What is DNS and how does it work?


The Domain Name System (DNS) acts like a virtual telephone directory for the Internet. 

When you type a website name into your browser’s address bar, your device uses DNS to look up that site's unique IP address (e.g. 212.100.66.113) in order to find it on the internet. This saves you the trouble of having to remember the IP address of every website you want to visit. Instead, you use a human-readable domain like www.techradar.com.

It's a simple idea, but one that has a huge effect on many areas of your internet life. In this article we'll talk more about how DNS works, and why it's important to your internet speeds, privacy, security and more.

How does DNS work?

Connect to the internet and your ISP normally assigns you at least two DNS servers (there's a spare in case the primary server fails). Every time you enter a new domain in your browser, your device sends a query to the primary DNS server, which translates it to the IP address you need.

Authoritative DNS is the supreme form of domain lookup. Authoritative DNS servers aren’t usually contacted directly by individual devices like your home computer. Instead, they provide the correct IP addresses to other types of DNS servers, known as resolvers or recursors.

Although this looks simple from your point of view, your ISP's DNS server (technically, a DNS recursor) must work with several other servers to make this happen.

The recursor first sends a request, also known as a ‘query’, to a DNS root server. This query is designed to discover the extension of the domain (.com, .net, .org and so on) and returns the address of a Top Level Domain (TLD) nameserver which handles that domain type. These are sometimes known as ‘zones’.

One common internet myth is that there are only 13 root DNS servers, all located in the USA. While there are currently only 13 IP addresses for root DNS, these represent clusters of servers located all over the world. As the internet transitions from IPv4 to IPv6, more root DNS IP addresses will become available.

Your ISP's recursor then sends your query to the TLD nameserver, which passes back the authoritative nameserver for that particular domain.

Finally, the recursor sends your query to the authoritative nameserver, the one holding the actual record for this website. 

This final DNS server then returns the domain IP address to the recursor, which passes it back to your device. Finally, your browser can connect to it and begin accessing the site.

As elaborate as this sounds, this “hierarchical” process is the most efficient way to handle the billions of domain name requests received by the internet every day. Your device also doesn’t always have to make DNS queries to find a website. 

DNS caching

DNS queries are surprisingly fast, even though there's so much happening under the hood. Smart optimization and minimal bandwidth use means that a fast server close to you can return an IP in under 10 milliseconds.

Other DNS servers might take more than 100 milliseconds, though, and that's when DNS speed begins to make a noticeable difference, especially as a single website might load resources from many domains.

If you access bigsite.com, for instance, it might load images from one server, scripts from another, adverts from several providers, social networking buttons for various platforms, and who knows what else. 

Naturally, you can try to increase your website loading speed by configuring your device to use a different DNS server. Google offers a free Public DNS service. It’s one of the most popular DNS server alternatives, using two IP addresses (8.8.8.8 and 8.8.4.4). These are known as ‘anycast’ addresses, in that each one represents DNS servers across the world.

Still, every new domain you access requires another DNS query before you can access that resource... and they all add up.


For this reason, at each stage of the DNS lookup process, the DNS recursor & root servers will try to save or ‘cache’ the IP address of domains for later use, so they can provide it right away next time.

Apps and devices can also reduce the impact of DNS queries by storing the IP addresses in their cache, and using them again for future connections.

On PCs, for example, DNS query results are stored by the browser and the operating system. In Windows you can even view a list of all cached domain names stored by the OS by opening the command prompt and typing ‘ipconfig /displaydns’.

You might wait a whole second for DNS queries on your first visit to bigsite.com, but visit another page on the site and your device uses the logged IP addresses for a near instant response.

DNS caches are normally lost when an app closes or your device restarts, so any DNS query delay will be back in your next session, just for the first visit to a site.

Some web browsers will store IP addresses in a special cache for later use. This can cause issues if those domains change their IP addresses, as the websites will then fail to load. Luckily, most programs include a feature to let you clear the cache entirely. For more, see our guide on how to clear cache in Chrome, Firefox and Safari.
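To make the root → TLD → authoritative walk and the caching described above concrete, here is an added example (not code from the article or from any real resolver) that simulates a toy recursor over a constructed, entirely fictional set of nameservers; the server names, zone data and IP addresses are assumptions for the demo.

```python
import time

# Constructed toy DNS hierarchy (not real data). Each server maps a name to
# either an answer ("A", ip) or a referral ("NS", next server to ask).
SERVERS = {
    "root": {"com.": ("NS", "tld-com.example."),
             "net.": ("NS", "tld-net.example.")},
    "tld-com.example.": {"techradar.com.": ("NS", "ns1.techradar.example.")},
    "tld-net.example.": {"bigsite.net.": ("NS", "ns1.bigsite.example.")},
    "ns1.techradar.example.": {"www.techradar.com.": ("A", "203.0.113.10")},
    "ns1.bigsite.example.": {"bigsite.net.": ("A", "198.51.100.7")},
}

def lookup(server, qname):
    """Return the most specific entry this server holds for qname, or None."""
    zone, labels = SERVERS[server], qname.split(".")
    # Try the full name first, then shorter suffixes, so a parent
    # server can hand back a referral for the zone below it.
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in zone:
            return zone[suffix]
    return None

class Recursor:
    """Toy ISP-style recursor: walks root -> TLD -> authoritative, with a TTL cache."""
    def __init__(self, ttl=60):
        self.cache, self.ttl, self.hops = {}, ttl, []

    def resolve(self, qname, now=None):
        now = time.time() if now is None else now
        qname = qname.rstrip(".") + "."             # normalise to a fully qualified name
        cached = self.cache.get(qname)
        if cached and cached[1] > now:              # cache hit: no servers contacted
            self.hops = ["cache"]
            return cached[0]
        server, self.hops = "root", []
        while True:
            self.hops.append(server)
            rtype, value = lookup(server, qname) or (None, None)
            if rtype == "A":                        # authoritative answer
                self.cache[qname] = (value, now + self.ttl)
                return value
            if rtype != "NS":                       # nobody knows the name
                return None
            server = value                          # follow the referral down

if __name__ == "__main__":
    r = Recursor()
    print(r.resolve("www.techradar.com"), r.hops)   # walks three servers
    print(r.resolve("www.techradar.com"), r.hops)   # answered from cache
```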

What is DNS filtering?

DNS servers are hugely powerful, as they have full control over the websites you can access. If a server doesn't want you to access a domain, it can filter out that request: return an error rather than an IP address, and you won't be able to browse the site.

DNS filtering is often a very good idea. It can block malicious or phishing websites, maybe restrict access to adult or other child-unfriendly sites (so great as part of a parental controls setup). One main advantage it has over other forms of restricting websites is that DNS filtering doesn’t rely on software: it will apply to all devices connected to your network.

Other DNS filtering uses range from irritating to seriously scary. Your school Wi-Fi might block access to social media or streaming websites, for example, leaving you working out ways to unblock YouTube and others. And at the more worrying end of the scale, repressive governments can use DNS and other network trickery to keep their populations away from information they'd prefer to hide - it's no wonder guides to using WhatsApp in China are so well searched.

There are privacy and security concerns, too. If whoever runs the DNS server knows who you are (your ISP, say), it could log all the sites you visit to build a browsing history. 

A malicious hotspot operator might even detect users visiting a banking site, then redirect them to a fake site and steal their details. This process is known as ‘DNS spoofing’, ‘DNS hijacking’ or ‘DNS poisoning’. The Chinese government also uses this as a way to prevent loading of forbidden domains or to redirect web users to different ones. In 2012, for instance, the Skype domain fell victim to DNS poisoning, whereby Chinese users were redirected to a special version of the software that allowed the government to monitor chats.

In the same year a number of computers were infected by the ‘DNSChanger’ malware program which modified their DNS settings to point to malicious nameservers, bombarding users with advertising content. The hackers behind it netted around $14 million before they were caught and their servers were shut down. 

There is a way to fight back. Firstly, malware like DNSChanger often works through bogus online adverts. You can reduce the chance of clicking the wrong link by installing an ad blocker in your browser.

Virtual private networks like ExpressVPN are a useful tool. If you connect to a VPN, your DNS queries can be redirected through an encrypted tunnel to the VPN server, and handled there. With no way to see what you're doing, the network can't block you, and you're free to browse as normal.

Not all VPN providers offer this as a service. While they encrypt your connection, they may still allow your DNS requests to go through your regular provider. This means it’s still possible for people to know which sites you visit, or even redirect you to others. This is known as a DNS leak. Luckily, some VPN providers do route all your DNS requests through their own servers. Find out more in our guide What is DNS Hijacking?


Best DNS servers

Switching DNS servers isn't just for countries where you go to prison for registering thegovernmentsucks.com. Changing to another DNS provider can bring real benefits to everyone.

Some servers are optimized for speed. As we write, for instance, benchmarking site DNSPerf lists 43 public DNS resolvers with average query times ranging from 14ms to almost 140ms. If your server is at the bottom end of that list, switching to something better could make a real difference.

As we've mentioned, other DNS servers can filter content to block ads, trackers, malicious, phishing or family-unfriendly sites, depending on your needs. This can be a really effective idea as it automatically protects all your apps, with no need to install any other software.

Switching DNS isn't a good idea for everyone. Some parental controls, antivirus and internet security apps already replace your DNS servers with their own, and switching to something else means you may lose at least some of their protection.

On the other hand, certain DNS providers also come with security options of their own built in. OpenDNS, for instance, allows you to add domains to a ‘blocklist’ & automatically filters out links to ‘phishing’ sites and other harmful domains. You can even create a ‘whitelist’ to restrict access to only certain web domains for all devices connected to your network.
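The filtering behaviour described in the "What is DNS filtering?" section and the blocklist/whitelist options just mentioned, as an added example written for this page (it is not OpenDNS code or data): a wrapper around a recursor that returns an error instead of an IP for blocked names, with proper subdomain matching so that a rule for example.com also covers ads.example.com but not evil-example.com. The upstream answers are constructed placeholders.

```python
# Constructed toy DNS filter illustrating blocklist and allowlist behaviour.
def _labels(name):
    return name.lower().rstrip(".").split(".")

def matches(name, rule):
    """True if name equals rule or sits under it (ads.example.com matches example.com)."""
    n, r = _labels(name), _labels(rule)
    return len(n) >= len(r) and n[-len(r):] == r

class FilteringResolver:
    def __init__(self, upstream, blocklist=(), allowlist=None):
        self.upstream = upstream            # callable: name -> IP string or None
        self.blocklist = list(blocklist)
        self.allowlist = allowlist          # None means "allow everything not blocked"
        self.log = []                       # (name, decision) pairs for later review

    def resolve(self, name):
        if self.allowlist is not None and not any(matches(name, a) for a in self.allowlist):
            return self._deny(name, "not-on-allowlist")
        for rule in self.blocklist:
            if matches(name, rule):
                return self._deny(name, "blocked-by:" + rule)
        ip = self.upstream(name)
        self.log.append((name, "answered" if ip else "nxdomain"))
        return ip

    def _deny(self, name, why):
        self.log.append((name, why))
        return None                         # an error instead of an IP, so the site fails to load

# Constructed upstream answers standing in for a real recursor (fictional IPs).
FAKE_UPSTREAM = {"www.techradar.com": "203.0.113.10",
                 "ads.tracker.example": "198.51.100.9",
                 "login.bank.example": "192.0.2.5"}

def demo_blocklist():
    r = FilteringResolver(FAKE_UPSTREAM.get, blocklist=["tracker.example"])
    return r.resolve("www.techradar.com"), r.resolve("ads.tracker.example"), r.log

def demo_allowlist():
    r = FilteringResolver(FAKE_UPSTREAM.get, allowlist=["techradar.com"])
    return r.resolve("www.techradar.com"), r.resolve("login.bank.example")
```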

DNS attacks

One of the downsides to having an IP address that everyone knows is that public DNS servers are vulnerable to ‘DNS attacks’. One of the crudest forms is known as a ‘flood’ or ‘denial of service’ attack, where hackers use computers to overwhelm a DNS server with queries. This means it can’t process legitimate website requests from normal internet users.

On October 21st 2016, DNS provider Dyn was subjected to three DDoS (Distributed Denial of Service) attacks using a ‘botnet’ of devices that had been infected with special malware. This effectively made a number of major websites, such as Amazon, HBO & Tumblr, unavailable for most of the day.

If hackers can actually gain access to a DNS server, they can also ‘hijack’ domains, meaning that when you enter a legitimate domain name you could be redirected to a different site altogether. 

Even if you don’t manage your own DNS server or network, you can do your part to avoid DNS attacks by keeping your devices free of malware. Use ad blockers to prevent loading of harmful content, and install antivirus software.

Do more with DNS 

Although DNS works ‘under the hood’ on your devices, you’ve now learned there are a few simple steps you can take to improve your website loading times & online security through updating your settings.  

If you’re considering doing this, make sure to note down your existing DNS servers on your device before making any changes. You should also make sure your devices are fully up to date & all your personal data is backed up. If you do want to change DNS providers, remember that you’ll need to do this on each internet device you own. 

Nate Drake is a tech journalist specializing in cybersecurity and retro tech. He broke out from his cubicle at Apple 6 years ago and now spends his days sipping Earl Grey tea & writing elegant copy.