
What is DNS and How Does It Work? A Simple Explanation

By Pipo | 2026-05-01 | Updated 2026-05-20 | 8 min read

DNS is the phone book of the internet

When you type "google.com" into your browser, your computer does not actually know where Google's servers are. It needs to find the IP address — something like 142.250.80.46 — associated with that domain name. This translation from human-readable names to machine-readable addresses is what DNS does.

DNS stands for Domain Name System, and it is one of the most fundamental technologies powering the internet. Without it, you would need to memorize IP addresses for every website you visit — and those addresses can change without warning.

DNS is also one of the least understood parts of the internet for regular users, despite affecting the speed, privacy, and reliability of every connection you make.

How a DNS lookup works (step by step)

When you visit a website, here is what happens in the background — typically in less than 100 milliseconds:

1. Browser cache check — Your browser checks if it recently looked up this domain and stored the answer. If yes, it uses the cached IP immediately.

2. Operating system cache — If the browser cache misses, your OS checks its own DNS cache (which persists across browser restarts).

3. Router cache — Your home router may have cached the answer from a previous request by any device on your network.

4. ISP's recursive resolver — If none of the caches have the answer, the request goes to your ISP's DNS server, which checks its own large cache. If it has the answer, it returns it. If not, it starts a recursive lookup:

5. Root nameserver — The resolver asks a root nameserver: "Who handles .com domains?" The root server points to the .com TLD servers.

6. TLD nameserver — The resolver asks the .com TLD server: "Who handles google.com?" It responds with the IP addresses of Google's authoritative nameservers.

7. Authoritative nameserver — The resolver asks Google's authoritative nameserver: "What is the IP address for google.com?" It returns 142.250.80.46 (or whichever IP Google is currently using).

The answer travels back through the chain. Each server caches it for a period of time defined by the TTL (Time To Live) value in the DNS record — this is why DNS changes can take hours to fully propagate.
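Steps 4 to 7 and the TTL behaviour, as an added example that is not part of the original article. The server names, the zone data and the 192.0.2.x addresses are constructed for illustration, and the clock is injected so the cache expiry can be shown without waiting.

```python
import copy

# Constructed delegation data (not real servers): each server either refers
# the resolver to a more specific server or holds the final answer with a TTL.
SERVERS = {
    "root":       {"referrals": {"com.": "tld-com"}},
    "tld-com":    {"referrals": {"example.com.": "ns-example"}},
    "ns-example": {"answers": {"www.example.com.": ("192.0.2.10", 300)}},
}

class RecursiveResolver:
    def __init__(self, servers, clock):
        self.servers = servers
        self.clock = clock      # injectable clock, so TTL expiry can be shown
        self.cache = {}         # name -> (ip, expiry time in seconds)
        self.sent = []          # servers actually queried, in order

    def resolve(self, name):
        hit = self.cache.get(name)
        if hit and hit[1] > self.clock():
            return hit[0]                        # step 4: answered from cache
        server = "root"                          # step 5: start at the root
        while True:
            self.sent.append(server)
            zone = self.servers[server]
            if name in zone.get("answers", {}):  # step 7: authoritative answer
                ip, ttl = zone["answers"][name]
                self.cache[name] = (ip, self.clock() + ttl)
                return ip
            # steps 5-6: follow the most specific referral on a label boundary
            refs = [z for z in zone.get("referrals", {}) if name.endswith("." + z)]
            if not refs:
                raise LookupError("NXDOMAIN: " + name)
            server = zone["referrals"][max(refs, key=len)]

def demo():
    servers, now = copy.deepcopy(SERVERS), [0]
    r = RecursiveResolver(servers, lambda: now[0])
    first = r.resolve("www.example.com.")        # full walk from the root
    servers["ns-example"]["answers"]["www.example.com."] = ("192.0.2.99", 300)
    now[0] = 120
    stale = r.resolve("www.example.com.")        # record changed, old IP cached
    now[0] = 301
    fresh = r.resolve("www.example.com.")        # TTL expired, new walk
    return first, stale, fresh, r.sent

if __name__ == "__main__":
    print(demo())
```

The second lookup returns the old address even though the authoritative record has already changed, which is the propagation delay described above.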

DNS record types: the four you actually need to know

DNS can store many types of records. For everyday understanding, these four matter most:

A Record — Maps a domain name to an IPv4 address. When you visit example.com, the A record tells your browser which server IP to connect to.

AAAA Record — Maps a domain to an IPv6 address. As IPv6 adoption grows, more sites have AAAA records alongside their A records.

MX Record — Specifies mail servers for the domain. When someone sends email to an address at example.com, their mail server looks up example.com's MX records to know where to deliver it.

CNAME Record — An alias that points one domain to another. For example, www.example.com might be a CNAME pointing to example.com, so you only need to update the A record in one place.

TXT Record — Stores arbitrary text data. Widely used for email authentication (SPF, DKIM, DMARC) and domain ownership verification by services like Google Search Console.

NS Record — Specifies which nameservers are authoritative for a domain. These tell the rest of the internet where to go for definitive DNS information about your domain.

You can check all of these records for any domain using our DNS lookup tool.

Why DNS matters for your privacy

This is the part most people do not realize: your ISP can see every website you visit through your DNS queries, even when the website uses HTTPS.

Here is why: HTTPS encrypts the content of your web requests, but the DNS lookup that happens before the connection — the step where your browser asks "what is the IP of this domain?" — is sent in plain text by default. Your ISP's DNS server receives that query and knows exactly which domain you are accessing.
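What "sent in plain text" means on the wire, as an added example that is not part of the original article: a classic DNS query is encoded, then the domain and record type are read straight back out of the raw bytes, which is all an on-path device has to do. The function names and the transaction ID are chosen for illustration.

```python
import struct

# Record type codes from the DNS specification for the types named on this page.
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15, "TXT": 16, "AAAA": 28}
TYPE_NAMES = {code: name for name, code in QTYPES.items()}

def build_query(name, qtype="A", txid=0x1234):
    """Encode a single-question DNS query as it is sent over UDP port 53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag, 1 question
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("label must be 1-63 bytes: %r" % label)
        qname += bytes([len(raw)]) + raw       # length byte, then readable text
    return header + qname + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)

def observe(payload):
    """Recover (name, type) from a raw payload, as any on-path device can."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] != 1:
        raise ValueError("not a single-question DNS message")
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            raise ValueError("truncated question")
        n = payload[pos]
        pos += 1
        if n == 0:                             # zero-length label ends the name
            break
        if n > 63 or pos + n > len(payload):
            raise ValueError("bad label length")
        labels.append(payload[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(payload):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels), TYPE_NAMES.get(qtype, str(qtype))

if __name__ == "__main__":
    wire = build_query("example.com", "MX")
    print(wire.hex(), observe(wire))
```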

In many countries, ISPs are legally permitted to log and sell this data. Even where they cannot sell it, it can be subpoenaed or accessed by government agencies.

What you can do:

Switch to a privacy-respecting DNS resolver — Cloudflare's 1.1.1.1 is fast and has a strong no-logs policy. Google's 8.8.8.8 is similarly fast but logs some data. Both are better than your ISP's default resolver.

Enable DNS over HTTPS (DoH) — This encrypts your DNS queries inside HTTPS, preventing your ISP from reading them. Firefox has had this enabled by default for US users since 2020. In Chrome, go to Settings → Privacy and security → Use secure DNS. In Windows 11, it is available in Network & Internet → DNS server assignment.

Use a VPN — A VPN routes all your traffic including DNS through the VPN provider's servers. Good VPN providers use their own encrypted DNS resolvers, so your ISP sees only encrypted VPN traffic.

Changing your DNS resolver takes about two minutes and has a meaningful impact on your privacy. It is one of the easiest improvements most people can make.

How to flush your DNS cache

Sometimes DNS caches cause problems — a website has moved to a new server but your computer is still sending you to the old one. Flushing (clearing) your DNS cache forces a fresh lookup.

Windows: Open Command Prompt as administrator and run: ipconfig /flushdns

macOS (Ventura and later): Open Terminal and run: sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

macOS (older versions): sudo killall -HUP mDNSResponder

Linux (systemd-resolved): sudo resolvectl flush-caches (on older releases: sudo systemd-resolve --flush-caches)

Chrome browser (clears Chrome's own DNS cache, not the OS): Type chrome://net-internals/#dns in the address bar, then click "Clear host cache."

After flushing, the next visit to any website triggers a fresh DNS lookup. This fixes most "site not loading after moving to new hosting" problems.

What happens when DNS goes wrong

DNS is so fundamental that when it breaks, large parts of the internet appear to go down — even though the actual websites are running fine.

Some notable real-world DNS failures:

Fastly outage (2021) — A single misconfiguration at Fastly, a CDN and DNS provider, took down major websites including the NY Times, Reddit, Amazon, and Twitch for nearly an hour. The sites themselves were unaffected — only their DNS resolution failed.

Dyn DDoS attack (2016) — A massive DDoS attack against DNS provider Dyn disrupted access to Twitter, Spotify, GitHub, PayPal, Netflix, and dozens of other services across the US and Europe for most of a day.

These outages illustrate that DNS is infrastructure — invisible when it works, catastrophic when it fails.

For individuals, the most common DNS failures are:

• NXDOMAIN errors — "DNS_PROBE_FINISHED_NXDOMAIN" — the domain does not exist, or your DNS resolver cannot find it. Usually solved by flushing your cache or switching to a public resolver.
• DNS propagation delays — After changing DNS records, it can take 24–48 hours for the change to propagate globally due to TTL caching at every resolver in the chain.
• DNS hijacking — Some ISPs redirect failed DNS queries to their own ad-laden search pages. Using DoH or a trusted resolver bypasses this.
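One way to check whether your current resolver rewrites failed lookups, as an added example that is not part of the original article. It assumes that random 24-character names under .com are unregistered and should therefore fail; the function names are chosen for illustration, and the lookup is injectable so the logic can be exercised without a network.

```python
import secrets
import socket

def probe_names(count=3, tld="com"):
    """Random names assumed to be unregistered, so each lookup should fail.
    The trailing dot stops the OS from appending local search domains."""
    return ["%s.%s." % (secrets.token_hex(12), tld) for _ in range(count)]

def system_lookup(name):
    """Addresses the OS resolver returns for name; empty set on failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()    # NXDOMAIN (or no network): nothing resolved

def check_nxdomain_rewriting(lookup=system_lookup, names=None):
    names = names or probe_names()
    probes = {n: lookup(n) for n in names}
    answered = [addrs for addrs in probes.values() if addrs]
    # A single hit could be a real registration. Every probe resolving, and to
    # a shared address, is the signature of a resolver substituting answers.
    shared = set.intersection(*answered) if answered else set()
    return {
        "rewriting_suspected": len(answered) == len(names) and bool(shared),
        "landing_addresses": sorted(shared),
        "probes": probes,
    }

if __name__ == "__main__":
    print(check_nxdomain_rewriting())
```

Run it once on the default resolver and once after switching to a trusted resolver or DoH to compare the results.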

You can verify what DNS records are currently live for any domain using our DNS lookup tool — useful for diagnosing propagation delays. To look up who owns a domain, use our WHOIS lookup tool — or read our guide on what WHOIS is and how to use it.

How to change your DNS server for faster, more private browsing

Changing your DNS server is one of the most impactful and simplest improvements you can make to your internet experience. It takes about two minutes and requires no technical expertise.

Which DNS server to choose:

• 1.1.1.1 (Cloudflare) — Fastest in most benchmarks. Strong privacy policy with independent audits. No query logging.
• 8.8.8.8 (Google) — Fast and reliable. Google does log some anonymized query data.
• 9.9.9.9 (Quad9) — Security-focused. Blocks known malware and phishing domains.
• 208.67.222.222 (OpenDNS) — Family-friendly filtering options available.

How to change DNS on Windows: Settings → Network & Internet → your connection → Edit DNS → Manual → enter your preferred DNS IP.

How to change DNS on Mac: System Settings → Network → your connection → Details → DNS → add your preferred DNS IP.

How to change DNS on Android: Settings → Network & internet → Private DNS → enter dns.cloudflare.com (for Cloudflare DoH).

How to change DNS on iPhone: Use a configuration profile from your DNS provider, or change it inside a VPN app that supports custom DNS.

The fastest option is usually changing it on your router, which applies to all devices on your network at once. Log in to your router's admin panel (usually 192.168.1.1 or 192.168.0.1), find DNS settings, and replace the default with your preferred resolver.


Pipo

Independent developer and the person behind myipco.com. Writes about networking, privacy, and how the internet works — in plain English. Built these tools because most IP lookup sites bury the useful information in ads.