What is a DNS server?

Published: 30 January 2024
Contributors: Camilo Quiroz Vazquez, Michael Goodwin

DNS servers translate the website domain names users search in web browsers into corresponding numerical IP addresses. This process is known as DNS resolution. 

The Domain Name System (DNS) allows users to access websites using domain names and URLs rather than complex numerical internet protocol (IP) addresses. DNS is made possible by four types of integrated DNS servers: recursive DNS servers, root name servers, top-level domain name servers and authoritative name servers.

A user initiates a DNS query by entering a host name, such as www.example.com, into a web browser's address bar. When this happens, a series of steps known as DNS lookup begins to match the domain name with its designated IP address. An IP address is a numerical identifier assigned to every device and network that connects to the internet. IP addresses are either IPv4 addresses, such as 93.184.216.34, or IPv6 addresses, such as 2001:db8:3333:4444:5555:6666:7777:8888.

While numbers like these keep addressing organized, users cannot be expected to remember them or to search the internet by using them. DNS allows domain names to be chosen for functional purposes such as branding and a simpler user experience. DNS servers are designed to make this process seamless for users while accommodating high traffic volumes and changing domain names and IP addresses. The process of DNS resolution depends on variables such as load balancing, server and user location and internet connection strength.

Types of DNS servers

There are four types of DNS servers involved in the process of translating user searches into IP addresses. The servers work interdependently, each taking on a different function, which is intended to keep the process fast and secure. 

A DNS query passes through these four servers in the order they are listed: 

Recursive DNS server

Also known as a DNS recursor or recursive DNS resolver, this is the first stop for a recursive query, the process in which one DNS server communicates with other DNS servers to locate and return an IP address. This server receives a DNS query and can connect a user to the desired site using cached data or, if the site's data is not cached, send follow-up requests to the DNS name servers.

Once it receives the information back from the name server, the recursive resolver connects the user to the correct site. With each search, the resolver caches the data it receives. This accelerates later lookups and gives users faster access to the correct web page. Most DNS recursors are provided by internet service providers (ISPs).

Root name server

When a recursive DNS server does not have cached data, it sends a DNS query to the DNS root name server. The root name server accepts the query and forwards it to a top-level domain (TLD) name server. Which TLD server the query is forwarded to depends on the desired site's extension: .com, .org or .net, for example. There are 13 main DNS root servers operated by the Internet Corporation for Assigned Names and Numbers (ICANN).

Top-level domain (TLD) name server

TLD name servers contain data related to domain names with the same extension. This means there are designated TLD servers for websites with the extensions .com, .org and .net. Once the query reaches the correct TLD name server, it is then directed to the authoritative name server. 

Authoritative name server

Generally the final step in the process of retrieving an IP address, authoritative DNS servers store information related to specific domain names in DNS resource records. These DNS records contain information about a specific domain and its corresponding IP address. When the correct IP address is found, it is sent back to the recursive resolver. If it is not located, the user will receive an error message. 

While each of their functions is complex, properly functioning DNS services should be imperceptible to users and the retrieval process should only take seconds. Having four types of servers helps the process of load-balancing, or distributing network traffic across multiple servers so that no one server is overworked.

How do DNS servers work?

DNS is often considered "the phonebook of the internet," holding a record of domain names and their associated IP addresses. DNS servers are the engines that drive IP address retrieval for DNS clients. DNS clients are built into routers and operating systems in smartphones or desktop devices and act as a conduit between local devices and servers. Most routers have primary and secondary DNS servers configured through their internet provider to protect against failures.

When a user searches for a domain, the DNS request initiates a DNS query that is directed to DNS servers. From here, two things can occur. The first is a query return from DNS caching. DNS caching is the temporary storage of DNS records from previous searches on DNS servers or other devices. A DNS cache allows a query to skip a long DNS lookup and provide a faster response by returning a DNS record that is already stored in a temporary DNS cache. Based on DNS settings, resolvers and clients cache this information for a specified amount of time, known as time-to-live (TTL).

If there is no cached information, the DNS query passes through the four types of servers (the process described in the section above) to find and return the correct IP address.
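The lookup chain and the TTL-bounded cache described in the two sections above, as an added illustration (not code from this page or from IBM NS1 Connect): the root, TLD and authoritative tiers are modelled as small constructed dictionaries, and the resolver only walks the chain when its cache has no unexpired record. The server names and the 300-second TTL are assumptions for the example.

```python
import time

# Constructed sample data standing in for the three name-server tiers
# (not real DNS zone data): the root knows the TLD servers, each TLD
# server knows the authoritative server for a zone, and the
# authoritative server holds records as (IP address, TTL in seconds).
ROOT = {"com": "tld-server.com"}
TLD = {"tld-server.com": {"example.com": "ns1.example.com"}}
AUTH = {"ns1.example.com": {"www.example.com": ("93.184.216.34", 300)}}


class RecursiveResolver:
    """Minimal model of a recursive resolver with a TTL-bounded cache."""

    def __init__(self, clock=time.monotonic):
        self.cache = {}      # name -> (ip, expiry time)
        self.clock = clock   # injectable so TTL expiry can be exercised
        self.walks = 0       # how often the root/TLD/authoritative chain was walked

    def resolve(self, name):
        now = self.clock()
        hit = self.cache.get(name)
        if hit is not None and hit[1] > now:
            return hit[0]            # cache hit: no upstream queries at all
        if hit is not None:
            del self.cache[name]     # record expired: fall through to a fresh lookup
        ip, ttl = self._walk(name)
        if ip is None:
            return None              # NXDOMAIN: the client sees an error
        self.cache[name] = (ip, now + ttl)
        return ip

    def _walk(self, name):
        """Walk root -> TLD -> authoritative, the four-step lookup the page describes."""
        self.walks += 1
        tld = name.rsplit(".", 1)[-1]
        tld_server = ROOT.get(tld)
        if tld_server is None:
            return None, 0           # root has no such TLD
        zone = ".".join(name.split(".")[-2:])
        auth_server = TLD[tld_server].get(zone)
        if auth_server is None:
            return None, 0           # TLD server has no such zone
        return AUTH[auth_server].get(name, (None, 0))
```

Repeated lookups of the same name within the TTL never leave the resolver; once the record expires, the full chain is walked again.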

Public DNS vs. private DNS

DNS can be public or private. Public DNS servers are available to anyone using the internet and are generally set up by internet service providers. Public DNS services help manage authoritative name servers by supporting traffic steering and load balancing, which improve network performance.

Private DNS is set up behind a firewall and maintains records for internal websites. It is often reached through a virtual private network (VPN) and stores only internal IP addresses. A private DNS can be accessed only by authorized members of an organization, which limits exposure to external threats, but it must be managed by the organization or a private DNS provider.

DNS security

DNS servers can be subject to attacks that deny access to domains, overwhelm servers with traffic or take over DNS infrastructure. DNS providers such as IBM® NS1 Connect offer managed DNS services to protect against these types of attacks.

Common types of DNS attacks include:

Flood attack

Distributed denial of service (DDoS) attacks overwhelm authoritative name servers with a flood of traffic. Authoritative servers are unable to fulfill legitimate DNS queries because they are inundated with malicious traffic.

Random subdomain attack

This is a denial of service attack that is also referred to as an NXDOMAIN attack. It sends authoritative name servers requests for nonexistent subdomains, making them unable to respond to real queries.

DNS amplification attack (DNS flood)

A tool to amplify DDoS attacks, DNS floods can cause disruption by artificially inflating the workload DNS servers must execute to complete a query.

Cache poisoning

In this attack, forged DNS data infiltrates the cache of a DNS resolver, creating an incorrect IP address for a domain that brings users to an unexpected website. These websites can subject users to malware or phishing attempts.

DNS protocol attacks

This attack targets DNS servers by causing them to process malformed packets, leaving them unable to process legitimate queries.

BGP hijacking attack

This attack reroutes users through the Border Gateway Protocol (BGP) from legitimate domains to ones that are often set up for malicious purposes.

DNS tunneling

In this attack DNS infrastructure becomes a pathway to pass malware or stolen data past a firewall.

DNS hijacking (credential theft)

This is an attack that alters or destroys DNS zone data by gaining unauthorized access to the management of DNS servers.

Domain theft

In a domain theft, attackers take ownership of a domain name through unauthorized access to the domain's registrar.
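A detection check for the random subdomain (NXDOMAIN) attack described above, as an added example that is not part of the original page or of any IBM product: it reads an authoritative server's query log and flags clients that produce many NXDOMAIN answers for many distinct, never-before-seen labels under a zone. The log format (timestamp, client, name, response code) and the thresholds are assumptions; the log lines are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample query log for an authoritative server (not real traffic).
# Fields: timestamp, client IP, queried name, response code.
LOG = """\
1706600000 203.0.113.10 www.example.com NOERROR
1706600001 198.51.100.7 kq3x9.example.com NXDOMAIN
1706600001 198.51.100.7 a81vz.example.com NXDOMAIN
1706600002 198.51.100.7 p0q1r.example.com NXDOMAIN
1706600002 203.0.113.10 mail.example.com NOERROR
1706600003 198.51.100.7 zz7mb.example.com NXDOMAIN
1706600003 198.51.100.7 l4ddk.example.com NXDOMAIN
1706600004 203.0.113.44 old.example.com NXDOMAIN
"""


def parse(log):
    """Yield (timestamp, client, name, rcode) for each log line."""
    for line in log.splitlines():
        ts, client, name, rcode = line.split()
        yield int(ts), client, name.lower().rstrip("."), rcode


def nxdomain_stats(log, zone):
    """Per-client NXDOMAIN count and the set of distinct labels queried under zone."""
    counts = Counter()
    labels = defaultdict(set)
    suffix = "." + zone.lower()
    for _, client, name, rcode in parse(log):
        if rcode == "NXDOMAIN" and name.endswith(suffix):
            counts[client] += 1
            labels[client].add(name[: -len(suffix)])
    return counts, labels


def flag_random_subdomain(log, zone, min_nx=5, min_unique=5):
    """Clients whose NXDOMAIN volume and label diversity both exceed the thresholds.

    A user mistyping one name produces a single repeated NXDOMAIN; a random
    subdomain flood produces a stream of unique labels, so both counts must be high.
    """
    counts, labels = nxdomain_stats(log, zone)
    return sorted(c for c in counts
                  if counts[c] >= min_nx and len(labels[c]) >= min_unique)
```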
