What Is DNS?
DNS (Domain Name System) is the internet's phone book. It translates human-readable domain names like example.com into the IP addresses computers use to communicate, like 93.184.216.34. Use our DNS lookup tool to query any domain's records live.
DNS Record Types
| Record | Purpose | Example |
|---|---|---|
| A | Maps domain to IPv4 address | example.com → 93.184.216.34 |
| AAAA | Maps domain to IPv6 address | example.com → 2606:2800:220:1::68 |
| MX | Specifies mail servers for email delivery | mail.example.com priority 10 |
| NS | Lists authoritative nameservers for the domain | ns1.example.com |
| CNAME | Alias pointing to another domain | www → example.com |
| TXT | Arbitrary text, used for SPF, DKIM, domain verification | v=spf1 include:… |
| PTR | Reverse DNS: maps IP back to hostname | 34.216.184.93 → example.com |
Popular Public DNS Resolvers
| Provider | Primary DNS | Secondary DNS | Privacy |
|---|---|---|---|
| Google | 8.8.8.8 | 8.8.4.4 | Logs queries |
| Cloudflare | 1.1.1.1 | 1.0.0.1 | Privacy-first, minimal logging |
| OpenDNS | 208.67.222.222 | 208.67.220.220 | Logs and filters queries |
| Quad9 | 9.9.9.9 | 149.112.112.112 | Blocks malicious domains, no logging |
For enhanced privacy, consider using DNS-over-HTTPS to encrypt your DNS queries so your ISP cannot see which domains you visit.
How a DNS Lookup Actually Works
DNS was standardised in RFC 1034 and RFC 1035 (1987) and still works the same way today. When you type a domain into your browser, a chain of servers cooperates to resolve it, usually in under 100 milliseconds.
The resolution chain, step by step
| Step | Who Answers | What Happens |
|---|---|---|
| 1 | Your device's cache | If you visited the domain recently, the stored IP is reused instantly, with no network query at all |
| 2 | Recursive resolver | Your router or configured resolver (e.g. 1.1.1.1) takes over the search on your behalf |
| 3 | Root servers | 13 root server identities (operated as hundreds of anycast instances worldwide) point to the right TLD server |
| 4 | TLD servers | The .com, .org, or country-code servers point to the domain's authoritative nameserver |
| 5 | Authoritative nameserver | Returns the actual record: the IP address for the domain |
| 6 | Caching | Every hop caches the answer for the record's TTL (time to live), so repeat lookups skip the chain |
TTL and propagation
Each DNS record carries a TTL value: how long resolvers may cache it. This is why DNS changes "propagate" gradually: resolvers keep serving the old answer until their cached copy expires. A low TTL (300 seconds) makes changes fast but increases query load; a high TTL (86400 seconds) does the opposite. You can watch live records and TTLs for any domain with the DNS lookup tool.
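To show where the TTL sits in an answer, here is an added example (not code from this site or its lookup tool) that parses an RFC 1035 response in wire format, following name-compression pointers and rejecting pointer loops. The sample bytes are constructed for illustration.

```python
import ipaddress
import struct

# Constructed sample: response to "example.com A" carrying one answer with TTL 300.
SAMPLE_RESPONSE = (
    b"\x1a\x2b\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # header: ID, flags, QD=1, AN=1
    b"\x07example\x03com\x00\x00\x01\x00\x01"            # question: example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04"  # answer: ptr->12, A, IN, TTL=300, len 4
    b"\x5d\xb8\xd8\x22"                                  # RDATA 93.184.216.34
)
RTYPES = {1: "A", 28: "AAAA"}

def read_name(msg, off):
    """Decode the name at off; return (name, offset just past it in the record)."""
    labels, resume, jumps = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer, RFC 1035 4.1.4
            if resume is None:
                resume = off + 2                  # parsing continues after the first pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumps += 1
            if jumps > 16:                        # hostile messages can point in a circle
                raise ValueError("compression pointer loop")
        elif length > 63:
            raise ValueError("reserved label type")
        elif length == 0:
            return ".".join(labels), resume if resume is not None else off + 1
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
            off += 1 + length

def parse_answers(msg):
    """Return (name, type, ttl, address) for each A/AAAA answer; ValueError if malformed."""
    try:
        _id, _flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
        off = 12
        for _ in range(qd):                       # skip each question: name + QTYPE + QCLASS
            off = read_name(msg, off)[1] + 4
        answers = []
        for _ in range(an):
            name, off = read_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata = msg[off + 10:off + 10 + rdlen]
            off += 10 + rdlen
            if rtype in RTYPES:
                answers.append((name, RTYPES[rtype], ttl, str(ipaddress.ip_address(rdata))))
        return answers
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated or malformed DNS message") from exc
```

A resolver that received this answer may keep serving 93.184.216.34 for up to 300 seconds, even if the authoritative record changes in the meantime.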
When DNS Breaks - Or Gets Abused
- If websites fail by name but work by IP address, DNS is the problem: try switching your resolver or flushing your cache (see the flush DNS guide).
- DNS cache poisoning plants forged answers in a resolver so victims are sent to attacker-controlled IPs; DNSSEC adds cryptographic signatures to prevent it.
- Your resolver operator can see every domain you look up. This is the single largest DNS privacy exposure, and the reason DNS-over-HTTPS (RFC 8484) exists.
- Rogue Wi-Fi networks can hijack DNS to redirect logins to phishing pages, a core risk covered in public Wi-Fi privacy.
- A "DNS leak" happens when VPN traffic is tunnelled but DNS queries still go to your ISP; run a VPN leak test to check.
Who Runs the DNS Ecosystem?
No single company owns DNS. ICANN coordinates the root zone and accredits domain registrars; twelve independent organisations (universities, companies, government bodies) operate the root server identities; registries such as Verisign run the TLD servers; and millions of authoritative nameservers, from a hosting provider's managed DNS to a company's own servers, hold the records for individual domains. This decentralisation is deliberate: it means there is no single point of failure that could take name resolution down for the whole internet. The registration side of this system is what a WHOIS lookup exposes: the registrar, nameservers, and ownership dates behind any domain. The reverse direction also exists: a reverse DNS lookup asks which hostname is registered for a given IP, which mail servers use to sanity-check senders.
What This Means for You
You use DNS thousands of times a day without noticing, and the resolver you use determines three things: speed, reliability, and who gets to see your browsing history at the domain level. The default resolver is your ISP's. Switching to a public resolver from the table above takes two minutes in your router or OS settings and is completely reversible. If your concern is privacy rather than speed, pair a trustworthy resolver with encrypted DNS so the queries cannot be read in transit, especially on networks you do not control.
Frequently Asked Questions
Is changing my DNS server safe?
Yes. DNS resolvers are interchangeable by design: pointing your device or router at 1.1.1.1 or 9.9.9.9 instead of your ISP's resolver changes who answers your lookups, nothing else. You can switch back at any time by restoring the automatic setting.
Does DNS affect my internet speed?
DNS affects how quickly each new connection starts, not your bandwidth. A slow resolver adds delay before every page load begins; a fast, nearby one makes browsing feel snappier. Download speeds themselves are unchanged once the connection is established.
Can my ISP still see my browsing if I change DNS?
Partly. Changing resolvers stops your ISP answering your queries, but unencrypted DNS still travels through its network in plain text, and the IPs you connect to remain visible. For meaningful privacy gains, combine an alternative resolver with DNS-over-HTTPS or a VPN.