What Is DNS?
Every website on the internet lives at an IP address – a numerical identifier like 142.250.185.46. But nobody wants to type that into their browser. Instead, we use human-readable domain names like google.com.
DNS (Domain Name System) is the system that translates these domain names into IP addresses. It functions like a phone book for the internet: you look up a name, and it gives you the number (IP address) you need to connect.
How DNS Resolution Works
When you type example.com into your browser, a multi-step process happens in milliseconds:
- Browser cache – your browser first checks whether it already knows the IP
- OS cache – if not, the operating system's stub resolver checks its own cache
- Recursive resolver – typically your ISP's or a third-party DNS server (e.g., 8.8.8.8); it does the remaining work on your behalf, walking the hierarchy in the next three steps
- Root nameserver – knows where to find the .com registry
- TLD nameserver – knows which nameserver handles example.com
- Authoritative nameserver – returns the final IP address
The result is cached at each level to speed up future lookups. Everything after the OS cache happens on the recursive resolver's side: it is that server, not your machine, that talks to the root, TLD and authoritative nameservers, which is why the resolver you choose sees every name you look up.
DNS Record Types
DNS doesn't just map domains to IPs. It stores many types of records:
| Record | Purpose | Example |
|---|---|---|
| A | Maps domain to IPv4 | example.com → 93.184.216.34 |
| AAAA | Maps domain to IPv6 | example.com → 2606:2800::1 |
| CNAME | Alias to another domain | www → example.com |
| MX | Mail server | example.com → mail.example.com |
| TXT | Text data (SPF, DKIM) | v=spf1 include:... |
| NS | Nameservers for domain | ns1.example.com |
| PTR | Reverse lookup (IP → domain) | 8.8.8.8 → dns.google |
Popular DNS Servers
Your internet provider assigns a DNS server by default, but you can change it:
| Provider | Primary | Secondary |
|---|---|---|
| Google | 8.8.8.8 | 8.8.4.4 |
| Cloudflare | 1.1.1.1 | 1.0.0.1 |
| Quad9 (security) | 9.9.9.9 | 149.112.112.112 |
| OpenDNS | 208.67.222.222 | 208.67.220.220 |
Third-party DNS servers often offer faster responses and additional privacy features compared to your ISP's default. Switching only moves the trust, though: whichever resolver you use sees every name you look up, so check its logging and retention policy before relying on it. Quad9 additionally refuses to resolve domains on its threat-intelligence blocklists, which is why it is listed as the security option.
DNS Over HTTPS (DoH) and DNS Over TLS (DoT)
Traditional DNS queries are sent in plaintext, meaning your ISP (or anyone on your network) can see every domain you look up. Modern alternatives encrypt DNS traffic:
- DNS over HTTPS (DoH) – DNS queries travel encrypted inside HTTPS (port 443)
- DNS over TLS (DoT) – DNS queries encrypted via TLS (port 853)
Both Firefox and Chrome support DoH natively; you can enable it in your browser settings. Operating systems offer encrypted DNS too (Android's Private DNS setting uses DoT, and systemd-resolved on Linux accepts DNSOverTLS=yes), which also covers applications other than the browser. In every case the resolver operator still sees your queries in the clear: encryption protects the path to the resolver, not what the resolver learns.
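To make the wire format behind the record-type table and the DoH encoding concrete, here is an added example (not code from the original page). It builds a query in RFC 1035 wire format, derives the GET URL a DoH client would request under RFC 8484, and parses a response; the response bytes and the Cloudflare endpoint URL are constructed and assumed for the demo, so nothing here touches the network.

```python
"""DNS wire format (RFC 1035) and the DoH GET encoding (RFC 8484).
Added example, not code from the original page: it builds a query, derives
the URL a DoH client would fetch, and parses a response whose bytes are
constructed below, so nothing here touches the network."""
import base64
import ipaddress
import struct

QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15, "TXT": 16, "AAAA": 28}
TYPE_NAMES = {v: k for k, v in QTYPES.items()}

def encode_name(name: str) -> bytes:
    """'example.com' -> b'\\x07example\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("idna")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: str = "A", txid: int = 0) -> bytes:
    """12-byte header (ID, flags with RD set, QDCOUNT=1) + one IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)

def doh_get_url(query: bytes, resolver="https://cloudflare-dns.com/dns-query") -> str:
    """DoH GET form: ?dns=<base64url(query)> with '=' padding removed (RFC 8484).
    The RFC suggests ID 0, build_query's default, so responses can be cached."""
    return f"{resolver}?dns={base64.urlsafe_b64encode(query).rstrip(b'=').decode()}"

def read_name(data: bytes, off: int):
    """Decode a name, following backward-only compression pointers (0xC0xx)."""
    labels, jumped, end = [], False, off
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if pointer >= off:           # forward pointers can loop; reject
                raise ValueError("bad compression pointer")
            if not jumped:
                end = off + 2            # resume after the first pointer
            off, jumped = pointer, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("idna"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_rdata(rtype: int, data: bytes, off: int, rdlen: int):
    chunk = data[off:off + rdlen]
    if rtype == 1:
        return str(ipaddress.IPv4Address(chunk))
    if rtype == 28:
        return str(ipaddress.IPv6Address(chunk))
    if rtype in (2, 5):                  # NS, CNAME: a possibly compressed name
        return read_name(data, off)[0]
    if rtype == 15:                      # MX: preference + exchange name
        return struct.unpack("!H", chunk[:2])[0], read_name(data, off + 2)[0]
    if rtype == 16:                      # TXT: sequence of <len><chars>
        parts, i = [], 0
        while i < len(chunk):
            parts.append(chunk[i + 1:i + 1 + chunk[i]].decode())
            i += 1 + chunk[i]
        return "".join(parts)
    return chunk.hex()

def parse_response(data: bytes):
    """Return (rcode, [(name, type, ttl, rdata), ...]) from the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off = 12
    for _ in range(qd):                  # skip the echoed question(s)
        off = read_name(data, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = read_name(data, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        answers.append((name, TYPE_NAMES.get(rtype, rtype), ttl,
                        parse_rdata(rtype, data, off, rdlen)))
        off += rdlen
    return flags & 0xF, answers

def constructed_response() -> bytes:
    """A plausible answer to 'www.example.com A' (constructed, not captured):
    a CNAME to example.com followed by example.com's A record."""
    q = build_query("www.example.com", "A", txid=0x1234)
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)  # QR, RD, RA set
    target = encode_name("example.com")
    cname = b"\xC0\x0C" + struct.pack("!HHIH", 5, 1, 300, len(target)) + target
    ptr = struct.pack("!H", 0xC000 | (len(q) + 12))  # -> 'example.com' in the CNAME rdata
    a_rr = ptr + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([93, 184, 216, 34])
    return header + q[12:] + cname + a_rr

if __name__ == "__main__":
    print(doh_get_url(build_query("example.com")))
    print(parse_response(constructed_response()))
```

Running the script prints the DoH URL for an example.com A query and the parsed answer section, a CNAME to example.com with a 300-second TTL followed by the A record with a 3600-second TTL. The compression-pointer check in read_name is the one defensive detail worth copying: a forward or self-referencing pointer in a malicious response would otherwise loop a naive parser forever.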
What Is a DNS Leak?
A DNS leak occurs when your DNS requests bypass your VPN tunnel and go directly to your ISP's DNS servers, revealing the websites you visit even while connected to a VPN.
This happens due to:
- The operating system sending queries outside the tunnel (Windows, for example, can send a query to the resolvers of every interface in parallel rather than only the VPN's)
- WebRTC in the browser, which can reveal your real IP address directly; strictly an IP leak rather than a DNS leak, but usually tested alongside it
- Misconfigured VPN software that does not override the system resolver while the tunnel is up
How to Test for DNS Leaks
Use our DNS Leak Test to see which DNS servers are resolving your requests. If you see your ISP's servers while connected to a VPN, you have a leak.
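The following added example (not the site's own implementation) shows the mechanism such a test relies on, assumed here because it is the usual design: the test server hands each visitor a unique random hostname under a zone it is authoritative for, so whichever resolvers later ask the authoritative server for that name are the resolvers the visitor's machine actually uses. The zone name, the VPN provider's resolver range and all addresses are constructed for the demo.

```python
"""How a DNS leak test can attribute resolver traffic to one visitor.
Added example, not the site's own implementation. The idea (assumed here,
common to such tests): the server hands each visitor a unique random
hostname in a zone it is authoritative for; whichever resolvers then ask
the authoritative server for that name are the resolvers the visitor's
machine really uses. All addresses below are constructed."""
import ipaddress
import secrets

class LeakTest:
    def __init__(self, zone: str = "leaktest.example"):  # assumed zone name
        self.zone = zone.lower().rstrip(".")
        self.sessions = {}   # token -> set of resolver source IPs seen

    def new_session(self) -> tuple[str, str]:
        """Return (token, hostname); the page embeds the hostname in a fetch."""
        token = secrets.token_hex(8)
        self.sessions[token] = set()
        return token, f"{token}.{self.zone}"

    def record_query(self, qname: str, resolver_ip: str) -> bool:
        """Hook for the authoritative server: note who asked for which token."""
        qname = qname.lower().rstrip(".")
        suffix = "." + self.zone
        if not qname.endswith(suffix):
            return False
        token = qname[:-len(suffix)].split(".")[-1]  # last label before the zone
        if token not in self.sessions:
            return False                 # unknown or expired token: ignore
        self.sessions[token].add(resolver_ip)
        return True

    def resolvers_for(self, token: str) -> set[str]:
        return set(self.sessions.get(token, ()))

def classify(resolvers, vpn_resolver_nets):
    """The authoritative server sees each resolver's public egress address,
    so 'expected' means inside the VPN provider's published resolver ranges;
    anything else (typically the ISP's resolver) is a leak."""
    nets = [ipaddress.ip_network(n) for n in vpn_resolver_nets]
    expected, leaked = set(), set()
    for addr in resolvers:
        ip = ipaddress.ip_address(addr)
        (expected if any(ip in n for n in nets) else leaked).add(addr)
    return expected, leaked

def demo():
    test = LeakTest()
    token, host = test.new_session()
    # Constructed traffic: the VPN's resolver asks first, then the OS also
    # sends the query out of the tunnel and the ISP's resolver asks too.
    test.record_query(host, "198.51.100.7")
    test.record_query(host, "203.0.113.53")
    test.record_query("other.leaktest.example", "192.0.2.9")  # not a token
    return classify(test.resolvers_for(token), ["198.51.100.0/24"])
```

In demo() the VPN provider's resolver (inside the constructed 198.51.100.0/24 range) and the ISP's resolver both ask for the token hostname, so classify() reports 203.0.113.53 as leaked. The token must be unpredictable and single-use: a guessable hostname would let a third party inject bogus resolver addresses into someone else's result.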
How to Fix a DNS Leak
- Use a VPN provider with built-in DNS leak protection
- Manually configure your VPN client to use the VPN's own DNS servers while the tunnel is up
- Use a firewall rule that allows DNS traffic (port 53, and port 853 for DoT) only on the VPN interface, so a query that tries to leave by another path is dropped rather than answered
- Enable DoH in your browser as a fallback: your ISP then cannot read the queries, although the DoH provider can, and applications outside the browser are not covered
DNS Propagation
When you change a domain's DNS records (e.g., after moving a website to a new host), the changes don't appear instantly worldwide. Resolvers cache records for as long as the record's TTL (Time To Live) value allows – typically between a few minutes and 48 hours – and keep serving the old answer until that expires.
During propagation, different users around the world may see old or new DNS records. A common way to shorten the window is to lower the TTL to a few minutes at least one old-TTL period before the change, make the change, and raise the TTL again once the new records are everywhere. Tools like Whois Lookup can show you the current nameserver configuration for any domain.
Last updated: March 2024