DNS is a UDP-based protocol that allows computers on a network to be addressed via easier-to-remember names.


DNS zones are hierarchical, stemming from a single root. Below this are TLDs (top level domains) and ccTLDs (country code top level domains).

  • Root zone (.):
    • com TLD domain:
      • google
    • net TLD domain:
      • google
    • uk ccTLD:
      • co domain:
        • google

Internal DNS resolution

gethostbyname() provides name resolution. At a high level, it considers a number of sources for results.

hosts files

Hosts files contain IP address => name pairs: int

Its location is platform dependent:

  • On Linux: /etc/hosts
  • On macOS: /private/etc/hosts
  • On Windows: C:\Windows\system32\drivers\etc\hosts

Resolver caching

Query the DNS resolver cache:

  • Linux: depends on configuration.
  • macOS:
    • Enable private data in logs: sudo log config --mode "private_data:on"
    • View DNS queries since enabling private data: log stream --predicate 'process == "mDNSResponder"' --info
    • Disable private data in logs: sudo log config --mode "private_data:off"
    • On pre-High Sierra versions, send the INFO signal to mDNSResponder and check /var/log/system.log: sudo killall -INFO mDNSResponder
  • Windows: ipconfig /displaydns

Clear the resolver cache:

  • Linux: depends on configuration.
  • macOS: dscacheutil -flushcache; sudo killall -HUP mDNSResponder
  • Windows: ipconfig /flushdns

External servers

Root hints (cache.dns) provide the location of the root servers, required for seeding DNS clients.

DNS queries requiring recursive queries or receiving cached responses are non-authoritative answers. Authoritative answers come only from the nameserver hosting the zone.


DNS queries that a server doesn't hold the answer for can be forwarded (from the root, to the TLD, to the domain's nameserver) in a process called recursion. Queries made in this fashion are known as iterative queries.

Conditional forwarding is more specific than forwarding. It can speed up lookups by allowing requests for specific domains to be directed straight to the appropriate nameserver, saving the iterative queries to get to the domain.

Zone types

  • Forward lookup zones resolve hostnames to IP addresses.
  • Reverse lookup zones resolve IP addresses to hostnames, e.g. for mail lookup. Their zone names will be in the format 0.168.192.in-addr.arpa.dns.

Record types

  • SOA start of authority records contain metadata about the zone:
    • Serial number, incremented on every change to signal modifications.
    • Primary authoritative nameserver.
    • Hostmaster contact
    • Minimum (default) TTL
    • Refresh interval
    • Retry interval
    • Expires after
  • A (IPv4) or AAAA (IPv6) address records, pointing at IP addresses.
  • CNAME are canonical name records, pointing at other names.
  • SRV (service) records contain a hostname and port number pair, along with a priority and weight value.
  • TXT records contain arbitrary text and are often used for ownership verification.
  • PTR records "point" at canonical hostnames for hosts.
  • MX, or mail exchanger, records point at SMTP servers for a domain. These include a priority value indicating a failover order.
  • NAPTR name authority pointer.
  • NS nameservers.
  • SPF (Sender Policy Framework) records are deprecated in favour of using TXT records for compatibility reasons.

All records have their own TTL, which can optionally override the zone default specified in the SOA.

Zone use cases

Primary DNS zones are authoritative sources of information for their zones. These zones are read/write, accepting resource record updates.

Secondary DNS servers are read-only copies of the zone. Zone transfers allow the contents of DNS zones to be copied over the DNS protocol (AXFR for full sync, IXFR for delta).

Stub zones contain only the SOA and NS records for the authoritative nameservers for the domain. This allows responding to recursive queries.

"Cache-only DNS" and "caching resolver" configurations require being able to service requests from clients and caching records over time.


DNS packet structure


The header section comprises:

  • ID is populated with an identifier by the querying client, used to match requests and responses.
  • QR indicates whether the packet contains a request (0) or response (1).
  • OPCODE indicates the operation type:
    • 0: standard query.
    • 1: inverse query.
    • 2: status.
    • 3: unassigned.
    • 4: notify.
    • 5: update.
    • 6-15: unassigned.
  • AA determines whether the responding nameserver is authoritative for the zone.
  • TC indicates that the message was truncated.
  • RD indicates that a request wishes to use recursion.
  • RA specifies whether recursion is available in the responding nameserver.
  • Z is reserved for future use and must be 0.
  • RCODE contains the response status.
  • Caching
  • QDCOUNT specifies the number of question resource records in the question section.
  • ANCOUNT specifies the number of answer resource records in the answer section.
  • NSCOUNT specifies the number of nameserver resource records in the nameserver section.
  • ARCOUNT specifies the number of authoritative resource records in the authority section.

Question section

DNS question structure

Question sections comprise:

  • QNAME specifies the name being queried.
  • QTYPE specifies the desired resource record type:
    • 1: A record.
    • 2: NS record.
    • 5: CNAME record.
    • 6: SOA record.
    • 12: PTR record.
    • 15: MX record.
    • 16: TXT record.
    • 28: AAAA record.
    • 33: SRV record.
  • QCLASS specifies the query class:
    • 1: Internet (IN) is the only widely used, though others are allocated.
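
The header and question layouts above, decoded from raw bytes. This is an added example, not part of the original notes; the sample packet is constructed, and rejecting compression pointers inside a question is a strictness choice made here.

```python
import struct

OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}
QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
          16: "TXT", 28: "AAAA", 33: "SRV"}
# Constructed sample: query for example.com, type A, class IN, ID 0x1a2b, RD set.
SAMPLE_QUERY = bytes.fromhex(
    "1a2b01000001000000000000" "076578616d706c6503636f6d00" "00010001")

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header into the fields listed above."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    opcode = (flags >> 11) & 0xF
    return {
        "id": ident, "qr": flags >> 15,
        "opcode": OPCODES.get(opcode, f"unassigned({opcode})"),
        "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1,
        "z": (flags >> 4) & 0x7,   # three reserved bits in the original layout
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def parse_question(msg: bytes, offset: int = 12):
    """Decode one question entry; return (qname, qtype, qclass, next_offset)."""
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("QNAME runs past end of message")
        length = msg[offset]
        offset += 1
        if length == 0:            # zero-length root label terminates QNAME
            break
        if length > 63:            # top bits set: pointer or reserved label type
            raise ValueError("compression pointer or invalid label in question")
        label = msg[offset:offset + length]
        if len(label) < length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", "replace"))
        offset += length
    if offset + 4 > len(msg):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!2H", msg[offset:offset + 4])
    return ".".join(labels) + ".", QTYPES.get(qtype, str(qtype)), qclass, offset + 4
```

Every length is bounds-checked before use, so a malformed or truncated packet raises `ValueError` instead of being silently misparsed.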

Resource records

DNS resource record structure

Resource records make up a number of sections:

  • Answer section
  • Authority section
  • Additional section

They comprise the following fields:

  • NAME specifies the domain name.
  • TYPE specifies a resource type.
  • CLASS specifies the resource class.
  • TTL provides the number of seconds a record may be cached.
  • RDLENGTH specifies the length of the RDATA field.
  • RDATA contains the record data.

Zone transfers

A zone transfer, sometimes referred to by the query type AXFR, is a DNS transaction that allows replicating DNS zones across servers.

If it's possible to deliver the result in a single packet, UDP is favoured, else TCP will be used.

There are two types of zone transfer:

  • AXFR queries return the complete contents of the specified zone.
  • IXFR queries return partial results, requiring that the server store delta information between the current and several previous versions.

Load balancing

  • Netmask ordering is the behaviour of listing resource records for addresses in the same subnet as the client first in the returned results. Since clients work down resource records in the order they're given, this should favour the "local" record over others.
  • Round robin load balancing offers a poor-man's load distribution mechanism: the DNS server can permute the order of multiple address resource records.


EDNS(0) expands the size of several parameters of the original protocol which limited its expansibility. It was proposed in RFC 2671 and later revised by RFC 6891.

The extensions are facilitated through the use of a new optional (OPT) pseudo-resource record type to preserve backwards compatibility (old responders ignore them and new responders don't include the records unless they exist in the request).


Troubleshooting should follow the order of the DNS resolution process:

  1. Check the local cache, if applicable.
  2. Check the local zones.
  3. Check the conditional forwarders.
  4. Check forwarders.
  5. Check the root hints.

Tools are platform-specific:

  • nslookup is all you've got on Windows by default.
  • drill (and the BIND utility dig) are more feature rich.

