What is DNS Resolution
How a hostname becomes an IP address — and why it's never as instant as you think
TL;DR
DNS resolution is like asking a chain of librarians for a book's shelf number: you ask your local desk, they ask a floor supervisor, who asks the head archivist, until someone knows the exact location.
The idea
DNS resolution is the process of translating a human-readable hostname (e.g. api.example.com) into a machine-routable IP address. No single server knows every mapping — instead, a hierarchy of authoritative servers delegates answers downward. Your OS, your router, and your ISP each cache pieces of that answer to avoid re-asking the whole chain every time.
Where it shows up
System-design interviews: Interviewers expect you to know that DNS adds latency on cold requests and that TTLs control how fast traffic shifts during failover or blue/green deploys — not instantly.
On-call: A surprising number of incidents trace back to DNS: stale caches after a misconfigured TTL, NXDOMAIN from a typo in a Terraform zone record, or clients that ignore TTL and cache forever. Knowing where to look (dig +trace, /etc/resolv.conf, cloud resolver logs) cuts triage time dramatically.
Real systems: Service meshes (Kubernetes DNS via CoreDNS), CDN routing (Cloudflare Anycast), AWS Route 53 health-check-based failover, and GeoDNS load balancing all live on top of DNS. You cannot reason about any of them without understanding resolution.
Read the detailed breakdown›
The hierarchy, first principles
DNS is a globally distributed, eventually-consistent, read-heavy key-value store. The key is a Fully Qualified Domain Name (FQDN); the value is one or more resource records (A, AAAA, CNAME, MX, TXT, …). The store is sharded by a tree structure: the root zone, then top-level domains (TLDs), then second-level domains, then subdomains — each level delegated to different operators.
The five players in every resolution
- Stub resolver — a tiny library inside your OS (glibc, Windows DNS Client). It has no knowledge of the hierarchy; it just forwards queries to a configured recursive resolver.
- Recursive resolver (a.k.a. full-service resolver) — the heavy lifter. Your ISP, Google (8.8.8.8), Cloudflare (1.1.1.1), or your VPC's resolver. It does the multi-step walk on your behalf and caches results.
- Root nameservers — 13 logical servers (A–M.root-servers.net), anycast-distributed across 1,700+ physical nodes. They don't know your answer; they know which nameservers are authoritative for each TLD.
- TLD nameservers — operated by registries (Verisign for
.com, PIR for.org). They know which nameservers are authoritative for each registered second-level domain. - Authoritative nameserver — the source of truth for a zone. This is where your A records, CNAMEs, and MX entries live. Route 53, Cloudflare DNS, or your own BIND server.
The resolution walk, step by step
Assume cold cache throughout:
- Your browser calls
getaddrinfo("api.example.com"). The OS stub resolver checks/etc/hosts— no match. - Stub resolver sends a recursive query to the configured recursive resolver (say, 1.1.1.1).
- Recursive resolver checks its cache — cold. It starts the iterative walk.
- Recursive resolver queries a root nameserver: "Who handles
.com?" Root responds with NS records pointing to Verisign's TLD nameservers. (i.e. the registry's Name Server) - Recursive resolver queries a
.comTLD nameserver: "Who handlesexample.com?" TLD responds with NS records forexample.com's authoritative nameserver. - Recursive resolver queries that authoritative nameserver: "What is the A record for
api.example.com?" Authoritative server responds with93.184.216.34(this is just an example, and may not be accurate) and a TTL (say, 300 seconds). - Recursive resolver caches the answer for 300 seconds, then returns it to your stub resolver.
- OS caches it (often separately, with its own TTL enforcement), then returns it to your application.
Total round trips: typically 3 UDP exchanges (root → TLD → authoritative), each ~10–100 ms depending on geography. On a warm cache, step 2 returns in <5 ms.
Resource records you must know
- A / AAAA — maps hostname → IPv4 / IPv6.
- CNAME — canonical name alias; chains to another name. A CNAME at a zone apex is forbidden by RFC 1034 (use ALIAS/ANAME or CNAME flattening as workarounds).
- NS — delegates a zone to a nameserver. The glue that makes the whole hierarchy work.
- SOA — Start of Authority; defines the zone's primary nameserver, admin email, serial number, and negative-cache TTL.
- MX, TXT, SRV — mail routing, verification tokens, service discovery.
TTL mechanics and why they matter operationally
TTL (Time To Live) is set by the zone owner on each record. It is a hint to caching resolvers — RFC 1035 says resolvers must respect it, but many clients (browsers, JVMs, some CDNs) apply their own minimums or maximums. When you're planning a migration:
- Lower TTLs to 60–300 seconds before the cutover, not during.
- After cutover, raise them back to hours or days to reduce resolver load.
- Understand that some resolvers ignore TTL floors — a record with TTL 0 may still be cached for 30–60 seconds in practice.
Negative caching
NXDOMAIN (name does not exist) responses are also cached — for the duration specified in the SOA's MINIMUM field (RFC 2308). If you fix a typo in a hostname and DNS propagated the NXDOMAIN, some resolvers will stubbornly return NXDOMAIN until that TTL expires. This bites engineers who fix records and immediately test.
DNSSEC in brief
DNSSEC adds a chain of cryptographic signatures from root → TLD → authoritative zone. It prevents cache poisoning (Kaminsky attack) by letting resolvers verify that answers weren't tampered with in transit. It does not encrypt queries — DNS over HTTPS (DoH) and DNS over TLS (DoT) handle that separately.
Practical tools
# Full iterative walk from root — mirrors what a cold recursive resolver does
dig +trace api.example.com
# Query a specific resolver directly
dig @8.8.8.8 api.example.com A
# Check what your OS stub resolver sees (may differ from dig)
nslookup api.example.com
# Inspect SOA negative TTL
dig SOA example.com