DNS in System Design: How Domain Name Resolution Works (Visualized)
The Domain Name System is the internet's phone book โ it translates human-readable hostnames like example.com into the IP addresses computers actually route to. This guide walks through every layer of the resolution chain, record types, caching and TTLs, and how DNS underpins load balancing and CDNs โ with live animations.
DNS (Domain Name System) is the globally distributed, hierarchical naming system that translates human-readable domain names โ such as api.example.com โ into the IP addresses (93.184.216.34) that routers use to move packets across the internet. Without DNS every user would need to memorise numeric addresses; with it, the entire internet hides behind memorable names.
DNS is not a single server โ it is a tree-shaped namespace replicated across hundreds of thousands of servers worldwide. Each lookup climbs that tree, but smart caching means most queries never leave your local network. At massive scale, the same DNS infrastructure that resolves names also drives traffic-routing strategies like GeoDNS and anycast, making DNS a core pillar of reliability engineering.
The DNS Resolution Chain
When your browser visits www.example.com for the first time, it cannot just ask one server โ it walks a chain of four actors, each responsible for one layer of the namespace hierarchy:
1. Recursive Resolver โ operated by your ISP or a public provider like Google (8.8.8.8) or Cloudflare (1.1.1.1). It does the legwork on your behalf, querying other servers and assembling the final answer. Your OS sends the query here first.
2. Root Nameserver โ there are 13 logical root server addresses (AโM) mirrored to thousands of physical locations via anycast. They do not know where www.example.com lives, but they know who manages .com, so they refer the resolver to the right TLD nameserver.
3. TLD Nameserver โ the Top-Level Domain server is authoritative for all names ending in .com, .org, .io, and so on. It refers the resolver to the nameservers that hold the actual zone for example.com.
4. Authoritative Nameserver โ owned by the domain registrant (or their DNS provider like Route 53, Cloudflare DNS, or NS1). It holds the zone file with all records for example.com and returns the final answer: an IP address.
This full walk โ called an iterative resolution โ happens only when neither your OS, browser, nor resolver has a cached answer. In practice, cached results short-circuit most of this work, which is why DNS feels instantaneous despite spanning the globe.
Caching and TTLs
Every DNS answer comes with a TTL (Time to Live) โ a number of seconds the recipient is allowed to cache it. A TTL of 300 means any resolver (or browser) that receives the answer may reuse it for five minutes without asking again. DNS caching is layered: the browser has its own cache, the OS has one, and the recursive resolver has its own much larger cache shared across all its clients.
When you lower a TTL before a planned migration โ say from 86400 (24 h) to 60 โ you shrink the blast radius of an IP change. When the new IP is confirmed healthy you raise the TTL again to reduce resolver load. This dance is standard ops practice for zero-downtime migrations.
Setting TTLs is a tradeoff: short TTLs (60โ300 s) give you fast propagation for changes but increase load on authoritative servers. Long TTLs (3600โ86400 s) reduce resolver load but mean a bad record stays alive in caches for a long time. Most production teams settle on 300 s for dynamic records and 86400 s for static infrastructure that never changes.
DNS Record Types
A DNS zone file is a list of resource records, each associating a name with a value and a type. The type tells the resolver what the value means. The most important record types for system design are:
A record โ maps a hostname to an IPv4 address. The most fundamental record; every hostname you browse to ultimately resolves through one or more A records.
AAAA record โ same as A but for IPv6 addresses (2001:db8::1). Modern dual-stack clients prefer AAAA when available.
CNAME record โ an alias from one name to another. www.example.com CNAME example.com means resolvers look up example.com next. You cannot point a bare apex domain (example.com itself) at a CNAME โ only subdomains. Some providers offer proprietary ALIAS or ANAME records that behave like a CNAME at the apex.
MX record โ identifies the mail server(s) that accept email for the domain. Each MX record has a priority number; lower is preferred. Without correct MX records your domain cannot receive email.
NS record โ delegates a zone to a set of authoritative nameservers. Changing NS records is how you transfer DNS hosting between providers.
TXT record โ arbitrary text attached to a name. Used for SPF (email sender policy), DKIM keys, DMARC policy, domain ownership verification (Google Search Console, AWS Certificate Manager), and more.
| Record Type | Maps | Typical Use |
|---|---|---|
| A | Hostname โ IPv4 address | Point a domain/subdomain to a server |
| AAAA | Hostname โ IPv6 address | IPv6-capable endpoints, dual-stack |
| CNAME | Alias โ canonical hostname | www subdomain, CDN endpoints |
| MX | Domain โ mail server (+ priority) | Email delivery routing |
| NS | Zone โ authoritative nameserver | Delegate DNS hosting to a provider |
| TXT | Name โ arbitrary text | SPF, DKIM, DMARC, domain verification |
| SRV | Service โ host + port + priority | SIP, XMPP, Kubernetes service discovery |
| PTR | IP address โ hostname | Reverse DNS, spam filtering |
DNS in Load Balancing and CDNs
DNS is not just for name resolution โ it is also a powerful traffic-steering layer. Because the authoritative server can return different answers to different resolvers, you can implement sophisticated routing without changing anything on the client.
Round-robin DNS is the simplest form: an A record with multiple IP addresses. Each resolver receives the list in a different rotation, spreading requests across multiple servers. It is stateless, has no health-checking, and is easy to configure. Its major weakness is that a server can go down and DNS will keep sending traffic to it until the TTL expires.
GeoDNS extends this by inspecting the source IP of the resolver (or, with EDNS Client Subnet enabled, the approximate client IP). A query from Europe gets a European data-centre IP; a query from Asia gets an Asian one. This dramatically cuts latency because the client connects to the nearest PoP without any application-level knowledge of geography.
Weighted DNS lets you return IP A 90% of the time and IP B 10%, enabling canary deployments or blue-green traffic shifts at the DNS layer โ no load balancer reconfig needed.
Anycast takes a different approach: the same IP address is announced from multiple locations simultaneously by BGP. Routers naturally direct each packet to the topologically nearest site. Cloudflare and Google Public DNS operate entirely this way โ 1.1.1.1 is not one server; it is hundreds, all sharing the same IP.
| Technique | How it works | Health-aware? | Typical use |
|---|---|---|---|
| Round-robin DNS | Multiple IPs rotated in answer | No | Simple horizontal scaling |
| GeoDNS | Different IPs by resolver geography | Optional | Multi-region latency routing |
| Weighted DNS | IPs returned with probabilistic weights | Optional | Canary / blue-green deploys |
| Anycast | Same IP announced from many sites via BGP | Yes (BGP withdrawal) | Public DNS, DDoS mitigation, CDN PoPs |
| DNS + Health checks | Authoritative removes unhealthy IPs from answer | Yes | High-availability primary DNS |
Practical DNS at Scale: What Engineers Must Know
Propagation delay is not DNS propagation โ the term is misleading. DNS records do not push out to resolvers; resolvers pull them when their cache expires. What you wait for is cached TTLs to drain from every resolver in the world. Lowering your TTL 48 hours before a change is the only reliable way to control this window.
DNSSEC adds cryptographic signatures to DNS responses, so resolvers can verify that an answer was not tampered with in transit. It defends against cache poisoning attacks (the Kaminsky attack) but adds operational complexity. Major registries and resolvers now broadly support it.
DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt the DNS query itself, hiding it from network eavesdroppers and ISPs. Browsers like Chrome and Firefox can bypass the OS resolver entirely and query DoH endpoints directly.
Negative caching โ a NXDOMAIN (non-existent domain) response is also cached, with its own TTL from the SOA record's minimum field. This prevents storms of repeated lookups for typos or deleted records from flooding authoritative servers.
# Query a specific record type
dig A www.example.com @8.8.8.8
# Trace the full resolution chain manually
dig +trace www.example.com
# Check current TTL on a cached record (shows TTL countdown)
dig A www.example.com @1.1.1.1 | grep -E 'ANSWER|IN A'
# Reverse DNS lookup (PTR record)
dig -x 93.184.216.34
# Check MX records for email routing
dig MX example.com
# Verify SPF TXT record
dig TXT example.com | grep spfFrequently Asked Questions
Why does DNS propagation take up to 48 hours?
The 48-hour figure comes from the old convention of setting record TTLs to 86400 seconds (24 hours) or higher. When you change a record, every recursive resolver that has the old answer cached will keep serving it until its locally-stored TTL expires. There is no mechanism to push an invalidation to all resolvers simultaneously โ you can only wait for their caches to drain. If you lower your TTL to 300 s (5 minutes) at least 24 hours before making a change, the propagation window shrinks dramatically. After the change is stable, raise the TTL back to reduce load.
What is the difference between a recursive resolver and an authoritative nameserver?
A recursive resolver (like 8.8.8.8 or 1.1.1.1) is a general-purpose query engine. It accepts questions from clients, does not usually hold zone data, and assembles answers by querying the hierarchy on the client's behalf โ caching results along the way. An authoritative nameserver is the definitive source of truth for a specific domain zone. It holds the actual records (A, MX, etc.) and answers with authority for that zone only, without forwarding or caching. Most domains use a managed authoritative DNS service (Route 53, Cloudflare DNS, NS1) rather than self-hosting their authoritative NS.
Can DNS alone provide high availability?
DNS can contribute significantly to availability but is not sufficient on its own. DNS health-checking (as offered by Route 53, Cloudflare, or NS1) can detect a failed endpoint and remove its IP from answers within seconds โ but only after the TTL of the old answer expires in caches. Anycast helps because a BGP route withdrawal is faster than a TTL drain. In practice, production systems layer DNS-level failover with application-layer load balancers and health checks: DNS routes between data centres or regions, while a load balancer within each region handles individual server failures. DNS alone struggles with fast (<10 s) failover because of TTL propagation delays and because some clients (especially mobile devices and corporate proxies) ignore TTLs.
DNS is the silent first responder of every internet request: it runs before a single byte of your application is touched, and its caching, routing, and security properties determine whether your system is fast, resilient, or compromised. Treat your DNS configuration with the same care as your database schema.
โ alokknight Engineering
