DNS: The Internet’s Phonebook (And Why Your ISP is Spying on You)

Imagine if every time you wanted to call a friend, you had to memorize a random 12-digit string like 142.250.190.46. You’d probably give up on technology entirely.
In the early days of ARPANET, researchers actually had to manually copy a file called HOSTS.TXT (the ancestor of your computer's hosts file) to keep track of names and IPs. But as the network grew, this became impossible.
Enter DNS (Domain Name System)—the system that makes the internet human-friendly. Let’s break down how it works, from the people who run it to the hackers who try to break it.
🏛️ The Hierarchy: Who Owns the Internet?
It’s not just one big computer. There’s a chain of command:
IANA (Internet Assigned Numbers Authority): The "Grandparents" of the internet. They manage the global pool of IP addresses and the DNS Root Zone.
RIRs (Regional Internet Registries): IANA divided the world into 5 regions (like APNIC for Asia, ARIN for North America). They hand out IP ranges to ISPs.
Registrars: These are companies like GoDaddy or Namecheap where you and I actually buy our domains.
🧩 Anatomy of a Domain Name
When you type blog.google.com, the internet reads it right to left:
TLD (Top-Level Domain): The .com part.
Generic (gTLD): .com, .net, .org, .edu.
Country Code (ccTLD): .in (India), .uk (UK), .ae (UAE).
Second-Level Domain (SLD): The google part. This is the unique name you purchase.
Subdomain: The blog part. You can create as many of these as you want for free once you own the SLD!
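An added example (not code from the original post) that splits a hostname into the three parts described above, reading right to left as the text says. The gTLD and ccTLD lists are the post's own; the handling of registry suffixes such as co.uk (where the registry sells names under a fixed second label) is an assumption added here, as are the trailing-dot and case normalisation:

```python
# Added example, not from the post: split a hostname into TLD / SLD / subdomain.
from dataclasses import dataclass

GENERIC_TLDS = {"com", "net", "org", "edu"}          # from the post
COUNTRY_TLDS = {"in": "India", "uk": "UK", "ae": "UAE"}  # from the post
# Assumption (not on the page): some ccTLDs register names under a fixed
# second label, so the "TLD" a buyer sees is really two labels long.
REGISTRY_SUFFIXES = {"co.uk", "org.uk", "co.in"}


@dataclass
class DomainParts:
    tld: str          # public suffix, e.g. "com" or "co.uk"
    tld_kind: str     # "gTLD", "ccTLD (…)" or "unknown"
    sld: str          # the label you actually buy
    subdomain: str    # everything to the left of the SLD ("" if none)
    registrable: str  # sld + "." + tld


def parse_domain(name: str) -> DomainParts:
    # Normalise: DNS names are case-insensitive and may carry a trailing dot.
    labels = name.strip().lower().rstrip(".").split(".")
    if len(labels) < 2 or any(not label for label in labels):
        raise ValueError(f"not a registrable name: {name!r}")

    # Walk right to left: the suffix is one label unless it is a known two-label registry.
    suffix_len = 1
    if len(labels) >= 3 and ".".join(labels[-2:]) in REGISTRY_SUFFIXES:
        suffix_len = 2
    tld = ".".join(labels[-suffix_len:])

    top = labels[-1]
    if top in GENERIC_TLDS:
        kind = "gTLD"
    elif top in COUNTRY_TLDS:
        kind = f"ccTLD ({COUNTRY_TLDS[top]})"
    else:
        kind = "unknown"

    sld = labels[-suffix_len - 1]
    subdomain = ".".join(labels[: -suffix_len - 1])
    return DomainParts(tld, kind, sld, subdomain, f"{sld}.{tld}")


if __name__ == "__main__":
    for host in ("blog.google.com", "www.example.co.uk", "Google.COM."):
        print(host, "->", parse_domain(host))
```

The registrable name (SLD plus suffix) is the unit that matters for ownership checks and cookie scoping, which is why the parser returns it separately from the free-to-create subdomain part.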

How DNS Works (The "Journey of a Request")
When you hit Enter, your computer doesn't know where to go. It starts a "scavenger hunt":
Browser Cache: Chrome/Firefox keeps a tiny list of recent sites.
OS Cache: If the browser doesn't know, it asks Windows/Linux. (Check your C:\Windows\System32\drivers\etc\hosts file—this is where you can manually override any IP!)
Router/Firewall: Your home router often keeps its own cache.
The Resolver (Recursive Server): Usually your ISP. This is the server that does the "walking" for you.
The Root Servers: There are 13 logical root server addresses (operated by 12 different organizations). They don't know the IP, but they know who manages the .com TLD.
TLD Server: Tells the resolver: "I don't have the IP, but here is the Authoritative Name Server for Google."
Authoritative Server: This is the final boss. It holds the actual records and gives back the IP address.
Note: This whole process happens in milliseconds. Once found, the result is cached for as long as the record's TTL (time to live) allows. This is why when you update a record, it can take up to 24 hours (Propagation) for the whole world to see the change: every cache between you and the authoritative server keeps serving the old answer until its copy expires.
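An added example (not part of the post) that models the walk above as code: a root server that only knows who runs each TLD, a TLD server that only knows who is authoritative for each SLD, and an authoritative server that holds the A record. The resolver follows the referrals and caches the answer by TTL, which is what makes a freshly changed record keep showing its old value until the cache expires. The server names and the 300-second TTL are constructed; the address for blog.google.com is the one the post uses:

```python
# Added example, not from the post: a toy recursive resolver walking root -> TLD -> authoritative.
import time


class Server:
    """One name server that knows only its own slice of the namespace."""

    def __init__(self, name, referrals=None, records=None):
        self.name = name
        self.referrals = referrals or {}   # zone it delegates -> Server that handles it
        self.records = records or {}       # fqdn -> (ip, ttl_seconds)

    def query(self, fqdn):
        if fqdn in self.records:
            ip, ttl = self.records[fqdn]
            return "answer", ip, ttl
        # Hand back the most specific delegation we hold for this name.
        for zone in sorted(self.referrals, key=len, reverse=True):
            if fqdn == zone or fqdn.endswith("." + zone):
                return "referral", self.referrals[zone], None
        return "nxdomain", None, None


class Resolver:
    """The recursive resolver: walks the chain and caches each answer until its TTL runs out."""

    def __init__(self, root, clock=time.time):
        self.root = root
        self.clock = clock
        self.cache = {}    # fqdn -> (ip, expires_at)
        self.trace = []    # servers consulted by the last resolve()

    def resolve(self, fqdn):
        fqdn = fqdn.lower().rstrip(".")
        self.trace = []
        cached = self.cache.get(fqdn)
        if cached and cached[1] > self.clock():
            self.trace.append("cache")
            return cached[0]
        server = self.root
        for _ in range(8):   # bound the walk so a referral loop cannot spin forever
            self.trace.append(server.name)
            kind, value, ttl = server.query(fqdn)
            if kind == "answer":
                self.cache[fqdn] = (value, self.clock() + ttl)
                return value
            if kind == "referral":
                server = value
                continue
            return None      # NXDOMAIN: nobody on the chain knows this name
        raise RuntimeError("referral chain too long")


class FakeClock:
    """Controllable clock so TTL expiry can be demonstrated without waiting."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now


def build_demo(clock):
    """Constructed three-level chain for blog.google.com (IP from the post, TTL made up)."""
    auth = Server("authoritative server", records={"blog.google.com": ("142.250.190.46", 300)})
    tld = Server("com TLD server", referrals={"google.com": auth})
    root = Server("root server", referrals={"com": tld})
    return Resolver(root, clock), auth


if __name__ == "__main__":
    clock = FakeClock()
    resolver, auth = build_demo(clock)
    print(resolver.resolve("blog.google.com"), resolver.trace)      # full walk
    auth.records["blog.google.com"] = ("203.0.113.9", 300)           # admin updates the record
    print(resolver.resolve("blog.google.com"), resolver.trace)      # stale answer from cache
    clock.now += 301
    print(resolver.resolve("blog.google.com"), resolver.trace)      # TTL expired: new IP
```

The bounded loop is the one defensive detail worth copying: a resolver that follows referrals without a limit can be kept busy forever by two servers that point at each other.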
The "Record" Collection
To make a website work, you need to set these records in your DNS dashboard:
A Record: Maps a domain to an IPv4 address (e.g., 192.168.1.1).
AAAA Record: Maps a domain to an IPv6 address (e.g., 2606:4700...).
CNAME (Canonical Name): Maps a domain to another domain (Alias). Perfect for store.mysite.com pointing to shops.shopify.com.
MX (Mail Exchange): Directs emails to the right server (Google Workspace, Outlook). Includes a Priority number (lower is higher priority).
TXT Record: Plain text used for "Proof of Ownership" (Google/Facebook verification) and security (SPF/DKIM to stop email spoofing).
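An added example (not the post's code) of a tiny in-memory zone holding the five record types just listed, with a lookup that applies their rules: a CNAME is an alias, so the question is re-asked for the target (with a bound so an alias loop cannot hang the lookup); MX answers come back lowest priority number first; and the SPF policy is read out of the TXT records. All names, addresses and tokens below are constructed sample data, using the store.mysite.com / shops.shopify.com alias from the post:

```python
# Added example, not from the post: record semantics for A/AAAA/CNAME/MX/TXT.
from collections import defaultdict

ZONE = defaultdict(list)   # name -> list of (type, value)


def add(name, rtype, value):
    ZONE[name.lower().rstrip(".")].append((rtype, value))


# Constructed sample zone (documentation IP ranges, made-up mail hosts and token).
add("mysite.com", "A", "192.0.2.10")
add("mysite.com", "AAAA", "2001:db8::10")
add("store.mysite.com", "CNAME", "shops.shopify.com")
add("shops.shopify.com", "A", "192.0.2.77")             # in reality served by another zone
add("mysite.com", "MX", (20, "mx2.mailhost.example"))   # deliberately added out of order
add("mysite.com", "MX", (10, "mx1.mailhost.example"))
add("mysite.com", "TXT", "google-site-verification=CONSTRUCTED_TOKEN")
add("mysite.com", "TXT", "v=spf1 include:_spf.mailhost.example -all")


def lookup(name, rtype, max_aliases=8):
    """Answers for (name, rtype). A CNAME is an alias, so the question is re-asked
    for its target; the aliases followed are returned alongside the answers."""
    name = name.lower().rstrip(".")
    chain = []
    for _ in range(max_aliases):
        rrs = ZONE.get(name, [])
        wanted = [v for t, v in rrs if t == rtype]
        if wanted:
            if rtype == "MX":
                wanted.sort(key=lambda pv: pv[0])   # lower number = higher priority
            return chain, wanted
        aliases = [v for t, v in rrs if t == "CNAME"]
        if not aliases or rtype == "CNAME":
            return chain, []
        chain.append((name, aliases[0]))
        name = aliases[0].lower().rstrip(".")
    raise RuntimeError("CNAME chain too long (alias loop?)")


def spf_policy(name):
    """The SPF policy published in TXT, or None when absent or ambiguous
    (more than one v=spf1 record is a permanent error under RFC 7208)."""
    _, txts = lookup(name, "TXT")
    spf = [t for t in txts if t.split(" ", 1)[0] == "v=spf1"]
    if len(spf) != 1:
        return None
    terms = spf[0].split()[1:]
    includes = [t.split(":", 1)[1] for t in terms if t.startswith("include:")]
    final = next((t for t in terms if t.endswith("all")), "?all")   # no 'all' term = neutral
    return {"includes": includes, "all": final}


if __name__ == "__main__":
    print(lookup("store.mysite.com", "A"))   # follows the CNAME to shops.shopify.com
    print(lookup("mysite.com", "MX"))        # priority 10 before 20
    print(spf_policy("mysite.com"))
```

Note that an MX query for store.mysite.com returns nothing: the alias is followed, but shops.shopify.com publishes no MX, which is the usual reason mail to a CNAME'd hostname goes nowhere.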
Why You Should Change Your DNS Resolver
By default, you use your ISP’s DNS. This is usually a bad idea because:
Privacy: Your ISP logs every site you visit. Even if the site is HTTPS, they see the DNS request.
Censorship: ISPs can "sinkhole" domains, making it look like a site is down when it's actually just blocked.
Speed: Top-tier resolvers use Anycast technology to route you to the physically closest server.
The Top Players:
Cloudflare (1.1.1.1): Fastest and most private; also offers a family-filtering DNS option.
Google (8.8.8.8): Reliable and fast.
AdGuard: Blocks ads at the DNS level.
Quad9 (9.9.9.9): Focused on security; blocks malicious domains.
NextDNS: Highly customizable (block TikTok, trackers, or porn for your whole house).
The Hacker’s Perspective: DNS Poisoning
Hackers love DNS because it's built on trust. In a DNS Spoofing/Poisoning attack, a hacker intercepts your request and gives you a fake IP. You think you are at mybank.com, but you are actually on a hacker's server.
Even though you see the "Green Lock" (SSL) on most sites, the initial DNS request is sent in Plain Text. This is where DoH and DoT come in.
A. DoH (DNS over HTTPS) - Port 443
Hides your DNS inside regular web traffic, so to your ISP and nosy admins it looks like any other HTTPS connection.
B. DoT (DNS over TLS) - Port 853
Creates a dedicated encrypted tunnel for DNS. It's cleaner for security, but because it uses its own port it is easier for some admins to spot and block.
Pro-Tip: The SysAdmin's Toolbox
Want to see what's happening behind the scenes? Open your terminal and try these:
nslookup google.com: See which IP your computer is getting.
nslookup.io: Shows the records fetched from different DNS resolvers.
dig google.com (Linux/Mac): Get the full technical breakdown.
mxtoolbox.com: A goldmine for checking if your MX or TXT records are set correctly.
Final Thoughts
DNS is the "Invisible Glue" of the internet. By switching to a secure resolver and enabling encryption (DoH/DoT), you aren't just making your internet faster—you're taking your privacy back from your ISP.

