What is DNS and how does it work?

[Image: the word DNS on a globe with a question mark underneath. Image credit: ExpressVPN]

The Domain Name System (DNS) is the index of the internet. When you browse to domain names like facebook.com or twitter.com, your device uses DNS to look up the IP addresses it needs to load those resources.

It's a simple idea, but one that has a huge effect on many areas of your internet life. In this article we'll talk more about how DNS works, and why it's important to your internet speeds, privacy, security and more.


How does DNS work?

Connect to the internet and your ISP normally assigns you at least two DNS servers (there's a spare in case the primary server fails). Every time you enter a new domain in your browser, your device sends a query to the primary DNS server, which translates it to the IP address you need.

Although this looks simple from your point of view, your ISP's DNS server (technically, a DNS recursor) must work with several other servers to make this happen.

The recursor first sends a request to a DNS root server. This looks at the extension of the domain (.com, .net, .org and so on) and returns the address of a Top Level Domain (TLD) nameserver which handles that domain type.

Your ISP's recursor then sends your query to the TLD nameserver, which passes back the authoritative nameserver for that domain.

Finally, the recursor sends your query to the authoritative nameserver, the one holding the actual record for this website. 

This final DNS server returns the domain IP address to the recursor, which passes it back to your device. Finally, your browser can connect to it and begin accessing the site.

DNS caching

DNS queries are surprisingly fast, even though there's so much happening under the hood. Smart optimization and minimal bandwidth use mean that a fast server close to you can return an IP in under 10 milliseconds.

Other DNS servers might take more than 100 milliseconds, though, and that's when DNS speed begins to make a noticeable difference, especially as a single website might load resources from many domains.

If you access bigsite.com, for instance, it might load images from one server, scripts from another, adverts from several providers, social networking buttons for various platforms, and who knows what else. Every new domain requires another DNS query before you can access that resource... and they all add up.

[Image: graphic showing a DNS query converting a domain into an IP address. Image credit: Surfshark]

Apps and devices reduce the impact of DNS queries by storing the IP addresses in a cache, and using them again for future connections.

On PCs, for example, DNS query results are stored by both the browser and the operating system. You might wait a whole second for DNS queries on your first visit to bigsite.com, but visit another page on the site and your device uses the cached IP addresses for a near-instant response.

DNS caches are normally lost when an app closes or your device restarts, so any DNS query delay will be back in your next session, just for the first visit to a site. But caching is still a worthwhile scheme which makes websites feel snappier and more responsive.

What is DNS filtering?

DNS servers are hugely powerful, as they have full control over the websites you can access. If a server doesn't want you to access a domain, it can filter out that request: return an error rather than an IP address, and you won't be able to browse the site.

DNS filtering is often a very good idea. It can block malicious or phishing websites, or restrict access to adult and other child-unfriendly sites, which makes it a useful part of a parental controls setup.
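As an added example (not code from this article), here is a toy Python recursor that ties together the three sections above: it walks the root, TLD and authoritative chain from "How does DNS work?", caches each answer until its TTL expires as in "DNS caching", and implements the filtering just described by returning an error instead of an IP for blocked domains. The servers, domain names, IP addresses and TTLs are constructed in-memory tables, not real DNS data.

```python
import time

# Constructed toy zones (not real DNS data). Each server only knows the part
# of the namespace it is responsible for, mirroring the chain described above:
# root server -> TLD nameserver -> authoritative nameserver.
ROOT = {"com": "tld-com", "org": "tld-org"}                    # root: TLD server names
TLD = {"tld-com": {"bigsite.com": "ns.bigsite"},               # TLD: authoritative names
       "tld-org": {"example.org": "ns.example"}}
AUTH = {"ns.bigsite": {"bigsite.com": ("203.0.113.10", 300)},  # authoritative: (IP, TTL s)
        "ns.example": {"example.org": ("198.51.100.7", 60)}}


class Recursor:
    """ISP-style recursive resolver: walks the delegation chain, caches answers
    until their TTL expires, and can filter domains by returning an error."""

    def __init__(self, blocklist=(), clock=time.time):
        self.cache = {}                # domain -> (ip, expiry time)
        self.blocklist = set(blocklist)
        self.clock = clock             # injectable so tests can fake TTL expiry
        self.upstream_queries = 0      # queries sent on to other servers

    def _ask(self, server, name):
        """One round trip to another DNS server (simulated as a dict lookup)."""
        self.upstream_queries += 1
        return server.get(name)

    def resolve(self, domain):
        if domain in self.blocklist:   # DNS filtering: an error instead of an IP
            raise LookupError(f"{domain}: blocked by resolver policy")
        now = self.clock()
        hit = self.cache.get(domain)
        if hit and hit[1] > now:       # fresh cached answer: no upstream traffic
            return hit[0]
        tld_server = self._ask(ROOT, domain.rsplit(".", 1)[-1])                  # step 1
        auth_server = self._ask(TLD[tld_server], domain) if tld_server else None  # step 2
        record = self._ask(AUTH[auth_server], domain) if auth_server else None    # step 3
        if record is None:
            raise LookupError(f"{domain}: no such domain")
        ip, ttl = record
        self.cache[domain] = (ip, now + ttl)   # remember it until the TTL runs out
        return ip


if __name__ == "__main__":
    r = Recursor(blocklist=["blocked.com"])
    print(r.resolve("bigsite.com"), r.upstream_queries)   # 3 queries on first visit
    print(r.resolve("bigsite.com"), r.upstream_queries)   # still 3: served from cache
```

The `upstream_queries` counter makes the cost of a cache miss visible: three round trips for a fresh name, none for a cached one, and two for a name the TLD server has never heard of.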

Other DNS filtering uses range from irritating to seriously scary. Your school Wi-Fi might block access to social media or streaming websites, for example, leaving you working out ways to unblock YouTube and others. And at the more worrying end of the scale, repressive governments can use DNS and other network trickery to keep their populations away from information they'd prefer to hide - it's no wonder guides to using WhatsApp in China are so well searched.

There are privacy and security concerns, too. If whoever runs the DNS server knows who you are (your ISP, say), it could log all the sites you visit to build a browsing history. A malicious hotspot operator might even detect users visiting a banking site, then redirect them to a fake site and steal their details.

Fortunately, there is a way to fight back. Connect to a VPN and your DNS queries are redirected through an encrypted tunnel to the VPN server, and handled there. With no way to see what you're doing, the network can't block you, and you're free to browse as normal.

[Image: a Mac app window showing a blocked website warning. Image credit: NordVPN]

Best DNS servers

Switching DNS servers isn't just for countries where you go to prison for registering thegovernmentsucks.com. Changing to another DNS provider can bring real benefits to everyone.

Some servers are optimized for speed. As we write, for instance, the benchmarking site DNSPerf lists 10 public DNS resolvers with average query times ranging from 14ms to almost 140ms. If your server is at the bottom end of that list, switching to something better could make a real difference.

As we've mentioned, other DNS servers can filter content to block ads, trackers, and malicious, phishing or family-unfriendly sites, depending on your needs. This can be a really effective approach, as it automatically protects all your apps with no need to install any other software.

Switching DNS isn't a good idea for everyone. Some parental controls, antivirus and internet security apps already replace your DNS servers with their own, and switching to something else means you'll lose at least some of their protection.

If you're interested, though, some of the fastest DNS servers around are available for free. Check our best DNS server guide for more.


Mike Williams
Lead security reviewer

Mike is a lead security reviewer at Future, where he stress-tests VPNs, antivirus and more to find out which services are sure to keep you safe, and which are best avoided. Mike began his career as a lead software developer in the engineering world, where his creations were used by big-name companies from Rolls Royce to British Nuclear Fuels and British Aerospace. The early PC viruses caught Mike's attention, and he developed an interest in analyzing malware, and learning the low-level technical details of how Windows and network security work under the hood.