>
Back to Articles

DNS: The Internet's Phone Book Is More Like a Global Distributed Database

Scott MorrisonNovember 15, 2025 0 views
DNS domain name system DNSSEC DNS over HTTPS DNS over TLS EDNS0 DNS security DNS privacy internet protocols protocol history
From Paul Mockapetris's 1983 design to modern extensions like DoH and DNSSEC, DNS has evolved from a simple name lookup protocol to critical Internet infrastructure. This deep dive explores how DNS really works, the business ecosystem of registries and registrars, security and privacy extensions, and why the 2016 Dyn attack demonstrated that when DNS breaks, the Internet breaks.

Every time you type a URL into your browser, send an email, or launch an app, there's a good chance DNS is working behind the scenes. It's one of those technologies that's so fundamental to the Internet's operation that when it breaks, entire chunks of the Internet become unreachable. Yet DNS is often misunderstood, and its evolution from a simple lookup system to a complex, security-enhanced, privacy-aware distributed database is a fascinating story of engineering adaptation.

Let's explore how DNS actually works, who runs it, how it's evolved to address modern security and privacy concerns, and why a DDoS attack on a single company once took down a significant portion of the Internet.

The Problem DNS Solved

In the early ARPANET days of the 1970s, there were so few hosts that everyone used a single file, HOSTS.TXT, maintained by the Stanford Research Institute (SRI). Network administrators would periodically download this file via FTP to get the latest mappings of hostnames to IP addresses. You can still find a hosts file on your computer today, though it's now used mainly for local overrides.

This system worked fine when there were dozens or even hundreds of hosts, but it was clearly unsustainable. The file was growing rapidly, updates were slow to propagate, and name collisions were becoming problematic. The Internet needed a scalable, distributed solution.

Enter Paul Mockapetris, who in 1983 published RFC 882 and 883, introducing the Domain Name System. The brilliance of DNS was its hierarchical structure, no single entity needed to know about all the names in the system. Instead, authority would be distributed, with each level responsible for its own piece of the namespace.

By 1987, the protocol was refined and updated in RFC 1034 and 1035, which remain the core DNS specifications to this day.

The DNS Hierarchy: A Tree of Delegation

DNS is organized as an inverted tree, with the root at the top. When you request "www.example.com", DNS reads it from right to left, treating each dot as a level in the hierarchy:

The Root: Represented by a trailing dot (usually omitted), the root is the top of the DNS tree. There are 13 root server addresses (though through anycast, these represent hundreds of actual servers worldwide), named A through M. These servers don't know about every domain they just know who to ask about each top-level domain.

Top-Level Domains (TLDs): These are the rightmost labels .com, .org, .uk, .io, and hundreds more. The root servers respond with the nameservers responsible for each TLD.

Second-Level Domains: Your "example" in "example.com". These are registered through registrars and managed by registries (more on the business side shortly).

Subdomains: Everything to the left, "www", "mail", "api", etc. The owner of the second-level domain can create and manage these freely.

This delegation model is DNS's superpower. The root servers don't need to know about your blog subdomain. The .com servers don't need to know either. Only your authoritative nameservers need that information, and they're updated instantly when you make changes.

The Players: Clients, Resolvers, and Nameservers

A DNS query involves several distinct roles:

The Client (Stub Resolver): This is your application, your web browser, email client, or any program that needs to resolve names. It makes recursive queries to a resolver, expecting complete answers.

The Recursive Resolver: This is the workhorse of DNS, often provided by your ISP or a public service like Google Public DNS (8.8.8.8) or Cloudflare (1.1.1.1). When you query "www.example.com", the recursive resolver:

  1. Checks its cache. If it has a recent answer, it returns it immediately.
  2. If not cached, queries a root server: "Who handles .com?"
  3. Queries the .com nameserver: "Who handles example.com?"
  4. Queries example.com's nameserver: "What's the IP for www.example.com?"
  5. Returns the answer to you and caches it for future queries.

This process can involve a dozen or more queries behind the scenes, but from your perspective, you made one query and got one answer.

Authoritative Nameservers: These are the servers that hold the actual DNS records for a domain. When you register a domain and set up DNS records, you're configuring authoritative nameservers. They answer with authority, this is the definitive answer for this domain.

The distinction is crucial: recursive resolvers ask questions on behalf of clients; authoritative nameservers answer questions about domains they manage.

The Business Ecosystem: Registries, Registrars, and Resellers

DNS has an interesting business structure that often confuses people:

ICANN (Internet Corporation for Assigned Names and Numbers): The non-profit organization that coordinates the global DNS, IP address allocation, and other Internet protocols. Think of ICANN as the governing body that sets the rules.

Registries: These operate TLDs. VeriSign operates .com and .net. Public Interest Registry operates .org. Each country has its own registry for its ccTLD (.uk, .de, .jp, etc.). The registry maintains the master database of all domains under their TLD and operates the TLD's authoritative nameservers.

Registrars: These are the companies you actually interact with to register a domain, AWS Route 53, GoDaddy, Namecheap, Cloudflare, etc. Registrars must be accredited by ICANN and have agreements with registries. They handle customer interfaces, billing, and DNS management tools, then submit registration data to the appropriate registry.

Resellers: Many smaller hosting companies are resellers, they don't have direct registry relationships but work through larger registrars, adding their own markup and interface.

When you register "mysite.com" through a registrar:

  1. The registrar checks with the .com registry (VeriSign) if the name is available
  2. You pay the registrar (typically $10-15/year for .com)
  3. The registrar pays the registry (around $8/year for .com)
  4. The registry updates the .com zone file with your nameserver records
  5. Your domain is now resolvable worldwide

This tiered system allows for competition at the registrar level while maintaining centralized control of the TLD zone files at the registry level.

The DNS Protocol: UDP, TCP, and the 512-Byte Limitation

DNS was designed for efficiency. The original protocol used UDP on port 53, chosen because:

  • UDP has lower overhead than TCP (no connection establishment)
  • DNS queries are typically small and fit in a single packet
  • If a packet is lost, the client can simply retry

But UDP had a practical limitation: the safe maximum size for a DNS message was 512 bytes. This was chosen as a conservative value that should work across diverse networks without fragmentation. For most queries, 512 bytes was plenty. A typical query might be 50 bytes, and a simple response with a few A records fits comfortably.

However, 512 bytes became problematic as DNS evolved:

  • DNSSEC signatures can be several hundred bytes each
  • Some domains have many nameservers or IP addresses
  • Modern security features add overhead

When a response exceeds 512 bytes, the original DNS specification said to set a "truncation" bit (TC=1) in the response, signaling the client to retry the query over TCP. TCP on port 53 doesn't have the size limitation, but it requires a full three-way handshake, adding latency and server load.

This "UDP with TCP fallback" model worked but was inefficient. Enter EDNS0.

EDNS0: Extending DNS for the Modern Era

RFC 2671 (1999), updated by RFC 6891 (2013), introduced the Extension Mechanisms for DNS, version 0, known as EDNS0. Despite being version 0, it's the only version defined, and it's now nearly universal.

EDNS0 added a pseudo-resource record (OPT) that allows:

Larger UDP Messages: Clients can advertise they support UDP messages larger than 512 bytes, typically 4096 bytes, though some support up to the maximum UDP datagram size of 65,535 bytes. This dramatically reduces the need for TCP fallback.

Extended Return Codes: The original DNS header had only 4 bits for return codes (16 possibilities). EDNS0 adds 8 more bits, enabling new error conditions.

Flags: Additional signaling capability, used for features like DNSSEC OK (DO bit) indicating the client wants DNSSEC validation data.

Options: A TLV (Type-Length-Value) structure for adding new features without changing the core protocol. This is where things get really interesting.

EDNS0 Client Subnet: Geolocation for DNS

One EDNS0 option with significant implications is Client Subnet (ECS), defined in RFC 7871. Here's the problem it solves:

When you query your recursive resolver for www.example.com, the authoritative nameserver only sees the resolver's IP address, not yours. If example.com uses a CDN and wants to return the IP of a geographically nearby server, it can only geolocate based on the resolver.

This works poorly when:

  • Users are far from their resolver (using a public DNS service in another country)
  • A single resolver serves a large geographic area
  • Precise geolocation is needed for content licensing or performance

ECS allows the recursive resolver to include a truncated version of the client's IP address in the query (like 192.0.2.0/24 instead of the full address). The authoritative nameserver can use this for better geolocation.

But ECS is controversial. Privacy advocates argue it leaks user location information. The truncated address provides some privacy (the exact IP isn't sent), but it's still more information than would otherwise leave the user's ISP. Some privacy-focused DNS services (like Cloudflare's 1.1.1.1) specifically refuse to send ECS.

Content providers and CDNs love ECS for improved performance and compliance with geographic restrictions. Privacy advocates hate it for the same reasons. It's a perfect example of the tension between performance and privacy in DNS.

DNSSEC: Signing the Phone Book

DNS was designed in a more trusting era. There's no authentication in the base protocol; anyone who can intercept or spoof DNS responses can redirect traffic, creating perfect conditions for phishing and man-in-the-middle attacks.

DNSSEC, introduced in RFCs 4033-4035 (2005), adds cryptographic signatures to DNS records. Here's how it works:

Zone Signing: Each DNS zone is signed with a private key. For every DNS record (A, AAAA, MX, etc.), a corresponding RRSIG (resource record signature) is published, containing a cryptographic signature of that record.

Chain of Trust: The key insight is that DNSSEC builds a chain of trust from the root down. The .com zone's public key is signed by the root zone. Your domain's public key is signed by .com. Your actual DNS records are signed by your domain key.

DNSKEY and DS Records: Each zone publishes a DNSKEY record containing its public key. The parent zone publishes a DS (Delegation Signer) record, which is a hash of the child's public key. This links the chain.

Validation: When a DNSSEC-aware resolver receives a response, it:

  1. Verifies the RRSIG signature matches the data
  2. Retrieves the DNSKEY and verifies it chains up to a trusted root key
  3. If everything validates, the resolver knows the response is authentic and unmodified

NSEC/NSEC3: Proving something doesn't exist is tricky in cryptography. DNSSEC uses NSEC records that essentially say "there's nothing between example.com and zebra.example.com." NSEC3 does the same but with hashed names to prevent zone enumeration.

Sounds great, right? Why isn't DNSSEC universal?

Complexity: Deploying DNSSEC requires careful key management, regular re-signing, and proper interaction between parent and child zones. Many DNS providers didn't support it initially.

Brittleness: DNSSEC validation failures cause hard failures, the domain becomes unreachable. Clock skew, expired signatures, or configuration errors can break resolution entirely.

Key Rollovers: Cryptographic keys should be rotated periodically, but coordinating this between parent and child zones is operationally complex.

Resolver Support: While most major DNS services now validate DNSSEC, many ISP resolvers still don't.

Despite these challenges, DNSSEC adoption is growing, especially in government, financial, and high-security environments. Major TLDs like .com and .org are signed, and the root zone has been signed since 2010.

DNS Privacy: DoH and DoT

DNSSEC provides authenticity but not privacy, anyone on the network path can still see your DNS queries. For decades, this was considered acceptable. After all, you're about to connect to the resolved IP address anyway, potentially revealing your intent.

But DNS queries leak significant information:

  • They happen before encrypted connections (HTTPS) are established
  • They reveal browsing patterns and interests
  • ISPs and network operators can log, analyze, and potentially sell this data
  • Governments can use DNS monitoring for surveillance or censorship

Two standards emerged to encrypt DNS queries:

DNS over TLS (DoT)

RFC 7858 (2016) defined DNS over TLS, which is straightforward: establish a TLS connection to a DNS resolver on port 853, then send standard DNS queries over that encrypted channel.

DoT has clean separation, it uses its own port, so network operators can easily distinguish DNS traffic (even if they can't read it). This makes it easy to monitor, support in enterprise networks, and, controversially, easy to block.

DNS over HTTPS (DoH)

RFC 8484 (2018) defined DNS over HTTPS, which encapsulates DNS queries in HTTPS requests to a resolver's web server (typically port 443).

DoH has significant advantages:

  • Uses standard HTTPS port, so it looks like web traffic
  • Harder to block without blocking all HTTPS
  • Can leverage existing HTTP infrastructure (CDNs, load balancers)
  • Can be implemented in applications without OS support

But DoH is more controversial:

Network Management: IT administrators can't easily identify or policy-control DoH traffic. Some enterprises want to intercept or log DNS for security.

Application Bypass: Browsers implementing DoH can bypass the system DNS resolver, potentially circumventing parental controls, enterprise policies, or malware filtering.

Centralization Concerns: If major browsers hardcode a default DoH provider (as Firefox did with Cloudflare in the US), it shifts DNS resolution from many diverse ISP resolvers to a few large providers.

The Great DoH Debate

The Internet community remains divided on DoH. Privacy advocates love it. Finally, true DNS privacy. Network operators and some security professionals worry it reduces visibility and control.

Both DoT and DoH achieve the same goal (encrypted DNS), but their different trade-offs reflect deeper philosophical questions about the balance between privacy, security, and network management.

Dynamic DNS: When IP Addresses Won't Stay Put

Most DNS records are relatively static, but what if you're running a server at home on a residential ISP connection that changes your IP address periodically? Enter Dynamic DNS (DDNS).

DDNS services like Dyn (before it was acquired), No-IP, and DuckDNS provide:

  1. A hostname (yourname.ddns.net)
  2. Client software that runs on your network and detects IP changes
  3. When your IP changes, the client updates the DNS record via an API
  4. Anyone resolving your hostname gets your current IP

This enabled countless home labs, security cameras, game servers, and IoT devices to be accessible remotely despite changing IPs.

The original DNS UPDATE mechanism (RFC 2136, 1997) defined a standard way to dynamically update DNS records, typically authenticated with TSIG (transaction signatures). Modern DDNS services often use simpler HTTPS APIs, but the concept remains the same: authorized clients can update their own DNS records.

The Dyn DDoS Attack: When DNS Breaks, the Internet Breaks

On October 21, 2016, a massive distributed denial-of-service (DDoS) attack targeted Dyn, a major DNS provider (now owned by Oracle). The attack peaked at over 1 Tbps and took down DNS services for major sites including Twitter, Netflix, Reddit, GitHub, Spotify, and many others.

The attack was notable for several reasons:

Mirai Botnet: The attack came from the Mirai botnet, comprised of hundreds of thousands of compromised IoT devices, security cameras, DVRs, routers with default or weak passwords. Mirai was particularly effective because these devices had huge network pipes (for streaming video) and were often never secured.

DNS as a Single Point of Failure: Many affected companies had resilient infrastructure, multiple data centers, CDN distribution, robust architectures. But they all used Dyn for DNS, creating a single point of failure. When DNS failed, users couldn't resolve their domains, rendering even perfectly healthy servers unreachable.

Amplification: The attackers used DNS amplification sending queries with spoofed source addresses, causing large responses to flood victims. DNS is particularly effective for amplification because a small query can generate a large response (especially with DNSSEC).

Duration and Sophistication: The attack came in three waves throughout the day, suggesting coordination and persistence. Different attack vectors and source IPs were used as defenses adapted.

The Dyn attack taught several lessons:

  1. Diversity Matters: Using multiple DNS providers from different companies reduces single points of failure. Many companies now use secondary DNS from different providers.
  2. IoT Security Is Critical: The Mirai botnet demonstrated that insecure IoT devices pose systemic risk to the Internet. This accelerated efforts to secure IoT and mandate better default security.
  3. DNS Providers Are Critical Infrastructure: The attack highlighted DNS providers' importance to Internet stability, spurring investments in DDoS mitigation.
  4. Anycast and Distribution: The attack was partially mitigated by Dyn's use of anycast, which distributed load across multiple locations. Without this, the impact would have been worse.

Cache Poisoning and Kaminsky's Attack

In 2008, Dan Kaminsky discovered a severe DNS cache poisoning vulnerability that affected virtually all DNS servers. While cache poisoning was a known theoretical attack, Kaminsky found a practical way to exploit it at scale.

Here's how cache poisoning works:

  1. An attacker queries a recursive resolver for a non-existent subdomain (like random123.example.com)
  2. While the resolver is waiting for a response, the attacker floods it with forged responses containing malicious data, not just for the queried name but for other records in the domain (like www.example.com)
  3. If a forged response arrives before the legitimate one and passes basic validation, it gets cached
  4. Future users querying the poisoned resolver get the malicious IP

The defense involved randomizing the source port of DNS queries (providing 16 bits of entropy) and using additional query randomization. This made it much harder to guess which forged packet would be accepted. The fix required coordinated patching of DNS servers worldwide and was one of the largest coordinated security updates in Internet history.

DNSSEC completely solves cache poisoning by cryptographically authenticating responses, making forgery impossible. This attack was a major motivation for DNSSEC adoption, though deployment remains incomplete.

The Root Servers: 13 Names, Hundreds of Instances

The DNS root zone is served by 13 root server addresses, designated A through M (a.root-servers.net through m.root-servers.net). This might sound like a vulnerability. What if one is attacked or fails?

The reality is more resilient than it appears:

Anycast: Each root server address is anycasted across multiple physical locations. For example, F-Root (operated by ISC) has instances in 167 cities worldwide. When you query 192.5.5.241 (F-Root), you're routed to the nearest instance.

Multiple Operators: The 13 root servers are operated by different organizations, VeriSign, ISC, NASA, the University of Maryland, the US military, and others. This diversity reduces single points of failure.

Local Root Instances: Many ISPs and countries now host local instances of root servers (typically anycast nodes), dramatically reducing the distance queries must travel and improving resilience to international network failures.

High Redundancy: You only need one root server to respond successfully. All 13 would need to fail simultaneously to break root resolution, and even then, cached data would provide some resilience.

The distributed, anycasted nature of root servers has proven remarkably resilient. Even large-scale attacks have failed to disrupt root DNS service significantly.

DNS in the Modern Internet

DNS continues to evolve to meet new challenges:

DPRIVE Working Group: The IETF's DNS PRIVate Exchange working group continues developing privacy-preserving DNS technologies.

Oblivious DoH (ODoH): RFC 9230 (2022) defines a protocol where DNS queries are encrypted such that the resolver can't see the client IP, and a proxy that can see the client IP can't see the query. This provides better privacy than standard DoH.

QUIC-Based DNS (DoQ): RFC 9250 (2022) defines DNS over QUIC, combining the benefits of encrypted transport with QUIC's improved performance characteristics.

Split-Horizon DNS: Many organizations use different DNS responses for internal vs. external clients, providing internal IP addresses to employees and public IPs to external users.

DNS-Based Service Discovery: Protocols like mDNS (multicast DNS) and DNS-SD enable zero-configuration networking, used by technologies like Bonjour and Avahi.

The Future: DNS as Critical Infrastructure

DNS has evolved from a simple name lookup protocol to critical Internet infrastructure handling billions of queries per second. It's been extended to support security (DNSSEC), privacy (DoH/DoT), performance optimization (EDNS), and operational needs (DDNS, AXFR/IXFR zone transfers).

Yet DNS remains fundamentally the same protocol Paul Mockapetris designed in 1983, a testament to good engineering. The hierarchical, distributed design has scaled from thousands to billions of domains without fundamental architectural changes.

The challenges ahead are less technical than political and economic:

  • Balancing privacy with network management needs
  • Managing the tension between encryption and visibility
  • Preventing centralization of DNS resolution in a few large providers
  • Securing IoT devices to prevent botnet attacks
  • Coordinating global DNSSEC deployment

DNS is often called the Internet's phone book, but that undersells it. It's more like a global, distributed database system with complex delegation, caching, security, and privacy mechanisms, all designed to be fast enough that you never notice it working. When you type a URL and a page loads instantly, you're witnessing decades of careful engineering making the complex look simple.

And occasionally, when DNS breaks or is attacked, we're reminded just how much of the Internet depends on this elegant system working perfectly, billions of times per day.