How does DNS work? A big picture


  • DNS Requests
  • DNS Zone file records
  • DNS Security
  • Useful commands / tools

DNS Main architecture

Figure 1: DNS in a nutshell
Figure 2: The 13 root servers

Root Servers

Root ‘servers’ are owned by different companies:

  • Verisign (x2)
  • Cogent
  • US Army Research Lab

The root servers are supervised by ICANN.
Useful information regarding these root ‘servers’ can be found here:

TLDs?

TLDs are owned by companies / governments / universities.

  • “.fr” belongs to “Association Française pour le Nommage Internet en Coopération” (A.F.N.I.C.)
  • “.apple” belongs to the company Apple

Different types of TLDs:

  • gTLD — Generic Top-Level Domain (.com, .net, .org, …)
  • sTLD — Sponsored Top-Level Domain (.edu, .gov, .museum, …)
  • ccTLD — Country Code Top-Level Domain (.fr, .de, .cd, …)
  • Infrastructure Top-Level Domain (only .arpa)

Lots of useful information regarding TLDs can be found here:

Figure 3: DNS Architecture

DNS Requests

Figure 4: DNS request steps

DNS public zone records

  • AAAA = IPv6 address
  • NS = identifies the authoritative DNS servers for a zone (whenever it changes, the registrar has to update the parent TLD registry)
  • MX = specifies a mail server for the zone
  • CNAME (canonical name) = specifies an alias for another name (cannot be used at the zone root/apex though)
  • ALIAS record (virtual DNS record type) is akin to CNAME except it accepts the root (so use it when you can)
  • PTR (pointer) = a reverse DNS record, resolving an IP to a fully qualified hostname. How to use PTR? “dig -x [IP]” → it will return one of the authoritative name servers
  • SPF = related to email, to avoid being classified as spam
  • SOA (Start of Authority): stores information about DNS zones and zone records: TTL, Expiry, Retry, Refresh, Last update time.
    Used for domain transfers.

DNS security


DNSSEC does not provide confidentiality of data, only authentication (“the information comes from the right place and has not been modified”).

DNS confidentiality

3 options:

  • Use a VPN
  • DoT — DNS over TLS (2016): TCP port 853. A firewall may block this traffic 😭
  • DoH — DNS over HTTPS (2018): hard to block as it uses TCP port 443

“As both DoT and DoH are relatively new, they are not universally deployed yet. On the server side, major public resolvers including Cloudflare’s and Google DNS support it.”

Useful commands / tools

How to check the DNS local cache on a computer?
→ On Windows: “ipconfig /displaydns”
→ On Linux: depends on the version and system used (systemd?)

How to create my own DNS server?
→ use BIND (Berkeley Internet Name Domain)
It’s freely available under the BSD License.
BIND DNS servers are believed to provide about 80 percent of all DNS services.
It supports primary and secondary NS roles (aka master and slave) as well as caching.
On Ubuntu: “sudo apt-get install -y bind9”

Alternatives to BIND: “PowerDNS”, “dnsmasq” (used by PiHole), “djbdns”
Once installed, the domain name administrator has to manage the different zones.

Important DNS related files on Ubuntu
/etc/hosts = contains default hosts (such as the localhost entry). It has the highest priority.

/etc/resolv.conf = contains a list of recursive DNS resolvers (such as Google, Cloudflare, ISP servers) which will be used by the kernel to make DNS queries.

Using DIG
Installing dig on Ubuntu: “sudo apt-get install dnsutils”

dig will use the default resolver (/etc/resolv.conf).
However, it is possible to explicitly tell dig to use another one by adding “@[IP]” to any command.

dig [domain] = returns the A record
dig +short = shortens the output
dig +noall +answer = gives more details
dig ANY = returns all records
dig +trace = lists each server consulted along the resolution path
dig -x [IP] = searches the PTR record (reverse lookup)
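The wire format behind these dig commands, as an added example (Python, not code from the original post): it builds the query that “dig -x [IP]” sends, i.e. the reverse name under the .arpa infrastructure TLD, and decodes the reply header flags (the AD bit marks DNSSEC-validated data) that a resolver checks before trusting an answer. The reply bytes and the names used are constructed for the example.

```python
"""Added example: the wire format behind `dig` (RFC 1035 / RFC 3596 type codes)."""
import ipaddress
import struct

# Record types named on the page and their numeric codes.
QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28}

def reverse_name(ip: str) -> str:
    """Name looked up by `dig -x`: 4.3.2.1.in-addr.arpa or <reversed nibbles>.ip6.arpa."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")  # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa"

def encode_name(name: str) -> bytes:
    """DNS name as length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name: str, qtype: str, txid: int = 0x1234, recursive: bool = True) -> bytes:
    """12-byte header + one question, as a stub resolver sends it to UDP/53.
    RD=1 asks the resolver to recurse; `dig +trace` sends RD=0 (iterative queries)."""
    flags = 0x0100 if recursive else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # 1 question, no other RRs
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)  # class IN

def parse_header(msg: bytes) -> dict:
    """Decode the header flags a resolver inspects; AD = DNSSEC-validated data."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    bit = lambda n: (flags >> n) & 1
    return {"id": txid, "qr": bit(15), "aa": bit(10), "tc": bit(9), "rd": bit(8),
            "ra": bit(7), "ad": bit(5), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def response_matches(query: bytes, response: bytes) -> bool:
    """Minimal checks before trusting a reply: same transaction ID, QR bit set and the
    question section echoed unchanged. A reply failing any of these is discarded."""
    q, r = parse_header(query), parse_header(response)
    return q["id"] == r["id"] and r["qr"] == 1 and response[12:len(query)] == query[12:]

# Constructed reply to build_query("4.3.2.1.in-addr.arpa", "PTR"): flags 0x81a0 = QR, RD, RA
# and AD set, rcode 0; one answer RR (name pointer 0xc00c, PTR, IN, TTL 3600, rdata below).
SAMPLE_REPLY = (b"\x12\x34\x81\xa0\x00\x01\x00\x01\x00\x00\x00\x00"
                + build_query("4.3.2.1.in-addr.arpa", "PTR")[12:]
                + b"\xc0\x0c\x00\x0c\x00\x01\x00\x00\x0e\x10\x00\x12" + encode_name("host.example.com"))
```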


Iterative vs recursive DNS
DNS anatomy
Dig command for DNSSEC
BIND definition



This is my personal blog where I post (in my spare time) computer science “cheatsheets”. I mainly do it for myself but it may benefit others.
