The internet's phone book — how domain names like "example.com" get translated into IP addresses your computer can actually use.
The Domain Name System (DNS) is often called the "phonebook of the internet." It translates human-readable domain names (like www.example.com) into IP addresses (like 93.184.216.34) that computers use to route traffic across networks. Every time you type a URL in your browser, send an email, or make an API call, DNS is working behind the scenes.
Without DNS, you'd have to memorize IP addresses for every website you want to visit. Imagine typing 142.250.80.46 instead of google.com. DNS makes the internet usable for humans.
DNS is hierarchical (organized in a tree structure), distributed (no single server holds all records), and cached at multiple levels for performance. Critically for security, traditional DNS queries are largely unencrypted — anyone on the network path can see which domains you're resolving.
DNS uses UDP port 53 for most queries (one small packet each way) and TCP port 53 when a response won't fit. Classic DNS capped UDP responses at 512 bytes; EDNS(0) lets client and server negotiate larger UDP payloads, and a server that still has to cut an answer short sets the TC (truncated) flag so the client retries the same query over TCP. Zone transfers (AXFR/IXFR) always run over TCP.
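As an added example (not part of the original page), here is the wire format those port-53 packets carry, written in Python with only the standard library: it builds the query for example.com, parses a constructed response that uses a name-compression pointer, and exposes the TC flag that tells a client to retry over TCP. The transaction ID, the sample response bytes and the 93.184.216.34 answer are made up for the example, not captured from a real server.

```python
import struct

QTYPE_A = 1          # record type codes from RFC 1035
QCLASS_IN = 1
TC_FLAG = 0x0200     # "truncated" bit in the header flags word


def encode_name(name):
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label must be 1-63 bytes: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """A standard query: header (ID, flags with RD=1, one question) + question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def tcp_frame(message):
    """Over TCP the same message is prefixed with its 2-byte length."""
    return struct.pack("!H", len(message)) + message


def decode_name(data, offset):
    """Decode a name at offset, following compression pointers (two bytes starting 0b11)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:
            if end is None:              # parsing resumes right after the first pointer
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                # a hostile packet could point in a loop
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_message(data):
    """Parse the header, question and answer sections of a UDP DNS payload."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(data, offset)
        qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)   # render IPv4 dotted-quad
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "flags": flags, "truncated": bool(flags & TC_FLAG),
            "questions": questions, "answers": answers}


# Constructed response (not captured from a real server): QR=1, RD, RA, no error;
# the answer name is a compression pointer (0xC00C) back to the question at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 3600, 4)
    + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    print(build_query("example.com").hex())
    reply = parse_message(SAMPLE_RESPONSE)
    print(reply)
    if reply["truncated"]:
        print("TC set: retry the same query over TCP port 53")
```

A real client would also check that the response's ID and question match what it sent before trusting the answer; that check is exactly what cache-poisoning attacks try to satisfy with a forgery.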
Two terms used throughout: a domain name is a human-readable name (for example example.com) that maps to one or more IP addresses; a fully qualified domain name (FQDN) is the complete name down to the root, written with a trailing dot (www.example.com.).
DNS is organized as an inverted tree. At the very top is the root zone (represented by a dot .), served by 13 named root server identities (a.root-servers.net through m.root-servers.net), each of which is an anycast cluster of many machines worldwide. Below that are the Top-Level Domains (TLDs) like .com, .org, .net, and country-code TLDs like .uk, .de. Each TLD registry delegates authority for a registered domain to the nameservers its owner lists through a registrar, and those authoritative nameservers hold the domain's records.
DNS doesn't just store IP addresses — it stores many types of records. Each record type serves a different purpose. Here are the most important ones:
A record: Maps a domain to an IPv4 address. The most common record type.
example.com → 93.184.216.34
AAAA record: Maps a domain to an IPv6 address (128-bit). Increasingly important as IPv4 addresses run out.
example.com → 2606:2800:220:1:248:1893:25c8:1946
CNAME record: Canonical Name, an alias that points to another domain. Used for subdomains and CDNs. A name that has a CNAME may carry no other records, so a CNAME cannot be used at the zone apex (example.com itself).
www.example.com → example.com
MX record: Mail Exchanger, specifies which server handles email for the domain. Has a priority value (lower = preferred).
example.com MX 10 mail.example.com
TXT record: Stores arbitrary text. Used for SPF (email sender verification), DKIM (email signing), domain verification (Google, Let's Encrypt), and more.
example.com TXT "v=spf1 include:_spf.google.com ~all"
NS record: Nameserver, identifies which DNS servers are authoritative for the domain.
example.com NS ns1.examplehost.com
SOA record: Start of Authority, contains zone metadata: primary NS, admin email, serial number, refresh/retry/expire timers.
PTR record: Pointer, reverse DNS: maps an IP address back to a domain name. Used in email verification and logging.
34.216.184.93.in-addr.arpa → example.com
Every record carries a TTL (time to live), the number of seconds a caching resolver may keep reusing it before asking again. Imagine you're migrating your website to a new server with a different IP address. If your A record has a TTL of 86400 (24 hours), ISP resolvers worldwide will keep sending users to the old IP for up to 24 hours after you make the change. That's why before a migration you lower the TTL to 300 (5 minutes) at least a day in advance: the old long-TTL entries expire, and when you switch, the change propagates within minutes. Lowering the TTL at the same time as the switch does nothing for caches that already hold the old answer.
Conversely, CDN providers like Cloudflare often use very low TTLs (auto = ~5 min) so they can dynamically route traffic, while stable services use high TTLs (3600+) to reduce DNS lookup overhead and improve performance.
When you type www.example.com in your browser and press Enter, a chain of lookups occurs, usually in under 100 milliseconds. Step by step:
1. Browser and OS cache. The browser checks its own cache, then hands the name to the operating system's stub resolver: on Linux, systemd-resolved or whatever nsswitch.conf configures; on Windows, the DNS Client service.
2. Hosts file. The stub resolver consults /etc/hosts (Linux/Mac) or C:\Windows\System32\drivers\etc\hosts (Windows). Entries here override DNS, which is useful for development and testing but is also exploited by malware to redirect or block sites.
3. Recursive resolver. If there is no local answer, the stub sends the query to its configured recursive resolver (your ISP's, your organization's, or a public one such as 8.8.8.8 (Google) or 1.1.1.1 (Cloudflare)). If the resolver has the answer cached and its TTL has not expired, it replies immediately.
4. Root server. Otherwise the resolver asks a root server. The root doesn't know www.example.com, but it knows who manages .com and responds with a referral to the .com TLD servers.
5. TLD server. The .com server doesn't know the address either, but it replies: "the nameservers for example.com are ns1.example.com and ns2.example.com," along with glue A records for those names so the resolver can reach them.
6. Authoritative server. The resolver asks ns1.example.com, which holds the example.com zone and returns the A record for www.example.com. The resolver caches the answer for its TTL and passes it back to the stub resolver, which passes it to the browser.
DNS was designed in the 1980s without security in mind. Traditional DNS queries travel in plaintext UDP, making them visible to anyone on the network path, and nothing in the protocol itself proves who sent an answer. This creates the attack vectors described next.
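The six resolution steps above and the TTL migration scenario from the earlier section, as one added example that is not code from the original page: a miniature stub plus recursive resolver in Python that checks a hosts file, then a TTL-aware cache, then walks root, TLD and authoritative servers by following referrals. The server addresses (TEST-NET 192.0.2.x), the zone contents and the hosts-file entry are all constructed, and every delegation carries glue so the walk never has to resolve a nameserver name on its own.

```python
import time

# Constructed stand-in for the root, .com and example.com servers, using TEST-NET
# addresses rather than real servers. Each entry maps a server IP to the records it
# will answer with, as (name, type, ttl, rdata).
ROOT_HINT = "192.0.2.1"   # a stub's built-in knowledge: where one root server is
AUTHORITATIVE = {
    "192.0.2.1": [  # root: knows only who runs .com (plus glue for that server)
        ("com.", "NS", 172800, "a.gtld-servers.net."),
        ("a.gtld-servers.net.", "A", 172800, "192.0.2.2"),
    ],
    "192.0.2.2": [  # .com TLD: knows only example.com's nameserver (plus glue)
        ("example.com.", "NS", 172800, "ns1.example.com."),
        ("ns1.example.com.", "A", 172800, "192.0.2.3"),
    ],
    "192.0.2.3": [  # example.com's authoritative server
        ("www.example.com.", "A", 86400, "93.184.216.34"),
    ],
}
HOSTS_FILE = {"dev.example.com.": "127.0.0.1"}  # constructed /etc/hosts entry


def set_record(name, rtype, ttl, rdata, server="192.0.2.3"):
    """Change a record at the authoritative server (e.g. a migration to a new IP)."""
    records = AUTHORITATIVE[server]
    records[:] = [r for r in records if (r[0], r[1]) != (name, rtype)]
    records.append((name, rtype, ttl, rdata))


def query_server(server, qname, qtype):
    """Ask one server. Returns ('answer', record), ('referral', next_ip) or ('nxdomain', None)."""
    records = AUTHORITATIVE[server]
    for rec in records:
        if rec[0] == qname and rec[1] == qtype:
            return "answer", rec
    # No answer here: refer to the closest enclosing delegation, using its glue address
    best = None
    for name, rtype, _ttl, rdata in records:
        if rtype == "NS" and qname.endswith("." + name):
            if best is None or len(name) > len(best[0]):
                best = (name, rdata)
    if best is not None:
        glue = {r[0]: r[3] for r in records if r[1] == "A"}
        return "referral", glue[best[1]]   # every delegation in this data carries glue
    return "nxdomain", None


def resolve(qname, qtype="A", cache=None, now=None):
    """Stub + recursive behaviour: hosts file, then cache, then iterate from the root.
    Returns (rdata, trail), where trail records where the answer came from."""
    cache = {} if cache is None else cache
    now = time.time() if now is None else now
    if qtype == "A" and qname in HOSTS_FILE:          # step 2: hosts file wins outright
        return HOSTS_FILE[qname], ["hosts"]
    key = (qname, qtype)
    if key in cache and cache[key][1] > now:           # step 3: unexpired cache entry
        return cache[key][0], ["cache"]
    server, trail = ROOT_HINT, []
    for _ in range(10):   # bound the chain so a broken delegation can't loop forever
        trail.append(server)                            # steps 4-6: root, TLD, authoritative
        kind, payload = query_server(server, qname, qtype)
        if kind == "answer":
            _name, _type, ttl, rdata = payload
            cache[key] = (rdata, now + ttl)             # reused until the TTL runs out
            return rdata, trail
        if kind == "referral":
            server = payload
            continue
        return None, trail
    raise RuntimeError("too many referrals for %s" % qname)


if __name__ == "__main__":
    c = {}
    print(resolve("www.example.com.", cache=c, now=0))      # full walk
    set_record("www.example.com.", "A", 86400, "198.51.100.7")  # the migration
    print(resolve("www.example.com.", cache=c, now=3600))   # still the old IP, from cache
    print(resolve("www.example.com.", cache=c, now=86400))  # TTL expired: new IP
```

The `now` parameter stands in for the clock so the migration can be replayed deterministically: the second lookup an hour after the change still returns the old address, because the cache entry written with the 24-hour TTL has not expired.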
DNS cache poisoning (spoofing): The attacker races to send a forged DNS response to a resolver before the legitimate response arrives. The resolver accepts whichever answer first matches the outstanding query's 16-bit transaction ID (and, on older resolvers, a predictable source port). If the forgery wins, the fake answer (pointing to an attacker-controlled IP) gets cached and served to all users who query that domain until its TTL expires.
Impact: Users are silently redirected to phishing sites that look identical to the real ones. The Kaminsky attack (2008) showed that querying random subdomains gives the attacker unlimited retries at the race, so poisoning could be done reliably and at massive scale.
Defense: DNSSEC (cryptographic verification), randomized source ports, 0x20 encoding (random letter case in the question name, which a genuine answer echoes back and a blind forger must guess).
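An added example (not from the original page) of why the three defenses above matter, in Python: a model of what a resolver remembers about an outstanding query, and an off-path attacker who cannot see the query and so sprays forged answers over every transaction ID. The blind attacker always wins against a fixed source port, never guesses a randomized one, and with 0x20 encoding must also reproduce the random letter case. `entropy_bits` is an assumed model (16 bits for the port, one bit per letter), not a measurement of any real resolver.

```python
import random


def randomize_case(name, rng):
    """0x20 encoding: randomize the case of each letter. A genuine answer echoes the
    question byte-for-byte, so a forger who never saw the query must guess every letter."""
    return "".join(rng.choice((c.lower(), c.upper())) if c.isalpha() else c for c in name)


class OutstandingQuery:
    """What a recursive resolver remembers about one query it has sent upstream."""

    def __init__(self, name, rng, random_port, use_0x20):
        self.txid = rng.randrange(1 << 16)                               # 16-bit transaction ID
        self.sport = rng.randrange(1024, 1 << 16) if random_port else 53  # legacy: fixed port
        self.qname = randomize_case(name, rng) if use_0x20 else name

    def accept(self, txid, dport, qname):
        """Only a response whose ID, destination port and question all match is cached."""
        return txid == self.txid and dport == self.sport and qname == self.qname


def make_query(name, seed, random_port=True, use_0x20=True):
    """Build a query with a seeded RNG so runs are reproducible."""
    return OutstandingQuery(name, random.Random(seed), random_port, use_0x20)


def entropy_bits(name, random_port, use_0x20):
    """Bits an off-path attacker must guess per forged packet (assumed model)."""
    bits = 16                                          # transaction ID
    bits += 16 if random_port else 0                   # source port, treated as ~16 bits
    bits += sum(c.isalpha() for c in name) if use_0x20 else 0   # one bit per letter
    return bits


def blind_spoof(query, name, attempts=1 << 16):
    """Off-path attacker: sprays forged answers over every transaction ID, assuming the
    classic fixed port 53 and the name exactly as the client typed it.
    Returns True if any forgery would have been accepted."""
    return any(query.accept(txid, 53, name) for txid in range(attempts))


if __name__ == "__main__":
    for random_port, use_0x20 in [(False, False), (True, False), (True, True)]:
        q = make_query("www.example.com", seed=42, random_port=random_port, use_0x20=use_0x20)
        print("random_port=%s 0x20=%s bits=%d poisoned=%s" % (
            random_port, use_0x20, entropy_bits("www.example.com", random_port, use_0x20),
            blind_spoof(q, "www.example.com")))
```

The Kaminsky trick does not change the per-packet odds; it removes the waiting time between attempts. That is why the fix was to raise the bits per attempt (port randomization, 0x20) rather than to rely on TTLs, and why DNSSEC, which makes a forged answer fail validation regardless of the race, is the structural fix.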
DNS tunneling: Attackers encode data within DNS queries and responses to create a covert communication channel. Since outbound DNS is rarely blocked by firewalls (and is often allowed even from hosts with no other internet access), it can be used to exfiltrate stolen data or establish command-and-control (C2) channels with malware.
How it works: Data is encoded as subdomains of a domain the attacker controls, for example dGhpcyBpcyBzZWNyZXQ.evil.com. The victim's own resolver forwards the query to the authoritative server for evil.com, which decodes the base64 subdomain; the server's replies (TXT records, for instance) carry data back the other way.
Defense: Monitor for unusually long query names, high query volume or many unique subdomains under a single domain, high-entropy subdomain labels, and unusual record types such as TXT or NULL in bulk. Allow internal hosts to talk only to your own resolvers rather than directly to external port 53, so the channel has to pass through something you log.
DNS amplification (DDoS): The attacker sends DNS queries with the victim's spoofed source IP to open recursive resolvers, which send their (much larger) responses to the victim. UDP makes this possible because there is no handshake to prove the source address. A 60-byte query can produce a 4,000+ byte response (for example an ANY query against a DNSSEC-signed zone), roughly a 70x amplification factor.
Impact: The victim is overwhelmed with traffic they never requested, causing denial of service.
Defense: BCP38 ingress filtering (so spoofed packets never leave the originating network), no open resolvers (answer recursive queries only for your own clients), response rate limiting (RRL) on authoritative servers.
DNS hijacking (registrar compromise): An attacker gains unauthorized access to a domain's registrar account and changes the DNS records (NS records, A records) to point to their own servers. This gives them complete control over the domain, including the ability to pass domain validation and obtain valid TLS certificates for it.
Impact: All traffic, including email, is redirected to attacker infrastructure. Used in high-profile attacks against banks and governments.
Defense: Registrar lock, 2FA on registrar accounts, registry lock (expensive but secure), and monitoring of your NS/A records and Certificate Transparency logs for unexpected changes.
DNSSEC: Adds cryptographic signatures to DNS records, chained from the root down through each delegation. A validating resolver can verify that a response was signed by the zone's key and wasn't tampered with, so a forged cache-poisoning answer fails validation. It doesn't encrypt queries, it only proves authenticity and integrity, and it only helps when the zone is signed and the resolver actually validates.
DNS over HTTPS (DoH): Encrypts DNS queries inside HTTPS connections (port 443). Makes DNS queries indistinguishable from regular web traffic. Supported by Firefox, Chrome, and public resolvers like Cloudflare (1.1.1.1).
DNS over TLS (DoT): Encrypts DNS queries using TLS on a dedicated port (853). Unlike DoH, it uses a separate port, which makes it easier to manage or block at the network level. Supported by Android 9+ ("Private DNS").
Both DoH and DoT protect only the hop between your device and the resolver: the resolver still sees every query in the clear, and its own lookups to authoritative servers remain plaintext unless the resolver validates with DNSSEC and the operator adds other protections.
DNS filtering and sinkholing: Organizations use DNS filtering (Pi-hole, OpenDNS, Cisco Umbrella) to block queries to known malicious domains. Sinkholing redirects malware C2 domains to a controlled server for analysis.
DNS enumeration is one of the first steps in any penetration test or bug bounty engagement: querying each of the record types above for the target, trying reverse (PTR) lookups across its address ranges, and guessing or brute-forcing subdomain names. Tools such as subfinder, amass, and dnsrecon automate the process and can discover hidden subdomains that may expose sensitive services (staging servers, admin panels, forgotten APIs).