ゆるテックノート

DNS basics in one page

A quick primer on “resolver? authoritative? DNSSEC?” and how name resolution flows.

High-level flow 🌐

Clients ask a resolver; the resolver walks up the tree (root → TLD → authoritative) and caches the answer.

Recursion vs. iteration

  • Recursive query: client to resolver, “please resolve fully for me.”
  • Iterative query: resolver to upstream servers, “tell me what you know,” then follows referrals.
  • Answers are cached until TTL expiry.

Caching resolver

Performs recursive lookups on behalf of clients. Run by ISPs, enterprises, or public DNS (1.1.1.1, 8.8.8.8, etc.).

Role

  • Receives recursive queries and, if needed, walks root/TLD/authoritative.
  • Speeds responses with cache; honors TTL.
  • Often validates DNSSEC and sets the AD (Authenticated Data) flag when the signatures check out.
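The recursion/iteration split and the TTL cache above, as an added example (not code from this page): a toy caching resolver that serves clients recursively and walks root → TLD → authoritative iteratively by following referrals. The zone data, names and addresses are constructed, the "servers" are dictionaries rather than real DNS servers, and referrals name the child zone directly instead of returning NS records plus glue; negative caching is not modelled.

```python
import time

# Added illustration (not the page's code). SERVERS stands in for the root,
# the .com TLD servers and the example.com authoritative server; each entry
# either answers names from its own zone data or refers to a child zone.
ROOT = "."
SERVERS = {
    ".":            {"referrals": ["com."]},                      # root refers to TLDs
    "com.":         {"referrals": ["example.com."]},              # TLD refers to delegations
    "example.com.": {"answers": {"www.example.com.": ("A", "192.0.2.10", 300)}},
}


def query_server(zone, qname):
    """One iterative query: the server answers from its own zone data,
    refers the resolver to the closest child zone it delegates, or reports
    that the name does not exist ("tell me what you know")."""
    server = SERVERS[zone]
    if qname in server.get("answers", {}):
        return "answer", server["answers"][qname]
    # Longest matching delegation wins, so the referral lands on the closest zone.
    for child in sorted(server.get("referrals", []), key=len, reverse=True):
        if qname == child or qname.endswith("." + child):
            return "referral", child
    return "nxdomain", None


class CachingResolver:
    """Recursive service for clients: cache hit if the TTL has not expired,
    otherwise a full iterative walk from the root."""

    def __init__(self, clock=time.time):
        self.clock = clock            # injectable so TTL expiry can be simulated
        self.cache = {}               # qname -> (rtype, rdata, expires_at)
        self.upstream_queries = 0     # iterative queries sent to other servers

    def resolve(self, qname):
        """Returns (rtype, rdata, how_it_was_answered)."""
        now = self.clock()
        hit = self.cache.get(qname)
        if hit is not None and hit[2] > now:
            return hit[0], hit[1], "cache"
        zone, path = ROOT, []
        while True:
            self.upstream_queries += 1
            path.append(zone)
            kind, payload = query_server(zone, qname)
            if kind == "answer":
                rtype, rdata, ttl = payload
                self.cache[qname] = (rtype, rdata, now + ttl)   # honor the record's TTL
                return rtype, rdata, " -> ".join(path)
            if kind == "referral":
                zone = payload      # follow the referral one level down
                continue
            return None, None, "NXDOMAIN from " + zone


if __name__ == "__main__":
    r = CachingResolver()
    print(r.resolve("www.example.com."))   # walks . -> com. -> example.com.
    print(r.resolve("www.example.com."))   # answered from cache
```

The second call is served from cache without touching any upstream server; once the 300-second TTL passes, the walk from the root happens again.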

Authoritative DNS

Holds the zone data for a zone (e.g. example.com) and answers with its SOA, NS, and other records.

Notes

  • Answers from zone data, not cache; it is the source of truth.
  • Primary/secondary for redundancy is standard practice.
  • CDNs and cloud DNS offer authoritative services, often anycasted.

DNSSEC 🔒

Adds signatures to DNS answers so resolvers can detect tampering. Trust chains from the root down.

How it works (short)

  • Zones publish signatures (RRSIG) and public keys (DNSKEY); the parent publishes a digest of the child's key (DS).
  • Parents hold DS for children; walking from the root lets you validate the chain.
  • Validated answers are often returned with the AD flag set.
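The chain walk described above, as an added example (not the page's code and not real DNSSEC wire format): a trust anchor for the root key, a DS digest check at each delegation, a signature check over each DS and over the final answer, and the AD flag set only when the whole chain validates. The DS record really is a digest of the child's DNSKEY, as in DNSSEC; the RRSIG, which in real DNSSEC is a public-key signature (RSA, ECDSA or Ed25519), is replaced here by HMAC-SHA256 keyed with the zone's key so the example runs on the standard library alone. Zone names, keys and addresses are constructed.

```python
import copy
import hashlib
import hmac

# Added illustration (not the page's code). HMAC stands in for RRSIG's
# public-key signature, which is the one place this toy departs from DNSSEC.
RRNAME = "www.example.com. A"


def ds_digest(dnskey: bytes) -> str:
    """DS record content: a digest of the child zone's DNSKEY."""
    return hashlib.sha256(dnskey).hexdigest()


def rrsig(zone_key: bytes, rrset: str) -> str:
    """Stand-in for the RRSIG over one RRset (assumption: HMAC, not a real signature)."""
    return hmac.new(zone_key, rrset.encode(), hashlib.sha256).hexdigest()


def rrsig_ok(zone_key: bytes, rrset: str, sig: str) -> bool:
    return hmac.compare_digest(rrsig(zone_key, rrset), sig)


def make_zone(name, key, records, child=None, publish_ds=True):
    """A signed zone: its DNSKEY, signed RRsets and, if it delegates a child
    and publish_ds is set, a signed DS record for that child."""
    rrsets = {n: {"data": d, "rrsig": rrsig(key, f"{n} {d}")} for n, d in records.items()}
    zone = {"name": name, "dnskey": key, "rrsets": rrsets, "ds": None}
    if child is not None and publish_ds:
        ds = ds_digest(child["dnskey"])
        zone["ds"] = {"data": ds, "rrsig": rrsig(key, f"{child['name']} DS {ds}")}
    return zone


def bogus(reason):
    return {"status": "bogus", "ad": False, "data": None, "reason": reason}


def validate(chain, trust_anchor, rrname):
    """Walk `chain` (root first) and validate `rrname` in the leaf zone.

    "secure": every link checked, AD flag set.  "bogus": a check failed; a
    validating resolver answers SERVFAIL.  "insecure": a parent publishes no
    DS for its child, so the delegation is unsigned and the data is returned
    without AD (the normal state for a zone that has not enabled DNSSEC)."""
    expected_ds = trust_anchor
    for i, zone in enumerate(chain):
        if expected_ds is None:
            return {"status": "insecure", "ad": False, "data": chain[-1]["rrsets"][rrname]["data"]}
        # The DS held by the parent (or the trust anchor) must match this zone's key.
        if ds_digest(zone["dnskey"]) != expected_ds:
            return bogus(f"DNSKEY of {zone['name']} does not match the DS for it")
        if i + 1 < len(chain):
            child, ds = chain[i + 1], zone["ds"]
            if ds is None:
                expected_ds = None          # unsigned delegation
            elif not rrsig_ok(zone["dnskey"], f"{child['name']} DS {ds['data']}", ds["rrsig"]):
                return bogus(f"bad RRSIG over the DS record in {zone['name']}")
            else:
                expected_ds = ds["data"]   # next zone's key must hash to this
    leaf = chain[-1]
    rr = leaf["rrsets"][rrname]
    if not rrsig_ok(leaf["dnskey"], f"{rrname} {rr['data']}", rr["rrsig"]):
        return bogus("RRSIG does not cover the returned data")
    return {"status": "secure", "ad": True, "data": rr["data"]}


def build_chain(sign_delegation=True):
    """Constructed root -> com -> example.com chain plus the root trust anchor."""
    example = make_zone("example.com.", b"example-zone-key", {RRNAME: "192.0.2.10"})
    com = make_zone("com.", b"com-zone-key", {}, child=example, publish_ds=sign_delegation)
    root = make_zone(".", b"root-zone-key", {}, child=com)
    return [root, com, example], ds_digest(root["dnskey"])


def tampered(chain, rrname, new_data):
    """An answer altered in transit: the data changes but the RRSIG cannot be re-made."""
    c = copy.deepcopy(chain)
    c[-1]["rrsets"][rrname]["data"] = new_data
    return c


if __name__ == "__main__":
    chain, anchor = build_chain()
    print(validate(chain, anchor, RRNAME))                                   # secure, AD set
    print(validate(tampered(chain, RRNAME, "198.51.100.7"), anchor, RRNAME)) # bogus
    print(validate(*build_chain(sign_delegation=False), RRNAME))             # insecure, no AD
```

The "insecure" case is worth noticing: a missing DS in the parent does not make the answer bogus, it makes it unvalidated, which is why registering the DS (and keeping it current through key rollovers) is what actually turns protection on for a zone.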

Practical notes

  • When enabling DNSSEC, plan for key rollover and make sure the DS record is registered in the parent zone (usually via your registrar); without the DS, the zone is signed but nobody validates it.
  • Some old resolvers/devices may not support DNSSEC; check before rollout.