What is DNS and how does it work?


The Domain Name System (DNS) is the index of the Internet. When you browse to domain names like facebook.com or twitter.com, your device uses DNS to find the IP addresses it needs to load these resources.

It’s a simple idea, but one that has a huge effect on many areas of your internet life. In this article, we’ll talk more about how DNS works and how important it is to your internet speed, privacy, security, and more.


How does DNS work?

Connect to the Internet and your ISP will normally assign you at least two DNS servers (there is a spare if the primary server fails). Every time you enter a new domain in your browser, your device sends a query to the primary DNS server, which translates it into the IP address you need.

While it sounds simple from your perspective, your ISP’s DNS server (technically, a DNS recursor) has to work with several other servers for this to happen.

The recursor first sends a query to a DNS root server. This examines the domain extension (.com, .net, .org, etc.) and returns the address of a Top Level Domain (TLD) name server that manages that type of domain.

Your ISP’s recursor then sends your request to the TLD name server, which returns the authoritative name server for that domain.

Finally, the recursor sends your request to the authoritative name server, the one that holds the actual record for that website.

This final DNS server returns the domain’s IP address to the recursor, which returns it to your device. Finally, your browser can connect to it and start accessing the site.

DNS caching

DNS queries are surprisingly fast, even with so much going on under the hood. Smart optimization and minimal bandwidth usage means that a fast server near you can return an IP address in less than 10 milliseconds.

However, other DNS servers can take over 100 milliseconds, and that’s when DNS speed starts to make a noticeable difference, especially since a single website can load resources from many domains.

If you go to bigsite.com, for example, it might load images from one server, scripts from another, ads from multiple vendors, social media buttons for various platforms, and who knows what else. Every new domain requires another DNS query before you can access that resource … and they all add up.

[Image: Graphic showing a DNS query converting a domain to an IP address. Image credit: Surfshark]

Applications and devices reduce the impact of DNS queries by storing IP addresses in a cache and reusing them for future connections.

On PCs, for example, the results of DNS queries are stored by the browser and the operating system. You can wait a full second for DNS queries on your first visit to bigsite.com, but visit another page on the site and your device uses the stored IP addresses for an almost instant response.

DNS caches are normally lost when an app quits or your device restarts, so any DNS query delay will be back in your next session, but only for the first visit to a site. Caching is still a neat scheme that makes websites feel faster and more responsive.

What is DNS filtering?

DNS servers are extremely powerful because they have full control over which websites you can access. If a server doesn’t want you to access a domain, it can filter that request: return an error rather than an IP address, and you won’t be able to browse the site.

DNS filtering is often a great idea. It can block malicious or phishing websites, or restrict access to adult sites and other content unsuitable for children (as part of a parental control setup, say).

Other uses for DNS filtering range from irritating to very scary. Your school’s Wi-Fi can block access to social media or streaming websites, for example, leaving you to hunt for ways to unblock YouTube and other sites. And at the more disturbing end of the scale, repressive governments can use DNS and other network tricks to keep their populations away from information they prefer to hide – it’s no wonder guides to using WhatsApp in China are so sought after.

There are also privacy and security concerns. If whoever manages the DNS server knows who you are (your ISP, say), they could log all the sites you visit to create a browsing history. A malicious hotspot operator can even detect users visiting a banking site, then redirect them to a bogus site and steal their details.
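As an added example (not from the article), here is a toy Python model of the lookup chain, the TTL cache and the filtering behaviour described in the three passages above: the server names, addresses and TTLs are constructed, and only registered domains are modelled, not subdomains.

```python
import time

# Constructed zone data (not real servers): each layer answers only for what it
# is responsible for, which is why a cold lookup needs three upstream queries.
ROOT = {"com": "tld-com.example", "org": "tld-org.example"}      # extension -> TLD server
TLD = {"tld-com.example": {"bigsite.com": "ns1.bigsite.com"},     # domain -> authoritative server
       "tld-org.example": {"example.org": "ns1.example.org"}}
AUTH = {"ns1.bigsite.com": {"bigsite.com": ("192.0.2.10", 60)},   # domain -> (IP, TTL seconds)
        "ns1.example.org": {"example.org": ("198.51.100.5", 60)}}


class Recursor:
    """Toy ISP-style recursor: iterative lookup, TTL cache, optional filtering."""

    def __init__(self, blocklist=(), clock=time.monotonic):
        self.blocklist = {d.lower() for d in blocklist}
        self.clock = clock          # injectable so TTL expiry can be simulated
        self.cache = {}             # domain -> (ip, expiry time)
        self.queries = 0            # upstream queries sent; shows what caching saves
        self.last_status = None     # "OK", "CACHED", "BLOCKED" or "NXDOMAIN"

    def resolve(self, domain):
        domain = domain.lower().rstrip(".")   # only registered domains are modelled
        if domain in self.blocklist:
            self.last_status = "BLOCKED"      # filtering: an error instead of an address
            return None
        hit = self.cache.get(domain)
        if hit and hit[1] > self.clock():
            self.last_status = "CACHED"       # answered locally, no upstream traffic
            return hit[0]
        self.queries += 1                      # query 1: root server -> which TLD server?
        tld_server = ROOT.get(domain.rsplit(".", 1)[-1])
        auth_server = None
        if tld_server:
            self.queries += 1                  # query 2: TLD server -> authoritative server
            auth_server = TLD[tld_server].get(domain)
        record = None
        if auth_server:
            self.queries += 1                  # query 3: authoritative server -> the record
            record = AUTH[auth_server].get(domain)
        if record is None:
            self.last_status = "NXDOMAIN"
            return None
        ip, ttl = record
        self.cache[domain] = (ip, self.clock() + ttl)   # reuse until the TTL expires
        self.last_status = "OK"
        return ip
```

A cold lookup costs three upstream queries, a repeat lookup within the TTL costs none, and a blocklisted name gets an error with no upstream traffic at all.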

Fortunately, there is a way to fight back. Connect to a VPN and your DNS requests are sent through an encrypted tunnel to the VPN server and processed there. Because the local network can no longer see your DNS requests, it cannot block them, and you are free to browse normally.

[Image: A Mac application window showing a blocked website warning. Image credit: NordVPN]

Best DNS Servers

Changing DNS servers is not restricted to countries where you go to jail for registering thegovernmentsucks.com. Changing DNS provider can bring real benefits to everyone.

Some servers are optimized for speed. As of this writing, for example, benchmarking site DNSPerf lists 10 public DNS resolvers with average query times ranging from 14ms to almost 140ms. If your server is at the bottom of this list, upgrading to something better could make a real difference.

As we mentioned, other DNS servers can filter content to block ads, trackers, or malicious, phishing or family-unfriendly sites, depending on your needs. This can be a really effective approach because it automatically protects all your apps, with no need to install any other software.

Changing DNS is not a good idea for everyone. Some parental control, antivirus and internet security apps already replace your DNS servers with their own, and switching away means you’ll lose at least some of their protection.

If you’re interested, however, some of the fastest DNS servers on the market are available for free. Check out our best DNS server guide to learn more.
