
DNS resolution end to end

DNS maps names to addresses through a chain of caches and authoritative servers. A cold lookup costs four queries (stub to resolver, then resolver to root, TLD and authoritative server); a warm lookup served from a local cache costs none.

DNS turns api.example.com into 192.0.2.42. The lookup walks a chain: browser cache, OS cache, then the recursive resolver, which asks a root server, the TLD server and finally the zone's authoritative server. Each hop caches what it learns for the record's TTL, so most of the chain is skipped on repeat lookups.

The chain on a cold lookup

Cold DNS lookup walks root, TLD, then authoritative

Once cached, subsequent lookups hit the resolver or OS cache and skip the walk.

Record types you must know

  • A: name to IPv4.
  • AAAA: name to IPv6.
  • CNAME: alias to another name.
  • MX: mail server for the domain.
  • TXT: arbitrary text (SPF, DKIM, domain verification).
  • NS: nameservers for the zone.
  • SOA: zone metadata, including default TTLs.
  • HTTPS / SVCB: modern service-binding record advertising protocol and connection hints before the first connection (ALPN for h2/h3, alternative ports, IP hints, ECH configuration).

TTLs and caching

Each record carries a TTL in seconds. A resolver must not serve a cached answer past its TTL but may drop it earlier. A record created without an explicit TTL gets the zone's default (the zone file's $TTL directive, or whatever your DNS provider applies), commonly 300-3600 seconds; the SOA's minimum field governs how long a negative answer (NXDOMAIN) is cached, not the default for new records.

When you change a record, the old value can linger anywhere for up to the old TTL: every resolver that cached it keeps serving it until its copy expires, and you cannot purge their caches. Lower the TTL at least one old-TTL period before a migration so the short value has reached every cache, then raise it again afterwards. Some resolvers clamp very low TTLs to a floor of their own, so allow a little slack beyond the nominal window.
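The walk and the caching in one place, as an added example that is not from the page: a toy recursive resolver over constructed root, TLD and authoritative data (the server names and 192.0.2.0/24 addresses are made up, and the real hierarchy is far larger), with a TTL cache driven by a fake clock so expiry can be stepped through without sleeping. It also plays out the migration point above: a record changed at the authority stays invisible to a warm cache until the old TTL runs out.

```python
import time

# Constructed zone data (not real servers). Each server is a dict of
# (owner name, type) -> [(rdata, ttl)]. An NS record at a child zone's apex
# acts as a delegation; 192.0.2.0/24 is documentation address space.
SERVERS = {
    "root": {("com.", "NS"): [("a.gtld-servers.net.", 172800)]},
    "a.gtld-servers.net.": {("example.com.", "NS"): [("ns1.example.com.", 86400)]},
    "ns1.example.com.": {("api.example.com.", "A"): [("192.0.2.42", 300)]},
}


def authoritative_answer(records, name, rtype):
    """What one authoritative server says: an answer, a referral to a child
    zone it has delegated, or nothing (NXDOMAIN)."""
    if (name, rtype) in records:
        return "answer", records[(name, rtype)]
    labels = name.split(".")
    for i in range(1, len(labels)):          # longest matching delegation first
        zone = ".".join(labels[i:])
        if (zone, "NS") in records:
            return "referral", records[(zone, "NS")]
    return "nxdomain", []


class FakeClock:
    """Controllable clock so TTL expiry can be exercised deterministically."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class Resolver:
    """Recursive resolver: cache first, otherwise iterate root -> TLD -> authority."""
    def __init__(self, servers, clock=time.monotonic):
        self.servers = servers
        self.clock = clock
        self.cache = {}          # (name, type) -> (rdata list, absolute expiry)

    def resolve(self, name, rtype="A"):
        """Return (rdata list, number of upstream queries). The stub's own query
        to this resolver is not counted, so the page's 'four' is 1 + 3 here."""
        key = (name, rtype)
        hit = self.cache.get(key)
        if hit and hit[1] > self.clock():
            return hit[0], 0                 # warm: served from cache, no walk
        self.cache.pop(key, None)            # expired entry: evict and walk again
        server, queries = "root", 0
        while True:
            queries += 1
            kind, rrs = authoritative_answer(self.servers[server], name, rtype)
            if kind == "answer":
                rdata = [r for r, _ in rrs]
                ttl = min(t for _, t in rrs)      # cache for the shortest TTL in the set
                self.cache[key] = (rdata, self.clock() + ttl)
                return rdata, queries
            if kind == "referral":
                server = rrs[0][0]           # follow the first NS (glue address assumed)
                continue
            raise LookupError(f"{name} {rtype}: NXDOMAIN")


def migration_demo():
    """Cold walk, warm hit, then a record change that stays invisible until the
    old TTL expires. Returns the four (rdata, queries) results in order."""
    servers = {k: dict(v) for k, v in SERVERS.items()}   # private copy to mutate
    clock = FakeClock()
    r = Resolver(servers, clock)
    cold = r.resolve("api.example.com.")             # (['192.0.2.42'], 3)
    warm = r.resolve("api.example.com.")             # (['192.0.2.42'], 0)
    # Operator moves the service at t=100 s and only now drops the TTL to 60.
    clock.now = 100.0
    servers["ns1.example.com."][("api.example.com.", "A")] = [("192.0.2.43", 60)]
    stale = r.resolve("api.example.com.")            # still (['192.0.2.42'], 0): cached until t=300
    clock.now = 301.0
    fresh = r.resolve("api.example.com.")            # (['192.0.2.43'], 3)
    return cold, warm, stale, fresh
```

The third result is the whole migration lesson: the authority already says 192.0.2.43, but this resolver (and every other one that cached the record) keeps answering 192.0.2.42 for the remainder of the original 300 s, and the new 60 s TTL only takes effect once the old entry has expired.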

Recursive vs authoritative

  • Recursive resolver: 1.1.1.1, 8.8.8.8, your ISP's. Does the walk for you and caches the results.
  • Authoritative server: the source of truth for a zone. Cloudflare DNS, AWS Route 53, your registrar's DNS.

Your client's stub resolver only ever talks to a recursive resolver (the one handed out by DHCP or listed in /etc/resolv.conf, or a DoH resolver the browser picks). That resolver talks to the authority chain, and whoever runs it sees every name you look up.

UDP, then TCP

DNS queries go over UDP port 53 by default. A plain UDP reply is capped at 512 bytes; with EDNS0 the client advertises a larger buffer in an OPT record. If the answer still does not fit, the server sends a reply with the TC (truncated) bit set and the client repeats the same query over TCP port 53, where each message carries a 2-byte length prefix.

DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt the query between you and the resolver. Cloudflare 1.1.1.1, Google 8.8.8.8 and Quad9 all support both, and browsers (Firefox, Chrome) increasingly use DoH by default. Note the scope: the resolver still sees your queries in the clear, it typically walks the authorities over plain port 53, and encrypting the transport does not authenticate the answer.
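As an added example (not code from the page), a minimal pure-Python view of the two sections above: the wire-format query with an EDNS0 OPT record, a response parser that honours the TC bit and follows compression pointers (with a hop cap so a crafted reply cannot loop it), the UDP-then-TCP retry, and the same message packaged as a DoH GET. The transports are constructed stand-ins that return fabricated replies; the Cloudflare DoH endpoint is only a default parameter, and nothing here touches the network.

```python
import base64
import struct

TXID = 0x1234  # constructed transaction ID for the demo


def encode_name(name):
    # 'api.example.com' -> 03 'api' 07 'example' 03 'com' 00
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=1, txid=TXID, udp_size=None):
    """Header + one IN question; with udp_size, an EDNS0 OPT record advertising it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if udp_size else 0)  # RD=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if udp_size:  # OPT pseudo-RR: root name, type 41, CLASS = UDP payload size, TTL = flags, no RDATA
        opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return header + question + opt


def read_name(msg, off):
    """Decode a name at msg[off:], following compression pointers; returns (name, end offset).
    Pointer hops are capped so a crafted reply with a pointer loop cannot spin forever."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # 11xxxxxx: 14-bit pointer to an earlier name
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2  # the name ends after the first pointer we followed
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off


def parse_response(msg):
    """Return id, TC flag, RCODE and the answer section (A and CNAME rdata decoded)."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1 and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        elif rtype == 5:
            value = read_name(msg, off)[0]
        else:
            value = rdata
        answers.append((name, rtype, ttl, value))
        off += rdlen
    return {"id": txid, "tc": bool(flags & 0x0200), "rcode": flags & 0xF, "answers": answers}


def build_response(txid, name, addrs, ttl=300, tc=False):
    """Fabricate a reply for the demo. Owner names use pointer 0xC00C back to the question
    name at offset 12. tc=True drops the answers and sets TC, as a server does when the
    reply will not fit the client's UDP buffer."""
    flags = 0x8180 | (0x0200 if tc else 0)  # QR, RD, RA (+TC)
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0 if tc else len(addrs), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    for a in [] if tc else addrs:
        msg += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in a.split("."))
    return msg


def lookup(name, send_udp, send_tcp, udp_size=1232):
    """UDP first; on a truncated reply, repeat the identical query over TCP
    (send_tcp is expected to add the 2-byte length prefix DNS-over-TCP uses)."""
    query = build_query(name, udp_size=udp_size)
    reply = parse_response(send_udp(query))
    if reply["id"] != TXID:  # cheap check against off-path spoofed replies
        raise ValueError("transaction ID mismatch")
    transport = "udp"
    if reply["tc"]:
        reply, transport = parse_response(send_tcp(query)), "tcp"
    return transport, reply["answers"]


def doh_get_url(name, endpoint="https://cloudflare-dns.com/dns-query"):
    """The same wire message as a DoH GET: base64url without padding, ID 0 so HTTP caches can key on it."""
    q = build_query(name, txid=0)
    return endpoint + "?dns=" + base64.urlsafe_b64encode(q).rstrip(b"=").decode("ascii")


def truncation_demo():
    """Constructed transports: UDP answers with TC=1, TCP with the full record set."""
    udp = lambda q: build_response(TXID, "api.example.com", [], tc=True)
    tcp = lambda q: build_response(TXID, "api.example.com", ["192.0.2.42"])
    return lookup("api.example.com", udp, tcp)  # ('tcp', [('api.example.com.', 1, 300, '192.0.2.42')])
```

The transaction-ID check in `lookup` is deliberately modest: a real stub also randomises the source port and the ID, and only DNSSEC validation (or a resolver you trust over DoH/DoT) tells you the bytes are genuine rather than merely well-formed.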

Numbers worth knowing

  • Cold cross-continent lookup: 50-200 ms.
  • Cached lookup: under 1 ms.
  • Typical TTL: 300 seconds (5 min) for fast-changing records, 86400 (1 day) for stable ones.
  • DNS over UDP limit: 512 bytes (without EDNS0).
  • EDNS0 buffer: 4096 bytes was the common advertised size; since DNS Flag Day 2020 many resolvers advertise 1232 to avoid IP fragmentation.
