolver cache                       │
  │    Previous lookup still within TTL? Use cached IP. Done.  │
  └──────────────────────┬──────────────────────────────────────┘
                         │ Cache miss / expired
  ┌──────────────────────▼──────────────────────────────────────┐
  │ 3. Query sent to Recursive Resolver (e.g., 8.8.8.8)        │
  │    Resolver checks its own cache first                      │
  │    Cache hit? Return immediately to client. Done.           │
  └──────────────────────┬──────────────────────────────────────┘
                         │ Resolver cache miss
  ┌──────────────────────▼──────────────────────────────────────┐
  │ 4. Resolver queries a Root Server                           │
  │    "Who handles .com?"                                      │
  │    Root returns: a.gtld-servers.net (the .com TLD server)   │
  └──────────────────────┬──────────────────────────────────────┘
                         │
  ┌──────────────────────▼──────────────────────────────────────┐
  │ 5. Resolver queries the .com TLD Server                     │
  │    "Who handles example.com?"                               │
  │    TLD returns: ns1.example.com (authoritative NS)          │
  └──────────────────────┬──────────────────────────────────────┘
                         │
  ┌──────────────────────▼──────────────────────────────────────┐
  │ 6. Resolver queries ns1.example.com (Authoritative Server)  │
  │    "What is the A record for www.example.com?"              │
  │    Authoritative returns: 93.184.216.34 (aa flag set)       │
  └──────────────────────┬──────────────────────────────────────┘
                         │
  ┌──────────────────────▼──────────────────────────────────────┐
  │ 7. Resolver caches answer for TTL seconds                   │
  │    Returns 93.184.216.34 to client                          │
  │    Client OS caches it                                      │
  │    Browser connects to 93.184.216.34:443 (HTTPS)           │
  └─────────────────────────────────────────────────────────────┘

  Total time: typically 20–100ms for uncached queries,
              under 1ms for cached responses

6. DNS Record Types — Complete Reference

Record	Full Name	Purpose	Example
A	Address	Maps hostname to IPv4 address — the most fundamental record type	`example.com. A 93.184.216.34`
AAAA	IPv6 Address	Maps hostname to IPv6 address — the 128-bit equivalent of A records	`example.com. AAAA 2606:2800:220:1:248:1893:25c8:1946`
CNAME	Canonical Name	Creates an alias — maps one hostname to another hostname (not IP directly)	`www.example.com. CNAME example.com.`
MX	Mail Exchange	Specifies mail servers for a domain with priority values (lower = preferred)	`example.com. MX 10 mail.example.com.`
TXT	Text	Arbitrary text — used for SPF (sender policy), DKIM (email signing), DMARC, domain ownership verification	`example.com. TXT "v=spf1 include:_spf.google.com ~all"`
NS	Name Server	Specifies which authoritative nameservers hold the DNS zone for this domain	`example.com. NS ns1.example.com.`
PTR	Pointer	Reverse DNS — maps an IP address back to a hostname (used for email, logging)	`34.216.184.93.in-addr.arpa. PTR example.com.`
SOA	Start of Authority	Zone metadata — primary NS, admin email, serial number, refresh/retry/expire timers	`example.com. SOA ns1.example.com. admin.example.com. 2024041544 7200 3600 1209600 3600`
SRV	Service Locator	Locates services (SIP, XMPP, Microsoft AD) by protocol and port number	`_sip._tcp.example.com. SRV 10 20 5060 sip.example.com.`
CAA	Certification Authority Authorisation	Restricts which Certificate Authorities can issue SSL certificates for the domain	`example.com. CAA 0 issue "letsencrypt.org"`

7. DNS Caching — Why It Matters

Every DNS answer includes a TTL (Time To Live) value in seconds. Resolvers and client operating systems cache the answer for the duration of the TTL before querying again. Caching is fundamental to DNS scalability — without it, every single web request would require 3+ lookups across multiple servers worldwide.

! dig shows TTL in the ANSWER section:
$ dig google.com

;; ANSWER SECTION:
google.com.   52    IN   A   142.250.190.46
              ↑
              TTL = 52 seconds remaining until this cache entry expires
              (Google uses 60-second TTL for load balancing flexibility)

Levels of DNS Caching

Cache Location	Who Controls It	How to Clear
Browser DNS cache	Browser itself (Chrome, Firefox keep their own cache)	Chrome: `chrome://net-internals/#dns` → Clear host cache
OS resolver cache	Operating system	Windows: `ipconfig /flushdns` \| Linux: `sudo systemd-resolve --flush-caches` \| macOS: `sudo dscacheutil -flushcache`
Recursive resolver cache	ISP / public DNS provider (8.8.8.8, 1.1.1.1)	Cannot flush externally — must wait for TTL to expire
Authoritative server cache	Domain owner / DNS hosting provider	Update the record — cached copies expire when TTL expires

DNS change not propagating? If you update an A record and some users still see the old IP, their recursive resolver still has the old record cached. You cannot force external resolvers to flush their cache — you must wait for the TTL to expire. This is why lowering TTL well before a planned IP change (ideally 24–48 hours ahead) is best practice.

8. Real-World DNS Examples

Example 1 — Browsing a Website

You type https://www.netflix.com in a browser:

OS queries resolver → resolver walks DNS hierarchy
Authoritative server returns: www.netflix.com CNAME www.netflix.com.edgesuite.net.
Resolver follows CNAME to Akamai CDN → returns closest edge server IP
Browser connects to nearest Netflix CDN node — video streams from geographically close infrastructure

DNS here enables global CDN routing — without DNS, all users would connect to a single origin server.

Example 2 — Sending Email

You send an email to [email protected]:

Your mail server asks DNS: "What are the MX records for gmail.com?"

DNS returns five MX records with priorities:

gmail.com.  IN MX  5   gmail-smtp-in.l.google.com.
gmail.com.  IN MX  10  alt1.gmail-smtp-in.l.google.com.
gmail.com.  IN MX  20  alt2.gmail-smtp-in.l.google.com.
gmail.com.  IN MX  30  alt3.gmail-smtp-in.l.google.com.
gmail.com.  IN MX  40  alt4.gmail-smtp-in.l.google.com.

Your mail server connects to priority 5 server first (lowest = highest preference)
If that server is unavailable, it falls back to priority 10, then 20, etc.

MX records provide automatic mail server failover — DNS enables email redundancy.

Example 3 — Internal Corporate DNS

A company runs an internal DNS server for corp.local:

sharepoint.corp.local.   A    192.168.10.50
hr-portal.corp.local.    A    192.168.10.60
mail.corp.local.         A    192.168.10.70
printers.corp.local.     A    192.168.10.80

Employees access internal resources by name (sharepoint.corp.local) instead of IP. The corporate DNS server handles .corp.local queries locally and forwards all other queries to a public resolver (8.8.8.8) for internet names.

9. DNSSEC — DNS Security Extensions

DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records, allowing resolvers to verify that responses are authentic and have not been tampered with in transit. It protects against DNS cache poisoning attacks.

The Problem DNSSEC Solves — Cache Poisoning

In a DNS cache poisoning attack, an attacker injects a forged DNS response into a resolver's cache before the legitimate response arrives. The resolver caches the attacker's IP for the domain — redirecting all queries to a malicious server (phishing site, man-in-the-middle) for the duration of the TTL.

  Without DNSSEC (cache poisoning attack):
  Client → Resolver → [attacker intercepts]
  Attacker sends forged: "bank.com = 198.51.100.1" (malicious IP)
  Resolver caches the fake IP → All clients redirected to phishing site

  With DNSSEC (protected):
  bank.com's DNS records are signed with a private key
  Resolver verifies signature using the published public key (DNSKEY record)
  If signature invalid → query rejected → client not redirected
  If signature valid   → ad (Authenticated Data) flag set in response

DNSSEC Components

Record Type	Purpose
`DNSKEY`	Published public key used to verify signatures
`RRSIG`	Cryptographic signature over each DNS record set
`DS`	Delegation Signer — links parent zone (TLD) to child zone's DNSKEY
`NSEC/NSEC3`	Authenticated denial of existence — proves a record does not exist (prevents zone enumeration)

DNSSEC does not encrypt DNS traffic — it only provides authentication and integrity. Queries and responses are still visible to observers. For encryption, DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) are used — these encrypt the entire DNS query, hiding it from ISPs and network observers.

10. DNS vs. DHCP — Key Differences

DNS and DHCP are both fundamental infrastructure protocols but serve completely different purposes. They are often confused because both are configured on the same router or server in small networks.

Feature	DNS	DHCP
Primary purpose	Translates domain names to IP addresses (name resolution)	Assigns IP addresses and network configuration to devices (address management)
Transport & ports	UDP/TCP port 53	UDP port 67 (server), port 68 (client)
Protocol standard	RFC 1034/1035 (and many extensions)	RFC 2131
What it gives a client	IP address for a hostname (e.g., google.com → 142.250.190.46)	The client's own IP address, subnet mask, default gateway, and DNS server IPs
Direction of query	Name → IP (and IP → Name for reverse DNS)	Client broadcasts, server assigns from a pool
Scope	Global — resolves names across the entire internet	Local — assigns addresses within a subnet
Relationship	DHCP delivers the DNS server address to clients (DHCP Option 6)	DHCP relies on DNS for clients to use network services by name — see DHCP Server Configuration
Typical example	Resolving `youtube.com` → IP	Your laptop being assigned 192.168.1.15 when it joins a network

11. Why DNS Is Critical Infrastructure

DNS is one of the most critical pieces of internet infrastructure — a global DNS outage would effectively take the internet offline for most users (even if all servers remained running). Several properties make DNS uniquely important:

Universal dependency: Nearly every internet connection — web browsing, email, APIs, streaming, cloud services, IoT — starts with a DNS lookup. Services that are "up" become unreachable if DNS fails.
Massive scale: The DNS system processes over a trillion queries per day globally. Google Public DNS alone handles over 400 billion queries daily. This scale is managed through the distributed, cached, hierarchical architecture.
High availability by design: Every domain must have at least two authoritative nameservers (primary and secondary). The 13 root server clusters each have hundreds of anycast instances. There is no single point of failure in a properly configured DNS system.
Flexibility and abstraction: DNS decouples domain names from IP addresses. Entire data centre migrations, cloud provider changes, CDN updates, and load balancing changes can happen invisibly to users by simply updating DNS records.
Security enforcement point: DNS is increasingly used as a security control — DNS-based threat intelligence can block malicious domains, C2 servers, and phishing sites at the network level before any connection is established. This complements ACLs and firewall rules for layered defence.

12. Common DNS Issues and Troubleshooting

For a broader network connectivity diagnostic workflow that includes DNS checks, see Troubleshooting Connectivity.

Problem	Likely Cause	Diagnostic Command & Fix
Website not loading — "can't find server"	DNS resolution failing: resolver unreachable, wrong DNS server configured, or domain issue	`nslookup example.com` — check if it resolves. Try `nslookup example.com 8.8.8.8` — if this works, your configured DNS server is the problem
Website loads for some users but not others	DNS propagation delay — different resolvers still have the old cached IP	Compare: `dig @8.8.8.8 example.com` vs `dig @1.1.1.1 example.com`. Wait for TTL to expire globally.
Slow DNS resolution (pages feel sluggish)	High-latency DNS resolver (e.g., distant ISP DNS server)	Switch to faster public resolver: `8.8.8.8` (Google) or `1.1.1.1` (Cloudflare — typically fastest). Test with: `dig example.com +stats` (check query time)
Old IP still being returned after DNS change	Stale TTL cache in resolver or local OS	Windows: `ipconfig /flushdns` \| Linux: `sudo systemd-resolve --flush-caches`. External resolvers: wait for TTL to expire
Emails bouncing or going to spam	Missing or mismatched PTR record, missing SPF/DKIM TXT records	`dig -x <mail-server-IP>` (check PTR exists), `dig example.com TXT` (check SPF/DKIM records)
DNS cache poisoning suspected	Resolver returning unexpected IPs for known domains	Compare `dig @8.8.8.8 domain.com` against your resolver result. Enable DNSSEC on your resolver. Use encrypted DNS (DoH/DoT)
SERVFAIL returned for a domain	Authoritative server unreachable, DNSSEC validation failure, or lame delegation	`dig example.com +trace` — follow the delegation chain to find where it fails

Quick Troubleshooting Commands

! Basic DNS resolution test
nslookup example.com           ! Windows/Linux/macOS
dig example.com                ! Linux/macOS — full detailed output

! Test with a specific DNS server (bypass your configured resolver)
nslookup example.com 8.8.8.8
dig @8.8.8.8 example.com

! Check current DNS configuration
ipconfig /all                  ! Windows — shows DNS servers
cat /etc/resolv.conf           ! Linux — shows configured DNS servers

! Flush DNS cache
ipconfig /flushdns             ! Windows
sudo systemd-resolve --flush-caches  ! Linux (systemd)
sudo dscacheutil -flushcache   ! macOS

! Trace full DNS resolution path
dig example.com +trace         ! Follows root → TLD → authoritative

! Quick IP lookup (script-friendly)
dig example.com +short

13. Common Misconceptions About DNS

"DNS is only used for website browsing."
DNS is used for every internet communication involving a hostname — email delivery (MX record lookup), API calls, cloud services, VoIP (SRV records), streaming services, IoT devices, and internal corporate resources. The internet would be nearly unusable without DNS, not just for web browsing.
"Changing a DNS record takes effect immediately."
DNS changes take effect immediately on the authoritative server, but resolvers worldwide cache the old answer for its TTL duration. If a record has a 24-hour TTL, some users worldwide will see the old IP for up to 24 hours. Pre-lower TTL before planned changes to minimise this window.
"There are only 13 DNS root servers."
There are 13 root server addresses (labeled a through m), but each is served by many physical servers distributed globally via anycast routing. As of 2025, there are over 1,500 root server instances worldwide. The "13 servers" is a simplification based on the original IPv4 constraint of fitting all root NS records in a single 512-byte UDP response.
"DNSSEC encrypts DNS traffic."
DNSSEC provides authentication and integrity — it proves responses haven't been tampered with using cryptographic signatures. It does not encrypt queries or responses — your ISP and network observers can still see what domains you query. DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) provide actual encryption.
"Flushing your local DNS cache fixes all DNS issues."
Flushing your local OS cache only affects your machine. If a recursive resolver (8.8.8.8, ISP DNS) has cached a stale entry, it continues to return the old answer to all its clients until the TTL expires — you have no control over external resolver caches.

14. Key Points & Exam Tips

DNS = Domain Name System — translates domain names to IP addresses and vice versa. Called the "phonebook of the internet."
DNS uses UDP port 53 (queries) and TCP port 53 (large responses, zone transfers).
DNS hierarchy: Root (.) → TLD (.com) → Authoritative (ns1.example.com). Always root first.
Recursive resolver (8.8.8.8): fetches DNS on client's behalf, caches results. Authoritative server: holds the official zone records, returns aa flag.
Key record types: A (name→IPv4), AAAA (name→IPv6), MX (mail servers), CNAME (alias), TXT (SPF/DKIM), PTR (IP→name), NS (nameservers), SOA (zone metadata).
TTL: how long resolvers cache a DNS answer. Low TTL = fast changes but more queries. High TTL = efficient but slow propagation.
Resolution order: hosts file → local cache → recursive resolver → root → TLD → authoritative.
DNSSEC: adds cryptographic signatures to DNS records to prevent cache poisoning. Does NOT encrypt traffic — use DoH/DoT for encryption.
DNS ≠ DHCP: DNS resolves names to IPs; DHCP assigns IPs to devices. DHCP delivers the DNS server IP to clients via Option 6.
Troubleshooting: nslookup / dig for resolution testing; ipconfig /flushdns (Windows) to clear local cache; dig +trace to follow the full delegation path.

15. DNS Purpose Quiz

1. A user updates their website's A record to point to a new IP address. Three hours later, half their visitors still reach the old server. The A record TTL was 86400 seconds. What is the cause, and what should be done differently next time?

A. The authoritative server did not save the change — reapply it B. Recursive resolvers must be manually notified — contact Google and Cloudflare to flush their caches C. The website server is rejecting connections from some visitors — check firewall rules D. Resolvers worldwide cached the old IP at TTL 86400 (24 hours) — they won't re-query until their cache expires. Next time, lower TTL to 300 seconds 24+ hours before the change so caches expire quickly

Correct answer is D. This is DNS propagation lag — one of the most common DNS operational problems. When resolvers (ISP DNS, 8.8.8.8, corporate proxies) cached the old A record with TTL 86400, they will keep using that cached answer for up to 24 hours after the change, regardless of what the authoritative server now says. There is no way to force external resolvers to flush their caches. The standard prevention is pre-emptive TTL reduction: lower the TTL to 300 seconds at least 24 hours before the planned change. After confirming the new IP is propagating correctly, restore the TTL to a higher value.

2. Which property of DNS makes it "distributed" and prevents a single point of failure for global name resolution?

A. All DNS records are stored in one master database replicated to all servers simultaneously B. DNSSEC protects each server from being taken down by attackers C. Authority for different parts of the namespace is delegated to different organisations — .com TLD servers, individual domain nameservers, and root servers are all independently operated and replicated D. DNS uses UDP which prevents a single server from becoming a bottleneck

Correct answer is C. DNS is distributed through delegation: the root zone is authoritative for TLD delegation but has no knowledge of individual domains. .com TLD servers know which nameservers handle each .com domain but don't hold their records. Individual domain nameservers hold only their own zone. Each level is managed by a different organisation (ICANN, Verisign, individual domain owners), each independently replicated. This means there is no single entity whose failure takes down global DNS — unlike centralised systems.

3. A network administrator configures a Cisco router DHCP pool: `dns-server 8.8.8.8 8.8.4.4`. What does this accomplish, and what DHCP option number carries this information to clients?

A. It configures the router itself to use 8.8.8.8 for DNS — DHCP option 3 B. It tells the DHCP server to push 8.8.8.8 and 8.8.4.4 as the DNS server addresses to every DHCP client on that pool — DHCP option 6 C. It configures the router to forward DNS queries to Google — DHCP option 43 D. It adds 8.8.8.8 as a static DNS record in the router's zone file — DHCP option 15

Correct answer is B. The dns-server sub-command under a Cisco DHCP pool configures the DNS server IPs that the DHCP server sends to clients in their DHCP Offer/ACK. This is carried as DHCP Option 6 (Domain Name Server option). When a client receives a DHCP lease, it configures its network interface to use the Option 6 DNS addresses for name resolution. This is the primary mechanism by which DNS and DHCP are integrated: DHCP delivers the DNS server address, then DNS resolves names for the client.

4. What is the fundamental difference between DNSSEC and DNS-over-HTTPS (DoH)?

A. DNSSEC authenticates DNS responses (proves they haven't been tampered with) but does not encrypt them — ISPs can still see your queries. DoH encrypts the entire DNS query in HTTPS so the query is invisible to the network path, but does not authenticate individual DNS records B. DNSSEC encrypts DNS queries; DoH authenticates DNS responses C. Both DNSSEC and DoH provide the same security — they are alternative implementations of the same protection D. DoH is only used for email DNS security; DNSSEC is for web browsing DNS

Correct answer is A. These are complementary technologies protecting different attack surfaces. DNSSEC adds cryptographic signatures (RRSIG) to DNS records so resolvers can verify responses are authentic and unmodified — protecting against cache poisoning. However, DNS queries and responses are still transmitted in plaintext, visible to ISPs and network observers. DoH wraps DNS queries inside HTTPS (port 443), making the query content encrypted and indistinguishable from regular web traffic — protecting privacy from network-level surveillance. In ideal deployments, both are used together: DoH for privacy, DNSSEC for record integrity.

5. A company's email is being rejected by receiving servers with the error "550 Host not found" or messages being flagged as spam. The mail server has an A record but investigation reveals no PTR record for its IP. Why does this cause email rejection?

A. Email servers require A records but not PTR records — the issue must be elsewhere B. PTR records are the same as A records — they need to add a PTR in their own DNS zone C. Receiving mail servers perform reverse DNS lookups on connecting IPs — an IP with no PTR record is a strong spam indicator since legitimate mail servers should have matching forward and reverse DNS D. The company needs to add an MX record pointing to their mail server's IP address directly

Correct answer is C. Email authentication relies heavily on reverse DNS. When Gmail, Outlook, or any receiving mail server gets an SMTP connection from an IP (e.g., 198.51.100.25), it performs a reverse DNS lookup (PTR query). For a legitimate mail server, this should return the mail server's hostname, and that hostname should forward-resolve back to the same IP (FCrDNS check). An IP with no PTR record is flagged as suspicious because legitimate sending infrastructure almost always has matching PTR records. The PTR record must be created by the ISP/hosting provider who owns the IP block — not the domain owner.

6. An organisation has a single mail server but wants email delivery to continue automatically if that server goes offline. How does DNS enable this resilience, and what record type is used?

A. Configure two A records for the same IP — the second activates when the first fails B. Configure multiple MX records with different priority values — sending servers try the lowest priority number first, automatically falling back to higher numbers if lower-priority servers are unreachable C. Configure CNAME records pointing to backup mail servers D. Configure TXT records listing all backup server IPs

Correct answer is B. MX (Mail Exchange) records include a priority value — sending mail servers always try the lowest priority number first (highest preference). If that server doesn't respond or returns a temporary failure, the sending server automatically retries using the next MX record with a higher priority number. For example: MX 10 mail1.example.com. (primary) and MX 20 mail2.example.com. (backup) — if mail1 is down, mail is automatically delivered to mail2. This failover is built into the SMTP protocol and requires no client-side configuration — the MX priority system handles it purely through DNS.

7. Which statement correctly explains why "there are 13 DNS root servers" is a simplification, and what actually underlies global root DNS availability?

A. There are 13 physical servers, each hosted in different countries for geographic distribution B. There are 13 root server organisations but only one physical server per organisation C. 13 was chosen because there are 13 types of DNS record and each server handles one type D. There are 13 root server addresses (a–m .root-servers.net), but each is served by hundreds of physical servers globally via anycast routing. The "13" limit came from fitting NS records in a 512-byte UDP packet — there are actually 1,500+ root instances worldwide

Correct answer is D. The "13 root servers" limitation originates from the early DNS design constraint: all 13 root NS records had to fit in a single 512-byte UDP packet (the original DNS limit). There are 13 addresses labeled a through m (a.root-servers.net through m.root-servers.net), each operated by a different organisation (ICANN, Verisign, Cloudflare, NASA, etc.). Each of these 13 addresses is actually served by hundreds of physical server instances deployed worldwide using anycast routing — your root DNS query goes to the nearest instance automatically. As of 2025, there are over 1,500 root server instances globally, making the root zone one of the most resilient and distributed services on the internet.

8. A recursive resolver at 8.8.8.8 has cached the A record for example.com with a TTL of 3600. If a user queries 8.8.8.8 for example.com 45 minutes after the first query, what happens and what TTL will the response show?

A. The resolver returns the cached answer immediately with a decremented TTL of approximately 900 seconds (3600 − 2700 = 900) — no new query to the authoritative server is made B. The resolver refreshes the TTL to the original 3600 each time it serves a cached response C. The resolver re-queries the authoritative server after every 30 minutes regardless of TTL D. The TTL shown to the client is always the original TTL from the authoritative server, never decremented

Correct answer is A. Recursive resolvers cache DNS answers for the full TTL duration from the moment they first retrieve the answer. The cached TTL counts down in real time. 45 minutes = 2700 seconds have elapsed, so the remaining TTL is 3600 − 2700 = 900 seconds. The resolver returns the cached answer to the client with the decremented TTL (900) — the client knows it can use this answer for 900 more seconds. No new query to the authoritative server occurs. Only when the TTL reaches zero does the resolver re-query. This countdown behaviour is why dig example.com often shows TTLs less than the record's configured value.

9. In a DNS cache poisoning attack, what does the attacker inject and what is the immediate consequence for affected users?

A. The attacker overwrites the authoritative DNS zone file — all users worldwide are permanently redirected B. The attacker floods the DNS server with queries until it crashes — causing a denial of service C. The attacker injects a forged DNS response into a recursive resolver's cache — associating a legitimate domain with a malicious IP. All users of that resolver are then directed to the attacker's server until the poisoned cache entry expires D. The attacker modifies the client's hosts file to override DNS resolution

Correct answer is C. In a DNS cache poisoning (Kaminsky-style) attack, the attacker races to send a forged DNS response to a recursive resolver before the legitimate authoritative response arrives. The forged response contains a malicious IP for a legitimate domain (e.g., bank.com → 198.51.100.99). If the resolver accepts the forged response (because the attacker guessed the correct transaction ID), it caches the malicious mapping. Every user of that resolver who queries bank.com will be silently redirected to the attacker's server for the duration of the TTL in the forged response — typically to a phishing site designed to steal credentials. DNSSEC prevents this by requiring cryptographic proof that responses come from the legitimate authoritative server.

10. A company's website uses a CDN. Their DNS zone has: `www.company.com CNAME www.company.com.cdn-provider.net.` When a user in Australia and a user in Germany both query www.company.com, they receive different IP addresses. How does DNS enable this geographic load distribution?

A. The CNAME record contains a list of IPs and DNS randomly assigns one per query B. The CDN's authoritative DNS uses the querying resolver's IP (via EDNS Client Subnet or anycast) to detect the user's geographic location and return the nearest CDN edge server IP — each region gets a different A record C. The CNAME record itself contains geographic routing instructions embedded in the hostname D. Users are assigned different domains by their ISP before the DNS query is made

Correct answer is B. This is GeoDNS (geographic DNS routing) — a fundamental capability of CDN architectures. When the resolver in Australia queries the CDN's authoritative DNS for the CNAME target, the CDN's DNS system identifies the resolver's location (via its IP address or EDNS Client Subnet extension which passes along the client's approximate location). It returns the IP of the nearest Australian CDN edge node. The resolver in Germany receives the IP of the nearest European edge node. The same domain name resolves to different IPs based on geography — entirely through DNS. This is how services like Netflix, Cloudflare, and Akamai deliver content from servers geographically close to each user.

← Back to Home

Purpose of DNS – Domain Name System Explained

1. What Is DNS?

2. Why the Internet Needs DNS

3. The DNS Hierarchy — How It Is Structured

Domain Name Anatomy

4. Types of DNS Servers — Their Roles

5. How DNS Works — Complete Step-by-Step Resolution

6. DNS Record Types — Complete Reference

7. DNS Caching — Why It Matters

Levels of DNS Caching

8. Real-World DNS Examples

Example 1 — Browsing a Website

Example 2 — Sending Email

Example 3 — Internal Corporate DNS

9. DNSSEC — DNS Security Extensions

The Problem DNSSEC Solves — Cache Poisoning

DNSSEC Components

10. DNS vs. DHCP — Key Differences

11. Why DNS Is Critical Infrastructure

12. Common DNS Issues and Troubleshooting

Quick Troubleshooting Commands

13. Common Misconceptions About DNS

14. Key Points & Exam Tips

15. DNS Purpose Quiz

1. A user updates their website's A record to point to a new IP address. Three hours later, half their visitors still reach the old server. The A record TTL was 86400 seconds. What is the cause, and what should be done differently next time?

2. Which property of DNS makes it "distributed" and prevents a single point of failure for global name resolution?

3. A network administrator configures a Cisco router DHCP pool: dns-server 8.8.8.8 8.8.4.4. What does this accomplish, and what DHCP option number carries this information to clients?

4. What is the fundamental difference between DNSSEC and DNS-over-HTTPS (DoH)?

5. A company's email is being rejected by receiving servers with the error "550 Host not found" or messages being flagged as spam. The mail server has an A record but investigation reveals no PTR record for its IP. Why does this cause email rejection?

6. An organisation has a single mail server but wants email delivery to continue automatically if that server goes offline. How does DNS enable this resilience, and what record type is used?

7. Which statement correctly explains why "there are 13 DNS root servers" is a simplification, and what actually underlies global root DNS availability?

8. A recursive resolver at 8.8.8.8 has cached the A record for example.com with a TTL of 3600. If a user queries 8.8.8.8 for example.com 45 minutes after the first query, what happens and what TTL will the response show?

9. In a DNS cache poisoning attack, what does the attacker inject and what is the immediate consequence for affected users?

10. A company's website uses a CDN. Their DNS zone has: www.company.com CNAME www.company.com.cdn-provider.net. When a user in Australia and a user in Germany both query www.company.com, they receive different IP addresses. How does DNS enable this geographic load distribution?

3. A network administrator configures a Cisco router DHCP pool: `dns-server 8.8.8.8 8.8.4.4`. What does this accomplish, and what DHCP option number carries this information to clients?

10. A company's website uses a CDN. Their DNS zone has: `www.company.com CNAME www.company.com.cdn-provider.net.` When a user in Australia and a user in Germany both query www.company.com, they receive different IP addresses. How does DNS enable this geographic load distribution?