DNS servers locate web sites when you are browsing the Internet. They are the most trusted component of your web browsing experience, but few people understand how they work or how their security vulnerabilities can cause you problems. This article provides the information you need to understand what DNS servers do before you Find the Best DNS Server or Change DNS Server.

There are three sections in this guide.

  1. How we find resources on the Internet: URLs, IP addresses and Domain Names.
  2. DNS Servers resolve Domain Names
  3. Issues with DNS servers

This article was removed from How to Change DNS Server to make that guide more direct. I have deliberately omitted such topics as internal DNS servers, zones and delegation. If you want to find out more or get another viewpoint, there are many overviews of DNS that you can also refer to. Here are a few for you:

Internet Name Systems

The Internet uses names to identify and locate resources.

A name indicates what we seek.
An address indicates where it is.
A route indicates how to get there.

There are two main Internet name systems:

  • The numeric IP Address system.
    The Internet Protocol (IP) is the original standard for communications on the Internet.
    IP addresses identify each device on the Internet. They can be used on other networks so some ranges of IP addresses are reserved for purposes such as private networks and testing.
  • The alphanumeric Domain Name System (DNS).
    DNS was developed so that devices with IP addresses could have easy-to-remember names. The most common meaning of domain name is a label for a device with an IP address.
When you are browsing the Internet and you enter a Uniform Resource Locator (URL) you will usually be using one of these two name systems, as shown in the example below.

  URL component         URL with domain name   URL with IP address
  URL Scheme            http                   http
  URL Separator         :                      :
  Redundant Separator   //                     //
    (omit it and your browser will add it)
  Host Name

The URL also usually identifies the mechanism used to retrieve the named resource. That is why the URL scheme is often called a protocol, even though it is not one: it usually corresponds to the protocol used. For example, the URL scheme "http" is commonly, but not always, accessed using the HyperText Transfer Protocol (HTTP).

The Domain Name System (DNS)

DNS is often said to be similar to a phone directory. When you know the domain name you can find the IP address. Try it for yourself and do a DNS lookup of some domain names to find their IP addresses at

The domain name  is equivalent to the IP address

DNS is a hierarchy or tree with numerous branches and levels. DNS name servers work their way through that tree to locate each domain name. It is similar to looking up a phone number in a directory. You would find the correct directory or section of a directory (e.g. white pages, yellow pages, government departments), find the correct organization name or last name of the person, find the correct department or first name, and finally select the appropriate phone number (e.g. home phone, mobile phone, fax).

Using the domain name again, it is broken down from right to left to locate it in the DNS tree. Note that the periods (".") are separators:

  . (root domain)                     It has no name and is empty.
  |
  +-- aero  biz  cat  com ... travel  xxx
                       |              com is a top level domain, a subdomain of the root domain.
                       +-- ... techsupportalert ...
                                     |              techsupportalert is a 2nd level domain, a subdomain of com.
                                     +-- ... www ...
                                                    www is an alias of the FQDN; these terms are discussed below.

Fully Qualified Domain Names
A domain name that can be resolved to one specific place in the DNS tree is called a Fully Qualified Domain Name (FQDN). In other words, there is only one specific interpretation of that DNS name. Note that one FQDN does not have to map to one IP address: each FQDN can have many IP addresses. is a good example of an FQDN which is supported by many servers around the world. Of course one server can have many IP addresses, so many FQDNs may have the same IP address.

DNS Record Types
An FQDN is the primary record type for resolving DNS queries. In IPv4 the host record is denoted by "A" and in IPv6 by "AAAA". You will notice these if you edit any host configuration file that has a list of websites for DNS name resolution, such as NameBench's hostname_reference.cfg.

Other DNS record types extend the functions of a DNS server. Again, you can use DNS Lookup at to check these out:

  • "CNAME" (canonical name) records record aliases and point towards the real name, e.g. look up to see that it is an alias for the canonical name
  • "LOC" records indicate the geographic location (latitude and longitude) of the DNS server, e.g. use the IP location lookup for to find the location of its web hosting service.
  • "MX" (mail transfer) records indicate the mail server(s) accepting messages on that DNS server, e.g. look up to find that there is one mail server (the 0 indicates the preference and is irrelevant with only one mail server).
  • "NS" (name server) records indicate the authoritative domain name servers, e.g. look up to find the authoritative name servers and
  • "PTR" (pointer) records are simply data, mainly used to record host names for reverse DNS lookups, e.g. look up the PTR record for to find the host server

DNS Servers

DNS servers are more correctly called DNS name servers, as they are any computer registered to join the Domain Name System. As DNS is a highly decentralized hierarchy, there are currently 242 root level servers that must be used to access any authoritative name servers for the top level domains. The last statistics I saw said that there were nearly 20 million DNS servers for over 220 million domain names.

There are two main types of DNS server:

Authoritative name servers are the ultimate repository or host for any registered domain name. Authoritative name servers are by definition non-recursive (they do not need to query any other servers) for the domain names registered with them.

Resolving name servers find the IP address for a domain name. In more technical terms, they find a solution to a DNS query. Most resolving name servers use two methods to resolve names:

  • Recursive name servers use a repeating (iterative) procedure to work through the DNS tree to find the authoritative name server for the requested domain name. There is an example of this at the end of this section.

  • Caching name servers resolve the IP address from their cached database of domain names. This cache is more efficient because the DNS server does not have to find the authoritative name server every time. Each domain name has a specified lifetime, the time-to-live (TTL). When that lifetime expires the caching server must get the domain details from the authoritative name server again. TTLs are usually seconds or hours, sometimes days, and occasionally weeks.

There are two further categories of DNS server that you should know about:

We distinguish Public or Open resolving DNS Servers which anyone can use from private resolving DNS servers which are restricted to specific users. Some public servers are limited geographically, for example, to users in the United States. This can be done because blocks of IP addresses are allocated to different regions.

IPv6 DNS servers are relatively uncommon but will increasingly replace IPv4 DNS servers. At the moment we are at the start of a transition that will take many years. IPv6 will eventually replace IPv4 because it provides many more addresses, which is why IPv6 addresses are much longer, e.g. 1003:8bd0:3a85:0000:0000:e2a8:0730:4337, which reduces to 1003:8bd0:3a85:0:0:e2a8:730:4337 by removing leading zeroes.

DNS on your PC

Your PC needs to know how to find its DNS server, and so it has its own DNS resolver with a DNS name cache.

  • Your System DNS Server (aka local DNS server, configured DNS server) is the DNS server that your system is currently configured to use. Typically there are at least two, as you don't want to lose Internet access when your primary DNS server is not available.
  • The operating system will have a DNS resolver with its own DNS name cache. For example, Microsoft Windows TCP/IP has a DNS name cache that reads in the Hosts file and caches DNS query results.
  • Your web browser will also have a DNS resolver with its own DNS name cache.
  • A Hosts file is a text file that contains a list of DNS names with the corresponding IP address. The names can be FQDN but may also include aliases such as abbreviated shortcuts. Hosts files can also be used to block dangerous sites by redirecting to a non-existent or harmless IP address.
  • Where your PC has the router as its configured DNS server (it will appear as a local IP address, e.g. ), the router will in turn be configured to use your system DNS server. The router will usually forward the query to that DNS server.

An example of DNS resolution

Finally, we can look at how a system finds the domain name This example assumes that any DNS caching is empty and that any new result will then be cached. It also assumes that the authoritative servers are found from one query. Even so, with the new results cached there are still nine DNS queries and responses. In practice this is far from the worst case. That is why it is very important to get a DNS server with a large cache, to maximize the likelihood of finding the domain name there.

  1. Your system DNS resolver sends a recursive query to hand over the search to the system DNS server. The query asks to locate the "A" record for

Your system DNS server now starts its iterative queries. First, it gets the addresses of a root level DNS server from a list that it is configured with.

  2. Your system DNS server sends a query to a root level server asking for the DNS server for the top level domain (TLD) com.
  3. The root level server returns the address of the TLD server for com.
  4. Your system DNS server sends a query to the com TLD server asking for the DNS server for
  5. The TLD server for com returns the address for the authoritative DNS server NS1.TASTYTEK.COM.
  6. Your system DNS server sends a query to NS1.TASTYTEK.COM for
  7. The DNS server NS1.TASTYTEK.COM finds the CNAME alias for and returns the CNAME record.

Your system DNS server now starts a new DNS query to get the "A" record for the canonical name (CNAME alias). The original query could have specified a CNAME record, in which case that would be returned. The results of the previous queries are now cached, so not all of the steps are repeated.

  8. Your system DNS server sends a query to NS1.TASTYTEK.COM for the FQDN
  9. The DNS server NS1.TASTYTEK.COM finds the "A" record for and returns it.
  10. Your system DNS server sends the "A" record for to your system DNS resolver.

The browser can now connect to the web server.
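A toy model of that walk, added here as an illustration and not taken from the article or from any real resolver: three constructed name servers hold the delegations and records from the diagram, and a resolver class performs steps 2 to 9, caches every result by its TTL (the behaviour described under Resolving name servers above), and issues the fresh query for the canonical name after a CNAME. Names are written in absolute form with a trailing dot; the server names and the address 192.0.2.10 are made up, and the resolver takes a clock function so that TTL expiry can be driven explicitly.

```python
# Constructed data (not real servers; 192.0.2.10 is a documentation address): server -> {(name, type): (ttl, value)}.
SERVERS = {
    "root": {("com.", "NS"): (172800, "tld.example.")},
    "tld.example.": {("techsupportalert.com.", "NS"): (172800, "NS1.TASTYTEK.COM.")},
    "NS1.TASTYTEK.COM.": {
        ("www.techsupportalert.com.", "CNAME"): (3600, "techsupportalert.com."),
        ("techsupportalert.com.", "A"): (300, "192.0.2.10"),
        ("loop.techsupportalert.com.", "CNAME"): (60, "loop.techsupportalert.com."),
    },
}

def server_reply(server, name, rtype):
    """One name server's reply: the record, an alias (step 7), a referral (steps 3 and 5), or nothing."""
    data = SERVERS[server]
    for rt in (rtype, "CNAME"):
        if (name, rt) in data:
            return ("answer" if rt == rtype else "cname"), name, data[(name, rt)]
    labels = name.split(".")
    for i in range(len(labels)):                 # longest enclosing zone first
        zone = ".".join(labels[i:])
        if (zone, "NS") in data:
            return "referral", zone, data[(zone, "NS")]
    return "nxdomain", name, None

class Resolver:
    """The system DNS server: walks the tree, caches by TTL, re-queries on a CNAME."""
    def __init__(self, clock):                   # clock: callable returning seconds, e.g. time.time
        self.cache, self.clock, self.queries = {}, clock, 0
    def _get(self, name, rtype):                 # expired cache entries count as misses
        hit = self.cache.get((name, rtype))
        return hit[1] if hit and hit[0] > self.clock() else None
    def _start_server(self, name):               # deepest cached delegation, else a root server (step 2)
        labels = name.split(".")
        cached = (self._get(".".join(labels[i:]), "NS") for i in range(len(labels)))
        return next((ns for ns in cached if ns), "root")
    def resolve(self, name, rtype="A", hops=0):
        if hops > 8:                             # a CNAME that refers to itself would loop forever
            return None
        if self._get(name, rtype):
            return self._get(name, rtype)
        if self._get(name, "CNAME"):             # cached alias: chase it without a query
            return self.resolve(self._get(name, "CNAME"), rtype, hops + 1)
        server = self._start_server(name)
        while True:
            self.queries += 1
            kind, key, rec = server_reply(server, name, rtype)
            if kind == "nxdomain":
                return None
            cache_type = {"answer": rtype, "cname": "CNAME", "referral": "NS"}[kind]
            self.cache[(key, cache_type)] = (self.clock() + rec[0], rec[1])
            if kind == "answer":
                return rec[1]
            if kind == "cname":                  # step 8: a fresh query for the canonical name
                return self.resolve(rec[1], rtype, hops + 1)
            server = rec[1]                      # referral: ask the next server down the tree
```

With an empty cache the first lookup costs four server queries; a repeat is answered entirely from cache, and once the 300-second A record expires only that one record is fetched again because the delegations are still cached.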

General issues

Global DNS server networks

There are advantages to using a global provider such as Google or OpenDNS.

  • Speed: They have larger databases which mean each DNS name is more likely to be cached.
  • Reliability: They are less likely to be damaged by a local disaster because they have many different servers located in many different datacentres around the world.
  • Safety: They are more likely to provide filtering or other protection.

Content Distribution Networks (CDN)

CDNs place network resources near to the people who need to use them. So a European organization with many customers in Australia can use a third-party CDN in Australia to improve the customer experience there. They are owned or used by many large websites including Google and Microsoft. These servers may even be colocated in ISP datacenters further improving response times.

There is one problem with them. DNS servers normally return the CDN server which is closest to them rather than the closest server to the user. At the moment, this means that some DNS servers should not be used in some countries. In New Zealand many ISPs operate large caches to minimize international traffic. If I use OpenDNS I have problems when its servers in the United States return a US CDN when my ISP returns the webpage from a closer CDN. My web browser is left hanging while it waits for a web page from the United States that never arrives because the cached page came from a closer server.

Public DNS servers can become more private

When you use a public DNS server from an organization that you do not have a contract with, the DNS service could be cut off at any time. For example, in New Zealand the ISP TelstraClear recently announced that, after upgrading their DNS network, access to its DNS servers will be limited to its customers. There are good reasons to do this, if only to improve DNS security.

Secondary DNS servers are often slower

Most primary DNS servers have secondary servers to provide redundancy in case the main server fails. Many secondary servers are not as fast as the primary DNS server because their primary purpose is not performance but backup, load-balancing, or supporting a remote location.

Some DNS service providers provide DNS services for other organizations. Often such services are slightly slower. An example of this is Comodo Secure DNS which is provided by UltraDNS.

DNS vulnerabilities and threats

DNS servers are a central part of the Internet. Your system assumes that the address provided by a DNS server is always correct. That is why DNS servers are an attractive target for malicious enterprise. Any breach of security on your DNS servers can leave your system exposed. So it is worth checking that your DNS servers are reputable and secure.

In general, public or open resolving DNS servers are more vulnerable to these problems because they don't verify the identity of their users. They don't know whether the system asking the question can be trusted. So the simplest vulnerability is that anyone can set up a DNS server with malicious intent to exploit the DNS.

Impersonating a domain name or IP address

IP address spoofing is the forging of IP addresses to mask the originating IP address and to allow the impersonating of the forged address. DNS spoofing or cache poisoning occurs when a DNS name server has stored data in its cache database that did not originate from the authoritative DNS server for that domain name. This "poisoned" data will then be used to respond to DNS queries with the spoofed IP address.

You can run a DNS Spoof Test to see whether any DNS server is vulnerable.

Masquerading as an internal address on your network

DNS rebinding attacks try to fool your system into thinking that non-local addresses are part of your local network, thereby avoiding the security checks for external addresses. The ranges of IP addresses reserved for local networks include 10.x.x.x, 127.x.x.x, 172.16.x.x, and 192.168.x.x.
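The usual defence is a filter in the resolver or proxy that refuses answers in which a public name maps into one of those local ranges. The check below is an added example, not code from the article or from any product: the ranges are the ones listed above, widened to their standard blocks (for example 172.16.0.0/12), with link-local, the unspecified block and the IPv6 loopback, unique-local and link-local ranges added; the trusted suffixes ".lan" and ".internal" are assumed names for an organization's own internal zones.

```python
import ipaddress

# Local ranges: the article's four blocks at their standard widths, plus link-local,
# the unspecified block and the IPv6 loopback, unique-local and link-local ranges.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]

def is_local(address):
    """True if the address lies in a local range; IPv4-mapped IPv6 answers are unwrapped first."""
    ip = ipaddress.ip_address(address)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                  # "::ffff:10.0.0.5" is really 10.0.0.5
    return any(ip in net for net in LOCAL_RANGES)

def filter_answers(qname, addresses, trusted_suffixes=(".lan", ".internal")):
    """Split a resolver's answers into (accepted, rejected): a name outside the trusted
    suffixes that resolves to a local address is the rebinding pattern and is dropped."""
    internal = qname.lower().rstrip(".").endswith(tuple(trusted_suffixes))
    accepted, rejected = [], []
    for addr in addresses:
        (rejected if is_local(addr) and not internal else accepted).append(addr)
    return accepted, rejected

def scan_answers(answers):
    """Report every (name, address) pair the filter would block; 'answers' is a list of
    (qname, [addresses]) as a resolver or proxy log would show them (constructed input)."""
    return [(q, a) for q, addrs in answers for a in filter_answers(q, addrs)[1]]
```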

Redirecting when a domain name does not exist

DNS hijacking or redirection occurs when a query for a non-existent domain name is redirected to a different IP address. When a domain name does not exist the NXDOMAIN response should be given. When it is not provided there can be minor or major breakdowns on your system or network particularly if you run a virtual private network (VPN). It can also provide an opening for malicious purposes because your system thinks that the faked IP address is what it was looking for. You can then be redirected to a dangerous site but more commonly you will simply see an advertising page.

You should generally avoid redirecting/hijacking DNS servers but you may decide you want to use a DNS server that has a benign purpose for redirection:

  • correcting typos e.g. the typo "" can be changed to ""
  • filtering and blocking e.g. as OpenDNS does

Exploiting the lack of DNSSEC authentication

DNS did not originally have security features so the Domain Name System Security Extensions (DNSSEC) were introduced to authenticate DNS data using public-key cryptography to protect from forgeries. Many DNS servers do not have these extensions enabled so they are more vulnerable to cache poisoning and denial of service attacks (where many systems are used to send a lot of difficult DNS queries to swamp the DNS server).

Denial-of-service (DoS) attacks

Denial-of-service attacks seek to overwhelm a DNS server with too many requests or too time-consuming requests:

  • Flooding the DNS server with many simple requests, e.g. a ping flood, or masquerading as the DNS server so all replies flood the DNS server, e.g. a reflected attack.
  • A lower level or intermittent form of flooding leads to reduced performance without crashing the DNS server, i.e. a degradation attack.
  • Crashing the DNS server by creating deliberate errors such as a malformed request, e.g. the ping of death, or substituting (by spoofing or cache poisoning) a CNAME record that refers to itself.

Two types of attack are aimed at your system, the client. The attackers try to:

  • spoof (masquerade as) the DNS server and respond to your query with a flood of responses; or
  • spoof (masquerade as) your system, sending many requests to one or more DNS servers so that they respond and flood your system.
Related Products and Links

Using DNS servers for security

Products mentioned here

SANS library on DNS Issues has more detailed descriptions of issues with DNS security. These whitepapers are in PDF format.

  • Security Issues with DNS (2003) is relatively short and easy to understand.
  • Current Issues in DNS (2008) is a longer report discussing a wider range of vulnerabilities, with statistics on DNS server vulnerability.



This software category is maintained by volunteer editor Remah.

Change Log

July 2011

New article extracted from How to Change DNS Server


