DNS Definition

The Domain Name System (DNS) turns domain names into IP addresses, which browsers use to load internet pages. Every device connected to the internet has its own IP address, which is used by other devices to locate the device. DNS servers make it possible for people to input normal words into their browsers, such as Fortinet.com, without having to keep track of the IP address for every website.

What is a DNS Server?

A DNS server is a computer with a database that maps website names to the public IP addresses that bring a user to those sites. DNS acts like a phonebook for the internet. Whenever people type domain names, like Fortinet.com or Yahoo.com, into the address bar of web browsers, DNS finds the right IP address. The site’s IP address is what directs the device to the correct place to access the site’s data.

Once the DNS server finds the correct IP address, browsers take the address and use it to send data to content delivery network (CDN) edge servers or origin servers. Once this is done, the information on the website can be accessed by the user. The DNS server starts the process by finding the corresponding IP address for a website’s uniform resource locator (URL).

How Does DNS Work?

In a usual DNS query, the URL typed in by the user has to go through four servers for the IP address to be provided. The four servers work with each other to get the correct IP address to the client, and they include:

  1. DNS recursor: The DNS recursor, which is also referred to as a DNS resolver, receives the query from the DNS client. Then it communicates with other DNS servers to find the right IP address. After the resolver retrieves the request from the client, the resolver acts like a client itself. As it does this, it makes queries that get sent to the other three DNS servers: root nameservers, top-level domain (TLD) nameservers, and authoritative nameservers.
  2. Root nameservers: The root nameserver is designated for the internet’s DNS root zone. Its job is to answer requests sent to it for records in the root zone. It answers requests by sending back a list of the authoritative nameservers that go with the correct TLD.
  3. TLD nameservers: A TLD nameserver holds the delegation records for the second-level domains within its TLD. Rather than answering with the website’s address itself, it points the resolver to the domain’s own nameserver so that the query can be sent there.
  4. Authoritative nameservers: An authoritative nameserver is what gives you the real answer to your DNS query. There are two types of authoritative nameservers: a primary (master) nameserver and a secondary (slave) nameserver. The primary keeps the original copies of the zone records, while the secondary holds an exact copy of them; it shares the DNS server load and acts as a backup if the primary fails.

Authoritative DNS Servers vs. Recursive DNS Servers: What’s the Difference?

Authoritative nameservers hold the DNS records themselves. A recursive server acts as a middleman, positioned between the authoritative server and the end user. To reach the nameserver, the recursive server has to “recurse” through the DNS tree to access the domain’s records.

Authoritative DNS Server

To use the phone book analogy, think of the IP address as the phone number and the person’s name as the website’s URL. Authoritative DNS servers have a copy of the “phone book” that connects these IP addresses with their corresponding domain names. They provide answers to the queries sent by recursive DNS nameservers, providing information on where to find specific websites. The answers provided have the IP addresses of the domains involved in the query.

Authoritative DNS servers are responsible for specific regions, such as a country, an organization, or a local area. Regardless of which region is covered, an authoritative DNS server does two important jobs. First, the server keeps lists of domain names and the IP addresses that go with them. Next, the server responds to requests from the recursive DNS server regarding the IP address that corresponds with a domain name.

Once the recursive DNS server gets the answer, it sends that information back to the computer that requested it. The computer then uses that information to connect to the IP address, and the user gets to see the website.

Recursive DNS Server

After a user types in a URL in their web browser, that URL is given to the recursive DNS server. The recursive DNS server then examines its cache memory to see whether the IP address for the URL is already stored. If the IP address information already exists, the recursive DNS server will send the IP address to the browser. The user is then able to see the website for which they typed in the URL.

On the other hand, if the recursive DNS server does not find the IP address when it searches its memory, it will proceed through the process of getting the IP address for the user. The recursive DNS server’s next step is to store the IP address for a specific amount of time. This period of time is defined by the person who owns the domain using a setting referred to as time to live (TTL).

DNS Servers and IP Addresses

Computers and various devices that use the internet depend on IP addresses to send a user’s request to the website they are attempting to reach. Without DNS, you would have to keep track of the IP addresses of all the websites you visit, similar to carrying around a phone book of websites all the time. The DNS server allows you to type in the name of the website. It then goes out and gets the right IP address for you. Armed with the IP address, your computer (or browser) can bring you to the site.

For instance, if you input gocit.vn in your web browser, that URL, on its own, cannot bring you to the website. Those letters cannot be “read” by the servers that connect you with the site. However, the servers are able to read IP addresses. The DNS server figures out which IP address corresponds with gocit.vn and sends it to your browser. Then the website appears on your device’s screen because the browser now knows where to take your device.

The 8 steps in a DNS lookup:

    1. A user types ‘example.com’ into a web browser and the query travels into the Internet and is received by a DNS recursive resolver.
    2. The resolver then queries a DNS root nameserver (.).
    3. The root server then responds to the resolver with the address of a Top Level Domain (TLD) DNS server (such as .com or .net), which stores the information for its domains. When searching for example.com, our request is pointed toward the .com TLD.
    4. The resolver then makes a request to the .com TLD.
    5. The TLD server then responds with the IP address of the domain’s nameserver, example.com.
    6. Lastly, the recursive resolver sends a query to the domain’s nameserver.
    7. The IP address for example.com is then returned to the resolver from the nameserver.
    8. The DNS resolver then responds to the web browser with the IP address of the domain requested initially.

Once the 8 steps of the DNS lookup have returned the IP address for example.com, the browser is able to make the request for the web page:

  9. The browser makes an HTTP request to the IP address.
  10. The server at that IP returns the web page to be rendered in the browser.
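As an added walk-through (not code from the original article), here is a toy recursive resolver in Python that performs the lookup steps above against constructed root, .com and example.com zone data, and caches both the answer and the delegations it learned until their TTLs expire. The server names, addresses and TTL values are assumptions made up for the example.

```python
import time

# Constructed zone data for the walk-through; the server names and the
# 192.0.2.0/24 addresses are documentation values, not real DNS data.
ROOT_DELEGATIONS = {"com": ("a.gtld-servers.test", 172800)}      # TLD -> (server, TTL)
TLD_DELEGATIONS = {"example.com": ("ns1.example.com", 86400)}    # zone -> (server, TTL)
AUTHORITATIVE = {"www.example.com": ("192.0.2.10", 300),         # name -> (address, TTL)
                 "example.com": ("192.0.2.1", 3600)}

def root_server(qname):
    # Steps 2-3: the root only knows which servers handle each TLD.
    tld = qname.rsplit(".", 1)[-1]
    if tld in ROOT_DELEGATIONS:
        return ("referral", tld) + ROOT_DELEGATIONS[tld]
    return ("nxdomain",)

def tld_server(qname):
    # Steps 4-5: the .com server refers the resolver to the domain's nameserver.
    zone = ".".join(qname.split(".")[-2:])
    if zone in TLD_DELEGATIONS:
        return ("referral", zone) + TLD_DELEGATIONS[zone]
    return ("nxdomain",)

def authoritative_server(qname):
    # Steps 6-7: the authoritative server gives the real answer, or says the name does not exist.
    if qname in AUTHORITATIVE:
        return ("answer",) + AUTHORITATIVE[qname]
    return ("nxdomain",)

SERVERS = {"root": root_server,
           "a.gtld-servers.test": tld_server,
           "ns1.example.com": authoritative_server}

class ManualClock:
    """Injectable clock so TTL expiry can be shown without sleeping."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now

class RecursiveResolver:
    """Toy recursor: walks root -> TLD -> authoritative and caches both the
    final answer and the delegations (NS data) it learned, each until its TTL expires."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.cache = {}     # ("A", name) or ("NS", zone) -> (value, expires_at)

    def _cached(self, key, now):
        hit = self.cache.get(key)
        return hit[0] if hit and hit[1] > now else None

    def _starting_server(self, qname, now):
        # Use the most specific cached delegation, so the walk can skip the
        # root (and possibly the TLD server) while that NS data is still fresh.
        labels = qname.split(".")
        for i in range(len(labels)):
            server = self._cached(("NS", ".".join(labels[i:])), now)
            if server:
                return server
        return "root"

    def resolve(self, qname):
        """Return (address or None, list of servers consulted) for an A lookup."""
        now = self.clock()
        address = self._cached(("A", qname), now)
        if address:
            return address, ["cache"]
        server, consulted = self._starting_server(qname, now), []
        while True:
            consulted.append(server)
            reply = SERVERS[server](qname)
            if reply[0] == "referral":
                _, zone, server, ttl = reply
                self.cache[("NS", zone)] = (server, now + ttl)
            elif reply[0] == "answer":
                _, address, ttl = reply
                self.cache[("A", qname)] = (address, now + ttl)
                return address, consulted
            else:
                return None, consulted
```

The second lookup of a name is served from cache, and a later lookup in the same zone skips the root and TLD servers until the cached delegation's TTL runs out.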

Common DNS records

DNS records are the information a query seeks. Depending on the query, client or application, different information is required. Some records are required, such as the A record.

There are many DNS record types, each with its own purpose in denoting how a query should be treated. Common DNS records include the following:

  • A record. This stands for address and holds the IP address of a domain. A records only apply to IPv4 addresses. IPv6 addresses have AAAA records instead, which use the longer format of IPv6 addresses. Most websites only have one A record, but some larger sites have several, which helps with load balancing by serving different A records to different users in heavy traffic.
  • NS record. These name server records denote which authoritative server is responsible for having all the information about a given domain. Often, domains have both primary and backup name servers to increase reliability, and multiple NS records are used to direct queries to them.
  • TXT record. TXT records enable administrators to enter text into DNS. The original purpose was to put human-readable notes in DNS, but today, machine-readable notes are often put there. TXT records are used to confirm domain ownership, secure email and counter email spam.
  • CNAME record. A canonical name record is used instead of an A record when a name is an alias for another name. It tells the resolver to repeat the query for the canonical name, so that two different domains resolve to the same IP address. For example, searchsecurity.techtarget.com could be a CNAME that points the query at techtarget.com.
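An added example, not from the original article: a small parser for the wire format these records travel in, decoding A, AAAA, NS, CNAME and TXT record data and following the RFC 1035 name-compression pointers a resolver must handle safely. The response bytes are constructed inline with documentation addresses.

```python
import struct
import ipaddress

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 16: "TXT", 28: "AAAA"}

def read_name(data, offset):
    """Read a (possibly compressed) name at offset; returns (name, offset after it).
    A label byte 11xxxxxx is an RFC 1035 pointer to an earlier copy of the name;
    requiring pointers to go backwards also rules out pointer loops."""
    labels = []
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            if pointer >= offset:
                raise ValueError("forward compression pointer")
            labels.append(read_name(data, pointer)[0])
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:                      # zero-length root label ends the name
            return ".".join(labels) or ".", offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length

def parse_rdata(data, rtype, start, length):
    """Decode one record's RDATA according to its type."""
    body = data[start:start + length]
    if rtype == 1:
        return str(ipaddress.IPv4Address(body))
    if rtype == 28:
        return str(ipaddress.IPv6Address(body))
    if rtype in (2, 5):                      # NS and CNAME carry a (compressible) name
        return read_name(data, start)[0]
    if rtype == 16:                          # TXT: one or more <len><chars> strings
        parts, i = [], 0
        while i < len(body):
            parts.append(body[i + 1:i + 1 + body[i]].decode("ascii"))
            i += 1 + body[i]
        return "".join(parts)
    return body.hex()

def parse_message(data):
    """Parse a DNS message into its question(s) and all resource records."""
    msg_id, flags, qd, an, ns, ar = struct.unpack_from("!6H", data, 0)
    offset, questions, records = 12, [], []
    for _ in range(qd):
        name, offset = read_name(data, offset)
        qtype = struct.unpack_from("!H", data, offset)[0]
        offset += 4                          # QTYPE + QCLASS
        questions.append((name, TYPE_NAMES.get(qtype, qtype)))
    for _ in range(an + ns + ar):            # answer, authority, additional sections
        name, offset = read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", data, offset)
        offset += 10
        if offset + rdlen > len(data):
            raise ValueError("RDLENGTH runs past the end of the message")
        records.append((name, TYPE_NAMES.get(rtype, rtype), ttl,
                        parse_rdata(data, rtype, offset, rdlen)))
        offset += rdlen
    return {"id": msg_id, "rcode": flags & 0xF, "questions": questions, "records": records}

def _labels(name):
    """Encode a name as uncompressed length-prefixed labels."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def build_sample_response():
    """Constructed reply for 'www.example.com A' (192.0.2.0/24 is a documentation
    range). Names after the question are pointers: offset 12 = 'www.example.com'
    in the question, offset 16 = 'example.com' inside it."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 2, 1, 1)   # 2 answers, 1 NS, 1 extra
    question = _labels("www.example.com") + struct.pack("!HH", 1, 1)
    ptr_www, ptr_example = b"\xc0\x0c", b"\xc0\x10"
    def rr(name, rtype, ttl, rdata):
        return name + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    cname = rr(ptr_www, 5, 300, b"\x03web" + ptr_example)     # www -> web.example.com
    off_web = len(header) + len(question) + 2 + 10            # where 'web.example.com' sits
    a = rr(struct.pack("!H", 0xC000 | off_web), 1, 60, bytes([192, 0, 2, 1]))
    ns = rr(ptr_example, 2, 3600, b"\x03ns1" + ptr_example)
    txt = b"v=spf1 -all"
    txt_rr = rr(ptr_example, 16, 3600, bytes([len(txt)]) + txt)
    return header + question + cname + a + ns + txt_rr
```

A message whose pointer points forward (the shape a malformed or hostile packet can take) is rejected with a ValueError instead of looping.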

DNS caching

The goal of DNS caching is to reduce the time it takes to get an answer to a DNS query. Caching enables DNS to store previous answers to queries closer to clients and get that same information to them faster the next time it is queried.

DNS data can be cached in a number of places. Some common ones include the following:

  • Browser. Most browsers, like Apple Safari, Google Chrome and Mozilla Firefox, cache DNS data by default for a set amount of time. The browser is the first cache that gets checked when a DNS request gets made, before the request leaves the machine for a local DNS resolver server.
  • Operating system (OS). Many OSes have built-in DNS resolvers called stub resolvers that cache DNS data and handle queries before they are sent to an external server. The OS is usually queried after the browser or other querying application.
  • Recursive resolver. The answer to a DNS query can also be cached on the DNS recursive resolver. A resolver may already hold some of the records needed to produce a response and can then skip steps in the resolution process. For example, if the resolver has cached the NS records for the .com TLD nameservers but not the A record it was asked for, it can skip the root server and query the TLD server directly.

Browser DNS Caching

The operating system (OS) used by your device stores DNS resource records through the use of caching. Caching prevents redundancy when someone tries to go to a site. This, in turn, reduces the amount of time it takes to get to the website. If the device you are using recently went to the page it is trying to access, the IP address can be supplied by the cache. In this way, the website request can be completed without involving the DNS server.

The DNS cache, therefore, helps streamline the DNS lookup process that would otherwise be necessary to link a domain name to an IP address. This makes the process of getting to the website much faster.

OS DNS Caching

The operating systems of many devices are capable of maintaining a local copy of DNS lookups. This makes it possible for the OS to quickly get the information it needs to resolve the URL to the correct IP address.

What is DNSSEC?

DNS Security Extensions (DNSSEC) is an effort to make communication among the various levels of servers involved in DNS lookups more secure. It was devised by the Internet Corporation for Assigned Names and Numbers (ICANN), the organization in charge of the DNS system.

ICANN became aware of weaknesses in the communication between the DNS top-level, second-level and third-level directory servers that could allow attackers to hijack lookups. That would allow the attackers to respond to requests for lookups to legitimate sites with the IP address for malicious sites. These sites could upload malware to users or carry out phishing and pharming attacks.

DNSSEC addresses this by having each level of DNS server digitally sign the records it serves, which ensures that the answers returned to end users have not been tampered with by attackers. This creates a chain of trust so that at each step in the lookup, the integrity of the response is validated.

In addition, DNSSEC can determine whether a domain name exists, and if one doesn’t, it won’t let that fraudulent domain be delivered to innocent requesters seeking to have a domain name resolved.

As more domain names are created, and more devices continue to join the network via internet of things devices and other “smart” systems, and as more sites migrate to IPv6, maintaining a healthy DNS ecosystem will be required. The growth of big data and analytics also brings a greater need for DNS management.

DNS security

DNS does have a few vulnerabilities that have been discovered over time. DNS cache poisoning is one such vulnerability. In DNS cache poisoning, data is distributed to caching resolvers, posing as an authoritative origin server. The data can then present false information and can affect TTL. Actual application requests can also be redirected to a malicious host network.

An individual with malicious intent can create a dangerous website with a misleading title and try to convince users that the website is real, giving the hacker access to the user’s information. By replacing a character in a domain name with a similar looking character — such as replacing the number 1 with the letter l, which may look similar — a user could be fooled into selecting a false link. This is commonly exploited with phishing attacks.

DNS Security Extensions (DNSSEC) counter this by supporting cryptographically signed responses, so a resolver can verify that an answer really came from the zone’s owner.
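Added example (not from the original article) of the checks a caching resolver applies before trusting a reply, which is what makes poisoning hard even without DNSSEC: the reply must carry the random transaction ID and arrive on the random source port of the outstanding query, come from the server that was asked, repeat the same question, and only records inside the queried zone are cached. All names and addresses are constructed documentation values.

```python
import secrets

# Constructed values: 192.0.2.53 stands in for the authoritative server the
# resolver queried; 192.0.2.10, 198.51.100.9 and 203.0.113.7 are documentation addresses.

def in_bailiwick(name, zone):
    """True if name is the zone itself or lies beneath it (case-insensitive)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def new_query(qname, qtype, server, zone):
    """Record what was sent so the reply can be matched against it. A random
    16-bit transaction ID plus a random source port leaves a forger guessing
    about 32 bits, instead of 16 when the port is fixed."""
    return {"id": secrets.randbelow(1 << 16),
            "port": 1024 + secrets.randbelow(65536 - 1024),
            "qname": qname.lower(), "qtype": qtype, "server": server, "zone": zone}

def accept_response(pending, reply):
    """Decide whether a parsed reply may be cached. `reply` has: id, src (sender
    IP), dst_port (port it arrived on), qname, qtype, and records as
    (name, type, ttl, value) tuples. Returns (accepted, cacheable_records, reason)."""
    if reply["src"] != pending["server"]:
        return False, [], "sender is not the server that was queried"
    if reply["dst_port"] != pending["port"] or reply["id"] != pending["id"]:
        return False, [], "port or transaction ID mismatch: possible forged reply"
    if (reply["qname"].lower(), reply["qtype"]) != (pending["qname"], pending["qtype"]):
        return False, [], "question section does not match the outstanding query"
    # Bailiwick rule: only records for names this server is responsible for are
    # cached, so a reply for example.com cannot plant an address for another domain.
    cacheable = [rec for rec in reply["records"] if in_bailiwick(rec[0], pending["zone"])]
    return True, cacheable, "ok"

def demo():
    """Run a genuine reply and two bogus ones through the checks."""
    pending = new_query("www.example.com", "A", "192.0.2.53", "example.com")
    genuine = {"id": pending["id"], "dst_port": pending["port"], "src": "192.0.2.53",
               "qname": "www.example.com", "qtype": "A",
               "records": [("www.example.com", "A", 300, "192.0.2.10"),
                           ("login.bank.test", "A", 86400, "198.51.100.9")]}  # off-zone extra
    forged_id = dict(genuine, id=(pending["id"] + 1) % 65536)   # wrong transaction ID
    forged_src = dict(genuine, src="203.0.113.7")               # not the server asked
    return (accept_response(pending, genuine),
            accept_response(pending, forged_id),
            accept_response(pending, forged_src))
```

The genuine reply is accepted but its off-zone extra record is discarded rather than cached; both forged replies are rejected outright.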

How to Perform a DNS Lookup

Each domain has DNS records, and these are pulled by nameservers. You can check the status of the DNS records associated with your domain. You can also examine the nameservers to ascertain which records are being pulled by the servers. On a Windows computer, for example, this is done using the NSLOOKUP command. Here’s how to do it:

  1. Access the Windows command prompt by going to Start >> command prompt. You can also get to it via Run >> CMD.
  2. Type NSLOOKUP and then hit Enter. The default server gets set to your local DNS, and the address will be your local IP address.
  3. Set the type of DNS record you want to look up by typing “set type=##”, where “##” is the record type, and hit Enter. Valid record types include A, AAAA, A+AAAA, ANY, CNAME, MX, NS, PTR, SOA, and SRV.
  4. Enter the domain name you want to query. Hit Enter.
  5. At this point, the NSLOOKUP returns the record entries for the domain you entered.

What is a DNS Resolver?

A DNS resolver is also referred to as a recursive resolver. It is designed to take DNS queries sent by web browsers and applications. The resolver receives the website URL, and it then retrieves the IP address that goes with that URL.

What are the Types of DNS Queries?

During the DNS lookup process, three different kinds of queries are performed. The queries are combined to optimize the resolution of the DNS, saving time.

  1. Recursive query
  2. Iterative query
  3. Non-recursive query

Brief history of DNS

In the 1970s, all hostnames and their corresponding numerical addresses were contained in a single file called “HOSTS.TXT” and were maintained by Elizabeth Feinler from the Stanford Research Institute. This was known as the Advanced Research Projects Agency Network, or ARPANET, directory, and Feinler manually assigned numerical addresses to domain names. Adding a new name to the directory required a phone call to Feinler.

By the 1980s, this system became too inefficient to maintain. In 1983, the domain name system was created to distribute what was initially one centralized file with every address in it across multiple servers and locations.

In 1986, IETF listed DNS as one of the original internet standards. That organization published two documents — RFC 1034 and RFC 1035 — that described the DNS protocol and outlined the types of data it was able to carry.

Since then, DNS has been consistently updated and expanded to accommodate the increasingly complex internet. Today, large ubiquitous information technology companies, like Microsoft and Google, offer their own DNS hosting services.

Free vs. Paid DNS Servers: What is the Difference?

In some cases, a regular user may not need a paid DNS server. However, there are significant benefits to paying for a premium DNS.

  1. Dynamic DNS (DDNS): A DDNS maps internet domains, matching them to IP addresses. This enables you to get into your home computer no matter where you are in the world. DDNS is different from a regular DNS because it works with changing or dynamic IP addresses, making it a good choice for home networks.
  2. Secondary DNS: A secondary DNS nameserver makes sure that your domain does not go offline. It provides you with a redundancy or backup that can be accessed in the event of a complication.
  3. Management interface: Many paid DNS servers offer users a dashboard they can use to manage their service and tweak it according to their needs.
  4. Two-factor authentication: You can provide protection for your domain with an extra level of authentication.
  5. More security: When you make use of a paid DNS server, you get another protective level of security. This helps shield your website from attackers.
  6. Better, faster performance: A paid DNS server comes with a service-level agreement (SLA). Each SLA guarantees a high rate of DNS resolution, often between 99% and 100%.
  7. Customer service: With a paid DNS server, you get the additional advantage of customer service that can answer questions and troubleshoot any issues.

Free and Public DNS Servers

The best free public DNS servers include Google, Quad9, OpenDNS, Cloudflare, CleanBrowsing, Alternate DNS, and AdGuard DNS.

Here’s a quick reference if you know what you’re doing, but we get into these services a lot more later in this article:

Best Free & Public DNS Servers

Provider         Primary DNS        Secondary DNS
Google           8.8.8.8            8.8.4.4
Quad9            9.9.9.9            149.112.112.112
OpenDNS Home     208.67.222.222     208.67.220.220
Cloudflare       1.1.1.1            1.0.0.1
CleanBrowsing    185.228.168.9      185.228.169.9
Alternate DNS    76.76.19.19        76.223.122.150
AdGuard DNS      94.140.14.14       94.140.15.15

Below are more details on the best free DNS servers you can use instead of the ones assigned.

If you’re not sure, use the IPv4 DNS servers listed for a provider. These are the IP addresses that include periods. IPv6 IP addresses use colons.

Google: 8.8.8.8 & 8.8.4.4

Google Public DNS promises three core benefits: a faster browsing experience, improved security, and accurate results without redirects.

  • Primary DNS: 8.8.8.8
  • Secondary DNS: 8.8.4.4

There are also IPv6 versions:

  • Primary DNS: 2001:4860:4860::8888
  • Secondary DNS: 2001:4860:4860::8844

Google can achieve fast speeds with its public DNS servers because they’re hosted in data centers all around the world, meaning that when you attempt to access a web page using the IP addresses above, you’re directed to a server that’s nearest to you. In addition to traditional DNS over UDP/TCP, Google provides DNS over HTTPS (DoH) and TLS (DoT).

Quad9: 9.9.9.9 & 149.112.112.112

Quad9 has free public DNS servers that protect your computer and other devices from cyber threats by immediately and automatically blocking access to unsafe websites, without storing your personal data.

  • Primary DNS: 9.9.9.9
  • Secondary DNS: 149.112.112.112

There are also Quad9 IPv6 DNS servers:

  • Primary DNS: 2620:fe::fe
  • Secondary DNS: 2620:fe::9

Quad9 does not filter content—only domains that are phishing or contain malware will be blocked. There is also an unsecured IPv4 public DNS (i.e., no malware blocking) at 9.9.9.10 (2620:fe::10 for IPv6). Quad9 supports DoH.

OpenDNS: 208.67.222.222 & 208.67.220.220

OpenDNS claims 100% reliability and uptime, and is used by tens of millions of users around the world. It offers two sets of free public DNS servers, one of which is just for parental controls with dozens of filtering options.

  • Primary DNS: 208.67.222.222
  • Secondary DNS: 208.67.220.220

IPv6 addresses are also available:

  • Primary DNS: 2620:119:35::35
  • Secondary DNS: 2620:119:53::53

The servers above are for OpenDNS Home, for which you can create a user account to set up custom settings. The company also offers DNS servers that block adult content, called OpenDNS FamilyShield: 208.67.222.123 and 208.67.220.123. Those two also support DNS over HTTPS. A premium offering, OpenDNS VIP, is available as well.

Cloudflare: 1.1.1.1 & 1.0.0.1

Cloudflare built 1.1.1.1 to be the “internet’s fastest DNS directory,” and will never log your IP address, never sell your data, and never use your data to target ads.

  • Primary DNS: 1.1.1.1
  • Secondary DNS: 1.0.0.1

They also have IPv6 public DNS servers:

  • Primary DNS: 2606:4700:4700::1111
  • Secondary DNS: 2606:4700:4700::1001

Cloudflare publishes setup directions for all your devices. Another way to use it is through the 1.1.1.1 app, which provides quick DNS setup on mobile and desktop devices and also doubles as a VPN. There’s also 1.1.1.1 for Families, which can block malware (1.1.1.2) or malware and adult content (1.1.1.3). The service also supports DNS over HTTPS and TLS.

CleanBrowsing: 185.228.168.9 & 185.228.169.9

CleanBrowsing has three free public DNS server options: a security filter, adult filter, and family filter. These are the DNS servers for the security filter, the most basic of the three that updates hourly to block malware and phishing sites:

  • Primary DNS: 185.228.168.9
  • Secondary DNS: 185.228.169.9

IPv6 is also supported:

  • Primary DNS: 2a0d:2a00:1::2
  • Secondary DNS: 2a0d:2a00:2::2

The CleanBrowsing adult filter (185.228.168.10) prevents access to adult domains, and the family filter (185.228.168.168) blocks proxies, VPNs, and mixed adult content. For more features, subscribe to one of CleanBrowsing’s premium plans. This service supports DoH and DoT as well.

Alternate DNS: 76.76.19.19 & 76.223.122.150

Alternate DNS is a free public DNS service that blocks ads before they reach your network.

  • Primary DNS: 76.76.19.19
  • Secondary DNS: 76.223.122.150

Alternate DNS has IPv6 DNS servers, too:

  • Primary DNS: 2602:fcbc::ad
  • Secondary DNS: 2602:fcbc:2::ad

You can sign up with Alternate DNS for free. There’s also a Family Premium Alternate DNS option that blocks adult content.

AdGuard DNS: 94.140.14.14 & 94.140.15.15

AdGuard DNS has two sets of DNS servers that block ads in games, videos, apps, and web pages. The basic set is called the “Default” servers, which block ads and trackers:

  • Primary DNS: 94.140.14.14
  • Secondary DNS: 94.140.15.15

IPv6 is supported, too:

  • Primary DNS: 2a10:50c0::ad1:ff
  • Secondary DNS: 2a10:50c0::ad2:ff

There are also “Family protection” servers (94.140.14.15 and 2a10:50c0::bad1:ff) that block adult content, plus everything included in the “Default” servers. Non-filtering servers are available if you’re not interested in blocking anything: 94.140.14.140 and 2a10:50c0::1:ff. These servers are also available as DNS over HTTPS, TLS, and QUIC, as well as DNSCrypt.

Why Use Different DNS Servers?

One reason you might want to change the DNS servers assigned by your ISP is if you suspect there’s a problem with the ones you’re using now. An easy way to test for a DNS server issue is by typing a website’s IP address into the browser. If you can reach the website with the IP address, but not the name, then the DNS server is likely having issues.

Another reason to change DNS servers is if you’re looking for better performing service. Many people complain that their ISP-maintained DNS servers are sluggish and contribute to a slower overall browsing experience.

Other common reasons to use DNS servers from a third party are to prevent logging of your web activity, so that you can have a more private browsing experience, and to circumvent the blocking of certain websites. Know, however, that not all DNS servers avoid traffic logging. If that’s what you’re interested in, read through the FAQs on the DNS provider’s site to make sure it’s going to do (or not do) what you’re after.

If, on the other hand, you want to use the DNS servers that your specific ISP, like Verizon, AT&T, Comcast/XFINITY, etc., has determined are best, then don’t manually set DNS server addresses at all—just let them be assigned automatically.

Finally, in case there was any confusion, free DNS servers do not give you free internet access. You still need an ISP to connect to for access—DNS servers just translate between IP addresses and domain names so that you can access websites with a human-readable name instead of a difficult-to-remember IP address.

Additional DNS Servers

Here are several more public DNS servers from major providers.

More Free DNS Servers

Provider                 Primary DNS       Secondary DNS
DNS.WATCH                84.200.69.80      84.200.70.40
Comodo Secure DNS        8.26.56.26        8.20.247.20
CenturyLink (Level3)     205.171.3.65      205.171.2.65
SafeSDN                  195.46.39.39      195.46.39.40
OpenNIC                  159.89.120.99     134.195.4.2
Dyn                      216.146.35.35     216.146.36.36
Yandex.DNS               77.88.8.8         77.88.8.1
Hurricane Electric       74.82.42.42
Neustar                  64.6.64.6         64.6.65.6
Control D                76.76.2.0         76.76.10.0

Some of these providers have several DNS servers. Visit the provider’s site and select a server that’s geographically nearby for the best performance.

DNS servers are referred to as all sorts of names, like DNS server addresses, internet DNS servers, internet servers, DNS IP addresses, etc.

Verizon DNS Servers & Other ISP Specific DNS Servers

Verizon DNS servers are often listed elsewhere as 4.2.2.1, 4.2.2.2, 4.2.2.3, 4.2.2.4, and/or 4.2.2.5, but those are actually alternatives to the CenturyLink/Level 3 DNS server addresses shown in the table above.

Verizon, like most ISPs, prefers to balance their DNS server traffic via local, automatic assignments. For example, the primary Verizon DNS server in Atlanta, GA, is 68.238.120.12 and in Chicago, is 68.238.0.12.

Frequently Asked Questions

  • How do I change my DNS server? You can specify a DNS server in the settings for your router. Specific instructions will differ depending on the model, but generally, you’ll log in to the hardware by entering http://192.168.1.1 and then entering one of the addresses above into the DNS settings.
  • How do I fix a DNS server that isn’t responding? Your computer may fail to connect to a DNS for several reasons. To fix a faulty DNS connection, check your ISP’s connection status and your antivirus software, and run any network troubleshooting software your computer has. If none of this works, restart or reset your modem and router.

What is DNS Cache Poisoning?

DNS cache poisoning, also called DNS spoofing, involves the introduction of corrupt DNS data into the resolving device’s cache. This results in the nameserver returning the wrong IP address.


FAQs

What is DNS?

A Domain Name System (DNS) turns domain names into IP addresses, which allow browsers to get to websites and other internet resources. Every device on the internet has an IP address, which other devices can use to locate the device. Instead of memorizing a long list of IP addresses, people can simply enter the name of the website, and the DNS gets the IP address for them.

What is an example of DNS?

An example of a DNS is that which is provided by Google. The address of Google’s primary DNS is 8.8.8.8.

How do I find my DNS?

On a Windows computer, you can find your DNS by going to the command prompt, typing “ipconfig/all”, and then hitting Enter.

What are the types of DNS?

There are four types of DNS servers: recursive resolvers, root nameservers, TLD nameservers, and authoritative nameservers.

Is changing DNS safe?

Yes, changing your DNS does not present any inherent dangers.

Should I use private DNS?

Yes, a private DNS can offer you enhanced security compared to other DNS options.


What Is DNS? Domain Name System Explained
