eastbaycyber

DNS (Domain Name System): Definition, How It Works, and Where You’ll See It

Glossary 7 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-16
Definition

DNS (Domain Name System) is the Internet’s distributed “phone book,” mapping domain names (like www.example.com) to IP addresses and other records needed to reach services. It’s critical infrastructure: if DNS fails or is tampered with, users can’t reliably find your apps—even if those apps are healthy.

How DNS works (step by step)

At a practical level, DNS is a lookup workflow that answers questions like: “What IP should I connect to for api.example.com?” The process involves multiple actors and layers of caching.

1) The client asks a recursive resolver

Your device (or application) typically sends DNS queries to a recursive resolver—often provided by:

  • Your ISP
  • Your enterprise network (e.g., Active Directory DNS)
  • A dedicated recursive service you configure

The client asks for a record type (commonly A for IPv4, AAAA for IPv6). The resolver then does the heavy lifting.

2) The resolver walks the DNS hierarchy

If the resolver doesn’t already have the answer cached, it performs a sequence of queries:

  1. Root servers: “Who handles .com?”
  2. TLD (Top-Level Domain) servers: “Who is authoritative for example.com?”
  3. Authoritative name servers for example.com: “What is the A/AAAA record for api.example.com?”

The authoritative server returns the final answer (or a referral to another name server if delegation is involved).

3) Caching and TTL control performance (and change propagation)

DNS is designed for scale, so caching is everywhere:

  • On endpoints (OS cache)
  • In browsers and applications
  • At recursive resolvers
  • On intermediate infrastructure

Most DNS records include a TTL (Time To Live) in seconds. TTL tells caches how long they can reuse an answer before re-checking with authoritative servers.

  • Long TTL: better performance and resilience, slower change propagation
  • Short TTL: faster migrations/rollbacks, higher query volume

4) DNS record types do more than point to an IP

DNS stores multiple kinds of service metadata. Common DNS record types include:

  • A: Name → IPv4 address
  • AAAA: Name → IPv6 address
  • CNAME: Alias name → canonical name (points to another hostname, not an IP)
  • MX: Mail routing for a domain
  • TXT: Arbitrary text (often used for SPF, DKIM, DMARC, and domain verification)
  • NS: Which name servers are authoritative for a zone
  • SOA: Zone “start of authority,” includes serial and timing parameters

5) DNS security: what it does (and doesn’t) guarantee

Plain DNS is not encrypted and not authenticated by default. Two major security considerations:

  • On-path visibility and manipulation: without encrypted transport, DNS queries can be observed (and sometimes altered) between client and resolver.
  • Response authenticity: without cryptographic validation, clients can be tricked by spoofed responses under certain conditions.

DNSSEC (DNS Security Extensions) adds authenticity to DNS data via signatures, allowing validating resolvers to detect tampering for signed zones. DNSSEC does not encrypt DNS; it helps ensure answers haven’t been forged.

Transport encryption is provided by:

  • DoH (DNS over HTTPS)
  • DoT (DNS over TLS)

These protect queries from passive monitoring on the network path between the client and the recursive resolver. If you frequently use untrusted Wi‑Fi, a reputable VPN can also help reduce network-level snooping; for example, NordVPN (Check NordVPN pricing →) or Surfshark (Try Proton VPN →) are commonly used options.

Basic DNS troubleshooting (commands + what results mean)

Use these to confirm what the world sees versus what a specific resolver returns.

# Query A record using your default resolver
dig A example.com

# Query authoritative name servers directly (bypasses recursive caches)
dig +trace example.com

# Query a specific resolver (useful to compare corp vs public)
dig @1.1.1.1 A example.com
dig @8.8.8.8 AAAA example.com

# See TTL and answer section clearly
dig +noall +answer +ttlid example.com A

Typical signals:

  • NOERROR: successful lookup
  • NXDOMAIN: name does not exist (often a typo or missing record)
  • SERVFAIL: resolver failed (DNSSEC issues, upstream failure, misconfigured authoritative)

Where you’ll encounter DNS (real-world scenarios)

DNS shows up constantly in operations, security, and troubleshooting. These are common touchpoints.

Website and app availability troubleshooting

Symptoms often blamed on “the site is down” can actually be DNS:

  • A record points to the wrong IP after a migration
  • TTL is too long, so users hit old infrastructure
  • IPv6 (AAAA) exists but the service doesn’t actually listen on IPv6
  • CDN/proxy changes introduce new CNAME targets that weren’t allowed or propagated

What to do:

  • Confirm resolution from multiple networks and resolvers
  • Compare authoritative answers vs cached recursive answers
  • Check both A and AAAA paths

Email delivery and anti-spoofing

DNS drives email routing and authentication:

  • MX records decide where mail should be delivered
  • SPF is commonly published in TXT records
  • DKIM uses DNS (TXT) to publish signing keys
  • DMARC is published in DNS and governs policy/reporting

Misconfigured DNS here can cause mail rejection, spoofing exposure, or deliverability issues.

Cloud, containers, and service discovery

In modern environments, DNS is used for:

  • Load balancer hostnames in cloud (CNAME chains)
  • Internal service discovery (e.g., service.namespace patterns)
  • Dynamic endpoints where IPs change frequently

Operational reality: your “backend IPs” may not be stable, so DNS becomes part of your dependency chain.

Enterprise networks and Active Directory

In Windows environments, DNS is tightly coupled with Active Directory:

  • Clients rely on DNS for locating domain controllers and services
  • Incorrect DNS settings on endpoints cause login and policy failures
  • Split-brain or misconfigured conditional forwarding can break internal name resolution

If you’re hardening endpoint security alongside availability, also see our Windows endpoint protection comparison:
/internal link: best antivirus for windows business endpoints 2026

Incident response and security monitoring

DNS is a high-signal telemetry source:

  • Malware often uses DNS for command-and-control discovery
  • Data exfiltration can occur over DNS (e.g., encoded queries)
  • Typosquatting and lookalike domains show up first as odd query patterns

For detection and triage, it helps to track Indicators of Compromise found in DNS logs (domains, subdomains, resolver IPs). Related reading:
/internal link: what is an ioc

If you suspect a device is compromised, a reputable anti-malware tool can help with initial investigation and cleanup; Malwarebytes is a commonly used option (Get Malwarebytes →).

DNS log patterns worth recognizing

Common patterns you’ll see in resolver logs, endpoint telemetry, or a SIEM:

  • NXDOMAIN spikes: typo domains, DGA (domain generation algorithms), misconfigured clients
  • High TXT volume: legitimate (email auth, verification) or suspicious (tunneling/exfil)
  • Unusual TLDs: may indicate newly registered or risky infrastructure
  • Long, random subdomains: can be tracking, CDNs, or exfil

Example query patterns to flag for review:

# High-entropy subdomains (potential tunneling)
aj3k9s8d7f6g5h4j3k2l.example.com

# Repeated NXDOMAIN for pseudo-random domains (possible DGA)
xjvqpzltmda.com -> NXDOMAIN
qmnzvpksthe.com -> NXDOMAIN
  • Recursive resolver: a DNS server that resolves names on behalf of clients by querying other DNS servers and caching results.
  • Authoritative name server: the DNS server that holds the source-of-truth records for a domain/zone and answers definitively.
  • Zone: an administrative portion of the DNS namespace managed as a unit (e.g., example.com).
  • DNS record: a specific mapping or piece of data in DNS (A, AAAA, CNAME, MX, TXT, NS, SOA, etc.).
  • TTL (Time To Live): cache duration for a DNS answer; controls how fast changes propagate.
  • Propagation: the real-world delay as caches expire and resolvers refresh records—DNS changes are not instantly global.
  • NXDOMAIN: response code meaning the name does not exist in DNS.
  • CNAME chain: multiple CNAMEs pointing to other names; common with CDNs but can complicate debugging and add latency.
  • Split-horizon (split-brain) DNS: different DNS answers depending on where the query comes from (internal vs external), used for internal services but easy to misconfigure.
  • DNSSEC: adds cryptographic signatures to DNS data so validating resolvers can detect forged or tampered answers.
  • DoH / DoT: encrypted DNS transports (HTTPS/TLS) protecting query privacy between client and resolver.

Next steps if you suspect a DNS problem

Start with:

  1. Check A/AAAA/CNAME/TXT records for the hostname in question
  2. Verify authoritative answers with dig +trace
  3. Compare results across resolvers and networks
  4. Factor in TTL-based caching before assuming a change “didn’t work”

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-05-16

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.