What Is a DNS Server? How DNS Servers Work

What DNS servers are, how they work, the four types involved in DNS resolution (recursive, root, TLD, authoritative), public DNS options, and how to find or change your DNS server.

A DNS server is a computer that translates domain names into IP addresses. When you type example.com into your browser, a DNS server is what converts that name into the IP address your browser needs to connect to the right web server. Without DNS servers, you would have to memorize IP addresses for every website you visit.

DNS stands for Domain Name System. It is often called the "phone book of the internet," and the analogy is accurate: just like a phone book maps names to phone numbers, DNS maps domain names to IP addresses. For a full introduction to DNS, see the DNS Guide.

What DNS Servers Do

Every device connected to the internet is identified by a numerical IP address. Web servers, email servers, and application servers all have IP addresses. Humans work better with names than numbers, so the Domain Name System was created to bridge the gap.

When your browser needs to load a website, it sends a DNS query with the domain name. A DNS server receives that query, looks up the corresponding IP address, and sends it back. Your browser then connects directly to the web server at that IP address.

This happens for every domain your device communicates with. Loading a single web page might trigger dozens of DNS lookups: one for the main domain, others for CDN domains serving images and scripts, others for analytics services, ad networks, and third-party fonts. Your DNS server handles all of these.

The entire lookup process typically takes less than 50 milliseconds. When DNS is cached locally, it takes less than 1 millisecond. This speed is why you never notice DNS happening. But when DNS servers are slow, misconfigured, or down, the effect is immediate: websites fail to load, email stops flowing, and applications cannot reach their backends.

The Four Types of DNS Servers

DNS resolution involves four types of servers working together in a chain. Each has a specific role. Understanding this chain is essential for diagnosing DNS problems and choosing the right DNS configuration. For a deeper look at the resolution process, see DNS Resolution: How It Works.

Recursive Resolver

The recursive resolver is the DNS server your device talks to directly. When you configure DNS on your computer, router, or phone, you are setting the address of a recursive resolver.

This server does the heavy lifting. When it receives a query for a domain it does not have cached, it walks the DNS hierarchy on your behalf. It queries root servers, then TLD servers, then authoritative servers, following referrals at each step until it gets the final answer. Once it has the answer, it caches it (according to the TTL value) and sends it back to your device.

Recursive resolvers are operated by ISPs (your internet provider assigns one by default), public DNS providers (Google, Cloudflare, Quad9), and organizations (companies often run their own for their internal networks).

The recursive resolver is the server that has the biggest impact on your DNS experience. Its speed, reliability, and caching behavior directly affect how fast websites load and whether DNS lookups succeed.

Root Nameservers

Root nameservers sit at the top of the DNS hierarchy. There are 13 root server addresses (named A through M), operated by 12 independent organizations including ICANN, NASA, the U.S. Department of Defense, and several universities and companies. Each address is served by multiple physical servers distributed globally using anycast routing, so there are actually hundreds of root servers worldwide. [1]

Root servers do not know the IP address of every domain. They know which servers are authoritative for each top-level domain (TLD). When a recursive resolver asks a root server about example.com, the root server responds with: "I do not know about example.com, but here are the nameservers for .com. Ask them."

Root servers are queried infrequently in practice. Recursive resolvers cache root server referrals, so they only need to query the root when their cache for a particular TLD has expired.

TLD Nameservers

TLD (Top-Level Domain) nameservers are authoritative for everything under a specific TLD like .com, .org, .net, .io, or country codes like .uk and .de. They are operated by TLD registries: Verisign manages .com and .net, PIR manages .org, and so on.

TLD nameservers do not know the IP address of every domain under their TLD. They know which nameservers are authoritative for each registered domain. When a recursive resolver asks a .com TLD server about example.com, the TLD server responds with: "I do not know the IP for example.com, but its authoritative nameservers are ns1.example.com and ns2.example.com. Ask them."

Authoritative Nameservers

Authoritative nameservers are the final source of truth for a domain's DNS records. They hold the actual DNS zone for the domain, containing all the A, AAAA, MX, CNAME, TXT, and other records that the domain owner has configured.

When a recursive resolver reaches the authoritative nameserver and asks for the A record of example.com, the authoritative server looks up the record in its zone file and returns the IP address. This is the definitive answer. No more referrals. The recursive resolver caches this answer and sends it back to the original client.

Authoritative nameservers are operated by domain registrars (GoDaddy, Namecheap, Google Domains), DNS hosting providers (Cloudflare, Route 53, DNSimple), or the domain owner themselves (self-hosted BIND or other DNS software).

How the Resolution Chain Works

Here is the full sequence when your browser needs to look up example.com and no caching is involved:

  1. Your browser asks the operating system to resolve example.com
  2. The OS checks its local DNS cache. Cache miss.
  3. The OS sends the query to the configured recursive resolver (e.g., 8.8.8.8)
  4. The recursive resolver checks its cache. Cache miss.
  5. The recursive resolver queries a root nameserver: "Where is example.com?"
  6. The root server responds: "I do not know. Here are the .com TLD servers."
  7. The recursive resolver queries a .com TLD server: "Where is example.com?"
  8. The TLD server responds: "The authoritative nameservers for example.com are ns1.example.com and ns2.example.com."
  9. The recursive resolver queries ns1.example.com: "What is the A record for example.com?"
  10. The authoritative server responds: "example.com has an A record of 93.184.216.34"
  11. The recursive resolver caches the answer and sends it to the OS
  12. The OS caches the answer and sends it to the browser
  13. The browser connects to 93.184.216.34

In practice, most of these steps are cached. A busy recursive resolver has the root and TLD referrals cached almost permanently. The authoritative answer is cached according to the TTL. A typical lookup only needs steps 9 and 10, or is served entirely from the cache at step 4.
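The referral chain above, as an added example written for this page rather than taken from any DNS implementation: a toy recursive resolver in Python walks constructed root, TLD and authoritative servers (stand-ins for the real ones, using the documentation-range addresses 198.51.100.1 and 192.0.2.x, an invented TLD server name com-tld.test, and the page's 93.184.216.34 for example.com), follows each referral, and caches the final answer until its TTL expires. The clock is injectable so that expiry can be exercised without waiting an hour.

```python
import time

# Constructed stand-ins for the three server tiers. The addresses come from the
# IPv4 documentation ranges (RFC 5737) and the zone data is invented for this
# example, except 93.184.216.34, which is the example.com address quoted above.
ROOT_IP, COM_TLD_IP, EXAMPLE_NS_IP = "198.51.100.1", "192.0.2.10", "192.0.2.20"


def root_server(qname):
    # The root knows only which servers are authoritative for each TLD.
    if qname.endswith(".com."):
        return ("referral", "com-tld.test.", COM_TLD_IP)
    return ("nxdomain",)


def com_tld_server(qname):
    # The .com server knows only the delegated nameservers of each registered
    # domain. The glue address for ns1.example.com travels with the referral,
    # which is how a real resolver avoids resolving the nameserver's name first.
    if qname == "example.com." or qname.endswith(".example.com."):
        return ("referral", "ns1.example.com.", EXAMPLE_NS_IP)
    return ("nxdomain",)


def example_auth_server(qname):
    # Authoritative zone for example.com: the definitive A record and its TTL.
    zone = {"example.com.": ("93.184.216.34", 3600)}
    if qname in zone:
        ip, ttl = zone[qname]
        return ("answer", ip, ttl)
    return ("nxdomain",)


SERVERS = {ROOT_IP: root_server, COM_TLD_IP: com_tld_server, EXAMPLE_NS_IP: example_auth_server}


class RecursiveResolver:
    """Walks the referral chain from the root and caches answers by TTL."""

    def __init__(self, root_ip=ROOT_IP, clock=time.time):
        self.root_ip = root_ip
        self.clock = clock      # injectable so tests can advance time
        self.cache = {}         # qname -> (ip, absolute expiry time)

    def resolve(self, name):
        qname = name if name.endswith(".") else name + "."
        now, trace = self.clock(), []
        cached = self.cache.get(qname)
        if cached and cached[1] > now:
            trace.append(f"cache hit for {qname}")
            return cached[0], trace
        server_ip = self.root_ip
        for _ in range(8):      # hop limit: a broken delegation must not loop forever
            reply = SERVERS[server_ip](qname)
            if reply[0] == "referral":
                _, ns_name, ns_ip = reply
                trace.append(f"{server_ip} referred to {ns_name} ({ns_ip})")
                server_ip = ns_ip
            elif reply[0] == "answer":
                _, ip, ttl = reply
                trace.append(f"{server_ip} answered {ip} (TTL {ttl})")
                self.cache[qname] = (ip, now + ttl)
                return ip, trace
            else:
                trace.append(f"{server_ip} returned NXDOMAIN")
                return None, trace
        raise RuntimeError("too many referrals")


if __name__ == "__main__":
    resolver = RecursiveResolver()
    for step in resolver.resolve("example.com")[1]:
        print(step)
    print(resolver.resolve("example.com")[1])   # second lookup: served from cache
```

The trace of the first lookup shows the three network round trips (root, TLD, authoritative); the second lookup for the same name never leaves the cache, which is the behaviour the paragraph above describes. A real resolver additionally validates each answer before caching it, and the hop limit exists because a mis-delegated zone can refer a resolver in circles.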

Public DNS Servers

You are not stuck with your ISP's DNS resolver. Public DNS services are free, often faster, and may offer additional features like malware blocking. For a detailed comparison, see Public DNS Providers.

Google Public DNS (8.8.8.8 / 8.8.4.4)

Google Public DNS is the largest public DNS service, handling over a trillion queries per day. It prioritizes speed through aggressive caching and anycast routing, with servers in data centers worldwide. Google Public DNS supports DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) for encrypted queries. Google logs query data but anonymizes it after 24 to 48 hours.

Cloudflare DNS (1.1.1.1 / 1.0.0.1)

Cloudflare DNS focuses on privacy and speed. Cloudflare committed to never selling user data, never using it for ad targeting, and purging query logs within 24 hours. Independent audits verify these claims. Cloudflare's resolver is consistently among the fastest in benchmark tests, partly because Cloudflare's CDN network gives it server presence in more locations than most DNS providers.

Quad9 (9.9.9.9 / 149.112.112.112)

Quad9 is a nonprofit DNS service that blocks known malicious domains. When you query a domain associated with malware, phishing, or other threats, Quad9 returns an NXDOMAIN response instead of the real IP address. This provides a layer of protection at the DNS level. Quad9 sources its threat intelligence from multiple security partners and does not log personally identifiable query data.

OpenDNS (208.67.222.222 / 208.67.220.220)

OpenDNS, now owned by Cisco, offers both free and paid DNS services. The free tier provides basic malware and phishing protection. The paid tier adds content filtering, which is popular with families and schools for blocking specific website categories. OpenDNS has been around since 2005 and has a large installed base.

Provider     Primary IP        Focus             Encryption
Google       8.8.8.8           Speed             DoH, DoT
Cloudflare   1.1.1.1           Privacy + Speed   DoH, DoT, DoQ
Quad9        9.9.9.9           Security          DoH, DoT
OpenDNS      208.67.222.222    Filtering         DoH, DoT

How to Find Your Current DNS Server

Windows

Open Command Prompt and run:

ipconfig /all

Look for "DNS Servers" under your active network adapter. The listed IP addresses are your configured DNS servers.

Alternatively, check your router's settings page (usually at 192.168.1.1 or 192.168.0.1). The DNS settings on your router apply to all devices on your network unless a device has its own DNS configuration.

macOS

Open Terminal and run:

scutil --dns | head -20

Or check System Settings > Network > [your connection] > Details > DNS.

Linux

The method varies by distribution. On systems using systemd-resolved:

resolvectl status

On older systems, check /etc/resolv.conf:

cat /etc/resolv.conf

The nameserver lines show your configured DNS servers.
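One caveat when reading /etc/resolv.conf: on a host running systemd-resolved the file lists only the local stub listener 127.0.0.53, and the real upstream servers are those reported by resolvectl status. The following parser is an added example, not code from the page: it reads the resolv.conf format (nameserver, search or domain, options) from two constructed sample files and flags the case where every nameserver is a loopback address, so that the reader knows to look further.

```python
import ipaddress

# Constructed sample of resolv.conf on a systemd-resolved host: the only nameserver
# is the local stub, so the real upstream has to be read with `resolvectl status`.
SAMPLE_STUB = """\
# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
nameserver 127.0.0.53
options edns0 trust-ad
search lan
"""

# Constructed sample of a statically configured host pointing at a public resolver.
SAMPLE_STATIC = """\
nameserver 1.1.1.1
nameserver 1.0.0.1
nameserver 2606:4700:4700::1111
search corp.example
options ndots:2 timeout:3
"""


def parse_resolv_conf(text):
    """Parse resolv.conf text into nameservers, search list and options."""
    conf = {"nameservers": [], "search": [], "options": {}}
    for raw in text.splitlines():
        line = raw.strip()
        # resolv.conf(5): lines whose first character is '#' or ';' are comments
        if not line or line[0] in "#;":
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            try:
                conf["nameservers"].append(str(ipaddress.ip_address(args[0])))
            except ValueError:
                continue  # unparsable address: ignored, as the system resolver does
        elif key in ("search", "domain"):
            conf["search"] = args  # the two keywords are exclusive; the last one wins
        elif key == "options":
            for opt in args:
                name, _, value = opt.partition(":")
                conf["options"][name] = int(value) if value.isdigit() else True
    # glibc only consults the first three nameserver lines; keep the rest visible
    # here but note it when reporting.
    conf["unused_nameservers"] = conf["nameservers"][3:]
    return conf


def is_local_stub(conf):
    """True when every configured nameserver is a loopback address, meaning a local
    forwarder (systemd-resolved on 127.0.0.53, dnsmasq, etc.) sits in front of the
    real upstream and the file does not show where queries actually go."""
    servers = conf["nameservers"]
    return bool(servers) and all(ipaddress.ip_address(s).is_loopback for s in servers)


if __name__ == "__main__":
    for label, sample in (("stub", SAMPLE_STUB), ("static", SAMPLE_STATIC)):
        conf = parse_resolv_conf(sample)
        where = "local stub, run resolvectl status" if is_local_stub(conf) else "upstream"
        print(f"{label}: {conf['nameservers']} ({where})")
```

To use it on the running system, replace the samples with open("/etc/resolv.conf").read(). The loopback check is the piece worth keeping: a DNS problem cannot be diagnosed from the stub address alone, because the forwarder behind it may be pointing anywhere.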

How to Change Your DNS Server

Changing your DNS server takes a few minutes and can improve browsing speed, privacy, or security depending on which provider you choose.

On Your Router (Affects All Devices)

Log into your router's admin panel. Find the DNS settings (usually under WAN, Internet, or DHCP settings). Replace the existing DNS server addresses with your preferred public DNS (e.g., 1.1.1.1 and 1.0.0.1 for Cloudflare). Save and reboot the router.

This changes DNS for every device on your network. Individual devices can still override this setting.

On Windows

  1. Open Settings > Network & Internet > [your connection] > Hardware properties
  2. Click Edit next to DNS server assignment
  3. Switch from Automatic to Manual
  4. Enter your preferred DNS addresses
  5. Save

On macOS

  1. Open System Settings > Network
  2. Select your active connection
  3. Click Details > DNS
  4. Click + to add DNS servers
  5. Enter your preferred addresses

On iOS and Android

Both mobile operating systems allow DNS configuration in the WiFi settings for each network. Some public DNS providers also offer apps that configure DNS system-wide, including on cellular connections.

Flush your DNS cache after changing servers

After changing DNS servers, flush your local DNS cache so that old cached entries from the previous server are cleared. On Windows: ipconfig /flushdns. On macOS: sudo dscacheutil -flushcache && sudo killall -HUP mDNSResponder. This ensures your device starts using the new DNS server immediately.

When DNS Servers Fail

DNS server failures are one of the most common causes of "the internet is down" experiences. If your DNS server is unreachable or returning errors, your device cannot resolve domain names, and no websites load. The internet connection itself may be fine, but without DNS, your browser has no way to find servers.

Signs that DNS is the problem rather than your internet connection:

  • Websites fail to load, but you can ping IP addresses directly (e.g., ping 1.1.1.1 works)
  • Some sites load (cached DNS) while others do not
  • Error messages mention DNS resolution or "server not found"
  • The problem is fixed by switching to a different DNS server

For a systematic approach to fixing DNS issues, see the DNS Troubleshooting Guide.

DNS Server Security

DNS was designed in the 1980s without encryption or authentication. Queries and responses travel in plaintext over UDP. This makes DNS vulnerable to several attacks:

DNS spoofing/cache poisoning: An attacker sends forged DNS responses to a recursive resolver, injecting false records into its cache. Users querying that resolver are then directed to the attacker's servers.

DNS hijacking: An attacker changes the DNS configuration on a device, router, or even at the ISP level to redirect queries to a malicious resolver.

Eavesdropping: Anyone on the network path between you and your DNS server can see which domains you are querying. This reveals browsing activity even when the websites themselves are accessed over HTTPS.

Modern mitigations include DNSSEC (which authenticates DNS responses but does not encrypt them), DNS-over-HTTPS (DoH), and DNS-over-TLS (DoT). All four public DNS providers listed above support encrypted DNS queries.
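The spoofing and cache-poisoning risk described above is why a recursive resolver validates every reply before it caches anything. The following Python code is an added example, not from the page or any resolver project: it builds and parses minimal DNS wire-format messages (RFC 1035 header, question, and A-record answers) and then applies the acceptance checks a resolver performs, rejecting a reply whose source address, QR bit, transaction ID or question section does not match the outstanding query, or that carries a record for a name outside the one that was asked about. Addresses are from the documentation ranges and the "bank.test" name is constructed; the bailiwick rule here (owner at or below the queried name) is a deliberate simplification of the zone-based rule real resolvers use.

```python
import struct

TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels (uncompressed)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a name at offset, following compression pointers; returns (name, end)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # pointer: jump, remember where we return
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_query(txid, qname):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_response(txid, qname, answers):
    """answers: list of (owner_name, ttl, ipv4 string)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)  # QR, RD, RA
    body = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    for owner, ttl, ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        body += encode_name(owner) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + rdata
    return header + body


def parse_message(msg):
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((owner, rtype, ttl, rdata))
    return {"id": txid, "qr": bool(flags & 0x8000), "qname": qname, "qtype": qtype, "answers": answers}


def accept_response(query, response, sent_to, received_from):
    """Checks a resolver makes before caching a reply; a failure means the packet is
    dropped and the query stays outstanding. Returns (accepted, reason). Source-port
    randomisation, the other standard defence, lives in the socket layer, not here."""
    q, r = parse_message(query), parse_message(response)
    if received_from != sent_to:
        return False, "source address does not match the server queried"
    if not r["qr"]:
        return False, "QR bit not set: not a response"
    if r["id"] != q["id"]:
        return False, "transaction ID mismatch"
    if (r["qname"].lower(), r["qtype"]) != (q["qname"].lower(), q["qtype"]):
        return False, "question section does not echo the query"
    asked = q["qname"].lower()
    for owner, _, _, _ in r["answers"]:
        # simplified bailiwick rule: only cache records at or below the queried name
        if owner.lower() != asked and not owner.lower().endswith("." + asked):
            return False, f"out-of-bailiwick record for {owner}"
    return True, "ok"
```

The transaction ID is only 16 bits, which is why matching it is necessary but not sufficient and why the source-port and bailiwick checks matter; DNSSEC validation, which the paragraph above mentions, is the step that would follow once a reply passes these structural checks.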

References

  1. IANA, "Root Servers," https://www.iana.org/domains/root/servers
